File: //var/lib/spamassassin/3.003001/updates_spamassassin_org/72_active.cf
# SpamAssassin rules file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.003001
##{ ACH_CANCELLED
meta ACH_CANCELLED __ACH_CANCELLED
describe ACH_CANCELLED "ACH cancelled" fraud / phish
##} ACH_CANCELLED
##{ ADVANCE_FEE_2_NEW_FORM
meta ADVANCE_FEE_2_NEW_FORM __ADVANCE_FEE_2_NEW_FORM && !__COMMENT_EXISTS && !__THREADED && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_2_NEW_FORM publish
##} ADVANCE_FEE_2_NEW_FORM
##{ ADVANCE_FEE_2_NEW_FRM_MNY
meta ADVANCE_FEE_2_NEW_FRM_MNY __ADVANCE_FEE_2_NEW_FRM_MNY && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_2_NEW_FRM_MNY
##{ ADVANCE_FEE_2_NEW_MONEY
meta ADVANCE_FEE_2_NEW_MONEY __ADVANCE_FEE_2_NEW_MONEY && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_CENTER && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__NAME_EQ_EMAIL && !__URI_MAILTO_MANY && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_2_NEW_MONEY publish
##} ADVANCE_FEE_2_NEW_MONEY
##{ ADVANCE_FEE_3_NEW
meta ADVANCE_FEE_3_NEW __ADVANCE_FEE_3_NEW && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__UNSUB_LINK && !__UPPERCASE_URI && !__SURVEY && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
#score ADVANCE_FEE_3_NEW 3.5 # limit
tflags ADVANCE_FEE_3_NEW publish
##} ADVANCE_FEE_3_NEW
##{ ADVANCE_FEE_3_NEW_FORM
meta ADVANCE_FEE_3_NEW_FORM __ADVANCE_FEE_3_NEW_FORM && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_3_NEW_FORM publish
##} ADVANCE_FEE_3_NEW_FORM
##{ ADVANCE_FEE_3_NEW_FRM_MNY
meta ADVANCE_FEE_3_NEW_FRM_MNY __ADVANCE_FEE_3_NEW_FRM_MNY && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_3_NEW_FRM_MNY
##{ ADVANCE_FEE_3_NEW_MONEY
meta ADVANCE_FEE_3_NEW_MONEY __ADVANCE_FEE_3_NEW_MONEY && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__UNSUB_LINK && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_3_NEW_MONEY publish
##} ADVANCE_FEE_3_NEW_MONEY
##{ ADVANCE_FEE_4_NEW
meta ADVANCE_FEE_4_NEW __ADVANCE_FEE_4_NEW && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO
describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
tflags ADVANCE_FEE_4_NEW publish
##} ADVANCE_FEE_4_NEW
##{ ADVANCE_FEE_4_NEW_FORM
meta ADVANCE_FEE_4_NEW_FORM __ADVANCE_FEE_4_NEW_FORM
describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
##} ADVANCE_FEE_4_NEW_FORM
##{ ADVANCE_FEE_4_NEW_FRM_MNY
meta ADVANCE_FEE_4_NEW_FRM_MNY __ADVANCE_FEE_4_NEW_FRM_MNY
describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_4_NEW_FRM_MNY
##{ ADVANCE_FEE_4_NEW_MONEY
meta ADVANCE_FEE_4_NEW_MONEY __ADVANCE_FEE_4_NEW_MONEY && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
##} ADVANCE_FEE_4_NEW_MONEY
##{ ADVANCE_FEE_5_NEW
meta ADVANCE_FEE_5_NEW __ADVANCE_FEE_5_NEW
describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
##} ADVANCE_FEE_5_NEW
##{ ADVANCE_FEE_5_NEW_FORM
meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
##} ADVANCE_FEE_5_NEW_FORM
##{ ADVANCE_FEE_5_NEW_FRM_MNY
meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_5_NEW_FRM_MNY
##{ ADVANCE_FEE_5_NEW_MONEY
meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY
describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
##} ADVANCE_FEE_5_NEW_MONEY
##{ APOSTROPHE_FROM
header APOSTROPHE_FROM From:addr =~ /'/
describe APOSTROPHE_FROM From address contains an apostrophe
##} APOSTROPHE_FROM
##{ AXB_XMAILER_MIMEOLE_OL_024C2
meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
##} AXB_XMAILER_MIMEOLE_OL_024C2
##{ AXB_XMAILER_MIMEOLE_OL_1ECD5
meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5)
##} AXB_XMAILER_MIMEOLE_OL_1ECD5
##{ AXB_XMAILER_MIMEOLE_OL_22B61
meta AXB_XMAILER_MIMEOLE_OL_22B61 (__AXB_XM_OL_22B61 && __AXB_MO_OL_22B61)
##} AXB_XMAILER_MIMEOLE_OL_22B61
##{ AXB_XMAILER_MIMEOLE_OL_4379D
meta AXB_XMAILER_MIMEOLE_OL_4379D (__AXB_XM_OL_4379D && __AXB_MO_OL_4379D)
##} AXB_XMAILER_MIMEOLE_OL_4379D
##{ AXB_XMAILER_MIMEOLE_OL_616F8
meta AXB_XMAILER_MIMEOLE_OL_616F8 (__AXB_XM_OL_616F8 && __AXB_MO_OL_616F8)
##} AXB_XMAILER_MIMEOLE_OL_616F8
##{ AXB_XMAILER_MIMEOLE_OL_7EB15
meta AXB_XMAILER_MIMEOLE_OL_7EB15 (__AXB_XM_OL_7EB15 && __AXB_MO_OL_7EB15)
##} AXB_XMAILER_MIMEOLE_OL_7EB15
##{ AXB_XMAILER_MIMEOLE_OL_8627E
meta AXB_XMAILER_MIMEOLE_OL_8627E (__AXB_XM_OL_8627E && __AXB_MO_OL_8627E)
##} AXB_XMAILER_MIMEOLE_OL_8627E
##{ AXB_XMAILER_MIMEOLE_OL_A275F
meta AXB_XMAILER_MIMEOLE_OL_A275F (__AXB_XM_OL_A275F && __AXB_MO_OL_A275F)
##} AXB_XMAILER_MIMEOLE_OL_A275F
##{ AXB_XMAILER_MIMEOLE_OL_A6545
meta AXB_XMAILER_MIMEOLE_OL_A6545 (__AXB_XM_OL_A6545 && __AXB_MO_OL_A6545)
##} AXB_XMAILER_MIMEOLE_OL_A6545
##{ AXB_XMAILER_MIMEOLE_OL_A7B9C
meta AXB_XMAILER_MIMEOLE_OL_A7B9C (__AXB_XM_OL_A7B9C && __AXB_MO_OL_A7B9C)
##} AXB_XMAILER_MIMEOLE_OL_A7B9C
##{ AXB_XMAILER_MIMEOLE_OL_B11B5
meta AXB_XMAILER_MIMEOLE_OL_B11B5 (__AXB_XM_OL_B11B5 && __AXB_MO_OL_B11B5)
##} AXB_XMAILER_MIMEOLE_OL_B11B5
##{ AXB_XMAILER_MIMEOLE_OL_C485C
meta AXB_XMAILER_MIMEOLE_OL_C485C (__AXB_XM_OL_C485C && __AXB_MO_OL_C485C)
##} AXB_XMAILER_MIMEOLE_OL_C485C
##{ AXB_XMA_BASP
header AXB_XMA_BASP X-Mail-Agent =~ /^BASP21/
describe AXB_XMA_BASP Mailer fingerprint
##} AXB_XMA_BASP
##{ AXB_X_RCV_WLOCAL
header AXB_X_RCV_WLOCAL Received=~ /with LOCAL\;/
##} AXB_X_RCV_WLOCAL
##{ BANKING_LAWS
body BANKING_LAWS /banking laws/i
describe BANKING_LAWS Talks about banking laws
##} BANKING_LAWS
##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
endif
##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_79_INF eval:check_base64_length('79')
endif
##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##{ BUG6152_INVALID_DATE_TZ_ABSURD
header BUG6152_INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/
##} BUG6152_INVALID_DATE_TZ_ABSURD
##{ CK_HELO_DYNAMIC_SPLIT_IP
header CK_HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?!(?:\d+\.){4})\d+[^\d\s]+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/i
describe CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
#score CK_HELO_DYNAMIC_SPLIT_IP 3.0
##} CK_HELO_DYNAMIC_SPLIT_IP
##{ CK_HELO_GENERIC
header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
#score CK_HELO_GENERIC 0.25
##} CK_HELO_GENERIC
##{ COMPENSATION
describe COMPENSATION "Compensation"
#score COMPENSATION 1.50 # limit
##} COMPENSATION
##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
endif
##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
endif
##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ CORRUPT_FROM_LINE_IN_HDRS
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
##} CORRUPT_FROM_LINE_IN_HDRS
##{ CTYPE_001C_A
meta CTYPE_001C_A (0) # obsolete
##} CTYPE_001C_A
##{ CTYPE_001C_B
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
##} CTYPE_001C_B
##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
endif
##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ CURR_PRICE
body CURR_PRICE /\bCurrent Price:/
##} CURR_PRICE
##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
endif
##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
##{ DEAR_BENEFICIARY
body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
describe DEAR_BENEFICIARY Dear Beneficiary:
##} DEAR_BENEFICIARY
##{ DEAR_WINNER
body DEAR_WINNER /\bdear.{1,20}winner/i
##} DEAR_WINNER
##{ DOS_ANAL_SPAM_MAILER
header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
tflags DOS_ANAL_SPAM_MAILER publish
##} DOS_ANAL_SPAM_MAILER
##{ DOS_FIX_MY_URI
meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
##} DOS_FIX_MY_URI
##{ DOS_HIGH_BAT_TO_MX
meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
##} DOS_HIGH_BAT_TO_MX
##{ DOS_LET_GO_JOB
meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
##} DOS_LET_GO_JOB
##{ DOS_OE_TO_MX
meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
describe DOS_OE_TO_MX Delivered direct to MX with OE headers
##} DOS_OE_TO_MX
##{ DOS_OE_TO_MX_IMAGE
meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
##} DOS_OE_TO_MX_IMAGE
##{ DOS_OUTLOOK_TO_MX
meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
##} DOS_OUTLOOK_TO_MX
##{ DOS_RCVD_IP_TWICE_C
header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
##} DOS_RCVD_IP_TWICE_C
##{ DOS_STOCK_BAT
meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
describe DOS_STOCK_BAT Probable pump and dump stock spam
##} DOS_STOCK_BAT
##{ DOS_STOCK_BAT2
meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
##} DOS_STOCK_BAT2
##{ DOS_URI_ASTERISK
uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
describe DOS_URI_ASTERISK Found an asterisk in a URI
##} DOS_URI_ASTERISK
##{ DOS_YOUR_PLACE
meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
describe DOS_YOUR_PLACE Russian dating spam
##} DOS_YOUR_PLACE
##{ DRUGS_HDIA
header DRUGS_HDIA Subject =~ /\bhoodia\b/i
##} DRUGS_HDIA
##{ DRUGS_STOCK_MIMEOLE
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
##} DRUGS_STOCK_MIMEOLE
##{ DYN_RDNS_AND_INLINE_IMAGE
meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
##} DYN_RDNS_AND_INLINE_IMAGE
##{ DYN_RDNS_SHORT_HELO_HTML
meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
##} DYN_RDNS_SHORT_HELO_HTML
##{ DYN_RDNS_SHORT_HELO_IMAGE
meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
##} DYN_RDNS_SHORT_HELO_IMAGE
##{ EMAIL_URI_PHISH
#score EMAIL_URI_PHISH 4.00 # limit
describe EMAIL_URI_PHISH Email account phishing using web form
tflags EMAIL_URI_PHISH publish # Force publication - very good S/O, hits mainly <= 3 points
##} EMAIL_URI_PHISH
##{ EMAIL_URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
meta EMAIL_URI_PHISH __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney
endif
##} EMAIL_URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
##{ EMAIL_URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta EMAIL_URI_PHISH __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE
endif
##} EMAIL_URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ EMPTY_BODY
meta EMPTY_BODY __EMPTY_BODY && !__NUMBERS_IN_SUBJ && !__CTE && !__RP_MATCHES_RCVD && !__VIA_ML && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !__ENV_AND_HDR_FROM_MATCH && !__FROM_LOWER && !__NOT_SPOOFED && !__MSGID_APPLEMAIL && !__RCD_RDNS_MAIL_MESSY && !NO_RELAYS && !__NOT_A_PERSON
describe EMPTY_BODY No body text in message
#score EMPTY_BODY 3.00 # limit
##} EMPTY_BODY
##{ FAKE_REPLY_C
meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
##} FAKE_REPLY_C
##{ FB_ADD_INCHES
body FB_ADD_INCHES /(?:add|gain) inches/i
describe FB_ADD_INCHES Add / Gain inches
##} FB_ADD_INCHES
##{ FB_ALMOST_SEX
body FB_ALMOST_SEX /\b[b-z]sex+\b/i
describe FB_ALMOST_SEX It's almost sex, but not!
##} FB_ALMOST_SEX
##{ FB_ANA_TRIM
body FB_ANA_TRIM /Ana[^a-z]trim/i
describe FB_ANA_TRIM Broken AnaTrim phrase.
##} FB_ANA_TRIM
##{ FB_ANUI
body FB_ANUI /A[-_\.]U[-_\.]N[-_\.]I/i
describe FB_ANUI Phrase: A_U_N_I
##} FB_ANUI
##{ FB_BILLI0N
body FB_BILLI0N /[BM][I1]LL[I1]0N/i
describe FB_BILLI0N Phrase: [BM]Illi0n
##} FB_BILLI0N
##{ FB_C0MPANY
body FB_C0MPANY /c0mpany/i
describe FB_C0MPANY Phrase: C0mpany
##} FB_C0MPANY
##{ FB_CAN_LONGER
body FB_CAN_LONGER /can last longer/i
describe FB_CAN_LONGER Phrase: can last longer
##} FB_CAN_LONGER
##{ FB_CIALIS_LEO3
body FB_CIALIS_LEO3 /\bC(?!IALIS|eibal|laim|laritas)\s?[a-z]?\s?[Iitl1\\\/]\s?[a-z]?\s?[Aa]\s?[a-z]?\s?[LIl1\\\/]\s?[a-z]?\s?[ilIt1\\\/]\s?[a-z]?\s?[Ss]\b/
describe FB_CIALIS_LEO3 Uses a mis-spelled version of cialis.
##} FB_CIALIS_LEO3
##{ FB_DOUBLE_0WORDS
body FB_DOUBLE_0WORDS /\b[a-z]{1,5}0[a-z]{3,9}\s[a-z]{1,5}0[a-z]{3,9}\b/i
describe FB_DOUBLE_0WORDS Looks like double 0 words
##} FB_DOUBLE_0WORDS
##{ FB_EMAIL_HIER
body FB_EMAIL_HIER /email hier/i
describe FB_EMAIL_HIER Phrase: email hier
##} FB_EMAIL_HIER
##{ FB_EXTRA_INCHES
body FB_EXTRA_INCHES /extra inches/
describe FB_EXTRA_INCHES Phrase: extra inches
##} FB_EXTRA_INCHES
##{ FB_FAKE_NUMBERS
body FB_FAKE_NUMBERS /\$\d\d?O\s*[MBT]/i
describe FB_FAKE_NUMBERS Looks like numbers with O's insted of 0's
##} FB_FAKE_NUMBERS
##{ FB_FAKE_NUMS4
body FB_FAKE_NUMS4 /(?:\b|\b\d)\d,?\d,?OO(?:\b|\d\b)/
describe FB_FAKE_NUMS4 Looks like fake numbers (4)
##} FB_FAKE_NUMS4
##{ FB_FHARMACY
body FB_FHARMACY /Fharmacy/i
describe FB_FHARMACY Phrase: Farmacy
##} FB_FHARMACY
##{ FB_FORWARD_LOOK
body FB_FORWARD_LOOK /(?!forward look)f[o0]rward l[0o][0o]k/i
describe FB_FORWARD_LOOK Phrase: forward look with 0's
##} FB_FORWARD_LOOK
##{ FB_GAPPY_ADDRESS
body FB_GAPPY_ADDRESS /(?:[a-z] ){8}, (?:[a-z0-9] ){4}/i
describe FB_GAPPY_ADDRESS Too much spacing in Address
##} FB_GAPPY_ADDRESS
##{ FB_GET_MEDS
body FB_GET_MEDS /(?:place f[o0]r|[0o]rder|get\s?(?:y[o0]ur)?|online|quality).{1,7}med[isz][^a]/i
describe FB_GET_MEDS Looks like trying to sell meds
##} FB_GET_MEDS
##{ FB_GVR
body FB_GVR /(?:pef-rx|vigrex-ds|gsc-100|vp-rx|gv-promax|phentermine|adipex|xenical)/i
describe FB_GVR Looks like generic viagra
##} FB_GVR
##{ FB_HEY_BRO_COMMA
body FB_HEY_BRO_COMMA /Hey bro, /
describe FB_HEY_BRO_COMMA Phrase hey bro,
##} FB_HEY_BRO_COMMA
##{ FB_HG_H_CAP
body FB_HG_H_CAP /\bHGH\b/
describe FB_HG_H_CAP Phrase: HGH
##} FB_HG_H_CAP
##{ FB_HOMELOAN
body FB_HOMELOAN /\$\d{3},\d{3} home loan/i
describe FB_HOMELOAN Phrase $x home loan
##} FB_HOMELOAN
##{ FB_IMPRESS_GIRL
body FB_IMPRESS_GIRL /\bimpress .{0,5}girl\b/
describe FB_IMPRESS_GIRL Phrase: impress ... girl
##} FB_IMPRESS_GIRL
##{ FB_INCREASE_YOUR
body FB_INCREASE_YOUR /Increase your energy/i
describe FB_INCREASE_YOUR Phrase: Increase your energy
##} FB_INCREASE_YOUR
##{ FB_INDEPEND_RWD
body FB_INDEPEND_RWD /independent reward/i
describe FB_INDEPEND_RWD Phrase: independent reward
##} FB_INDEPEND_RWD
##{ FB_L0AN
body FB_L0AN /\bl0ans?\b/i
describe FB_L0AN Phrase: L0an
##} FB_L0AN
##{ FB_LETTERS_21B
body FB_LETTERS_21B /-- [a-z]{21}/
describe FB_LETTERS_21B Special people leave special signs!
##} FB_LETTERS_21B
##{ FB_LOSE_WEIGHT_CAP
body FB_LOSE_WEIGHT_CAP /LOSE WEIGHT/
describe FB_LOSE_WEIGHT_CAP Phrase: LOSE WEIGHT
##} FB_LOSE_WEIGHT_CAP
##{ FB_LOWER_PAYM
body FB_LOWER_PAYM /lower your monthly payments/i
describe FB_LOWER_PAYM Phrase: lower your monthly payments
##} FB_LOWER_PAYM
##{ FB_MORE_SIZE
body FB_MORE_SIZE /\bmore size\b/
describe FB_MORE_SIZE Phrase: more size
##} FB_MORE_SIZE
##{ FB_NOT_PHONE_NUM1
body FB_NOT_PHONE_NUM1 /(?!\d{3})8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]/i
describe FB_NOT_PHONE_NUM1 Looks like a fake phone number (1)
##} FB_NOT_PHONE_NUM1
##{ FB_NOT_PHONE_NUM3
body FB_NOT_PHONE_NUM3 /8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]{1,3}(?!\d{4})[OIL0-9]{4}/i
describe FB_NOT_PHONE_NUM3 Looks like a fake phone number (3)
##} FB_NOT_PHONE_NUM3
##{ FB_NOT_SCHOOL
body FB_NOT_SCHOOL /(?!school)[\$s5]ch[o0][o0][il1\|]/i
describe FB_NOT_SCHOOL Looks like school but it's not!
##} FB_NOT_SCHOOL
##{ FB_NUMYO
body FB_NUMYO /1[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
describe FB_NUMYO Speaks of teenager.
##} FB_NUMYO
##{ FB_NUMYO2
body FB_NUMYO2 /2[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
describe FB_NUMYO2 Speaks of 20+ year old.
##} FB_NUMYO2
##{ FB_ODD_SPACED_MONEY
body FB_ODD_SPACED_MONEY /\$\d\s,\s\d\d/
describe FB_ODD_SPACED_MONEY Looks like money but has odd spacing.
##} FB_ODD_SPACED_MONEY
##{ FB_ONIINE
body FB_ONIINE /oniine/i
describe FB_ONIINE Mis-spelled online
##} FB_ONIINE
##{ FB_P1LL
body FB_P1LL /\bp1ll/i
describe FB_P1LL Phrase: p1ll
##} FB_P1LL
##{ FB_PENIS_GROWTH
body FB_PENIS_GROWTH /pen[i1]s grow(?:th)?/i
describe FB_PENIS_GROWTH Phrase: penis growth
##} FB_PENIS_GROWTH
##{ FB_PIPEDOLLAR
body FB_PIPEDOLLAR /(?!dollar)d[o0][1|li][1|li]ar/i
describe FB_PIPEDOLLAR Phrase: Dollar, with pipes or 0's.
##} FB_PIPEDOLLAR
##{ FB_PIPE_ILLION
body FB_PIPE_ILLION /(?!illion)i[l|][l|][i|][o0]n/i
describe FB_PIPE_ILLION Looks like illion, but it's not
##} FB_PIPE_ILLION
##{ FB_PROLONGED_HARD
body FB_PROLONGED_HARD /(?:prolonged|increased) hardness/i
describe FB_PROLONGED_HARD Talks about prolonged hardness
##} FB_PROLONGED_HARD
##{ FB_QUALITY_REPLICA
body FB_QUALITY_REPLICA /quality replica/i
describe FB_QUALITY_REPLICA Phrase: quality replica
##} FB_QUALITY_REPLICA
##{ FB_REF_CODE_SPACE
body FB_REF_CODE_SPACE /r e f c o d e/i
describe FB_REF_CODE_SPACE Refcode with spacing
##} FB_REF_CODE_SPACE
##{ FB_REPLICA_ROLEX
body FB_REPLICA_ROLEX /replica rolex/i
describe FB_REPLICA_ROLEX Phrase: Replica Rolex
##} FB_REPLICA_ROLEX
##{ FB_REPLIC_CAP
body FB_REPLIC_CAP /REPLICAS?\b/
describe FB_REPLIC_CAP Phrase: REPLICA
##} FB_REPLIC_CAP
##{ FB_RE_FI
body FB_RE_FI /\bre[^a-z]fi\b/
describe FB_RE_FI Looks like refi.
##} FB_RE_FI
##{ FB_ROLLER_IS_T
body FB_ROLLER_IS_T /Roller is th/i
describe FB_ROLLER_IS_T Phrase: Roller is th
##} FB_ROLLER_IS_T
##{ FB_ROLX
body FB_ROLX /\brolx\b/i
describe FB_ROLX Phrase: rolx
##} FB_ROLX
##{ FB_SAVE_PERSC
body FB_SAVE_PERSC /sav(?:e|ing).{1,45}p[re][re]scr[i1]pt[i1][o0]n/i
describe FB_SAVE_PERSC Phrase: save ... prescription.
##} FB_SAVE_PERSC
##{ FB_SOFTTABS
body FB_SOFTTABS /\bsoft\s?t?abs\b/i
describe FB_SOFTTABS Phrase: Softabs
##} FB_SOFTTABS
##{ FB_SPACED_FREE
body FB_SPACED_FREE /F R E E/i
describe FB_SPACED_FREE Phrase: F R E E
##} FB_SPACED_FREE
##{ FB_SPACED_PHN_3B
body FB_SPACED_PHN_3B /\d\d\d--\d\d\d--?\d\d\d\d/
describe FB_SPACED_PHN_3B Phone number with -- spacing. (B)
##} FB_SPACED_PHN_3B
##{ FB_SPACEY_ZIP
body FB_SPACEY_ZIP /\s\d\s\d\s\d\s\d\s\d\s-\s\d\s\d\s\d\s\d/
describe FB_SPACEY_ZIP Looks like a s p a c e d zipcode.
##} FB_SPACEY_ZIP
##{ FB_SPUR_M
body FB_SPUR_M /\bSPUR-M\b/i
describe FB_SPUR_M Phrase: SPUR-M
##} FB_SPUR_M
##{ FB_SSEX
body FB_SSEX /\bssex\b/
describe FB_SSEX Phrase: ssex
##} FB_SSEX
##{ FB_STOCK_EXPLODE
body FB_STOCK_EXPLODE /st[0o]ck\b.{4,10}expl[o0]de/i
describe FB_STOCK_EXPLODE Looks like stocks exploding.
##} FB_STOCK_EXPLODE
##{ FB_SYMBLO
body FB_SYMBLO /\bSymblo\b/i
describe FB_SYMBLO Mis-spelled symbol.
##} FB_SYMBLO
##{ FB_THIS_ADVERT
body FB_THIS_ADVERT /this advertiser/i
describe FB_THIS_ADVERT Phrase: this advertiser
##} FB_THIS_ADVERT
##{ FB_THOUS_PERSONAL
body FB_THOUS_PERSONAL /thousand personal/i
describe FB_THOUS_PERSONAL Phrase: thousand personal
##} FB_THOUS_PERSONAL
##{ FB_TO_STOP_DISTRO
body FB_TO_STOP_DISTRO /To (?:(?:stop further|longer get) distribution|stop (?:receiving )?announcements)/i
describe FB_TO_STOP_DISTRO Phrase: to stop further distribution
##} FB_TO_STOP_DISTRO
##{ FB_ULTRA_ALLURE
body FB_ULTRA_ALLURE /Ultra Allure/i
describe FB_ULTRA_ALLURE Phrase: Ultra Allure
##} FB_ULTRA_ALLURE
##{ FB_UNLOCK_YOUR_G
body FB_UNLOCK_YOUR_G /lock ?(?:to ?)? your girlfriend/i
describe FB_UNLOCK_YOUR_G Phrase: lock to your girlfriend
##} FB_UNLOCK_YOUR_G
##{ FB_UNRESOLV_PROV
body FB_UNRESOLV_PROV /\{PROV_\d_\d\}/
describe FB_UNRESOLV_PROV Pattern Replacement PROV_D
##} FB_UNRESOLV_PROV
##{ FB_YOURSELF_MASTER
body FB_YOURSELF_MASTER /yourself master/i
describe FB_YOURSELF_MASTER Phrase: yourself master
##} FB_YOURSELF_MASTER
##{ FB_YOUR_REFI
body FB_YOUR_REFI /Your refi/i
describe FB_YOUR_REFI Phrase: Your refi
##} FB_YOUR_REFI
##{ FH_BAD_OEV1441
header FH_BAD_OEV1441 X-Mailer =~ /^Microsoft Outlook Express 6\.00\.2800\.1441$/
describe FH_BAD_OEV1441 Bad X-Mailer version
##} FH_BAD_OEV1441
##{ FH_DATE_IS_19XX
header FH_DATE_IS_19XX Date =~ /19[789][0-9]/ [if-unset: 2006]
describe FH_DATE_IS_19XX The date is not 19xx.
##} FH_DATE_IS_19XX
##{ FH_FAKE_RCVD_LINE
header FH_FAKE_RCVD_LINE Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/
describe FH_FAKE_RCVD_LINE RCVD line looks faked (A)
##} FH_FAKE_RCVD_LINE
##{ FH_FAKE_RCVD_LINE_B
header FH_FAKE_RCVD_LINE_B Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/i
describe FH_FAKE_RCVD_LINE_B RCVD line looks faked (B)
##} FH_FAKE_RCVD_LINE_B
##{ FH_FROMEML_NOTLD
header FH_FROMEML_NOTLD From:addr !~ /\@[^@]+\.(?:[a-z]{2,}|xn--[a-z0-9]+(?:-[a-z0-9]*)?)$/i [if-unset: foo@bar.com]
describe FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
##} FH_FROMEML_NOTLD
##{ FH_FROM_CASH
header FH_FROM_CASH From:name =~ /\bcash\b/i
describe FH_FROM_CASH From name has "cash"
##} FH_FROM_CASH
##{ FH_FROM_GET_NAME
header FH_FROM_GET_NAME From:name =~ /\bGet\b/i
describe FH_FROM_GET_NAME From name says Get
##} FH_FROM_GET_NAME
##{ FH_FROM_GIVEAWAY
header FH_FROM_GIVEAWAY From =~ /Giveaway/i
describe FH_FROM_GIVEAWAY From name is giveaway.
##} FH_FROM_GIVEAWAY
##{ FH_FROM_HOODIA
header FH_FROM_HOODIA From =~ /Hoodia/i
describe FH_FROM_HOODIA From has Hoodia!!?
##} FH_FROM_HOODIA
##{ FH_HAS_XAIMC
header FH_HAS_XAIMC exists:X-AIMC-AUTH
describe FH_HAS_XAIMC Has X-AIMC-AUTH header
##} FH_HAS_XAIMC
##{ FH_HAS_XID
header FH_HAS_XID exists:X-ID
describe FH_HAS_XID Has X-ID
##} FH_HAS_XID
##{ FH_HELO_ALMOST_IP
header FH_HELO_ALMOST_IP X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
describe FH_HELO_ALMOST_IP Helo is almost an IP addr.
##} FH_HELO_ALMOST_IP
##{ FH_HELO_ENDS_DOT
header FH_HELO_ENDS_DOT X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+\. by=/
describe FH_HELO_ENDS_DOT Helo ends with a dot.
##} FH_HELO_ENDS_DOT
##{ FH_HELO_EQ_610HEX
header FH_HELO_EQ_610HEX X-Spam-Relays-External =~ /^[^\]]+ helo=-?[A-F0-9]{6,10} /
describe FH_HELO_EQ_610HEX Helo is 6-10 hex chr's.
##} FH_HELO_EQ_610HEX
##{ FH_HELO_EQ_CHARTER
header FH_HELO_EQ_CHARTER X-Spam-Relays-External =~ /^[^\]]+ helo=\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}.{5,20}\.charter\.com /i
describe FH_HELO_EQ_CHARTER Helo is d-d-d-d charter.com
##} FH_HELO_EQ_CHARTER
##{ FH_HELO_GMAILSMTP
header FH_HELO_GMAILSMTP Received =~ /HELO gmail-smtp-in/
describe FH_HELO_GMAILSMTP Faked helo of gmail-smtp-in
##} FH_HELO_GMAILSMTP
##{ FH_HOST_EQ_DYNAMICIP
header FH_HOST_EQ_DYNAMICIP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
describe FH_HOST_EQ_DYNAMICIP Host is dynamicip
##} FH_HOST_EQ_DYNAMICIP
##{ FH_HOST_EQ_PACBELL_D
header FH_HOST_EQ_PACBELL_D X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.dsl\.\w{2,10}\.pacbell\.net /
describe FH_HOST_EQ_PACBELL_D Host is pacbell.net dsl
##} FH_HOST_EQ_PACBELL_D
##{ FH_HOST_EQ_VERIZON_P
header FH_HOST_EQ_VERIZON_P X-Spam-Relays-External =~ /^[^\]]+ rdns=pool-\d.{5,30}\.verizon\.net/
describe FH_HOST_EQ_VERIZON_P Host is pool-.+verizon.net
##} FH_HOST_EQ_VERIZON_P
##{ FH_HOST_IN_ADDRARPA
header FH_HOST_IN_ADDRARPA X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}\.in-addr\.arpa /
describe FH_HOST_IN_ADDRARPA HOST dns says "in-addr.arpa"
##} FH_HOST_IN_ADDRARPA
##{ FH_MSGID_000000
header FH_MSGID_000000 MESSAGEID =~ /\$00000000\@/
describe FH_MSGID_000000 Special MSGID
##} FH_MSGID_000000
##{ FH_MSGID_01C67
header FH_MSGID_01C67 Message-ID =~ /^<000001c[67]/
describe FH_MSGID_01C67 Special MSGID
##} FH_MSGID_01C67
##{ FH_MSGID_01C70XXX
header FH_MSGID_01C70XXX MESSAGEID =~ /^<01c70[a-f][a-f0-9]{2}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z0-9-]+>$/
describe FH_MSGID_01C70XXX MESSAGE ID seen often!!!
##} FH_MSGID_01C70XXX
##{ FH_MSGID_REPLACE
header FH_MSGID_REPLACE MESSAGEID =~ /^<%MSGID/
describe FH_MSGID_REPLACE Broken Replace Template
##} FH_MSGID_REPLACE
##{ FH_MSGID_XXBLAH
header FH_MSGID_XXBLAH MESSAGEID =~ /6c822ecf/
describe FH_MSGID_XXBLAH Common sign in msg-id's 12/21/2006
##} FH_MSGID_XXBLAH
##{ FH_MSGID_XXX
header FH_MSGID_XXX MESSAGEID =~ /\@xxx/i
describe FH_MSGID_XXX Message-Id = @xxx
##} FH_MSGID_XXX
##{ FH_RE_NEW_DDD
header FH_RE_NEW_DDD Subject =~ /^Re: new\s?\d{0,3}$/i
describe FH_RE_NEW_DDD Subject is Re: new \d\d\d
##} FH_RE_NEW_DDD
##{ FH_XMAIL_REPLACE
header FH_XMAIL_REPLACE X-Mailer =~ /%XMAILER/
describe FH_XMAIL_REPLACE Broken Replace Template
##} FH_XMAIL_REPLACE
##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
describe FILL_THIS_FORM Fill in a form with personal information
tflags FILL_THIS_FORM publish
endif
##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED
describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
endif
##} FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
describe FILL_THIS_FORM_LOAN Answer loan question(s)
endif
##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED
describe FILL_THIS_FORM_LONG Fill in a form with personal information
endif
##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FM_DOESNT_SAY_STOCK
meta FM_DOESNT_SAY_STOCK (__FB_S_SYMBOL && __FM_MY_PRICE && !__FB_S_STOCK && !__FS_S_TRADE)
describe FM_DOESNT_SAY_STOCK It's a stock spam but doesn't say stock
##} FM_DOESNT_SAY_STOCK
##{ FM_FAKE_53COM_SPOOF
meta FM_FAKE_53COM_SPOOF (__FH_FRM_53 && !__FH_MSG_53 && !__FH_RCV_53)
describe FM_FAKE_53COM_SPOOF Spoof mail from 53.com?
##} FM_FAKE_53COM_SPOOF
##{ FM_FAKE_HELO_HOTMAIL
meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL)
describe FM_FAKE_HELO_HOTMAIL Looks like a fake hotmail.com helo.
##} FM_FAKE_HELO_HOTMAIL
##{ FM_FAKE_HELO_VERIZON
meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON)
describe FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
##} FM_FAKE_HELO_VERIZON
##{ FM_FRM_RN_L_BRACK
meta FM_FRM_RN_L_BRACK (__FROM_RIGH_BRACK && !__FROM_LEFT_BRACK && !__FROM_ISO_2022_JP)
describe FM_FRM_RN_L_BRACK From name has > but not <
##} FM_FRM_RN_L_BRACK
##{ FM_IS_IT_OUR_ACCOUNT
meta FM_IS_IT_OUR_ACCOUNT (__YOUR_ACCOUNT && __MANY_RECIPS)
describe FM_IS_IT_OUR_ACCOUNT Is it our account?
##} FM_IS_IT_OUR_ACCOUNT
##{ FM_LIKE_STOCKS
meta FM_LIKE_STOCKS (__FM_STOCK_WORDS && !__FB_S_STOCK && __FB_S_SYMBOL)
describe FM_LIKE_STOCKS It looks like a duck, it's a duck!
##} FM_LIKE_STOCKS
##{ FM_LOTTO_YOU_WON
meta FM_LOTTO_YOU_WON (__FM_LARGE_MONEY && __FM_NAT_LOTTERY && __YOU_WON_SOMTIN)
describe FM_LOTTO_YOU_WON Talks about lotto and you won!
##} FM_LOTTO_YOU_WON
##{ FM_LUX_GIFTS_REDUCED
meta FM_LUX_GIFTS_REDUCED (__FB_LUX_GIFTS && __FB_NUM_PERCNT)
describe FM_LUX_GIFTS_REDUCED Luxury Gifts with dd%
##} FM_LUX_GIFTS_REDUCED
##{ FM_MANY_DRUG_WORDS
meta FM_MANY_DRUG_WORDS (__VA_WORD && __CS_WORD && __VM_WORD)
describe FM_MANY_DRUG_WORDS Lot's of almost drug words
##} FM_MANY_DRUG_WORDS
##{ FM_MORTGAGE5PLUS
meta FM_MORTGAGE5PLUS (__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
describe FM_MORTGAGE5PLUS Looks like a mortgage spam (5+)
##} FM_MORTGAGE5PLUS
##{ FM_MORTGAGE6PLUS
meta FM_MORTGAGE6PLUS (__FM_MORTGAGE6PLUS)
describe FM_MORTGAGE6PLUS Looks like a mortgage spam (6+)
##} FM_MORTGAGE6PLUS
##{ FM_MULTI_LUX_GIFTS
meta FM_MULTI_LUX_GIFTS ((__FB_BRAND_NAME + __FB_TIMEPIECE + __FB_WALLETS + __FB_HANDBAGS + __FB_DESIGNER + __FB_LUX_GIFTS + __FB_NUM_PERCNT + __FB_INK_PEN) > 3)
describe FM_MULTI_LUX_GIFTS Talks about variety of luxury gifts
##} FM_MULTI_LUX_GIFTS
##{ FM_PHN_NODNS
meta FM_PHN_NODNS (FB_SPACED_PHN_3B && RDNS_NONE)
describe FM_PHN_NODNS Phone spacing + no dns
##} FM_PHN_NODNS
##{ FM_RATSIGN_1106
meta FM_RATSIGN_1106 (__MSGID_VGA && __DATE_700)
describe FM_RATSIGN_1106 Fingerprint seen in lots of spam. 11/2006
##} FM_RATSIGN_1106
##{ FM_RE_HELLO_SPAM
meta FM_RE_HELLO_SPAM (__FH_MSGID_01C7 && __FH_HAS_XMSMAIL && __FH_HAS_XPRIORITY && __FS_SUBJ_RE)
describe FM_RE_HELLO_SPAM Re: Hello / hi
##} FM_RE_HELLO_SPAM
##{ FM_ROLEX_ADS
meta FM_ROLEX_ADS (__FB_ROLEX_MEN && __FB_ROLEX_WMEN && __FB_OMEGA && __FB_GLASHUTE)
describe FM_ROLEX_ADS Looks like Rolex spams.
##} FM_ROLEX_ADS
##{ FM_SCHOOLING
meta FM_SCHOOLING ((__BACHELORS + __MASTERS + __MBA + __PHD) > 2)
describe FM_SCHOOLING Meta Combo Phrase for Schooling (2)
##} FM_SCHOOLING
##{ FM_SCHOOL_DIPLOMA
meta FM_SCHOOL_DIPLOMA (FM_SCHOOLING && __DIPLOMA)
describe FM_SCHOOL_DIPLOMA Meta for Schooling + Diploma.
##} FM_SCHOOL_DIPLOMA
##{ FM_SCHOOL_TYPES
meta FM_SCHOOL_TYPES (__FB_BA && __FB_BCs && __FB_MA && __FB_MBA)
describe FM_SCHOOL_TYPES Meta Combo Phrase for Schooling
##} FM_SCHOOL_TYPES
##{ FM_SUBJ_APPROVE
meta FM_SUBJ_APPROVE (__EXCLAIM_SUBJ && __SUBJ_APPROVE)
describe FM_SUBJ_APPROVE Subject has Approve and !
##} FM_SUBJ_APPROVE
##{ FM_SUBJ_YOU_PROFIT
meta FM_SUBJ_YOU_PROFIT (__FS_PROFIT && __FS_YOU)
describe FM_SUBJ_YOU_PROFIT Subject says you profit
##} FM_SUBJ_YOU_PROFIT
##{ FM_TRUE_LOV_ALL_N
meta FM_TRUE_LOV_ALL_N (__FB_P_TRUELOVE && __FB_P_ALLNIGHT)
describe FM_TRUE_LOV_ALL_N True Love all Night!
##} FM_TRUE_LOV_ALL_N
##{ FM_VEGAS_CASINO
meta FM_VEGAS_CASINO ((__FROM_VEGAS + __SUBJ_3DIGIT + __SUBJ_VEGAS + __FB_GAME) > 2)
describe FM_VEGAS_CASINO Looks like vega casino spam
##} FM_VEGAS_CASINO
##{ FM_XMAIL_F_OUT
header FM_XMAIL_F_OUT X-Mailer =~ /Microsoft Outlook Express V6.00.2900.2180/
describe FM_XMAIL_F_OUT Looks like Fake Outlook?
##} FM_XMAIL_F_OUT
##{ FORM_FRAUD_3
meta FORM_FRAUD_3 __FORM_FRAUD_3 && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
describe FORM_FRAUD_3 Fill a form and several fraud phrases
tflags FORM_FRAUD_3 publish
##} FORM_FRAUD_3
##{ FORM_FRAUD_5
meta FORM_FRAUD_5 __FORM_FRAUD_5 && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML
describe FORM_FRAUD_5 Fill a form and many fraud phrases
tflags FORM_FRAUD_5 publish
##} FORM_FRAUD_5
##{ FROM_12LTRDOM
describe FROM_12LTRDOM From a 12-letter domain
#score FROM_12LTRDOM 0.10 # limit
##} FROM_12LTRDOM
##{ FROM_12LTRDOM if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW_rulesrc_sandbox_jm_20_basic_cf && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
endif
##} FROM_12LTRDOM if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
##{ FROM_12LTRDOM ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW_rulesrc_sandbox_jm_20_basic_cf && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
endif
##} FROM_12LTRDOM ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ FROM_IN_TO_AND_SUBJ
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
tflags FROM_IN_TO_AND_SUBJ publish
##} FROM_IN_TO_AND_SUBJ
##{ FROM_MISSPACED
meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSPACED From: missing whitespace
#score FROM_MISSPACED 2.00
##} FROM_MISSPACED
##{ FROM_MISSP_EH_MATCH
meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
#score FROM_MISSP_EH_MATCH 2.00 # max
##} FROM_MISSP_EH_MATCH
##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
endif
##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ FROM_MISSP_MSFT
meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
##} FROM_MISSP_MSFT
##{ FROM_MISSP_PHISH
meta FROM_MISSP_PHISH __FROM_MISSP_PHISH
describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
#score FROM_MISSP_PHISH 4.75 # limit
##} FROM_MISSP_PHISH
##{ FROM_MISSP_REPLYTO
meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY
describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
##} FROM_MISSP_REPLYTO
##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
tflags FROM_MISSP_SPF_FAIL net
# score FROM_MISSP_SPF_FAIL 2.00 # limit
endif
##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
##{ FROM_MISSP_TO_UNDISC
meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
##} FROM_MISSP_TO_UNDISC
##{ FROM_MISSP_USER
meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe FROM_MISSP_USER From misspaced, from "User"
##} FROM_MISSP_USER
##{ FRT_ADOBE2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_ADOBE2 /<inter W0><post P2>\b(?!adobe)<A><D><O><B><E>\b/i
describe FRT_ADOBE2 ReplaceTags: Adobe
endif
##} FRT_ADOBE2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FRT_APPROV ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_APPROV /<inter sP2><post P2>\b(?!approu?v)<A><P><P><R><O><V>/i
describe FRT_APPROV ReplaceTags: Approve
endif
##} FRT_APPROV ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FRT_BIGGERMEM1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_BIGGERMEM1 /<inter SP2><post P2>(?:<B><IX><GX><GX><E><R>|<L><A><R><GX><E><R>).{1,8}(?:<P><E><N><IX><SX>|<B><R><E><A><SX><TX>|<M><E><M><B><E><R>)/i
describe FRT_BIGGERMEM1 ReplaceTags: Bigger / Larger, Penis / Member
endif
##} FRT_BIGGERMEM1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FRT_OFFER2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_OFFER2 /<inter W0><post P2>\b(?!offer)<O><F><F><E><R>/i
describe FRT_OFFER2 ReplaceTags: Offer (2)
endif
##} FRT_OFFER2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FRT_PENIS1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_PENIS1 /<inter SP2><post P2>\b(?!pen\s?(?:ie?s|ny[ ']?s))<P><E><N><IX><SX>\b/i
describe FRT_PENIS1 ReplaceTags: Penis
endif
##} FRT_PENIS1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FRT_PRICE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
describe FRT_PRICE ReplaceTags: Price
endif
##} FRT_PRICE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FRT_ROLEX ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_ROLEX /<inter SP2><post P2>\b(?!rolex)<R><O><L><E><X>/i
describe FRT_ROLEX ReplaceTags: Rolex
endif
##} FRT_ROLEX ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FR_3TAG_3TAG
rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
describe FR_3TAG_3TAG Looks like 3 <e> small tags.
##} FR_3TAG_3TAG
##{ FR_ALMOST_VIAG2
rawbody FR_ALMOST_VIAG2 /[^a-z](?!viagra)v?ia.?g.?ra/i
describe FR_ALMOST_VIAG2 Almost looks like viagra.
##} FR_ALMOST_VIAG2
##{ FR_CANTSEETEXT
rawbody FR_CANTSEETEXT /class="?cantseetext/i
describe FR_CANTSEETEXT Phrase class=cantseetext
##} FR_CANTSEETEXT
##{ FR_MIDER
rawbody FR_MIDER m'http[^ ]{5,30}/gall?/'
describe FR_MIDER Sign often seen in spams
##} FR_MIDER
##{ FR_TITLE_NUMS
rawbody FR_TITLE_NUMS m'<title>\d+</title>'i
describe FR_TITLE_NUMS HTML Title is only numbers
##} FR_TITLE_NUMS
##{ FSL_CTYPE_WIN1251
header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
##} FSL_CTYPE_WIN1251
##{ FSL_FAKE_GMAIL_RCVD
header FSL_FAKE_GMAIL_RCVD X-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/
##} FSL_FAKE_GMAIL_RCVD
##{ FSL_FAKE_HOTMAIL_RVCD
header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
##} FSL_FAKE_HOTMAIL_RVCD
##{ FSL_GEO_ABUSE
uri FSL_GEO_ABUSE /\/geocities\.com\/\S+$/
##} FSL_GEO_ABUSE
##{ FSL_HAS_TINYURL
uri FSL_HAS_TINYURL /tinyurl\.com\//
##} FSL_HAS_TINYURL
##{ FSL_HELO_BARE_IP_1
header FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
##} FSL_HELO_BARE_IP_1
##{ FSL_HELO_BARE_IP_2
header FSL_HELO_BARE_IP_2 X-Spam-Relays-External =~ /\bhelo=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/i
##} FSL_HELO_BARE_IP_2
##{ FSL_HELO_DEVICE
header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
##} FSL_HELO_DEVICE
##{ FSL_HELO_FIREWALL
header FSL_HELO_FIREWALL X-Spam-Relays-External =~ /\bhelo=\S+\.firewall\b/i
##} FSL_HELO_FIREWALL
##{ FSL_HELO_NON_FQDN_1
header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
##} FSL_HELO_NON_FQDN_1
##{ FSL_HELO_SETUP
header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
##} FSL_HELO_SETUP
##{ FSL_INTERIA_ABUSE
uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
##} FSL_INTERIA_ABUSE
##{ FSL_MID_419
header FSL_MID_419 MESSAGE-ID =~ /\@User>$/
describe FSL_MID_419 Spam signature in Message-ID
##} FSL_MID_419
##{ FSL_MISSP_REPLYTO
meta FSL_MISSP_REPLYTO (__FROM_MISSPACED && __HAS_REPLY_TO)
describe FSL_MISSP_REPLYTO Mis-spaced from and Reply-to
##} FSL_MISSP_REPLYTO
##{ FSL_YG_ABUSE
uri FSL_YG_ABUSE /\/groups\.yahoo\.com\/group\/\S+\/message\/1$/
##} FSL_YG_ABUSE
##{ FS_ABIGGER
header FS_ABIGGER Subject =~ /a bigger/i
describe FS_ABIGGER Subject has "a bigger"
##} FS_ABIGGER
##{ FS_APPROVE_YOU
header FS_APPROVE_YOU Subject =~ /approve you/i
describe FS_APPROVE_YOU Subject says approve you
##} FS_APPROVE_YOU
##{ FS_AT_NO_COST
header FS_AT_NO_COST Subject =~ /\bat no cost/i
describe FS_AT_NO_COST Subject says "At No Cost"
##} FS_AT_NO_COST
##{ FS_CHEAP_CAP
header FS_CHEAP_CAP Subject =~ /CHEAP/
describe FS_CHEAP_CAP Phrase: Cheap in Caps in Subject.
##} FS_CHEAP_CAP
##{ FS_DOLLAR_BONUS
header FS_DOLLAR_BONUS Subject =~ /\$\d\d\d?\.?\d?\d? bonus/i
describe FS_DOLLAR_BONUS Subject talks about money bonus!
##} FS_DOLLAR_BONUS
##{ FS_EJACULA
header FS_EJACULA Subject =~ /ejaculat(?:[io01][o0i1]n|e)/i
describe FS_EJACULA Phrase: ejaculation in subject.
##} FS_EJACULA
##{ FS_ERECTION
header FS_ERECTION Subject =~ / erection /i
describe FS_ERECTION Phrase: erection in subject.
##} FS_ERECTION
##{ FS_HUGECOCK
header FS_HUGECOCK Subject =~ /(?:huge|tiny|small) (?:c[o0]ck|d[i1]ck|p[e3]n[1i]s)/i
describe FS_HUGECOCK Phrase: Huge Cock
##} FS_HUGECOCK
##{ FS_LARGE_PERCENT2
header FS_LARGE_PERCENT2 Subject =~ /(?!100%)\d[0-9oi][0-9oi]%/i
describe FS_LARGE_PERCENT2 Larger than 100% in subj.
##} FS_LARGE_PERCENT2
##{ FS_LOW_RATES
header FS_LOW_RATES Subject =~ / low rates/i
describe FS_LOW_RATES Subject says low rates
##} FS_LOW_RATES
##{ FS_NEW_SOFT_UPLOAD
header FS_NEW_SOFT_UPLOAD Subject =~ /^New software uploaded by/
describe FS_NEW_SOFT_UPLOAD Subj starts with New software uploaded
##} FS_NEW_SOFT_UPLOAD
##{ FS_NEW_XXX
header FS_NEW_XXX Subject =~ /^Re: news? [a-z]{1,5}$/
describe FS_NEW_XXX Subject looks like Fharmacy spams.
##} FS_NEW_XXX
##{ FS_NO_SCRIP
header FS_NO_SCRIP Subject =~ /n[o0O] p[reRE][erER]scr[i1I]pt[i1I][o0O]n/i
describe FS_NO_SCRIP Subject almost says No prescription
##} FS_NO_SCRIP
##{ FS_NUDE
header FS_NUDE Subject =~ /\bnude\b/i
describe FS_NUDE Subject says Nude
##} FS_NUDE
##{ FS_OBFU_PRMCY
header FS_OBFU_PRMCY Subject =~ /\b(?!(?:pharmacy|primacy))p[ph]{0,4}\S{1,3}r\S{0,2}m\S{0,3}c\S{0,2}y\b/i
describe FS_OBFU_PRMCY what could this word be?
##} FS_OBFU_PRMCY
##{ FS_PERSCRIPTION
header FS_PERSCRIPTION Subject =~ /perscr[i1]pt[i1][o0]n/i
describe FS_PERSCRIPTION Subject mis-spelled prescription
##} FS_PERSCRIPTION
##{ FS_PHARMASUB2
header FS_PHARMASUB2 Subject =~ /PH[A-Za-z]{2,7}MA/
describe FS_PHARMASUB2 Looks like Phramacy subject.
##} FS_PHARMASUB2
##{ FS_RAMROD
header FS_RAMROD Subject =~ /ramrod/i
describe FS_RAMROD Subject says Ramrod
##} FS_RAMROD
##{ FS_RE_APPROV
header FS_RE_APPROV Subject =~ /re approved/i
describe FS_RE_APPROV Phrase: re approved
##} FS_RE_APPROV
##{ FS_START_DOYOU2
header FS_START_DOYOU2 Subject =~ /^Do you (?:dream|have|want|love|like|wanna)/i
describe FS_START_DOYOU2 Subject starts with Do you dream,have,want,love, etc.
##} FS_START_DOYOU2
##{ FS_START_LOSE
header FS_START_LOSE Subject =~ /^Lose /i
describe FS_START_LOSE Subject starts with Lose
##} FS_START_LOSE
##{ FS_TEEN_BAD
header FS_TEEN_BAD Subject =~ /teen.{1,15}(?:pussy|sex|slut|ass|fuck|rape)/i
describe FS_TEEN_BAD Subject says something bad about teens
##} FS_TEEN_BAD
##{ FS_TIP_DDD
header FS_TIP_DDD Subject =~ /(?:tip|good) \d\d\d?\d?/i
describe FS_TIP_DDD Phrase: subject = tip ddd
##} FS_TIP_DDD
##{ FS_WEIGHT_LOSS
header FS_WEIGHT_LOSS Subject =~ /weight loss/i
describe FS_WEIGHT_LOSS Subject says Weight Loss
##} FS_WEIGHT_LOSS
##{ FS_WILL_HELP
header FS_WILL_HELP Subject =~ /will help/
describe FS_WILL_HELP Subject says will help
##} FS_WILL_HELP
##{ FS_WITH_SMALL
header FS_WITH_SMALL Subject =~ /with (?:\w+\s)?(?:small|short)/i
describe FS_WITH_SMALL Subject says With ... small
##} FS_WITH_SMALL
##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
endif
##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FU_COMMON_SUBS2
uri FU_COMMON_SUBS2 m'/(?:[2w]m|7d|b|ee|lj|j|o|u)/[,.]?$'
describe FU_COMMON_SUBS2 Sub-dir seen often in spam (2).
##} FU_COMMON_SUBS2
##{ FU_ENDS_NUMS_DOTS_CLK
uri FU_ENDS_NUMS_DOTS_CLK m'(?:clk|uns)/\d+\.\d+\.\d+'i
describe FU_ENDS_NUMS_DOTS_CLK Ends with clk/d+.d+.d+
##} FU_ENDS_NUMS_DOTS_CLK
##{ FU_END_ET
uri FU_END_ET m'/et/$'i
describe FU_END_ET ET Phone Home?
##} FU_END_ET
##{ FU_HOODIA
uri FU_HOODIA /hoodia/i
describe FU_HOODIA URL has hoodia in it.
##} FU_HOODIA
##{ FU_LONG_QUERY3
uri FU_LONG_QUERY3 m'[A-F0-9]{30}\.aspx'
describe FU_LONG_QUERY3 URL has a long file name with .aspx extension.
##} FU_LONG_QUERY3
##{ FU_MIDER
uri FU_MIDER m'/gall?/'
describe FU_MIDER URL has /gal/
##} FU_MIDER
##{ FU_UKGEOCITIES
uri FU_UKGEOCITIES /\b[a-z]{2}\.geocities\.com/i
describe FU_UKGEOCITIES URL with [a-z]{2}.geocities.com
##} FU_UKGEOCITIES
##{ FU_URI_TRACKER_T
uri FU_URI_TRACKER_T m'/[yi]/(?:sp|et|vm|xl2)/'i
describe FU_URI_TRACKER_T URI style tracker (T)
##} FU_URI_TRACKER_T
##{ GEO_QUERY_STRING
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
##} GEO_QUERY_STRING
##{ GOOGLE_DOCS_PHISH
meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe GOOGLE_DOCS_PHISH E-mail account phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH 4.00 # limit
tflags GOOGLE_DOCS_PHISH publish # Force publication - great S/O, hits only <= 6 points
##} GOOGLE_DOCS_PHISH
##{ GOOGLE_DOCS_PHISH_MANY
meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && __EMAIL_PHISH_MANY
describe GOOGLE_DOCS_PHISH_MANY E-mail account phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH_MANY 5.50 # limit
tflags GOOGLE_DOCS_PHISH_MANY publish # Force publication - great S/O, hits only <= 6 points
##} GOOGLE_DOCS_PHISH_MANY
##{ HDRS_LCASE
describe HDRS_LCASE Odd capitalization of message header
#score HDRS_LCASE 0.10 # limit
##} HDRS_LCASE
##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ HDRS_LCASE_1K
meta HDRS_LCASE_1K __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE
describe HDRS_LCASE_1K Odd capitalization of message headers + long header
#score HDRS_LCASE_1K 0.50 # limit
##} HDRS_LCASE_1K
##{ HDR_ORDER_FTSDMCXX_001C
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
##} HDR_ORDER_FTSDMCXX_001C
##{ HDR_ORDER_FTSDMCXX_BAT
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
##} HDR_ORDER_FTSDMCXX_BAT
##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
describe HEADER_COUNT_SUBJECT Multiple Subject headers found
endif
##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
##{ HELO_FRIEND
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND
##{ HELO_LH_HOME
header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
##} HELO_LH_HOME
##{ HELO_LH_LD
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
##} HELO_LH_LD
##{ HELO_LOCALHOST
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST
##{ HELO_OEM
header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
##} HELO_OEM
##{ HK_LOTTO
meta HK_LOTTO __HK_LOTTO_1 || __HK_LOTTO_2 || __HK_LOTTO_JACKPOT || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
#score HK_LOTTO 1
##} HK_LOTTO
##{ HK_NAME_DRUGS
header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
#score HK_NAME_DRUGS 2
##} HK_NAME_DRUGS
##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
# score HK_NAME_FM_MR_MRS 1.5
endif
endif
##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
# score HK_NAME_MR_MRS 1.0
endif
endif
##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ HK_RANDOM_ENVFROM
header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{20})[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
#score HK_RANDOM_ENVFROM 1
##} HK_RANDOM_ENVFROM
##{ HK_RANDOM_FROM
header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{26}|.*?@.{0,20}\bcmp-info\.com$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_FROM From username looks random
#score HK_RANDOM_FROM 1
##} HK_RANDOM_FROM
##{ HK_SCAM_N15
body HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
##} HK_SCAM_N15
##{ HK_SCAM_N2
body HK_SCAM_N2 /\bnext of kin\b/i
##} HK_SCAM_N2
##{ HK_SCAM_S23
body HK_SCAM_S23 /(?:\b(?:urgent alert|start trade|get it at monday)\b|\b(?:5-|five )day price:)/i
##} HK_SCAM_S23
##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
##{ JM_I_FEEL_LUCKY
uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
##} JM_I_FEEL_LUCKY
##{ JM_RCVD_QMAILV1
header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
##} JM_RCVD_QMAILV1
##{ JM_TORA_XM
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
##} JM_TORA_XM
##{ KB_DATE_CONTAINS_TAB
meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB
#score KB_DATE_CONTAINS_TAB 0.5
##} KB_DATE_CONTAINS_TAB
##{ KB_FAKED_THE_BAT
meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
##} KB_FAKED_THE_BAT
##{ KB_FORGED_MOZ4
header KB_FORGED_MOZ4 User-Agent =~ /\bMozilla 4/
describe KB_FORGED_MOZ4 Mozilla 4 uses X-Mailer
##} KB_FORGED_MOZ4
##{ KB_RATWARE_BOUNDARY
meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B
##} KB_RATWARE_BOUNDARY
##{ KB_RATWARE_MSGID
meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
##} KB_RATWARE_MSGID
##{ KB_RATWARE_OUTLOOK_08
header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
##} KB_RATWARE_OUTLOOK_08
##{ KB_RATWARE_OUTLOOK_12
header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
##} KB_RATWARE_OUTLOOK_12
##{ KB_RATWARE_OUTLOOK_16
header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
##} KB_RATWARE_OUTLOOK_16
##{ KB_RATWARE_OUTLOOK_MID
header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
##} KB_RATWARE_OUTLOOK_MID
##{ KHOP_JS_OBFUSCATION
meta KHOP_JS_OBFUSCATION __TR_JS_EXTRA_UNESCAPE || __TR_JS_EXTRA_CONCAT || __TR_JS_CONCATINATED_HTTP
describe KHOP_JS_OBFUSCATION Script: unnecessarily complex string composition
##} KHOP_JS_OBFUSCATION
##{ LIVEFILESTORE
uri LIVEFILESTORE m~livefilestore.com/~
##} LIVEFILESTORE
##{ LONG_TERM_PRICE
body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
##} LONG_TERM_PRICE
##{ LOOPHOLE_1
body LOOPHOLE_1 /loop-?hole in the banking/i
describe LOOPHOLE_1 A loop hole in the banking laws?
##} LOOPHOLE_1
##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05)
describe LOTS_OF_MONEY Huge... sums of money
# score LOTS_OF_MONEY 0.01
tflags LOTS_OF_MONEY publish
endif
##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ LOTTERY_1
meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
##} LOTTERY_1
##{ LOTTERY_PH_004470
meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
##} LOTTERY_PH_004470
##{ LOTTO_AGENT
meta LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02
describe LOTTO_AGENT Claims Agent
#score LOTTO_AGENT 3.50 # limit
##} LOTTO_AGENT
##{ LOTTO_DEPT
meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML
describe LOTTO_DEPT Claims Department
#score LOTTO_DEPT 2.00 # limit
##} LOTTO_DEPT
##{ L_SPAM_TOOL_13
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
##} L_SPAM_TOOL_13
##{ MANY_SPAN_IN_TEXT
meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
##} MANY_SPAN_IN_TEXT
##{ MID_DEGREES
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##} MID_DEGREES
##{ MIME_BOUND_EQ_REL
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
##} MIME_BOUND_EQ_REL
##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta MIME_PHP_NO_TEXT (T_MIME_NO_TEXT && __PHP_MUA)
describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
endif
##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MONEY_ATM_CARD
meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
describe MONEY_ATM_CARD Lots of money on an ATM card
##} MONEY_ATM_CARD
##{ MONEY_FORM
meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
describe MONEY_FORM Lots of money if you fill out a form
##} MONEY_FORM
##{ MONEY_FORM_SHORT
meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER
describe MONEY_FORM_SHORT Lots of money if you fill out a short form
##} MONEY_FORM_SHORT
##{ MONEY_FRAUD_3
meta MONEY_FRAUD_3 __MONEY_FRAUD_3 && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_3 Lots of money and several fraud phrases
tflags MONEY_FRAUD_3 publish
##} MONEY_FRAUD_3
##{ MONEY_FRAUD_5
meta MONEY_FRAUD_5 __MONEY_FRAUD_5 && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_5 Lots of money and many fraud phrases
tflags MONEY_FRAUD_5 publish
##} MONEY_FRAUD_5
##{ MONEY_FROM_41
meta MONEY_FROM_41 __MONEY_FROM_41
describe MONEY_FROM_41 Lots of money from Africa
#score MONEY_FROM_41 2.00 # limit
##} MONEY_FROM_41
##{ MONEY_FROM_MISSP
meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
describe MONEY_FROM_MISSP Lots of money and misspaced From
##} MONEY_FROM_MISSP
##{ MSGID_MULTIPLE_AT
header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
#score MSGID_MULTIPLE_AT 0.001
##} MSGID_MULTIPLE_AT
##{ MSOE_MID_WRONG_CASE
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE
##{ NSL_RCVD_FROM_USER
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
##} NSL_RCVD_FROM_USER
##{ NSL_RCVD_HELO_USER
header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User
##} NSL_RCVD_HELO_USER
##{ NULL_IN_BODY
full NULL_IN_BODY /\x00/
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY
##{ OBFU_JVSCR_ESC
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
tflags OBFU_JVSCR_ESC publish
##} OBFU_JVSCR_ESC
##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
tflags OBFU_TEXT_ATTACH publish
endif
##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
endif
##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
endif
##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PHP_NOVER_MUA
#score PHP_NOVER_MUA 3.50 # limit
describe PHP_NOVER_MUA Mail from PHP with no version number
##} PHP_NOVER_MUA
##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ RCVD_BAD_ID
header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
##} RCVD_BAD_ID
##{ RCVD_FORGED_WROTE
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
##} RCVD_FORGED_WROTE
##{ RCVD_FORGED_WROTE2
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2
##{ RCVD_IN_BRBL_LASTEXT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_BRBL_LASTEXT eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
tflags RCVD_IN_BRBL_LASTEXT net
endif
##} RCVD_IN_BRBL_LASTEXT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_DNSWL_BLOCKED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.255$')
describe RCVD_IN_DNSWL_BLOCKED ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags RCVD_IN_DNSWL_BLOCKED net noautolearn
endif
##} RCVD_IN_DNSWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_HI ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$')
describe RCVD_IN_DNSWL_HI Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI nice net
endif
##} RCVD_IN_DNSWL_HI ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_LOW ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.1$')
describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW nice net
endif
##} RCVD_IN_DNSWL_LOW ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_MED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.2$')
describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED nice net
endif
##} RCVD_IN_DNSWL_MED ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_NONE ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_DNSWL_NONE eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.0$')
describe RCVD_IN_DNSWL_NONE Sender listed at http://www.dnswl.org/, no trust
tflags RCVD_IN_DNSWL_NONE nice net
endif
##} RCVD_IN_DNSWL_NONE ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
tflags RCVD_IN_IADB_DK net nice
endif
##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
tflags RCVD_IN_IADB_DOPTIN net nice
endif
##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
tflags RCVD_IN_IADB_EDDB net nice
endif
##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
tflags RCVD_IN_IADB_EPIA net nice
endif
##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
tflags RCVD_IN_IADB_GOODMAIL net nice
endif
##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
describe RCVD_IN_IADB_LISTED Participates in the IADB system
tflags RCVD_IN_IADB_LISTED net nice
endif
##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
tflags RCVD_IN_IADB_LOOSE net nice
endif
##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
tflags RCVD_IN_IADB_MI_CPEAR net nice
endif
##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
tflags RCVD_IN_IADB_MI_CPR_30 net nice
endif
##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
tflags RCVD_IN_IADB_MI_CPR_MAT net nice
endif
##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
tflags RCVD_IN_IADB_ML_DOPTIN net nice
endif
##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
tflags RCVD_IN_IADB_NOCONTROL net nice
endif
##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
tflags RCVD_IN_IADB_OOO net nice
endif
##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
tflags RCVD_IN_IADB_OPTIN net nice
endif
##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
tflags RCVD_IN_IADB_OPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
tflags RCVD_IN_IADB_OPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
tflags RCVD_IN_IADB_OPTOUTONLY net nice
endif
##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
tflags RCVD_IN_IADB_RDNS net nice
endif
##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
tflags RCVD_IN_IADB_SENDERID net nice
endif
##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
tflags RCVD_IN_IADB_SPF net nice
endif
##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
tflags RCVD_IN_IADB_UT_CPEAR net nice
endif
##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
tflags RCVD_IN_IADB_UT_CPR_30 net nice
endif
##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
tflags RCVD_IN_IADB_UT_CPR_MAT net nice
endif
##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
endif
##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
##{ RCVD_MAIL_COM
header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
##} RCVD_MAIL_COM
##{ RDNS_LOCALHOST
header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
##} RDNS_LOCALHOST
##{ REPLYTO_WITHOUT_TO_CC
meta REPLYTO_WITHOUT_TO_CC (__REPLYTO_EXISTS && !__TOCC_EXISTS)
##} REPLYTO_WITHOUT_TO_CC
##{ RISK_FREE
meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW_rulesrc_sandbox_jm_20_basic_cf
describe RISK_FREE No risk!
##} RISK_FREE
##{ RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if version >= 3.003000
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
describe RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
tflags RP_MATCHES_RCVD nice
endif
endif
##} RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ SB_GIF_AND_NO_URIS
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS
##{ SERGIO_SUBJECT_PORN014
header SERGIO_SUBJECT_PORN014 Subject =~ /f[^a-zA-Z0-9]{0,3}[uv][^a-zA-Z0-9]{0,3}c[^a-zA-Z0-9]{0,3}k/i
describe SERGIO_SUBJECT_PORN014 F\*\*\* garbled subject
##} SERGIO_SUBJECT_PORN014
##{ SHORTENED_URL_HREF
rawbody SHORTENED_URL_HREF /<[^>]{1,99}\shref=\W?http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}/
#score SHORTENED_URL_HREF 1.0
##} SHORTENED_URL_HREF
##{ SHORT_HELO_AND_INLINE_IMAGE
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
##} SHORT_HELO_AND_INLINE_IMAGE
##{ SHORT_TERM_PRICE
body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
##} SHORT_TERM_PRICE
##{ SPAMMY_XMAILER
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
##} SPAMMY_XMAILER
##{ STOCK_IMG_CTYPE
meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
##} STOCK_IMG_CTYPE
##{ STOCK_IMG_HDR_FROM
meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
##} STOCK_IMG_HDR_FROM
##{ STOCK_IMG_HTML
meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
##} STOCK_IMG_HTML
##{ STOCK_IMG_OUTLOOK
meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
##} STOCK_IMG_OUTLOOK
##{ STOCK_PRICES
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
##} STOCK_PRICES
##{ STOX_AND_PRICE
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
##} STOX_AND_PRICE
##{ STOX_REPLY_TYPE
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
##} STOX_REPLY_TYPE
##{ STOX_REPLY_TYPE_WITHOUT_QUOTES
meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW_rulesrc_sandbox_jm_20_basic_cf || __HS_QUOTE_rulesrc_sandbox_jm_20_basic_cf))
##} STOX_REPLY_TYPE_WITHOUT_QUOTES
##{ STYLE_GIBBERISH
meta STYLE_GIBBERISH __STYLE_GIBBERISH && !__STYLE_TAG_IN_BODY && !__THREADED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_DIAL_MESSY && !__HAS_REPLY_TO && !MIME_HTML_MOSTLY
describe STYLE_GIBBERISH Nonsense in HTML <STYLE> tag
##} STYLE_GIBBERISH
##{ SUBJECT_NEEDS_ENCODING
meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
##} SUBJECT_NEEDS_ENCODING
##{ TAB_IN_FROM
meta TAB_IN_FROM __TAB_IN_FROM && !__ML_TURNS_SP_TO_TAB
describe TAB_IN_FROM From starts with a tab
#score TAB_IN_FROM 0.5
##} TAB_IN_FROM
##{ TBIRD_SUSP_MIME_BDRY
meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
##} TBIRD_SUSP_MIME_BDRY
##{ THEBAT_UNREG
header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/
##} THEBAT_UNREG
##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
tflags TO_EQ_FM_DOM_SPF_FAIL net
endif
##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
tflags TO_EQ_FM_SPF_FAIL net
endif
##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
##{ TO_NO_BRKTS_FROM_MSSP
meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER
#score TO_NO_BRKTS_FROM_MSSP 2.50 # max
describe TO_NO_BRKTS_FROM_MSSP Multiple formatting errors
##} TO_NO_BRKTS_FROM_MSSP
##{ TO_NO_BRKTS_MSFT
meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD && !__SUBJECT_UTF8_B_ENCODED
describe TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
#score TO_NO_BRKTS_MSFT 3.50 # limit
##} TO_NO_BRKTS_MSFT
##{ TO_NO_BRKTS_NORDNS
meta TO_NO_BRKTS_NORDNS __TO_NO_BRKTS_NORDNS && !__MANY_RECIPS && !__FROM_RUNON && !__VIA_ML && !__TO___LOWER && !ALL_TRUSTED && !__COMMENT_EXISTS && !__DOS_HAS_LIST_UNSUB && !__OE_MSGID_1 && !__MSGID_JAVAMAIL && !__CTYPE_MULTIPART_MIXED && !__UNSUB_LINK && !__JM_REACTOR_DATE && !__TAG_EXISTS_CENTER && !__HAS_UA && !__TO_EQ_FROM_DOM && !__TAG_EXISTS_STYLE
#score TO_NO_BRKTS_NORDNS 2.75 # limit
describe TO_NO_BRKTS_NORDNS To: misformatted and no rDNS
##} TO_NO_BRKTS_NORDNS
##{ TT_MSGID_TRUNC
header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
##} TT_MSGID_TRUNC
##{ TT_OBSCURED_VALIUM
meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
##} TT_OBSCURED_VALIUM
##{ TT_OBSCURED_VIAGRA
meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
##} TT_OBSCURED_VIAGRA
##{ TVD_ACT_193
body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
##} TVD_ACT_193
##{ TVD_APPROVED
body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
##} TVD_APPROVED
##{ TVD_DEAR_HOMEOWNER
body TVD_DEAR_HOMEOWNER /^dear homeowner/i
##} TVD_DEAR_HOMEOWNER
##{ TVD_EB_PHISH
meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
##} TVD_EB_PHISH
##{ TVD_ENVFROM_APOST
header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
##} TVD_ENVFROM_APOST
##{ TVD_FINGER_02
header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
##} TVD_FINGER_02
##{ TVD_FLOAT_GENERAL
rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
##} TVD_FLOAT_GENERAL
##{ TVD_FROM_1
header TVD_FROM_1 From:addr =~ /[^\@0-9]{2}\d{3}\.(?:com|net|org|info|biz)$/i
##} TVD_FROM_1
##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
endif
##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
endif
##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
endif
##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
endif
##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
endif
##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
endif
##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
endif
##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
endif
##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ TVD_INCREASE_SIZE
body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
##} TVD_INCREASE_SIZE
##{ TVD_LINK_SAVE
body TVD_LINK_SAVE /\blink to save\b/i
##} TVD_LINK_SAVE
##{ TVD_PH_BODY_ACCOUNTS_PRE
meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE
##} TVD_PH_BODY_ACCOUNTS_PRE
##{ TVD_PH_BODY_META
meta TVD_PH_BODY_META __TVD_PH_BODY_META
##} TVD_PH_BODY_META
##{ TVD_PH_REC
body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
describe TVD_PH_REC Message has a phrase standard for phishing mails
##} TVD_PH_REC
##{ TVD_PH_SEC
body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
describe TVD_PH_SEC Message has a phrase standard for phishing mails
##} TVD_PH_SEC
##{ TVD_PP_PHISH
meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
##} TVD_PP_PHISH
##{ TVD_QUAL_MEDS
body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
##} TVD_QUAL_MEDS
##{ TVD_RATWARE_CB
header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
##} TVD_RATWARE_CB
##{ TVD_RATWARE_CB_2
header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
##} TVD_RATWARE_CB_2
##{ TVD_RATWARE_MSGID_02
header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
##} TVD_RATWARE_MSGID_02
##{ TVD_RCVD_IP
header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
##} TVD_RCVD_IP
##{ TVD_RCVD_IP4
header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
##} TVD_RCVD_IP4
##{ TVD_RCVD_SINGLE
header TVD_RCVD_SINGLE Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
##} TVD_RCVD_SINGLE
##{ TVD_RCVD_SPACE_BRACKET
header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
##} TVD_RCVD_SPACE_BRACKET
##{ TVD_SECTION
body TVD_SECTION /\bSection (?:27A|21B)/i
##} TVD_SECTION
##{ TVD_SILLY_URI_OBFU
body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
##} TVD_SILLY_URI_OBFU
##{ TVD_SPACED_SUBJECT_WORD3
header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
##} TVD_SPACED_SUBJECT_WORD3
##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
ifplugin Mail::SpamAssassin::Plugin::BodyEval
body TVD_STOCK1 eval:check_stock_info('2')
endif
##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
##{ TVD_SUBJ_ACC_NUM
header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
##} TVD_SUBJ_ACC_NUM
##{ TVD_SUBJ_FINGER_03
header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
##} TVD_SUBJ_FINGER_03
##{ TVD_SUBJ_OWE
header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
##} TVD_SUBJ_OWE
##{ TVD_SUBJ_WIPE_DEBT
header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
##} TVD_SUBJ_WIPE_DEBT
##{ TVD_UNDER_VALUED
body TVD_UNDER_VALUED /(?:company|stock) .{1,20}under-?valued/i
##} TVD_UNDER_VALUED
##{ TVD_VISIT_PHARMA
body TVD_VISIT_PHARMA /Online Ph.rmacy/i
##} TVD_VISIT_PHARMA
##{ TVD_VIS_HIDDEN
rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
##} TVD_VIS_HIDDEN
##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware
endif
##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_AJB_CANPOST_BADLINK ifplugin Mail::SpamAssassin::Plugin::URIDetail
ifplugin Mail::SpamAssassin::Plugin::URIDetail
describe T_AJB_CANPOST_BADLINK Found a mismatch between href and anchored text pretending to link to www.canadapost.ca
endif
##} T_AJB_CANPOST_BADLINK ifplugin Mail::SpamAssassin::Plugin::URIDetail
##{ T_AJB_UTUBE_BADLINK ifplugin Mail::SpamAssassin::Plugin::URIDetail
ifplugin Mail::SpamAssassin::Plugin::URIDetail
describe T_AJB_UTUBE_BADLINK Found a mismatch between href and anchored text pretending to link to www.youtube.com
endif
##} T_AJB_UTUBE_BADLINK ifplugin Mail::SpamAssassin::Plugin::URIDetail
##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
describe T_ANY_PILL_PRICE Prices for pills
endif
##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
describe T_CDISP_SZ_MANY Suspicious MIME header
# score T_CDISP_SZ_MANY 2.0 # limit
endif
##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_CTYPE_NULL __CTYPE_NULL
describe T_CTYPE_NULL Malformed Content-Type header
endif
##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
endif
##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
##{ T_DKIM_INVALID ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta T_DKIM_INVALID __DKIM_EXISTS && !DKIM_VALID
describe T_DKIM_INVALID DKIM-Signature header exists but is not valid
endif
##} T_DKIM_INVALID ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT)
describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name
endif
##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_DOS_OUTLOOK_TO_MX_IMAGE
meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
##} T_DOS_OUTLOOK_TO_MX_IMAGE
##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus
# score T_DOS_ZIP_HARDCORE 2.5
endif
##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_EMRCP
body T_EMRCP /\bExcess Maximum Return Capital Profit\b/i
describe T_EMRCP "Excess Maximum Return Capital Profit" Fidelity scam
##} T_EMRCP
##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
# score T_FILL_THIS_FORM_SHORT 1.0 # limit
endif
##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam
endif
##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta T_FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
endif
##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ T_FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta T_FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && T_HEADER_FROM_DIFFERENT_DOMAINS
describe T_FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
# score T_FREEMAIL_FORGED_FROMDOMAIN 0.25
endif
endif
##} T_FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && T_FREEMAIL_DOC_PDF
describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail
endif
##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ T_FRM_SILVER_GOLD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta T_FRM_SILVER_GOLD (__FRT_SILVER && __FRT_GOLD)
describe T_FRM_SILVER_GOLD ReplaceTags: Silver & Gold
endif
##} T_FRM_SILVER_GOLD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FROM_MISSP_DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta T_FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe T_FROM_MISSP_DKIM From misspaced, DKIM dependable
endif
##} T_FROM_MISSP_DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ T_FRT_ABSOLUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_ABSOLUT /<inter SP2><post P2>\b(?!absolutely)<A><B><SX><O><L><U><TX><E><L><Y>/i
describe T_FRT_ABSOLUT ReplaceTags: Absolutely
endif
##} T_FRT_ABSOLUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_ADULT2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_ADULT2 /<inter W0><post P2>\b(?!adult)<A><D><UX><L><TX>/i
describe T_FRT_ADULT2 ReplaceTags: Adult
endif
##} T_FRT_ADULT2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_BEFORE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_BEFORE /<inter SP2><post P2>\b(?!before)<B><E><F><O><R><E>\b/i
describe T_FRT_BEFORE ReplaceTags: Before
endif
##} T_FRT_BEFORE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_BELOW2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_BELOW2 /<inter W0><post P2>\b(?!below)<B><E><L><O><WX>\b/i
describe T_FRT_BELOW2 ReplaceTags: Below (2)
endif
##} T_FRT_BELOW2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_CANSPAM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_CANSPAM /<inter SP2><post P2>\b(?!CAN<SP>SPAM)<C><A><N><SP><SX><P><A><M>/i
describe T_FRT_CANSPAM ReplaceTags: Can Spam
endif
##} T_FRT_CANSPAM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_CLICK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_CLICK /<post P2>\b(?!click)<C><L><IX><C><K>\b/i
describe T_FRT_CLICK ReplaceTags: Click
endif
##} T_FRT_CLICK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_COCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_COCK /<inter SP2><post P2>\b(?![cs]ock)<C><O><C><K>/i
describe T_FRT_COCK ReplaceTags: Cock
endif
##} T_FRT_COCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_CONTACT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_CONTACT /<inter SP2><post P2>\b(?!contr?act)<C><O><N><TX><A><C><TX>/i
describe T_FRT_CONTACT ReplaceTags: Contact
endif
##} T_FRT_CONTACT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_ERECTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_ERECTION /<inter SP2><post P2>(?!erection)<E><R><E><C><TX><IX><O><N>/i
describe T_FRT_ERECTION ReplaceTags: Erection
endif
##} T_FRT_ERECTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_ESTABLISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_ESTABLISH /<inter SP2><post P2>\b(?!estabi?lish)<E><SX><TX><A><B><L><IX><SX><H>/i
describe T_FRT_ESTABLISH ReplaceTags: Establish
endif
##} T_FRT_ESTABLISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_EXPERIENCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_EXPERIENCE /<inter SP2><post P2>\b(?!exp[e\xe9\xc9]rience)<E><X><P><E><R><IX><E><N><C><E>\b/i
describe T_FRT_EXPERIENCE ReplaceTags: Experience
endif
##} T_FRT_EXPERIENCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_FOLLOW1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_FOLLOW1 /<inter SP2><post P2>\b(?!follow)<F><O><L><L><O><WX>/i
describe T_FRT_FOLLOW1 ReplaceTags: Follow
endif
##} T_FRT_FOLLOW1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_FOLLOW2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_FOLLOW2 /<inter W0><post P2>\b(?!follow)<F><O><L><L><O><WX>/i
describe T_FRT_FOLLOW2 ReplaceTags: Follow (2)
endif
##} T_FRT_FOLLOW2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_FREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_FREE /<inter SP2><post P2>\b(?!free)<F><R><E><E>\b/i
describe T_FRT_FREE ReplaceTags: Free
endif
##} T_FRT_FREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_FRIEND ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_FRIEND /<inter SP2><post P2>\b(?!friend)<F><R><IX><E><N><D>/i
describe T_FRT_FRIEND ReplaceTags: Friend
endif
##} T_FRT_FRIEND ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_FUCK1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_FUCK1 /<inter SP2><post P2>\b(?!fuck)<F><U><C><K>/i
describe T_FRT_FUCK1 ReplaceTags: Fuck (1)
endif
##} T_FRT_FUCK1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_HEALTH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_HEALTH /<inter SP2><post P2>\b(?!health)<H><E><A><L><TX><H>\b/i
describe T_FRT_HEALTH ReplaceTags: Health
endif
##} T_FRT_HEALTH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_HOUR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_HOUR /<inter SP2><post P2>\b(?!hour)<H><O><U><R>\b/i
describe T_FRT_HOUR ReplaceTags: Hour
endif
##} T_FRT_HOUR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_INCOME ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_INCOME /<inter SP2><post P2>\b(?!income)<IX><N><C><O><M><E>\b/i
describe T_FRT_INCOME ReplaceTags: Income
endif
##} T_FRT_INCOME ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_INTEREST ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_INTEREST /<inter SP2><post P2>\b(?!interest)<IX><N><TX><E><R><E><SX><TX>\b/i
describe T_FRT_INTEREST ReplaceTags: Interest
endif
##} T_FRT_INTEREST ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_LITTLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_LITTLE /<inter SP2><post P2>\b(?!little)<L><IX><TX><TX><L><E>/i
describe T_FRT_LITTLE ReplaceTags: Little
endif
##} T_FRT_LITTLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_LOLITA1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_LOLITA1 /<inter SP2><post P2>\b(?!lolita)<L><O><L><IX><TX><A>/i
describe T_FRT_LOLITA1 ReplaceTags: Lolita (1)
endif
##} T_FRT_LOLITA1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_OPPORTUN1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_OPPORTUN1 /<inter SP2><post P2>(?!opportun)<O><P><P><O><R><TX><U><N>/i
describe T_FRT_OPPORTUN1 ReplaceTags: Oppertun (1)
endif
##} T_FRT_OPPORTUN1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PACKAGE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PACKAGE /<inter SP2><post P2>\b(?!package)<P><A><C><K><A><GX><E>/i
describe T_FRT_PACKAGE ReplaceTags: Package
endif
##} T_FRT_PACKAGE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PAYMENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PAYMENT /<inter W0>\b(?!payment)<P><A><Y><M><E><N><TX>/i
describe T_FRT_PAYMENT ReplaceTags: Payment
endif
##} T_FRT_PAYMENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PHARMAC ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PHARMAC /<inter W0><post P2>(?!pharma[c\@])<P><H><A><R><M><A><C>/i
describe T_FRT_PHARMAC ReplaceTags: Pharmac
endif
##} T_FRT_PHARMAC ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_POSSIBLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_POSSIBLE /<inter SP2><post P2>\b(?!possible)<P><O><SX><SX><IX><B><L><E>\b/i
describe T_FRT_POSSIBLE ReplaceTags: Possible
endif
##} T_FRT_POSSIBLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PROFILE1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PROFILE1 /<inter SP2><post P2>\b(?!profile)<P><R><O><F><IX><L><E>/i
describe T_FRT_PROFILE1 ReplaceTags: Profile (1)
endif
##} T_FRT_PROFILE1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PROFILE2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PROFILE2 /<inter W0><post P2>\b(?!profile)<P><R><O><F><IX><L><E>/i
describe T_FRT_PROFILE2 ReplaceTags: Profile (2)
endif
##} T_FRT_PROFILE2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PROFIT1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PROFIT1 /<inter SP2><post P2>\b(?!profit)<P><R><O><F><IX><TX>/i
describe T_FRT_PROFIT1 ReplaceTags: Profit (1)
endif
##} T_FRT_PROFIT1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PROFIT2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PROFIT2 /<inter W0><post P2>\b(?!profit)<P><R><O><F><IX><TX>/i
describe T_FRT_PROFIT2 ReplaceTags: Profit (2)
endif
##} T_FRT_PROFIT2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_PUSSY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_PUSSY /<inter SP2><post P2>\b(?!pussy)<P><U><SX><SX><Y>/i
describe T_FRT_PUSSY ReplaceTags: Pussy
endif
##} T_FRT_PUSSY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_SLUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_SLUT /<inter SP2><post P2>\b(?!slut)<SX><L><U><TX>/
describe T_FRT_SLUT ReplaceTags: Slut
endif
##} T_FRT_SLUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_STOCK1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_STOCK1 /<inter SP2><post P2>\b(?!stock)<SX><TX><O><C><K>/i
describe T_FRT_STOCK1 ReplaceTags: Stock (1)
endif
##} T_FRT_STOCK1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_STOCK2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_STOCK2 /<inter W0><post P2>\b(?!stor?ck)<SX><TX><O><C><K>/i
describe T_FRT_STOCK2 ReplaceTags: Stock (2)
endif
##} T_FRT_STOCK2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FRT_VIRGIN1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FRT_VIRGIN1 /<inter SP2><post P2>(?!virgin)<V><IX><R><GX><IX><N><SX>?\b/i
describe T_FRT_VIRGIN1 ReplaceTags: Virgin (1)
endif
##} T_FRT_VIRGIN1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FUZZY_OPTOUT /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i
describe T_FUZZY_OPTOUT Obfuscated opt-out text
endif
##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i
endif
##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
header T_HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
describe T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
# score T_HEADER_FROM_DIFFERENT_DOMAINS 0.25
endif
endif
##} T_HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ T_HK_NAME_DR ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta T_HK_NAME_DR __HK_NAME_DR && !FREEMAIL_FROM
#score T_HK_NAME_DR 1.0
endif
##} T_HK_NAME_DR ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ T_HK_NAME_FM_DR ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta T_HK_NAME_FM_DR __HK_NAME_DR && FREEMAIL_FROM
#score T_HK_NAME_FM_DR 1.5
endif
##} T_HK_NAME_FM_DR ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
#score T_HK_NAME_FM_FROM 1.5
endif
##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
#score T_HK_NAME_FROM 1.0
endif
##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
endif
##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
describe T_HTML_ATTACH HTML attachment to bypass scanning?
endif
##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body T_KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color')
describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
#score T_KAM_HTML_FONT_INVALID 0.1
endif
##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
##{ T_KHOP_FOREIGN_CLICK if ! plugin (Mail::SpamAssassin::Plugin::URIDetail)
if ! plugin (Mail::SpamAssassin::Plugin::URIDetail)
rawbody T_KHOP_FOREIGN_CLICK m{\bhref=[^>]{9,199}>[^<]{0,80}(?:<(?!/a\b)[^>]{0,299}>[^<]{0,80}){0,9}[^<]{0,80}\b(?:cli(?:quez\W|ck\Wa)ici\b|cli(?:cca\W|c\Wa|que\Wa)qu[^<.,a ]|klie?k(?:\Whi?er|ni(?:j|nite)\Wtu[tk]aj)\b)}si
endif
##} T_KHOP_FOREIGN_CLICK if ! plugin (Mail::SpamAssassin::Plugin::URIDetail)
##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
describe T_LARGE_PCT_AFTER_MANY Many large percentages after...
endif
##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i
endif
##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_LOTTO_AGENT_FM
header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
describe T_LOTTO_AGENT_FM Claims Agent
##} T_LOTTO_AGENT_FM
##{ T_LOTTO_AGENT_RPLY
header T_LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
describe T_LOTTO_AGENT_RPLY Claims Agent
##} T_LOTTO_AGENT_RPLY
##{ T_LOTTO_URI
uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i
describe T_LOTTO_URI Claims Department
##} T_LOTTO_URI
##{ T_MANY_HDRS_LCASE
describe T_MANY_HDRS_LCASE Odd capitalization of multiple message headers
#score T_MANY_HDRS_LCASE 0.10 # limit
##} T_MANY_HDRS_LCASE
##{ T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
##} T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
##{ T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
##} T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
describe T_MANY_PILL_PRICE Prices for many pills
endif
##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ T_MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_MIME_NO_TEXT __MIME_NO_TEXT && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW_rulesrc_sandbox_jm_20_basic_cf
# score T_MIME_NO_TEXT 2.00 # limit
describe T_MIME_NO_TEXT No (properly identified) text body parts
endif
##} T_MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY)
describe T_MONEY_PERCENT X% of a lot of money for you
endif
##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
endif
##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type
endif
##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type
endif
##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i
describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type
endif
##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
endif
##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type
endif
##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type
endif
##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
meta T_REMOTE_IMAGE __REMOTE_IMAGE
describe T_REMOTE_IMAGE Message contains an external image
endif
##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
##{ T_SHARE_50_50
meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY
describe T_SHARE_50_50 Share the money 50/50
##} T_SHARE_50_50
##{ T_SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta T_SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
describe T_SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
endif
##} T_SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i
endif
##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)<S><E><C><U><R><I><T><I><E><S>/i
endif
##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/
endif
##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists')
endif
##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers')
endif
##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH)
describe T_WON_MONEY_ATTACH You won lots of money! See attachment.
endif
##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH)
describe T_WON_NBDY_ATTACH You won lots of money! See attachment.
endif
##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB net
endif
##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
##{ URI_OBFU_WWW ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body URI_OBFU_WWW /(?<!http:\/\/)\b_*w{2,3}(?!\.[-\w]+\.(?:com|net|org|biz|info))[^[:alnum:]]{1,3}(?:<D><O><T>+[^[:alnum:]]{1,3})?[[:alnum:]][-\w]{1,20}[[:alnum:]][^[:alnum:]]{1,3}(?:<D><O><T>+[^[:alnum:]]{1,3})?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g|b\s?i\s?z|i\s?n\s?f\s?o)_*\b/i
describe URI_OBFU_WWW Obfuscated URI
endif
##} URI_OBFU_WWW ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ VANITY
meta VANITY (__V_KNOWN_VANITY && (__V_NO_COST + __V_INFORM_YOU + __V_INNERCIRCLE + __V_SHMUCK + __V_EXECS_PROS + __V_PUB_DEADLINE + __V_REGISTRY + __V_NOMINATION + __V_BIOGRAPHY + __V_ACCOLADES + __V_RECOGNITION + __V_DISTINGUISHED + __V_EXCELLENCE + __V_ACHIEVEMENT > 3)) || (__V_BESTOFAWARD && (__V_SBCAVANITY || __V_USCAVANITY))
describe VANITY Vanity or fake awards
#score VANITY 2.3
##} VANITY
##{ X_MAILER_CME_6543_MSN
header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
##} X_MAILER_CME_6543_MSN
##{ if !(! plugin (Mail::SpamAssassin::Plugin::URIDetail))_sandbox
if !(! plugin (Mail::SpamAssassin::Plugin::URIDetail))
uri_detail T_KHOP_FOREIGN_CLICK text =~ /\b(?:cli(?:quez\W|ck\Wa)ici\b|cli(?:cca\W|c\Wa|que\Wa)qu[^<.,a ]|klie?k(?:\Whi?er|ni(?:j|nite)\Wtu[tk]aj)\b)/i
endif
##} if !(! plugin (Mail::SpamAssassin::Plugin::URIDetail))_sandbox
##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
reuse RCVD_IN_PSBL
endif
##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
ifplugin Mail::SpamAssassin::Plugin::DNSEval
reuse __RCVD_IN_DNSWL
reuse RCVD_IN_DNSWL_NONE
reuse RCVD_IN_DNSWL_LOW
reuse RCVD_IN_DNSWL_MED
reuse RCVD_IN_DNSWL_HI
reuse RCVD_IN_DNSWL_BLOCKED
reuse RCVD_IN_IADB_LISTED
reuse RCVD_IN_IADB_EDDB
reuse RCVD_IN_IADB_EPIA
reuse RCVD_IN_IADB_SPF
reuse RCVD_IN_IADB_SENDERID
reuse RCVD_IN_IADB_DK
reuse RCVD_IN_IADB_RDNS
reuse RCVD_IN_IADB_GOODMAIL
reuse RCVD_IN_IADB_NOCONTROL
reuse RCVD_IN_IADB_OPTOUTONLY
reuse RCVD_IN_IADB_UNVERIFIED_1
reuse RCVD_IN_IADB_UNVERIFIED_2
reuse RCVD_IN_IADB_LOOSE
reuse RCVD_IN_IADB_OPTIN_LT50
reuse RCVD_IN_IADB_OPTIN_GT50
reuse RCVD_IN_IADB_OPTIN
reuse RCVD_IN_IADB_DOPTIN_LT50
reuse RCVD_IN_IADB_DOPTIN_GT50
reuse RCVD_IN_IADB_DOPTIN
reuse RCVD_IN_IADB_ML_DOPTIN
reuse RCVD_IN_IADB_OOO
reuse RCVD_IN_IADB_MI_CPEAR
reuse RCVD_IN_IADB_UT_CPEAR
reuse RCVD_IN_IADB_MI_CPR_30
reuse RCVD_IN_IADB_UT_CPR_30
reuse RCVD_IN_IADB_MI_CPR_MAT
reuse RCVD_IN_IADB_UT_CPR_MAT
endif
##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __FRT_GOLD
replace_rules __FRT_SILVER
replace_inter W0 \w?
replace_inter SP2 [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]?
replace_tag GX [gk6]
replace_tag IX [ilt|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef]
replace_tag SX [sz5\xa6\xa7]
replace_tag TX [t|]
replace_tag UX [u\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]
replace_tag WX (?:[wv]|vv)
replace_rules T_FRT_ABSOLUT
replace_rules FRT_ADOBE2
replace_rules T_FRT_ADULT2
replace_rules FRT_APPROV
replace_rules T_FRT_BEFORE
replace_rules T_FRT_BELOW2
replace_rules FRT_BIGGERMEM1
replace_rules T_FRT_CANSPAM
replace_rules T_FRT_CLICK
replace_rules T_FRT_COCK
replace_rules T_FRT_CONTACT
replace_rules FRT_DISCOUNT
replace_rules T_FRT_ERECTION
replace_rules T_FRT_ESTABLISH
replace_rules T_FRT_EXPERIENCE
replace_rules T_FRT_FOLLOW1
replace_rules T_FRT_FOLLOW2
replace_rules T_FRT_FREE
replace_rules T_FRT_FRIEND
replace_rules T_FRT_FUCK1
replace_rules T_FRT_HEALTH
replace_rules T_FRT_HOUR
replace_rules T_FRT_INCOME
replace_rules T_FRT_INTEREST
replace_rules T_FRT_LITTLE
replace_rules T_FRT_LOLITA1
replace_rules FRT_OFFER2
replace_rules T_FRT_OPPORTUN1
replace_rules T_FRT_PACKAGE
replace_rules T_FRT_PAYMENT
replace_rules FRT_PENIS1
replace_rules T_FRT_PHARMAC
replace_rules T_FRT_POSSIBLE
replace_rules FRT_PRICE
replace_rules T_FRT_PROFILE1
replace_rules T_FRT_PROFILE2
replace_rules T_FRT_PROFIT1
replace_rules T_FRT_PROFIT2
replace_rules T_FRT_PUSSY
replace_rules FRT_ROLEX
replace_rules T_FRT_SLUT
replace_rules T_FRT_STOCK1
replace_rules T_FRT_STOCK2
replace_rules T_FRT_VIRGIN1
replace_rules T_FUZZY_SPRM
replace_rules FUZZY_MERIDIA
replace_rules TVD_FUZZY_PHARMACEUTICAL
replace_rules TVD_FUZZY_SYMBOL
replace_rules T_TVD_FUZZY_SECURITIES
replace_rules TVD_FUZZY_FINANCE
replace_rules TVD_FUZZY_FIXED_RATE
replace_rules TVD_FUZZY_MICROCAP
replace_rules T_TVD_FUZZY_SECTOR
replace_rules TVD_FUZZY_DEGREE
replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?s?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})
replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|postal)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
replace_tag FF_F1 (?:(?:bank|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|a\/c|<NUMBER>)<ANDOR>?){1,3}
replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>
replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
replace_rules __FILL_THIS_FORM_LONG1
replace_rules __FILL_THIS_FORM_LONG2
replace_rules __FILL_THIS_FORM_PARTIAL
replace_rules __FILL_THIS_FORM_PARTIAL_RAW
replace_rules __FILL_THIS_FORM_SHORT1
replace_rules __FILL_THIS_FORM_SHORT2
replace_rules __FILL_THIS_FORM_LOAN1
replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
replace_tag CURRENCY [\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?
replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b
replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04
replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent)
replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS
replace_rules T_FUZZY_OPTOUT
replace_rules URI_OBFU_WWW
replace_rules T_LFUZ_PWRMALE
endif
##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
##{ ifplugin Mail::SpamAssassin::Plugin::URIDetail_sandbox
ifplugin Mail::SpamAssassin::Plugin::URIDetail
uri_detail T_AJB_CANPOST_BADLINK raw !~ /canadapost\./ text =~ /(?:https?:\/\/|www\.)canadapost\./ type =~ /^a$/
uri_detail T_AJB_UTUBE_BADLINK raw !~ /youtube\./ text =~ /(?:https?:\/\/|www\.)youtube\./ type =~ /^a$/
endif
##} ifplugin Mail::SpamAssassin::Plugin::URIDetail_sandbox
##{ redirector_pattern_sandbox
redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i
##} redirector_pattern_sandbox
##{ reuse_sandbox
reuse T_RCVD_IN_NIX_SPAM
##} reuse_sandbox
meta __ACH_CANCELLED (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && (__HAS_ANY_URI || LOTS_OF_MONEY)
body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
endif
meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && __ADVANCE_FEE_2_NEW
meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
meta __ADVANCE_FEE_2_NEW_MONEY LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && __ADVANCE_FEE_3_NEW
meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
meta __ADVANCE_FEE_3_NEW_MONEY LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && __ADVANCE_FEE_4_NEW
meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
meta __ADVANCE_FEE_4_NEW_MONEY LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && __ADVANCE_FEE_5_NEW
meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
meta __ADVANCE_FEE_5_NEW_MONEY LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
body __AFF_LOTTERY /(?:lottery|winner)/i
meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION)
body __AFR_UNION /\bafrican\sunion\b/i
body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i
header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i
endif
body __APPROVALFVGT /approval/i
body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
endif
body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/
header __AXB_MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/
header __AXB_MO_OL_22B61 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
header __AXB_MO_OL_4379D X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2180/
header __AXB_MO_OL_616F8 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1409/
header __AXB_MO_OL_7EB15 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.0\.6001\.18049/
header __AXB_MO_OL_8627E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
header __AXB_MO_OL_A275F X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1506/
header __AXB_MO_OL_A6545 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1807/
header __AXB_MO_OL_A7B9C X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1106/
header __AXB_MO_OL_B11B5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.0\.6001\.18645/
header __AXB_MO_OL_C485C X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.5994/
header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
header __AXB_XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/
header __AXB_XM_OL_22B61 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1158/
header __AXB_XM_OL_4379D X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2900\.2180/
header __AXB_XM_OL_616F8 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1409/
header __AXB_XM_OL_7EB15 X-Mailer =~ /Microsoft\ Windows\ Mail\ 6\.0\.6001\.18000/
header __AXB_XM_OL_8627E X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1437/
header __AXB_XM_OL_A275F X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1506/
header __AXB_XM_OL_A6545 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1807/
header __AXB_XM_OL_A7B9C X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1106/
header __AXB_XM_OL_B11B5 X-Mailer =~ /Microsoft\ Windows\ Mail\ 6\.0\.6001\.18416/
header __AXB_XM_OL_C485C X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2900\.5512/
body __BACHELORS /Bachelor/i
body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
body __BANK_DRAFT /\bbank\sdraft/i
body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
full __BASE64_MDAW /^(?:MDAw){12}/
endif
body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i
body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i
body __BIGDOLLARSFVGT /\$\d{2,3},\d{3}/
body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
body __BODY_TEXT_LINE /^\s*\S/
tflags __BODY_TEXT_LINE multiple maxhits=3
rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i
body __BURKINA_FASO /\bburkina\s?faso\b/i
body __CAN_HELP /can help/
body __CASHPRZ /cash prize of/
body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i
body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here)\b/i
body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i
body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i
body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i
body __COURIER /\bcourier\s(?:company|service)\b/i
body __CS_WORD /\bC[A-Za-z]{2,4}IS\b/
header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
endif
header __DATE_700 Date =~ /-0700/
body __DBLCLAIM /avoid double claiming/
body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i
body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i
body __DECEASED /\b(?:the|my|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i
body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i
body __DIED_IN /\bdied\sin\b/i
body __DIPLOMA /diploma/i
body __DIPLOMATIC /\bdiplomatic\b/i
header __DKIM_EXISTS exists:DKIM-Signature
tflags __DKIM_EXISTS nice
body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
endif
body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i
body __DOS_BODY_FRI /\bfri(?:day)?\b/i
body __DOS_BODY_MON /\bmon(?:day)?\b/i
body __DOS_BODY_SAT /\bsat(?:day)?\b/i
body __DOS_BODY_STOCK /\bstock\b/i
body __DOS_BODY_SUN /\bsun(?:day)?\b/i
body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
body __DOS_DROP_ME_A_LINE /Drop me a line at/
body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
uri __DOS_HAS_ANY_URI /./
header __DOS_HAS_LIST_ID exists:List-ID
header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
header __DOS_HAS_MAILING_LIST exists:Mailing-List
body __DOS_HI /^Hi,$/
body __DOS_I_AM_25 /I a.?m 25/
body __DOS_I_DRIVE_A /I drive a/
body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
body __DOS_LINK /\blink\b/
body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
body __DOS_MY_OLD_JOB /my old job/
body __DOS_PERSONAL_EMAIL /personal email at/
header __DOS_RCVD_FRI Received =~ / Fri, /
header __DOS_RCVD_MON Received =~ / Mon, /
header __DOS_RCVD_SAT Received =~ / Sat, /
header __DOS_RCVD_SUN Received =~ / Sun, /
header __DOS_RCVD_THU Received =~ / Thu, /
header __DOS_RCVD_TUE Received =~ / Tue, /
header __DOS_RCVD_WED Received =~ / Wed, /
meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
body __DOS_STRONG_CF /\bstrong cash flow/i
body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
body __EARLY_DEMISE /\buntimely\sdeath\b/i
meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 1)
meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 3)
meta __EMAIL_URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && __EMAIL_PHISH
meta __EMPTY_BODY __BODY_TEXT_LINE < 2
header __EXCLAIM_SUBJ Subject =~ /\!/
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
endif
body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i
body __FB_BA /\bBA\b/
body __FB_BCs /\bBSc\b/
body __FB_BRAND_NAME /brand name/i
body __FB_CONGRADS /Congratulations/i
body __FB_COST /cost/i
body __FB_DESIGNER /designer/i
body __FB_GAME /game/i
body __FB_GLASHUTE /Glashute/
body __FB_HANDBAGS /handbags/i
body __FB_HOTTEST /hottest/i
body __FB_INK_PEN /ink pen/i
body __FB_LOTTERY /lottery/i
body __FB_LUX_GIFTS /Luxury (?:\w+\s)?Gifts/i
body __FB_MA /\bMA\b/
body __FB_MBA /\bMBA\b/
body __FB_NATIONAL /national/i
body __FB_NUM_PERCNT /\d\s?\%/
body __FB_OMEGA /Omega/i
body __FB_PICK /\bpick\b/i
body __FB_PROJECTED /projected/i
body __FB_P_ALLNIGHT /all night!/i
body __FB_P_TRUELOVE /true love/i
body __FB_ROLEX_MEN /Rolex Men/i
body __FB_ROLEX_WMEN /Rolex Lady/i
body __FB_S_PRICE /Pri{1,2}c[a-z]?e/i
body __FB_S_STOCK /Stock/i
body __FB_S_SYMBOL /Symb?o?l?:\s?[A-Z_,\.-]{4,8}/i
body __FB_TIMEPIECE /timepiece/i
body __FB_TOUR /\btour/i
body __FB_WALLETS /wallets/i
body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i
header __FHELO_VERIZON X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+verizon\.net /i
header __FHOST_VERIZON X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+verizon\.net /i
header __FH_FRM_53 From =~ /\@53\.com/i
header __FH_HAS_XMSMAIL exists:X-MSMail-Priority
header __FH_HAS_XPRIORITY exists:X-Priority
header __FH_MSGID_01C7 MESSAGEID =~ /^<0{1,5}1c7/
header __FH_MSG_53 MESSAGEID =~ /\@53\.com/i
header __FH_RCV_53 Received =~ /\.53\.com/i
body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)\b/
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH)
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im
tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
endif
body __FIXED_RATEFVGT /fixed rate/i
header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
meta __FM_LARGE_MONEY (__F_LARGE_MONEY || __F_LARGE_MONEY_2)
meta __FM_MORTGAGE5PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 4)
meta __FM_MORTGAGE6PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 5)
meta __FM_MY_PRICE (__FB_S_PRICE || FRT_PRICE)
meta __FM_NAT_LOTTERY (__FB_NATIONAL && __FB_LOTTERY)
meta __FM_STOCK_WORDS (__FB_HOTTEST || __FB_PICK || __FB_PROJECTED)
meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
tflags __FOR_SALE_LTP multiple maxhits=11
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_NET /00\.? NET/i
tflags __FOR_SALE_NET multiple maxhits=11
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_OBO /\bor best offer\b/i
tflags __FOR_SALE_OBO multiple maxhits=6
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
tflags __FOR_SALE_PRC_100K multiple maxhits=11
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
tflags __FOR_SALE_PRC_10K multiple maxhits=11
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
tflags __FOR_SALE_PRC_1K multiple maxhits=11
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
tflags __FOR_SALE_PRC_EOL multiple maxhits=11
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
endif
body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i
body __FRAUD /\b(?:de)?fraud/i
body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v.llig Risikofrei ist)\b/i
body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i
body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|col+aboration\swith\sme)\b/i
header __FROM_12LTRDOM_1 From =~ /\@(?!facebookmail)[a-z]{12}\./
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
endif
header __FROM_AMEX From =~ /american\s?express/i
header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i
header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i
header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)\.com$/i
header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i
header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i
header __FROM_ISO_2022_JP From:raw =~ /=\?ISO-2022-JP\?/
header __FROM_LEFT_BRACK From:name =~ /</
header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i
header __FROM_LOWER ALL =~ /from:\s\S{5}/
header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta __FROM_MISSP_DKIM (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE)
tflags __FROM_MISSP_DKIM net
endif
meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __ENV_AND_HDR_FROM_MATCH
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
endif
meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
meta __FROM_MISSP_REPLYTO __FROM_RUNON && __REPLYTO_EXISTS
header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
header __FROM_PAYPAL_LOOSE From =~ /paypal/i
header __FROM_RIGH_BRACK From:name =~ />/
header __FROM_RUNON From =~ /\S+<\w+/
header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
header __FROM_VEGAS From =~ /Vegas/i
header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i
header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FRT_GOLD /<inter SP2><post P2>\b(?!gold)<G><O><L><D>\b/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FRT_SILVER /<inter SP2><post P2>\b(?!s[il][li]ver)<S><I><L><V><E><R>\b/i
endif
rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
header __FS_PROFIT Subject =~ /profit/i
header __FS_SUBJ_RE Subject =~ /^Re: /
header __FS_S_TRADE Subject =~ /\btrade\b/i
header __FS_YOU Subject =~ /you\b/i
body __F_LARGE_MONEY /\d\d\d,\d\d\d/
body __F_LARGE_MONEY_2 /\d\d?\s?(?:thousand|(?:m|b|tr)illion)/i
body __GHANA /\bghana\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
endif
body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i
meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && __EMAIL_PHISH
body __HAS_ANY_EMAIL /\w@\S+\.\w/
uri __HAS_ANY_URI /./
header __HAS_THREAD_INDEX exists:Thread-Index
body __HAS_WON_01 /\bque ha ganado\b/i
header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
tflags __HDRS_LCASE multiple maxhits=3
meta __HDRS_LCASE_1K __HDRS_LCASE && __SINGLE_HEADER_1K
meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
body __HK_LOTTO_1 /\b(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department) ?lot(?:eri[ej]|t(?:ery|o))/i
body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
body __HK_LOTTO_JACKPOT /\bmega jackpot\b/i
body __HK_LOTTO_STAATS /\bstaatsloteri/i
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __HK_NAME_DR From:name =~ /^DR\b/mi
endif
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __HK_NAME_FROM From:name =~ /^FROM\b/mi
endif
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
endif
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
endif
body __HOMELOANFVGT /home loan/i
header __HOST_HOTMAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /
header __HOTMAILCOM X-Spam-Relays-External =~ /^[^\]]+ helo=hotmail\.com /i
rawbody __HS_QUOTE_rulesrc_sandbox_jm_20_basic_cf /^> /
header __HS_SUBJ_RE_FW_rulesrc_sandbox_jm_20_basic_cf Subject =~ /^(?i:re|fw):/
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
endif
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __HTML_COMMENT_10000 eval:html_text_match('comment', '(?s)^(?=.{10000})')
endif
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __HTML_COMMENT_20000 eval:html_text_match('comment', '(?s)^(?=.{20000})')
endif
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __HTML_COMMENT_30000 eval:html_text_match('comment', '(?s)^(?=.{30000})')
endif
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __HTML_COMMENT_50000 eval:html_text_match('comment', '(?s)^(?=(?:.{25000}){2})')
endif
body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
body __IMG_LE_300K eval:pixel_coverage('all',62500,300000)
endif
body __INHERIT_PMT /\binheritance\spayment\s/i
body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i
body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement)\b/i
body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i
body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i
body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i
header __JM_REACTOR_DATE Date =~ / \+0000$/
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpeg/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i
endif
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
endif
endif
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
endif
endif
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
endif
endif
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
endif
endif
body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
if ! plugin (Mail::SpamAssassin::Plugin::OpenPGP)
body __KHOP_PGP_I1 /-----BEGIN PGP (?:SIGNATURE|MESSAGE|PUBLIC|PRIVATE)(?:, PART [0-9]{1,4}\/[0-9]{1,4}| KEY BLOCK)?-----/
tflags __KHOP_PGP_I1 nice
endif
if ! plugin (Mail::SpamAssassin::Plugin::OpenPGP)
body __KHOP_PGP_I2 /-----END PGP/
tflags __KHOP_PGP_I2 nice
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __LARGE_PERCENT_AFTER /\d{3}% after/i
tflags __LARGE_PERCENT_AFTER multiple maxhits=4
endif
uri __LOANURIFVGT /\bloa.?ns?\b/i
uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i
body __LOCK_MAILBOX /\b(?:(?:deactivate|lock|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona)/i
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?\d[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?\d[\d.,\sOo]{5,20}[\dOo](?<!\.00)/
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __LOTSA_MONEY_02 /\d[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)\d[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __LOTSA_MONEY_04 /(?:\d[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|bucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)\d[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i
endif
meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2
body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i
body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i
uri __LOTTO_ADMITS_3 /lott+ery/i
body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?)\s?(?:agent|manager|officer|secretary|director|mgr\b)/i
body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i
if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
meta __LOTTO_ATTACH_1 0
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i
endif
if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
meta __LOTTO_ATTACH_2 0
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i
endif
body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i
body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i
body __LOTTO_VERIFY /\bpromo\sverification/i
body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i
body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i
body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i
body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i
body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit|quota))|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail (?:account|log-?in|box|address)\b/i
uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i
tflags __MAIL_LINK nice
meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,100}){3}/
meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
body __MASTERS /Masters/i
body __MBA /MBA/i
header __MID_START_001C Message-ID =~ /^<000001c/
body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i
header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
endif
header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET]
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM
meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
uri __MORTURIFVGT /\bmor.?t\b/i
body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriate|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:sums?\sof\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i
header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./
tflags __MSGID_JAVAMAIL nice
header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
tflags __MSGID_LIST nice
header __MSGID_VGA Message-ID =~ /^<000001c[67]/
header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
header __MUA_TBIRD User-Agent =~ /Thunderbird/
body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i
header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/
header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i
body __NIGERIA /\bnigeria\b/i
meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
tflags __NOT_A_PERSON nice
body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede)\b/i
body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i
tflags __NOT_SPOOFED nice
if ! plugin (Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::SPF)
meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF.
endif
endif
if ! plugin (Mail::SpamAssassin::Plugin::DKIM)
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF
endif
endif
if !(! plugin (Mail::SpamAssassin::Plugin::DKIM))
if !plugin(Mail::SpamAssassin::Plugin::SPF)
meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
endif
endif
if !(! plugin (Mail::SpamAssassin::Plugin::DKIM))
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
endif
endif
meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
body __ONE_IMG eval:image_count('all',1,1)
endif
header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./
body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CL Content-Location =~ /./
endif
body __PAY_YOU /\bpay\syou\b/
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PDF_ATTACH Content-Type =~ m,\bapplication/pdf\b,i
meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
endif
if ! plugin (Mail::SpamAssassin::Plugin::OpenPGP)
meta __PGP_INLINE ( __KHOP_PGP_I1 && __KHOP_PGP_I2 )
tflags __PGP_INLINE nice noautolearn
endif
if ! plugin (Mail::SpamAssassin::Plugin::OpenPGP)
header __PGP_SIGNED Content-Type =~ /multipart\/signed;.*\/pgp-signature/s
tflags __PGP_SIGNED nice noautolearn
endif
body __PHD /PhD/i
meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2
header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./
header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/
header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
tflags __PILL_PRICE_01 multiple maxhits=3
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
tflags __PILL_PRICE_02 multiple maxhits=3
endif
body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
body __PREAPPROVEDFVGT /pre-approved/i
body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i
header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "
header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "
header __RCD_RDNS_DIAL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dial/i
header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
tflags __RCD_RDNS_MAIL_MESSY nice
header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
tflags __RCD_RDNS_MTA_MESSY nice
header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
tflags __RCD_RDNS_MX nice
header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
tflags __RCD_RDNS_MX_MESSY nice
header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
tflags __RCD_RDNS_SMTP_MESSY nice
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
tflags __RCVD_IN_DNSWL nice net
endif
header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
endif
header __REPLYTO_EXISTS exists:Reply-To
if !(version >= 3.003000)
meta __RP_MATCHES_RCVD 0
endif
if version >= 3.003000
if !plugin(Mail::SpamAssassin::Plugin::WLBLEval)
meta __RP_MATCHES_RCVD 0
endif
endif
if version >= 3.003000
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
endif
endif
body __SCAM /\bscam(?:m?e[dr])?s?\b/i
header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i
tflags __SENDER_BOT nice
body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
header __SINGLE_HEADER_1K ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan|D\w{3,8}-Signature)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s
rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
tflags __SPAN_BEG_TEXT multiple maxhits=5
rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
tflags __SPAN_END_TEXT multiple maxhits=5
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
tflags __SPF_FULL_PASS net
endif
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
tflags __SPF_RANDOM_SENDER net
endif
rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
meta __STYLE_GIBBERISH (__STYLE_GIBBERISH_1 || __STYLE_GIBBERISH_2)
rawbody __STYLE_GIBBERISH_1 /<style[^>]{0,30}>(?:\s{0,80}[^\s:;<]){150}/im
rawbody __STYLE_GIBBERISH_2 /\.style\w{0,20}\s{1,10}\{[^:;]{200}/im
body __STYLE_TAG_IN_BODY /<style(?:[^>]{0,30})?>/i
header __SUBJ_3DIGIT Subject =~ /\b\d{3}[^0-9]/
header __SUBJ_APPROVE Subject =~ /Approve/i
meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou])[a-z]{1,3}[A-Z][a-z]{2}/
tflags __SUBJ_BROKEN_WORD multiple maxhits=2
header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism
header __SUBJ_RE Subject =~ /^R[eE]:/
header __SUBJ_VEGAS Subject =~ /(?:Vegas|Casino)/i
body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
tflags __SUBSCRIPTION_INFO nice
body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i
body __SURVEY /\bsurvey\b/i
body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i
body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
header __TAB_IN_FROM From:raw =~ /^\t/s
describe __TAB_IN_FROM From starts with a tab
header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i
meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
tflags __THREADED nice
header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
tflags __TO_EQ_FM_DOM_SPF_FAIL net
endif
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
tflags __TO_EQ_FM_SPF_FAIL net
endif
meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe __TO_EQ_FROM To: same as From:
header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe __TO_EQ_FROM_DOM To: domain same as From: domain
header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
endif
meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON
meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY
meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
meta __TO_NO_BRKTS_NORDNS __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && RDNS_NONE
header __TO_UNDISCLOSED To =~ /(?:undisclosed-recipients|destinataires inconnus):/i
body __TO_YOUR_ACCT /\b(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)\s(?:to|para|en)\s(?:your|sua|votre)\s(?:account|conta|pos+es+ion)/i
header __TO___LOWER ALL =~ /to:\s\S{5}/
body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i
body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i
body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
rawbody __TR_JS_CONCATINATED_HTTP m@\b(?!http:/)h["'+]{0,3}(?:t["'+]{0,3}){2}p['"+]{0,3}:['"+]{0,3}/@
describe __TR_JS_CONCATINATED_HTTP Contains concatenated URI like "htt"+"p://..."
rawbody __TR_JS_EXTRA_CONCAT /[+=(]\s{0,9}["'][a-z0-9.]{1,32}["'] ?\+ ?["'][a-z0-9]{1,32}["']/i
describe __TR_JS_EXTRA_CONCAT JavaScript: Unnecessary string concatenation
rawbody __TR_JS_EXTRA_UNESCAPE /[+=(]\s{0,9}unescape\s{0,9}\(\s{0,9}["']%(?i:6[1-9A-F]|7[0-9A])/
describe __TR_JS_EXTRA_UNESCAPE JavaScript: Unnecessary URI escaping
header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
header __TT_VALIUM Subject =~ /VALIUM/i
header __TT_VIAGRA Subject =~ /VIAGRA/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
endif
body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
body __TVD_PH_BODY_08 /\bmultiple password failures/i
body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i
body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
header __UA_GNUS User-Agent =~ /^Gnus/
header __UA_KNODE User-Agent =~ /^KNode/
header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
header __UA_MUTT User-Agent =~ /^Mutt/
header __UA_PAN User-Agent =~ /^Pan/
header __UA_XNEWS User-Agent =~ /^Xnews/
body __UN /\bunited\snations?\b/i
body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i
tflags __UNSUB_EMAIL nice
uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
tflags __UNSUB_LINK nice
body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta)\b/i
uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i
uri __URI_MAILTO /^mailto:/i
tflags __URI_MAILTO multiple maxhits=16
meta __URI_MAILTO_MANY __URI_MAILTO > 15
uri __URL_SHORTENER /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}\/?/
header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
tflags __VACATION nice
body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta)\b/i
body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
body __VA_WORD /\bV[A-Za-z]{2,4}RA\b/
body __VM_WORD /\bV[A-Za-z]{2,5}UM\b/
body __V_ACCOLADES /\baccolades?\b/i
body __V_ACHIEVEMENT /\bbenchmark of achievement\b/i
body __V_BESTOFAWARD /\bBest of \w+ Award/
body __V_BIOGRAPHY /\b(?:biography|biographies|biographical)\b/i
body __V_CBNVANITY /\bContinental Broadcasting Network\b/
body __V_DISTINGUISHED /\bdistinguished\b/i
body __V_DPHPVANITY /\bDistinguished Professionals Hardcover Publication\b/
body __V_EXCELLENCE /\b(?:demonstrated|commitment to) excellence\b/i
body __V_EXECS_PROS /\bexecutives? (?:and|&) professionals?\b/i
body __V_HONOR_SOCIETY /\bHonor Society\b/
body __V_INFORM_YOU /\b(?:pleased?|pleasure) to inform you\b/
body __V_INNERCIRCLE /\bInner Circle\b/
meta __V_KNOWN_VANITY __V_PRINCETONPRE || __V_WHOSWHO || __V_DPHPVANITY || __V_CBNVANITY || __V_HONOR_SOCIETY
body __V_NOMINATION /\b(?:nominated|nomination|potential candidate)\b/i
body __V_NO_COST /\b(?:no costs?|cost-? *free|free of costs?|no fees?|neither cost nor obligation)\b/i
body __V_PRINCETONPRE /\bPrinceton Premier/
body __V_PUB_DEADLINE /\bpublication deadlines?\b/i
body __V_RECOGNITION /\brecognition\b/i
body __V_REGISTRY /\bregistry\b/i
body __V_SBCAVANITY /\bSmall Business Commerce Association/
body __V_SHMUCK /\b(?:accomplished|distinguished|exceptional|talented|calibre of) +(?:professionals?|individuals?)\b/i
body __V_USCAVANITY /\bUS Commerce Association/
body __V_WHOSWHO /\bWho.s Who\b/
body __WEBMAIL_ACCT /\byour web ?mail account/i
body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i
body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i
body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
header __XM_GNUS X-Mailer =~ /^Gnus v/
header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
body __YOUR_ACCOUNT /your account/i
body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i
body __YOUR_CREDITFVGT /your credit/i
body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|nicht\sausbezahlten\s){0,3}(?:fund|payment|geld)\b/i
body __YOUR_PERM /\byour\spermission\b/i
body __YOUR_PROFIT /\byour?\sprofit/i
body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i
body __YOU_HAVE_WON /you(?: \w+)? won/i
body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i
meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))
body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!'t)\b/i
body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i
body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang)))/i
body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i
body __YOU_WON_05 /\bI won\b/i
meta __YOU_WON_SOMTIN (__YOU_HAVE_WON || __FB_CONGRADS)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/zip[;\s]*$,i
endif
body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i