)(?!pay[-\s]?pal) )(?!privacy) )(?!promotion) /i
describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap"
endif
##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_PHARMACEUTICAL /)(?!savings)/i
describe FUZZY_SAVINGS Obfuscated "savings"
tflags FUZZY_SAVINGS publish
endif
##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_SECURITY /(?=)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)![](['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"])
.{0,200}]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200} tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
##} MANY_SPAN_IN_TEXT
##{ MAY_BE_FORGED
meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
##} MAY_BE_FORGED
##{ MID_DEGREES
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##} MID_DEGREES
##{ MILLION_HUNDRED
body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
describe MILLION_HUNDRED Million "One to Nine" Hundred
tflags MILLION_HUNDRED publish
##} MILLION_HUNDRED
##{ MILLION_USD
body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
describe MILLION_USD Talks about millions of dollars
#score MILLION_USD 2
##} MILLION_USD
##{ MIMEOLE_DIRECT_TO_MX
meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
#score MIMEOLE_DIRECT_TO_MX 2.000 # limit
tflags MIMEOLE_DIRECT_TO_MX publish
##} MIMEOLE_DIRECT_TO_MX
##{ MIME_BOUND_EQ_REL
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
##} MIME_BOUND_EQ_REL
##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
# score MIME_NO_TEXT 2.00 # limit
describe MIME_NO_TEXT No (properly identified) text body parts
tflags MIME_NO_TEXT publish
endif
##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
endif
##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MIXED_AREA_CASE
meta MIXED_AREA_CASE __MIXED_AREA_CASE
describe MIXED_AREA_CASE Has area tag in mixed case
#score MIXED_AREA_CASE 2.500 # limit
tflags MIXED_AREA_CASE publish
##} MIXED_AREA_CASE
##{ MIXED_CENTER_CASE
meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
describe MIXED_CENTER_CASE Has center tag in mixed case
#score MIXED_CENTER_CASE 2.500 # limit
tflags MIXED_CENTER_CASE publish
##} MIXED_CENTER_CASE
##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
describe MIXED_ES Too many es are not es
tflags MIXED_ES publish
# lang pl score MIXED_ES 0.01
# lang cz score MIXED_ES 0.01
# lang sk score MIXED_ES 0.01
# lang hr score MIXED_ES 0.01
# lang el score MIXED_ES 0.01
endif
endif
##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ MIXED_FONT_CASE
meta MIXED_FONT_CASE __MIXED_FONT_CASE
describe MIXED_FONT_CASE Has font tag in mixed case
#score MIXED_FONT_CASE 2.500 # limit
tflags MIXED_FONT_CASE publish
##} MIXED_FONT_CASE
##{ MIXED_HREF_CASE
meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH
describe MIXED_HREF_CASE Has href in mixed case
#score MIXED_HREF_CASE 2.000 # limit
tflags MIXED_HREF_CASE publish
##} MIXED_HREF_CASE
##{ MIXED_IMG_CASE
meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
describe MIXED_IMG_CASE Has img tag in mixed case
#score MIXED_IMG_CASE 3.000 # limit
tflags MIXED_IMG_CASE publish
##} MIXED_IMG_CASE
##{ MONERO_DEADLINE
meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
describe MONERO_DEADLINE Monero cryptocurrency with a deadline
#score MONERO_DEADLINE 3.000 # limit
tflags MONERO_DEADLINE publish
##} MONERO_DEADLINE
##{ MONERO_EXTORT_01
meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
#score MONERO_EXTORT_01 5.000 # limit
tflags MONERO_EXTORT_01 publish
##} MONERO_EXTORT_01
##{ MONERO_MALWARE
meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
describe MONERO_MALWARE Monero cryptocurrency + malware bragging
#score MONERO_MALWARE 3.500 # limit
tflags MONERO_MALWARE publish
##} MONERO_MALWARE
##{ MONERO_PAY_ME
meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
describe MONERO_PAY_ME Pay me via Monero cryptocurrency
#score MONERO_PAY_ME 3.000 # limit
tflags MONERO_PAY_ME publish
##} MONERO_PAY_ME
##{ MONEY_ATM_CARD
meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
describe MONEY_ATM_CARD Lots of money on an ATM card
##} MONEY_ATM_CARD
##{ MONEY_FORM
meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
describe MONEY_FORM Lots of money if you fill out a form
##} MONEY_FORM
##{ MONEY_FORM_SHORT
meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
describe MONEY_FORM_SHORT Lots of money if you fill out a short form
#score MONEY_FORM_SHORT 2.500 # limit
##} MONEY_FORM_SHORT
##{ MONEY_FRAUD_3
meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_3 Lots of money and several fraud phrases
tflags MONEY_FRAUD_3 publish
##} MONEY_FRAUD_3
##{ MONEY_FRAUD_5
meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_5 Lots of money and many fraud phrases
tflags MONEY_FRAUD_5 publish
##} MONEY_FRAUD_5
##{ MONEY_FRAUD_8
meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
tflags MONEY_FRAUD_8 publish
##} MONEY_FRAUD_8
##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
# score MONEY_FREEMAIL_REPTO 3.000 # limit
tflags MONEY_FREEMAIL_REPTO publish
endif
##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ MONEY_FROM_41
meta MONEY_FROM_41 __MONEY_FROM_41
describe MONEY_FROM_41 Lots of money from Africa
#score MONEY_FROM_41 2.00 # limit
##} MONEY_FROM_41
##{ MSGID_DOLLARS_URI_IMG
meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
#score MSGID_DOLLARS_URI_IMG 3.000 # limit
tflags MSGID_DOLLARS_URI_IMG publish
##} MSGID_DOLLARS_URI_IMG
##{ MSGID_HDR_MALF
meta MSGID_HDR_MALF __HAS_MESSAGEID
describe MSGID_HDR_MALF Has invalid message ID header
#score MSGID_HDR_MALF 3.500 # limit
tflags MSGID_HDR_MALF publish
##} MSGID_HDR_MALF
##{ MSGID_MULTIPLE_AT
header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
#score MSGID_MULTIPLE_AT 0.001
##} MSGID_MULTIPLE_AT
##{ MSMAIL_PRI_ABNORMAL
meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
describe MSMAIL_PRI_ABNORMAL Email priority often abused
#score MSMAIL_PRI_ABNORMAL 1.500 # limit
##} MSMAIL_PRI_ABNORMAL
##{ MSM_PRIO_REPTO
meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
#score MSM_PRIO_REPTO 2.500 # limit
tflags MSM_PRIO_REPTO publish
##} MSM_PRIO_REPTO
##{ MSOE_MID_WRONG_CASE
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE
##{ NA_DOLLARS
body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
describe NA_DOLLARS Talks about a million North American dollars
#score NA_DOLLARS 1.5
##} NA_DOLLARS
##{ NEWEGG_IMG_NOT_RCVD_NEGG
meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
##} NEWEGG_IMG_NOT_RCVD_NEGG
##{ NEW_PRODUCTS
meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY
#score NEW_PRODUCTS 1.250 # limit
tflags NEW_PRODUCTS publish
##} NEW_PRODUCTS
##{ NICE_REPLY_A
meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
describe NICE_REPLY_A Looks like a legit reply (A)
tflags NICE_REPLY_A nice
##} NICE_REPLY_A
##{ NORDNS_LOW_CONTRAST
meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED
describe NORDNS_LOW_CONTRAST No rDNS + hidden text
#score NORDNS_LOW_CONTRAST 2.500 # limit
##} NORDNS_LOW_CONTRAST
##{ NOT_SPAM
body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
tflags NOT_SPAM publish
##} NOT_SPAM
##{ NO_FM_NAME_IP_HOSTN
meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
#score NO_FM_NAME_IP_HOSTN 2.500 # limit
tflags NO_FM_NAME_IP_HOSTN publish
##} NO_FM_NAME_IP_HOSTN
##{ NSL_RCVD_FROM_USER
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
##} NSL_RCVD_FROM_USER
##{ NSL_RCVD_HELO_USER
header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User
##} NSL_RCVD_HELO_USER
##{ NULL_IN_BODY
full NULL_IN_BODY /\x00/
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY
##{ NUMBERONLY_BITCOIN_EXP
meta NUMBERONLY_BITCOIN_EXP __NUMBERONLY_TLD && __BITCOIN_ID && __NAKED_TO
describe NUMBERONLY_BITCOIN_EXP Domain ends in a large number and very short body with link
#score NUMBERONLY_BITCOIN_EXP 2.0 # limit
##} NUMBERONLY_BITCOIN_EXP
##{ OBFU_BITCOIN
meta OBFU_BITCOIN __OBFU_BITCOIN
describe OBFU_BITCOIN Obfuscated BitCoin references
#score OBFU_BITCOIN 3.000 # limit
tflags OBFU_BITCOIN publish
##} OBFU_BITCOIN
##{ OBFU_JVSCR_ESC
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
tflags OBFU_JVSCR_ESC publish
##} OBFU_JVSCR_ESC
##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
tflags OBFU_TEXT_ATTACH publish
endif
##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ OBFU_UNSUB_UL
meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
describe OBFU_UNSUB_UL Obfuscated unsubscribe text
tflags OBFU_UNSUB_UL publish
##} OBFU_UNSUB_UL
##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta ODD_FREEM_REPTO __freemail_mailreplyto
describe ODD_FREEM_REPTO Has unusual reply-to header
# score ODD_FREEM_REPTO 3.000 # limit
tflags ODD_FREEM_REPTO publish
endif
##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
endif
##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
endif
##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PDS_BAD_THREAD_QP_64
meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD
describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP
#score PDS_BAD_THREAD_QP_64 1.0
##} PDS_BAD_THREAD_QP_64
##{ PDS_BTC_ID
meta PDS_BTC_ID __PDS_BTC_ID
describe PDS_BTC_ID FP reduced Bitcoin ID
#score PDS_BTC_ID 0.5
##} PDS_BTC_ID
##{ PDS_BTC_MSGID
meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
#score PDS_BTC_MSGID 1.0
##} PDS_BTC_MSGID
##{ PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
describe PDS_BTC_NTLD Bitcoin suspect NTLD
#score PDS_BTC_NTLD 2.0 # limit
endif
endif
##} PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ PDS_DBL_URL_TNB_RUNON
meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL
describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
#score PDS_DBL_URL_TNB_RUNON 2.0
##} PDS_DBL_URL_TNB_RUNON
##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
describe PDS_FROM_2_EMAILS From header has multiple different addresses
# score PDS_FROM_2_EMAILS 3.500 # limit
endif
##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
##{ PDS_HELO_SPF_FAIL
meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
#score PDS_HELO_SPF_FAIL 2.0
tflags PDS_HELO_SPF_FAIL net
##} PDS_HELO_SPF_FAIL
##{ PDS_NAKED_TO_NUMERO
meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD
describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain
#score PDS_NAKED_TO_NUMERO 2.0
##} PDS_NAKED_TO_NUMERO
##{ PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
describe PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
#score PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit
endif
endif
##} PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ PDS_PHP_EVAL
meta PDS_PHP_EVAL __PDS_PHP_EVAL1
describe PDS_PHP_EVAL PHP header shows eval'd code
#score PDS_PHP_EVAL 1.5
##} PDS_PHP_EVAL
##{ PDS_RDNS_DYNAMIC_FP
meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA
#score PDS_RDNS_DYNAMIC_FP 0.01
describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
##} PDS_RDNS_DYNAMIC_FP
##{ PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
describe PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP)
#score PDS_SHORT_SPOOFED_URL 2.0
endif
endif
##} PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL
describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL
#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit
##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
describe PHISH_ATTACH Attachment filename suspicious, probable phishing
tflags PHISH_ATTACH publish
endif
##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PHISH_AZURE_CLOUDAPP
uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
#score PHISH_AZURE_CLOUDAPP 3.500
tflags PHISH_AZURE_CLOUDAPP publish
##} PHISH_AZURE_CLOUDAPP
##{ PHISH_FBASEAPP
meta PHISH_FBASEAPP __PHISH_FBASE_01
describe PHISH_FBASEAPP Probable phishing via hosted web app
#score PHISH_FBASEAPP 3.000 # limit
tflags PHISH_FBASEAPP publish
##} PHISH_FBASEAPP
##{ PHP_NOVER_MUA
describe PHP_NOVER_MUA Mail from PHP with no version number
#score PHP_NOVER_MUA 3.000 # limit
tflags PHP_NOVER_MUA publish
##} PHP_NOVER_MUA
##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ PHP_ORIG_SCRIPT
meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
describe PHP_ORIG_SCRIPT Sent by bot & other signs
#score PHP_ORIG_SCRIPT 2.500 # limit
tflags PHP_ORIG_SCRIPT publish
##} PHP_ORIG_SCRIPT
##{ PHP_ORIG_SCRIPT_EVAL
meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL
describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit
##} PHP_ORIG_SCRIPT_EVAL
##{ PHP_SCRIPT
meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
describe PHP_SCRIPT Sent by PHP script
#score PHP_SCRIPT 2.500 # limit
tflags PHP_SCRIPT publish
##} PHP_SCRIPT
##{ PHP_SCRIPT_MUA
meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
describe PHP_SCRIPT_MUA Sent by PHP script, no version number
#score PHP_SCRIPT_MUA 2.000 # limit
tflags PHP_SCRIPT_MUA publish
##} PHP_SCRIPT_MUA
##{ POSSIBLE_APPLE_PHISH_02
meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA
tflags POSSIBLE_APPLE_PHISH_02 publish
##} POSSIBLE_APPLE_PHISH_02
##{ POSSIBLE_EBAY_PHISH_02
meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA
tflags POSSIBLE_EBAY_PHISH_02 publish
##} POSSIBLE_EBAY_PHISH_02
##{ POSSIBLE_PAYPAL_PHISH_01
meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address
tflags POSSIBLE_PAYPAL_PHISH_01 publish
##} POSSIBLE_PAYPAL_PHISH_01
##{ POSSIBLE_PAYPAL_PHISH_02
meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA
tflags POSSIBLE_PAYPAL_PHISH_02 publish
##} POSSIBLE_PAYPAL_PHISH_02
##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
# score PP_MIME_FAKE_ASCII_TEXT 1.0
tflags PP_MIME_FAKE_ASCII_TEXT publish
endif
endif
##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
# score PP_TOO_MUCH_UNICODE02 0.5
tflags PP_TOO_MUCH_UNICODE02 publish
endif
endif
##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
# score PP_TOO_MUCH_UNICODE05 1.0
tflags PP_TOO_MUCH_UNICODE05 publish
endif
endif
##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
##{ PUMPDUMP
meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
describe PUMPDUMP Pump-and-dump stock scam phrase
#score PUMPDUMP 1.000 # limit
tflags PUMPDUMP publish
##} PUMPDUMP
##{ PUMPDUMP_MULTI
meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
#score PUMPDUMP_MULTI 3.500 # limit
tflags PUMPDUMP_MULTI publish
##} PUMPDUMP_MULTI
##{ PUMPDUMP_TIP
meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
describe PUMPDUMP_TIP Pump-and-dump stock tip
tflags PUMPDUMP_TIP publish
##} PUMPDUMP_TIP
##{ RAND_HEADER_LIST_SPOOF
meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
#score RAND_HEADER_LIST_SPOOF 3.000 # limit
tflags RAND_HEADER_LIST_SPOOF publish
##} RAND_HEADER_LIST_SPOOF
##{ RAND_HEADER_MANY
meta RAND_HEADER_MANY __RAND_HEADER_2
describe RAND_HEADER_MANY Multiple random gibberish message headers
#score RAND_HEADER_MANY 3.000 # limit
tflags RAND_HEADER_MANY publish
##} RAND_HEADER_MANY
##{ RAND_MKTG_HEADER
meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
#score RAND_MKTG_HEADER 2.000 # limit
tflags RAND_MKTG_HEADER publish
##} RAND_MKTG_HEADER
##{ RATWARE_NO_RDNS
meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
#score RATWARE_NO_RDNS 3.000 # limit
##} RATWARE_NO_RDNS
##{ RCVD_BAD_ID
header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
describe RCVD_BAD_ID Received header contains id field with bad characters
##} RCVD_BAD_ID
##{ RCVD_DBL_DQ
header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe RCVD_DBL_DQ Malformatted message header
tflags RCVD_DBL_DQ publish
##} RCVD_DBL_DQ
##{ RCVD_DOTEDU_SHORT
meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
#score RCVD_DOTEDU_SHORT 1.500 # limit
tflags RCVD_DOTEDU_SHORT publish
##} RCVD_DOTEDU_SHORT
##{ RCVD_DOTEDU_SUSP_URI
meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
#score RCVD_DOTEDU_SUSP_URI 3.000 # limit
tflags RCVD_DOTEDU_SUSP_URI publish
##} RCVD_DOTEDU_SUSP_URI
##{ RCVD_FORGED_WROTE
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
##} RCVD_FORGED_WROTE
##{ RCVD_FORGED_WROTE2
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2
##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
tflags RCVD_IN_IADB_DK net nice
endif
##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
tflags RCVD_IN_IADB_DOPTIN net nice
endif
##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
tflags RCVD_IN_IADB_EDDB net nice
endif
##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
tflags RCVD_IN_IADB_EPIA net nice
endif
##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
tflags RCVD_IN_IADB_GOODMAIL net nice
endif
##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
describe RCVD_IN_IADB_LISTED Participates in the IADB system
tflags RCVD_IN_IADB_LISTED net nice
endif
##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
tflags RCVD_IN_IADB_LOOSE net nice
endif
##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
tflags RCVD_IN_IADB_MI_CPEAR net nice
endif
##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
tflags RCVD_IN_IADB_MI_CPR_30 net nice
endif
##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
tflags RCVD_IN_IADB_MI_CPR_MAT net nice
endif
##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
tflags RCVD_IN_IADB_ML_DOPTIN net nice
endif
##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
tflags RCVD_IN_IADB_NOCONTROL net nice
endif
##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
tflags RCVD_IN_IADB_OOO net nice
endif
##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
tflags RCVD_IN_IADB_OPTIN net nice
endif
##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
tflags RCVD_IN_IADB_OPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
tflags RCVD_IN_IADB_OPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
tflags RCVD_IN_IADB_OPTOUTONLY net nice
endif
##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
tflags RCVD_IN_IADB_RDNS net nice
endif
##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
tflags RCVD_IN_IADB_SENDERID net nice
endif
##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
tflags RCVD_IN_IADB_SPF net nice
endif
##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
tflags RCVD_IN_IADB_UT_CPEAR net nice
endif
##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
tflags RCVD_IN_IADB_UT_CPR_30 net nice
endif
##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
tflags RCVD_IN_IADB_UT_CPR_MAT net nice
endif
##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
endif
##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
##{ RCVD_MAIL_COM
header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
##} RCVD_MAIL_COM
##{ RDNS_LOCALHOST
header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
##} RDNS_LOCALHOST
##{ RDNS_NUM_TLD_ATCHNX
meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
#score RDNS_NUM_TLD_ATCHNX 3.000 # limit
tflags RDNS_NUM_TLD_ATCHNX publish
##} RDNS_NUM_TLD_ATCHNX
##{ RDNS_NUM_TLD_XM
meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
#score RDNS_NUM_TLD_XM 3.000 # limit
tflags RDNS_NUM_TLD_XM publish
##} RDNS_NUM_TLD_XM
##{ REPLYTO_WITHOUT_TO_CC
meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
##} REPLYTO_WITHOUT_TO_CC
##{ REPTO_419_FRAUD
header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:20156488)\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|mingmui0012|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD 3.000
tflags REPTO_419_FRAUD publish
##} REPTO_419_FRAUD
##{ REPTO_419_FRAUD_AOL
header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i
describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL 3.000
tflags REPTO_419_FRAUD_AOL publish
##} REPTO_419_FRAUD_AOL
##{ REPTO_419_FRAUD_AOL_LOOSE
meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL_LOOSE 1.000
tflags REPTO_419_FRAUD_AOL_LOOSE publish
##} REPTO_419_FRAUD_AOL_LOOSE
##{ REPTO_419_FRAUD_CNS
header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|t(?:eo\.westin|he\.trustees1|rustees202000)|westernuniopayment\.agent0018))\@consultant\.com$/i
describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_CNS 3.000
tflags REPTO_419_FRAUD_CNS publish
##} REPTO_419_FRAUD_CNS
##{ REPTO_419_FRAUD_GM
header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|ullahmundani019)|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran630|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|maureens847|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|ephentam1(?:47|6))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##} REPTO_419_FRAUD_GM
##{ REPTO_419_FRAUD_GM_LOOSE
meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM_LOOSE 1.000
tflags REPTO_419_FRAUD_GM_LOOSE publish
##} REPTO_419_FRAUD_GM_LOOSE
##{ REPTO_419_FRAUD_HM
header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:hoi21|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##} REPTO_419_FRAUD_HM
##{ REPTO_419_FRAUD_OL
header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|kaujong|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|richardwahlfreegrant|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##} REPTO_419_FRAUD_OL
##{ REPTO_419_FRAUD_PM
header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_PM 3.000
tflags REPTO_419_FRAUD_PM publish
##} REPTO_419_FRAUD_PM
##{ REPTO_419_FRAUD_QQ
header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1731419584|2(?:032508290|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|l\.valiant|peterwong20177|qatarfoundation01|wang_cjianlin))\@qq\.com$/i
describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_QQ 3.000
tflags REPTO_419_FRAUD_QQ publish
##} REPTO_419_FRAUD_QQ
##{ REPTO_419_FRAUD_YH
header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
##} REPTO_419_FRAUD_YH
##{ REPTO_419_FRAUD_YH_LOOSE
meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH_LOOSE 1.000
tflags REPTO_419_FRAUD_YH_LOOSE publish
##} REPTO_419_FRAUD_YH_LOOSE
##{ REPTO_419_FRAUD_YJ
header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YJ 3.000
tflags REPTO_419_FRAUD_YJ publish
##} REPTO_419_FRAUD_YJ
##{ REPTO_419_FRAUD_YN
header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i
describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YN 3.000
tflags REPTO_419_FRAUD_YN publish
##} REPTO_419_FRAUD_YN
##{ REPTO_INFONUMSCOM
meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM
#score REPTO_INFONUMSCOM 3.000 # limit
tflags REPTO_INFONUMSCOM publish
##} REPTO_INFONUMSCOM
##{ RISK_FREE
meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
describe RISK_FREE No risk!
##} RISK_FREE
##{ SB_GIF_AND_NO_URIS
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS
##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1
describe SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header
tflags SCC_BOGUS_CTE_1 publish
endif
##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
describe SCC_CTMPP Uncommon Content-Type
meta SCC_CTMPP __SCC_CTMPP
tflags SCC_CTMPP publish
endif
##} SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ SCC_ISEMM_LID_1
describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware
header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/
tflags SCC_ISEMM_LID_1 publish
#score SCC_ISEMM_LID_1 3.5
##} SCC_ISEMM_LID_1
##{ SCC_ISEMM_LID_1B
describe SCC_ISEMM_LID_1B Genericized spammer fingerprint
header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/
tflags SCC_ISEMM_LID_1B publish
#score SCC_ISEMM_LID_1B 1.5
##} SCC_ISEMM_LID_1B
##{ SCC_SPAMMER_ADDR_2
describe SCC_SPAMMER_ADDR_2 Fingerprint of a particular spammer
body SCC_SPAMMER_ADDR_2 /6130 W Flamingo Rd/
##} SCC_SPAMMER_ADDR_2
##{ SCC_SPECIAL_GUID
describe SCC_SPECIAL_GUID Unique in a similar way
rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m
tflags SCC_SPECIAL_GUID publish multiple maxhits=15
##} SCC_SPECIAL_GUID
##{ SENDGRID_REDIR
meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
describe SENDGRID_REDIR Redirect URI via Sendgrid
#score SENDGRID_REDIR 1.500 # limit
tflags SENDGRID_REDIR publish
##} SENDGRID_REDIR
##{ SENDGRID_REDIR_PHISH
meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
#score SENDGRID_REDIR_PHISH 3.500 # limit
tflags SENDGRID_REDIR_PHISH publish
##} SENDGRID_REDIR_PHISH
##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
tflags SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
#score SEO_SUSP_NTLD 1.2 # limit
endif
endif
##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ SERGIO_SUBJECT_VIAGRA01
header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i
describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject
##} SERGIO_SUBJECT_VIAGRA01
##{ SHOPIFY_IMG_NOT_RCVD_SFY
meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK
#score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit
describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
##} SHOPIFY_IMG_NOT_RCVD_SFY
##{ SHORTENED_URL_SRC
rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/
##} SHORTENED_URL_SRC
##{ SHORTENER_SHORT_IMG
meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
#score SHORTENER_SHORT_IMG 2.500 # limit
tflags SHORTENER_SHORT_IMG publish
##} SHORTENER_SHORT_IMG
##{ SHORT_HELO_AND_INLINE_IMAGE
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
##} SHORT_HELO_AND_INLINE_IMAGE
##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
#score SHORT_IMG_SUSP_NTLD 1.5 # limit
endif
endif
##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE
describe SHORT_SHORTNER Short body with little more than a link to a shortener
#score SHORT_SHORTNER 2.0 # limit
endif
endif
##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ SHORT_TERM_PRICE
body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
##} SHORT_TERM_PRICE
##{ SPAMMY_XMAILER
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
##} SPAMMY_XMAILER
##{ SPOOFED_FREEMAIL
meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
#score SPOOFED_FREEMAIL 2.000 # limit
tflags SPOOFED_FREEMAIL net
##} SPOOFED_FREEMAIL
##{ SPOOFED_FREEMAIL_NO_RDNS
meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE
describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
#score SPOOFED_FREEMAIL_NO_RDNS 1.5
##} SPOOFED_FREEMAIL_NO_RDNS
##{ SPOOFED_FREEM_REPTO
meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX
describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
#score SPOOFED_FREEM_REPTO 2.500
tflags SPOOFED_FREEM_REPTO net publish
##} SPOOFED_FREEM_REPTO
##{ SPOOFED_FREEM_REPTO_CHN
meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
#score SPOOFED_FREEM_REPTO_CHN 3.500
tflags SPOOFED_FREEM_REPTO_CHN net publish
##} SPOOFED_FREEM_REPTO_CHN
##{ SPOOFED_FREEM_REPTO_RUS
meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to
#score SPOOFED_FREEM_REPTO_RUS 3.500
tflags SPOOFED_FREEM_REPTO_RUS net publish
##} SPOOFED_FREEM_REPTO_RUS
##{ SPOOF_GMAIL_MID
meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID
#score SPOOF_GMAIL_MID 1.5
describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
##} SPOOF_GMAIL_MID
##{ STATIC_XPRIO_OLE
meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
#score STATIC_XPRIO_OLE 2.000 # limit
tflags STATIC_XPRIO_OLE publish
##} STATIC_XPRIO_OLE
##{ STOCK_IMG_CTYPE
meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
##} STOCK_IMG_CTYPE
##{ STOCK_IMG_HDR_FROM
meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
##} STOCK_IMG_HDR_FROM
##{ STOCK_IMG_HTML
meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
##} STOCK_IMG_HTML
##{ STOCK_IMG_OUTLOOK
meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
##} STOCK_IMG_OUTLOOK
##{ STOCK_PRICES
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
##} STOCK_PRICES
##{ STOCK_TIP
meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
describe STOCK_TIP Stock tips
#score STOCK_TIP 3.000 # limit
tflags STOCK_TIP publish
##} STOCK_TIP
##{ STOX_AND_PRICE
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
##} STOX_AND_PRICE
##{ STOX_BOUND_090909_B
header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s
##} STOX_BOUND_090909_B
##{ STOX_REPLY_TYPE
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
##} STOX_REPLY_TYPE
##{ STOX_REPLY_TYPE_WITHOUT_QUOTES
meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
##} STOX_REPLY_TYPE_WITHOUT_QUOTES
##{ SUBJECT_NEEDS_ENCODING
meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters
##} SUBJECT_NEEDS_ENCODING
##{ SUBJ_ATTENTION
meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED
describe SUBJ_ATTENTION ATTENTION in Subject
#score SUBJ_ATTENTION 0.500 # limit
##} SUBJ_ATTENTION
##{ SUBJ_BRKN_WORDNUMS
#score SUBJ_BRKN_WORDNUMS 1.500 # limit
describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
##} SUBJ_BRKN_WORDNUMS
##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS
endif
##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
endif
##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ SUBJ_UNNEEDED_HTML
meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
##} SUBJ_UNNEEDED_HTML
##{ SUSP_UTF8_WORD_MANY
meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9
describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters
#score SUSP_UTF8_WORD_MANY 3.000 # limit
##} SUSP_UTF8_WORD_MANY
##{ SUSP_UTF8_WORD_SUBJ
meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
#score SUSP_UTF8_WORD_SUBJ 2.000 # limit
##} SUSP_UTF8_WORD_SUBJ
##{ SYSADMIN
meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
describe SYSADMIN Supposedly from your IT department
#score SYSADMIN 3.500 # limit
tflags SYSADMIN publish
##} SYSADMIN
##{ TAGSTAT_IMG_NOT_RCVD_TGST
meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST
#score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit
describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat
tflags TAGSTAT_IMG_NOT_RCVD_TGST publish
##} TAGSTAT_IMG_NOT_RCVD_TGST
##{ TARINGANET_IMG_NOT_RCVD_TN
meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN
#score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit
describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net
tflags TARINGANET_IMG_NOT_RCVD_TN publish
##} TARINGANET_IMG_NOT_RCVD_TN
##{ TBIRD_SUSP_MIME_BDRY
meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
##} TBIRD_SUSP_MIME_BDRY
##{ TEQF_USR_IMAGE
meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
describe TEQF_USR_IMAGE To and from user nearly same + image
tflags TEQF_USR_IMAGE publish
##} TEQF_USR_IMAGE
##{ TEQF_USR_MSGID_HEX
meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
tflags TEQF_USR_MSGID_HEX publish
##} TEQF_USR_MSGID_HEX
##{ TEQF_USR_MSGID_MALF
meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
tflags TEQF_USR_MSGID_MALF publish
##} TEQF_USR_MSGID_MALF
##{ THEBAT_UNREG
header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/
##} THEBAT_UNREG
##{ THIS_AD
meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
describe THIS_AD "This ad" and variants
tflags THIS_AD publish
##} THIS_AD
##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
tflags THIS_IS_ADV_SUSP_NTLD publish
describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
#score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
endif
endif
##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ TONLINE_FAKE_DKIM
meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
#score TONLINE_FAKE_DKIM 3.000 # limit
tflags TONLINE_FAKE_DKIM publish
##} TONLINE_FAKE_DKIM
##{ TO_EQ_FM_DIRECT_MX
meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
#score TO_EQ_FM_DIRECT_MX 2.500 # limit
tflags TO_EQ_FM_DIRECT_MX publish
##} TO_EQ_FM_DIRECT_MX
##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
tflags TO_EQ_FM_DOM_SPF_FAIL net
endif
##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
tflags TO_EQ_FM_SPF_FAIL net
endif
##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
##{ TO_IN_SUBJ
meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe TO_IN_SUBJ To address is in Subject
tflags TO_IN_SUBJ publish
#score TO_IN_SUBJ 0.1
##} TO_IN_SUBJ
##{ TO_NAME_SUBJ_NO_RDNS
meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE
describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
#score TO_NAME_SUBJ_NO_RDNS 3.000 # limit
tflags TO_NAME_SUBJ_NO_RDNS publish
##} TO_NAME_SUBJ_NO_RDNS
##{ TO_NO_BRKTS_HTML_IMG
meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE
describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
#score TO_NO_BRKTS_HTML_IMG 2.000 # limit
tflags TO_NO_BRKTS_HTML_IMG publish
##} TO_NO_BRKTS_HTML_IMG
##{ TO_NO_BRKTS_HTML_ONLY
meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH
#score TO_NO_BRKTS_HTML_ONLY 2.00 # limit
describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only
tflags TO_NO_BRKTS_HTML_ONLY publish
##} TO_NO_BRKTS_HTML_ONLY
##{ TO_NO_BRKTS_MSFT
meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD
describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
#score TO_NO_BRKTS_MSFT 2.50 # limit
##} TO_NO_BRKTS_MSFT
##{ TO_NO_BRKTS_NORDNS_HTML
meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS
#score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit
describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
tflags TO_NO_BRKTS_NORDNS_HTML publish
##} TO_NO_BRKTS_NORDNS_HTML
##{ TO_NO_BRKTS_PCNT
meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED
describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage
#score TO_NO_BRKTS_PCNT 2.50 # limit
tflags TO_NO_BRKTS_PCNT publish
##} TO_NO_BRKTS_PCNT
##{ TO_TOO_MANY_WFH_01
meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
tflags TO_TOO_MANY_WFH_01 publish
##} TO_TOO_MANY_WFH_01
##{ TT_MSGID_TRUNC
header TT_MSGID_TRUNC Message-Id =~ /^\s*\s]+\[\d+$/
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
##} TT_MSGID_TRUNC
##{ TT_OBSCURED_VALIUM
meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
##} TT_OBSCURED_VALIUM
##{ TT_OBSCURED_VIAGRA
meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
##} TT_OBSCURED_VIAGRA
##{ TVD_ACT_193
body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
describe TVD_ACT_193 Message refers to an act passed in the 1930s
##} TVD_ACT_193
##{ TVD_APPROVED
body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
describe TVD_APPROVED Body states that the recipient has been approved
##} TVD_APPROVED
##{ TVD_DEAR_HOMEOWNER
body TVD_DEAR_HOMEOWNER /^dear homeowner/i
describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"
##} TVD_DEAR_HOMEOWNER
##{ TVD_EB_PHISH
meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
##} TVD_EB_PHISH
##{ TVD_ENVFROM_APOST
header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
describe TVD_ENVFROM_APOST Envelope From contains single-quote
##} TVD_ENVFROM_APOST
##{ TVD_FINGER_02
header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
##} TVD_FINGER_02
##{ TVD_FLOAT_GENERAL
rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*