1
# SpamAssassin rules file
3
# Please don't modify this file as your changes will be overwritten with
4
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
5
# See 'perldoc Mail::SpamAssassin::Conf' for details.
8
# Licensed to the Apache Software Foundation (ASF) under one or more
9
# contributor license agreements. See the NOTICE file distributed with
10
# this work for additional information regarding copyright ownership.
11
# The ASF licenses this file to you under the Apache License, Version 2.0
12
# (the "License"); you may not use this file except in compliance with
13
# the License. You may obtain a copy of the License at:
15
# http://www.apache.org/licenses/LICENSE-2.0
17
# Unless required by applicable law or agreed to in writing, software
18
# distributed under the License is distributed on an "AS IS" BASIS,
19
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20
# See the License for the specific language governing permissions and
21
# limitations under the License.
24
###########################################################################
26
require_version @@VERSION@@
29
header APOSTROPHE_FROM From:addr =~ /'/
30
describe APOSTROPHE_FROM From address contains an apostrophe
34
header AXB_XMID_1212 Message-Id =~ /^<[0-9]{12}\.[0-9]{12}\@/
35
describe AXB_XMID_1212 Barbera Fingerprint
39
header AXB_XMID_1510 Message-Id =~ /<[0-9A-F]{15}\.[0-9A-F]{10}\@/
40
describe AXB_XMID_1510 Brunello Fingerprint
43
##{ AXB_XMID_OEGOESNULL
44
header AXB_XMID_OEGOESNULL Message-ID =~ /^<[0-9-a-f]{12}\$[0-9-a-f]{8}\$[0]{8}\@/
45
describe AXB_XMID_OEGOESNULL Amarone Fingerprint
46
##} AXB_XMID_OEGOESNULL
48
##{ AXB_XM_SENDMAIL_NOT
49
header AXB_XM_SENDMAIL_NOT Received =~ /\([123456790]{1,2}\.[0-9]{1,2}\.[0-9]{1}\/[0-9]{1,2}\.[0-9]{2}\.[0-9]{1}\)/
50
describe AXB_XM_SENDMAIL_NOT Nebbiolo fingerprint
51
##} AXB_XM_SENDMAIL_NOT
54
header AXB_XR_STULDAP Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
58
header AXB_XTIDX_CHAIN Thread-Index =~ /(?:\*|\<\>|\)|\()/
59
describe AXB_XTIDX_CHAIN Montepulciano Fingerprint
63
body BANKING_LAWS /banking laws/i
64
describe BANKING_LAWS Talks about banking laws
67
##{ BASE64_LENGTH_78_79
69
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
70
body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
72
##} BASE64_LENGTH_78_79
74
##{ BASE64_LENGTH_79_INF
76
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
77
body BASE64_LENGTH_79_INF eval:check_base64_length('79')
79
##} BASE64_LENGTH_79_INF
81
##{ CORRUPT_FROM_LINE_IN_HDRS
82
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
83
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
84
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
85
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
86
##} CORRUPT_FROM_LINE_IN_HDRS
89
meta CTYPE_001C_A (0) # obsolete
93
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
98
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
99
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
100
describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
105
body CURR_PRICE /\bCurrent Price:/
109
body DEAR_WINNER /\bdear.{1,20}winner/i
112
##{ DNS_FROM_OPENWHOIS
114
ifplugin Mail::SpamAssassin::Plugin::DNSEval
115
header DNS_FROM_OPENWHOIS eval:check_rbl_envfrom('openwhois', 'bl.open-whois.org.')
116
describe DNS_FROM_OPENWHOIS Envelope sender listed in bl.open-whois.org.
117
tflags DNS_FROM_OPENWHOIS net publish
119
##} DNS_FROM_OPENWHOIS
122
meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
123
describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
127
meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
128
describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
132
body DOS_PROVISION4 /\bProvisionfor income taxes\b/
133
describe DOS_PROVISION4 Provision for income taxes
134
#score DOS_PROVISION4 1.5
137
##{ DOS_REPORT_FIN_INC
138
body DOS_REPORT_FIN_INC /\bReport of financial income\b/
139
describe DOS_REPORT_FIN_INC Report of financial income
140
#score DOS_REPORT_FIN_INC 0.5
141
##} DOS_REPORT_FIN_INC
144
meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
145
describe DOS_STOCK_BAT Probable pump and dump stock spam
149
meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
152
##{ DOS_STOCK_CDYV_GENERIC
153
body DOS_STOCK_CDYV_GENERIC /(?:Lookup|Sym8oL|Search for|Promoting sym|S\.umbol|Target sym|Campaign for): [A-Z]{4},?.{1,50}\b[Pp]rice/
154
describe DOS_STOCK_CDYV_GENERIC Pump and dump stock spam
155
#score DOS_STOCK_CDYV_GENERIC 2.5
156
##} DOS_STOCK_CDYV_GENERIC
158
##{ DOS_STOCK_INCOME_STATEMENT
159
meta DOS_STOCK_INCOME_STATEMENT DOS_REPORT_FIN_INC && DOS_PROVISION4 && __DOS_SYMBOL_4 && __DOS_HEADLINES
160
describe DOS_STOCK_INCOME_STATEMENT Pump and dump stock income statement spam
161
#score DOS_STOCK_INCOME_STATEMENT 1.5
162
##} DOS_STOCK_INCOME_STATEMENT
165
uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
166
describe DOS_URI_ASTERISK Found an asterisk in a URI
170
meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
171
describe DOS_YOUR_PLACE Russian dating spam
175
header DRUGS_HDIA Subject =~ /\bhoodia\b/i
178
##{ DRUGS_STOCK_MIMEOLE
179
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
180
describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
181
##} DRUGS_STOCK_MIMEOLE
183
##{ DYN_RDNS_AND_INLINE_IMAGE
184
meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
185
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
186
##} DYN_RDNS_AND_INLINE_IMAGE
188
##{ DYN_RDNS_SHORT_HELO_HTML
189
meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
190
describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
191
##} DYN_RDNS_SHORT_HELO_HTML
193
##{ DYN_RDNS_SHORT_HELO_IMAGE
194
meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
195
describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
196
##} DYN_RDNS_SHORT_HELO_IMAGE
199
meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
203
body FB_ADD_INCHES /(?:add|gain) inches/i
204
describe FB_ADD_INCHES Add / Gain inches
208
body FB_ALMOST_SEX /\b[b-z]sex+\b/i
209
describe FB_ALMOST_SEX It's almost sex, but not!
213
body FB_ANA_TRIM /Ana[^a-z]trim/i
214
describe FB_ANA_TRIM Broken AnaTrim phrase.
218
body FB_ANUI /A[-_\.]U[-_\.]N[-_\.]I/i
219
describe FB_ANUI Phrase: A_U_N_I
223
body FB_BILLI0N /[BM][I1]LL[I1]0N/i
224
describe FB_BILLI0N Phrase: [BM]Illi0n
228
body FB_C0MPANY /c0mpany/i
229
describe FB_C0MPANY Phrase: C0mpany
233
body FB_CAN_LONGER /can last longer/i
234
describe FB_CAN_LONGER Phrase: can last longer
238
body FB_CIALIS_LEO3 /(?!CIALIS)\bC\s?[a-z]?\s?[Iitl1\\\/]\s?[a-z]?\s?[Aa]\s?[a-z]?\s?[LIl1\\\/]\s?[a-z]?\s?[ilIt1\\\/]\s?[a-z]?\s?[Ss]\b/
239
describe FB_CIALIS_LEO3 Uses a mis-spelled version of cialis.
243
body FB_DOUBLE_0WORDS /\b[a-z]{1,5}0[a-z]{3,9}\s[a-z]{1,5}0[a-z]{3,9}\b/i
244
describe FB_DOUBLE_0WORDS Looks like double 0 words
248
body FB_EMAIL_HIER /email hier/i
249
describe FB_EMAIL_HIER Phrase: email hier
253
body FB_EXTRA_INCHES /extra inches/
254
describe FB_EXTRA_INCHES Phrase: extra inches
258
body FB_FAKE_NUMBERS /\$\d\d?O\s*[MBT]/i
259
describe FB_FAKE_NUMBERS Looks like numbers with O's insted of 0's
263
body FB_FAKE_NUMS4 /(?:\b|\b\d)\d,?\d,?OO(?:\b|\d\b)/
264
describe FB_FAKE_NUMS4 Looks like fake numbers (4)
268
body FB_FHARMACY /Fharmacy/i
269
describe FB_FHARMACY Phrase: Farmacy
273
body FB_FORWARD_LOOK /(?!forward look)f[o0]rward l[0o][0o]k/i
274
describe FB_FORWARD_LOOK Phrase: forward look with 0's
278
body FB_GAPPY_ADDRESS /(?:[a-z] ){8}, (?:[a-z0-9] ){4}/i
279
describe FB_GAPPY_ADDRESS Too much spacing in Address
283
body FB_GET_MEDS /(?:place f[o0]r|[0o]rder|get\s?(?:y[o0]ur)?|online|quality).{1,7}med[isz][^a]/i
284
describe FB_GET_MEDS Looks like trying to sell meds
288
body FB_GVR /(?:pef-rx|vigrex-ds|gsc-100|vp-rx|gv-promax|phentermine|adipex|xenical)/i
289
describe FB_GVR Looks like generic viagra
293
body FB_HEY_BRO_COMMA /Hey bro, /
294
describe FB_HEY_BRO_COMMA Phrase hey bro,
298
body FB_HG_H_CAP /\bHGH\b/
299
describe FB_HG_H_CAP Phrase: HGH
303
body FB_HOMELOAN /\$\d{3},\d{3} home loan/i
304
describe FB_HOMELOAN Phrase $x home loan
308
body FB_IMPRESS_GIRL /\bimpress .{0,5}girl\b/
309
describe FB_IMPRESS_GIRL Phrase: impress ... girl
313
body FB_INCREASE_YOUR /Increase your energy/i
314
describe FB_INCREASE_YOUR Phrase: Increase your energy
318
body FB_INDEPEND_RWD /independent reward/i
319
describe FB_INDEPEND_RWD Phrase: independent reward
323
body FB_L0AN /\bl0ans?\b/i
324
describe FB_L0AN Phrase: L0an
328
body FB_LETTERS_21B /-- [a-z]{21}/
329
describe FB_LETTERS_21B Special people leave special signs!
333
body FB_LOWER_PAYM /lower your monthly payments/i
334
describe FB_LOWER_PAYM Phrase: lower your monthly payments
338
body FB_MED1CAT /\bmed1cat/i
339
describe FB_MED1CAT Phrase: Med1cat
343
body FB_MEDS_PERCENT /meds .{3,10}\d\s?%/i
344
describe FB_MEDS_PERCENT Talks about meds and %
348
body FB_MORE_SIZE /\bmore size\b/
349
describe FB_MORE_SIZE Phrase: more size
352
##{ FB_NOT_PHONE_NUM1
353
body FB_NOT_PHONE_NUM1 /(?!\d{3})8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]/i
354
describe FB_NOT_PHONE_NUM1 Looks like a fake phone number (1)
355
##} FB_NOT_PHONE_NUM1
357
##{ FB_NOT_PHONE_NUM3
358
body FB_NOT_PHONE_NUM3 /8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]{1,3}(?!\d{4})[OIL0-9]{4}/i
359
describe FB_NOT_PHONE_NUM3 Looks like a fake phone number (3)
360
##} FB_NOT_PHONE_NUM3
363
body FB_NOT_SCHOOL /(?!school)[\$s5]ch[o0][o0][il1\|]/i
364
describe FB_NOT_SCHOOL Looks like school but it's not!
367
##{ FB_NO_SCRIP_NEEDED
368
body FB_NO_SCRIP_NEEDED /No.{1,10}P(?:er|re)scr[i1]pt[i1][o0]n (?:needed|requ[1i]re)/i
369
describe FB_NO_SCRIP_NEEDED Phrase: no prescription needed.
370
##} FB_NO_SCRIP_NEEDED
373
body FB_NUMYO /1[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
374
describe FB_NUMYO Speaks of teenager.
378
body FB_NUMYO2 /2[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
379
describe FB_NUMYO2 Speaks of 20+ year old.
382
##{ FB_ODD_SPACED_MONEY
383
body FB_ODD_SPACED_MONEY /\$\d\s,\s\d\d/
384
describe FB_ODD_SPACED_MONEY Looks like money but has odd spacing.
385
##} FB_ODD_SPACED_MONEY
388
body FB_ONIINE /oniine/i
389
describe FB_ONIINE Mis-spelled online
393
body FB_P1LL /\bp1ll/i
394
describe FB_P1LL Phrase: p1ll
398
body FB_PENIS_GROWTH /pen[i1]s grow(?:th)?/i
399
describe FB_PENIS_GROWTH Phrase: penis growth
403
body FB_PIPEDOLLAR /(?!dollar)d[o0][1|li][1|li]ar/i
404
describe FB_PIPEDOLLAR Phrase: Dollar, with pipes or 0's.
408
body FB_PIPE_ILLION /(?!illion)i[l|][l|][i|][o0]n/i
409
describe FB_PIPE_ILLION Looks like illion, but it's not
412
##{ FB_PROLONGED_HARD
413
body FB_PROLONGED_HARD /(?:prolonged|increased) hardness/i
414
describe FB_PROLONGED_HARD Talks about prolonged hardness
415
##} FB_PROLONGED_HARD
417
##{ FB_QUALITY_REPLICA
418
body FB_QUALITY_REPLICA /quality replica/i
419
describe FB_QUALITY_REPLICA Phrase: quality replica
420
##} FB_QUALITY_REPLICA
422
##{ FB_REF_CODE_SPACE
423
body FB_REF_CODE_SPACE /r e f c o d e/i
424
describe FB_REF_CODE_SPACE Refcode with spacing
425
##} FB_REF_CODE_SPACE
428
body FB_REPLIC_CAP /REPLICAS?\b/
429
describe FB_REPLIC_CAP Phrase: REPLICA
433
body FB_RE_FI /\bre[^a-z]fi\b/
434
describe FB_RE_FI Looks like refi.
438
body FB_ROLLER_IS_T /Roller is th/i
439
describe FB_ROLLER_IS_T Phrase: Roller is th
443
body FB_ROLX /\brolx\b/i
444
describe FB_ROLX Phrase: rolx
448
body FB_SOFTTABS /\bsoft\s?t?abs\b/i
449
describe FB_SOFTTABS Phrase: Softabs
453
body FB_SPACED_FREE /F R E E/i
454
describe FB_SPACED_FREE Phrase: F R E E
458
body FB_SPACED_PHN_3B /\d\d\d--\d\d\d--?\d\d\d\d/
459
describe FB_SPACED_PHN_3B Phone number with -- spacing. (B)
463
body FB_SPACEY_ZIP /\s\d\s\d\s\d\s\d\s\d\s-\s\d\s\d\s\d\s\d/
464
describe FB_SPACEY_ZIP Looks like a s p a c e d zipcode.
468
body FB_SPUR_M /\bSPUR-M\b/i
469
describe FB_SPUR_M Phrase: SPUR-M
473
body FB_SSEX /\bssex\b/
474
describe FB_SSEX Phrase: ssex
478
body FB_STOCK_EXPLODE /st[0o]ck\b.{4,10}expl[o0]de/i
479
describe FB_STOCK_EXPLODE Looks like stocks exploding.
483
body FB_SYMBLO /\bSymblo\b/i
484
describe FB_SYMBLO Mis-spelled symbol.
488
body FB_THIS_ADVERT /this advertiser/i
489
describe FB_THIS_ADVERT Phrase: this advertiser
492
##{ FB_THOUS_PERSONAL
493
body FB_THOUS_PERSONAL /thousand personal/i
494
describe FB_THOUS_PERSONAL Phrase: thousand personal
495
##} FB_THOUS_PERSONAL
497
##{ FB_TO_STOP_DISTRO
498
body FB_TO_STOP_DISTRO /To (?:(?:stop further|longer get) distribution|stop (?:receiving )?announcements)/i
499
describe FB_TO_STOP_DISTRO Phrase: to stop further distribution
500
##} FB_TO_STOP_DISTRO
503
body FB_ULTRA_ALLURE /Ultra Allure/i
504
describe FB_ULTRA_ALLURE Phrase: Ultra Allure
508
body FB_UNLOCK_YOUR_G /lock ?(?:to ?)? your girlfriend/i
509
describe FB_UNLOCK_YOUR_G Phrase: lock to your girlfriend
513
body FB_UNRESOLV_PROV /\{PROV_\d_\d\}/
514
describe FB_UNRESOLV_PROV Pattern Replacement PROV_D
517
##{ FB_WORD1_END_DOLLAR
518
body FB_WORD1_END_DOLLAR / [a-z013]{3,6}\$ /i
519
describe FB_WORD1_END_DOLLAR Looks like a word ending with a $
520
##} FB_WORD1_END_DOLLAR
522
##{ FB_YOURSELF_MASTER
523
body FB_YOURSELF_MASTER /yourself master/i
524
describe FB_YOURSELF_MASTER Phrase: yourself master
525
##} FB_YOURSELF_MASTER
528
body FB_YOUR_REFI /Your refi/i
529
describe FB_YOUR_REFI Phrase: Your refi
533
header FH_BAD_OEV1441 X-Mailer =~ /^Microsoft Outlook Express 6\.00\.2800\.1441$/
534
describe FH_BAD_OEV1441 Bad X-Mailer version
538
header FH_DATE_IS_19XX Date =~ /19[789][0-9]/ [if-unset: 2006]
539
describe FH_DATE_IS_19XX The date is not 19xx.
542
##{ FH_DATE_PAST_20XX
543
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
544
describe FH_DATE_PAST_20XX The date is grossly in the future.
545
##} FH_DATE_PAST_20XX
547
##{ FH_FAKE_RCVD_LINE
548
header FH_FAKE_RCVD_LINE Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/
549
describe FH_FAKE_RCVD_LINE RCVD line looks faked (A)
550
##} FH_FAKE_RCVD_LINE
553
header FH_FROMEML_NOTLD From:addr !~ /\./ [if-unset: foo@bar.com]
554
describe FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
558
header FH_FROM_CASH From:name =~ /\bcash\b/i
559
describe FH_FROM_CASH From name has "cash"
563
header FH_FROM_GET_NAME From:name =~ /\bGet\b/i
564
describe FH_FROM_GET_NAME From name says Get
568
header FH_FROM_GIVEAWAY From =~ /Giveaway/i
569
describe FH_FROM_GIVEAWAY From name is giveaway.
573
header FH_FROM_HOODIA From =~ /Hoodia/i
574
describe FH_FROM_HOODIA From has Hoodia!!?
578
header FH_HAS_XAIMC exists:X-AIMC-AUTH
579
describe FH_HAS_XAIMC Has X-AIMC-AUTH header
583
header FH_HAS_XID exists:X-ID
584
describe FH_HAS_XID Has X-ID
587
##{ FH_HELO_ALMOST_IP
588
header FH_HELO_ALMOST_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
589
describe FH_HELO_ALMOST_IP Helo is almost an IP addr.
590
##} FH_HELO_ALMOST_IP
593
header FH_HELO_ENDS_DOT X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+\. by=/
594
describe FH_HELO_ENDS_DOT Helo ends with a dot.
597
##{ FH_HELO_EQ_610HEX
598
header FH_HELO_EQ_610HEX X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=-?[A-F0-9]{6,10} /
599
describe FH_HELO_EQ_610HEX Helo is 6-10 hex chr's.
600
##} FH_HELO_EQ_610HEX
602
##{ FH_HELO_EQ_CHARTER
603
header FH_HELO_EQ_CHARTER X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}.{5,20}\.charter\.com /i
604
describe FH_HELO_EQ_CHARTER Helo is d-d-d-d charter.com
605
##} FH_HELO_EQ_CHARTER
607
##{ FH_HELO_EQ_D_D_D_D
608
header FH_HELO_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
609
describe FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
610
##} FH_HELO_EQ_D_D_D_D
612
##{ FH_HELO_GMAILSMTP
613
header FH_HELO_GMAILSMTP Received =~ /HELO gmail-smtp-in/
614
describe FH_HELO_GMAILSMTP Faked helo of gmail-smtp-in
615
##} FH_HELO_GMAILSMTP
617
##{ FH_HOST_EQ_DYNAMICIP
618
header FH_HOST_EQ_DYNAMICIP X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
619
describe FH_HOST_EQ_DYNAMICIP Host is dynamicip
620
##} FH_HOST_EQ_DYNAMICIP
622
##{ FH_HOST_EQ_PACBELL_D
623
header FH_HOST_EQ_PACBELL_D X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.dsl\.\w{2,10}\.pacbell\.net /
624
describe FH_HOST_EQ_PACBELL_D Host is pacbell.net dsl
625
##} FH_HOST_EQ_PACBELL_D
627
##{ FH_HOST_EQ_VERIZON_P
628
header FH_HOST_EQ_VERIZON_P X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=pool-\d.{5,30}\.verizon\.net/
629
describe FH_HOST_EQ_VERIZON_P Host is pool-.+verizon.net
630
##} FH_HOST_EQ_VERIZON_P
633
header FH_MSGID_000000 MESSAGEID =~ /\$00000000\@/
634
describe FH_MSGID_000000 Special MSGID
638
header FH_MSGID_01C67 Message-ID =~ /^<000001c[67]/
639
describe FH_MSGID_01C67 Special MSGID
642
##{ FH_MSGID_01C70XXX
643
header FH_MSGID_01C70XXX MESSAGEID =~ /^<01c70[a-f][a-f0-9]{2}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z0-9-]+>$/
644
describe FH_MSGID_01C70XXX MESSAGE ID seen often!!!
645
##} FH_MSGID_01C70XXX
648
header FH_MSGID_REPLACE MESSAGEID =~ /^<%MSGID/
649
describe FH_MSGID_REPLACE Broken Replace Template
653
header FH_MSGID_XXBLAH MESSAGEID =~ /6c822ecf/
654
describe FH_MSGID_XXBLAH Common sign in msg-id's 12/21/2006
658
header FH_MSGID_XXX MESSAGEID =~ /\@xxx/i
659
describe FH_MSGID_XXX Message-Id = @xxx
663
header FH_RE_NEW_DDD Subject =~ /^Re: new\s?\d{0,3}$/i
664
describe FH_RE_NEW_DDD Subject is Re: new \d\d\d
668
header FH_XMAIL_REPLACE X-Mailer =~ /%XMAILER/
669
describe FH_XMAIL_REPLACE Broken Replace Template
673
header FH_XMAIL_RND_833 X-Mailer =~ /^[a-z]{3}\sv8\.3\.3\./
674
describe FH_XMAIL_RND_833 Special X-Mailer Version
677
##{ FM_DOESNT_SAY_STOCK
678
meta FM_DOESNT_SAY_STOCK (__FB_S_SYMBOL && __FM_MY_PRICE && !__FB_S_STOCK && !__FS_S_TRADE)
679
describe FM_DOESNT_SAY_STOCK It's a stock spam but doesn't say stock
680
##} FM_DOESNT_SAY_STOCK
682
##{ FM_FAKE_53COM_SPOOF
683
meta FM_FAKE_53COM_SPOOF (__FH_FRM_53 && !__FH_MSG_53 && !__FH_RCV_53)
684
describe FM_FAKE_53COM_SPOOF Spoof mail from 53.com?
685
##} FM_FAKE_53COM_SPOOF
687
##{ FM_FAKE_HELO_HOTMAIL
688
meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL)
689
describe FM_FAKE_HELO_HOTMAIL Looks like a fake hotmail.com helo.
690
##} FM_FAKE_HELO_HOTMAIL
692
##{ FM_FAKE_HELO_VERIZON
693
meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON)
694
describe FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
695
##} FM_FAKE_HELO_VERIZON
697
##{ FM_FRM_RN_L_BRACK
698
meta FM_FRM_RN_L_BRACK (__FROM_RIGH_BRACK && !__FROM_LEFT_BRACK)
699
describe FM_FRM_RN_L_BRACK From name has > but not <
700
##} FM_FRM_RN_L_BRACK
702
##{ FM_IS_IT_OUR_ACCOUNT
703
meta FM_IS_IT_OUR_ACCOUNT (__YOUR_ACCOUNT && __MANY_RECIPS)
704
describe FM_IS_IT_OUR_ACCOUNT Is it our account?
705
##} FM_IS_IT_OUR_ACCOUNT
708
meta FM_LIKE_STOCKS (__FM_STOCK_WORDS && !__FB_S_STOCK && __FB_S_SYMBOL)
709
describe FM_LIKE_STOCKS It looks like a duck, it's a duck!
712
##{ FM_LUX_GIFTS_REDUCED
713
meta FM_LUX_GIFTS_REDUCED (__FB_LUX_GIFTS && __FB_NUM_PERCNT)
714
describe FM_LUX_GIFTS_REDUCED Luxury Gifts with dd%
715
##} FM_LUX_GIFTS_REDUCED
717
##{ FM_MANY_DRUG_WORDS
718
meta FM_MANY_DRUG_WORDS (__VA_WORD && __CS_WORD && __VM_WORD)
719
describe FM_MANY_DRUG_WORDS Lot's of almost drug words
720
##} FM_MANY_DRUG_WORDS
723
meta FM_MORTGAGE4PLUS (__FM_MORTGAGE4PLUS && !__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
724
describe FM_MORTGAGE4PLUS Looks like a mortgage spam (4+)
728
meta FM_MORTGAGE5PLUS (__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
729
describe FM_MORTGAGE5PLUS Looks like a mortgage spam (5+)
733
meta FM_MORTGAGE6PLUS (__FM_MORTGAGE6PLUS)
734
describe FM_MORTGAGE6PLUS Looks like a mortgage spam (6+)
737
##{ FM_MULTI_LUX_GIFTS
738
meta FM_MULTI_LUX_GIFTS ((__FB_BRAND_NAME + __FB_TIMEPIECE + __FB_WALLETS + __FB_HANDBAGS + __FB_DESIGNER + __FB_LUX_GIFTS + __FB_NUM_PERCNT + __FB_INK_PEN) > 3)
739
describe FM_MULTI_LUX_GIFTS Talks about variety of luxury gifts
740
##} FM_MULTI_LUX_GIFTS
743
meta FM_PHN_NODNS (FB_SPACED_PHN_3B && RDNS_NONE)
744
describe FM_PHN_NODNS Phone spacing + no dns
748
meta FM_RATSIGN_1106 (__MSGID_VGA && __DATE_700)
749
describe FM_RATSIGN_1106 Fingerprint seen in lots of spam. 11/2006
753
meta FM_RE_HELLO_SPAM (__FH_MSGID_01C7 && __FH_HAS_XMSMAIL && __FH_HAS_XPRIORITY && __FS_SUBJ_RE)
754
describe FM_RE_HELLO_SPAM Re: Hello / hi
758
meta FM_ROLEX_ADS (__FB_ROLEX_MEN && __FB_ROLEX_WMEN && __FB_OMEGA && __FB_GLASHUTE)
759
describe FM_ROLEX_ADS Looks like Rolex spams.
763
meta FM_SCHOOLING ((__BACHELORS + __MASTERS + __MBA + __PHD) > 2)
764
describe FM_SCHOOLING Meta Combo Phrase for Schooling (2)
767
##{ FM_SCHOOL_DIPLOMA
768
meta FM_SCHOOL_DIPLOMA (FM_SCHOOLING && __DIPLOMA)
769
describe FM_SCHOOL_DIPLOMA Meta for Schooling + Diploma.
770
##} FM_SCHOOL_DIPLOMA
773
meta FM_SCHOOL_TYPES (__FB_BA && __FB_BCs && __FB_MA && __FB_MBA)
774
describe FM_SCHOOL_TYPES Meta Combo Phrase for Schooling
778
meta FM_SEX_HELODDDD (__SEX_WRDS && FH_HELO_EQ_D_D_D_D)
779
describe FM_SEX_HELODDDD Sex words + helo = dddd
783
meta FM_SUBJ_APPROVE (__EXCLAIM_SUBJ && __SUBJ_APPROVE)
784
describe FM_SUBJ_APPROVE Subject has Approve and !
787
##{ FM_TRUE_LOV_ALL_N
788
meta FM_TRUE_LOV_ALL_N (__FB_P_TRUELOVE && __FB_P_ALLNIGHT)
789
describe FM_TRUE_LOV_ALL_N True Love all Night!
790
##} FM_TRUE_LOV_ALL_N
793
meta FM_VEGAS_CASINO ((__FROM_VEGAS + __SUBJ_3DIGIT + __SUBJ_VEGAS + __FB_GAME) > 2)
794
describe FM_VEGAS_CASINO Looks like vega casino spam
797
##{ FM_VIAGRA_SPAM1114
798
meta FM_VIAGRA_SPAM1114 (__FH_MSGID_00001C && __FB_VIA_URL_SPEC1)
799
describe FM_VIAGRA_SPAM1114 Signs of a Viagra spam 11/14/2006
800
##} FM_VIAGRA_SPAM1114
803
header FM_XMAIL_F_OUT X-Mailer =~ /Microsoft Outlook Express V6.00.2900.2180/
804
describe FM_XMAIL_F_OUT Looks like Fake Outlook?
809
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
810
body FRT_ADOBE2 /<inter W0><post P2>\b(?!adobe)<A><D><O><B><E>\b/i
811
describe FRT_ADOBE2 ReplaceTags: Adobe
817
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
818
body FRT_BIGGERMEM1 /<inter SP2><post P2>(?:<B><I><G><G><E><R>|<L><A><R><G><E><R>).{1,8}(?:<P><E><N><I><S>|<B><R><E><A><S><T>|<M><E><M><B><E><R>)/i
819
describe FRT_BIGGERMEM1 ReplaceTags: Bigger / Larger, Penis / Member
825
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
826
body FRT_DIPLOMA /<inter SP2><post P2>\b(?!diploma)<D><I><P><L><O><M><A>/i
827
describe FRT_DIPLOMA ReplaceTags: Diploma
833
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
834
body FRT_DISCOUNT /<inter SP2><post P2>\b(?!discount)<D><I><S><C><O><U><N><T>/i
835
describe FRT_DISCOUNT ReplaceTags: Discount
841
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
842
body FRT_DOLLAR /<inter SP2><post P2>\b(?!dollar)<D><O><L><L><A><R>/i
843
describe FRT_DOLLAR ReplaceTags: Dollar
849
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
850
body FRT_ESTABLISH2 /<inter W0><post P2>\b(?!estabi?lish)<E><S><T><A><B><L><I><S><H>/i
851
describe FRT_ESTABLISH2 ReplaceTags: Establish (2)
857
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
858
body FRT_FUCK2 /<inter W0><post P2>\b(?!fuck)<F><U><C><K>/i
859
describe FRT_FUCK2 ReplaceTags: Fuck (2)
865
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
866
body FRT_GUARANTEE1 /<inter SP2><post P2>(?!guarantee)<G><U><A><R><A><N><T><E><E>/i
867
describe FRT_GUARANTEE1 ReplaceTags: Guarantee (1)
873
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
874
body FRT_INVESTOR /<inter SP2><post P2>\b(?!investor)<I><N><V><E><S><T><O><R>/i
875
describe FRT_INVESTOR ReplaceTags: Investor
881
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
882
body FRT_LEVITRA /<inter W0><post P2>(?!levitra)<L><E><V><I><T><R><A>/i
883
describe FRT_LEVITRA ReplaceTags: Levitra
889
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
890
body FRT_MEETING /<inter SP2><post P2>\b(?!meeting)<M><E><E><T><I><N><G>\b/i
891
describe FRT_MEETING ReplaceTags: Meeting
897
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
898
body FRT_OFFER2 /<inter W0><post P2>\b(?!offer)<O><F><F><E><R>/i
899
describe FRT_OFFER2 ReplaceTags: Offer (2)
905
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
906
body FRT_OPPORTUN1 /<inter SP2><post P2>(?!opportun)<O><P><P><O><R><T><U><N>/i
907
describe FRT_OPPORTUN1 ReplaceTags: Oppertun (1)
913
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
914
body FRT_OPPORTUN2 /<inter W0><post P2>(?!opportun)<O><P><P><O><R><T><U><N>/i
915
describe FRT_OPPORTUN2 ReplaceTags: Oppertun (2)
921
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
922
body FRT_PENIS1 /<inter SP2><post P2>\b(?!pen\s?is)(?!penny[ ']?s)<P><E><N><I><S>/i
923
describe FRT_PENIS1 ReplaceTags: Penis
929
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
930
body FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><I><C><E>\b/i
931
describe FRT_PRICE ReplaceTags: Price
937
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
938
body FRT_REFINANCE1 /<inter SP2><post P2>\b(?!refinanc)<R><E><F><I><N><A><N><C>/i
939
describe FRT_REFINANCE1 ReplaceTags: Refinance (1)
945
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
946
body FRT_ROLEX /<inter SP2><post P2>\b(?!rolex)<R><O><L><E><X>/i
947
describe FRT_ROLEX ReplaceTags: Rolex
953
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
954
body FRT_SEXUAL /<inter SP2><post P2>\b(?!sexual)<S><E><X><U><A><L>/i
955
describe FRT_SEXUAL ReplaceTags: Sexual
961
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
962
body FRT_SOMA /<post P2>\b(?!soma|500mg)<S><O><M><A>\b/i
963
describe FRT_SOMA ReplaceTags: Soma
969
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
970
body FRT_SOMA2 /<inter SP2><post P2>\b(?!soma|500? ?mg)<S><O><M><A>\b/i
971
describe FRT_SOMA2 ReplaceTags: Soma (2)
977
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
978
body FRT_STRONG1 /<inter SP2><post P2>\b(?!stro\s?ng)<S><T><R><O><N><G>\b/i
979
describe FRT_STRONG1 ReplaceTags: Strong (1)
985
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
986
body FRT_STRONG2 /<inter W0><post P2>\b(?!strong)<S><T><R><O><N><G>\b/i
987
describe FRT_STRONG2 ReplaceTags: Strong (2)
993
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
994
body FRT_SYMBOL /<inter SP2><post P2>\b(?!symbol)<S><Y><M><B><O><L>/i
995
describe FRT_SYMBOL ReplaceTags: Symbol
1001
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1002
body FRT_TODAY2 /<inter W0><post P2>\b(?!today)<T><O><D><A><Y>/i
1003
describe FRT_TODAY2 ReplaceTags: Today (2)
1009
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1010
body FRT_VALIUM1 /<inter W0><post P2>\b(?!valium)<V><A><L><I><U><M>/i
1011
describe FRT_VALIUM1 ReplaceTags: Valium
1017
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1018
body FRT_VALIUM2 /<inter SP2><post P2>\b(?!valium)<V><A><L><I><U><M>/i
1019
describe FRT_VALIUM2 ReplaceTags: Valium (2)
1025
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1026
body FRT_WEIGHT2 /<inter W0><post P2>\b(?!weight)<W><E><I><G><H><T>/i
1027
describe FRT_WEIGHT2 ReplaceTags: Weight (2)
1033
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1034
body FRT_XANAX1 /<inter W0><post P2>\b(?!xanax)<X><A><N><A><X>\b/i
1035
describe FRT_XANAX1 ReplaceTags: Xanax (1)
1041
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1042
body FRT_XANAX2 /<inter SP2><post P2>\b(?!xanax)<X><A><N><A><X>\b/i
1043
describe FRT_XANAX2 ReplaceTags: Xanax (2)
1048
rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
1049
describe FR_3TAG_3TAG Looks like 3 <e> small tags.
1053
rawbody FR_ALMOST_VIAG2 /[^a-z](?!viagra)v?ia.?g.?ra/i
1054
describe FR_ALMOST_VIAG2 Almost looks like viagra.
1058
rawbody FR_CANTSEETEXT /class="?cantseetext/i
1059
describe FR_CANTSEETEXT Phrase class=cantseetext
1063
rawbody FR_MIDER m'http[^ ]{5,30}/gall?/'
1064
describe FR_MIDER Sign often seen in spams
1068
header FS_AT_NO_COST Subject =~ /\bat no cost/i
1069
describe FS_AT_NO_COST Subject says "At No Cost"
1073
header FS_CHEAP_CAP Subject =~ /CHEAP/
1074
describe FS_CHEAP_CAP Phrase: Cheap in Caps in Subject.
1078
header FS_DOLLAR_BONUS Subject =~ /\$\d\d\d?\.?\d?\d? bonus/i
1079
describe FS_DOLLAR_BONUS Subject talks about money bonus!
1083
header FS_EJACULA Subject =~ /ejaculat(?:[io01][o0i1]n|e)/i
1084
describe FS_EJACULA Phrase: ejaculation in subject.
1088
header FS_ERECTION Subject =~ / erection /i
1089
describe FS_ERECTION Phrase: erection in subject.
1093
header FS_HUGECOCK Subject =~ /(?:huge|tiny|small) (?:c[o0]ck|d[i1]ck|p[e3]n[1i]s)/i
1094
describe FS_HUGECOCK Phrase: Huge Cock
1097
##{ FS_LARGE_PERCENT2
1098
header FS_LARGE_PERCENT2 Subject =~ /(?!100%)\d[0-9oi][0-9oi]%/i
1099
describe FS_LARGE_PERCENT2 Larger than 100% in subj.
1100
##} FS_LARGE_PERCENT2
1103
header FS_LOWER_YOUR Subject =~ /lower your/i
1104
describe FS_LOWER_YOUR Phrase: lower your
1108
header FS_LOW_RATES Subject =~ / low rates/i
1109
describe FS_LOW_RATES Subject says low rates
1112
##{ FS_NEW_SOFT_UPLOAD
1113
header FS_NEW_SOFT_UPLOAD Subject =~ /^New software uploaded by/
1114
describe FS_NEW_SOFT_UPLOAD Subj starts with New software uploaded
1115
##} FS_NEW_SOFT_UPLOAD
1118
header FS_NEW_XXX Subject =~ /^Re: news? [a-z]{1,5}$/
1119
describe FS_NEW_XXX Subject looks like Fharmacy spams.
1123
header FS_NO_SCRIP Subject =~ /n[o0O] p[reRE][erER]scr[i1I]pt[i1I][o0O]n/i
1124
describe FS_NO_SCRIP Subject almost says No prescription
1128
header FS_OBFU_PRMCY Subject =~ /\b(?!(?:pharmacy|primacy))p[ph]{0,4}\S{1,3}r\S{0,2}m\S{0,3}c\S{0,2}y\b/i
1129
describe FS_OBFU_PRMCY what could this word be?
1133
header FS_PERSCRIPTION Subject =~ /perscr[i1]pt[i1][o0]n/i
1134
describe FS_PERSCRIPTION Subject mis-spelled prescription
1138
header FS_PHARMASUB2 Subject =~ /PH[A-Za-z]{2,7}MA/
1139
describe FS_PHARMASUB2 Looks like Phramacy subject.
1143
header FS_RAMROD Subject =~ /ramrod/i
1144
describe FS_RAMROD Subject says Ramrod
1148
header FS_REPLICA Subject =~ /replica/i
1149
describe FS_REPLICA Subject says "replica"
1153
header FS_REPLICAWATCH Subject =~ /replica watch/i
1154
describe FS_REPLICAWATCH Subject says Replica watch
1158
header FS_RE_APPROV Subject =~ /re approved/i
1159
describe FS_RE_APPROV Phrase: re approved
1163
header FS_START_DOYOU2 Subject =~ /^Do you (?:dream|have|want|love|like|wanna)/i
1164
describe FS_START_DOYOU2 Subject starts with Do you dream,have,want,love, etc.
1168
header FS_START_LOSE Subject =~ /^Lose /i
1169
describe FS_START_LOSE Subject starts with Lose
1173
header FS_TEEN_BAD Subject =~ /teen.{1,15}(?:pussy|sex|slut|ass|fuck|rape)/i
1174
describe FS_TEEN_BAD Subject says something bad about teens
1178
header FS_TIP_DDD Subject =~ /(?:tip|good) \d\d\d?\d?/i
1179
describe FS_TIP_DDD Phrase: subject = tip ddd
1183
header FS_WEIGHT_LOSS Subject =~ /weight loss/i
1184
describe FS_WEIGHT_LOSS Subject says Weight Loss
1185
score FS_WEIGHT_LOSS 0.942 0.458 0.000 0.000
1189
header FS_WILL_HELP Subject =~ /will help/
1190
describe FS_WILL_HELP Subject says will help
1194
header FS_WITH_SMALL Subject =~ /with (?:\w+\s)?(?:small|short)/i
1195
describe FS_WITH_SMALL Subject says With ... small
1200
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1201
body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
1206
uri FU_COMMON_SUBS2 m'/(?:[2w]m|7d|b|ee|lj|j|o|u)/[,.]?$'
1207
describe FU_COMMON_SUBS2 Sub-dir seen often in spam (2).
1210
##{ FU_ENDS_NUMS_DOTS_CLK
1211
uri FU_ENDS_NUMS_DOTS_CLK m'(?:clk|uns)/\d+\.\d+\.\d+'i
1212
describe FU_ENDS_NUMS_DOTS_CLK Ends with clk/d+.d+.d+
1213
##} FU_ENDS_NUMS_DOTS_CLK
1216
uri FU_END_ET m'/et/$'i
1217
describe FU_END_ET ET Phone Home?
1221
uri FU_HOODIA /hoodia/i
1222
describe FU_HOODIA URL has hoodia in it.
1226
uri FU_LONG_QUERY3 m'[A-F0-9]{30}\.aspx'
1227
describe FU_LONG_QUERY3 URL has a long file name with .aspx extension.
1231
uri FU_MIDER m'/gall?/'
1232
describe FU_MIDER URL has /gal/
1236
uri FU_UKGEOCITIES /\b[a-z]{2}\.geocities\.com/i
1237
describe FU_UKGEOCITIES URL with [a-z]{2}.geocities.com
1240
##{ FU_URI_TRACKER_T
1241
uri FU_URI_TRACKER_T m'/[yi]/(?:sp|et|vm|xl2)/'i
1242
describe FU_URI_TRACKER_T URI style tracker (T)
1243
##} FU_URI_TRACKER_T
1245
##{ GEO_QUERY_STRING
1246
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
1247
##} GEO_QUERY_STRING
1249
##{ HDR_ORDER_FTSDMCXX_001C
1250
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
1251
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
1252
##} HDR_ORDER_FTSDMCXX_001C
1254
##{ HDR_ORDER_FTSDMCXX_BAT
1255
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
1256
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
1257
##} HDR_ORDER_FTSDMCXX_BAT
1259
##{ HEADER_COUNT_SUBJECT
1261
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
1262
header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
1263
describe HEADER_COUNT_SUBJECT Multiple Subject headers found
1265
##} HEADER_COUNT_SUBJECT
1268
header HELO_FRIEND X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i
1272
header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
1276
header HELO_LH_LD X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i
1280
header HELO_LOCALHOST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
1284
header HELO_OEM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
1287
##{ HS_BODY_UPLOADED_SOFTWARE
1288
body HS_BODY_UPLOADED_SOFTWARE /^\w+ has uploaded some new software/
1289
describe HS_BODY_UPLOADED_SOFTWARE Somebody has uploaded some new software for you
1290
##} HS_BODY_UPLOADED_SOFTWARE
1292
##{ HS_DRUG_DOLLAR_1
1293
body HS_DRUG_DOLLAR_1 m'^[a-z]+[glrt][a-z]?[eir][a-z]?[asx](?: -|:)? \$[\d.]+$'i
1294
describe HS_DRUG_DOLLAR_1 Contains a drug and price-like pattern.
1295
##} HS_DRUG_DOLLAR_1
1297
##{ HS_DRUG_DOLLAR_2
1298
body HS_DRUG_DOLLAR_2 m'^[a-z]+[lmor][a-z]?[aex][a-z]?[mx](?: -|:)? \$[\d.]+$'i
1299
describe HS_DRUG_DOLLAR_2 Contains a drug and price-like pattern.
1300
##} HS_DRUG_DOLLAR_2
1302
##{ HS_DRUG_DOLLAR_3
1303
body HS_DRUG_DOLLAR_3 m'^[a-z]+[dino][a-z]?[aimu][a-z]?[amx](?: -|:)? \$[\d.]+$'i
1304
describe HS_DRUG_DOLLAR_3 Contains a drug and price-like pattern.
1305
##} HS_DRUG_DOLLAR_3
1307
##{ HS_DRUG_DOLLAR_MANY
1308
meta HS_DRUG_DOLLAR_MANY HS_DRUG_DOLLAR_1 + HS_DRUG_DOLLAR_2 + HS_DRUG_DOLLAR_3 >= 2
1309
describe HS_DRUG_DOLLAR_MANY Contains several drug and dollar-like patterns.
1310
##} HS_DRUG_DOLLAR_MANY
1313
meta HS_FORGED_OE_FW __HS_SUBJ_UC_FW && __OE_MUA
1314
describe HS_FORGED_OE_FW Outlook does not prefix forwards with "FW:"
1318
uri HS_GETMEOFF m'/get(?:me)?off\.php(?:$|[\#?])'
1319
describe HS_GETMEOFF Links to common unsubscribe script: 'getmeoff.php'
1323
uri HS_INDEX_PARAM m'^https?:/*([^/]*/)+(?:index.(?:cgi|html?|php)|default.(?:asp|jsp))?\?(?!(?-i:[A-Z][a-z]{2,}){2,}$)\w+={0,2}$'i
1324
describe HS_INDEX_PARAM Link contains a common tracker pattern.
1327
##{ HS_MEETUP_FOR_SEX
1328
body HS_MEETUP_FOR_SEX m'(?:meet ?up|see eachother|get together) for (?:some )?(?:action|sex)'i
1329
describe HS_MEETUP_FOR_SEX Talks about meeting up for sex.
1330
##} HS_MEETUP_FOR_SEX
1332
##{ HS_SUBJ_NEW_SOFTWARE
1333
header HS_SUBJ_NEW_SOFTWARE Subject =~ /^New software uploaded by/
1334
describe HS_SUBJ_NEW_SOFTWARE Subject starts with 'New software uploaded by'
1335
##} HS_SUBJ_NEW_SOFTWARE
1337
##{ HS_SUBJ_ONLINE_PHARMACEUTICAL
1338
header HS_SUBJ_ONLINE_PHARMACEUTICAL Subject =~ /\bOnline Pharmaceutical/i
1339
describe HS_SUBJ_ONLINE_PHARMACEUTICAL Subject contains the phrase 'Online pharmaceutical'
1340
##} HS_SUBJ_ONLINE_PHARMACEUTICAL
1342
##{ HTTPS_HTTP_MISMATCH
1344
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
1345
body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
1347
##} HTTPS_HTTP_MISMATCH
1350
header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
1354
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
1358
meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 3)
1359
describe KAM_LOTTO1 Likely to be a e-Lotto Scam Email
1360
#score KAM_LOTTO1 0.5
1364
meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 4)
1365
describe KAM_LOTTO2 Highly Likely to be a e-Lotto Scam Email
1366
#score KAM_LOTTO2 1.0
1370
meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 5)
1371
describe KAM_LOTTO3 Almost certain to be a e-Lotto Scam Email
1372
#score KAM_LOTTO3 2.0
1376
meta KAM_STOCKOTC (0)
1377
tflags KAM_STOCKOTC publish
1381
meta KAM_STOCKTIP15 (0)
1382
tflags KAM_STOCKTIP15 publish
1386
meta KAM_STOCKTIP20 (0)
1387
tflags KAM_STOCKTIP20 publish
1391
meta KAM_STOCKTIP21 (0)
1392
tflags KAM_STOCKTIP21 publish
1396
meta KAM_STOCKTIP4 (0)
1397
tflags KAM_STOCKTIP4 publish
1401
meta KAM_STOCKTIP6 (0)
1402
tflags KAM_STOCKTIP6 publish
1406
body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
1410
body LOOPHOLE_1 /loop-?hole in the banking/i
1411
describe LOOPHOLE_1 A loop hole in the banking laws?
1415
meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
1419
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
1423
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
1426
##{ MIME_BOUND_EQ_REL
1427
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
1428
##} MIME_BOUND_EQ_REL
1430
##{ MSOE_MID_WRONG_CASE
1431
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
1432
##} MSOE_MID_WRONG_CASE
1435
full NULL_IN_BODY /\x00/
1436
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
1441
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1442
meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
1443
describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
1447
##{ PART_CID_STOCK_LESS
1449
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1450
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
1451
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
1453
##} PART_CID_STOCK_LESS
1456
header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/
1459
##{ RCVD_FORGED_WROTE
1460
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
1461
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
1462
##} RCVD_FORGED_WROTE
1464
##{ RCVD_FORGED_WROTE2
1465
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
1466
##} RCVD_FORGED_WROTE2
1468
##{ RCVD_IN_DNSWL_HI
1470
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1471
header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.3')
1472
describe RCVD_IN_DNSWL_HI Sender listed at http://www.dnswl.org/, high trust
1473
tflags RCVD_IN_DNSWL_HI nice net
1475
##} RCVD_IN_DNSWL_HI
1477
##{ RCVD_IN_DNSWL_LOW
1479
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1480
header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
1481
describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
1482
tflags RCVD_IN_DNSWL_LOW nice net
1484
##} RCVD_IN_DNSWL_LOW
1486
##{ RCVD_IN_DNSWL_MED
1488
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1489
header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
1490
describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
1491
tflags RCVD_IN_DNSWL_MED nice net
1493
##} RCVD_IN_DNSWL_MED
1497
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1498
header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.3$')
1499
describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
1500
tflags RCVD_IN_IADB_DK net nice
1504
##{ RCVD_IN_IADB_DOPTIN
1506
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1507
header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.10$')
1508
describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
1509
tflags RCVD_IN_IADB_DOPTIN net nice
1511
##} RCVD_IN_IADB_DOPTIN
1513
##{ RCVD_IN_IADB_DOPTIN_GT50
1515
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1516
header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.9$')
1517
describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
1518
tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
1520
##} RCVD_IN_IADB_DOPTIN_GT50
1522
##{ RCVD_IN_IADB_DOPTIN_LT50
1524
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1525
header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.8$')
1526
describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
1527
tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
1529
##} RCVD_IN_IADB_DOPTIN_LT50
1531
##{ RCVD_IN_IADB_EDDB
1533
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1534
header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '^127.0.2.1$')
1535
describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
1536
tflags RCVD_IN_IADB_EDDB net nice
1538
##} RCVD_IN_IADB_EDDB
1540
##{ RCVD_IN_IADB_EPIA
1542
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1543
header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '^127.0.2.2$')
1544
describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
1545
tflags RCVD_IN_IADB_EPIA net nice
1547
##} RCVD_IN_IADB_EPIA
1549
##{ RCVD_IN_IADB_GOODMAIL
1551
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1552
header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.103$')
1553
describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
1554
tflags RCVD_IN_IADB_GOODMAIL net nice
1556
##} RCVD_IN_IADB_GOODMAIL
1558
##{ RCVD_IN_IADB_LISTED
1560
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1561
header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127.0.0.[12]$')
1562
describe RCVD_IN_IADB_LISTED Participates in the IADB system
1563
tflags RCVD_IN_IADB_LISTED net nice
1565
##} RCVD_IN_IADB_LISTED
1567
##{ RCVD_IN_IADB_LOOSE
1569
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1570
header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.4$')
1571
describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
1572
tflags RCVD_IN_IADB_LOOSE net nice
1574
##} RCVD_IN_IADB_LOOSE
1576
##{ RCVD_IN_IADB_MI_CPEAR
1578
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1579
header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '^127.101.1.10$')
1580
describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
1581
tflags RCVD_IN_IADB_MI_CPEAR net nice
1583
##} RCVD_IN_IADB_MI_CPEAR
1585
##{ RCVD_IN_IADB_MI_CPR_30
1587
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1588
header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '^127.101.101.10$')
1589
describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
1590
tflags RCVD_IN_IADB_MI_CPR_30 net nice
1592
##} RCVD_IN_IADB_MI_CPR_30
1594
##{ RCVD_IN_IADB_MI_CPR_MAT
1596
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1597
header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '^127.101.201.10$')
1598
describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
1599
tflags RCVD_IN_IADB_MI_CPR_MAT net nice
1601
##} RCVD_IN_IADB_MI_CPR_MAT
1603
##{ RCVD_IN_IADB_ML_DOPTIN
1605
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1606
header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.100$')
1607
describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
1608
tflags RCVD_IN_IADB_ML_DOPTIN net nice
1610
##} RCVD_IN_IADB_ML_DOPTIN
1612
##{ RCVD_IN_IADB_NOCONTROL
1614
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1615
header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.0$')
1616
describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
1617
tflags RCVD_IN_IADB_NOCONTROL net nice
1619
##} RCVD_IN_IADB_NOCONTROL
1621
##{ RCVD_IN_IADB_OOO
1623
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1624
header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.200$')
1625
describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
1626
tflags RCVD_IN_IADB_OOO net nice
1628
##} RCVD_IN_IADB_OOO
1630
##{ RCVD_IN_IADB_OPTIN
1632
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1633
header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.7$')
1634
describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
1635
tflags RCVD_IN_IADB_OPTIN net nice
1637
##} RCVD_IN_IADB_OPTIN
1639
##{ RCVD_IN_IADB_OPTIN_GT50
1641
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1642
header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.6$')
1643
describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
1644
tflags RCVD_IN_IADB_OPTIN_GT50 net nice
1646
##} RCVD_IN_IADB_OPTIN_GT50
1648
##{ RCVD_IN_IADB_OPTIN_LT50
1650
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1651
header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.5$')
1652
describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
1653
tflags RCVD_IN_IADB_OPTIN_LT50 net nice
1655
##} RCVD_IN_IADB_OPTIN_LT50
1657
##{ RCVD_IN_IADB_OPTOUTONLY
1659
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1660
header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.1$')
1661
describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
1662
tflags RCVD_IN_IADB_OPTOUTONLY net nice
1664
##} RCVD_IN_IADB_OPTOUTONLY
1666
##{ RCVD_IN_IADB_RDNS
1668
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1669
header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.4$')
1670
describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
1671
tflags RCVD_IN_IADB_RDNS net nice
1673
##} RCVD_IN_IADB_RDNS
1675
##{ RCVD_IN_IADB_SENDERID
1677
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1678
header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.2$')
1679
describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
1680
tflags RCVD_IN_IADB_SENDERID net nice
1682
##} RCVD_IN_IADB_SENDERID
1684
##{ RCVD_IN_IADB_SPF
1686
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1687
header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.1$')
1688
describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
1689
tflags RCVD_IN_IADB_SPF net nice
1691
##} RCVD_IN_IADB_SPF
1693
##{ RCVD_IN_IADB_UNVERIFIED_1
1695
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1696
header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.2$')
1697
describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
1698
tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
1700
##} RCVD_IN_IADB_UNVERIFIED_1
1702
##{ RCVD_IN_IADB_UNVERIFIED_2
1704
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1705
header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.3$')
1706
describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
1707
tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
1709
##} RCVD_IN_IADB_UNVERIFIED_2
1711
##{ RCVD_IN_IADB_UT_CPEAR
1713
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1714
header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '^127.101.2.10$')
1715
describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
1716
tflags RCVD_IN_IADB_UT_CPEAR net nice
1718
##} RCVD_IN_IADB_UT_CPEAR
1720
##{ RCVD_IN_IADB_UT_CPR_30
1722
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1723
header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '^127.101.102.10$')
1724
describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
1725
tflags RCVD_IN_IADB_UT_CPR_30 net nice
1727
##} RCVD_IN_IADB_UT_CPR_30
1729
##{ RCVD_IN_IADB_UT_CPR_MAT
1731
ifplugin Mail::SpamAssassin::Plugin::DNSEval
1732
header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '^127.101.202.10$')
1733
describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
1734
tflags RCVD_IN_IADB_UT_CPR_MAT net nice
1736
##} RCVD_IN_IADB_UT_CPR_MAT
1739
header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
1740
describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
1743
##{ SB_GIF_AND_NO_URIS
1744
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
1745
##} SB_GIF_AND_NO_URIS
1747
##{ SHORT_HELO_AND_INLINE_IMAGE
1748
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
1749
describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
1750
##} SHORT_HELO_AND_INLINE_IMAGE
1752
##{ SHORT_TERM_PRICE
1753
body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
1754
##} SHORT_TERM_PRICE
1757
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
1758
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
1762
meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
1763
describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
1766
##{ STOCK_IMG_HDR_FROM
1767
meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&T_TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
1768
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
1769
##} STOCK_IMG_HDR_FROM
1772
meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
1773
describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
1776
##{ STOCK_IMG_OUTLOOK
1777
meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
1778
describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
1779
##} STOCK_IMG_OUTLOOK
1782
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
1786
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
1790
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
1793
##{ SUBJECT_NEEDS_ENCODING
1794
meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
1795
##} SUBJECT_NEEDS_ENCODING
1798
meta SUBJ_RE_NUM !__THEBAT_MUA && __SUBJ_RE_NUM
1799
describe SUBJ_RE_NUM Subject is faking 'The Bat!' responses
1802
##{ TEMPLATE_203_RCVD
1803
header TEMPLATE_203_RCVD Received =~ /from 192.168.0.\d+ \(203-219-/
1804
##} TEMPLATE_203_RCVD
1807
header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
1808
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
1811
##{ TT_OBSCURED_VALIUM
1812
meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
1813
describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
1814
##} TT_OBSCURED_VALIUM
1816
##{ TT_OBSCURED_VIAGRA
1817
meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
1818
describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
1819
##} TT_OBSCURED_VIAGRA
1822
body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
1826
body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
1830
body TVD_APP_LOAN /approved .{0,20}loan/i
1833
##{ TVD_DEAR_HOMEOWNER
1834
body TVD_DEAR_HOMEOWNER /^dear homeowner/i
1835
##} TVD_DEAR_HOMEOWNER
1838
meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
1841
##{ TVD_ENVFROM_APOST
1842
header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
1843
##} TVD_ENVFROM_APOST
1846
header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
1849
##{ TVD_FLOAT_GENERAL
1850
rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
1851
##} TVD_FLOAT_GENERAL
1853
##{ TVD_FUZZY_DEGREE
1855
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1856
body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
1858
##} TVD_FUZZY_DEGREE
1860
##{ TVD_FUZZY_FINANCE
1862
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1863
body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
1865
##} TVD_FUZZY_FINANCE
1867
##{ TVD_FUZZY_FIXED_RATE
1869
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1870
body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
1872
##} TVD_FUZZY_FIXED_RATE
1874
##{ TVD_FUZZY_MICROCAP
1876
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1877
body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
1879
##} TVD_FUZZY_MICROCAP
1881
##{ TVD_FUZZY_PHARMACEUTICAL
1883
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1884
body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
1886
##} TVD_FUZZY_PHARMACEUTICAL
1888
##{ TVD_FUZZY_SYMBOL
1890
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1891
body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
1893
##} TVD_FUZZY_SYMBOL
1895
##{ TVD_FW_GRAPHIC_NAME_LONG
1897
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1898
mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
1900
##} TVD_FW_GRAPHIC_NAME_LONG
1902
##{ TVD_FW_GRAPHIC_NAME_MID
1904
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1905
mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
1907
##} TVD_FW_GRAPHIC_NAME_MID
1909
##{ TVD_INCREASE_SIZE
1910
body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
1911
##} TVD_INCREASE_SIZE
1914
body TVD_LINK_SAVE /\blink to save\b/i
1917
##{ TVD_PH_BODY_ACCOUNTS_PRE
1918
body TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
1919
##} TVD_PH_BODY_ACCOUNTS_PRE
1922
body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
1923
describe TVD_PH_REC Message has a phrase standard for phishing mails
1927
body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
1928
describe TVD_PH_SEC Message has a phrase standard for phishing mails
1931
##{ TVD_PH_SUBJ_ACCOUNTS_POST
1932
header TVD_PH_SUBJ_ACCOUNTS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
1933
##} TVD_PH_SUBJ_ACCOUNTS_POST
1935
##{ TVD_PH_SUBJ_META
1936
meta TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
1937
##} TVD_PH_SUBJ_META
1939
##{ TVD_PH_SUBJ_URGENT
1940
header TVD_PH_SUBJ_URGENT Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
1941
##} TVD_PH_SUBJ_URGENT
1944
meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
1948
body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
1952
header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
1955
##{ TVD_RATWARE_CB_2
1956
header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
1957
##} TVD_RATWARE_CB_2
1959
##{ TVD_RATWARE_MSGID_02
1960
header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
1961
##} TVD_RATWARE_MSGID_02
1964
header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
1968
header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
1972
header TVD_RCVD_SINGLE Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
1975
##{ TVD_RCVD_SPACE_BRACKET
1976
header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
1977
##} TVD_RCVD_SPACE_BRACKET
1980
body TVD_SECTION /\bSection (?:27A|21B)/i
1983
##{ TVD_SILLY_URI_OBFU
1984
body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
1985
##} TVD_SILLY_URI_OBFU
1987
##{ TVD_SPACED_SUBJECT_WORD3
1988
header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
1989
##} TVD_SPACED_SUBJECT_WORD3
1993
ifplugin Mail::SpamAssassin::Plugin::BodyEval
1994
body TVD_STOCK1 eval:check_stock_info('2')
1998
##{ TVD_SUBJ_ACC_NUM
1999
header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
2000
describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
2001
##} TVD_SUBJ_ACC_NUM
2003
##{ TVD_SUBJ_FINGER_03
2004
header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
2005
##} TVD_SUBJ_FINGER_03
2008
header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
2011
##{ TVD_SUBJ_WIPE_DEBT
2012
header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
2013
##} TVD_SUBJ_WIPE_DEBT
2015
##{ TVD_VISIT_PHARMA
2016
body TVD_VISIT_PHARMA /Online Ph.rmacy/i
2017
##} TVD_VISIT_PHARMA
2020
rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
2023
##{ T_TVD_FW_GRAPHIC_ID1
2025
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2026
mimeheader T_TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
2028
##} T_TVD_FW_GRAPHIC_ID1
2032
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2033
#reuse URIBL_RHS_AHBL T_URIBL_RHS_AHBL
2039
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2040
urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
2041
body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
2042
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
2043
tflags URIBL_RHS_DOB net
2049
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2050
urirhssub WHOIS_1AND1PR bl.open-whois.org. A 127.0.0.2
2051
body WHOIS_1AND1PR eval:check_uridnsbl('WHOIS_1AND1PR')
2052
describe WHOIS_1AND1PR URL registered to 1&1 Private Registration
2053
tflags WHOIS_1AND1PR net
2059
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2060
urirhssub WHOIS_AITPRIV bl.open-whois.org. A 127.0.0.19
2061
body WHOIS_AITPRIV eval:check_uridnsbl('WHOIS_AITPRIV')
2062
describe WHOIS_AITPRIV URL registered as an AIT Private Registration
2063
tflags WHOIS_AITPRIV net publish
2067
##{ WHOIS_CONTACTPRIV
2069
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2070
urirhssub WHOIS_CONTACTPRIV bl.open-whois.org. A 127.0.0.37
2071
body WHOIS_CONTACTPRIV eval:check_uridnsbl('WHOIS_CONTACTPRIV')
2072
describe WHOIS_CONTACTPRIV URL registered to contactprivacy.com
2073
tflags WHOIS_CONTACTPRIV net
2075
##} WHOIS_CONTACTPRIV
2077
##{ WHOIS_DMNBYPROXY
2079
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2080
urirhssub WHOIS_DMNBYPROXY bl.open-whois.org. A 127.0.0.15
2081
body WHOIS_DMNBYPROXY eval:check_uridnsbl('WHOIS_DMNBYPROXY')
2082
describe WHOIS_DMNBYPROXY Contains URL registered to Domains by Proxy
2083
tflags WHOIS_DMNBYPROXY net
2085
##} WHOIS_DMNBYPROXY
2089
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2090
urirhssub WHOIS_DOMESCROW bl.open-whois.org. A 127.0.0.10
2091
body WHOIS_DOMESCROW eval:check_uridnsbl('WHOIS_DOMESCROW')
2092
describe WHOIS_DOMESCROW URL registered to Domain Escrow Services
2093
tflags WHOIS_DOMESCROW net
2097
##{ WHOIS_DOMPRIVCORP
2099
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2100
urirhssub WHOIS_DOMPRIVCORP bl.open-whois.org. A 127.0.0.24
2101
body WHOIS_DOMPRIVCORP eval:check_uridnsbl('WHOIS_DOMPRIVCORP')
2102
describe WHOIS_DOMPRIVCORP URL registered to DomainPrivacyCorp.com
2103
tflags WHOIS_DOMPRIVCORP net
2105
##} WHOIS_DOMPRIVCORP
2109
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2110
urirhssub WHOIS_DREAMPRIV bl.open-whois.org. A 127.0.0.8
2111
body WHOIS_DREAMPRIV eval:check_uridnsbl('WHOIS_DREAMPRIV')
2112
describe WHOIS_DREAMPRIV URL registered as a DreamHost Private Registration
2113
tflags WHOIS_DREAMPRIV net
2119
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2120
urirhssub WHOIS_DROA bl.open-whois.org. A 127.0.0.26
2121
body WHOIS_DROA eval:check_uridnsbl('WHOIS_DROA')
2122
describe WHOIS_DROA URL registered as an DROA Private Registration
2123
tflags WHOIS_DROA net
2129
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2130
urirhssub WHOIS_DYNADOT bl.open-whois.org. A 127.0.0.27
2131
body WHOIS_DYNADOT eval:check_uridnsbl('WHOIS_DYNADOT')
2132
describe WHOIS_DYNADOT URL registered to Dynadot Privacy
2133
tflags WHOIS_DYNADOT net
2139
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2140
urirhssub WHOIS_FINEXE bl.open-whois.org. A 127.0.0.25
2141
body WHOIS_FINEXE eval:check_uridnsbl('WHOIS_FINEXE')
2142
describe WHOIS_FINEXE URL registered to Finexe Domain Proxy Service
2143
tflags WHOIS_FINEXE net
2149
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2150
urirhssub WHOIS_GKGPROXY bl.open-whois.org. A 127.0.0.29
2151
body WHOIS_GKGPROXY eval:check_uridnsbl('WHOIS_GKGPROXY')
2152
describe WHOIS_GKGPROXY URL registered to GKG.NET Domain Proxy Service
2153
tflags WHOIS_GKGPROXY net
2159
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2160
urirhssub WHOIS_IDSHIELD bl.open-whois.org. A 127.0.0.16
2161
body WHOIS_IDSHIELD eval:check_uridnsbl('WHOIS_IDSHIELD')
2162
describe WHOIS_IDSHIELD Contains URL registered to WHOIS ID Shield
2163
tflags WHOIS_IDSHIELD net
2167
##{ WHOIS_IDTHEFTPROT
2169
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2170
urirhssub WHOIS_IDTHEFTPROT bl.open-whois.org. A 127.0.0.39
2171
body WHOIS_IDTHEFTPROT eval:check_uridnsbl('WHOIS_IDTHEFTPROT')
2172
describe WHOIS_IDTHEFTPROT URL registered to Whois ID Theft Protection
2173
tflags WHOIS_IDTHEFTPROT net
2175
##} WHOIS_IDTHEFTPROT
2179
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2180
urirhssub WHOIS_KATZ bl.open-whois.org. A 127.0.0.31
2181
body WHOIS_KATZ eval:check_uridnsbl('WHOIS_KATZ')
2182
describe WHOIS_KATZ URL registered to Katz Global Domain Name Trust
2183
tflags WHOIS_KATZ net
2189
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2190
urirhssub WHOIS_LISTINGAG bl.open-whois.org. A 127.0.0.33
2191
body WHOIS_LISTINGAG eval:check_uridnsbl('WHOIS_LISTINGAG')
2192
describe WHOIS_LISTINGAG URL registered to Domain Listing Agent
2193
tflags WHOIS_LISTINGAG net
2199
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2200
urirhssub WHOIS_LNOA bl.open-whois.org. A 127.0.0.28
2201
body WHOIS_LNOA eval:check_uridnsbl('WHOIS_LNOA')
2202
describe WHOIS_LNOA URL registered to LNOA WHOIS Privacy
2203
tflags WHOIS_LNOA net
2209
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2210
urirhssub WHOIS_MAPNAME bl.open-whois.org. A 127.0.0.34
2211
body WHOIS_MAPNAME eval:check_uridnsbl('WHOIS_MAPNAME')
2212
describe WHOIS_MAPNAME URL registered to MapName
2213
tflags WHOIS_MAPNAME net
2217
##{ WHOIS_MONIKER_PRIV
2219
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2220
urirhssub WHOIS_MONIKER_PRIV bl.open-whois.org. A 127.0.0.11
2221
body WHOIS_MONIKER_PRIV eval:check_uridnsbl('WHOIS_MONIKER_PRIV')
2222
describe WHOIS_MONIKER_PRIV URL registered to Moniker Privacy Protection
2223
tflags WHOIS_MONIKER_PRIV net
2225
##} WHOIS_MONIKER_PRIV
2229
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2230
urirhssub WHOIS_MYPRIVREG bl.open-whois.org. A 127.0.0.17
2231
body WHOIS_MYPRIVREG eval:check_uridnsbl('WHOIS_MYPRIVREG')
2232
describe WHOIS_MYPRIVREG URL registered to myprivateregistration.com
2233
tflags WHOIS_MYPRIVREG net
2239
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2240
urirhssub WHOIS_NAMEKING bl.open-whois.org. A 127.0.0.35
2241
body WHOIS_NAMEKING eval:check_uridnsbl('WHOIS_NAMEKING')
2242
describe WHOIS_NAMEKING URL registered to NameKing
2243
tflags WHOIS_NAMEKING net publish
2247
##{ WHOIS_NAMESECURE
2249
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2250
urirhssub WHOIS_NAMESECURE bl.open-whois.org. A 127.0.0.9
2251
body WHOIS_NAMESECURE eval:check_uridnsbl('WHOIS_NAMESECURE')
2252
describe WHOIS_NAMESECURE Contains URL registered to NameSecure
2253
tflags WHOIS_NAMESECURE net
2255
##} WHOIS_NAMESECURE
2259
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2260
urirhssub WHOIS_NETID bl.open-whois.org. A 127.0.0.42
2261
body WHOIS_NETID eval:check_uridnsbl('WHOIS_NETID')
2262
describe WHOIS_NETID URL registered to NetIdentity
2263
tflags WHOIS_NETID net
2269
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2270
urirhssub WHOIS_NETSOLPR bl.open-whois.org. A 127.0.0.4
2271
body WHOIS_NETSOLPR eval:check_uridnsbl('WHOIS_NETSOLPR')
2272
describe WHOIS_NETSOLPR URL registered as a NetSol Private Registration
2273
tflags WHOIS_NETSOLPR net
2279
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2280
urirhssub WHOIS_NOLDC bl.open-whois.org. A 127.0.0.41
2281
body WHOIS_NOLDC eval:check_uridnsbl('WHOIS_NOLDC')
2282
describe WHOIS_NOLDC URL registered to NOLDC, Inc.
2283
tflags WHOIS_NOLDC net
2289
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2290
urirhssub WHOIS_NOMINET bl.open-whois.org. A 127.0.0.36
2291
body WHOIS_NOMINET eval:check_uridnsbl('WHOIS_NOMINET')
2292
describe WHOIS_NOMINET URL registered to Nominet Private Registrant
2293
tflags WHOIS_NOMINET net
2297
##{ WHOIS_PRIVACYPOST
2299
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2300
urirhssub WHOIS_PRIVACYPOST bl.open-whois.org. A 127.0.0.7
2301
body WHOIS_PRIVACYPOST eval:check_uridnsbl('WHOIS_PRIVACYPOST')
2302
describe WHOIS_PRIVACYPOST Contains URL registered to PrivacyPost
2303
tflags WHOIS_PRIVACYPOST net
2305
##} WHOIS_PRIVACYPOST
2307
##{ WHOIS_PRIVDOMAIN
2309
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2310
urirhssub WHOIS_PRIVDOMAIN bl.open-whois.org. A 127.0.0.38
2311
body WHOIS_PRIVDOMAIN eval:check_uridnsbl('WHOIS_PRIVDOMAIN')
2312
describe WHOIS_PRIVDOMAIN URL registered to privacy-domain.com
2313
tflags WHOIS_PRIVDOMAIN net
2315
##} WHOIS_PRIVDOMAIN
2319
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2320
urirhssub WHOIS_PRIVPROT bl.open-whois.org. A 127.0.0.3
2321
body WHOIS_PRIVPROT eval:check_uridnsbl('WHOIS_PRIVPROT')
2322
describe WHOIS_PRIVPROT URL registered to WHOIS Privacy Protection
2323
tflags WHOIS_PRIVPROT net publish
2327
##{ WHOIS_REGISTER4LESS
2329
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2330
urirhssub WHOIS_REGISTER4LESS bl.open-whois.org. A 127.0.0.30
2331
body WHOIS_REGISTER4LESS eval:check_uridnsbl('WHOIS_REGISTER4LESS')
2332
describe WHOIS_REGISTER4LESS URL registered to R4L Privacy
2333
tflags WHOIS_REGISTER4LESS net
2335
##} WHOIS_REGISTER4LESS
2337
##{ WHOIS_REGISTERFLY
2339
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2340
urirhssub WHOIS_REGISTERFLY bl.open-whois.org. A 127.0.0.14
2341
body WHOIS_REGISTERFLY eval:check_uridnsbl('WHOIS_REGISTERFLY')
2342
describe WHOIS_REGISTERFLY Contains URL registered to RegisterFly
2343
tflags WHOIS_REGISTERFLY net publish
2345
##} WHOIS_REGISTERFLY
2349
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2350
urirhssub WHOIS_REGTEK bl.open-whois.org. A 127.0.0.40
2351
body WHOIS_REGTEK eval:check_uridnsbl('WHOIS_REGTEK')
2352
describe WHOIS_REGTEK URL registered to RegTek Whois Envoy
2353
tflags WHOIS_REGTEK net
2359
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2360
urirhssub WHOIS_SAFENAMES bl.open-whois.org. A 127.0.0.12
2361
body WHOIS_SAFENAMES eval:check_uridnsbl('WHOIS_SAFENAMES')
2362
describe WHOIS_SAFENAMES Contains URL registered to SafeNames
2363
tflags WHOIS_SAFENAMES net
2367
##{ WHOIS_SECINFOSERV
2369
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2370
urirhssub WHOIS_SECINFOSERV bl.open-whois.org. A 127.0.0.21
2371
body WHOIS_SECINFOSERV eval:check_uridnsbl('WHOIS_SECINFOSERV')
2372
describe WHOIS_SECINFOSERV URL registered to Secure WHOIS Information Services
2373
tflags WHOIS_SECINFOSERV net
2375
##} WHOIS_SECINFOSERV
2377
##{ WHOIS_SECUREWHOIS
2379
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2380
urirhssub WHOIS_SECUREWHOIS bl.open-whois.org. A 127.0.0.5
2381
body WHOIS_SECUREWHOIS eval:check_uridnsbl('WHOIS_SECUREWHOIS')
2382
describe WHOIS_SECUREWHOIS Contains URL registered to SecureWhois
2383
tflags WHOIS_SECUREWHOIS net publish
2385
##} WHOIS_SECUREWHOIS
2389
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2390
urirhssub WHOIS_SPAMFREE bl.open-whois.org. A 127.0.0.32
2391
body WHOIS_SPAMFREE eval:check_uridnsbl('WHOIS_SPAMFREE')
2392
describe WHOIS_SPAMFREE URL registered to SpamFreeReg.com
2393
tflags WHOIS_SPAMFREE net
2399
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2400
urirhssub WHOIS_SRSPLUS bl.open-whois.org. A 127.0.0.23
2401
body WHOIS_SRSPLUS eval:check_uridnsbl('WHOIS_SRSPLUS')
2402
describe WHOIS_SRSPLUS URL registered as an SRSPlus Private Registration
2403
tflags WHOIS_SRSPLUS net
2409
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2410
urirhssub WHOIS_UNLISTED bl.open-whois.org. A 127.0.0.13
2411
body WHOIS_UNLISTED eval:check_uridnsbl('WHOIS_UNLISTED')
2412
describe WHOIS_UNLISTED Contains URL registered to Unlisted-Whois.com
2413
tflags WHOIS_UNLISTED net
2417
##{ WHOIS_WHOISGUARD
2419
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2420
urirhssub WHOIS_WHOISGUARD bl.open-whois.org. A 127.0.0.18
2421
body WHOIS_WHOISGUARD eval:check_uridnsbl('WHOIS_WHOISGUARD')
2422
describe WHOIS_WHOISGUARD URL registered to WhoisGuard
2423
tflags WHOIS_WHOISGUARD net publish
2425
##} WHOIS_WHOISGUARD
2429
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2430
urirhssub WHOIS_WHOISPROT bl.open-whois.org. A 127.0.0.20
2431
body WHOIS_WHOISPROT eval:check_uridnsbl('WHOIS_WHOISPROT')
2432
describe WHOIS_WHOISPROT URL registered to WhoisProtector
2433
tflags WHOIS_WHOISPROT net
2437
##{ XMAILER_MIMEOLE_OL_015D5
2438
meta XMAILER_MIMEOLE_OL_015D5 (__XM_OL_015D5 && __MO_OL_015D5)
2439
##} XMAILER_MIMEOLE_OL_015D5
2441
##{ XMAILER_MIMEOLE_OL_07794
2442
meta XMAILER_MIMEOLE_OL_07794 (__XM_OL_07794 && __MO_OL_07794)
2443
##} XMAILER_MIMEOLE_OL_07794
2445
##{ XMAILER_MIMEOLE_OL_09BB4
2446
meta XMAILER_MIMEOLE_OL_09BB4 (__XM_OL_09BB4 && __MO_OL_09BB4)
2447
##} XMAILER_MIMEOLE_OL_09BB4
2449
##{ XMAILER_MIMEOLE_OL_1ECD5
2450
meta XMAILER_MIMEOLE_OL_1ECD5 (__XM_OL_1ECD5 && __MO_OL_1ECD5)
2451
##} XMAILER_MIMEOLE_OL_1ECD5
2453
##{ XMAILER_MIMEOLE_OL_20C99
2454
meta XMAILER_MIMEOLE_OL_20C99 (__XM_OL_20C99 && __MO_OL_20C99)
2455
##} XMAILER_MIMEOLE_OL_20C99
2457
##{ XMAILER_MIMEOLE_OL_22B61
2458
meta XMAILER_MIMEOLE_OL_22B61 (__XM_OL_22B61 && __MO_OL_22B61)
2459
##} XMAILER_MIMEOLE_OL_22B61
2461
##{ XMAILER_MIMEOLE_OL_25340
2462
meta XMAILER_MIMEOLE_OL_25340 (__XM_OL_25340 && __MO_OL_25340)
2463
##} XMAILER_MIMEOLE_OL_25340
2465
##{ XMAILER_MIMEOLE_OL_32D97
2466
meta XMAILER_MIMEOLE_OL_32D97 (__XM_OL_32D97 && __MO_OL_32D97)
2467
##} XMAILER_MIMEOLE_OL_32D97
2469
##{ XMAILER_MIMEOLE_OL_3857F
2470
meta XMAILER_MIMEOLE_OL_3857F (__XM_OL_3857F && __MO_OL_3857F)
2471
##} XMAILER_MIMEOLE_OL_3857F
2473
##{ XMAILER_MIMEOLE_OL_3AC1D
2474
meta XMAILER_MIMEOLE_OL_3AC1D (__XM_OL_3AC1D && __MO_OL_3AC1D)
2475
##} XMAILER_MIMEOLE_OL_3AC1D
2477
##{ XMAILER_MIMEOLE_OL_3D61D
2478
meta XMAILER_MIMEOLE_OL_3D61D (__XM_OL_3D61D && __MO_OL_3D61D)
2479
##} XMAILER_MIMEOLE_OL_3D61D
2481
##{ XMAILER_MIMEOLE_OL_465CD
2482
meta XMAILER_MIMEOLE_OL_465CD (__XM_OL_465CD && __MO_OL_465CD)
2483
##} XMAILER_MIMEOLE_OL_465CD
2485
##{ XMAILER_MIMEOLE_OL_4B815
2486
meta XMAILER_MIMEOLE_OL_4B815 (__XM_OL_4B815 && __MO_OL_4B815)
2487
##} XMAILER_MIMEOLE_OL_4B815
2489
##{ XMAILER_MIMEOLE_OL_4BF4C
2490
meta XMAILER_MIMEOLE_OL_4BF4C (__XM_OL_4BF4C && __MO_OL_4BF4C)
2491
##} XMAILER_MIMEOLE_OL_4BF4C
2493
##{ XMAILER_MIMEOLE_OL_4EEDB
2494
meta XMAILER_MIMEOLE_OL_4EEDB (__XM_OL_4EEDB && __MO_OL_4EEDB)
2495
##} XMAILER_MIMEOLE_OL_4EEDB
2497
##{ XMAILER_MIMEOLE_OL_4F240
2498
meta XMAILER_MIMEOLE_OL_4F240 (__XM_OL_4F240 && __MO_OL_4F240)
2499
##} XMAILER_MIMEOLE_OL_4F240
2501
##{ XMAILER_MIMEOLE_OL_58CB5
2502
meta XMAILER_MIMEOLE_OL_58CB5 (__XM_OL_58CB5 && __MO_OL_58CB5)
2503
##} XMAILER_MIMEOLE_OL_58CB5
2505
##{ XMAILER_MIMEOLE_OL_5B79A
2506
meta XMAILER_MIMEOLE_OL_5B79A (__XM_OL_5B79A && __MO_OL_5B79A)
2507
##} XMAILER_MIMEOLE_OL_5B79A
2509
##{ XMAILER_MIMEOLE_OL_6554A
2510
meta XMAILER_MIMEOLE_OL_6554A (__XM_OL_6554A && __MO_OL_6554A)
2511
##} XMAILER_MIMEOLE_OL_6554A
2513
##{ XMAILER_MIMEOLE_OL_72641
2514
meta XMAILER_MIMEOLE_OL_72641 (__XM_OL_72641 && __MO_OL_72641)
2515
##} XMAILER_MIMEOLE_OL_72641
2517
##{ XMAILER_MIMEOLE_OL_7533E
2518
meta XMAILER_MIMEOLE_OL_7533E (__XM_OL_7533E && __MO_OL_7533E)
2519
##} XMAILER_MIMEOLE_OL_7533E
2521
##{ XMAILER_MIMEOLE_OL_812FF
2522
meta XMAILER_MIMEOLE_OL_812FF (__XM_OL_812FF && __MO_OL_812FF)
2523
##} XMAILER_MIMEOLE_OL_812FF
2525
##{ XMAILER_MIMEOLE_OL_83BF7
2526
meta XMAILER_MIMEOLE_OL_83BF7 (__XM_OL_83BF7 && __MO_OL_83BF7)
2527
##} XMAILER_MIMEOLE_OL_83BF7
2529
##{ XMAILER_MIMEOLE_OL_8627E
2530
meta XMAILER_MIMEOLE_OL_8627E (__XM_OL_8627E && __MO_OL_8627E)
2531
##} XMAILER_MIMEOLE_OL_8627E
2533
##{ XMAILER_MIMEOLE_OL_8E893
2534
meta XMAILER_MIMEOLE_OL_8E893 (__XM_OL_8E893 && __MO_OL_8E893)
2535
##} XMAILER_MIMEOLE_OL_8E893
2537
##{ XMAILER_MIMEOLE_OL_91287
2538
meta XMAILER_MIMEOLE_OL_91287 (__XM_OL_91287 && __MO_OL_91287)
2539
##} XMAILER_MIMEOLE_OL_91287
2541
##{ XMAILER_MIMEOLE_OL_9B90B
2542
meta XMAILER_MIMEOLE_OL_9B90B (__XM_OL_9B90B && __MO_OL_9B90B)
2543
##} XMAILER_MIMEOLE_OL_9B90B
2545
##{ XMAILER_MIMEOLE_OL_A50F8
2546
meta XMAILER_MIMEOLE_OL_A50F8 (__XM_OL_A50F8 && __MO_OL_A50F8)
2547
##} XMAILER_MIMEOLE_OL_A50F8
2549
##{ XMAILER_MIMEOLE_OL_A842E
2550
meta XMAILER_MIMEOLE_OL_A842E (__XM_OL_A842E && __MO_OL_A842E)
2551
##} XMAILER_MIMEOLE_OL_A842E
2553
##{ XMAILER_MIMEOLE_OL_ADFF7
2554
meta XMAILER_MIMEOLE_OL_ADFF7 (__XM_OL_ADFF7 && __MO_OL_ADFF7)
2555
##} XMAILER_MIMEOLE_OL_ADFF7
2557
##{ XMAILER_MIMEOLE_OL_B30D1
2558
meta XMAILER_MIMEOLE_OL_B30D1 (__XM_OL_B30D1 && __MO_OL_B30D1)
2559
##} XMAILER_MIMEOLE_OL_B30D1
2561
##{ XMAILER_MIMEOLE_OL_B4B40
2562
meta XMAILER_MIMEOLE_OL_B4B40 (__XM_OL_B4B40 && __MO_OL_B4B40)
2563
##} XMAILER_MIMEOLE_OL_B4B40
2565
##{ XMAILER_MIMEOLE_OL_B9B11
2566
meta XMAILER_MIMEOLE_OL_B9B11 (__XM_OL_B9B11 && __MO_OL_B9B11)
2567
##} XMAILER_MIMEOLE_OL_B9B11
2569
##{ XMAILER_MIMEOLE_OL_BC7E6
2570
meta XMAILER_MIMEOLE_OL_BC7E6 (__XM_OL_BC7E6 && __MO_OL_BC7E6)
2571
##} XMAILER_MIMEOLE_OL_BC7E6
2573
##{ XMAILER_MIMEOLE_OL_C65FA
2574
meta XMAILER_MIMEOLE_OL_C65FA (__XM_OL_C65FA && __MO_OL_C65FA)
2575
##} XMAILER_MIMEOLE_OL_C65FA
2577
##{ XMAILER_MIMEOLE_OL_CAC8F
2578
meta XMAILER_MIMEOLE_OL_CAC8F (__XM_OL_CAC8F && __MO_OL_CAC8F)
2579
##} XMAILER_MIMEOLE_OL_CAC8F
2581
##{ XMAILER_MIMEOLE_OL_CF0C0
2582
meta XMAILER_MIMEOLE_OL_CF0C0 (__XM_OL_CF0C0 && __MO_OL_CF0C0)
2583
##} XMAILER_MIMEOLE_OL_CF0C0
2585
##{ XMAILER_MIMEOLE_OL_EF20B
2586
meta XMAILER_MIMEOLE_OL_EF20B (__XM_OL_EF20B && __MO_OL_EF20B)
2587
##} XMAILER_MIMEOLE_OL_EF20B
2589
##{ XMAILER_MIMEOLE_OL_EF222
2590
meta XMAILER_MIMEOLE_OL_EF222 (__XM_OL_EF222 && __MO_OL_EF222)
2591
##} XMAILER_MIMEOLE_OL_EF222
2593
##{ XMAILER_MIMEOLE_OL_F3B05
2594
meta XMAILER_MIMEOLE_OL_F3B05 (__XM_OL_F3B05 && __MO_OL_F3B05)
2595
##} XMAILER_MIMEOLE_OL_F3B05
2597
##{ XMAILER_MIMEOLE_OL_F475E
2598
meta XMAILER_MIMEOLE_OL_F475E (__XM_OL_F475E && __MO_OL_F475E)
2599
##} XMAILER_MIMEOLE_OL_F475E
2601
##{ XMAILER_MIMEOLE_OL_F6D01
2602
meta XMAILER_MIMEOLE_OL_F6D01 (__XM_OL_F6D01 && __MO_OL_F6D01)
2603
##} XMAILER_MIMEOLE_OL_F6D01
2605
##{ XMAILER_MIMEOLE_OL_FF5C8
2606
meta XMAILER_MIMEOLE_OL_FF5C8 (__XM_OL_FF5C8 && __MO_OL_FF5C8)
2607
##} XMAILER_MIMEOLE_OL_FF5C8
2609
##{ if version >= 3.002004 ifplugin Mail::SpamAssassin::Plugin::DKIM _sandbox
2611
if version >= 3.002004
2612
ifplugin Mail::SpamAssassin::Plugin::DKIM
2613
priority T_NOTVALID_YAHOO 500
2614
priority T_NOTVALID_GMAIL 500
2615
priority T_NOTVALID_PAY 500
2616
def_whitelist_from_dkim *@ebay.com
2617
def_whitelist_from_dkim *@*.ebay.com
2618
def_whitelist_from_dkim *@ebay.co.uk
2619
def_whitelist_from_dkim *@*.ebay.co.uk
2620
def_whitelist_from_dkim *@ebay.at
2621
def_whitelist_from_dkim *@ebay.ca
2622
def_whitelist_from_dkim *@ebay.de
2623
def_whitelist_from_dkim *@ebay.fr
2624
def_whitelist_from_dkim *@*.paypal.com
2625
def_whitelist_from_dkim *@*.paypal.com paypal.com
2626
def_whitelist_from_dkim *@paypal.com
2627
def_whitelist_from_dkim *@amazon.com
2628
def_whitelist_from_dkim *@cisco.com
2629
def_whitelist_from_dkim *@alert.bankofamerica.com
2630
def_whitelist_from_dkim *@cnn.com
2631
def_whitelist_from_dkim *@*.cnn.com
2632
def_whitelist_from_dkim *@skype.net
2633
def_whitelist_from_dkim *@welcome.skype.com
2634
def_whitelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com
2635
def_whitelist_from_dkim *@cc.yahoo-inc.com
2638
##} if version >= 3.002004 ifplugin Mail::SpamAssassin::Plugin::DKIM _sandbox
2640
##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval _sandbox
2642
ifplugin Mail::SpamAssassin::Plugin::DNSEval
2643
#reuse RCVD_IN_DNSWL_LOW
2644
#reuse RCVD_IN_DNSWL_MED
2645
#reuse RCVD_IN_DNSWL_HI
2647
##} ifplugin Mail::SpamAssassin::Plugin::DNSEval _sandbox
2649
##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags _sandbox
2651
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2652
replace_rules __FRT_GOLD
2653
replace_rules __FRT_SILVER
2654
replace_tag A [gra\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe60o]
2656
replace_tag C [ck\xc7\xe7@]
2657
replace_tag D [d\xd0]
2658
replace_tag E [e3\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]
2662
replace_tag I [ilt|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef]
2665
replace_tag L [il|!1\xa3]
2666
replace_tag M (?:m|rn)
2667
replace_tag N [n\xd1\xf1]
2668
replace_tag O [go0\xd2\xd3\xd4\xd5\xd6\xd8\xf0\xf2\xf3\xf4\xf5\xf6\xf8]
2669
replace_tag P [p\xfe]
2672
replace_tag S [sz\xa6\xa7]
2674
replace_tag U [uv\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]
2675
replace_tag V (?:[vu]|\\\/)
2677
replace_tag X (?:[x\xd7]|><)
2678
replace_tag Y [y\xff\xfd\xa5j]
2680
replace_tag IMG (?:jpe?g|gif|png)
2681
replace_tag SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
2682
replace_tag CUR [\$\xa5\xa3\xa4\xa2]
2683
replace_inter SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
2684
replace_inter W1 \W?
2685
replace_inter W2 \W{0,2}
2686
replace_inter W3 \W{0,3}
2687
replace_post P2 {1,2}
2688
replace_post P3 {1,3}
2689
replace_inter W0 \w?
2690
replace_inter SP2 [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]?
2693
replace_tag S [sz5\xa6\xa7]
2695
replace_tag U2 [u\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]
2696
replace_tag W (?:[wv]|vv)
2697
replace_rules T_FRT_ABSOLUT
2698
replace_rules FRT_ADOBE2
2699
replace_rules T_FRT_ADULT2
2700
replace_rules T_FRT_APPROV
2701
replace_rules T_FRT_BEFORE
2702
replace_rules T_FRT_BELOW2
2703
replace_rules FRT_BIGGERMEM1
2704
replace_rules T_FRT_CANSPAM
2705
replace_rules T_FRT_CLICK
2706
replace_rules T_FRT_COCK
2707
replace_rules T_FRT_CONTACT
2708
replace_rules FRT_DIPLOMA
2709
replace_rules FRT_DISCOUNT
2710
replace_rules FRT_DOLLAR
2711
replace_rules T_FRT_ERECTION
2712
replace_rules T_FRT_ESTABLISH
2713
replace_rules FRT_ESTABLISH2
2714
replace_rules T_FRT_EXPERIENCE
2715
replace_rules T_FRT_FOLLOW1
2716
replace_rules T_FRT_FOLLOW2
2717
replace_rules T_FRT_FREE
2718
replace_rules T_FRT_FRIEND
2719
replace_rules T_FRT_FUCK1
2720
replace_rules FRT_FUCK2
2721
replace_rules FRT_GUARANTEE1
2722
replace_rules T_FRT_HEALTH
2723
replace_rules T_FRT_HOUR
2724
replace_rules T_FRT_INCOME
2725
replace_rules T_FRT_INTEREST
2726
replace_rules FRT_INVESTOR
2727
replace_rules FRT_LEVITRA
2728
replace_rules T_FRT_LITTLE
2729
replace_rules T_FRT_LOLITA1
2730
replace_rules FRT_MEETING
2731
replace_rules FRT_OFFER2
2732
replace_rules FRT_OPPORTUN1
2733
replace_rules FRT_OPPORTUN2
2734
replace_rules T_FRT_PACKAGE
2735
replace_rules T_FRT_PAYMENT
2736
replace_rules FRT_PENIS1
2737
replace_rules T_FRT_PHARMAC
2738
replace_rules T_FRT_POSSIBLE
2739
replace_rules FRT_PRICE
2740
replace_rules T_FRT_PROFILE1
2741
replace_rules T_FRT_PROFILE2
2742
replace_rules T_FRT_PROFIT1
2743
replace_rules T_FRT_PROFIT2
2744
replace_rules T_FRT_PUSSY
2745
replace_rules FRT_REFINANCE1
2746
replace_rules FRT_ROLEX
2747
replace_rules FRT_SEXUAL
2748
replace_rules T_FRT_SLUT
2749
replace_rules FRT_SOMA
2750
replace_rules FRT_SOMA2
2751
replace_rules T_FRT_STOCK1
2752
replace_rules T_FRT_STOCK2
2753
replace_rules FRT_STRONG1
2754
replace_rules FRT_STRONG2
2755
replace_rules FRT_SYMBOL
2756
replace_rules FRT_TODAY2
2757
replace_rules FRT_VALIUM1
2758
replace_rules FRT_VALIUM2
2759
replace_rules T_FRT_VIRGIN1
2760
replace_rules FRT_WEIGHT2
2761
replace_rules FRT_XANAX1
2762
replace_rules FRT_XANAX2
2763
replace_rules T_FUZZY_SPRM
2764
replace_rules FUZZY_MERIDIA
2765
replace_rules TVD_FUZZY_PHARMACEUTICAL
2766
replace_rules TVD_FUZZY_SYMBOL
2767
replace_rules T_TVD_FUZZY_SECURITIES
2768
replace_rules TVD_FUZZY_FINANCE
2769
replace_rules TVD_FUZZY_FIXED_RATE
2770
replace_rules TVD_FUZZY_MICROCAP
2771
replace_rules T_TVD_FUZZY_SECTOR
2772
replace_rules TVD_FUZZY_DEGREE
2773
replace_rules T_LFUZ_PWRMALE
2775
##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags _sandbox
2777
##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL _sandbox
2779
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
2780
#reuse URIBL_RHS_DOB
2781
urirhsbl T_URIBL_RHS_AHBL rhsbl.ahbl.org. A
2783
##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL _sandbox
2785
##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval _sandbox
2787
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2788
def_whitelist_from_rcvd abuse@yahoo.com yahoo.com
2789
def_whitelist_from_rcvd MAILER-DAEMON@yahoo.com yahoo.com
2791
##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval _sandbox
2793
##{ redirector_pattern_sandbox
2794
redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
2795
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
2796
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
2797
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
2798
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
2799
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
2800
redirector_pattern m'^http:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
2801
##} redirector_pattern_sandbox
2804
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2805
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
2807
body __APPROVALFVGT /approval/i
2808
body __BACHELORS /Bachelor/i
2809
body __BIGDOLLARSFVGT /\$\d{2,3},\d{3}/
2810
body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
2811
body __CASHPRZ /cash prize of/
2812
body __CS_WORD /\bC[A-Za-z]{2,4}IS\b/
2814
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2815
mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
2817
header __DATE_700 Date =~ /-0700/
2818
body __DBLCLAIM /avoid double claiming/
2819
body __DIPLOMA /diploma/i
2820
body __DOS_BODY_FRI /\bfri(?:day)?\b/i
2821
body __DOS_BODY_MON /\bmon(?:day)?\b/i
2822
body __DOS_BODY_SAT /\bsat(?:day)?\b/i
2823
body __DOS_BODY_STOCK /\bstock\b/i
2824
body __DOS_BODY_SUN /\bsun(?:day)?\b/i
2825
body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
2826
body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
2827
body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
2828
body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
2829
body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
2830
body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
2831
body __DOS_DROP_ME_A_LINE /Drop me a line at/
2832
body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
2833
body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
2834
uri __DOS_HAS_ANY_URI /./
2835
body __DOS_HEADLINES /\bHeadlines\b/
2836
body __DOS_HI /^Hi,$/
2837
body __DOS_I_AM_25 /I a.?m 25/
2838
body __DOS_I_DRIVE_A /I drive a/
2839
body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
2840
body __DOS_LINK /\blink\b/
2841
body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
2842
body __DOS_MY_OLD_JOB /my old job/
2843
body __DOS_PERSONAL_EMAIL /personal email at/
2844
header __DOS_RCVD_FRI Received =~ / Fri, /
2845
header __DOS_RCVD_MON Received =~ / Mon, /
2846
header __DOS_RCVD_SAT Received =~ / Sat, /
2847
header __DOS_RCVD_SUN Received =~ / Sun, /
2848
header __DOS_RCVD_THU Received =~ / Thu, /
2849
header __DOS_RCVD_TUE Received =~ / Tue, /
2850
header __DOS_RCVD_WED Received =~ / Wed, /
2851
meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
2852
meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
2853
meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
2854
header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
2855
body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
2856
body __DOS_STRONG_CF /\bstrong cash flow/i
2857
body __DOS_SYMBOL_4 /\bSymbol [A-Z]{4}\b/
2858
body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
2859
body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
2860
header __EXCLAIM_SUBJ Subject =~ /\!/
2861
body __FB_BA /\bBA\b/
2862
body __FB_BCs /\bBSc\b/
2863
body __FB_BRAND_NAME /brand name/i
2864
body __FB_C_HTTP_WORD m'c[il1]a[a-z]{2,7}\shttp://'i
2865
body __FB_DESIGNER /designer/i
2866
body __FB_GAME /game/i
2867
body __FB_GLASHUTE /Glashute/
2868
body __FB_HANDBAGS /handbags/i
2869
body __FB_HOTTEST /hottest/i
2870
body __FB_INK_PEN /ink pen/i
2871
body __FB_LUX_GIFTS /Luxury (?:\w+\s)?Gifts/i
2872
body __FB_MA /\bMA\b/
2873
body __FB_MBA /\bMBA\b/
2874
body __FB_NUM_PERCNT /\d\s?\%/
2875
body __FB_OMEGA /Omega/i
2876
body __FB_PH_SPACE_HTTP m'PH[A-Za-z]{6,10}\b.{3,29}\shttp://'
2877
body __FB_PICK /\bpick\b/i
2878
body __FB_PROJECTED /projected/i
2879
body __FB_P_ALLNIGHT /all night!/i
2880
body __FB_P_TRUELOVE /true love/i
2881
body __FB_ROLEX_MEN /Rolex Men/i
2882
body __FB_ROLEX_WMEN /Rolex Lady/i
2883
body __FB_S_PRICE /Pri{1,2}c[a-z]?e/i
2884
body __FB_S_STOCK /Stock/i
2885
body __FB_S_SYMBOL /Symb?o?l?:\s?[A-Z_,\.-]{4,8}/i
2886
body __FB_TIMEPIECE /timepiece/i
2887
meta __FB_VIA_URL_SPEC1 (__FB_C_HTTP_WORD || __FB_V_HTTP_WORD || __FB_V_SPACE_HTTP || __FB_PH_SPACE_HTTP)
2888
body __FB_V_HTTP_WORD m'v[il1]a[a-z]{2,7}\shttp://'i
2889
body __FB_V_SPACE_HTTP m'\bv[a-z01 ]{0,3}a.{5,25}http://'i
2890
body __FB_WALLETS /wallets/i
2891
header __FHELO_VERIZON X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+verizon\.net /i
2892
header __FHOST_VERIZON X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+verizon\.net /i
2893
header __FH_FRM_53 From =~ /\@53\.com/i
2894
header __FH_HAS_XMSMAIL exists:X-MSMail-Priority
2895
header __FH_HAS_XPRIORITY exists:X-Priority
2896
header __FH_MSGID_00001C MESSAGEID =~ /^<000001c/
2897
header __FH_MSGID_01C7 MESSAGEID =~ /^<0{1,5}1c7/
2898
header __FH_MSG_53 MESSAGEID =~ /\@53\.com/i
2899
header __FH_RCV_53 Received =~ /\.53\.com/i
2900
body __FIXED_RATEFVGT /fixed rate/i
2901
meta __FM_MORTGAGE4PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 3)
2902
meta __FM_MORTGAGE5PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 4)
2903
meta __FM_MORTGAGE6PLUS ((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 5)
2904
meta __FM_MY_PRICE (__FB_S_PRICE || FRT_PRICE)
2905
meta __FM_STOCK_WORDS (__FB_HOTTEST || __FB_PICK || __FB_PROJECTED)
2906
header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
2907
header __FROM_LEFT_BRACK From:name =~ /</
2908
header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
2909
header __FROM_RIGH_BRACK From:name =~ />/
2910
header __FROM_VEGAS From =~ /Vegas/i
2911
header __FS_SUBJ_RE Subject =~ /^Re: /
2912
header __FS_S_TRADE Subject =~ /\btrade\b/i
2914
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2915
mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
2917
body __HAS_ANY_EMAIL /\w@\S+\.\w/
2918
uri __HAS_ANY_URI /./
2919
header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
2920
header __HELO_NO_DOMAIN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^\.]+ /
2921
body __HOMELOANFVGT /home loan/i
2922
header __HOST_HOTMAIL X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /
2923
header __HOTMAILCOM X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=hotmail\.com /i
2924
header __HS_SUBJ_UC_FW Subject =~ /^FW:/
2925
body __KAM_LOTTO1 /(e-?mail address (have emerged a winner|has won|attached to (ticket|reference)|was one of the ten winners)|random selection in our computerized email selection system)/is
2926
body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
2927
body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling)/is
2928
body __KAM_LOTTO4 /(claims (officer|agent)|lottery coordinator|fiduciary (officer|agent)|fiduaciary claims)/is
2929
body __KAM_LOTTO5 /(freelotto group|Royal Heritage Lottery|UK National (Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery)/is
2930
body __KAM_LOTTO6 /(Dear Lucky Winner|Winning Notification|Attention:Winner|Dear Winner)/is
2931
header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|(Attention:|ONLINE) WINNER)/i
2932
uri __LOANURIFVGT /\bloa.?ns?\b/i
2933
header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
2934
header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
2935
header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
2936
body __MASTERS /Masters/i
2938
header __MID_START_001C Message-ID =~ /^<000001c/
2939
header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
2940
header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
2941
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
2942
uri __MORTURIFVGT /\bmor.?t\b/i
2943
header __MO_OL_015D5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2905/
2944
header __MO_OL_07794 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
2945
header __MO_OL_09BB4 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3155\.0/
2946
header __MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/
2947
header __MO_OL_20C99 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3338\.1/
2948
header __MO_OL_22B61 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
2949
header __MO_OL_25340 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
2950
header __MO_OL_32D97 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V9\.0\.2416/
2951
header __MO_OL_3857F X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1409/
2952
header __MO_OL_3AC1D X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.00\.2919\.6700/
2953
header __MO_OL_3D61D X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.2244\.8/
2954
header __MO_OL_465CD X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1506/
2955
header __MO_OL_4B815 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.2730\.2/
2956
header __MO_OL_4BF4C X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4522\.1200/
2957
header __MO_OL_4EEDB X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
2958
header __MO_OL_4F240 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
2959
header __MO_OL_58CB5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4133\.2400/
2960
header __MO_OL_5B79A X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.3790\.1830/
2961
header __MO_OL_6554A X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2905/
2962
header __MO_OL_72641 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1441/
2963
header __MO_OL_7533E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
2964
header __MO_OL_812FF X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4927\.1200/
2965
header __MO_OL_83BF7 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3110\.3/
2966
header __MO_OL_8627E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
2967
header __MO_OL_8E893 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V10\.0\.2616/
2968
header __MO_OL_91287 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
2969
header __MO_OL_9B90B X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.1700/
2970
header __MO_OL_A50F8 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4922\.1500/
2971
header __MO_OL_A842E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1441/
2972
header __MO_OL_ADFF7 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
2973
header __MO_OL_B30D1 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
2974
header __MO_OL_B4B40 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4133\.2400/
2975
header __MO_OL_B9B11 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2462\.0000/
2976
header __MO_OL_BC7E6 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4927\.1200/
2977
header __MO_OL_C65FA X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.1700/
2978
header __MO_OL_CAC8F X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.1712\.3/
2979
header __MO_OL_CF0C0 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
2980
header __MO_OL_EF20B X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2180/
2981
header __MO_OL_EF222 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2873/
2982
header __MO_OL_F3B05 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
2983
header __MO_OL_F475E X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2741\.2600/
2984
header __MO_OL_F6D01 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4522\.1200/
2985
header __MO_OL_FF5C8 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2741\.2600/
2986
header __MSGID_VGA Message-ID =~ /^<000001c[67]/
2987
header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
2988
header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
2989
meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
2991
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2992
mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
2995
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2996
mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
2999
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3000
mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
3003
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3004
mimeheader __PART_STOCK_CL Content-Location =~ /./
3007
body __PREAPPROVEDFVGT /pre-approved/i
3009
ifplugin Mail::SpamAssassin::Plugin::DNSEval
3010
header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
3011
tflags __RCVD_IN_DNSWL nice net
3013
meta __SEX_WRDS (__WORD_SEX || __WORD_CUM || __WORD_SPERM || __WORD_SLUTS || __WORD_RAPED)
3014
header __SUBJ_3DIGIT Subject =~ /\b\d{3}[^0-9]/
3015
header __SUBJ_APPROVE Subject =~ /Approve/i
3016
header __SUBJ_RE Subject =~ /^R[eE]:/
3017
header __SUBJ_RE_NUM Subject =~ /^\s*Re\[\d+\]:/i
3018
header __SUBJ_VEGAS Subject =~ /(?:Vegas|Casino)/i
3019
header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
3020
header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
3021
header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
3022
header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
3023
header __TT_VALIUM Subject =~ /VALIUM/i
3024
header __TT_VIAGRA Subject =~ /VIAGRA/i
3025
header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
3026
header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
3027
header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
3028
header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
3029
header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
3030
header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
3031
header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
3032
header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
3033
header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
3034
header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
3035
header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
3036
header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
3037
header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
3038
header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
3039
header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
3040
header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
3041
header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
3042
header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
3043
header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
3044
header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
3045
header __UA_GNUS User-Agent =~ /^Gnus/
3046
header __UA_KNODE User-Agent =~ /^KNode/
3047
header __UA_MUTT User-Agent =~ /^Mutt/
3048
header __UA_PAN User-Agent =~ /^Pan/
3049
header __UA_XNEWS User-Agent =~ /^Xnews/
3050
body __VA_WORD /\bV[A-Za-z]{2,4}RA\b/
3051
body __VM_WORD /\bV[A-Za-z]{2,5}UM\b/
3052
body __WORD_CUM /\bcum\b/i
3053
body __WORD_RAPED /\braped?\b/i
3054
body __WORD_SEX /\bsex(?:iest|y)?\b/i
3055
body __WORD_SLUTS /\bsluts?\b/i
3056
body __WORD_SPERM /\bsperm\b/i
3057
header __XM_GNUS X-Mailer =~ /^Gnus v/
3058
header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
3059
header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
3060
header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
3061
header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
3062
header __XM_OL_015D5 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3063
header __XM_OL_07794 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3064
header __XM_OL_09BB4 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3155\.0/
3065
header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
3066
header __XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/
3067
header __XM_OL_20C99 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3338\.1/
3068
header __XM_OL_22B61 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1158/
3069
header __XM_OL_25340 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3070
header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
3071
header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
3072
header __XM_OL_32D97 X-Mailer =~ /Microsoft\ Outlook\ IMO\,\ Build\ 9\.0\.2416\ \(9\.0\.2910\.0\)/
3073
header __XM_OL_3857F X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3074
header __XM_OL_3AC1D X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.00\.2919\.6700/
3075
header __XM_OL_3D61D X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.2244\.8/
3076
header __XM_OL_465CD X-Mailer =~ /Microsoft\ Outlook\,\ Build\ 10\.0\.3416/
3077
header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
3078
header __XM_OL_4B815 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.2730\.2/
3079
header __XM_OL_4BF4C X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3080
header __XM_OL_4EEDB X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3081
header __XM_OL_4F240 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3082
header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
3083
header __XM_OL_58CB5 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3084
header __XM_OL_5B79A X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3085
header __XM_OL_6554A X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3086
header __XM_OL_72641 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1441/
3087
header __XM_OL_7533E X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4963\.1700/
3088
header __XM_OL_812FF X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3089
header __XM_OL_83BF7 X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3110\.3/
3090
header __XM_OL_8627E X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1437/
3091
header __XM_OL_8E893 X-Mailer =~ /Microsoft\ Outlook\,\ Build\ 10\.0\.2616/
3092
header __XM_OL_91287 X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4807\.2300/
3093
header __XM_OL_9B90B X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3094
header __XM_OL_A50F8 X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4922\.1500/
3095
header __XM_OL_A842E X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1158/
3096
header __XM_OL_ADFF7 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3097
header __XM_OL_B30D1 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3098
header __XM_OL_B4B40 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3099
header __XM_OL_B9B11 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2462\.0000/
3100
header __XM_OL_BC7E6 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3101
header __XM_OL_C65FA X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3102
header __XM_OL_CAC8F X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.1712\.3/
3103
header __XM_OL_CF0C0 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3104
header __XM_OL_EF20B X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1478/
3105
header __XM_OL_EF222 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2900\.2873/
3106
header __XM_OL_F3B05 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3107
header __XM_OL_F475E X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3108
header __XM_OL_F6D01 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
3109
header __XM_OL_FF5C8 X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
3110
header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
3111
header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
3112
header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
3113
body __YOUR_ACCOUNT /your account/i
3114
body __YOUR_CREDITFVGT /your credit/i