« back to all changes in this revision
Viewing changes to rules/72_active.cf
- browse files at revision 29
- compare with another revision
- download diff
- download tarball
- view history from revision 29
- Committer: Bazaar Package Importer
- Author(s): Noah Meyerhans
- Date: 2010-01-26 22:53:12 UTC
- mfrom: (1.1.13 upstream) (5.1.7 sid)
- Revision ID: james.westby@ubuntu.com-20100126225312-wkftb10idc1kz2aq
Tags: 3.3.0-1
* New upstream version.
* Switch to dpkg-source 3.0 (quilt) format
* Switch to dpkg-source 3.0 (quilt) format
- files added:
- META.yml
- debian/source
- pkgrules
- t/data/dkim
- files removed:
- debian/patches/00list
- files modified:
- CREDITS
- t/spamc_H.t *
- t/spamc_x_e.t *
added
removed
rules/72_active.cf
1
# SpamAssassin rules file
2
#
3
# Please don't modify this file as your changes will be overwritten with
4
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
5
# See 'perldoc Mail::SpamAssassin::Conf' for details.
6
#
7
# <@LICENSE>
8
# Licensed to the Apache Software Foundation (ASF) under one or more
9
# contributor license agreements. See the NOTICE file distributed with
10
# this work for additional information regarding copyright ownership.
11
# The ASF licenses this file to you under the Apache License, Version 2.0
12
# (the "License"); you may not use this file except in compliance with
13
# the License. You may obtain a copy of the License at:
14
#
15
# http://www.apache.org/licenses/LICENSE-2.0
16
#
17
# Unless required by applicable law or agreed to in writing, software
18
# distributed under the License is distributed on an "AS IS" BASIS,
19
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20
# See the License for the specific language governing permissions and
21
# limitations under the License.
22
# </@LICENSE>
23
#
24
###########################################################################
25
26
require_version @@VERSION@@
27
28
##{ APOSTROPHE_FROM
29
header APOSTROPHE_FROM From:addr =~ /'/
30
describe APOSTROPHE_FROM From address contains an apostrophe
31
##} APOSTROPHE_FROM
32
33
##{ AXB_XMID_1212
34
header AXB_XMID_1212 Message-Id =~ /^<[0-9]{12}\.[0-9]{12}\@/
35
describe AXB_XMID_1212 Barbera Fingerprint
36
##} AXB_XMID_1212
37
38
##{ AXB_XMID_1510
39
header AXB_XMID_1510 Message-Id =~ /<[0-9A-F]{15}\.[0-9A-F]{10}\@/
40
describe AXB_XMID_1510 Brunello Fingerprint
41
##} AXB_XMID_1510
42
43
##{ AXB_XMID_OEGOESNULL
44
header AXB_XMID_OEGOESNULL Message-ID =~ /^<[0-9-a-f]{12}\$[0-9-a-f]{8}\$[0]{8}\@/
45
describe AXB_XMID_OEGOESNULL Amarone Fingerprint
46
##} AXB_XMID_OEGOESNULL
47
48
##{ AXB_XM_SENDMAIL_NOT
49
header AXB_XM_SENDMAIL_NOT Received =~ /\([123456790]{1,2}\.[0-9]{1,2}\.[0-9]{1}\/[0-9]{1,2}\.[0-9]{2}\.[0-9]{1}\)/
50
describe AXB_XM_SENDMAIL_NOT Nebbiolo fingerprint
51
##} AXB_XM_SENDMAIL_NOT
52
53
##{ AXB_XR_STULDAP
54
header AXB_XR_STULDAP Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
55
##} AXB_XR_STULDAP
56
57
##{ AXB_XTIDX_CHAIN
58
header AXB_XTIDX_CHAIN Thread-Index =~ /(?:\*|\<\>|\)|\()/
59
describe AXB_XTIDX_CHAIN Montepulciano Fingerprint
60
##} AXB_XTIDX_CHAIN
61
62
##{ BANKING_LAWS
63
body BANKING_LAWS /banking laws/i
64
describe BANKING_LAWS Talks about banking laws
65
##} BANKING_LAWS
66
67
##{ BASE64_LENGTH_78_79
68
69
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
70
body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
71
endif
72
##} BASE64_LENGTH_78_79
73
74
##{ BASE64_LENGTH_79_INF
75
76
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
77
body BASE64_LENGTH_79_INF eval:check_base64_length('79')
78
endif
79
##} BASE64_LENGTH_79_INF
80
81
##{ CORRUPT_FROM_LINE_IN_HDRS
82
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
83
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
84
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
85
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
86
##} CORRUPT_FROM_LINE_IN_HDRS
87
88
##{ CTYPE_001C_A
89
meta CTYPE_001C_A (0) # obsolete
90
##} CTYPE_001C_A
91
92
##{ CTYPE_001C_B
93
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
94
##} CTYPE_001C_B
95
96
##{ CTYPE_8SPACE_GIF
97
98
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
99
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
100
describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
101
endif
102
##} CTYPE_8SPACE_GIF
103
104
##{ CURR_PRICE
105
body CURR_PRICE /\bCurrent Price:/
106
##} CURR_PRICE
107
108
##{ DEAR_WINNER
109
body DEAR_WINNER /\bdear.{1,20}winner/i
110
##} DEAR_WINNER
111
112
##{ DNS_FROM_OPENWHOIS
113
114
ifplugin Mail::SpamAssassin::Plugin::DNSEval
115
header DNS_FROM_OPENWHOIS eval:check_rbl_envfrom('openwhois', 'bl.open-whois.org.')
116
describe DNS_FROM_OPENWHOIS Envelope sender listed in bl.open-whois.org.
117
tflags DNS_FROM_OPENWHOIS net publish
118
endif
119
##} DNS_FROM_OPENWHOIS
120
121
##{ DOS_FIX_MY_URI
122
meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
123
describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
124
##} DOS_FIX_MY_URI
125
126
##{ DOS_LET_GO_JOB
127
meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
128
describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
129
##} DOS_LET_GO_JOB
130
131
##{ DOS_PROVISION4
132
body DOS_PROVISION4 /\bProvisionfor income taxes\b/
133
describe DOS_PROVISION4 Provision for income taxes
134
#score DOS_PROVISION4 1.5
135
##} DOS_PROVISION4
136
137
##{ DOS_REPORT_FIN_INC
138
body DOS_REPORT_FIN_INC /\bReport of financial income\b/
139
describe DOS_REPORT_FIN_INC Report of financial income
140
#score DOS_REPORT_FIN_INC 0.5
141
##} DOS_REPORT_FIN_INC
142
143
##{ DOS_STOCK_BAT
144
meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
145
describe DOS_STOCK_BAT Probable pump and dump stock spam
146
##} DOS_STOCK_BAT
147
148
##{ DOS_STOCK_BAT2
149
meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
150
##} DOS_STOCK_BAT2
151
152
##{ DOS_STOCK_CDYV_GENERIC
153
body DOS_STOCK_CDYV_GENERIC /(?:Lookup|Sym8oL|Search for|Promoting sym|S\.umbol|Target sym|Campaign for): [A-Z]{4},?.{1,50}\b[Pp]rice/
154
describe DOS_STOCK_CDYV_GENERIC Pump and dump stock spam
155
#score DOS_STOCK_CDYV_GENERIC 2.5
156
##} DOS_STOCK_CDYV_GENERIC
157
158
##{ DOS_STOCK_INCOME_STATEMENT
159
meta DOS_STOCK_INCOME_STATEMENT DOS_REPORT_FIN_INC && DOS_PROVISION4 && __DOS_SYMBOL_4 && __DOS_HEADLINES
160
describe DOS_STOCK_INCOME_STATEMENT Pump and dump stock income statement spam
161
#score DOS_STOCK_INCOME_STATEMENT 1.5
162
##} DOS_STOCK_INCOME_STATEMENT
163
164
##{ DOS_URI_ASTERISK
165
uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
166
describe DOS_URI_ASTERISK Found an asterisk in a URI
167
##} DOS_URI_ASTERISK
168
169
##{ DOS_YOUR_PLACE
170
meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
171
describe DOS_YOUR_PLACE Russian dating spam
172
##} DOS_YOUR_PLACE
173
174
##{ DRUGS_HDIA
175
header DRUGS_HDIA Subject =~ /\bhoodia\b/i
176
##} DRUGS_HDIA
177
178
##{ DRUGS_STOCK_MIMEOLE
179
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
180
describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
181
##} DRUGS_STOCK_MIMEOLE
182
183
##{ DYN_RDNS_AND_INLINE_IMAGE
184
meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
185
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
186
##} DYN_RDNS_AND_INLINE_IMAGE
187
188
##{ DYN_RDNS_SHORT_HELO_HTML
189
meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
190
describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
191
##} DYN_RDNS_SHORT_HELO_HTML
192
193
##{ DYN_RDNS_SHORT_HELO_IMAGE
194
meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
195
describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
196
##} DYN_RDNS_SHORT_HELO_IMAGE
197
198
##{ FAKE_REPLY_C
199
meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
200
##} FAKE_REPLY_C
201
202
##{ FB_ADD_INCHES
203
body FB_ADD_INCHES /(?:add|gain) inches/i
204
describe FB_ADD_INCHES Add / Gain inches
205
##} FB_ADD_INCHES
206
207
##{ FB_ALMOST_SEX
208
body FB_ALMOST_SEX /\b[b-z]sex+\b/i
209
describe FB_ALMOST_SEX It's almost sex, but not!
210
##} FB_ALMOST_SEX
211
212
##{ FB_ANA_TRIM
213
body FB_ANA_TRIM /Ana[^a-z]trim/i
214
describe FB_ANA_TRIM Broken AnaTrim phrase.
215
##} FB_ANA_TRIM
216
217
##{ FB_ANUI
218
body FB_ANUI /A[-_\.]U[-_\.]N[-_\.]I/i
219
describe FB_ANUI Phrase: A_U_N_I
220
##} FB_ANUI
221
222
##{ FB_BILLI0N
223
body FB_BILLI0N /[BM][I1]LL[I1]0N/i
224
describe FB_BILLI0N Phrase: [BM]Illi0n
225
##} FB_BILLI0N
226
227
##{ FB_C0MPANY
228
body FB_C0MPANY /c0mpany/i
229
describe FB_C0MPANY Phrase: C0mpany
230
##} FB_C0MPANY
231
232
##{ FB_CAN_LONGER
233
body FB_CAN_LONGER /can last longer/i
234
describe FB_CAN_LONGER Phrase: can last longer
235
##} FB_CAN_LONGER
236
237
##{ FB_CIALIS_LEO3
238
body FB_CIALIS_LEO3 /(?!CIALIS)\bC\s?[a-z]?\s?[Iitl1\\\/]\s?[a-z]?\s?[Aa]\s?[a-z]?\s?[LIl1\\\/]\s?[a-z]?\s?[ilIt1\\\/]\s?[a-z]?\s?[Ss]\b/
239
describe FB_CIALIS_LEO3 Uses a mis-spelled version of cialis.
240
##} FB_CIALIS_LEO3
241
242
##{ FB_DOUBLE_0WORDS
243
body FB_DOUBLE_0WORDS /\b[a-z]{1,5}0[a-z]{3,9}\s[a-z]{1,5}0[a-z]{3,9}\b/i
244
describe FB_DOUBLE_0WORDS Looks like double 0 words
245
##} FB_DOUBLE_0WORDS
246
247
##{ FB_EMAIL_HIER
248
body FB_EMAIL_HIER /email hier/i
249
describe FB_EMAIL_HIER Phrase: email hier
250
##} FB_EMAIL_HIER
251
252
##{ FB_EXTRA_INCHES
253
body FB_EXTRA_INCHES /extra inches/
254
describe FB_EXTRA_INCHES Phrase: extra inches
255
##} FB_EXTRA_INCHES
256
257
##{ FB_FAKE_NUMBERS
258
body FB_FAKE_NUMBERS /\$\d\d?O\s*[MBT]/i
259
describe FB_FAKE_NUMBERS Looks like numbers with O's insted of 0's
260
##} FB_FAKE_NUMBERS
261
262
##{ FB_FAKE_NUMS4
263
body FB_FAKE_NUMS4 /(?:\b|\b\d)\d,?\d,?OO(?:\b|\d\b)/
264
describe FB_FAKE_NUMS4 Looks like fake numbers (4)
265
##} FB_FAKE_NUMS4
266
267
##{ FB_FHARMACY
268
body FB_FHARMACY /Fharmacy/i
269
describe FB_FHARMACY Phrase: Farmacy
270
##} FB_FHARMACY
271
272
##{ FB_FORWARD_LOOK
273
body FB_FORWARD_LOOK /(?!forward look)f[o0]rward l[0o][0o]k/i
274
describe FB_FORWARD_LOOK Phrase: forward look with 0's
275
##} FB_FORWARD_LOOK
276
277
##{ FB_GAPPY_ADDRESS
278
body FB_GAPPY_ADDRESS /(?:[a-z] ){8}, (?:[a-z0-9] ){4}/i
279
describe FB_GAPPY_ADDRESS Too much spacing in Address
280
##} FB_GAPPY_ADDRESS
281
282
##{ FB_GET_MEDS
283
body FB_GET_MEDS /(?:place f[o0]r|[0o]rder|get\s?(?:y[o0]ur)?|online|quality).{1,7}med[isz][^a]/i
284
describe FB_GET_MEDS Looks like trying to sell meds
285
##} FB_GET_MEDS
286
287
##{ FB_GVR
288
body FB_GVR /(?:pef-rx|vigrex-ds|gsc-100|vp-rx|gv-promax|phentermine|adipex|xenical)/i
289
describe FB_GVR Looks like generic viagra
290
##} FB_GVR
291
292
##{ FB_HEY_BRO_COMMA
293
body FB_HEY_BRO_COMMA /Hey bro, /
294
describe FB_HEY_BRO_COMMA Phrase hey bro,
295
##} FB_HEY_BRO_COMMA
296
297
##{ FB_HG_H_CAP
298
body FB_HG_H_CAP /\bHGH\b/
299
describe FB_HG_H_CAP Phrase: HGH
300
##} FB_HG_H_CAP
301
302
##{ FB_HOMELOAN
303
body FB_HOMELOAN /\$\d{3},\d{3} home loan/i
304
describe FB_HOMELOAN Phrase $x home loan
305
##} FB_HOMELOAN
306
307
##{ FB_IMPRESS_GIRL
308
body FB_IMPRESS_GIRL /\bimpress .{0,5}girl\b/
309
describe FB_IMPRESS_GIRL Phrase: impress ... girl
310
##} FB_IMPRESS_GIRL
311
312
##{ FB_INCREASE_YOUR
313
body FB_INCREASE_YOUR /Increase your energy/i
314
describe FB_INCREASE_YOUR Phrase: Increase your energy
315
##} FB_INCREASE_YOUR
316
317
##{ FB_INDEPEND_RWD
318
body FB_INDEPEND_RWD /independent reward/i
319
describe FB_INDEPEND_RWD Phrase: independent reward
320
##} FB_INDEPEND_RWD
321
322
##{ FB_L0AN
323
body FB_L0AN /\bl0ans?\b/i
324
describe FB_L0AN Phrase: L0an
325
##} FB_L0AN
326
327
##{ FB_LETTERS_21B
328
body FB_LETTERS_21B /-- [a-z]{21}/
329
describe FB_LETTERS_21B Special people leave special signs!
330
##} FB_LETTERS_21B
331
332
##{ FB_LOWER_PAYM
333
body FB_LOWER_PAYM /lower your monthly payments/i
334
describe FB_LOWER_PAYM Phrase: lower your monthly payments
335
##} FB_LOWER_PAYM
336
337
##{ FB_MED1CAT
338
body FB_MED1CAT /\bmed1cat/i
339
describe FB_MED1CAT Phrase: Med1cat
340
##} FB_MED1CAT
341
342
##{ FB_MEDS_PERCENT
343
body FB_MEDS_PERCENT /meds .{3,10}\d\s?%/i
344
describe FB_MEDS_PERCENT Talks about meds and %
345
##} FB_MEDS_PERCENT
346
347
##{ FB_MORE_SIZE
348
body FB_MORE_SIZE /\bmore size\b/
349
describe FB_MORE_SIZE Phrase: more size
350
##} FB_MORE_SIZE
351
352
##{ FB_NOT_PHONE_NUM1
353
body FB_NOT_PHONE_NUM1 /(?!\d{3})8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]/i
354
describe FB_NOT_PHONE_NUM1 Looks like a fake phone number (1)
355
##} FB_NOT_PHONE_NUM1
356
357
##{ FB_NOT_PHONE_NUM3
358
body FB_NOT_PHONE_NUM3 /8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]{1,3}(?!\d{4})[OIL0-9]{4}/i
359
describe FB_NOT_PHONE_NUM3 Looks like a fake phone number (3)
360
##} FB_NOT_PHONE_NUM3
361
362
##{ FB_NOT_SCHOOL
363
body FB_NOT_SCHOOL /(?!school)[\$s5]ch[o0][o0][il1\|]/i
364
describe FB_NOT_SCHOOL Looks like school but it's not!
365
##} FB_NOT_SCHOOL
366
367
##{ FB_NO_SCRIP_NEEDED
368
body FB_NO_SCRIP_NEEDED /No.{1,10}P(?:er|re)scr[i1]pt[i1][o0]n (?:needed|requ[1i]re)/i
369
describe FB_NO_SCRIP_NEEDED Phrase: no prescription needed.
370
##} FB_NO_SCRIP_NEEDED
371
372
##{ FB_NUMYO
373
body FB_NUMYO /1[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
374
describe FB_NUMYO Speaks of teenager.
375
##} FB_NUMYO
376
377
##{ FB_NUMYO2
378
body FB_NUMYO2 /2[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
379
describe FB_NUMYO2 Speaks of 20+ year old.
380
##} FB_NUMYO2
381
382
##{ FB_ODD_SPACED_MONEY
383
body FB_ODD_SPACED_MONEY /\$\d\s,\s\d\d/
384
describe FB_ODD_SPACED_MONEY Looks like money but has odd spacing.
385
##} FB_ODD_SPACED_MONEY
386
387
##{ FB_ONIINE
388
body FB_ONIINE /oniine/i
389
describe FB_ONIINE Mis-spelled online
390
##} FB_ONIINE
391
392
##{ FB_P1LL
393
body FB_P1LL /\bp1ll/i
394
describe FB_P1LL Phrase: p1ll
395
##} FB_P1LL
396
397
##{ FB_PENIS_GROWTH
398
body FB_PENIS_GROWTH /pen[i1]s grow(?:th)?/i
399
describe FB_PENIS_GROWTH Phrase: penis growth
400
##} FB_PENIS_GROWTH
401
402
##{ FB_PIPEDOLLAR
403
body FB_PIPEDOLLAR /(?!dollar)d[o0][1|li][1|li]ar/i
404
describe FB_PIPEDOLLAR Phrase: Dollar, with pipes or 0's.
405
##} FB_PIPEDOLLAR
406
407
##{ FB_PIPE_ILLION
408
body FB_PIPE_ILLION /(?!illion)i[l|][l|][i|][o0]n/i
409
describe FB_PIPE_ILLION Looks like illion, but it's not
410
##} FB_PIPE_ILLION
411
412
##{ FB_PROLONGED_HARD
413
body FB_PROLONGED_HARD /(?:prolonged|increased) hardness/i
414
describe FB_PROLONGED_HARD Talks about prolonged hardness
415
##} FB_PROLONGED_HARD
416
417
##{ FB_QUALITY_REPLICA
418
body FB_QUALITY_REPLICA /quality replica/i
419
describe FB_QUALITY_REPLICA Phrase: quality replica
420
##} FB_QUALITY_REPLICA
421
422
##{ FB_REF_CODE_SPACE
423
body FB_REF_CODE_SPACE /r e f c o d e/i
424
describe FB_REF_CODE_SPACE Refcode with spacing
425
##} FB_REF_CODE_SPACE
426
427
##{ FB_REPLIC_CAP
428
body FB_REPLIC_CAP /REPLICAS?\b/
429
describe FB_REPLIC_CAP Phrase: REPLICA
430
##} FB_REPLIC_CAP
431
432
##{ FB_RE_FI
433
body FB_RE_FI /\bre[^a-z]fi\b/
434
describe FB_RE_FI Looks like refi.
435
##} FB_RE_FI
436
437
##{ FB_ROLLER_IS_T
438
body FB_ROLLER_IS_T /Roller is th/i
439
describe FB_ROLLER_IS_T Phrase: Roller is th
440
##} FB_ROLLER_IS_T
441
442
##{ FB_ROLX
443
body FB_ROLX /\brolx\b/i
444
describe FB_ROLX Phrase: rolx
445
##} FB_ROLX
446
447
##{ FB_SOFTTABS
448
body FB_SOFTTABS /\bsoft\s?t?abs\b/i
449
describe FB_SOFTTABS Phrase: Softabs
450
##} FB_SOFTTABS
451
452
##{ FB_SPACED_FREE
453
body FB_SPACED_FREE /F R E E/i
454
describe FB_SPACED_FREE Phrase: F R E E
455
##} FB_SPACED_FREE
456
457
##{ FB_SPACED_PHN_3B
458
body FB_SPACED_PHN_3B /\d\d\d--\d\d\d--?\d\d\d\d/
459
describe FB_SPACED_PHN_3B Phone number with -- spacing. (B)
460
##} FB_SPACED_PHN_3B
461
462
##{ FB_SPACEY_ZIP
463
body FB_SPACEY_ZIP /\s\d\s\d\s\d\s\d\s\d\s-\s\d\s\d\s\d\s\d/
464
describe FB_SPACEY_ZIP Looks like a s p a c e d zipcode.
465
##} FB_SPACEY_ZIP
466
467
##{ FB_SPUR_M
468
body FB_SPUR_M /\bSPUR-M\b/i
469
describe FB_SPUR_M Phrase: SPUR-M
470
##} FB_SPUR_M
471
472
##{ FB_SSEX
473
body FB_SSEX /\bssex\b/
474
describe FB_SSEX Phrase: ssex
475
##} FB_SSEX
476
477
##{ FB_STOCK_EXPLODE
478
body FB_STOCK_EXPLODE /st[0o]ck\b.{4,10}expl[o0]de/i
479
describe FB_STOCK_EXPLODE Looks like stocks exploding.
480
##} FB_STOCK_EXPLODE
481
482
##{ FB_SYMBLO
483
body FB_SYMBLO /\bSymblo\b/i
484
describe FB_SYMBLO Mis-spelled symbol.
485
##} FB_SYMBLO
486
487
##{ FB_THIS_ADVERT
488
body FB_THIS_ADVERT /this advertiser/i
489
describe FB_THIS_ADVERT Phrase: this advertiser
490
##} FB_THIS_ADVERT
491
492
##{ FB_THOUS_PERSONAL
493
body FB_THOUS_PERSONAL /thousand personal/i
494
describe FB_THOUS_PERSONAL Phrase: thousand personal
495
##} FB_THOUS_PERSONAL
496
497
##{ FB_TO_STOP_DISTRO
498
body FB_TO_STOP_DISTRO /To (?:(?:stop further|longer get) distribution|stop (?:receiving )?announcements)/i
499
describe FB_TO_STOP_DISTRO Phrase: to stop further distribution
500
##} FB_TO_STOP_DISTRO
501
502
##{ FB_ULTRA_ALLURE
503
body FB_ULTRA_ALLURE /Ultra Allure/i
504
describe FB_ULTRA_ALLURE Phrase: Ultra Allure
505
##} FB_ULTRA_ALLURE
506
507
##{ FB_UNLOCK_YOUR_G
508
body FB_UNLOCK_YOUR_G /lock ?(?:to ?)? your girlfriend/i
509
describe FB_UNLOCK_YOUR_G Phrase: lock to your girlfriend
510
##} FB_UNLOCK_YOUR_G
511
512
##{ FB_UNRESOLV_PROV
513
body FB_UNRESOLV_PROV /\{PROV_\d_\d\}/
514
describe FB_UNRESOLV_PROV Pattern Replacement PROV_D
515
##} FB_UNRESOLV_PROV
516
517
##{ FB_WORD1_END_DOLLAR
518
body FB_WORD1_END_DOLLAR / [a-z013]{3,6}\$ /i
519
describe FB_WORD1_END_DOLLAR Looks like a word ending with a $
520
##} FB_WORD1_END_DOLLAR
521
522
##{ FB_YOURSELF_MASTER
523
body FB_YOURSELF_MASTER /yourself master/i
524
describe FB_YOURSELF_MASTER Phrase: yourself master
525
##} FB_YOURSELF_MASTER
526
527
##{ FB_YOUR_REFI
528
body FB_YOUR_REFI /Your refi/i
529
describe FB_YOUR_REFI Phrase: Your refi
530
##} FB_YOUR_REFI
531
532
##{ FH_BAD_OEV1441
533
header FH_BAD_OEV1441 X-Mailer =~ /^Microsoft Outlook Express 6\.00\.2800\.1441$/
534
describe FH_BAD_OEV1441 Bad X-Mailer version
535
##} FH_BAD_OEV1441
536
537
##{ FH_DATE_IS_19XX
538
header FH_DATE_IS_19XX Date =~ /19[789][0-9]/ [if-unset: 2006]
539
describe FH_DATE_IS_19XX The date is not 19xx.
540
##} FH_DATE_IS_19XX
541
542
##{ FH_DATE_PAST_20XX
543
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
544
describe FH_DATE_PAST_20XX The date is grossly in the future.
545
##} FH_DATE_PAST_20XX
546
547
##{ FH_FAKE_RCVD_LINE
548
header FH_FAKE_RCVD_LINE Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/
549
describe FH_FAKE_RCVD_LINE RCVD line looks faked (A)
550
##} FH_FAKE_RCVD_LINE
551
552
##{ FH_FROMEML_NOTLD
553
header FH_FROMEML_NOTLD From:addr !~ /\./ [if-unset: foo@bar.com]
554
describe FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
555
##} FH_FROMEML_NOTLD
556
557
##{ FH_FROM_CASH
558
header FH_FROM_CASH From:name =~ /\bcash\b/i
559
describe FH_FROM_CASH From name has "cash"
560
##} FH_FROM_CASH
561
562
##{ FH_FROM_GET_NAME
563
header FH_FROM_GET_NAME From:name =~ /\bGet\b/i
564
describe FH_FROM_GET_NAME From name says Get
565
##} FH_FROM_GET_NAME
566
567
##{ FH_FROM_GIVEAWAY
568
header FH_FROM_GIVEAWAY From =~ /Giveaway/i
569
describe FH_FROM_GIVEAWAY From name is giveaway.
570
##} FH_FROM_GIVEAWAY
571
572
##{ FH_FROM_HOODIA
573
header FH_FROM_HOODIA From =~ /Hoodia/i
574
describe FH_FROM_HOODIA From has Hoodia!!?
575
##} FH_FROM_HOODIA
576
577
##{ FH_HAS_XAIMC
578
header FH_HAS_XAIMC exists:X-AIMC-AUTH
579
describe FH_HAS_XAIMC Has X-AIMC-AUTH header
580
##} FH_HAS_XAIMC
581
582
##{ FH_HAS_XID
583
header FH_HAS_XID exists:X-ID
584
describe FH_HAS_XID Has X-ID
585
##} FH_HAS_XID
586
587
##{ FH_HELO_ALMOST_IP
588
header FH_HELO_ALMOST_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
589
describe FH_HELO_ALMOST_IP Helo is almost an IP addr.
590
##} FH_HELO_ALMOST_IP
591
592
##{ FH_HELO_ENDS_DOT
593
header FH_HELO_ENDS_DOT X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+\. by=/
594
describe FH_HELO_ENDS_DOT Helo ends with a dot.
595
##} FH_HELO_ENDS_DOT
596
597
##{ FH_HELO_EQ_610HEX
598
header FH_HELO_EQ_610HEX X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=-?[A-F0-9]{6,10} /
599
describe FH_HELO_EQ_610HEX Helo is 6-10 hex chr's.
600
##} FH_HELO_EQ_610HEX
601
602
##{ FH_HELO_EQ_CHARTER
603
header FH_HELO_EQ_CHARTER X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}.{5,20}\.charter\.com /i
604
describe FH_HELO_EQ_CHARTER Helo is d-d-d-d charter.com
605
##} FH_HELO_EQ_CHARTER
606
607
##{ FH_HELO_EQ_D_D_D_D
608
header FH_HELO_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
609
describe FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
610
##} FH_HELO_EQ_D_D_D_D
611
612
##{ FH_HELO_GMAILSMTP
613
header FH_HELO_GMAILSMTP Received =~ /HELO gmail-smtp-in/
614
describe FH_HELO_GMAILSMTP Faked helo of gmail-smtp-in
615
##} FH_HELO_GMAILSMTP
616
617
##{ FH_HOST_EQ_DYNAMICIP
618
header FH_HOST_EQ_DYNAMICIP X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
619
describe FH_HOST_EQ_DYNAMICIP Host is dynamicip
620
##} FH_HOST_EQ_DYNAMICIP
621
622
##{ FH_HOST_EQ_PACBELL_D
623
header FH_HOST_EQ_PACBELL_D X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.dsl\.\w{2,10}\.pacbell\.net /
624
describe FH_HOST_EQ_PACBELL_D Host is pacbell.net dsl
625
##} FH_HOST_EQ_PACBELL_D
626
627
##{ FH_HOST_EQ_VERIZON_P
628
header FH_HOST_EQ_VERIZON_P X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=pool-\d.{5,30}\.verizon\.net/
629
describe FH_HOST_EQ_VERIZON_P Host is pool-.+verizon.net
630
##} FH_HOST_EQ_VERIZON_P
631
632
##{ FH_MSGID_000000
633
header FH_MSGID_000000 MESSAGEID =~ /\$00000000\@/
634
describe FH_MSGID_000000 Special MSGID
635
##} FH_MSGID_000000
636
637
##{ FH_MSGID_01C67
638
header FH_MSGID_01C67 Message-ID =~ /^<000001c[67]/
639
describe FH_MSGID_01C67 Special MSGID
640
##} FH_MSGID_01C67
641
642
##{ FH_MSGID_01C70XXX
643
header FH_MSGID_01C70XXX MESSAGEID =~ /^<01c70[a-f][a-f0-9]{2}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z0-9-]+>$/
644
describe FH_MSGID_01C70XXX MESSAGE ID seen often!!!
645
##} FH_MSGID_01C70XXX
646
647
##{ FH_MSGID_REPLACE
648
header FH_MSGID_REPLACE MESSAGEID =~ /^<%MSGID/
649
describe FH_MSGID_REPLACE Broken Replace Template
650
##} FH_MSGID_REPLACE
651
652
##{ FH_MSGID_XXBLAH
653
header FH_MSGID_XXBLAH MESSAGEID =~ /6c822ecf/
654
describe FH_MSGID_XXBLAH Common sign in msg-id's 12/21/2006
655
##} FH_MSGID_XXBLAH
656
657
##{ FH_MSGID_XXX
658
header FH_MSGID_XXX MESSAGEID =~ /\@xxx/i
659
describe FH_MSGID_XXX Message-Id = @xxx
660
##} FH_MSGID_XXX
661
662
##{ FH_RE_NEW_DDD
663
header FH_RE_NEW_DDD Subject =~ /^Re: new\s?\d{0,3}$/i
664
describe FH_RE_NEW_DDD Subject is Re: new \d\d\d
665
##} FH_RE_NEW_DDD
666
667
##{ FH_XMAIL_REPLACE
668
header FH_XMAIL_REPLACE X-Mailer =~ /%XMAILER/
669
describe FH_XMAIL_REPLACE Broken Replace Template
670
##} FH_XMAIL_REPLACE
671
672
##{ FH_XMAIL_RND_833
673
header FH_XMAIL_RND_833 X-Mailer =~ /^[a-z]{3}\sv8\.3\.3\./
674
describe FH_XMAIL_RND_833 Special X-Mailer Version
675
##} FH_XMAIL_RND_833
676
677
##{ FM_DOESNT_SAY_STOCK
678
meta FM_DOESNT_SAY_STOCK (__FB_S_SYMBOL && __FM_MY_PRICE && !__FB_S_STOCK && !__FS_S_TRADE)
679
describe FM_DOESNT_SAY_STOCK It's a stock spam but doesn't say stock
680
##} FM_DOESNT_SAY_STOCK
681
682
##{ FM_FAKE_53COM_SPOOF
683
meta FM_FAKE_53COM_SPOOF (__FH_FRM_53 && !__FH_MSG_53 && !__FH_RCV_53)
684
describe FM_FAKE_53COM_SPOOF Spoof mail from 53.com?
685
##} FM_FAKE_53COM_SPOOF
686
687
##{ FM_FAKE_HELO_HOTMAIL
688
meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL)
689
describe FM_FAKE_HELO_HOTMAIL Looks like a fake hotmail.com helo.
690
##} FM_FAKE_HELO_HOTMAIL
691
692
##{ FM_FAKE_HELO_VERIZON
693
meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON)
694
describe FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
695
##} FM_FAKE_HELO_VERIZON
696
697
##{ FM_FRM_RN_L_BRACK
698
meta FM_FRM_RN_L_BRACK (__FROM_RIGH_BRACK && !__FROM_LEFT_BRACK)
699
describe FM_FRM_RN_L_BRACK From name has > but not <
700
##} FM_FRM_RN_L_BRACK
701
702
##{ FM_IS_IT_OUR_ACCOUNT
703
meta FM_IS_IT_OUR_ACCOUNT (__YOUR_ACCOUNT && __MANY_RECIPS)
704
describe FM_IS_IT_OUR_ACCOUNT Is it our account?
705
##} FM_IS_IT_OUR_ACCOUNT
706
707
##{ FM_LIKE_STOCKS
708
meta FM_LIKE_STOCKS (__FM_STOCK_WORDS && !__FB_S_STOCK && __FB_S_SYMBOL)
709
describe FM_LIKE_STOCKS It looks like a duck, it's a duck!
710
##} FM_LIKE_STOCKS
711
712
##{ FM_LUX_GIFTS_REDUCED
713
meta FM_LUX_GIFTS_REDUCED (__FB_LUX_GIFTS && __FB_NUM_PERCNT)
714
describe FM_LUX_GIFTS_REDUCED Luxury Gifts with dd%
715
##} FM_LUX_GIFTS_REDUCED
716
717
##{ FM_MANY_DRUG_WORDS
718
meta FM_MANY_DRUG_WORDS (__VA_WORD && __CS_WORD && __VM_WORD)
719
describe FM_MANY_DRUG_WORDS Lot's of almost drug words
720
##} FM_MANY_DRUG_WORDS
721
722
##{ FM_MORTGAGE4PLUS
723
meta FM_MORTGAGE4PLUS (__FM_MORTGAGE4PLUS && !__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
724
describe FM_MORTGAGE4PLUS Looks like a mortgage spam (4+)
725
##} FM_MORTGAGE4PLUS
726
727
##{ FM_MORTGAGE5PLUS
728
meta FM_MORTGAGE5PLUS (__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
729
describe FM_MORTGAGE5PLUS Looks like a mortgage spam (5+)
730
##} FM_MORTGAGE5PLUS
731
732
##{ FM_MORTGAGE6PLUS
733
meta FM_MORTGAGE6PLUS (__FM_MORTGAGE6PLUS)
734
describe FM_MORTGAGE6PLUS Looks like a mortgage spam (6+)
735
##} FM_MORTGAGE6PLUS
736
737
##{ FM_MULTI_LUX_GIFTS
738
meta FM_MULTI_LUX_GIFTS ((__FB_BRAND_NAME + __FB_TIMEPIECE + __FB_WALLETS + __FB_HANDBAGS + __FB_DESIGNER + __FB_LUX_GIFTS + __FB_NUM_PERCNT + __FB_INK_PEN) > 3)
739
describe FM_MULTI_LUX_GIFTS Talks about variety of luxury gifts
740
##} FM_MULTI_LUX_GIFTS
741
742
##{ FM_PHN_NODNS
743
meta FM_PHN_NODNS (FB_SPACED_PHN_3B && RDNS_NONE)
744
describe FM_PHN_NODNS Phone spacing + no dns
745
##} FM_PHN_NODNS
746
747
##{ FM_RATSIGN_1106
748
meta FM_RATSIGN_1106 (__MSGID_VGA && __DATE_700)
749
describe FM_RATSIGN_1106 Fingerprint seen in lots of spam. 11/2006
750
##} FM_RATSIGN_1106
751
752
##{ FM_RE_HELLO_SPAM
753
meta FM_RE_HELLO_SPAM (__FH_MSGID_01C7 && __FH_HAS_XMSMAIL && __FH_HAS_XPRIORITY && __FS_SUBJ_RE)
754
describe FM_RE_HELLO_SPAM Re: Hello / hi
755
##} FM_RE_HELLO_SPAM
756
757
##{ FM_ROLEX_ADS
758
meta FM_ROLEX_ADS (__FB_ROLEX_MEN && __FB_ROLEX_WMEN && __FB_OMEGA && __FB_GLASHUTE)
759
describe FM_ROLEX_ADS Looks like Rolex spams.
760
##} FM_ROLEX_ADS
761
762
##{ FM_SCHOOLING
763
meta FM_SCHOOLING ((__BACHELORS + __MASTERS + __MBA + __PHD) > 2)
764
describe FM_SCHOOLING Meta Combo Phrase for Schooling (2)
765
##} FM_SCHOOLING
766
767
##{ FM_SCHOOL_DIPLOMA
768
meta FM_SCHOOL_DIPLOMA (FM_SCHOOLING && __DIPLOMA)
769
describe FM_SCHOOL_DIPLOMA Meta for Schooling + Diploma.
770
##} FM_SCHOOL_DIPLOMA
771
772
##{ FM_SCHOOL_TYPES
773
meta FM_SCHOOL_TYPES (__FB_BA && __FB_BCs && __FB_MA && __FB_MBA)
774
describe FM_SCHOOL_TYPES Meta Combo Phrase for Schooling
775
##} FM_SCHOOL_TYPES
776
777
##{ FM_SEX_HELODDDD
778
meta FM_SEX_HELODDDD (__SEX_WRDS && FH_HELO_EQ_D_D_D_D)
779
describe FM_SEX_HELODDDD Sex words + helo = dddd
780
##} FM_SEX_HELODDDD
781
782
##{ FM_SUBJ_APPROVE
783
meta FM_SUBJ_APPROVE (__EXCLAIM_SUBJ && __SUBJ_APPROVE)
784
describe FM_SUBJ_APPROVE Subject has Approve and !
785
##} FM_SUBJ_APPROVE
786
787
##{ FM_TRUE_LOV_ALL_N
788
meta FM_TRUE_LOV_ALL_N (__FB_P_TRUELOVE && __FB_P_ALLNIGHT)
789
describe FM_TRUE_LOV_ALL_N True Love all Night!
790
##} FM_TRUE_LOV_ALL_N
791
792
##{ FM_VEGAS_CASINO
793
meta FM_VEGAS_CASINO ((__FROM_VEGAS + __SUBJ_3DIGIT + __SUBJ_VEGAS + __FB_GAME) > 2)
794
describe FM_VEGAS_CASINO Looks like vega casino spam
795
##} FM_VEGAS_CASINO
796
797
##{ FM_VIAGRA_SPAM1114
798
meta FM_VIAGRA_SPAM1114 (__FH_MSGID_00001C && __FB_VIA_URL_SPEC1)
799
describe FM_VIAGRA_SPAM1114 Signs of a Viagra spam 11/14/2006
800
##} FM_VIAGRA_SPAM1114
801
802
##{ FM_XMAIL_F_OUT
803
header FM_XMAIL_F_OUT X-Mailer =~ /Microsoft Outlook Express V6.00.2900.2180/
804
describe FM_XMAIL_F_OUT Looks like Fake Outlook?
805
##} FM_XMAIL_F_OUT
806
807
##{ FRT_ADOBE2
808
809
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
810
body FRT_ADOBE2 /<inter W0><post P2>\b(?!adobe)<A><D><O><B><E>\b/i
811
describe FRT_ADOBE2 ReplaceTags: Adobe
812
endif
813
##} FRT_ADOBE2
814
815
##{ FRT_BIGGERMEM1
816
817
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
818
body FRT_BIGGERMEM1 /<inter SP2><post P2>(?:<B><I><G><G><E><R>|<L><A><R><G><E><R>).{1,8}(?:<P><E><N><I><S>|<B><R><E><A><S><T>|<M><E><M><B><E><R>)/i
819
describe FRT_BIGGERMEM1 ReplaceTags: Bigger / Larger, Penis / Member
820
endif
821
##} FRT_BIGGERMEM1
822
823
##{ FRT_DIPLOMA
824
825
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
826
body FRT_DIPLOMA /<inter SP2><post P2>\b(?!diploma)<D><I><P><L><O><M><A>/i
827
describe FRT_DIPLOMA ReplaceTags: Diploma
828
endif
829
##} FRT_DIPLOMA
830
831
##{ FRT_DISCOUNT
832
833
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
834
body FRT_DISCOUNT /<inter SP2><post P2>\b(?!discount)<D><I><S><C><O><U><N><T>/i
835
describe FRT_DISCOUNT ReplaceTags: Discount
836
endif
837
##} FRT_DISCOUNT
838
839
##{ FRT_DOLLAR
840
841
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
842
body FRT_DOLLAR /<inter SP2><post P2>\b(?!dollar)<D><O><L><L><A><R>/i
843
describe FRT_DOLLAR ReplaceTags: Dollar
844
endif
845
##} FRT_DOLLAR
846
847
##{ FRT_ESTABLISH2
848
849
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
850
body FRT_ESTABLISH2 /<inter W0><post P2>\b(?!estabi?lish)<E><S><T><A><B><L><I><S><H>/i
851
describe FRT_ESTABLISH2 ReplaceTags: Establish (2)
852
endif
853
##} FRT_ESTABLISH2
854
855
##{ FRT_FUCK2
856
857
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
858
body FRT_FUCK2 /<inter W0><post P2>\b(?!fuck)<F><U><C><K>/i
859
describe FRT_FUCK2 ReplaceTags: Fuck (2)
860
endif
861
##} FRT_FUCK2
862
863
##{ FRT_GUARANTEE1
864
865
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
866
body FRT_GUARANTEE1 /<inter SP2><post P2>(?!guarantee)<G><U><A><R><A><N><T><E><E>/i
867
describe FRT_GUARANTEE1 ReplaceTags: Guarantee (1)
868
endif
869
##} FRT_GUARANTEE1
870
871
##{ FRT_INVESTOR
872
873
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
874
body FRT_INVESTOR /<inter SP2><post P2>\b(?!investor)<I><N><V><E><S><T><O><R>/i
875
describe FRT_INVESTOR ReplaceTags: Investor
876
endif
877
##} FRT_INVESTOR
878
879
##{ FRT_LEVITRA
880
881
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
882
body FRT_LEVITRA /<inter W0><post P2>(?!levitra)<L><E><V><I><T><R><A>/i
883
describe FRT_LEVITRA ReplaceTags: Levitra
884
endif
885
##} FRT_LEVITRA
886
887
##{ FRT_MEETING
888
889
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
890
body FRT_MEETING /<inter SP2><post P2>\b(?!meeting)<M><E><E><T><I><N><G>\b/i
891
describe FRT_MEETING ReplaceTags: Meeting
892
endif
893
##} FRT_MEETING
894
895
##{ FRT_OFFER2
896
897
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
898
body FRT_OFFER2 /<inter W0><post P2>\b(?!offer)<O><F><F><E><R>/i
899
describe FRT_OFFER2 ReplaceTags: Offer (2)
900
endif
901
##} FRT_OFFER2
902
903
##{ FRT_OPPORTUN1
904
905
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
906
body FRT_OPPORTUN1 /<inter SP2><post P2>(?!opportun)<O><P><P><O><R><T><U><N>/i
907
describe FRT_OPPORTUN1 ReplaceTags: Oppertun (1)
908
endif
909
##} FRT_OPPORTUN1
910
911
##{ FRT_OPPORTUN2
912
913
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
914
body FRT_OPPORTUN2 /<inter W0><post P2>(?!opportun)<O><P><P><O><R><T><U><N>/i
915
describe FRT_OPPORTUN2 ReplaceTags: Oppertun (2)
916
endif
917
##} FRT_OPPORTUN2
918
919
##{ FRT_PENIS1
920
921
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
922
body FRT_PENIS1 /<inter SP2><post P2>\b(?!pen\s?is)(?!penny[ ']?s)<P><E><N><I><S>/i
923
describe FRT_PENIS1 ReplaceTags: Penis
924
endif
925
##} FRT_PENIS1
926
927
##{ FRT_PRICE
928
929
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
930
body FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><I><C><E>\b/i
931
describe FRT_PRICE ReplaceTags: Price
932
endif
933
##} FRT_PRICE
934
935
##{ FRT_REFINANCE1
936
937
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
938
body FRT_REFINANCE1 /<inter SP2><post P2>\b(?!refinanc)<R><E><F><I><N><A><N><C>/i
939
describe FRT_REFINANCE1 ReplaceTags: Refinance (1)
940
endif
941
##} FRT_REFINANCE1
942
943
##{ FRT_ROLEX
944
945
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
946
body FRT_ROLEX /<inter SP2><post P2>\b(?!rolex)<R><O><L><E><X>/i
947
describe FRT_ROLEX ReplaceTags: Rolex
948
endif
949
##} FRT_ROLEX
950
951
##{ FRT_SEXUAL
952
953
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
954
body FRT_SEXUAL /<inter SP2><post P2>\b(?!sexual)<S><E><X><U><A><L>/i
955
describe FRT_SEXUAL ReplaceTags: Sexual
956
endif
957
##} FRT_SEXUAL
958
959
##{ FRT_SOMA
960
961
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
962
body FRT_SOMA /<post P2>\b(?!soma|500mg)<S><O><M><A>\b/i
963
describe FRT_SOMA ReplaceTags: Soma
964
endif
965
##} FRT_SOMA
966
967
##{ FRT_SOMA2
968
969
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
970
body FRT_SOMA2 /<inter SP2><post P2>\b(?!soma|500? ?mg)<S><O><M><A>\b/i
971
describe FRT_SOMA2 ReplaceTags: Soma (2)
972
endif
973
##} FRT_SOMA2
974
975
##{ FRT_STRONG1
976
977
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
978
body FRT_STRONG1 /<inter SP2><post P2>\b(?!stro\s?ng)<S><T><R><O><N><G>\b/i
979
describe FRT_STRONG1 ReplaceTags: Strong (1)
980
endif
981
##} FRT_STRONG1
982
983
##{ FRT_STRONG2
984
985
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
986
body FRT_STRONG2 /<inter W0><post P2>\b(?!strong)<S><T><R><O><N><G>\b/i
987
describe FRT_STRONG2 ReplaceTags: Strong (2)
988
endif
989
##} FRT_STRONG2
990
991
##{ FRT_SYMBOL
992
993
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
994
body FRT_SYMBOL /<inter SP2><post P2>\b(?!symbol)<S><Y><M><B><O><L>/i
995
describe FRT_SYMBOL ReplaceTags: Symbol
996
endif
997
##} FRT_SYMBOL
998
999
##{ FRT_TODAY2
1000
1001
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1002
body FRT_TODAY2 /<inter W0><post P2>\b(?!today)<T><O><D><A><Y>/i
1003
describe FRT_TODAY2 ReplaceTags: Today (2)
1004
endif
1005
##} FRT_TODAY2
1006
1007
##{ FRT_VALIUM1
1008
1009
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1010
body FRT_VALIUM1 /<inter W0><post P2>\b(?!valium)<V><A><L><I><U><M>/i
1011
describe FRT_VALIUM1 ReplaceTags: Valium
1012
endif
1013
##} FRT_VALIUM1
1014
1015
##{ FRT_VALIUM2
1016
1017
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1018
body FRT_VALIUM2 /<inter SP2><post P2>\b(?!valium)<V><A><L><I><U><M>/i
1019
describe FRT_VALIUM2 ReplaceTags: Valium (2)
1020
endif
1021
##} FRT_VALIUM2
1022
1023
##{ FRT_WEIGHT2
1024
1025
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1026
body FRT_WEIGHT2 /<inter W0><post P2>\b(?!weight)<W><E><I><G><H><T>/i
1027
describe FRT_WEIGHT2 ReplaceTags: Weight (2)
1028
endif
1029
##} FRT_WEIGHT2
1030
1031
##{ FRT_XANAX1
1032
1033
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1034
body FRT_XANAX1 /<inter W0><post P2>\b(?!xanax)<X><A><N><A><X>\b/i
1035
describe FRT_XANAX1 ReplaceTags: Xanax (1)
1036
endif
1037
##} FRT_XANAX1
1038
1039
##{ FRT_XANAX2
1040
1041
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1042
body FRT_XANAX2 /<inter SP2><post P2>\b(?!xanax)<X><A><N><A><X>\b/i
1043
describe FRT_XANAX2 ReplaceTags: Xanax (2)
1044
endif
1045
##} FRT_XANAX2
1046
1047
##{ FR_3TAG_3TAG
1048
rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
1049
describe FR_3TAG_3TAG Looks like 3 <e> small tags.
1050
##} FR_3TAG_3TAG
1051
1052
##{ FR_ALMOST_VIAG2
1053
rawbody FR_ALMOST_VIAG2 /[^a-z](?!viagra)v?ia.?g.?ra/i
1054
describe FR_ALMOST_VIAG2 Almost looks like viagra.
1055
##} FR_ALMOST_VIAG2
1056
1057
##{ FR_CANTSEETEXT
1058
rawbody FR_CANTSEETEXT /class="?cantseetext/i
1059
describe FR_CANTSEETEXT Phrase class=cantseetext
1060
##} FR_CANTSEETEXT
1061
1062
##{ FR_MIDER
1063
rawbody FR_MIDER m'http[^ ]{5,30}/gall?/'
1064
describe FR_MIDER Sign often seen in spams
1065
##} FR_MIDER
1066
1067
##{ FS_AT_NO_COST
1068
header FS_AT_NO_COST Subject =~ /\bat no cost/i
1069
describe FS_AT_NO_COST Subject says "At No Cost"
1070
##} FS_AT_NO_COST
1071
1072
##{ FS_CHEAP_CAP
1073
header FS_CHEAP_CAP Subject =~ /CHEAP/
1074
describe FS_CHEAP_CAP Phrase: Cheap in Caps in Subject.
1075
##} FS_CHEAP_CAP
1076
1077
##{ FS_DOLLAR_BONUS
1078
header FS_DOLLAR_BONUS Subject =~ /\$\d\d\d?\.?\d?\d? bonus/i
1079
describe FS_DOLLAR_BONUS Subject talks about money bonus!
1080
##} FS_DOLLAR_BONUS
1081
1082
##{ FS_EJACULA
1083
header FS_EJACULA Subject =~ /ejaculat(?:[io01][o0i1]n|e)/i
1084
describe FS_EJACULA Phrase: ejaculation in subject.
1085
##} FS_EJACULA
1086
1087
##{ FS_ERECTION
1088
header FS_ERECTION Subject =~ / erection /i
1089
describe FS_ERECTION Phrase: erection in subject.
1090
##} FS_ERECTION
1091
1092
##{ FS_HUGECOCK
1093
header FS_HUGECOCK Subject =~ /(?:huge|tiny|small) (?:c[o0]ck|d[i1]ck|p[e3]n[1i]s)/i
1094
describe FS_HUGECOCK Phrase: Huge Cock
1095
##} FS_HUGECOCK
1096
1097
##{ FS_LARGE_PERCENT2
1098
header FS_LARGE_PERCENT2 Subject =~ /(?!100%)\d[0-9oi][0-9oi]%/i
1099
describe FS_LARGE_PERCENT2 Larger than 100% in subj.
1100
##} FS_LARGE_PERCENT2
1101
1102
##{ FS_LOWER_YOUR
1103
header FS_LOWER_YOUR Subject =~ /lower your/i
1104
describe FS_LOWER_YOUR Phrase: lower your
1105
##} FS_LOWER_YOUR
1106
1107
##{ FS_LOW_RATES
1108
header FS_LOW_RATES Subject =~ / low rates/i
1109
describe FS_LOW_RATES Subject says low rates
1110
##} FS_LOW_RATES
1111
1112
##{ FS_NEW_SOFT_UPLOAD
1113
header FS_NEW_SOFT_UPLOAD Subject =~ /^New software uploaded by/
1114
describe FS_NEW_SOFT_UPLOAD Subj starts with New software uploaded
1115
##} FS_NEW_SOFT_UPLOAD
1116
1117
##{ FS_NEW_XXX
1118
header FS_NEW_XXX Subject =~ /^Re: news? [a-z]{1,5}$/
1119
describe FS_NEW_XXX Subject looks like Fharmacy spams.
1120
##} FS_NEW_XXX
1121
1122
##{ FS_NO_SCRIP
1123
header FS_NO_SCRIP Subject =~ /n[o0O] p[reRE][erER]scr[i1I]pt[i1I][o0O]n/i
1124
describe FS_NO_SCRIP Subject almost says No prescription
1125
##} FS_NO_SCRIP
1126
1127
##{ FS_OBFU_PRMCY
1128
header FS_OBFU_PRMCY Subject =~ /\b(?!(?:pharmacy|primacy))p[ph]{0,4}\S{1,3}r\S{0,2}m\S{0,3}c\S{0,2}y\b/i
1129
describe FS_OBFU_PRMCY what could this word be?
1130
##} FS_OBFU_PRMCY
1131
1132
##{ FS_PERSCRIPTION
1133
header FS_PERSCRIPTION Subject =~ /perscr[i1]pt[i1][o0]n/i
1134
describe FS_PERSCRIPTION Subject mis-spelled prescription
1135
##} FS_PERSCRIPTION
1136
1137
##{ FS_PHARMASUB2
1138
header FS_PHARMASUB2 Subject =~ /PH[A-Za-z]{2,7}MA/
1139
describe FS_PHARMASUB2 Looks like Phramacy subject.
1140
##} FS_PHARMASUB2
1141
1142
##{ FS_RAMROD
1143
header FS_RAMROD Subject =~ /ramrod/i
1144
describe FS_RAMROD Subject says Ramrod
1145
##} FS_RAMROD
1146
1147
##{ FS_REPLICA
1148
header FS_REPLICA Subject =~ /replica/i
1149
describe FS_REPLICA Subject says "replica"
1150
##} FS_REPLICA
1151
1152
##{ FS_REPLICAWATCH
1153
header FS_REPLICAWATCH Subject =~ /replica watch/i
1154
describe FS_REPLICAWATCH Subject says Replica watch
1155
##} FS_REPLICAWATCH
1156
1157
##{ FS_RE_APPROV
1158
header FS_RE_APPROV Subject =~ /re approved/i
1159
describe FS_RE_APPROV Phrase: re approved
1160
##} FS_RE_APPROV
1161
1162
##{ FS_START_DOYOU2
1163
header FS_START_DOYOU2 Subject =~ /^Do you (?:dream|have|want|love|like|wanna)/i
1164
describe FS_START_DOYOU2 Subject starts with Do you dream,have,want,love, etc.
1165
##} FS_START_DOYOU2
1166
1167
##{ FS_START_LOSE
1168
header FS_START_LOSE Subject =~ /^Lose /i
1169
describe FS_START_LOSE Subject starts with Lose
1170
##} FS_START_LOSE
1171
1172
##{ FS_TEEN_BAD
1173
header FS_TEEN_BAD Subject =~ /teen.{1,15}(?:pussy|sex|slut|ass|fuck|rape)/i
1174
describe FS_TEEN_BAD Subject says something bad about teens
1175
##} FS_TEEN_BAD
1176
1177
##{ FS_TIP_DDD
1178
header FS_TIP_DDD Subject =~ /(?:tip|good) \d\d\d?\d?/i
1179
describe FS_TIP_DDD Phrase: subject = tip ddd
1180
##} FS_TIP_DDD
1181
1182
##{ FS_WEIGHT_LOSS
1183
header FS_WEIGHT_LOSS Subject =~ /weight loss/i
1184
describe FS_WEIGHT_LOSS Subject says Weight Loss
1185
score FS_WEIGHT_LOSS 0.942 0.458 0.000 0.000
1186
##} FS_WEIGHT_LOSS
1187
1188
##{ FS_WILL_HELP
1189
header FS_WILL_HELP Subject =~ /will help/
1190
describe FS_WILL_HELP Subject says will help
1191
##} FS_WILL_HELP
1192
1193
##{ FS_WITH_SMALL
1194
header FS_WITH_SMALL Subject =~ /with (?:\w+\s)?(?:small|short)/i
1195
describe FS_WITH_SMALL Subject says With ... small
1196
##} FS_WITH_SMALL
1197
1198
##{ FUZZY_MERIDIA
1199
1200
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1201
body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
1202
endif
1203
##} FUZZY_MERIDIA
1204
1205
##{ FU_COMMON_SUBS2
1206
uri FU_COMMON_SUBS2 m'/(?:[2w]m|7d|b|ee|lj|j|o|u)/[,.]?$'
1207
describe FU_COMMON_SUBS2 Sub-dir seen often in spam (2).
1208
##} FU_COMMON_SUBS2
1209
1210
##{ FU_ENDS_NUMS_DOTS_CLK
1211
uri FU_ENDS_NUMS_DOTS_CLK m'(?:clk|uns)/\d+\.\d+\.\d+'i
1212
describe FU_ENDS_NUMS_DOTS_CLK Ends with clk/d+.d+.d+
1213
##} FU_ENDS_NUMS_DOTS_CLK
1214
1215
##{ FU_END_ET
1216
uri FU_END_ET m'/et/$'i
1217
describe FU_END_ET ET Phone Home?
1218
##} FU_END_ET
1219
1220
##{ FU_HOODIA
1221
uri FU_HOODIA /hoodia/i
1222
describe FU_HOODIA URL has hoodia in it.
1223
##} FU_HOODIA
1224
1225
##{ FU_LONG_QUERY3
1226
uri FU_LONG_QUERY3 m'[A-F0-9]{30}\.aspx'
1227
describe FU_LONG_QUERY3 URL has a long file name with .aspx extension.
1228
##} FU_LONG_QUERY3
1229
1230
##{ FU_MIDER
1231
uri FU_MIDER m'/gall?/'
1232
describe FU_MIDER URL has /gal/
1233
##} FU_MIDER
1234
1235
##{ FU_UKGEOCITIES
1236
uri FU_UKGEOCITIES /\b[a-z]{2}\.geocities\.com/i
1237
describe FU_UKGEOCITIES URL with [a-z]{2}.geocities.com
1238
##} FU_UKGEOCITIES
1239
1240
##{ FU_URI_TRACKER_T
1241
uri FU_URI_TRACKER_T m'/[yi]/(?:sp|et|vm|xl2)/'i
1242
describe FU_URI_TRACKER_T URI style tracker (T)
1243
##} FU_URI_TRACKER_T
1244
1245
##{ GEO_QUERY_STRING
1246
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
1247
##} GEO_QUERY_STRING
1248
1249
##{ HDR_ORDER_FTSDMCXX_001C
1250
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
1251
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
1252
##} HDR_ORDER_FTSDMCXX_001C
1253
1254
##{ HDR_ORDER_FTSDMCXX_BAT
1255
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
1256
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
1257
##} HDR_ORDER_FTSDMCXX_BAT
1258
1259
##{ HEADER_COUNT_SUBJECT
1260
1261
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
1262
header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
1263
describe HEADER_COUNT_SUBJECT Multiple Subject headers found
1264
endif
1265
##} HEADER_COUNT_SUBJECT
1266
1267
##{ HELO_FRIEND
1268
header HELO_FRIEND X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i
1269
##} HELO_FRIEND
1270
1271
##{ HELO_LH_HOME
1272
header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
1273
##} HELO_LH_HOME
1274
1275
##{ HELO_LH_LD
1276
header HELO_LH_LD X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i
1277
##} HELO_LH_LD
1278
1279
##{ HELO_LOCALHOST
1280
header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
1281
##} HELO_LOCALHOST
1282
1283
##{ HELO_OEM
1284
header HELO_OEM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
1285
##} HELO_OEM
1286
1287
##{ HS_BODY_UPLOADED_SOFTWARE
1288
body HS_BODY_UPLOADED_SOFTWARE /^\w+ has uploaded some new software/
1289
describe HS_BODY_UPLOADED_SOFTWARE Somebody has uploaded some new software for you
1290
##} HS_BODY_UPLOADED_SOFTWARE
1291
1292
##{ HS_DRUG_DOLLAR_1
1293
body HS_DRUG_DOLLAR_1 m'^[a-z]+[glrt][a-z]?[eir][a-z]?[asx](?: -|:)? \$[\d.]+$'i
1294
describe HS_DRUG_DOLLAR_1 Contains a drug and price-like pattern.
1295
##} HS_DRUG_DOLLAR_1
1296
1297
##{ HS_DRUG_DOLLAR_2
1298
body HS_DRUG_DOLLAR_2 m'^[a-z]+[lmor][a-z]?[aex][a-z]?[mx](?: -|:)? \$[\d.]+$'i
1299
describe HS_DRUG_DOLLAR_2 Contains a drug and price-like pattern.
1300
##} HS_DRUG_DOLLAR_2
1301
1302
##{ HS_DRUG_DOLLAR_3
1303
body HS_DRUG_DOLLAR_3 m'^[a-z]+[dino][a-z]?[aimu][a-z]?[amx](?: -|:)? \$[\d.]+$'i
1304
describe HS_DRUG_DOLLAR_3 Contains a drug and price-like pattern.
1305
##} HS_DRUG_DOLLAR_3
1306
1307
##{ HS_DRUG_DOLLAR_MANY
1308
meta HS_DRUG_DOLLAR_MANY HS_DRUG_DOLLAR_1 + HS_DRUG_DOLLAR_2 + HS_DRUG_DOLLAR_3 >= 2
1309
describe HS_DRUG_DOLLAR_MANY Contains several drug and dollar-like patterns.
1310
##} HS_DRUG_DOLLAR_MANY
1311
1312
##{ HS_FORGED_OE_FW
1313
meta HS_FORGED_OE_FW __HS_SUBJ_UC_FW && __OE_MUA
1314
describe HS_FORGED_OE_FW Outlook does not prefix forwards with "FW:"
1315
##} HS_FORGED_OE_FW
1316
1317
##{ HS_GETMEOFF
1318
uri HS_GETMEOFF m'/get(?:me)?off\.php(?:$|[\#?])'
1319
describe HS_GETMEOFF Links to common unsubscribe script: 'getmeoff.php'
1320
##} HS_GETMEOFF
1321
1322
##{ HS_INDEX_PARAM
1323
uri HS_INDEX_PARAM m'^https?:/*([^/]*/)+(?:index.(?:cgi|html?|php)|default.(?:asp|jsp))?\?(?!(?-i:[A-Z][a-z]{2,}){2,}$)\w+={0,2}$'i
1324
describe HS_INDEX_PARAM Link contains a common tracker pattern.
1325
##} HS_INDEX_PARAM
1326
1327
##{ HS_MEETUP_FOR_SEX
1328
body HS_MEETUP_FOR_SEX m'(?:meet ?up|see eachother|get together) for (?:some )?(?:action|sex)'i
1329
describe HS_MEETUP_FOR_SEX Talks about meeting up for sex.
1330
##} HS_MEETUP_FOR_SEX
1331
1332
##{ HS_SUBJ_NEW_SOFTWARE
1333
header HS_SUBJ_NEW_SOFTWARE Subject =~ /^New software uploaded by/
1334
describe HS_SUBJ_NEW_SOFTWARE Subject starts with 'New software uploaded by'
1335
##} HS_SUBJ_NEW_SOFTWARE
1336
1337
##{ HS_SUBJ_ONLINE_PHARMACEUTICAL
1338
header HS_SUBJ_ONLINE_PHARMACEUTICAL Subject =~ /\bOnline Pharmaceutical/i
1339
describe HS_SUBJ_ONLINE_PHARMACEUTICAL Subject contains the phrase 'Online pharmaceutical'
1340
##} HS_SUBJ_ONLINE_PHARMACEUTICAL
1341
1342
##{ HTTPS_HTTP_MISMATCH
1343
1344
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
1345
body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
1346
endif
1347
##} HTTPS_HTTP_MISMATCH
1348
1349
##{ JM_RCVD_QMAILV1
1350
header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
1351
##} JM_RCVD_QMAILV1
1352
1353
##{ JM_TORA_XM
1354
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
1355
##} JM_TORA_XM
1356
1357
##{ KAM_LOTTO1
1358
meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 3)
1359
describe KAM_LOTTO1 Likely to be a e-Lotto Scam Email
1360
#score KAM_LOTTO1 0.5
1361
##} KAM_LOTTO1
1362
1363
##{ KAM_LOTTO2
1364
meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 4)
1365
describe KAM_LOTTO2 Highly Likely to be a e-Lotto Scam Email
1366
#score KAM_LOTTO2 1.0
1367
##} KAM_LOTTO2
1368
1369
##{ KAM_LOTTO3
1370
meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 5)
1371
describe KAM_LOTTO3 Almost certain to be a e-Lotto Scam Email
1372
#score KAM_LOTTO3 2.0
1373
##} KAM_LOTTO3
1374
1375
##{ KAM_STOCKOTC
1376
meta KAM_STOCKOTC (0)
1377
tflags KAM_STOCKOTC publish
1378
##} KAM_STOCKOTC
1379
1380
##{ KAM_STOCKTIP15
1381
meta KAM_STOCKTIP15 (0)
1382
tflags KAM_STOCKTIP15 publish
1383
##} KAM_STOCKTIP15
1384
1385
##{ KAM_STOCKTIP20
1386
meta KAM_STOCKTIP20 (0)
1387
tflags KAM_STOCKTIP20 publish
1388
##} KAM_STOCKTIP20
1389
1390
##{ KAM_STOCKTIP21
1391
meta KAM_STOCKTIP21 (0)
1392
tflags KAM_STOCKTIP21 publish
1393
##} KAM_STOCKTIP21
1394
1395
##{ KAM_STOCKTIP4
1396
meta KAM_STOCKTIP4 (0)
1397
tflags KAM_STOCKTIP4 publish
1398
##} KAM_STOCKTIP4
1399
1400
##{ KAM_STOCKTIP6
1401
meta KAM_STOCKTIP6 (0)
1402
tflags KAM_STOCKTIP6 publish
1403
##} KAM_STOCKTIP6
1404
1405
##{ LONG_TERM_PRICE
1406
body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
1407
##} LONG_TERM_PRICE
1408
1409
##{ LOOPHOLE_1
1410
body LOOPHOLE_1 /loop-?hole in the banking/i
1411
describe LOOPHOLE_1 A loop hole in the banking laws?
1412
##} LOOPHOLE_1
1413
1414
##{ LOTTERY_1
1415
meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
1416
##} LOTTERY_1
1417
1418
##{ L_SPAM_TOOL_13
1419
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
1420
##} L_SPAM_TOOL_13
1421
1422
##{ MID_DEGREES
1423
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
1424
##} MID_DEGREES
1425
1426
##{ MIME_BOUND_EQ_REL
1427
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
1428
##} MIME_BOUND_EQ_REL
1429
1430
##{ MSOE_MID_WRONG_CASE
1431
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
1432
##} MSOE_MID_WRONG_CASE
1433
1434
##{ NULL_IN_BODY
1435
full NULL_IN_BODY /\x00/
1436
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
1437
##} NULL_IN_BODY
1438
1439
##{ PART_CID_STOCK
1440
1441
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1442
meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
1443
describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
1444
endif
1445
##} PART_CID_STOCK
1446
1447
##{ PART_CID_STOCK_LESS
1448
1449
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1450
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
1451
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
1452
endif
1453
##} PART_CID_STOCK_LESS
1454
1455
##{ RCVD_BAD_ID
1456
header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/
1457
##} RCVD_BAD_ID
1458
1459
##{ RCVD_FORGED_WROTE
1460
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
1461
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
1462
##} RCVD_FORGED_WROTE
1463
1464
##{ RCVD_FORGED_WROTE2
1465
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
1466
##} RCVD_FORGED_WROTE2
1467
1468
##{ RCVD_IN_DNSWL_HI
1469
1470
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1471
header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.3')
1472
describe RCVD_IN_DNSWL_HI Sender listed at http://www.dnswl.org/, high trust
1473
tflags RCVD_IN_DNSWL_HI nice net
1474
endif
1475
##} RCVD_IN_DNSWL_HI
1476
1477
##{ RCVD_IN_DNSWL_LOW
1478
1479
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1480
header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
1481
describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
1482
tflags RCVD_IN_DNSWL_LOW nice net
1483
endif
1484
##} RCVD_IN_DNSWL_LOW
1485
1486
##{ RCVD_IN_DNSWL_MED
1487
1488
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1489
header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
1490
describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
1491
tflags RCVD_IN_DNSWL_MED nice net
1492
endif
1493
##} RCVD_IN_DNSWL_MED
1494
1495
##{ RCVD_IN_IADB_DK
1496
1497
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1498
header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.3$')
1499
describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
1500
tflags RCVD_IN_IADB_DK net nice
1501
endif
1502
##} RCVD_IN_IADB_DK
1503
1504
##{ RCVD_IN_IADB_DOPTIN
1505
1506
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1507
header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.10$')
1508
describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
1509
tflags RCVD_IN_IADB_DOPTIN net nice
1510
endif
1511
##} RCVD_IN_IADB_DOPTIN
1512
1513
##{ RCVD_IN_IADB_DOPTIN_GT50
1514
1515
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1516
header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.9$')
1517
describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
1518
tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
1519
endif
1520
##} RCVD_IN_IADB_DOPTIN_GT50
1521
1522
##{ RCVD_IN_IADB_DOPTIN_LT50
1523
1524
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1525
header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.8$')
1526
describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
1527
tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
1528
endif
1529
##} RCVD_IN_IADB_DOPTIN_LT50
1530
1531
##{ RCVD_IN_IADB_EDDB
1532
1533
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1534
header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '^127.0.2.1$')
1535
describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
1536
tflags RCVD_IN_IADB_EDDB net nice
1537
endif
1538
##} RCVD_IN_IADB_EDDB
1539
1540
##{ RCVD_IN_IADB_EPIA
1541
1542
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1543
header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '^127.0.2.2$')
1544
describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
1545
tflags RCVD_IN_IADB_EPIA net nice
1546
endif
1547
##} RCVD_IN_IADB_EPIA
1548
1549
##{ RCVD_IN_IADB_GOODMAIL
1550
1551
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1552
header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.103$')
1553
describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
1554
tflags RCVD_IN_IADB_GOODMAIL net nice
1555
endif
1556
##} RCVD_IN_IADB_GOODMAIL
1557
1558
##{ RCVD_IN_IADB_LISTED
1559
1560
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1561
header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127.0.0.[12]$')
1562
describe RCVD_IN_IADB_LISTED Participates in the IADB system
1563
tflags RCVD_IN_IADB_LISTED net nice
1564
endif
1565
##} RCVD_IN_IADB_LISTED
1566
1567
##{ RCVD_IN_IADB_LOOSE
1568
1569
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1570
header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.4$')
1571
describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
1572
tflags RCVD_IN_IADB_LOOSE net nice
1573
endif
1574
##} RCVD_IN_IADB_LOOSE
1575
1576
##{ RCVD_IN_IADB_MI_CPEAR
1577
1578
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1579
header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '^127.101.1.10$')
1580
describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
1581
tflags RCVD_IN_IADB_MI_CPEAR net nice
1582
endif
1583
##} RCVD_IN_IADB_MI_CPEAR
1584
1585
##{ RCVD_IN_IADB_MI_CPR_30
1586
1587
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1588
header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '^127.101.101.10$')
1589
describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
1590
tflags RCVD_IN_IADB_MI_CPR_30 net nice
1591
endif
1592
##} RCVD_IN_IADB_MI_CPR_30
1593
1594
##{ RCVD_IN_IADB_MI_CPR_MAT
1595
1596
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1597
header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '^127.101.201.10$')
1598
describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
1599
tflags RCVD_IN_IADB_MI_CPR_MAT net nice
1600
endif
1601
##} RCVD_IN_IADB_MI_CPR_MAT
1602
1603
##{ RCVD_IN_IADB_ML_DOPTIN
1604
1605
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1606
header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.100$')
1607
describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
1608
tflags RCVD_IN_IADB_ML_DOPTIN net nice
1609
endif
1610
##} RCVD_IN_IADB_ML_DOPTIN
1611
1612
##{ RCVD_IN_IADB_NOCONTROL
1613
1614
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1615
header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.0$')
1616
describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
1617
tflags RCVD_IN_IADB_NOCONTROL net nice
1618
endif
1619
##} RCVD_IN_IADB_NOCONTROL
1620
1621
##{ RCVD_IN_IADB_OOO
1622
1623
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1624
header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.200$')
1625
describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
1626
tflags RCVD_IN_IADB_OOO net nice
1627
endif
1628
##} RCVD_IN_IADB_OOO
1629
1630
##{ RCVD_IN_IADB_OPTIN
1631
1632
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1633
header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.7$')
1634
describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
1635
tflags RCVD_IN_IADB_OPTIN net nice
1636
endif
1637
##} RCVD_IN_IADB_OPTIN
1638
1639
##{ RCVD_IN_IADB_OPTIN_GT50
1640
1641
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1642
header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.6$')
1643
describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
1644
tflags RCVD_IN_IADB_OPTIN_GT50 net nice
1645
endif
1646
##} RCVD_IN_IADB_OPTIN_GT50
1647
1648
##{ RCVD_IN_IADB_OPTIN_LT50
1649
1650
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1651
header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.5$')
1652
describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
1653
tflags RCVD_IN_IADB_OPTIN_LT50 net nice
1654
endif
1655
##} RCVD_IN_IADB_OPTIN_LT50
1656
1657
##{ RCVD_IN_IADB_OPTOUTONLY
1658
1659
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1660
header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.1$')
1661
describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
1662
tflags RCVD_IN_IADB_OPTOUTONLY net nice
1663
endif
1664
##} RCVD_IN_IADB_OPTOUTONLY
1665
1666
##{ RCVD_IN_IADB_RDNS
1667
1668
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1669
header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.4$')
1670
describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
1671
tflags RCVD_IN_IADB_RDNS net nice
1672
endif
1673
##} RCVD_IN_IADB_RDNS
1674
1675
##{ RCVD_IN_IADB_SENDERID
1676
1677
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1678
header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.2$')
1679
describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
1680
tflags RCVD_IN_IADB_SENDERID net nice
1681
endif
1682
##} RCVD_IN_IADB_SENDERID
1683
1684
##{ RCVD_IN_IADB_SPF
1685
1686
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1687
header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.1$')
1688
describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
1689
tflags RCVD_IN_IADB_SPF net nice
1690
endif
1691
##} RCVD_IN_IADB_SPF
1692
1693
##{ RCVD_IN_IADB_UNVERIFIED_1
1694
1695
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1696
header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.2$')
1697
describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
1698
tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
1699
endif
1700
##} RCVD_IN_IADB_UNVERIFIED_1
1701
1702
##{ RCVD_IN_IADB_UNVERIFIED_2
1703
1704
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1705
header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.3$')
1706
describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
1707
tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
1708
endif
1709
##} RCVD_IN_IADB_UNVERIFIED_2
1710
1711
##{ RCVD_IN_IADB_UT_CPEAR
1712
1713
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1714
header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '^127.101.2.10$')
1715
describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
1716
tflags RCVD_IN_IADB_UT_CPEAR net nice
1717
endif
1718
##} RCVD_IN_IADB_UT_CPEAR
1719
1720
##{ RCVD_IN_IADB_UT_CPR_30
1721
1722
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1723
header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '^127.101.102.10$')
1724
describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
1725
tflags RCVD_IN_IADB_UT_CPR_30 net nice
1726
endif
1727
##} RCVD_IN_IADB_UT_CPR_30
1728
1729
##{ RCVD_IN_IADB_UT_CPR_MAT
1730
1731
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1732
header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '^127.101.202.10$')
1733
describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
1734
tflags RCVD_IN_IADB_UT_CPR_MAT net nice
1735
endif
1736
##} RCVD_IN_IADB_UT_CPR_MAT
1737
1738
##{ RCVD_MAIL_COM
1739
header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
1740
describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
1741
##} RCVD_MAIL_COM
1742
1743
##{ SB_GIF_AND_NO_URIS
1744
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
1745
##} SB_GIF_AND_NO_URIS
1746
1747
##{ SHORT_HELO_AND_INLINE_IMAGE
1748
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
1749
describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
1750
##} SHORT_HELO_AND_INLINE_IMAGE
1751
1752
##{ SHORT_TERM_PRICE
1753
body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
1754
##} SHORT_TERM_PRICE
1755
1756
##{ SPAMMY_XMAILER
1757
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
1758
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
1759
##} SPAMMY_XMAILER
1760
1761
##{ STOCK_IMG_CTYPE
1762
meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
1763
describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
1764
##} STOCK_IMG_CTYPE
1765
1766
##{ STOCK_IMG_HDR_FROM
1767
meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&T_TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
1768
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
1769
##} STOCK_IMG_HDR_FROM
1770
1771
##{ STOCK_IMG_HTML
1772
meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
1773
describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
1774
##} STOCK_IMG_HTML
1775
1776
##{ STOCK_IMG_OUTLOOK
1777
meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
1778
describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
1779
##} STOCK_IMG_OUTLOOK
1780
1781
##{ STOCK_PRICES
1782
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
1783
##} STOCK_PRICES
1784
1785
##{ STOX_AND_PRICE
1786
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
1787
##} STOX_AND_PRICE
1788
1789
##{ STOX_REPLY_TYPE
1790
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
1791
##} STOX_REPLY_TYPE
1792
1793
##{ SUBJECT_NEEDS_ENCODING
1794
meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
1795
##} SUBJECT_NEEDS_ENCODING
1796
1797
##{ SUBJ_RE_NUM
1798
meta SUBJ_RE_NUM !__THEBAT_MUA && __SUBJ_RE_NUM
1799
describe SUBJ_RE_NUM Subject is faking 'The Bat!' responses
1800
##} SUBJ_RE_NUM
1801
1802
##{ TEMPLATE_203_RCVD
1803
header TEMPLATE_203_RCVD Received =~ /from 192.168.0.\d+ \(203-219-/
1804
##} TEMPLATE_203_RCVD
1805
1806
##{ TT_MSGID_TRUNC
1807
header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
1808
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
1809
##} TT_MSGID_TRUNC
1810
1811
##{ TT_OBSCURED_VALIUM
1812
meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
1813
describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
1814
##} TT_OBSCURED_VALIUM
1815
1816
##{ TT_OBSCURED_VIAGRA
1817
meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
1818
describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
1819
##} TT_OBSCURED_VIAGRA
1820
1821
##{ TVD_ACT_193
1822
body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
1823
##} TVD_ACT_193
1824
1825
##{ TVD_APPROVED
1826
body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
1827
##} TVD_APPROVED
1828
1829
##{ TVD_APP_LOAN
1830
body TVD_APP_LOAN /approved .{0,20}loan/i
1831
##} TVD_APP_LOAN
1832
1833
##{ TVD_DEAR_HOMEOWNER
1834
body TVD_DEAR_HOMEOWNER /^dear homeowner/i
1835
##} TVD_DEAR_HOMEOWNER
1836
1837
##{ TVD_EB_PHISH
1838
meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
1839
##} TVD_EB_PHISH
1840
1841
##{ TVD_ENVFROM_APOST
1842
header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
1843
##} TVD_ENVFROM_APOST
1844
1845
##{ TVD_FINGER_02
1846
header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
1847
##} TVD_FINGER_02
1848
1849
##{ TVD_FLOAT_GENERAL
1850
rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
1851
##} TVD_FLOAT_GENERAL
1852
1853
##{ TVD_FUZZY_DEGREE
1854
1855
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1856
body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
1857
endif
1858
##} TVD_FUZZY_DEGREE
1859
1860
##{ TVD_FUZZY_FINANCE
1861
1862
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1863
body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
1864
endif
1865
##} TVD_FUZZY_FINANCE
1866
1867
##{ TVD_FUZZY_FIXED_RATE
1868
1869
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1870
body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
1871
endif
1872
##} TVD_FUZZY_FIXED_RATE
1873
1874
##{ TVD_FUZZY_MICROCAP
1875
1876
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1877
body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
1878
endif
1879
##} TVD_FUZZY_MICROCAP
1880
1881
##{ TVD_FUZZY_PHARMACEUTICAL
1882
1883
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1884
body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
1885
endif
1886
##} TVD_FUZZY_PHARMACEUTICAL
1887
1888
##{ TVD_FUZZY_SYMBOL
1889
1890
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1891
body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
1892
endif
1893
##} TVD_FUZZY_SYMBOL
1894
1895
##{ TVD_FW_GRAPHIC_NAME_LONG
1896
1897
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1898
mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
1899
endif
1900
##} TVD_FW_GRAPHIC_NAME_LONG
1901
1902
##{ TVD_FW_GRAPHIC_NAME_MID
1903
1904
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1905
mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
1906
endif
1907
##} TVD_FW_GRAPHIC_NAME_MID
1908
1909
##{ TVD_INCREASE_SIZE
1910
body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
1911
##} TVD_INCREASE_SIZE
1912
1913
##{ TVD_LINK_SAVE
1914
body TVD_LINK_SAVE /\blink to save\b/i
1915
##} TVD_LINK_SAVE
1916
1917
##{ TVD_PH_BODY_ACCOUNTS_PRE
1918
body TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
1919
##} TVD_PH_BODY_ACCOUNTS_PRE
1920
1921
##{ TVD_PH_REC
1922
body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
1923
describe TVD_PH_REC Message has a phrase standard for phishing mails
1924
##} TVD_PH_REC
1925
1926
##{ TVD_PH_SEC
1927
body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
1928
describe TVD_PH_SEC Message has a phrase standard for phishing mails
1929
##} TVD_PH_SEC
1930
1931
##{ TVD_PH_SUBJ_ACCOUNTS_POST
1932
header TVD_PH_SUBJ_ACCOUNTS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
1933
##} TVD_PH_SUBJ_ACCOUNTS_POST
1934
1935
##{ TVD_PH_SUBJ_META
1936
meta TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
1937
##} TVD_PH_SUBJ_META
1938
1939
##{ TVD_PH_SUBJ_URGENT
1940
header TVD_PH_SUBJ_URGENT Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
1941
##} TVD_PH_SUBJ_URGENT
1942
1943
##{ TVD_PP_PHISH
1944
meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
1945
##} TVD_PP_PHISH
1946
1947
##{ TVD_QUAL_MEDS
1948
body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
1949
##} TVD_QUAL_MEDS
1950
1951
##{ TVD_RATWARE_CB
1952
header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
1953
##} TVD_RATWARE_CB
1954
1955
##{ TVD_RATWARE_CB_2
1956
header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
1957
##} TVD_RATWARE_CB_2
1958
1959
##{ TVD_RATWARE_MSGID_02
1960
header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
1961
##} TVD_RATWARE_MSGID_02
1962
1963
##{ TVD_RCVD_IP
1964
header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
1965
##} TVD_RCVD_IP
1966
1967
##{ TVD_RCVD_IP4
1968
header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
1969
##} TVD_RCVD_IP4
1970
1971
##{ TVD_RCVD_SINGLE
1972
header TVD_RCVD_SINGLE Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
1973
##} TVD_RCVD_SINGLE
1974
1975
##{ TVD_RCVD_SPACE_BRACKET
1976
header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
1977
##} TVD_RCVD_SPACE_BRACKET
1978
1979
##{ TVD_SECTION
1980
body TVD_SECTION /\bSection (?:27A|21B)/i
1981
##} TVD_SECTION
1982
1983
##{ TVD_SILLY_URI_OBFU
1984
body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
1985
##} TVD_SILLY_URI_OBFU
1986
1987
##{ TVD_SPACED_SUBJECT_WORD3
1988
header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
1989
##} TVD_SPACED_SUBJECT_WORD3
1990
1991
##{ TVD_STOCK1
1992
1993
ifplugin Mail::SpamAssassin::Plugin::BodyEval
1994
body TVD_STOCK1 eval:check_stock_info('2')
1995
endif
1996
##} TVD_STOCK1
1997
1998
##{ TVD_SUBJ_ACC_NUM
1999
header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
2000
describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
2001
##} TVD_SUBJ_ACC_NUM
2002
2003
##{ TVD_SUBJ_FINGER_03
2004
header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
2005
##} TVD_SUBJ_FINGER_03
2006
2007
##{ TVD_SUBJ_OWE
2008
header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
2009
##} TVD_SUBJ_OWE
2010
2011
##{ TVD_SUBJ_WIPE_DEBT
2012
header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
2013
##} TVD_SUBJ_WIPE_DEBT
2014
2015
##{ TVD_VISIT_PHARMA
2016
body TVD_VISIT_PHARMA /Online Ph.rmacy/i
2017
##} TVD_VISIT_PHARMA
2018
2019
##{ TVD_VIS_HIDDEN
2020
rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
2021
##} TVD_VIS_HIDDEN
2022
2023
##{ T_TVD_FW_GRAPHIC_ID1
2024
2025
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2026
mimeheader T_TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
2027
endif
2028
##} T_TVD_FW_GRAPHIC_ID1
2029
2030
##{ URIBL_RHS_AHBL
2031
2032
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2033
#reuse URIBL_RHS_AHBL T_URIBL_RHS_AHBL
2034
endif
2035
##} URIBL_RHS_AHBL
2036
2037
##{ URIBL_RHS_DOB
2038
2039
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2040
urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
2041
body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
2042
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
2043
tflags URIBL_RHS_DOB net
2044
endif
2045
##} URIBL_RHS_DOB
2046
2047
##{ WHOIS_1AND1PR
2048
2049
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2050
urirhssub WHOIS_1AND1PR bl.open-whois.org. A 127.0.0.2
2051
body WHOIS_1AND1PR eval:check_uridnsbl('WHOIS_1AND1PR')
2052
describe WHOIS_1AND1PR URL registered to 1&1 Private Registration
2053
tflags WHOIS_1AND1PR net
2054
endif
2055
##} WHOIS_1AND1PR
2056
2057
##{ WHOIS_AITPRIV
2058
2059
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2060
urirhssub WHOIS_AITPRIV bl.open-whois.org. A 127.0.0.19
2061
body WHOIS_AITPRIV eval:check_uridnsbl('WHOIS_AITPRIV')
2062
describe WHOIS_AITPRIV URL registered as an AIT Private Registration
2063
tflags WHOIS_AITPRIV net publish
2064
endif
2065
##} WHOIS_AITPRIV
2066
2067
##{ WHOIS_CONTACTPRIV
2068
2069
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2070
urirhssub WHOIS_CONTACTPRIV bl.open-whois.org. A 127.0.0.37
2071
body WHOIS_CONTACTPRIV eval:check_uridnsbl('WHOIS_CONTACTPRIV')
2072
describe WHOIS_CONTACTPRIV URL registered to contactprivacy.com
2073
tflags WHOIS_CONTACTPRIV net
2074
endif
2075
##} WHOIS_CONTACTPRIV
2076
2077
##{ WHOIS_DMNBYPROXY
2078
2079
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2080
urirhssub WHOIS_DMNBYPROXY bl.open-whois.org. A 127.0.0.15
2081
body WHOIS_DMNBYPROXY eval:check_uridnsbl('WHOIS_DMNBYPROXY')
2082
describe WHOIS_DMNBYPROXY Contains URL registered to Domains by Proxy
2083
tflags WHOIS_DMNBYPROXY net
2084
endif
2085
##} WHOIS_DMNBYPROXY
2086
2087
##{ WHOIS_DOMESCROW
2088
2089
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2090
urirhssub WHOIS_DOMESCROW bl.open-whois.org. A 127.0.0.10
2091
body WHOIS_DOMESCROW eval:check_uridnsbl('WHOIS_DOMESCROW')
2092
describe WHOIS_DOMESCROW URL registered to Domain Escrow Services
2093
tflags WHOIS_DOMESCROW net
2094
endif
2095
##} WHOIS_DOMESCROW
2096
2097
##{ WHOIS_DOMPRIVCORP
2098
2099
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2100
urirhssub WHOIS_DOMPRIVCORP bl.open-whois.org. A 127.0.0.24
2101
body WHOIS_DOMPRIVCORP eval:check_uridnsbl('WHOIS_DOMPRIVCORP')
2102
describe WHOIS_DOMPRIVCORP URL registered to DomainPrivacyCorp.com
2103
tflags WHOIS_DOMPRIVCORP net
2104
endif
2105
##} WHOIS_DOMPRIVCORP
2106
2107
##{ WHOIS_DREAMPRIV
2108
2109
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2110
urirhssub WHOIS_DREAMPRIV bl.open-whois.org. A 127.0.0.8
2111
body WHOIS_DREAMPRIV eval:check_uridnsbl('WHOIS_DREAMPRIV')
2112
describe WHOIS_DREAMPRIV URL registered as a DreamHost Private Registration
2113
tflags WHOIS_DREAMPRIV net
2114
endif
2115
##} WHOIS_DREAMPRIV
2116
2117
##{ WHOIS_DROA
2118
2119
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2120
urirhssub WHOIS_DROA bl.open-whois.org. A 127.0.0.26
2121
body WHOIS_DROA eval:check_uridnsbl('WHOIS_DROA')
2122
describe WHOIS_DROA URL registered as an DROA Private Registration
2123
tflags WHOIS_DROA net
2124
endif
2125
##} WHOIS_DROA
2126
2127
##{ WHOIS_DYNADOT
2128
2129
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2130
urirhssub WHOIS_DYNADOT bl.open-whois.org. A 127.0.0.27
2131
body WHOIS_DYNADOT eval:check_uridnsbl('WHOIS_DYNADOT')
2132
describe WHOIS_DYNADOT URL registered to Dynadot Privacy
2133
tflags WHOIS_DYNADOT net
2134
endif
2135
##} WHOIS_DYNADOT
2136
2137
##{ WHOIS_FINEXE
2138
2139
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2140
urirhssub WHOIS_FINEXE bl.open-whois.org. A 127.0.0.25
2141
body WHOIS_FINEXE eval:check_uridnsbl('WHOIS_FINEXE')
2142
describe WHOIS_FINEXE URL registered to Finexe Domain Proxy Service
2143
tflags WHOIS_FINEXE net
2144
endif
2145
##} WHOIS_FINEXE
2146
2147
##{ WHOIS_GKGPROXY
2148
2149
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2150
urirhssub WHOIS_GKGPROXY bl.open-whois.org. A 127.0.0.29
2151
body WHOIS_GKGPROXY eval:check_uridnsbl('WHOIS_GKGPROXY')
2152
describe WHOIS_GKGPROXY URL registered to GKG.NET Domain Proxy Service
2153
tflags WHOIS_GKGPROXY net
2154
endif
2155
##} WHOIS_GKGPROXY
2156
2157
##{ WHOIS_IDSHIELD
2158
2159
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2160
urirhssub WHOIS_IDSHIELD bl.open-whois.org. A 127.0.0.16
2161
body WHOIS_IDSHIELD eval:check_uridnsbl('WHOIS_IDSHIELD')
2162
describe WHOIS_IDSHIELD Contains URL registered to WHOIS ID Shield
2163
tflags WHOIS_IDSHIELD net
2164
endif
2165
##} WHOIS_IDSHIELD
2166
2167
##{ WHOIS_IDTHEFTPROT
2168
2169
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2170
urirhssub WHOIS_IDTHEFTPROT bl.open-whois.org. A 127.0.0.39
2171
body WHOIS_IDTHEFTPROT eval:check_uridnsbl('WHOIS_IDTHEFTPROT')
2172
describe WHOIS_IDTHEFTPROT URL registered to Whois ID Theft Protection
2173
tflags WHOIS_IDTHEFTPROT net
2174
endif
2175
##} WHOIS_IDTHEFTPROT
2176
2177
##{ WHOIS_KATZ
2178
2179
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2180
urirhssub WHOIS_KATZ bl.open-whois.org. A 127.0.0.31
2181
body WHOIS_KATZ eval:check_uridnsbl('WHOIS_KATZ')
2182
describe WHOIS_KATZ URL registered to Katz Global Domain Name Trust
2183
tflags WHOIS_KATZ net
2184
endif
2185
##} WHOIS_KATZ
2186
2187
##{ WHOIS_LISTINGAG
2188
2189
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2190
urirhssub WHOIS_LISTINGAG bl.open-whois.org. A 127.0.0.33
2191
body WHOIS_LISTINGAG eval:check_uridnsbl('WHOIS_LISTINGAG')
2192
describe WHOIS_LISTINGAG URL registered to Domain Listing Agent
2193
tflags WHOIS_LISTINGAG net
2194
endif
2195
##} WHOIS_LISTINGAG
2196
2197
##{ WHOIS_LNOA
2198
2199
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2200
urirhssub WHOIS_LNOA bl.open-whois.org. A 127.0.0.28
2201
body WHOIS_LNOA eval:check_uridnsbl('WHOIS_LNOA')
2202
describe WHOIS_LNOA URL registered to LNOA WHOIS Privacy
2203
tflags WHOIS_LNOA net
2204
endif
2205
##} WHOIS_LNOA
2206
2207
##{ WHOIS_MAPNAME
2208
2209
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2210
urirhssub WHOIS_MAPNAME bl.open-whois.org. A 127.0.0.34
2211
body WHOIS_MAPNAME eval:check_uridnsbl('WHOIS_MAPNAME')
2212
describe WHOIS_MAPNAME URL registered to MapName
2213
tflags WHOIS_MAPNAME net
2214
endif
2215
##} WHOIS_MAPNAME
2216
2217
##{ WHOIS_MONIKER_PRIV
2218
2219
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2220
urirhssub WHOIS_MONIKER_PRIV bl.open-whois.org. A 127.0.0.11
2221
body WHOIS_MONIKER_PRIV eval:check_uridnsbl('WHOIS_MONIKER_PRIV')
2222
describe WHOIS_MONIKER_PRIV URL registered to Moniker Privacy Protection
2223
tflags WHOIS_MONIKER_PRIV net
2224
endif
2225
##} WHOIS_MONIKER_PRIV
2226
2227
##{ WHOIS_MYPRIVREG
2228
2229
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2230
urirhssub WHOIS_MYPRIVREG bl.open-whois.org. A 127.0.0.17
2231
body WHOIS_MYPRIVREG eval:check_uridnsbl('WHOIS_MYPRIVREG')
2232
describe WHOIS_MYPRIVREG URL registered to myprivateregistration.com
2233
tflags WHOIS_MYPRIVREG net
2234
endif
2235
##} WHOIS_MYPRIVREG
2236
2237
##{ WHOIS_NAMEKING
2238
2239
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2240
urirhssub WHOIS_NAMEKING bl.open-whois.org. A 127.0.0.35
2241
body WHOIS_NAMEKING eval:check_uridnsbl('WHOIS_NAMEKING')
2242
describe WHOIS_NAMEKING URL registered to NameKing
2243
tflags WHOIS_NAMEKING net publish
2244
endif
2245
##} WHOIS_NAMEKING
2246
2247
##{ WHOIS_NAMESECURE
2248
2249
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2250
urirhssub WHOIS_NAMESECURE bl.open-whois.org. A 127.0.0.9
2251
body WHOIS_NAMESECURE eval:check_uridnsbl('WHOIS_NAMESECURE')
2252
describe WHOIS_NAMESECURE Contains URL registered to NameSecure
2253
tflags WHOIS_NAMESECURE net
2254
endif
2255
##} WHOIS_NAMESECURE
2256
2257
##{ WHOIS_NETID
2258
2259
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2260
urirhssub WHOIS_NETID bl.open-whois.org. A 127.0.0.42
2261
body WHOIS_NETID eval:check_uridnsbl('WHOIS_NETID')
2262
describe WHOIS_NETID URL registered to NetIdentity
2263
tflags WHOIS_NETID net
2264
endif
2265
##} WHOIS_NETID
2266
2267
##{ WHOIS_NETSOLPR
2268
2269
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2270
urirhssub WHOIS_NETSOLPR bl.open-whois.org. A 127.0.0.4
2271
body WHOIS_NETSOLPR eval:check_uridnsbl('WHOIS_NETSOLPR')
2272
describe WHOIS_NETSOLPR URL registered as a NetSol Private Registration
2273
tflags WHOIS_NETSOLPR net
2274
endif
2275
##} WHOIS_NETSOLPR
2276
2277
##{ WHOIS_NOLDC
2278
2279
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2280
urirhssub WHOIS_NOLDC bl.open-whois.org. A 127.0.0.41
2281
body WHOIS_NOLDC eval:check_uridnsbl('WHOIS_NOLDC')
2282
describe WHOIS_NOLDC URL registered to NOLDC, Inc.
2283
tflags WHOIS_NOLDC net
2284
endif
2285
##} WHOIS_NOLDC
2286
2287
##{ WHOIS_NOMINET
2288
2289
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2290
urirhssub WHOIS_NOMINET bl.open-whois.org. A 127.0.0.36
2291
body WHOIS_NOMINET eval:check_uridnsbl('WHOIS_NOMINET')
2292
describe WHOIS_NOMINET URL registered to Nominet Private Registrant
2293
tflags WHOIS_NOMINET net
2294
endif
2295
##} WHOIS_NOMINET
2296
2297
##{ WHOIS_PRIVACYPOST
2298
2299
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2300
urirhssub WHOIS_PRIVACYPOST bl.open-whois.org. A 127.0.0.7
2301
body WHOIS_PRIVACYPOST eval:check_uridnsbl('WHOIS_PRIVACYPOST')
2302
describe WHOIS_PRIVACYPOST Contains URL registered to PrivacyPost
2303
tflags WHOIS_PRIVACYPOST net
2304
endif
2305
##} WHOIS_PRIVACYPOST
2306
2307
##{ WHOIS_PRIVDOMAIN
2308
2309
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2310
urirhssub WHOIS_PRIVDOMAIN bl.open-whois.org. A 127.0.0.38
2311
body WHOIS_PRIVDOMAIN eval:check_uridnsbl('WHOIS_PRIVDOMAIN')
2312
describe WHOIS_PRIVDOMAIN URL registered to privacy-domain.com
2313
tflags WHOIS_PRIVDOMAIN net
2314
endif
2315
##} WHOIS_PRIVDOMAIN
2316
2317
##{ WHOIS_PRIVPROT
2318
2319
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2320
urirhssub WHOIS_PRIVPROT bl.open-whois.org. A 127.0.0.3
2321
body WHOIS_PRIVPROT eval:check_uridnsbl('WHOIS_PRIVPROT')
2322
describe WHOIS_PRIVPROT URL registered to WHOIS Privacy Protection
2323
tflags WHOIS_PRIVPROT net publish
2324
endif
2325
##} WHOIS_PRIVPROT
2326
2327
##{ WHOIS_REGISTER4LESS
2328
2329
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2330
urirhssub WHOIS_REGISTER4LESS bl.open-whois.org. A 127.0.0.30
2331
body WHOIS_REGISTER4LESS eval:check_uridnsbl('WHOIS_REGISTER4LESS')
2332
describe WHOIS_REGISTER4LESS URL registered to R4L Privacy
2333
tflags WHOIS_REGISTER4LESS net
2334
endif
2335
##} WHOIS_REGISTER4LESS
2336
2337
##{ WHOIS_REGISTERFLY
2338
2339
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2340
urirhssub WHOIS_REGISTERFLY bl.open-whois.org. A 127.0.0.14
2341
body WHOIS_REGISTERFLY eval:check_uridnsbl('WHOIS_REGISTERFLY')
2342
describe WHOIS_REGISTERFLY Contains URL registered to RegisterFly
2343
tflags WHOIS_REGISTERFLY net publish
2344
endif
2345
##} WHOIS_REGISTERFLY
2346
2347
##{ WHOIS_REGTEK
2348
2349
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2350
urirhssub WHOIS_REGTEK bl.open-whois.org. A 127.0.0.40
2351
body WHOIS_REGTEK eval:check_uridnsbl('WHOIS_REGTEK')
2352
describe WHOIS_REGTEK URL registered to RegTek Whois Envoy
2353
tflags WHOIS_REGTEK net
2354
endif
2355
##} WHOIS_REGTEK
2356
2357
##{ WHOIS_SAFENAMES
2358
2359
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2360
urirhssub WHOIS_SAFENAMES bl.open-whois.org. A 127.0.0.12
2361
body WHOIS_SAFENAMES eval:check_uridnsbl('WHOIS_SAFENAMES')
2362
describe WHOIS_SAFENAMES Contains URL registered to SafeNames
2363
tflags WHOIS_SAFENAMES net
2364
endif
2365
##} WHOIS_SAFENAMES
2366
2367
##{ WHOIS_SECINFOSERV
2368
2369
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2370
urirhssub WHOIS_SECINFOSERV bl.open-whois.org. A 127.0.0.21
2371
body WHOIS_SECINFOSERV eval:check_uridnsbl('WHOIS_SECINFOSERV')
2372
describe WHOIS_SECINFOSERV URL registered to Secure WHOIS Information Services
2373
tflags WHOIS_SECINFOSERV net
2374
endif
2375
##} WHOIS_SECINFOSERV
2376
2377
##{ WHOIS_SECUREWHOIS
2378
2379
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2380
urirhssub WHOIS_SECUREWHOIS bl.open-whois.org. A 127.0.0.5
2381
body WHOIS_SECUREWHOIS eval:check_uridnsbl('WHOIS_SECUREWHOIS')
2382
describe WHOIS_SECUREWHOIS Contains URL registered to SecureWhois
2383
tflags WHOIS_SECUREWHOIS net publish
2384
endif
2385
##} WHOIS_SECUREWHOIS
2386
2387
##{ WHOIS_SPAMFREE
2388
2389
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2390
urirhssub WHOIS_SPAMFREE bl.open-whois.org. A 127.0.0.32
2391
body WHOIS_SPAMFREE eval:check_uridnsbl('WHOIS_SPAMFREE')
2392
describe WHOIS_SPAMFREE URL registered to SpamFreeReg.com
2393
tflags WHOIS_SPAMFREE net
2394
endif
2395
##} WHOIS_SPAMFREE
2396
2397
##{ WHOIS_SRSPLUS
2398
2399
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2400
urirhssub WHOIS_SRSPLUS bl.open-whois.org. A 127.0.0.23
2401
body WHOIS_SRSPLUS eval:check_uridnsbl('WHOIS_SRSPLUS')
2402
describe WHOIS_SRSPLUS URL registered as an SRSPlus Private Registration
2403
tflags WHOIS_SRSPLUS net
2404
endif
2405
##} WHOIS_SRSPLUS
2406
2407
##{ WHOIS_UNLISTED
2408
2409
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2410
urirhssub WHOIS_UNLISTED bl.open-whois.org. A 127.0.0.13
2411
body WHOIS_UNLISTED eval:check_uridnsbl('WHOIS_UNLISTED')
2412
describe WHOIS_UNLISTED Contains URL registered to Unlisted-Whois.com
2413
tflags WHOIS_UNLISTED net
2414
endif
2415
##} WHOIS_UNLISTED
2416
2417
##{ WHOIS_WHOISGUARD
2418
2419
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2420
urirhssub WHOIS_WHOISGUARD bl.open-whois.org. A 127.0.0.18
2421
body WHOIS_WHOISGUARD eval:check_uridnsbl('WHOIS_WHOISGUARD')
2422
describe WHOIS_WHOISGUARD URL registered to WhoisGuard
2423
tflags WHOIS_WHOISGUARD net publish
2424
endif
2425
##} WHOIS_WHOISGUARD
2426
2427
##{ WHOIS_WHOISPROT
2428
2429
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2430
urirhssub WHOIS_WHOISPROT bl.open-whois.org. A 127.0.0.20
2431
body WHOIS_WHOISPROT eval:check_uridnsbl('WHOIS_WHOISPROT')
2432
describe WHOIS_WHOISPROT URL registered to WhoisProtector
2433
tflags WHOIS_WHOISPROT net
2434
endif
2435
##} WHOIS_WHOISPROT
2436
2437
##{ XMAILER_MIMEOLE_OL_015D5
2438
meta XMAILER_MIMEOLE_OL_015D5 (__XM_OL_015D5 && __MO_OL_015D5)
2439
##} XMAILER_MIMEOLE_OL_015D5
2440
2441
##{ XMAILER_MIMEOLE_OL_07794
2442
meta XMAILER_MIMEOLE_OL_07794 (__XM_OL_07794 && __MO_OL_07794)
2443
##} XMAILER_MIMEOLE_OL_07794
2444
2445
##{ XMAILER_MIMEOLE_OL_09BB4
2446
meta XMAILER_MIMEOLE_OL_09BB4 (__XM_OL_09BB4 && __MO_OL_09BB4)
2447
##} XMAILER_MIMEOLE_OL_09BB4
2448
2449
##{ XMAILER_MIMEOLE_OL_1ECD5
2450
meta XMAILER_MIMEOLE_OL_1ECD5 (__XM_OL_1ECD5 && __MO_OL_1ECD5)
2451
##} XMAILER_MIMEOLE_OL_1ECD5
2452
2453
##{ XMAILER_MIMEOLE_OL_20C99
2454
meta XMAILER_MIMEOLE_OL_20C99 (__XM_OL_20C99 && __MO_OL_20C99)
2455
##} XMAILER_MIMEOLE_OL_20C99
2456
2457
##{ XMAILER_MIMEOLE_OL_22B61
2458
meta XMAILER_MIMEOLE_OL_22B61 (__XM_OL_22B61 && __MO_OL_22B61)
2459
##} XMAILER_MIMEOLE_OL_22B61
2460
2461
##{ XMAILER_MIMEOLE_OL_25340
2462
meta XMAILER_MIMEOLE_OL_25340 (__XM_OL_25340 && __MO_OL_25340)
2463
##} XMAILER_MIMEOLE_OL_25340
2464
2465
##{ XMAILER_MIMEOLE_OL_32D97
2466
meta XMAILER_MIMEOLE_OL_32D97 (__XM_OL_32D97 && __MO_OL_32D97)
2467
##} XMAILER_MIMEOLE_OL_32D97
2468
2469
##{ XMAILER_MIMEOLE_OL_3857F
2470
meta XMAILER_MIMEOLE_OL_3857F (__XM_OL_3857F && __MO_OL_3857F)
2471
##} XMAILER_MIMEOLE_OL_3857F
2472
2473
##{ XMAILER_MIMEOLE_OL_3AC1D
2474
meta XMAILER_MIMEOLE_OL_3AC1D (__XM_OL_3AC1D && __MO_OL_3AC1D)
2475
##} XMAILER_MIMEOLE_OL_3AC1D
2476
2477
##{ XMAILER_MIMEOLE_OL_3D61D
2478
meta XMAILER_MIMEOLE_OL_3D61D (__XM_OL_3D61D && __MO_OL_3D61D)
2479
##} XMAILER_MIMEOLE_OL_3D61D
2480
2481
##{ XMAILER_MIMEOLE_OL_465CD
2482
meta XMAILER_MIMEOLE_OL_465CD (__XM_OL_465CD && __MO_OL_465CD)
2483
##} XMAILER_MIMEOLE_OL_465CD
2484
2485
##{ XMAILER_MIMEOLE_OL_4B815
2486
meta XMAILER_MIMEOLE_OL_4B815 (__XM_OL_4B815 && __MO_OL_4B815)
2487
##} XMAILER_MIMEOLE_OL_4B815
2488
2489
##{ XMAILER_MIMEOLE_OL_4BF4C
2490
meta XMAILER_MIMEOLE_OL_4BF4C (__XM_OL_4BF4C && __MO_OL_4BF4C)
2491
##} XMAILER_MIMEOLE_OL_4BF4C
2492
2493
##{ XMAILER_MIMEOLE_OL_4EEDB
2494
meta XMAILER_MIMEOLE_OL_4EEDB (__XM_OL_4EEDB && __MO_OL_4EEDB)
2495
##} XMAILER_MIMEOLE_OL_4EEDB
2496
2497
##{ XMAILER_MIMEOLE_OL_4F240
2498
meta XMAILER_MIMEOLE_OL_4F240 (__XM_OL_4F240 && __MO_OL_4F240)
2499
##} XMAILER_MIMEOLE_OL_4F240
2500
2501
##{ XMAILER_MIMEOLE_OL_58CB5
2502
meta XMAILER_MIMEOLE_OL_58CB5 (__XM_OL_58CB5 && __MO_OL_58CB5)
2503
##} XMAILER_MIMEOLE_OL_58CB5
2504
2505
##{ XMAILER_MIMEOLE_OL_5B79A
2506
meta XMAILER_MIMEOLE_OL_5B79A (__XM_OL_5B79A && __MO_OL_5B79A)
2507
##} XMAILER_MIMEOLE_OL_5B79A
2508
2509
##{ XMAILER_MIMEOLE_OL_6554A
2510
meta XMAILER_MIMEOLE_OL_6554A (__XM_OL_6554A && __MO_OL_6554A)
2511
##} XMAILER_MIMEOLE_OL_6554A
2512
2513
##{ XMAILER_MIMEOLE_OL_72641
2514
meta XMAILER_MIMEOLE_OL_72641 (__XM_OL_72641 && __MO_OL_72641)
2515
##} XMAILER_MIMEOLE_OL_72641
2516
2517
##{ XMAILER_MIMEOLE_OL_7533E
2518
meta XMAILER_MIMEOLE_OL_7533E (__XM_OL_7533E && __MO_OL_7533E)
2519
##} XMAILER_MIMEOLE_OL_7533E
2520
2521
##{ XMAILER_MIMEOLE_OL_812FF
2522
meta XMAILER_MIMEOLE_OL_812FF (__XM_OL_812FF && __MO_OL_812FF)
2523
##} XMAILER_MIMEOLE_OL_812FF
2524
2525
##{ XMAILER_MIMEOLE_OL_83BF7
2526
meta XMAILER_MIMEOLE_OL_83BF7 (__XM_OL_83BF7 && __MO_OL_83BF7)
2527
##} XMAILER_MIMEOLE_OL_83BF7
2528
2529
##{ XMAILER_MIMEOLE_OL_8627E
2530
meta XMAILER_MIMEOLE_OL_8627E (__XM_OL_8627E && __MO_OL_8627E)
2531
##} XMAILER_MIMEOLE_OL_8627E
2532
2533
##{ XMAILER_MIMEOLE_OL_8E893
2534
meta XMAILER_MIMEOLE_OL_8E893 (__XM_OL_8E893 && __MO_OL_8E893)
2535
##} XMAILER_MIMEOLE_OL_8E893
2536
2537
##{ XMAILER_MIMEOLE_OL_91287
2538
meta XMAILER_MIMEOLE_OL_91287 (__XM_OL_91287 && __MO_OL_91287)
2539
##} XMAILER_MIMEOLE_OL_91287
2540
2541
##{ XMAILER_MIMEOLE_OL_9B90B
2542
meta XMAILER_MIMEOLE_OL_9B90B (__XM_OL_9B90B && __MO_OL_9B90B)
2543
##} XMAILER_MIMEOLE_OL_9B90B
2544
2545
##{ XMAILER_MIMEOLE_OL_A50F8
2546
meta XMAILER_MIMEOLE_OL_A50F8 (__XM_OL_A50F8 && __MO_OL_A50F8)
2547
##} XMAILER_MIMEOLE_OL_A50F8
2548
2549
##{ XMAILER_MIMEOLE_OL_A842E
2550
meta XMAILER_MIMEOLE_OL_A842E (__XM_OL_A842E && __MO_OL_A842E)
2551
##} XMAILER_MIMEOLE_OL_A842E
2552
2553
##{ XMAILER_MIMEOLE_OL_ADFF7
2554
meta XMAILER_MIMEOLE_OL_ADFF7 (__XM_OL_ADFF7 && __MO_OL_ADFF7)
2555
##} XMAILER_MIMEOLE_OL_ADFF7
2556
2557
##{ XMAILER_MIMEOLE_OL_B30D1
2558
meta XMAILER_MIMEOLE_OL_B30D1 (__XM_OL_B30D1 && __MO_OL_B30D1)
2559
##} XMAILER_MIMEOLE_OL_B30D1
2560
2561
##{ XMAILER_MIMEOLE_OL_B4B40
2562
meta XMAILER_MIMEOLE_OL_B4B40 (__XM_OL_B4B40 && __MO_OL_B4B40)
2563
##} XMAILER_MIMEOLE_OL_B4B40
2564
2565
##{ XMAILER_MIMEOLE_OL_B9B11
2566
meta XMAILER_MIMEOLE_OL_B9B11 (__XM_OL_B9B11 && __MO_OL_B9B11)
2567
##} XMAILER_MIMEOLE_OL_B9B11
2568
2569
##{ XMAILER_MIMEOLE_OL_BC7E6
2570
meta XMAILER_MIMEOLE_OL_BC7E6 (__XM_OL_BC7E6 && __MO_OL_BC7E6)
2571
##} XMAILER_MIMEOLE_OL_BC7E6
2572
2573
##{ XMAILER_MIMEOLE_OL_C65FA
2574
meta XMAILER_MIMEOLE_OL_C65FA (__XM_OL_C65FA && __MO_OL_C65FA)
2575
##} XMAILER_MIMEOLE_OL_C65FA
2576
2577
##{ XMAILER_MIMEOLE_OL_CAC8F
2578
meta XMAILER_MIMEOLE_OL_CAC8F (__XM_OL_CAC8F && __MO_OL_CAC8F)
2579
##} XMAILER_MIMEOLE_OL_CAC8F
2580
2581
##{ XMAILER_MIMEOLE_OL_CF0C0
2582
meta XMAILER_MIMEOLE_OL_CF0C0 (__XM_OL_CF0C0 && __MO_OL_CF0C0)
2583
##} XMAILER_MIMEOLE_OL_CF0C0
2584
2585
##{ XMAILER_MIMEOLE_OL_EF20B
2586
meta XMAILER_MIMEOLE_OL_EF20B (__XM_OL_EF20B && __MO_OL_EF20B)
2587
##} XMAILER_MIMEOLE_OL_EF20B
2588
2589
##{ XMAILER_MIMEOLE_OL_EF222
2590
meta XMAILER_MIMEOLE_OL_EF222 (__XM_OL_EF222 && __MO_OL_EF222)
2591
##} XMAILER_MIMEOLE_OL_EF222
2592
2593
##{ XMAILER_MIMEOLE_OL_F3B05
2594
meta XMAILER_MIMEOLE_OL_F3B05 (__XM_OL_F3B05 && __MO_OL_F3B05)
2595
##} XMAILER_MIMEOLE_OL_F3B05
2596
2597
##{ XMAILER_MIMEOLE_OL_F475E
2598
meta XMAILER_MIMEOLE_OL_F475E (__XM_OL_F475E && __MO_OL_F475E)
2599
##} XMAILER_MIMEOLE_OL_F475E
2600
2601
##{ XMAILER_MIMEOLE_OL_F6D01
2602
meta XMAILER_MIMEOLE_OL_F6D01 (__XM_OL_F6D01 && __MO_OL_F6D01)
2603
##} XMAILER_MIMEOLE_OL_F6D01
2604
2605
##{ XMAILER_MIMEOLE_OL_FF5C8
2606
meta XMAILER_MIMEOLE_OL_FF5C8 (__XM_OL_FF5C8 && __MO_OL_FF5C8)
2607
##} XMAILER_MIMEOLE_OL_FF5C8
2608
2609
##{ if version >= 3.002004 ifplugin Mail::SpamAssassin::Plugin::DKIM _sandbox
2610
2611
if version >= 3.002004
2612
ifplugin Mail::SpamAssassin::Plugin::DKIM
2613
priority T_NOTVALID_YAHOO 500
2614
priority T_NOTVALID_GMAIL 500
2615
priority T_NOTVALID_PAY 500
2616
def_whitelist_from_dkim *@ebay.com
2617
def_whitelist_from_dkim *@*.ebay.com
2618
def_whitelist_from_dkim *@ebay.co.uk
2619
def_whitelist_from_dkim *@*.ebay.co.uk
2620
def_whitelist_from_dkim *@ebay.at
2621
def_whitelist_from_dkim *@ebay.ca
2622
def_whitelist_from_dkim *@ebay.de
2623
def_whitelist_from_dkim *@ebay.fr
2624
def_whitelist_from_dkim *@*.paypal.com
2625
def_whitelist_from_dkim *@*.paypal.com paypal.com
2626
def_whitelist_from_dkim *@paypal.com
2627
def_whitelist_from_dkim *@amazon.com
2628
def_whitelist_from_dkim *@cisco.com
2629
def_whitelist_from_dkim *@alert.bankofamerica.com
2630
def_whitelist_from_dkim *@cnn.com
2631
def_whitelist_from_dkim *@*.cnn.com
2632
def_whitelist_from_dkim *@skype.net
2633
def_whitelist_from_dkim *@welcome.skype.com
2634
def_whitelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com
2635
def_whitelist_from_dkim *@cc.yahoo-inc.com
2636
endif
2637
endif
2638
##} if version >= 3.002004 ifplugin Mail::SpamAssassin::Plugin::DKIM _sandbox
2639
2640
##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval _sandbox
2641
2642
ifplugin Mail::SpamAssassin::Plugin::DNSEval
2643
#reuse RCVD_IN_DNSWL_LOW
2644
#reuse RCVD_IN_DNSWL_MED
2645
#reuse RCVD_IN_DNSWL_HI
2646
endif
2647
##} ifplugin Mail::SpamAssassin::Plugin::DNSEval _sandbox
2648
2649
##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags _sandbox
2650
2651
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2652
replace_rules __FRT_GOLD
2653
replace_rules __FRT_SILVER
2654
replace_tag A [gra\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe60o]
2655
replace_tag B [b8]
2656
replace_tag C [ck\xc7\xe7@]
2657
replace_tag D [d\xd0]
2658
replace_tag E [e3\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]
2659
replace_tag F f
2660
replace_tag G [gk]
2661
replace_tag H h
2662
replace_tag I [ilt|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef]
2663
replace_tag J j
2664
replace_tag K k
2665
replace_tag L [il|!1\xa3]
2666
replace_tag M (?:m|rn)
2667
replace_tag N [n\xd1\xf1]
2668
replace_tag O [go0\xd2\xd3\xd4\xd5\xd6\xd8\xf0\xf2\xf3\xf4\xf5\xf6\xf8]
2669
replace_tag P [p\xfe]
2670
replace_tag Q q
2671
replace_tag R r
2672
replace_tag S [sz\xa6\xa7]
2673
replace_tag T t
2674
replace_tag U [uv\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]
2675
replace_tag V (?:[vu]|\\\/)
2676
replace_tag W [wv]
2677
replace_tag X (?:[x\xd7]|><)
2678
replace_tag Y [y\xff\xfd\xa5j]
2679
replace_tag Z [zs]
2680
replace_tag IMG (?:jpe?g|gif|png)
2681
replace_tag SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
2682
replace_tag CUR [\$\xa5\xa3\xa4\xa2]
2683
replace_inter SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
2684
replace_inter W1 \W?
2685
replace_inter W2 \W{0,2}
2686
replace_inter W3 \W{0,3}
2687
replace_post P2 {1,2}
2688
replace_post P3 {1,3}
2689
replace_inter W0 \w?
2690
replace_inter SP2 [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]?
2691
replace_tag G [gk6]
2692
replace_tag Q [qg]
2693
replace_tag S [sz5\xa6\xa7]
2694
replace_tag T [t|]
2695
replace_tag U2 [u\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]
2696
replace_tag W (?:[wv]|vv)
2697
replace_rules T_FRT_ABSOLUT
2698
replace_rules FRT_ADOBE2
2699
replace_rules T_FRT_ADULT2
2700
replace_rules T_FRT_APPROV
2701
replace_rules T_FRT_BEFORE
2702
replace_rules T_FRT_BELOW2
2703
replace_rules FRT_BIGGERMEM1
2704
replace_rules T_FRT_CANSPAM
2705
replace_rules T_FRT_CLICK
2706
replace_rules T_FRT_COCK
2707
replace_rules T_FRT_CONTACT
2708
replace_rules FRT_DIPLOMA
2709
replace_rules FRT_DISCOUNT
2710
replace_rules FRT_DOLLAR
2711
replace_rules T_FRT_ERECTION
2712
replace_rules T_FRT_ESTABLISH
2713
replace_rules FRT_ESTABLISH2
2714
replace_rules T_FRT_EXPERIENCE
2715
replace_rules T_FRT_FOLLOW1
2716
replace_rules T_FRT_FOLLOW2
2717
replace_rules T_FRT_FREE
2718
replace_rules T_FRT_FRIEND
2719
replace_rules T_FRT_FUCK1
2720
replace_rules FRT_FUCK2
2721
replace_rules FRT_GUARANTEE1
2722
replace_rules T_FRT_HEALTH
2723
replace_rules T_FRT_HOUR
2724
replace_rules T_FRT_INCOME
2725
replace_rules T_FRT_INTEREST
2726
replace_rules FRT_INVESTOR
2727
replace_rules FRT_LEVITRA
2728
replace_rules T_FRT_LITTLE
2729
replace_rules T_FRT_LOLITA1
2730
replace_rules FRT_MEETING
2731
replace_rules FRT_OFFER2
2732
replace_rules FRT_OPPORTUN1
2733
replace_rules FRT_OPPORTUN2
2734
replace_rules T_FRT_PACKAGE
2735
replace_rules T_FRT_PAYMENT
2736
replace_rules FRT_PENIS1
2737
replace_rules T_FRT_PHARMAC
2738
replace_rules T_FRT_POSSIBLE
2739
replace_rules FRT_PRICE
2740
replace_rules T_FRT_PROFILE1
2741
replace_rules T_FRT_PROFILE2
2742
replace_rules T_FRT_PROFIT1
2743
replace_rules T_FRT_PROFIT2
2744
replace_rules T_FRT_PUSSY
2745
replace_rules FRT_REFINANCE1
2746
replace_rules FRT_ROLEX
2747
replace_rules FRT_SEXUAL
2748
replace_rules T_FRT_SLUT
2749
replace_rules FRT_SOMA
2750
replace_rules FRT_SOMA2
2751
replace_rules T_FRT_STOCK1
2752
replace_rules T_FRT_STOCK2
2753
replace_rules FRT_STRONG1
2754
replace_rules FRT_STRONG2
2755
replace_rules FRT_SYMBOL
2756
replace_rules FRT_TODAY2
2757
replace_rules FRT_VALIUM1
2758
replace_rules FRT_VALIUM2
2759
replace_rules T_FRT_VIRGIN1
2760
replace_rules FRT_WEIGHT2
2761
replace_rules FRT_XANAX1
2762
replace_rules FRT_XANAX2
2763
replace_rules T_FUZZY_SPRM
2764
replace_rules FUZZY_MERIDIA
2765
replace_rules TVD_FUZZY_PHARMACEUTICAL
2766
replace_rules TVD_FUZZY_SYMBOL
2767
replace_rules T_TVD_FUZZY_SECURITIES
2768
replace_rules TVD_FUZZY_FINANCE
2769
replace_rules TVD_FUZZY_FIXED_RATE
2770
replace_rules TVD_FUZZY_MICROCAP
2771
replace_rules T_TVD_FUZZY_SECTOR
2772
replace_rules TVD_FUZZY_DEGREE
2773
replace_rules T_LFUZ_PWRMALE
2774
endif
2775
##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags _sandbox
2776
2777
##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL _sandbox
2778
2779
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2780
#reuse URIBL_RHS_DOB
2781
urirhsbl T_URIBL_RHS_AHBL rhsbl.ahbl.org. A
2782
endif
2783
##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL _sandbox
2784
2785
##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval _sandbox
2786
2787
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2788
def_whitelist_from_rcvd abuse@yahoo.com yahoo.com
2789
def_whitelist_from_rcvd MAILER-DAEMON@yahoo.com yahoo.com
2790
endif
2791
##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval _sandbox
2792
2793
##{ redirector_pattern_sandbox
2794
redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
2795
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
2796
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
2797
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
2798
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
2799
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
2800
redirector_pattern m'^http:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
2801
##} redirector_pattern_sandbox
2802
2803
2804
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2805
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
2806
endif
2807
body __APPROVALFVGT /approval/i
2808
body __BACHELORS /Bachelor/i
2809
body __BIGDOLLARSFVGT /\$\d{2,3},\d{3}/
2810
body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
2811
body __CASHPRZ /cash prize of/
2812
body __CS_WORD /\bC[A-Za-z]{2,4}IS\b/
2813
2814
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2815
mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
2816
endif
2817
header __DATE_700 Date =~ /-0700/
2818
body __DBLCLAIM /avoid double claiming/
2819
body __DIPLOMA /diploma/i
2820
body __DOS_BODY_FRI /\bfri(?:day)?\b/i
2821
body __DOS_BODY_MON /\bmon(?:day)?\b/i
2822
body __DOS_BODY_SAT /\bsat(?:day)?\b/i
2823
body __DOS_BODY_STOCK /\bstock\b/i
2824
body __DOS_BODY_SUN /\bsun(?:day)?\b/i
2825
body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
2826
body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
2827
body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
2828
body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
2829
body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
2830
body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
2831
body __DOS_DROP_ME_A_LINE /Drop me a line at/
2832
body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
2833
body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
2834
uri __DOS_HAS_ANY_URI /./
2835
body __DOS_HEADLINES /\bHeadlines\b/
2836
body __DOS_HI /^Hi,$/
2837
body __DOS_I_AM_25 /I a.?m 25/
2838
body __DOS_I_DRIVE_A /I drive a/
2839
body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
2840
body __DOS_LINK /\blink\b/
2841
body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
2842
body __DOS_MY_OLD_JOB /my old job/
2843
body __DOS_PERSONAL_EMAIL /personal email at/
2844
header __DOS_RCVD_FRI Received =~ / Fri, /
2845
header __DOS_RCVD_MON Received =~ / Mon, /
2846
header __DOS_RCVD_SAT Received =~ / Sat, /
2847
header __DOS_RCVD_SUN Received =~ / Sun, /
2848
header __DOS_RCVD_THU Received =~ / Thu, /
2849
header __DOS_RCVD_TUE Received =~ / Tue, /
2850
header __DOS_RCVD_WED Received =~ / Wed, /
2851
meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
2852
meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
2853
meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
2854
header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
2855
body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
2856
body __DOS_STRONG_CF /\bstrong cash flow/i
2857
body __DOS_SYMBOL_4 /\bSymbol [A-Z]{4}\b/
2858
body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
2859
body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
2860
header __EXCLAIM_SUBJ Subject =~ /\!/
2861
body __FB_BA /\bBA\b/
2862
body __FB_BCs /\bBSc\b/
2863
body __FB_BRAND_NAME /brand name/i
2864
body __FB_C_HTTP_WORD m'c[il1]a[a-z]{2,7}\shttp://'i
2865
body __FB_DESIGNER /designer/i
2866
body __FB_GAME /game/i
2867
body __FB_GLASHUTE /Glashute/
2868
body __FB_HANDBAGS /handbags/i
2869
body __FB_HOTTEST /hottest/i
2870
body __FB_INK_PEN /ink pen/i
2871
body __FB_LUX_GIFTS /Luxury (?:\w+\s)?Gifts/i
2872
body __FB_MA /\bMA\b/
2873
body __FB_MBA /\bMBA\b/
2874
body __FB_NUM_PERCNT /\d\s?\%/
2875
body __FB_OMEGA /Omega/i
2876
body __FB_PH_SPACE_HTTP m'PH[A-Za-z]{6,10}\b.{3,29}\shttp://'
2877
body __FB_PICK /\bpick\b/i
2878
body __FB_PROJECTED /projected/i
2879
body __FB_P_ALLNIGHT /all night!/i
2880
body __FB_P_TRUELOVE /true love/i
2881
body __FB_ROLEX_MEN /Rolex Men/i
2882
body __FB_ROLEX_WMEN /Rolex Lady/i
2883
body __FB_S_PRICE /Pri{1,2}c[a-z]?e/i
2884
body __FB_S_STOCK /Stock/i
2885
body __FB_S_SYMBOL /Symb?o?l?:\s?[A-Z_,\.-]{4,8}/i
2886
body __FB_TIMEPIECE /timepiece/i
2887
meta __FB_VIA_URL_SPEC1 (__FB_C_HTTP_WORD || __FB_V_HTTP_WORD || __FB_V_SPACE_HTTP || __FB_PH_SPACE_HTTP)
2888
body __FB_V_HTTP_WORD m'v[il1]a[a-z]{2,7}\shttp://'i
2889
body __FB_V_SPACE_HTTP m'\bv[a-z01 ]{0,3}a.{5,25}http://'i
2890
body __FB_WALLETS /wallets/i
2891
header __FHELO_VERIZON X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+verizon\.net /i
2892
header __FHOST_VERIZON X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+verizon\.net /i
2893
header __FH_FRM_53 From =~ /\@53\.com/i
2894
header __FH_HAS_XMSMAIL exists:X-MSMail-Priority
2895
header __FH_HAS_XPRIORITY exists:X-Priority
2896
header __FH_MSGID_00001C MESSAGEID =~ /^<000001c/
2897
header __FH_MSGID_01C7 MESSAGEID =~ /^<0{1,5}1c7/
2898
header __FH_MSG_53 MESSAGEID =~ /\@53\.com/i
2899
header __FH_RCV_53 Received =~ /\.53\.com/i
2900
body __FIXED_RATEFVGT /fixed rate/i
2901
meta __FM_MORTGAGE4PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 3)
2902
meta __FM_MORTGAGE5PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 4)
2903
meta __FM_MORTGAGE6PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 5)
2904
meta __FM_MY_PRICE (__FB_S_PRICE || FRT_PRICE)
2905
meta __FM_STOCK_WORDS (__FB_HOTTEST || __FB_PICK || __FB_PROJECTED)
2906
header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
2907
header __FROM_LEFT_BRACK From:name =~ /</
2908
header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
2909
header __FROM_RIGH_BRACK From:name =~ />/
2910
header __FROM_VEGAS From =~ /Vegas/i
2911
header __FS_SUBJ_RE Subject =~ /^Re: /
2912
header __FS_S_TRADE Subject =~ /\btrade\b/i
2913
2914
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2915
mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
2916
endif
2917
body __HAS_ANY_EMAIL /\w@\S+\.\w/
2918
uri __HAS_ANY_URI /./
2919
header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
2920
header __HELO_NO_DOMAIN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^\.]+ /
2921
body __HOMELOANFVGT /home loan/i
2922
header __HOST_HOTMAIL X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /
2923
header __HOTMAILCOM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=hotmail\.com /i
2924
header __HS_SUBJ_UC_FW Subject =~ /^FW:/
2925
body __KAM_LOTTO1 /(e-?mail address (have emerged a winner|has won|attached to (ticket|reference)|was one of the ten winners)|random selection in our computerized email selection system)/is
2926
body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
2927
body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling)/is
2928
body __KAM_LOTTO4 /(claims (officer|agent)|lottery coordinator|fiduciary (officer|agent)|fiduaciary claims)/is
2929
body __KAM_LOTTO5 /(freelotto group|Royal Heritage Lottery|UK National (Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery)/is
2930
body __KAM_LOTTO6 /(Dear Lucky Winner|Winning Notification|Attention:Winner|Dear Winner)/is
2931
header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|(Attention:|ONLINE) WINNER)/i
2932
uri __LOANURIFVGT /\bloa.?ns?\b/i
2933
header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
2934
header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
2935
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
2936
body __MASTERS /Masters/i
2937
body __MBA /MBA/i
2938
header __MID_START_001C Message-ID =~ /^<000001c/
2939
header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
2940
header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
2941
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
2942
uri __MORTURIFVGT /\bmor.?t\b/i
2943
header __MO_OL_015D5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2905/
2944
header __MO_OL_07794 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
2945
header __MO_OL_09BB4 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3155\.0/
2946
header __MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/
2947
header __MO_OL_20C99 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3338\.1/
2948
header __MO_OL_22B61 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
2949
header __MO_OL_25340 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
2950
header __MO_OL_32D97 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V9\.0\.2416/
2951
header __MO_OL_3857F X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1409/
2952
header __MO_OL_3AC1D X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.00\.2919\.6700/
2953
header __MO_OL_3D61D X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.2244\.8/
2954
header __MO_OL_465CD X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1506/
2955
header __MO_OL_4B815 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.2730\.2/
2956
header __MO_OL_4BF4C X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4522\.1200/
2957
header __MO_OL_4EEDB X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
2958
header __MO_OL_4F240 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
2959
header __MO_OL_58CB5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4133\.2400/
2960
header __MO_OL_5B79A X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.3790\.1830/
2961
header __MO_OL_6554A X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2905/
2962
header __MO_OL_72641 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1441/
2963
header __MO_OL_7533E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
2964
header __MO_OL_812FF X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4927\.1200/
2965
header __MO_OL_83BF7 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3110\.3/
2966
header __MO_OL_8627E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
2967
header __MO_OL_8E893 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V10\.0\.2616/
2968
header __MO_OL_91287 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
2969
header __MO_OL_9B90B X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.1700/
2970
header __MO_OL_A50F8 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4922\.1500/
2971
header __MO_OL_A842E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1441/
2972
header __MO_OL_ADFF7 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
2973
header __MO_OL_B30D1 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
2974
header __MO_OL_B4B40 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4133\.2400/
2975
header __MO_OL_B9B11 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2462\.0000/
2976
header __MO_OL_BC7E6 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4927\.1200/
2977
header __MO_OL_C65FA X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.1700/
2978
header __MO_OL_CAC8F X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.1712\.3/
2979
header __MO_OL_CF0C0 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
2980
header __MO_OL_EF20B X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2180/
2981
header __MO_OL_EF222 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2873/
2982
header __MO_OL_F3B05 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
2983
header __MO_OL_F475E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2741\.2600/
2984
header __MO_OL_F6D01 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4522\.1200/
2985
header __MO_OL_FF5C8 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2741\.2600/
2986
header __MSGID_VGA Message-ID =~ /^<000001c[67]/
2987
header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
2988
header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
2989
meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
2990
2991
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2992
mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
2993
endif
2994
2995
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2996
mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
2997
endif
2998
2999
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3000
mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
3001
endif
3002
3003
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3004
mimeheader __PART_STOCK_CL Content-Location =~ /./
3005
endif
3006
body __PHD /PhD/i
3007
body __PREAPPROVEDFVGT /pre-approved/i
3008
3009
ifplugin Mail::SpamAssassin::Plugin::DNSEval
3010
header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
3011
tflags __RCVD_IN_DNSWL nice net
3012
endif
3013
meta __SEX_WRDS (__WORD_SEX || __WORD_CUM || __WORD_SPERM || __WORD_SLUTS || __WORD_RAPED)
3014
header __SUBJ_3DIGIT Subject =~ /\b\d{3}[^0-9]/
3015
header __SUBJ_APPROVE Subject =~ /Approve/i
3016
header __SUBJ_RE Subject =~ /^R[eE]:/
3017
header __SUBJ_RE_NUM Subject =~ /^\s*Re\[\d+\]:/i
3018
header __SUBJ_VEGAS Subject =~ /(?:Vegas|Casino)/i
3019
header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
3020
header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
3021
header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
3022
header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
3023
header __TT_VALIUM Subject =~ /VALIUM/i
3024
header __TT_VIAGRA Subject =~ /VIAGRA/i
3025
header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
3026
header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
3027
header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
3028
header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
3029
header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
3030
header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
3031
header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
3032
header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
3033
header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
3034
header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
3035
header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
3036
header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
3037
header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
3038
header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
3039
header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
3040
header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
3041
header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
3042
header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
3043
header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
3044
header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
3045
header __UA_GNUS User-Agent =~ /^Gnus/
3046
header __UA_KNODE User-Agent =~ /^KNode/
3047
header __UA_MUTT User-Agent =~ /^Mutt/
3048
header __UA_PAN User-Agent =~ /^Pan/
3049
header __UA_XNEWS User-Agent =~ /^Xnews/
3050
body __VA_WORD /\bV[A-Za-z]{2,4}RA\b/
3051
body __VM_WORD /\bV[A-Za-z]{2,5}UM\b/
3052
body __WORD_CUM /\bcum\b/i
3053
body __WORD_RAPED /\braped?\b/i
3054
body __WORD_SEX /\bsex(?:iest|y)?\b/i
3055
body __WORD_SLUTS /\bsluts?\b/i
3056
body __WORD_SPERM /\bsperm\b/i
3057
header __XM_GNUS X-Mailer =~ /^Gnus v/
3058
header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
3059
header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
3060
header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
3061
header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
3062
header __XM_OL_015D5 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3063
header __XM_OL_07794 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3064
header __XM_OL_09BB4 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3155\.0/
3065
header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
3066
header __XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/
3067
header __XM_OL_20C99 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3338\.1/
3068
header __XM_OL_22B61 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1158/
3069
header __XM_OL_25340 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3070
header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
3071
header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
3072
header __XM_OL_32D97 X-Mailer =~ /Microsoft\ Outlook\ IMO\,\ Build\ 9\.0\.2416\ \(9\.0\.2910\.0\)/
3073
header __XM_OL_3857F X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3074
header __XM_OL_3AC1D X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.00\.2919\.6700/
3075
header __XM_OL_3D61D X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.2244\.8/
3076
header __XM_OL_465CD X-Mailer =~ /Microsoft\ Outlook\,\ Build\ 10\.0\.3416/
3077
header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
3078
header __XM_OL_4B815 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.2730\.2/
3079
header __XM_OL_4BF4C X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3080
header __XM_OL_4EEDB X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3081
header __XM_OL_4F240 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3082
header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
3083
header __XM_OL_58CB5 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3084
header __XM_OL_5B79A X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3085
header __XM_OL_6554A X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3086
header __XM_OL_72641 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1441/
3087
header __XM_OL_7533E X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4963\.1700/
3088
header __XM_OL_812FF X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3089
header __XM_OL_83BF7 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3110\.3/
3090
header __XM_OL_8627E X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1437/
3091
header __XM_OL_8E893 X-Mailer =~ /Microsoft\ Outlook\,\ Build\ 10\.0\.2616/
3092
header __XM_OL_91287 X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4807\.2300/
3093
header __XM_OL_9B90B X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3094
header __XM_OL_A50F8 X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4922\.1500/
3095
header __XM_OL_A842E X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1158/
3096
header __XM_OL_ADFF7 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3097
header __XM_OL_B30D1 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3098
header __XM_OL_B4B40 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3099
header __XM_OL_B9B11 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2462\.0000/
3100
header __XM_OL_BC7E6 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3101
header __XM_OL_C65FA X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3102
header __XM_OL_CAC8F X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.1712\.3/
3103
header __XM_OL_CF0C0 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3104
header __XM_OL_EF20B X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1478/
3105
header __XM_OL_EF222 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2900\.2873/
3106
header __XM_OL_F3B05 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3107
header __XM_OL_F475E X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3108
header __XM_OL_F6D01 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3109
header __XM_OL_FF5C8 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3110
header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
3111
header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
3112
header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
3113
body __YOUR_ACCOUNT /your account/i
3114
body __YOUR_CREDITFVGT /your credit/i
Loggerhead is a web-based interface for Breezy
Version: 2.0.1