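# SpamAssassin rules file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
###########################################################################

# NOTE(review): this listing had been flattened onto a few physical lines.
# SpamAssassin configuration is line-oriented and '#' comments run to the end
# of the line, so in the flattened form the leading '#' turned require_version
# and every rule after it into comment text. One directive per line is
# restored here; names, expressions and descriptions are unchanged unless a
# note says otherwise.
#
# Reading guide:
#   ##{ NAME / ##} NAME   comment markers bracketing the directives of one rule
#   meta                  boolean expression over other rules; names starting
#                         with "__" are non-scoring sub-rules, none of which is
#                         defined in the visible part of this file
#   describe              text shown for the rule in reports
#   tflags ... publish    presumably a publication marker for the rule build,
#                         not something that affects matching
#   #score ... # limit    commented out, so no score is assigned here; the
#                         effective score must come from another file, else the
#                         default applies (1.0 for ordinary rule names)

# Refuse to load under a SpamAssassin release other than the one these rules
# were built for.
require_version 3.004006

##{ ACCT_PHISHING_MANY
# Either account-phishing sub-rule matches, and neither Google-specific
# phishing rule has matched (presumably so one message is not scored twice).
meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
describe ACCT_PHISHING_MANY Phishing for account information
#score ACCT_PHISHING_MANY 3.000 # limit
##} ACCT_PHISHING_MANY

##{ AC_BR_BONANZA
# Thirty consecutive tags separated only by whitespace, tested on the raw body.
# NOTE(review): the listing showed a bare line break where the leading literal
# of this pattern belongs; an HTML tag written there appears to have been
# swallowed when the page was rendered. "<br>" is restored from the rule name
# and description -- confirm against the upstream rule file.
rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i
describe AC_BR_BONANZA Too many newlines in a row... spammy template
#score AC_BR_BONANZA 0.001
tflags AC_BR_BONANZA publish
##} AC_BR_BONANZA

##{ AC_DIV_BONANZA
# Ten consecutive opening tags, each optionally followed by its closing tag.
# NOTE(review): same rendering loss as AC_BR_BONANZA; "<div>" is restored from
# the rule name and the surviving "<\/div>" -- confirm against upstream.
rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i
describe AC_DIV_BONANZA Too many divs in a row... spammy template
#score AC_DIV_BONANZA 0.001
tflags AC_DIV_BONANZA publish
##} AC_DIV_BONANZA

##{ AC_FROM_MANY_DOTS
meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
#score AC_FROM_MANY_DOTS 2.500 # limit
describe AC_FROM_MANY_DOTS Multiple periods in From user name
tflags AC_FROM_MANY_DOTS publish
##} AC_FROM_MANY_DOTS

##{ AC_HTML_NONSENSE_TAGS
# Ten back-to-back tag-like tokens of at least four alphanumeric characters,
# separated only by whitespace. The repetition counts are fixed, so the
# pattern has no unbounded nested quantifier.
rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/
describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam
#score AC_HTML_NONSENSE_TAGS 2.0
tflags AC_HTML_NONSENSE_TAGS publish
##} AC_HTML_NONSENSE_TAGS

##{ AC_POST_EXTRAS
# Suppressed when the message has a mailto: URI or a List-Id header sub-rule hit.
meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
describe AC_POST_EXTRAS Suspicious URL
#score AC_POST_EXTRAS 2.500 # limit
tflags AC_POST_EXTRAS publish
##} AC_POST_EXTRAS

# The AC_SPAMMY_URI_PATTERNS* rules each combine URI sub-rules and all share
# one description, so only the rule name tells them apart in a report.

##{ AC_SPAMMY_URI_PATTERNS1
meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI)
describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS1 4.0
tflags AC_SPAMMY_URI_PATTERNS1 publish
##} AC_SPAMMY_URI_PATTERNS1

##{ AC_SPAMMY_URI_PATTERNS10
meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI
describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS10 4.0
tflags AC_SPAMMY_URI_PATTERNS10 publish
##} AC_SPAMMY_URI_PATTERNS10

##{ AC_SPAMMY_URI_PATTERNS11
meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI
describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS11 4.0
tflags AC_SPAMMY_URI_PATTERNS11 publish
##} AC_SPAMMY_URI_PATTERNS11

##{ AC_SPAMMY_URI_PATTERNS12
meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS12 4.0
tflags AC_SPAMMY_URI_PATTERNS12 publish
##} AC_SPAMMY_URI_PATTERNS12

##{ AC_SPAMMY_URI_PATTERNS2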
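# NOTE(review): the listing had been flattened onto long physical lines, which
# lets the first '#' on a line comment out every directive after it. One
# directive per line is restored; rule text is unchanged. Every "#score" line
# is a comment: the effective score comes from another file or, failing that,
# the default (1.0 for ordinary rule names). Rules below with no "#score" line
# at all (ADMAIL, ADMITS_SPAM, ADVANCE_FEE_3_NEW_FORM) are in the same position.
meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS2 4.0
tflags AC_SPAMMY_URI_PATTERNS2 publish
##} AC_SPAMMY_URI_PATTERNS2

##{ AC_SPAMMY_URI_PATTERNS3
meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS3 4.0
tflags AC_SPAMMY_URI_PATTERNS3 publish
##} AC_SPAMMY_URI_PATTERNS3

##{ AC_SPAMMY_URI_PATTERNS4
meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI
describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS4 4.0
tflags AC_SPAMMY_URI_PATTERNS4 publish
##} AC_SPAMMY_URI_PATTERNS4

##{ AC_SPAMMY_URI_PATTERNS8
meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI
describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS8 4.0
tflags AC_SPAMMY_URI_PATTERNS8 publish
##} AC_SPAMMY_URI_PATTERNS8

##{ AC_SPAMMY_URI_PATTERNS9
meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template
#score AC_SPAMMY_URI_PATTERNS9 4.0
tflags AC_SPAMMY_URI_PATTERNS9 publish
##} AC_SPAMMY_URI_PATTERNS9

##{ ADMAIL
# Suppressed when a DKIM signature or an HTML comment sub-rule is present.
meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
describe ADMAIL "admail" and variants
tflags ADMAIL publish
##} ADMAIL

##{ ADMITS_SPAM
# The base sub-rule minus six exclusions; each "!" term names a trait that
# turns the rule off.
meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB
describe ADMITS_SPAM Admits this is an ad
tflags ADMITS_SPAM publish
##} ADMITS_SPAM

##{ ADULT_DATING_COMPANY
# Any one of body, From or Reply-To sub-rules is enough. No describe line is
# present for this rule.
meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
#score ADULT_DATING_COMPANY 10.000 # limit
tflags ADULT_DATING_COMPANY publish
##} ADULT_DATING_COMPANY

# ADVANCE_FEE_<n>_* tiers: each tier requires its own sub-rule and excludes the
# higher-numbered tiers of the same family, so at most one tier per family
# fires. The digit is presumably a match-count threshold -- confirm where the
# "__ADVANCE_FEE_*" sub-rules are defined.

##{ ADVANCE_FEE_2_NEW_FORM
meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
#score ADVANCE_FEE_2_NEW_FORM 2.000 # limit
tflags ADVANCE_FEE_2_NEW_FORM publish
##} ADVANCE_FEE_2_NEW_FORM

##{ ADVANCE_FEE_2_NEW_FRM_MNY
meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
#score ADVANCE_FEE_2_NEW_FRM_MNY 2.500
tflags ADVANCE_FEE_2_NEW_FRM_MNY publish
##} ADVANCE_FEE_2_NEW_FRM_MNY

##{ ADVANCE_FEE_2_NEW_MONEY
meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
#score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit
tflags ADVANCE_FEE_2_NEW_MONEY publish
##} ADVANCE_FEE_2_NEW_MONEY

##{ ADVANCE_FEE_3_NEW
# The plain tier also steps aside when the form or money variants would apply
# (!__FILL_THIS_FORM, !LOTS_OF_MONEY).
meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG
describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
#score ADVANCE_FEE_3_NEW 3.5 # limit
tflags ADVANCE_FEE_3_NEW publish
##} ADVANCE_FEE_3_NEW

##{ ADVANCE_FEE_3_NEW_FORM
meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_3_NEW_FORM publish
##} ADVANCE_FEE_3_NEW_FORM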
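# NOTE(review): the listing had been flattened onto long physical lines, which
# lets the first '#' on a line comment out every directive after it. One
# directive per line is restored; rule text is unchanged. The ADVANCE_FEE_*
# rules in this stretch carry no score line, so their scores come from another
# file or fall back to the default (1.0 for ordinary rule names).
#
# ADVANCE_FEE_<n>_* tiers: each tier requires its own sub-rule and excludes the
# higher-numbered tiers of the same family; tier 5 is the top and has no such
# exclusion.

##{ ADVANCE_FEE_3_NEW_FRM_MNY
meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
tflags ADVANCE_FEE_3_NEW_FRM_MNY publish
##} ADVANCE_FEE_3_NEW_FRM_MNY

##{ ADVANCE_FEE_3_NEW_MONEY
meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_3_NEW_MONEY publish
##} ADVANCE_FEE_3_NEW_MONEY

##{ ADVANCE_FEE_4_NEW
meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG
describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
tflags ADVANCE_FEE_4_NEW publish
##} ADVANCE_FEE_4_NEW

##{ ADVANCE_FEE_4_NEW_FORM
meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM)
describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_4_NEW_FORM publish
##} ADVANCE_FEE_4_NEW_FORM

##{ ADVANCE_FEE_4_NEW_FRM_MNY
meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY)
describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
tflags ADVANCE_FEE_4_NEW_FRM_MNY publish
##} ADVANCE_FEE_4_NEW_FRM_MNY

##{ ADVANCE_FEE_4_NEW_MONEY
meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_4_NEW_MONEY publish
##} ADVANCE_FEE_4_NEW_MONEY

##{ ADVANCE_FEE_5_NEW
meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG
describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
tflags ADVANCE_FEE_5_NEW publish
##} ADVANCE_FEE_5_NEW

##{ ADVANCE_FEE_5_NEW_FORM
meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_5_NEW_FORM publish
##} ADVANCE_FEE_5_NEW_FORM

##{ ADVANCE_FEE_5_NEW_FRM_MNY
meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
tflags ADVANCE_FEE_5_NEW_FRM_MNY publish
##} ADVANCE_FEE_5_NEW_FRM_MNY

##{ ADVANCE_FEE_5_NEW_MONEY
meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG
describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_5_NEW_MONEY publish
##} ADVANCE_FEE_5_NEW_MONEY

##{ AD_PREFS
# Body phrase such as "ad preferences" or "marketing settings"; the character
# class [i1l] also accepts digit/letter look-alike spellings of "advertising".
body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
describe AD_PREFS Advertising preferences
#score AD_PREFS 0.500 # limit
tflags AD_PREFS publish
##} AD_PREFS

# *_IMG_NOT_RCVD_*: brand-hosted image in a message that, per the description,
# did not arrive from that brand. The "!" terms are exclusions for traits that
# would otherwise trip the rule.

##{ ALIBABA_IMG_NOT_RCVD_ALI
meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE
#score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit
describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba
tflags ALIBABA_IMG_NOT_RCVD_ALI publish
##} ALIBABA_IMG_NOT_RCVD_ALI

##{ AMAZON_IMG_NOT_RCVD_AMZN
meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO
#score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit
describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon
tflags AMAZON_IMG_NOT_RCVD_AMZN publish
##} AMAZON_IMG_NOT_RCVD_AMZN

##{ APOSTROPHE_FROM
# Matches any apostrophe in the From address. An apostrophe is a legal
# character in an address local part (names such as o'brien), so this is a
# weak signal on its own; no score or tflags line is shown for it here.
header APOSTROPHE_FROM From:addr =~ /'/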
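describe APOSTROPHE_FROM From address contains an apostrophe
##} APOSTROPHE_FROM

# NOTE(review): the listing had been flattened onto long physical lines, which
# lets the first '#' on a line comment out every directive after it. One
# directive per line is restored; rule text is unchanged except for the
# BASE64_LENGTH describe fix noted below. "#score" / "# score" lines are
# comments: effective scores come from another file or, failing that, the
# default (1.0 for ordinary rule names).
#
# A "##{ NAME <condition>" marker repeats the condition of the if/ifplugin
# line that follows it; the marker is a comment, the following line is the
# live conditional, closed by "endif".

##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# Defined only when the running SpamAssassin advertises this feature.
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
# score APP_DEVELOPMENT_FREEM 3.500 # limit
tflags APP_DEVELOPMENT_FREEM publish
endif
##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
# score APP_DEVELOPMENT_NORDNS 2.000 # limit
tflags APP_DEVELOPMENT_NORDNS publish
endif
##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ AXB_XMAILER_MIMEOLE_OL_024C2
meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
##} AXB_XMAILER_MIMEOLE_OL_024C2

##{ BANKING_LAWS
body BANKING_LAWS /banking laws/i
describe BANKING_LAWS Talks about banking laws
##} BANKING_LAWS

##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
endif
##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# Fixed: this describe carried the name BASE64_LENGTH_79_INF although its text
# is about the 78-79 rule. As written it was replaced at once by the second
# describe below, and BASE64_LENGTH_78_79 was left with no description.
describe BASE64_LENGTH_78_79 base64 encoded email part uses line length of 78 or 79 characters
body BASE64_LENGTH_79_INF eval:check_base64_length('79')
describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters
endif
##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ BEBEE_IMG_NOT_RCVD_BB
meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB
#score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit
describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee
tflags BEBEE_IMG_NOT_RCVD_BB publish
##} BEBEE_IMG_NOT_RCVD_BB

##{ BIGNUM_EMAILS_FREEM
meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM
describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account
#score BIGNUM_EMAILS_FREEM 3.00 # limit
tflags BIGNUM_EMAILS_FREEM publish
##} BIGNUM_EMAILS_FREEM

##{ BIGNUM_EMAILS_MANY
meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER
describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over
#score BIGNUM_EMAILS_MANY 3.00 # limit
tflags BIGNUM_EMAILS_MANY publish
##} BIGNUM_EMAILS_MANY

##{ BILL_1618
body BILL_1618 /\bUnder Bill\s?s?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i
describe BILL_1618 Mentions proposed US law supposedly permitting spamming
tflags BILL_1618 publish
##} BILL_1618

# BITCOIN_* family: most rules pair a wallet-ID sub-rule (__BITCOIN_ID) with
# one further trait. Several exclude BITCOIN_EXTORT_01, so they fire only when
# that rule has not already matched.

##{ BITCOIN_BOMB
meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
describe BITCOIN_BOMB BitCoin + bomb
#score BITCOIN_BOMB 3.000 # limit
tflags BITCOIN_BOMB publish
##} BITCOIN_BOMB

##{ BITCOIN_DEADLINE
meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
describe BITCOIN_DEADLINE BitCoin with a deadline
#score BITCOIN_DEADLINE 3.000 # limit
tflags BITCOIN_DEADLINE publish
##} BITCOIN_DEADLINE

##{ BITCOIN_EXTORT_01
# Wallet ID plus extortion wording, unless all five traits in the negated
# group hold together.
meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
#score BITCOIN_EXTORT_01 5.000 # limit
tflags BITCOIN_EXTORT_01 publish
##} BITCOIN_EXTORT_01

##{ BITCOIN_EXTORT_02
meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY
describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
#score BITCOIN_EXTORT_02 5.000 # limit
tflags BITCOIN_EXTORT_02 publish
##} BITCOIN_EXTORT_02

##{ BITCOIN_IMGUR
meta BITCOIN_IMGUR __BITCOIN_IMGUR
describe BITCOIN_IMGUR Bitcoin + hosted image
#score BITCOIN_IMGUR 3.500 # limit
tflags BITCOIN_IMGUR publish
##} BITCOIN_IMGUR

##{ BITCOIN_MALWARE
meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
describe BITCOIN_MALWARE BitCoin + malware bragging
#score BITCOIN_MALWARE 3.500 # limit
tflags BITCOIN_MALWARE publish
##} BITCOIN_MALWARE

##{ BITCOIN_OBFU_SUBJ
meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI
describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject
#score BITCOIN_OBFU_SUBJ 3.500 # limit
tflags BITCOIN_OBFU_SUBJ publish
##} BITCOIN_OBFU_SUBJ

##{ BITCOIN_ONAN
meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01
describe BITCOIN_ONAN BitCoin + [censored]
#score BITCOIN_ONAN 3.000 # limit
tflags BITCOIN_ONAN publish
##} BITCOIN_ONAN

##{ BITCOIN_PAY_ME
meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
describe BITCOIN_PAY_ME Pay me via BitCoin
#score BITCOIN_PAY_ME 3.000 # limit
tflags BITCOIN_PAY_ME publish
##} BITCOIN_PAY_ME

##{ BITCOIN_SPAM_01
meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
describe BITCOIN_SPAM_01 BitCoin spam pattern 01
#score BITCOIN_SPAM_01 2.500 # limit
tflags BITCOIN_SPAM_01 publish
##} BITCOIN_SPAM_01

##{ BITCOIN_SPAM_02
meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID
describe BITCOIN_SPAM_02 BitCoin spam pattern 02
#score BITCOIN_SPAM_02 2.500 # limit
tflags BITCOIN_SPAM_02 publish
##} BITCOIN_SPAM_02

##{ BITCOIN_SPAM_03
meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
describe BITCOIN_SPAM_03 BitCoin spam pattern 03
#score BITCOIN_SPAM_03 2.500 # limit
tflags BITCOIN_SPAM_03 publish
##} BITCOIN_SPAM_03

##{ BITCOIN_SPAM_04
meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
describe BITCOIN_SPAM_04 BitCoin spam pattern 04
#score BITCOIN_SPAM_04 1.500 # limit
tflags BITCOIN_SPAM_04 publish
##} BITCOIN_SPAM_04

##{ BITCOIN_SPAM_05
meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO
describe BITCOIN_SPAM_05 BitCoin spam pattern 05
#score BITCOIN_SPAM_05 2.500 # limit
# "net" marks a rule that depends on a network lookup, so it cannot fire
# where network tests are disabled.
tflags BITCOIN_SPAM_05 net publish
##} BITCOIN_SPAM_05

##{ BITCOIN_SPAM_06
meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
describe BITCOIN_SPAM_06 BitCoin spam pattern 06
#score BITCOIN_SPAM_06 1.500 # limit
tflags BITCOIN_SPAM_06 publish
##} BITCOIN_SPAM_06

##{ BITCOIN_SPAM_07
meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS
describe BITCOIN_SPAM_07 BitCoin spam pattern 07
#score BITCOIN_SPAM_07 3.500 # limit
tflags BITCOIN_SPAM_07 publish
##} BITCOIN_SPAM_07

##{ BITCOIN_SPAM_08
meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ
describe BITCOIN_SPAM_08 BitCoin spam pattern 08
#score BITCOIN_SPAM_08 2.500 # limit
tflags BITCOIN_SPAM_08 publish
##} BITCOIN_SPAM_08

##{ BITCOIN_SPAM_09
meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
describe BITCOIN_SPAM_09 BitCoin spam pattern 09
#score BITCOIN_SPAM_09 1.500 # limit
tflags BITCOIN_SPAM_09 publish
##} BITCOIN_SPAM_09

##{ BITCOIN_SPAM_10
meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
describe BITCOIN_SPAM_10 BitCoin spam pattern 10
#score BITCOIN_SPAM_10 2.500 # limit
tflags BITCOIN_SPAM_10 publish
##} BITCOIN_SPAM_10

##{ BITCOIN_SPAM_11
meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
describe BITCOIN_SPAM_11 BitCoin spam pattern 11
#score BITCOIN_SPAM_11 2.500 # limit
tflags BITCOIN_SPAM_11 publish
##} BITCOIN_SPAM_11

##{ BITCOIN_SPAM_12
meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
describe BITCOIN_SPAM_12 BitCoin spam pattern 12
#score BITCOIN_SPAM_12 2.500 # limit
tflags BITCOIN_SPAM_12 publish
##} BITCOIN_SPAM_12

##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
# Needs both a minimum version and the AskDNS plugin; each condition has its
# own endif. An SPF record ending in "+all" authorises every sender, so an SPF
# pass from such a domain says nothing about the message's origin.
if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID
tflags BITCOIN_SPF_ONLYALL net publish
describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF
#score BITCOIN_SPF_ONLYALL 2.0 # limit
endif
endif
##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ BITCOIN_TOEQFM
meta BITCOIN_TOEQFM __BITCOIN_TOEQFM
describe BITCOIN_TOEQFM Bitcoin + To same as From
#score BITCOIN_TOEQFM 3.500 # limit
##} BITCOIN_TOEQFM

##{ BITCOIN_VISTA
meta BITCOIN_VISTA __BITCOIN && __VISTA_MSGID
describe BITCOIN_VISTA Bitcoin + old MSFT msgid format
#score BITCOIN_VISTA 3.500 # limit
##} BITCOIN_VISTA

##{ BITCOIN_WFH_01
meta BITCOIN_WFH_01 __BITCOIN_WFH_01
describe BITCOIN_WFH_01 Work-from-Home + bitcoin
tflags BITCOIN_WFH_01 publish
##} BITCOIN_WFH_01

##{ BITCOIN_XPRIO
meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY
describe BITCOIN_XPRIO Bitcoin + priority
#score BITCOIN_XPRIO 2.500 # limit
##} BITCOIN_XPRIO

##{ BITCOIN_YOUR_INFO
meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
describe BITCOIN_YOUR_INFO BitCoin with your personal info
#score BITCOIN_YOUR_INFO 3.000 # limit
tflags BITCOIN_YOUR_INFO publish
##} BITCOIN_YOUR_INFO

##{ BODY_URI_ONLY
# The base sub-rule minus a long exclusion list (DKIM present, mailing-list
# traffic, assorted relay rDNS patterns, and others).
meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
#score BODY_URI_ONLY 3.000 # limit
tflags BODY_URI_ONLY publish
##} BODY_URI_ONLY

##{ BOGUS_MIME_VERSION
meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER
#score BOGUS_MIME_VERSION 3.500 # limit
describe BOGUS_MIME_VERSION Mime version header is bogus
tflags BOGUS_MIME_VERSION publish
##} BOGUS_MIME_VERSION

##{ BOGUS_MSM_HDRS
meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
#score BOGUS_MSM_HDRS 3.000 # limit
tflags BOGUS_MSM_HDRS publish
##} BOGUS_MSM_HDRS

##{ BOMB_FREEM
meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto
describe BOMB_FREEM Bomb + freemail
#score BOMB_FREEM 2.000 # limit
tflags BOMB_FREEM publish
##} BOMB_FREEM

##{ BOMB_MONEY
meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
describe BOMB_MONEY Bomb + money: bomb threat?
#score BOMB_MONEY 2.500 # limit
tflags BOMB_MONEY publish
##} BOMB_MONEY

# BTC_ORG is split over three marker blocks: the description sits outside any
# condition, and the meta is defined once for each state of the DKIM plugin.
# The two conditions are mutually exclusive, so exactly one meta applies; the
# DKIM variant additionally requires the message not to be DKIM-signed.
# NOTE(review): both variants require __DOS_HAS_MAILING_LIST to match, while
# other rules in this file exclude list traffic (!__VIA_ML, !__HAS_LIST_ID) --
# confirm the polarity is intended.

##{ BTC_ORG
describe BTC_ORG Bitcoin wallet ID + unusual header
#score BTC_ORG 2.500 # limit
##} BTC_ORG

##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
endif
##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
endif
##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
tflags BULK_RE_SUSP_NTLD publish
describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
#score BULK_RE_SUSP_NTLD 1.0 # limit
endif
endif
##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ CANT_SEE_AD
# Either wording sub-rule, unless the message carries a List-Unsubscribe
# header sub-rule hit.
meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
describe CANT_SEE_AD You really want to see our spam.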
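#score CANT_SEE_AD 2.500 # limit
tflags CANT_SEE_AD publish
##} CANT_SEE_AD

# NOTE(review): the listing had been flattened onto long physical lines, which
# lets the first '#' on a line comment out every directive after it. One
# directive per line is restored; rule text is unchanged. "#score" / "# score"
# lines are comments: effective scores come from another file or, failing
# that, the default (1.0 for ordinary rule names).

##{ CN_B2B_SPAMMER
# Self-introduction phrasing. The free-text gap is bounded ({10,90}) and may
# not cross a full stop, which keeps matching cost predictable.
body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
describe CN_B2B_SPAMMER Chinese company introducing itself
tflags CN_B2B_SPAMMER publish
##} CN_B2B_SPAMMER

##{ COMMENT_GIBBERISH
meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
describe COMMENT_GIBBERISH Nonsense in long HTML comment
#score COMMENT_GIBBERISH 1.50 # limit
tflags COMMENT_GIBBERISH publish
##} COMMENT_GIBBERISH

# COMPENSATION is split over three marker blocks: the description sits outside
# any condition, and the meta is defined once for each state of the DKIM
# plugin. The two conditions are mutually exclusive; the DKIM variant differs
# only by the trailing !__DKIM_DEPENDABLE.

##{ COMPENSATION
describe COMPENSATION "Compensation"
#score COMPENSATION 1.50 # limit
##} COMPENSATION

##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
endif
##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
endif
##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ CONTENT_AFTER_HTML
# Content after the closing HTML tag plus at least one of eight further traits.
meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 )
describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs
#score CONTENT_AFTER_HTML 2.500 # limit
tflags CONTENT_AFTER_HTML publish
##} CONTENT_AFTER_HTML

##{ CONTENT_AFTER_HTML_WEAK
# Same base sub-rule, but only when CONTENT_AFTER_HTML itself did not match,
# so the two never fire together.
meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV
describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag
#score CONTENT_AFTER_HTML_WEAK 1.500 # limit
tflags CONTENT_AFTER_HTML_WEAK publish
##} CONTENT_AFTER_HTML_WEAK

##{ CORRUPT_FROM_LINE_IN_HDRS
# All four conditions must hold; the description marks the rule informational.
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
##} CORRUPT_FROM_LINE_IN_HDRS

##{ CTE_8BIT_MISMATCH
# text/plain part with no or 7bit Content-Transfer-Encoding whose body
# nevertheless contains 8-bit data.
meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)
describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees
#score CTE_8BIT_MISMATCH 1
tflags CTE_8BIT_MISMATCH publish
##} CTE_8BIT_MISMATCH

##{ CTYPE_001C_A
# Constant false: the rule is kept but can never match.
meta CTYPE_001C_A (0) # obsolete
##} CTYPE_001C_A

##{ CTYPE_001C_B
# One specific MIME boundary layout; the gap before "boundary=" is capped at
# 200 characters.
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
##} CTYPE_001C_B

##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Tested against the raw header of a MIME part: a folded Content-Type whose
# continuation line is indented by exactly eight spaces.
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
endif
##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ CURR_PRICE
body CURR_PRICE /\bCurrent Price:/
##} CURR_PRICE

##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# Lower bound '2920', no upper bound ('undef'). The unit is presumably hours
# (2920 h is roughly four months, matching the description) -- confirm against
# the HeaderEval plugin documentation.
header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
endif
##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval

##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# Numeric comparison: the sub-rule's value has to reach 3, so the sub-rule is
# presumably one that counts multiple hits -- confirm where it is defined.
meta DAY_I_EARNED __DAY_I_EARNED >= 3
# score DAY_I_EARNED 3.000 # limit
describe DAY_I_EARNED Work-at-home spam
tflags DAY_I_EARNED publish
endif
##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ DEAR_BENEFICIARY
# Accepts the common misspellings ("Deer", "Benificiary") and an
# "Attention:"/"Attn" opener, with at most one word in between.
body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
describe DEAR_BENEFICIARY Dear Beneficiary:
##} DEAR_BENEFICIARY

##{ DEAR_WINNER
body DEAR_WINNER /\bdear.{1,20}winner/i
describe DEAR_WINNER Spam with generic salutation of "dear winner"
##} DEAR_WINNER

# DKIMWL_* rules depend on the AskDNS plugin and carry the "net" flag: they
# rest on answers from a third-party DNS reputation list and cannot fire where
# network tests are disabled.

##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta DKIMWL_BL __DKIMWL_WL_BL
tflags DKIMWL_BL net publish
describe DKIMWL_BL DKIMwl.org - Blocked sender
#score DKIMWL_BL 3.0 # limit
endif
##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta DKIMWL_BLOCKED __DKIMWL_BLOCKED
tflags DKIMWL_BLOCKED net publish
# Operational signal rather than a spam sign: per the text, the list refused
# the query. The "\#" keeps the URL fragment from starting a comment.
describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.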
#score DKIMWL_BLOCKED 0.001 # limit endif ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) tflags DKIMWL_WL_HIGH net nice publish describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender #score DKIMWL_WL_HIGH -3.0 # limit endif ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MED net nice publish describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender #score DKIMWL_WL_MED -0.5 # limit endif ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MEDHI net nice publish describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender #score DKIMWL_WL_MEDHI -1.0 # limit endif ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DOS_ANAL_SPAM_MAILER header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam tflags DOS_ANAL_SPAM_MAILER publish ##} DOS_ANAL_SPAM_MAILER ##{ DOS_BODY_HIGH_NO_MID meta DOS_BODY_HIGH_NO_MID __HIGHBITS && MISSING_MID describe DOS_BODY_HIGH_NO_MID High bit body and no message ID header ##} DOS_BODY_HIGH_NO_MID ##{ DOS_DEREK_AUG08 meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && 
__CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) ##} DOS_DEREK_AUG08 ##{ DOS_FIX_MY_URI meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam ##} DOS_FIX_MY_URI ##{ DOS_HIGH_BAT_TO_MX meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits ##} DOS_HIGH_BAT_TO_MX ##{ DOS_LET_GO_JOB meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! ##} DOS_LET_GO_JOB ##{ DOS_OE_TO_MX meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE describe DOS_OE_TO_MX Delivered direct to MX with OE headers ##} DOS_OE_TO_MX ##{ DOS_OE_TO_MX_IMAGE meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image ##} DOS_OE_TO_MX_IMAGE ##{ DOS_OUTLOOK_TO_MX meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers ##} DOS_OUTLOOK_TO_MX ##{ DOS_RCVD_IP_TWICE_C header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? 
[^\[]*\[ ip=\1 [^\]]*\]\s*$/ describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) ##} DOS_RCVD_IP_TWICE_C ##{ DOS_STOCK_BAT meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) describe DOS_STOCK_BAT Probable pump and dump stock spam ##} DOS_STOCK_BAT ##{ DOS_STOCK_BAT2 meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) ##} DOS_STOCK_BAT2 ##{ DOS_URI_ASTERISK uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} describe DOS_URI_ASTERISK Found an asterisk in a URI ##} DOS_URI_ASTERISK ##{ DOS_YOUR_PLACE meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) describe DOS_YOUR_PLACE Russian dating spam ##} DOS_YOUR_PLACE ##{ DOTGOV_IMAGE meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS describe DOTGOV_IMAGE .gov URI + hosted image #score DOTGOV_IMAGE 3.000 # limit tflags DOTGOV_IMAGE publish ##} DOTGOV_IMAGE ##{ DRUGS_HDIA header DRUGS_HDIA Subject =~ /\bhoodia\b/i describe DRUGS_HDIA Subject mentions "hoodia" ##} DRUGS_HDIA ##{ DSN_NO_MIMEVERSION meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION) describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header #score DSN_NO_MIMEVERSION 2 ##} DSN_NO_MIMEVERSION ##{ DX_TEXT_02 body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i describe DX_TEXT_02 "change your message stat" tflags DX_TEXT_02 publish ##} DX_TEXT_02 ##{ DX_TEXT_03 body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ describe DX_TEXT_03 "XXX Media Group" tflags DX_TEXT_03 publish ##} DX_TEXT_03 ##{ DYNAMIC_IMGUR meta DYNAMIC_IMGUR __DYNAMIC_IMGUR describe 
DYNAMIC_IMGUR dynamic IP + hosted image #score DYNAMIC_IMGUR 4.000 # limit tflags DYNAMIC_IMGUR publish ##} DYNAMIC_IMGUR ##{ DYN_RDNS_AND_INLINE_IMAGE meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS ##} DYN_RDNS_AND_INLINE_IMAGE ##{ DYN_RDNS_SHORT_HELO_HTML meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML ##} DYN_RDNS_SHORT_HELO_HTML ##{ DYN_RDNS_SHORT_HELO_IMAGE meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image ##} DYN_RDNS_SHORT_HELO_IMAGE ##{ EBAY_IMG_NOT_RCVD_EBAY meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay tflags EBAY_IMG_NOT_RCVD_EBAY publish ##} EBAY_IMG_NOT_RCVD_EBAY ##{ EMRCP body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i describe EMRCP "Excess Maximum Return Capital Profit" scam tflags EMRCP publish ##} EMRCP ##{ ENCRYPTED_MESSAGE meta ENCRYPTED_MESSAGE __CT_ENCRYPTED describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam #score ENCRYPTED_MESSAGE -1.000 tflags ENCRYPTED_MESSAGE nice publish ##} ENCRYPTED_MESSAGE ##{ END_FUTURE_EMAILS describe END_FUTURE_EMAILS Spammy unsubscribe #score END_FUTURE_EMAILS 2.500 # limit ##} END_FUTURE_EMAILS ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER endif ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM 
ifplugin Mail::SpamAssassin::Plugin::DKIM meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED endif ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ ENVFROM_GOOG_TRIX meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY describe ENVFROM_GOOG_TRIX From suspicious Google subdomain #score ENVFROM_GOOG_TRIX 3.000 # limit tflags ENVFROM_GOOG_TRIX publish ##} ENVFROM_GOOG_TRIX ##{ EXCUSE_24 body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i describe EXCUSE_24 Claims you wanted this ad ##} EXCUSE_24 ##{ FACEBOOK_IMG_NOT_RCVD_FB meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP #score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook tflags FACEBOOK_IMG_NOT_RCVD_FB publish ##} FACEBOOK_IMG_NOT_RCVD_FB ##{ FAKE_REPLY_C meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) ##} FAKE_REPLY_C ##{ FBI_MONEY meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY describe FBI_MONEY The FBI wants to give you lots of money? 
#score FBI_MONEY 2.00 # limit tflags FBI_MONEY publish ##} FBI_MONEY ##{ FBI_SPOOF meta FBI_SPOOF __FBI_SPOOF describe FBI_SPOOF Claims to be FBI, but not from FBI domain #score FBI_SPOOF 2.00 # limit tflags FBI_SPOOF publish ##} FBI_SPOOF ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML describe FILL_THIS_FORM Fill in a form with personal information tflags FILL_THIS_FORM publish endif ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY describe FILL_THIS_FORM_LONG Fill in a form with personal information # score FILL_THIS_FORM_LONG 2.00 # limit endif ##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX describe FONT_INVIS_DIRECT Invisible text + direct-to-MX # score FONT_INVIS_DIRECT 3.500 # limit tflags FONT_INVIS_DIRECT publish endif ##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID describe FONT_INVIS_DOTGOV Invisible text + .gov URI # score FONT_INVIS_DOTGOV 3.500 # limit tflags FONT_INVIS_DOTGOV publish endif ##} FONT_INVIS_DOTGOV if 
can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML # score FONT_INVIS_HTML_NOHTML 3.000 # limit tflags FONT_INVIS_HTML_NOHTML publish endif ##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET describe FONT_INVIS_LONG_LINE Invisible text + long lines # score FONT_INVIS_LONG_LINE 3.000 # limit tflags FONT_INVIS_LONG_LINE publish endif ##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA describe FONT_INVIS_MSGID Invisible text + suspicious message ID # score FONT_INVIS_MSGID 2.500 # limit tflags FONT_INVIS_MSGID publish endif ##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER describe FONT_INVIS_NORDNS Invisible text + no rDNS # score FONT_INVIS_NORDNS 2.500 # limit tflags FONT_INVIS_NORDNS publish endif ##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_POSTEXTRAS 
if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI # score FONT_INVIS_POSTEXTRAS 3.500 # limit tflags FONT_INVIS_POSTEXTRAS publish endif ##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FORGED_SPF_HELO meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS ##} FORGED_SPF_HELO ##{ FORM_FRAUD meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK describe FORM_FRAUD Fill a form and a fraud phrase #score FORM_FRAUD 1.000 # limit tflags FORM_FRAUD publish ##} FORM_FRAUD ##{ FORM_FRAUD_3 meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED describe FORM_FRAUD_3 Fill a form and several fraud phrases tflags FORM_FRAUD_3 publish ##} FORM_FRAUD_3 ##{ FORM_FRAUD_5 meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE describe FORM_FRAUD_5 Fill a form and many fraud phrases tflags FORM_FRAUD_5 publish ##} FORM_FRAUD_5 ##{ FOUND_YOU meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO #score FOUND_YOU 3.25 # limit describe FOUND_YOU I found you... 
tflags FOUND_YOU publish ##} FOUND_YOU ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different # score FREEMAIL_FORGED_FROMDOMAIN 0.25 tflags FREEMAIL_FORGED_FROMDOMAIN publish endif endif endif ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ##{ FREEMAIL_WFH_01 meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 describe FREEMAIL_WFH_01 Work-from-Home + freemail tflags FREEMAIL_WFH_01 publish ##} FREEMAIL_WFH_01 ##{ FREEM_FRNUM_UNICD_EMPTY meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit tflags FREEM_FRNUM_UNICD_EMPTY publish ##} FREEM_FRNUM_UNICD_EMPTY ##{ FRNAME_IN_MSG_XPRIO_NO_SUB meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish ##} FRNAME_IN_MSG_XPRIO_NO_SUB ##{ FROM_ADDR_WS meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL describe FROM_ADDR_WS Malformed From address #score FROM_ADDR_WS 3.000 # limit tflags FROM_ADDR_WS publish ##} FROM_ADDR_WS ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin 
Mail::SpamAssassin::Plugin::WLBLEval meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) tflags FROM_BANK_NOAUTH publish net describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM #score FROM_BANK_NOAUTH 1.0 # limit endif endif ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. tflags FROM_FMBLA_NDBLOCKED net publish #score FROM_FMBLA_NDBLOCKED 0.001 # limit endif endif ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days tflags FROM_FMBLA_NEWDOM net #score FROM_FMBLA_NEWDOM 1.5 # limit endif endif ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days tflags FROM_FMBLA_NEWDOM14 publish net #score FROM_FMBLA_NEWDOM14 1.0 # limit endif endif ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) 
ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days tflags FROM_FMBLA_NEWDOM28 net publish #score FROM_FMBLA_NEWDOM28 0.8 # limit endif endif ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV tflags FROM_GOV_DKIM_AU net nice publish describe FROM_GOV_DKIM_AU From Government address and DKIM signed #score FROM_GOV_DKIM_AU -1.0 # limit endif endif ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU tflags FROM_GOV_REPLYTO_FREEMAIL net publish describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL #score FROM_GOV_REPLYTO_FREEMAIL 2.0 endif endif ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! 
ALL_TRUSTED) tflags FROM_GOV_SPOOF net publish describe FROM_GOV_SPOOF From Government domain but matches SPOOFED #score FROM_GOV_SPOOF 1.0 # limit endif endif ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_IN_TO_AND_SUBJ meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID describe FROM_IN_TO_AND_SUBJ From address is in To and Subject tflags FROM_IN_TO_AND_SUBJ publish ##} FROM_IN_TO_AND_SUBJ ##{ FROM_LONG_DOM meta FROM_LONG_DOM __FROM_LONG_DOM && !FROM_LONG_DOM_MINFP describe FROM_LONG_DOM Absurdly long From domain name #score FROM_LONG_DOM 1.500 # limit tflags FROM_LONG_DOM publish ##} FROM_LONG_DOM ##{ FROM_LONG_DOM_MINFP meta FROM_LONG_DOM_MINFP __FROM_LONG_DOM && !__RCD_RDNS_MAIL_MESSY && !__ENV_AND_HDR_FROM_MATCH describe FROM_LONG_DOM_MINFP Absurdly long From domain name, suspicious relays #score FROM_LONG_DOM_MINFP 2.500 # limit tflags FROM_LONG_DOM_MINFP publish ##} FROM_LONG_DOM_MINFP ##{ FROM_MISSPACED meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA describe FROM_MISSPACED From: missing whitespace #score FROM_MISSPACED 2.00 ##} FROM_MISSPACED ##{ FROM_MISSP_EH_MATCH meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA describe FROM_MISSP_EH_MATCH From misspaced, matches envelope #score FROM_MISSP_EH_MATCH 2.00 # max ##} FROM_MISSP_EH_MATCH ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin 
Mail::SpamAssassin::Plugin::FreeMail meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA describe FROM_MISSP_FREEMAIL From misspaced + freemail provider endif ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ FROM_MISSP_MSFT meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool ##} FROM_MISSP_MSFT ##{ FROM_MISSP_PHISH meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish #score FROM_MISSP_PHISH 3.500 # limit ##} FROM_MISSP_PHISH ##{ FROM_MISSP_REPLYTO meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB describe FROM_MISSP_REPLYTO From misspaced, has Reply-To #score FROM_MISSP_REPLYTO 2.500 # limit ##} FROM_MISSP_REPLYTO ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) tflags FROM_MISSP_SPF_FAIL net # score FROM_MISSP_SPF_FAIL 2.00 # limit endif ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ FROM_MISSP_USER meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) describe FROM_MISSP_USER From misspaced, from "User" ##} FROM_MISSP_USER ##{ FROM_MISSP_XPRIO meta FROM_MISSP_XPRIO (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority #score FROM_MISSP_XPRIO 2.500 # limit ##} FROM_MISSP_XPRIO ##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS endif ##} 
FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID #score FROM_NEWDOM_BTC 2.0 # limit tflags FROM_NEWDOM_BTC net endif endif ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY tflags FROM_NTLD_LINKBAIT publish describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI #score FROM_NTLD_LINKBAIT 2.0 # limit endif endif ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD tflags FROM_NTLD_REPLY_FREEMAIL publish describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit endif endif ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit tflags FROM_NUMBERO_NEWDOMAIN net publish endif endif ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin 
Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) tflags FROM_PAYPAL_SPOOF publish net describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED #score FROM_PAYPAL_SPOOF 1.6 # limit endif endif ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD tflags FROM_SUSPICIOUS_NTLD publish describe FROM_SUSPICIOUS_NTLD From abused NTLD #score FROM_SUSPICIOUS_NTLD 0.5 # limit endif endif ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST tflags FROM_SUSPICIOUS_NTLD_FP publish describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit endif endif ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_UNBAL2 header FROM_UNBAL2 From:raw =~ /^ [^<]* > /xm describe FROM_UNBAL2 From with unbalanced angle brackets, '<' missing ##} FROM_UNBAL2 ##{ FSL_BULK_SIG meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 && !__RCVD_IN_DNSWL describe FSL_BULK_SIG Bulk signature with no 
Unsubscribe
#score FSL_BULK_SIG 2.500 # limit
tflags FSL_BULK_SIG net publish
##} FSL_BULK_SIG

# Each rule below sits between a "##{ NAME" and a "##} NAME" marker. Where a
# rule is guarded, the guard is repeated in the marker and then opened for
# real on the following line(s). The score lines in this section are all
# commented out.

##{ FSL_CTYPE_WIN1251
# Content-Type declaring charset="Windows-1251"; quoted and case-sensitive
# (the pattern has no /i flag).
header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
##} FSL_CTYPE_WIN1251

##{ FSL_FAKE_HOTMAIL_RVCD
# mx1-mx4.hotmail.com anywhere in X-Spam-Relays-External; the pattern is
# unanchored.
header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
##} FSL_FAKE_HOTMAIL_RVCD

##{ FSL_HELO_BARE_IP_1
# Sub-rule hit, suppressed when ALL_TRUSTED also hits.
meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
##} FSL_HELO_BARE_IP_1

##{ FSL_HELO_DEVICE
# HELO of device.lan, dsldevice.lan or speedtouch.lan.
header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
##} FSL_HELO_DEVICE

##{ FSL_HELO_NON_FQDN_1
# HELO value located before the first ']' of the header and made up only of
# the listed characters, so it contains no dot (the '-' after 0-9 is
# presumably meant literally).
header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
##} FSL_HELO_NON_FQDN_1

##{ FSL_HELO_SETUP
# HELO ending in ".setup".
header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
##} FSL_HELO_SETUP

##{ FSL_INTERIA_ABUSE
# A '/' followed by non-space characters and then .w.interia.pl,
# .eu.interia.pl or .fm.interia.pl.
uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
##} FSL_INTERIA_ABUSE

##{ FSL_NEW_HELO_USER
# Any one of the three __FSL_HELO_USER_* sub-rules is enough.
meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
describe FSL_NEW_HELO_USER Spam's using Helo and User
#score FSL_NEW_HELO_USER 2.0
tflags FSL_NEW_HELO_USER publish
##} FSL_NEW_HELO_USER

# NOTE(review): the FUZZY_* body patterns below contain empty lookaheads
# "(?=)" and, in one case, a run of bare quantifiers ("****+***"). They sit
# inside "ifplugin ...ReplaceTags" guards, so they presumably relied on
# ReplaceTags placeholders that are missing from this copy. As printed, a
# pattern such as /(?=)(?!android)/i matches at almost any position, which
# would flag nearly every message. Take these rules from the original
# ruleset, not from this text, before deploying them.
# Each pattern keeps a negative lookahead such as (?!amazon), so the plain,
# unobfuscated spelling is excluded from the match.

##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_AMAZON /(?:^|\W)(?=)(?!amazon)(?:$|\W)/i
describe FUZZY_AMAZON Obfuscated "amazon"
tflags FUZZY_AMAZON publish
endif
##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_ANDROID /(?=)(?!android)/i
describe FUZZY_ANDROID Obfuscated "android"
tflags FUZZY_ANDROID publish
endif
##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_APPLE /(?:^|\W)(?=)(?!appl[ey])(?:$|\W)/i
describe FUZZY_APPLE Obfuscated "apple"
tflags FUZZY_APPLE publish
endif
##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_BITCOIN /(?=)(?!bit[-\s]?coin)[-\s]?[-\s]?[-\s]?[-\s]?[-\s]?[-\s]?/i
describe FUZZY_BITCOIN Obfuscated "Bitcoin"
tflags FUZZY_BITCOIN publish
endif
##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_BROWSER /(?=)(?!browser)/i
describe FUZZY_BROWSER Obfuscated "browser"
tflags FUZZY_BROWSER publish
endif
##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Needs both FUZZY_BITCOIN and FUZZY_WALLET, so it inherits whatever those
# two body patterns match.
meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET
describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet"
tflags FUZZY_BTC_WALLET publish
endif
##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_CLICK_HERE /(?=)(?!click(?:\s| )here)****+***/i
describe FUZZY_CLICK_HERE Obfuscated "click here"
tflags FUZZY_CLICK_HERE publish
endif
##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML
describe FUZZY_DR_OZ Obfuscated Doctor Oz
tflags FUZZY_DR_OZ publish
endif
##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_FACEBOOK /(?=)(?!fa[ck]ebook)/i
describe FUZZY_FACEBOOK Obfuscated "facebook"
tflags FUZZY_FACEBOOK publish
endif
##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_HARRIS /(?:^|\W)(?=)(?!harris)(?:$|\W)/i
describe FUZZY_HARRIS Obfuscated "Harris"
tflags FUZZY_HARRIS publish
endif
##} FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_IMPORTANT /(?=)(?!important)(?:|)/i
describe FUZZY_IMPORTANT Obfuscated "important"
tflags FUZZY_IMPORTANT publish
endif
##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_MERIDIA /\b(?!meridia)\b/i
describe FUZZY_MERIDIA Obfuscation of the word "meridia"
endif
##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_MICROSOFT /(?=)(?!microsoft)/i
describe FUZZY_MICROSOFT Obfuscated "microsoft"
tflags FUZZY_MICROSOFT publish
endif
##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_MONERO
meta FUZZY_MONERO __FUZZY_MONERO
describe FUZZY_MONERO Obfuscated "Monero"
tflags FUZZY_MONERO publish
##} FUZZY_MONERO

##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_NORTON /(?:^|\W)(?=)(?!norton)(?:$|\W)/i
describe FUZZY_NORTON Obfuscated "norton"
tflags FUZZY_NORTON publish
endif
##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_OVERSTOCK /(?:^|\W)(?=)(?!over[-\s]?stock)[-\s]?(?:$|\W)/i
describe FUZZY_OVERSTOCK Obfuscated "overstock"
tflags FUZZY_OVERSTOCK publish
endif
##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_PAYPAL /(?:^|\W)(?=)(?!pay[-\s]?pal)[-\s]?(?:$|\W)/i
describe FUZZY_PAYPAL Obfuscated "paypal"
tflags FUZZY_PAYPAL publish
endif
##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Suppressed only when __ENV_AND_HDR_FROM_MATCH and __SENDER_BOT hit together.
meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic"
tflags FUZZY_PORN publish
endif
##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_PRIVACY /(?=)(?!privacy)/i
describe FUZZY_PRIVACY Obfuscated "privacy"
tflags FUZZY_PRIVACY publish
endif
##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_PROMOTION /(?=)(?!promotion)/i
describe FUZZY_PROMOTION Obfuscated "promotion"
tflags FUZZY_PROMOTION publish
endif
##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_SAVINGS /(?=)(?!savings)/i
describe FUZZY_SAVINGS Obfuscated "savings"
tflags FUZZY_SAVINGS publish
endif
##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Three plain spellings are excluded here; the last is written as raw bytes
# (\xc3\xa9).
body FUZZY_SECURITY /(?=)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)(?:|)(?:|)/i
describe FUZZY_SECURITY Obfuscated "security"
tflags FUZZY_SECURITY publish
endif
##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_TRUMP /(?:^|\W)(?=)(?!trump)(?:$|\W)/i
describe FUZZY_TRUMP Obfuscated "Trump"
tflags FUZZY_TRUMP publish
endif
##} FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Either the body or the From sub-rule is enough.
meta FUZZY_TRUSTWALLET __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM
describe FUZZY_TRUSTWALLET Obfuscated "Trust Wallet", probable phishing
tflags FUZZY_TRUSTWALLET publish
endif
##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_UNSUBSCRIBE /(?=)(?!unsubscribe)/i
describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
tflags FUZZY_UNSUBSCRIBE publish
endif
##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_WALLET /(?=)(?!wallet)/i
describe FUZZY_WALLET Obfuscated "Wallet"
tflags FUZZY_WALLET publish
endif
##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Either the body or the From sub-rule is enough.
meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
tflags FUZZY_WELLSFARGO publish
endif
##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ GAPPY_HTML
meta GAPPY_HTML __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe GAPPY_HTML HTML body with much useless whitespace
##} GAPPY_HTML

##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
# score GAPPY_SALES_LEADS_FREEM 3.500 # limit
tflags GAPPY_SALES_LEADS_FREEM publish
endif
##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
# Loaded only when the version is at least 4.000000 and
# feature_capture_rules is available.
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
describe GB_CUSTOM_HTM_URI Custom html uri
# score GB_CUSTOM_HTM_URI 1.500 # limit
tflags GB_CUSTOM_HTM_URI publish
endif
endif
##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

##{ GB_FAKE_RF_SHORT
# Requires __THREADED to miss while __GB_FAKE_RF and __URL_SHORTENER both hit.
meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER )
describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
#score GB_FAKE_RF_SHORT 2.000 # limit
tflags GB_FAKE_RF_SHORT publish
##} GB_FAKE_RF_SHORT

##{ GB_FORGED_MUA_POSTFIX
meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
tflags GB_FORGED_MUA_POSTFIX publish
#score GB_FORGED_MUA_POSTFIX 2.0 # limit
##} GB_FORGED_MUA_POSTFIX

##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
# score GB_FREEMAIL_DISPTO 0.50 # limit
tflags GB_FREEMAIL_DISPTO publish
endif
##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
# Same condition as GB_FREEMAIL_DISPTO, with the extra requirement that
# FREEMAIL_FROM does not hit.
meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
endif
##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ GB_GOOGLE_OBFUR
# Anchored at the start only. Matches https://www.google.<2-3 letters>/url?
# with a fixed parameter sequence, an empty q= and a url= parameter that
# carries an http(s) target.
uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/
describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
#score GB_GOOGLE_OBFUR 0.75 # limit
tflags GB_GOOGLE_OBFUR publish
##} GB_GOOGLE_OBFUR

##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::HashBL
# Calls check_hashbl_bodyre with the list name bl.btcblack.it and the
# options raw/max=10/shuffle.
# NOTE(review): this copy loses the rest of the rule after "\b(?": the body
# pattern is cut off, and the remaining directives, the closing endif lines
# and the start of the "##}" marker are missing. What follows on the same
# line looks like the tail of that marker. The rule cannot be used as
# printed.
body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL

##{ GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
# storage.cloud.google.com URL with 4-128 characters of path followed by
# '#' and %{GB_TO_ADDR}; the placeholder is presumably filled from a value
# captured by another rule (confirm against the rule that sets it).
uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
# score GB_STORAGE_GOOGLE_EMAIL 2.000 # limit
tflags GB_STORAGE_GOOGLE_EMAIL publish
endif
endif
##} GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

##{ GEO_QUERY_STRING
# http://[sub.]geocities.com[:port]/<path>/? - a path followed by "/?".
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
##} GEO_QUERY_STRING

##{ GOOGLE_DOCS_PHISH
meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH 3.00 # limit
tflags GOOGLE_DOCS_PHISH publish
##} GOOGLE_DOCS_PHISH

##{ GOOGLE_DOCS_PHISH_MANY
# __URI_GOOGLE_DOC combined with either of the two *_PHISH_MANY sub-rules.
meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
tflags GOOGLE_DOCS_PHISH_MANY publish
##} GOOGLE_DOCS_PHISH_MANY

##{ GOOGLE_DOC_SUSP
# Does not fire when GOOGLE_DOCS_PHISH_MANY already hits.
# NOTE(review): !__RCD_RDNS_SMTP appears twice in this expression; the
# second occurrence is redundant.
meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
#score GOOGLE_DOC_SUSP 3.000 # limit
tflags GOOGLE_DOC_SUSP publish
##} GOOGLE_DOC_SUSP

##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
endif
endif
##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ GOOG_MALWARE_DNLD
meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
describe GOOG_MALWARE_DNLD File download via Google - Malware?
#score GOOG_MALWARE_DNLD 5.000 # limit
tflags GOOG_MALWARE_DNLD publish
##} GOOG_MALWARE_DNLD

##{ GOOG_REDIR_DOCUSIGN
# www.google.com/url? link whose q= parameter points at www.docusign.com.
# Case-insensitive; the pattern starts at "://", so it does not pin the
# scheme of the outer link.
uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
tflags GOOG_REDIR_DOCUSIGN publish
##} GOOG_REDIR_DOCUSIGN

##{ GOOG_REDIR_NORDNS
# Unlike its neighbours, this rule has no "tflags ... publish" line here.
meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
##} GOOG_REDIR_NORDNS

##{ GOOG_REDIR_SHORT
meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
tflags GOOG_REDIR_SHORT publish
##} GOOG_REDIR_SHORT

##{ GOOG_STO_EMAIL_PHISH
# __URI_GOOG_STO_EMAIL plus at least one of the four listed sub-rules.
meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
#score GOOG_STO_EMAIL_PHISH 3.00 # limit
tflags GOOG_STO_EMAIL_PHISH publish
##} GOOG_STO_EMAIL_PHISH

##{ GOOG_STO_HTML_PHISH
meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
#score GOOG_STO_HTML_PHISH 3.00 # limit
tflags GOOG_STO_HTML_PHISH publish
##} GOOG_STO_HTML_PHISH

##{ GOOG_STO_HTML_PHISH_MANY
meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
tflags GOOG_STO_HTML_PHISH_MANY publish
##} GOOG_STO_HTML_PHISH_MANY

# The three GOOG_STO_*IMG*/*HTML rules below all stand down when
# URI_GOOG_STO_SPAMMY or T_URI_GOOG_STO_SUBD_SPAMMY hits.

##{ GOOG_STO_IMG_HTML
meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_IMG_HTML 3.000 # limit
tflags GOOG_STO_IMG_HTML publish
##} GOOG_STO_IMG_HTML

##{ GOOG_STO_IMG_NOHTML
# Needs the sub-rule plus at least one of the six signals in the
# parenthesised group, and none of the listed exclusions.
meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_IMG_NOHTML 2.500 # limit
tflags GOOG_STO_IMG_NOHTML publish
##} GOOG_STO_IMG_NOHTML

##{ GOOG_STO_NOIMG_HTML
meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_NOIMG_HTML 3.000 # limit
tflags GOOG_STO_NOIMG_HTML publish
##} GOOG_STO_NOIMG_HTML

##{ HAS_X_NO_RELAY
meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
describe HAS_X_NO_RELAY Has spammy header
#score HAS_X_NO_RELAY 2.500 # limit
tflags HAS_X_NO_RELAY publish
##} HAS_X_NO_RELAY

##{ HAS_X_OUTGOING_SPAM_STAT
# Sub-rule hit with nine exclusions (mailing-list, auto-reply, threading and
# attachment indicators, judging by their names).
meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
#score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
tflags HAS_X_OUTGOING_SPAM_STAT publish
##} HAS_X_OUTGOING_SPAM_STAT

# HDRS_LCASE is split over three marker blocks: the description first, then
# one meta definition for setups without the FreeMail plugin and one for
# setups with it. The two metas differ only in the extra !__freemail_safe
# term in the FreeMail variant.

##{ HDRS_LCASE
describe HDRS_LCASE Odd capitalization of message header
#score HDRS_LCASE 0.10 # limit
##} HDRS_LCASE

##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)

##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ HDRS_MISSP
# Suppressed for ALL_TRUSTED mail and when __FROM_ALL_HEX and
# __SUBJECT_PRESENT_EMPTY hit together.
meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
describe HDRS_MISSP Misspaced headers
#score HDRS_MISSP 2.500 # limit
tflags HDRS_MISSP publish
##} HDRS_MISSP

# The four HDR_ORDER_FTSDMCXX_* rules share __HDR_ORDER_FTSDMCXXXX and each
# adds one further signal.

##{ HDR_ORDER_FTSDMCXX_001C
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
##} HDR_ORDER_FTSDMCXX_001C

##{ HDR_ORDER_FTSDMCXX_BAT
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
##} HDR_ORDER_FTSDMCXX_BAT

##{ HDR_ORDER_FTSDMCXX_DIRECT
# NOTE(review): the description says "boundary variant", but this
# expression does not reference __BAT_BOUNDARY; the same applies to
# HDR_ORDER_FTSDMCXX_NORDNS below.
meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
tflags HDR_ORDER_FTSDMCXX_DIRECT publish
##} HDR_ORDER_FTSDMCXX_DIRECT

##{ HDR_ORDER_FTSDMCXX_NORDNS
meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
tflags HDR_ORDER_FTSDMCXX_NORDNS publish
##} HDR_ORDER_FTSDMCXX_NORDNS

##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# Counts Subject headers with the range arguments '2' and '999'.
header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
describe HEADER_COUNT_SUBJECT Multiple Subject headers found
endif
##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval

##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
# Three nested guards: FreeMail plugin, HeaderEval plugin and
# version >= 3.004000.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
if (version >= 3.004000)
header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
# score HEADER_FROM_DIFFERENT_DOMAINS 0.25
tflags HEADER_FROM_DIFFERENT_DOMAINS publish
endif
endif
endif
##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)

# The HELO_* header rules below anchor with "^[^\]]+", so the helo= value
# must occur before the first ']' in X-Spam-Relays-External. The trailing
# space in each pattern makes the HELO match exact rather than a prefix.

##{ HELO_FRIEND
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND

##{ HELO_LH_LD
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
##} HELO_LH_LD

##{ HELO_LOCALHOST
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST

##{ HELO_NO_DOMAIN
# Stands down when HELO_LOCALHOST already covers the message.
meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
describe HELO_NO_DOMAIN Relay reports its domain incorrectly
tflags HELO_NO_DOMAIN publish
##} HELO_NO_DOMAIN

##{ HELO_OEM
# HELO of exactly "pc", or any value starting with "oem".
header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
##} HELO_OEM

##{ HEXHASH_WORD
# Compares the value of __HEXHASHWORD_S2EU with 1, so one hit is not enough;
# presumably the sub-rule counts multiple hits (confirm its tflags).
meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
#score HEXHASH_WORD 3.000 # limit
tflags HEXHASH_WORD publish
##} HEXHASH_WORD

##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Content-Transfer-Encoding of exactly "raw" (anchored, case-sensitive).
mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
#score HK_CTE_RAW 2
tflags HK_CTE_RAW publish
endif
##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ HK_LOTTO
meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
#score HK_LOTTO 1
##} HK_LOTTO

##{ HK_NAME_DRUGS
# From display name: "viagra" anywhere, or "cialis" at a word boundary on
# at least one side.
header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
#score HK_NAME_DRUGS 2
##} HK_NAME_DRUGS

# HK_NAME_FM_MR_MRS and HK_NAME_MR_MRS split the same sub-rule by whether
# FREEMAIL_FROM hits, so at most one of them fires for a message.

##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
# score HK_NAME_FM_MR_MRS 1.5
endif
endif
##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
# score HK_NAME_MR_MRS 1.0
endif
endif
##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

# The three HK_RANDOM_* rules apply one identical pattern to EnvelopeFrom,
# From:addr and Reply-To:addr. The leading negative lookahead skips
# addresses that start with mail/bounce plus a separator, whose local part
# contains one of + = ^ ~ # - or a listed token, whose local part is at
# least 26 characters long, or whose domain is on the listed exception set.
# A hit then needs, before the '@', five consecutive letters from the
# listed consonant set, five consecutive vowels, or a 1-2 letter unit
# repeated four times in a row.

##{ HK_RANDOM_ENVFROM
header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
#score HK_RANDOM_ENVFROM 1
tflags HK_RANDOM_ENVFROM publish
##} HK_RANDOM_ENVFROM

##{ HK_RANDOM_FROM
header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_FROM From username looks random
#score HK_RANDOM_FROM 1
tflags HK_RANDOM_FROM publish
##} HK_RANDOM_FROM

##{ HK_RANDOM_REPLYTO
header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_REPLYTO Reply-To username looks random
#score HK_RANDOM_REPLYTO 1
tflags HK_RANDOM_REPLYTO publish
##} HK_RANDOM_REPLYTO

##{ HK_RCVD_IP_MULTICAST
# Relay IP whose first octet is 224-239; the pattern is unanchored, so any
# relay entry in the header can match.
header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
#score HK_RCVD_IP_MULTICAST 2
tflags HK_RCVD_IP_MULTICAST publish
##} HK_RCVD_IP_MULTICAST

##{ HK_SCAM
meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
#score HK_SCAM 2
tflags HK_SCAM publish
##} HK_SCAM

##{ HK_WIN
# Arithmetic meta: the summed __hk_win_* sub-rules must reach at least 2.
meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
#score HK_WIN 1
##} HK_WIN

##{ HOSTED_IMG_DIRECT_MX
meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON
#score HOSTED_IMG_DIRECT_MX 3.500 # limit
describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
tflags HOSTED_IMG_DIRECT_MX publish
##} HOSTED_IMG_DIRECT_MX

##{ HOSTED_IMG_DQ_UNSUB
meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
#score HOSTED_IMG_DQ_UNSUB 3.500 # limit
describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm, CDN or hosting site, IP addr unsub link
tflags HOSTED_IMG_DQ_UNSUB publish
##} HOSTED_IMG_DQ_UNSUB

##{ HOSTED_IMG_FREEM
meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
#score HOSTED_IMG_FREEM 3.500 # limit
describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
tflags HOSTED_IMG_FREEM publish
##} HOSTED_IMG_FREEM

##{ HOSTED_IMG_MULTI
meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL
#score HOSTED_IMG_MULTI 3.000 # limit
describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
tflags HOSTED_IMG_MULTI publish
##} HOSTED_IMG_MULTI

##{ HOSTED_IMG_MULTI_PUB_01
meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO
describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
tflags HOSTED_IMG_MULTI_PUB_01 publish
##} HOSTED_IMG_MULTI_PUB_01

# The HREF_EMPTY_* rules are thin public wrappers: each simply exposes the
# like-named "__" sub-rule.

##{ HREF_EMPTY_NORDNS
meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS
describe HREF_EMPTY_NORDNS Empty href + no rDNS
#score HREF_EMPTY_NORDNS 2.500 # limit
tflags HREF_EMPTY_NORDNS publish
##} HREF_EMPTY_NORDNS

##{ HREF_EMPTY_PHPMAIL
meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL
describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer
#score HREF_EMPTY_PHPMAIL 2.500 # limit
tflags HREF_EMPTY_PHPMAIL publish
##} HREF_EMPTY_PHPMAIL

##{ HREF_EMPTY_XANTIABUSE
meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE
describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse
#score HREF_EMPTY_XANTIABUSE 2.500 # limit
tflags HREF_EMPTY_XANTIABUSE publish
##} HREF_EMPTY_XANTIABUSE

##{ HREF_EMPTY_XAUTHED
meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED
describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender
#score HREF_EMPTY_XAUTHED 2.500 # limit
tflags HREF_EMPTY_XAUTHED publish
##} HREF_EMPTY_XAUTHED

##{ HTML_BADATTR
describe HTML_BADATTR Illegal char in HTML attribute name
# A '/' immediately before src or href inside a tag, within 80 characters of
# the tag name. Lower-case tag and attribute names only (no /i flag).
rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/
#score HTML_BADATTR 1
tflags HTML_BADATTR publish
##} HTML_BADATTR

##{ HTML_ENTITY_ASCII
meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
describe HTML_ENTITY_ASCII Obfuscated ASCII
#score HTML_ENTITY_ASCII 3.000 # limit
tflags HTML_ENTITY_ASCII publish
##} HTML_ENTITY_ASCII

##{ HTML_ENTITY_ASCII_TINY
meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO
describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
#score HTML_ENTITY_ASCII_TINY 3.000 # limit
tflags HTML_ENTITY_ASCII_TINY publish
##} HTML_ENTITY_ASCII_TINY

##{ HTML_FONT_TINY_NORDNS
meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID
describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
#score HTML_FONT_TINY_NORDNS 2.000 # limit
##} HTML_FONT_TINY_NORDNS

##{ HTML_OFF_PAGE
meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe HTML_OFF_PAGE HTML element rendered well off the displayed page
#score HTML_OFF_PAGE 3.000 # limit
tflags HTML_OFF_PAGE publish
##} HTML_OFF_PAGE

##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
tflags HTML_SHRT_CMNT_OBFU_MANY publish
endif
##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ HTML_SINGLET_MANY
meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
describe HTML_SINGLET_MANY Many single-letter HTML format blocks
#score HTML_SINGLET_MANY 2.500 # limit
tflags HTML_SINGLET_MANY publish
##} HTML_SINGLET_MANY

##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
describe HTML_TAG_BALANCE_CENTER Malformatted HTML
endif
##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval

##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# __FONT_INVIS_MANY with eight exclusions, among them two DKIM welcome-list
# signals (__DKIMWL_WL_HI, USER_IN_DEF_DKIM_WL).
meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
tflags HTML_TEXT_INVISIBLE_FONT publish
endif
##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# Hidden-style text alone is not enough: __STY_INVIS_MANY must coincide with
# at least one of the seven signals in the parenthesised group, and none of
# the three trailing exclusions may hit.
meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
tflags HTML_TEXT_INVISIBLE_STYLE publish
endif
##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
# Delegates to the plugin's check_https_http_mismatch eval with the
# arguments '1' and '10'; no describe or tflags line accompanies it here.
body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch

##{ IMG_DIRECT_TO_MX
# All four sub-rules must hit.
meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K
##} IMG_DIRECT_TO_MX

##{ IMG_ONLY_FM_DOM_INFO
meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
#score IMG_ONLY_FM_DOM_INFO 2.500 # limit
tflags IMG_ONLY_FM_DOM_INFO publish
##} IMG_ONLY_FM_DOM_INFO

##{ JH_SPAMMY_HEADERS
# Any one of the six __HAS_* header sub-rules is enough.
meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
#score JH_SPAMMY_HEADERS 3.500 # limit
tflags JH_SPAMMY_HEADERS publish
##} JH_SPAMMY_HEADERS

##{ JH_SPAMMY_PATTERN01
rawbody JH_SPAMMY_PATTERN01 m;.{0,200}]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}