MOON
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
System: Linux csr818.wilogic.com 2.6.18-419.el5xen #1 SMP Fri Feb 24 22:50:37 UTC 2017 x86_64
User: digitals (531)
PHP: 5.4.45
Disabled: NONE
$ pwd: /var/lib/spamassassin/3.002004/updates_spamassassin_org/
Upload Files
File: //var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf
# Please don't modify this file as your changes will be overwritten with
# the next update.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

# 2007/07/10
# 0.269   0.3293   0.0000    1.000   0.76    0.00  TVD_PDF_FINGER01
rawbody __TVD_BODY		/\S{4}/
header __TVD_MIME_CT_MM		Content-Type =~ /^multipart\/mixed/i
meta __TVD_MIME_ATT		__TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF
meta TVD_PDF_FINGER01		__TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY
describe TVD_PDF_FINGER01	Mail matches standard pdf spam fingerprint

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader 

mimeheader __TVD_MIME_ATT_TP    Content-Type =~ /^text\/plain/i
mimeheader __TVD_MIME_ATT_AP    Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i

endif # Mail::SpamAssassin::Plugin::MIMEHeader


# 2007/09/20
meta CARD_DIRECT_WWW_ADDRESS	(__CARD_DIRECT_WWW_ADDRESS && !__LEGIT_MARLO_CARD)
body __CARD_DIRECT_WWW_ADDRESS	/card's direct www address below while you are connected to the Internet/
body __LEGIT_MARLO_CARD		/At our Card Pick Up site, enter BOTH the Directory/
score CARD_DIRECT_WWW_ADDRESS	1.577

header DOS_ANAL_SPAM_MAILER	X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
describe DOS_ANAL_SPAM_MAILER	X-mailer pattern common to anal porn site spam
score DOS_ANAL_SPAM_MAILER	2.0

meta __DOS_DIRECT_TO_MX		__DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
header __DOS_HAS_LIST_ID	exists:List-ID
header __DOS_HAS_LIST_UNSUB	exists:List-Unsubscribe
header __DOS_HAS_MAILING_LIST	exists:Mailing-List
header __DOS_RELAYED_EXT	ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

mimeheader __ANY_IMAGE_ATTACH	Content-Type =~ /image\/(?:gif|jpeg|png)/

meta DOS_OE_TO_MX_IMAGE		__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OE_TO_MX_IMAGE	Direct to MX with OE headers and an image
score DOS_OE_TO_MX_IMAGE	3.0

meta DOS_OUTLOOK_TO_MX_IMAGE		__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OUTLOOK_TO_MX_IMAGE	Direct to MX with Outlook headers and an image
score DOS_OUTLOOK_TO_MX_IMAGE		1.059

endif # Mail::SpamAssassin::Plugin::MIMEHeader

meta DOS_OE_TO_MX		__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
describe DOS_OE_TO_MX		Delivered direct to MX with OE headers
score DOS_OE_TO_MX		2.75

meta DOS_OUTLOOK_TO_MX		__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OUTLOOK_TO_MX_IMAGE
describe DOS_OUTLOOK_TO_MX	Delivered direct to MX with Outlook headers
score DOS_OUTLOOK_TO_MX		1.0

body FB_CASINO			/(?!casino)Ca[\$s5][i1\|]n[o0]/i
describe FB_CASINO		Phrase: ca$ino
score FB_CASINO			1.075

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

body FRT_BEFORE			/<inter SP2><post P2>\b(?!before)<B><E><F><O><R><E>\b/i
describe FRT_BEFORE		ReplaceTags: Before
score FRT_BEFORE		2.381

endif # Mail::SpamAssassin::Plugin::ReplaceTags

meta LOTTERY_PH_004470		(__AFF_004470_NUMBER && __AFF_LOTTERY)
body __AFF_004470_NUMBER	/(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
body __AFF_LOTTERY		/(?:lottery|winner)/i
score LOTTERY_PH_004470		2.015

##{ HS_BOBAX_MID_1
header HS_BOBAX_MID_1 Message-Id =~ /^<\d{4}D\d{3}\.\d{6}\.\d{5}\@[A-Z]{4}>/
describe HS_BOBAX_MID_1 Bobax? Message-Id: <0000D000.000000.00000@AAAA>
##} HS_BOBAX_MID_1

##{ HS_BOBAX_MID_2
header HS_BOBAX_MID_2 Message-Id =~ /^<\dIX\d{3}EJXVWDA\d{3}\@[a-z\-]+\.[a-z]+>/
describe HS_BOBAX_MID_2 Bobax? Message-Id: <0IX000EJXVWDA000@example.com>
##} HS_BOBAX_MID_2

##{ HS_OUTLOOK_MID_NOBRK
header HS_OUTLOOK_MID_NOBRK Message-ID =~ /^[a-f0-9]{12,13}(?:\$[a-f0-9]{8}){2}\@[A-Za-z0-9]+$/
describe HS_OUTLOOK_MID_NOBRK Outlook-esque message ID with no brackets.
##} HS_OUTLOOK_MID_NOBRK

##{ JM_REACTOR_MAILER
meta JM_REACTOR_MAILER (__JM_REACTOR_MID && __JM_REACTOR_DATE && __JM_REACTOR_XM2900 && __JM_REACTOR_XMOLE)
describe JM_REACTOR_MAILER Header patterns indicative of "Reactor Mailer" ratware
##} JM_REACTOR_MAILER
header __JM_REACTOR_DATE    Date =~ / \+0000$/
header __JM_REACTOR_MID     Message-ID =~ /^<000\S+\@[a-z0-9]+>$/
header __JM_REACTOR_XM2900  X-Mailer =~ /^Microsoft Outlook Express 6.00.2900.3138$/
header __JM_REACTOR_XMOLE   X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2900.3198$/
@ Telegram