(?:\s*<\/div>)?\s*){10}/i describe AC_DIV_BONANZA Too many divs in a row... spammy template #score AC_DIV_BONANZA 0.001 tflags AC_DIV_BONANZA publish ##} AC_DIV_BONANZA ##{ AC_FROM_MANY_DOTS meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP #score AC_FROM_MANY_DOTS 2.500 # limit describe AC_FROM_MANY_DOTS Multiple periods in From user name tflags AC_FROM_MANY_DOTS publish ##} AC_FROM_MANY_DOTS ##{ AC_HTML_NONSENSE_TAGS rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/ describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam #score AC_HTML_NONSENSE_TAGS 2.0 tflags AC_HTML_NONSENSE_TAGS publish ##} AC_HTML_NONSENSE_TAGS ##{ AC_POST_EXTRAS meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID describe AC_POST_EXTRAS Suspicious URL #score AC_POST_EXTRAS 2.500 # limit tflags AC_POST_EXTRAS publish ##} AC_POST_EXTRAS ##{ AC_SPAMMY_URI_PATTERNS1 meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI) describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS1 4.0 tflags AC_SPAMMY_URI_PATTERNS1 publish ##} AC_SPAMMY_URI_PATTERNS1 ##{ AC_SPAMMY_URI_PATTERNS10 meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS10 4.0 tflags AC_SPAMMY_URI_PATTERNS10 publish ##} AC_SPAMMY_URI_PATTERNS10 ##{ AC_SPAMMY_URI_PATTERNS11 meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS11 4.0 tflags AC_SPAMMY_URI_PATTERNS11 publish ##} AC_SPAMMY_URI_PATTERNS11 ##{ AC_SPAMMY_URI_PATTERNS12 meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI) describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS12 4.0 tflags AC_SPAMMY_URI_PATTERNS12 publish ##} AC_SPAMMY_URI_PATTERNS12 ##{ AC_SPAMMY_URI_PATTERNS2 meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI) describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS2 4.0 tflags AC_SPAMMY_URI_PATTERNS2 publish ##} AC_SPAMMY_URI_PATTERNS2 ##{ AC_SPAMMY_URI_PATTERNS3 meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI) describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS3 4.0 tflags AC_SPAMMY_URI_PATTERNS3 publish ##} AC_SPAMMY_URI_PATTERNS3 ##{ AC_SPAMMY_URI_PATTERNS4 meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS4 4.0 tflags AC_SPAMMY_URI_PATTERNS4 publish ##} AC_SPAMMY_URI_PATTERNS4 ##{ AC_SPAMMY_URI_PATTERNS8 meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS8 4.0 tflags AC_SPAMMY_URI_PATTERNS8 publish ##} AC_SPAMMY_URI_PATTERNS8 ##{ AC_SPAMMY_URI_PATTERNS9 meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI)) describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS9 4.0 tflags AC_SPAMMY_URI_PATTERNS9 publish ##} AC_SPAMMY_URI_PATTERNS9 ##{ ADMAIL meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS describe ADMAIL "admail" and variants tflags ADMAIL publish ##} ADMAIL ##{ ADMITS_SPAM meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB describe ADMITS_SPAM Admits this is an ad tflags ADMITS_SPAM publish ##} ADMITS_SPAM ##{ ADULT_DATING_COMPANY meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO #score ADULT_DATING_COMPANY 10.000 # limit tflags ADULT_DATING_COMPANY publish ##} ADULT_DATING_COMPANY ##{ ADVANCE_FEE_2_NEW_FORM meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form #score ADVANCE_FEE_2_NEW_FORM 2.000 # limit tflags ADVANCE_FEE_2_NEW_FORM publish ##} ADVANCE_FEE_2_NEW_FORM ##{ ADVANCE_FEE_2_NEW_FRM_MNY meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money #score ADVANCE_FEE_2_NEW_FRM_MNY 2.500 tflags ADVANCE_FEE_2_NEW_FRM_MNY publish ##} ADVANCE_FEE_2_NEW_FRM_MNY ##{ ADVANCE_FEE_2_NEW_MONEY meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money #score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit tflags ADVANCE_FEE_2_NEW_MONEY publish ##} ADVANCE_FEE_2_NEW_MONEY ##{ ADVANCE_FEE_3_NEW meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419) #score ADVANCE_FEE_3_NEW 3.5 # limit tflags ADVANCE_FEE_3_NEW publish ##} ADVANCE_FEE_3_NEW ##{ ADVANCE_FEE_3_NEW_FORM meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form tflags ADVANCE_FEE_3_NEW_FORM publish ##} ADVANCE_FEE_3_NEW_FORM ##{ ADVANCE_FEE_3_NEW_FRM_MNY meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money tflags ADVANCE_FEE_3_NEW_FRM_MNY publish ##} ADVANCE_FEE_3_NEW_FRM_MNY ##{ ADVANCE_FEE_3_NEW_MONEY meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money tflags ADVANCE_FEE_3_NEW_MONEY publish ##} ADVANCE_FEE_3_NEW_MONEY ##{ ADVANCE_FEE_4_NEW meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419) tflags ADVANCE_FEE_4_NEW publish ##} ADVANCE_FEE_4_NEW ##{ ADVANCE_FEE_4_NEW_FORM meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form tflags ADVANCE_FEE_4_NEW_FORM publish ##} ADVANCE_FEE_4_NEW_FORM ##{ ADVANCE_FEE_4_NEW_FRM_MNY meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money tflags ADVANCE_FEE_4_NEW_FRM_MNY publish ##} ADVANCE_FEE_4_NEW_FRM_MNY ##{ ADVANCE_FEE_4_NEW_MONEY meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money tflags ADVANCE_FEE_4_NEW_MONEY publish ##} ADVANCE_FEE_4_NEW_MONEY ##{ ADVANCE_FEE_5_NEW meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419) tflags ADVANCE_FEE_5_NEW publish ##} ADVANCE_FEE_5_NEW ##{ ADVANCE_FEE_5_NEW_FORM meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form tflags ADVANCE_FEE_5_NEW_FORM publish ##} ADVANCE_FEE_5_NEW_FORM ##{ ADVANCE_FEE_5_NEW_FRM_MNY meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money tflags ADVANCE_FEE_5_NEW_FRM_MNY publish ##} ADVANCE_FEE_5_NEW_FRM_MNY ##{ ADVANCE_FEE_5_NEW_MONEY meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money tflags ADVANCE_FEE_5_NEW_MONEY publish ##} ADVANCE_FEE_5_NEW_MONEY ##{ AD_PREFS body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i describe AD_PREFS Advertising preferences #score AD_PREFS 0.500 # limit tflags AD_PREFS publish ##} AD_PREFS ##{ ALIBABA_IMG_NOT_RCVD_ALI meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE #score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba tflags ALIBABA_IMG_NOT_RCVD_ALI publish ##} ALIBABA_IMG_NOT_RCVD_ALI ##{ AMAZON_IMG_NOT_RCVD_AMZN meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO #score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon tflags AMAZON_IMG_NOT_RCVD_AMZN publish ##} AMAZON_IMG_NOT_RCVD_AMZN ##{ APOSTROPHE_FROM header APOSTROPHE_FROM From:addr =~ /'/ describe APOSTROPHE_FROM From address contains an apostrophe ##} APOSTROPHE_FROM ##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto # score APP_DEVELOPMENT_FREEM 3.500 # limit tflags APP_DEVELOPMENT_FREEM publish endif ##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS # score APP_DEVELOPMENT_NORDNS 2.000 # limit tflags APP_DEVELOPMENT_NORDNS publish endif ##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ AXB_XMAILER_MIMEOLE_OL_024C2 meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait ##} AXB_XMAILER_MIMEOLE_OL_024C2 ##{ AXB_XMAILER_MIMEOLE_OL_1ECD5 meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5) describe AXB_XMAILER_MIMEOLE_OL_1ECD5 Yet another X header trait##} AXB_XMAILER_MIMEOLE_OL_1ECD5 ##{ BANKING_LAWS body BANKING_LAWS /banking laws/i describe BANKING_LAWS Talks about banking laws ##} BANKING_LAWS ##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body BASE64_LENGTH_78_79 eval:check_base64_length('78','79') endif ##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval describe BASE64_LENGTH_79_INF base64 encoded email part uses line length of 78 or 79 characters body BASE64_LENGTH_79_INF eval:check_base64_length('79') describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters endif ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ BEBEE_IMG_NOT_RCVD_BB meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB #score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee tflags BEBEE_IMG_NOT_RCVD_BB publish ##} BEBEE_IMG_NOT_RCVD_BB ##{ BIGNUM_EMAILS_FREEM meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account #score BIGNUM_EMAILS_FREEM 3.00 # limit tflags BIGNUM_EMAILS_FREEM publish ##} BIGNUM_EMAILS_FREEM ##{ BIGNUM_EMAILS_MANY meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over #score BIGNUM_EMAILS_MANY 3.00 # limit tflags BIGNUM_EMAILS_MANY publish ##} BIGNUM_EMAILS_MANY ##{ BILL_1618 body BILL_1618 /\bUnder Bill\s?s?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i describe BILL_1618 Mentions proposed US law supposedly permitting spamming tflags BILL_1618 publish ##} BILL_1618 ##{ BITCOIN_BOMB meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 describe BITCOIN_BOMB BitCoin + bomb #score BITCOIN_BOMB 3.000 # limit tflags BITCOIN_BOMB publish ##} BITCOIN_BOMB ##{ BITCOIN_DEADLINE meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 describe BITCOIN_DEADLINE BitCoin with a deadline #score BITCOIN_DEADLINE 3.000 # limit tflags BITCOIN_DEADLINE publish ##} BITCOIN_DEADLINE ##{ BITCOIN_EXTORT_01 meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA ) describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin #score BITCOIN_EXTORT_01 5.000 # limit tflags BITCOIN_EXTORT_01 publish ##} BITCOIN_EXTORT_01 ##{ BITCOIN_EXTORT_02 meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin #score BITCOIN_EXTORT_02 5.000 # limit tflags BITCOIN_EXTORT_02 publish ##} BITCOIN_EXTORT_02 ##{ BITCOIN_IMGUR meta BITCOIN_IMGUR __BITCOIN_IMGUR describe BITCOIN_IMGUR Bitcoin + hosted image #score BITCOIN_IMGUR 3.500 # limit tflags BITCOIN_IMGUR publish ##} BITCOIN_IMGUR ##{ BITCOIN_MALWARE meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED describe BITCOIN_MALWARE BitCoin + malware bragging #score BITCOIN_MALWARE 3.500 # limit tflags BITCOIN_MALWARE publish ##} BITCOIN_MALWARE ##{ BITCOIN_OBFU_SUBJ meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject #score BITCOIN_OBFU_SUBJ 3.500 # limit tflags BITCOIN_OBFU_SUBJ publish ##} BITCOIN_OBFU_SUBJ ##{ BITCOIN_ONAN meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01 describe BITCOIN_ONAN BitCoin + [censored] #score BITCOIN_ONAN 3.000 # limit tflags BITCOIN_ONAN publish ##} BITCOIN_ONAN ##{ BITCOIN_PAY_ME meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 describe BITCOIN_PAY_ME Pay me via BitCoin #score BITCOIN_PAY_ME 3.000 # limit tflags BITCOIN_PAY_ME publish ##} BITCOIN_PAY_ME ##{ BITCOIN_SPAM_01 meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG describe BITCOIN_SPAM_01 BitCoin spam pattern 01 #score BITCOIN_SPAM_01 2.500 # limit tflags BITCOIN_SPAM_01 publish ##} BITCOIN_SPAM_01 ##{ BITCOIN_SPAM_02 meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID describe BITCOIN_SPAM_02 BitCoin spam pattern 02 #score BITCOIN_SPAM_02 2.500 # limit tflags BITCOIN_SPAM_02 publish ##} BITCOIN_SPAM_02 ##{ BITCOIN_SPAM_03 meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ describe BITCOIN_SPAM_03 BitCoin spam pattern 03 #score BITCOIN_SPAM_03 2.500 # limit tflags BITCOIN_SPAM_03 publish ##} BITCOIN_SPAM_03 ##{ BITCOIN_SPAM_04 meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto describe BITCOIN_SPAM_04 BitCoin spam pattern 04 #score BITCOIN_SPAM_04 1.500 # limit tflags BITCOIN_SPAM_04 publish ##} BITCOIN_SPAM_04 ##{ BITCOIN_SPAM_05 meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO describe BITCOIN_SPAM_05 BitCoin spam pattern 05 #score BITCOIN_SPAM_05 2.500 # limit tflags BITCOIN_SPAM_05 net publish ##} BITCOIN_SPAM_05 ##{ BITCOIN_SPAM_06 meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET describe BITCOIN_SPAM_06 BitCoin spam pattern 06 #score BITCOIN_SPAM_06 1.500 # limit tflags BITCOIN_SPAM_06 publish ##} BITCOIN_SPAM_06 ##{ BITCOIN_SPAM_07 meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS describe BITCOIN_SPAM_07 BitCoin spam pattern 07 #score BITCOIN_SPAM_07 3.500 # limit tflags BITCOIN_SPAM_07 publish ##} BITCOIN_SPAM_07 ##{ BITCOIN_SPAM_08 meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ describe BITCOIN_SPAM_08 BitCoin spam pattern 08 #score BITCOIN_SPAM_08 2.500 # limit tflags BITCOIN_SPAM_08 publish ##} BITCOIN_SPAM_08 ##{ BITCOIN_SPAM_09 meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) describe BITCOIN_SPAM_09 BitCoin spam pattern 09 #score BITCOIN_SPAM_09 1.500 # limit tflags BITCOIN_SPAM_09 publish ##} BITCOIN_SPAM_09 ##{ BITCOIN_SPAM_10 meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) describe BITCOIN_SPAM_10 BitCoin spam pattern 10 #score BITCOIN_SPAM_10 2.500 # limit tflags BITCOIN_SPAM_10 publish ##} BITCOIN_SPAM_10 ##{ BITCOIN_SPAM_11 meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU describe BITCOIN_SPAM_11 BitCoin spam pattern 11 #score BITCOIN_SPAM_11 2.500 # limit tflags BITCOIN_SPAM_11 publish ##} BITCOIN_SPAM_11 ##{ BITCOIN_SPAM_12 meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY describe BITCOIN_SPAM_12 BitCoin spam pattern 12 #score BITCOIN_SPAM_12 2.500 # limit tflags BITCOIN_SPAM_12 publish ##} BITCOIN_SPAM_12 ##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID tflags BITCOIN_SPF_ONLYALL net publish describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF #score BITCOIN_SPF_ONLYALL 2.0 # limit endif endif ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ BITCOIN_TOEQFM meta BITCOIN_TOEQFM __BITCOIN_TOEQFM describe BITCOIN_TOEQFM Bitcoin + To same as From #score BITCOIN_TOEQFM 3.500 # limit ##} BITCOIN_TOEQFM ##{ BITCOIN_VISTA meta BITCOIN_VISTA __BITCOIN && __VISTA_MSGID describe BITCOIN_VISTA Bitcoin + old MSFT msgid format #score BITCOIN_VISTA 3.500 # limit ##} BITCOIN_VISTA ##{ BITCOIN_WFH_01 meta BITCOIN_WFH_01 __BITCOIN_WFH_01 describe BITCOIN_WFH_01 Work-from-Home + bitcoin tflags BITCOIN_WFH_01 publish ##} BITCOIN_WFH_01 ##{ BITCOIN_XPRIO meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY describe BITCOIN_XPRIO Bitcoin + priority #score BITCOIN_XPRIO 2.500 # limit ##} BITCOIN_XPRIO ##{ BITCOIN_YOUR_INFO meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01 describe BITCOIN_YOUR_INFO BitCoin with your personal info #score BITCOIN_YOUR_INFO 3.000 # limit tflags BITCOIN_YOUR_INFO publish ##} BITCOIN_YOUR_INFO ##{ BODY_EMAIL_419_FRAUD_GM meta BODY_EMAIL_419_FRAUD_GM __BODY_EMAIL_419_FRAUD_GM && !REPTO_419_FRAUD_GM && !__HAS_IN_REPLY_TO describe BODY_EMAIL_419_FRAUD_GM Email address in body is likely advance fee fraud collector mailbox #score BODY_EMAIL_419_FRAUD_GM 2.500 ##} BODY_EMAIL_419_FRAUD_GM ##{ BODY_URI_ONLY meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image #score BODY_URI_ONLY 3.000 # limit tflags BODY_URI_ONLY publish ##} BODY_URI_ONLY ##{ BOGUS_MIME_VERSION meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER #score BOGUS_MIME_VERSION 3.500 # limit describe BOGUS_MIME_VERSION Mime version header is bogus tflags BOGUS_MIME_VERSION publish ##} BOGUS_MIME_VERSION ##{ BOGUS_MSM_HDRS meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers #score BOGUS_MSM_HDRS 3.000 # limit tflags BOGUS_MSM_HDRS publish ##} BOGUS_MSM_HDRS ##{ BOMB_FREEM meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto describe BOMB_FREEM Bomb + freemail #score BOMB_FREEM 2.000 # limit tflags BOMB_FREEM publish ##} BOMB_FREEM ##{ BOMB_MONEY meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) describe BOMB_MONEY Bomb + money: bomb threat? #score BOMB_MONEY 2.500 # limit tflags BOMB_MONEY publish ##} BOMB_MONEY ##{ BTC_ORG describe BTC_ORG Bitcoin wallet ID + unusual header #score BTC_ORG 2.500 # limit ##} BTC_ORG ##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST endif ##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED endif ##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD tflags BULK_RE_SUSP_NTLD publish describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD #score BULK_RE_SUSP_NTLD 1.0 # limit endif endif ##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ CANT_SEE_AD meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB describe CANT_SEE_AD You really want to see our spam. #score CANT_SEE_AD 2.500 # limit tflags CANT_SEE_AD publish ##} CANT_SEE_AD ##{ CN_B2B_SPAMMER body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i describe CN_B2B_SPAMMER Chinese company introducing itself tflags CN_B2B_SPAMMER publish ##} CN_B2B_SPAMMER ##{ COMMENT_GIBBERISH meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT describe COMMENT_GIBBERISH Nonsense in long HTML comment #score COMMENT_GIBBERISH 1.50 # limit tflags COMMENT_GIBBERISH publish ##} COMMENT_GIBBERISH ##{ COMPENSATION describe COMPENSATION "Compensation" #score COMPENSATION 1.50 # limit ##} COMPENSATION ##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD endif ##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE endif ##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ CONTENT_AFTER_HTML meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 ) describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs #score CONTENT_AFTER_HTML 2.500 # limit tflags CONTENT_AFTER_HTML publish ##} CONTENT_AFTER_HTML ##{ CONTENT_AFTER_HTML_WEAK meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag #score CONTENT_AFTER_HTML_WEAK 1.500 # limit tflags CONTENT_AFTER_HTML_WEAK publish ##} CONTENT_AFTER_HTML_WEAK ##{ CORRUPT_FROM_LINE_IN_HDRS meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish #score CORRUPT_FROM_LINE_IN_HDRS 0.001 ##} CORRUPT_FROM_LINE_IN_HDRS ##{ CTE_8BIT_MISMATCH meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS) describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees #score CTE_8BIT_MISMATCH 1 tflags CTE_8BIT_MISMATCH publish ##} CTE_8BIT_MISMATCH ##{ CTYPE_001C_A meta CTYPE_001C_A (0) # obsolete ##} CTYPE_001C_A ##{ CTYPE_001C_B header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ ##} CTYPE_001C_B ##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) endif ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ CURR_PRICE body CURR_PRICE /\bCurrent Price:/ ##} CURR_PRICE ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta DAY_I_EARNED __DAY_I_EARNED >= 3 # score DAY_I_EARNED 3.000 # limit describe DAY_I_EARNED Work-at-home spam tflags DAY_I_EARNED publish endif ##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ DEAR_BENEFICIARY body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i describe DEAR_BENEFICIARY Dear Beneficiary: ##} DEAR_BENEFICIARY ##{ DEAR_NOBODY rawbody DEAR_NOBODY /^\s*Dear\b[^a-zA-Z]{1,70}\n/mi describe DEAR_NOBODY Message contains Dear but with no name ##} DEAR_NOBODY ##{ DEAR_WINNER body DEAR_WINNER /\bdear.{1,20}winner/i describe DEAR_WINNER Spam with generic salutation of "dear winner" ##} DEAR_WINNER ##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_BL __DKIMWL_WL_BL tflags DKIMWL_BL net publish describe DKIMWL_BL DKIMwl.org - Blocked sender #score DKIMWL_BL 3.0 # limit endif ##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_BLOCKED __DKIMWL_BLOCKED tflags DKIMWL_BLOCKED net publish describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. #score DKIMWL_BLOCKED 0.001 # limit endif ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) tflags DKIMWL_WL_HIGH net nice publish describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender #score DKIMWL_WL_HIGH -3.0 # limit endif ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MED net nice publish describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender #score DKIMWL_WL_MED -0.5 # limit endif ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MEDHI net nice publish describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender #score DKIMWL_WL_MEDHI -1.0 # limit endif ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DOS_ANAL_SPAM_MAILER header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam tflags DOS_ANAL_SPAM_MAILER publish ##} DOS_ANAL_SPAM_MAILER ##{ DOS_BODY_HIGH_NO_MID meta DOS_BODY_HIGH_NO_MID __HIGHBITS && MISSING_MID describe DOS_BODY_HIGH_NO_MID High bit body and no message ID header ##} DOS_BODY_HIGH_NO_MID ##{ DOS_DEREK_AUG08 meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) ##} DOS_DEREK_AUG08 ##{ DOS_FIX_MY_URI meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam ##} DOS_FIX_MY_URI ##{ DOS_HIGH_BAT_TO_MX meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits ##} DOS_HIGH_BAT_TO_MX ##{ DOS_LET_GO_JOB meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! ##} DOS_LET_GO_JOB ##{ DOS_OE_TO_MX meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE describe DOS_OE_TO_MX Delivered direct to MX with OE headers ##} DOS_OE_TO_MX ##{ DOS_OE_TO_MX_IMAGE meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image ##} DOS_OE_TO_MX_IMAGE ##{ DOS_OUTLOOK_TO_MX meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers ##} DOS_OUTLOOK_TO_MX ##{ DOS_RCVD_IP_TWICE_C header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/ describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) ##} DOS_RCVD_IP_TWICE_C ##{ DOS_STOCK_BAT meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) describe DOS_STOCK_BAT Probable pump and dump stock spam ##} DOS_STOCK_BAT ##{ DOS_STOCK_BAT2 meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) ##} DOS_STOCK_BAT2 ##{ DOS_URI_ASTERISK uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} describe DOS_URI_ASTERISK Found an asterisk in a URI ##} DOS_URI_ASTERISK ##{ DOS_YOUR_PLACE meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) describe DOS_YOUR_PLACE Russian dating spam ##} DOS_YOUR_PLACE ##{ DOTGOV_IMAGE meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS describe DOTGOV_IMAGE .gov URI + hosted image #score DOTGOV_IMAGE 3.000 # limit tflags DOTGOV_IMAGE publish ##} DOTGOV_IMAGE ##{ DRUGS_HDIA header DRUGS_HDIA Subject =~ /\bhoodia\b/i describe DRUGS_HDIA Subject mentions "hoodia" ##} DRUGS_HDIA ##{ DSN_NO_MIMEVERSION meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION) describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header #score DSN_NO_MIMEVERSION 2 ##} DSN_NO_MIMEVERSION ##{ DUP_SUSP_HDR meta DUP_SUSP_HDR __DUP_SUSP_HDR describe DUP_SUSP_HDR Duplicate suspicious message headers #score DUP_SUSP_HDR 2.500 # limit ##} DUP_SUSP_HDR ##{ DX_TEXT_02 body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i describe DX_TEXT_02 "change your message stat" tflags DX_TEXT_02 publish ##} DX_TEXT_02 ##{ DX_TEXT_03 body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ describe DX_TEXT_03 "XXX Media Group" tflags DX_TEXT_03 publish ##} DX_TEXT_03 ##{ DYNAMIC_IMGUR meta DYNAMIC_IMGUR __DYNAMIC_IMGUR describe DYNAMIC_IMGUR dynamic IP + hosted image #score DYNAMIC_IMGUR 4.000 # limit tflags DYNAMIC_IMGUR publish ##} DYNAMIC_IMGUR ##{ DYN_RDNS_AND_INLINE_IMAGE meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS ##} DYN_RDNS_AND_INLINE_IMAGE ##{ DYN_RDNS_SHORT_HELO_HTML meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML ##} DYN_RDNS_SHORT_HELO_HTML ##{ DYN_RDNS_SHORT_HELO_IMAGE meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image ##} DYN_RDNS_SHORT_HELO_IMAGE ##{ EBAY_IMG_NOT_RCVD_EBAY meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay tflags EBAY_IMG_NOT_RCVD_EBAY publish ##} EBAY_IMG_NOT_RCVD_EBAY ##{ EMRCP body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i describe EMRCP "Excess Maximum Return Capital Profit" scam tflags EMRCP publish ##} EMRCP ##{ ENCRYPTED_MESSAGE meta ENCRYPTED_MESSAGE __CT_ENCRYPTED describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam #score ENCRYPTED_MESSAGE -1.000 tflags ENCRYPTED_MESSAGE nice publish ##} ENCRYPTED_MESSAGE ##{ END_FUTURE_EMAILS describe END_FUTURE_EMAILS Spammy unsubscribe #score END_FUTURE_EMAILS 2.500 # limit ##} END_FUTURE_EMAILS ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER endif ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED endif ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ ENVFROM_GOOG_TRIX meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY describe ENVFROM_GOOG_TRIX From suspicious Google subdomain #score ENVFROM_GOOG_TRIX 3.000 # limit tflags ENVFROM_GOOG_TRIX publish ##} ENVFROM_GOOG_TRIX ##{ EXCUSE_24 body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i describe EXCUSE_24 Claims you wanted this ad ##} EXCUSE_24 ##{ FACEBOOK_IMG_NOT_RCVD_FB meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP #score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook tflags FACEBOOK_IMG_NOT_RCVD_FB publish ##} FACEBOOK_IMG_NOT_RCVD_FB ##{ FAKE_REPLY_C meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) ##} FAKE_REPLY_C ##{ FBI_MONEY meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY describe FBI_MONEY The FBI wants to give you lots of money? #score FBI_MONEY 2.00 # limit tflags FBI_MONEY publish ##} FBI_MONEY ##{ FBI_SPOOF meta FBI_SPOOF __FBI_SPOOF describe FBI_SPOOF Claims to be FBI, but not from FBI domain #score FBI_SPOOF 2.00 # limit tflags FBI_SPOOF publish ##} FBI_SPOOF ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML describe FILL_THIS_FORM Fill in a form with personal information tflags FILL_THIS_FORM publish endif ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE describe FILL_THIS_FORM_LOAN Answer loan question(s) # score FILL_THIS_FORM_LOAN 2.0 endif ##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX describe FONT_INVIS_DIRECT Invisible text + direct-to-MX # score FONT_INVIS_DIRECT 3.500 # limit tflags FONT_INVIS_DIRECT publish endif ##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID describe FONT_INVIS_DOTGOV Invisible text + .gov URI # score FONT_INVIS_DOTGOV 3.500 # limit tflags FONT_INVIS_DOTGOV publish endif ##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML # score FONT_INVIS_HTML_NOHTML 3.000 # limit tflags FONT_INVIS_HTML_NOHTML publish endif ##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET describe FONT_INVIS_LONG_LINE Invisible text + long lines # score FONT_INVIS_LONG_LINE 3.000 # limit tflags FONT_INVIS_LONG_LINE publish endif ##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA describe FONT_INVIS_MSGID Invisible text + suspicious message ID # score FONT_INVIS_MSGID 2.500 # limit tflags FONT_INVIS_MSGID publish endif ##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER describe FONT_INVIS_NORDNS Invisible text + no rDNS # score FONT_INVIS_NORDNS 2.500 # limit tflags FONT_INVIS_NORDNS publish endif ##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI # score FONT_INVIS_POSTEXTRAS 3.500 # limit tflags FONT_INVIS_POSTEXTRAS publish endif ##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ FORGED_SPF_HELO meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS ##} FORGED_SPF_HELO ##{ FORM_FRAUD meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK describe FORM_FRAUD Fill a form and a fraud phrase #score FORM_FRAUD 1.000 # limit tflags FORM_FRAUD publish ##} FORM_FRAUD ##{ FORM_FRAUD_3 meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED describe FORM_FRAUD_3 Fill a form and several fraud phrases tflags FORM_FRAUD_3 publish ##} FORM_FRAUD_3 ##{ FORM_FRAUD_5 meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE describe FORM_FRAUD_5 Fill a form and many fraud phrases tflags FORM_FRAUD_5 publish ##} FORM_FRAUD_5 ##{ FOUND_YOU meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO #score FOUND_YOU 3.25 # limit describe FOUND_YOU I found you... tflags FOUND_YOU publish ##} FOUND_YOU ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different # score FREEMAIL_FORGED_FROMDOMAIN 0.25 tflags FREEMAIL_FORGED_FROMDOMAIN publish endif endif endif ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ##{ FREEMAIL_WFH_01 meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 describe FREEMAIL_WFH_01 Work-from-Home + freemail tflags FREEMAIL_WFH_01 publish ##} FREEMAIL_WFH_01 ##{ FREEM_FRNUM_UNICD_EMPTY meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit tflags FREEM_FRNUM_UNICD_EMPTY publish ##} FREEM_FRNUM_UNICD_EMPTY ##{ FRNAME_IN_MSG_XPRIO_NO_SUB meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish ##} FRNAME_IN_MSG_XPRIO_NO_SUB ##{ FROM_ADDR_WS meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL describe FROM_ADDR_WS Malformed From address #score FROM_ADDR_WS 3.000 # limit tflags FROM_ADDR_WS publish ##} FROM_ADDR_WS ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) tflags FROM_BANK_NOAUTH publish net describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM #score FROM_BANK_NOAUTH 1.0 # limit endif endif ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. tflags FROM_FMBLA_NDBLOCKED net publish #score FROM_FMBLA_NDBLOCKED 0.001 # limit endif endif ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days tflags FROM_FMBLA_NEWDOM net #score FROM_FMBLA_NEWDOM 1.5 # limit endif endif ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days tflags FROM_FMBLA_NEWDOM14 publish net #score FROM_FMBLA_NEWDOM14 1.0 # limit endif endif ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days tflags FROM_FMBLA_NEWDOM28 net publish #score FROM_FMBLA_NEWDOM28 0.8 # limit endif endif ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV tflags FROM_GOV_DKIM_AU net nice publish describe FROM_GOV_DKIM_AU From Government address and DKIM signed #score FROM_GOV_DKIM_AU -1.0 # limit endif endif ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU tflags FROM_GOV_REPLYTO_FREEMAIL net publish describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL #score FROM_GOV_REPLYTO_FREEMAIL 2.0 endif endif ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED) tflags FROM_GOV_SPOOF net publish describe FROM_GOV_SPOOF From Government domain but matches SPOOFED #score FROM_GOV_SPOOF 1.0 # limit endif endif ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_IN_TO_AND_SUBJ meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID describe FROM_IN_TO_AND_SUBJ From address is in To and Subject tflags FROM_IN_TO_AND_SUBJ publish ##} FROM_IN_TO_AND_SUBJ ##{ FROM_LONG_DOM meta FROM_LONG_DOM __FROM_LONG_DOM && !FROM_LONG_DOM_MINFP describe FROM_LONG_DOM Absurdly long From domain name #score FROM_LONG_DOM 1.500 # limit tflags FROM_LONG_DOM publish ##} FROM_LONG_DOM ##{ FROM_LONG_DOM_MINFP meta FROM_LONG_DOM_MINFP __FROM_LONG_DOM && !__RCD_RDNS_MAIL_MESSY && !__ENV_AND_HDR_FROM_MATCH describe FROM_LONG_DOM_MINFP Absurdly long From domain name, suspicious relays #score FROM_LONG_DOM_MINFP 2.500 # limit tflags FROM_LONG_DOM_MINFP publish ##} FROM_LONG_DOM_MINFP ##{ FROM_MISSPACED meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA describe FROM_MISSPACED From: missing whitespace #score FROM_MISSPACED 2.00 ##} FROM_MISSPACED ##{ FROM_MISSP_DYNIP meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS ##} FROM_MISSP_DYNIP ##{ FROM_MISSP_EH_MATCH meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA describe FROM_MISSP_EH_MATCH From misspaced, matches envelope #score FROM_MISSP_EH_MATCH 2.00 # max ##} FROM_MISSP_EH_MATCH ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA describe FROM_MISSP_FREEMAIL From misspaced + freemail provider endif ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ FROM_MISSP_MSFT meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool ##} FROM_MISSP_MSFT ##{ FROM_MISSP_PHISH meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish #score FROM_MISSP_PHISH 3.500 # limit ##} FROM_MISSP_PHISH ##{ FROM_MISSP_REPLYTO meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB describe FROM_MISSP_REPLYTO From misspaced, has Reply-To #score FROM_MISSP_REPLYTO 2.500 # limit ##} FROM_MISSP_REPLYTO ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) tflags FROM_MISSP_SPF_FAIL net # score FROM_MISSP_SPF_FAIL 2.00 # limit endif ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ FROM_MISSP_TO_UNDISC meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed ##} FROM_MISSP_TO_UNDISC ##{ FROM_MISSP_USER meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) describe FROM_MISSP_USER From misspaced, from "User" ##} FROM_MISSP_USER ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID #score FROM_NEWDOM_BTC 2.0 # limit tflags FROM_NEWDOM_BTC net endif endif ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY tflags FROM_NTLD_LINKBAIT publish describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI #score FROM_NTLD_LINKBAIT 2.0 # limit endif endif ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD tflags FROM_NTLD_REPLY_FREEMAIL publish describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit endif endif ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit tflags FROM_NUMBERO_NEWDOMAIN net publish endif endif ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) tflags FROM_PAYPAL_SPOOF publish net describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED #score FROM_PAYPAL_SPOOF 1.6 # limit endif endif ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD tflags FROM_SUSPICIOUS_NTLD publish describe FROM_SUSPICIOUS_NTLD From abused NTLD #score FROM_SUSPICIOUS_NTLD 0.5 # limit endif endif ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST tflags FROM_SUSPICIOUS_NTLD_FP publish describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit endif endif ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_UNBAL1 header FROM_UNBAL1 From:raw =~ / < [^>]* $/xm describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing ##} FROM_UNBAL1 ##{ FROM_UNBAL2 header FROM_UNBAL2 From:raw =~ /^ [^<]* > /xm describe FROM_UNBAL2 From with unbalanced angle brackets, '<' missing ##} FROM_UNBAL2 ##{ FROM_WSP_TRAIL header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field ##} FROM_WSP_TRAIL ##{ FSL_BULK_SIG meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 # && !__RCVD_IN_DNSWL describe FSL_BULK_SIG Bulk signature with no Unsubscribe #score FSL_BULK_SIG 2.500 # limit tflags FSL_BULK_SIG net publish ##} FSL_BULK_SIG ##{ FSL_CTYPE_WIN1251 header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/ describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam ##} FSL_CTYPE_WIN1251 ##{ FSL_FAKE_HOTMAIL_RVCD header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ ##} FSL_FAKE_HOTMAIL_RVCD ##{ FSL_HAS_TINYURL uri FSL_HAS_TINYURL /tinyurl\.com\// ##} FSL_HAS_TINYURL ##{ FSL_HELO_BARE_IP_1 meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED ##} FSL_HELO_BARE_IP_1 ##{ FSL_HELO_BARE_IP_2 meta FSL_HELO_BARE_IP_2 __FSL_HELO_BARE_IP_2 && !FSL_HELO_BARE_IP_1 && !__VIA_ML && !__HAS_ERRORS_TO ##} FSL_HELO_BARE_IP_2 ##{ FSL_HELO_DEVICE header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i ##} FSL_HELO_DEVICE ##{ FSL_HELO_NON_FQDN_1 header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i ##} FSL_HELO_NON_FQDN_1 ##{ FSL_HELO_SETUP header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i ##} FSL_HELO_SETUP ##{ FSL_INTERIA_ABUSE uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/ ##} FSL_INTERIA_ABUSE ##{ FSL_NEW_HELO_USER meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3) describe FSL_NEW_HELO_USER Spam's using Helo and User #score FSL_NEW_HELO_USER 2.0 tflags FSL_NEW_HELO_USER publish ##} FSL_NEW_HELO_USER ##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_AMAZON /(?:^|\W)(?=)(?!amazon)(?:$|\W)/i describe FUZZY_AMAZON Obfuscated "amazon" tflags FUZZY_AMAZON publish endif ##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_ANDROID /(?=)(?!android)/i describe FUZZY_ANDROID Obfuscated "android" tflags FUZZY_ANDROID publish endif ##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_APPLE /(?:^|\W)(?=)(?!appl[ey])
(?:$|\W)/i describe FUZZY_APPLE Obfuscated "apple" tflags FUZZY_APPLE publish endif ##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_BITCOIN /(?=)(?!bit[-\s]?coin)[-\s]?[-\s]?[-\s]?[-\s]?[-\s]?[-\s]?/i describe FUZZY_BITCOIN Obfuscated "Bitcoin" tflags FUZZY_BITCOIN publish endif ##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_BROWSER /(?=)(?!browser)/i describe FUZZY_BROWSER Obfuscated "browser" tflags FUZZY_BROWSER publish endif ##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" tflags FUZZY_BTC_WALLET publish endif ##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_CLICK_HERE /(?=)(?!click(?:\s| )here)****+***/i describe FUZZY_CLICK_HERE Obfuscated "click here" tflags FUZZY_CLICK_HERE publish endif ##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML describe FUZZY_DR_OZ Obfuscated Doctor Oz tflags FUZZY_DR_OZ publish endif ##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_FACEBOOK /(?=)(?!fa[ck]ebook)/i describe FUZZY_FACEBOOK Obfuscated "facebook" tflags FUZZY_FACEBOOK publish endif ##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_HARRIS /(?:^|\W)(?=)(?!harris)(?:$|\W)/i describe FUZZY_HARRIS Obfuscated "Harris" tflags FUZZY_HARRIS publish endif ##} FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_IMPORTANT /(?=)(?!important)(?:|)
/i describe FUZZY_IMPORTANT Obfuscated "important" tflags FUZZY_IMPORTANT publish endif ##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_MERIDIA /\b(?!meridia)\b/i describe FUZZY_MERIDIA Obfuscation of the word "meridia" endif ##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_MICROSOFT /(?=)(?!microsoft)/i describe FUZZY_MICROSOFT Obfuscated "microsoft" tflags FUZZY_MICROSOFT publish endif ##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MONERO meta FUZZY_MONERO __FUZZY_MONERO describe FUZZY_MONERO Obfuscated "Monero" tflags FUZZY_MONERO publish ##} FUZZY_MONERO ##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_NORTON /(?:^|\W)(?=)(?!norton)(?:$|\W)/i describe FUZZY_NORTON Obfuscated "norton" tflags FUZZY_NORTON publish endif ##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_OVERSTOCK /(?:^|\W)(?=)(?!over[-\s]?stock)[-\s]?(?:$|\W)/i describe FUZZY_OVERSTOCK Obfuscated "overstock" tflags FUZZY_OVERSTOCK publish endif ##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PAYPAL /(?:^|\W)(?=
~~~~)(?!pay[-\s]?pal)~~~~
~~~~[-\s]?~~~~
(?:$|\W)/i describe FUZZY_PAYPAL Obfuscated "paypal" tflags FUZZY_PAYPAL publish endif ##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT ) describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic" tflags FUZZY_PORN publish endif ##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PRIVACY /(?=
~~~~)(?!privacy)~~~~
/i describe FUZZY_PRIVACY Obfuscated "privacy" tflags FUZZY_PRIVACY publish endif ##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PROMOTION /(?=
~~~~)(?!promotion)~~~~
/i describe FUZZY_PROMOTION Obfuscated "promotion" tflags FUZZY_PROMOTION publish endif ##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_SAVINGS /(?=~~)(?!savings)~~/i describe FUZZY_SAVINGS Obfuscated "savings" tflags FUZZY_SAVINGS publish endif ##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_SECURITY /(?=)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)(?:|)(?:|)/i describe FUZZY_SECURITY Obfuscated "security" tflags FUZZY_SECURITY publish endif ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_TRUMP /(?:^|\W)(?=)(?!trump)
(?:$|\W)/i describe FUZZY_TRUMP Obfuscated "Trump" tflags FUZZY_TRUMP publish endif ##} FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_TRUSTWALLET __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM describe FUZZY_TRUSTWALLET Obfuscated "Trust Wallet", probable phishing tflags FUZZY_TRUSTWALLET publish endif ##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_UNSUBSCRIBE /(?=)(?!unsubscribe)/i describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" tflags FUZZY_UNSUBSCRIBE publish endif ##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_WALLET /(?=)(?!wallet)/i describe FUZZY_WALLET Obfuscated "Wallet" tflags FUZZY_WALLET publish endif ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo" tflags FUZZY_WELLSFARGO publish endif ##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto # score GAPPY_SALES_LEADS_FREEM 3.500 # limit tflags GAPPY_SALES_LEADS_FREEM publish endif ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ GB_BITCOIN_NH meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) ) describe GB_BITCOIN_NH Localized Bitcoin scam #score GB_BITCOIN_NH 3.0 # limit ##} GB_BITCOIN_NH ##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI ) describe GB_CUSTOM_HTM_URI Custom html uri # score GB_CUSTOM_HTM_URI 1.500 # limit tflags GB_CUSTOM_HTM_URI publish endif endif ##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) ##{ GB_FAKE_RF_SHORT meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER ) describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener #score GB_FAKE_RF_SHORT 2.000 # limit tflags GB_FAKE_RF_SHORT publish ##} GB_FAKE_RF_SHORT ##{ GB_FORGED_MUA_POSTFIX meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 ) describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers tflags GB_FORGED_MUA_POSTFIX publish #score GB_FORGED_MUA_POSTFIX 2.0 # limit ##} GB_FORGED_MUA_POSTFIX ##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe ) describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails # score GB_FREEMAIL_DISPTO 0.50 # limit tflags GB_FREEMAIL_DISPTO publish endif ##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM ) describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail # score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit tflags GB_FREEMAIL_DISPTO_NOTFREEM publish endif ##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ GB_GOOGLE_OBFUR uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/ describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect #score GB_GOOGLE_OBFUR 0.75 # limit tflags GB_GOOGLE_OBFUR publish ##} GB_GOOGLE_OBFUR ##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL ##{ GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse # score GB_STORAGE_GOOGLE_EMAIL 2.000 # limit tflags GB_STORAGE_GOOGLE_EMAIL publish endif endif ##} GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) ##{ GEO_QUERY_STRING uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i ##} GEO_QUERY_STRING ##{ GOOGLE_DOCS_PHISH meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form #score GOOGLE_DOCS_PHISH 3.00 # limit tflags GOOGLE_DOCS_PHISH publish ##} GOOGLE_DOCS_PHISH ##{ GOOGLE_DOCS_PHISH_MANY meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form #score GOOGLE_DOCS_PHISH_MANY 4.00 # limit tflags GOOGLE_DOCS_PHISH_MANY publish ##} GOOGLE_DOCS_PHISH_MANY ##{ GOOGLE_DOC_SUSP meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG describe GOOGLE_DOC_SUSP Suspicious use of Google Docs #score GOOGLE_DOC_SUSP 3.000 # limit tflags GOOGLE_DOC_SUSP publish ##} GOOGLE_DOC_SUSP ##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD #score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit endif endif ##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ GOOG_MALWARE_DNLD meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD describe GOOG_MALWARE_DNLD File download via Google - Malware? #score GOOG_MALWARE_DNLD 5.000 # limit tflags GOOG_MALWARE_DNLD publish ##} GOOG_MALWARE_DNLD ##{ GOOG_REDIR_DOCUSIGN uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing tflags GOOG_REDIR_DOCUSIGN publish ##} GOOG_REDIR_DOCUSIGN ##{ GOOG_REDIR_SHORT meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message tflags GOOG_REDIR_SHORT publish ##} GOOG_REDIR_SHORT ##{ GOOG_STO_EMAIL_PHISH meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT) describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address #score GOOG_STO_EMAIL_PHISH 3.00 # limit tflags GOOG_STO_EMAIL_PHISH publish ##} GOOG_STO_EMAIL_PHISH ##{ GOOG_STO_HTML_PHISH meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL #score GOOG_STO_HTML_PHISH 3.00 # limit tflags GOOG_STO_HTML_PHISH publish ##} GOOG_STO_HTML_PHISH ##{ GOOG_STO_HTML_PHISH_MANY meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL #score GOOG_STO_HTML_PHISH_MANY 4.00 # limit tflags GOOG_STO_HTML_PHISH_MANY publish ##} GOOG_STO_HTML_PHISH_MANY ##{ GOOG_STO_IMG_HTML meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY && !URI_GOOG_STO_SUBD_SPAMMY describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL #score GOOG_STO_IMG_HTML 3.000 # limit tflags GOOG_STO_IMG_HTML publish ##} GOOG_STO_IMG_HTML ##{ GOOG_STO_IMG_NOHTML meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY && !URI_GOOG_STO_SUBD_SPAMMY describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL #score GOOG_STO_IMG_NOHTML 2.500 # limit tflags GOOG_STO_IMG_NOHTML publish ##} GOOG_STO_IMG_NOHTML ##{ GOOG_STO_NOIMG_HTML meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY && !URI_GOOG_STO_SUBD_SPAMMY describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL #score GOOG_STO_NOIMG_HTML 3.000 # limit tflags GOOG_STO_NOIMG_HTML publish ##} GOOG_STO_NOIMG_HTML ##{ HAS_X_NO_RELAY meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 describe HAS_X_NO_RELAY Has spammy header #score HAS_X_NO_RELAY 2.500 # limit tflags HAS_X_NO_RELAY publish ##} HAS_X_NO_RELAY ##{ HAS_X_OUTGOING_SPAM_STAT meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results? #score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit tflags HAS_X_OUTGOING_SPAM_STAT publish ##} HAS_X_OUTGOING_SPAM_STAT ##{ HDRS_MISSP meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY) describe HDRS_MISSP Misspaced headers #score HDRS_MISSP 2.500 # limit tflags HDRS_MISSP publish ##} HDRS_MISSP ##{ HDR_ORDER_FTSDMCXX_001C meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C) describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant) ##} HDR_ORDER_FTSDMCXX_001C ##{ HDR_ORDER_FTSDMCXX_BAT meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY) describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant) ##} HDR_ORDER_FTSDMCXX_BAT ##{ HDR_ORDER_FTSDMCXX_DIRECT meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX #score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit tflags HDR_ORDER_FTSDMCXX_DIRECT publish ##} HDR_ORDER_FTSDMCXX_DIRECT ##{ HDR_ORDER_FTSDMCXX_NORDNS meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS #score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit tflags HDR_ORDER_FTSDMCXX_NORDNS publish ##} HDR_ORDER_FTSDMCXX_NORDNS ##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999') describe HEADER_COUNT_SUBJECT Multiple Subject headers found endif ##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains() describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different # score HEADER_FROM_DIFFERENT_DOMAINS 0.25 tflags HEADER_FROM_DIFFERENT_DOMAINS publish endif endif endif ##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ##{ HELO_FRIEND header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i ##} HELO_FRIEND ##{ HELO_LH_LD header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i ##} HELO_LH_LD ##{ HELO_LOCALHOST header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i ##} HELO_LOCALHOST ##{ HELO_NO_DOMAIN meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST describe HELO_NO_DOMAIN Relay reports its domain incorrectly tflags HELO_NO_DOMAIN publish ##} HELO_NO_DOMAIN ##{ HELO_OEM header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i ##} HELO_OEM ##{ HEXHASH_WORD meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER describe HEXHASH_WORD Multiple instances of word + hexadecimal hash #score HEXHASH_WORD 3.000 # limit tflags HEXHASH_WORD publish ##} HEXHASH_WORD ##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/ #score HK_CTE_RAW 2 tflags HK_CTE_RAW publish endif ##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ HK_LOTTO meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT #score HK_LOTTO 1 ##} HK_LOTTO ##{ HK_NAME_DRUGS header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi describe HK_NAME_DRUGS From name contains drugs #score HK_NAME_DRUGS 2 ##} HK_NAME_DRUGS ##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM # score HK_NAME_FM_MR_MRS 1.5 endif endif ##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM # score HK_NAME_MR_MRS 1.0 endif endif ##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ HK_RANDOM_ENVFROM header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_ENVFROM Envelope sender username looks random #score HK_RANDOM_ENVFROM 1 tflags HK_RANDOM_ENVFROM publish ##} HK_RANDOM_ENVFROM ##{ HK_RANDOM_FROM header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_FROM From username looks random #score HK_RANDOM_FROM 1 tflags HK_RANDOM_FROM publish ##} HK_RANDOM_FROM ##{ HK_RANDOM_REPLYTO header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_REPLYTO Reply-To username looks random #score HK_RANDOM_REPLYTO 1 tflags HK_RANDOM_REPLYTO publish ##} HK_RANDOM_REPLYTO ##{ HK_RCVD_IP_MULTICAST header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./ #score HK_RCVD_IP_MULTICAST 2 tflags HK_RCVD_IP_MULTICAST publish ##} HK_RCVD_IP_MULTICAST ##{ HK_SCAM meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25 #score HK_SCAM 2 tflags HK_SCAM publish ##} HK_SCAM ##{ HK_WIN meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) #score HK_WIN 1 ##} HK_WIN ##{ HOSTED_IMG_DIRECT_MX meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON #score HOSTED_IMG_DIRECT_MX 3.500 # limit describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx tflags HOSTED_IMG_DIRECT_MX publish ##} HOSTED_IMG_DIRECT_MX ##{ HOSTED_IMG_DQ_UNSUB meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB #score HOSTED_IMG_DQ_UNSUB 3.500 # limit describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm, CDN or hosting site, IP addr unsub link tflags HOSTED_IMG_DQ_UNSUB publish ##} HOSTED_IMG_DQ_UNSUB ##{ HOSTED_IMG_FREEM meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED #score HOSTED_IMG_FREEM 3.500 # limit describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to tflags HOSTED_IMG_FREEM publish ##} HOSTED_IMG_FREEM ##{ HOSTED_IMG_MULTI meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL #score HOSTED_IMG_MULTI 3.000 # limit describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected tflags HOSTED_IMG_MULTI publish ##} HOSTED_IMG_MULTI ##{ HOSTED_IMG_MULTI_PUB_01 meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site #score HOSTED_IMG_MULTI_PUB_01 3.000 # limit tflags HOSTED_IMG_MULTI_PUB_01 publish ##} HOSTED_IMG_MULTI_PUB_01 ##{ HREF_EMPTY_NORDNS meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS describe HREF_EMPTY_NORDNS Empty href + no rDNS #score HREF_EMPTY_NORDNS 2.500 # limit tflags HREF_EMPTY_NORDNS publish ##} HREF_EMPTY_NORDNS ##{ HREF_EMPTY_PHPMAIL meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer #score HREF_EMPTY_PHPMAIL 2.500 # limit tflags HREF_EMPTY_PHPMAIL publish ##} HREF_EMPTY_PHPMAIL ##{ HREF_EMPTY_XANTIABUSE meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse #score HREF_EMPTY_XANTIABUSE 2.500 # limit tflags HREF_EMPTY_XANTIABUSE publish ##} HREF_EMPTY_XANTIABUSE ##{ HREF_EMPTY_XAUTHED meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender #score HREF_EMPTY_XAUTHED 2.500 # limit tflags HREF_EMPTY_XAUTHED publish ##} HREF_EMPTY_XAUTHED ##{ HTML_BADATTR describe HTML_BADATTR Illegal char in HTML attribute name rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/ #score HTML_BADATTR 1 tflags HTML_BADATTR publish ##} HTML_BADATTR ##{ HTML_ENTITY_ASCII meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP describe HTML_ENTITY_ASCII Obfuscated ASCII #score HTML_ENTITY_ASCII 3.000 # limit tflags HTML_ENTITY_ASCII publish ##} HTML_ENTITY_ASCII ##{ HTML_ENTITY_ASCII_TINY meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts #score HTML_ENTITY_ASCII_TINY 3.000 # limit tflags HTML_ENTITY_ASCII_TINY publish ##} HTML_ENTITY_ASCII_TINY ##{ HTML_OFF_PAGE meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS describe HTML_OFF_PAGE HTML element rendered well off the displayed page #score HTML_OFF_PAGE 3.000 # limit tflags HTML_OFF_PAGE publish ##} HTML_OFF_PAGE ##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments # score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit tflags HTML_SHRT_CMNT_OBFU_MANY publish endif ##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTML_SINGLET_MANY meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP describe HTML_SINGLET_MANY Many single-letter HTML format blocks #score HTML_SINGLET_MANY 2.500 # limit tflags HTML_SINGLET_MANY publish ##} HTML_SINGLET_MANY ##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation? # score HTML_TEXT_INVISIBLE_FONT 2.000 # limit tflags HTML_TEXT_INVISIBLE_FONT publish endif ##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs # score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit tflags HTML_TEXT_INVISIBLE_STYLE publish endif ##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') endif ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch ##{ IMG_ONLY_FM_DOM_INFO meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain #score IMG_ONLY_FM_DOM_INFO 2.500 # limit tflags IMG_ONLY_FM_DOM_INFO publish ##} IMG_ONLY_FM_DOM_INFO ##{ JH_SPAMMY_HEADERS meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam #score JH_SPAMMY_HEADERS 3.500 # limit tflags JH_SPAMMY_HEADERS publish ##} JH_SPAMMY_HEADERS ##{ JH_SPAMMY_PATTERN01 rawbody JH_SPAMMY_PATTERN01 m;.{0,200}]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}/i describe TVD_FUZZY_FINANCE Obfuscation of the word "finance" endif ##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_FIXED_RATE /(?!fixed rate)\s+/i describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate" endif ##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_MICROCAP /(?!microcap)(?!micro-cap)-?
/i describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap" endif ##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_PHARMACEUTICAL /(?!pharmaceutical)
/i describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical" endif ##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_SYMBOL /(?!symboo?l)/i describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol" endif ##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/ describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name endif ##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/ describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name endif ##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ TVD_INCREASE_SIZE body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i describe TVD_INCREASE_SIZE Advertising for penis enlargement ##} TVD_INCREASE_SIZE ##{ TVD_LINK_SAVE body TVD_LINK_SAVE /\blink to save\b/i describe TVD_LINK_SAVE Spam with the text "link to save" ##} TVD_LINK_SAVE ##{ TVD_PH_BODY_ACCOUNTS_PRE meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification" ##} TVD_PH_BODY_ACCOUNTS_PRE ##{ TVD_PH_REC body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i describe TVD_PH_REC Message includes a phrase commonly used in phishing mails ##} TVD_PH_REC ##{ TVD_PH_SEC body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails ##} TVD_PH_SEC ##{ TVD_PP_PHISH meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP ##} TVD_PP_PHISH ##{ TVD_QUAL_MEDS body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication" ##} TVD_QUAL_MEDS ##{ TVD_RATWARE_CB header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware ##} TVD_RATWARE_CB ##{ TVD_RATWARE_CB_2 header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware ##} TVD_RATWARE_CB_2 ##{ TVD_RATWARE_MSGID_02 header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/ describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case ##} TVD_RATWARE_MSGID_02 ##{ TVD_RCVD_IP header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ describe TVD_RCVD_IP Message was received from an IP address ##} TVD_RCVD_IP ##{ TVD_RCVD_IP4 header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/ describe TVD_RCVD_IP4 Message was received from an IPv4 address ##} TVD_RCVD_IP4 ##{ TVD_RCVD_SPACE_BRACKET header TVD_RCVD_SPACE_BRACKET Received =~ /$\[(?!unix)[^\[\]]*\s/i ##} TVD_RCVD_SPACE_BRACKET ##{ TVD_SECTION body TVD_SECTION /\bSection (?:27A|21B)/i describe TVD_SECTION References to specific legal codes ##} TVD_SECTION ##{ TVD_SILLY_URI_OBFU body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?$>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule ##} TVD_SILLY_URI_OBFU ##{ TVD_SPACED_SUBJECT_WORD3 header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/ describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace ##} TVD_SPACED_SUBJECT_WORD3 ##{ TVD_SPACE_ENCODED meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM #score TVD_SPACE_ENCODED 2.500 # limit describe TVD_SPACE_ENCODED Space ratio & encoded subject ##} TVD_SPACE_ENCODED ##{ TVD_SPACE_RATIO_MINFP meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL #score TVD_SPACE_RATIO_MINFP 2.500 # limit describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) ##} TVD_SPACE_RATIO_MINFP ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval ifplugin Mail::SpamAssassin::Plugin::BodyEval body TVD_STOCK1 eval:check_stock_info('2') describe TVD_STOCK1 Spam related to stock trading endif ##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval ##{ TVD_SUBJ_ACC_NUM header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference ##} TVD_SUBJ_ACC_NUM ##{ TVD_SUBJ_FINGER_03 header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" ##} TVD_SUBJ_FINGER_03 ##{ TVD_SUBJ_NUM_OBFU_MINFP meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO ##} TVD_SUBJ_NUM_OBFU_MINFP ##{ TVD_SUBJ_OWE header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt ##} TVD_SUBJ_OWE ##{ TVD_SUBJ_WIPE_DEBT header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt ##} TVD_SUBJ_WIPE_DEBT ##{ TVD_VISIT_PHARMA body TVD_VISIT_PHARMA /Online Ph.rmacy/i describe TVD_VISIT_PHARMA Body mentions online pharmacy ##} TVD_VISIT_PHARMA ##{ TVD_VIS_HIDDEN rawbody TVD_VIS_HIDDEN /]+style\s*=\s*"visibility:\s*hidden\b/i describe TVD_VIS_HIDDEN Invisible textarea HTML tags ##} TVD_VIS_HIDDEN ##{ TW_GIBBERISH_MANY meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters #score TW_GIBBERISH_MANY 2.000 # limit tflags TW_GIBBERISH_MANY publish ##} TW_GIBBERISH_MANY ##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware endif ##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON describe T_ANY_PILL_PRICE Prices for pills endif ##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ describe T_CDISP_SZ_MANY Suspicious MIME header # score T_CDISP_SZ_MANY 2.0 # limit endif ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_CTE_BAS64 __CTE_BAS64 describe T_CTE_BAS64 Malformated Content-Type-Encoding # score T_CTE_BAS64 2.000 # limit tflags T_CTE_BAS64 publish endif ##} T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_CTYPE_NULL __CTYPE_NULL describe T_CTYPE_NULL Malformed Content-Type header endif ##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920') describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date endif ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date endif ##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name endif ##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DOS_OUTLOOK_TO_MX_IMAGE meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image ##} T_DOS_OUTLOOK_TO_MX_IMAGE ##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/ describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus # score T_DOS_ZIP_HARDCORE 2.5 endif ##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER #score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit endif endif ##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) endif ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY describe T_FILL_THIS_FORM_LONG Fill in a form with personal information # score T_FILL_THIS_FORM_LONG 2.00 # limit endif ##} T_FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information # score T_FILL_THIS_FORM_SHORT 1.00 # limit endif ##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo ifplugin Mail::SpamAssassin::Plugin::ImageInfo meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam endif ##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo ##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail endif ##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden endif ##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail endif ##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO describe T_FROMNAME_EQUALS_TO From:name matches To: #score T_FROMNAME_EQUALS_TO 1.0 tflags T_FROMNAME_EQUALS_TO publish endif ##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email #score T_FROMNAME_SPOOFED_EMAIL 0.3 tflags T_FROMNAME_SPOOFED_EMAIL publish endif ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta T_FROM_MULTI_NORDNS __FROM_MULTI_NORDNS describe T_FROM_MULTI_NORDNS Multiple From addresses + no rDNS endif ##} T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image endif ##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_FUZZY_OPTOUT /(?:$|\W)(?=)(?!opt[-\s]?out)
[-\s]?(?:$|\W)/i describe T_FUZZY_OPTOUT Obfuscated opt-out text endif ##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_FUZZY_SPRM /
/i endif ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO ) describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains # score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit tflags T_GB_FREEM_FROM_NOT_REPLY publish endif endif ##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip # score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish endif ##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM ) describe T_GB_WEBFORM Webform with url shortener # score T_GB_WEBFORM 1.500 # limit endif ##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) uri T_GB_YOUTUBE_EMAIL m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i describe T_GB_YOUTUBE_EMAIL Youtube attribution links abuse # score T_GB_YOUTUBE_EMAIL 2.000 # limit endif endif ##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) ##{ T_HDRS_LCASE describe T_HDRS_LCASE Odd capitalization of message header #score T_HDRS_LCASE 0.10 # limit ##} T_HDRS_LCASE ##{ T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO endif ##} T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) ##{ T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO endif ##} T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM # score T_HK_NAME_FM_FROM 1.5 endif endif ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM # score T_HK_NAME_FROM 1.0 endif endif ##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN endif ##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 describe T_HTML_ATTACH HTML attachment to bypass scanning? endif ##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta T_HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY describe T_HTML_TAG_BALANCE_CENTER Malformatted HTML endif ##} T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval ##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT describe T_ISO_ATTACH ISO attachment - possible malware delivery # score T_ISO_ATTACH 3.000 # limit endif ##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML #score T_KAM_HTML_FONT_INVALID 0.1 endif ##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval ##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 describe T_LARGE_PCT_AFTER_MANY Many large percentages after... endif ##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_LFUZ_PWRMALE /
/i endif ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_LOTTO_AGENT_FM header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i describe T_LOTTO_AGENT_FM Claims Agent ##} T_LOTTO_AGENT_FM ##{ T_LOTTO_AGENT_RPLY meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG describe T_LOTTO_AGENT_RPLY Claims Agent ##} T_LOTTO_AGENT_RPLY ##{ T_LOTTO_URI uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i describe T_LOTTO_URI Claims Department URL ##} T_LOTTO_URI ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 describe T_MANY_PILL_PRICE Prices for many pills endif ##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_MIME_MALF if (version >= 3.004000) if (version >= 3.004000) meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED describe T_MIME_MALF Malformed MIME: headers in body # score T_MIME_MALF 2.00 # limit endif ##} T_MIME_MALF if (version >= 3.004000) ##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY) describe T_MONEY_PERCENT X% of a lot of money for you endif ##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH) describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From endif ##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type endif ##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type endif ##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.[a-z]?html?\b,i describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type endif ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware endif ##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type endif ##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type endif ##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA describe T_OFFER_ONLY_AMERICA Offer only available to US #score T_OFFER_ONLY_AMERICA 2.0 # limit endif endif ##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) describe T_PDS_BTC_AHACKER Bitcoin Hacker # score T_PDS_BTC_AHACKER 3.0 # limit endif ##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) describe T_PDS_BTC_HACKER Bitcoin Hacker # score T_PDS_BTC_HACKER 2.0 # limit endif ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) describe T_PDS_BTC_NTLD Bitcoin suspect NTLD #score T_PDS_BTC_NTLD 2.0 # limit endif endif ##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener #score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit endif endif ##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener #score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit endif endif ##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener #score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit endif endif ##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) describe T_PDS_LTC_AHACKER Litecoin Hacker # score T_PDS_LTC_AHACKER 3.0 # limit endif ##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) describe T_PDS_LTC_HACKER Litecoin Hacker # score T_PDS_LTC_HACKER 2.0 # limit endif ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME #score T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit endif endif ##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO') #score T_PDS_PRO_TLD 1.0 describe T_PDS_PRO_TLD .pro TLD endif endif ##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener #score T_PDS_SHORTFWD_URISHRT 1.5 # limit endif endif ##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512 describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener #score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit endif endif ##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener #score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit endif endif ##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP) #score T_PDS_SHORT_SPOOFED_URL 2.0 endif endif ##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener #score T_PDS_TINYSUBJ_URISHRT 1.5 # limit endif endif ##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta T_PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER describe T_PDS_TO_EQ_FROM_NAME From: name same as To: address endif ##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX # score T_PHOTO_EDITING_DIRECT 3.000 # limit endif ##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe T_PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto # score T_PHOTO_EDITING_FREEM 3.750 # limit endif ##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { meta T_REMOTE_IMAGE __REMOTE_IMAGE describe T_REMOTE_IMAGE Message contains an external image endif ##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { ##{ T_SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader describe T_SCC_CTMPP Uncommon Content-Type meta T_SCC_CTMPP __SCC_CTMPP tflags T_SCC_CTMPP publish endif ##} T_SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR describe T_SENT_TO_EMAIL_ADDR Email was sent to email address #score T_SENT_TO_EMAIL_ADDR 2.0 # limit endif endif ##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_SHARE_50_50 meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY describe T_SHARE_50_50 Share the money 50/50 ##} T_SHARE_50_50 ##{ T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE describe T_SHORT_SHORTNER Short body with little more than a link to a shortener #score T_SHORT_SHORTNER 2.0 # limit endif endif ##} T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK && !__USING_VERP1 && !__HAS_X_ENTITY_ID && !__RCD_RDNS_SMTP_MESSY && !__RDNS_STATIC describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX # score T_STY_INVIS_DIRECT 2.500 # limit endif ##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money #score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit endif endif ##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local #score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit endif endif ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local #score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit endif endif ##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_TVD_FUZZY_SECTOR /(?!sector)/i endif ##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_TVD_FUZZY_SECURITIES /(?!securities)(?!security,? es)/i endif ##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/ endif ##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists') endif ##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers') endif ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH) describe T_WON_MONEY_ATTACH You won lots of money! See attachment. endif ##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH) describe T_WON_NBDY_ATTACH You won lots of money! See attachment. endif ##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER describe T_XPRIO_URL_SHORTNER X-Priority header and short URL #score T_XPRIO_URL_SHORTNER 1.0 # limit endif endif ##} T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion # score T_ZW_OBFU_BITCOIN 2.500 # limit endif ##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto describe T_ZW_OBFU_FREEM Obfuscated text + freemail # score T_ZW_OBFU_FREEM 2.000 # limit endif ##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject # score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit endif ##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UC_GIBBERISH_OBFU meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" #score UC_GIBBERISH_OBFU 3.000 # Limit tflags UC_GIBBERISH_OBFU publish ##} UC_GIBBERISH_OBFU ##{ UNDISC_FREEM meta UNDISC_FREEM __UNDISC_FREEM describe UNDISC_FREEM Undisclosed recipients + freemail reply-to tflags UNDISC_FREEM publish ##} UNDISC_FREEM ##{ UNDISC_MONEY meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH describe UNDISC_MONEY Undisclosed recipients + money/fraud signs tflags UNDISC_MONEY publish ##} UNDISC_MONEY ##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 describe UNICODE_OBFU_ASC Obfuscating text with unicode # score UNICODE_OBFU_ASC 2.500 # limit tflags UNICODE_OBFU_ASC publish endif ##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS describe UNICODE_OBFU_ZW Obfuscating text with hidden characters # score UNICODE_OBFU_ZW 3.500 # limit tflags UNICODE_OBFU_ZW publish endif ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ZW_MANY __UNICODE_OBFU_ZW_10 && !__RCD_RDNS_MAIL_MESSY describe UNICODE_OBFU_ZW_MANY Heavily obfuscating text with hidden characters # score UNICODE_OBFU_ZW_MANY 3.000 # limit tflags UNICODE_OBFU_ZW_MANY publish endif ##} UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UNSUB_GOOG_FORM meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM describe UNSUB_GOOG_FORM Unsubscribe via Google Docs form #score UNSUB_GOOG_FORM 2.500 # limit tflags UNSUB_GOOG_FORM publish ##} UNSUB_GOOG_FORM ##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL ifplugin Mail::SpamAssassin::Plugin::URIDNSBL urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2 body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB') describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) tflags URIBL_RHS_DOB net endif ##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL ##{ URI_ADOBESPARK meta URI_ADOBESPARK __URI_ADOBESPARK #score URI_ADOBESPARK 3.500 # limit tflags URI_ADOBESPARK publish ##} URI_ADOBESPARK ##{ URI_AZURE_CLOUDAPP meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing #score URI_AZURE_CLOUDAPP 3.000 # limit tflags URI_AZURE_CLOUDAPP publish ##} URI_AZURE_CLOUDAPP ##{ URI_BUFFLY meta URI_BUFFLY __URI_BUFFLY && !__DOS_HAS_LIST_UNSUB describe URI_BUFFLY buff.ly redirector URI #score URI_BUFFLY 2.000 # limit ##} URI_BUFFLY ##{ URI_CLOUDFLAREIPFS meta URI_CLOUDFLAREIPFS __URI_CLOUDFLAREIPFS describe URI_CLOUDFLAREIPFS References Interplanetary File System PtP content via CloudFlare, likely phishing #score URI_CLOUDFLAREIPFS 3.500 # limit tflags URI_CLOUDFLAREIPFS publish ##} URI_CLOUDFLAREIPFS ##{ URI_DASHGOVEDU meta URI_DASHGOVEDU __URI_DASHGOVEDU describe URI_DASHGOVEDU Suspicious domain name #score URI_DASHGOVEDU 3.500 # limit tflags URI_DASHGOVEDU publish ##} URI_DASHGOVEDU ##{ URI_DATA meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB describe URI_DATA "data:" URI - possible malware or phish #score URI_DATA 3.250 # limit tflags URI_DATA publish ##} URI_DATA ##{ URI_DOTEDU meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK describe URI_DOTEDU Has .edu URI #score URI_DOTEDU 2.000 # limit tflags URI_DOTEDU publish ##} URI_DOTEDU ##{ URI_DOTEDU_ENTITY meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content #score URI_DOTEDU_ENTITY 3.000 # limit tflags URI_DOTEDU_ENTITY publish ##} URI_DOTEDU_ENTITY ##{ URI_DOTTY_HEX meta URI_DOTTY_HEX __URI_DOTTY_HEX describe URI_DOTTY_HEX Suspicious URI format tflags URI_DOTTY_HEX publish ##} URI_DOTTY_HEX ##{ URI_DQ_UNSUB meta URI_DQ_UNSUB __URI_DQ_UNSUB describe URI_DQ_UNSUB IP-address unsubscribe URI tflags URI_DQ_UNSUB publish ##} URI_DQ_UNSUB ##{ URI_DWEBIPFS meta URI_DWEBIPFS __URI_DWEBIPFS describe URI_DWEBIPFS References Interplanetary File System PtP content via dweb.link, likely phishing #score URI_DWEBIPFS 3.500 # limit tflags URI_DWEBIPFS publish ##} URI_DWEBIPFS ##{ URI_FIREBASEAPP meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing #score URI_FIREBASEAPP 3.000 # limit tflags URI_FIREBASEAPP publish ##} URI_FIREBASEAPP ##{ URI_GOOGDRAWPREVIEW meta URI_GOOGDRAWPREVIEW __URI_GOOGDRAWPREVIEW && !URI_GOOGDRAWPREVIEW_MINFP && !__RCD_RDNS_SMTP && !__TVD_SPACE_RATIO describe URI_GOOGDRAWPREVIEW Link to image at Google Docs, possible phishing #score URI_GOOGDRAWPREVIEW 3.000 # limit tflags URI_GOOGDRAWPREVIEW publish ##} URI_GOOGDRAWPREVIEW ##{ URI_GOOGDRAWPREVIEW_MINFP meta URI_GOOGDRAWPREVIEW_MINFP __URI_GOOGDRAWPREVIEW && (__SUBSCRIPTION_INFO || __HTML_TAG_BALANCE_CENTER || __TO_NO_BRKTS_HTML_ONLY) && !__RCD_RDNS_SMTP && !__TVD_SPACE_RATIO describe URI_GOOGDRAWPREVIEW_MINFP Link to image at Google Docs, probable phishing #score URI_GOOGDRAWPREVIEW_MINFP 3.500 # limit tflags URI_GOOGDRAWPREVIEW_MINFP publish ##} URI_GOOGDRAWPREVIEW_MINFP ##{ URI_GOOGLE_PROXY meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? tflags URI_GOOGLE_PROXY publish ##} URI_GOOGLE_PROXY ##{ URI_GOOG_STO_SPAMMY uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|89409404gdfg8401008gfd041087pioazsq56|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:l(?:_in_one_089498489045187410102003097841202|iedtrust7?)|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:_________mail____000|fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|i(?:o_mailpro_bulkmail\-2024___________w87x5230_8940152|rcaknee0)|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s_(?:___mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|g08zr7h48z6rt4hrzj74098j9r70j4894tj\-05hj6z(?:\-2024)?)|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|o(?:get1___bulkmail_trk_ses_984605129865_0|tectsecurity))|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|d(?:___mailweb|fgwsd74fg)|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s)|s(?:_trkg___mailbulkform\-045160d5h4fg8_______1jg20xxx|traking_____gmailbulk____tkn\-fkk_209041))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|mail_blackfriday__bigusamail_2024\-f084sf|o(?:lbeam004|uthbeach(?:001|skin))|p(?:_trk_in_ses_mimogoodafterj56h6gd__2000_5|reader35)|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|k_mailpro\-bulkmail\-trkngnum89fs64g5\-usa__hallowen|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage #score URI_GOOG_STO_SPAMMY 3.000 tflags URI_GOOG_STO_SPAMMY publish ##} URI_GOOG_STO_SPAMMY ##{ URI_GOOG_STO_SUBD_SPAMMY uri URI_GOOG_STO_SUBD_SPAMMY m;^https?://(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|89409404gdfg8401008gfd041087pioazsq56|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:l(?:_in_one_089498489045187410102003097841202|iedtrust7?)|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:_________mail____000|fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|i(?:o_mailpro_bulkmail\-2024___________w87x5230_8940152|rcaknee0)|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s_(?:___mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|g08zr7h48z6rt4hrzj74098j9r70j4894tj\-05hj6z(?:\-2024)?)|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|o(?:get1___bulkmail_trk_ses_984605129865_0|tectsecurity))|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|d(?:___mailweb|fgwsd74fg)|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s)|s(?:_trkg___mailbulkform\-045160d5h4fg8_______1jg20xxx|traking_____gmailbulk____tkn\-fkk_209041))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|mail_blackfriday__bigusamail_2024\-f084sf|o(?:lbeam004|uthbeach(?:001|skin))|p(?:_trk_in_ses_mimogoodafterj56h6gd__2000_5|reader35)|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|k_mailpro\-bulkmail\-trkngnum89fs64g5\-usa__hallowen|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))\.storage\.googleapis\.com/;i describe URI_GOOG_STO_SUBD_SPAMMY Link to spammy content hosted by google storage #score URI_GOOG_STO_SUBD_SPAMMY 3.000 tflags URI_GOOG_STO_SUBD_SPAMMY publish ##} URI_GOOG_STO_SUBD_SPAMMY ##{ URI_HEX_IP meta URI_HEX_IP __URI_HEX_IP #score URI_HEX_IP 2.500 # limit describe URI_HEX_IP URI with hex-encoded IP-address host tflags URI_HEX_IP publish ##} URI_HEX_IP ##{ URI_IMG_CWINDOWSNET meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU #score URI_IMG_CWINDOWSNET 3.500 # limit describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing tflags URI_IMG_CWINDOWSNET publish ##} URI_IMG_CWINDOWSNET ##{ URI_IMG_WP_REDIR meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR #score URI_IMG_WP_REDIR 3.000 # limit describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy tflags URI_IMG_WP_REDIR publish ##} URI_IMG_WP_REDIR ##{ URI_INFURAIPFSIO meta URI_INFURAIPFSIO __URI_INFURAIPFSIO describe URI_INFURAIPFSIO References Interplanetary File System PtP content via infura-ipfs.io, likely phishing #score URI_INFURAIPFSIO 3.500 # limit tflags URI_INFURAIPFSIO publish ##} URI_INFURAIPFSIO ##{ URI_IPFSIO meta URI_IPFSIO __URI_IPFSIO describe URI_IPFSIO References Interplanetary File System PtP content via ipfs.io, likely phishing #score URI_IPFSIO 3.500 # limit tflags URI_IPFSIO publish ##} URI_IPFSIO ##{ URI_LONG_REPEAT meta URI_LONG_REPEAT __URI_LONG_REPEAT describe URI_LONG_REPEAT Long identical host+domain #score URI_LONG_REPEAT 2.500 # limit tflags URI_LONG_REPEAT publish ##} URI_LONG_REPEAT ##{ URI_MALWARE_SCMS uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file) tflags URI_MALWARE_SCMS publish ##} URI_MALWARE_SCMS ##{ URI_ONLY_MSGID_MALF meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO describe URI_ONLY_MSGID_MALF URI only + malformed message ID #score URI_ONLY_MSGID_MALF 2.000 # limit tflags URI_ONLY_MSGID_MALF publish ##} URI_ONLY_MSGID_MALF ##{ URI_OPTOUT_3LD uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname #score URI_OPTOUT_3LD 2.000 # limit tflags URI_OPTOUT_3LD publish ##} URI_OPTOUT_3LD ##{ URI_OPTOUT_USME uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i describe URI_OPTOUT_USME Opt-out URI, unusual TLD tflags URI_OPTOUT_USME publish ##} URI_OPTOUT_USME ##{ URI_PHISH describe URI_PHISH Phishing using web form #score URI_PHISH 4.00 # limit tflags URI_PHISH publish ##} URI_PHISH ##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT endif ##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) ##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT endif ##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ URI_PHP_REDIR meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA #score URI_PHP_REDIR 3.500 # limit describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) tflags URI_PHP_REDIR publish ##} URI_PHP_REDIR ##{ URI_TRY_3LD meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE describe URI_TRY_3LD "Try it" URI, suspicious hostname #score URI_TRY_3LD 2.000 # limit tflags URI_TRY_3LD publish ##} URI_TRY_3LD ##{ URI_TRY_USME meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS describe URI_TRY_USME "Try it" URI, unusual TLD #score URI_TRY_USME 2.000 # limit tflags URI_TRY_USME publish ##} URI_TRY_USME ##{ URI_WPADMIN meta URI_WPADMIN __URI_WPADMIN describe URI_WPADMIN WordPress login/admin URI, possible phishing tflags URI_WPADMIN publish ##} URI_WPADMIN ##{ URI_WP_DIRINDEX meta URI_WP_DIRINDEX __URI_WPDIRINDEX describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware #score URI_WP_DIRINDEX 3.500 # limit tflags URI_WP_DIRINDEX publish ##} URI_WP_DIRINDEX ##{ URI_WP_HACKED meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED describe URI_WP_HACKED URI for compromised WordPress site, possible malware #score URI_WP_HACKED 3.500 # limit tflags URI_WP_HACKED publish ##} URI_WP_HACKED ##{ URI_WP_HACKED_2 meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware #score URI_WP_HACKED_2 2.500 # limit tflags URI_WP_HACKED_2 publish ##} URI_WP_HACKED_2 ##{ USB_DRIVES meta USB_DRIVES __SUBJ_USB_DRIVES describe USB_DRIVES Trying to sell custom USB flash drives #score USB_DRIVES 2.000 # limit tflags USB_DRIVES publish ##} USB_DRIVES ##{ VFY_ACCT_NORDNS meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing #score VFY_ACCT_NORDNS 3.000 # limit tflags VFY_ACCT_NORDNS publish ##} VFY_ACCT_NORDNS ##{ VISTA_COST meta VISTA_COST __VISTA_COST && !__DOS_HAS_LIST_UNSUB describe VISTA_COST Old MSFT msgid format + "cost" #score VISTA_COST 2.500 # limit tflags VISTA_COST publish ##} VISTA_COST ##{ VISTA_TONOM_EQ_TOLOC meta VISTA_TONOM_EQ_TOLOC __VISTA_TONOM_EQ_TOLOC && !__MSOE_MID_WRONG_CASE describe VISTA_TONOM_EQ_TOLOC Old MSFT msgid format + To display name = username #score VISTA_TONOM_EQ_TOLOC 2.500 # limit tflags VISTA_TONOM_EQ_TOLOC publish ##} VISTA_TONOM_EQ_TOLOC ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD tflags VPS_NO_NTLD publish describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD #score VPS_NO_NTLD 1.0 # limit endif endif ##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ WALMART_IMG_NOT_RCVD_WAL meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS #score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart tflags WALMART_IMG_NOT_RCVD_WAL publish ##} WALMART_IMG_NOT_RCVD_WAL ##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY describe WORD_INVIS A hidden word # score WORD_INVIS 3.000 # limit tflags WORD_INVIS publish endif ##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta WORD_INVIS_MANY __WORD_INVIS_2 describe WORD_INVIS_MANY Multiple individual hidden words # score WORD_INVIS_MANY 3.000 # limit tflags WORD_INVIS_MANY publish endif ##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ XFER_LOTSA_MONEY meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO describe XFER_LOTSA_MONEY Transfer a lot of money #score XFER_LOTSA_MONEY 1.000 # limit ##} XFER_LOTSA_MONEY ##{ XM_DIGITS_ONLY meta XM_DIGITS_ONLY __XM_DIGITS_ONLY describe XM_DIGITS_ONLY X-Mailer malformed #score XM_DIGITS_ONLY 3.000 # limit tflags XM_DIGITS_ONLY publish ##} XM_DIGITS_ONLY ##{ XM_PHPMAILER_FORGED meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED describe XM_PHPMAILER_FORGED Apparently forged header tflags XM_PHPMAILER_FORGED publish ##} XM_PHPMAILER_FORGED ##{ XM_RANDOM meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG describe XM_RANDOM X-Mailer apparently random #score XM_RANDOM 2.500 # limit tflags XM_RANDOM publish ##} XM_RANDOM ##{ XPRIO describe XPRIO Has X-Priority header #score XPRIO 2.250 # limit tflags XPRIO publish ##} XPRIO ##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta XPRIO __XPRIO_MINFP endif ##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM tflags XPRIO net endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU # && !RCVD_IN_DNSWL_NONE endif endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !SPF_PASS # && !RCVD_IN_DNSWL_NONE endif endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF ##{ XPRIO_SHORT_SUBJ meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF describe XPRIO_SHORT_SUBJ Has X Priority header + short subject #score XPRIO_SHORT_SUBJ 2.500 # limit tflags XPRIO_SHORT_SUBJ publish ##} XPRIO_SHORT_SUBJ ##{ XPRIO_VISTA meta XPRIO_VISTA __XPRIO_VISTA && !__BITCOIN && !__TO_TOO_MANY describe XPRIO_VISTA X-Priority + old MSFT msgid format #score XPRIO_VISTA 2.500 # limit tflags XPRIO_VISTA publish ##} XPRIO_VISTA ##{ X_MAILER_CME_6543_MSN header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ ##} X_MAILER_CME_6543_MSN ##{ bayes_ignore_header_sandbox bayes_ignore_header ARC-Authentication-Results bayes_ignore_header ARC-Message-Signature bayes_ignore_header ARC-Seal bayes_ignore_header Authentication-Results bayes_ignore_header Auto-Submitted bayes_ignore_header Autocrypt bayes_ignore_header CTCH-SenderID-TotalSpam bayes_ignore_header IronPort-SDR bayes_ignore_header List-Archive bayes_ignore_header List-Help bayes_ignore_header List-Id bayes_ignore_header List-Post bayes_ignore_header List-Subscribe bayes_ignore_header List-Unsubscribe bayes_ignore_header Mailing-List bayes_ignore_header Precedence bayes_ignore_header Received-SPF bayes_ignore_header suggested_attachment_session_id bayes_ignore_header X-ACL-Warn bayes_ignore_header X-Alimail-AntiSpam bayes_ignore_header X-Amavis-Modified bayes_ignore_header X-Anti-Spam bayes_ignore_header X-Anti-Virus bayes_ignore_header X-Anti-Virus-Version bayes_ignore_header X-AntiAbuse bayes_ignore_header X-Antispam bayes_ignore_header X-Antivirus bayes_ignore_header X-Antivirus-Code bayes_ignore_header X-Antivirus-Status bayes_ignore_header X-Antivirus-Version bayes_ignore_header x-aol-global-disposition bayes_ignore_header X-ASF-Spam-Status bayes_ignore_header X-ASG-Debug-ID bayes_ignore_header X-ASG-Orig-Subj bayes_ignore_header X-ASG-Recipient-Whitelist bayes_ignore_header X-ASG-Tag bayes_ignore_header X-Assp-Version bayes_ignore_header X-Attachment-Id bayes_ignore_header X-Authority-Analysis bayes_ignore_header X-Authvirus bayes_ignore_header X-Auto-Response-Suppress bayes_ignore_header X-AV-Do-Run bayes_ignore_header X-AV-Status bayes_ignore_header x-avast-antispam bayes_ignore_header X-Backend bayes_ignore_header X-Barracuda-Apparent-Source-IP bayes_ignore_header X-Barracuda-Bayes bayes_ignore_header X-Barracuda-BBL-IP bayes_ignore_header X-Barracuda-BRTS-Status bayes_ignore_header X-Barracuda-BRTS-URL-Found bayes_ignore_header X-Barracuda-Connect bayes_ignore_header X-Barracuda-Encrypted bayes_ignore_header X-Barracuda-Envelope-From bayes_ignore_header X-Barracuda-Fingerprint-Found bayes_ignore_header X-Barracuda-Orig-Rcpt bayes_ignore_header X-Barracuda-RBL-IP bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder bayes_ignore_header X-Barracuda-Spam-Report bayes_ignore_header X-Barracuda-Spam-Score bayes_ignore_header X-Barracuda-Spam-Status bayes_ignore_header X-Barracuda-Start-Time bayes_ignore_header X-Barracuda-UID bayes_ignore_header X-Barracuda-URL bayes_ignore_header X-Barracuda-Virus-Alert bayes_ignore_header X-Bayes-Prob bayes_ignore_header X-Bayesian-Result bayes_ignore_header X-BeenThere bayes_ignore_header X-BitDefender-Spam bayes_ignore_header X-BitDefender-SpamStamp bayes_ignore_header X-BL bayes_ignore_header X-Bogosity bayes_ignore_header X-Boxtrapper bayes_ignore_header X-Brightmail-Tracker bayes_ignore_header X-BTI-AntiSpam bayes_ignore_header X-Bugzilla-Version bayes_ignore_header X-CanIt-Geo bayes_ignore_header X-Canit-Stats-ID bayes_ignore_header X-CanItPRO-Stream bayes_ignore_header X-Clapf-spamicity bayes_ignore_header X-ClientProxiedBy bayes_ignore_header X-Cloud-Security bayes_ignore_header X-CM-Score bayes_ignore_header X-CMAE-Analysis bayes_ignore_header X-CMAE-Match bayes_ignore_header X-CMAE-Score bayes_ignore_header X-CMAE-Verdict bayes_ignore_header X-CNFS-Analysis bayes_ignore_header X-Company bayes_ignore_header X-Complaints-To bayes_ignore_header X-Coremail-Antispam bayes_ignore_header X-CRM114-CacheID bayes_ignore_header X-CRM114-Status bayes_ignore_header X-CRM114-Version bayes_ignore_header X-CT-Spam bayes_ignore_header X-CTCH-SenderID bayes_ignore_header X-CTCH-SenderID-TotalBulk bayes_ignore_header X-CTCH-SenderID-TotalConfirmed bayes_ignore_header X-CTCH-SenderID-TotalMessages bayes_ignore_header X-CTCH-SenderID-TotalRecipients bayes_ignore_header X-CTCH-SenderID-TotalSpam bayes_ignore_header X-CTCH-SenderID-TotalSuspected bayes_ignore_header X-CTCH-SenderID-TotalVirus bayes_ignore_header X-CTCH-Spam bayes_ignore_header X-CTCH-VOD bayes_ignore_header X-Delivered-To bayes_ignore_header X-Drweb-SpamState bayes_ignore_header X-DSPAM-Confidence bayes_ignore_header X-DSPAM-Factors bayes_ignore_header X-DSPAM-Improbability bayes_ignore_header X-DSPAM-Probability bayes_ignore_header X-DSPAM-Processed bayes_ignore_header X-DSPAM-Result bayes_ignore_header X-DSPAM-Signature bayes_ignore_header x-eavas bayes_ignore_header x-eavas-action bayes_ignore_header x-eavas-eavasid bayes_ignore_header X-Enigmail-Version bayes_ignore_header X-EsetId bayes_ignore_header X-EsetResult bayes_ignore_header X-Exchange-Antispam-Report bayes_ignore_header X-Exchange-Antispam-Report-CFA-Test bayes_ignore_header X-ExtloopSabreCommercials1 bayes_ignore_header X-EYOU-SPAMVALUE bayes_ignore_header X-FB-OUTBOUND-SPAM bayes_ignore_header X-FEAS-SBL bayes_ignore_header X-FILTER-SCORE bayes_ignore_header X-Forefront-Antispam-Report bayes_ignore_header X-Forefront-Antispam-Report-Untrusted bayes_ignore_header X-Forefront-PRVS bayes_ignore_header X-Freemail-From bayes_ignore_header X-Fuglu-Spamstatus bayes_ignore_header X-Fuglu-Suspect bayes_ignore_header X-getmail-filter-classifier bayes_ignore_header X-GFIME-MASPAM bayes_ignore_header X-Gm-Message-State bayes_ignore_header X-Gmane-NNTP-Posting-Host bayes_ignore_header X-GMX-Antispam bayes_ignore_header X-GMX-Antivirus bayes_ignore_header X-Google-DKIM-Signature bayes_ignore_header X-He-Spam bayes_ignore_header X-hMailServer-Spam bayes_ignore_header X-IAS bayes_ignore_header X-iGspam-global bayes_ignore_header X-Injected-Via-Gmane bayes_ignore_header X-Interia-Antivirus bayes_ignore_header X-IP-Spam-Verdict bayes_ignore_header X-Ironport bayes_ignore_header X-IronPort-Anti-Spam-Filtered bayes_ignore_header X-IronPort-Anti-Spam-Result bayes_ignore_header X-IronPort-AV bayes_ignore_header X-Ironport-HAT bayes_ignore_header X-Ironport-HOSTNAME bayes_ignore_header X-Ironport-LNR bayes_ignore_header X-Ironport-MessageFilter bayes_ignore_header X-Ironport-MFP bayes_ignore_header X-Ironport-MID bayes_ignore_header X-IronPort-Outgoing-Antispam bayes_ignore_header X-Ironport-RIF bayes_ignore_header X-Ironport-SBRS bayes_ignore_header X-Ironport-SENDER bayes_ignore_header X-Ironport-SUBJECT bayes_ignore_header X-Junk-Score bayes_ignore_header X-Junkmail bayes_ignore_header X-Klms-Anti bayes_ignore_header X-KLMS-AntiPhishing bayes_ignore_header X-Klms-Antispam bayes_ignore_header X-KLMS-AntiSpam-Info bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles bayes_ignore_header X-KLMS-AntiSpam-Method bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps bayes_ignore_header X-KLMS-AntiSpam-Rate bayes_ignore_header X-KLMS-AntiSpam-Status bayes_ignore_header X-KLMS-AntiSpam-Version bayes_ignore_header X-KLMS-AntiVirus bayes_ignore_header X-KLMS-AntiVirus-Status bayes_ignore_header X-KLMS-Message-Action bayes_ignore_header X-KLMS-Rule-ID bayes_ignore_header X-KMail-EncryptionState bayes_ignore_header X-KMail-MDN-Sent bayes_ignore_header X-KMail-SignatureState bayes_ignore_header X-Kse-Anti bayes_ignore_header X-Loom-IP bayes_ignore_header X-MailCleaner-SpamChec bayes_ignore_header X-MailCleaner-SpamCheck bayes_ignore_header X-MailFoundry bayes_ignore_header X-Mailman-Version bayes_ignore_header X-MDAV-Processed bayes_ignore_header X-MDMailLookup-Result bayes_ignore_header X-ME-Bayesian bayes_ignore_header X-ME-Content bayes_ignore_header X-MessageFilter bayes_ignore_header x-microsoft-antispam bayes_ignore_header X-Microsoft-Antispam-Message-Info bayes_ignore_header X-Microsoft-Antispam-Message-Info-Original bayes_ignore_header X-Microsoft-Antispam-Untrusted bayes_ignore_header X-Microsoft-Exchange-Diagnostics bayes_ignore_header X-Mlf-Version bayes_ignore_header X-Mozilla-Keys bayes_ignore_header X-Mozilla-Status bayes_ignore_header X-Mozilla-Status2 bayes_ignore_header x-ms-exchange-antispam-messagedata bayes_ignore_header x-ms-exchange-antispam-messagedata-0 bayes_ignore_header X-MS-Exchange-CrossTenant-AuthAs bayes_ignore_header X-MS-Exchange-CrossTenant-AuthSource bayes_ignore_header X-MS-Exchange-CrossTenant-FromEntityHeader bayes_ignore_header x-ms-exchange-crosstenant-id bayes_ignore_header x-ms-exchange-crosstenant-network-message-id bayes_ignore_header X-MS-Exchange-CrossTenant-OriginalArrivalTime bayes_ignore_header x-ms-exchange-crosstenant-rms-persistedconsumerorg bayes_ignore_header X-MS-Exchange-CrossTenant-userprincipalname bayes_ignore_header x-ms-exchange-slblob-mailprops bayes_ignore_header X-MS-Exchange-Transport-CrossTenantHeadersStamped bayes_ignore_header x-ms-office365-filtering-correlation-id bayes_ignore_header X-MS-TrafficTypeDiagnostic bayes_ignore_header X-MSFBL bayes_ignore_header X-MSMail-Priority bayes_ignore_header X-MXScan-AntiSpam bayes_ignore_header X-MXScan-AntiVirus bayes_ignore_header X-MXScan-Country-Sequence bayes_ignore_header X-MXScan-License bayes_ignore_header X-MXScan-Msgid bayes_ignore_header X-MXScan-ProcessingTime bayes_ignore_header X-MXScan-Scan bayes_ignore_header X-NAI-Spam-Flag bayes_ignore_header X-NAI-Spam-Rules bayes_ignore_header X-NAI-Spam-Score bayes_ignore_header X-NAI-Spam-Threshold bayes_ignore_header X-NetStation-Status bayes_ignore_header X-No-Relay bayes_ignore_header X-OriginatorOrg bayes_ignore_header X-OVH-SPAMCAUSE bayes_ignore_header X-OVH-SPAMCAUSE: bayes_ignore_header X-OVH-SPAMSCORE bayes_ignore_header X-OVH-SPAMSTATE bayes_ignore_header X-PerlMx-Spam bayes_ignore_header X-PerlMx-Virus-Scanned bayes_ignore_header X-PFSI-Info bayes_ignore_header X-PMX-Spam bayes_ignore_header X-PMX-Version bayes_ignore_header X-Policy-Service bayes_ignore_header X-policyd-weight bayes_ignore_header X-PreRBLs bayes_ignore_header X-Probable-Spam bayes_ignore_header X-PROLinux-SpamCheck bayes_ignore_header X-Proofpoint-Spam-Reason bayes_ignore_header X-Proofpoint-Virus-Version bayes_ignore_header X-Provags-ID bayes_ignore_header x-purgate-eavas: clean bayes_ignore_header x-purgate-id bayes_ignore_header x-purgate-size bayes_ignore_header x-purgate-type bayes_ignore_header X-Qmail-Scanner-Diagnostics bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status bayes_ignore_header X-Quarantine-ID bayes_ignore_header X-Received bayes_ignore_header X-RSpam-Report bayes_ignore_header X-SA-Do-Not-Run bayes_ignore_header X-SA-Exim-Version bayes_ignore_header X-Scanned-by bayes_ignore_header X-ServerMaster-MailScanner bayes_ignore_header X-SG-EID bayes_ignore_header X-SG-ID bayes_ignore_header X-SmarterMail-CustomSpamHeader bayes_ignore_header X-Spam bayes_ignore_header X-Spam-Action bayes_ignore_header X-SPAM-AISP bayes_ignore_header X-Spam-Check-By bayes_ignore_header X-Spam-Checker-Version bayes_ignore_header X-Spam-CMAE-Analysis bayes_ignore_header X-Spam-CMAESCORE bayes_ignore_header X-Spam-CTCH-RefID bayes_ignore_header X-Spam-Flag bayes_ignore_header X-Spam-Level bayes_ignore_header X-Spam-Processed bayes_ignore_header X-Spam-Report bayes_ignore_header X-Spam-Scanned bayes_ignore_header X-Spam-Score bayes_ignore_header X-Spam-Score-Int bayes_ignore_header X-Spam-SmartLearn bayes_ignore_header X-Spam-Status bayes_ignore_header X-Spam-Threshold bayes_ignore_header X-Spam_bar bayes_ignore_header X-Spambayes-Classification bayes_ignore_header X-SpamExperts-Domain bayes_ignore_header X-SpamExperts-Outgoing-Class bayes_ignore_header X-SpamExperts-Outgoing-Evidence bayes_ignore_header X-SpamExperts-Username bayes_ignore_header X-Spamfilter-host bayes_ignore_header X-Spamina-Bogosity bayes_ignore_header X-Spamina-Spam-Report bayes_ignore_header X-Spamina-Spam-Score bayes_ignore_header X-SpamInfo bayes_ignore_header X-Spamsave bayes_ignore_header X-SpamTest-Group-ID bayes_ignore_header X-SpamTest-Info bayes_ignore_header X-SpamTest-Method bayes_ignore_header X-SpamTest-Rate bayes_ignore_header X-SpamTest-SPF bayes_ignore_header X-SpamTest-Status bayes_ignore_header X-SpamTest-Status-Extended bayes_ignore_header X-SPF-Scan-By bayes_ignore_header X-STA-Metric bayes_ignore_header X-STA-NotSpam bayes_ignore_header X-STA-Spam bayes_ignore_header X-StarScan-Version bayes_ignore_header X-SurGATE-Result bayes_ignore_header X-SWITCHham-Score bayes_ignore_header X-UI-Filterresults bayes_ignore_header X-UI-Loop bayes_ignore_header X-UI-Out-Filterresults bayes_ignore_header X-Univie-Spam-Checker-Version bayes_ignore_header X-Univie-Virus-Scan bayes_ignore_header X-Virus bayes_ignore_header X-Virus-Checker-Version bayes_ignore_header X-Virus-Scanned bayes_ignore_header X-Virus-Scanner-Result bayes_ignore_header X-Virus-Scanner-Version bayes_ignore_header X-Virus-Status bayes_ignore_header X-VirusChecked bayes_ignore_header X-VR-SCORE bayes_ignore_header X-VR-SPAMCAUSE bayes_ignore_header X-VR-STATUS bayes_ignore_header X-WatchGuard-Mail-Client-IP bayes_ignore_header X-WatchGuard-Mail-From bayes_ignore_header X-WatchGuard-Mail-Recipients bayes_ignore_header X-WatchGuard-Spam-ID bayes_ignore_header X-WatchGuard-Spam-Score bayes_ignore_header X-Whitelist-Domain bayes_ignore_header X-WUM-CCI bayes_ignore_header X_CMAE_Category ##} bayes_ignore_header_sandbox ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/ askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/ askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/ reuse FROM_FMBLA_NEWDOM reuse FROM_FMBLA_NEWDOM14 reuse FROM_FMBLA_NEWDOM28 reuse FROM_FMBLA_NDBLOCKED reuse __PDS_NEWDOMAIN reuse FROM_NUMBERO_NEWDOMAIN reuse FROM_NEWDOM_BTC askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ reuse BITCOIN_SPF_ONLYALL endif endif ##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk reuse __FROM_ADDRLIST_PAYPAL reuse FROM_PAYPAL_SPOOF enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com enlist_addrlist (BANKS) *@citibank.com enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com enlist_addrlist (BANKS) *@mbna.com enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk enlist_addrlist (BANKS) *@santander.com *@santander.co.uk enlist_addrlist (BANKS) *@standardbank.co.za enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com reuse __FROM_ADDRLIST_BANKS reuse FROM_BANK_NOAUTH enlist_addrlist (GOV) *@*.gov enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk reuse __FROM_ADDRLIST_GOV reuse FROM_GOV_SPOOF reuse FROM_GOV_DKIM_AU reuse FROM_GOV_REPLYTO_FREEMAIL enlist_addrlist (SUSP_NTLD) *@*.icu enlist_addrlist (SUSP_NTLD) *@*.online enlist_addrlist (SUSP_NTLD) *@*.work enlist_addrlist (SUSP_NTLD) *@*.date enlist_addrlist (SUSP_NTLD) *@*.top enlist_addrlist (SUSP_NTLD) *@*.fun enlist_addrlist (SUSP_NTLD) *@*.life enlist_addrlist (SUSP_NTLD) *@*.review enlist_addrlist (SUSP_NTLD) *@*.bid enlist_addrlist (SUSP_NTLD) *@*.stream enlist_addrlist (SUSP_NTLD) *@*.gdn enlist_addrlist (SUSP_NTLD) *@*.click enlist_addrlist (SUSP_NTLD) *@*.world enlist_addrlist (SUSP_NTLD) *@*.fit enlist_addrlist (SUSP_NTLD) *@*.ooo enlist_addrlist (SUSP_NTLD) *@*.faith enlist_addrlist (SUSP_NTLD) *@*.buzz enlist_addrlist (SUSP_NTLD) *@*.trade enlist_addrlist (SUSP_NTLD) *@*.cyou enlist_addrlist (SUSP_NTLD) *@*.vip enlist_uri_host (SUSP_URI_NTLD) icu enlist_uri_host (SUSP_URI_NTLD) online enlist_uri_host (SUSP_URI_NTLD) work enlist_uri_host (SUSP_URI_NTLD) date enlist_uri_host (SUSP_URI_NTLD) top enlist_uri_host (SUSP_URI_NTLD) fun enlist_uri_host (SUSP_URI_NTLD) life enlist_uri_host (SUSP_URI_NTLD) review enlist_uri_host (SUSP_URI_NTLD) bid enlist_uri_host (SUSP_URI_NTLD) stream enlist_uri_host (SUSP_URI_NTLD) gdn enlist_uri_host (SUSP_URI_NTLD) click enlist_uri_host (SUSP_URI_NTLD) world enlist_uri_host (SUSP_URI_NTLD) fit enlist_uri_host (SUSP_URI_NTLD) ooo enlist_uri_host (SUSP_URI_NTLD) faith enlist_uri_host (SUSP_URI_NTLD) buzz enlist_uri_host (SUSP_URI_NTLD) trade enlist_uri_host (SUSP_URI_NTLD) cyou enlist_uri_host (SUSP_URI_NTLD) vip enlist_uri_host (SUSP_URI_NTLD_PRO) pro reuse __FROM_ADDRLIST_SUSPNTLD reuse __REPLYTO_ADDRLIST_SUSPNTLD reuse FROM_SUSPICIOUS_NTLD reuse GOOGLE_DRIVE_REPLY_BAD_NTLD reuse VPS_NO_NTLD endif endif ##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox ##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL priority GB_HASHBL_BTC -100 reuse GB_HASHBL_BTC endif endif ##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox ##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab]) replace_rules __E_LIKE_LETTER endif endif ##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/ reuse __DKIMWL_FREEMAIL askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/ reuse __DKIMWL_BULKMAIL askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/ reuse __DKIMWL_WL_HI askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/ reuse __DKIMWL_WL_MEDHI askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/ reuse __DKIMWL_WL_MED askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/ reuse __DKIMWL_WL_BL askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/ reuse __DKIMWL_BLOCKED reuse DKIMWL_WL_HIGH reuse DKIMWL_WL_MEDHI reuse DKIMWL_WL_MED reuse DKIMWL_BL reuse DKIMWL_BLOCKED askdns __HELO_DNS _LASTEXTERNALHELO_ A /./ endif ##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox ifplugin Mail::SpamAssassin::Plugin::DNSEval # { reuse RCVD_IN_PSBL endif ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox ifplugin Mail::SpamAssassin::Plugin::DNSEval reuse RCVD_IN_IADB_LISTED reuse RCVD_IN_IADB_SPF reuse RCVD_IN_IADB_SENDERID reuse RCVD_IN_IADB_DK reuse RCVD_IN_IADB_RDNS reuse RCVD_IN_IADB_DMARC reuse RCVD_IN_IADB_NOCONTROL reuse RCVD_IN_IADB_OPTOUTONLY reuse RCVD_IN_IADB_UNVERIFIED_1 reuse RCVD_IN_IADB_UNVERIFIED_2 reuse RCVD_IN_IADB_LOOSE reuse RCVD_IN_IADB_OPTIN_LT50 reuse RCVD_IN_IADB_OPTIN_GT50 reuse RCVD_IN_IADB_OPTIN reuse RCVD_IN_IADB_DOPTIN_LT50 reuse RCVD_IN_IADB_DOPTIN_GT50 reuse RCVD_IN_IADB_DOPTIN reuse RCVD_IN_IADB_ML_DOPTIN reuse RCVD_IN_IADB_OOO reuse RCVD_IN_IADB_SOCIAL reuse RCVD_IN_IADB_TRACK reuse RCVD_IN_IADB_ECARD reuse RCVD_IN_IADB_ESP reuse RCVD_IN_IADB_LEG_NPROFIT reuse RCVD_IN_IADB_LEG_BNPROFIT reuse RCVD_IN_IADB_LEG_MAND reuse RCVD_IN_IADB_COURT reuse RCVD_IN_IADB_URG reuse RCVD_IN_IADB_MI_CPEAR reuse RCVD_IN_IADB_UT_CPEAR endif ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de fns_ignore_headers List-Id fns_check 1 reuse __PLUGIN_FROMNAME_SPOOF reuse __PLUGIN_FROMNAME_EQUALS_TO endif ##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules T_FUZZY_SPRM replace_rules FUZZY_MERIDIA replace_rules TVD_FUZZY_PHARMACEUTICAL replace_rules TVD_FUZZY_SYMBOL replace_rules T_TVD_FUZZY_SECURITIES replace_rules TVD_FUZZY_FINANCE replace_rules TVD_FUZZY_FIXED_RATE replace_rules TVD_FUZZY_MICROCAP replace_rules T_TVD_FUZZY_SECTOR replace_rules TVD_FUZZY_DEGREE replace_rules __COPY_PASTE_EN replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?$[\div]{1,5}$|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|$?[A-K][)}\]:.,]{1,3})\s?) replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?$?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:ad+res+)? replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)??){1,3}(?:\s?)??){1,3} replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)?){1,3} replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|)?){1,3} replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card||papers?))?)?){1,3}(?:\s)? replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]? replace_tag FF_ALL (?:||||||||||) replace_rules __FILL_THIS_FORM_LONG1 replace_rules __FILL_THIS_FORM_LONG2 replace_rules __FILL_THIS_FORM_PARTIAL replace_rules __FILL_THIS_FORM_PARTIAL_RAW replace_rules __FILL_THIS_FORM_SHORT1 replace_rules __FILL_THIS_FORM_SHORT2 replace_rules __FILL_THIS_FORM_LOAN1 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 replace_tag CURRENCY (?:[$\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|u\s?s\s?d|U\s?S\s?D|CAD|G\s?B\s?P|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]$]?) replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s) replace_tag NUM_NOT_DATE_IP (?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$)) replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent) replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS replace_rules T_FUZZY_OPTOUT replace_rules __FRT_PRICE replace_rules FUZZY_UNSUBSCRIBE replace_rules FUZZY_ANDROID replace_rules FUZZY_PROMOTION replace_rules FUZZY_PRIVACY replace_rules FUZZY_BROWSER replace_rules FUZZY_SAVINGS replace_rules FUZZY_IMPORTANT replace_rules FUZZY_SECURITY replace_rules __FUZZY_DR_OZ replace_rules FUZZY_CLICK_HERE replace_rules FUZZY_BITCOIN replace_rules __BITCOIN replace_rules FUZZY_WALLET replace_rules __FUZZY_MONERO replace_rules __FUZZY_WELLSFARGO_BODY replace_rules __FUZZY_WELLSFARGO_FROM replace_rules __FUZZY_PORN replace_rules FUZZY_AMAZON replace_rules FUZZY_APPLE replace_rules FUZZY_MICROSOFT replace_rules FUZZY_FACEBOOK replace_rules FUZZY_PAYPAL replace_rules FUZZY_NORTON replace_rules FUZZY_OVERSTOCK replace_rules __FUZZY_TRUSTWALLET_BODY replace_rules __FUZZY_TRUSTWALLET_FROM replace_rules FUZZY_TRUMP replace_rules FUZZY_HARRIS replace_rules __MY_VICTIM replace_rules __MY_MALWARE replace_rules __PAY_ME replace_rules __YOUR_PASSWORD replace_rules __YOUR_WEBCAM replace_rules __YOUR_ONAN replace_rules __YOUR_PERSONAL replace_rules __HOURS_DEADLINE replace_rules __EXPLOSIVE_DEVICE replace_tag SHY (?:=ad|[\xc2][\xad]|[\xad]|&\#xad;|&\#173;||\x{E2}\x{80}\x{8F}) replace_rules __SHY_OBFU_PASSWORD replace_rules __SHY_OBFU_EXPIRE replace_rules T_LFUZ_PWRMALE replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE reuse T_PDS_BTC_AHACKER reuse T_PDS_BTC_HACKER reuse T_PDS_LTC_AHACKER reuse T_PDS_LTC_HACKER endif ##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox ifplugin Mail::SpamAssassin::Plugin::URIDNSBL reuse URIBL_RHS_DOB endif ##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com enlist_uri_host (PDS_CASHSHORTENER) caat.site enlist_uri_host (PDS_CASHSHORTENER) triabicia.com enlist_uri_host (PDS_CASHSHORTENER) 2xs.io enlist_uri_host (PDS_CASHSHORTENER) ocest.site enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz enlist_uri_host (PDS_CASHSHORTENER) waar.site enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net enlist_uri_host (PDS_CASHSHORTENER) cowner.net enlist_uri_host (PDS_CASHSHORTENER) adfoc.us enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz enlist_uri_host (PDS_CASHSHORTENER) gurl.pw enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz enlist_uri_host (PDS_CASHSHORTENER) libittarc.com enlist_uri_host (PDS_CASHSHORTENER) pc.cd enlist_uri_host (PDS_CASHSHORTENER) fc.lc enlist_uri_host (PDS_CASHSHORTENER) dares.xyz enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz enlist_uri_host (PDS_CASHSHORTENER) 7r6.com enlist_uri_host (PDS_CASHSHORTENER) mitly.us enlist_uri_host (PDS_CASHSHORTENER) kutpay.com enlist_uri_host (PDS_CASHSHORTENER) gsurl.me enlist_uri_host (PDS_CASHSHORTENER) gurl.ly enlist_uri_host (PDS_CASHSHORTENER) gsurl.in enlist_uri_host (PDS_CASHSHORTENER) acitoate.com enlist_uri_host (PDS_CASHSHORTENER) aclabink.com enlist_uri_host (PDS_CASHSHORTENER) activeation.com enlist_uri_host (PDS_CASHSHORTENER) activeterium.com enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com enlist_uri_host (PDS_CASHSHORTENER) adflymail.com enlist_uri_host (PDS_CASHSHORTENER) adult.xyz enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com enlist_uri_host (PDS_CASHSHORTENER) ay.gy enlist_uri_host (PDS_CASHSHORTENER) battleate.com enlist_uri_host (PDS_CASHSHORTENER) biastonu.com enlist_uri_host (PDS_CASHSHORTENER) bitigee.com enlist_uri_host (PDS_CASHSHORTENER) briskrange.com enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com enlist_uri_host (PDS_CASHSHORTENER) casualient.com enlist_uri_host (PDS_CASHSHORTENER) clesolea.com enlist_uri_host (PDS_CASHSHORTENER) code404.biz enlist_uri_host (PDS_CASHSHORTENER) coginator.com enlist_uri_host (PDS_CASHSHORTENER) cogismith.com enlist_uri_host (PDS_CASHSHORTENER) covelign.com enlist_uri_host (PDS_CASHSHORTENER) crefranek.com enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com enlist_uri_host (PDS_CASHSHORTENER) deciomm.com enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com enlist_uri_host (PDS_CASHSHORTENER) east-jones.com enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com enlist_uri_host (PDS_CASHSHORTENER) endroudo.com enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com enlist_uri_host (PDS_CASHSHORTENER) fainbory.com enlist_uri_host (PDS_CASHSHORTENER) fasttory.com enlist_uri_host (PDS_CASHSHORTENER) fawright.com enlist_uri_host (PDS_CASHSHORTENER) flyserve.co enlist_uri_host (PDS_CASHSHORTENER) greponozy.com enlist_uri_host (PDS_CASHSHORTENER) homoluath.com enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com enlist_uri_host (PDS_CASHSHORTENER) infopade.com enlist_uri_host (PDS_CASHSHORTENER) j.gs enlist_uri_host (PDS_CASHSHORTENER) kaitect.com enlist_uri_host (PDS_CASHSHORTENER) kializer.com enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com enlist_uri_host (PDS_CASHSHORTENER) legeerook.com enlist_uri_host (PDS_CASHSHORTENER) libittarc.com enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com enlist_uri_host (PDS_CASHSHORTENER) locinealy.com enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com enlist_uri_host (PDS_CASHSHORTENER) metastead.com enlist_uri_host (PDS_CASHSHORTENER) mmoity.com enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com enlist_uri_host (PDS_CASHSHORTENER) neswery.com enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com enlist_uri_host (PDS_CASHSHORTENER) optitopt.com enlist_uri_host (PDS_CASHSHORTENER) picocurl.com enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com enlist_uri_host (PDS_CASHSHORTENER) preofery.com enlist_uri_host (PDS_CASHSHORTENER) prereheus.com enlist_uri_host (PDS_CASHSHORTENER) q.gs enlist_uri_host (PDS_CASHSHORTENER) quainator.com enlist_uri_host (PDS_CASHSHORTENER) quamiller.com enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid enlist_uri_host (PDS_CASHSHORTENER) raboninco.com enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com enlist_uri_host (PDS_CASHSHORTENER) scapognel.com enlist_uri_host (PDS_CASHSHORTENER) simizer.com enlist_uri_host (PDS_CASHSHORTENER) skamaker.com enlist_uri_host (PDS_CASHSHORTENER) skamason.com enlist_uri_host (PDS_CASHSHORTENER) sluppend.com enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com enlist_uri_host (PDS_CASHSHORTENER) swarife.com enlist_uri_host (PDS_CASHSHORTENER) swiftation.com enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com enlist_uri_host (PDS_CASHSHORTENER) techigo.com enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid enlist_uri_host (PDS_CASHSHORTENER) tinyical.com enlist_uri_host (PDS_CASHSHORTENER) tonancos.com enlist_uri_host (PDS_CASHSHORTENER) triabicia.com enlist_uri_host (PDS_CASHSHORTENER) turboagram.com enlist_uri_host (PDS_CASHSHORTENER) twineer.com enlist_uri_host (PDS_CASHSHORTENER) twiriock.com enlist_uri_host (PDS_CASHSHORTENER) userlab66.com enlist_uri_host (PDS_CASHSHORTENER) vaugette.com enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com enlist_uri_host (PDS_CASHSHORTENER) velociterium.com enlist_uri_host (PDS_CASHSHORTENER) viahold.com enlist_uri_host (PDS_CASHSHORTENER) vializer.com enlist_uri_host (PDS_CASHSHORTENER) viwright.com enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com enlist_uri_host (PDS_CASHSHORTENER) x19.biz enlist_uri_host (PDS_CASHSHORTENER) x19network.com enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com enlist_uri_host (PDS_CASHSHORTENER) yoineer.com enlist_uri_host (PDS_CASHSHORTENER) yoitect.com enlist_uri_host (PDS_CASHSHORTENER) zipansion.com enlist_uri_host (PDS_CASHSHORTENER) zipteria.com enlist_uri_host (PDS_CASHSHORTENER) zipvale.com reuse T_PDS_SHORTFWD_URISHRT endif endif ##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox ##{ redirector_pattern_sandbox redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i ##} redirector_pattern_sandbox ##{ reuse_sandbox reuse T_PDS_HIDDEN_UK_BUSINESSLOAN reuse T_PDS_DOUBLE_URL reuse T_PDS_DBL_URL_LINKBAIT reuse T_PDS_DBL_URL_TNB_RUNON reuse T_PDS_DBL_URL_ILLEGAL_CHARS reuse T_FROM_2_EMAILS_SHORT reuse T_SHORT_BODY_QUOTE reuse T_BODY_QUOTE_MALF_MSGID reuse SPOOFED_FREEMAIL_NO_RDNS reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT reuse T_PDS_LITECOIN_ID reuse PDS_BTC_ID reuse PDS_BTC_MSGID reuse __PDS_GOOGLE_DRIVE_SHARE_1 reuse __PDS_GOOGLE_DRIVE_SHARE_2 reuse __PDS_GOOGLE_DRIVE_SHARE_3 reuse __PDS_GOOGLE_DRIVE_SHARE reuse T_GOOGLE_DRIVE_DEAR_SOMETHING reuse __PDS_GOOGLE_DRIVE_FILE reuse __SHORT_BODY_G_DRIVE reuse __SHORT_BODY_G_DRIVE_DYN reuse T_SHORT_BODY_G_DRIVE_DYN reuse T_FROM_NAME_EQ_TO_G_DRIVE ##} reuse_sandbox uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i uri __128_HEX_URI m,/[0-9a-f]{128}, uri __128_LC_URI m;[/?][a-z]{128,}$; uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ tflags __4BYTE_UTF8_WORD multiple maxhits=10 header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ uri __64_ANY_URI m;[/?]\w{64,}$;i body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i tflags __ACCESS_SUSPENDED multiple maxhits=2 body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i tflags __ACCOUNT_DISRUPT multiple maxhits=2 body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3 body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH endif uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\// uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ header __AC_FROM_MANY_DOTS From =~ /<(?!do\.not\.reply@)(?:\w{2,}\.){2,}\w+@/i meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i uri __AC_LAND_URI /\/land\// uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/ uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/ uri __AC_OUTI_URI /\/outi\b/ uri __AC_OUTL_URI /\/outl\b/ uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\// uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\// uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS) uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/ uri __AC_REPORT_URI /\/report\// uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\// rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/ uri __AC_UNSUB_URI /\/unsub\// body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ body __AFF_LOTTERY /(?:lottery|winner)/i meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION) body __AFR_UNION /\bafrican\sunion\b/i body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ANY_TEXT_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i tflags __APP_DEVELOPMENT multiple maxhits=6 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 endif body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s$](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s$]card/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ATTACH_NAME_NO_EXT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i endif body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i body __AUTO_ACCIDENT /auto(?:mobile)? accident/i header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/ header __AXB_MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/ header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/ header __AXB_XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/ body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i body __BANK_DRAFT /\bbank\sdraft/i body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i tflags __BIGNUM_EMAILS multiple maxhits=5 meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2 meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __BITCOIN /[-\s]?[-\s]?[-\s]?[-\s]?[-\s]?[-\s]?/i endif body __BITCOIN_ID /\b(?@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|3dazimhashimpremji7|7912richardtony|9porssts9|a(?:\.(?:bankofaffican|wafager1)|0(?:egbutuu|info\.foreign\.manager1)|12udubello|arenic1|b(?:d(?:97412345|u(?:kfahim|l(?:karim2880|lahmundani019)))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|e(?:cere001|x\.inititative))|d(?:iallo\.boa|rabidiahmed)|gent(?:\.laryedwad|mrssolomon)|isha(?:1976(?:algaddafi|gaddafi25)|gad(?:afi210|dafi(?:aam|libya5|sdaughter)))|jordennishornbeck53|l(?:\.jo60691737|a(?:inminc73|n\.austin(?:041|223)|s(?:cramac|tmacaulay))|ber\.yang222|ex(?:anderpeterson44(?:77|99)|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|phabankofgreecerepublic|ure\.wawrenka1472)|m(?:b(?:\.w\.stuart\.symington|assadormarybethleonardl4)|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:ager1|c(?:ebenin|ials|ospende8)|d(?:re(?:aclark1219|lwotti|w(?:bailey449|umehunitedbankforafrica))|trewbailey774|yfox0022)|itaminarnguessan|kheadofficelometogo1985|n(?:a(?:choihkkic|llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant))|yuan006)|office1office1|r(?:adka01|chibaldhamble|nethgracelg01|thur11alan)|s(?:h(?:0611jnag|westwood7)|sistance7agent)|t(?:mcarddepartment0024|sappinc2022|tohlawoffice\.tg)|ustin(?:billmark9|esino)|w1614860|yevayawovi190|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019|premji7))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:lla250abc|nk(?:1985|centralasiahalobca34|ingcentralng)|ochang7a|r(?:\.jacksonwilliams|bersmadar75|clays\.kenya\.bank|lesme002|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[589])|lordruben94)|teld\.huisman01)|uknechtk\.shoreline)|bongo593|c0996013|e(?:alitoniua9|l(?:inekra1|miromalta)|n(?:ezero392|gatl80|jaminsarah195)|rnard\.arnult01|t(?:h17780|syholden940))|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi|ussambairenepatricia)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:dpayout|ixaseguros9810001|mluba2017|pinolly|r(?:eisu98|twrighttownhomesllc))|bnatm847|claimsa|e(?:da\.ogada77|li(?:cerez|neroullier(?:200|nm))|x02)|fc\.atmoffice56|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|scharf2112|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienk(?:raymond|wongp))|iticonsultantjohncg0|k(?:enzbezos|ruger00017)|l(?:a(?:im(?:\.facebook001|adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:nellyfrances\.cf|sult(?:matthias|sto\.u)|tactad00[04])|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|i(?:mildaeduardontuintui|st(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101))))|u(?:berichard61|nninghammrssharonloren|stomerservicelacaixa2)|zyk775)|d(?:29laws|a(?:fi1976|n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|ibe718|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:an\.johnston570|btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|202|321)|t(?:ails\.\-shery\.gtl131|lefeckhardd))|h(?:amilton9099|ill27676|lexpresscompany176|sdevice)|i(?:a(?:monddiamondfinancebenin|n(?:e\.s\.wojcicki|nasherylab)|rrahchantal36)|gitalassetholding|p(?:francis1|lomatsshenry))|j970146|minique200|o(?:minicahkye|na(?:ldwilliam1988|tion(?:gafundtion|helpercare5)))|r(?:\.(?:meirh|wilsonpaul02)|29876dr|a(?:bodid|ymdm)|davidrhama221|frederickowen7|j(?:amesdee|oesimon77)|ken(?:nedyuzo|obiorah1?)|meier\.heidi?|owenfrederick|rhamahassan22)|scolder4|u(?:a1155a|b(?:efrank1970|reuilgmbh)|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens|yuzo)|e(?:434051|b(?:enezero392|ook)|christina937|d(?:envictor71|mundventura689|runity|winandersonprivate)|fcc\.financial\.dept|gbutuu|ign\.manager1|kiana|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|n(?:court1945|gr\.des01)|r(?:2009|e(?:evemusk681|nakgeorge123|zcelic0)|ioncarter\.private)|s(?:sexlss1|therkatherine1960)|togo1985|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|milyofsmith112|rahwasam101|tme\.mehmed001)|b(?:589767|lott47)|e(?:deralreserve(?:bankdallasdst|dbankdallas)|lix88995|yzaybrahim)|fle98|g0067333|i(?:duciarybmw2020|nanciera175|rstbank(?:49(?:666|966)|6669|9966|k49666))|j569282|l(?:556249|uhmann\.dn)|o(?:ropunionbank|undations\.west)|p462558|r(?:a(?:100dub132|n(?:c(?:es(?:\.connelly2|patrickconnolly(?:5050|4))|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|ody2|wangg)|l(?:aurarivera|inpiesie6))))|e(?:ddiejohn655|elottosweepstake51)|idmanmikhail511)|spero8[02]|u(?:lanlan28|n(?:dinternationalmonetary214|gg1w)))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|ddafidraisha990|r(?:ciavincent500|ethbull112016|yakinson121))|b(?:528796|ill4880)|e(?:n(?:\.ahmedmsksi|eralwilliamstony990)|orge(?:brownhoward02|kwame481)|r(?:aldjhjh11|tjanvlieghe787))|i(?:idp955|lbert12oook|ocastano21)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|n\.manager1|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219)|rdondallen52)|r(?:aceobia001|e(?:ant311|en(?:ergeoffrey(?:64|776)|lanternlawfirm)|ykuta20))|ubarevaelena58|veraallen|w522834)|h(?:a(?:alqadafi1976|r(?:gate2909|r(?:ison\.williams5000|yebert101)|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|dpaymentoffice2018|e(?:a(?:doffice(?:471|centre0210)|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321)|ritagetrustbank1985)|g(?:8669000|old8080)|heba\.hhassan207|i(?:ldad837|toshurui|ygohscurtis)|o(?:lsemeyerole6|nmackjohn518|p00|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh|warz)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|cbcnewyork5|gn\.manager1|jheidi17|l(?:iane\.bettencourt1945|lianbrown)|mf(?:deputyoff(?:000|ice)|grantinter)|n(?:c02|fo(?:\.(?:a(?:b(?:dulrafiqmusau|ogadosmfontana)|nnedouglas10)|diplomat0[78]|foreign\.manager1|g00gleclaim|jschneider|marviswanczyk360|orangedor|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk)|vidalpamela00)|gridrolle2|t(?:ernationallppp1|linvestorsfirm)|vestmentinfo11)|onhelpercare5|rvinekim67|s(?:mail(?:eman874|tarkan533)|tfoundation99)|tagetrustbank1985)|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:carlos17885|okoh82))|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nn(?:iannjhsonn|ybrown01222)|robtt|ssikasingh4)|j(?:7291634|osvu|umelelo)|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|rmorris|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:a(?:ahaskel19|haskel19|thanhaskel377)|esandassociates68|hugo1964|monkssa)|rtownsend01|se(?:ffeldrich|ph(?:acevedo024|babatunde192|ichael41))|vannyanderson001|y(?:ce00011|mrskone5))|rawlings007|s4fernado|u(?:lie(?:leach77|t\.le(?:222|e2222)|watson975)|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|stromjames3|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|hilittman7|jamess043|rinaziako56))|buhazza1|e(?:lsawamelia55|n(?:mckenziejr|nedy\.sawadogo19))|halidbuhazza99|ipkalyabekiana|js09376|kasbu790|o(?:n(?:emrsjoy|takt\.claim)|ssiphilip202|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:ie66v|r(?:ateambo|rytoms200)|ur(?:a\.chashih147|sent892)|w(?:fem15|officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|n(?:dfair\.co\.uk1|netth)|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|gaddafi|i(?:a(?:mfinchus(?:11|3)|ne\.bettencourt1945)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|sa(?:milner001|robin117)|xiung(?:l48|9))|jo(?:bsfoundation|hn6132)|lee091|o(?:g(?:anntomas|insemails)|rrainewirengee|t(?:eriaenlinea17|tyoffice1)|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|s(?:8409209|arbn01|chantal86)|tant|u(?:c(?:iamariacampbell|kywinners2018)|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|brown7|cmba440|n(?:mkl3332|piet1982))))|m(?:\.franc(?:co9[14]|o10001)|a(?:bel(?:\.manaku|manakuuu)|ck(?:enzbezos|oliver324)|dam(?:gadafiaisha|koenig\.ruhama1b)|i(?:eralois59|ncare655)|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:a(?:ger1|nkovefimovich)|duesq58|fran6(?:30|56)|uelfranco(?:4313|727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00|nne(?:jeanne849|woosley90))|celharriison99|nacoleman84|opabl26|tinesecurityusa)|k(?:roth456|uses200)|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|s(?:ayohara001|onmanny05|pencer5151)|t(?:hewriaanza|insbrien22)|u(?:hin52|noveutileina|rhinck11?)|viswan(?:044|142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz))|xaajn|ydetratt|zerfexi)|brons667|c(?:\.cheadychang7(?:33|6)|kenthando|lennetth)|dredban775|e(?:044386|engeoffrey|l(?:aniekreiss1971|lagolan|vidabullock5))|g(?:a(?:brielarthurr|ddafi506)|frederick80)|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:armstrong68|sjohnj|wuu002))|paulla|w954)|k(?:e(?:\.weirsky\.foundation(?:001|al001)|austinesino)|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|n(?:fin\.gv|tonjustin98)|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|boteogottai|yaelronen))|j(?:568566|minabii)|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus|gfrederick81|ohammadaljllilati|rstephen16)|nmalarge|o(?:ham(?:edabdul1717|m(?:adraqab00|daljililati1|edshamekh24))|rienkal30)|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee|tonyelumelu60|wlsonkabore)|4021212|7672900|abelaise|cjames001|d517341|eric(?:franck|schmid4002)|george(?:emera|wilson41)|hanimuhammad627|jamesmc6|m(?:ichael\.bishop00|organgomez56)|r(?:echardthomas|ichardanthony1)|s(?:\.(?:athenajacky492|biyufungchi16|janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:isha(?:alqadafi1976|gaddafi(?:55|62))|n(?:gela454|nchan47)|shaalqaddfi117)|catherineyokes|dominiquethomas7777|e(?:lisabeth73peter|velynbrown7)|f(?:atimaamiraqureshi1983|p2001)|gezeria|h(?:amima60|ristinemadeleine|wee199)|isabelladz|j(?:ackman123|essicajeffrey3|illianbrown|lleach)|katherinepascal9|l(?:isamilner08|ouisabenson2002|uciacorrao)|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|icheleallison51|ugan)|nicole(?:fr1marios|marois89)|r(?:eem362|obinsanders(?:185|0)|uthsmith9900)|s(?:ar(?:ahbenjamin103|iamirahwulu)|ophiac(?:hrist)?)|v(?:eraaellen|ictoriaedmond03)|winlytheresa)|tomcrist\.ca|vi(?:ktorzubkovv|ncentandrea)|zaishaalqadafi1976)|s(?:\.ellagolan56|agent02|cotthenryjames91|golaan4|smadar44)|twvvv|u(?:ali000111|s(?:ahahmed7d|tadris22))|wmwe10|y(?:burghhugohendrik|racbally))|n(?:a(?:ger1|omiiwasaki181)|c(?:essconnolly|kniem|uberichard61)|eilt(?:9108|rotter(?:2017|968))|fo\.(?:annedouglas10|foreign\.manager1)|harmuchccj|i(?:cholas\.jose73|eberri)|obuyuki\.hirano128|t(?:awdglobal|uintui)|uelfrancodonation02|v637245)|o(?:\.peace004|3344nb|ffi(?:c(?:e(?:\.012123|emaill0002|rricherd876|windowterms)|ialserviceuae)|zielllk)|hallkenneth1|lenasheve73|m(?:arinyandeng|cristworld)|n(?:lineresourcesworldbankb|ufoundationclaims)|p(?:cwkdw|hiachrist)|r(?:abankheadofficelometogo1985|karpatrick)|swald\.l(?:\.lewis|ewwis)|xfaminternationa1980)|p(?:a(?:cex02|storfrancesco1|tric(?:ia881a|k(?:\.efcc|andfrancessconnolly|frances743))|ul(?:eed1969|n8018|richard4k)|ymentofficer14)|b(?:ph202lay2|rookk0)|e(?:130304|nding(?:redirections|waletsfortrust)|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|il(?:iprogerr|lip\.richead218))|i(?:eterstevens511|lz37754)|o(?:lloke|usazgullaume|wellmrwilliam)|pinc02|r(?:esleybathini1|imecapitalfianceltd|o(?:1nvstream|cessing2013general))|trsvermeulen|ublic|w178483)|q(?:iquanzhou7|nzeng1|pedrohillsdonations|uirlduga)|r(?:19772744|677gfd|83718446|a(?:hashimi80|johnfernn|kidy23|lhashimi78|rivera|ymond(?:aba200|damon(?:15|2)))|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|m(?:ittanceofficeasaba|ji7)|neehi(?:i\.omb|ll1817)|plyback00|sultbox1404|ttayuen|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|fr(?:ankjackson91|paulwilliams2))|wumehunitedbankforafrica)|i(?:ch(?:19williams|a(?:miller18|rd(?:4k|lustig4u|w(?:ahl511|il(?:lis815|son19091))))|lawand(?:ds|s))|ffn818|tawilliams4141)|josh(?:200000|5858)|kuofung18|main2028|o(?:b(?:ert(?:cota391|hanandez6655)|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo|thshoreline))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nch(?:e\.pedroz33|oscozfifa)|rfiafarfask7|vicperez)|cott(?:henryjames91|pete(?:89658|rs7989))|e(?:c(?:\.steventernermnuchin|retservicce[789])|phichael41|r(?:geantrobertbrown1|vicemoneygram8)|ydouthiebaconsultant)|g(?:\.offi(?:ce\.group|ice\.group)|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|i(?:lverlakeconsultant|m(?:lkheng5|onhei47))|ky\.foundation001|l5342743|o(?:fia\.adams201|p(?:adam3|hiajesse41)|u(?:rcingloggs|thwsltd))|p(?:a(?:cex(?:\.inititative|02)|gentrose)|eelman1972)|t(?:anleyjohn1469|bank1985|e(?:fanpersson886|phen(?:7tam|tam1(?:47|6))|ve(?:acrabbe|n(?:chamberonline|priceprivate)))|hval446119)|u(?:iyang(?:\.boc|02)|n(?:\.hor20|gw\.wong1)|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy(?:21gill|webster24)|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:am\.spacex02|lexgraphicremit\.cbn1|nreyrosilvana54|p0chen|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9|resawilliams7661?|smithf(?:amily124|m124)))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|robins777|zimpro11)|pchronodesk|shikazusendo101)|p2911220|r(?:ansferriamoney0|embleylindsay|ustfoundationsigridrausing)|t(?:encourt1945|khan69s))|u(?:ba(?:\.bankofaffican|bank(?:bjplc|headoffice471))|d(?:erleyen52|o27657|regwqr)|gauthorization|kponguko|maru(?:godwin599|kareem8)|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:a(?:department\.treasuryunit|lotery2)|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ct(?:marc1|oriaabraham2310)|dalpamela85|n(?:centgarcia6000|gut(?:170|7))|p(?:financeace|jeferrey)|sa\.incusa1101|vianyuan006)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczyk(?:m61|ooo006)|rrenebuffett(?:398|2))|b(?:271981|6159980|uffetdonationprogram)|c5000dle|d232633|e(?:llensteinfoundation251|stleygraham4t)|hatsapp(?:inc(?:02|2022)|official001)|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:0010|2618|629)|iam(?:robert3852|smartyrs888)|uyun)|naticket)|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.(?:africafinancials|feltonandrew|moneygram9054))|y(?:\.oguzhan011|anghoseok5|doo974|i(?:hsbctanmd|nglukshinawtra)|mentoffice2018|o(?:ngkm00|usefzongo5722))|z(?:bank8876|en(?:etth01|ithbankplconline98)|hangweisheng199|kiaslan1963|minhong65|ubkovmrviktor|yk(?:1987|k112))))\@gmail\.com$/i body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s body __BODY_TEXT_LINE /^\s*\S/ tflags __BODY_TEXT_LINE multiple maxhits=3 meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ tflags __BOGUS_MIME_HDR multiple maxhits=8 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 endif header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/ meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7) body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i endif body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i rawbody __BUGGED_IMG m{]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i body __BURKINA_FASO /\bburkina\s?faso\b/i body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i body __CAN_HELP /\bcan help\b/i body __CASHPRZ /cash prize of/ body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i tflags __CLEAN_MAILBOX multiple maxhits=2 body __CLICK_HERE /\bclick\shere\b/i rawbody __COMMENT_GIBBERISH /\w/ tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE endif rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s* 20 ifplugin Mail::SpamAssassin::Plugin::HTMLEval body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') endif body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i tflags __IMGUR_IMG multiple maxhits=4 meta __IMGUR_IMG_2 __IMGUR_IMG == 2 meta __IMGUR_IMG_3 __IMGUR_IMG == 3 if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) meta __IMG_LE_300K 0 endif ifplugin Mail::SpamAssassin::Plugin::ImageInfo body __IMG_LE_300K eval:pixel_coverage('all',62500,300000) endif body __INHERIT_PMT /\binheritance\spayment\s/i body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ISO_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ISO_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i endif body __IS_LEGAL /\b(?:(?:(?:this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i header __JM_REACTOR_DATE Date =~ / \+0000$/ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024') describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128') describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256') describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512') describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes. endif endif if !plugin(Mail::SpamAssassin::Plugin::HTMLEval) meta __KAM_HTML_FONT_INVALID 0 endif ifplugin Mail::SpamAssassin::Plugin::HTMLEval body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color') endif body __KAM_LOTTO2 /(?:(?:ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/ header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/ meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME) if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta __LARGE_PERCENT_AFTER 0 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __LARGE_PERCENT_AFTER /\d{3}% after/i tflags __LARGE_PERCENT_AFTER multiple maxhits=4 endif if !plugin(Mail::SpamAssassin::Plugin::HeaderEval) meta __LCL__ENV_AND_HDR_FROM_MATCH 0 endif ifplugin Mail::SpamAssassin::Plugin::HeaderEval meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_1024 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_1024 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 endif endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_128 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_128 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 endif endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_512 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_512 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 endif endif meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR body __LITECOIN_ID /\b(?[^<\s]{1400}/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __LONG_STY_INVIS __STY_INVIS_2 && __LONGLINE endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_00 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_00 /[\s\.]?[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_01 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[$\[]?|\s?)[\s\.]?[\d.,\sOo]{5,20}[\dOo](?[\d.,\sOo]{5,20}[\dOo][$\]$]?\s?(?:|Pounds|(?i:dollars?|bucks))\b/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_03 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|\s?)[\d.,\sOo]{0,5}[$\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_04 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_04 /(?:(?[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|milln|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|U\s?S\s?D|G\s?B\s?P|\spounds?|(?:\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_05 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i endif meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2 body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i uri __LOTTO_ADMITS_3 /lott+ery/i meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02 body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(? 1 meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i header __MID_START_001C Message-ID =~ /^<000001c/ body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/ meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/ if !((version >= 3.004000)) meta __MIME_CTYPE_IN_BODY 0 endif if (version >= 3.004000) body __MIME_CTYPE_IN_BODY /^Content-Type:\s/ endif if !((version >= 3.004000)) meta __MIME_MALF 0 endif if (version >= 3.004000) meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MIME_NO_TEXT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH) endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval rawbody __MIME_QPC eval:check_for_mime('mime_qp_count') endif header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/ rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/ rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/ describe __MIXED_HREF_CASE Has anchor tags with mixed-up cases in non-quoted lines meta __MIXED_HREF_CASE __HAS_HREF - __HAS_HREF_ONECASE > 0 rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/ header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) body __MONERO_CURNCY /Monero $XMR$/ body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto endif meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE header __MSGID_GUID Message-ID =~ /^/m meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: / ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i endif header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ header __MUA_TBIRD User-Agent =~ /^Mozilla\/.* Thunderbird/ body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __MY_MALWARE /(?:^|\s)(?:(?:(?:'|\s~~~~)?\s(?:~~~~
~~~~<|>~~\s?~~~~~~
||(?:|)\s|
~~~~~~)\s(?:\s)?|\s(?:~~~~~~
\s|\s|\s)?)(?:+||
~~\s?~~||
~~~~\s|~~~~
(?:|0)||(?:\s|\s|~~\s)+(?:~~
~~~~~~|~~))|(?:~~~~~~~~
|+)[^\.]{1,30}(?:(?:|)|~~(?:~~|))\s\s\s(?:|)|\s(?:~~||||~~~~~~
~~)\s(?:|~~)\s(?:~~|~~
||(?:~~\s?)?~~
~~~~~~||)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|\s\s~~~~~~
+|\s?\s?\s?|(?:(?:||
|+)\s)+(?:|)\s)[\s\.,]/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __MY_VICTIM /(?:|),?(?:\s)?\s(?:|
)/i endif header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/ meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/ body __NEVER_HEAR_EN /(?:never hear me again|destroy all your secrets|not bother you again|leave you alone)/i body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i body __NIGERIA /\bnigeria\b/i meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO tflags __NOT_A_PERSON nice body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i tflags __NOT_SPOOFED nice if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF endif endif if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) ifplugin Mail::SpamAssassin::Plugin::SPF meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF endif endif if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF. endif endif if !plugin(Mail::SpamAssassin::Plugin::DKIM) ifplugin Mail::SpamAssassin::Plugin::SPF meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF endif endif meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS) header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(?:\.[a-z]{2,4})?\.[a-z]+$/i header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) endif body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/ if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) meta __ONE_IMG 0 endif ifplugin Mail::SpamAssassin::Plugin::ImageInfo body __ONE_IMG eval:image_count('all',1,1) endif header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./ body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CL Content-Location =~ /./ endif body __PASSIVE_INCOME /\bpassive income\b/i body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i body __PASSWORD_UPGRADE /\bpassword upgrade\b/i body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PAY_ME /(?:^|\s)(?:
~~\s|(?:(?:|~~|)\s(?:\s)?|(?:~~(?:\s~~)?|~~~~~~~~~~)\s(?:\s\s||)|\s|\s\s|~~~~~~~~~~
~~~~\s)\s(?:[\d,'.\$£]+\s?(?:~~?|?(?:~~)?|~~~~~~~~
~~|)?||)|(?:|~~
~~~~||~~)\s\s~~~~~~
~~~~|\s\s\s~~|(?:~~~~~~
|)\s\s(?:|)[-\s](?:||| (?:)?))[\s\.,]/i endif body __PAY_YOU /\bpay\syou\b/ if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50 endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_1 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_1 /[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_2 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_3 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_OF_PMTS 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_OF_PMTS /[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_FN1 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_FN2 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_ANON From:name =~ /\bAnon/ endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_HACKER From:name =~ /hckr/i endif meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_PIRATE From:name =~ /prt/i endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER') endif endif uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$; if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i endif endif if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i endif header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/ meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2) header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/ header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/ header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/ ifplugin Mail::SpamAssassin::Plugin::AskDNS meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS) tflags __PDS_HP_HELO_NODNS net endif ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024 endif ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048 endif meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024) meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512) if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28) tflags __PDS_NEWDOMAIN net endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i endif endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_1024 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_128 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_512 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_64 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64) endif header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:mta|mail|mx|smtp)\b\S* /i if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i endif endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __PDS_SPF_ONLYALL net endif endif meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? ]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism endif if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n<]{0,80}<)?(\1)>?/ism endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024 endif endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_URISHORTENER __URL_SHORTENER endif endif meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i body __PERFECT_BINARY /\bperfect binary option\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i endif meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(? 1 header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # " header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # " header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i tflags __RCD_RDNS_MAIL nice header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i tflags __RCD_RDNS_MAIL_MESSY nice header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i tflags __RCD_RDNS_MTA nice header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i tflags __RCD_RDNS_MTA_MESSY nice header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i tflags __RCD_RDNS_MX nice header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ tflags __RCD_RDNS_MX_MESSY nice header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i tflags __RCD_RDNS_OB nice header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i tflags __RCD_RDNS_SMTP nice header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ tflags __RCD_RDNS_SMTP_MESSY nice header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/ header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ / header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} / body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./ body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH) endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') endif endif header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll|ynnpage)|m(?:\.francco|_l\.wanczyk|asayohara|rsjanetedwards)|officework|p(?:aulpollard|eterwong)|royalpalace|spwalker|usembassy|webank|yurdaaytarkan))\d+\@aol\.com$/i header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha(?:1976gaddafi|gaddafilibya)|l(?:an\.austin|ber\.yang|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|rnard\.arnult|tsyholden)|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|e(?:da\.ogada|lineroullier)|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:lombasjuan|ntactad|operation)|r(?:awfordgillies|ist(?:brun?|davis|ydavis(?:donation|foundation)))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|ibe|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|hlexpresscompany|ipfrancis|minique|ona(?:ldwilliam|tionhelpercare)|r(?:\.wilsonpaul|davidrhama|joesimon|rhamahassan)|unsilva)|e(?:benezero|christina|dmundventura|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:evemusk|nakgeorge|zcelic)|s(?:sexlss|therkatherine)|wynn)|f(?:\.mikhail|a(?:ithdesrie|rahwasam|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:es(?:\.connelly|patrickconnolly)|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|u(?:lanlan|ndinternationalmonetary))|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|r(?:ciavincent|yakinson))|bill|e(?:neralwilliamstony|orge(?:brownhoward|kwame)|r(?:aldjhjh|tjanvlieghe))|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo)|lengiggs|ritagetrustbank)|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle|ternationallppp)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:cobmaseon|mesokoh|vierlesme)|e(?:fferydean|ssikasingh)|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|tanko|uba|walterlove|a)|n(?:a(?:haskel|thanhaskel)|esandassociates|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson|ymrskone)|rawlings|ulie(?:t\.lee?|watson))|k(?:a(?:l(?:iaksandr|stromjames|tschmidtdavid)|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|nnedy\.sawadogo)|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|ndfair\.co\.uk|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|n(?:elink|glung)|sa(?:milner|robin)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:\.francco|a(?:ckoliver|incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:a(?:hhills|nnewoosley)|nacoleman|opabl)|k(?:roth|uses)|shalh|tinamayer|y(?:franson|josen))|s(?:onmanny|pencer)|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|o(?:ham(?:edabdul|m(?:adraqab|daljililati|edshamekh))|rienkal)|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell|tonyelumelu)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:isha(?:alqadafi|gaddafi)|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|j(?:ackman|essicajeffrey)|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|ffice(?:emaill|rricherd)|hallkenneth|lenasheve|rabankheadofficelometogo|xfaminternationa)|p(?:a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|sultbox|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|i(?:cha(?:miller|rdw(?:ahl|illis))|tawilliams)|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|o(?:fia\.adams|p(?:adam|hiajesse))|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:am\.spacex|nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|robins|zimpro)|shikazusendo))|u(?:babankheadoffice|derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iam(?:robert|smartyrs)))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|ilmohammed|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rrister\.dennis)|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|d(?:hamilton|iaanesoto)|e(?:denvictor|ricalbert)|f(?:aizaadama|ederal\.r)|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|unny(?:\.sopheap|_sopheap))|nestordaniel|o(?:biorahkenneth|fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|oftc|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i if !((version >= 3.003000)) meta __RP_MATCHES_RCVD 0 endif if (version >= 3.003000) if !plugin(Mail::SpamAssassin::Plugin::WLBLEval) meta __RP_MATCHES_RCVD 0 endif endif if (version >= 3.003000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() endif endif body __SCAM /\bscam(?:m?e[dr])?s?\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/ endif body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i tflags __SENDER_BOT nice uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags rawbody __SHY_OBFU_EXPIRE /e(?!xpire){0,6}x{0,6}p{0,6}i{0,6}r{0,6}e/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags rawbody __SHY_OBFU_PASSWORD /p(?!assword){0,6}a{0,6}s{0,6}s{0,6}w{0,6}o{0,6}r{0,6}d/i endif body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ tflags __SINGLE_WORD_LINE multiple maxhits=2 header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ tflags __SPAN_BEG_TEXT multiple maxhits=5 rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ tflags __SPAN_END_TEXT multiple maxhits=5 if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __SPF_FULL_PASS 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) tflags __SPF_FULL_PASS net endif if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __SPF_RANDOM_SENDER 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) tflags __SPF_RANDOM_SENDER net endif meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM tflags __SPOOFED_FREEMAIL net meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO tflags __SPOOFED_FREEM_REPTO net rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(? 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_3 __STY_INVIS > 2 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_MANY __STY_INVIS > 5 endif header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i header __SUBJ_ATTENTION Subject =~ /ATTENTION/ meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ tflags __SUBJ_BROKEN_WORD multiple maxhits=2 meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject: [^\n]{0,100}\1[>,:\s\n]/ism header __SUBJ_HAS_TO_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for ;]+)>?;(?:[^\n]+\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To: [^\n]{0,100}\1[^a-z0-9.]/ism header __SUBJ_HAS_WORDS Subject =~ /(?:^|\s)[^\W0-9_]{3,15}(?:\s|$)/ header __SUBJ_NOT_SHORT Subject =~ /^.{16}/ header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ header __SUBJ_SHORT Subject =~ /^.{0,8}$/ header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i tflags __SUBSCRIPTION_INFO nice body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i body __SURVEY /\bsurvey\b/i body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i body __SUSPICION_LOGIN /\bsuspicion login\b/i body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m tflags __TENWORD_GIBBERISH multiple maxhits=21 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i endif body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) tflags __THREADED nice header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[A-Za-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$, header __TO_ALL_NUMS To:addr =~ /^\d+@/ meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __TO_EQ_FM_DOM_SPF_FAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL tflags __TO_EQ_FM_DOM_SPF_FAIL net endif if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __TO_EQ_FM_SPF_FAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL tflags __TO_EQ_FM_SPF_FAIL net endif meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) describe __TO_EQ_FROM To: same as From: header __TO_EQ_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism header __TO_EQ_FROM_2 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) describe __TO_EQ_FROM_DOM To: domain same as From: domain header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: [^\n]+@\1[>,\s\n]/ism header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: [^\n]+@\1[>,\s\n]/ism meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) describe __TO_EQ_FROM_USR To: username same as From: username header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/ if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta __TO_NO_BRKTS_FREEMAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO) endif meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/ meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01 header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i header __TO___LOWER ALL =~ /to: \S{5}/ body __TRANSFORM_LIFE /\b(?:transform|change) your (?:daily )?life(?:style)?\b/i body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i header __TT_OBSCURED_VALIUM Subject =~ /(?:v|V|\\\/)(?:a|A|$a$|4|@)(?:l|L|\|)(?:i|I|1|\xef|\|)(?:u|U|$u$)(?:m|M)/ header __TT_OBSCURED_VIAGRA Subject =~ /(?:v|V|\\\/)(?:i|I|1|\xef|\|)(?:a|A|$a$|4|@)(?:g|G)(?:r|R)(?:a|A|$a$|4|@)/ header __TT_VALIUM Subject =~ /VALIUM/i header __TT_VIAGRA Subject =~ /VIAGRA/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_OUTLOOK_IMG Content-Id =~ / 9 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i tflags __UNICODE_OBFU_ZW multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 endif body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i tflags __UNSUB_EMAIL nice body __UNSUB_GOOG_FORM m,Unsub?sc?ribe\s= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i endif endif meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART body __WEBMAIL_ACCT /\byour web ?mail account/i body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2 body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20} 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __WORD_INVIS_5 __WORD_INVIS > 5 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID endif header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY) ifplugin Mail::SpamAssassin::Plugin::FreeMail header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/ endif ifplugin Mail::SpamAssassin::Plugin::FreeMail header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/ endif header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/ header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/ header __XM_BALSA X-Mailer =~ /^Balsa \d/ header __XM_CALYPSO X-Mailer =~ /^Calypso/ header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/ header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/ header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ header __XM_GNUS X-Mailer =~ /^Gnus v/ header __XM_MHE X-Mailer =~ /^mh-e \d/ header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/ header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/ header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/ header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/ header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/ header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/ header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/ header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/ header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/ header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/ header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/ header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/ header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/ header __XM_VERY_LONG X-Mailer =~ /.{50}/ header __XM_VM X-Mailer =~ /^VM \d/ header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/ header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/ meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT meta __XPRIO_VISTA __XPRIO_MINFP && __VISTA_MSGID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i endif body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_ONAN /(?:^|\s)(?:?|)\s(?:++~~++(?:|)++~~++(?:||)(?:~~)?|~~|~~\s|~~\s|~~~~|(?:~~~~~~~~
~~(?:|)|~~(?:)?)\s)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_PASSWORD /(?:^|\s)(?:|(?:||
|||)\s)\s(?:\s|-?\s)?(?:
~~~~~~[-\s_]?|~~~~~~
\s)/i endif body __YOUR_PERM /\byour\spermission\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_PERSONAL /(?:^|\s)(?:\s(?:
|
~~|~~\s ||)\s(?:(?:~~~~)?||||)|~~~~\s(?:\s)?\s(?:|||~~~~~~~~~~~~
))[\s\.,]/i endif body __YOUR_PROFIT /\byour?\sprofit/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_WEBCAM /(?:^|\s)(?:|||~~|)\s(?:(?:|~~
|
~~)\s~~\s|\s)?(?:[-\s]?|[-\s]?|\s|\s)+/i endif body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY)) body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ZIP_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ZIP_ATTACH_NOFN 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i endif ifplugin Mail::SpamAssassin::Plugin::FreeMail header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To') endif body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i body __hk_win_0 /\byour? e-?mail just w[oi]n/i body __hk_win_2 /\battn.{0,10}winner/i body __hk_win_3 /\bhappily aa?nnounce/i body __hk_win_4 /\bpleas(?:ure|ed) to inform/i body __hk_win_5 /\b(?:notice the|your) winning/i body __hk_win_7 /\bcongratulations? to your/i body __hk_win_8 /\bunexpected luck/i body __hk_win_9 /\blucky (?:nl )number/i body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i body __hk_win_c /\bune adresse e-?mail sur internet/i body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i body __hk_win_i /\bfunds? transfer/i body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i body __hk_win_l /\b(?:make|file) (?:for )?your claim/i body __hk_win_m /\br.clamation de votre prix/i body __hk_win_n /\bcollect your prize/i body __hk_win_o /\bclarification and procedure/i ifplugin Mail::SpamAssassin::Plugin::FreeMail header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') endif