# exceptions (bug 5397):
# exceptions: 66-220-155-151.mail-mail.facebook.com
# exceptions: o167-89-97-77.outbound-mail.sendgrid.net (bug 7592)
-header __RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:fix|static|fixip|dedicated|mail\-mail|outbound-mail)/i
+header __RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:fix|static|fixip|dedicated|mail\-mail|outbound-mail|smtp)/i
# bug 5586:
header __CGATE_RCVD Received =~ /by \S+ \(CommuniGate Pro/
# node-c-8b22.a2000.nl
# cm89.omega139.maxonline.com.sg
# cm114.gamma208.maxonline.com.sg
-header __HELO_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:(?<!a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
+header __HELO_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:(?<!smtp)(?<!a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
meta HELO_DYNAMIC_DHCP (__HELO_DYNAMIC_DHCP && !HELO_STATIC_HOST)
describe HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
#score USER_IN_WHITELIST -100.000 - Moved to 60_whitelist.cf
#score USER_IN_DEF_WHITELIST -15.000 - Moved to 60_whitelist.cf
#score USER_IN_BLACKLIST_TO 10.000 - Moved to 60_whitelist.cf
-score URI_HOST_IN_BLACKLIST 100.0
-score URI_HOST_IN_WHITELIST -100.0
+#score URI_HOST_IN_BLACKLIST 100.0 - Moved to 60_whitelist.cf
+#score URI_HOST_IN_WHITELIST -100.0 - Moved to 60_whitelist.cf
#Removed in bug 7256
#score HEADER_HOST_IN_BLACKLIST 100.0
#score HEADER_HOST_IN_WHITELIST -100.0
# DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
-score USER_IN_DKIM_WHITELIST -100.000
+#score USER_IN_DKIM_WHITELIST -100.000 - Moved to 60_whitelist_dkim.cf
score USER_IN_DEF_DKIM_WL -7.500
score DKIM_SIGNED 0.1
score DKIM_VALID -0.1
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
- #bz7826 renames blacklist to blocklist
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
header USER_IN_BLOCKLIST eval:check_from_in_blocklist()
- describe USER_IN_BLOCKLIST From: address is in the user's block-list
+ describe USER_IN_BLOCKLIST From: user is listed in the block-list
tflags USER_IN_BLOCKLIST userconf nice noautolearn
score USER_IN_BLOCKLIST 100.0
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_BLOCKLIST eval:check_from_in_blacklist()
- describe USER_IN_BLOCKLIST From: address is in the user's block-list
+ describe USER_IN_BLOCKLIST From: user is listed in the block-list
tflags USER_IN_BLOCKLIST userconf nice noautolearn
score USER_IN_BLOCKLIST 0.01
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
- #bz7826 renames whitelist to welcomelist
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
header USER_IN_WELCOMELIST eval:check_from_in_welcomelist()
- describe USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
+ describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from'
tflags USER_IN_WELCOMELIST userconf nice noautolearn
score USER_IN_WELCOMELIST -100.0
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_WELCOMELIST eval:check_from_in_whitelist()
- describe USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
+ describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from'
tflags USER_IN_WELCOMELIST userconf nice noautolearn
score USER_IN_WELCOMELIST -0.01
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
- #bz7826 renames whitelist to welcomelist
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_welcomelist()
- describe USER_IN_DEF_WELCOMELIST From: address is in the default welcome-list
+ describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list
tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn
score USER_IN_DEF_WELCOMELIST -15.0
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_whitelist()
- describe USER_IN_DEF_WELCOMELIST From: address is in the default welcome-list
+ describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list
tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn
score USER_IN_DEF_WELCOMELIST -0.01
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
- #bz7826 renames blacklist to blocklist
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
header USER_IN_BLOCKLIST_TO eval:check_to_in_blocklist()
describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to'
tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
- #bz7826 renames whitelist to welcomelist
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
header USER_IN_WELCOMELIST_TO eval:check_to_in_welcomelist()
describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to'
tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn
tflags USER_IN_ALL_SPAM_TO userconf nice noautolearn
endif
-if (version >= 3.004000)
+if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
- body URI_HOST_IN_BLACKLIST eval:check_uri_host_in_blacklist()
- describe URI_HOST_IN_BLACKLIST Host or Domain is listed in the user's URI black-list
- tflags URI_HOST_IN_BLACKLIST userconf noautolearn
-
- body URI_HOST_IN_WHITELIST eval:check_uri_host_in_whitelist()
- describe URI_HOST_IN_WHITELIST Host or Domain is listed in the user's URI white-list
- tflags URI_HOST_IN_WHITELIST userconf nice noautolearn
-
- # Bug 7256, using a header rule with an eval() function does not work the way
- # this was intended.
-
- # header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK')
- # describe HEADER_HOST_IN_BLACKLIST Host or Domain in header is listed in the user's URI black-list
- # tflags HEADER_HOST_IN_BLACKLIST userconf noautolearn
-
- # header HEADER_HOST_IN_WHITELIST eval:check_uri_host_listed('WHITE')
- # describe HEADER_HOST_IN_WHITELIST Host or Domain in header is listed in the user's URI white-list
- # tflags HEADER_HOST_IN_WHITELIST userconf nice noautolearn
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
+ body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blocklist()
+ describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list
+ tflags URI_HOST_IN_BLOCKLIST userconf noautolearn
+ score URI_HOST_IN_BLOCKLIST 100.0
+
+ ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
+ meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST)
+ describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST
+ tflags URI_HOST_IN_BLACKLIST userconf noautolearn
+ score URI_HOST_IN_BLOCKLIST -0.01
+ score URI_HOST_IN_BLACKLIST 100.0
+ endif
+ endif
+else
+ if (version >= 3.004000)
+ ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+ body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blacklist()
+ describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list
+ tflags URI_HOST_IN_BLOCKLIST userconf noautolearn
+ score URI_HOST_IN_BLOCKLIST -0.01
+
+ meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST)
+ describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST
+ tflags URI_HOST_IN_BLACKLIST userconf noautolearn
+ score URI_HOST_IN_BLACKLIST 100.0
+ endif
endif
endif
+if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
+ ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
+ body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_welcomelist()
+ describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list
+ tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn
+ score URI_HOST_IN_WELCOMELIST -100.0
+
+ ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
+ meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST)
+ describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST
+ tflags URI_HOST_IN_WHITELIST userconf nice noautolearn
+ score URI_HOST_IN_WELCOMELIST -0.01
+ score URI_HOST_IN_WHITELIST -100.0
+ endif
+ endif
+else
+ if (version >= 3.004000)
+ ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+ body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_whitelist()
+ describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list
+ tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn
+ score URI_HOST_IN_WELCOMELIST -0.01
+
+ meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST)
+ describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST
+ tflags URI_HOST_IN_WHITELIST userconf nice noautolearn
+ score URI_HOST_IN_WHITELIST -100.0
+ endif
+ endif
+endif
+
+ # Bug 7256, using a header rule with an eval() function does not work the way
+ # this was intended.
+
+ # header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK')
+ # describe HEADER_HOST_IN_BLACKLIST Host or Domain in header is listed in the user's URI black-list
+ # tflags HEADER_HOST_IN_BLACKLIST userconf noautolearn
+
+ # header HEADER_HOST_IN_WHITELIST eval:check_uri_host_listed('WHITE')
+ # describe HEADER_HOST_IN_WHITELIST Host or Domain in header is listed in the user's URI white-list
+ # tflags HEADER_HOST_IN_WHITELIST userconf nice noautolearn
+
###########################################################################
# Default welcomelists. These should be addresses which send mail that is often
# tagged (incorrectly) as spam; it also helps that they be addresses of big
###########################################################################
# SPF and DKIM whitelist rules
-if (version >= 3.003000)
-
-ifplugin Mail::SpamAssassin::Plugin::SPF
-
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
###########################################################################
def_welcomelist_auth *@*.cvs.com
def_welcomelist_auth *@*.hgtv.com
def_welcomelist_auth *@*.starz.com
-def_welcomelist_auth *@*.golfballs.com
def_welcomelist_auth *@*.zales.com
def_welcomelist_auth *@*.partycity.com
def_welcomelist_auth *@*.petco.com
def_whitelist_auth *@*.cvs.com
def_whitelist_auth *@*.hgtv.com
def_whitelist_auth *@*.starz.com
-def_whitelist_auth *@*.golfballs.com
def_whitelist_auth *@*.zales.com
def_whitelist_auth *@*.partycity.com
def_whitelist_auth *@*.petco.com
endif # if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
-endif # Mail::SpamAssassin::Plugin::SPF
-
-endif # version >= 3.3.0
###########################################################################
# DKIM whitelist rules
-ifplugin Mail::SpamAssassin::Plugin::DKIM
+#For those wondering why there's not just an ifplugin in front of all of this, there's a big involving it
+#in nested if statements
+if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
+ ifplugin Mail::SpamAssassin::Plugin::DKIM
+ #bz7826 renames whitelist to welcomelist and blacklist to blocklist
+ header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_welcomelist_from()
+ describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist
+ tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf
+ score USER_IN_DKIM_WELCOMELIST -100.000
-header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from()
-describe USER_IN_DKIM_WHITELIST From: address is in the user's DKIM whitelist
-tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf
-reuse USER_IN_DKIM_WHITELIST
+ ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
+ meta USER_IN_DKIM_WHITELIST (USER_IN_DKIM_WELCOMELIST)
+ describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST
+ tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf
+ score USER_IN_DKIM_WELCOMELIST -0.01
+ score USER_IN_DKIM_WHITELIST -100.000
+ endif
+ endif
-header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from()
-describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
+ #might be a way to only have one instance of the below block, unsure if it's even necessary
+ reuse USER_IN_DKIM_WHITELSIT
+ reuse USER_IN_DKIM_WELCOMELIST
+
+else
+ ifplugin Mail::SpamAssassin::Plugin::DKIM
+ header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_whitelist_from()
+ describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist
+ tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf
+ score USER_IN_DKIM_WELCOMELIST -0.01
+
+ meta USER_IN_DKIM_WHITELIST (USER_IN_DKIM_WELCOMELIST)
+ describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST
+ tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf
+ score USER_IN_DKIM_WHITELIST -100.000
+ endif
+
+ reuse USER_IN_DKIM_WHITELSIT
+ reuse USER_IN_DKIM_WELCOMELIST
+
+endif
+
+
+if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
+ifplugin Mail::SpamAssassin::Plugin::DKIM
+
+# The backwards compatibility for this rule will be after the else statement below
+header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_welcomelist_from()
+describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
tflags USER_IN_DEF_DKIM_WL nice noautolearn net
reuse USER_IN_DEF_DKIM_WL
+
###########################################################################
-# Default whitelists. These should be e-mail addresses of authors (i.e.
+# Default welcomelists. These should be e-mail addresses of authors (i.e.
# addresses in the From header field) which send mail that is often
-# tagged (incorrectly) as spam. DKIM whitelisting only applies to mail
+# tagged (incorrectly) as spam. DKIM welcomelisting only applies to mail
# with a valid DKIM (or older DK) signature. An optional second parameter
# can specify a signing domain (the 'd' tag), if different from author's
# domain. Please see Mail::SpamAssassin::Plugin::DKIM man page for details.
# Whitelist and blacklist addresses are file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
+def_welcomelist_from_dkim *@*.ebay.com ebay.com
+def_welcomelist_from_dkim *@ebay.com
+def_welcomelist_from_dkim *@ebay.co.uk
+def_welcomelist_from_dkim *@*.ebay.co.uk
+def_welcomelist_from_dkim *@ebay.at
+def_welcomelist_from_dkim *@*.ebay.at
+def_welcomelist_from_dkim *@ebay.be
+def_welcomelist_from_dkim *@*.ebay.be
+def_welcomelist_from_dkim *@ebay.de
+def_welcomelist_from_dkim *@*.ebay.de
+def_welcomelist_from_dkim *@ebay.es
+def_welcomelist_from_dkim *@*.ebay.es
+def_welcomelist_from_dkim *@ebay.fr
+def_welcomelist_from_dkim *@*.ebay.fr
+def_welcomelist_from_dkim *@ebay.ie
+def_welcomelist_from_dkim *@*.ebay.ie
+def_welcomelist_from_dkim *@ebay.it
+def_welcomelist_from_dkim *@*.ebay.it
+def_welcomelist_from_dkim *@ebay.nl
+def_welcomelist_from_dkim *@*.ebay.nl
+def_welcomelist_from_dkim *@ebay.pt
+def_welcomelist_from_dkim *@*.ebay.pt
+def_welcomelist_from_dkim *@ebay.ca
+def_welcomelist_from_dkim *@*.ebay.ca
+
+def_welcomelist_from_dkim *@* paypal.com
+def_welcomelist_from_dkim *@paypal.com
+def_welcomelist_from_dkim *@*.paypal.com
+def_welcomelist_from_dkim *@paypal.co.uk
+def_welcomelist_from_dkim *@*.paypal.co.uk
+def_welcomelist_from_dkim *@paypal.at
+def_welcomelist_from_dkim *@*.paypal.at
+def_welcomelist_from_dkim *@paypal.be
+def_welcomelist_from_dkim *@*.paypal.be
+def_welcomelist_from_dkim *@paypal.de
+def_welcomelist_from_dkim *@*.paypal.de
+def_welcomelist_from_dkim *@paypal.es
+def_welcomelist_from_dkim *@*.paypal.es
+def_welcomelist_from_dkim *@paypal.fr
+def_welcomelist_from_dkim *@*.paypal.fr
+def_welcomelist_from_dkim *@paypal.ie
+def_welcomelist_from_dkim *@*.paypal.ie
+def_welcomelist_from_dkim *@paypal.it
+def_welcomelist_from_dkim *@*.paypal.it
+def_welcomelist_from_dkim *@paypal.nl
+def_welcomelist_from_dkim *@*.paypal.nl
+def_welcomelist_from_dkim *@paypal.pt
+def_welcomelist_from_dkim *@*.paypal.pt
+def_welcomelist_from_dkim *@paypal.ca
+def_welcomelist_from_dkim *@*.paypal.ca
+
+def_welcomelist_from_dkim *@cisco.com
+def_welcomelist_from_dkim *@lh.lufthansa.com
+def_welcomelist_from_dkim *@*.milesandmore.com
+def_welcomelist_from_dkim *@mail.hotels.com
+def_welcomelist_from_dkim *@email.hotels.com
+def_welcomelist_from_dkim *@alert.bankofamerica.com
+def_welcomelist_from_dkim *@ealerts.bankofamerica.com
+def_welcomelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com
+def_welcomelist_from_dkim *@cc.yahoo-inc.com
+def_welcomelist_from_dkim googlealerts-noreply@google.com
+def_welcomelist_from_dkim *@*.google.com
+
+def_welcomelist_from_dkim *@springer.delivery.net
+def_welcomelist_from_dkim *@sci.scientific-direct.net
+def_welcomelist_from_dkim *@strongmail.the-scientist.com
+def_welcomelist_from_dkim *@ealert.nature.com
+def_welcomelist_from_dkim *@gateways.nature.com
+def_welcomelist_from_dkim *@information.nature.com
+def_welcomelist_from_dkim *@newsdesk.world-nuclear-news.org
+def_welcomelist_from_dkim *@biocompare.com
+def_welcomelist_from_dkim *@dentalcompare.com
+def_welcomelist_from_dkim *@medcompare.com
+def_welcomelist_from_dkim *@itbusinessedge.com
+def_welcomelist_from_dkim *@nl.reuters.com
+def_welcomelist_from_dkim *@email.washingtonpost.com
+def_welcomelist_from_dkim *@washingtontimesmail.com
+def_welcomelist_from_dkim *@info-aaas.org
+def_welcomelist_from_dkim *@*.newsmax.com
+def_welcomelist_from_dkim *@zdnet.online.com
+def_welcomelist_from_dkim *@m-w.com
+
+def_welcomelist_from_dkim *@skype.net
+def_welcomelist_from_dkim *@*.skype.net
+def_welcomelist_from_dkim *@*.skype.net skype.net
+def_welcomelist_from_dkim *@*.skype.com
+def_welcomelist_from_dkim *@*.skype.com skype.com
+
+#consider also:
+# def_welcomelist_from_dkim *@avaaz.org
+# def_welcomelist_from_dkim *@techrepublic.online.com
+# def_welcomelist_from_dkim ezines@arcamax.com
+# def_welcomelist_from_dkim *@yousendit.com
+# def_welcomelist_from_dkim *@meetup.com
+# def_welcomelist_from_dkim *@astrology.com
+# def_welcomelist_from_dkim *@google.com
+# def_welcomelist_from_dkim *@amazon.com
+# def_welcomelist_from_dkim *@amazon.co.uk
+# def_welcomelist_from_dkim *@amazon.de
+# def_welcomelist_from_dkim *@amazon.fr
+
+def_welcomelist_from_dkim *@imdb.com amazonses.com
+def_welcomelist_from_dkim *@dhl.com
+def_welcomelist_from_dkim *@tumblr.com
+def_welcomelist_from_dkim *@fisglobal.com
+def_welcomelist_from_dkim *@*.msgfocus.com
+def_welcomelist_from_dkim *@boredpanda.com mailersend.com
+
+endif # Mail::SpamAssassin::Plugin::DKIM
+
+
+
+
+#
+# For older versions of SA, these old entries remain for SA before version 4.0
+#
+
+else
+ifplugin Mail::SpamAssassin::Plugin::DKIM
+
+header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from()
+describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list
+tflags USER_IN_DEF_DKIM_WL nice noautolearn net
+reuse USER_IN_DEF_DKIM_WL
+
def_whitelist_from_dkim *@*.ebay.com ebay.com
def_whitelist_from_dkim *@ebay.com
def_whitelist_from_dkim *@ebay.co.uk
def_whitelist_from_dkim *@boredpanda.com mailersend.com
endif # Mail::SpamAssassin::Plugin::DKIM
+endif # if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
+
tflags AMAZON_IMG_NOT_RCVD_AMZN publish
##} AMAZON_IMG_NOT_RCVD_AMZN
+##{ ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
+if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+ meta ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
+ describe ANY_PILL_PRICE Prices for pills
+endif
+##} ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
##{ APOSTROPHE_FROM
header APOSTROPHE_FROM From:addr =~ /'/
meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5)
describe AXB_XMAILER_MIMEOLE_OL_1ECD5 Yet another X header trait##} AXB_XMAILER_MIMEOLE_OL_1ECD5
+##{ AXB_XM_FORGED_OL2600
+
+meta AXB_XM_FORGED_OL2600 (__AXB_XM_OL_2600 && !__AXB_MO_OL_2600 )
+describe AXB_XM_FORGED_OL2600 Forged OE v. 6.2600
+##} AXB_XM_FORGED_OL2600
+
##{ BANKING_LAWS
body BANKING_LAWS /banking laws/i
endif
##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
+##{ BEBEE_IMG_NOT_RCVD_BB
+
+meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB
+#score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit
+describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee
+tflags BEBEE_IMG_NOT_RCVD_BB publish
+##} BEBEE_IMG_NOT_RCVD_BB
+
##{ BIGNUM_EMAILS_FREEM
meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM
#score BODY_SINGLE_URI 2.500 # limit
##} BODY_SINGLE_URI
+##{ BODY_SINGLE_WORD
+
+meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
+describe BODY_SINGLE_WORD Message body is only one word (no spaces)
+#score BODY_SINGLE_WORD 2.500 # limit
+##} BODY_SINGLE_WORD
+
##{ BODY_URI_ONLY
meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
body CURR_PRICE /\bCurrent Price:/
##} CURR_PRICE
-##{ DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
-
-ifplugin Mail::SpamAssassin::Plugin::HeaderEval
-header DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
-describe DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
-endif
-##} DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
-
##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
describe DEAR_WINNER Spam with generic salutation of "dear winner"
##} DEAR_WINNER
-##{ DETAILS_OF_PRODUCT
-
-body DETAILS_OF_PRODUCT /(?:Please|kindly) (?:see|refer to|check(?: out)?) the (?:details of the product|(?:detailed |complete |specific )?product (?:details|information)) (below|following|that follow|in detail)|the following (?:(?:is the )?(?:detailed )?product information|is a brief introduction to (?:\w+\s){0,5}this product)|\bhere (is|are) some basic information about this|you can (?:\w+ )?understand our product/i
-#score DETAILS_OF_PRODUCT 1.250 # limit
-##} DETAILS_OF_PRODUCT
-
##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::AskDNS
describe EXCUSE_24 Claims you wanted this ad
##} EXCUSE_24
-##{ FAKE_REPLY_A1
-
-meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF)
-##} FAKE_REPLY_A1
+##{ FACEBOOK_IMG_NOT_RCVD_FB
-##{ FAKE_REPLY_B
-
-meta FAKE_REPLY_B (__SUBJ_RE && __MISSING_REPLY && __INR_AND_NO_REF)
-##} FAKE_REPLY_B
+meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP
+#score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit
+describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook
+tflags FACEBOOK_IMG_NOT_RCVD_FB publish
+##} FACEBOOK_IMG_NOT_RCVD_FB
##{ FAKE_REPLY_C
##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
- meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX
+ meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA
describe FONT_INVIS_MSGID Invisible text + suspicious message ID
# score FONT_INVIS_MSGID 2.500 # limit
tflags FONT_INVIS_MSGID publish
tflags FORM_FRAUD_5 publish
##} FORM_FRAUD_5
-##{ FORM_LOW_CONTRAST
-
-meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
-describe FORM_LOW_CONTRAST Fill in a form with hidden text
-#score FORM_LOW_CONTRAST 2.500 # Limit
-tflags FORM_LOW_CONTRAST publish
-##} FORM_LOW_CONTRAST
-
##{ FOUND_YOU
meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
tflags FOUND_YOU publish
##} FOUND_YOU
+##{ FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ meta FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
+ describe FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
+endif
+##} FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
##} FRNAME_IN_MSG_XPRIO_NO_SUB
-##{ FROMSPACE
-
-describe FROMSPACE Idiosyncratic "From" header format
-header FROMSPACE From:raw =~ /^\s?\"\s/
-##} FROMSPACE
-
##{ FROM_2_EMAILS_SHORT
meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF)
endif
##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
-##{ FROM_NAME_EQ_TO_G_DRIVE
-
-meta FROM_NAME_EQ_TO_G_DRIVE !__SHORT_BODY_G_DRIVE_DYN && __SHORT_BODY_G_DRIVE && (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2)
-describe FROM_NAME_EQ_TO_G_DRIVE From:name equals To:addr and GDRIVE link
-#score FROM_NAME_EQ_TO_G_DRIVE 1.5 # limit
-##} FROM_NAME_EQ_TO_G_DRIVE
-
##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
if (version >= 3.004001)
##{ FSL_BULK_SIG
-meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY
+meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128
describe FSL_BULK_SIG Bulk signature with no Unsubscribe
-#score FSL_BULK_SIG 3.000 # limit
+#score FSL_BULK_SIG 2.500 # limit
tflags FSL_BULK_SIG net publish
##} FSL_BULK_SIG
endif
##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+##{ GAPPY_LOW_CONTRAST
+
+meta GAPPY_LOW_CONTRAST __GAPPY_LOW_CONTRAST && !__HAS_LIST_ID
+describe GAPPY_LOW_CONTRAST Gappy subject + hidden text
+#score GAPPY_LOW_CONTRAST 2.500 # limit
+##} GAPPY_LOW_CONTRAST
+
##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
tflags GB_GOOGLE_OBFUR publish
##} GB_GOOGLE_OBFUR
+##{ GB_GOOG_IMG_NOT_RCVD_GOOG
+
+meta GB_GOOG_IMG_NOT_RCVD_GOOG ( __GDRIVE_IMG_NOT_RCVD_GOOG || __GPHOTO_IMG_NOT_RCVD_GOOG ) && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
+describe GB_GOOG_IMG_NOT_RCVD_GOOG Google hosted image but message not from Google
+#score GB_GOOG_IMG_NOT_RCVD_GOOG 2.500 # limit
+##} GB_GOOG_IMG_NOT_RCVD_GOOG
+
##{ GEO_QUERY_STRING
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
#score HK_NAME_DRUGS 2
##} HK_NAME_DRUGS
-##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::FreeMail
-if (version >= 3.004000)
- meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
-# score HK_NAME_FM_MR_MRS 1.5
-endif
-endif
-##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
-
##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
tflags HK_SCAM publish
##} HK_SCAM
+##{ HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+meta HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
+endif
+##} HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
##{ HK_WIN
meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
##{ HOSTED_IMG_MULTI_PUB_01
-meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF
+meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO
describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
tflags HOSTED_IMG_MULTI_PUB_01 publish
##{ HTML_ENTITY_ASCII_TINY
-meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01
+meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO
describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
#score HTML_ENTITY_ASCII_TINY 3.000 # limit
tflags HTML_ENTITY_ASCII_TINY publish
##{ HTML_FONT_TINY_NORDNS
-meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_01 && __RDNS_NONE
+meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID
describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
-#score HTML_FONT_TINY_NORDNS 1.500 # limit
+#score HTML_FONT_TINY_NORDNS 2.000 # limit
##} HTML_FONT_TINY_NORDNS
##{ HTML_OFF_PAGE
uri LIVEFILESTORE m~livefilestore.com/~
##} LIVEFILESTORE
+##{ LONGLN_LOW_CONTRAST
+
+meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY
+describe LONGLN_LOW_CONTRAST Excessively long line + hidden text
+#score LONGLN_LOW_CONTRAST 2.500 # limit
+##} LONGLN_LOW_CONTRAST
+
##{ LONG_HEX_URI
meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
#score LOTTO_AGENT 1.50 # limit
##} LOTTO_AGENT
+##{ LOTTO_DEPT
+
+meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT
+describe LOTTO_DEPT Claims Department
+#score LOTTO_DEPT 2.00 # limit
+##} LOTTO_DEPT
+
##{ LUCRATIVE
meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
tflags MILLION_HUNDRED publish
##} MILLION_HUNDRED
-##{ MILLION_USD
-
-body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
-describe MILLION_USD Talks about millions of dollars
-#score MILLION_USD 2
-##} MILLION_USD
-
##{ MIMEOLE_DIRECT_TO_MX
meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
tflags MONERO_PAY_ME publish
##} MONERO_PAY_ME
-##{ MONEY_ATM_CARD
-
-meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
-describe MONEY_ATM_CARD Lots of money on an ATM card
-##} MONEY_ATM_CARD
-
##{ MONEY_FORM
meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
#score MONEY_FROM_MISSP 2.000 # limit
##} MONEY_FROM_MISSP
-##{ MONEY_NOHTML
-
-meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN
-describe MONEY_NOHTML Lots of money in plain text
-#score MONEY_NOHTML 2.500 # limit
-##} MONEY_NOHTML
-
##{ MSGID_DOLLARS_URI_IMG
meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
#score MSGID_MULTIPLE_AT 0.001
##} MSGID_MULTIPLE_AT
-##{ MSGID_WSP_TRAIL
+##{ MSGID_NOFQDN1
-header MSGID_WSP_TRAIL Message-ID:raw =~ /< [^>]* \s > [^<>]* \z/xm
-describe MSGID_WSP_TRAIL Trailing whitespace before '>' in Message-ID header
-##} MSGID_WSP_TRAIL
+meta MSGID_NOFQDN1 __MSGID_NOFQDN1
+describe MSGID_NOFQDN1 Message-ID with no domain name
+##} MSGID_NOFQDN1
##{ MSMAIL_PRI_ABNORMAL
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE
-##{ NAME_EMAIL_DIFF
-
-meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
-describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
-##} NAME_EMAIL_DIFF
-
##{ NA_DOLLARS
body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
##} NEWEGG_IMG_NOT_RCVD_NEGG
+##{ NEW_PRODUCTS
+
+meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY
+#score NEW_PRODUCTS 1.250 # limit
+tflags NEW_PRODUCTS publish
+##} NEW_PRODUCTS
+
##{ NICE_REPLY_A
meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
tflags NICE_REPLY_A nice
##} NICE_REPLY_A
+##{ NORDNS_LOW_CONTRAST
+
+meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED
+describe NORDNS_LOW_CONTRAST No rDNS + hidden text
+#score NORDNS_LOW_CONTRAST 2.500 # limit
+##} NORDNS_LOW_CONTRAST
+
##{ NOT_SPAM
body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY
-##{ NUMBEREND_LINKBAIT
-
-meta NUMBEREND_LINKBAIT __NUMBEREND_TLD && __LCL__KAM_BODY_LENGTH_LT_1024 && __BODY_URI_ONLY
-describe NUMBEREND_LINKBAIT Domain ends in a large number and very short body with link
-#score NUMBEREND_LINKBAIT 1.0 # limit
-##} NUMBEREND_LINKBAIT
-
##{ OBFU_BITCOIN
meta OBFU_BITCOIN __OBFU_BITCOIN
endif
##} OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-##{ ONLINE_MKTG_CNSLT
-
-body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i
-##} ONLINE_MKTG_CNSLT
-
-##{ ORDER_TODAY
-
-meta ORDER_TODAY __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML)
-describe ORDER_TODAY Get your order in now!
-#score ORDER_TODAY 2.500 # limit
-##} ORDER_TODAY
-
##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#score PDS_FRNOM_TODOM_NAKED_TO 1.5
##} PDS_FRNOM_TODOM_NAKED_TO
-##{ PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta PDS_FROM_2_EMAILS_SHRTNER (__PDS_URISHORTENER || __URL_SHORTENER) && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
-describe PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
-#score PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
-endif
-endif
-##} PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
##{ PDS_FROM_NAME_TO_DOMAIN
meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
##} PDS_RDNS_DYNAMIC_FP
-##{ PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta PDS_SHORTFWD_URISHRT_FP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __PDS_MSG_512
-describe PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
-#score PDS_SHORTFWD_URISHRT_FP 1.5 # limit
-endif
-endif
-##} PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-##{ PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta PDS_SHORTFWD_URISHRT_QP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !PDS_SHORTFWD_URISHRT_FP
-describe PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
-#score PDS_SHORTFWD_URISHRT_QP 1.5 # limit
-endif
-endif
-##} PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
tflags PHP_SCRIPT_MUA publish
##} PHP_SCRIPT_MUA
+##{ POSSIBLE_AMAZON_PHISH_02
+
+meta POSSIBLE_AMAZON_PHISH_02 (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO)
+##} POSSIBLE_AMAZON_PHISH_02
+
##{ POSSIBLE_APPLE_PHISH_02
meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
tflags RDNS_NUM_TLD_XM publish
##} RDNS_NUM_TLD_XM
-##{ READY_TO_SHIP
-
-body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock)|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|store)|just arrived in our warehouse|we will (?:contact the (?:warehouse|logistics) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our warehouse)/i
-#score READY_TO_SHIP 1.250 # limit
-##} READY_TO_SHIP
-
##{ REPLYTO_EMPTY
header REPLYTO_EMPTY Reply-To =~ /<>/
##{ REPTO_419_FRAUD
-header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|longchii|mavis_wanczyk|qfdonation))\@126\.com|(?:(?:a(?:aronmichaels005|lfredcheuk_yuchow)|ehagler|google_promoaward0?|istarsolar|joeblp|microsoft(?:_office16|award01)|panyawein|wong(?:_shiu(?:09|2016)|shiu_ki)))\@163\.com|(?:(?:navas1|ray\-thomas7h))\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:(?:mr\.tonyelumelu|r(?:emittancedept001|ussia2018worldcuplotto5)))\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:a\.aktr|c(?:arlos\.adan|entralbank_malaysia2)|infovsa|maria\.louge|sarahjiwooali|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:adainis|jessikasingh|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|m(?:softgbcmanager|undo\.europe)|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:garry\.quinlan)\@australiamail\.com|(?:(?:traoreahmed|zetiaziz))\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:alerts\-noreply)\@bis\.org|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:executivedirector)\@box\.az|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:drbenardsani\.nnpc)\@bsgcpk\.com|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:rim43505)\@cantv\.net|(?:duncanttodd)\@centrum\.cz|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:blythemasters)\@digitalassetholding\.org|(?:(?:diplomaticagent11|jentwistle90))\@diplomats\.com|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:no\-reply)\@economizar-na-web\.com\.br|(?:(?:denbrink|kathy_gerald1965|megaclaimcenter))\@email\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:notice)\@fnb\.co\.za|(?:info)\@fnconsultant\.biz|(?:(?:atmofficeauthoriza|captain\.lucasadam|e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00|worldauthorization))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:o(?:ctaviancm|rlando\.bloom))\@gmx\.co\.uk|(?:(?:a(?:hmet\.broker|lliance\.consultant)|f(?:aridaomar|er3nrod1512)|johnson\.douglas|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:ben\.malbon)\@googlefps\.co\.uk|(?:m\.johnson10012)\@googlemail\.com|(?:larrypage)\@gpa-team\.com|(?:ceo)\@gpromo-team\.com|(?:sundarpichai)\@gpromoteam\.com|(?:sundarpichai)\@gpromoteamuk\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:williamsdavid_3r)\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:01)\@imf-org\.org|(?:chrisdodgshun)\@inbound\.plus|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:janetyellenoffice|off(?:er2021|iceme)))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sgt\.dave)\@inmano\.com|(?:baankston)\@instruction\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:wbuk0[13])\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:deqishanmedical1)\@localnet\.com|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:fanliangjen)\@mail\.china\.com|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|eddy_haryono|ghazal\-a|info\.federalreserve\.org|kateclough1|mriamchombo1968|nancyvee80|ren\.deqi212))\@mail\.com|(?:williamsdawson)\@mail\.com\.tr|(?:(?:ayishagddafio|david\.onyeoma\.74|hmtreasyru\.ng|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:brantwbishop)\@mailbox\.org|(?:epowerball)\@mailbox\.sk|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:rbi\-e)\@mit\.tc|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:paul\.chang)\@msn\.com|(?:enquiry)\@multiplysearch\.com|(?:cadpayout01)\@my\.com|(?:(?:contactmee|ministersoffinance))\@mynet\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:turkish\-air)\@outlook\.com\.tr|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams|rohitjain0))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:united\.globeawardoffice)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:jamesmr\.monday)\@rocketmail\.com|(?:(?:g(?:loriacmackenzie001|mackenzie001)|monicatorres001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:vera)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:swat)\@sltdchambers\.com|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:contact\.hmrc\.gov\.uk)\@sudhisalooja\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:veronicabright)\@terra\.com\.pe|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:drew)\@ton\.net\.ru|(?:itpark01)\@tpg\.com\.au|(?:bobby\.william)\@tradent\.net|(?:info)\@treasury-departmentdc\.twomini\.com|(?:info)\@treasury-usa\.3eeweb\.com|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:vankoning)\@volny\.cz|(?:holt1231)\@w\.cn|(?:infos)\@walmart\.com|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:b(?:\-calebfirm2007|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:grahamjoneschambers)\@wildblue\.net|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:stephaniehans\.euromillionlottery)\@yahoo\.be|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|bobwatson92|fundyawa2014|j(?:effwilliam207|oe_modisen)|lloydsbanksb|owengreen70|rebeccajoe98|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|lordsmartin|revlarrutycoker2015|thomaspeter227|zhu\.shumin))\@yahoo\.com\.hk|(?:imf_office_agent)\@yahoo\.com\.my|(?:(?:dr\.pauljames110|jessicp1))\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:(?:contactus88\-00|jflangvm5nshyazyo7si6jfuqah6jsldw2kw6c2t|lmj82717|m(?:r\.angelabenjamin|srangelabne32)))\@yahoo\.es|(?:(?:charlinebebe22|fortinsandrine|rita_will001))\@yahoo\.fr|(?:maktoum\.shasher)\@yahoo\.pt|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:jayanderson)\@yccaifuu\.com|(?:(?:alfred_cheuk_chow|friedrich_mayrh1|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|feliciamagi|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
+header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:m\.johnson10012)\@googlemail\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:hre187390|re(?:em\.alhashimi|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:benaffleck1977)\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD 3.000
tflags REPTO_419_FRAUD publish
##{ REPTO_419_FRAUD_AOL
-header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|aromartins|f\.2[06]|ljaber111|meliageorge|n(?:d(?:_bley|rew_hans)|ttilimarim)|rthur\.alan)|b(?:aanidleewy|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|ristinabruno38|ustom_service58)|d(?:avid(?:\.kms|opatry)|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|no(?:rmapatto|tification\.notification)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|r(?:achel_wat2|oyalpalace2018)|s(?:afiiagadafi|gt\.gillianj200|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|w(?:attson\.renwick|ebank244|issam\.haddad|u\.xiabk)|yurdaaytarkan5|zeti\.aziz))\@aol\.com$/i
+header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:aanidleewy|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i
describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL 3.000
tflags REPTO_419_FRAUD_AOL publish
##{ REPTO_419_FRAUD_CNS
-header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|legacylawfirmdakar|m(?:iguel\-pinto|orrisherb)|owenschamber|santiagosegur|t(?:eo\.westin|he\.trustees1?|rustees202000)|westernunion1659))\@consultant\.com$/i
+header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|t(?:eo\.westin|he\.trustees1|rustees202000)))\@consultant\.com$/i
describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_CNS 3.000
tflags REPTO_419_FRAUD_CNS publish
##{ REPTO_419_FRAUD_GM
-header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|41speedlinkdelivery|7912richardtony|a(?:b(?:d97412345|u(?:lkareem461|shadi0004))|c(?:aalzz11|count\.optionsmr\.jonasarmstrong|e(?:alss11|cere001))|d(?:esilgon77|iallo\.boa)|erofilxeport|gent\.laryedwad|isha(?:1976algaddafi|gaddafiaam)|jaminamo|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:ander(?:daisy911|peterson4499)|hoffman3319|smithznn)|ghafrij13|hajarb|lenholden121|nizmaria|ure\.wawrenka1472)|m(?:b\.w\.stuart\.symington|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|tasomda))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|ianbae1010|sistance7agent)|t(?:m(?:mastercard41|office929)|tohlawoffice\.tg)|w1614860|yevayawovi190|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|r(?:\.(?:charles(?:1954|office)|martinrichard)|ister(?:\.fidelisokafor|lordruben94)|ubenjames)|teld\.huisman01))|bongo593|c0996013|e(?:linekra1|n(?:ezero392|jaminsarah195))|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112|ianmoynih00)|uff(?:ettwarrene21|ookj))|c(?:a(?:ixaseguros9810001|mluba2017|r(?:eisu98|l(?:os\.s\.helux|thomos)|twrighttownhomesllc))|bnatm847|claimsa|e(?:li(?:cerez|neroullier(?:200|nm))|ntraltrustlltd)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|i(?:enk(?:raymond|wongp)|mwiakim))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|fakhrialsalabi(?:01)?|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|inchrisweir50|mohmanairf|o(?:mbasjuan53|nelsaad00))|mpensationcommitteboard|n(?:sult(?:ancy64|matthias|sto\.u)|tact(?:\.kolason|ad00[04]))|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel(?:35508109|zulu11)|nydan24532)|v(?:i(?:d(?:\.loanfirm18|ibe718|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98)|ychan1970))|c(?:layconsult|ole77032)|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|hill27676|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomat(?:\.john\.clerke|sshenry)))|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|wilsonpaul02)|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|o(?:vieogor1|wenfrederick))|u(?:a1155a|nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|d(?:runity|winfreeman22)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|ailpostlink09|efiele(?:328|g757)|ilyrichmond391)|r(?:enakgeorge123|ioncarter\.private)|ssexlss1|vgpatmow)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49(?:666|966)|k49666)|j569282|l(?:556249|aurentdz40|uhmann\.dn)|mb\.agent|o(?:ropunionbank|undations\.west)|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|wangg)|laurarivera)))|bbankny\.gov|e(?:derick\.colemanesq|elottosweepstake51))|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|r(?:ethbull112016|yakinson121))|bill4880|e(?:n(?:\.ahmedmsksi|eral(?:abdulrazak|williamstony990))|orgekwame481|r(?:aldjhjh11|tjanvlieghe787))|g780904|i(?:idp955|lbert12oook)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219)|vgodwinemefiele111)|r(?:ace(?:jackmanwoods|obia001)|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:old\.dia1100|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|lpdesk47321)|gold8080|heba\.hhassan207|i(?:ldad837|toshurui)|klee\.mike|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|bed627|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|questiondesk|ulmusau)|64240|98cbnoffice7|a(?:prl06|sminternationalpk)|dessk\.dfwairportonline|fdrserve)|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|smailtarkan533|terryoffice)|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:husmansdesk2240|okoh82))|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:ff(?:deandk2|erydean1960)|nniannjhsonn|ssikasingh4)|imyang977|k3311131|mpowellfr|o(?:e(?:dward023|kendal540|lmodisen)|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:esandassociates68|monkssa)|s(?:ephacevedo024|ianeangenor)|y(?:ce00011|mrskone5))|rawlings007|s4fernado|uliet\.le(?:222|e2222)|w6935997)|k(?:a(?:lstromjames3|malnizar000|rabo\.ramala39|t(?:ebaronbarr|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mck(?:ay1980|enziejr)|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|wrencefoundation30)|blackshirepm|e(?:ndfair\.co\.uk1|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|xiung(?:l48|9))|john6132|o(?:g(?:anntomas|eengen)|rrainewirengee|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ck(?:enzbezos|oliver324)|incare655|jor(?:dennishornbeck53|townsend01)|k(?:altschmidt|toumsheikhhasher)|n(?:duesq58|fran630|uelfranco(?:727|foundation0))|r(?:cusdembialomr|i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|nacoleman84|opabl26)|k(?:roth456|uses200)|y(?:franson56|jify00aaz01))|s(?:onmanny05|pencer5151)|t(?:hewriaanza|twilly3)|u(?:noveutileina|rhinck11?)|viswanczyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz)|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:lagolan|vidabullock5)|nnss01)|gfrederick80|husameddine|i(?:c(?:he(?:alwuu002|lintagro)|paulla|w954)|k(?:edawson1960s|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|nfin\.gv|ss(?:\.melisa\.mehmett|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus)|nmalarge|o(?:ham(?:edabdul1717|madraqab00)|rienkal30)|r(?:\.(?:justinmaxwell09|lusee|wlsonkabore)|7672900|cjames001|d517341|ericfranck|fabianchukwu|hanimuhammad627|jamesmc6|martine80|paulfrank01|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|olsenjanett|patarkatsishvili|susanread12)|a(?:ishaalqadafi1976|ngela454)|g(?:ezeria|racewoods70)|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|nicolefr1marios|r(?:obinsanders185|uthsmith9900)|s(?:arahbenjamin103|ophiac)|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|liviemorgan4|marinyandeng|nufoundationclaims|pcwkdw|swald\.l(?:\.lewis|ewwis)|vieogor1)|p(?:\.compton101|a(?:storfrancesco1|trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018)|ymentofficer14)|brookk0|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|illip\.richead218)|i(?:eterstevens511|lz37754)|o(?:lloke|wellmrwilliam)|r(?:esleybathini1|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|frankjackson91))|i(?:ch(?:ard(?:lustig4u|w(?:ahl511|illis815))|lawandds)|tawilliams4141)|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|e(?:kipkalya934|tam00)))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ssiaworldcuppromo|thmporat1\"))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1|ydouthiebaconsultant)|g\.offiice\.group|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|e(?:ikhalmaktoum79|ry(?:\.gtl131|etr03))|inawatrathaksin93)|i(?:lverlakeconsultant|mlkheng5)|krause680|l5342743|o(?:fia\.adams201|u(?:rcingloggs|thwsltd))|peelman1972|rfredericodehernandez|sdt224|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|leiman\.cbnn|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy21gill|y(?:ebsouami0|lorcathy362))|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|bigbiglottowinning77|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|ransfermoney21\.2|tkhan69s)|u(?:babankbjplc|dregwqr|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|d232633|i(?:elandherzog\.sw\.herad16|ge122|ll(?:clark2618|iamrobert3852|update123))|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i
+header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|a(?:b(?:d97412345|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976algaddafi|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|w1614860|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj))|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel35508109|nydan24532)|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|kj(?:ane984|wangg)))|eelottosweepstake51)|spero80|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|rethbull112016)|bill4880|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:rryebert101|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:enadamsidaho|pdesk47321))|gold8080|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mfgrantinter|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|ulmusau)|64240|asminternationalpk|dessk\.dfwairportonline|fdrserve)|gridrolle2)|smailtarkan533)|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:fferydean1960|nniannjhsonn)|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|sephacevedo024|yce00011)|rawlings007|s4fernado|w6935997)|k(?:a(?:malnizar000|rabo\.ramala39|t(?:ebaronbarr|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|wrencefoundation30)|blackshirepm|erynne(?:0west99|west2289)|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|nelink008)|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|n(?:duesq58|fran630|uelfranco(?:727|foundation0))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26)|kroth456|tinamayer903|yfranson56)|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|kh(?:\.fridman|ai(?:\.fridman261|lfridm32))|ss(?:\.melisa\.mehmett|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus)|nmalarge|ohamedabdul1717|r(?:\.(?:justinmaxwell09|lusee)|cjames001|d517341|ericfranck|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|frankjackson91))|ichard(?:lustig4u|w(?:ahl511|illis815))|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|ussiaworldcuppromo)|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|tireneb2)|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|imlkheng5|op(?:adam3|hiajesse41)|peelman1972|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:ay(?:ebsouami0|lorcathy362)|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|i(?:elandherzog\.sw\.herad16|ll(?:clark2618|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|ousefzongo5722)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##{ REPTO_419_FRAUD_HM
-header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|nikal01|zezul\.idrisazezulidris)|benarnault0|c(?:ecilekaramoko123|hoi21)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|fanliangjen2|gen\.dmathokdiigwol|infos(?:43|8)|katabettencourt2018|l(?:\.b120k|e(?:a_edem|wisarm44)|imfu201677|ulihongm)|m(?:cliffmomah998|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.roselinejac|elizabetmk|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|p(?:atrickmullinfinaceservs|owen10001)|s(?:ajda\.andleeb|gthansencs|tephenbettinger|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
+header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|choi21|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|smicheleallison2003)|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|s(?:ajda\.andleeb|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##{ REPTO_419_FRAUD_OL
-header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:a(?:23423|lexandermason)|brahamwilliamsonrpsltduk|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7)|utoresponds)|b(?:a(?:r(?:bayo_jacobs|claysplc2016)|sidris)|etty\.c_investment|illgfile203|riam8molefe)|c(?:bforeignremitdept|harlie\.j\.goodmand|o(?:l\.(?:airforce\.saadwarfali|warfalisaadairforce)|mpensationfunding))|d(?:eborahleeconsult|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|gbplc3|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|jonah\.ot|mduku|s(?:\.coraluttah|_elizabeth20|michelleallison|roseallen)|vitaloadams)|spvt2020)|p(?:aul(?:\.walter120|blakey05)|hilcohen0012)|qanejmhffgg|r(?:c19691|ichardwahlfreegrant)|s(?:aaman10|gi2019|ilverlakeconsultantllc|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i
+header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:brahamwilliamsonrpsltduk|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|kaujong|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|richardwahlfreegrant|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##{ REPTO_419_FRAUD_PM
-header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
+header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_PM 3.000
tflags REPTO_419_FRAUD_PM publish
##{ REPTO_419_FRAUD_QQ
-header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528)|751232036)|3(?:323469072|523284224)|a(?:gent(?:markruben_fbi|promofficer)|kia\.j55)|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|s(?:abrinacrawford000|hu60w)|treasury_deptment0|wang_cjianlin))\@qq\.com$/i
+header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1731419584|2(?:032508290|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|l\.valiant|peterwong20177|qatarfoundation01|wang_cjianlin))\@qq\.com$/i
describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_QQ 3.000
tflags REPTO_419_FRAUD_QQ publish
##{ REPTO_419_FRAUD_YH
-header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|l(?:berts\.odia|esiakalina2006)|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.(?:dennis11|marcus)|lawrencefubara39|william_davies))|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|im\.w|jackson65)|juan852|o(?:llins(?:mattew32|wayne84)|mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|i(?:aanesoto190|plomaticagent180)|r(?:\.aminramli|_raymondfung|victorobaji))|e(?:dwarddawson|ricalbert24)|f(?:aizaadama2016|bicompensation_funds|ederal\.r73|id00180)|g(?:ov\.ukmessageboard|raham\.eddie2016|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:111mail|bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|ne(?:_ooparah|temoon150))|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90))|yle_grubbe)|l(?:e(?:a_edem13|ge331|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|y_cheapiseth(?:11|2019))|m(?:arie_avis12|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:kellyayi62|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2|orahuz1960)|o(?:fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:a(?:ckerkelvin|yus123x)|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|se(?:mary\.3as|richard655)))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|opheap\.munny|pwalker101|sgt\.bethany|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|iamsimon(?:22|521))|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
+header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|victorobaji))|ericalbert24|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|orrainewirengee|y_cheapiseth(?:11|2019))|m(?:a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|willclark0010|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
##{ REPTO_419_FRAUD_YJ
-header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73|n(?:gelinarichardson01|ita(?:kirkweeks45|usarpac)))|b(?:a(?:lmaa1115|rrevansthomas213)|ealife4god|gsblcagent|nchmclaw)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|ssicajlavoie|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|ktbradley|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficialinfoemail|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
+header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YJ 3.000
tflags REPTO_419_FRAUD_YJ publish
##{ REPTO_419_FRAUD_YN
-header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lsharibi|m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|clemlau|diezanimadueke|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments|uzhongjun\.director)|g(?:\.anniversary(?:101)?|add4fi\.aisha)|hhalesbbanddd?|irenaa\.georgiadou|j(?:efrey(?:\-dean|\.dean11)|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|kenhamberlet|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\-(?:jos\.martins|robert\-patrick\.patrick)|\.kongkea|akram\.elkerrami|spercy))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|hilipfen778|ri(?:ncedarren0244|vatemail24)|ullmanrb)|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|omss\.smith|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iamsimon1960))|za\.dc2016))\@yandex\.com$/i
+header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|clemlau|dejongpeter|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i
describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YN 3.000
tflags REPTO_419_FRAUD_YN publish
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS
-##{ SCC_NEWBIE_HASBEENS
-
-describe SCC_NEWBIE_HASBEENS Abused gTLDs seen in spam from Google Apps.
-header SCC_NEWBIE_HASBEENS X-Beenthere =~ /\.(today|online|monster)/
-##} SCC_NEWBIE_HASBEENS
-
##{ SCRIPT_GIBBERISH
meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
tflags SHORTENER_SHORT_IMG publish
##} SHORTENER_SHORT_IMG
-##{ SHORTENER_SHORT_SUBJ
-
-meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO
-describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject
-#score SHORTENER_SHORT_SUBJ 3.000 # limit
-##} SHORTENER_SHORT_SUBJ
-
-##{ SHORT_BODY_G_DRIVE_DYN
-
-meta SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE_DYN
-describe SHORT_BODY_G_DRIVE_DYN Short body with Google Drive link and dynamic looking sender
-#score SHORT_BODY_G_DRIVE_DYN 1.5 # limit
-##} SHORT_BODY_G_DRIVE_DYN
-
##{ SHORT_HELO_AND_INLINE_IMAGE
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
##} SHORT_TERM_PRICE
-##{ SINGLETS_LOW_CONTRAST
-
-meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
-describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
-tflags SINGLETS_LOW_CONTRAST publish
-##} SINGLETS_LOW_CONTRAST
-
##{ SPAMMY_XMAILER
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
##} STOCK_IMG_OUTLOOK
-##{ STOCK_LOW_CONTRAST
-
-meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
-describe STOCK_LOW_CONTRAST Stocks + hidden text
-#score STOCK_LOW_CONTRAST 2.500 # limit
-tflags STOCK_LOW_CONTRAST publish
-##} STOCK_LOW_CONTRAST
-
##{ STOCK_PRICES
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
##} STOX_AND_PRICE
+##{ STOX_BOUND_090909_B
+
+header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s
+##} STOX_BOUND_090909_B
+
##{ STOX_REPLY_TYPE
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
##{ SUBJECT_NEEDS_ENCODING
meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
-describe SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the encoding
+describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters
##} SUBJECT_NEEDS_ENCODING
+##{ SUBJ_BRKN_WORDNUMS
+
+#score SUBJ_BRKN_WORDNUMS 1.500 # limit
+describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
+##} SUBJ_BRKN_WORDNUMS
+
+##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
+
+if !plugin(Mail::SpamAssassin::Plugin::DKIM)
+ meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS
+endif
+##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
+
##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
- describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
endif
##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
-##{ SUBJ_UNNEEDED_HTML
+##{ SUBJ_OBFU_LOW_CNTRST
-meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
-describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
-##} SUBJ_UNNEEDED_HTML
+meta SUBJ_OBFU_LOW_CNTRST (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED
+describe SUBJ_OBFU_LOW_CNTRST Subject obfuscation + hidden text
+#score SUBJ_OBFU_LOW_CNTRST 2.500 # limit
+##} SUBJ_OBFU_LOW_CNTRST
+
+##{ SUSP_UTF8_WORD_SUBJ
+
+meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
+describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
+#score SUSP_UTF8_WORD_SUBJ 2.000 # limit
+##} SUSP_UTF8_WORD_SUBJ
##{ SYSADMIN
tflags TAGSTAT_IMG_NOT_RCVD_TGST publish
##} TAGSTAT_IMG_NOT_RCVD_TGST
+##{ TARINGANET_IMG_NOT_RCVD_TN
+
+meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN
+#score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit
+describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net
+tflags TARINGANET_IMG_NOT_RCVD_TN publish
+##} TARINGANET_IMG_NOT_RCVD_TN
+
##{ TBIRD_SUSP_MIME_BDRY
meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
tflags TO_EQ_FM_DIRECT_MX publish
##} TO_EQ_FM_DIRECT_MX
-##{ TO_EQ_FM_DOM_HTML_IMG
+##{ TO_EQ_FM_DOM_HTML_ONLY
-meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
-describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
-##} TO_EQ_FM_DOM_HTML_IMG
+meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
+describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
+##} TO_EQ_FM_DOM_HTML_ONLY
##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
tflags TO_NAME_SUBJ_NO_RDNS publish
##} TO_NAME_SUBJ_NO_RDNS
+##{ TO_NO_BRKTS_DYNIP
+
+meta TO_NO_BRKTS_DYNIP __TO_NO_BRKTS_DYNIP && !__NAME_IS_EMAIL && !__MSGID_OK_HEX && !__UNSUB_LINK && !__THREADED && !__RCD_RDNS_MX_MESSY && !__COMMENT_EXISTS && !__MUA_TBIRD && !__CD && !__ML1 && !__RP_MATCHES_RCVD && !__SUBSCRIPTION_INFO && !__HAS_THREAD_INDEX && !__IS_EXCH
+describe TO_NO_BRKTS_DYNIP To: lacks brackets and dynamic rDNS
+##} TO_NO_BRKTS_DYNIP
+
##{ TO_NO_BRKTS_FROM_MSSP
meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER
describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification"
##} TVD_PH_BODY_ACCOUNTS_PRE
-##{ TVD_PH_BODY_META
-
-meta TVD_PH_BODY_META __TVD_PH_BODY_META
-##} TVD_PH_BODY_META
-
##{ TVD_PH_REC
body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
describe TVD_SPACE_ENCODED Space ratio & encoded subject
##} TVD_SPACE_ENCODED
+##{ TVD_SPACE_ENC_FM_MIME
+
+meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM
+#score TVD_SPACE_ENC_FM_MIME 2.000 # limit
+describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed
+##} TVD_SPACE_ENC_FM_MIME
+
##{ TVD_SPACE_RATIO_MINFP
meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
endif
##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
-
-if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
- meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
- describe T_ANY_PILL_PRICE Prices for pills
-endif
-##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
-
##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
endif
##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
+
+ifplugin Mail::SpamAssassin::Plugin::HeaderEval
+header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
+describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
+endif
+##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
+
##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
endif
##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-##{ T_FORGED_RELAY_MUA_TO_MX
-
-header T_FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
-##} T_FORGED_RELAY_MUA_TO_MX
-
##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
endif
##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
-##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
-
-ifplugin Mail::SpamAssassin::Plugin::FreeMail
- meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
- describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
-endif
-##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
-
##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
endif
##} T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
+##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && ( __PDS_URISHORTENER || __URL_SHORTENER ) && FREEMAIL_FROM )
+ describe T_GB_WEBFORM Webform with url shortener
+# score T_GB_WEBFORM 1.500 # limit
+endif
+##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
endif
##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
+##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+if (version >= 3.004000)
+ meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
+# score T_HK_NAME_FM_MR_MRS 1.5
+endif
+endif
+##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
+
##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
endif
##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
-##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-
-ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
-endif
-##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-
##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
endif
##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta T_PDS_FROM_2_EMAILS_SHRTNER (__PDS_URISHORTENER || __URL_SHORTENER) && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
+describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
+#score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
+endif
+endif
+##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
endif
##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta T_PDS_SHORTFWD_URISHRT_FP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __PDS_MSG_512
+describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
+#score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit
+endif
+endif
+##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta T_PDS_SHORTFWD_URISHRT_QP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP
+describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
+#score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit
+endif
+endif
+##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
endif
##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+##{ T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta T_XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER
+describe T_XPRIO_URL_SHORTNER X-Priority header and short URL
+#score T_XPRIO_URL_SHORTNER 1.0 # limit
+endif
+endif
+##} T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
endif
##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
-##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
-
-if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
- meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
- describe T_ZW_OBFU_FREEM Obfuscated text + freemail
-# score T_ZW_OBFU_FREEM 2.000 # limit
-endif
-##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
-
##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
tflags URI_DATA publish
##} URI_DATA
-##{ URI_DEOBFU_INSTR
-
-meta URI_DEOBFU_INSTR __URI_DEOBFU_INSTR && !__MSGID_OK_HOST
-describe URI_DEOBFU_INSTR How to deobfuscate this URI
-##} URI_DEOBFU_INSTR
-
##{ URI_DOTEDU
meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
##{ URI_GOOG_STO_SPAMMY
-uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|5a70f8147b2241c|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|d(?:t100visa|vanced1500)|geless(?:brain|t001)|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|ath(?:and777|bhow98|dfgdfgdfh|rooomlki)|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ueprintms0?)|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader0[48])))|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf)|rrectskin|verageinsu)|reative14141)|d(?:e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy0icits)|trega)|rec(?:01tions|tiledysfunction)|talsprcious|vent(?:0saves01?|save010?)|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|luster|old(?:ii00215|trust00)|r(?:fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1|protection7))|ympro22)|h(?:dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rply(?:24701|y0012))|ome(?:9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|le(?:0(?:1ed|541)|24700|77en|health475)|ttress0707)|e(?:dica(?:lsupplies|r(?:0085|123n|df747))|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|len(?:hsances?|shsance0s)|o(?:n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho01to001|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:adclub11|grow101|n(?:ewlaemailved|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|ingsevent)|ylife004)|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|outhbeach(?:001|skin)|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909)|h(?:e(?:photostick2804|rasleeves|unbreakable)|opinall)|innitus(?:102|new911)|o(?:enailfungus|pinal)|r(?:a(?:balhos|nslato10)|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|sbmosquito)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ightloss(?:005|newketo)|llgrove90)|i(?:fibooster|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|zantacdedzef))/;i
+uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|5a70f8147b2241c|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|d(?:t100visa|vanced1500)|geless(?:brain|t001)|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news))))|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf)|rrectskin|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|talsprcious|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:lossn01k|ster)|old(?:ii00215|trust00)|r(?:fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1|protection7))|ympro22)|h(?:dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|le(?:0(?:1ed|541)|24700|77en|health475)|ttress0707)|e(?:dica(?:lsupplies|r(?:0085|123n|df747))|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:adclub11|grow101|n(?:ewlaemailved|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|innitus(?:102|new911)|o(?:enailfungus|pinal)|r(?:a(?:balhos|nslato10)|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|sbmosquito|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ightloss(?:005|newketo)|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|zantacdedzef))/;i
describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
#score URI_GOOG_STO_SPAMMY 3.000
tflags URI_GOOG_STO_SPAMMY publish
tflags URI_IMG_WP_REDIR publish
##} URI_IMG_WP_REDIR
+##{ URI_IN_URI_10
+
+uri URI_IN_URI_10 /(?::\/\/.*?){10}/
+describe URI_IN_URI_10 Multiple URIs inside URI
+##} URI_IN_URI_10
+
##{ URI_LONG_REPEAT
meta URI_LONG_REPEAT __URI_LONG_REPEAT
-describe URI_LONG_REPEAT Very long identical host+domain
+describe URI_LONG_REPEAT Long identical host+domain
#score URI_LONG_REPEAT 2.500 # limit
tflags URI_LONG_REPEAT publish
##} URI_LONG_REPEAT
tflags WALMART_IMG_NOT_RCVD_WAL publish
##} WALMART_IMG_NOT_RCVD_WAL
-##{ WANT_TO_ORDER
-
-body WANT_TO_ORDER /you (?:(?:would )?like|want|are interested|need|wish)(?: to| in)? (?:plac(?:e|ing) an order|order(?:ing)? (?:for )?(?:this|it|now|today|our \w+)|take one (?:or two )?(?:today|now))\b/i
-#score WANT_TO_ORDER 2.750 # limit
-##} WANT_TO_ORDER
-
##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
tflags XM_DIGITS_ONLY publish
##} XM_DIGITS_ONLY
+##{ XM_LIGHT_HEAVY
+
+meta XM_LIGHT_HEAVY __XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE
+describe XM_LIGHT_HEAVY Special edition of a MUA
+#score XM_LIGHT_HEAVY 2.500 # limit
+##} XM_LIGHT_HEAVY
+
##{ XM_PHPMAILER_FORGED
meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
ifplugin Mail::SpamAssassin::Plugin::DKIM
if !plugin(Mail::SpamAssassin::Plugin::SPF)
- meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
+ meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
endif
endif
##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
- meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
+ meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
endif
endif
##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
tflags XPRIO_SHORT_SUBJ publish
##} XPRIO_SHORT_SUBJ
-##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER
-describe XPRIO_URL_SHORTNER X-Priority header and short URL
-#score XPRIO_URL_SHORTNER 1.0 # limit
-endif
-endif
-##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
##{ X_MAILER_CME_6543_MSN
header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
##} X_MAILER_CME_6543_MSN
-##{ YOUR_DELIVERY_ADDRESS
-
-body YOUR_DELIVERY_ADDRESS /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we need to know|let us know|(?:send|provide|tell|inform)(?: us)?(?: of)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific )?(?:(?:delivery |shipping |mailing |shipment |receiving )?address(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))/i
-#score YOUR_DELIVERY_ADDRESS 1.250 # limit
-##} YOUR_DELIVERY_ADDRESS
-
##{ YOU_INHERIT
meta YOU_INHERIT __YOU_INHERIT
describe YOU_INHERIT Discussing your inheritance
##} YOU_INHERIT
+##{ ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
+if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+ meta ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
+ describe ZW_OBFU_FREEM Obfuscated text + freemail
+# score ZW_OBFU_FREEM 2.000 # limit
+endif
+##} ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
##{ bayes_ignore_header_sandbox
bayes_ignore_header X-ACL-Warn
reuse __PDS_GOOGLE_DRIVE_FILE
reuse __SHORT_BODY_G_DRIVE
reuse __SHORT_BODY_G_DRIVE_DYN
-reuse SHORT_BODY_G_DRIVE_DYN
-reuse FROM_NAME_EQ_TO_G_DRIVE
+reuse T_SHORT_BODY_G_DRIVE_DYN
+reuse T_FROM_NAME_EQ_TO_G_DRIVE
##} reuse_sandbox
meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
+header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
+
uri __64_ANY_URI m;[/?]\w{64,}$;i
body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\//
-rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
+rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/
header __AXB_MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/
+header __AXB_MO_OL_2600 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/
+
header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
header __AXB_XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/
+header __AXB_XM_OL_2600 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
+
body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
body __BANK_DRAFT /\bbank\sdraft/i
body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i
+meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE
+
body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i
body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i
endif
endif
+meta __FACEBOOK_IMG_NOT_RCVD_FB __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK
+
body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/
+header __FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
+
meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
-meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
-
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
tflags __FOR_SALE_LTP multiple maxhits=11
meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
endif
+header __FROM_NAME_AMAZONCOM From:name =~ /\bamazon\.com\b/i
+
header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i
header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i
header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
endif
+meta __GAPPY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __GAPPY_SUBJECT
+
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
tflags __GAPPY_SALES_LEADS multiple maxhits=3
header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i
+meta __GDRIVE_IMG_NOT_RCVD_GOOG __URI_IMG_GDRIVE && !__HDR_RCVD_GOOGLE
+
body __GHANA /\bghana\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
+meta __GPHOTO_IMG_NOT_RCVD_GOOG __URI_IMG_GPHOTO && !__HDR_RCVD_GOOGLE
+
body __HAS_ANY_EMAIL /\w@\S+\.\w/
uri __HAS_ANY_URI /^\w+:\/\//
header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status
+header __HAS_X_SENDER exists:X-Sender
+
header __HAS_X_SOURCE_DIR exists:X-Source-Dir
header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
tflags __HDR_CASE_REVERSED multiple maxhits=4
+header __HDR_ENVFROM_SHOPIFY X-Spam-Relays-External =~ /\shelo=\S+\.mailer\.shopify\.com\s(?:[^\]\s]+\s)*envfrom=\S+\.shopifyemail\.com\s/
+
header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/
+header __HDR_RCVD_BEBEE X-Spam-Relays-External =~ /\srdns=\S+\.bebee\.com\s/
+
header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
+header __HDR_RCVD_FACEBOOK X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/
+
header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/
+header __HDR_RCVD_TARINGANET X-Spam-Relays-External =~ /\srdns=\S+\.taringa\.net\s/
+
header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
endif
-meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT)
+meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && __URI_HOSTED_IMG
-meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT)
+meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && __URI_HOSTED_IMG
-meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT)
+meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG
-meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT) > 1
+meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE) > 1
if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
-if !plugin(Mail::SpamAssassin::Plugin::DKIM)
- meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN
-endif
-
-ifplugin Mail::SpamAssassin::Plugin::DKIM
- meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
-endif
+meta __HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)
rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
+rawbody __HTML_FONT_TINY_02 /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i
+
+meta __HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
+
rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __INHERIT_PMT /\binheritance\spayment\s/i
-meta __INR_AND_NO_REF (__XM_IMAIL || __XM_APPLEMAIL || __XM_COMMUNIG || __XM_EDMAX || __XM_ELM || __XM_EMUMAIL || __XM_EXMH || __XM_LOTUSN || __XM_MAILCITY || __XM_MAILSMITH || __XM_MSCDO || __XM_MSOUT || __XM_MIMETOOLS || __XM_OPERA6 || __XM_PEGASUS || __XM_QUALCOM || __UA_IMP || __UA_MSOEMAC || __UA_MSENTOUR || __UA_OPERA7)
-
body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
full __LONGLINE /^[^\r\n]{998}/m
+meta __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE
+
rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
-meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
-
meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM
meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
tflags __MSGID_LIST nice
+header __MSGID_NOFQDN1 Message-ID =~ /<[^\@]*>/m
+
header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
+body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i
+
body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i
body __NIGERIA /\bnigeria\b/i
+meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE
+
meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
tflags __NOT_A_PERSON nice
header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
-header __NUMBEREND_TLD From:addr =~ /\@[a-z]{2,}[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
-
header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./
-body __ORDER_TODAY /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i
-
body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/
-uri __PDS_GOOGLE_DRIVE_FILE /\/drive\.google\.com\/file/i
-
meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
-header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll)|m_l\.wanczyk|p(?:aulpollard|eterwong)|r(?:achel_wat|oyalpalace)|s(?:gt\.gillianj|pwalker)|usembassy|webank|yurdaaytarkan))\d+\@aol\.com$/i
+header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|lerynnewest|m_l\.wanczyk|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i
-header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:a(?:bu(?:lkareem|shadi)|c(?:aalzz|e(?:alss|cere))|desilgon|l(?:an\.austin|ber\.yang|ex(?:ander(?:daisy|peterson)|hoffman)|ghafrij|lenholden|ure\.wawrenka)|m(?:ericadeliverycomapny|inaltwaijiri)|n(?:dyfox|na(?:llee|sigurlaug))|radka|s(?:hwestwood|ianbae)|tm(?:mastercard|office)|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|r(?:\.charles|isterlordruben)|teld\.huisman))|bongo|e(?:linekra|n(?:ezero|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte|ianmoynih)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|elineroullier|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:l(?:\.fakhrialsalabi|inchrisweir|o(?:mbasjuan|nelsaad))|n(?:sultancy|tactad)|operation)|r(?:awfordgillies|istbrun?)|ustomerservicelacaixa)|d(?:a(?:nielzulu|v(?:i(?:d(?:\.loanfirm|ibe|larbi|pere|ramirez\.luis)|scarolyn|yax)|ychan))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|ipfrancis|minique|ona(?:ldwilliam|tionhelpercare)|r(?:\.wilsonpaul|davidrhama|joesimon|ovieogor)|unsilva)|e(?:benezero|christina|dwinfreeman|l(?:i(?:bethgomez|sabethmaria|zabethedw)|otocashoffice)|m(?:ailpostlink|efieleg?|ilyrichmond)|renakgeorge|ssexlss)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|laurentdz|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|kjane))|eelottosweepstake)|ulanlan)|g(?:00gleggewinner|a(?:brielkalia|ryakinson)|bill|e(?:neralwilliamstony|orgekwame|r(?:aldjhjh|tjanvlieghe))|iidp|l(?:enmoore|oriachow)|o(?:o(?:golteam|oglegwiinner)|vgodwinemefiele)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:old\.dia|ryebert)|sh(?:imyreem|mireem))|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo))|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:bed|n(?:fo(?:98cbnoffice|aprl)|gridrolle|ternationallppp)|smailtarkan)|j(?:a(?:cobmaseon|mes(?:husmansdesk|okoh)|vierlesme)|e(?:ff(?:deandk|erydean)|ssikasingh)|imyang|o(?:e(?:dward|kendal)|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|tanko|uba|walterlove|a)|nesandassociates|sephacevedo|ymrskone)|rawlings|uliet\.lee?)|k(?:a(?:lstromjames|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|n(?:mckay|nedy\.sawadogo))|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:ndfair\.co\.uk|rynne(?:0west|west))|i(?:amfinchus|liane\.bettencourt|n(?:elink|glung)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:ckoliver|incare|jor(?:dennishornbeck|townsend)|n(?:duesq|fran|uelfranco(?:foundation)?)|r(?:i(?:ahhills|nacoleman|opabl)|k(?:roth|uses)|y(?:franson|jify00aaz))|s(?:onmanny|pencer)|ttwilly|urhinck|viswanczyk(?:(?:foundation|k))?)|c\.cheadychang|dredban|e(?:lvidabullock|nnss)|gfrederick|i(?:c(?:healwuu|w)|khai(?:\.fridman|lfridm))|k(?:ent|untjoro)|o(?:ham(?:edabdul|madraqab)|rienkal)|r(?:\.justinmaxwell|cjames|hanimuhammad|jamesmc|martine|paulfrank|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:ishaalqadafi|ngela)|gracewoods|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin))|s(?:agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|liviemorgan|vieogor)|p(?:\.compton|a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|brookk|eter(?:\.waddell|guggi|kenin|stephen)|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|frankjackson))|i(?:chardw(?:ahl|illis)|tawilliams)|o(?:berthanandez|naldmorris|s(?:a\.gomes|e(?:kipkalya|tam)))|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|h(?:anemissler|e(?:ikhalmaktoum|ry(?:\.gtl|etr))|inawatrathaksin)|imlkheng|krause|ofia\.adams|peelman|sdt|tephentam|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:ay(?:ebsouami|lorcathy)|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|bigbiglottowinning|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:mc(?:hrist|rist(?:(?:donation|foundation))?)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|sdepartmentofjustice)|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|i(?:elandherzog\.sw\.herad|ge|ll(?:clark|iamrobert|update))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo)|z(?:enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
+header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:a(?:bu(?:lkareem|shadi)|cecere|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug))|radka|shwestwood|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|risterlordruben|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|ristbrun?|ustomerservicelacaixa)|d(?:avi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax)|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|otocashoffice)|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|kjane))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|abrielkalia|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|iidp|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:rryebert|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo))|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|ngridrolle|smailtarkan)|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|sephacevedo)|rawlings)|k(?:a(?:malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|erynne(?:0west|west)|i(?:amfinchus|liane\.bettencourt|nelink)|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|n(?:duesq|fran|uelfranco(?:foundation)?)|r(?:i(?:ahhills|opabl)|kroth|tinamayer|yfranson)|urhinck|viswan(?:czyk(?:(?:foundation|k))?)?)|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|khai(?:\.fridman|lfridm))|k(?:ent|untjoro)|ohamedabdul|r(?:\.justinmaxwell|cjames|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|fatimaamiraqureshi|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin))|s(?:agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|eter(?:\.waddell|guggi|kenin|stephen)|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|frankjackson))|ichardw(?:ahl|illis)|o(?:berthanandez|naldmorris|s(?:a\.gomes|ekipkalya))|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|gtireneb|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|imlkheng|op(?:adam|hiajesse)|peelman|tephentam|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:ay(?:ebsouami|lorcathy)|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:mc(?:hrist|rist(?:(?:donation|foundation))?)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|sdepartmentofjustice)|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|ousefzongo)|z(?:enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
-header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rr(?:ister\.dennis|lawrencefubara))|en(?:jaminb|nicholas)|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ollins(?:mattew|wayne)|ythiamiller\.un)|d(?:hamilton|i(?:aanesoto|plomaticagent))|ericalbert|f(?:aizaadama|ederal\.r)|graham\.eddie|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|ge|hman)|isarobinson_|y_cheapiseth)|m(?:arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|rkellyayi|unny(?:\.sopheap|_sopheap))|n(?:estordaniel|orahuz)|o(?:fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|pwalker|tevecox\.)|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|iamsimon)|xianglongdai))\d+\@yahoo\.com$/i
+header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|en(?:jaminb|nicholas)|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|ericalbert|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|tevecox\.)|tylerhess\.|vanserge|willclark|xianglongdai))\d+\@yahoo\.com$/i
header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
-meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || T_FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
+meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
-meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY
-
-meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT
-
-meta __SHORT_BODY_G_DRIVE __BODY_URI_ONLY && __LCL__KAM_BODY_LENGTH_LT_512 && __PDS_GOOGLE_DRIVE_FILE
-
-meta __SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE && (RDNS_DYNAMIC || HELO_DYNAMIC_IPADDR || HELO_DYNAMIC_HCC || FSL_HELO_NON_FQDN_1)
+meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY
uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
header __SUBJ_SHORT Subject =~ /^.{0,8}$/
-header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
-tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3
-
header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT
+meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET
+
header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
-meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
+meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
if !plugin(Mail::SpamAssassin::Plugin::SPF)
meta __TO_EQ_FM_DOM_SPF_FAIL 0
header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/
+meta __TO_NO_BRKTS_DYNIP __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && RDNS_DYNAMIC
+
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta __TO_NO_BRKTS_FREEMAIL 0
endif
header __UA_GNUS User-Agent =~ /^Gnus/
-header __UA_IMP User-Agent =~ /^Internet Messaging Program/
-
header __UA_KMAIL User-Agent =~ /^KMail/
header __UA_KNODE User-Agent =~ /^KNode/
header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/
-header __UA_MSENTOUR User-Agent =~ /^Microsoft-Entourage/
-
header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
-body __URI_DEOBFU_INSTR /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i
-
uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
-uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i
+meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE )
-uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g)$,i
+uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i
+
+uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i
+
+uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i
+
+uri __URI_IMG_BEBEE m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i
uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i
+uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i
+
uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
-uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g)$;i
+uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i
+
+uri __URI_IMG_FACEBOOK m;://([^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i
+
+uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i
+
+uri __URI_IMG_GDRIVE /^https:\/\/www\.google\.com\/drive\/static\/images\/drive\/logo-drive\.png/
+
+uri __URI_IMG_GPHOTO /^https:\/\/www\.google\.com\/photos\/about\/static\/images\/logo_photos_64dp\.svg/
+
+uri __URI_IMG_GTRACING m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i
+
+uri __URI_IMG_IMGBOX_THUMB m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i
uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i
+uri __URI_IMG_JOOMCDN m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i
uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i
uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i
-uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i
+uri __URI_IMG_POSTIMGCC m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i
+
+uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i
uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i
-uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png);i
+uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i
+
+uri __URI_IMG_TARINGANET m;://media\.taringa\.net/knn/;i
uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i
-uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png);i
+uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i
uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i
uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i
+uri __URI_IMG_WIXMP m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i
+
uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i
-uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{10,}\.)\1;i
+uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i
uri __URI_MAILTO /^mailto:/i
tflags __URI_MAILTO multiple maxhits=16
meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/
+endif
+
header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/
header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/
header __XM_CALYPSO X-Mailer =~ /^Calypso/
-header __XM_COMMUNIG X-Mailer =~ /^CommuniGate/
-
header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
-header __XM_EDMAX X-Mailer =~ /^EdMax/
-
-header __XM_ELM X-Mailer =~ /^ELM/
-
-header __XM_EMUMAIL X-Mailer =~ /^EMUmail/
-
-header __XM_EXMH X-Mailer =~ /^exmh/
-
header __XM_FORTE X-Mailer =~ /^Forte Agent \d/
header __XM_GNUS X-Mailer =~ /^Gnus v/
-header __XM_IMAIL X-Mailer =~ /^<IMail v\d/
-
-header __XM_LOTUSN X-Mailer =~ /^Lotus Notes/
-
-header __XM_MAILCITY X-Mailer =~ /^MailCity Service/
-
-header __XM_MAILSMITH X-Mailer =~ /^Mailsmith /
+header __XM_LIGHT_HEAVY X-Mailer =~ /\b(?:light|(?<!::)lite|standard|business|pro(?:fessional)?|educational|personal)\b/i
header __XM_MHE X-Mailer =~ /^mh-e \d/
-header __XM_MIMETOOLS X-Mailer =~ /^MIME-tools \d/i
-
header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
-header __XM_MSCDO X-Mailer =~ /^Microsoft CDO/
-
header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
-header __XM_MSOUT X-Mailer =~ /^Microsoft Outlook[, ]?\s?[BIC]/ #Build, IMO, CWS
-
header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
-header __XM_OPERA6 X-Mailer =~ /^Opera 6/
-
header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
-header __XM_PEGASUS X-Mailer =~ /^Pegasus Mail/
-
header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
-header __XM_QUALCOM X-Mailer =~ /^QUALCOMM Windows Eudora/
-
header __XM_RANDOM X-Mailer =~ /q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i
header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/
-meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS
+meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER
meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
-score ACCT_PHISHING_MANY 2.996 2.996 2.996 2.996
+score ACCT_PHISHING_MANY 2.999 2.996 2.999 2.996
score AC_BR_BONANZA 0.001 0.001 0.001 0.001
score AC_DIV_BONANZA 0.001 0.001 0.001 0.001
-score AC_FROM_MANY_DOTS 2.996 1.998 2.996 1.998
-score AC_HTML_NONSENSE_TAGS 1.898 1.522 1.898 1.522
+score AC_FROM_MANY_DOTS 3.000 0.578 3.000 0.578
+score AC_HTML_NONSENSE_TAGS 1.999 1.997 1.999 1.997
score AC_POST_EXTRAS 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS1 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS10 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS4 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS8 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS9 1.000 1.000 1.000 1.000
-score ADMITS_SPAM 3.595 3.396 3.595 3.396
+score ADMITS_SPAM 2.899 1.510 2.899 1.510
score ADULT_DATING_COMPANY 10.001 10.001 10.001 10.001
-score ADVANCE_FEE_2_NEW_FORM 1.985 0.598 1.985 0.598
-score ADVANCE_FEE_2_NEW_FRM_MNY 2.497 2.499 2.497 2.499
-score ADVANCE_FEE_2_NEW_MONEY 1.997 1.997 1.997 1.997
-score ADVANCE_FEE_3_NEW 3.497 2.077 3.497 2.077
-score ADVANCE_FEE_3_NEW_FRM_MNY 0.001 0.001 0.001 0.001
-score ADVANCE_FEE_3_NEW_MONEY 2.897 2.696 2.897 2.696
-score ADVANCE_FEE_4_NEW 2.497 2.297 2.497 2.297
-score ADVANCE_FEE_4_NEW_FRM_MNY 0.001 0.001 0.001 0.001
-score ADVANCE_FEE_4_NEW_MONEY 2.481 0.792 2.481 0.792
-score ADVANCE_FEE_5_NEW 2.596 0.762 2.596 0.762
-score ADVANCE_FEE_5_NEW_FRM_MNY 0.001 0.001 0.001 0.001
+score ADVANCE_FEE_2_NEW_FORM 1.000 1.000 1.000 1.000
+score ADVANCE_FEE_2_NEW_FRM_MNY 0.001 0.001 0.001 0.001
+score ADVANCE_FEE_2_NEW_MONEY 0.001 0.001 0.001 0.001
+score ADVANCE_FEE_3_NEW 2.836 1.673 2.836 1.673
+score ADVANCE_FEE_3_NEW_FRM_MNY 1.536 2.197 1.536 2.197
+score ADVANCE_FEE_3_NEW_MONEY 2.799 0.001 2.799 0.001
+score ADVANCE_FEE_4_NEW 2.210 0.001 2.210 0.001
+score ADVANCE_FEE_4_NEW_FRM_MNY 0.199 1.098 0.199 1.098
+score ADVANCE_FEE_4_NEW_MONEY 0.406 0.722 0.406 0.722
+score ADVANCE_FEE_5_NEW 0.091 0.001 0.091 0.001
+score ADVANCE_FEE_5_NEW_FRM_MNY 0.001 1.080 0.001 1.080
score ADVANCE_FEE_5_NEW_MONEY 0.001 0.001 0.001 0.001
-score AD_PREFS 0.289 0.466 0.289 0.466
-score ALIBABA_IMG_NOT_RCVD_ALI 1.989 2.499 1.989 2.499
-score AMAZON_IMG_NOT_RCVD_AMZN 2.497 0.001 2.497 0.001
+score AD_PREFS 0.312 0.498 0.312 0.498
+score ALIBABA_IMG_NOT_RCVD_ALI 1.000 1.000 1.000 1.000
+score AMAZON_IMG_NOT_RCVD_AMZN 2.499 0.001 2.499 0.001
score APP_DEVELOPMENT_FREEM 1.000 1.000 1.000 1.000
-score APP_DEVELOPMENT_NORDNS 1.997 1.157 1.997 1.157
-score AXB_XMAILER_MIMEOLE_OL_024C2 0.001 0.001 0.001 0.001
-score BIGNUM_EMAILS_FREEM 2.996 1.882 2.996 1.882
-score BIGNUM_EMAILS_MANY 2.997 2.996 2.997 2.996
+score APP_DEVELOPMENT_NORDNS 1.000 1.997 1.000 1.997
+score AXB_XMAILER_MIMEOLE_OL_024C2 0.403 0.001 0.403 0.001
+score BEBEE_IMG_NOT_RCVD_BB 1.000 1.000 1.000 1.000
+score BIGNUM_EMAILS_FREEM 0.159 0.001 0.159 0.001
+score BIGNUM_EMAILS_MANY 2.999 0.003 2.999 0.003
score BITCOIN_BOMB 1.000 1.000 1.000 1.000
score BITCOIN_DEADLINE 1.000 1.000 1.000 1.000
score BITCOIN_EXTORT_01 1.000 1.000 1.000 1.000
score BITCOIN_EXTORT_02 1.000 1.000 1.000 1.000
-score BITCOIN_IMGUR 1.000 1.000 1.000 1.000
-score BITCOIN_MALF_HTML 3.496 3.496 3.496 3.496
+score BITCOIN_IMGUR 2.236 3.496 2.236 3.496
+score BITCOIN_MALF_HTML 0.001 2.487 0.001 2.487
score BITCOIN_MALWARE 1.000 0.001 1.000 0.001
score BITCOIN_OBFU_SUBJ 1.000 1.000 1.000 1.000
-score BITCOIN_ONAN 2.996 2.996 2.996 2.996
+score BITCOIN_ONAN 1.000 1.000 1.000 1.000
score BITCOIN_PAY_ME 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_01 1.000 1.000 1.000 1.000
-score BITCOIN_SPAM_02 2.497 1.019 2.497 1.019
-score BITCOIN_SPAM_03 1.000 1.000 1.000 1.000
+score BITCOIN_SPAM_02 2.499 1.083 2.499 1.083
+score BITCOIN_SPAM_03 1.000 1.875 1.000 1.875
score BITCOIN_SPAM_04 1.000 1.000 1.000 1.000
-score BITCOIN_SPAM_05 0.001 1.253 0.001 1.253
+score BITCOIN_SPAM_05 0.001 2.255 0.001 2.255
score BITCOIN_SPAM_06 1.000 1.000 1.000 1.000
-score BITCOIN_SPAM_07 3.496 3.496 3.496 3.496
+score BITCOIN_SPAM_07 3.499 3.496 3.499 3.496
score BITCOIN_SPAM_08 1.000 1.000 1.000 1.000
-score BITCOIN_SPAM_09 1.000 1.000 1.000 1.000
+score BITCOIN_SPAM_09 1.499 1.498 1.499 1.498
score BITCOIN_SPAM_10 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_11 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_12 1.000 1.000 1.000 1.000
score BITCOIN_SPF_ONLYALL 0.001 1.000 0.001 1.000
-score BITCOIN_XPRIO 0.283 0.091 0.283 0.091
-score BITCOIN_YOUR_INFO 1.000 1.000 1.000 1.000
-score BODY_SINGLE_URI 0.632 0.001 0.632 0.001
-score BODY_URI_ONLY 1.000 0.001 1.000 0.001
-score BOGUS_MIME_VERSION 3.496 2.990 3.496 2.990
+score BITCOIN_XPRIO 1.490 0.001 1.490 0.001
+score BITCOIN_YOUR_INFO 2.999 2.975 2.999 2.975
+score BODY_SINGLE_URI 1.746 2.497 1.746 2.497
+score BODY_SINGLE_WORD 0.001 0.001 0.001 0.001
+score BODY_URI_ONLY 1.000 1.533 1.000 1.533
+score BOGUS_MIME_VERSION 3.499 3.496 3.499 3.496
score BOGUS_MSM_HDRS 1.000 1.000 1.000 1.000
score BOMB_FREEM 1.000 1.000 1.000 1.000
score BOMB_MONEY 1.000 1.000 1.000 1.000
score BTC_ORG 1.000 1.000 1.000 1.000
-score BULK_RE_SUSP_NTLD 0.998 1.000 0.998 1.000
+score BULK_RE_SUSP_NTLD 1.000 1.000 1.000 1.000
score CANT_SEE_AD 1.000 1.000 1.000 1.000
-score CK_HELO_GENERIC 0.248 0.248 0.248 0.248
+score CK_HELO_GENERIC 0.250 0.001 0.250 0.001
score COMMENT_GIBBERISH 1.000 1.000 1.000 1.000
score COMPENSATION 1.000 0.001 1.000 0.001
-score CONTENT_AFTER_HTML 2.497 2.497 2.497 2.497
-score CTE_8BIT_MISMATCH 0.998 0.001 0.998 0.001
-score DATE_IN_FUTURE_96_Q 2.445 1.803 2.445 1.803
+score CONTENT_AFTER_HTML 2.182 0.001 2.182 0.001
+score CTE_8BIT_MISMATCH 0.999 0.001 0.999 0.001
score DAY_I_EARNED 1.000 1.000 1.000 1.000
-score DEAR_BENEFICIARY 0.001 0.001 0.001 0.001
-score DETAILS_OF_PRODUCT 1.249 1.248 1.249 1.248
-score DKIMWL_BL 0.001 2.303 0.001 2.303
+score DEAR_BENEFICIARY 0.841 1.432 0.841 1.432
+score DKIMWL_BL 0.001 2.996 0.001 2.996
score DKIMWL_BLOCKED 0.001 0.001 0.001 0.001
-score DKIMWL_WL_HIGH 0.001 -0.700 0.001 -0.700
+score DKIMWL_WL_HIGH 0.001 -0.702 0.001 -0.702
score DKIMWL_WL_MED 0.001 -0.001 0.001 -0.001
-score DKIMWL_WL_MEDHI 0.001 -0.998 0.001 -0.998
+score DKIMWL_WL_MEDHI 0.001 -0.001 0.001 -0.001
score DOTGOV_IMAGE 1.000 1.000 1.000 1.000
-score DX_TEXT_03 1.698 1.398 1.698 1.398
-score DYNAMIC_IMGUR 2.653 3.177 2.653 3.177
-score EBAY_IMG_NOT_RCVD_EBAY 0.905 2.999 0.905 2.999
-score ENCRYPTED_MESSAGE -0.998 -0.998 -0.998 -0.998
-score END_FUTURE_EMAILS 1.000 1.000 1.000 1.000
+score DX_TEXT_03 1.200 0.001 1.200 0.001
+score DYNAMIC_IMGUR 1.000 1.000 1.000 1.000
+score EBAY_IMG_NOT_RCVD_EBAY 1.000 1.000 1.000 1.000
+score ENCRYPTED_MESSAGE -1.000 -1.000 -1.000 -1.000
+score END_FUTURE_EMAILS 1.000 0.001 1.000 0.001
score ENVFROM_GOOG_TRIX 1.000 1.000 1.000 1.000
-score FAKE_REPLY_A1 3.995 2.322 3.995 2.322
-score FAKE_REPLY_B 3.895 3.595 3.895 3.595
+score FACEBOOK_IMG_NOT_RCVD_FB 1.498 1.318 1.498 1.318
score FBI_MONEY 1.000 1.000 1.000 1.000
score FBI_SPOOF 1.000 1.000 1.000 1.000
-score FILL_THIS_FORM 1.197 0.001 1.197 0.001
-score FONT_INVIS_DIRECT 2.399 0.001 2.399 0.001
-score FONT_INVIS_DOTGOV 3.496 3.496 3.496 3.496
-score FONT_INVIS_HTML_NOHTML 0.001 0.001 0.001 0.001
-score FONT_INVIS_LONG_LINE 2.996 2.996 2.996 2.996
-score FONT_INVIS_MSGID 2.498 2.497 2.498 2.497
-score FONT_INVIS_NORDNS 1.389 2.053 1.389 2.053
-score FONT_INVIS_POSTEXTRAS 1.000 1.000 1.000 1.000
+score FILL_THIS_FORM 1.699 1.597 1.699 1.597
+score FONT_INVIS_DIRECT 0.001 0.001 0.001 0.001
+score FONT_INVIS_DOTGOV 1.000 1.000 1.000 1.000
+score FONT_INVIS_HTML_NOHTML 2.178 0.001 2.178 0.001
+score FONT_INVIS_LONG_LINE 2.588 2.993 2.588 2.993
+score FONT_INVIS_MSGID 2.499 1.810 2.499 1.810
+score FONT_INVIS_NORDNS 1.000 1.000 1.000 1.000
+score FONT_INVIS_POSTEXTRAS 1.392 1.352 1.392 1.352
score FORM_FRAUD 1.000 0.001 1.000 0.001
score FORM_FRAUD_5 0.001 0.001 0.001 0.001
-score FORM_LOW_CONTRAST 1.000 1.000 1.000 1.000
-score FOUND_YOU 3.246 2.954 3.246 2.954
-score FREEMAIL_FORGED_FROMDOMAIN 0.249 0.249 0.249 0.249
+score FOUND_YOU 3.249 3.246 3.249 3.246
+score FREEMAIL_FORGED_FROMDOMAIN 0.250 0.248 0.250 0.248
score FREEM_FRNUM_UNICD_EMPTY 1.000 1.000 1.000 1.000
score FRNAME_IN_MSG_XPRIO_NO_SUB 1.000 1.000 1.000 1.000
-score FROMSPACE 3.096 2.608 3.096 2.608
-score FROM_2_EMAILS_SHORT 2.690 2.996 2.690 2.996
+score FROM_2_EMAILS_SHORT 2.999 2.585 2.999 2.585
score FROM_ADDR_WS 1.000 1.000 1.000 1.000
score FROM_BANK_NOAUTH 0.001 0.998 0.001 0.998
score FROM_FMBLA_NDBLOCKED 0.001 0.001 0.001 0.001
-score FROM_FMBLA_NEWDOM 0.001 1.499 0.001 1.499
+score FROM_FMBLA_NEWDOM 0.001 1.498 0.001 1.498
score FROM_FMBLA_NEWDOM14 0.001 0.998 0.001 0.998
score FROM_FMBLA_NEWDOM28 0.001 0.798 0.001 0.798
-score FROM_GOV_DKIM_AU 0.001 -0.999 0.001 -0.999
+score FROM_GOV_DKIM_AU 0.001 -0.001 0.001 -0.001
score FROM_GOV_REPLYTO_FREEMAIL 0.001 1.000 0.001 1.000
-score FROM_GOV_SPOOF 0.001 0.001 0.001 0.001
-score FROM_MISSPACED 0.001 0.001 0.001 0.001
-score FROM_MISSP_DYNIP 0.254 0.400 0.254 0.400
+score FROM_GOV_SPOOF 0.001 1.000 0.001 1.000
+score FROM_IN_TO_AND_SUBJ 2.099 2.197 2.099 2.197
+score FROM_MISSPACED 1.217 0.001 1.217 0.001
score FROM_MISSP_EH_MATCH 0.001 0.001 0.001 0.001
-score FROM_MISSP_FREEMAIL 2.278 0.001 2.278 0.001
-score FROM_MISSP_MSFT 0.001 2.839 0.001 2.839
-score FROM_MISSP_PHISH 3.496 1.689 3.496 1.689
+score FROM_MISSP_FREEMAIL 3.199 2.996 3.199 2.996
+score FROM_MISSP_MSFT 2.450 0.001 2.450 0.001
+score FROM_MISSP_PHISH 2.953 3.496 2.953 3.496
score FROM_MISSP_REPLYTO 1.000 0.001 1.000 0.001
score FROM_MISSP_SPF_FAIL 0.001 0.001 0.001 0.001
score FROM_MISSP_USER 0.001 0.001 0.001 0.001
-score FROM_MULTI_NORDNS 0.687 2.057 0.687 2.057
-score FROM_NAME_EQ_TO_G_DRIVE 0.308 0.167 0.308 0.167
-score FROM_NEWDOM_BTC 0.001 1.997 0.001 1.997
-score FROM_NTLD_LINKBAIT 1.666 1.000 1.666 1.000
-score FROM_NTLD_REPLY_FREEMAIL 1.999 0.481 1.999 0.481
+score FROM_MULTI_NORDNS 2.491 1.896 2.491 1.896
+score FROM_NEWDOM_BTC 0.001 0.863 0.001 0.863
+score FROM_NTLD_LINKBAIT 1.000 1.000 1.000 1.000
+score FROM_NTLD_REPLY_FREEMAIL 1.999 1.000 1.999 1.000
score FROM_NUMBERO_NEWDOMAIN 0.001 1.000 0.001 1.000
score FROM_NUMERIC_TLD 1.000 1.000 1.000 1.000
-score FROM_PAYPAL_SPOOF 0.001 0.001 0.001 0.001
-score FROM_SUSPICIOUS_NTLD 0.498 0.498 0.498 0.498
-score FROM_SUSPICIOUS_NTLD_FP 1.997 0.917 1.997 0.917
-score FSL_BULK_SIG 0.001 1.995 0.001 1.995
+score FROM_PAYPAL_SPOOF 0.001 1.597 0.001 1.597
+score FROM_SUSPICIOUS_NTLD 0.469 0.001 0.469 0.001
+score FROM_SUSPICIOUS_NTLD_FP 1.821 1.997 1.821 1.997
+score FROM_WSP_TRAIL 2.399 1.402 2.399 1.402
+score FSL_BULK_SIG 0.001 0.001 0.001 0.001
score FSL_CTYPE_WIN1251 0.001 0.001 0.001 0.001
-score FSL_HELO_FAKE 3.096 2.896 3.096 2.896
+score FSL_HELO_FAKE 0.001 0.001 0.001 0.001
score FSL_NEW_HELO_USER 0.001 0.001 0.001 0.001
-score FUZZY_AMAZON 2.298 2.097 2.298 2.097
+score FUZZY_AMAZON 0.001 0.001 0.001 0.001
+score FUZZY_BITCOIN 2.799 1.802 2.799 1.802
+score FUZZY_WALLET 2.599 2.097 2.599 2.097
+score GAPPY_LOW_CONTRAST 2.499 2.497 2.499 2.497
score GAPPY_SALES_LEADS_FREEM 1.000 1.000 1.000 1.000
-score GB_FAKE_RF_SHORT 0.378 0.001 0.378 0.001
+score GB_FAKE_RF_SHORT 1.999 0.073 1.999 0.073
score GB_FORGED_MUA_POSTFIX 1.000 1.000 1.000 1.000
-score GB_FREEMAIL_DISPTO 0.498 0.001 0.498 0.001
-score GB_FREEMAIL_DISPTO_NOTFREEM 0.499 0.498 0.499 0.498
+score GB_FREEMAIL_DISPTO 0.499 0.498 0.499 0.498
+score GB_FREEMAIL_DISPTO_NOTFREEM 0.500 0.500 0.500 0.500
score GB_GOOGLE_OBFUR 0.750 0.750 0.750 0.750
+score GB_GOOG_IMG_NOT_RCVD_GOOG 1.000 1.000 1.000 1.000
score GOOGLE_DOCS_PHISH 1.000 1.000 1.000 1.000
score GOOGLE_DOCS_PHISH_MANY 1.000 1.000 1.000 1.000
-score GOOGLE_DOC_SUSP 2.996 2.235 2.996 2.235
+score GOOGLE_DOC_SUSP 1.000 1.000 1.000 1.000
score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.000 1.000 1.000 1.000
score GOOG_MALWARE_DNLD 1.000 1.000 1.000 1.000
-score GOOG_REDIR_NORDNS 2.497 2.434 2.497 2.434
-score GOOG_STO_EMAIL_PHISH 2.661 2.815 2.661 2.815
-score GOOG_STO_HTML_PHISH 1.934 0.862 1.934 0.862
-score GOOG_STO_HTML_PHISH_MANY 1.883 0.875 1.883 0.875
-score GOOG_STO_IMG_HTML 2.996 2.996 2.996 2.996
+score GOOG_REDIR_NORDNS 2.499 1.452 2.499 1.452
+score GOOG_STO_EMAIL_PHISH 2.999 2.217 2.999 2.217
+score GOOG_STO_HTML_PHISH 1.000 1.000 1.000 1.000
+score GOOG_STO_HTML_PHISH_MANY 1.000 1.000 1.000 1.000
+score GOOG_STO_IMG_HTML 2.999 2.996 2.999 2.996
score GOOG_STO_IMG_NOHTML 1.000 1.000 1.000 1.000
-score GOOG_STO_NOIMG_HTML 2.996 2.996 2.996 2.996
+score GOOG_STO_NOIMG_HTML 2.999 2.996 2.999 2.996
score HAS_X_NO_RELAY 1.000 1.000 1.000 1.000
-score HAS_X_OUTGOING_SPAM_STAT 1.997 0.119 1.997 0.119
+score HAS_X_OUTGOING_SPAM_STAT 1.999 0.807 1.999 0.807
score HDRS_LCASE 0.100 0.001 0.100 0.001
-score HDRS_LCASE_IMGONLY 0.099 0.099 0.099 0.099
-score HDRS_MISSP 0.785 0.001 0.785 0.001
+score HDRS_LCASE_IMGONLY 0.099 0.098 0.099 0.098
+score HDRS_MISSP 2.500 0.810 2.500 0.810
score HDR_ORDER_FTSDMCXX_DIRECT 0.001 0.001 0.001 0.001
score HDR_ORDER_FTSDMCXX_NORDNS 0.001 0.001 0.001 0.001
-score HEADER_FROM_DIFFERENT_DOMAINS 0.249 0.248 0.249 0.248
+score HEADER_FROM_DIFFERENT_DOMAINS 0.249 0.249 0.249 0.249
score HELO_NO_DOMAIN 0.001 0.001 0.001 0.001
score HEXHASH_WORD 1.000 1.000 1.000 1.000
score HK_CTE_RAW 1.000 1.000 1.000 1.000
-score HK_NAME_FM_MR_MRS 1.498 1.498 1.498 1.498
-score HK_NAME_MR_MRS 0.998 0.205 0.998 0.205
+score HK_LOTTO 0.999 0.998 0.999 0.998
+score HK_NAME_MR_MRS 1.000 0.476 1.000 0.476
score HK_RANDOM_ENVFROM 0.999 0.001 0.999 0.001
score HK_RANDOM_FROM 0.999 0.998 0.999 0.998
-score HK_RANDOM_REPLYTO 0.998 0.722 0.998 0.722
+score HK_RANDOM_REPLYTO 0.999 0.001 0.999 0.001
score HK_RCVD_IP_MULTICAST 1.000 1.000 1.000 1.000
-score HK_SCAM 0.001 0.001 0.001 0.001
-score HK_WIN 1.000 1.000 1.000 1.000
-score HOSTED_IMG_DIRECT_MX 3.496 3.496 3.496 3.496
+score HK_SCAM 0.409 0.551 0.409 0.551
+score HK_WIN 1.000 0.998 1.000 0.998
+score HOSTED_IMG_DIRECT_MX 0.001 0.091 0.001 0.091
score HOSTED_IMG_DQ_UNSUB 1.000 1.000 1.000 1.000
-score HOSTED_IMG_FREEM 3.496 3.496 3.496 3.496
+score HOSTED_IMG_FREEM 3.499 3.496 3.499 3.496
score HOSTED_IMG_MULTI 1.000 1.000 1.000 1.000
-score HOSTED_IMG_MULTI_PUB_01 2.697 2.996 2.697 2.996
-score HTML_ENTITY_ASCII 1.000 1.000 1.000 1.000
+score HOSTED_IMG_MULTI_PUB_01 2.999 2.996 2.999 2.996
+score HTML_ENTITY_ASCII 2.843 0.706 2.843 0.706
score HTML_ENTITY_ASCII_TINY 1.000 1.000 1.000 1.000
-score HTML_FONT_TINY_NORDNS 1.498 1.499 1.498 1.499
-score HTML_OFF_PAGE 2.996 2.986 2.996 2.986
+score HTML_FONT_TINY_NORDNS 1.999 1.997 1.999 1.997
+score HTML_OFF_PAGE 0.400 0.001 0.400 0.001
score HTML_SHRT_CMNT_OBFU_MANY 1.000 1.000 1.000 1.000
-score HTML_SINGLET_MANY 1.000 1.761 1.000 1.761
-score HTML_TAG_BALANCE_CENTER 0.481 0.001 0.481 0.001
-score HTML_TEXT_INVISIBLE_FONT 1.000 0.001 1.000 0.001
-score HTML_TEXT_INVISIBLE_STYLE 3.496 1.704 3.496 1.704
-score IMG_ONLY_FM_DOM_INFO 0.001 2.497 0.001 2.497
-score JH_SPAMMY_HEADERS 3.496 3.496 3.496 3.496
-score JH_SPAMMY_PATTERN01 1.000 1.000 1.000 1.000
+score HTML_SINGLET_MANY 1.000 0.001 1.000 0.001
+score HTML_TAG_BALANCE_CENTER 2.085 2.930 2.085 2.930
+score HTML_TEXT_INVISIBLE_FONT 1.000 0.739 1.000 0.739
+score HTML_TEXT_INVISIBLE_STYLE 2.098 1.698 2.098 1.698
+score IMG_ONLY_FM_DOM_INFO 1.000 1.000 1.000 1.000
+score JH_SPAMMY_HEADERS 3.499 3.496 3.499 3.496
+score JH_SPAMMY_PATTERN01 2.999 2.872 2.999 2.872
score JH_SPAMMY_PATTERN02 1.000 1.000 1.000 1.000
-score KHOP_HELO_FCRDNS 0.400 0.398 0.400 0.398
-score LINKEDIN_IMG_NOT_RCVD_LNKN 2.498 2.497 2.498 2.497
+score KHOP_HELO_FCRDNS 0.400 0.001 0.400 0.001
+score LINKEDIN_IMG_NOT_RCVD_LNKN 1.000 1.000 1.000 1.000
score LIST_PRTL_PUMPDUMP 1.000 1.000 1.000 1.000
score LIST_PRTL_SAME_USER 1.000 1.000 1.000 1.000
-score LONG_HEX_URI 2.996 1.412 2.996 1.412
+score LONGLN_LOW_CONTRAST 1.285 0.001 1.285 0.001
+score LONG_HEX_URI 2.999 0.926 2.999 0.926
score LONG_IMG_URI 0.001 0.001 0.001 0.001
-score LONG_INVISIBLE_TEXT 1.399 1.046 1.399 1.046
+score LONG_INVISIBLE_TEXT 0.001 0.750 0.001 0.750
score LOTS_OF_MONEY 0.010 0.010 0.010 0.010
-score LOTTO_AGENT 0.722 0.547 0.722 0.547
+score LOTTO_AGENT 0.001 0.001 0.001 0.001
+score LOTTO_DEPT 2.000 1.999 2.000 1.999
score LUCRATIVE 1.000 1.000 1.000 1.000
score MALF_HTML_B64 1.000 1.000 1.000 1.000
-score MALWARE_NORDNS 2.104 0.001 2.104 0.001
+score MALWARE_NORDNS 0.001 0.248 0.001 0.248
score MALWARE_PASSWORD 1.000 1.000 1.000 1.000
-score MANY_HDRS_LCASE 0.100 0.001 0.100 0.001
-score MANY_SPAN_IN_TEXT 3.496 1.738 3.496 1.738
-score MILLION_HUNDRED 3.096 0.001 3.096 0.001
-score MILLION_USD 0.001 0.001 0.001 0.001
-score MIMEOLE_DIRECT_TO_MX 1.612 0.044 1.612 0.044
+score MANY_HDRS_LCASE 0.100 0.100 0.100 0.100
+score MILLION_HUNDRED 0.001 0.710 0.001 0.710
+score MIMEOLE_DIRECT_TO_MX 1.000 0.001 1.000 0.001
score MIME_NO_TEXT 1.000 1.000 1.000 1.000
-score MIXED_AREA_CASE 1.138 1.075 1.138 1.075
-score MIXED_CENTER_CASE 2.497 2.499 2.497 2.499
-score MIXED_ES 3.497 2.513 3.497 2.513
-score MIXED_FONT_CASE 0.774 0.160 0.774 0.160
-score MIXED_HREF_CASE 0.001 1.251 0.001 1.251
-score MIXED_IMG_CASE 0.956 1.646 0.956 1.646
+score MIXED_AREA_CASE 0.719 0.199 0.719 0.199
+score MIXED_CENTER_CASE 2.499 1.854 2.499 1.854
+score MIXED_ES 3.252 2.882 3.252 2.882
+score MIXED_FONT_CASE 1.945 2.328 1.945 2.328
+score MIXED_HREF_CASE 0.816 0.408 0.816 0.408
+score MIXED_IMG_CASE 0.295 1.169 0.295 1.169
score MONERO_DEADLINE 1.000 1.000 1.000 1.000
score MONERO_EXTORT_01 1.000 1.000 1.000 1.000
score MONERO_MALWARE 1.000 1.000 1.000 1.000
score MONERO_PAY_ME 1.000 1.000 1.000 1.000
-score MONEY_ATM_CARD 0.001 0.001 0.001 0.001
score MONEY_FORM 0.001 0.001 0.001 0.001
-score MONEY_FORM_SHORT 0.001 0.001 0.001 0.001
-score MONEY_FRAUD_3 0.001 0.001 0.001 0.001
-score MONEY_FRAUD_5 0.001 0.001 0.001 0.001
-score MONEY_FRAUD_8 1.758 0.035 1.758 0.035
-score MONEY_FREEMAIL_REPTO 2.489 0.989 2.489 0.989
-score MONEY_FROM_41 1.997 1.997 1.997 1.997
-score MONEY_FROM_MISSP 0.001 0.001 0.001 0.001
-score MONEY_NOHTML 1.300 1.245 1.300 1.245
+score MONEY_FORM_SHORT 1.176 1.318 1.176 1.318
+score MONEY_FRAUD_3 1.395 0.657 1.395 0.657
+score MONEY_FRAUD_5 3.081 1.999 3.081 1.999
+score MONEY_FRAUD_8 3.099 0.001 3.099 0.001
+score MONEY_FREEMAIL_REPTO 1.148 0.001 1.148 0.001
+score MONEY_FROM_41 1.999 0.001 1.999 0.001
+score MONEY_FROM_MISSP 1.385 0.001 1.385 0.001
score MSGID_DOLLARS_URI_IMG 1.000 1.000 1.000 1.000
score MSGID_HDR_MALF 1.000 1.000 1.000 1.000
-score MSGID_WSP_TRAIL 2.574 1.824 2.574 1.824
-score MSMAIL_PRI_ABNORMAL 0.597 0.906 0.597 0.906
+score MSGID_NOFQDN1 0.001 0.001 0.001 0.001
+score MSMAIL_PRI_ABNORMAL 0.001 0.001 0.001 0.001
score MSM_PRIO_REPTO 1.000 1.000 1.000 1.000
-score NAME_EMAIL_DIFF 1.806 0.625 1.806 0.625
-score NA_DOLLARS 0.920 0.228 0.920 0.228
+score NA_DOLLARS 1.055 1.498 1.055 1.498
score NEWEGG_IMG_NOT_RCVD_NEGG 1.000 1.000 1.000 1.000
-score NICE_REPLY_A -2.552 -0.368 -2.552 -0.368
-score NOT_SPAM 3.096 2.896 3.096 2.896
-score NO_FM_NAME_IP_HOSTN 0.196 0.001 0.196 0.001
+score NEW_PRODUCTS 1.000 1.000 1.000 1.000
+score NICE_REPLY_A -4.151 -1.993 -4.151 -1.993
+score NORDNS_LOW_CONTRAST 1.888 0.001 1.888 0.001
+score NO_FM_NAME_IP_HOSTN 0.001 0.001 0.001 0.001
score NSL_RCVD_FROM_USER 0.001 0.001 0.001 0.001
-score NSL_RCVD_HELO_USER 0.001 1.672 0.001 1.672
-score NUMBEREND_LINKBAIT 0.857 0.931 0.857 0.931
-score OBFU_BITCOIN 1.000 1.000 1.000 1.000
-score OBFU_TEXT_ATTACH 0.001 0.001 0.001 0.001
-score ODD_FREEM_REPTO 2.996 2.493 2.996 2.493
-score OFFER_ONLY_AMERICA 1.999 1.000 1.999 1.000
-score ONLINE_MKTG_CNSLT 2.696 2.397 2.696 2.397
-score ORDER_TODAY 2.442 0.542 2.442 0.542
+score NSL_RCVD_HELO_USER 2.186 0.211 2.186 0.211
+score OBFU_BITCOIN 1.736 1.914 1.736 1.914
+score OBFU_TEXT_ATTACH 1.196 0.950 1.196 0.950
+score ODD_FREEM_REPTO 2.999 2.214 2.999 2.214
+score OFFER_ONLY_AMERICA 0.853 1.000 0.853 1.000
score PDS_BTC_ID 0.499 0.498 0.499 0.498
-score PDS_BTC_MSGID 0.001 0.001 0.001 0.001
-score PDS_BTC_NTLD 1.999 1.905 1.999 1.905
-score PDS_DBL_URL_TNB_RUNON 1.997 0.605 1.997 0.605
-score PDS_FRNOM_TODOM_DBL_URL 1.496 1.498 1.496 1.498
-score PDS_FRNOM_TODOM_NAKED_TO 1.498 1.498 1.498 1.498
-score PDS_FROM_2_EMAILS_SHRTNER 1.468 1.498 1.468 1.498
-score PDS_FROM_NAME_TO_DOMAIN 1.997 1.997 1.997 1.997
+score PDS_BTC_MSGID 0.999 0.001 0.999 0.001
+score PDS_BTC_NTLD 0.807 0.001 0.807 0.001
+score PDS_DBL_URL_TNB_RUNON 1.999 1.997 1.999 1.997
+score PDS_FRNOM_TODOM_DBL_URL 1.425 1.373 1.425 1.373
+score PDS_FRNOM_TODOM_NAKED_TO 1.499 1.498 1.499 1.498
+score PDS_FROM_NAME_TO_DOMAIN 1.999 1.997 1.999 1.997
score PDS_HELO_SPF_FAIL 0.001 1.000 0.001 1.000
-score PDS_HP_HELO_NORDNS 0.998 0.001 0.998 0.001
-score PDS_OTHER_BAD_TLD 1.997 1.997 1.997 1.997
-score PDS_PHPEXP_BOT 1.498 1.498 1.498 1.498
-score PDS_PHP_EVAL 1.498 0.881 1.498 0.881
+score PDS_HP_HELO_NORDNS 0.001 0.001 0.001 0.001
+score PDS_OTHER_BAD_TLD 1.999 0.001 1.999 0.001
+score PDS_PHPEXP_BOT 1.499 0.001 1.499 0.001
+score PDS_PHP_EVAL 0.959 1.498 0.959 1.498
score PDS_RDNS_DYNAMIC_FP 0.001 0.001 0.001 0.001
-score PDS_SHORTFWD_URISHRT_FP 1.498 1.498 1.498 1.498
-score PDS_SHORTFWD_URISHRT_QP 1.498 1.498 1.498 1.498
-score PDS_TINYSUBJ_URISHRT 1.498 1.498 1.498 1.498
-score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 1.997 1.997 1.997 1.997
-score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 1.998 1.997 1.998 1.997
-score PDS_TO_EQ_FROM_NAME 3.196 3.096 3.196 3.096
+score PDS_TINYSUBJ_URISHRT 1.000 1.000 1.000 1.000
+score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 1.999 0.745 1.999 0.745
+score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 1.999 1.997 1.999 1.997
+score PDS_TO_EQ_FROM_NAME 3.299 2.796 3.299 2.796
score PHISH_AZURE_CLOUDAPP 3.500 3.500 3.500 3.500
score PHISH_FBASEAPP 1.000 1.000 1.000 1.000
score PHOTO_EDITING_DIRECT 1.000 1.000 1.000 1.000
score PHOTO_EDITING_FREEM 1.000 1.000 1.000 1.000
score PHP_NOVER_MUA 1.000 1.000 1.000 1.000
-score PHP_ORIG_SCRIPT 2.497 0.268 2.497 0.268
-score PHP_ORIG_SCRIPT_EVAL 2.996 2.590 2.996 2.590
-score PHP_SCRIPT 2.497 2.189 2.497 2.189
+score PHP_ORIG_SCRIPT 2.499 2.249 2.499 2.249
+score PHP_ORIG_SCRIPT_EVAL 2.293 2.996 2.293 2.996
+score PHP_SCRIPT 2.499 2.497 2.499 2.497
score PHP_SCRIPT_MUA 1.000 1.000 1.000 1.000
-score PP_MIME_FAKE_ASCII_TEXT 0.998 0.998 0.998 0.998
+score PP_MIME_FAKE_ASCII_TEXT 0.999 0.998 0.999 0.998
score PP_TOO_MUCH_UNICODE02 0.500 0.500 0.500 0.500
score PP_TOO_MUCH_UNICODE05 1.000 1.000 1.000 1.000
score PUMPDUMP 1.000 1.000 1.000 1.000
score PUMPDUMP_MULTI 1.000 1.000 1.000 1.000
-score RAND_HEADER_LIST_SPOOF 2.996 2.996 2.996 2.996
+score RAND_HEADER_LIST_SPOOF 1.000 1.000 1.000 1.000
score RAND_HEADER_MANY 1.000 1.000 1.000 1.000
-score RAND_MKTG_HEADER 1.997 1.998 1.997 1.998
-score RATWARE_NO_RDNS 1.814 1.046 1.814 1.046
+score RAND_MKTG_HEADER 1.999 1.997 1.999 1.997
+score RATWARE_NO_RDNS 0.001 0.001 0.001 0.001
score RCVD_DOTEDU_SHORT 1.000 1.000 1.000 1.000
score RCVD_DOTEDU_SUSP_URI 1.000 1.000 1.000 1.000
score RCVD_IN_MSPIKE_BL 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_WL 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_ZBI 0.001 0.001 0.001 0.001
score RDNS_NUM_TLD_ATCHNX 1.000 1.000 1.000 1.000
-score RDNS_NUM_TLD_XM 2.999 1.181 2.999 1.181
-score READY_TO_SHIP 1.248 1.249 1.248 1.249
-score REPLYTO_EMPTY 2.697 2.498 2.697 2.498
-score REPTO_419_FRAUD 2.996 2.996 2.996 2.996
+score RDNS_NUM_TLD_XM 2.999 2.009 2.999 2.009
+score REPLYTO_EMPTY 3.099 2.896 3.099 2.896
+score REPTO_419_FRAUD 1.000 2.996 1.000 2.996
score REPTO_419_FRAUD_AOL 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_AOL_LOOSE 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_CNS 1.000 1.000 1.000 1.000
-score REPTO_419_FRAUD_GM 2.996 2.999 2.996 2.999
-score REPTO_419_FRAUD_GM_LOOSE 0.998 0.998 0.998 0.998
+score REPTO_419_FRAUD_GM 2.999 2.996 2.999 2.996
+score REPTO_419_FRAUD_GM_LOOSE 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_HM 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_OL 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_PM 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YH_LOOSE 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YJ 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YN 1.000 1.000 1.000 1.000
-score RISK_FREE 2.996 2.796 2.996 2.796
-score SCC_NEWBIE_HASBEENS 0.468 0.001 0.468 0.001
-score SCRIPT_GIBBERISH 2.497 2.197 2.497 2.197
-score SENDGRID_REDIR 1.498 1.313 1.498 1.313
+score RISK_FREE 2.299 2.197 2.299 2.197
+score SCRIPT_GIBBERISH 0.001 0.001 0.001 0.001
+score SENDGRID_REDIR 1.499 0.910 1.499 0.910
score SENDGRID_REDIR_PHISH 1.000 1.000 1.000 1.000
-score SEO_SUSP_NTLD 1.000 1.000 1.000 1.000
-score SERGIO_SUBJECT_VIAGRA01 3.335 4.295 3.335 4.295
-score SHOPIFY_IMG_NOT_RCVD_SFY 2.497 2.498 2.497 2.498
-score SHORTENED_URL_SRC 2.996 2.774 2.996 2.774
-score SHORTENER_SHORT_IMG 1.041 2.373 1.041 2.373
-score SHORTENER_SHORT_SUBJ 2.996 2.996 2.996 2.996
-score SHORT_BODY_G_DRIVE_DYN 0.823 1.082 0.823 1.082
+score SEO_SUSP_NTLD 0.001 1.000 0.001 1.000
+score SERGIO_SUBJECT_VIAGRA01 3.239 0.001 3.239 0.001
+score SHOPIFY_IMG_NOT_RCVD_SFY 2.499 2.497 2.499 2.497
+score SHORTENED_URL_SRC 2.399 2.397 2.399 2.397
+score SHORTENER_SHORT_IMG 2.411 2.210 2.411 2.210
score SHORT_IMG_SUSP_NTLD 1.000 1.000 1.000 1.000
-score SHORT_SHORTNER 1.997 0.001 1.997 0.001
-score SPOOFED_FREEMAIL 0.001 0.724 0.001 0.724
+score SHORT_SHORTNER 2.000 1.997 2.000 1.997
+score SPOOFED_FREEMAIL 0.001 1.324 0.001 1.324
score SPOOFED_FREEMAIL_NO_RDNS 1.000 0.001 1.000 0.001
-score SPOOFED_FREEM_REPTO 0.001 0.001 0.001 0.001
-score SPOOFED_FREEM_REPTO_CHN 0.001 1.289 0.001 1.289
+score SPOOFED_FREEM_REPTO 0.001 2.497 0.001 2.497
+score SPOOFED_FREEM_REPTO_CHN 0.001 1.000 0.001 1.000
score SPOOFED_FREEM_REPTO_RUS 0.001 1.000 0.001 1.000
-score SPOOF_GMAIL_MID 1.000 1.498 1.000 1.498
-score STATIC_XPRIO_OLE 1.997 1.998 1.997 1.998
-score STOCK_LOW_CONTRAST 1.000 1.000 1.000 1.000
+score SPOOF_GMAIL_MID 1.000 1.497 1.000 1.497
+score STATIC_XPRIO_OLE 0.001 0.001 0.001 0.001
score STOCK_TIP 1.000 1.000 1.000 1.000
+score SUBJ_BRKN_WORDNUMS 1.000 1.000 1.000 1.000
+score SUBJ_OBFU_LOW_CNTRST 2.499 1.488 2.499 1.488
score SURBL_BLOCKED 0.001 0.001 0.001 0.001
+score SUSP_UTF8_WORD_SUBJ 1.999 1.997 1.999 1.997
score SYSADMIN 1.000 1.000 1.000 1.000
-score TAGSTAT_IMG_NOT_RCVD_TGST 1.997 1.997 1.997 1.997
-score THIS_AD 1.098 0.898 1.098 0.898
-score THIS_IS_ADV_SUSP_NTLD 1.499 1.198 1.499 1.198
+score TAGSTAT_IMG_NOT_RCVD_TGST 1.000 1.000 1.000 1.000
+score TARINGANET_IMG_NOT_RCVD_TN 1.000 1.000 1.000 1.000
+score THIS_AD 1.199 0.998 1.199 0.998
+score THIS_IS_ADV_SUSP_NTLD 0.001 1.000 0.001 1.000
score TONLINE_FAKE_DKIM 1.000 1.000 1.000 1.000
-score TO_EQ_FM_DIRECT_MX 0.001 0.165 0.001 0.165
+score TO_EQ_FM_DIRECT_MX 0.001 0.001 0.001 0.001
score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.001 0.001 0.001
score TO_EQ_FM_SPF_FAIL 0.001 0.001 0.001 0.001
-score TO_IN_SUBJ 0.098 0.099 0.098 0.099
-score TO_NAME_SUBJ_NO_RDNS 2.755 1.864 2.755 1.864
-score TO_NO_BRKTS_FROM_MSSP 2.095 0.001 2.095 0.001
-score TO_NO_BRKTS_HTML_IMG 1.997 0.001 1.997 0.001
-score TO_NO_BRKTS_HTML_ONLY 1.997 1.997 1.997 1.997
+score TO_IN_SUBJ 0.099 0.098 0.099 0.098
+score TO_NAME_SUBJ_NO_RDNS 2.999 2.959 2.999 2.959
+score TO_NO_BRKTS_DYNIP 0.001 0.250 0.001 0.250
+score TO_NO_BRKTS_FROM_MSSP 2.499 1.706 2.499 1.706
+score TO_NO_BRKTS_HTML_IMG 1.999 1.997 1.999 1.997
+score TO_NO_BRKTS_HTML_ONLY 1.999 1.997 1.999 1.997
score TO_NO_BRKTS_MSFT 1.000 0.001 1.000 0.001
-score TO_NO_BRKTS_NORDNS_HTML 1.997 1.199 1.997 1.199
-score TO_NO_BRKTS_PCNT 2.497 2.497 2.497 2.497
-score TRANSFORM_LIFE 2.497 2.497 2.497 2.497
-score TVD_PH_BODY_META 2.896 2.596 2.896 2.596
-score TVD_RCVD_SPACE_BRACKET 2.896 2.696 2.896 2.696
+score TO_NO_BRKTS_NORDNS_HTML 1.999 1.203 1.999 1.203
+score TO_NO_BRKTS_PCNT 2.260 1.219 2.260 1.219
+score TRANSFORM_LIFE 2.499 2.497 2.499 2.497
+score TVD_RCVD_SPACE_BRACKET 2.899 2.696 2.899 2.696
score TVD_SPACE_ENCODED 1.000 0.001 1.000 0.001
+score TVD_SPACE_ENC_FM_MIME 1.000 1.000 1.000 1.000
score TVD_SPACE_RATIO_MINFP 1.000 0.001 1.000 0.001
score TW_GIBBERISH_MANY 1.000 1.000 1.000 1.000
score UC_GIBBERISH_OBFU 1.000 1.000 1.000 1.000
-score UNDISC_FREEM 2.896 2.696 2.896 2.696
-score UNDISC_MONEY 3.296 2.493 3.296 2.493
-score UNICODE_OBFU_ASC 1.000 1.000 1.000 1.000
+score UNDISC_FREEM 3.299 3.096 3.299 3.096
+score UNDISC_MONEY 3.599 3.396 3.599 3.396
+score UNICODE_OBFU_ASC 2.499 2.497 2.499 2.497
score UNICODE_OBFU_ZW 1.000 1.000 1.000 1.000
score URI_ADOBESPARK 1.000 1.000 1.000 1.000
score URI_AZURE_CLOUDAPP 1.000 1.000 1.000 1.000
score URI_DASHGOVEDU 1.000 1.000 1.000 1.000
score URI_DATA 1.000 1.000 1.000 1.000
-score URI_DEOBFU_INSTR 3.895 3.695 3.895 3.695
-score URI_DOTEDU 1.997 1.997 1.997 1.997
+score URI_DOTEDU 1.999 1.997 1.999 1.997
score URI_DOTEDU_ENTITY 1.000 1.000 1.000 1.000
-score URI_DQ_UNSUB 2.696 2.399 2.696 2.399
-score URI_FIREBASEAPP 2.996 2.996 2.996 2.996
-score URI_GOOGLE_PROXY 3.096 2.696 3.096 2.696
-score URI_GOOG_STO_SPAMMY 2.996 2.996 2.996 2.996
+score URI_FIREBASEAPP 2.999 2.996 2.999 2.996
+score URI_GOOGLE_PROXY 2.499 2.397 2.499 2.397
+score URI_GOOG_STO_SPAMMY 2.999 2.996 2.999 2.996
score URI_HEX_IP 1.000 1.000 1.000 1.000
score URI_IMG_WP_REDIR 1.000 1.000 1.000 1.000
-score URI_LONG_REPEAT 2.497 2.499 2.497 2.499
-score URI_ONLY_MSGID_MALF 1.000 0.001 1.000 0.001
+score URI_IN_URI_10 2.699 2.497 2.699 2.497
+score URI_LONG_REPEAT 1.000 1.000 1.000 1.000
+score URI_ONLY_MSGID_MALF 1.000 1.997 1.000 1.997
score URI_OPTOUT_3LD 1.000 1.000 1.000 1.000
-score URI_PHISH 3.995 1.515 3.995 1.515
-score URI_PHP_REDIR 3.496 3.290 3.496 3.290
-score URI_TRY_3LD 1.927 1.623 1.927 1.623
+score URI_PHISH 3.999 3.625 3.999 3.625
+score URI_PHP_REDIR 3.500 3.169 3.500 3.169
+score URI_TRY_3LD 1.940 1.204 1.940 1.204
score URI_TRY_USME 1.000 1.000 1.000 1.000
-score URI_WPADMIN 2.596 2.297 2.596 2.297
-score URI_WP_DIRINDEX 1.000 1.000 1.000 1.000
-score URI_WP_HACKED 1.000 0.001 1.000 0.001
-score URI_WP_HACKED_2 2.497 2.497 2.497 2.497
+score URI_WPADMIN 2.699 2.596 2.699 2.596
+score URI_WP_DIRINDEX 3.499 3.496 3.499 3.496
+score URI_WP_HACKED 1.000 3.496 1.000 3.496
+score URI_WP_HACKED_2 2.499 2.497 2.499 2.497
score USB_DRIVES 1.000 1.000 1.000 1.000
-score VFY_ACCT_NORDNS 0.001 0.001 0.001 0.001
+score USER_IN_DKIM_WELCOMELIST 0.001 0.001 0.001 0.001
+score VFY_ACCT_NORDNS 2.912 2.996 2.912 2.996
score VPS_NO_NTLD 1.000 1.000 1.000 1.000
-score WALMART_IMG_NOT_RCVD_WAL 2.363 2.270 2.363 2.270
-score WANT_TO_ORDER 2.166 1.931 2.166 1.931
+score WALMART_IMG_NOT_RCVD_WAL 1.000 1.000 1.000 1.000
score WORD_INVIS 1.000 1.000 1.000 1.000
-score WORD_INVIS_MANY 2.996 2.996 2.996 2.996
-score XFER_LOTSA_MONEY 0.998 0.998 0.998 0.998
-score XM_DIGITS_ONLY 0.827 2.016 0.827 2.016
-score XM_RANDOM 2.497 1.418 2.497 1.418
-score XM_RECPTID 2.996 2.987 2.996 2.987
-score XPRIO 1.000 1.000 1.000 1.000
+score WORD_INVIS_MANY 1.000 1.000 1.000 1.000
+score XFER_LOTSA_MONEY 1.000 0.998 1.000 0.998
+score XM_DIGITS_ONLY 1.930 0.858 1.930 0.858
+score XM_LIGHT_HEAVY 2.499 2.497 2.499 2.497
+score XM_RANDOM 2.499 2.497 2.499 2.497
+score XM_RECPTID 2.999 2.996 2.999 2.996
+score XPRIO 1.000 0.001 1.000 0.001
score XPRIO_SHORT_SUBJ 1.000 1.000 1.000 1.000
-score XPRIO_URL_SHORTNER 0.998 0.998 0.998 0.998
-score YOUR_DELIVERY_ADDRESS 0.035 1.105 0.035 1.105
-score YOU_INHERIT 2.696 2.497 2.696 2.497
+score YOU_INHERIT 0.549 0.001 0.549 0.001
+score ZW_OBFU_FREEM 1.999 1.997 1.999 1.997