(?:$|\W)/i
describe FUZZY_TRUMP Obfuscated "Trump"
tflags FUZZY_TRUMP publish
endif
##} FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FUZZY_TRUSTWALLET __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM
describe FUZZY_TRUSTWALLET Obfuscated "Trust Wallet", probable phishing
tflags FUZZY_TRUSTWALLET publish
endif
##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_UNSUBSCRIBE /(?=)(?!unsubscribe)/i
describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
tflags FUZZY_UNSUBSCRIBE publish
endif
##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_WALLET /(?=)(?!wallet)/i
describe FUZZY_WALLET Obfuscated "Wallet"
tflags FUZZY_WALLET publish
endif
##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
tflags FUZZY_WELLSFARGO publish
endif
##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ GAPPY_HTML
meta GAPPY_HTML __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe GAPPY_HTML HTML body with much useless whitespace
##} GAPPY_HTML
##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
# score GAPPY_SALES_LEADS_FREEM 3.500 # limit
tflags GAPPY_SALES_LEADS_FREEM publish
endif
##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
describe GB_CUSTOM_HTM_URI Custom html uri
# score GB_CUSTOM_HTM_URI 1.500 # limit
tflags GB_CUSTOM_HTM_URI publish
endif
endif
##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
##{ GB_FAKE_RF_SHORT
meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER )
describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
#score GB_FAKE_RF_SHORT 2.000 # limit
tflags GB_FAKE_RF_SHORT publish
##} GB_FAKE_RF_SHORT
##{ GB_FORGED_MUA_POSTFIX
meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
tflags GB_FORGED_MUA_POSTFIX publish
#score GB_FORGED_MUA_POSTFIX 2.0 # limit
##} GB_FORGED_MUA_POSTFIX
##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
# score GB_FREEMAIL_DISPTO 0.50 # limit
tflags GB_FREEMAIL_DISPTO publish
endif
##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
endif
##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ GB_GOOGLE_OBFUR
uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/
describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
#score GB_GOOGLE_OBFUR 0.75 # limit
tflags GB_GOOGLE_OBFUR publish
##} GB_GOOGLE_OBFUR
##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::HashBL
body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
##{ GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
# score GB_STORAGE_GOOGLE_EMAIL 2.000 # limit
tflags GB_STORAGE_GOOGLE_EMAIL publish
endif
endif
##} GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
##{ GEO_QUERY_STRING
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
##} GEO_QUERY_STRING
##{ GOOGLE_DOCS_PHISH
meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH 3.00 # limit
tflags GOOGLE_DOCS_PHISH publish
##} GOOGLE_DOCS_PHISH
##{ GOOGLE_DOCS_PHISH_MANY
meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
tflags GOOGLE_DOCS_PHISH_MANY publish
##} GOOGLE_DOCS_PHISH_MANY
##{ GOOGLE_DOC_SUSP
meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
#score GOOGLE_DOC_SUSP 3.000 # limit
tflags GOOGLE_DOC_SUSP publish
##} GOOGLE_DOC_SUSP
##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
endif
endif
##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ GOOG_MALWARE_DNLD
meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
describe GOOG_MALWARE_DNLD File download via Google - Malware?
#score GOOG_MALWARE_DNLD 5.000 # limit
tflags GOOG_MALWARE_DNLD publish
##} GOOG_MALWARE_DNLD
##{ GOOG_REDIR_DOCUSIGN
uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
tflags GOOG_REDIR_DOCUSIGN publish
##} GOOG_REDIR_DOCUSIGN
##{ GOOG_REDIR_NORDNS
meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
##} GOOG_REDIR_NORDNS
##{ GOOG_REDIR_SHORT
meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
tflags GOOG_REDIR_SHORT publish
##} GOOG_REDIR_SHORT
##{ GOOG_STO_EMAIL_PHISH
meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
#score GOOG_STO_EMAIL_PHISH 3.00 # limit
tflags GOOG_STO_EMAIL_PHISH publish
##} GOOG_STO_EMAIL_PHISH
##{ GOOG_STO_HTML_PHISH
meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
#score GOOG_STO_HTML_PHISH 3.00 # limit
tflags GOOG_STO_HTML_PHISH publish
##} GOOG_STO_HTML_PHISH
##{ GOOG_STO_HTML_PHISH_MANY
meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
tflags GOOG_STO_HTML_PHISH_MANY publish
##} GOOG_STO_HTML_PHISH_MANY
##{ GOOG_STO_IMG_HTML
meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_IMG_HTML 3.000 # limit
tflags GOOG_STO_IMG_HTML publish
##} GOOG_STO_IMG_HTML
##{ GOOG_STO_IMG_NOHTML
meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_IMG_NOHTML 2.500 # limit
tflags GOOG_STO_IMG_NOHTML publish
##} GOOG_STO_IMG_NOHTML
##{ GOOG_STO_NOIMG_HTML
meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_NOIMG_HTML 3.000 # limit
tflags GOOG_STO_NOIMG_HTML publish
##} GOOG_STO_NOIMG_HTML
##{ HAS_X_NO_RELAY
meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
describe HAS_X_NO_RELAY Has spammy header
#score HAS_X_NO_RELAY 2.500 # limit
tflags HAS_X_NO_RELAY publish
##} HAS_X_NO_RELAY
##{ HAS_X_OUTGOING_SPAM_STAT
meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
#score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
tflags HAS_X_OUTGOING_SPAM_STAT publish
##} HAS_X_OUTGOING_SPAM_STAT
##{ HDRS_LCASE
describe HDRS_LCASE Odd capitalization of message header
#score HDRS_LCASE 0.10 # limit
##} HDRS_LCASE
##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ HDRS_MISSP
meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
describe HDRS_MISSP Misspaced headers
#score HDRS_MISSP 2.500 # limit
tflags HDRS_MISSP publish
##} HDRS_MISSP
##{ HDR_ORDER_FTSDMCXX_001C
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
##} HDR_ORDER_FTSDMCXX_001C
##{ HDR_ORDER_FTSDMCXX_BAT
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
##} HDR_ORDER_FTSDMCXX_BAT
##{ HDR_ORDER_FTSDMCXX_DIRECT
meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
tflags HDR_ORDER_FTSDMCXX_DIRECT publish
##} HDR_ORDER_FTSDMCXX_DIRECT
##{ HDR_ORDER_FTSDMCXX_NORDNS
meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
tflags HDR_ORDER_FTSDMCXX_NORDNS publish
##} HDR_ORDER_FTSDMCXX_NORDNS
##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
describe HEADER_COUNT_SUBJECT Multiple Subject headers found
endif
##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
if (version >= 3.004000)
header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
# score HEADER_FROM_DIFFERENT_DOMAINS 0.25
tflags HEADER_FROM_DIFFERENT_DOMAINS publish
endif
endif
endif
##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
##{ HELO_FRIEND
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND
##{ HELO_LH_LD
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
##} HELO_LH_LD
##{ HELO_LOCALHOST
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST
##{ HELO_NO_DOMAIN
meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
describe HELO_NO_DOMAIN Relay reports its domain incorrectly
tflags HELO_NO_DOMAIN publish
##} HELO_NO_DOMAIN
##{ HELO_OEM
header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
##} HELO_OEM
##{ HEXHASH_WORD
meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
#score HEXHASH_WORD 3.000 # limit
tflags HEXHASH_WORD publish
##} HEXHASH_WORD
##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
#score HK_CTE_RAW 2
tflags HK_CTE_RAW publish
endif
##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ HK_LOTTO
meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
#score HK_LOTTO 1
##} HK_LOTTO
##{ HK_NAME_DRUGS
header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
#score HK_NAME_DRUGS 2
##} HK_NAME_DRUGS
##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
# score HK_NAME_FM_MR_MRS 1.5
endif
endif
##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
# score HK_NAME_MR_MRS 1.0
endif
endif
##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ HK_RANDOM_ENVFROM
header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
#score HK_RANDOM_ENVFROM 1
tflags HK_RANDOM_ENVFROM publish
##} HK_RANDOM_ENVFROM
##{ HK_RANDOM_FROM
header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_FROM From username looks random
#score HK_RANDOM_FROM 1
tflags HK_RANDOM_FROM publish
##} HK_RANDOM_FROM
##{ HK_RANDOM_REPLYTO
header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_REPLYTO Reply-To username looks random
#score HK_RANDOM_REPLYTO 1
tflags HK_RANDOM_REPLYTO publish
##} HK_RANDOM_REPLYTO
##{ HK_RCVD_IP_MULTICAST
header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
#score HK_RCVD_IP_MULTICAST 2
tflags HK_RCVD_IP_MULTICAST publish
##} HK_RCVD_IP_MULTICAST
##{ HK_SCAM
meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
#score HK_SCAM 2
tflags HK_SCAM publish
##} HK_SCAM
##{ HK_WIN
meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
#score HK_WIN 1
##} HK_WIN
##{ HOSTED_IMG_DIRECT_MX
meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON
#score HOSTED_IMG_DIRECT_MX 3.500 # limit
describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
tflags HOSTED_IMG_DIRECT_MX publish
##} HOSTED_IMG_DIRECT_MX
##{ HOSTED_IMG_DQ_UNSUB
meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
#score HOSTED_IMG_DQ_UNSUB 3.500 # limit
describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm, CDN or hosting site, IP addr unsub link
tflags HOSTED_IMG_DQ_UNSUB publish
##} HOSTED_IMG_DQ_UNSUB
##{ HOSTED_IMG_FREEM
meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
#score HOSTED_IMG_FREEM 3.500 # limit
describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
tflags HOSTED_IMG_FREEM publish
##} HOSTED_IMG_FREEM
##{ HOSTED_IMG_MULTI
meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL
#score HOSTED_IMG_MULTI 3.000 # limit
describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
tflags HOSTED_IMG_MULTI publish
##} HOSTED_IMG_MULTI
##{ HOSTED_IMG_MULTI_PUB_01
meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO
describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
tflags HOSTED_IMG_MULTI_PUB_01 publish
##} HOSTED_IMG_MULTI_PUB_01
##{ HREF_EMPTY_NORDNS
meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS
describe HREF_EMPTY_NORDNS Empty href + no rDNS
#score HREF_EMPTY_NORDNS 2.500 # limit
tflags HREF_EMPTY_NORDNS publish
##} HREF_EMPTY_NORDNS
##{ HREF_EMPTY_PHPMAIL
meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL
describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer
#score HREF_EMPTY_PHPMAIL 2.500 # limit
tflags HREF_EMPTY_PHPMAIL publish
##} HREF_EMPTY_PHPMAIL
##{ HREF_EMPTY_XANTIABUSE
meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE
describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse
#score HREF_EMPTY_XANTIABUSE 2.500 # limit
tflags HREF_EMPTY_XANTIABUSE publish
##} HREF_EMPTY_XANTIABUSE
##{ HREF_EMPTY_XAUTHED
meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED
describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender
#score HREF_EMPTY_XAUTHED 2.500 # limit
tflags HREF_EMPTY_XAUTHED publish
##} HREF_EMPTY_XAUTHED
##{ HTML_BADATTR
describe HTML_BADATTR Illegal char in HTML attribute name
rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/
#score HTML_BADATTR 1
tflags HTML_BADATTR publish
##} HTML_BADATTR
##{ HTML_ENTITY_ASCII
meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
describe HTML_ENTITY_ASCII Obfuscated ASCII
#score HTML_ENTITY_ASCII 3.000 # limit
tflags HTML_ENTITY_ASCII publish
##} HTML_ENTITY_ASCII
##{ HTML_ENTITY_ASCII_TINY
meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO
describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
#score HTML_ENTITY_ASCII_TINY 3.000 # limit
tflags HTML_ENTITY_ASCII_TINY publish
##} HTML_ENTITY_ASCII_TINY
##{ HTML_FONT_TINY_NORDNS
meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID
describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
#score HTML_FONT_TINY_NORDNS 2.000 # limit
##} HTML_FONT_TINY_NORDNS
##{ HTML_OFF_PAGE
meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe HTML_OFF_PAGE HTML element rendered well off the displayed page
#score HTML_OFF_PAGE 3.000 # limit
tflags HTML_OFF_PAGE publish
##} HTML_OFF_PAGE
##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
tflags HTML_SHRT_CMNT_OBFU_MANY publish
endif
##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ HTML_SINGLET_MANY
meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
describe HTML_SINGLET_MANY Many single-letter HTML format blocks
#score HTML_SINGLET_MANY 2.500 # limit
tflags HTML_SINGLET_MANY publish
##} HTML_SINGLET_MANY
##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
describe HTML_TAG_BALANCE_CENTER Malformatted HTML
endif
##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
tflags HTML_TEXT_INVISIBLE_FONT publish
endif
##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
tflags HTML_TEXT_INVISIBLE_STYLE publish
endif
##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
##{ IMG_DIRECT_TO_MX
meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K
##} IMG_DIRECT_TO_MX
##{ IMG_ONLY_FM_DOM_INFO
meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
#score IMG_ONLY_FM_DOM_INFO 2.500 # limit
tflags IMG_ONLY_FM_DOM_INFO publish
##} IMG_ONLY_FM_DOM_INFO
##{ JH_SPAMMY_HEADERS
meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
#score JH_SPAMMY_HEADERS 3.500 # limit
tflags JH_SPAMMY_HEADERS publish
##} JH_SPAMMY_HEADERS
##{ JH_SPAMMY_PATTERN01
rawbody JH_SPAMMY_PATTERN01 m;.{0,200}]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200} tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
##} MANY_SPAN_IN_TEXT
##{ MANY_SUBDOM
meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
describe MANY_SUBDOM Lots and lots of subdomain parts in a URI
##} MANY_SUBDOM
##{ MID_DEGREES
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##} MID_DEGREES
##{ MILLION_HUNDRED
body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
describe MILLION_HUNDRED Million "One to Nine" Hundred
tflags MILLION_HUNDRED publish
##} MILLION_HUNDRED
##{ MILLION_USD
body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
describe MILLION_USD Talks about millions of dollars
#score MILLION_USD 2
##} MILLION_USD
##{ MIMEOLE_DIRECT_TO_MX
meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
#score MIMEOLE_DIRECT_TO_MX 2.000 # limit
tflags MIMEOLE_DIRECT_TO_MX publish
##} MIMEOLE_DIRECT_TO_MX
##{ MIME_BOUND_EQ_REL
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
##} MIME_BOUND_EQ_REL
##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
# score MIME_NO_TEXT 2.00 # limit
describe MIME_NO_TEXT No (properly identified) text body parts
tflags MIME_NO_TEXT publish
endif
##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
endif
##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MIXED_AREA_CASE
meta MIXED_AREA_CASE __MIXED_AREA_CASE
describe MIXED_AREA_CASE Has area tag in mixed case
#score MIXED_AREA_CASE 2.500 # limit
tflags MIXED_AREA_CASE publish
##} MIXED_AREA_CASE
##{ MIXED_CENTER_CASE
meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
describe MIXED_CENTER_CASE Has center tag in mixed case
#score MIXED_CENTER_CASE 2.500 # limit
tflags MIXED_CENTER_CASE publish
##} MIXED_CENTER_CASE
##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
describe MIXED_ES Too many es are not es
tflags MIXED_ES publish
# lang pl score MIXED_ES 0.01
# lang cz score MIXED_ES 0.01
# lang sk score MIXED_ES 0.01
# lang hr score MIXED_ES 0.01
# lang el score MIXED_ES 0.01
endif
endif
##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ MIXED_FONT_CASE
meta MIXED_FONT_CASE __MIXED_FONT_CASE
describe MIXED_FONT_CASE Has font tag in mixed case
#score MIXED_FONT_CASE 2.500 # limit
tflags MIXED_FONT_CASE publish
##} MIXED_FONT_CASE
##{ MIXED_HREF_CASE
meta MIXED_HREF_CASE __MIXED_HREF_CASE && !__LYRIS_EZLM_REMAILER && !__HAS_LIST_ID
describe MIXED_HREF_CASE Has href in mixed case
#score MIXED_HREF_CASE 2.000 # limit
tflags MIXED_HREF_CASE publish
##} MIXED_HREF_CASE
##{ MIXED_IMG_CASE
meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
describe MIXED_IMG_CASE Has img tag in mixed case
#score MIXED_IMG_CASE 3.000 # limit
tflags MIXED_IMG_CASE publish
##} MIXED_IMG_CASE
##{ MONERO_DEADLINE
meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
describe MONERO_DEADLINE Monero cryptocurrency with a deadline
#score MONERO_DEADLINE 3.000 # limit
tflags MONERO_DEADLINE publish
##} MONERO_DEADLINE
##{ MONERO_EXTORT_01
meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
#score MONERO_EXTORT_01 5.000 # limit
tflags MONERO_EXTORT_01 publish
##} MONERO_EXTORT_01
##{ MONERO_MALWARE
meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
describe MONERO_MALWARE Monero cryptocurrency + malware bragging
#score MONERO_MALWARE 3.500 # limit
tflags MONERO_MALWARE publish
##} MONERO_MALWARE
##{ MONERO_PAY_ME
meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
describe MONERO_PAY_ME Pay me via Monero cryptocurrency
#score MONERO_PAY_ME 3.000 # limit
tflags MONERO_PAY_ME publish
##} MONERO_PAY_ME
##{ MONEY_ATM_CARD
meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
describe MONEY_ATM_CARD Lots of money on an ATM card
##} MONEY_ATM_CARD
##{ MONEY_FORM
meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
describe MONEY_FORM Lots of money if you fill out a form
##} MONEY_FORM
##{ MONEY_FORM_SHORT
meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
describe MONEY_FORM_SHORT Lots of money if you fill out a short form
#score MONEY_FORM_SHORT 2.500 # limit
##} MONEY_FORM_SHORT
##{ MONEY_FRAUD_3
meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_3 Lots of money and several fraud phrases
tflags MONEY_FRAUD_3 publish
##} MONEY_FRAUD_3
##{ MONEY_FRAUD_5
meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_5 Lots of money and many fraud phrases
tflags MONEY_FRAUD_5 publish
##} MONEY_FRAUD_5
##{ MONEY_FRAUD_8
meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
tflags MONEY_FRAUD_8 publish
##} MONEY_FRAUD_8
##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
# score MONEY_FREEMAIL_REPTO 3.000 # limit
tflags MONEY_FREEMAIL_REPTO publish
endif
##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ MONEY_FROM_41
meta MONEY_FROM_41 __MONEY_FROM_41
describe MONEY_FROM_41 Lots of money from Africa
#score MONEY_FROM_41 2.00 # limit
##} MONEY_FROM_41
##{ MONEY_FROM_MISSP
meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
describe MONEY_FROM_MISSP Lots of money and misspaced From
#score MONEY_FROM_MISSP 2.000 # limit
##} MONEY_FROM_MISSP
##{ MONEY_NOHTML
meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN
describe MONEY_NOHTML Lots of money in plain text
#score MONEY_NOHTML 2.500 # limit
##} MONEY_NOHTML
##{ MSGID_DOLLARS_URI_IMG
meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
#score MSGID_DOLLARS_URI_IMG 3.000 # limit
tflags MSGID_DOLLARS_URI_IMG publish
##} MSGID_DOLLARS_URI_IMG
##{ MSGID_HDR_MALF
meta MSGID_HDR_MALF __HAS_MESSAGEID
describe MSGID_HDR_MALF Has invalid message ID header
#score MSGID_HDR_MALF 3.500 # limit
tflags MSGID_HDR_MALF publish
##} MSGID_HDR_MALF
##{ MSGID_MULTIPLE_AT
header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
#score MSGID_MULTIPLE_AT 0.001
##} MSGID_MULTIPLE_AT
##{ MSM_PRIO_REPTO
meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
#score MSM_PRIO_REPTO 2.500 # limit
tflags MSM_PRIO_REPTO publish
##} MSM_PRIO_REPTO
##{ MSOE_MID_WRONG_CASE
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE
##{ NA_DOLLARS
body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
describe NA_DOLLARS Talks about a million North American dollars
#score NA_DOLLARS 1.5
##} NA_DOLLARS
##{ NEWEGG_IMG_NOT_RCVD_NEGG
meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
##} NEWEGG_IMG_NOT_RCVD_NEGG
##{ NEW_PRODUCTS
meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY
#score NEW_PRODUCTS 1.250 # limit
tflags NEW_PRODUCTS publish
##} NEW_PRODUCTS
##{ NICE_REPLY_A
meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
describe NICE_REPLY_A Looks like a legit reply (A)
tflags NICE_REPLY_A nice
##} NICE_REPLY_A
##{ NORDNS_LOW_CONTRAST
meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED
describe NORDNS_LOW_CONTRAST No rDNS + hidden text
#score NORDNS_LOW_CONTRAST 2.500 # limit
##} NORDNS_LOW_CONTRAST
##{ NOT_SPAM
body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
tflags NOT_SPAM publish
##} NOT_SPAM
##{ NO_FM_NAME_IP_HOSTN
meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
#score NO_FM_NAME_IP_HOSTN 2.500 # limit
tflags NO_FM_NAME_IP_HOSTN publish
##} NO_FM_NAME_IP_HOSTN
##{ NSL_RCVD_FROM_USER
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
##} NSL_RCVD_FROM_USER
##{ NSL_RCVD_HELO_USER
header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User
##} NSL_RCVD_HELO_USER
##{ NULL_IN_BODY
full NULL_IN_BODY /\x00/
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY
##{ OBFU_BITCOIN
meta OBFU_BITCOIN __OBFU_BITCOIN
describe OBFU_BITCOIN Obfuscated BitCoin references
#score OBFU_BITCOIN 3.000 # limit
tflags OBFU_BITCOIN publish
##} OBFU_BITCOIN
##{ OBFU_JVSCR_ESC
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
tflags OBFU_JVSCR_ESC publish
##} OBFU_JVSCR_ESC
##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
tflags OBFU_TEXT_ATTACH publish
endif
##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ OBFU_UNSUB_UL
meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
describe OBFU_UNSUB_UL Obfuscated unsubscribe text
tflags OBFU_UNSUB_UL publish
##} OBFU_UNSUB_UL
##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta ODD_FREEM_REPTO __freemail_mailreplyto
describe ODD_FREEM_REPTO Has unusual reply-to header
# score ODD_FREEM_REPTO 3.000 # limit
tflags ODD_FREEM_REPTO publish
endif
##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
endif
##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
endif
##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PDS_BAD_THREAD_QP_64
meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD
describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP
#score PDS_BAD_THREAD_QP_64 1.0
##} PDS_BAD_THREAD_QP_64
##{ PDS_BTC_ID
meta PDS_BTC_ID __PDS_BTC_ID
describe PDS_BTC_ID FP reduced Bitcoin ID
#score PDS_BTC_ID 0.5
##} PDS_BTC_ID
##{ PDS_BTC_MSGID
meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
#score PDS_BTC_MSGID 1.0
##} PDS_BTC_MSGID
##{ PDS_DBL_URL_LINKBAIT
meta PDS_DBL_URL_LINKBAIT __BODY_URI_ONLY && __PDS_DOUBLE_URL
describe PDS_DBL_URL_LINKBAIT Linkbait double-url
#score PDS_DBL_URL_LINKBAIT 2.5 # limit
##} PDS_DBL_URL_LINKBAIT
##{ PDS_FRNOM_TODOM_DBL_URL
meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
#score PDS_FRNOM_TODOM_DBL_URL 1.5
##} PDS_FRNOM_TODOM_DBL_URL
##{ PDS_FRNOM_TODOM_NAKED_TO
meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN
describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
#score PDS_FRNOM_TODOM_NAKED_TO 1.5
##} PDS_FRNOM_TODOM_NAKED_TO
##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
describe PDS_FROM_2_EMAILS From header has multiple different addresses
# score PDS_FROM_2_EMAILS 3.500 # limit
endif
##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
##{ PDS_FROM_NAME_TO_DOMAIN
meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
#score PDS_FROM_NAME_TO_DOMAIN 2.0
describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
##} PDS_FROM_NAME_TO_DOMAIN
##{ PDS_HELO_SPF_FAIL
meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
#score PDS_HELO_SPF_FAIL 2.0
tflags PDS_HELO_SPF_FAIL net
##} PDS_HELO_SPF_FAIL
##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
#score PDS_OTHER_BAD_TLD 2.0
describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
endif
endif
##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
describe PHISH_ATTACH Attachment filename suspicious, probable phishing
tflags PHISH_ATTACH publish
endif
##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PHISH_AZURE_CLOUDAPP
uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
#score PHISH_AZURE_CLOUDAPP 3.500
tflags PHISH_AZURE_CLOUDAPP publish
##} PHISH_AZURE_CLOUDAPP
##{ PHISH_FBASEAPP
meta PHISH_FBASEAPP __PHISH_FBASE_01
describe PHISH_FBASEAPP Probable phishing via hosted web app
#score PHISH_FBASEAPP 3.000 # limit
tflags PHISH_FBASEAPP publish
##} PHISH_FBASEAPP
##{ PHP_NOVER_MUA
describe PHP_NOVER_MUA Mail from PHP with no version number
#score PHP_NOVER_MUA 3.000 # limit
tflags PHP_NOVER_MUA publish
##} PHP_NOVER_MUA
##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ PHP_ORIG_SCRIPT
meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
describe PHP_ORIG_SCRIPT Sent by bot & other signs
#score PHP_ORIG_SCRIPT 2.500 # limit
tflags PHP_ORIG_SCRIPT publish
##} PHP_ORIG_SCRIPT
##{ PHP_SCRIPT
meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
describe PHP_SCRIPT Sent by PHP script
#score PHP_SCRIPT 2.500 # limit
tflags PHP_SCRIPT publish
##} PHP_SCRIPT
##{ PHP_SCRIPT_MUA
meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
describe PHP_SCRIPT_MUA Sent by PHP script, no version number
#score PHP_SCRIPT_MUA 2.000 # limit
tflags PHP_SCRIPT_MUA publish
##} PHP_SCRIPT_MUA
##{ POSSIBLE_APPLE_PHISH_02
meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA
tflags POSSIBLE_APPLE_PHISH_02 publish
##} POSSIBLE_APPLE_PHISH_02
##{ POSSIBLE_EBAY_PHISH_02
meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA
tflags POSSIBLE_EBAY_PHISH_02 publish
##} POSSIBLE_EBAY_PHISH_02
##{ POSSIBLE_PAYPAL_PHISH_01
meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address
tflags POSSIBLE_PAYPAL_PHISH_01 publish
##} POSSIBLE_PAYPAL_PHISH_01
##{ POSSIBLE_PAYPAL_PHISH_02
meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA
tflags POSSIBLE_PAYPAL_PHISH_02 publish
##} POSSIBLE_PAYPAL_PHISH_02
##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
# score PP_MIME_FAKE_ASCII_TEXT 1.0
tflags PP_MIME_FAKE_ASCII_TEXT publish
endif
endif
##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
# score PP_TOO_MUCH_UNICODE02 0.5
tflags PP_TOO_MUCH_UNICODE02 publish
endif
endif
##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
# score PP_TOO_MUCH_UNICODE05 1.0
tflags PP_TOO_MUCH_UNICODE05 publish
endif
endif
##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
##{ PUMPDUMP
meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
describe PUMPDUMP Pump-and-dump stock scam phrase
#score PUMPDUMP 1.000 # limit
tflags PUMPDUMP publish
##} PUMPDUMP
##{ PUMPDUMP_MULTI
meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
#score PUMPDUMP_MULTI 3.500 # limit
tflags PUMPDUMP_MULTI publish
##} PUMPDUMP_MULTI
##{ PUMPDUMP_TIP
meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
describe PUMPDUMP_TIP Pump-and-dump stock tip
tflags PUMPDUMP_TIP publish
##} PUMPDUMP_TIP
##{ RAND_HEADER_LIST_SPOOF
meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
#score RAND_HEADER_LIST_SPOOF 3.000 # limit
tflags RAND_HEADER_LIST_SPOOF publish
##} RAND_HEADER_LIST_SPOOF
##{ RAND_HEADER_MANY
meta RAND_HEADER_MANY __RAND_HEADER_2
describe RAND_HEADER_MANY Multiple random gibberish message headers
#score RAND_HEADER_MANY 3.000 # limit
tflags RAND_HEADER_MANY publish
##} RAND_HEADER_MANY
##{ RAND_MKTG_HEADER
meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
#score RAND_MKTG_HEADER 2.000 # limit
tflags RAND_MKTG_HEADER publish
##} RAND_MKTG_HEADER
##{ RATWARE_NO_RDNS
meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
#score RATWARE_NO_RDNS 3.000 # limit
##} RATWARE_NO_RDNS
##{ RCVD_BAD_ID
header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
describe RCVD_BAD_ID Received header contains id field with bad characters
##} RCVD_BAD_ID
##{ RCVD_DBL_DQ
header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe RCVD_DBL_DQ Malformatted message header
tflags RCVD_DBL_DQ publish
##} RCVD_DBL_DQ
##{ RCVD_DOTEDU_SHORT
meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
#score RCVD_DOTEDU_SHORT 1.500 # limit
tflags RCVD_DOTEDU_SHORT publish
##} RCVD_DOTEDU_SHORT
##{ RCVD_DOTEDU_SUSP_URI
meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
#score RCVD_DOTEDU_SUSP_URI 3.000 # limit
tflags RCVD_DOTEDU_SUSP_URI publish
##} RCVD_DOTEDU_SUSP_URI
##{ RCVD_FORGED_WROTE
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
##} RCVD_FORGED_WROTE
##{ RCVD_FORGED_WROTE2
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2
##{ RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_COURT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.130')
describe RCVD_IN_IADB_COURT IADB: Court-ordered email
tflags RCVD_IN_IADB_COURT net nice
endif
##} RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
tflags RCVD_IN_IADB_DK net nice
endif
##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DMARC ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DMARC eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.5')
describe RCVD_IN_IADB_DMARC IADB: Sender has DMARC record
tflags RCVD_IN_IADB_DMARC net nice
endif
##} RCVD_IN_IADB_DMARC ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
tflags RCVD_IN_IADB_DOPTIN net nice
endif
##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_ECARD ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ECARD eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.213')
describe RCVD_IN_IADB_ECARD IADB: ecard, e-invitation, or similar e-correspondence service
tflags RCVD_IN_IADB_ECARD net nice
endif
##} RCVD_IN_IADB_ECARD ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_ESP ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ESP eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.214')
describe RCVD_IN_IADB_ESP IADB: Email Service Provider (ESP)
tflags RCVD_IN_IADB_ESP net nice
endif
##} RCVD_IN_IADB_ESP ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LEG_BNPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LEG_BNPROFIT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.110')
describe RCVD_IN_IADB_LEG_BNPROFIT IADB: email sent on behalf of a non-profit organization
tflags RCVD_IN_IADB_LEG_BNPROFIT net nice
endif
##} RCVD_IN_IADB_LEG_BNPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LEG_MAND eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.120')
describe RCVD_IN_IADB_LEG_MAND IADB: Legally mandated email
tflags RCVD_IN_IADB_LEG_MAND net nice
endif
##} RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LEG_NPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LEG_NPROFIT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.100')
describe RCVD_IN_IADB_LEG_NPROFIT IADB: email sent from a non-profit organization
tflags RCVD_IN_IADB_LEG_NPROFIT net nice
endif
##} RCVD_IN_IADB_LEG_NPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
describe RCVD_IN_IADB_LISTED Participates in the IADB system
tflags RCVD_IN_IADB_LISTED net nice
endif
##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
tflags RCVD_IN_IADB_LOOSE net nice
endif
##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
tflags RCVD_IN_IADB_MI_CPEAR net nice
endif
##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
tflags RCVD_IN_IADB_ML_DOPTIN net nice
endif
##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
tflags RCVD_IN_IADB_NOCONTROL net nice
endif
##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
tflags RCVD_IN_IADB_OOO net nice
endif
##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
tflags RCVD_IN_IADB_OPTIN net nice
endif
##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
tflags RCVD_IN_IADB_OPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
tflags RCVD_IN_IADB_OPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
tflags RCVD_IN_IADB_OPTOUTONLY net nice
endif
##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
tflags RCVD_IN_IADB_RDNS net nice
endif
##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
tflags RCVD_IN_IADB_SENDERID net nice
endif
##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SOCIAL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SOCIAL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.211')
describe RCVD_IN_IADB_SOCIAL IADB: social networking service email
tflags RCVD_IN_IADB_SOCIAL net nice
endif
##} RCVD_IN_IADB_SOCIAL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
tflags RCVD_IN_IADB_SPF net nice
endif
##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_TRACK ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_TRACK eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.212')
describe RCVD_IN_IADB_TRACK IADB: email with open and read tracking services
tflags RCVD_IN_IADB_TRACK net nice
endif
##} RCVD_IN_IADB_TRACK ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_URG ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_URG eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.255')
describe RCVD_IN_IADB_URG IADB: time-critical urgent or emergency communications
tflags RCVD_IN_IADB_URG net nice
endif
##} RCVD_IN_IADB_URG ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
tflags RCVD_IN_IADB_UT_CPEAR net nice
endif
##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
endif
##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
##{ RCVD_MAIL_COM
header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
##} RCVD_MAIL_COM
##{ RDNS_LOCALHOST
header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
##} RDNS_LOCALHOST
##{ RDNS_NUM_TLD_ATCHNX
meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
#score RDNS_NUM_TLD_ATCHNX 3.000 # limit
tflags RDNS_NUM_TLD_ATCHNX publish
##} RDNS_NUM_TLD_ATCHNX
##{ RDNS_NUM_TLD_XM
meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
#score RDNS_NUM_TLD_XM 3.000 # limit
tflags RDNS_NUM_TLD_XM publish
##} RDNS_NUM_TLD_XM
##{ REPLYTO_WITHOUT_TO_CC
meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
##} REPLYTO_WITHOUT_TO_CC
##{ REPTO_419_FRAUD
header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler|google_promoaward0?|panyawein|wongshiu_ki))\@163\.com|(?:ray\-thomas7h)\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:support)\@apostlesfoundation\.com|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:traoreahmed)\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:jessica)\@cadencebankdept\.us|(?:hello)\@captnbb\.com|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:duncanttodd)\@centrum\.cz|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)|sama_williams|warren(?:\.buffett19|_edward)))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|freeminds2024|i(?:lanasoloshneor|nfo90000)|joseramonjr1|m(?:hzitafrank0|ynewmission)|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|megaclaimcenter|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@emteslastock\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:a(?:bogado\.antoniopaco|dvancedsegurosespana)|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:customercare)\@findlaycb\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:(?:mmpaulsmith145|t\.fitzgerald))\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:gordoncole)\@gordoncole\.co\.uk|(?:ceo)\@gpromo-team\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:(?:cocacolaofficialprize1|williamsdavid_3r))\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:bo_li)\@imgrantfunds\.com|(?:patrickc)\@inbox\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|off(?:er2021|iceme)|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:baankston)\@instruction\.com|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:wbuk03)\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|info\.federalreserve\.org|johnkofithomas|kateclough1|mriamchombo1968|nancyvee80|philiproger101))\@mail\.com|(?:(?:ayishagddafio?|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:epowerball)\@mailbox\.sk|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:secretservicce8)\@onionmail\.org|(?:info)\@onlinepch\.com|(?:dieterbe451)\@onmail\.com|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:info)\@ousos-elearning\.com|(?:turkish\-air)\@outlook\.com\.tr|(?:schaeffler(?:ariaelisabeth|mariaelisabeth))\@outlook\.de|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:support)\@piraeusegrecebnk\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:(?:martinahrivnakova|united\.globeawardoffice))\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|leyen|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:(?:gmackenzie001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:(?:deputygov_kuben|rcassim\.sarb|vera))\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:olena\.shevchenko)\@shumejda\.co\.uk|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:trevor)\@southernphone\.com\.au|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:bobby\.william)\@tradent\.net|(?:punit)\@traficoanalytica\.com|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:jvona)\@viscom\.net|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|thomaspeter227))\@yahoo\.com\.hk|(?:jessicp1)\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:(?:fortinsandrine|rita_will001))\@yahoo\.fr|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:(?:laprimitivaes|robert166003))\@zohomail\.eu)$/i
describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD 3.000
tflags REPTO_419_FRAUD publish
##} REPTO_419_FRAUD
##{ REPTO_419_FRAUD_AOL
header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|b(?:000137|rajjohn)|f\.2[06]|gneselizabethgiftfoundationssss|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|info\.dieter_charity|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee|uciacorraomanagerbocub|ynnpage44)|m(?:\.francco91|_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|normapatto|o(?:fficework172|xf174)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|w(?:attson\.renwick|ebank244)|yurdaaytarkan5))\@aol\.com$/i
describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL 3.000
tflags REPTO_419_FRAUD_AOL publish
##} REPTO_419_FRAUD_AOL
##{ REPTO_419_FRAUD_AOL_LOOSE
meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL_LOOSE 1.000
tflags REPTO_419_FRAUD_AOL_LOOSE publish
##} REPTO_419_FRAUD_AOL_LOOSE
##{ REPTO_419_FRAUD_CNS
header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|l(?:egacylawfirmdakar|ottomaxclaims7)|m(?:iguel\-pinto|orrisherb)|pchonline|t(?:eo\.westin|he\.trustees1?|offoli\.gauthier|rustees202000)|westernunio(?:n1659|payment\.agent0018)))\@consultant\.com$/i
describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_CNS 3.000
tflags REPTO_419_FRAUD_CNS publish
##} REPTO_419_FRAUD_CNS
##{ REPTO_419_FRAUD_GM
header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|12udubello|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|gent\.laryedwad|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|libya5|sdaughter))|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|phabankofgreecerepublic|ure\.wawrenka1472)|m(?:b(?:\.w\.stuart\.symington|assadormarybethleonardl4)|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rew(?:hawkins735|umehunitedbankforafrica)|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|sistance7agent)|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|yevayawovi190|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01)|uknechtk\.shoreline)|bongo593|c0996013|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|rnard\.arnult01|tsyholden940)|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi|ussambairenepatricia)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:ixaseguros9810001|mluba2017|pinolly|r(?:eisu98|twrighttownhomesllc))|bnatm847|claimsa|e(?:da\.ogada77|li(?:cerez|neroullier(?:200|nm)))|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienk(?:raymond|wongp))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:nellyfrances\.cf|sult(?:matthias|sto\.u)|tactad00[04])|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|u(?:nninghammrssharonloren|stomerservicelacaixa2))|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|ibe718|kaltschmidtmaureend|larbi11|mathers761|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|h(?:ill27676|lexpresscompany176|sdevice)|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomatsshenry))|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|w(?:erneroyer563|ilsonpaul02))|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|owenfrederick|rhamahassan22)|u(?:a1155a|breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|d(?:mundventura689|runity)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:evemusk681|nakgeorge123|zcelic0)|ioncarter\.private)|s(?:sexlss1|therkatherine1960)|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|rahwasam101|tme\.mehmed001)|b(?:589767|lott47)|e(?:deralreservebankdallasdst|lix88995|yzaybrahim)|g0067333|irstbank(?:49(?:666|966)|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|o(?:ropunionbank|undations\.west)|p462558|r(?:a(?:100dub132|n(?:c(?:es(?:\.connelly2|patrickconnolly(?:5050|4))|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|ody2|wangg)|l(?:aurarivera|inpiesie6))))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|n(?:dinternationalmonetary214|gg1w)))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016|yakinson121))|b(?:528796|ill4880)|e(?:n(?:\.ahmedmsksi|eralwilliamstony990)|orge(?:brownhoward02|kwame481)|r(?:aldjhjh11|tjanvlieghe787))|i(?:idp955|lbert12oook|ocastano21)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321)|ritagetrustbank1985)|g(?:8669000|old8080)|heba\.hhassan207|i(?:ldad837|toshurui)|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|orangedor|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:carlos17885|okoh82))|n(?:ahramadanabu|nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c(?:2222222rrr|jgourlt)|e(?:fferydean1960|nn(?:iannjhsonn|ybrown01222)|robtt|ssikasingh4)|j(?:7291634|osvu)|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:a(?:haskel19|thanhaskel377)|esandassociates68|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|y(?:ce00011|mrskone5))|rawlings007|s4fernado|u(?:lie(?:t\.le(?:222|e2222)|watson975)|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|stromjames3|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mckenziejr|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|ndfair\.co\.uk1|onidasresearch|rynne(?:0west99|west(?:2289|5412))|wisrichards378)|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|sa(?:milner001|robin117)|xiung(?:l48|9))|jo(?:bsfoundation|hn6132)|o(?:ganntomas|rrainewirengee|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:\.francco9[14]|a(?:bel\.manaku|ck(?:enzbezos|oliver324)|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00|nnewoosley90)|nacoleman84|opabl26|tinesecurityusa)|k(?:roth456|uses200)|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|s(?:onmanny05|pencer5151)|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz))|xaajn|ydetratt|zerfexi)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|n(?:fin\.gv|tonjustin98)|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|o(?:ham(?:edabdul1717|m(?:adraqab00|daljililati1|edshamekh24))|rienkal30)|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee|tonyelumelu60|wlsonkabore)|7672900|cjames001|d517341|eric(?:franck|schmid4002)|georgeemera|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:isha(?:alqadafi1976|gaddafi62)|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|essicajeffrey3|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|nicolefr1marios|r(?:eem362|obinsanders185|uthsmith9900)|s(?:ar(?:ahbenjamin103|iamirahwulu)|ophiac)|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|vi(?:ktorzubkovv|ncentandrea))|s(?:\.ellagolan56|agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffi(?:c(?:e(?:\.012123|emaill0002|rricherd876|windowterms)|ialserviceuae)|zielllk)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|rabankheadofficelometogo1985|swald\.l(?:\.lewis|ewwis)|xfaminternationa1980)|p(?:a(?:storfrancesco1|tric(?:ia881a|k(?:\.efcc|andfrancessconnolly))|ul(?:eed1969|n8018)|ymentofficer14)|b(?:ph202lay2|rookk0)|e(?:130304|nding(?:redirections|waletsfortrust)|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|illip\.richead218)|i(?:eterstevens511|lz37754)|o(?:lloke|usazgullaume|wellmrwilliam)|r(?:esleybathini1|imecapitalfianceltd|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|sultbox1404|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|i(?:ch(?:a(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|lawandds)|tawilliams4141)|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo|thshoreline))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7|vicperez)|cott(?:henryjames91|peters7989)|e(?:cretservicce[789]|rgeantrobertbrown1|ydouthiebaconsultant)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|i(?:lverlakeconsultant|m(?:lkheng5|onhei47))|l5342743|o(?:fia\.adams201|p(?:adam3|hiajesse41)|u(?:rcingloggs|thwsltd))|p(?:a(?:cex\.inititative|gentrose)|eelman1972)|t(?:anleyjohn1469|e(?:fanopn75|phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy(?:21gill|webster24)|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:am\.spacex02|nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|robins777|zimpro11)|pchronodesk|shikazusendo101)|p2911220|rustfoundationsigridrausing|sfoundation65|tkhan69s)|u(?:ba(?:\.bankofaffican|bank(?:bjplc|headoffice471))|d(?:erleyen52|regwqr)|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|p(?:financeace|jeferrey))|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett(?:398|2))|b(?:271981|6159980|uffetdonationprogram)|c5000dle|d232633|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iam(?:robert3852|smartyrs888)))|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##} REPTO_419_FRAUD_GM
##{ REPTO_419_FRAUD_GM_LOOSE
meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM_LOOSE 1.000
tflags REPTO_419_FRAUD_GM_LOOSE publish
##} REPTO_419_FRAUD_GM_LOOSE
##{ REPTO_419_FRAUD_HM
header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|tlancorp|zezul\.idrisazezulidris)|benarnault0|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|homlandsecdept|infos(?:43|8)|jacques\.bouchex|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|imfu201677|ulihongm)|m(?:oneygrampayfund|pay\-live00924|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.(?:chantal_bill|roselinejac)|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|p(?:atrickmullinfinaceservs|owen10001)|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ilvanatenreyrompc|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##} REPTO_419_FRAUD_HM
##{ REPTO_419_FRAUD_OL
header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|a23423|b(?:rahamwilliamsonrpsltduk|s0000200)|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7))|b(?:a(?:rrmarkphillip|sidris)|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk|race\.manonfoundation)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.(?:coraluttah|olhaoschad)|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|p(?:aul\.walter120|hilcohen0012)|qanejmhffgg|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|ilv(?:anatenreyro0|erlakeconsultantllc)|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##} REPTO_419_FRAUD_OL
##{ REPTO_419_FRAUD_PM
header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_PM 3.000
tflags REPTO_419_FRAUD_PM publish
##} REPTO_419_FRAUD_PM
##{ REPTO_419_FRAUD_QQ
header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|qatarfoundation01|sabrinacrawford000|treasury_deptment0|wang_cjianlin))\@qq\.com$/i
describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_QQ 3.000
tflags REPTO_419_FRAUD_QQ publish
##} REPTO_419_FRAUD_QQ
##{ REPTO_419_FRAUD_YH
header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|ilmohammed11|lesiakalina2006|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.dennis11|william_davies))|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|o(?:mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|iaanesoto190|r(?:\.aminramli|_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:aizaadama2016|bicompensation_funds|ederal\.r73)|g(?:ov\.ukmessageboard|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|netemoon150)|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:\.viktorzubkovv|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2)|o(?:biorahkenneth8|fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|serichard655))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|o(?:ftc2|pheap\.munny)|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
##} REPTO_419_FRAUD_YH
##{ REPTO_419_FRAUD_YH_LOOSE
meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH_LOOSE 1.000
tflags REPTO_419_FRAUD_YH_LOOSE publish
##} REPTO_419_FRAUD_YH_LOOSE
##{ REPTO_419_FRAUD_YJ
header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|b(?:arrevansthomas213|ealife4god)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficefile_0112|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YJ 3.000
tflags REPTO_419_FRAUD_YJ publish
##} REPTO_419_FRAUD_YJ
##{ REPTO_419_FRAUD_YN
header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|irenaa\.georgiadou|j(?:efrey\-dean|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\.kongkea|akram\.elkerrami|s(?:\.elizabeth\.graham2022|percy)))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|ri(?:ncedarren0244|vatemail24))|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i
describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YN 3.000
tflags REPTO_419_FRAUD_YN publish
##} REPTO_419_FRAUD_YN
##{ RISK_FREE
meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
describe RISK_FREE No risk!
##} RISK_FREE
##{ SB_GIF_AND_NO_URIS
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS
##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1
describe SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header
tflags SCC_BOGUS_CTE_1 publish
endif
##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ SCC_CANSPAM_2
describe SCC_CANSPAM_2 Interesting compliance language
body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/
##} SCC_CANSPAM_2
##{ SCC_ISEMM_LID_1
describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware
header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/
tflags SCC_ISEMM_LID_1 publish
#score SCC_ISEMM_LID_1 3.5
##} SCC_ISEMM_LID_1
##{ SCC_ISEMM_LID_1A
describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware
header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/
tflags SCC_ISEMM_LID_1A publish
#score SCC_ISEMM_LID_1A 3.5
##} SCC_ISEMM_LID_1A
##{ SCC_ISEMM_LID_1B
describe SCC_ISEMM_LID_1B Genericized spammer fingerprint
header SCC_ISEMM_LID_1B X-Mailer-LID =~ /(?:[56][0-9],)+/
tflags SCC_ISEMM_LID_1B publish
#score SCC_ISEMM_LID_1B 1.5
##} SCC_ISEMM_LID_1B
##{ SCC_SPAMMER_ADDR_2
describe SCC_SPAMMER_ADDR_2 Fingerprint of a particular spammer
body SCC_SPAMMER_ADDR_2 /6130 W Flamingo Rd/
##} SCC_SPAMMER_ADDR_2
##{ SCC_SPECIAL_GUID
describe SCC_SPECIAL_GUID Unique in a similar way
rawbody SCC_SPECIAL_GUID /^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\1-[[:xdigit:]]{12}$/m
tflags SCC_SPECIAL_GUID publish multiple maxhits=15
##} SCC_SPECIAL_GUID
##{ SCRIPT_GIBBERISH
meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
describe SCRIPT_GIBBERISH Nonsense in HTML