GIF89a;
# NOTE(review): the line above is a GIF image signature, not a SpamAssassin
# directive. A text rules file that starts with an image magic string will be
# identified as image/gif by content sniffers, so confirm where this copy came
# from and compare it with the upstream ruleset before deploying it.
#
###########################################################################
# Require SpamAssassin 3.4.0 or newer; presumably the rules below rely on
# features of that release (e.g. the version-guarded tflags) - confirm.
require_version 3.004000
##{ AC_HTML_NONSENSE_TAGS
# Hits on ten back-to-back tags of the form <xxxx> (four or more alphanumerics,
# no attributes, no closing slash) separated only by optional whitespace.
# Uses rawbody so the HTML markup is still present when the pattern runs.
# No score is set in this stanza (the score line is commented out).
rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/
describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam
#score AC_HTML_NONSENSE_TAGS 2.0
tflags AC_HTML_NONSENSE_TAGS publish
##} AC_HTML_NONSENSE_TAGS
# ADVANCE_FEE_<n>_NEW[_FORM|_FRM_MNY|_MONEY] family (n = 2..5).
# Each meta fires when the same-named "__" sub-rule hits and none of the listed
# exclusion sub-rules hit. The "__" sub-rules (the actual phrase matching and
# the exclusions) are defined outside this part of the file.
# Most exclusions are header/markup presence tests (Sender, X-Loop, threading,
# list-unsubscribe, ...) that the sender controls - presumably added to cut
# false positives on list mail; review them if fraud mail starts carrying
# those headers.
##{ ADVANCE_FEE_2_NEW_FORM
meta ADVANCE_FEE_2_NEW_FORM __ADVANCE_FEE_2_NEW_FORM && !__COMMENT_EXISTS && !__THREADED && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_2_NEW_FORM publish
##} ADVANCE_FEE_2_NEW_FORM
##{ ADVANCE_FEE_2_NEW_FRM_MNY
# No tflags line here, unlike the _FORM and _MONEY siblings.
meta ADVANCE_FEE_2_NEW_FRM_MNY __ADVANCE_FEE_2_NEW_FRM_MNY && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_2_NEW_FRM_MNY
##{ ADVANCE_FEE_2_NEW_MONEY
meta ADVANCE_FEE_2_NEW_MONEY __ADVANCE_FEE_2_NEW_MONEY && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_CENTER && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__NAME_EQ_EMAIL && !__URI_MAILTO_MANY && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_2_NEW_MONEY publish
##} ADVANCE_FEE_2_NEW_MONEY
##{ ADVANCE_FEE_3_NEW
meta ADVANCE_FEE_3_NEW __ADVANCE_FEE_3_NEW && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__UNSUB_LINK && !__UPPERCASE_URI && !__SURVEY && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
#score ADVANCE_FEE_3_NEW 3.5 # limit
tflags ADVANCE_FEE_3_NEW publish
##} ADVANCE_FEE_3_NEW
##{ ADVANCE_FEE_3_NEW_FORM
meta ADVANCE_FEE_3_NEW_FORM __ADVANCE_FEE_3_NEW_FORM && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_3_NEW_FORM publish
##} ADVANCE_FEE_3_NEW_FORM
##{ ADVANCE_FEE_3_NEW_FRM_MNY
meta ADVANCE_FEE_3_NEW_FRM_MNY __ADVANCE_FEE_3_NEW_FRM_MNY && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_3_NEW_FRM_MNY
##{ ADVANCE_FEE_3_NEW_MONEY
meta ADVANCE_FEE_3_NEW_MONEY __ADVANCE_FEE_3_NEW_MONEY && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__UNSUB_LINK && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_3_NEW_MONEY publish
##} ADVANCE_FEE_3_NEW_MONEY
##{ ADVANCE_FEE_4_NEW
meta ADVANCE_FEE_4_NEW __ADVANCE_FEE_4_NEW && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO
describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
tflags ADVANCE_FEE_4_NEW publish
##} ADVANCE_FEE_4_NEW
##{ ADVANCE_FEE_4_NEW_FORM
# From here on several metas are plain aliases of their sub-rule (no exclusions).
meta ADVANCE_FEE_4_NEW_FORM __ADVANCE_FEE_4_NEW_FORM
describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
##} ADVANCE_FEE_4_NEW_FORM
##{ ADVANCE_FEE_4_NEW_FRM_MNY
meta ADVANCE_FEE_4_NEW_FRM_MNY __ADVANCE_FEE_4_NEW_FRM_MNY
describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_4_NEW_FRM_MNY
##{ ADVANCE_FEE_4_NEW_MONEY
meta ADVANCE_FEE_4_NEW_MONEY __ADVANCE_FEE_4_NEW_MONEY && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__HAS_X_LOOP
describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
##} ADVANCE_FEE_4_NEW_MONEY
##{ ADVANCE_FEE_5_NEW
meta ADVANCE_FEE_5_NEW __ADVANCE_FEE_5_NEW
describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
##} ADVANCE_FEE_5_NEW
##{ ADVANCE_FEE_5_NEW_FORM
meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
##} ADVANCE_FEE_5_NEW_FORM
##{ ADVANCE_FEE_5_NEW_FRM_MNY
meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_5_NEW_FRM_MNY
##{ ADVANCE_FEE_5_NEW_MONEY
meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY
describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
##} ADVANCE_FEE_5_NEW_MONEY
##{ APOSTROPHE_FROM
# Hits when the address part of From: contains a single quote anywhere.
# An apostrophe is a legal character in an RFC 5322 local part (o'brien@...),
# so this can hit legitimate senders; no score is set in this stanza.
header APOSTROPHE_FROM From:addr =~ /'/
describe APOSTROPHE_FROM From address contains an apostrophe
##} APOSTROPHE_FROM
##{ AXB_3LITTLE_PIGS
# Case-sensitive literal match on one disclaimer sentence in the body text.
body AXB_3LITTLE_PIGS /\bwas sent by third-party independent marketing agent\./
describe AXB_3LITTLE_PIGS chinny chin chin
##} AXB_3LITTLE_PIGS
##{ AXB_3LITTLE_PIGS if (version >= 3.004000)
# autolearn_force is only applied on 3.4.0+, hence the version guard.
# NOTE(review): this relaxes the auto-learning requirements for a rule that is
# a single body phrase; if the phrase ever shows up in wanted mail, those
# messages can be learned as spam. Confirm that is intended for your Bayes setup.
if (version >= 3.004000)
tflags AXB_3LITTLE_PIGS autolearn_force
endif
##} AXB_3LITTLE_PIGS if (version >= 3.004000)
##{ AXB_BODYMAIL_SBL112884
# Hits on any "@yeah.net" in the body text, i.e. every mailbox at that domain,
# not one specific drop address. The rule name presumably refers to a blocklist
# record id - confirm the listing is still current before relying on this rule.
body AXB_BODYMAIL_SBL112884 /\@yeah\.net\b/
describe AXB_BODYMAIL_SBL112884 Spammer dropbox SBL112884
##} AXB_BODYMAIL_SBL112884
##{ AXB_ONMS_LEAKS
# Requires all three sub-rules (From, To and recipient tests, judging by their
# names); the sub-rules themselves are defined outside this part of the file.
meta AXB_ONMS_LEAKS (__FROM_ONMS && __TO_ONMS && __TO_ONMS_RCPTS)
describe AXB_ONMS_LEAKS Onmicrosoft Leak Party
##} AXB_ONMS_LEAKS
# Mailer-fingerprint rules. X-Mailer / X-MimeOLE / X-Mail-Agent are written by
# the sending software, so these identify a known tool or a sloppy forgery but
# are trivially changed by the sender.
##{ AXB_XMAILER_MIMEOLE_OL_024C2
# Both the X-Mailer and the MimeOLE sub-rule must hit (sub-rules not shown here).
meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
##} AXB_XMAILER_MIMEOLE_OL_024C2
##{ AXB_XMAILER_MIMEOLE_OL_1ECD5
meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5)
##} AXB_XMAILER_MIMEOLE_OL_1ECD5
##{ AXB_XMA_BASP
# X-Mail-Agent value starts with "BASP21".
header AXB_XMA_BASP X-Mail-Agent =~ /^BASP21/
describe AXB_XMA_BASP Mailer fingerprint
##} AXB_XMA_BASP
##{ AXB_XM_FORGED_OL2600
# X-Mailer sub-rule hits but the matching MimeOLE sub-rule does not, i.e. the
# two headers disagree.
meta AXB_XM_FORGED_OL2600 (__AXB_XM_OL_2600 && !__AXB_MO_OL_2600 )
describe AXB_XM_FORGED_OL2600 Forged OE v. 6.2600
##} AXB_XM_FORGED_OL2600
##{ AXB_X_FF_SEZ_S
# Hits when an X-Forefront-Antispam-Report header begins with "SFV:SPM".
# The rule does not check which hop added the header, so the verdict is taken
# from whatever arrived with the message; a spoofed value can only add to the
# score, but the rule is only meaningful for mail that really passed the filter.
header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/
describe AXB_X_FF_SEZ_S Forefront sez this is spam
##} AXB_X_FF_SEZ_S
##{ BANKING_LAWS
# Case-insensitive substring match; there are no word-boundary anchors.
body BANKING_LAWS /banking laws/i
describe BANKING_LAWS Talks about banking laws
##} BANKING_LAWS
# Base64 line-length checks, only loaded when the MIMEEval plugin is present.
# Arguments are passed to check_base64_length as (min[, max]); with one
# argument there is presumably no upper bound ("INF" in the rule name) -
# confirm against the plugin documentation.
##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
endif
##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_79_INF eval:check_base64_length('79')
endif
##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##{ BIGNUM_EMAILS
# Sub-rule hit, suppressed when either the spoofed-URL or bugged-image sub-rule
# also hits (all three are defined outside this part of the file).
meta BIGNUM_EMAILS __BIGNUM_EMAILS && !__SPOOFED_URL && !__BUGGED_IMG
describe BIGNUM_EMAILS Lots of email addresses/leads
#score BIGNUM_EMAILS 3.00 # limit
##} BIGNUM_EMAILS
##{ BILLION_OVERLAP
# Arithmetic meta: true when the two named rules together contribute at least 2,
# i.e. both hit. The commented-out score is negative, matching the description:
# this is a compensating rule for double counting, not a ham indicator.
meta BILLION_OVERLAP (BILLION_DOLLARS + US_DOLLARS_3 >= 2)
#score BILLION_OVERLAP -1.0
describe BILLION_OVERLAP Reducing score for overlap of similar rules
##} BILLION_OVERLAP
##{ BITLY_URI
# bit.ly link sub-rule, suppressed by a list of header/markup exclusions
# (sub-rules defined outside this part of the file). A shortener hides the
# final destination, which is why the link alone is treated as a signal.
meta BITLY_URI __BITLY_URI && !__SUBSCRIPTION_INFO && !__HAS_ANY_EMAIL && !__HAS_REPLY_TO && !__UNSUB_LINK && !__RCD_RDNS_MAIL_MESSY && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__TO_NO_BRKTS_HTML_ONLY && !__NOT_SPOOFED
describe BITLY_URI URI contains bit.ly
#score BITLY_URI 2.25 # limit
##} BITLY_URI
##{ BODY_EMPTY
# Empty-body sub-rule with exclusions; note that NO_RELAYS (a scoring rule, not
# a "__" sub-rule) is among them, so messages with no relay information are
# exempt.
meta BODY_EMPTY __EMPTY_BODY && !__NUMBERS_IN_SUBJ && !__CTE && !__RP_MATCHES_RCVD && !__VIA_ML && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !__ENV_AND_HDR_FROM_MATCH && !__FROM_LOWER && !__NOT_SPOOFED && !__MSGID_APPLEMAIL && !__RCD_RDNS_MAIL_MESSY && !NO_RELAYS && !__NOT_A_PERSON
describe BODY_EMPTY No body text in message
#score BODY_EMPTY 3.00 # limit
##} BODY_EMPTY
##{ BUG6152_INVALID_DATE_TZ_ABSURD
# Hits on a signed four-digit zone offset in Date: that is NOT of the form
# HHMM with HH in 00-14 and MM in 00, 15, 30 or 45 (the negative lookahead
# lists the accepted shapes). No describe or score line is present.
header BUG6152_INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/
##} BUG6152_INVALID_DATE_TZ_ABSURD
# Both rules read X-Spam-Relays-Untrusted, the relay list SpamAssassin derives
# from Received headers. "^[^\]]+" keeps the match inside the first bracketed
# relay entry. Results depend on trusted_networks/internal_networks being set
# correctly for the site.
##{ CK_HELO_DYNAMIC_SPLIT_IP
# HELO begins with four digit groups joined by non-digit separators, excluding
# the plain dotted form (the lookahead rejects four "digits." groups).
header CK_HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?!(?:\d+\.){4})\d+[^\d\s]+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/i
describe CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
#score CK_HELO_DYNAMIC_SPLIT_IP 1.5
##} CK_HELO_DYNAMIC_SPLIT_IP
##{ CK_HELO_GENERIC
# HELO contains one of the listed keywords as a substring plus two digit groups,
# and the same relay entry ends its match at an empty "auth=" field.
# The keywords are unanchored ("dip", "dial", "static" match inside longer
# words), so expect some hits on ordinary hostnames.
header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
#score CK_HELO_GENERIC 0.25
##} CK_HELO_GENERIC
##{ CN_B2B_SPAMMER
# Two phrasings after "We are": "[a ]China/Taiwan-based", or "one of [the] best"
# / "[a ]leading" followed by 10-90 non-period characters and "in/from
# China/Taiwan". The bounded {10,90} keeps the match within one sentence.
body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) [^\.]{10,90} (?:in|from) (?:China|Taiwan))\b/i
describe CN_B2B_SPAMMER Chinese company introducing itself
##} CN_B2B_SPAMMER
##{ COMMENT_GIBBERISH
# Sub-rule hit with three exclusions; all sub-rules are defined outside this
# part of the file.
meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
describe COMMENT_GIBBERISH Nonsense in long HTML comment
#score COMMENT_GIBBERISH 1.00 # limit
##} COMMENT_GIBBERISH
##{ COMPENSATION
# Description only; the meta expression is supplied by exactly one of the two
# conditional stanzas that follow, depending on whether the DKIM plugin is loaded.
describe COMPENSATION "Compensation"
#score COMPENSATION 1.50 # limit
##} COMPENSATION
##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
# Variant used when the DKIM plugin is NOT loaded.
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
endif
##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
# Variant used when the DKIM plugin is loaded: same expression plus the
# !__DKIM_DEPENDABLE exclusion at the end. Keep the two variants in sync when
# editing the shared part.
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
endif
##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ CORRUPT_FROM_LINE_IN_HDRS
# Informational rule: all four conditions must hold (missing headers, body that
# starts with a From line, missing Date, and no relays). The commented-out
# score is 0.001, so the rule is meant to label a corrupt message rather than
# to move its score.
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
##} CORRUPT_FROM_LINE_IN_HDRS
##{ CTYPE_001C_A
# Constant-false meta: the rule name is kept but it can never hit.
meta CTYPE_001C_A (0) # obsolete
##} CTYPE_001C_A
##{ CTYPE_001C_B
# Content-Type with a multipart boundary of the exact shape
# "----=_NextPart_000_0000_01C" + 5 hex digits + "." + 7 hex digits + "0".
# Case-sensitive; the .{0,200} bound limits how far the scan runs.
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
##} CTYPE_001C_B
##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Per-part header test (needs the MIMEHeader plugin). Matches the raw, folded
# Content-Type of a part: "image/gif;", a line break, exactly eight spaces,
# then name="...". The layout, not the file name, is the fingerprint.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
endif
##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ CURR_PRICE
# Case-sensitive literal "Current Price:" in the body; no describe line.
body CURR_PRICE /\bCurrent Price:/
##} CURR_PRICE
##{ DATE_DOTS
# Date: contains three two-digit groups separated by periods (dd.dd.dd).
header DATE_DOTS Date =~ /\d\d\.\d\d\.\d\d/
describe DATE_DOTS Periods in date header
##} DATE_DOTS
# The two rules below compare Date: with the Received: timestamp through the
# HeaderEval plugin. The arguments are hour counts: 96 h = 4 days,
# 2920 h = roughly 4 months, matching the describe texts. Date: is written by
# the sender, Received: by the receiving relays.
##{ DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
describe DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
endif
##} DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# 'undef' as the second argument leaves the range open-ended, per the describe text.
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
endif
##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# Salutation rules typical of fraud and credential-phishing mail.
##{ DEAR_BENEFICIARY
# "Dear"/"Deer" or "Attention"/"Attn" (with doubled t tolerated), an optional
# single word, then "Beneficiary"/"Benificiary"; the character classes absorb
# common misspellings.
body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
describe DEAR_BENEFICIARY Dear Beneficiary:
##} DEAR_BENEFICIARY
##{ DEAR_EMAIL_USER
# Anchored at the start of the matched text: "Dear"/"Attention" followed by
# "Email/E-mail/Webmail/Web-mail [account] User".
body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
describe DEAR_EMAIL_USER Dear Email User:
##} DEAR_EMAIL_USER
##{ DEAR_WINNER
# "dear", 1-20 arbitrary characters, then "winner"; no describe line.
body DEAR_WINNER /\bdear.{1,20}winner/i
##} DEAR_WINNER
##{ DOS_ANAL_SPAM_MAILER
# X-mailer value is exactly: one capital, six lowercase letters, "e", a space,
# and a d.dd version number. Sender-controlled header.
header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
tflags DOS_ANAL_SPAM_MAILER publish
##} DOS_ANAL_SPAM_MAILER
# The metas below combine "__" sub-rules that are defined outside this part of
# the file; each requires every listed sub-rule unless negated with "!".
##{ DOS_FIX_MY_URI
meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
##} DOS_FIX_MY_URI
##{ DOS_HIGH_BAT_TO_MX
meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
##} DOS_HIGH_BAT_TO_MX
##{ DOS_LET_GO_JOB
meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
##} DOS_LET_GO_JOB
##{ DOS_OE_TO_MX
# Mutually exclusive with DOS_OE_TO_MX_IMAGE (defined in the next stanza): the
# same two conditions, but only when the image variant did not hit.
meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
describe DOS_OE_TO_MX Delivered direct to MX with OE headers
##} DOS_OE_TO_MX
##{ DOS_OE_TO_MX_IMAGE
meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
##} DOS_OE_TO_MX_IMAGE
##{ DOS_OUTLOOK_TO_MX
# NOTE(review): the exclusion refers to T_DOS_OUTLOOK_TO_MX_IMAGE (with the T_
# prefix), which is not defined in the visible part of the file. Confirm a rule
# of that exact name exists; if it does not, the exclusion never applies.
meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
##} DOS_OUTLOOK_TO_MX
##{ DOS_RCVD_IP_TWICE_C
# X-Spam-Relays-External must consist of exactly two bracketed relay entries
# carrying the same ip= value (\1 back-reference). The first entry's helo= must
# be empty or an IP literal wrapped in "!", and addresses starting with "127"
# are excluded by the lookahead. Depends on the site's network trust settings
# being correct, since they decide which relays count as external.
header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
##} DOS_RCVD_IP_TWICE_C
##{ DOS_STOCK_BAT
# The Bat! mailer sub-rule AND a stock/ticker body sub-rule AND one of the
# date-reference sub-rules (all defined outside this part of the file).
meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
describe DOS_STOCK_BAT Probable pump and dump stock spam
##} DOS_STOCK_BAT
##{ DOS_STOCK_BAT2
# Builds on DOS_STOCK_BAT: the sum of three phrase sub-rules must exceed 2,
# i.e. all three must hit. No describe line.
meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
##} DOS_STOCK_BAT2
##{ DOS_URI_ASTERISK
# http/https URI whose host part contains "*" just before the final label(s).
# The scheme is matched with explicit upper/lower classes instead of /i.
uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
describe DOS_URI_ASTERISK Found an asterisk in a URI
##} DOS_URI_ASTERISK
##{ DOS_YOUR_PLACE
# Two required phrase sub-rules plus any one of six contact-request sub-rules.
meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
describe DOS_YOUR_PLACE Russian dating spam
##} DOS_YOUR_PLACE
##{ DRUGS_HDIA
# Whole word "hoodia" in Subject, any case; no describe line.
header DRUGS_HDIA Subject =~ /\bhoodia\b/i
##} DRUGS_HDIA
##{ DRUGS_STOCK_MIMEOLE
# Specific MimeOLE / X-Mailer version pair (sub-rules not shown here).
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
##} DRUGS_STOCK_MIMEOLE
##{ DSN_NO_MIMEVERSION
# Null return path (bounce-style envelope) without a MIME-Version header.
meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION)
describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header
#score DSN_NO_MIMEVERSION 2
##} DSN_NO_MIMEVERSION
# The DYN_RDNS_* metas build on RDNS_DYNAMIC, a scoring rule defined elsewhere,
# combined with HELO, HTML and image-attachment tests.
##{ DYN_RDNS_AND_INLINE_IMAGE
meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
##} DYN_RDNS_AND_INLINE_IMAGE
##{ DYN_RDNS_SHORT_HELO_HTML
meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
##} DYN_RDNS_SHORT_HELO_HTML
##{ DYN_RDNS_SHORT_HELO_IMAGE
meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
##} DYN_RDNS_SHORT_HELO_IMAGE
##{ EMAIL_URI_PHISH
# Description and publish flag only; the meta expression comes from exactly one
# of the two conditional stanzas that follow.
#score EMAIL_URI_PHISH 4.00 # limit
describe EMAIL_URI_PHISH Email account phishing using web form
tflags EMAIL_URI_PHISH publish # Force publication - very good S/O, hits mainly <= 3 points
##} EMAIL_URI_PHISH
##{ EMAIL_URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
# Variant used when the MIMEHeader plugin is NOT loaded. !ALL_TRUSTED keeps the
# rule from firing on mail that only passed through trusted relays.
if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
meta EMAIL_URI_PHISH __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney
endif
##} EMAIL_URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
##{ EMAIL_URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Variant used when the MIMEHeader plugin is loaded: same expression plus the
# !__REMOTE_IMAGE exclusion at the end. Several exclusions (Sender, Cc,
# unsubscribe link, Message-ID shape) are chosen by the sender, so watch the
# rule's hit rate if phishing mail starts including them.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta EMAIL_URI_PHISH __EMAIL_URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE
endif
##} EMAIL_URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ EMRCP
# Literal phrase match, any case, bounded by word boundaries.
body EMRCP /\bExcess Maximum Return Capital Profit\b/i
describe EMRCP "Excess Maximum Return Capital Profit" Fidelity scam
##} EMRCP
##{ FAKE_REPLY_C
# Reply-looking subject combined with missing/inconsistent reference headers,
# judging by the sub-rule names (sub-rules not shown here); no describe line.
meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
##} FAKE_REPLY_C
##{ FBI_MONEY
# __FBI_SPOOF together with the scoring rule LOTS_OF_MONEY.
meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
describe FBI_MONEY The FBI wants to give you lots of money?
#score FBI_MONEY 2.00 # limit
##} FBI_MONEY
##{ FBI_SPOOF
# Plain alias that exposes the __FBI_SPOOF sub-rule as a scoring rule. When
# both FBI rules hit, their scores add up for the same underlying signal.
meta FBI_SPOOF __FBI_SPOOF
describe FBI_SPOOF Claims to be FBI, but not from FBI domain
#score FBI_SPOOF 2.00 # limit
##} FBI_SPOOF
##{ FH_FAKE_RCVD_LINE
# A Received header of the bare shape "from <IPv4> by <IPv4>; <day>, <dd>
# <month> <yyyy> <hh:mm:ss> <+/-zzzz>" with no other clauses. The octets are
# \d{1,3}, so values above 255 also match.
header FH_FAKE_RCVD_LINE Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/
describe FH_FAKE_RCVD_LINE RCVD line looks faked (A)
##} FH_FAKE_RCVD_LINE
##{ FH_FROM_START_YOU
# From header value begins with the word "You", any case.
header FH_FROM_START_YOU From =~ /^You\b/i
describe FH_FROM_START_YOU From starts with you.
##} FH_FROM_START_YOU
##{ FH_HELO_ALMOST_IP
# First external relay entry: HELO contains three 1-3 digit groups joined by
# "-" or "." with a letter on each side, i.e. an address embedded in a hostname.
header FH_HELO_ALMOST_IP X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
describe FH_HELO_ALMOST_IP Helo is almost an IP addr.
##} FH_HELO_ALMOST_IP
##{ FH_HOST_EQ_DYNAMICIP
# First external relay entry: rdns= contains "dynamicip" (case handled with
# explicit character classes) with at most 25 characters before it and 5-25 after.
header FH_HOST_EQ_DYNAMICIP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
describe FH_HOST_EQ_DYNAMICIP Host is dynamicip
##} FH_HOST_EQ_DYNAMICIP
# FILL_THIS_FORM* rules: mail that asks the recipient to send back personal
# details. All four are loaded only when the ReplaceTags plugin is present,
# presumably because the "__" sub-rules (defined outside this part of the file)
# use replace tags - confirm.
##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
describe FILL_THIS_FORM Fill in a form with personal information
tflags FILL_THIS_FORM publish
endif
##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED
describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
endif
##} FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
describe FILL_THIS_FORM_LOAN Answer loan question(s)
endif
##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# Same describe text as FILL_THIS_FORM; only the rule name tells them apart in
# a report.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
describe FILL_THIS_FORM_LONG Fill in a form with personal information
# score FILL_THIS_FORM_LONG 2.00 # limit
endif
##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FM_LOTTO_MONEY
# Large-money and lottery sub-rules together (sub-rules not shown here).
meta FM_LOTTO_MONEY (__FM_LARGE_MONEY && __FM_NAT_LOTTERY)
describe FM_LOTTO_MONEY Talks about lotto and large money!
##} FM_LOTTO_MONEY
##{ FM_LOTTO_YOU_WON
# Superset condition of FM_LOTTO_MONEY: whenever this hits, FM_LOTTO_MONEY
# hits as well, so their scores add up.
meta FM_LOTTO_YOU_WON (__FM_LARGE_MONEY && __FM_NAT_LOTTERY && __YOU_WON_SOMTIN)
describe FM_LOTTO_YOU_WON Talks about lotto and you won!
##} FM_LOTTO_YOU_WON
##{ FORM_FRAUD_3
# Sub-rule hit with mailing-list, threading and markup exclusions; presumably
# the 3/5 in the names is the number of fraud phrases required - confirm
# against the sub-rule definitions.
meta FORM_FRAUD_3 __FORM_FRAUD_3 && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
describe FORM_FRAUD_3 Fill a form and several fraud phrases
tflags FORM_FRAUD_3 publish
##} FORM_FRAUD_3
##{ FORM_FRAUD_5
meta FORM_FRAUD_5 __FORM_FRAUD_5 && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML
describe FORM_FRAUD_5 Fill a form and many fraud phrases
tflags FORM_FRAUD_5 publish
##} FORM_FRAUD_5
##{ FROM_12LTRDOM
# Description only; the meta expression comes from exactly one of the two
# conditional stanzas that follow. The commented-out score limit is 0.10, so
# this is a weak signal by design.
describe FROM_12LTRDOM From a 12-letter domain
#score FROM_12LTRDOM 0.10 # limit
##} FROM_12LTRDOM
##{ FROM_12LTRDOM if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
# Variant used when the FreeMail plugin is NOT loaded.
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
endif
##} FROM_12LTRDOM if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
##{ FROM_12LTRDOM ifplugin Mail::SpamAssassin::Plugin::FreeMail
# Variant used when the FreeMail plugin is loaded: identical except for the
# additional !__freemail_safe exclusion. Keep both variants in sync when
# editing the shared part.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
endif
##} FROM_12LTRDOM ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ FROM_IN_TO_AND_SUBJ
# The From address also appears as the recipient and in the Subject, per the
# describe text; a pattern seen when mail is addressed "from yourself".
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
tflags FROM_IN_TO_AND_SUBJ publish
##} FROM_IN_TO_AND_SUBJ
# FROM_MISSP* family: a malformed From header (missing whitespace, per the
# describe texts) combined with other signals. The base tests (__FROM_MISSPACED,
# __FROM_RUNON, ...) are defined outside this part of the file. Several
# exclusions name specific mail clients (Android, Xerox, PHP, ...), presumably
# ones known to emit this From layout legitimately.
##{ FROM_MISSPACED
meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSPACED From: missing whitespace
#score FROM_MISSPACED 2.00
##} FROM_MISSPACED
##{ FROM_MISSP_DYNIP
meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
##} FROM_MISSP_DYNIP
##{ FROM_MISSP_EH_MATCH
meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
#score FROM_MISSP_EH_MATCH 2.00 # max
##} FROM_MISSP_EH_MATCH
##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
# Only loaded when the FreeMail plugin is present.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
endif
##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ FROM_MISSP_MSFT
meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
##} FROM_MISSP_MSFT
##{ FROM_MISSP_PHISH
# Plain alias of its sub-rule; the commented-out limit (4.75) is the highest in
# this part of the file, so a false positive here is costly.
meta FROM_MISSP_PHISH __FROM_MISSP_PHISH
describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
#score FROM_MISSP_PHISH 4.75 # limit
##} FROM_MISSP_PHISH
##{ FROM_MISSP_REPLYTO
meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY
describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
##} FROM_MISSP_REPLYTO
##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
# Depends on SPF_FAIL, which needs DNS lookups, hence "tflags net": the rule
# cannot hit when network tests are disabled. No describe line.
ifplugin Mail::SpamAssassin::Plugin::SPF
meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
tflags FROM_MISSP_SPF_FAIL net
# score FROM_MISSP_SPF_FAIL 2.00 # limit
endif
##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
##{ FROM_MISSP_TO_UNDISC
meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
##} FROM_MISSP_TO_UNDISC
##{ FROM_MISSP_USER
meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe FROM_MISSP_USER From misspaced, from "User"
##} FROM_MISSP_USER
##{ FROM_WSP_LEAD
# Raw From header whose last <...> group has whitespace right after "<".
# The pattern uses /x, so the spaces inside the regex are layout only; \s+ is
# the whitespace actually being matched.
header FROM_WSP_LEAD From:raw =~ /< \s+ [^>\s] [^>]* > [^<>]* \z/xm
describe FROM_WSP_LEAD Leading whitespace after '<' in From header field
##} FROM_WSP_LEAD
##{ FRT_ADOBE2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_ADOBE2 /