GRAYBYTE | AutoShopMaker

Failed to save the file to the "xx" directory.

Failed to save the file to the "ll" directory.

Failed to save the file to the "mm" directory.

Failed to save the file to the "wp" directory.

# SpamAssassin rules file # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # </@LICENSE> # ########################################################################### require_version 3.004006 ##{ ACCT_PHISHING_MANY meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY describe ACCT_PHISHING_MANY Phishing for account information #score ACCT_PHISHING_MANY 3.000 # limit ##} ACCT_PHISHING_MANY ##{ AC_BR_BONANZA rawbody AC_BR_BONANZA /(?: \s*){30}/i describe AC_BR_BONANZA Too many newlines in a row... spammy template #score AC_BR_BONANZA 0.001 tflags AC_BR_BONANZA publish ##} AC_BR_BONANZA ##{ AC_DIV_BONANZA rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i describe AC_DIV_BONANZA Too many divs in a row... spammy template #score AC_DIV_BONANZA 0.001 tflags AC_DIV_BONANZA publish ##} AC_DIV_BONANZA ##{ AC_FROM_MANY_DOTS meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP #score AC_FROM_MANY_DOTS 2.500 # limit describe AC_FROM_MANY_DOTS Multiple periods in From user name tflags AC_FROM_MANY_DOTS publish ##} AC_FROM_MANY_DOTS ##{ AC_HTML_NONSENSE_TAGS rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/ describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam #score AC_HTML_NONSENSE_TAGS 2.0 tflags AC_HTML_NONSENSE_TAGS publish ##} AC_HTML_NONSENSE_TAGS ##{ AC_POST_EXTRAS meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID describe AC_POST_EXTRAS Suspicious URL #score AC_POST_EXTRAS 2.500 # limit tflags AC_POST_EXTRAS publish ##} AC_POST_EXTRAS ##{ AC_SPAMMY_URI_PATTERNS1 meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI) describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS1 4.0 tflags AC_SPAMMY_URI_PATTERNS1 publish ##} AC_SPAMMY_URI_PATTERNS1 ##{ AC_SPAMMY_URI_PATTERNS10 meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS10 4.0 tflags AC_SPAMMY_URI_PATTERNS10 publish ##} AC_SPAMMY_URI_PATTERNS10 ##{ AC_SPAMMY_URI_PATTERNS11 meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS11 4.0 tflags AC_SPAMMY_URI_PATTERNS11 publish ##} AC_SPAMMY_URI_PATTERNS11 ##{ AC_SPAMMY_URI_PATTERNS12 meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI) describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS12 4.0 tflags AC_SPAMMY_URI_PATTERNS12 publish ##} AC_SPAMMY_URI_PATTERNS12 ##{ AC_SPAMMY_URI_PATTERNS2 meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI) describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS2 4.0 tflags AC_SPAMMY_URI_PATTERNS2 publish ##} AC_SPAMMY_URI_PATTERNS2 ##{ AC_SPAMMY_URI_PATTERNS3 meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI) describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS3 4.0 tflags AC_SPAMMY_URI_PATTERNS3 publish ##} AC_SPAMMY_URI_PATTERNS3 ##{ AC_SPAMMY_URI_PATTERNS4 meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS4 4.0 tflags AC_SPAMMY_URI_PATTERNS4 publish ##} AC_SPAMMY_URI_PATTERNS4 ##{ AC_SPAMMY_URI_PATTERNS8 meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS8 4.0 tflags AC_SPAMMY_URI_PATTERNS8 publish ##} AC_SPAMMY_URI_PATTERNS8 ##{ AC_SPAMMY_URI_PATTERNS9 meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI)) describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS9 4.0 tflags AC_SPAMMY_URI_PATTERNS9 publish ##} AC_SPAMMY_URI_PATTERNS9 ##{ ADMAIL meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS describe ADMAIL "admail" and variants tflags ADMAIL publish ##} ADMAIL ##{ ADMITS_SPAM meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB describe ADMITS_SPAM Admits this is an ad #score ADMITS_SPAM 2.000 # limit tflags ADMITS_SPAM publish ##} ADMITS_SPAM ##{ ADULT_DATING_COMPANY meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO #score ADULT_DATING_COMPANY 10.000 # limit tflags ADULT_DATING_COMPANY publish ##} ADULT_DATING_COMPANY ##{ ADVANCE_FEE_2_NEW_FORM meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form #score ADVANCE_FEE_2_NEW_FORM 2.000 # limit tflags ADVANCE_FEE_2_NEW_FORM publish ##} ADVANCE_FEE_2_NEW_FORM ##{ ADVANCE_FEE_2_NEW_FRM_MNY meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money #score ADVANCE_FEE_2_NEW_FRM_MNY 2.500 tflags ADVANCE_FEE_2_NEW_FRM_MNY publish ##} ADVANCE_FEE_2_NEW_FRM_MNY ##{ ADVANCE_FEE_2_NEW_MONEY meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money #score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit tflags ADVANCE_FEE_2_NEW_MONEY publish ##} ADVANCE_FEE_2_NEW_MONEY ##{ ADVANCE_FEE_3_NEW meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419) #score ADVANCE_FEE_3_NEW 3.5 # limit tflags ADVANCE_FEE_3_NEW publish ##} ADVANCE_FEE_3_NEW ##{ ADVANCE_FEE_3_NEW_FORM meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form tflags ADVANCE_FEE_3_NEW_FORM publish ##} ADVANCE_FEE_3_NEW_FORM ##{ ADVANCE_FEE_3_NEW_FRM_MNY meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money tflags ADVANCE_FEE_3_NEW_FRM_MNY publish ##} ADVANCE_FEE_3_NEW_FRM_MNY ##{ ADVANCE_FEE_3_NEW_MONEY meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money tflags ADVANCE_FEE_3_NEW_MONEY publish ##} ADVANCE_FEE_3_NEW_MONEY ##{ ADVANCE_FEE_4_NEW meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419) tflags ADVANCE_FEE_4_NEW publish ##} ADVANCE_FEE_4_NEW ##{ ADVANCE_FEE_4_NEW_FORM meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form tflags ADVANCE_FEE_4_NEW_FORM publish ##} ADVANCE_FEE_4_NEW_FORM ##{ ADVANCE_FEE_4_NEW_FRM_MNY meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money tflags ADVANCE_FEE_4_NEW_FRM_MNY publish ##} ADVANCE_FEE_4_NEW_FRM_MNY ##{ ADVANCE_FEE_4_NEW_MONEY meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money tflags ADVANCE_FEE_4_NEW_MONEY publish ##} ADVANCE_FEE_4_NEW_MONEY ##{ ADVANCE_FEE_5_NEW meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419) tflags ADVANCE_FEE_5_NEW publish ##} ADVANCE_FEE_5_NEW ##{ ADVANCE_FEE_5_NEW_FORM meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form tflags ADVANCE_FEE_5_NEW_FORM publish ##} ADVANCE_FEE_5_NEW_FORM ##{ ADVANCE_FEE_5_NEW_FRM_MNY meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money tflags ADVANCE_FEE_5_NEW_FRM_MNY publish ##} ADVANCE_FEE_5_NEW_FRM_MNY ##{ ADVANCE_FEE_5_NEW_MONEY meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money tflags ADVANCE_FEE_5_NEW_MONEY publish ##} ADVANCE_FEE_5_NEW_MONEY ##{ AD_PREFS body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i describe AD_PREFS Advertising preferences #score AD_PREFS 0.500 # limit tflags AD_PREFS publish ##} AD_PREFS ##{ ALIBABA_IMG_NOT_RCVD_ALI meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE #score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba tflags ALIBABA_IMG_NOT_RCVD_ALI publish ##} ALIBABA_IMG_NOT_RCVD_ALI ##{ AMAZON_IMG_NOT_RCVD_AMZN meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO #score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon tflags AMAZON_IMG_NOT_RCVD_AMZN publish ##} AMAZON_IMG_NOT_RCVD_AMZN ##{ APOSTROPHE_FROM header APOSTROPHE_FROM From:addr =~ /'/ describe APOSTROPHE_FROM From address contains an apostrophe ##} APOSTROPHE_FROM ##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto # score APP_DEVELOPMENT_FREEM 3.500 # limit tflags APP_DEVELOPMENT_FREEM publish endif ##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS # score APP_DEVELOPMENT_NORDNS 2.000 # limit tflags APP_DEVELOPMENT_NORDNS publish endif ##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ AXB_XMAILER_MIMEOLE_OL_024C2 meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait ##} AXB_XMAILER_MIMEOLE_OL_024C2 ##{ BANKING_LAWS body BANKING_LAWS /banking laws/i describe BANKING_LAWS Talks about banking laws ##} BANKING_LAWS ##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body BASE64_LENGTH_78_79 eval:check_base64_length('78','79') endif ##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval describe BASE64_LENGTH_79_INF base64 encoded email part uses line length of 78 or 79 characters body BASE64_LENGTH_79_INF eval:check_base64_length('79') describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters endif ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ BEBEE_IMG_NOT_RCVD_BB meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB #score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee tflags BEBEE_IMG_NOT_RCVD_BB publish ##} BEBEE_IMG_NOT_RCVD_BB ##{ BIGNUM_EMAILS_FREEM meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account #score BIGNUM_EMAILS_FREEM 3.00 # limit tflags BIGNUM_EMAILS_FREEM publish ##} BIGNUM_EMAILS_FREEM ##{ BIGNUM_EMAILS_MANY meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over #score BIGNUM_EMAILS_MANY 3.00 # limit tflags BIGNUM_EMAILS_MANY publish ##} BIGNUM_EMAILS_MANY ##{ BILL_1618 body BILL_1618 /\bUnder Bill\s?s?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i describe BILL_1618 Mentions proposed US law supposedly permitting spamming tflags BILL_1618 publish ##} BILL_1618 ##{ BITCOIN_BOMB meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 describe BITCOIN_BOMB BitCoin + bomb #score BITCOIN_BOMB 3.000 # limit tflags BITCOIN_BOMB publish ##} BITCOIN_BOMB ##{ BITCOIN_DEADLINE meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 describe BITCOIN_DEADLINE BitCoin with a deadline #score BITCOIN_DEADLINE 3.000 # limit tflags BITCOIN_DEADLINE publish ##} BITCOIN_DEADLINE ##{ BITCOIN_EXTORT_01 meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA ) describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin #score BITCOIN_EXTORT_01 5.000 # limit tflags BITCOIN_EXTORT_01 publish ##} BITCOIN_EXTORT_01 ##{ BITCOIN_EXTORT_02 meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin #score BITCOIN_EXTORT_02 5.000 # limit tflags BITCOIN_EXTORT_02 publish ##} BITCOIN_EXTORT_02 ##{ BITCOIN_IMGUR meta BITCOIN_IMGUR __BITCOIN_IMGUR describe BITCOIN_IMGUR Bitcoin + hosted image #score BITCOIN_IMGUR 3.500 # limit tflags BITCOIN_IMGUR publish ##} BITCOIN_IMGUR ##{ BITCOIN_MALF_HTML meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID) describe BITCOIN_MALF_HTML Bitcoin + malformed HTML #score BITCOIN_MALF_HTML 3.500 # limit ##} BITCOIN_MALF_HTML ##{ BITCOIN_MALWARE meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED describe BITCOIN_MALWARE BitCoin + malware bragging #score BITCOIN_MALWARE 3.500 # limit tflags BITCOIN_MALWARE publish ##} BITCOIN_MALWARE ##{ BITCOIN_OBFU_SUBJ meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject #score BITCOIN_OBFU_SUBJ 3.500 # limit tflags BITCOIN_OBFU_SUBJ publish ##} BITCOIN_OBFU_SUBJ ##{ BITCOIN_ONAN meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01 describe BITCOIN_ONAN BitCoin + [censored] #score BITCOIN_ONAN 3.000 # limit tflags BITCOIN_ONAN publish ##} BITCOIN_ONAN ##{ BITCOIN_PAY_ME meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 describe BITCOIN_PAY_ME Pay me via BitCoin #score BITCOIN_PAY_ME 3.000 # limit tflags BITCOIN_PAY_ME publish ##} BITCOIN_PAY_ME ##{ BITCOIN_SPAM_01 meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG describe BITCOIN_SPAM_01 BitCoin spam pattern 01 #score BITCOIN_SPAM_01 2.500 # limit tflags BITCOIN_SPAM_01 publish ##} BITCOIN_SPAM_01 ##{ BITCOIN_SPAM_02 meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID describe BITCOIN_SPAM_02 BitCoin spam pattern 02 #score BITCOIN_SPAM_02 2.500 # limit tflags BITCOIN_SPAM_02 publish ##} BITCOIN_SPAM_02 ##{ BITCOIN_SPAM_03 meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ describe BITCOIN_SPAM_03 BitCoin spam pattern 03 #score BITCOIN_SPAM_03 2.500 # limit tflags BITCOIN_SPAM_03 publish ##} BITCOIN_SPAM_03 ##{ BITCOIN_SPAM_04 meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto describe BITCOIN_SPAM_04 BitCoin spam pattern 04 #score BITCOIN_SPAM_04 1.500 # limit tflags BITCOIN_SPAM_04 publish ##} BITCOIN_SPAM_04 ##{ BITCOIN_SPAM_05 meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO describe BITCOIN_SPAM_05 BitCoin spam pattern 05 #score BITCOIN_SPAM_05 2.500 # limit tflags BITCOIN_SPAM_05 net publish ##} BITCOIN_SPAM_05 ##{ BITCOIN_SPAM_06 meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET describe BITCOIN_SPAM_06 BitCoin spam pattern 06 #score BITCOIN_SPAM_06 1.500 # limit tflags BITCOIN_SPAM_06 publish ##} BITCOIN_SPAM_06 ##{ BITCOIN_SPAM_07 meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS describe BITCOIN_SPAM_07 BitCoin spam pattern 07 #score BITCOIN_SPAM_07 3.500 # limit tflags BITCOIN_SPAM_07 publish ##} BITCOIN_SPAM_07 ##{ BITCOIN_SPAM_08 meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ describe BITCOIN_SPAM_08 BitCoin spam pattern 08 #score BITCOIN_SPAM_08 2.500 # limit tflags BITCOIN_SPAM_08 publish ##} BITCOIN_SPAM_08 ##{ BITCOIN_SPAM_09 meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) describe BITCOIN_SPAM_09 BitCoin spam pattern 09 #score BITCOIN_SPAM_09 1.500 # limit tflags BITCOIN_SPAM_09 publish ##} BITCOIN_SPAM_09 ##{ BITCOIN_SPAM_10 meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) describe BITCOIN_SPAM_10 BitCoin spam pattern 10 #score BITCOIN_SPAM_10 2.500 # limit tflags BITCOIN_SPAM_10 publish ##} BITCOIN_SPAM_10 ##{ BITCOIN_SPAM_11 meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU describe BITCOIN_SPAM_11 BitCoin spam pattern 11 #score BITCOIN_SPAM_11 2.500 # limit tflags BITCOIN_SPAM_11 publish ##} BITCOIN_SPAM_11 ##{ BITCOIN_SPAM_12 meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY describe BITCOIN_SPAM_12 BitCoin spam pattern 12 #score BITCOIN_SPAM_12 2.500 # limit tflags BITCOIN_SPAM_12 publish ##} BITCOIN_SPAM_12 ##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID tflags BITCOIN_SPF_ONLYALL net publish describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF #score BITCOIN_SPF_ONLYALL 2.0 # limit endif endif ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ BITCOIN_TOEQFM meta BITCOIN_TOEQFM __BITCOIN_TOEQFM describe BITCOIN_TOEQFM Bitcoin + To same as From #score BITCOIN_TOEQFM 3.500 # limit ##} BITCOIN_TOEQFM ##{ BITCOIN_VISTA meta BITCOIN_VISTA __BITCOIN && __VISTA_MSGID describe BITCOIN_VISTA Bitcoin + old MSFT msgid format #score BITCOIN_VISTA 3.500 # limit ##} BITCOIN_VISTA ##{ BITCOIN_WFH_01 meta BITCOIN_WFH_01 __BITCOIN_WFH_01 describe BITCOIN_WFH_01 Work-from-Home + bitcoin tflags BITCOIN_WFH_01 publish ##} BITCOIN_WFH_01 ##{ BITCOIN_XPRIO meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY describe BITCOIN_XPRIO Bitcoin + priority #score BITCOIN_XPRIO 2.500 # limit ##} BITCOIN_XPRIO ##{ BITCOIN_YOUR_INFO meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01 describe BITCOIN_YOUR_INFO BitCoin with your personal info #score BITCOIN_YOUR_INFO 3.000 # limit tflags BITCOIN_YOUR_INFO publish ##} BITCOIN_YOUR_INFO ##{ BODY_URI_ONLY meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image #score BODY_URI_ONLY 3.000 # limit tflags BODY_URI_ONLY publish ##} BODY_URI_ONLY ##{ BOGUS_MIME_VERSION meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER #score BOGUS_MIME_VERSION 3.500 # limit describe BOGUS_MIME_VERSION Mime version header is bogus tflags BOGUS_MIME_VERSION publish ##} BOGUS_MIME_VERSION ##{ BOGUS_MSM_HDRS meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers #score BOGUS_MSM_HDRS 3.000 # limit tflags BOGUS_MSM_HDRS publish ##} BOGUS_MSM_HDRS ##{ BOMB_FREEM meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto describe BOMB_FREEM Bomb + freemail #score BOMB_FREEM 2.000 # limit tflags BOMB_FREEM publish ##} BOMB_FREEM ##{ BOMB_MONEY meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) describe BOMB_MONEY Bomb + money: bomb threat? #score BOMB_MONEY 2.500 # limit tflags BOMB_MONEY publish ##} BOMB_MONEY ##{ BTC_ORG describe BTC_ORG Bitcoin wallet ID + unusual header #score BTC_ORG 2.500 # limit ##} BTC_ORG ##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST endif ##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED endif ##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD tflags BULK_RE_SUSP_NTLD publish describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD #score BULK_RE_SUSP_NTLD 1.0 # limit endif endif ##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ CANT_SEE_AD meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB describe CANT_SEE_AD You really want to see our spam. #score CANT_SEE_AD 2.500 # limit tflags CANT_SEE_AD publish ##} CANT_SEE_AD ##{ CN_B2B_SPAMMER body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i describe CN_B2B_SPAMMER Chinese company introducing itself tflags CN_B2B_SPAMMER publish ##} CN_B2B_SPAMMER ##{ COMMENT_GIBBERISH meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT describe COMMENT_GIBBERISH Nonsense in long HTML comment #score COMMENT_GIBBERISH 1.50 # limit tflags COMMENT_GIBBERISH publish ##} COMMENT_GIBBERISH ##{ COMPENSATION describe COMPENSATION "Compensation" #score COMPENSATION 1.50 # limit ##} COMPENSATION ##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD endif ##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE endif ##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ CONTENT_AFTER_HTML meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 ) describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs #score CONTENT_AFTER_HTML 2.500 # limit tflags CONTENT_AFTER_HTML publish ##} CONTENT_AFTER_HTML ##{ CONTENT_AFTER_HTML_WEAK meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag #score CONTENT_AFTER_HTML_WEAK 1.500 # limit tflags CONTENT_AFTER_HTML_WEAK publish ##} CONTENT_AFTER_HTML_WEAK ##{ CORRUPT_FROM_LINE_IN_HDRS meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish #score CORRUPT_FROM_LINE_IN_HDRS 0.001 ##} CORRUPT_FROM_LINE_IN_HDRS ##{ CTE_8BIT_MISMATCH meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS) describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees #score CTE_8BIT_MISMATCH 1 tflags CTE_8BIT_MISMATCH publish ##} CTE_8BIT_MISMATCH ##{ CTYPE_001C_A meta CTYPE_001C_A (0) # obsolete ##} CTYPE_001C_A ##{ CTYPE_001C_B header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ ##} CTYPE_001C_B ##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) endif ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ CURR_PRICE body CURR_PRICE /\bCurrent Price:/ ##} CURR_PRICE ##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date endif ##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta DAY_I_EARNED __DAY_I_EARNED >= 3 # score DAY_I_EARNED 3.000 # limit describe DAY_I_EARNED Work-at-home spam tflags DAY_I_EARNED publish endif ##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ DEAR_BENEFICIARY body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i describe DEAR_BENEFICIARY Dear Beneficiary: ##} DEAR_BENEFICIARY ##{ DEAR_WINNER body DEAR_WINNER /\bdear.{1,20}winner/i describe DEAR_WINNER Spam with generic salutation of "dear winner" ##} DEAR_WINNER ##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_BL __DKIMWL_WL_BL tflags DKIMWL_BL net publish describe DKIMWL_BL DKIMwl.org - Blocked sender #score DKIMWL_BL 3.0 # limit endif ##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_BLOCKED __DKIMWL_BLOCKED tflags DKIMWL_BLOCKED net publish describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. #score DKIMWL_BLOCKED 0.001 # limit endif ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) tflags DKIMWL_WL_HIGH net nice publish describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender #score DKIMWL_WL_HIGH -3.0 # limit endif ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MED net nice publish describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender #score DKIMWL_WL_MED -0.5 # limit endif ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MEDHI net nice publish describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender #score DKIMWL_WL_MEDHI -1.0 # limit endif ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DOS_ANAL_SPAM_MAILER header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam tflags DOS_ANAL_SPAM_MAILER publish ##} DOS_ANAL_SPAM_MAILER ##{ DOS_BODY_HIGH_NO_MID meta DOS_BODY_HIGH_NO_MID __HIGHBITS && MISSING_MID describe DOS_BODY_HIGH_NO_MID High bit body and no message ID header ##} DOS_BODY_HIGH_NO_MID ##{ DOS_DEREK_AUG08 meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) ##} DOS_DEREK_AUG08 ##{ DOS_FIX_MY_URI meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam ##} DOS_FIX_MY_URI ##{ DOS_HIGH_BAT_TO_MX meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits ##} DOS_HIGH_BAT_TO_MX ##{ DOS_LET_GO_JOB meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! ##} DOS_LET_GO_JOB ##{ DOS_OE_TO_MX meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE describe DOS_OE_TO_MX Delivered direct to MX with OE headers ##} DOS_OE_TO_MX ##{ DOS_OE_TO_MX_IMAGE meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image ##} DOS_OE_TO_MX_IMAGE ##{ DOS_OUTLOOK_TO_MX meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers ##} DOS_OUTLOOK_TO_MX ##{ DOS_RCVD_IP_TWICE_C header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/ describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) ##} DOS_RCVD_IP_TWICE_C ##{ DOS_STOCK_BAT meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) describe DOS_STOCK_BAT Probable pump and dump stock spam ##} DOS_STOCK_BAT ##{ DOS_STOCK_BAT2 meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) ##} DOS_STOCK_BAT2 ##{ DOS_URI_ASTERISK uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} describe DOS_URI_ASTERISK Found an asterisk in a URI ##} DOS_URI_ASTERISK ##{ DOS_YOUR_PLACE meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) describe DOS_YOUR_PLACE Russian dating spam ##} DOS_YOUR_PLACE ##{ DOTGOV_IMAGE meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS describe DOTGOV_IMAGE .gov URI + hosted image #score DOTGOV_IMAGE 3.000 # limit tflags DOTGOV_IMAGE publish ##} DOTGOV_IMAGE ##{ DRUGS_HDIA header DRUGS_HDIA Subject =~ /\bhoodia\b/i describe DRUGS_HDIA Subject mentions "hoodia" ##} DRUGS_HDIA ##{ DSN_NO_MIMEVERSION meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION) describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header #score DSN_NO_MIMEVERSION 2 ##} DSN_NO_MIMEVERSION ##{ DX_TEXT_02 body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i describe DX_TEXT_02 "change your message stat" tflags DX_TEXT_02 publish ##} DX_TEXT_02 ##{ DX_TEXT_03 body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ describe DX_TEXT_03 "XXX Media Group" tflags DX_TEXT_03 publish ##} DX_TEXT_03 ##{ DYNAMIC_IMGUR meta DYNAMIC_IMGUR __DYNAMIC_IMGUR describe DYNAMIC_IMGUR dynamic IP + hosted image #score DYNAMIC_IMGUR 4.000 # limit tflags DYNAMIC_IMGUR publish ##} DYNAMIC_IMGUR ##{ DYN_RDNS_AND_INLINE_IMAGE meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS ##} DYN_RDNS_AND_INLINE_IMAGE ##{ DYN_RDNS_SHORT_HELO_HTML meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML ##} DYN_RDNS_SHORT_HELO_HTML ##{ DYN_RDNS_SHORT_HELO_IMAGE meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image ##} DYN_RDNS_SHORT_HELO_IMAGE ##{ EBAY_IMG_NOT_RCVD_EBAY meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay tflags EBAY_IMG_NOT_RCVD_EBAY publish ##} EBAY_IMG_NOT_RCVD_EBAY ##{ EMRCP body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i describe EMRCP "Excess Maximum Return Capital Profit" scam tflags EMRCP publish ##} EMRCP ##{ ENCRYPTED_MESSAGE meta ENCRYPTED_MESSAGE __CT_ENCRYPTED describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam #score ENCRYPTED_MESSAGE -1.000 tflags ENCRYPTED_MESSAGE nice publish ##} ENCRYPTED_MESSAGE ##{ END_FUTURE_EMAILS describe END_FUTURE_EMAILS Spammy unsubscribe #score END_FUTURE_EMAILS 2.500 # limit ##} END_FUTURE_EMAILS ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER endif ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED endif ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ ENVFROM_GOOG_TRIX meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY describe ENVFROM_GOOG_TRIX From suspicious Google subdomain #score ENVFROM_GOOG_TRIX 3.000 # limit tflags ENVFROM_GOOG_TRIX publish ##} ENVFROM_GOOG_TRIX ##{ EXCUSE_24 body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i describe EXCUSE_24 Claims you wanted this ad ##} EXCUSE_24 ##{ FACEBOOK_IMG_NOT_RCVD_FB meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP #score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook tflags FACEBOOK_IMG_NOT_RCVD_FB publish ##} FACEBOOK_IMG_NOT_RCVD_FB ##{ FAKE_REPLY_C meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) ##} FAKE_REPLY_C ##{ FBI_MONEY meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY describe FBI_MONEY The FBI wants to give you lots of money? #score FBI_MONEY 2.00 # limit tflags FBI_MONEY publish ##} FBI_MONEY ##{ FBI_SPOOF meta FBI_SPOOF __FBI_SPOOF describe FBI_SPOOF Claims to be FBI, but not from FBI domain #score FBI_SPOOF 2.00 # limit tflags FBI_SPOOF publish ##} FBI_SPOOF ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML describe FILL_THIS_FORM Fill in a form with personal information tflags FILL_THIS_FORM publish endif ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE describe FILL_THIS_FORM_LOAN Answer loan question(s) # score FILL_THIS_FORM_LOAN 2.0 endif ##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY describe FILL_THIS_FORM_LONG Fill in a form with personal information # score FILL_THIS_FORM_LONG 2.00 # limit endif ##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX describe FONT_INVIS_DIRECT Invisible text + direct-to-MX # score FONT_INVIS_DIRECT 3.500 # limit tflags FONT_INVIS_DIRECT publish endif ##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID describe FONT_INVIS_DOTGOV Invisible text + .gov URI # score FONT_INVIS_DOTGOV 3.500 # limit tflags FONT_INVIS_DOTGOV publish endif ##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML # score FONT_INVIS_HTML_NOHTML 3.000 # limit tflags FONT_INVIS_HTML_NOHTML publish endif ##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET describe FONT_INVIS_LONG_LINE Invisible text + long lines # score FONT_INVIS_LONG_LINE 3.000 # limit tflags FONT_INVIS_LONG_LINE publish endif ##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA describe FONT_INVIS_MSGID Invisible text + suspicious message ID # score FONT_INVIS_MSGID 2.500 # limit tflags FONT_INVIS_MSGID publish endif ##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER describe FONT_INVIS_NORDNS Invisible text + no rDNS # score FONT_INVIS_NORDNS 2.500 # limit tflags FONT_INVIS_NORDNS publish endif ##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI # score FONT_INVIS_POSTEXTRAS 3.500 # limit tflags FONT_INVIS_POSTEXTRAS publish endif ##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FORGED_SPF_HELO meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS ##} FORGED_SPF_HELO ##{ FORM_FRAUD meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK describe FORM_FRAUD Fill a form and a fraud phrase #score FORM_FRAUD 1.000 # limit tflags FORM_FRAUD publish ##} FORM_FRAUD ##{ FORM_FRAUD_3 meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED describe FORM_FRAUD_3 Fill a form and several fraud phrases tflags FORM_FRAUD_3 publish ##} FORM_FRAUD_3 ##{ FORM_FRAUD_5 meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE describe FORM_FRAUD_5 Fill a form and many fraud phrases tflags FORM_FRAUD_5 publish ##} FORM_FRAUD_5 ##{ FOUND_YOU meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO #score FOUND_YOU 3.25 # limit describe FOUND_YOU I found you... tflags FOUND_YOU publish ##} FOUND_YOU ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different # score FREEMAIL_FORGED_FROMDOMAIN 0.25 tflags FREEMAIL_FORGED_FROMDOMAIN publish endif endif endif ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ##{ FREEMAIL_WFH_01 meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 describe FREEMAIL_WFH_01 Work-from-Home + freemail tflags FREEMAIL_WFH_01 publish ##} FREEMAIL_WFH_01 ##{ FREEM_FRNUM_UNICD_EMPTY meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit tflags FREEM_FRNUM_UNICD_EMPTY publish ##} FREEM_FRNUM_UNICD_EMPTY ##{ FRNAME_IN_MSG_XPRIO_NO_SUB meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish ##} FRNAME_IN_MSG_XPRIO_NO_SUB ##{ FROM_ADDR_WS meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL describe FROM_ADDR_WS Malformed From address #score FROM_ADDR_WS 3.000 # limit tflags FROM_ADDR_WS publish ##} FROM_ADDR_WS ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) tflags FROM_BANK_NOAUTH publish net describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM #score FROM_BANK_NOAUTH 1.0 # limit endif endif ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. tflags FROM_FMBLA_NDBLOCKED net publish #score FROM_FMBLA_NDBLOCKED 0.001 # limit endif endif ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days tflags FROM_FMBLA_NEWDOM net #score FROM_FMBLA_NEWDOM 1.5 # limit endif endif ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days tflags FROM_FMBLA_NEWDOM14 publish net #score FROM_FMBLA_NEWDOM14 1.0 # limit endif endif ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days tflags FROM_FMBLA_NEWDOM28 net publish #score FROM_FMBLA_NEWDOM28 0.8 # limit endif endif ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV tflags FROM_GOV_DKIM_AU net nice publish describe FROM_GOV_DKIM_AU From Government address and DKIM signed #score FROM_GOV_DKIM_AU -1.0 # limit endif endif ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU tflags FROM_GOV_REPLYTO_FREEMAIL net publish describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL #score FROM_GOV_REPLYTO_FREEMAIL 2.0 endif endif ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED) tflags FROM_GOV_SPOOF net publish describe FROM_GOV_SPOOF From Government domain but matches SPOOFED #score FROM_GOV_SPOOF 1.0 # limit endif endif ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_IN_TO_AND_SUBJ meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID describe FROM_IN_TO_AND_SUBJ From address is in To and Subject tflags FROM_IN_TO_AND_SUBJ publish ##} FROM_IN_TO_AND_SUBJ ##{ FROM_LONG_DOM meta FROM_LONG_DOM __FROM_LONG_DOM && !FROM_LONG_DOM_MINFP describe FROM_LONG_DOM Absurdly long From domain name #score FROM_LONG_DOM 1.500 # limit tflags FROM_LONG_DOM publish ##} FROM_LONG_DOM ##{ FROM_LONG_DOM_MINFP meta FROM_LONG_DOM_MINFP __FROM_LONG_DOM && !__RCD_RDNS_MAIL_MESSY && !__ENV_AND_HDR_FROM_MATCH describe FROM_LONG_DOM_MINFP Absurdly long From domain name, suspicious relays #score FROM_LONG_DOM_MINFP 2.500 # limit tflags FROM_LONG_DOM_MINFP publish ##} FROM_LONG_DOM_MINFP ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA describe FROM_MISSP_FREEMAIL From misspaced + freemail provider endif ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ FROM_MISSP_MSFT meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool ##} FROM_MISSP_MSFT ##{ FROM_MISSP_PHISH meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish #score FROM_MISSP_PHISH 3.500 # limit ##} FROM_MISSP_PHISH ##{ FROM_MISSP_REPLYTO meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB describe FROM_MISSP_REPLYTO From misspaced, has Reply-To #score FROM_MISSP_REPLYTO 2.500 # limit ##} FROM_MISSP_REPLYTO ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) tflags FROM_MISSP_SPF_FAIL net # score FROM_MISSP_SPF_FAIL 2.00 # limit endif ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ FROM_MISSP_TO_UNDISC meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed ##} FROM_MISSP_TO_UNDISC ##{ FROM_MISSP_USER meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) describe FROM_MISSP_USER From misspaced, from "User" ##} FROM_MISSP_USER ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID #score FROM_NEWDOM_BTC 2.0 # limit tflags FROM_NEWDOM_BTC net endif endif ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY tflags FROM_NTLD_LINKBAIT publish describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI #score FROM_NTLD_LINKBAIT 2.0 # limit endif endif ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD tflags FROM_NTLD_REPLY_FREEMAIL publish describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit endif endif ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit tflags FROM_NUMBERO_NEWDOMAIN net publish endif endif ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) tflags FROM_PAYPAL_SPOOF publish net describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED #score FROM_PAYPAL_SPOOF 1.6 # limit endif endif ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD tflags FROM_SUSPICIOUS_NTLD publish describe FROM_SUSPICIOUS_NTLD From abused NTLD #score FROM_SUSPICIOUS_NTLD 0.5 # limit endif endif ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST tflags FROM_SUSPICIOUS_NTLD_FP publish describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit endif endif ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_UNBAL1 header FROM_UNBAL1 From:raw =~ / < [^>]* $/xm describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing ##} FROM_UNBAL1 ##{ FROM_UNBAL2 header FROM_UNBAL2 From:raw =~ /^ [^<]* > /xm describe FROM_UNBAL2 From with unbalanced angle brackets, '<' missing ##} FROM_UNBAL2 ##{ FROM_WSP_LEAD header FROM_WSP_LEAD From:raw =~ /< \s+ [^>\s] [^>]* > [^<>]* \z/xm describe FROM_WSP_LEAD Leading whitespace after '<' in From header field ##} FROM_WSP_LEAD ##{ FSL_BULK_SIG meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 && !__RCVD_IN_DNSWL describe FSL_BULK_SIG Bulk signature with no Unsubscribe #score FSL_BULK_SIG 2.500 # limit tflags FSL_BULK_SIG net publish ##} FSL_BULK_SIG ##{ FSL_CTYPE_WIN1251 header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/ describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam ##} FSL_CTYPE_WIN1251 ##{ FSL_FAKE_HOTMAIL_RVCD header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ ##} FSL_FAKE_HOTMAIL_RVCD ##{ FSL_HELO_BARE_IP_1 meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED ##} FSL_HELO_BARE_IP_1 ##{ FSL_HELO_DEVICE header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i ##} FSL_HELO_DEVICE ##{ FSL_HELO_NON_FQDN_1 header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i ##} FSL_HELO_NON_FQDN_1 ##{ FSL_HELO_SETUP header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i ##} FSL_HELO_SETUP ##{ FSL_INTERIA_ABUSE uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/ ##} FSL_INTERIA_ABUSE ##{ FSL_NEW_HELO_USER meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3) describe FSL_NEW_HELO_USER Spam's using Helo and User #score FSL_NEW_HELO_USER 2.0 tflags FSL_NEW_HELO_USER publish ##} FSL_NEW_HELO_USER ##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i describe FUZZY_AMAZON Obfuscated "amazon" tflags FUZZY_AMAZON publish endif ##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><D>/i describe FUZZY_ANDROID Obfuscated "android" tflags FUZZY_ANDROID publish endif ##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><L><E>(?:$|\W)/i describe FUZZY_APPLE Obfuscated "apple" tflags FUZZY_APPLE publish endif ##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_BITCOIN /(?=)(?!bit[-\s]?coin)[-\s]?[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?[-\s]?<N>/i describe FUZZY_BITCOIN Obfuscated "Bitcoin" tflags FUZZY_BITCOIN publish endif ##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_BROWSER /(?=)(?!browser)<R><O><W><S><E><R>/i describe FUZZY_BROWSER Obfuscated "browser" tflags FUZZY_BROWSER publish endif ##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" tflags FUZZY_BTC_WALLET publish endif ##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s| )here)<C><WS>*<L><WS>*<WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i describe FUZZY_CLICK_HERE Obfuscated "click here" tflags FUZZY_CLICK_HERE publish endif ##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML describe FUZZY_DR_OZ Obfuscated Doctor Oz tflags FUZZY_DR_OZ publish endif ##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><O><O><K>/i describe FUZZY_FACEBOOK Obfuscated "facebook" tflags FUZZY_FACEBOOK publish endif ##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_HARRIS /(?:^|\W)(?=<H>)(?!harris)<H><A><R><R><S>(?:$|\W)/i describe FUZZY_HARRIS Obfuscated "Harris" tflags FUZZY_HARRIS publish endif ##} FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_IMPORTANT /(?=)(?!important)(?:<M>|<N>)<O><R><T><A><N><T>/i describe FUZZY_IMPORTANT Obfuscated "important" tflags FUZZY_IMPORTANT publish endif ##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><D><A>\b/i describe FUZZY_MERIDIA Obfuscation of the word "meridia" endif ##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><C><R><O><S><O><F><T>/i describe FUZZY_MICROSOFT Obfuscated "microsoft" tflags FUZZY_MICROSOFT publish endif ##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MONERO meta FUZZY_MONERO __FUZZY_MONERO describe FUZZY_MONERO Obfuscated "Monero" tflags FUZZY_MONERO publish ##} FUZZY_MONERO ##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i describe FUZZY_NORTON Obfuscated "norton" tflags FUZZY_NORTON publish endif ##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i describe FUZZY_OVERSTOCK Obfuscated "overstock" tflags FUZZY_OVERSTOCK publish endif ##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PAYPAL /(?:^|\W)(?=)(?!pay[-\s]?pal)<A><Y>[-\s]?<A><L>(?:$|\W)/i describe FUZZY_PAYPAL Obfuscated "paypal" tflags FUZZY_PAYPAL publish endif ##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT ) describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic" tflags FUZZY_PORN publish endif ##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PRIVACY /(?=)(?!privacy)<R><V><A><C><Y>/i describe FUZZY_PRIVACY Obfuscated "privacy" tflags FUZZY_PRIVACY publish endif ##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PROMOTION /(?=)(?!promotion)<R><O><M><O><T><O><N>/i describe FUZZY_PROMOTION Obfuscated "promotion" tflags FUZZY_PROMOTION publish endif ##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><N><G><S>/i describe FUZZY_SAVINGS Obfuscated "savings" tflags FUZZY_SAVINGS publish endif ##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<R>(?:<T><Y>|<D><A><D>)/i describe FUZZY_SECURITY Obfuscated "security" tflags FUZZY_SECURITY publish endif ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_TRUMP /(?:^|\W)(?=<T>)(?!trump)<T><R><M>(?:$|\W)/i describe FUZZY_TRUMP Obfuscated "Trump" tflags FUZZY_TRUMP publish endif ##} FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_TRUSTWALLET __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM describe FUZZY_TRUSTWALLET Obfuscated "Trust Wallet", probable phishing tflags FUZZY_TRUSTWALLET publish endif ##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_UNSUBSCRIBE /(?=)(?!unsubscribe)<N><S><S><C><R><E>/i describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" tflags FUZZY_UNSUBSCRIBE publish endif ##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i describe FUZZY_WALLET Obfuscated "Wallet" tflags FUZZY_WALLET publish endif ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo" tflags FUZZY_WELLSFARGO publish endif ##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto # score GAPPY_SALES_LEADS_FREEM 3.500 # limit tflags GAPPY_SALES_LEADS_FREEM publish endif ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ GB_BITCOIN_CP meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE ) describe GB_BITCOIN_CP Localized Bitcoin scam #score GB_BITCOIN_CP 3.0 # limit ##} GB_BITCOIN_CP ##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI ) describe GB_CUSTOM_HTM_URI Custom html uri # score GB_CUSTOM_HTM_URI 1.500 # limit tflags GB_CUSTOM_HTM_URI publish endif endif ##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) ##{ GB_FAKE_RF_SHORT meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER ) describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener #score GB_FAKE_RF_SHORT 2.000 # limit tflags GB_FAKE_RF_SHORT publish ##} GB_FAKE_RF_SHORT ##{ GB_FAKE_SIGNED_MICROSOFT meta GB_FAKE_SIGNED_MICROSOFT ( __GB_FROM_MICROSOFT && ( __GB_ONMICROSOFT_RF && !__AUTOREPLY_ASU ) && DKIM_VALID_AU ) describe GB_FAKE_SIGNED_MICROSOFT Fake Microsoft signed emails #score GB_FAKE_SIGNED_MICROSOFT 2.500 # limit ##} GB_FAKE_SIGNED_MICROSOFT ##{ GB_FORGED_MUA_POSTFIX meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 ) describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers tflags GB_FORGED_MUA_POSTFIX publish #score GB_FORGED_MUA_POSTFIX 2.0 # limit ##} GB_FORGED_MUA_POSTFIX ##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe ) describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails # score GB_FREEMAIL_DISPTO 0.50 # limit tflags GB_FREEMAIL_DISPTO publish endif ##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM ) describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail # score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit tflags GB_FREEMAIL_DISPTO_NOTFREEM publish endif ##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ GB_GOOGLE_AMP uri GB_GOOGLE_AMP /https?:\/\/(?:www\.)?google\..{2,6}\/amp\/.{3,128}/i describe GB_GOOGLE_AMP Google Amp abused service #score GB_GOOGLE_AMP 0.5 # limit ##} GB_GOOGLE_AMP ##{ GB_GOOGLE_OBFUR uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/ describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect #score GB_GOOGLE_OBFUR 0.75 # limit tflags GB_GOOGLE_OBFUR publish ##} GB_GOOGLE_OBFUR ##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b') tflags GB_HASHBL_BTC net publish describe GB_HASHBL_BTC Message contains BTC address found on BTCBL # score GB_HASHBL_BTC 5.0 # limit endif endif ##} GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL ##{ GEO_QUERY_STRING uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i ##} GEO_QUERY_STRING ##{ GOOGLE_DOCS_PHISH meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form #score GOOGLE_DOCS_PHISH 3.00 # limit tflags GOOGLE_DOCS_PHISH publish ##} GOOGLE_DOCS_PHISH ##{ GOOGLE_DOCS_PHISH_MANY meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form #score GOOGLE_DOCS_PHISH_MANY 4.00 # limit tflags GOOGLE_DOCS_PHISH_MANY publish ##} GOOGLE_DOCS_PHISH_MANY ##{ GOOGLE_DOC_SUSP meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG describe GOOGLE_DOC_SUSP Suspicious use of Google Docs #score GOOGLE_DOC_SUSP 3.000 # limit tflags GOOGLE_DOC_SUSP publish ##} GOOGLE_DOC_SUSP ##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD #score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit endif endif ##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ GOOG_MALWARE_DNLD meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD describe GOOG_MALWARE_DNLD File download via Google - Malware? #score GOOG_MALWARE_DNLD 5.000 # limit tflags GOOG_MALWARE_DNLD publish ##} GOOG_MALWARE_DNLD ##{ GOOG_REDIR_DOCUSIGN uri GOOG_REDIR_DOCUSIGN m;://(?:[^/]+\.)?google\.(?:com|(?:com?\.)?[a-z][a-z])/url\?.*q=https?://www\.docusign\.com/;i describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing tflags GOOG_REDIR_DOCUSIGN publish ##} GOOG_REDIR_DOCUSIGN ##{ GOOG_REDIR_FRAUD meta GOOG_REDIR_FRAUD __GOOG_REDIR && __FRAUD describe GOOG_REDIR_FRAUD Google redirect to obscure spamvertised website + fraud keywords tflags GOOG_REDIR_FRAUD publish #score GOOG_REDIR_FRAUD 1.500 # limit ##} GOOG_REDIR_FRAUD ##{ GOOG_REDIR_HTML_ONLY meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) # && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512 describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only tflags GOOG_REDIR_HTML_ONLY publish #score GOOG_REDIR_HTML_ONLY 1.500 # limit ##} GOOG_REDIR_HTML_ONLY ##{ GOOG_REDIR_NORDNS meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE && !__MXG_HAS_PHONE04 && !__RELAY_THRU_WWW describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS tflags GOOG_REDIR_NORDNS publish #score GOOG_REDIR_NORDNS 1.500 # limit ##} GOOG_REDIR_NORDNS ##{ GOOG_REDIR_NOTRDNS meta GOOG_REDIR_NOTRDNS __GOOG_REDIR && __HELO_NOT_RDNS describe GOOG_REDIR_NOTRDNS Google redirect to obscure spamvertised website + HELO is not rDNS tflags GOOG_REDIR_NOTRDNS publish #score GOOG_REDIR_NOTRDNS 1.500 # limit ##} GOOG_REDIR_NOTRDNS ##{ GOOG_REDIR_SHORT meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message tflags GOOG_REDIR_SHORT publish #score GOOG_REDIR_SHORT 1.500 # limit ##} GOOG_REDIR_SHORT ##{ GOOG_REDIR_STATICRDNS meta GOOG_REDIR_STATICRDNS __GOOG_REDIR && __BUG6919_RDNS_STATIC describe GOOG_REDIR_STATICRDNS Google redirect to obscure spamvertised website + static rDNS tflags GOOG_REDIR_STATICRDNS publish #score GOOG_REDIR_STATICRDNS 1.500 # limit ##} GOOG_REDIR_STATICRDNS ##{ GOOG_STO_EMAIL_PHISH meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT) describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address #score GOOG_STO_EMAIL_PHISH 3.00 # limit tflags GOOG_STO_EMAIL_PHISH publish ##} GOOG_STO_EMAIL_PHISH ##{ GOOG_STO_HTML_PHISH meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL #score GOOG_STO_HTML_PHISH 3.00 # limit tflags GOOG_STO_HTML_PHISH publish ##} GOOG_STO_HTML_PHISH ##{ GOOG_STO_HTML_PHISH_MANY meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL #score GOOG_STO_HTML_PHISH_MANY 4.00 # limit tflags GOOG_STO_HTML_PHISH_MANY publish ##} GOOG_STO_HTML_PHISH_MANY ##{ GOOG_STO_IMG_HTML meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL #score GOOG_STO_IMG_HTML 3.000 # limit tflags GOOG_STO_IMG_HTML publish ##} GOOG_STO_IMG_HTML ##{ GOOG_STO_IMG_NOHTML meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL #score GOOG_STO_IMG_NOHTML 2.500 # limit tflags GOOG_STO_IMG_NOHTML publish ##} GOOG_STO_IMG_NOHTML ##{ GOOG_STO_NOIMG_HTML meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL #score GOOG_STO_NOIMG_HTML 3.000 # limit tflags GOOG_STO_NOIMG_HTML publish ##} GOOG_STO_NOIMG_HTML ##{ HAS_X_NO_RELAY meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 describe HAS_X_NO_RELAY Has spammy header #score HAS_X_NO_RELAY 2.500 # limit tflags HAS_X_NO_RELAY publish ##} HAS_X_NO_RELAY ##{ HAS_X_OUTGOING_SPAM_STAT meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results? #score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit tflags HAS_X_OUTGOING_SPAM_STAT publish ##} HAS_X_OUTGOING_SPAM_STAT ##{ HDRS_LCASE describe HDRS_LCASE Odd capitalization of message header #score HDRS_LCASE 0.10 # limit ##} HDRS_LCASE ##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO endif ##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) ##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO endif ##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ HDRS_MISSP meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY) describe HDRS_MISSP Misspaced headers #score HDRS_MISSP 2.500 # limit tflags HDRS_MISSP publish ##} HDRS_MISSP ##{ HDR_ORDER_FTSDMCXX_001C meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C) describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant) ##} HDR_ORDER_FTSDMCXX_001C ##{ HDR_ORDER_FTSDMCXX_BAT meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY) describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant) ##} HDR_ORDER_FTSDMCXX_BAT ##{ HDR_ORDER_FTSDMCXX_DIRECT meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX #score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit tflags HDR_ORDER_FTSDMCXX_DIRECT publish ##} HDR_ORDER_FTSDMCXX_DIRECT ##{ HDR_ORDER_FTSDMCXX_NORDNS meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS #score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit tflags HDR_ORDER_FTSDMCXX_NORDNS publish ##} HDR_ORDER_FTSDMCXX_NORDNS ##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999') describe HEADER_COUNT_SUBJECT Multiple Subject headers found endif ##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains() describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different # score HEADER_FROM_DIFFERENT_DOMAINS 0.25 tflags HEADER_FROM_DIFFERENT_DOMAINS publish endif endif endif ##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ##{ HELO_FRIEND header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i ##} HELO_FRIEND ##{ HELO_LH_LD header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i ##} HELO_LH_LD ##{ HELO_LOCALHOST header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i ##} HELO_LOCALHOST ##{ HELO_NO_DOMAIN meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST describe HELO_NO_DOMAIN Relay reports its domain incorrectly tflags HELO_NO_DOMAIN publish ##} HELO_NO_DOMAIN ##{ HELO_OEM header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i ##} HELO_OEM ##{ HEXHASH_WORD meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER describe HEXHASH_WORD Multiple instances of word + hexadecimal hash #score HEXHASH_WORD 3.000 # limit tflags HEXHASH_WORD publish ##} HEXHASH_WORD ##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/ #score HK_CTE_RAW 2 tflags HK_CTE_RAW publish endif ##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ HK_LOTTO meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT #score HK_LOTTO 1 ##} HK_LOTTO ##{ HK_NAME_DRUGS header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi describe HK_NAME_DRUGS From name contains drugs #score HK_NAME_DRUGS 2 ##} HK_NAME_DRUGS ##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM # score HK_NAME_FM_MR_MRS 1.5 endif endif ##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM # score HK_NAME_FROM 1.0 endif endif ##} HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM # score HK_NAME_MR_MRS 1.0 endif endif ##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ HK_RANDOM_ENVFROM header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_ENVFROM Envelope sender username looks random #score HK_RANDOM_ENVFROM 1 tflags HK_RANDOM_ENVFROM publish ##} HK_RANDOM_ENVFROM ##{ HK_RANDOM_FROM header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_FROM From username looks random #score HK_RANDOM_FROM 1 tflags HK_RANDOM_FROM publish ##} HK_RANDOM_FROM ##{ HK_RANDOM_REPLYTO header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_REPLYTO Reply-To username looks random #score HK_RANDOM_REPLYTO 1 tflags HK_RANDOM_REPLYTO publish ##} HK_RANDOM_REPLYTO ##{ HK_RCVD_IP_MULTICAST header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./ #score HK_RCVD_IP_MULTICAST 2 tflags HK_RCVD_IP_MULTICAST publish ##} HK_RCVD_IP_MULTICAST ##{ HK_SCAM meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25 #score HK_SCAM 2 tflags HK_SCAM publish ##} HK_SCAM ##{ HOSTED_IMG_DIRECT_MX meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON #score HOSTED_IMG_DIRECT_MX 3.500 # limit describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx tflags HOSTED_IMG_DIRECT_MX publish ##} HOSTED_IMG_DIRECT_MX ##{ HOSTED_IMG_DQ_UNSUB meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB #score HOSTED_IMG_DQ_UNSUB 3.500 # limit describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm, CDN or hosting site, IP addr unsub link tflags HOSTED_IMG_DQ_UNSUB publish ##} HOSTED_IMG_DQ_UNSUB ##{ HOSTED_IMG_FREEM meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED #score HOSTED_IMG_FREEM 3.500 # limit describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to tflags HOSTED_IMG_FREEM publish ##} HOSTED_IMG_FREEM ##{ HOSTED_IMG_MULTI meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL #score HOSTED_IMG_MULTI 3.000 # limit describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected tflags HOSTED_IMG_MULTI publish ##} HOSTED_IMG_MULTI ##{ HOSTED_IMG_MULTI_PUB_01 meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site #score HOSTED_IMG_MULTI_PUB_01 3.000 # limit tflags HOSTED_IMG_MULTI_PUB_01 publish ##} HOSTED_IMG_MULTI_PUB_01 ##{ HREF_EMPTY_NORDNS meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS describe HREF_EMPTY_NORDNS Empty href + no rDNS #score HREF_EMPTY_NORDNS 2.500 # limit tflags HREF_EMPTY_NORDNS publish ##} HREF_EMPTY_NORDNS ##{ HREF_EMPTY_PHPMAIL meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer #score HREF_EMPTY_PHPMAIL 2.500 # limit tflags HREF_EMPTY_PHPMAIL publish ##} HREF_EMPTY_PHPMAIL ##{ HREF_EMPTY_XANTIABUSE meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse #score HREF_EMPTY_XANTIABUSE 2.500 # limit tflags HREF_EMPTY_XANTIABUSE publish ##} HREF_EMPTY_XANTIABUSE ##{ HREF_EMPTY_XAUTHED meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender #score HREF_EMPTY_XAUTHED 2.500 # limit tflags HREF_EMPTY_XAUTHED publish ##} HREF_EMPTY_XAUTHED ##{ HTML_BADATTR describe HTML_BADATTR Illegal char in HTML attribute name rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/ #score HTML_BADATTR 1 tflags HTML_BADATTR publish ##} HTML_BADATTR ##{ HTML_ENTITY_ASCII meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP describe HTML_ENTITY_ASCII Obfuscated ASCII #score HTML_ENTITY_ASCII 3.000 # limit tflags HTML_ENTITY_ASCII publish ##} HTML_ENTITY_ASCII ##{ HTML_ENTITY_ASCII_TINY meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts #score HTML_ENTITY_ASCII_TINY 3.000 # limit tflags HTML_ENTITY_ASCII_TINY publish ##} HTML_ENTITY_ASCII_TINY ##{ HTML_FONT_TINY_NORDNS meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS #score HTML_FONT_TINY_NORDNS 2.000 # limit ##} HTML_FONT_TINY_NORDNS ##{ HTML_OFF_PAGE meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS describe HTML_OFF_PAGE HTML element rendered well off the displayed page #score HTML_OFF_PAGE 3.000 # limit tflags HTML_OFF_PAGE publish ##} HTML_OFF_PAGE ##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments # score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit tflags HTML_SHRT_CMNT_OBFU_MANY publish endif ##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTML_SINGLET_MANY meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP describe HTML_SINGLET_MANY Many single-letter HTML format blocks #score HTML_SINGLET_MANY 2.500 # limit tflags HTML_SINGLET_MANY publish ##} HTML_SINGLET_MANY ##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY describe HTML_TAG_BALANCE_CENTER Malformatted HTML endif ##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval ##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation? # score HTML_TEXT_INVISIBLE_FONT 2.000 # limit tflags HTML_TEXT_INVISIBLE_FONT publish endif ##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs # score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit tflags HTML_TEXT_INVISIBLE_STYLE publish endif ##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') endif ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch ##{ IMG_DIRECT_TO_MX meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K ##} IMG_DIRECT_TO_MX ##{ IMG_ONLY_FM_DOM_INFO meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain #score IMG_ONLY_FM_DOM_INFO 2.500 # limit tflags IMG_ONLY_FM_DOM_INFO publish ##} IMG_ONLY_FM_DOM_INFO ##{ JH_SPAMMY_HEADERS meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam #score JH_SPAMMY_HEADERS 3.500 # limit tflags JH_SPAMMY_HEADERS publish ##} JH_SPAMMY_HEADERS ##{ JH_SPAMMY_PATTERN01 rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign #score JH_SPAMMY_PATTERN01 3.000 # limit tflags JH_SPAMMY_PATTERN01 publish ##} JH_SPAMMY_PATTERN01 ##{ JH_SPAMMY_PATTERN02 rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign #score JH_SPAMMY_PATTERN02 3.000 # limit tflags JH_SPAMMY_PATTERN02 publish ##} JH_SPAMMY_PATTERN02 ##{ JM_I_FEEL_LUCKY uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/ tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign ##} JM_I_FEEL_LUCKY ##{ JM_RCVD_QMAILV1 header JM_RCVD_QMAILV1 Received =~ /by \S+ $Qmailv1$ with ESMTP/ ##} JM_RCVD_QMAILV1 ##{ JM_TORA_XM meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO) ##} JM_TORA_XM ##{ KB_DATE_CONTAINS_TAB meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB #score KB_DATE_CONTAINS_TAB 0.5 ##} KB_DATE_CONTAINS_TAB ##{ KB_FAKED_THE_BAT meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB) ##} KB_FAKED_THE_BAT ##{ KB_RATWARE_BOUNDARY meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B ##} KB_RATWARE_BOUNDARY ##{ KB_RATWARE_MSGID meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA) ##} KB_RATWARE_MSGID ##{ KB_RATWARE_OUTLOOK_08 header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # " ##} KB_RATWARE_OUTLOOK_08 ##{ KB_RATWARE_OUTLOOK_12 header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " ##} KB_RATWARE_OUTLOOK_12 ##{ KB_RATWARE_OUTLOOK_16 header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " ##} KB_RATWARE_OUTLOOK_16 ##{ KB_RATWARE_OUTLOOK_MID header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi ##} KB_RATWARE_OUTLOOK_MID ##{ KHOP_FAKE_EBAY meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay ##} KHOP_FAKE_EBAY ##{ KHOP_HELO_FCRDNS meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT) describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS #score KHOP_HELO_FCRDNS 0.4 # 20090603 ##} KHOP_HELO_FCRDNS ##{ LINKEDIN_IMG_NOT_RCVD_LNKN meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT #score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish ##} LINKEDIN_IMG_NOT_RCVD_LNKN ##{ LIST_PARTIAL_SHORT_MSG meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message #score LIST_PARTIAL_SHORT_MSG 2.500 # limit ##} LIST_PARTIAL_SHORT_MSG ##{ LIST_PRTL_PUMPDUMP meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump #score LIST_PRTL_PUMPDUMP 2.000 # limit tflags LIST_PRTL_PUMPDUMP publish ##} LIST_PRTL_PUMPDUMP ##{ LIST_PRTL_SAME_USER meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same #score LIST_PRTL_SAME_USER 3.000 # limit tflags LIST_PRTL_SAME_USER publish ##} LIST_PRTL_SAME_USER ##{ LIVEFILESTORE uri LIVEFILESTORE m~livefilestore.com/~ ##} LIVEFILESTORE ##{ LONGLN_LOW_CONTRAST meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY describe LONGLN_LOW_CONTRAST Excessively long line + hidden text #score LONGLN_LOW_CONTRAST 2.500 # limit ##} LONGLN_LOW_CONTRAST ##{ LONG_HEX_URI meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 && !__IMG_S3_AWS describe LONG_HEX_URI Very long purely hexadecimal URI #score LONG_HEX_URI 3.000 # limit tflags LONG_HEX_URI publish ##} LONG_HEX_URI ##{ LONG_IMG_URI meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO describe LONG_IMG_URI Image URI with very long path component - web bug? #score LONG_IMG_URI 3.000 # limit tflags LONG_IMG_URI publish ##} LONG_IMG_URI ##{ LONG_INVISIBLE_TEXT describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison? #score LONG_INVISIBLE_TEXT 3.000 # limit tflags LONG_INVISIBLE_TEXT publish ##} LONG_INVISIBLE_TEXT ##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV endif ##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) ##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 ) endif ##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ LONG_TERM_PRICE body LONG_TERM_PRICE /long\W+term\W+(?:target|projected)(?:\W+price)?/i ##} LONG_TERM_PRICE ##{ LOOPHOLE_1 body LOOPHOLE_1 /loop-?hole in the banking/i describe LOOPHOLE_1 A loop hole in the banking laws? ##} LOOPHOLE_1 ##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta LOTS_OF_MONEY 0 endif ##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) ##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY describe LOTS_OF_MONEY Huge... sums of money # score LOTS_OF_MONEY 0.01 tflags LOTS_OF_MONEY publish endif ##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ LOTTERY_1 meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ) ##} LOTTERY_1 ##{ LOTTERY_PH_004470 meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) ##} LOTTERY_PH_004470 ##{ LOTTO_AGENT meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD describe LOTTO_AGENT Claims Agent #score LOTTO_AGENT 1.50 # limit ##} LOTTO_AGENT ##{ LOTTO_DEPT meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT describe LOTTO_DEPT Claims Department #score LOTTO_DEPT 2.00 # limit ##} LOTTO_DEPT ##{ LUCRATIVE meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED describe LUCRATIVE Make lots of money! #score LUCRATIVE 2.00 # limit tflags LUCRATIVE publish ##} LUCRATIVE ##{ L_SPAM_TOOL_13 header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ ##} L_SPAM_TOOL_13 ##{ MALFORMED_FREEMAIL meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM describe MALFORMED_FREEMAIL Bad headers on message from free email service ##} MALFORMED_FREEMAIL ##{ MALF_HTML_B64 meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG describe MALF_HTML_B64 Malformatted base64-encoded HTML content #score MALF_HTML_B64 3.500 # limit tflags MALF_HTML_B64 publish ##} MALF_HTML_B64 ##{ MALWARE_NORDNS meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 describe MALWARE_NORDNS Malware bragging + no rDNS #score MALWARE_NORDNS 3.500 # limit tflags MALWARE_NORDNS publish ##} MALWARE_NORDNS ##{ MALWARE_PASSWORD meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 describe MALWARE_PASSWORD Malware bragging + "password" #score MALWARE_PASSWORD 3.500 # limit tflags MALWARE_PASSWORD publish ##} MALWARE_PASSWORD ##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX describe MALW_ATTACH Attachment filename suspicious, probable malware exploit tflags MALW_ATTACH publish endif ##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ MANY_HDRS_LCASE describe MANY_HDRS_LCASE Odd capitalization of multiple message headers #score MANY_HDRS_LCASE 0.10 # limit ##} MANY_HDRS_LCASE ##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE endif ##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) ##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE endif ##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ MANY_SPAN_IN_TEXT meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML describe MANY_SPAN_IN_TEXT Many tags embedded within text tflags MANY_SPAN_IN_TEXT publish ##} MANY_SPAN_IN_TEXT ##{ MANY_SUBDOM meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP describe MANY_SUBDOM Lots and lots of subdomain parts in a URI ##} MANY_SUBDOM ##{ MAY_BE_FORGED meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP ##} MAY_BE_FORGED ##{ MID_DEGREES header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/ ##} MID_DEGREES ##{ MILLION_HUNDRED body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i describe MILLION_HUNDRED Million "One to Nine" Hundred tflags MILLION_HUNDRED publish ##} MILLION_HUNDRED ##{ MILLION_USD body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i describe MILLION_USD Talks about millions of dollars #score MILLION_USD 2 ##} MILLION_USD ##{ MIMEOLE_DIRECT_TO_MX meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX #score MIMEOLE_DIRECT_TO_MX 2.000 # limit tflags MIMEOLE_DIRECT_TO_MX publish ##} MIMEOLE_DIRECT_TO_MX ##{ MIME_BOUND_EQ_REL header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s ##} MIME_BOUND_EQ_REL ##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128 # score MIME_NO_TEXT 2.00 # limit describe MIME_NO_TEXT No (properly identified) text body parts tflags MIME_NO_TEXT publish endif ##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA) describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP endif ##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ MIXED_AREA_CASE meta MIXED_AREA_CASE __MIXED_AREA_CASE describe MIXED_AREA_CASE Has area tag in mixed case #score MIXED_AREA_CASE 2.500 # limit tflags MIXED_AREA_CASE publish ##} MIXED_AREA_CASE ##{ MIXED_CENTER_CASE meta MIXED_CENTER_CASE __MIXED_CENTER_CASE describe MIXED_CENTER_CASE Has center tag in mixed case #score MIXED_CENTER_CASE 2.500 # limit tflags MIXED_CENTER_CASE publish ##} MIXED_CENTER_CASE ##{ MIXED_CTYPE_CASE header MIXED_CTYPE_CASE Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll]; ##} MIXED_CTYPE_CASE ##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) ) describe MIXED_ES Too many es are not es tflags MIXED_ES publish # lang pl score MIXED_ES 0.01 # lang cz score MIXED_ES 0.01 # lang sk score MIXED_ES 0.01 # lang hr score MIXED_ES 0.01 # lang el score MIXED_ES 0.01 endif endif ##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ MIXED_FONT_CASE meta MIXED_FONT_CASE __MIXED_FONT_CASE describe MIXED_FONT_CASE Has font tag in mixed case #score MIXED_FONT_CASE 2.500 # limit tflags MIXED_FONT_CASE publish ##} MIXED_FONT_CASE ##{ MIXED_HREF_CASE meta MIXED_HREF_CASE __MIXED_HREF_CASE && !__LYRIS_EZLM_REMAILER && !__HAS_LIST_ID describe MIXED_HREF_CASE Has href in mixed case #score MIXED_HREF_CASE 2.000 # limit tflags MIXED_HREF_CASE publish ##} MIXED_HREF_CASE ##{ MIXED_IMG_CASE meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL describe MIXED_IMG_CASE Has img tag in mixed case #score MIXED_IMG_CASE 3.000 # limit tflags MIXED_IMG_CASE publish ##} MIXED_IMG_CASE ##{ MONERO_DEADLINE meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01 describe MONERO_DEADLINE Monero cryptocurrency with a deadline #score MONERO_DEADLINE 3.000 # limit tflags MONERO_DEADLINE publish ##} MONERO_DEADLINE ##{ MONERO_EXTORT_01 meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency #score MONERO_EXTORT_01 5.000 # limit tflags MONERO_EXTORT_01 publish ##} MONERO_EXTORT_01 ##{ MONERO_MALWARE meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01 describe MONERO_MALWARE Monero cryptocurrency + malware bragging #score MONERO_MALWARE 3.500 # limit tflags MONERO_MALWARE publish ##} MONERO_MALWARE ##{ MONERO_PAY_ME meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01 describe MONERO_PAY_ME Pay me via Monero cryptocurrency #score MONERO_PAY_ME 3.000 # limit tflags MONERO_PAY_ME publish ##} MONERO_PAY_ME ##{ MONEY_ATM_CARD meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE describe MONEY_ATM_CARD Lots of money on an ATM card ##} MONEY_ATM_CARD ##{ MONEY_FORM meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP describe MONEY_FORM Lots of money if you fill out a form ##} MONEY_FORM ##{ MONEY_FORM_SHORT meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD describe MONEY_FORM_SHORT Lots of money if you fill out a short form #score MONEY_FORM_SHORT 2.500 # limit ##} MONEY_FORM_SHORT ##{ MONEY_FRAUD_3 meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE describe MONEY_FRAUD_3 Lots of money and several fraud phrases tflags MONEY_FRAUD_3 publish ##} MONEY_FRAUD_3 ##{ MONEY_FRAUD_5 meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE describe MONEY_FRAUD_5 Lots of money and many fraud phrases tflags MONEY_FRAUD_5 publish ##} MONEY_FRAUD_5 ##{ MONEY_FRAUD_8 meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG describe MONEY_FRAUD_8 Lots of money and very many fraud phrases tflags MONEY_FRAUD_8 publish ##} MONEY_FRAUD_8 ##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email? # score MONEY_FREEMAIL_REPTO 3.000 # limit tflags MONEY_FREEMAIL_REPTO publish endif ##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ MONEY_FROM_41 meta MONEY_FROM_41 __MONEY_FROM_41 describe MONEY_FROM_41 Lots of money from Africa #score MONEY_FROM_41 2.00 # limit ##} MONEY_FROM_41 ##{ MONEY_FROM_MISSP meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP describe MONEY_FROM_MISSP Lots of money and misspaced From #score MONEY_FROM_MISSP 2.000 # limit ##} MONEY_FROM_MISSP ##{ MONEY_NOHTML meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN describe MONEY_NOHTML Lots of money in plain text #score MONEY_NOHTML 2.500 # limit ##} MONEY_NOHTML ##{ MSGID_DOLLARS_URI_IMG meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image #score MSGID_DOLLARS_URI_IMG 3.000 # limit tflags MSGID_DOLLARS_URI_IMG publish ##} MSGID_DOLLARS_URI_IMG ##{ MSGID_HDR_MALF meta MSGID_HDR_MALF __HAS_MESSAGEID describe MSGID_HDR_MALF Has invalid message ID header #score MSGID_HDR_MALF 3.500 # limit tflags MSGID_HDR_MALF publish ##} MSGID_HDR_MALF ##{ MSGID_MULTIPLE_AT header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/ describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters #score MSGID_MULTIPLE_AT 0.001 ##} MSGID_MULTIPLE_AT ##{ MSM_PRIO_REPTO meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject #score MSM_PRIO_REPTO 2.500 # limit tflags MSM_PRIO_REPTO publish ##} MSM_PRIO_REPTO ##{ MSOE_MID_WRONG_CASE meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) ##} MSOE_MID_WRONG_CASE ##{ NA_DOLLARS body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i describe NA_DOLLARS Talks about a million North American dollars #score NA_DOLLARS 1.5 ##} NA_DOLLARS ##{ NEWEGG_IMG_NOT_RCVD_NEGG meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG #score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg tflags NEWEGG_IMG_NOT_RCVD_NEGG publish ##} NEWEGG_IMG_NOT_RCVD_NEGG ##{ NEW_PRODUCTS meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY #score NEW_PRODUCTS 1.250 # limit tflags NEW_PRODUCTS publish ##} NEW_PRODUCTS ##{ NICE_REPLY_A meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF) describe NICE_REPLY_A Looks like a legit reply (A) tflags NICE_REPLY_A nice ##} NICE_REPLY_A ##{ NORDNS_LOW_CONTRAST meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED describe NORDNS_LOW_CONTRAST No rDNS + hidden text #score NORDNS_LOW_CONTRAST 2.500 # limit ##} NORDNS_LOW_CONTRAST ##{ NOT_SPAM body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not! tflags NOT_SPAM publish ##} NOT_SPAM ##{ NO_FM_NAME_IP_HOSTN meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address #score NO_FM_NAME_IP_HOSTN 2.500 # limit tflags NO_FM_NAME_IP_HOSTN publish ##} NO_FM_NAME_IP_HOSTN ##{ NSL_RCVD_FROM_USER header NSL_RCVD_FROM_USER Received =~ /from User [\[$]/ describe NSL_RCVD_FROM_USER Received from User ##} NSL_RCVD_FROM_USER ##{ NSL_RCVD_HELO_USER header NSL_RCVD_HELO_USER Received =~ /helo[= ]user$/i describe NSL_RCVD_HELO_USER Received from HELO User ##} NSL_RCVD_HELO_USER ##{ NULL_IN_BODY full NULL_IN_BODY /\x00/ describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message ##} NULL_IN_BODY ##{ OBFU_BITCOIN meta OBFU_BITCOIN __OBFU_BITCOIN describe OBFU_BITCOIN Obfuscated BitCoin references #score OBFU_BITCOIN 3.000 # limit tflags OBFU_BITCOIN publish ##} OBFU_BITCOIN ##{ OBFU_JVSCR_ESC rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i describe OBFU_JVSCR_ESC Injects content using obfuscated javascript tflags OBFU_JVSCR_ESC publish ##} OBFU_JVSCR_ESC ##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type tflags OBFU_TEXT_ATTACH publish endif ##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ OBFU_UNSUB_UL meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI describe OBFU_UNSUB_UL Obfuscated unsubscribe text tflags OBFU_UNSUB_UL publish ##} OBFU_UNSUB_UL ##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta ODD_FREEM_REPTO __freemail_mailreplyto describe ODD_FREEM_REPTO Has unusual reply-to header # score ODD_FREEM_REPTO 3.000 # limit tflags ODD_FREEM_REPTO publish endif ##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F) describe PART_CID_STOCK Has a spammy image attachment (by Content-ID) endif ##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS) describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific) endif ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ PDS_BAD_THREAD_QP_64 meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP #score PDS_BAD_THREAD_QP_64 1.0 ##} PDS_BAD_THREAD_QP_64 ##{ PDS_BTC_ID meta PDS_BTC_ID __PDS_BTC_ID describe PDS_BTC_ID FP reduced Bitcoin ID #score PDS_BTC_ID 0.5 ##} PDS_BTC_ID ##{ PDS_BTC_MSGID meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2 describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2 #score PDS_BTC_MSGID 1.0 ##} PDS_BTC_MSGID ##{ PDS_DBL_URL_HELO_NODOM meta PDS_DBL_URL_HELO_NODOM __PDS_DOUBLE_URL && (__HELO_NO_DOMAIN && !HELO_LOCALHOST) describe PDS_DBL_URL_HELO_NODOM URL that ends with a URL, HELO not a domain #score PDS_DBL_URL_HELO_NODOM 1.0 ##} PDS_DBL_URL_HELO_NODOM ##{ PDS_DBL_URL_LINKBAIT meta PDS_DBL_URL_LINKBAIT __BODY_URI_ONLY && __PDS_DOUBLE_URL describe PDS_DBL_URL_LINKBAIT Linkbait double-url #score PDS_DBL_URL_LINKBAIT 2.5 # limit ##} PDS_DBL_URL_LINKBAIT ##{ PDS_FRNOM_TODOM_DBL_URL meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL #score PDS_FRNOM_TODOM_DBL_URL 1.5 ##} PDS_FRNOM_TODOM_DBL_URL ##{ PDS_FRNOM_TODOM_NAKED_TO meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain #score PDS_FRNOM_TODOM_NAKED_TO 1.5 ##} PDS_FRNOM_TODOM_NAKED_TO ##{ PDS_FROM_NAME_TO_DOMAIN meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN #score PDS_FROM_NAME_TO_DOMAIN 2.0 describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain ##} PDS_FROM_NAME_TO_DOMAIN ##{ PDS_HELO_SPF_FAIL meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF #score PDS_HELO_SPF_FAIL 2.0 tflags PDS_HELO_SPF_FAIL net ##} PDS_HELO_SPF_FAIL ##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') #score PDS_OTHER_BAD_TLD 2.0 describe PDS_OTHER_BAD_TLD Untrustworthy TLDs endif endif ##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO') #score PDS_PRO_TLD 1.0 describe PDS_PRO_TLD .pro TLD endif endif ##} PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ PHISHING_FREEMAIL meta PHISHING_FREEMAIL (__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO describe PHISHING_FREEMAIL Send your login credentials to some random freemail account ##} PHISHING_FREEMAIL ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER describe PHISH_ATTACH Attachment filename suspicious, probable phishing tflags PHISH_ATTACH publish endif ##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ PHISH_AZURE_CLOUDAPP uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i describe PHISH_AZURE_CLOUDAPP Link to known phishing web application #score PHISH_AZURE_CLOUDAPP 3.500 tflags PHISH_AZURE_CLOUDAPP publish ##} PHISH_AZURE_CLOUDAPP ##{ PHISH_FBASEAPP meta PHISH_FBASEAPP __PHISH_FBASE_01 describe PHISH_FBASEAPP Probable phishing via hosted web app #score PHISH_FBASEAPP 3.000 # limit tflags PHISH_FBASEAPP publish ##} PHISH_FBASEAPP ##{ PHP_NOVER_MUA describe PHP_NOVER_MUA Mail from PHP with no version number #score PHP_NOVER_MUA 3.000 # limit tflags PHP_NOVER_MUA publish ##} PHP_NOVER_MUA ##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH endif ##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH endif ##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ PHP_ORIG_SCRIPT meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER describe PHP_ORIG_SCRIPT Sent by bot & other signs #score PHP_ORIG_SCRIPT 2.500 # limit tflags PHP_ORIG_SCRIPT publish ##} PHP_ORIG_SCRIPT ##{ PHP_SCRIPT meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT describe PHP_SCRIPT Sent by PHP script #score PHP_SCRIPT 2.500 # limit tflags PHP_SCRIPT publish ##} PHP_SCRIPT ##{ PHP_SCRIPT_MUA meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA describe PHP_SCRIPT_MUA Sent by PHP script, no version number #score PHP_SCRIPT_MUA 2.000 # limit tflags PHP_SCRIPT_MUA publish ##} PHP_SCRIPT_MUA ##{ POSSIBLE_APPLE_PHISH_02 meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE) describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA tflags POSSIBLE_APPLE_PHISH_02 publish ##} POSSIBLE_APPLE_PHISH_02 ##{ POSSIBLE_EBAY_PHISH_02 meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY) describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA tflags POSSIBLE_EBAY_PHISH_02 publish ##} POSSIBLE_EBAY_PHISH_02 ##{ POSSIBLE_PAYPAL_PHISH_01 meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF) describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address tflags POSSIBLE_PAYPAL_PHISH_01 publish ##} POSSIBLE_PAYPAL_PHISH_01 ##{ POSSIBLE_PAYPAL_PHISH_02 meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL) describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA tflags POSSIBLE_PAYPAL_PHISH_02 publish #score POSSIBLE_PAYPAL_PHISH_02 1.500 # limit ##} POSSIBLE_PAYPAL_PHISH_02 ##{ POSSIBLE_PAYPAL_PHISH_03 meta POSSIBLE_PAYPAL_PHISH_03 (__FROM_NAME_PAYPALCOM && __TO_ONMICROSOFTCOM) describe POSSIBLE_PAYPAL_PHISH_03 Claims to be from paypal, sent to Microsoft365 domain - likely fraud if you don't use MSFT365! tflags POSSIBLE_PAYPAL_PHISH_03 publish #score POSSIBLE_PAYPAL_PHISH_03 2.500 # limit ##} POSSIBLE_PAYPAL_PHISH_03 ##{ POSSIBLE_PAYPAL_PHISH_04 meta POSSIBLE_PAYPAL_PHISH_04 (__FROM_NAME_PAYPALCOM && __HELLO_EMAILADDR_COM) describe POSSIBLE_PAYPAL_PHISH_04 Claims to be from paypal, greets email address rather than full name tflags POSSIBLE_PAYPAL_PHISH_04 publish #score POSSIBLE_PAYPAL_PHISH_04 1.500 # limit ##} POSSIBLE_PAYPAL_PHISH_04 ##{ POSSIBLE_PAYPAL_PHISH_05 meta POSSIBLE_PAYPAL_PHISH_05 (__FROM_NAME_PAYPALCOM && __PAYPAL_ERROR_01) describe POSSIBLE_PAYPAL_PHISH_05 Claims to be from paypal, about an error requiring attention tflags POSSIBLE_PAYPAL_PHISH_05 publish #score POSSIBLE_PAYPAL_PHISH_05 1.500 # limit ##} POSSIBLE_PAYPAL_PHISH_05 ##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal() describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't # score PP_MIME_FAKE_ASCII_TEXT 1.0 tflags PP_MIME_FAKE_ASCII_TEXT publish endif endif ##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) ##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02) describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes # score PP_TOO_MUCH_UNICODE02 0.5 tflags PP_TOO_MUCH_UNICODE02 publish endif endif ##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05) describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes # score PP_TOO_MUCH_UNICODE05 1.0 tflags PP_TOO_MUCH_UNICODE05 publish endif endif ##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ##{ PUMPDUMP meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI describe PUMPDUMP Pump-and-dump stock scam phrase #score PUMPDUMP 1.000 # limit tflags PUMPDUMP publish ##} PUMPDUMP ##{ PUMPDUMP_MULTI meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases #score PUMPDUMP_MULTI 3.500 # limit tflags PUMPDUMP_MULTI publish ##} PUMPDUMP_MULTI ##{ PUMPDUMP_TIP meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP describe PUMPDUMP_TIP Pump-and-dump stock tip tflags PUMPDUMP_TIP publish ##} PUMPDUMP_TIP ##{ RAND_HEADER_LIST_SPOOF meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list #score RAND_HEADER_LIST_SPOOF 3.000 # limit tflags RAND_HEADER_LIST_SPOOF publish ##} RAND_HEADER_LIST_SPOOF ##{ RAND_HEADER_MANY meta RAND_HEADER_MANY __RAND_HEADER_2 describe RAND_HEADER_MANY Multiple random gibberish message headers #score RAND_HEADER_MANY 3.000 # limit tflags RAND_HEADER_MANY publish ##} RAND_HEADER_MANY ##{ RAND_MKTG_HEADER meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s) #score RAND_MKTG_HEADER 2.000 # limit tflags RAND_MKTG_HEADER publish ##} RAND_MKTG_HEADER ##{ RATWARE_NO_RDNS meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS #score RATWARE_NO_RDNS 3.000 # limit ##} RATWARE_NO_RDNS ##{ RCVD_BAD_ID header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/ describe RCVD_BAD_ID Received header contains id field with bad characters ##} RCVD_BAD_ID ##{ RCVD_DBL_DQ header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/ describe RCVD_DBL_DQ Malformatted message header tflags RCVD_DBL_DQ publish ##} RCVD_DBL_DQ ##{ RCVD_DOTEDU_SHORT meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID describe RCVD_DOTEDU_SHORT Via .edu MTA + short message #score RCVD_DOTEDU_SHORT 1.500 # limit tflags RCVD_DOTEDU_SHORT publish ##} RCVD_DOTEDU_SHORT ##{ RCVD_DOTEDU_SUSP_URI meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI #score RCVD_DOTEDU_SUSP_URI 3.000 # limit tflags RCVD_DOTEDU_SUSP_URI publish ##} RCVD_DOTEDU_SUSP_URI ##{ RCVD_FORGED_WROTE header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp $[^a-z ]{6,} [^a-z ]{3,}$ id/ describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam) ##} RCVD_FORGED_WROTE ##{ RCVD_FORGED_WROTE2 header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ $HELO \S+[A-Za-z]+$ by (\S+) with esmtp $\S+\s\S+$ id \S{6}-\S{6}-\S\S for \S+@\1;/s ##} RCVD_FORGED_WROTE2 ##{ RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_COURT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.130') describe RCVD_IN_IADB_COURT IADB: Court-ordered email tflags RCVD_IN_IADB_COURT net nice endif ##} RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3') describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record tflags RCVD_IN_IADB_DK net nice endif ##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DMARC ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DMARC eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.5') describe RCVD_IN_IADB_DMARC IADB: Sender has DMARC record tflags RCVD_IN_IADB_DMARC net nice endif ##} RCVD_IN_IADB_DMARC ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10') describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in tflags RCVD_IN_IADB_DOPTIN net nice endif ##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9') describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time tflags RCVD_IN_IADB_DOPTIN_GT50 net nice endif ##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8') describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time tflags RCVD_IN_IADB_DOPTIN_LT50 net nice endif ##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_ECARD ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_ECARD eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.213') describe RCVD_IN_IADB_ECARD IADB: ecard, e-invitation, or similar e-correspondence service tflags RCVD_IN_IADB_ECARD net nice endif ##} RCVD_IN_IADB_ECARD ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_ESP ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_ESP eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.214') describe RCVD_IN_IADB_ESP IADB: Email Service Provider (ESP) tflags RCVD_IN_IADB_ESP net nice endif ##} RCVD_IN_IADB_ESP ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LEG_BNPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LEG_BNPROFIT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.110') describe RCVD_IN_IADB_LEG_BNPROFIT IADB: email sent on behalf of a non-profit organization tflags RCVD_IN_IADB_LEG_BNPROFIT net nice endif ##} RCVD_IN_IADB_LEG_BNPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LEG_MAND eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.120') describe RCVD_IN_IADB_LEG_MAND IADB: Legally mandated email tflags RCVD_IN_IADB_LEG_MAND net nice endif ##} RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LEG_NPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LEG_NPROFIT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.100') describe RCVD_IN_IADB_LEG_NPROFIT IADB: email sent from a non-profit organization tflags RCVD_IN_IADB_LEG_NPROFIT net nice endif ##} RCVD_IN_IADB_LEG_NPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$') describe RCVD_IN_IADB_LISTED Participates in the IADB system tflags RCVD_IN_IADB_LISTED net nice endif ##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4') describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in tflags RCVD_IN_IADB_LOOSE net nice endif ##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10') describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law tflags RCVD_IN_IADB_MI_CPEAR net nice endif ##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100') describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in tflags RCVD_IN_IADB_ML_DOPTIN net nice endif ##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0') describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place tflags RCVD_IN_IADB_NOCONTROL net nice endif ##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200') describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only tflags RCVD_IN_IADB_OOO net nice endif ##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7') describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in tflags RCVD_IN_IADB_OPTIN net nice endif ##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6') describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time tflags RCVD_IN_IADB_OPTIN_GT50 net nice endif ##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5') describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time tflags RCVD_IN_IADB_OPTIN_LT50 net nice endif ##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1') describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only tflags RCVD_IN_IADB_OPTOUTONLY net nice endif ##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4') describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record tflags RCVD_IN_IADB_RDNS net nice endif ##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2') describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record tflags RCVD_IN_IADB_SENDERID net nice endif ##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_SOCIAL ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_SOCIAL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.211') describe RCVD_IN_IADB_SOCIAL IADB: social networking service email tflags RCVD_IN_IADB_SOCIAL net nice endif ##} RCVD_IN_IADB_SOCIAL ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1') describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record tflags RCVD_IN_IADB_SPF net nice endif ##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_TRACK ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_TRACK eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.212') describe RCVD_IN_IADB_TRACK IADB: email with open and read tracking services tflags RCVD_IN_IADB_TRACK net nice endif ##} RCVD_IN_IADB_TRACK ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2') describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups tflags RCVD_IN_IADB_UNVERIFIED_1 net nice endif ##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3') describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out tflags RCVD_IN_IADB_UNVERIFIED_2 net nice endif ##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_URG ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_URG eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.255') describe RCVD_IN_IADB_URG IADB: time-critical urgent or emergency communications tflags RCVD_IN_IADB_URG net nice endif ##} RCVD_IN_IADB_URG ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10') describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law tflags RCVD_IN_IADB_UT_CPEAR net nice endif ##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { ifplugin Mail::SpamAssassin::Plugin::DNSEval # { header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.') describe RCVD_IN_PSBL Received via a relay in PSBL tflags RCVD_IN_PSBL net endif ##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { ##{ RCVD_MAIL_COM header RCVD_MAIL_COM Received =~ /[\s$\[](?:post|mail)\.com[\s$\]]/is describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com) ##} RCVD_MAIL_COM ##{ RDNS_LOCALHOST header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i describe RDNS_LOCALHOST Sender's public rDNS is "localhost" ##} RDNS_LOCALHOST ##{ RDNS_NUM_TLD_ATCHNX meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment #score RDNS_NUM_TLD_ATCHNX 3.000 # limit tflags RDNS_NUM_TLD_ATCHNX publish ##} RDNS_NUM_TLD_ATCHNX ##{ RDNS_NUM_TLD_XM meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY) describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers #score RDNS_NUM_TLD_XM 3.000 # limit tflags RDNS_NUM_TLD_XM publish ##} RDNS_NUM_TLD_XM ##{ REPLYTO_WITHOUT_TO_CC meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) ##} REPLYTO_WITHOUT_TO_CC ##{ REPTO_419_FRAUD header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler|google_promoaward0?|panyawein|wongshiu_ki))\@163\.com|(?:ray\-thomas7h)\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:support)\@apostlesfoundation\.com|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:traoreahmed)\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:jessica)\@cadencebankdept\.us|(?:hello)\@captnbb\.com|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:duncanttodd)\@centrum\.cz|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)|sama_williams|warren(?:\.buffett19|_edward)))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|freeminds2024|i(?:lanasoloshneor|nfo90000)|joseramonjr1|m(?:hzitafrank0|ynewmission)|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|megaclaimcenter|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@emteslastock\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:a(?:bogado\.antoniopaco|dvancedsegurosespana)|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:customercare)\@findlaycb\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:(?:mmpaulsmith145|t\.fitzgerald))\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:gordoncole)\@gordoncole\.co\.uk|(?:ceo)\@gpromo-team\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:(?:cocacolaofficialprize1|williamsdavid_3r))\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:bo_li)\@imgrantfunds\.com|(?:patrickc)\@inbox\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|off(?:er2021|iceme)|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:baankston)\@instruction\.com|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:wbuk03)\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|info\.federalreserve\.org|johnkofithomas|kateclough1|mriamchombo1968|nancyvee80|philiproger101))\@mail\.com|(?:(?:ayishagddafio?|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:epowerball)\@mailbox\.sk|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:secretservicce8)\@onionmail\.org|(?:info)\@onlinepch\.com|(?:dieterbe451)\@onmail\.com|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:info)\@ousos-elearning\.com|(?:turkish\-air)\@outlook\.com\.tr|(?:schaeffler(?:ariaelisabeth|mariaelisabeth))\@outlook\.de|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:support)\@piraeusegrecebnk\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:(?:martinahrivnakova|united\.globeawardoffice))\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|leyen|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:(?:gmackenzie001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:(?:deputygov_kuben|rcassim\.sarb|vera))\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:olena\.shevchenko)\@shumejda\.co\.uk|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:trevor)\@southernphone\.com\.au|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:bobby\.william)\@tradent\.net|(?:punit)\@traficoanalytica\.com|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:jvona)\@viscom\.net|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|thomaspeter227))\@yahoo\.com\.hk|(?:jessicp1)\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:(?:fortinsandrine|rita_will001))\@yahoo\.fr|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:feyza)\@ybrahim\.com|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:(?:laprimitivaes|robert166003))\@zohomail\.eu)$/i describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD 3.000 tflags REPTO_419_FRAUD publish ##} REPTO_419_FRAUD ##{ REPTO_419_FRAUD_AOL header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|b(?:000137|rajjohn)|f\.2[06]|gneselizabethgiftfoundationssss|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|info\.dieter_charity|jmesaud|k\.doreen00|l(?:\.b162k|awsuitchamber|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee|uciacorraomanagerbocub|ynnpage44)|m(?:\.francco91|_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|normapatto|o(?:fficework172|xf174)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|w(?:attson\.renwick|ebank244)|yurdaaytarkan5))\@aol\.com$/i describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_AOL 3.000 tflags REPTO_419_FRAUD_AOL publish ##} REPTO_419_FRAUD_AOL ##{ REPTO_419_FRAUD_AOL_LOOSE meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox #score REPTO_419_FRAUD_AOL_LOOSE 1.000 tflags REPTO_419_FRAUD_AOL_LOOSE publish ##} REPTO_419_FRAUD_AOL_LOOSE ##{ REPTO_419_FRAUD_CNS header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|l(?:egacylawfirmdakar|ottomaxclaims7)|m(?:iguel\-pinto|orrisherb)|pchonline|t(?:eo\.westin|he\.trustees1?|offoli\.gauthier|rustees202000)|westernunio(?:n1659|payment\.agent0018)))\@consultant\.com$/i describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_CNS 3.000 tflags REPTO_419_FRAUD_CNS publish ##} REPTO_419_FRAUD_CNS ##{ REPTO_419_FRAUD_GM header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|12udubello|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|gent\.laryedwad|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|libya5|sdaughter))|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|phabankofgreecerepublic|ure\.wawrenka1472)|m(?:b(?:\.w\.stuart\.symington|assadormarybethleonardl4)|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rew(?:hawkins735|umehunitedbankforafrica)|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|sistance7agent)|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|yevayawovi190|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01)|uknechtk\.shoreline)|bongo593|c0996013|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|rnard\.arnult01|tsyholden940)|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi|ussambairenepatricia)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:ixaseguros9810001|mluba2017|pinolly|r(?:eisu98|twrighttownhomesllc))|bnatm847|claimsa|e(?:da\.ogada77|li(?:cerez|neroullier(?:200|nm)))|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|n(?:chung1011|gsaephanfoundation))|ienk(?:raymond|wongp))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:nellyfrances\.cf|sult(?:matthias|sto\.u)|tactad00[04])|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|u(?:nninghammrssharonloren|stomerservicelacaixa2))|d(?:29(?:634264|laws)|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.(?:loanfirm18|murray202)|ibe718|kaltschmidtmaureend|larbi11|mathers761|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|h(?:ill27676|lexpresscompany176|sdevice)|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomatsshenry))|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|w(?:erneroyer563|ilsonpaul02))|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|owenfrederick|rhamahassan22)|u(?:a1155a|breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|d(?:mundventura689|runity)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:evemusk681|nakgeorge123|zcelic0)|ioncarter\.private)|s(?:sexlss1|therkatherine1960)|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|rahwasam101|tme\.mehmed001)|b(?:589767|lott47)|e(?:deralreservebankdallasdst|lix88995|yzaybrahim)|g0067333|irstbank(?:49(?:666|966)|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|o(?:ropunionbank|undations\.west)|p462558|r(?:a(?:100dub132|n(?:c(?:es(?:\.connelly2|patrickconnolly(?:5050|4))|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|ody2|wangg)|l(?:aurarivera|inpiesie6))))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|n(?:dinternationalmonetary214|gg1w)))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016|yakinson121))|b(?:528796|ill4880)|e(?:n(?:\.ahmedmsksi|eralwilliamstony990)|orge(?:brownhoward02|kwame481)|r(?:aldjhjh11|tjanvlieghe787))|i(?:idp955|lbert12oook|ocastano21)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321)|ritagetrustbank1985)|g(?:8669000|old8080)|heba\.hhassan207|i(?:ldad837|toshurui)|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|orangedor|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|i3381|t(?:ech4st255|tcuckk))|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:carlos17885|okoh82))|n(?:ahramadanabu|nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c(?:2222222rrr|jgourlt)|e(?:fferydean1960|nn(?:iannjhsonn|ybrown01222)|robtt|ssikasingh4)|j(?:7291634|osvu)|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|t(?:anko214|foundation445)|uba234|walterlove2010)|monkzza|n(?:a(?:haskel19|thanhaskel377)|esandassociates68|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|y(?:ce00011|mrskone5))|rawlings007|s4fernado|u(?:lie(?:t\.le(?:222|e2222)|watson975)|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|stromjames3|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mckenziejr|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|ndfair\.co\.uk1|onidasresearch|rynne(?:0west99|west(?:2289|5412))|wisrichards378)|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|sa(?:milner001|robin117)|xiung(?:l48|9))|jo(?:bsfoundation|hn6132)|o(?:ganntomas|rrainewirengee|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:\.francco9[14]|a(?:bel\.manaku|c(?:guiu9|k(?:enzbezos|oliver324))|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00|nnewoosley90)|nacoleman84|opabl26|tinesecurityusa)|k(?:roth456|uses200)|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|s(?:onmanny05|pencer5151)|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz))|xaajn|ydetratt|zerfexi)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|n(?:fin\.gv|tonjustin98)|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|o(?:ham(?:edabdul1717|m(?:adraqab00|daljililati1|edshamekh24))|rienkal30)|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee|tonyelumelu60|wlsonkabore)|7672900|cjames001|d517341|eric(?:franck|schmid4002)|georgeemera|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:isha(?:alqadafi1976|gaddafi62)|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|essicajeffrey3|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|nicolefr1marios|r(?:eem362|obinsanders185|uthsmith9900)|s(?:ar(?:ahbenjamin103|iamirahwulu)|ophiac)|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|vi(?:ktorzubkovv|ncentandrea))|s(?:\.ellagolan56|agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffi(?:c(?:e(?:\.012123|emaill0002|rricherd876|windowterms)|ialserviceuae)|zielllk)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|rabankheadofficelometogo1985|swald\.l(?:\.lewis|ewwis)|xfaminternationa1980)|p(?:a(?:storfrancesco1|tric(?:ia881a|k(?:\.efcc|andfrancessconnolly))|ul(?:eed1969|n8018)|ymentofficer14)|b(?:ph202lay2|rookk0)|e(?:130304|nding(?:redirections|waletsfortrust)|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|illip\.richead218)|i(?:eterstevens511|lz37754)|o(?:lloke|usazgullaume|wellmrwilliam)|r(?:esleybathini1|imecapitalfianceltd|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|sultbox1404|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|i(?:ch(?:a(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|lawandds)|tawilliams4141)|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo|thshoreline))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|n(?:choscozfifa|liualli)|rfiafarfask7|vicperez)|cott(?:henryjames91|peters7989)|e(?:cretservicce[789]|rgeantrobertbrown1|ydouthiebaconsultant)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|i(?:lverlakeconsultant|m(?:lkheng5|onhei47))|l5342743|o(?:fia\.adams201|p(?:adam3|hiajesse41)|u(?:rcingloggs|thwsltd))|p(?:a(?:cex\.inititative|gentrose)|eelman1972)|t(?:anleyjohn1469|e(?:fanopn75|phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy(?:21gill|webster24)|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:am\.spacex02|nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|robins777|zimpro11)|pchronodesk|shikazusendo101)|p2911220|rustfoundationsigridrausing|sfoundation65|tkhan69s)|u(?:ba(?:\.bankofaffican|bank(?:bjplc|headoffice471))|d(?:erleyen52|regwqr)|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0|wilfred50)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|p(?:financeace|jeferrey))|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett(?:398|2))|b(?:271981|6159980|uffetdonationprogram)|c5000dle|d232633|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iam(?:robert3852|smartyrs888)))|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722)|uliiakadulina197)|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_GM 3.000 tflags REPTO_419_FRAUD_GM publish ##} REPTO_419_FRAUD_GM ##{ REPTO_419_FRAUD_GM_LOOSE meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox #score REPTO_419_FRAUD_GM_LOOSE 1.000 tflags REPTO_419_FRAUD_GM_LOOSE publish ##} REPTO_419_FRAUD_GM_LOOSE ##{ REPTO_419_FRAUD_HM header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|tlancorp|zezul\.idrisazezulidris)|benarnault0|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|homlandsecdept|infos(?:43|8)|jacques\.bouchex|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|imfu201677|ulihongm)|m(?:oneygrampayfund|pay\-live00924|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.(?:chantal_bill|roselinejac)|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|p(?:atrickmullinfinaceservs|owen10001)|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ilvanatenreyrompc|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_HM 3.000 tflags REPTO_419_FRAUD_HM publish ##} REPTO_419_FRAUD_HM ##{ REPTO_419_FRAUD_OL header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|a23423|b(?:rahamwilliamsonrpsltduk|s0000200)|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7))|b(?:a(?:rrmarkphillip|sidris)|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk|race\.manonfoundation)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.(?:coraluttah|olhaoschad)|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|p(?:aul\.walter120|hilcohen0012)|qanejmhffgg|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|ilv(?:anatenreyro0|erlakeconsultantllc)|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_OL 3.000 tflags REPTO_419_FRAUD_OL publish ##} REPTO_419_FRAUD_OL ##{ REPTO_419_FRAUD_PM header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_PM 3.000 tflags REPTO_419_FRAUD_PM publish ##} REPTO_419_FRAUD_PM ##{ REPTO_419_FRAUD_QQ header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|qatarfoundation01|sabrinacrawford000|treasury_deptment0|wang_cjianlin))\@qq\.com$/i describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_QQ 3.000 tflags REPTO_419_FRAUD_QQ publish ##} REPTO_419_FRAUD_QQ ##{ REPTO_419_FRAUD_YH header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|ilmohammed11|lesiakalina2006|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.dennis11|william_davies))|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|o(?:mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|iaanesoto190|r(?:\.aminramli|_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:aizaadama2016|bicompensation_funds|ederal\.r73)|g(?:ov\.ukmessageboard|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|netemoon150)|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:\.viktorzubkovv|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2)|o(?:biorahkenneth8|fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|serichard655))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|o(?:ftc2|pheap\.munny)|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YH 3.000 tflags REPTO_419_FRAUD_YH publish ##} REPTO_419_FRAUD_YH ##{ REPTO_419_FRAUD_YH_LOOSE meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YH_LOOSE 1.000 tflags REPTO_419_FRAUD_YH_LOOSE publish ##} REPTO_419_FRAUD_YH_LOOSE ##{ REPTO_419_FRAUD_YJ header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|b(?:arrevansthomas213|ealife4god)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficefile_0112|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YJ 3.000 tflags REPTO_419_FRAUD_YJ publish ##} REPTO_419_FRAUD_YJ ##{ REPTO_419_FRAUD_YN header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|irenaa\.georgiadou|j(?:efrey\-dean|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\.kongkea|akram\.elkerrami|s(?:\.elizabeth\.graham2022|percy)))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|ri(?:ncedarren0244|vatemail24))|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YN 3.000 tflags REPTO_419_FRAUD_YN publish ##} REPTO_419_FRAUD_YN ##{ SB_GIF_AND_NO_URIS meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) ##} SB_GIF_AND_NO_URIS ##{ SCC_CANSPAM_2 describe SCC_CANSPAM_2 Interesting compliance language body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/ ##} SCC_CANSPAM_2 ##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader describe SCC_CTMPP Uncommon Content-Type meta SCC_CTMPP __SCC_CTMPP tflags SCC_CTMPP publish endif ##} SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ SCC_ISEMM_LID_1 describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/ tflags SCC_ISEMM_LID_1 publish #score SCC_ISEMM_LID_1 3.5 ##} SCC_ISEMM_LID_1 ##{ SCC_ISEMM_LID_1A describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/ tflags SCC_ISEMM_LID_1A publish #score SCC_ISEMM_LID_1A 3.5 ##} SCC_ISEMM_LID_1A ##{ SCC_ISEMM_LID_1B describe SCC_ISEMM_LID_1B Genericized spammer fingerprint header SCC_ISEMM_LID_1B X-Mailer-LID =~ /(?:[56][0-9],)+/ tflags SCC_ISEMM_LID_1B publish #score SCC_ISEMM_LID_1B 1.5 ##} SCC_ISEMM_LID_1B ##{ SCC_SPAMMERMID4 describe SCC_SPAMMERMID4 Distinctive Message-Id header SCC_SPAMMERMID4 Message-ID =~ /<[-_a-zA-Z0-9.]{43}\.[-_a-zA-Z0-9.]{43}\@[-a-z0-9]{4,30}\.co>/ #score SCC_SPAMMERMID4 1 ##} SCC_SPAMMERMID4 ##{ SCC_SPECIAL_GUID describe SCC_SPECIAL_GUID Unique in a similar way rawbody SCC_SPECIAL_GUID /^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\1-[[:xdigit:]]{12}$/m tflags SCC_SPECIAL_GUID publish multiple maxhits=15 ##} SCC_SPECIAL_GUID ##{ SENDGRID_REDIR_PHISH meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs #score SENDGRID_REDIR_PHISH 3.500 # limit tflags SENDGRID_REDIR_PHISH publish ##} SENDGRID_REDIR_PHISH ##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1) tflags SEO_SUSP_NTLD publish describe SEO_SUSP_NTLD SEO offer from suspicious TLD #score SEO_SUSP_NTLD 1.2 # limit endif endif ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ SERGIO_SUBJECT_VIAGRA01 header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject ##} SERGIO_SUBJECT_VIAGRA01 ##{ SHOPIFY_IMG_NOT_RCVD_SFY meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK #score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify tflags SHOPIFY_IMG_NOT_RCVD_SFY publish ##} SHOPIFY_IMG_NOT_RCVD_SFY ##{ SHORTENED_URL_SRC rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|v\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/ ##} SHORTENED_URL_SRC ##{ SHORTENER_SHORT_IMG meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener #score SHORTENER_SHORT_IMG 2.500 # limit tflags SHORTENER_SHORT_IMG publish ##} SHORTENER_SHORT_IMG ##{ SHORT_HELO_AND_INLINE_IMAGE meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image ##} SHORT_HELO_AND_INLINE_IMAGE ##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD tflags SHORT_IMG_SUSP_NTLD publish describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD #score SHORT_IMG_SUSP_NTLD 1.5 # limit endif endif ##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ SHORT_TERM_PRICE body SHORT_TERM_PRICE /short\W+term\W+(?:target|projected)(?:\W+price)?/i ##} SHORT_TERM_PRICE ##{ SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta SHY_OBFU_EXPIRE __SHY_OBFU_EXPIRE describe SHY_OBFU_EXPIRE Obfuscation, probable phishing # score SHY_OBFU_EXPIRE 4.000 # limit tflags SHY_OBFU_EXPIRE publish endif ##} SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta SHY_OBFU_PASSWORD __SHY_OBFU_PASSWORD describe SHY_OBFU_PASSWORD Obfuscation, probable phishing # score SHY_OBFU_PASSWORD 4.000 # limit tflags SHY_OBFU_PASSWORD publish endif ##} SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ SPAMMY_XMAILER meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham ##} SPAMMY_XMAILER ##{ SPOOFED_FREEMAIL meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE #score SPOOFED_FREEMAIL 2.000 # limit tflags SPOOFED_FREEMAIL net ##} SPOOFED_FREEMAIL ##{ SPOOFED_FREEMAIL_NO_RDNS meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS #score SPOOFED_FREEMAIL_NO_RDNS 1.5 ##} SPOOFED_FREEMAIL_NO_RDNS ##{ SPOOFED_FREEM_REPTO meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to #score SPOOFED_FREEM_REPTO 2.500 tflags SPOOFED_FREEM_REPTO net publish ##} SPOOFED_FREEM_REPTO ##{ SPOOFED_FREEM_REPTO_CHN meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to #score SPOOFED_FREEM_REPTO_CHN 3.500 tflags SPOOFED_FREEM_REPTO_CHN net publish ##} SPOOFED_FREEM_REPTO_CHN ##{ SPOOFED_FREEM_REPTO_RUS meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to #score SPOOFED_FREEM_REPTO_RUS 3.500 tflags SPOOFED_FREEM_REPTO_RUS net publish ##} SPOOFED_FREEM_REPTO_RUS ##{ SPOOF_GMAIL_MID meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID #score SPOOF_GMAIL_MID 1.5 describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be... ##} SPOOF_GMAIL_MID ##{ STATIC_XPRIO_OLE meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE #score STATIC_XPRIO_OLE 2.000 # limit tflags STATIC_XPRIO_OLE publish ##} STATIC_XPRIO_OLE ##{ STOCK_IMG_CTYPE meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY) describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header ##} STOCK_IMG_CTYPE ##{ STOCK_IMG_HDR_FROM meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY) describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line ##} STOCK_IMG_HDR_FROM ##{ STOCK_IMG_HTML meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY) describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML ##} STOCK_IMG_HTML ##{ STOCK_IMG_OUTLOOK meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048) describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features ##} STOCK_IMG_OUTLOOK ##{ STOCK_PRICES meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE) ##} STOCK_PRICES ##{ STOCK_TIP meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS describe STOCK_TIP Stock tips #score STOCK_TIP 3.000 # limit tflags STOCK_TIP publish ##} STOCK_TIP ##{ STOX_AND_PRICE meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE ##} STOX_AND_PRICE ##{ STOX_REPLY_TYPE header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ ##} STOX_REPLY_TYPE ##{ STOX_REPLY_TYPE_WITHOUT_QUOTES meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE)) ##} STOX_REPLY_TYPE_WITHOUT_QUOTES ##{ SUBJECT_NEEDS_ENCODING meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters ##} SUBJECT_NEEDS_ENCODING ##{ SUBJ_BRKN_WORDNUMS #score SUBJ_BRKN_WORDNUMS 1.500 # limit describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers ##} SUBJ_BRKN_WORDNUMS ##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS endif ##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER endif ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ SUBJ_UNNEEDED_HTML meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject: ##} SUBJ_UNNEEDED_HTML ##{ SUSP_UTF8_WORD_COMBO meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY ) describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs #score SUSP_UTF8_WORD_COMBO 3.000 # limit ##} SUSP_UTF8_WORD_COMBO ##{ SUSP_UTF8_WORD_SUBJ meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ && !__SUBJECT_ENCODED_QP describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters #score SUSP_UTF8_WORD_SUBJ 2.000 # limit ##} SUSP_UTF8_WORD_SUBJ ##{ SYSADMIN meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS describe SYSADMIN Supposedly from your IT department #score SYSADMIN 3.500 # limit tflags SYSADMIN publish ##} SYSADMIN ##{ TAGSTAT_IMG_NOT_RCVD_TGST meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST #score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat tflags TAGSTAT_IMG_NOT_RCVD_TGST publish ##} TAGSTAT_IMG_NOT_RCVD_TGST ##{ TARINGANET_IMG_NOT_RCVD_TN meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN #score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net tflags TARINGANET_IMG_NOT_RCVD_TN publish ##} TARINGANET_IMG_NOT_RCVD_TN ##{ TBIRD_SUSP_MIME_BDRY meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary ##} TBIRD_SUSP_MIME_BDRY ##{ TEQF_USR_IMAGE meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH describe TEQF_USR_IMAGE To and from user nearly same + image tflags TEQF_USR_IMAGE publish ##} TEQF_USR_IMAGE ##{ TEQF_USR_MSGID_HEX meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2 describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID tflags TEQF_USR_MSGID_HEX publish ##} TEQF_USR_MSGID_HEX ##{ TEQF_USR_MSGID_MALF meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID tflags TEQF_USR_MSGID_MALF publish ##} TEQF_USR_MSGID_MALF ##{ TEQF_USR_POLITE meta TEQF_USR_POLITE __TO_EQ_FROM_USR_NN && __FRAUD_IRT describe TEQF_USR_POLITE To and from user nearly same + polite greeting #score TEQF_USR_POLITE 2.000 # limit ##} TEQF_USR_POLITE ##{ THEBAT_UNREG header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/ ##} THEBAT_UNREG ##{ THIS_AD meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD describe THIS_AD "This ad" and variants tflags THIS_AD publish ##} THIS_AD ##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM tflags THIS_IS_ADV_SUSP_NTLD publish describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD #score THIS_IS_ADV_SUSP_NTLD 1.5 # limit endif endif ##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ TINY_FLOAT rawbody TINY_FLOAT /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i describe TINY_FLOAT Has small-font floating HTML - text obfuscation? ##} TINY_FLOAT ##{ TONLINE_FAKE_DKIM meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM #score TONLINE_FAKE_DKIM 3.000 # limit tflags TONLINE_FAKE_DKIM publish ##} TONLINE_FAKE_DKIM ##{ TO_EQ_FM_DIRECT_MX meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX #score TO_EQ_FM_DIRECT_MX 2.500 # limit tflags TO_EQ_FM_DIRECT_MX publish ##} TO_EQ_FM_DIRECT_MX ##{ TO_EQ_FM_DOM_HTML_IMG meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link ##} TO_EQ_FM_DOM_HTML_IMG ##{ TO_EQ_FM_DOM_HTML_ONLY meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only ##} TO_EQ_FM_DOM_HTML_ONLY ##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed tflags TO_EQ_FM_DOM_SPF_FAIL net endif ##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ TO_EQ_FM_HTML_ONLY meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER describe TO_EQ_FM_HTML_ONLY To == From and HTML only ##} TO_EQ_FM_HTML_ONLY ##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed tflags TO_EQ_FM_SPF_FAIL net endif ##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ TO_IN_SUBJ meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW describe TO_IN_SUBJ To address is in Subject tflags TO_IN_SUBJ publish #score TO_IN_SUBJ 0.1 ##} TO_IN_SUBJ ##{ TO_NAME_SUBJ_NO_RDNS meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS #score TO_NAME_SUBJ_NO_RDNS 3.000 # limit tflags TO_NAME_SUBJ_NO_RDNS publish ##} TO_NAME_SUBJ_NO_RDNS ##{ TO_NO_BRKTS_HTML_IMG meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image #score TO_NO_BRKTS_HTML_IMG 2.000 # limit tflags TO_NO_BRKTS_HTML_IMG publish ##} TO_NO_BRKTS_HTML_IMG ##{ TO_NO_BRKTS_HTML_ONLY meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH #score TO_NO_BRKTS_HTML_ONLY 2.00 # limit describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only tflags TO_NO_BRKTS_HTML_ONLY publish ##} TO_NO_BRKTS_HTML_ONLY ##{ TO_NO_BRKTS_MSFT meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool #score TO_NO_BRKTS_MSFT 2.50 # limit ##} TO_NO_BRKTS_MSFT ##{ TO_NO_BRKTS_NORDNS_HTML meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS #score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only tflags TO_NO_BRKTS_NORDNS_HTML publish ##} TO_NO_BRKTS_NORDNS_HTML ##{ TO_NO_BRKTS_PCNT meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage #score TO_NO_BRKTS_PCNT 2.50 # limit tflags TO_NO_BRKTS_PCNT publish ##} TO_NO_BRKTS_PCNT ##{ TO_TOO_MANY_WFH_01 meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01 describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients tflags TO_TOO_MANY_WFH_01 publish ##} TO_TOO_MANY_WFH_01 ##{ TT_MSGID_TRUNC header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/ describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits ##} TT_MSGID_TRUNC ##{ TT_OBSCURED_VALIUM meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject ##} TT_OBSCURED_VALIUM ##{ TT_OBSCURED_VIAGRA meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject ##} TT_OBSCURED_VIAGRA ##{ TVD_ACT_193 body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i describe TVD_ACT_193 Message refers to an act passed in the 1930s ##} TVD_ACT_193 ##{ TVD_APPROVED body TVD_APPROVED /you.{1,2}re .{0,20}approved/i describe TVD_APPROVED Body states that the recipient has been approved ##} TVD_APPROVED ##{ TVD_DEAR_HOMEOWNER body TVD_DEAR_HOMEOWNER /^dear homeowner/i describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner" ##} TVD_DEAR_HOMEOWNER ##{ TVD_EB_PHISH meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP ##} TVD_EB_PHISH ##{ TVD_ENVFROM_APOST header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/ describe TVD_ENVFROM_APOST Envelope From contains single-quote ##} TVD_ENVFROM_APOST ##{ TVD_FINGER_02 header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i ##} TVD_FINGER_02 ##{ TVD_FLOAT_GENERAL rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i describe TVD_FLOAT_GENERAL Message uses CSS float style ##} TVD_FLOAT_GENERAL ##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i describe TVD_FUZZY_DEGREE Obfuscation of the word "degree" endif ##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_FINANCE /(?!finance)<F><N><A><N><C><E>/i describe TVD_FUZZY_FINANCE Obfuscation of the word "finance" endif ##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><X><E><D>\s+<R><A><T><E>/i describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate" endif ##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><C><R><O>-?<C><A>/i describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap" endif ##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<H><A><R><M><A><C><E><T><C><A><L>/i describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical" endif ##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><O><L>/i describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol" endif ##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/ describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name endif ##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/ describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name endif ##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ TVD_INCREASE_SIZE body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i describe TVD_INCREASE_SIZE Advertising for penis enlargement ##} TVD_INCREASE_SIZE ##{ TVD_LINK_SAVE body TVD_LINK_SAVE /\blink to save\b/i describe TVD_LINK_SAVE Spam with the text "link to save" ##} TVD_LINK_SAVE ##{ TVD_PH_BODY_ACCOUNTS_PRE meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification" ##} TVD_PH_BODY_ACCOUNTS_PRE ##{ TVD_PH_FR5 meta TVD_PH_FR5 !__ENV_AND_HDR_FROM_MATCH && __PH_TVD_FROM2 ##} TVD_PH_FR5 ##{ TVD_PH_REC body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i describe TVD_PH_REC Message includes a phrase commonly used in phishing mails ##} TVD_PH_REC ##{ TVD_PH_SEC body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails ##} TVD_PH_SEC ##{ TVD_PP_PHISH meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP ##} TVD_PP_PHISH ##{ TVD_QUAL_MEDS body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication" ##} TVD_QUAL_MEDS ##{ TVD_RATWARE_CB header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware ##} TVD_RATWARE_CB ##{ TVD_RATWARE_CB_2 header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware ##} TVD_RATWARE_CB_2 ##{ TVD_RATWARE_MSGID_02 header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/ describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case ##} TVD_RATWARE_MSGID_02 ##{ TVD_RCVD_IP header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ describe TVD_RCVD_IP Message was received from an IP address ##} TVD_RCVD_IP ##{ TVD_RCVD_IP4 header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/ describe TVD_RCVD_IP4 Message was received from an IPv4 address ##} TVD_RCVD_IP4 ##{ TVD_RCVD_SPACE_BRACKET header TVD_RCVD_SPACE_BRACKET Received =~ /$\[(?!unix)[^\[\]]*\s/i ##} TVD_RCVD_SPACE_BRACKET ##{ TVD_SECTION body TVD_SECTION /\bSection (?:27A|21B)/i describe TVD_SECTION References to specific legal codes ##} TVD_SECTION ##{ TVD_SILLY_URI_OBFU body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?$>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule ##} TVD_SILLY_URI_OBFU ##{ TVD_SPACED_SUBJECT_WORD3 header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/ describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace ##} TVD_SPACED_SUBJECT_WORD3 ##{ TVD_SPACE_ENCODED meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM #score TVD_SPACE_ENCODED 2.500 # limit describe TVD_SPACE_ENCODED Space ratio & encoded subject ##} TVD_SPACE_ENCODED ##{ TVD_SPACE_RATIO_MINFP meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL #score TVD_SPACE_RATIO_MINFP 2.500 # limit describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) ##} TVD_SPACE_RATIO_MINFP ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval ifplugin Mail::SpamAssassin::Plugin::BodyEval body TVD_STOCK1 eval:check_stock_info('2') describe TVD_STOCK1 Spam related to stock trading endif ##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval ##{ TVD_SUBJ_ACC_NUM header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference ##} TVD_SUBJ_ACC_NUM ##{ TVD_SUBJ_FINGER_03 header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" ##} TVD_SUBJ_FINGER_03 ##{ TVD_SUBJ_NUM_OBFU_MINFP meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO ##} TVD_SUBJ_NUM_OBFU_MINFP ##{ TVD_SUBJ_OWE header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt ##} TVD_SUBJ_OWE ##{ TVD_SUBJ_WIPE_DEBT header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt ##} TVD_SUBJ_WIPE_DEBT ##{ TVD_VISIT_PHARMA body TVD_VISIT_PHARMA /Online Ph.rmacy/i describe TVD_VISIT_PHARMA Body mentions online pharmacy ##} TVD_VISIT_PHARMA ##{ TVD_VIS_HIDDEN rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i describe TVD_VIS_HIDDEN Invisible textarea HTML tags ##} TVD_VIS_HIDDEN ##{ TW_GIBBERISH_MANY meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters #score TW_GIBBERISH_MANY 2.000 # limit tflags TW_GIBBERISH_MANY publish ##} TW_GIBBERISH_MANY ##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware endif ##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON describe T_ANY_PILL_PRICE Prices for pills endif ##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ describe T_CDISP_SZ_MANY Suspicious MIME header # score T_CDISP_SZ_MANY 2.0 # limit endif ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_CTE_BAS64 __CTE_BAS64 describe T_CTE_BAS64 Malformated Content-Type-Encoding # score T_CTE_BAS64 2.000 # limit tflags T_CTE_BAS64 publish endif ##} T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_CTYPE_NULL __CTYPE_NULL describe T_CTYPE_NULL Malformed Content-Type header endif ##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920') describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date endif ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name endif ##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DOS_OUTLOOK_TO_MX_IMAGE meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image ##} T_DOS_OUTLOOK_TO_MX_IMAGE ##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/ describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus # score T_DOS_ZIP_HARDCORE 2.5 endif ##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER #score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit endif endif ##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) endif ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information # score T_FILL_THIS_FORM_SHORT 1.00 # limit endif ##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo ifplugin Mail::SpamAssassin::Plugin::ImageInfo meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam endif ##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo ##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail endif ##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden endif ##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail endif ##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO describe T_FROMNAME_EQUALS_TO From:name matches To: #score T_FROMNAME_EQUALS_TO 1.0 tflags T_FROMNAME_EQUALS_TO publish endif ##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email #score T_FROMNAME_SPOOFED_EMAIL 0.3 tflags T_FROMNAME_SPOOFED_EMAIL publish endif ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta T_FROM_MULTI_NORDNS __FROM_MULTI_NORDNS describe T_FROM_MULTI_NORDNS Multiple From addresses + no rDNS endif ##} T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image endif ##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><T>[-\s]?<O><T>(?:$|\W)/i describe T_FUZZY_OPTOUT Obfuscated opt-out text endif ##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_FUZZY_SPRM /<inter W1><post P2><S><R><M>/i endif ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO ) describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains # score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit tflags T_GB_FREEM_FROM_NOT_REPLY publish endif endif ##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip # score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish endif ##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) uri T_GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i describe T_GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse # score T_GB_STORAGE_GOOGLE_EMAIL 2.000 # limit tflags T_GB_STORAGE_GOOGLE_EMAIL publish endif endif ##} T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) ##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM ) describe T_GB_WEBFORM Webform with url shortener # score T_GB_WEBFORM 1.500 # limit endif ##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) uri T_GB_YOUTUBE_EMAIL m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i describe T_GB_YOUTUBE_EMAIL Youtube attribution links abuse # score T_GB_YOUTUBE_EMAIL 2.000 # limit endif endif ##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM # score T_HK_NAME_FM_FROM 1.5 endif endif ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN endif ##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 describe T_HTML_ATTACH HTML attachment to bypass scanning? endif ##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT describe T_ISO_ATTACH ISO attachment - possible malware delivery # score T_ISO_ATTACH 3.000 # limit endif ##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML #score T_KAM_HTML_FONT_INVALID 0.1 endif ##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval ##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 describe T_LARGE_PCT_AFTER_MANY Many large percentages after... endif ##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_LFUZ_PWRMALE /<inter W1><post P2><O><W><E><R><M><A><L><E>/i endif ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_LOTTO_AGENT_FM header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i describe T_LOTTO_AGENT_FM Claims Agent ##} T_LOTTO_AGENT_FM ##{ T_LOTTO_AGENT_RPLY meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG describe T_LOTTO_AGENT_RPLY Claims Agent ##} T_LOTTO_AGENT_RPLY ##{ T_LOTTO_URI uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i describe T_LOTTO_URI Claims Department URL ##} T_LOTTO_URI ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 describe T_MANY_PILL_PRICE Prices for many pills endif ##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_MIME_MALF if (version >= 3.004000) if (version >= 3.004000) meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED describe T_MIME_MALF Malformed MIME: headers in body # score T_MIME_MALF 2.00 # limit endif ##} T_MIME_MALF if (version >= 3.004000) ##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY) describe T_MONEY_PERCENT X% of a lot of money for you endif ##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH) describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From endif ##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type endif ##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type endif ##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.[a-z]?html?\b,i describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type endif ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware endif ##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type endif ##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type endif ##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA describe T_OFFER_ONLY_AMERICA Offer only available to US #score T_OFFER_ONLY_AMERICA 2.0 # limit endif endif ##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) describe T_PDS_BTC_AHACKER Bitcoin Hacker # score T_PDS_BTC_AHACKER 3.0 # limit endif ##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) describe T_PDS_BTC_HACKER Bitcoin Hacker # score T_PDS_BTC_HACKER 2.0 # limit endif ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) describe T_PDS_BTC_NTLD Bitcoin suspect NTLD #score T_PDS_BTC_NTLD 2.0 # limit endif endif ##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener #score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit endif endif ##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener #score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit endif endif ##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta T_PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS describe T_PDS_FROM_2_EMAILS From header has multiple different addresses # score T_PDS_FROM_2_EMAILS 3.500 # limit endif ##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener #score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit endif endif ##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) describe T_PDS_LTC_AHACKER Litecoin Hacker # score T_PDS_LTC_AHACKER 3.0 # limit endif ##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) describe T_PDS_LTC_HACKER Litecoin Hacker # score T_PDS_LTC_HACKER 2.0 # limit endif ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME #score T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit endif endif ##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener #score T_PDS_SHORTFWD_URISHRT 1.5 # limit endif endif ##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512 describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener #score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit endif endif ##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener #score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit endif endif ##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP) #score T_PDS_SHORT_SPOOFED_URL 2.0 endif endif ##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener #score T_PDS_TINYSUBJ_URISHRT 1.5 # limit endif endif ##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta T_PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER describe T_PDS_TO_EQ_FROM_NAME From: name same as To: address endif ##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024 describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject #score T_PDS_URISHRT_LOCALPART_SUBJ 1.0 endif endif ##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX # score T_PHOTO_EDITING_DIRECT 3.000 # limit endif ##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe T_PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto # score T_PHOTO_EDITING_FREEM 3.750 # limit endif ##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { meta T_REMOTE_IMAGE __REMOTE_IMAGE describe T_REMOTE_IMAGE Message contains an external image endif ##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { ##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1 describe T_SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header tflags T_SCC_BOGUS_CTE_1 publish endif ##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR describe T_SENT_TO_EMAIL_ADDR Email was sent to email address #score T_SENT_TO_EMAIL_ADDR 2.0 # limit endif endif ##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_SHARE_50_50 meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY describe T_SHARE_50_50 Share the money 50/50 ##} T_SHARE_50_50 ##{ T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE describe T_SHORT_SHORTNER Short body with little more than a link to a shortener #score T_SHORT_SHORTNER 2.0 # limit endif endif ##} T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK && !__USING_VERP1 && !__HAS_X_ENTITY_ID && !__RCD_RDNS_SMTP_MESSY && !__RDNS_STATIC describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX # score T_STY_INVIS_DIRECT 2.500 # limit endif ##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money #score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit endif endif ##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local #score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit endif endif ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local #score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit endif endif ##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i endif ##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><R><T><E><S>/i endif ##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/ endif ##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists') endif ##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers') endif ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ T_URI_GOOG_STO_SUBD_SPAMMY uri T_URI_GOOG_STO_SUBD_SPAMMY m;^https?://(?:(?:0(?:000000000000000000000000000000000007|48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|89409404gdfg8401008gfd041087pioazsq56|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9(?:0845045041587041078491540894048940489451000|c32d4d56b8ac7eb1296)|a(?:1discover|4301cda1e5c450bab01|b(?:__________mail_____oo|d___lll____m)|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:l(?:_in_one_089498489045187410102003097841202|iedtrust7?)|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:_________mail____000|fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|i(?:o_mailpro_bulkmail\-2024___________w87x5230_8940152|rcaknee0)|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s_(?:___mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|g08zr7h48z6rt4hrzj74098j9r70j4894tj\-05hj6z(?:\-2024)?)|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|o(?:get1___bulkmail_trk_ses_984605129865_0|tectsecurity))|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|d(?:___mailweb|fgwsd74fg)|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s)|s(?:_trkg___mailbulkform\-045160d5h4fg8_______1jg20xxx|traking_____gmailbulk____tkn\-fkk_209041))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|mail_blackfriday__bigusamail_2024\-f084sf|o(?:lbeam004|uthbeach(?:001|skin))|p(?:_trk_in_ses_mimogoodafterj56h6gd__2000_5|reader35)|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|k_mailpro\-bulkmail\-trkngnum89fs64g5\-usa__hallowen|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))\.storage\.googleapis\.com/;i describe T_URI_GOOG_STO_SUBD_SPAMMY Link to spammy content hosted by google storage #score T_URI_GOOG_STO_SUBD_SPAMMY 3.000 tflags T_URI_GOOG_STO_SUBD_SPAMMY publish ##} T_URI_GOOG_STO_SUBD_SPAMMY ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH) describe T_WON_MONEY_ATTACH You won lots of money! See attachment. endif ##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH) describe T_WON_NBDY_ATTACH You won lots of money! See attachment. endif ##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER describe T_XPRIO_URL_SHORTNER X-Priority header and short URL #score T_XPRIO_URL_SHORTNER 1.0 # limit endif endif ##} T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion # score T_ZW_OBFU_BITCOIN 2.500 # limit endif ##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto describe T_ZW_OBFU_FREEM Obfuscated text + freemail # score T_ZW_OBFU_FREEM 2.000 # limit endif ##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject # score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit endif ##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UC_GIBBERISH_OBFU meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" #score UC_GIBBERISH_OBFU 3.000 # Limit tflags UC_GIBBERISH_OBFU publish ##} UC_GIBBERISH_OBFU ##{ UNDISC_FREEM meta UNDISC_FREEM __UNDISC_FREEM describe UNDISC_FREEM Undisclosed recipients + freemail reply-to tflags UNDISC_FREEM publish ##} UNDISC_FREEM ##{ UNDISC_MONEY meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH describe UNDISC_MONEY Undisclosed recipients + money/fraud signs tflags UNDISC_MONEY publish ##} UNDISC_MONEY ##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 describe UNICODE_OBFU_ASC Obfuscating text with unicode # score UNICODE_OBFU_ASC 2.500 # limit tflags UNICODE_OBFU_ASC publish endif ##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS describe UNICODE_OBFU_ZW Obfuscating text with hidden characters # score UNICODE_OBFU_ZW 3.500 # limit tflags UNICODE_OBFU_ZW publish endif ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ZW_MANY __UNICODE_OBFU_ZW_10 && !__RCD_RDNS_MAIL_MESSY describe UNICODE_OBFU_ZW_MANY Heavily obfuscating text with hidden characters # score UNICODE_OBFU_ZW_MANY 3.000 # limit tflags UNICODE_OBFU_ZW_MANY publish endif ##} UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UNICODE_RTL_OBFU meta UNICODE_RTL_OBFU __UNICODE_RTL_OBFU describe UNICODE_RTL_OBFU Word obfuscation using Unicode right-to-left markers #score UNICODE_RTL_OBFU 1.500 # limit tflags UNICODE_RTL_OBFU publish ##} UNICODE_RTL_OBFU ##{ UNSUB_GOOG_FORM meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM describe UNSUB_GOOG_FORM Unsubscribe via Google Docs form #score UNSUB_GOOG_FORM 2.500 # limit tflags UNSUB_GOOG_FORM publish ##} UNSUB_GOOG_FORM ##{ UPPERCASE_URI uri UPPERCASE_URI /^[^:A-Z]+[A-Z][a-zA-Z]*:/ describe UPPERCASE_URI Link protocol has unexpected mixed case ##} UPPERCASE_URI ##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL ifplugin Mail::SpamAssassin::Plugin::URIDNSBL urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2 body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB') describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) tflags URIBL_RHS_DOB net endif ##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL ##{ URI_ADOBESPARK meta URI_ADOBESPARK __URI_ADOBESPARK #score URI_ADOBESPARK 3.500 # limit tflags URI_ADOBESPARK publish ##} URI_ADOBESPARK ##{ URI_AZURE_CLOUDAPP meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing #score URI_AZURE_CLOUDAPP 3.000 # limit tflags URI_AZURE_CLOUDAPP publish ##} URI_AZURE_CLOUDAPP ##{ URI_BUFFLY meta URI_BUFFLY __URI_BUFFLY && !__DOS_HAS_LIST_UNSUB describe URI_BUFFLY buff.ly redirector URI #score URI_BUFFLY 2.000 # limit ##} URI_BUFFLY ##{ URI_CLOUDFLAREIPFS meta URI_CLOUDFLAREIPFS __URI_CLOUDFLAREIPFS describe URI_CLOUDFLAREIPFS References Interplanetary File System PtP content via CloudFlare, likely phishing #score URI_CLOUDFLAREIPFS 3.500 # limit tflags URI_CLOUDFLAREIPFS publish ##} URI_CLOUDFLAREIPFS ##{ URI_DASHGOVEDU meta URI_DASHGOVEDU __URI_DASHGOVEDU describe URI_DASHGOVEDU Suspicious domain name #score URI_DASHGOVEDU 3.500 # limit tflags URI_DASHGOVEDU publish ##} URI_DASHGOVEDU ##{ URI_DATA meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB describe URI_DATA "data:" URI - possible malware or phish #score URI_DATA 3.250 # limit tflags URI_DATA publish ##} URI_DATA ##{ URI_DOTEDU meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK describe URI_DOTEDU Has .edu URI #score URI_DOTEDU 2.000 # limit tflags URI_DOTEDU publish ##} URI_DOTEDU ##{ URI_DOTEDU_ENTITY meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content #score URI_DOTEDU_ENTITY 3.000 # limit tflags URI_DOTEDU_ENTITY publish ##} URI_DOTEDU_ENTITY ##{ URI_DOTTY_HEX meta URI_DOTTY_HEX __URI_DOTTY_HEX describe URI_DOTTY_HEX Suspicious URI format tflags URI_DOTTY_HEX publish ##} URI_DOTTY_HEX ##{ URI_DQ_UNSUB meta URI_DQ_UNSUB __URI_DQ_UNSUB describe URI_DQ_UNSUB IP-address unsubscribe URI tflags URI_DQ_UNSUB publish ##} URI_DQ_UNSUB ##{ URI_DWEBIPFS meta URI_DWEBIPFS __URI_DWEBIPFS describe URI_DWEBIPFS References Interplanetary File System PtP content via dweb.link, likely phishing #score URI_DWEBIPFS 3.500 # limit tflags URI_DWEBIPFS publish ##} URI_DWEBIPFS ##{ URI_EXCESS_SLASHES meta URI_EXCESS_SLASHES __URI_EXCESS_SLASHES && !__RCD_RDNS_MAIL_MESSY #score URI_EXCESS_SLASHES 2.500 describe URI_EXCESS_SLASHES Too many slashes in URI, possible attempt to bypass spam filtering tflags URI_EXCESS_SLASHES publish ##} URI_EXCESS_SLASHES ##{ URI_FIREBASEAPP meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing #score URI_FIREBASEAPP 3.000 # limit tflags URI_FIREBASEAPP publish ##} URI_FIREBASEAPP ##{ URI_FLKIPFSXYZIPFS meta URI_FLKIPFSXYZIPFS __URI_FLKIPFSXYZIPFS describe URI_FLKIPFSXYZIPFS References Interplanetary File System PtP content via flk-ipfs.xyz, likely phishing #score URI_FLKIPFSXYZIPFS 3.500 # limit tflags URI_FLKIPFSXYZIPFS publish ##} URI_FLKIPFSXYZIPFS ##{ URI_GLITCHME meta URI_GLITCHME __URI_GLITCHME describe URI_GLITCHME References glitch.me content, possible phishing #score URI_GLITCHME 1.500 #limit tflags URI_GLITCHME publish ##} URI_GLITCHME ##{ URI_GOOGDRAWPREVIEW meta URI_GOOGDRAWPREVIEW __URI_GOOGDRAWPREVIEW && !URI_GOOGDRAWPREVIEW_MINFP && !__RCD_RDNS_SMTP && !__TVD_SPACE_RATIO describe URI_GOOGDRAWPREVIEW Link to image at Google Docs, possible phishing #score URI_GOOGDRAWPREVIEW 3.000 # limit tflags URI_GOOGDRAWPREVIEW publish ##} URI_GOOGDRAWPREVIEW ##{ URI_GOOGDRAWPREVIEW_MINFP meta URI_GOOGDRAWPREVIEW_MINFP __URI_GOOGDRAWPREVIEW && (__SUBSCRIPTION_INFO || __HTML_TAG_BALANCE_CENTER || __TO_NO_BRKTS_HTML_ONLY) && !__RCD_RDNS_SMTP && !__TVD_SPACE_RATIO describe URI_GOOGDRAWPREVIEW_MINFP Link to image at Google Docs, probable phishing #score URI_GOOGDRAWPREVIEW_MINFP 3.500 # limit tflags URI_GOOGDRAWPREVIEW_MINFP publish ##} URI_GOOGDRAWPREVIEW_MINFP ##{ URI_GOOGLE_PROXY meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? tflags URI_GOOGLE_PROXY publish ##} URI_GOOGLE_PROXY ##{ URI_GOOG_STO_SPAMMY uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:000000000000000000000000000000000007|48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|89409404gdfg8401008gfd041087pioazsq56|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9(?:0845045041587041078491540894048940489451000|c32d4d56b8ac7eb1296)|a(?:1discover|4301cda1e5c450bab01|b(?:__________mail_____oo|d___lll____m)|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:l(?:_in_one_089498489045187410102003097841202|iedtrust7?)|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:_________mail____000|fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|i(?:o_mailpro_bulkmail\-2024___________w87x5230_8940152|rcaknee0)|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s_(?:___mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|g08zr7h48z6rt4hrzj74098j9r70j4894tj\-05hj6z(?:\-2024)?)|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|o(?:get1___bulkmail_trk_ses_984605129865_0|tectsecurity))|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|d(?:___mailweb|fgwsd74fg)|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s)|s(?:_trkg___mailbulkform\-045160d5h4fg8_______1jg20xxx|traking_____gmailbulk____tkn\-fkk_209041))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|mail_blackfriday__bigusamail_2024\-f084sf|o(?:lbeam004|uthbeach(?:001|skin))|p(?:_trk_in_ses_mimogoodafterj56h6gd__2000_5|reader35)|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|k_mailpro\-bulkmail\-trkngnum89fs64g5\-usa__hallowen|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage #score URI_GOOG_STO_SPAMMY 3.000 tflags URI_GOOG_STO_SPAMMY publish ##} URI_GOOG_STO_SPAMMY ##{ URI_HEX_IP meta URI_HEX_IP __URI_HEX_IP #score URI_HEX_IP 2.500 # limit describe URI_HEX_IP URI with hex-encoded IP-address host tflags URI_HEX_IP publish ##} URI_HEX_IP ##{ URI_IMG_CWINDOWSNET meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU #score URI_IMG_CWINDOWSNET 3.500 # limit describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing tflags URI_IMG_CWINDOWSNET publish ##} URI_IMG_CWINDOWSNET ##{ URI_IMG_WP_REDIR meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR #score URI_IMG_WP_REDIR 3.000 # limit describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy tflags URI_IMG_WP_REDIR publish ##} URI_IMG_WP_REDIR ##{ URI_IPFS meta URI_IPFS __URI_IPFS describe URI_IPFS References Interplanetary File System PtP content, probable phishing #score URI_IPFS 3.500 #limit tflags URI_IPFS publish ##} URI_IPFS ##{ URI_IPFSIO meta URI_IPFSIO __URI_IPFSIO describe URI_IPFSIO References Interplanetary File System PtP content via ipfs.io, likely phishing #score URI_IPFSIO 3.500 # limit tflags URI_IPFSIO publish ##} URI_IPFSIO ##{ URI_LONG_REPEAT meta URI_LONG_REPEAT __URI_LONG_REPEAT describe URI_LONG_REPEAT Long identical host+domain #score URI_LONG_REPEAT 2.500 # limit tflags URI_LONG_REPEAT publish ##} URI_LONG_REPEAT ##{ URI_MALWARE_SCMS uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file) tflags URI_MALWARE_SCMS publish ##} URI_MALWARE_SCMS ##{ URI_ONLY_MSGID_MALF meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO describe URI_ONLY_MSGID_MALF URI only + malformed message ID #score URI_ONLY_MSGID_MALF 2.000 # limit tflags URI_ONLY_MSGID_MALF publish ##} URI_ONLY_MSGID_MALF ##{ URI_OPTOUT_3LD uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname #score URI_OPTOUT_3LD 2.000 # limit tflags URI_OPTOUT_3LD publish ##} URI_OPTOUT_3LD ##{ URI_OPTOUT_USME uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i describe URI_OPTOUT_USME Opt-out URI, unusual TLD tflags URI_OPTOUT_USME publish ##} URI_OPTOUT_USME ##{ URI_PHISH describe URI_PHISH Phishing using web form #score URI_PHISH 4.00 # limit tflags URI_PHISH publish ##} URI_PHISH ##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT endif ##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) ##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT endif ##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ URI_PHP_REDIR meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA #score URI_PHP_REDIR 3.500 # limit describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) tflags URI_PHP_REDIR publish ##} URI_PHP_REDIR ##{ URI_TRY_3LD meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE describe URI_TRY_3LD "Try it" URI, suspicious hostname #score URI_TRY_3LD 2.000 # limit tflags URI_TRY_3LD publish ##} URI_TRY_3LD ##{ URI_TRY_USME meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS describe URI_TRY_USME "Try it" URI, unusual TLD #score URI_TRY_USME 2.000 # limit tflags URI_TRY_USME publish ##} URI_TRY_USME ##{ URI_WPADMIN meta URI_WPADMIN __URI_WPADMIN describe URI_WPADMIN WordPress login/admin URI, possible phishing tflags URI_WPADMIN publish ##} URI_WPADMIN ##{ URI_WP_DIRINDEX meta URI_WP_DIRINDEX __URI_WPDIRINDEX describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware #score URI_WP_DIRINDEX 3.500 # limit tflags URI_WP_DIRINDEX publish ##} URI_WP_DIRINDEX ##{ URI_WP_HACKED meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED describe URI_WP_HACKED URI for compromised WordPress site, possible malware #score URI_WP_HACKED 3.500 # limit tflags URI_WP_HACKED publish ##} URI_WP_HACKED ##{ URI_WP_HACKED_2 meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware #score URI_WP_HACKED_2 2.500 # limit tflags URI_WP_HACKED_2 publish ##} URI_WP_HACKED_2 ##{ USB_DRIVES meta USB_DRIVES __SUBJ_USB_DRIVES describe USB_DRIVES Trying to sell custom USB flash drives #score USB_DRIVES 2.000 # limit tflags USB_DRIVES publish ##} USB_DRIVES ##{ VFY_ACCT_NORDNS meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing #score VFY_ACCT_NORDNS 3.000 # limit tflags VFY_ACCT_NORDNS publish ##} VFY_ACCT_NORDNS ##{ VISTA_COST meta VISTA_COST __VISTA_COST && !__DOS_HAS_LIST_UNSUB describe VISTA_COST Old MSFT msgid format + "cost" #score VISTA_COST 2.500 # limit tflags VISTA_COST publish ##} VISTA_COST ##{ VISTA_TONOM_EQ_TOLOC meta VISTA_TONOM_EQ_TOLOC __VISTA_TONOM_EQ_TOLOC && !__MSOE_MID_WRONG_CASE describe VISTA_TONOM_EQ_TOLOC Old MSFT msgid format + To display name = username #score VISTA_TONOM_EQ_TOLOC 2.500 # limit tflags VISTA_TONOM_EQ_TOLOC publish ##} VISTA_TONOM_EQ_TOLOC ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD tflags VPS_NO_NTLD publish describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD #score VPS_NO_NTLD 1.0 # limit endif endif ##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ WALMART_IMG_NOT_RCVD_WAL meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS #score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart tflags WALMART_IMG_NOT_RCVD_WAL publish ##} WALMART_IMG_NOT_RCVD_WAL ##{ WIKI_IMG uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g|webp),i describe WIKI_IMG Image from wikipedia ##} WIKI_IMG ##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY describe WORD_INVIS A hidden word # score WORD_INVIS 3.000 # limit tflags WORD_INVIS publish endif ##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta WORD_INVIS_MANY __WORD_INVIS_2 describe WORD_INVIS_MANY Multiple individual hidden words # score WORD_INVIS_MANY 3.000 # limit tflags WORD_INVIS_MANY publish endif ##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ XFER_LOTSA_MONEY meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO describe XFER_LOTSA_MONEY Transfer a lot of money #score XFER_LOTSA_MONEY 1.000 # limit ##} XFER_LOTSA_MONEY ##{ XM_DIGITS_ONLY meta XM_DIGITS_ONLY __XM_DIGITS_ONLY describe XM_DIGITS_ONLY X-Mailer malformed #score XM_DIGITS_ONLY 3.000 # limit tflags XM_DIGITS_ONLY publish ##} XM_DIGITS_ONLY ##{ XM_PHPMAILER_FORGED meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED describe XM_PHPMAILER_FORGED Apparently forged header tflags XM_PHPMAILER_FORGED publish ##} XM_PHPMAILER_FORGED ##{ XM_RANDOM meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG describe XM_RANDOM X-Mailer apparently random #score XM_RANDOM 2.500 # limit tflags XM_RANDOM publish ##} XM_RANDOM ##{ XPRIO describe XPRIO Has X-Priority header #score XPRIO 2.250 # limit tflags XPRIO publish ##} XPRIO ##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta XPRIO __XPRIO_MINFP endif ##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM tflags XPRIO net endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE endif endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !SPF_PASS && !RCVD_IN_DNSWL_NONE endif endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF ##{ XPRIO_SHORT_SUBJ meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF describe XPRIO_SHORT_SUBJ Has X Priority header + short subject #score XPRIO_SHORT_SUBJ 2.500 # limit tflags XPRIO_SHORT_SUBJ publish ##} XPRIO_SHORT_SUBJ ##{ XPRIO_VISTA meta XPRIO_VISTA __XPRIO_VISTA && !__BITCOIN && !__TO_TOO_MANY describe XPRIO_VISTA X-Priority + old MSFT msgid format #score XPRIO_VISTA 2.500 # limit tflags XPRIO_VISTA publish ##} XPRIO_VISTA ##{ X_MAILER_CME_6543_MSN header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ ##} X_MAILER_CME_6543_MSN ##{ YOUR_DELIVERY_ADDRESS body YOUR_DELIVERY_ADDRESS /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we(?: will|'ll) need|we need to know|let us know|(?:send|provide|tell|inform|contact)(?: us)?(?: of|with)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific |exact )?(?:(?:delivery |shipping |mailing |shipment |receiving )?(?:address|location)(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))|(?:provide|give) us (?:with |details of )(?:the |your )?address,? (?:and )?we will contact (?:the )?(?:warehouse|logistics|storage(?: facility))|your (?:mailing|shipping) address to (?:arrange|set ?up) (?:shipment|delivery) (?:(?:for|to) you|of th)|provide your address details|contact us with your address/i #score YOUR_DELIVERY_ADDRESS 1.250 # limit ##} YOUR_DELIVERY_ADDRESS ##{ YOU_INHERIT meta YOU_INHERIT __YOU_INHERIT describe YOU_INHERIT Discussing your inheritance ##} YOU_INHERIT ##{ bayes_ignore_header_sandbox bayes_ignore_header ARC-Authentication-Results bayes_ignore_header ARC-Message-Signature bayes_ignore_header ARC-Seal bayes_ignore_header Authentication-Results bayes_ignore_header Auto-Submitted bayes_ignore_header Autocrypt bayes_ignore_header CTCH-SenderID-TotalSpam bayes_ignore_header IronPort-SDR bayes_ignore_header List-Archive bayes_ignore_header List-Help bayes_ignore_header List-Id bayes_ignore_header List-Post bayes_ignore_header List-Subscribe bayes_ignore_header List-Unsubscribe bayes_ignore_header Mailing-List bayes_ignore_header Precedence bayes_ignore_header Received-SPF bayes_ignore_header suggested_attachment_session_id bayes_ignore_header X-ACL-Warn bayes_ignore_header X-Alimail-AntiSpam bayes_ignore_header X-Amavis-Modified bayes_ignore_header X-Anti-Spam bayes_ignore_header X-Anti-Virus bayes_ignore_header X-Anti-Virus-Version bayes_ignore_header X-AntiAbuse bayes_ignore_header X-Antispam bayes_ignore_header X-Antivirus bayes_ignore_header X-Antivirus-Code bayes_ignore_header X-Antivirus-Status bayes_ignore_header X-Antivirus-Version bayes_ignore_header x-aol-global-disposition bayes_ignore_header X-ASF-Spam-Status bayes_ignore_header X-ASG-Debug-ID bayes_ignore_header X-ASG-Orig-Subj bayes_ignore_header X-ASG-Recipient-Whitelist bayes_ignore_header X-ASG-Tag bayes_ignore_header X-Assp-Version bayes_ignore_header X-Attachment-Id bayes_ignore_header X-Authority-Analysis bayes_ignore_header X-Authvirus bayes_ignore_header X-Auto-Response-Suppress bayes_ignore_header X-AV-Do-Run bayes_ignore_header X-AV-Status bayes_ignore_header x-avast-antispam bayes_ignore_header X-Backend bayes_ignore_header X-Barracuda-Apparent-Source-IP bayes_ignore_header X-Barracuda-Bayes bayes_ignore_header X-Barracuda-BBL-IP bayes_ignore_header X-Barracuda-BRTS-Status bayes_ignore_header X-Barracuda-BRTS-URL-Found bayes_ignore_header X-Barracuda-Connect bayes_ignore_header X-Barracuda-Encrypted bayes_ignore_header X-Barracuda-Envelope-From bayes_ignore_header X-Barracuda-Fingerprint-Found bayes_ignore_header X-Barracuda-Orig-Rcpt bayes_ignore_header X-Barracuda-RBL-IP bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder bayes_ignore_header X-Barracuda-Spam-Report bayes_ignore_header X-Barracuda-Spam-Score bayes_ignore_header X-Barracuda-Spam-Status bayes_ignore_header X-Barracuda-Start-Time bayes_ignore_header X-Barracuda-UID bayes_ignore_header X-Barracuda-URL bayes_ignore_header X-Barracuda-Virus-Alert bayes_ignore_header X-Bayes-Prob bayes_ignore_header X-Bayesian-Result bayes_ignore_header X-BeenThere bayes_ignore_header X-BitDefender-Spam bayes_ignore_header X-BitDefender-SpamStamp bayes_ignore_header X-BL bayes_ignore_header X-Bogosity bayes_ignore_header X-Boxtrapper bayes_ignore_header X-Brightmail-Tracker bayes_ignore_header X-BTI-AntiSpam bayes_ignore_header X-Bugzilla-Version bayes_ignore_header X-CanIt-Geo bayes_ignore_header X-Canit-Stats-ID bayes_ignore_header X-CanItPRO-Stream bayes_ignore_header X-Clapf-spamicity bayes_ignore_header X-ClientProxiedBy bayes_ignore_header X-Cloud-Security bayes_ignore_header X-CM-Score bayes_ignore_header X-CMAE-Analysis bayes_ignore_header X-CMAE-Match bayes_ignore_header X-CMAE-Score bayes_ignore_header X-CMAE-Verdict bayes_ignore_header X-CNFS-Analysis bayes_ignore_header X-Company bayes_ignore_header X-Complaints-To bayes_ignore_header X-Coremail-Antispam bayes_ignore_header X-CRM114-CacheID bayes_ignore_header X-CRM114-Status bayes_ignore_header X-CRM114-Version bayes_ignore_header X-CT-Spam bayes_ignore_header X-CTCH-SenderID bayes_ignore_header X-CTCH-SenderID-TotalBulk bayes_ignore_header X-CTCH-SenderID-TotalConfirmed bayes_ignore_header X-CTCH-SenderID-TotalMessages bayes_ignore_header X-CTCH-SenderID-TotalRecipients bayes_ignore_header X-CTCH-SenderID-TotalSpam bayes_ignore_header X-CTCH-SenderID-TotalSuspected bayes_ignore_header X-CTCH-SenderID-TotalVirus bayes_ignore_header X-CTCH-Spam bayes_ignore_header X-CTCH-VOD bayes_ignore_header X-Delivered-To bayes_ignore_header X-Drweb-SpamState bayes_ignore_header X-DSPAM-Confidence bayes_ignore_header X-DSPAM-Factors bayes_ignore_header X-DSPAM-Improbability bayes_ignore_header X-DSPAM-Probability bayes_ignore_header X-DSPAM-Processed bayes_ignore_header X-DSPAM-Result bayes_ignore_header X-DSPAM-Signature bayes_ignore_header x-eavas bayes_ignore_header x-eavas-action bayes_ignore_header x-eavas-eavasid bayes_ignore_header X-Enigmail-Version bayes_ignore_header X-EsetId bayes_ignore_header X-EsetResult bayes_ignore_header X-Exchange-Antispam-Report bayes_ignore_header X-Exchange-Antispam-Report-CFA-Test bayes_ignore_header X-ExtloopSabreCommercials1 bayes_ignore_header X-EYOU-SPAMVALUE bayes_ignore_header X-FB-OUTBOUND-SPAM bayes_ignore_header X-FEAS-SBL bayes_ignore_header X-FILTER-SCORE bayes_ignore_header X-Forefront-Antispam-Report bayes_ignore_header X-Forefront-Antispam-Report-Untrusted bayes_ignore_header X-Forefront-PRVS bayes_ignore_header X-Freemail-From bayes_ignore_header X-Fuglu-Spamstatus bayes_ignore_header X-Fuglu-Suspect bayes_ignore_header X-getmail-filter-classifier bayes_ignore_header X-GFIME-MASPAM bayes_ignore_header X-Gm-Message-State bayes_ignore_header X-Gmane-NNTP-Posting-Host bayes_ignore_header X-GMX-Antispam bayes_ignore_header X-GMX-Antivirus bayes_ignore_header X-Google-DKIM-Signature bayes_ignore_header X-He-Spam bayes_ignore_header X-hMailServer-Spam bayes_ignore_header X-IAS bayes_ignore_header X-iGspam-global bayes_ignore_header X-Injected-Via-Gmane bayes_ignore_header X-Interia-Antivirus bayes_ignore_header X-IP-Spam-Verdict bayes_ignore_header X-Ironport bayes_ignore_header X-IronPort-Anti-Spam-Filtered bayes_ignore_header X-IronPort-Anti-Spam-Result bayes_ignore_header X-IronPort-AV bayes_ignore_header X-Ironport-HAT bayes_ignore_header X-Ironport-HOSTNAME bayes_ignore_header X-Ironport-LNR bayes_ignore_header X-Ironport-MessageFilter bayes_ignore_header X-Ironport-MFP bayes_ignore_header X-Ironport-MID bayes_ignore_header X-IronPort-Outgoing-Antispam bayes_ignore_header X-Ironport-RIF bayes_ignore_header X-Ironport-SBRS bayes_ignore_header X-Ironport-SENDER bayes_ignore_header X-Ironport-SUBJECT bayes_ignore_header X-Junk-Score bayes_ignore_header X-Junkmail bayes_ignore_header X-Klms-Anti bayes_ignore_header X-KLMS-AntiPhishing bayes_ignore_header X-Klms-Antispam bayes_ignore_header X-KLMS-AntiSpam-Info bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles bayes_ignore_header X-KLMS-AntiSpam-Method bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps bayes_ignore_header X-KLMS-AntiSpam-Rate bayes_ignore_header X-KLMS-AntiSpam-Status bayes_ignore_header X-KLMS-AntiSpam-Version bayes_ignore_header X-KLMS-AntiVirus bayes_ignore_header X-KLMS-AntiVirus-Status bayes_ignore_header X-KLMS-Message-Action bayes_ignore_header X-KLMS-Rule-ID bayes_ignore_header X-KMail-EncryptionState bayes_ignore_header X-KMail-MDN-Sent bayes_ignore_header X-KMail-SignatureState bayes_ignore_header X-Kse-Anti bayes_ignore_header X-Loom-IP bayes_ignore_header X-MailCleaner-SpamChec bayes_ignore_header X-MailCleaner-SpamCheck bayes_ignore_header X-MailFoundry bayes_ignore_header X-Mailman-Version bayes_ignore_header X-MDAV-Processed bayes_ignore_header X-MDMailLookup-Result bayes_ignore_header X-ME-Bayesian bayes_ignore_header X-ME-Content bayes_ignore_header X-MessageFilter bayes_ignore_header x-microsoft-antispam bayes_ignore_header X-Microsoft-Antispam-Message-Info bayes_ignore_header X-Microsoft-Antispam-Message-Info-Original bayes_ignore_header X-Microsoft-Antispam-Untrusted bayes_ignore_header X-Microsoft-Exchange-Diagnostics bayes_ignore_header X-Mlf-Version bayes_ignore_header X-Mozilla-Keys bayes_ignore_header X-Mozilla-Status bayes_ignore_header X-Mozilla-Status2 bayes_ignore_header x-ms-exchange-antispam-messagedata bayes_ignore_header x-ms-exchange-antispam-messagedata-0 bayes_ignore_header X-MS-Exchange-CrossTenant-AuthAs bayes_ignore_header X-MS-Exchange-CrossTenant-AuthSource bayes_ignore_header X-MS-Exchange-CrossTenant-FromEntityHeader bayes_ignore_header x-ms-exchange-crosstenant-id bayes_ignore_header x-ms-exchange-crosstenant-network-message-id bayes_ignore_header X-MS-Exchange-CrossTenant-OriginalArrivalTime bayes_ignore_header x-ms-exchange-crosstenant-rms-persistedconsumerorg bayes_ignore_header X-MS-Exchange-CrossTenant-userprincipalname bayes_ignore_header x-ms-exchange-slblob-mailprops bayes_ignore_header X-MS-Exchange-Transport-CrossTenantHeadersStamped bayes_ignore_header x-ms-office365-filtering-correlation-id bayes_ignore_header X-MS-TrafficTypeDiagnostic bayes_ignore_header X-MSFBL bayes_ignore_header X-MSMail-Priority bayes_ignore_header X-MXScan-AntiSpam bayes_ignore_header X-MXScan-AntiVirus bayes_ignore_header X-MXScan-Country-Sequence bayes_ignore_header X-MXScan-License bayes_ignore_header X-MXScan-Msgid bayes_ignore_header X-MXScan-ProcessingTime bayes_ignore_header X-MXScan-Scan bayes_ignore_header X-NAI-Spam-Flag bayes_ignore_header X-NAI-Spam-Rules bayes_ignore_header X-NAI-Spam-Score bayes_ignore_header X-NAI-Spam-Threshold bayes_ignore_header X-NetStation-Status bayes_ignore_header X-No-Relay bayes_ignore_header X-OriginatorOrg bayes_ignore_header X-OVH-SPAMCAUSE bayes_ignore_header X-OVH-SPAMCAUSE: bayes_ignore_header X-OVH-SPAMSCORE bayes_ignore_header X-OVH-SPAMSTATE bayes_ignore_header X-PerlMx-Spam bayes_ignore_header X-PerlMx-Virus-Scanned bayes_ignore_header X-PFSI-Info bayes_ignore_header X-PMX-Spam bayes_ignore_header X-PMX-Version bayes_ignore_header X-Policy-Service bayes_ignore_header X-policyd-weight bayes_ignore_header X-PreRBLs bayes_ignore_header X-Probable-Spam bayes_ignore_header X-PROLinux-SpamCheck bayes_ignore_header X-Proofpoint-Spam-Reason bayes_ignore_header X-Proofpoint-Virus-Version bayes_ignore_header X-Provags-ID bayes_ignore_header x-purgate-eavas: clean bayes_ignore_header x-purgate-id bayes_ignore_header x-purgate-size bayes_ignore_header x-purgate-type bayes_ignore_header X-Qmail-Scanner-Diagnostics bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status bayes_ignore_header X-Quarantine-ID bayes_ignore_header X-Received bayes_ignore_header X-RSpam-Report bayes_ignore_header X-SA-Do-Not-Run bayes_ignore_header X-SA-Exim-Version bayes_ignore_header X-Scanned-by bayes_ignore_header X-ServerMaster-MailScanner bayes_ignore_header X-SG-EID bayes_ignore_header X-SG-ID bayes_ignore_header X-SmarterMail-CustomSpamHeader bayes_ignore_header X-Spam bayes_ignore_header X-Spam-Action bayes_ignore_header X-SPAM-AISP bayes_ignore_header X-Spam-Check-By bayes_ignore_header X-Spam-Checker-Version bayes_ignore_header X-Spam-CMAE-Analysis bayes_ignore_header X-Spam-CMAESCORE bayes_ignore_header X-Spam-CTCH-RefID bayes_ignore_header X-Spam-Flag bayes_ignore_header X-Spam-Level bayes_ignore_header X-Spam-Processed bayes_ignore_header X-Spam-Report bayes_ignore_header X-Spam-Scanned bayes_ignore_header X-Spam-Score bayes_ignore_header X-Spam-Score-Int bayes_ignore_header X-Spam-SmartLearn bayes_ignore_header X-Spam-Status bayes_ignore_header X-Spam-Threshold bayes_ignore_header X-Spam_bar bayes_ignore_header X-Spambayes-Classification bayes_ignore_header X-SpamExperts-Domain bayes_ignore_header X-SpamExperts-Outgoing-Class bayes_ignore_header X-SpamExperts-Outgoing-Evidence bayes_ignore_header X-SpamExperts-Username bayes_ignore_header X-Spamfilter-host bayes_ignore_header X-Spamina-Bogosity bayes_ignore_header X-Spamina-Spam-Report bayes_ignore_header X-Spamina-Spam-Score bayes_ignore_header X-SpamInfo bayes_ignore_header X-Spamsave bayes_ignore_header X-SpamTest-Group-ID bayes_ignore_header X-SpamTest-Info bayes_ignore_header X-SpamTest-Method bayes_ignore_header X-SpamTest-Rate bayes_ignore_header X-SpamTest-SPF bayes_ignore_header X-SpamTest-Status bayes_ignore_header X-SpamTest-Status-Extended bayes_ignore_header X-SPF-Scan-By bayes_ignore_header X-STA-Metric bayes_ignore_header X-STA-NotSpam bayes_ignore_header X-STA-Spam bayes_ignore_header X-StarScan-Version bayes_ignore_header X-SurGATE-Result bayes_ignore_header X-SWITCHham-Score bayes_ignore_header X-UI-Filterresults bayes_ignore_header X-UI-Loop bayes_ignore_header X-UI-Out-Filterresults bayes_ignore_header X-Univie-Spam-Checker-Version bayes_ignore_header X-Univie-Virus-Scan bayes_ignore_header X-Virus bayes_ignore_header X-Virus-Checker-Version bayes_ignore_header X-Virus-Scanned bayes_ignore_header X-Virus-Scanner-Result bayes_ignore_header X-Virus-Scanner-Version bayes_ignore_header X-Virus-Status bayes_ignore_header X-VirusChecked bayes_ignore_header X-VR-SCORE bayes_ignore_header X-VR-SPAMCAUSE bayes_ignore_header X-VR-STATUS bayes_ignore_header X-WatchGuard-Mail-Client-IP bayes_ignore_header X-WatchGuard-Mail-From bayes_ignore_header X-WatchGuard-Mail-Recipients bayes_ignore_header X-WatchGuard-Spam-ID bayes_ignore_header X-WatchGuard-Spam-Score bayes_ignore_header X-Whitelist-Domain bayes_ignore_header X-WUM-CCI bayes_ignore_header X_CMAE_Category ##} bayes_ignore_header_sandbox ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/ askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/ askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/ reuse FROM_FMBLA_NEWDOM reuse FROM_FMBLA_NEWDOM14 reuse FROM_FMBLA_NEWDOM28 reuse FROM_FMBLA_NDBLOCKED reuse __PDS_NEWDOMAIN reuse FROM_NUMBERO_NEWDOMAIN reuse FROM_NEWDOM_BTC askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ reuse BITCOIN_SPF_ONLYALL endif endif ##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk reuse __FROM_ADDRLIST_PAYPAL reuse FROM_PAYPAL_SPOOF enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com enlist_addrlist (BANKS) *@citibank.com enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com enlist_addrlist (BANKS) *@mbna.com enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk enlist_addrlist (BANKS) *@santander.com *@santander.co.uk enlist_addrlist (BANKS) *@standardbank.co.za enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com reuse __FROM_ADDRLIST_BANKS reuse FROM_BANK_NOAUTH enlist_addrlist (GOV) *@*.gov enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk reuse __FROM_ADDRLIST_GOV reuse FROM_GOV_SPOOF reuse FROM_GOV_DKIM_AU reuse FROM_GOV_REPLYTO_FREEMAIL enlist_addrlist (SUSP_NTLD) *@*.icu enlist_addrlist (SUSP_NTLD) *@*.online enlist_addrlist (SUSP_NTLD) *@*.work enlist_addrlist (SUSP_NTLD) *@*.date enlist_addrlist (SUSP_NTLD) *@*.top enlist_addrlist (SUSP_NTLD) *@*.fun enlist_addrlist (SUSP_NTLD) *@*.life enlist_addrlist (SUSP_NTLD) *@*.review enlist_addrlist (SUSP_NTLD) *@*.bid enlist_addrlist (SUSP_NTLD) *@*.stream enlist_addrlist (SUSP_NTLD) *@*.gdn enlist_addrlist (SUSP_NTLD) *@*.click enlist_addrlist (SUSP_NTLD) *@*.world enlist_addrlist (SUSP_NTLD) *@*.fit enlist_addrlist (SUSP_NTLD) *@*.ooo enlist_addrlist (SUSP_NTLD) *@*.faith enlist_addrlist (SUSP_NTLD) *@*.buzz enlist_addrlist (SUSP_NTLD) *@*.trade enlist_addrlist (SUSP_NTLD) *@*.cyou enlist_addrlist (SUSP_NTLD) *@*.vip enlist_addrlist (SUSP_NTLD) *@*.xyz enlist_uri_host (SUSP_URI_NTLD) icu enlist_uri_host (SUSP_URI_NTLD) online enlist_uri_host (SUSP_URI_NTLD) work enlist_uri_host (SUSP_URI_NTLD) date enlist_uri_host (SUSP_URI_NTLD) top enlist_uri_host (SUSP_URI_NTLD) fun enlist_uri_host (SUSP_URI_NTLD) life enlist_uri_host (SUSP_URI_NTLD) review enlist_uri_host (SUSP_URI_NTLD) bid enlist_uri_host (SUSP_URI_NTLD) stream enlist_uri_host (SUSP_URI_NTLD) gdn enlist_uri_host (SUSP_URI_NTLD) click enlist_uri_host (SUSP_URI_NTLD) world enlist_uri_host (SUSP_URI_NTLD) fit enlist_uri_host (SUSP_URI_NTLD) ooo enlist_uri_host (SUSP_URI_NTLD) faith enlist_uri_host (SUSP_URI_NTLD) buzz enlist_uri_host (SUSP_URI_NTLD) trade enlist_uri_host (SUSP_URI_NTLD) cyou enlist_uri_host (SUSP_URI_NTLD) vip enlist_uri_host (SUSP_URI_NTLD) xyz enlist_uri_host (SUSP_URI_NTLD_PRO) pro reuse __FROM_ADDRLIST_SUSPNTLD reuse __REPLYTO_ADDRLIST_SUSPNTLD reuse FROM_SUSPICIOUS_NTLD reuse GOOGLE_DRIVE_REPLY_BAD_NTLD reuse VPS_NO_NTLD endif endif ##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox ##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL priority GB_HASHBL_BTC -100 reuse GB_HASHBL_BTC endif endif ##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox ##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab]) replace_rules __E_LIKE_LETTER endif endif ##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/ reuse __DKIMWL_FREEMAIL askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/ reuse __DKIMWL_BULKMAIL askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/ reuse __DKIMWL_WL_HI askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/ reuse __DKIMWL_WL_MEDHI askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/ reuse __DKIMWL_WL_MED askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/ reuse __DKIMWL_WL_BL askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/ reuse __DKIMWL_BLOCKED reuse DKIMWL_WL_HIGH reuse DKIMWL_WL_MEDHI reuse DKIMWL_WL_MED reuse DKIMWL_BL reuse DKIMWL_BLOCKED askdns __HELO_DNS _LASTEXTERNALHELO_ A /./ endif ##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox ifplugin Mail::SpamAssassin::Plugin::DNSEval # { reuse RCVD_IN_PSBL endif ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox ifplugin Mail::SpamAssassin::Plugin::DNSEval reuse RCVD_IN_IADB_LISTED reuse RCVD_IN_IADB_SPF reuse RCVD_IN_IADB_SENDERID reuse RCVD_IN_IADB_DK reuse RCVD_IN_IADB_RDNS reuse RCVD_IN_IADB_DMARC reuse RCVD_IN_IADB_NOCONTROL reuse RCVD_IN_IADB_OPTOUTONLY reuse RCVD_IN_IADB_UNVERIFIED_1 reuse RCVD_IN_IADB_UNVERIFIED_2 reuse RCVD_IN_IADB_LOOSE reuse RCVD_IN_IADB_OPTIN_LT50 reuse RCVD_IN_IADB_OPTIN_GT50 reuse RCVD_IN_IADB_OPTIN reuse RCVD_IN_IADB_DOPTIN_LT50 reuse RCVD_IN_IADB_DOPTIN_GT50 reuse RCVD_IN_IADB_DOPTIN reuse RCVD_IN_IADB_ML_DOPTIN reuse RCVD_IN_IADB_OOO reuse RCVD_IN_IADB_SOCIAL reuse RCVD_IN_IADB_TRACK reuse RCVD_IN_IADB_ECARD reuse RCVD_IN_IADB_ESP reuse RCVD_IN_IADB_LEG_NPROFIT reuse RCVD_IN_IADB_LEG_BNPROFIT reuse RCVD_IN_IADB_LEG_MAND reuse RCVD_IN_IADB_COURT reuse RCVD_IN_IADB_URG reuse RCVD_IN_IADB_MI_CPEAR reuse RCVD_IN_IADB_UT_CPEAR endif ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de fns_ignore_headers List-Id fns_check 1 reuse __PLUGIN_FROMNAME_SPOOF reuse __PLUGIN_FROMNAME_EQUALS_TO endif ##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules T_FUZZY_SPRM replace_rules FUZZY_MERIDIA replace_rules TVD_FUZZY_PHARMACEUTICAL replace_rules TVD_FUZZY_SYMBOL replace_rules T_TVD_FUZZY_SECURITIES replace_rules TVD_FUZZY_FINANCE replace_rules TVD_FUZZY_FIXED_RATE replace_rules TVD_FUZZY_MICROCAP replace_rules T_TVD_FUZZY_SECTOR replace_rules TVD_FUZZY_DEGREE replace_rules __COPY_PASTE_EN replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?$[\div]{1,5}$|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|$?[A-K][)}\]:.,]{1,3})\s?) replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?$?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) replace_rules __FILL_THIS_FORM_LONG1 replace_rules __FILL_THIS_FORM_LONG2 replace_rules __FILL_THIS_FORM_PARTIAL replace_rules __FILL_THIS_FORM_PARTIAL_RAW replace_rules __FILL_THIS_FORM_SHORT1 replace_rules __FILL_THIS_FORM_SHORT2 replace_rules __FILL_THIS_FORM_LOAN1 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 replace_tag CURRENCY (?:[$\[<]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|u\s?s\s?d|U\s?S\s?D|CAD|G\s?B\s?P|=[Aa][34]|\xa3|\xe2\x82\xac|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]$>]?) replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s) replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$)) replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent) replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS replace_rules T_FUZZY_OPTOUT replace_rules __FRT_PRICE replace_rules FUZZY_UNSUBSCRIBE replace_rules FUZZY_ANDROID replace_rules FUZZY_PROMOTION replace_rules FUZZY_PRIVACY replace_rules FUZZY_BROWSER replace_rules FUZZY_SAVINGS replace_rules FUZZY_IMPORTANT replace_rules FUZZY_SECURITY replace_rules __FUZZY_DR_OZ replace_rules FUZZY_CLICK_HERE replace_rules FUZZY_BITCOIN replace_rules __BITCOIN replace_rules FUZZY_WALLET replace_rules __FUZZY_MONERO replace_rules __FUZZY_WELLSFARGO_BODY replace_rules __FUZZY_WELLSFARGO_FROM replace_rules __FUZZY_PORN replace_rules FUZZY_AMAZON replace_rules FUZZY_APPLE replace_rules FUZZY_MICROSOFT replace_rules FUZZY_FACEBOOK replace_rules FUZZY_PAYPAL replace_rules FUZZY_NORTON replace_rules FUZZY_OVERSTOCK replace_rules __FUZZY_TRUSTWALLET_BODY replace_rules __FUZZY_TRUSTWALLET_FROM replace_rules FUZZY_TRUMP replace_rules FUZZY_HARRIS replace_rules __MY_VICTIM replace_rules __MY_MALWARE replace_rules __PAY_ME replace_rules __YOUR_PASSWORD replace_rules __YOUR_WEBCAM replace_rules __YOUR_ONAN replace_rules __YOUR_PERSONAL replace_rules __HOURS_DEADLINE replace_rules __EXPLOSIVE_DEVICE replace_tag SHY (?:=ad|[\xc2][\xad]|[\xad]|&\#xad;|&\#173;||\x{E2}\x{80}\x{8F}) replace_rules __SHY_OBFU_PASSWORD replace_rules __SHY_OBFU_EXPIRE replace_rules T_LFUZ_PWRMALE replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE reuse T_PDS_BTC_AHACKER reuse T_PDS_BTC_HACKER reuse T_PDS_LTC_AHACKER reuse T_PDS_LTC_HACKER endif ##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox ifplugin Mail::SpamAssassin::Plugin::URIDNSBL reuse URIBL_RHS_DOB endif ##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com enlist_uri_host (PDS_CASHSHORTENER) caat.site enlist_uri_host (PDS_CASHSHORTENER) triabicia.com enlist_uri_host (PDS_CASHSHORTENER) 2xs.io enlist_uri_host (PDS_CASHSHORTENER) ocest.site enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz enlist_uri_host (PDS_CASHSHORTENER) waar.site enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net enlist_uri_host (PDS_CASHSHORTENER) cowner.net enlist_uri_host (PDS_CASHSHORTENER) adfoc.us enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz enlist_uri_host (PDS_CASHSHORTENER) gurl.pw enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz enlist_uri_host (PDS_CASHSHORTENER) libittarc.com enlist_uri_host (PDS_CASHSHORTENER) pc.cd enlist_uri_host (PDS_CASHSHORTENER) fc.lc enlist_uri_host (PDS_CASHSHORTENER) dares.xyz enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz enlist_uri_host (PDS_CASHSHORTENER) 7r6.com enlist_uri_host (PDS_CASHSHORTENER) mitly.us enlist_uri_host (PDS_CASHSHORTENER) kutpay.com enlist_uri_host (PDS_CASHSHORTENER) gsurl.me enlist_uri_host (PDS_CASHSHORTENER) gurl.ly enlist_uri_host (PDS_CASHSHORTENER) gsurl.in enlist_uri_host (PDS_CASHSHORTENER) acitoate.com enlist_uri_host (PDS_CASHSHORTENER) aclabink.com enlist_uri_host (PDS_CASHSHORTENER) activeation.com enlist_uri_host (PDS_CASHSHORTENER) activeterium.com enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com enlist_uri_host (PDS_CASHSHORTENER) adflymail.com enlist_uri_host (PDS_CASHSHORTENER) adult.xyz enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com enlist_uri_host (PDS_CASHSHORTENER) ay.gy enlist_uri_host (PDS_CASHSHORTENER) battleate.com enlist_uri_host (PDS_CASHSHORTENER) biastonu.com enlist_uri_host (PDS_CASHSHORTENER) bitigee.com enlist_uri_host (PDS_CASHSHORTENER) briskrange.com enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com enlist_uri_host (PDS_CASHSHORTENER) casualient.com enlist_uri_host (PDS_CASHSHORTENER) clesolea.com enlist_uri_host (PDS_CASHSHORTENER) code404.biz enlist_uri_host (PDS_CASHSHORTENER) coginator.com enlist_uri_host (PDS_CASHSHORTENER) cogismith.com enlist_uri_host (PDS_CASHSHORTENER) covelign.com enlist_uri_host (PDS_CASHSHORTENER) crefranek.com enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com enlist_uri_host (PDS_CASHSHORTENER) deciomm.com enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com enlist_uri_host (PDS_CASHSHORTENER) east-jones.com enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com enlist_uri_host (PDS_CASHSHORTENER) endroudo.com enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com enlist_uri_host (PDS_CASHSHORTENER) fainbory.com enlist_uri_host (PDS_CASHSHORTENER) fasttory.com enlist_uri_host (PDS_CASHSHORTENER) fawright.com enlist_uri_host (PDS_CASHSHORTENER) flyserve.co enlist_uri_host (PDS_CASHSHORTENER) greponozy.com enlist_uri_host (PDS_CASHSHORTENER) homoluath.com enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com enlist_uri_host (PDS_CASHSHORTENER) infopade.com enlist_uri_host (PDS_CASHSHORTENER) j.gs enlist_uri_host (PDS_CASHSHORTENER) kaitect.com enlist_uri_host (PDS_CASHSHORTENER) kializer.com enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com enlist_uri_host (PDS_CASHSHORTENER) legeerook.com enlist_uri_host (PDS_CASHSHORTENER) libittarc.com enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com enlist_uri_host (PDS_CASHSHORTENER) locinealy.com enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com enlist_uri_host (PDS_CASHSHORTENER) metastead.com enlist_uri_host (PDS_CASHSHORTENER) mmoity.com enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com enlist_uri_host (PDS_CASHSHORTENER) neswery.com enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com enlist_uri_host (PDS_CASHSHORTENER) optitopt.com enlist_uri_host (PDS_CASHSHORTENER) picocurl.com enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com enlist_uri_host (PDS_CASHSHORTENER) preofery.com enlist_uri_host (PDS_CASHSHORTENER) prereheus.com enlist_uri_host (PDS_CASHSHORTENER) q.gs enlist_uri_host (PDS_CASHSHORTENER) quainator.com enlist_uri_host (PDS_CASHSHORTENER) quamiller.com enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid enlist_uri_host (PDS_CASHSHORTENER) raboninco.com enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com enlist_uri_host (PDS_CASHSHORTENER) scapognel.com enlist_uri_host (PDS_CASHSHORTENER) simizer.com enlist_uri_host (PDS_CASHSHORTENER) skamaker.com enlist_uri_host (PDS_CASHSHORTENER) skamason.com enlist_uri_host (PDS_CASHSHORTENER) sluppend.com enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com enlist_uri_host (PDS_CASHSHORTENER) swarife.com enlist_uri_host (PDS_CASHSHORTENER) swiftation.com enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com enlist_uri_host (PDS_CASHSHORTENER) techigo.com enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid enlist_uri_host (PDS_CASHSHORTENER) tinyical.com enlist_uri_host (PDS_CASHSHORTENER) tonancos.com enlist_uri_host (PDS_CASHSHORTENER) triabicia.com enlist_uri_host (PDS_CASHSHORTENER) turboagram.com enlist_uri_host (PDS_CASHSHORTENER) twineer.com enlist_uri_host (PDS_CASHSHORTENER) twiriock.com enlist_uri_host (PDS_CASHSHORTENER) userlab66.com enlist_uri_host (PDS_CASHSHORTENER) vaugette.com enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com enlist_uri_host (PDS_CASHSHORTENER) velociterium.com enlist_uri_host (PDS_CASHSHORTENER) viahold.com enlist_uri_host (PDS_CASHSHORTENER) vializer.com enlist_uri_host (PDS_CASHSHORTENER) viwright.com enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com enlist_uri_host (PDS_CASHSHORTENER) x19.biz enlist_uri_host (PDS_CASHSHORTENER) x19network.com enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com enlist_uri_host (PDS_CASHSHORTENER) yoineer.com enlist_uri_host (PDS_CASHSHORTENER) yoitect.com enlist_uri_host (PDS_CASHSHORTENER) zipansion.com enlist_uri_host (PDS_CASHSHORTENER) zipteria.com enlist_uri_host (PDS_CASHSHORTENER) zipvale.com reuse T_PDS_SHORTFWD_URISHRT endif endif ##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox ##{ redirector_pattern_sandbox redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i redirector_pattern m;^https?://web\.mmac\.org/.*[?&]url=//(.+)$; ##} redirector_pattern_sandbox ##{ reuse_sandbox reuse T_PDS_HIDDEN_UK_BUSINESSLOAN reuse T_PDS_DOUBLE_URL reuse PDS_DBL_URL_LINKBAIT reuse T_PDS_DBL_URL_TNB_RUNON reuse T_PDS_DBL_URL_ILLEGAL_CHARS reuse T_FROM_2_EMAILS_SHORT reuse T_SHORT_BODY_QUOTE reuse T_BODY_QUOTE_MALF_MSGID reuse SPOOFED_FREEMAIL_NO_RDNS reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT reuse T_PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT reuse T_PDS_LITECOIN_ID reuse PDS_BTC_ID reuse PDS_BTC_MSGID reuse __PDS_GOOGLE_DRIVE_SHARE_1 reuse __PDS_GOOGLE_DRIVE_SHARE_2 reuse __PDS_GOOGLE_DRIVE_SHARE_3 reuse __PDS_GOOGLE_DRIVE_SHARE reuse T_GOOGLE_DRIVE_DEAR_SOMETHING reuse __PDS_GOOGLE_DRIVE_FILE reuse __SHORT_BODY_G_DRIVE reuse __SHORT_BODY_G_DRIVE_DYN reuse T_SHORT_BODY_G_DRIVE_DYN reuse T_FROM_NAME_EQ_TO_G_DRIVE ##} reuse_sandbox uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i uri __128_HEX_URI m,/[0-9a-f]{128}, uri __128_LC_URI m;[/?][a-z]{128,}$; uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g|webp)$;i uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ tflags __4BYTE_UTF8_WORD multiple maxhits=10 header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ uri __64_ANY_URI m;[/?]\w{64,}$;i body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i tflags __ACCESS_SUSPENDED multiple maxhits=2 body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i tflags __ACCOUNT_DISRUPT multiple maxhits=2 body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3 body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH endif uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\// uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ header __AC_FROM_MANY_DOTS From =~ /<(?!do\.not\.reply@)(?:\w{2,}\.){2,}\w+@/i meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i uri __AC_LAND_URI /\/land\// uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/ uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/ uri __AC_OUTI_URI /\/outi\b/ uri __AC_OUTL_URI /\/outl\b/ uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\// uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\// uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif|webp)\/\w{2,}\b/i meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS) uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/ uri __AC_REPORT_URI /\/report\// uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\// rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/ uri __AC_UNSUB_URI /\/unsub\// body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ body __AFF_LOTTERY /(?:lottery|winner)/i meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION) body __AFR_UNION /\bafrican\sunion\b/i body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ANY_TEXT_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i tflags __APP_DEVELOPMENT multiple maxhits=6 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 endif body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s$](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s$]card/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ATTACH_NAME_NO_EXT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i endif body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i body __AUTO_ACCIDENT /auto(?:mobile)? accident/i header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/ header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/ body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i body __BANK_DRAFT /\bbank\sdraft/i body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i tflags __BIGNUM_EMAILS multiple maxhits=5 meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2 meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __BITCOIN /[-\s]?[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?[-\s]?<N>/i endif body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/ meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM meta __BITCOIN_TOEQFM __BITCOIN && __TO_EQ_FROM meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s body __BODY_TEXT_LINE /^\s*\S/ tflags __BODY_TEXT_LINE multiple maxhits=3 meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ tflags __BOGUS_MIME_HDR multiple maxhits=8 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 endif header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/ meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7) body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i endif body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i header __BUG6919_RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:fix|fixip|static|dedicated|business|compute)/i rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i body __BURKINA_FASO /\bburkina\s?faso\b/i body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i body __CAN_HELP /\bcan help\b/i body __CASHPRZ /cash prize of/ body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i tflags __CLEAN_MAILBOX multiple maxhits=2 body __CLICK_HERE /\bclick\shere\b/i rawbody __COMMENT_GIBBERISH /\w/ tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE endif rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s* 20 ifplugin Mail::SpamAssassin::Plugin::HTMLEval body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') endif body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g|webp)$,i tflags __IMGUR_IMG multiple maxhits=4 meta __IMGUR_IMG_2 __IMGUR_IMG == 2 meta __IMGUR_IMG_3 __IMGUR_IMG == 3 if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) meta __IMG_LE_300K 0 endif ifplugin Mail::SpamAssassin::Plugin::ImageInfo body __IMG_LE_300K eval:pixel_coverage('all',62500,300000) endif uri __IMG_S3_AWS m;https://(?:[a-z0-9-]+)\.s3\.amazonaws\.com/uploads/[^./]{1,256}\.(?:jpe?g|gif|png|webp);i body __INHERIT_PMT /\binheritance\spayment\s/i body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ISO_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ISO_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i endif body __IS_LEGAL /\b(?:(?:(?:this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i header __JM_REACTOR_DATE Date =~ / \+0000$/ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024') describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128') describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256') describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512') describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes. endif endif if !plugin(Mail::SpamAssassin::Plugin::HTMLEval) meta __KAM_HTML_FONT_INVALID 0 endif ifplugin Mail::SpamAssassin::Plugin::HTMLEval body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color') endif body __KAM_LOTTO2 /(?:(?:ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/ header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/ meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME) if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta __LARGE_PERCENT_AFTER 0 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __LARGE_PERCENT_AFTER /\d{3}% after/i tflags __LARGE_PERCENT_AFTER multiple maxhits=4 endif if !plugin(Mail::SpamAssassin::Plugin::HeaderEval) meta __LCL__ENV_AND_HDR_FROM_MATCH 0 endif ifplugin Mail::SpamAssassin::Plugin::HeaderEval meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_1024 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_1024 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 endif endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_128 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_128 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 endif endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_512 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_512 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 endif endif meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/ uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i tflags __LOCK_MAILBOX multiple maxhits=2 full __LONGLINE /^[^\r\n]{998}/m meta __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __LONG_STY_INVIS __STY_INVIS_2 && __LONGLINE endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_00 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_01 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[$\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_02 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_02 /(?<![-\d\#])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][$\]$]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))[\s\b]/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_03 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[$\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_04 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|U\s?S\s?D|G\s?B\s?P|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_05 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i endif meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2 body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i uri __LOTTO_ADMITS_3 /lott+ery/i meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02 body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __LOTTO_ATTACH_1 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __LOTTO_ATTACH_2 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i endif body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i body __LOTTO_VERIFY /\bpromo\sverification/i body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOWER_E /e/ tflags __LOWER_E multiple maxhits=230 endif endif body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n+){1,40}^(?:Subject|Date): /ism rawbody __L_BODY_8BITS /[\x80-\xff]/ header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/ header __L_CTE_8BIT Content-Transfer-Encoding =~ /^8bit$/ body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i tflags __MAIL_LINK nice body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/ meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02 endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MALW_ATTACH_01_01 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MALW_ATTACH_01_02 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MALW_ATTACH_02_01 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g|webp))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MALW_ATTACH_02_02 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g|webp))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i endif meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i header __MAY_BE_FORGED Received =~ /$may be forged$/ header __MID_START_001C Message-ID =~ /^<000001c/ body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/ meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/ if !((version >= 3.004000)) meta __MIME_CTYPE_IN_BODY 0 endif if (version >= 3.004000) body __MIME_CTYPE_IN_BODY /^Content-Type:\s/ endif if !((version >= 3.004000)) meta __MIME_MALF 0 endif if (version >= 3.004000) meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MIME_NO_TEXT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH) endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval rawbody __MIME_QPC eval:check_for_mime('mime_qp_count') endif header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/ rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/ rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/ describe __MIXED_HREF_CASE Has anchor tags with mixed-up cases in non-quoted lines meta __MIXED_HREF_CASE __HAS_HREF - __HAS_HREF_ONECASE > 0 rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/ header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) body __MONERO_CURNCY /Monero $XMR$/ body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto endif meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./ tflags __MSGID_JAVAMAIL nice header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/ tflags __MSGID_LIST nice header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: / ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i endif header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ header __MUA_TBIRD User-Agent =~ /^Mozilla\/.* Thunderbird/ uri __MXG_HAS_PHONE04 /tel:/ body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __MY_MALWARE /(?:^|\s)(?:(?:(?:'<V><E>|\s<H><A><V><E>)?\s(?:<T><|><S><E><T>\s?|<N><S><T><A><L><L><E><D>|<L>(?:<T>|<D>)\s<N>|<L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<E><R><S><O><N><A><L>\s|<A><C><K><G><R><O><N><D>\s|<H><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><R><S>|<S><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><L>(?:<O>|0)<T>|<A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><D><D><E><N>\s|<M><A><L><C><O><S>\s)+(?:<A>|<S><T><F><F>))|(?:<A><L><C><A><T><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|\s(?:<C><O><N><T><A><M><N><A><T><E><D>|<N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><F><E><D>|<O><S><O><N><E><D>)\s(?:<Y><O><R>|<T><H><S>)\s(?:<M><A><C><H><N><E>|<C><O><M><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<H><O><N><E>|<D><E><V><C><E>|<E><M><A><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><N>\s<H><N><T><E><R><H><A><L><T><G><E><S>\s<R><O><G><R><A><M>+|\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><R><S>|<S><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><V>(?:<E><S>|<N><G>)\s<M><E>)[\s\.,]/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __MY_VICTIM /(?:<H>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><C><T><M>|<R><E><Y>)/i endif header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/ meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/ meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG body __NEW_PRODUCTS /\bhere are new products|(?:We(?: are|'re)|I(?: am|'m)) (?:glad|thrilled|pleased|happy|excited) to (?:present|introduce|share) (?:(?:with you |you to )?our|the)|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i body __NIGERIA /\bnigeria\b/i meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO tflags __NOT_A_PERSON nice body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i tflags __NOT_SPOOFED nice if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF endif endif if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) ifplugin Mail::SpamAssassin::Plugin::SPF meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF endif endif if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF. endif endif if !plugin(Mail::SpamAssassin::Plugin::DKIM) ifplugin Mail::SpamAssassin::Plugin::SPF meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF endif endif meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS) header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(?:\.[a-z]{2,4})?\.[a-z]+$/i header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) endif body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/ if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) meta __ONE_IMG 0 endif ifplugin Mail::SpamAssassin::Plugin::ImageInfo body __ONE_IMG eval:image_count('all',1,1) endif header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./ body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CL Content-Location =~ /./ endif body __PASSIVE_INCOME /\bpassive income\b/i body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i body __PASSWORD_UPGRADE /\bpassword upgrade\b/i body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i body __PAYPAL_ERROR_01 /Due to a technical error, a transaction may have been processed on your account/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PAY_ME /(?:^|\s)(?:<A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><T>|<G><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A>)|\s<W><A><N><T>|<D><E><N>\s<E><T><R><A><G>\s<V><O><N>|<A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<S><D>?|<E><R>?(?:<O><S>)?|<G>|<T><C>)?|<T><C><O><N>|<T><C>)|(?:<M><A><K><E>|<E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><T>)\s<T><H><E>\s<A><Y><M><E><N><T>|<A><M><O><N><T>\s<F><O><R>\s<M><Y>\s<S><L><E><N><C><E>|(?:<A><Y>|<F><N><D>)\s<T><H><S>\s(?:<T><C><O><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<R><E><F><T><A><S><C><H><E>|<M><Y> <R><E>(?:<R><Y>)?))[\s\.,]/i endif body __PAY_YOU /\bpay\syou\b/ if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50 endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_1 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_2 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_3 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_OF_PMTS 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_FN1 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_FN2 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_ANON From:name =~ /\bAnon/ endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i endif meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_PIRATE From:name =~ /pr<A>t<E>/i endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER') endif endif uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$; if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i endif endif if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i endif header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/ meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2) header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/ header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/ header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/ ifplugin Mail::SpamAssassin::Plugin::AskDNS meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS) tflags __PDS_HP_HELO_NODNS net endif ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024 endif ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048 endif meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024) meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512) if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28) tflags __PDS_NEWDOMAIN net endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i endif endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_1024 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_128 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_512 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_64 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64) endif header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:mta|mail|mx|smtp)\b\S* /i if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SEO2 /(?:losing your|your website) (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i endif endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __PDS_SPF_ONLYALL net endif endif meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/ if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism endif if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n<]{0,80}<)?(\1)>?/ism endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024 endif endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_URISHORTENER __URL_SHORTENER endif endif meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i body __PERFECT_BINARY /\bperfect binary option\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i endif meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i tflags __PHOTO_RETOUCHING multiple maxhits=5 endif header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2 header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./ header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/ header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) header __PH_TVD_FROM2 From:addr =~ /\@.*ebay/i if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta __PILL_PRICE_01 0 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i tflags __PILL_PRICE_01 multiple maxhits=3 endif if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta __PILL_PRICE_02 0 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i tflags __PILL_PRICE_02 multiple maxhits=3 endif body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() endif ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() endif uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg|\.webp)[^?]{4}(?:\?[^?]{1,5})?$;i body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism tflags __RAND_HEADER multiple maxhits=4 meta __RAND_HEADER_2 __RAND_HEADER > 1 header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # " header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # " header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i tflags __RCD_RDNS_MAIL nice header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i tflags __RCD_RDNS_MAIL_MESSY nice header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i tflags __RCD_RDNS_MTA nice header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i tflags __RCD_RDNS_MTA_MESSY nice header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i tflags __RCD_RDNS_MX nice header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ tflags __RCD_RDNS_MX_MESSY nice header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i tflags __RCD_RDNS_OB nice header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i tflags __RCD_RDNS_SMTP nice header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ tflags __RCD_RDNS_SMTP_MESSY nice header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/ header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ / header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} / body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./ body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH) endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') endif endif header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll|ynnpage)|m(?:\.francco|_l\.wanczyk|asayohara|rsjanetedwards)|o(?:fficework|xf)|p(?:aulpollard|eterwong)|royalpalace|spwalker|usembassy|webank|yurdaaytarkan))\d+\@aol\.com$/i header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha(?:1976gaddafi|gaddafilibya)|l(?:an\.austin|ber\.yang|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:d(?:rewhawkins|yfox)|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|rnard\.arnult|tsyholden)|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|e(?:da\.ogada|lineroullier)|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:lombasjuan|ntactad|operation)|r(?:awfordgillies|ist(?:brun?|davis|ydavis(?:donation|foundation)))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.(?:loanfirm|murray)|ibe|larbi|mathers|pere|ramirez\.luis)|scarolyn|yax))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|hlexpresscompany|ipfrancis|minique|ona(?:ldwilliam|tionhelpercare)|r(?:\.w(?:erneroyer|ilsonpaul)|davidrhama|joesimon|rhamahassan)|unsilva)|e(?:benezero|christina|dmundventura|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:evemusk|nakgeorge|zcelic)|s(?:sexlss|therkatherine)|wynn)|f(?:\.mikhail|a(?:ithdesrie|rahwasam|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:es(?:\.connelly|patrickconnolly)|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|u(?:lanlan|ndinternationalmonetary))|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|r(?:ciavincent|yakinson))|bill|e(?:neralwilliamstony|orge(?:brownhoward|kwame)|r(?:aldjhjh|tjanvlieghe))|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo)|lengiggs|ritagetrustbank)|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff|n(?:fo(?:\.(?:annedouglas|marviswanczyk)|i)|gridrolle|ternationallppp)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:cobmaseon|mesokoh|vierlesme)|e(?:fferydean|ssikasingh)|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|t(?:anko|foundation)|uba|walterlove|a)|n(?:a(?:haskel|thanhaskel)|esandassociates|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson|ymrskone)|rawlings|ulie(?:t\.lee?|watson))|k(?:a(?:l(?:iaksandr|stromjames|tschmidtdavid)|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|nnedy\.sawadogo)|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|ndfair\.co\.uk|rynne(?:0west|west)|wisrichards)|i(?:amfinchus|fecshortt|liane\.bettencourt|n(?:elink|glung)|sa(?:milner|robin)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:\.francco|a(?:c(?:guiu|koliver)|incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:a(?:hhills|nnewoosley)|nacoleman|opabl)|k(?:roth|uses)|shalh|tinamayer|y(?:franson|josen))|s(?:onmanny|pencer)|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|o(?:ham(?:edabdul|m(?:adraqab|daljililati|edshamekh))|rienkal)|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell|tonyelumelu)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:isha(?:alqadafi|gaddafi)|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|j(?:ackman|essicajeffrey)|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|ffice(?:emaill|rricherd)|hallkenneth|lenasheve|rabankheadofficelometogo|xfaminternationa)|p(?:a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|sultbox|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|i(?:cha(?:miller|rdw(?:ahl|illis))|tawilliams)|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|o(?:fia\.adams|p(?:adam|hiajesse))|peelman|t(?:anleyjohn|e(?:fanopn|phentam))|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:am\.spacex|nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|robins|zimpro)|shikazusendo)|sfoundation)|u(?:babankheadoffice|derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan|wilfred)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iam(?:robert|smartyrs)))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo)|uliiakadulina)|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|ilmohammed|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rrister\.dennis)|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|d(?:hamilton|iaanesoto)|e(?:denvictor|ricalbert)|f(?:aizaadama|ederal\.r)|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|unny(?:\.sopheap|_sopheap))|nestordaniel|o(?:biorahkenneth|fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|oftc|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i if !((version >= 3.003000)) meta __RP_MATCHES_RCVD 0 endif if (version >= 3.003000) if !plugin(Mail::SpamAssassin::Plugin::WLBLEval) meta __RP_MATCHES_RCVD 0 endif endif if (version >= 3.003000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() endif endif body __SCAM /\bscam(?:m?e[dr])?s?\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/ endif body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i tflags __SENDER_BOT nice uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags rawbody __SHY_OBFU_EXPIRE /e(?!xpire)<SHY>{0,6}x<SHY>{0,6}p<SHY>{0,6}i<SHY>{0,6}r<SHY>{0,6}e/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags rawbody __SHY_OBFU_PASSWORD /p(?!assword)<SHY>{0,6}a<SHY>{0,6}s<SHY>{0,6}s<SHY>{0,6}w<SHY>{0,6}o<SHY>{0,6}r<SHY>{0,6}d/i endif body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ tflags __SINGLE_WORD_LINE multiple maxhits=2 header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ tflags __SPAN_BEG_TEXT multiple maxhits=5 rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ tflags __SPAN_END_TEXT multiple maxhits=5 if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __SPF_FULL_PASS 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) tflags __SPF_FULL_PASS net endif if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __SPF_RANDOM_SENDER 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) tflags __SPF_RANDOM_SENDER net endif meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM tflags __SPOOFED_FREEMAIL net meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO tflags __SPOOFED_FREEM_REPTO net rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i tflags __STY_INVIS multiple maxhits=6 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_1 __STY_INVIS == 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_2 __STY_INVIS > 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_3 __STY_INVIS > 2 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_MANY __STY_INVIS > 5 endif header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ tflags __SUBJ_BROKEN_WORD multiple maxhits=2 meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject: [^\n]{0,100}\1[>,:\s\n]/ism header __SUBJ_HAS_TO_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To: [^\n]{0,100}\1[^a-z0-9.]/ism header __SUBJ_NOT_SHORT Subject =~ /^.{16}/ header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ header __SUBJ_SHORT Subject =~ /^.{0,8}$/ header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3 header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i tflags __SUBSCRIPTION_INFO nice body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i body __SURVEY /\bsurvey\b/i body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i body __SUSPICION_LOGIN /\bsuspicion login\b/i body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m tflags __TENWORD_GIBBERISH multiple maxhits=21 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i endif body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) tflags __THREADED nice header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[A-Za-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$, header __TO_ALL_NUMS To:addr =~ /^\d+@/ meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __TO_EQ_FM_DOM_SPF_FAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL tflags __TO_EQ_FM_DOM_SPF_FAIL net endif meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __TO_EQ_FM_SPF_FAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL tflags __TO_EQ_FM_SPF_FAIL net endif meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) describe __TO_EQ_FROM To: same as From: header __TO_EQ_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism header __TO_EQ_FROM_2 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) describe __TO_EQ_FROM_DOM To: domain same as From: domain header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: [^\n]+@\1[>,\s\n]/ism header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: [^\n]+@\1[>,\s\n]/ism meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) describe __TO_EQ_FROM_USR To: username same as From: username header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/ if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta __TO_NO_BRKTS_FREEMAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO) endif meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT header __TO_ONMICROSOFTCOM To:addr =~ /\@\w+\.onmicrosoft\.com>?$/i header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/ meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01 header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i header __TO___LOWER ALL =~ /to: \S{5}/ body __TRANSFORM_LIFE /\b(?:transform|change) your (?:daily )?life(?:style)?\b/i body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i header __TT_OBSCURED_VALIUM Subject =~ /(?:v|V|\\\/)(?:a|A|$a$|4|@)(?:l|L|\|)(?:i|I|1|\xef|\|)(?:u|U|$u$)(?:m|M)/ header __TT_OBSCURED_VIAGRA Subject =~ /(?:v|V|\\\/)(?:i|I|1|\xef|\|)(?:a|A|$a$|4|@)(?:g|G)(?:r|R)(?:a|A|$a$|4|@)/ header __TT_VALIUM Subject =~ /VALIUM/i header __TT_VIAGRA Subject =~ /VIAGRA/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/ endif body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i body __TVD_PH_BODY_08 /\bmultiple password failures/i body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08 header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __TVD_SPACE_RATIO 0 endif header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512) header __UA_GNUS User-Agent =~ /^Gnus/ header __UA_KMAIL User-Agent =~ /^KMail/ header __UA_KNODE User-Agent =~ /^KNode/ header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/ header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/ header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ header __UA_MUTT User-Agent =~ /^Mutt/ header __UA_OPERA7 User-Agent =~ /^Opera7/ header __UA_PAN User-Agent =~ /^Pan/ header __UA_XNEWS User-Agent =~ /^Xnews/ body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/ tflags __UC_GIBB_OBFU multiple maxhits=2 body __UN /\bunited\snations?\b/i meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i tflags __UNICODE_OBFU_ASC multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i tflags __UNICODE_OBFU_ZW multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 endif body __UNICODE_RTL_OBFU /\w(?:\x{E2}\x{80}\x{8F}){2,}\w/ tflags __UNICODE_RTL_OBFU multiple maxhits=10 body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i tflags __UNSUB_EMAIL nice body __UNSUB_GOOG_FORM m,Unsub?sc?ribe\s<?https?://docs\.google\.com/forms/,i uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i tflags __UNSUB_LINK nice body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/, uri __URI_BUFFLY m,//buff\.ly/,i uri __URI_CLOUDFLAREIPFS m,//(?:[^@/]+@)?cloudflare-ipfs\.com/ipfs/,i uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i uri __URI_DATA /^data:(?!image\/)[a-z]/i uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/ uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i uri __URI_DWEBIPFS m;//[^.]{50,}\.ipfs\.dweb\.link/;i rawbody __URI_EXCESS_SLASHES m;https?:///+;i uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/, uri __URI_FLKIPFSXYZIPFS m;//[^.]{50,}\.ipfs\.flk-ipfs\.xyz/;i uri __URI_GLITCHME m;//[^.]{50,}\.glitch\.me/;i uri __URI_GOOGDRAWPREVIEW m,://docs\.google\.com/drawings/d/[^/]*/preview,i uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i uri __URI_GOOGLE_PROXY m;^https?://(?:[^/]+\.)?googleusercontent\.com/proxy/;i uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i uri __URI_GOOG_STO_HTML m,^https?://(?:[^./]+.)?(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i tflags __URI_GOOG_STO_HTML multiple maxhits=5 uri __URI_GOOG_STO_IMG m,^https?://(?:[^./]+.)?(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif|webp)$,i tflags __URI_GOOG_STO_IMG multiple maxhits=5 uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE || __URI_IMG_CWINDOWSNET || __URI_IMG_LEAADPERSONS || __URI_IMG_SENSILOEDPER) uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i uri __URI_IMG_BEBEE m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i uri __URI_IMG_CWINDOWSNET m;://[^.]{12,}\.(?:blob|web)\.core\.windows\.net/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_FACEBOOK m;://(?:[^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i uri __URI_IMG_GTRACING m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_IMGBOX_THUMB m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i uri __URI_IMG_JOOMCDN m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_LEAADPERSONS m;://www\.leaadpersons\.com/biz/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i uri __URI_IMG_POSTIMGCC m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_SENSILOEDPER m;://www\.sensiloedper\.com/bizgstorage/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_TARINGANET m;://media\.taringa\.net/knn/;i uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i uri __URI_IMG_WIXMP m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png|webp)$;i uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i uri __URI_INFURAIPFSIO m,//(?:[^@/]+@)?(?:[^.]+\.)?infura-ipfs\.io/ipfs/,i meta __URI_IPFS __URI_IPFSIO || __URI_INFURAIPFSIO || __URI_CLOUDFLAREIPFS || __URI_DWEBIPFS || __URI_FLKIPFSXYZIPFS uri __URI_IPFSIO m,//(?:[^@/]+@)?ipfs\.io/ipfs/,i uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i uri __URI_MAILTO /^mailto:/i tflags __URI_MAILTO multiple maxhits=16 uri __URI_MONERO /buy-monero/i meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) uri __URI_PHP_REDIR m;/redirect\.php\?;i uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act(?!ion)|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i uri __URI_WEBAPP m,://[^./]+\.web\.app/, uri __URI_WPADMIN m,/wp-admin/\w+/,i uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$); uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$); header __USING_VERP1 Return-Path =~ /[+-].*=/ header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i tflags __VACATION nice body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (?:\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i tflags __VALIDATE_MAILBOX multiple maxhits=2 body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i tflags __VERIFY_ACCOUNT multiple maxhits=2 meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE meta __VISTA_COST __VISTA_MSGID && __FB_COST meta __VISTA_TONOM_EQ_TOLOC __VISTA_MSGID && __PDS_TONAME_EQ_TOLOCAL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i endif endif meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART body __WEBMAIL_ACCT /\byour web ?mail account/i body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2 body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20} 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __WORD_INVIS_5 __WORD_INVIS > 5 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID endif meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY) ifplugin Mail::SpamAssassin::Plugin::FreeMail header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/ endif ifplugin Mail::SpamAssassin::Plugin::FreeMail header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/ endif header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/ header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/ header __XM_BALSA X-Mailer =~ /^Balsa \d/ header __XM_CALYPSO X-Mailer =~ /^Calypso/ header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/ header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/ header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ header __XM_GNUS X-Mailer =~ /^Gnus v/ header __XM_MHE X-Mailer =~ /^mh-e \d/ header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/ header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/ header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/ header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/ header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/ header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/ header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/ header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/ header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/ header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/ header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/ header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/ header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/ header __XM_VERY_LONG X-Mailer =~ /.{50}/ header __XM_VM X-Mailer =~ /^VM \d/ header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/ header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/ meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT meta __XPRIO_VISTA __XPRIO_MINFP && __VISTA_MSGID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i endif body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_ONAN /(?:^|\s)(?:<Y><O><R>?|<H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:|<R>)++<A>+<T>+(?:<O><N>|<N><G>|<E>)(?:<S><V><D><E><O>)?|<O><N><A><N><S><M>|<S><O><L><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><C><K><N><G>|<S><E><L><S><T><E><F><R><E><D><G><N><G>|(?:<L><E><A><S><R>(?:<E>|<N><G>)|<S><A><T><S><F><Y>(?:<N><G>)?)\s<Y><O><R><S><E><L><F>)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><R>|(?:<C><H><A><N><G><E>|<M><O><D><F><Y>|<D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><X>)\s<T><H><E>)\s(?:<A><C><C><O><N><T>\s|<E>-?<M><A><L>\s)?(?:<A><S><S>[-\s_]?<W><O><R><D>|<S><W><D>\s)/i endif body __YOUR_PERM /\byour\spermission\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><R>\s(?:<E><R><S><O><N><A><L>|<R><V><A><T><E>|<S><O><C><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><E><N><D><S>)\s(?:<N><F><O>(?:<R><M><A><T><O><N>)?|<D><A><T><A>|<D><E><T><A><L><S>|<O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><R>\s(?:<F><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><O><N><D><E><N><C><E>))[\s\.,]/i endif body __YOUR_PROFIT /\byour?\sprofit/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><R>|<W><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O>|<M><C><R><O><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><R>\s)<C><A><M><E><R>+<A>/i endif body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY)) body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ZIP_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ZIP_ATTACH_NOFN 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i endif ifplugin Mail::SpamAssassin::Plugin::FreeMail header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To') endif body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i ifplugin Mail::SpamAssassin::Plugin::FreeMail header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') endif