# SpamAssassin rules file # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
#
#
###########################################################################

require_version 3.003001

# Advance-fee ("419") fraud meta rules.
# Each rule below fires when the "__" subrule of the same name hits and none of
# the negated exclusion subrules hit. The "__" subrules are not defined in this
# part of the file. The _2_ and _3_ tiers carry exclusion lists; most _4_ and
# _5_ tier rules reference the subrule alone.
# NOTE(review): "tflags ... publish" appears to mark a rule for publication by
# the rule-update tooling rather than to change matching -- confirm in
# 'perldoc Mail::SpamAssassin::Conf'.

##{ ADVANCE_FEE_2_NEW_FORM
meta ADVANCE_FEE_2_NEW_FORM __ADVANCE_FEE_2_NEW_FORM && !__COMMENT_EXISTS && !__THREADED && !__HTML_LINK_IMAGE && !__HDRS_LCASE
describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_2_NEW_FORM publish
##} ADVANCE_FEE_2_NEW_FORM

##{ ADVANCE_FEE_2_NEW_FRM_MNY
meta ADVANCE_FEE_2_NEW_FRM_MNY __ADVANCE_FEE_2_NEW_FRM_MNY && !__HTML_LINK_IMAGE && !__HDRS_LCASE
describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_2_NEW_FRM_MNY

##{ ADVANCE_FEE_2_NEW_MONEY
# Longest exclusion list of the family: list-unsubscribe, mailing-list and
# HTML-structure subrules all suppress the hit.
meta ADVANCE_FEE_2_NEW_MONEY __ADVANCE_FEE_2_NEW_MONEY && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_CENTER && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__NAME_EQ_EMAIL
describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_2_NEW_MONEY publish
##} ADVANCE_FEE_2_NEW_MONEY

##{ ADVANCE_FEE_3_NEW
meta ADVANCE_FEE_3_NEW __ADVANCE_FEE_3_NEW && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__UNSUB_LINK
describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
tflags ADVANCE_FEE_3_NEW publish
##} ADVANCE_FEE_3_NEW

##{ ADVANCE_FEE_3_NEW_FORM
meta ADVANCE_FEE_3_NEW_FORM __ADVANCE_FEE_3_NEW_FORM && !__HTML_LINK_IMAGE
describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
tflags ADVANCE_FEE_3_NEW_FORM publish
##} ADVANCE_FEE_3_NEW_FORM

##{ ADVANCE_FEE_3_NEW_FRM_MNY
meta ADVANCE_FEE_3_NEW_FRM_MNY __ADVANCE_FEE_3_NEW_FRM_MNY && !__HTML_LINK_IMAGE
describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_3_NEW_FRM_MNY

##{ ADVANCE_FEE_3_NEW_MONEY
meta ADVANCE_FEE_3_NEW_MONEY __ADVANCE_FEE_3_NEW_MONEY && !__HTML_LINK_IMAGE
describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
tflags ADVANCE_FEE_3_NEW_MONEY publish
##} ADVANCE_FEE_3_NEW_MONEY

##{ ADVANCE_FEE_4_NEW
meta ADVANCE_FEE_4_NEW __ADVANCE_FEE_4_NEW
describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
tflags ADVANCE_FEE_4_NEW publish
##} ADVANCE_FEE_4_NEW

##{ ADVANCE_FEE_4_NEW_FORM
meta ADVANCE_FEE_4_NEW_FORM __ADVANCE_FEE_4_NEW_FORM
describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
##} ADVANCE_FEE_4_NEW_FORM

##{ ADVANCE_FEE_4_NEW_FRM_MNY
meta ADVANCE_FEE_4_NEW_FRM_MNY __ADVANCE_FEE_4_NEW_FRM_MNY
describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_4_NEW_FRM_MNY

##{ ADVANCE_FEE_4_NEW_MONEY
meta ADVANCE_FEE_4_NEW_MONEY __ADVANCE_FEE_4_NEW_MONEY && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER
describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
##} ADVANCE_FEE_4_NEW_MONEY

##{ ADVANCE_FEE_5_NEW
meta ADVANCE_FEE_5_NEW __ADVANCE_FEE_5_NEW
describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
##} ADVANCE_FEE_5_NEW

##{ ADVANCE_FEE_5_NEW_FORM
meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
##} ADVANCE_FEE_5_NEW_FORM

##{ ADVANCE_FEE_5_NEW_FRM_MNY
meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
##} ADVANCE_FEE_5_NEW_FRM_MNY

##{ ADVANCE_FEE_5_NEW_MONEY
meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY
describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
##} ADVANCE_FEE_5_NEW_MONEY

# The "##{ NAME <condition>" / "##} NAME <condition>" marker comments repeat the
# guard condition; only the bare "if ..." line and the single "endif" between
# them are live directives.
##{ ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
describe ANY_PILL_PRICE Prices for pills
endif
##} ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ APOSTROPHE_FROM
# Matches any apostrophe in the From address. Apostrophes are legal in the
# local part of an address (e.g. names like O'Brien), so this is a weak signal
# on its own.
header APOSTROPHE_FROM From:addr =~ /'/
describe APOSTROPHE_FROM From address contains an apostrophe
##} APOSTROPHE_FROM

##{ AXB_SSCECCF
# Mixed header, body, MIME and meta rules (AXB_* through FB_CIALIS_LEO3).
# No active "score" lines appear in this part of the file; the only score
# entries are commented out. Rules that test X-Spam-Relays-External read the
# relay list SpamAssassin derives from Received headers, so their accuracy
# depends on trusted_networks / internal_networks being configured correctly.
rawbody AXB_SSCECCF /\bSandboxScopeClass ExternalClass\b/
describe AXB_SSCECCF unidentified fingerprint
##} AXB_SSCECCF

##{ AXB_XRCVD_APACHE_CTRIP
header AXB_XRCVD_APACHE_CTRIP Received =~ /\bfrom apache by ctrip\.com\b/i
describe AXB_XRCVD_APACHE_CTRIP possibly forged ctrip sender - apache
##} AXB_XRCVD_APACHE_CTRIP

##{ BANKING_LAWS
body BANKING_LAWS /banking laws/i
describe BANKING_LAWS Talks about banking laws
##} BANKING_LAWS

##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
endif
##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_79_INF eval:check_base64_length('79')
endif
##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ BUG6152_INVALID_DATE_TZ_ABSURD
# Fires on a signed four-digit group whose hour part is not 00-14 or whose
# minute part is not 00, 15, 30 or 45. The rule has no describe line.
header BUG6152_INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/
##} BUG6152_INVALID_DATE_TZ_ABSURD

##{ CN_B2B_SPAMMER
body CN_B2B_SPAMMER /We are (?:a )?China[-\s]based/i
describe CN_B2B_SPAMMER Chinese company introducing itself
##} CN_B2B_SPAMMER

##{ CORRUPT_FROM_LINE_IN_HDRS
# Informational rule; the suggested 0.001 score below is commented out.
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
##} CORRUPT_FROM_LINE_IN_HDRS

##{ CTYPE_001C_A
# Constant-false meta: kept as a placeholder so the rule name still exists.
meta CTYPE_001C_A (0) # obsolete
##} CTYPE_001C_A

##{ CTYPE_001C_B
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
##} CTYPE_001C_B

##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Matches the raw (unfolded-as-sent) part header: "image/gif;" followed by a
# newline and exactly eight spaces before name="...".
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
endif
##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta CTYPE_NULL __CTYPE_NULL
describe CTYPE_NULL Malformed Content-Type header
endif
##} CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ CURR_PRICE
body CURR_PRICE /\bCurrent Price:/
##} CURR_PRICE

##{ DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# NOTE(review): the arguments read as hours (96 h = 4 days, 2920 h is roughly
# 4 months), which agrees with the description -- confirm against the
# HeaderEval plugin documentation.
header DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
describe DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
endif
##} DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval

##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# 'undef' as the second argument leaves the range open-ended per the description.
header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
endif
##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval

##{ DEAR_BENEFICIARY
# Salutation at the start of a body line: "Dear ..." or "Attention:/Attn:",
# an optional single word, then "Beneficiary" (also the "Benificiary" spelling).
body DEAR_BENEFICIARY /^\s?(?:Dear\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
describe DEAR_BENEFICIARY Dear Beneficiary:
##} DEAR_BENEFICIARY

##{ DEAR_EMAIL
body DEAR_EMAIL /^\s*Dear\b.{0,70}\w\@\w/i
describe DEAR_EMAIL Message contains Dear email address
#score DEAR_EMAIL 1.5 # 20090424
##} DEAR_EMAIL

##{ DEAR_WINNER
body DEAR_WINNER /\bdear.{1,20}winner/i
##} DEAR_WINNER

##{ DG_SPAMMER_EMAIL_F
# Case-sensitive: only all-lowercase word.word@sub.domain.tld shapes match.
header DG_SPAMMER_EMAIL_F From =~ /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
##} DG_SPAMMER_EMAIL_F

##{ DOS_ANAL_SPAM_MAILER
header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
tflags DOS_ANAL_SPAM_MAILER publish
##} DOS_ANAL_SPAM_MAILER

##{ DOS_FIX_MY_URI
meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
##} DOS_FIX_MY_URI

##{ DOS_HIGH_BAT_TO_MX
meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
##} DOS_HIGH_BAT_TO_MX

##{ DOS_LET_GO_JOB
meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
##} DOS_LET_GO_JOB

##{ DOS_OE_TO_MX
# Mutually exclusive with DOS_OE_TO_MX_IMAGE (defined next): this one covers
# the no-image case.
meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
describe DOS_OE_TO_MX Delivered direct to MX with OE headers
##} DOS_OE_TO_MX

##{ DOS_OE_TO_MX_IMAGE
meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
##} DOS_OE_TO_MX_IMAGE

##{ DOS_OUTLOOK_TO_MX
# T_DOS_OUTLOOK_TO_MX_IMAGE is not defined in this part of the file.
meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
##} DOS_OUTLOOK_TO_MX

##{ DOS_RCVD_IP_TWICE_C
# Two relay entries in total: the \1 back-reference requires the second entry's
# ip to equal the first, (?!127) skips loopback, and the first entry's helo is
# either empty or an IP wrapped in "!".
header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
##} DOS_RCVD_IP_TWICE_C

##{ DOS_STOCK_BAT
meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
describe DOS_STOCK_BAT Probable pump and dump stock spam
##} DOS_STOCK_BAT

##{ DOS_STOCK_BAT2
# Arithmetic meta: the three subrule values must sum to more than 2, on top of
# DOS_STOCK_BAT itself hitting.
meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
##} DOS_STOCK_BAT2

##{ DOS_URI_ASTERISK
# http(s) URI whose host part (before any ":" or "/") contains a literal "*"
# immediately before the final label(s).
uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
describe DOS_URI_ASTERISK Found an asterisk in a URI
##} DOS_URI_ASTERISK

##{ DOS_YOUR_PLACE
meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
describe DOS_YOUR_PLACE Russian dating spam
##} DOS_YOUR_PLACE

##{ DRUGS_HDIA
header DRUGS_HDIA Subject =~ /\bhoodia\b/i
##} DRUGS_HDIA

##{ DRUGS_STOCK_MIMEOLE
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
##} DRUGS_STOCK_MIMEOLE

##{ DYN_RDNS_AND_INLINE_IMAGE
meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
##} DYN_RDNS_AND_INLINE_IMAGE

##{ DYN_RDNS_SHORT_HELO_HTML
meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
##} DYN_RDNS_SHORT_HELO_HTML

##{ DYN_RDNS_SHORT_HELO_IMAGE
meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
##} DYN_RDNS_SHORT_HELO_IMAGE

##{ END_FUTURE_EMAILS
body END_FUTURE_EMAILS /\bend future (?:email|alert)s?\b/i
describe END_FUTURE_EMAILS Pump-and-dump unsubscribe
##} END_FUTURE_EMAILS

##{ FAKE_REPLY_C
meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
##} FAKE_REPLY_C

##{ FB_ADD_INCHES
body FB_ADD_INCHES /(?:add|gain) inches/i
describe FB_ADD_INCHES Add / Gain inches
##} FB_ADD_INCHES

##{ FB_ALMOST_SEX
body FB_ALMOST_SEX /\b[b-z]sex+\b/i
describe FB_ALMOST_SEX It's almost sex, but not!
##} FB_ALMOST_SEX

##{ FB_ANA_TRIM
body FB_ANA_TRIM /Ana[^a-z]trim/i
describe FB_ANA_TRIM Broken AnaTrim phrase.
##} FB_ANA_TRIM

##{ FB_ANUI
body FB_ANUI /A[-_\.]U[-_\.]N[-_\.]I/i
describe FB_ANUI Phrase: A_U_N_I
##} FB_ANUI

##{ FB_BILLI0N
body FB_BILLI0N /[BM][I1]LL[I1]0N/i
describe FB_BILLI0N Phrase: [BM]Illi0n
##} FB_BILLI0N

##{ FB_C0MPANY
body FB_C0MPANY /c0mpany/i
describe FB_C0MPANY Phrase: C0mpany
##} FB_C0MPANY

##{ FB_CAN_LONGER
body FB_CAN_LONGER /can last longer/i
describe FB_CAN_LONGER Phrase: can last longer
##} FB_CAN_LONGER

##{ FB_CIALIS_LEO3
# Case-sensitive. The negative lookahead after "C" excludes the all-caps
# spelling and three unrelated words; optional spaces and filler letters are
# allowed between the look-alike characters.
body FB_CIALIS_LEO3 /\bC(?!IALIS|eibal|laim|laritas)\s?[a-z]?\s?[Iitl1\\\/]\s?[a-z]?\s?[Aa]\s?[a-z]?\s?[LIl1\\\/]\s?[a-z]?\s?[ilIt1\\\/]\s?[a-z]?\s?[Ss]\b/
describe FB_CIALIS_LEO3 Uses a mis-spelled version of cialis.
# FB_* body rules: single phrases and character-substitution ("0" for "o",
# "O" for "0", "1" or "|" for "l") patterns. Each matches one short string, so
# each is a weak indicator by itself; no score lines for them appear in this
# part of the file. Rules without the /i flag are case-sensitive.
##} FB_CIALIS_LEO3

##{ FB_DOUBLE_0WORDS
body FB_DOUBLE_0WORDS /\b[a-z]{1,5}0[a-z]{3,9}\s[a-z]{1,5}0[a-z]{3,9}\b/i
describe FB_DOUBLE_0WORDS Looks like double 0 words
##} FB_DOUBLE_0WORDS

##{ FB_EMAIL_HIER
body FB_EMAIL_HIER /email hier/i
describe FB_EMAIL_HIER Phrase: email hier
##} FB_EMAIL_HIER

##{ FB_EXTRA_INCHES
body FB_EXTRA_INCHES /extra inches/
describe FB_EXTRA_INCHES Phrase: extra inches
##} FB_EXTRA_INCHES

##{ FB_FAKE_NUMBERS
# Dollar amount where a capital/lowercase letter O stands in for a zero,
# followed by M, B or T.
body FB_FAKE_NUMBERS /\$\d\d?O\s*[MBT]/i
describe FB_FAKE_NUMBERS Looks like numbers with O's insted of 0's
##} FB_FAKE_NUMBERS

##{ FB_FAKE_NUMS4
body FB_FAKE_NUMS4 /(?:\b|\b\d)\d,?\d,?OO(?:\b|\d\b)/
describe FB_FAKE_NUMS4 Looks like fake numbers (4)
##} FB_FAKE_NUMS4

##{ FB_FHARMACY
# The pattern is "Fharmacy"; the description text spells it "Farmacy".
body FB_FHARMACY /Fharmacy/i
describe FB_FHARMACY Phrase: Farmacy
##} FB_FHARMACY

##{ FB_FORWARD_LOOK
# The leading negative lookahead (also under /i) rejects the correctly spelled
# phrase, so only variants with at least one zero match.
body FB_FORWARD_LOOK /(?!forward look)f[o0]rward l[0o][0o]k/i
describe FB_FORWARD_LOOK Phrase: forward look with 0's
##} FB_FORWARD_LOOK

##{ FB_GAPPY_ADDRESS
body FB_GAPPY_ADDRESS /(?:[a-z] ){8}, (?:[a-z0-9] ){4}/i
describe FB_GAPPY_ADDRESS Too much spacing in Address
##} FB_GAPPY_ADDRESS

##{ FB_GET_MEDS
body FB_GET_MEDS /(?:place f[o0]r|[0o]rder|get\s?(?:y[o0]ur)?|online|quality).{1,7}med[isz][^a]/i
describe FB_GET_MEDS Looks like trying to sell meds
##} FB_GET_MEDS

##{ FB_GREAT_BEST_SEX
body FB_GREAT_BEST_SEX /(?:greater|best|Improved) sex/i
describe FB_GREAT_BEST_SEX Phrase: greater, best, improved sex
##} FB_GREAT_BEST_SEX

##{ FB_GVR
body FB_GVR /(?:pef-rx|vigrex-ds|gsc-100|vp-rx|gv-promax|phentermine|adipex|xenical)/i
describe FB_GVR Looks like generic viagra
##} FB_GVR

##{ FB_HEY_BRO_COMMA
# The trailing space before the closing "/" is part of the pattern.
body FB_HEY_BRO_COMMA /Hey bro, /
describe FB_HEY_BRO_COMMA Phrase hey bro,
##} FB_HEY_BRO_COMMA

##{ FB_HG_H_CAP
body FB_HG_H_CAP /\bHGH\b/
describe FB_HG_H_CAP Phrase: HGH
##} FB_HG_H_CAP

##{ FB_HOMELOAN
body FB_HOMELOAN /\$\d{3},\d{3} home loan/i
describe FB_HOMELOAN Phrase $x home loan
##} FB_HOMELOAN

##{ FB_IMPRESS_GIRL
body FB_IMPRESS_GIRL /\bimpress .{0,5}girl\b/
describe FB_IMPRESS_GIRL Phrase: impress ... girl
##} FB_IMPRESS_GIRL

##{ FB_INCREASE_YOUR
body FB_INCREASE_YOUR /Increase your energy/i
describe FB_INCREASE_YOUR Phrase: Increase your energy
##} FB_INCREASE_YOUR

##{ FB_INDEPEND_RWD
body FB_INDEPEND_RWD /independent reward/i
describe FB_INDEPEND_RWD Phrase: independent reward
##} FB_INDEPEND_RWD

##{ FB_L0AN
body FB_L0AN /\bl0ans?\b/i
describe FB_L0AN Phrase: L0an
##} FB_L0AN

##{ FB_LETTERS_21B
body FB_LETTERS_21B /-- [a-z]{21}/
describe FB_LETTERS_21B Special people leave special signs!
##} FB_LETTERS_21B

##{ FB_LOSE_WEIGHT_CAP
body FB_LOSE_WEIGHT_CAP /LOSE WEIGHT/
describe FB_LOSE_WEIGHT_CAP Phrase: LOSE WEIGHT
##} FB_LOSE_WEIGHT_CAP

##{ FB_LOWER_PAYM
body FB_LOWER_PAYM /lower your monthly payments/i
describe FB_LOWER_PAYM Phrase: lower your monthly payments
##} FB_LOWER_PAYM

##{ FB_MORE_SIZE
body FB_MORE_SIZE /\bmore size\b/
describe FB_MORE_SIZE Phrase: more size
##} FB_MORE_SIZE

##{ FB_NOT_PHONE_NUM1
# NOTE(review): the lookahead (?!\d{3}) is evaluated at the leading "8", so any
# all-digit prefix (866, 877, 888, 800) is rejected; only prefixes containing a
# letter "o" can pass, which would make the 66|77|88 alternatives unreachable.
# Confirm whether that is intended.
body FB_NOT_PHONE_NUM1 /(?!\d{3})8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]/i
describe FB_NOT_PHONE_NUM1 Looks like a fake phone number (1)
##} FB_NOT_PHONE_NUM1

##{ FB_NOT_PHONE_NUM3
# The last four characters must include at least one of O, I or L: an
# all-digit group is rejected by (?!\d{4}).
body FB_NOT_PHONE_NUM3 /8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]{1,3}(?!\d{4})[OIL0-9]{4}/i
describe FB_NOT_PHONE_NUM3 Looks like a fake phone number (3)
##} FB_NOT_PHONE_NUM3

##{ FB_NOT_SCHOOL
# The lookahead rejects the correct spelling; only substituted variants match.
body FB_NOT_SCHOOL /(?!school)[\$s5]ch[o0][o0][il1\|]/i
describe FB_NOT_SCHOOL Looks like school but it's not!
##} FB_NOT_SCHOOL

##{ FB_NOT_SEXUAL
# Case-sensitive: any character other than "S"/"s" directly before "exual".
body FB_NOT_SEXUAL /[^Ss]exual/
describe FB_NOT_SEXUAL Almost Sexual but not.
##} FB_NOT_SEXUAL

##{ FB_NUMYO
body FB_NUMYO /1[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
describe FB_NUMYO Speaks of teenager.
##} FB_NUMYO

##{ FB_NUMYO2
body FB_NUMYO2 /2[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
describe FB_NUMYO2 Speaks of 20+ year old.
##} FB_NUMYO2

##{ FB_ODD_SPACED_MONEY
body FB_ODD_SPACED_MONEY /\$\d\s,\s\d\d/
describe FB_ODD_SPACED_MONEY Looks like money but has odd spacing.
# FB_* body phrase rules (FB_ONIINE through FB_SAVE_PERSC). Each matches one
# short phrase or a character-substituted spelling of it; rules without /i are
# case-sensitive. No score lines for them appear in this part of the file.
##} FB_ODD_SPACED_MONEY

##{ FB_ONIINE
body FB_ONIINE /oniine/i
describe FB_ONIINE Mis-spelled online
##} FB_ONIINE

##{ FB_P1LL
body FB_P1LL /\bp1ll/i
describe FB_P1LL Phrase: p1ll
##} FB_P1LL

##{ FB_PENIS_GROWTH
body FB_PENIS_GROWTH /pen[i1]s grow(?:th)?/i
describe FB_PENIS_GROWTH Phrase: penis growth
##} FB_PENIS_GROWTH

##{ FB_PIPEDOLLAR
# Inside a character class "|" is a literal pipe, so [1|li] means one of
# "1", "|", "l" or "i". The lookahead rejects the correct spelling.
body FB_PIPEDOLLAR /(?!dollar)d[o0][1|li][1|li]ar/i
describe FB_PIPEDOLLAR Phrase: Dollar, with pipes or 0's.
##} FB_PIPEDOLLAR

##{ FB_PIPE_ILLION
# Same literal-pipe character classes as FB_PIPEDOLLAR; the lookahead rejects
# the plain "illion" spelling.
body FB_PIPE_ILLION /(?!illion)i[l|][l|][i|][o0]n/i
describe FB_PIPE_ILLION Looks like illion, but it's not
##} FB_PIPE_ILLION

##{ FB_PROLONGED_HARD
body FB_PROLONGED_HARD /(?:prolonged|increased) hardness/i
describe FB_PROLONGED_HARD Talks about prolonged hardness
##} FB_PROLONGED_HARD

##{ FB_QUALITY_REPLICA
body FB_QUALITY_REPLICA /quality replica/i
describe FB_QUALITY_REPLICA Phrase: quality replica
##} FB_QUALITY_REPLICA

##{ FB_REF_CODE_SPACE
body FB_REF_CODE_SPACE /r e f c o d e/i
describe FB_REF_CODE_SPACE Refcode with spacing
##} FB_REF_CODE_SPACE

##{ FB_REPLICA_ROLEX
body FB_REPLICA_ROLEX /replica rolex/i
describe FB_REPLICA_ROLEX Phrase: Replica Rolex
##} FB_REPLICA_ROLEX

##{ FB_REPLIC_CAP
body FB_REPLIC_CAP /REPLICAS?\b/
describe FB_REPLIC_CAP Phrase: REPLICA
##} FB_REPLIC_CAP

##{ FB_RE_FI
# "re" and "fi" separated by exactly one character that is not a lowercase letter.
body FB_RE_FI /\bre[^a-z]fi\b/
describe FB_RE_FI Looks like refi.
##} FB_RE_FI

##{ FB_ROLLER_IS_T
body FB_ROLLER_IS_T /Roller is th/i
describe FB_ROLLER_IS_T Phrase: Roller is th
##} FB_ROLLER_IS_T

##{ FB_ROLX
body FB_ROLX /\brolx\b/i
describe FB_ROLX Phrase: rolx
##} FB_ROLX

##{ FB_SAVE_PERSC
# [re][re] accepts "pre", "per" and the doubled forms, covering the common
# "perscription" misspelling.
body FB_SAVE_PERSC /sav(?:e|ing).{1,45}p[re][re]scr[i1]pt[i1][o0]n/i
describe FB_SAVE_PERSC Phrase: save ... prescription.
# Remaining FB_* body phrase rules, followed by the first FH_* header rules.
# No score lines for these rules appear in this part of the file.
##} FB_SAVE_PERSC

##{ FB_SOFTTABS
body FB_SOFTTABS /\bsoft\s?t?abs\b/i
describe FB_SOFTTABS Phrase: Softabs
##} FB_SOFTTABS

##{ FB_SPACED_FREE
body FB_SPACED_FREE /F R E E/i
describe FB_SPACED_FREE Phrase: F R E E
##} FB_SPACED_FREE

##{ FB_SPACED_PHN_3B
body FB_SPACED_PHN_3B /\d\d\d--\d\d\d--?\d\d\d\d/
describe FB_SPACED_PHN_3B Phone number with -- spacing. (B)
##} FB_SPACED_PHN_3B

##{ FB_SPACEY_ZIP
body FB_SPACEY_ZIP /\s\d\s\d\s\d\s\d\s\d\s-\s\d\s\d\s\d\s\d/
describe FB_SPACEY_ZIP Looks like a s p a c e d zipcode.
##} FB_SPACEY_ZIP

##{ FB_SPUR_M
body FB_SPUR_M /\bSPUR-M\b/i
describe FB_SPUR_M Phrase: SPUR-M
##} FB_SPUR_M

##{ FB_SSEX
body FB_SSEX /\bssex\b/
describe FB_SSEX Phrase: ssex
##} FB_SSEX

##{ FB_STOCK_EXPLODE
body FB_STOCK_EXPLODE /st[0o]ck\b.{4,10}expl[o0]de/i
describe FB_STOCK_EXPLODE Looks like stocks exploding.
##} FB_STOCK_EXPLODE

##{ FB_SYMBLO
body FB_SYMBLO /\bSymblo\b/i
describe FB_SYMBLO Mis-spelled symbol.
##} FB_SYMBLO

##{ FB_THIS_ADVERT
body FB_THIS_ADVERT /this advertiser/i
describe FB_THIS_ADVERT Phrase: this advertiser
##} FB_THIS_ADVERT

##{ FB_THOUS_PERSONAL
body FB_THOUS_PERSONAL /thousand personal/i
describe FB_THOUS_PERSONAL Phrase: thousand personal
##} FB_THOUS_PERSONAL

##{ FB_TO_STOP_DISTRO
body FB_TO_STOP_DISTRO /To (?:(?:stop further|longer get) distribution|stop (?:receiving )?announcements)/i
describe FB_TO_STOP_DISTRO Phrase: to stop further distribution
##} FB_TO_STOP_DISTRO

##{ FB_ULTRA_ALLURE
body FB_ULTRA_ALLURE /Ultra Allure/i
describe FB_ULTRA_ALLURE Phrase: Ultra Allure
##} FB_ULTRA_ALLURE

##{ FB_UNLOCK_YOUR_G
# Unanchored "lock", so "unlock ..." also matches, as the rule name suggests.
body FB_UNLOCK_YOUR_G /lock ?(?:to ?)? your girlfriend/i
describe FB_UNLOCK_YOUR_G Phrase: lock to your girlfriend
##} FB_UNLOCK_YOUR_G

##{ FB_UNRESOLV_PROV
# A literal "{PROV_d_d}" placeholder left in the body, i.e. a template
# variable the sending tool failed to substitute.
body FB_UNRESOLV_PROV /\{PROV_\d_\d\}/
describe FB_UNRESOLV_PROV Pattern Replacement PROV_D
##} FB_UNRESOLV_PROV

##{ FB_YOURSELF_MASTER
body FB_YOURSELF_MASTER /yourself master/i
describe FB_YOURSELF_MASTER Phrase: yourself master
##} FB_YOURSELF_MASTER

##{ FB_YOUR_REFI
# "Your refi" is a prefix of "your refill", so any text that hits
# FB_YOUR_REFILL below also hits this rule.
body FB_YOUR_REFI /Your refi/i
describe FB_YOUR_REFI Phrase: Your refi
##} FB_YOUR_REFI

##{ FB_YOUR_REFILL
body FB_YOUR_REFILL /your refill/i
describe FB_YOUR_REFILL Phrase: your refill
##} FB_YOUR_REFILL

##{ FH_BAD_OEV1441
# Exact, anchored X-Mailer string; the dots are escaped.
header FH_BAD_OEV1441 X-Mailer =~ /^Microsoft Outlook Express 6\.00\.2800\.1441$/
describe FH_BAD_OEV1441 Bad X-Mailer version
##} FH_BAD_OEV1441

##{ FH_DATE_IS_19XX
# Fires when the Date header contains 197x, 198x or 199x (unanchored). The
# [if-unset: 2006] default stands in for a missing Date header, and "2006" does
# not match, so a missing header does not trigger the rule.
# NOTE(review): the description reads as "today's date cannot be 19xx", not as
# a statement of what the header contains.
header FH_DATE_IS_19XX Date =~ /19[789][0-9]/ [if-unset: 2006]
describe FH_DATE_IS_19XX The date is not 19xx.
##} FH_DATE_IS_19XX

##{ FH_FAKE_RCVD_LINE
# Received line of the bare form "from <ipv4> by <ipv4>; <date>" with nothing
# else between the fields.
header FH_FAKE_RCVD_LINE Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/
describe FH_FAKE_RCVD_LINE RCVD line looks faked (A)
##} FH_FAKE_RCVD_LINE

##{ FH_FAKE_RCVD_LINE_B
# Variant B: "by" is a host name ending in com, net, org or biz instead of an IP.
header FH_FAKE_RCVD_LINE_B Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/i
describe FH_FAKE_RCVD_LINE_B RCVD line looks faked (B)
##} FH_FAKE_RCVD_LINE_B

##{ FH_FROMEML_NOTLD
# Negative match (!~): fires when the From address does NOT end in a dot
# followed by two or more letters or an "xn--" punycode label. The if-unset
# default is a well-formed address, so a missing From does not trigger it.
header FH_FROMEML_NOTLD From:addr !~ /\@[^@]+\.(?:[a-z]{2,}|xn--[a-z0-9]+(?:-[a-z0-9]*)?)$/i [if-unset: foo@bar.com]
describe FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
# FH_* header rules: From-name keywords, header-presence checks and HELO shape
# checks. The HELO rules test X-Spam-Relays-External, the relay list
# SpamAssassin derives from Received headers; its contents depend on
# trusted_networks / internal_networks being configured correctly. The leading
# "^[^\]]+" keeps each match inside the first relay entry of that list.
##} FH_FROMEML_NOTLD

##{ FH_FROM_CASH
header FH_FROM_CASH From:name =~ /\bcash\b/i
describe FH_FROM_CASH From name has "cash"
##} FH_FROM_CASH

##{ FH_FROM_GET_NAME
header FH_FROM_GET_NAME From:name =~ /\bGet\b/i
describe FH_FROM_GET_NAME From name says Get
##} FH_FROM_GET_NAME

##{ FH_FROM_GIVEAWAY
# Tests the whole From header (name and address), although the description
# speaks of the name only.
header FH_FROM_GIVEAWAY From =~ /Giveaway/i
describe FH_FROM_GIVEAWAY From name is giveaway.
##} FH_FROM_GIVEAWAY

##{ FH_FROM_HOODIA
header FH_FROM_HOODIA From =~ /Hoodia/i
describe FH_FROM_HOODIA From has Hoodia!!?
##} FH_FROM_HOODIA

##{ FH_HAS_XAIMC
# Presence test only; the header value is not examined.
header FH_HAS_XAIMC exists:X-AIMC-AUTH
describe FH_HAS_XAIMC Has X-AIMC-AUTH header
##} FH_HAS_XAIMC

##{ FH_HAS_XID
header FH_HAS_XID exists:X-ID
describe FH_HAS_XID Has X-ID
##} FH_HAS_XID

##{ FH_HELO_ALMOST_IP
# HELO containing three 1-3 digit groups separated by "-" or ".", with a
# letter on each side of the run.
header FH_HELO_ALMOST_IP X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
describe FH_HELO_ALMOST_IP Helo is almost an IP addr.
##} FH_HELO_ALMOST_IP

##{ FH_HELO_ENDS_DOT
header FH_HELO_ENDS_DOT X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]+\. by=/
describe FH_HELO_ENDS_DOT Helo ends with a dot.
##} FH_HELO_ENDS_DOT

##{ FH_HELO_EQ_610HEX
# Case-sensitive: uppercase hex digits only, with an optional leading "-".
header FH_HELO_EQ_610HEX X-Spam-Relays-External =~ /^[^\]]+ helo=-?[A-F0-9]{6,10} /
describe FH_HELO_EQ_610HEX Helo is 6-10 hex chr's.
# FH_* relay and Message-ID fingerprint rules. The X-Spam-Relays-External
# tests read the relay list SpamAssassin derives from Received headers (it
# depends on trusted_networks / internal_networks); "^[^\]]+" keeps each match
# inside the first relay entry. The Message-ID rules match fixed strings from
# specific spam runs and may no longer be current.
##} FH_HELO_EQ_610HEX

##{ FH_HELO_EQ_CHARTER
header FH_HELO_EQ_CHARTER X-Spam-Relays-External =~ /^[^\]]+ helo=\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}.{5,20}\.charter\.com /i
describe FH_HELO_EQ_CHARTER Helo is d-d-d-d charter.com
##} FH_HELO_EQ_CHARTER

##{ FH_HELO_EQ_D_D_D_D
# Up to 15 leading characters, then four dash-separated 1-3 digit groups.
header FH_HELO_EQ_D_D_D_D X-Spam-Relays-External =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
describe FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
##} FH_HELO_EQ_D_D_D_D

##{ FH_HELO_GMAILSMTP
# Matches the literal text in any raw Received header rather than the parsed
# relay list, so lines added by untrusted hops are tested too.
header FH_HELO_GMAILSMTP Received =~ /HELO gmail-smtp-in/
describe FH_HELO_GMAILSMTP Faked helo of gmail-smtp-in
##} FH_HELO_GMAILSMTP

##{ FH_HOST_EQ_DYNAMICIP
# "dynamicip" spelled with per-letter classes, i.e. case-insensitive for that
# word only.
header FH_HOST_EQ_DYNAMICIP X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
describe FH_HOST_EQ_DYNAMICIP Host is dynamicip
##} FH_HOST_EQ_DYNAMICIP

##{ FH_HOST_EQ_PACBELL_D
header FH_HOST_EQ_PACBELL_D X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.dsl\.\w{2,10}\.pacbell\.net /
describe FH_HOST_EQ_PACBELL_D Host is pacbell.net dsl
##} FH_HOST_EQ_PACBELL_D

##{ FH_HOST_EQ_VERIZON_P
header FH_HOST_EQ_VERIZON_P X-Spam-Relays-External =~ /^[^\]]+ rdns=pool-\d.{5,30}\.verizon\.net/
describe FH_HOST_EQ_VERIZON_P Host is pool-.+verizon.net
##} FH_HOST_EQ_VERIZON_P

##{ FH_HOST_IN_ADDRARPA
header FH_HOST_IN_ADDRARPA X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]{0,25}\.in-addr\.arpa /
describe FH_HOST_IN_ADDRARPA HOST dns says "in-addr.arpa"
##} FH_HOST_IN_ADDRARPA

##{ FH_MSGID_000000
# Literal "$00000000@" inside the message id.
header FH_MSGID_000000 MESSAGEID =~ /\$00000000\@/
describe FH_MSGID_000000 Special MSGID
##} FH_MSGID_000000

##{ FH_MSGID_01C67
# Uses the Message-ID header directly, unlike the neighbouring rules, which
# use the MESSAGEID pseudo-header.
header FH_MSGID_01C67 Message-ID =~ /^<000001c[67]/
describe FH_MSGID_01C67 Special MSGID
##} FH_MSGID_01C67

##{ FH_MSGID_01C70XXX
header FH_MSGID_01C70XXX MESSAGEID =~ /^<01c70[a-f][a-f0-9]{2}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z0-9-]+>$/
describe FH_MSGID_01C70XXX MESSAGE ID seen often!!!
# Remaining FH_* header fingerprints, the FILL_THIS_FORM_* family (guarded by
# the ReplaceTags plugin) and the first FM_* meta rules. The "__" subrules the
# meta rules reference are not defined in this part of the file.
##} FH_MSGID_01C70XXX

##{ FH_MSGID_REPLACE
# Unsubstituted "%MSGID" template token left at the start of the message id.
header FH_MSGID_REPLACE MESSAGEID =~ /^<%MSGID/
describe FH_MSGID_REPLACE Broken Replace Template
##} FH_MSGID_REPLACE

##{ FH_MSGID_XXBLAH
# Fixed hex string; the description dates the observation to 12/21/2006, so
# the indicator may be stale.
header FH_MSGID_XXBLAH MESSAGEID =~ /6c822ecf/
describe FH_MSGID_XXBLAH Common sign in msg-id's 12/21/2006
##} FH_MSGID_XXBLAH

##{ FH_MSGID_XXX
header FH_MSGID_XXX MESSAGEID =~ /\@xxx/i
describe FH_MSGID_XXX Message-Id = @xxx
##} FH_MSGID_XXX

##{ FH_RE_NEW_DDD
# Whole-subject match: "Re: new" plus an optional space and up to three digits.
header FH_RE_NEW_DDD Subject =~ /^Re: new\s?\d{0,3}$/i
describe FH_RE_NEW_DDD Subject is Re: new \d\d\d
##} FH_RE_NEW_DDD

##{ FH_XMAIL_REPLACE
# Unsubstituted "%XMAILER" template token in X-Mailer.
header FH_XMAIL_REPLACE X-Mailer =~ /%XMAILER/
describe FH_XMAIL_REPLACE Broken Replace Template
##} FH_XMAIL_REPLACE

# In the four rules below, the "##{ NAME ifplugin ..." / "##} NAME ifplugin ..."
# marker comments repeat the guard; only the bare "ifplugin" line and the
# single "endif" between them are live directives.
##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
describe FILL_THIS_FORM Fill in a form with personal information
tflags FILL_THIS_FORM publish
endif
##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML
describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
endif
##} FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
describe FILL_THIS_FORM_LOAN Answer loan question(s)
endif
##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED
describe FILL_THIS_FORM_LONG Fill in a form with personal information
endif
##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FM_DOESNT_SAY_STOCK
meta FM_DOESNT_SAY_STOCK (__FB_S_SYMBOL && __FM_MY_PRICE && !__FB_S_STOCK && !__FS_S_TRADE)
describe FM_DOESNT_SAY_STOCK It's a stock spam but doesn't say stock
##} FM_DOESNT_SAY_STOCK

##{ FM_FAKE_53COM_SPOOF
# From-side subrule hits while the Message-ID-side and Received-side subrules
# for the same brand do not (meaning inferred from the subrule names).
meta FM_FAKE_53COM_SPOOF (__FH_FRM_53 && !__FH_MSG_53 && !__FH_RCV_53)
describe FM_FAKE_53COM_SPOOF Spoof mail from 53.com?
##} FM_FAKE_53COM_SPOOF

##{ FM_FAKE_HELO_HOTMAIL
meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL)
describe FM_FAKE_HELO_HOTMAIL Looks like a fake hotmail.com helo.
##} FM_FAKE_HELO_HOTMAIL

##{ FM_FAKE_HELO_VERIZON
meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON)
describe FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
##} FM_FAKE_HELO_VERIZON

##{ FM_FRM_RN_L_BRACK
meta FM_FRM_RN_L_BRACK (__FROM_RIGH_BRACK && !__FROM_LEFT_BRACK && !__FROM_ISO_2022_JP)
describe FM_FRM_RN_L_BRACK From name has > but not <
##} FM_FRM_RN_L_BRACK

##{ FM_IS_IT_OUR_ACCOUNT
meta FM_IS_IT_OUR_ACCOUNT (__YOUR_ACCOUNT && __MANY_RECIPS)
describe FM_IS_IT_OUR_ACCOUNT Is it our account?
##} FM_IS_IT_OUR_ACCOUNT

##{ FM_LIKE_STOCKS
meta FM_LIKE_STOCKS (__FM_STOCK_WORDS && !__FB_S_STOCK && __FB_S_SYMBOL)
describe FM_LIKE_STOCKS It looks like a duck, it's a duck!
##} FM_LIKE_STOCKS

##{ FM_LOTTO_YOU_WON
meta FM_LOTTO_YOU_WON (__FM_LARGE_MONEY && __FM_NAT_LOTTERY && __YOU_WON_SOMTIN)
describe FM_LOTTO_YOU_WON Talks about lotto and you won!
# FM_* meta rules combining "__" subrules that are not defined in this part of
# the file. Several use arithmetic: the subrule values are added and compared
# against a threshold, so "> 2" needs a sum of at least 3.
##} FM_LOTTO_YOU_WON

##{ FM_LUX_GIFTS_REDUCED
meta FM_LUX_GIFTS_REDUCED (__FB_LUX_GIFTS && __FB_NUM_PERCNT)
describe FM_LUX_GIFTS_REDUCED Luxury Gifts with dd%
##} FM_LUX_GIFTS_REDUCED

##{ FM_MANY_DRUG_WORDS
meta FM_MANY_DRUG_WORDS (__VA_WORD && __CS_WORD && __VM_WORD)
describe FM_MANY_DRUG_WORDS Lot's of almost drug words
##} FM_MANY_DRUG_WORDS

##{ FM_MORTGAGE5PLUS
# Excludes the 6+ case, so this rule and FM_MORTGAGE6PLUS never both fire.
meta FM_MORTGAGE5PLUS (__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
describe FM_MORTGAGE5PLUS Looks like a mortgage spam (5+)
##} FM_MORTGAGE5PLUS

##{ FM_MORTGAGE6PLUS
meta FM_MORTGAGE6PLUS (__FM_MORTGAGE6PLUS)
describe FM_MORTGAGE6PLUS Looks like a mortgage spam (6+)
##} FM_MORTGAGE6PLUS

##{ FM_MULTI_LUX_GIFTS
# Sum of eight subrule values must exceed 3.
meta FM_MULTI_LUX_GIFTS ((__FB_BRAND_NAME + __FB_TIMEPIECE + __FB_WALLETS + __FB_HANDBAGS + __FB_DESIGNER + __FB_LUX_GIFTS + __FB_NUM_PERCNT + __FB_INK_PEN) > 3)
describe FM_MULTI_LUX_GIFTS Talks about variety of luxury gifts
##} FM_MULTI_LUX_GIFTS

##{ FM_PHN_NODNS
meta FM_PHN_NODNS (FB_SPACED_PHN_3B && RDNS_NONE)
describe FM_PHN_NODNS Phone spacing + no dns
##} FM_PHN_NODNS

##{ FM_RATSIGN_1106
# Fingerprint dated 11/2006 in the description; may no longer be current.
meta FM_RATSIGN_1106 (__MSGID_VGA && __DATE_700)
describe FM_RATSIGN_1106 Fingerprint seen in lots of spam. 11/2006
##} FM_RATSIGN_1106

##{ FM_RE_HELLO_SPAM
meta FM_RE_HELLO_SPAM (__FH_MSGID_01C7 && __FH_HAS_XMSMAIL && __FH_HAS_XPRIORITY && __FS_SUBJ_RE)
describe FM_RE_HELLO_SPAM Re: Hello / hi
##} FM_RE_HELLO_SPAM

##{ FM_ROLEX_ADS
meta FM_ROLEX_ADS (__FB_ROLEX_MEN && __FB_ROLEX_WMEN && __FB_OMEGA && __FB_GLASHUTE)
describe FM_ROLEX_ADS Looks like Rolex spams.
##} FM_ROLEX_ADS

##{ FM_SCHOOLING
# NOTE(review): the threshold is "> 2" (a sum of at least 3) while the
# description is tagged "(2)" -- confirm which is intended.
meta FM_SCHOOLING ((__BACHELORS + __MASTERS + __MBA + __PHD) > 2)
describe FM_SCHOOLING Meta Combo Phrase for Schooling (2)
##} FM_SCHOOLING

##{ FM_SCHOOL_DIPLOMA
# Builds on FM_SCHOOLING above, so it inherits that rule's threshold.
meta FM_SCHOOL_DIPLOMA (FM_SCHOOLING && __DIPLOMA)
describe FM_SCHOOL_DIPLOMA Meta for Schooling + Diploma.
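# FM_* / FORM_FRAUD_* / FROM_* meta rules plus two header rules. The "__"
# subrules referenced here are not defined in this part of the file.
##} FM_SCHOOL_DIPLOMA

##{ FM_SCHOOL_TYPES
meta FM_SCHOOL_TYPES (__FB_BA && __FB_BCs && __FB_MA && __FB_MBA)
describe FM_SCHOOL_TYPES Meta Combo Phrase for Schooling
##} FM_SCHOOL_TYPES

##{ FM_SEX_HELODDDD
meta FM_SEX_HELODDDD (__SEX_WRDS && FH_HELO_EQ_D_D_D_D)
describe FM_SEX_HELODDDD Sex words + helo = dddd
##} FM_SEX_HELODDDD

##{ FM_SUBJ_APPROVE
meta FM_SUBJ_APPROVE (__EXCLAIM_SUBJ && __SUBJ_APPROVE)
describe FM_SUBJ_APPROVE Subject has Approve and !
##} FM_SUBJ_APPROVE

##{ FM_TRUE_LOV_ALL_N
meta FM_TRUE_LOV_ALL_N (__FB_P_TRUELOVE && __FB_P_ALLNIGHT)
describe FM_TRUE_LOV_ALL_N True Love all Night!
##} FM_TRUE_LOV_ALL_N

##{ FM_VEGAS_CASINO
# Arithmetic meta: the four subrule values must sum to more than 2.
meta FM_VEGAS_CASINO ((__FROM_VEGAS + __SUBJ_3DIGIT + __SUBJ_VEGAS + __FB_GAME) > 2)
describe FM_VEGAS_CASINO Looks like vega casino spam
##} FM_VEGAS_CASINO

##{ FM_XMAIL_F_OUT
# The dots in the version string are escaped so that each matches a literal
# "." only; unescaped, every "." matched any character. The intended X-Mailer
# string still matches.
header FM_XMAIL_F_OUT X-Mailer =~ /Microsoft Outlook Express V6\.00\.2900\.2180/
describe FM_XMAIL_F_OUT Looks like Fake Outlook?
##} FM_XMAIL_F_OUT

##{ FORGED_RELAY_MUA_TO_MX
# Tests the relay list SpamAssassin derives from Received headers, so the
# result depends on trusted_networks / internal_networks being configured
# correctly. The first two entries must carry the same non-loopback ip (\1),
# and the second entry's helo must be either empty or a "!"-prefixed value that
# does not start with a private, loopback or link-local prefix (10., 127.,
# 169.254., 172.16-31., 192.168.). The rule has no describe line.
header FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
##} FORGED_RELAY_MUA_TO_MX

##{ FORM_FRAUD_3
meta FORM_FRAUD_3 __FORM_FRAUD_3 && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP
describe FORM_FRAUD_3 Fill a form and several fraud phrases
tflags FORM_FRAUD_3 publish
##} FORM_FRAUD_3

##{ FORM_FRAUD_5
meta FORM_FRAUD_5 __FORM_FRAUD_5 && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML
describe FORM_FRAUD_5 Fill a form and many fraud phrases
tflags FORM_FRAUD_5 publish
##} FORM_FRAUD_5

##{ FROM_12LTRDOM
# One positive subrule narrowed by a long exclusion list covering mailing
# lists, replies, trusted or missing relays and several sender-type subrules.
meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB
describe FROM_12LTRDOM From a 12-letter domain
##} FROM_12LTRDOM

##{ FROM_IN_TO_AND_SUBJ
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
tflags FROM_IN_TO_AND_SUBJ publish
##} FROM_IN_TO_AND_SUBJ

##{ FROM_MISSPACED
meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK
describe FROM_MISSPACED From: missing whitespace
##} FROM_MISSPACED

##{ FROM_MISSP_DKIM
# "tflags ... net" marks the rule as a network test, so it is skipped when
# network checks are disabled.
meta FROM_MISSP_DKIM (__FROM_RUNON && __DKIM_DEPENDABLE)
describe FROM_MISSP_DKIM From misspaced, DKIM dependable
tflags FROM_MISSP_DKIM net
##} FROM_MISSP_DKIM

##{ FROM_MISSP_DYNIP
meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
##} FROM_MISSP_DYNIP

##{ FROM_MISSP_EH_MATCH
meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL
describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
#score FROM_MISSP_EH_MATCH 2.5 # max
##} FROM_MISSP_EH_MATCH

# The "##{ NAME ifplugin ..." / "##} NAME ifplugin ..." marker comments repeat
# the guard; only the bare "ifplugin" line and the single "endif" are live.
##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM
describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
endif
##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ FROM_MISSP_MSFT
meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
##} FROM_MISSP_MSFT

##{ FROM_MISSP_NO_TO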
meta FROM_MISSP_NO_TO (__FROM_RUNON && MISSING_HEADERS) describe FROM_MISSP_NO_TO From misspaced, To missing ##} FROM_MISSP_NO_TO ##{ FROM_MISSP_REPLYTO meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY describe FROM_MISSP_REPLYTO From misspaced, has Reply-To ##} FROM_MISSP_REPLYTO ##{ FROM_MISSP_SPF_FAIL meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) tflags FROM_MISSP_SPF_FAIL net ##} FROM_MISSP_SPF_FAIL ##{ FROM_MISSP_TO_UNDISC meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed ##} FROM_MISSP_TO_UNDISC ##{ FROM_MISSP_URI meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__COMMENT_EXISTS && !__REPTO_QUOTE && !__UNSUB_LINK && !__TO___LOWER && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT describe FROM_MISSP_URI From misspaced, has URI ##} FROM_MISSP_URI ##{ FROM_MISSP_USER meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) describe FROM_MISSP_USER From misspaced, from "User" ##} FROM_MISSP_USER ##{ FROM_WEBSITE header FROM_WEBSITE From:raw =~ m'\b(?:f|ht)tps?://[^\s"\b(?!adobe)\b/i describe FRT_ADOBE2 ReplaceTags: Adobe endif ##} FRT_ADOBE2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_APPROV ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_APPROV /\b(?!approu?v)

/i describe FRT_APPROV ReplaceTags: Approve endif ##} FRT_APPROV ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_BIGGERMEM1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_BIGGERMEM1 /(?:|).{1,8}(?:

||)/i describe FRT_BIGGERMEM1 ReplaceTags: Bigger / Larger, Penis / Member endif ##} FRT_BIGGERMEM1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_DIPLOMA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_DIPLOMA /\b(?!d[iy]pl[o\xe2\xc2]m)

/i describe FRT_DIPLOMA ReplaceTags: Diploma endif ##} FRT_DIPLOMA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_DISCOUNT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_DISCOUNT /\b(?!discount)/i describe FRT_DISCOUNT ReplaceTags: Discount endif ##} FRT_DISCOUNT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_DOLLAR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_DOLLAR /\b(?!dollar)/i describe FRT_DOLLAR ReplaceTags: Dollar endif ##} FRT_DOLLAR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_ERECTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_ERECTION /(?!erection)/i describe FRT_ERECTION ReplaceTags: Erection endif ##} FRT_ERECTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_ESTABLISH2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_ESTABLISH2 /\b(?!estabi?lish)/i describe FRT_ESTABLISH2 ReplaceTags: Establish (2) endif ##} FRT_ESTABLISH2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_FUCK2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_FUCK2 /\b(?!fuck)/i describe FRT_FUCK2 ReplaceTags: Fuck (2) endif ##} FRT_FUCK2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_GUARANTEE1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_GUARANTEE1 /(?!guarantee)/i describe FRT_GUARANTEE1 ReplaceTags: Guarantee (1) endif ##} FRT_GUARANTEE1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_HEALTH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_HEALTH /\b(?!health)\b/i describe FRT_HEALTH ReplaceTags: Health endif ##} FRT_HEALTH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_INVESTOR ifplugin 
Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_INVESTOR /\b(?!investor)/i describe FRT_INVESTOR ReplaceTags: Investor endif ##} FRT_INVESTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_LEVITRA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_LEVITRA /(?!levitra)/i describe FRT_LEVITRA ReplaceTags: Levitra endif ##} FRT_LEVITRA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_MEETING ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_MEETING /\b(?!meeting)\b/i describe FRT_MEETING ReplaceTags: Meeting endif ##} FRT_MEETING ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_OFFER2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_OFFER2 /\b(?!offer)/i describe FRT_OFFER2 ReplaceTags: Offer (2) endif ##} FRT_OFFER2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_OPPORTUN2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_OPPORTUN2 /(?!opportun)

/i describe FRT_OPPORTUN2 ReplaceTags: Oppertun (2) endif ##} FRT_OPPORTUN2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_PENIS1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_PENIS1 /\b(?!pen\s?(?:ie?s|ny[ ']?s))

\b/i describe FRT_PENIS1 ReplaceTags: Penis endif ##} FRT_PENIS1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_PRICE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_PRICE /\b(?!price)

\b/i describe FRT_PRICE ReplaceTags: Price endif ##} FRT_PRICE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_REFINANCE1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_REFINANCE1 /\b(?!refinanc)/i describe FRT_REFINANCE1 ReplaceTags: Refinance (1) endif ##} FRT_REFINANCE1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_ROLEX ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_ROLEX /\b(?!rolex)/i describe FRT_ROLEX ReplaceTags: Rolex endif ##} FRT_ROLEX ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_SEXUAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_SEXUAL /\b(?!sexual)/i describe FRT_SEXUAL ReplaceTags: Sexual endif ##} FRT_SEXUAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_SOMA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_SOMA /\b(?!soma|sommar|500mg)\b/i describe FRT_SOMA ReplaceTags: Soma endif ##} FRT_SOMA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_SOMA2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_SOMA2 /\b(?!soma|som[m\s]\xE4|sommar|500? 
?mg)\b/i describe FRT_SOMA2 ReplaceTags: Soma (2) endif ##} FRT_SOMA2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_STRONG1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_STRONG1 /\b(?!stro\s?ng)\b/i describe FRT_STRONG1 ReplaceTags: Strong (1) endif ##} FRT_STRONG1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_STRONG2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_STRONG2 /\b(?!strong)\b/i describe FRT_STRONG2 ReplaceTags: Strong (2) endif ##} FRT_STRONG2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_SYMBOL /\b(?!symbol)/i describe FRT_SYMBOL ReplaceTags: Symbol endif ##} FRT_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_TODAY2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_TODAY2 /\b(?!today)/i describe FRT_TODAY2 ReplaceTags: Today (2) endif ##} FRT_TODAY2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_VALIUM1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_VALIUM1 /\b(?!valium|verifiquem|volturno|vollum)\b/i describe FRT_VALIUM1 ReplaceTags: Valium endif ##} FRT_VALIUM1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_VALIUM2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_VALIUM2 /\b(?!valium|verifiquem|volturno|vollum)\b/i describe FRT_VALIUM2 ReplaceTags: Valium (2) endif ##} FRT_VALIUM2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_WEIGHT2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_WEIGHT2 /\b(?!weight)/i describe FRT_WEIGHT2 ReplaceTags: Weight (2) endif ##} FRT_WEIGHT2 ifplugin 
Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_XANAX1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_XANAX1 /\b(?!xanax)\b/i describe FRT_XANAX1 ReplaceTags: Xanax (1) endif ##} FRT_XANAX1 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FRT_XANAX2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FRT_XANAX2 /\b(?!xanax)\b/i describe FRT_XANAX2 ReplaceTags: Xanax (2) endif ##} FRT_XANAX2 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FR_3TAG_3TAG rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}>'i describe FR_3TAG_3TAG Looks like 3 small tags. ##} FR_3TAG_3TAG ##{ FR_ALMOST_VIAG2 rawbody FR_ALMOST_VIAG2 /[^a-z](?!viagra)v?ia.?g.?ra/i describe FR_ALMOST_VIAG2 Almost looks like viagra. ##} FR_ALMOST_VIAG2 ##{ FR_CANTSEETEXT rawbody FR_CANTSEETEXT /class="?cantseetext/i describe FR_CANTSEETEXT Phrase class=cantseetext ##} FR_CANTSEETEXT ##{ FR_DOT_FEVER_5 rawbody FR_DOT_FEVER_5 /(?:[a-z ']{2,35}\s[.,]\s){5}/ describe FR_DOT_FEVER_5 Lots of dots inbetween letters. 
##} FR_DOT_FEVER_5
# FR_* (raw body), FSL_* (relay, header and URI fingerprints) and FS_* (Subject
# phrase) rules. Lines of the form "#score NAME value" are commented out and
# therefore set no score in this file.
##{ FR_MIDER
rawbody FR_MIDER m'http[^ ]{5,30}/gall?/'
describe FR_MIDER Sign often seen in spams
##} FR_MIDER
##{ FR_TITLE_NUMS
# NOTE(review): as shown, the pattern matches any run of digits in the raw
# body, while the description refers to an HTML title. The title delimiters
# may have been lost when this page was extracted; verify against the
# upstream rule before relying on it.
rawbody FR_TITLE_NUMS m'\d+'i
describe FR_TITLE_NUMS HTML Title is only numbers
##} FR_TITLE_NUMS
##{ FSL_CTYPE_WIN1251
# Case-sensitive match on the quoted charset value exactly as written.
header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
#score FSL_CTYPE_WIN1251 2.0
##} FSL_CTYPE_WIN1251
##{ FSL_FAKE_GMAIL_RCVD
# X-Spam-Relays-External is SpamAssassin's parsed list of untrusted relays,
# not a literal message header. This looks for the named Google host anywhere
# in that list; presumably the host only receives mail, so seeing it as a
# relay suggests a forged Received line - confirm.
header FSL_FAKE_GMAIL_RCVD X-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/
#score FSL_FAKE_GMAIL_RCVD 0.001
##} FSL_FAKE_GMAIL_RCVD
##{ FSL_FAKE_HOTMAIL_RVCD
header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
##} FSL_FAKE_HOTMAIL_RVCD
##{ FSL_GEO_ABUSE
uri FSL_GEO_ABUSE /\/geocities\.com\/\S+$/
#score FSL_GEO_ABUSE 3.0
##} FSL_GEO_ABUSE
##{ FSL_HELO_BARE_IP_1
# "^[^\]]+" keeps the match inside the first bracketed relay entry (no "]" may
# precede helo=), so only that relay's HELO string is tested. The HELO must
# be a bare dotted quad followed by a space.
header FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
#score FSL_HELO_BARE_IP_1 0.001
##} FSL_HELO_BARE_IP_1
##{ FSL_HELO_DEVICE
# HELO names ending in ".lan" with the labels listed; not anchored to the
# first relay entry, so any external relay can trigger it.
header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
#score FSL_HELO_DEVICE 0.001
##} FSL_HELO_DEVICE
##{ FSL_HELO_NON_FQDN_1
# First relay's HELO contains no dot (only the characters in the class).
# NOTE(review): the "-" after "0-9" is presumably meant as a literal hyphen;
# placing it last in the class would remove any ambiguity - confirm.
header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
#score FSL_HELO_NON_FQDN_1 0.001
##} FSL_HELO_NON_FQDN_1
##{ FSL_HELO_SETUP
header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
#score FSL_HELO_SETUP 0.001
##} FSL_HELO_SETUP
##{ FSL_INTERIA_ABUSE
uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
#score FSL_INTERIA_ABUSE 15.0
##} FSL_INTERIA_ABUSE
##{ FSL_MID_419
# Message-ID whose right-hand side is the literal string "User".
header FSL_MID_419 MESSAGE-ID =~ /\@User>$/
describe FSL_MID_419 Spam signature in Message-ID
#score FSL_MID_419 2.0
##} FSL_MID_419
##{ FSL_UA
meta FSL_UA (__FSL_UA_1 || __FSL_UA_2)
#score FSL_UA 3.0
##} FSL_UA
##{ FSL_XM_419
# X-Mailer value that ends in this exact version string.
header FSL_XM_419 X-Mailer =~ /\s+6\.00\.2600\.0000$/
describe FSL_XM_419 Old OE version in X-Mailer only seen in 419 spam
#score FSL_XM_419 2.0
##} FSL_XM_419
##{ FSL_YG_ABUSE
# URL must end at ".../message/1", i.e. the first message of a group.
uri FSL_YG_ABUSE /\/groups\.yahoo\.com\/group\/\S+\/message\/1$/
#score FSL_YG_ABUSE 15.0
##} FSL_YG_ABUSE
##{ FS_ABIGGER
header FS_ABIGGER Subject =~ /a bigger/i
describe FS_ABIGGER Subject has "a bigger"
##} FS_ABIGGER
##{ FS_APPROVE_YOU
header FS_APPROVE_YOU Subject =~ /approve you/i
describe FS_APPROVE_YOU Subject says approve you
##} FS_APPROVE_YOU
##{ FS_AT_NO_COST
header FS_AT_NO_COST Subject =~ /\bat no cost/i
describe FS_AT_NO_COST Subject says "At No Cost"
##} FS_AT_NO_COST
##{ FS_CHEAP_CAP
# No /i flag: only the all-capitals form matches.
header FS_CHEAP_CAP Subject =~ /CHEAP/
describe FS_CHEAP_CAP Phrase: Cheap in Caps in Subject.
##} FS_CHEAP_CAP
##{ FS_DOLLAR_BONUS
header FS_DOLLAR_BONUS Subject =~ /\$\d\d\d?\.?\d?\d? bonus/i
describe FS_DOLLAR_BONUS Subject talks about money bonus!
##} FS_DOLLAR_BONUS
##{ FS_EJACULA
header FS_EJACULA Subject =~ /ejaculat(?:[io01][o0i1]n|e)/i
describe FS_EJACULA Phrase: ejaculation in subject.
##} FS_EJACULA
##{ FS_ERECTION
# Requires a space on both sides, so the word never matches at the very start
# or end of the Subject.
header FS_ERECTION Subject =~ / erection /i
describe FS_ERECTION Phrase: erection in subject.
##} FS_ERECTION
##{ FS_HUGECOCK
header FS_HUGECOCK Subject =~ /(?:huge|tiny|small) (?:c[o0]ck|d[i1]ck|p[e3]n[1i]s)/i
describe FS_HUGECOCK Phrase: Huge Cock
##} FS_HUGECOCK
##{ FS_LARGE_PERCENT2
# Three-position percentage where the last two positions may be digits or the
# look-alike letters o/i; a literal "100%" at the match position is excluded.
header FS_LARGE_PERCENT2 Subject =~ /(?!100%)\d[0-9oi][0-9oi]%/i
describe FS_LARGE_PERCENT2 Larger than 100% in subj.
##} FS_LARGE_PERCENT2
##{ FS_LOW_RATES
header FS_LOW_RATES Subject =~ / low rates/i
describe FS_LOW_RATES Subject says low rates
##} FS_LOW_RATES
##{ FS_NEW_SOFT_UPLOAD
header FS_NEW_SOFT_UPLOAD Subject =~ /^New software uploaded by/
describe FS_NEW_SOFT_UPLOAD Subj starts with New software uploaded
##} FS_NEW_SOFT_UPLOAD
##{ FS_NEW_XXX
# Whole Subject must be "Re: new" or "Re: news" plus one lowercase word of at
# most five letters (case-sensitive, anchored at both ends).
header FS_NEW_XXX Subject =~ /^Re: news? [a-z]{1,5}$/
describe FS_NEW_XXX Subject looks like Fharmacy spams.
##} FS_NEW_XXX
# FS_* rules: regular-expression tests on the decoded Subject header.
##{ FS_NO_SCRIP
# The two classes after "p" accept r/e in either order, so both "pre..." and
# the misspelling "per..." match; digit look-alikes cover i/o. With /i the
# upper-case letters listed in the classes are redundant.
header FS_NO_SCRIP Subject =~ /n[o0O] p[reRE][erER]scr[i1I]pt[i1I][o0O]n/i
describe FS_NO_SCRIP Subject almost says No prescription
##} FS_NO_SCRIP
##{ FS_NUDE
header FS_NUDE Subject =~ /\bnude\b/i
describe FS_NUDE Subject says Nude
##} FS_NUDE
##{ FS_OBFU_PRMCY
# Loose p...r...m...c...y skeleton with filler characters allowed between the
# letters; the leading negative lookahead rejects a word that starts with the
# plain spellings "pharmacy" or "primacy".
header FS_OBFU_PRMCY Subject =~ /\b(?!(?:pharmacy|primacy))p[ph]{0,4}\S{1,3}r\S{0,2}m\S{0,3}c\S{0,2}y\b/i
describe FS_OBFU_PRMCY what could this word be?
##} FS_OBFU_PRMCY
##{ FS_PERSCRIPTION
header FS_PERSCRIPTION Subject =~ /perscr[i1]pt[i1][o0]n/i
describe FS_PERSCRIPTION Subject mis-spelled prescription
##} FS_PERSCRIPTION
##{ FS_PHARMASUB2
# Case-sensitive: "PH" and "MA" must be upper case, with 2-7 letters of either
# case between them.
header FS_PHARMASUB2 Subject =~ /PH[A-Za-z]{2,7}MA/
describe FS_PHARMASUB2 Looks like Phramacy subject.
##} FS_PHARMASUB2
##{ FS_RAMROD
header FS_RAMROD Subject =~ /ramrod/i
describe FS_RAMROD Subject says Ramrod
##} FS_RAMROD
##{ FS_REPLICA
# Suppressed when FS_REPLICAWATCH (below) hits, so a "replica watch" subject
# is scored by the more specific rule only.
meta FS_REPLICA __FS_REPLICA && !FS_REPLICAWATCH
describe FS_REPLICA Subject says "replica"
##} FS_REPLICA
##{ FS_REPLICAWATCH
header FS_REPLICAWATCH Subject =~ /replica watch\b/i
describe FS_REPLICAWATCH Subject says Replica watch
##} FS_REPLICAWATCH
##{ FS_RE_APPROV
# Unanchored and without word boundaries, so the phrase also matches inside
# longer words (for example "...re approved" after "we're" or "more").
header FS_RE_APPROV Subject =~ /re approved/i
describe FS_RE_APPROV Phrase: re approved
##} FS_RE_APPROV
##{ FS_START_DOYOU2
header FS_START_DOYOU2 Subject =~ /^Do you (?:dream|have|want|love|like|wanna)/i
describe FS_START_DOYOU2 Subject starts with Do you dream,have,want,love, etc.
##} FS_START_DOYOU2
# Remaining FS_* Subject rules, one ReplaceTags body rule, and the first FU_*
# rules, which test URIs extracted from the message.
##{ FS_START_LOSE
header FS_START_LOSE Subject =~ /^Lose /i
describe FS_START_LOSE Subject starts with Lose
##} FS_START_LOSE
##{ FS_TEEN_BAD
header FS_TEEN_BAD Subject =~ /teen.{1,15}(?:pussy|sex|slut|ass|fuck|rape)/i
describe FS_TEEN_BAD Subject says something bad about teens
##} FS_TEEN_BAD
##{ FS_TIP_DDD
header FS_TIP_DDD Subject =~ /(?:tip|good) \d\d\d?\d?/i
describe FS_TIP_DDD Phrase: subject = tip ddd
##} FS_TIP_DDD
##{ FS_WEIGHT_LOSS
header FS_WEIGHT_LOSS Subject =~ /weight loss/i
describe FS_WEIGHT_LOSS Subject says Weight Loss
##} FS_WEIGHT_LOSS
##{ FS_WILL_HELP
# No /i flag here, unlike most neighbouring rules: lower case only.
header FS_WILL_HELP Subject =~ /will help/
describe FS_WILL_HELP Subject says will help
##} FS_WILL_HELP
##{ FS_WITH_SMALL
header FS_WITH_SMALL Subject =~ /with (?:\w+\s)?(?:small|short)/i
describe FS_WITH_SMALL Subject says With ... small
##} FS_WITH_SMALL
##{ FS_YOUR_REFILL
header FS_YOUR_REFILL Subject =~ /your refill/i
describe FS_YOUR_REFILL Subject Phrase: your refill
##} FS_YOUR_REFILL
##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  # NOTE(review): as shown, the pattern holds only a negative lookahead
  # between two word boundaries and consumes no characters. The rule is
  # guarded by the ReplaceTags plugin, so tag placeholders were probably
  # stripped when this page was extracted; verify against the upstream rule.
  body FUZZY_MERIDIA /\b(?!meridia)\b/i
endif
##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FU_COMMON_SUBS2
# URI ends in one of the listed short directory names, optionally followed by
# a stray "," or ".".
uri FU_COMMON_SUBS2 m'/(?:[2w]m|7d|b|ee|lj|j|o|u)/[,.]?$'
describe FU_COMMON_SUBS2 Sub-dir seen often in spam (2).
##} FU_COMMON_SUBS2
##{ FU_ENDS_NUMS_DOTS_CLK
# The description says "Ends with", but the pattern has no "$" anchor, so the
# sequence may appear anywhere in the URI.
uri FU_ENDS_NUMS_DOTS_CLK m'(?:clk|uns)/\d+\.\d+\.\d+'i
describe FU_ENDS_NUMS_DOTS_CLK Ends with clk/d+.d+.d+
##} FU_ENDS_NUMS_DOTS_CLK
##{ FU_END_ET
uri FU_END_ET m'/et/$'i
describe FU_END_ET ET Phone Home?
##} FU_END_ET
##{ FU_HOODIA
uri FU_HOODIA /hoodia/i
describe FU_HOODIA URL has hoodia in it.
##} FU_HOODIA
##{ FU_LONG_QUERY3
# 30 consecutive upper-case hex characters directly before ".aspx"
# (case-sensitive).
uri FU_LONG_QUERY3 m'[A-F0-9]{30}\.aspx'
describe FU_LONG_QUERY3 URL has a long file name with .aspx extension.
##} FU_LONG_QUERY3
# URI rules, header-order metas, HELO checks on the external relay list, and
# the HK_*/HS_* content rules.
##{ FU_MIDER
uri FU_MIDER m'/gall?/'
describe FU_MIDER URL has /gal/
##} FU_MIDER
##{ FU_UKGEOCITIES
uri FU_UKGEOCITIES /\b[a-z]{2}\.geocities\.com/i
describe FU_UKGEOCITIES URL with [a-z]{2}.geocities.com
##} FU_UKGEOCITIES
##{ FU_URI_TRACKER_T
uri FU_URI_TRACKER_T m'/[yi]/(?:sp|et|vm|xl2)/'i
describe FU_URI_TRACKER_T URI style tracker (T)
##} FU_URI_TRACKER_T
##{ GAPPY_HTML
# The negated sub-rules are exclusions that suppress the hit; they are
# defined elsewhere.
meta GAPPY_HTML __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe GAPPY_HTML HTML body with much useless whitespace
##} GAPPY_HTML
##{ GAPPY_PHONE_NA
meta GAPPY_PHONE_NA __GAPPY_PHONE_NA
describe GAPPY_PHONE_NA Phone number with lots of spaces
##} GAPPY_PHONE_NA
##{ GEO_QUERY_STRING
# Only plain http:// URLs are considered; the path must contain "/?" after at
# least one path character.
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
##} GEO_QUERY_STRING
##{ HDR_ORDER_FTSDMCXX_001C
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
##} HDR_ORDER_FTSDMCXX_001C
##{ HDR_ORDER_FTSDMCXX_BAT
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
##} HDR_ORDER_FTSDMCXX_BAT
##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
  # Eval test provided by the HeaderEval plugin; hits when the message carries
  # between 2 and 999 Subject headers. Duplicate Subject headers matter to
  # defenders because different mail clients may display different ones.
  header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
  describe HEADER_COUNT_SUBJECT Multiple Subject headers found
endif
##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# HELO_* rules: "^[^\]]+" confines each match to the first bracketed entry of
# X-Spam-Relays-External, so only that relay's HELO string is tested. The
# trailing space in each pattern ends the HELO value.
##{ HELO_FRIEND
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND
##{ HELO_LH_HOME
header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
##} HELO_LH_HOME
##{ HELO_LH_LD
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
##} HELO_LH_LD
##{ HELO_LOCALHOST
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST
##{ HELO_NO_DOMAIN
# Excludes the HELO_LOCALHOST case so the two rules do not score the same
# condition twice.
meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
describe HELO_NO_DOMAIN Relay reports its domain incorrectly
##} HELO_NO_DOMAIN
##{ HELO_OEM
header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
##} HELO_OEM
##{ HK_LOTTO
meta HK_LOTTO __HK_LOTTO_1 || __HK_LOTTO_2 || __HK_LOTTO_JACKPOT || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
#score HK_LOTTO 1
##} HK_LOTTO
##{ HK_NAME_DRUGS
# Tests the display-name part of From (the ":name" modifier), not the address.
header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
#score HK_NAME_DRUGS 2
##} HK_NAME_DRUGS
##{ HK_PNIS
body HK_PNIS /\bpenis\b/i
#score HK_PNIS 1
##} HK_PNIS
##{ HK_RANDOM_ENVFROM
# Envelope-sender heuristic. The leading negative lookahead skips senders that
# start with "mail"/"bounce" plus a separator, contain one of + = ^ ~ # or
# one of the listed strings before the "@", or have 20 or more characters
# before the "@". What remains must contain five consecutive letters from the
# consonant class, five consecutive vowels, or a one- or two-letter unit
# repeated four times in a row.
# NOTE(review): presumably depends on the MTA recording the envelope sender
# so that SpamAssassin can populate EnvelopeFrom - confirm for the local setup.
header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{20})[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
#score HK_RANDOM_ENVFROM 1
##} HK_RANDOM_ENVFROM
##{ HK_SCAM_N2
body HK_SCAM_N2 /\bnext of kin\b/i
##} HK_SCAM_N2
##{ HK_SCAM_N8
body HK_SCAM_N8 /\byour compensation\b/i
##} HK_SCAM_N8
##{ HS_BOBAX_MID_2
# Fixed Message-Id skeleton: digit, "IX", three digits, "EJXVWDA", three
# digits, then a lower-case two-label domain (case-sensitive).
header HS_BOBAX_MID_2 Message-Id =~ /^<\dIX\d{3}EJXVWDA\d{3}\@[a-z\-]+\.[a-z]+>/
describe HS_BOBAX_MID_2 Bobax? Message-Id: <0IX000EJXVWDA000@example.com>
##} HS_BOBAX_MID_2
##{ HS_BODY_UPLOADED_SOFTWARE
body HS_BODY_UPLOADED_SOFTWARE /^\w+ has uploaded some new software/
describe HS_BODY_UPLOADED_SOFTWARE Somebody has uploaded some new software for you
##} HS_BODY_UPLOADED_SOFTWARE
##{ HS_DRUG_DOLLAR_1
# Anchored at both ends: a single word with the letter skeleton shown, an
# optional " -" or ":", a space, then "$" and an amount.
body HS_DRUG_DOLLAR_1 m'^[a-z]+[glrt][a-z]?[eir][a-z]?[asx](?: -|:)? \$[\d.]+$'i
describe HS_DRUG_DOLLAR_1 Contains a drug and price-like pattern.
##} HS_DRUG_DOLLAR_1
##{ HS_DRUG_DOLLAR_2
body HS_DRUG_DOLLAR_2 m'^[a-z]+[lmor][a-z]?[aex][a-z]?[mx](?: -|:)? \$[\d.]+$'i
describe HS_DRUG_DOLLAR_2 Contains a drug and price-like pattern.
##} HS_DRUG_DOLLAR_2
# HS_* rules: body, Subject and URI patterns plus two metas built on them.
##{ HS_DRUG_DOLLAR_3
# Same shape as HS_DRUG_DOLLAR_1/_2 with a different letter skeleton.
body HS_DRUG_DOLLAR_3 m'^[a-z]+[dino][a-z]?[aimu][a-z]?[amx](?: -|:)? \$[\d.]+$'i
describe HS_DRUG_DOLLAR_3 Contains a drug and price-like pattern.
##} HS_DRUG_DOLLAR_3
##{ HS_DRUG_DOLLAR_MANY
# Fires when at least two of the three scoring rules above hit; their own
# scores still apply in addition to this one.
meta HS_DRUG_DOLLAR_MANY HS_DRUG_DOLLAR_1 + HS_DRUG_DOLLAR_2 + HS_DRUG_DOLLAR_3 >= 2
describe HS_DRUG_DOLLAR_MANY Contains several drug and dollar-like patterns.
##} HS_DRUG_DOLLAR_MANY
##{ HS_FORGED_OE_FW
meta HS_FORGED_OE_FW __HS_SUBJ_UC_FW && __OE_MUA
describe HS_FORGED_OE_FW Outlook does not prefix forwards with "FW:"
##} HS_FORGED_OE_FW
##{ HS_GETMEOFF
# "getoff.php" or "getmeoff.php" at the end of the URI or directly before a
# fragment or query string.
uri HS_GETMEOFF m'/get(?:me)?off\.php(?:$|[\#?])'
describe HS_GETMEOFF Links to common unsubscribe script: 'getmeoff.php'
##} HS_GETMEOFF
##{ HS_INDEX_PARAM
# URL whose query string is a single bare token (word characters plus up to
# two trailing "="), optionally behind an index/default page. The inner
# lookahead, made case-sensitive again by (?-i:...), exempts tokens made of
# two or more Capitalised words.
# NOTE(review): the dots in "index." and "default." are unescaped and match
# any character; presumably a literal dot was intended - confirm upstream.
uri HS_INDEX_PARAM m'^https?:/*([^/]*/)+(?:index.(?:cgi|html?|php)|default.(?:asp|jsp))?\?(?!(?-i:[A-Z][a-z]{2,}){2,}$)\w+={0,2}$'i
describe HS_INDEX_PARAM Link contains a common tracker pattern.
##} HS_INDEX_PARAM
##{ HS_MEETUP_FOR_SEX
body HS_MEETUP_FOR_SEX m'(?:meet ?up|see eachother|get together) for (?:some )?(?:action|sex)'i
describe HS_MEETUP_FOR_SEX Talks about meeting up for sex.
##} HS_MEETUP_FOR_SEX
##{ HS_SUBJ_NEW_SOFTWARE
# Same pattern as FS_NEW_SOFT_UPLOAD earlier in this file, so one Subject can
# be scored by both rules; keep that in mind when adjusting scores.
header HS_SUBJ_NEW_SOFTWARE Subject =~ /^New software uploaded by/
describe HS_SUBJ_NEW_SOFTWARE Subject starts with 'New software uploaded by'
##} HS_SUBJ_NEW_SOFTWARE
##{ HS_SUBJ_ONLINE_PHARMACEUTICAL
header HS_SUBJ_ONLINE_PHARMACEUTICAL Subject =~ /\bOnline Pharmaceutical/i
describe HS_SUBJ_ONLINE_PHARMACEUTICAL Subject contains the phrase 'Online pharmaceutical'
##} HS_SUBJ_ONLINE_PHARMACEUTICAL
##{ HS_VPXL
body HS_VPXL /\bVPXL\b/i
describe HS_VPXL Contains VPXL, yet the recommended dose is only 2 tablets.
##} HS_VPXL
# Mixed section: link/JavaScript obfuscation checks, forged-Received and
# ratware (bulk-mailer) header fingerprints, advance-fee/lottery metas, MIME
# attachment checks, and DNS list lookups. Rules wrapped in "ifplugin" or
# "if can(...)" are only defined when that plugin or feature is available.
##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
  # Eval test implemented by the HTTPSMismatch plugin. The meaning of the two
  # arguments is defined by the plugin and is not visible in this file.
  body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
##{ JM_FAKE_PSMTP_RCVD
# Received line of the form "from [ip] by <host>.psmtp.com; " with no HELO or
# protocol details between the address and "by".
header JM_FAKE_PSMTP_RCVD Received =~ /^from \[\d+\.\d+\.\d+\.\d+\] by \S+\.\S+\.psmtp\.com; /m
##} JM_FAKE_PSMTP_RCVD
##{ JM_I_FEEL_LUCKY
# URI carrying the query parameter "btnI=ec" as a complete parameter.
uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
##} JM_I_FEEL_LUCKY
##{ JM_RCVD_QMAILV1
header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
##} JM_RCVD_QMAILV1
##{ JM_TORA_XM
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
##} JM_TORA_XM
##{ KB_DATE_CONTAINS_TAB
# ":raw" tests the undecoded header value; hits when it starts with a tab.
header KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
##} KB_DATE_CONTAINS_TAB
##{ KB_FAKED_THE_BAT
meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
##} KB_FAKED_THE_BAT
##{ KB_FORGED_MOZ4
header KB_FORGED_MOZ4 User-Agent =~ /\bMozilla 4/
describe KB_FORGED_MOZ4 Mozilla 4 uses X-Mailer
##} KB_FORGED_MOZ4
##{ KB_RATWARE_BOUNDARY
meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B
##} KB_RATWARE_BOUNDARY
##{ KB_RATWARE_MSGID
meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
##} KB_RATWARE_MSGID
# KB_RATWARE_OUTLOOK_*: matched against ALL headers as one string (/s lets "."
# cross line breaks, /m lets "^" match at any header line). The back-references
# require hex fields captured from the Message-Id to reappear in the MIME
# boundary within 100-400 characters. The trailing '# "' is a comment,
# presumably there to balance the quote for editors.
##{ KB_RATWARE_OUTLOOK_08
header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
##} KB_RATWARE_OUTLOOK_08
##{ KB_RATWARE_OUTLOOK_12
header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
##} KB_RATWARE_OUTLOOK_12
##{ KB_RATWARE_OUTLOOK_16
header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
##} KB_RATWARE_OUTLOOK_16
##{ KB_RATWARE_OUTLOOK_MID
header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
##} KB_RATWARE_OUTLOOK_MID
##{ KHOP_DYNAMIC
# Requires an unauthenticated last external relay and a message that is not
# ALL_TRUSTED, plus at least one of the dynamic-looking rDNS sub-rules;
# suppressed when __RCD_RDNS_MAIL_MESSY hits.
meta KHOP_DYNAMIC __LAST_EXTERNAL_RELAY_NO_AUTH && !ALL_TRUSTED && (__5_SUBDOM || __RDNS_HEX || __S25R_4 || __S25R_6 || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY) && !__RCD_RDNS_MAIL_MESSY
describe KHOP_DYNAMIC Relay looks like a dynamic address
#score KHOP_DYNAMIC 2.0
##} KHOP_DYNAMIC
##{ LIVEFILESTORE
# NOTE(review): the "." is unescaped and matches any character; presumably a
# literal dot was intended - confirm upstream.
uri LIVEFILESTORE m~livefilestore.com/~
##} LIVEFILESTORE
##{ LONG_TERM_PRICE
body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
##} LONG_TERM_PRICE
##{ LOOPHOLE_1
body LOOPHOLE_1 /loop-?hole in the banking/i
describe LOOPHOLE_1 A loop hole in the banking laws?
##} LOOPHOLE_1
##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  # Building block reused by the MONEY_* metas further down. It only exists
  # when ReplaceTags is loaded; those metas are not wrapped in the same guard.
  meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05)
  describe LOTS_OF_MONEY Huge... sums of money
  # score LOTS_OF_MONEY 0.01
  tflags LOTS_OF_MONEY publish
endif
##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ LOTTERY_1
meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
##} LOTTERY_1
##{ LOTTERY_PH_004470
meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
##} LOTTERY_PH_004470
##{ LOTTO_AGENT
# A claims/payment-style noun phrase followed, after at most one whitespace
# character, by a role title such as agent, manager or officer. The doubled
# letters with "+" (win+ing, rem+it+ance) tolerate common misspellings.
body LOTTO_AGENT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|award|transfer))+|payment|immunity|grants?)\s?(?:agent|manager|officer|secretary|director|mgr\b)/i
describe LOTTO_AGENT Claims Agent
##} LOTTO_AGENT
##{ L_SPAM_TOOL_13
# Date header ending in a four-digit zone offset whose third digit is neither
# 0 nor 3; the lookahead exempts offsets whose last three digits are 245,
# 345, 545 or 845.
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
##} L_SPAM_TOOL_13
##{ MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  # NOTE(review): a sum of two sub-rules can only exceed 2 if a sub-rule can
  # contribute more than 1 per message; presumably that is what the feature
  # guard enables - confirm.
  meta MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
  describe MANY_PILL_PRICE Prices for many pills
endif
##} MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ MANY_SPAN_IN_TEXT
meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
describe MANY_SPAN_IN_TEXT Many tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
##} MANY_SPAN_IN_TEXT
##{ MID_DEGREES
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##} MID_DEGREES
##{ MIME_BOUND_EQ_REL
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
##} MIME_BOUND_EQ_REL
##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta MIME_PHP_NO_TEXT (T_MIME_NO_TEXT && __XM_PHP)
  describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
endif
##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MONEY_ATM_CARD
meta MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
describe MONEY_ATM_CARD Lots of money on an ATM card
##} MONEY_ATM_CARD
# MONEY_FRAUD_3/5/8: the exclusion list gets shorter as the tier number rises
# (eight negated sub-rules, then five, then two).
##{ MONEY_FRAUD_3
meta MONEY_FRAUD_3 __MONEY_FRAUD_3 && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE
describe MONEY_FRAUD_3 Lots of money and several fraud phrases
tflags MONEY_FRAUD_3 publish
##} MONEY_FRAUD_3
##{ MONEY_FRAUD_5
meta MONEY_FRAUD_5 __MONEY_FRAUD_5 && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER
describe MONEY_FRAUD_5 Lots of money and many fraud phrases
tflags MONEY_FRAUD_5 publish
##} MONEY_FRAUD_5
##{ MONEY_FRAUD_8
meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX
describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
tflags MONEY_FRAUD_8 publish
##} MONEY_FRAUD_8
##{ MONEY_FROM_MISSP
meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
describe MONEY_FROM_MISSP Lots of money and misspaced From
##} MONEY_FROM_MISSP
##{ MONEY_LOTTERY
# LOTS_OF_MONEY plus at least two of the eleven lottery indicators in the sum,
# minus the three exclusions at the end.
meta MONEY_LOTTERY LOTS_OF_MONEY && (__LOTTO_WINNINGS + __LOTTO_WIN_01 + __YOU_WON + LOTTO_AGENT + T_LOTTO_DEPT + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __LOTTO_ADMITS + __LOTTO_RELATED + DEAR_WINNER + __LOTTO_VERIFY > 1) && !__CAN_HELP && !__HTML_LINK_IMAGE && !__DOS_HAS_LIST_UNSUB
describe MONEY_LOTTERY Lots of money from a lottery
##} MONEY_LOTTERY
##{ MSOE_MID_WRONG_CASE
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE
##{ NSL_RCVD_FROM_USER
# Received header naming the sending host literally "User" (case-sensitive),
# followed by "[" or "(".
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
##} NSL_RCVD_FROM_USER
##{ NULL_IN_BODY
# "full" rules run against the complete raw message, headers included, so a
# NUL byte anywhere in the message triggers this.
full NULL_IN_BODY /\x00/
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY
##{ OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
  describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
endif
##} OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ OBFU_JVSCR_ESC
# Raw (undecoded HTML) body contains document.write(unescape(" followed by at
# least ten %xx escapes, i.e. script that writes percent-encoded content into
# the page when rendered.
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
tflags OBFU_JVSCR_ESC publish
##} OBFU_JVSCR_ESC
##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  # MIME part declared as application/octet-stream whose Content-Type
  # parameters mention a ".txt" name: declared type and file extension
  # disagree.
  mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,application/octet-stream;.+\.txt\b,i
  describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
  tflags OBFU_TEXT_ATTACH publish
endif
##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
  describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
endif
##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
  describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
endif
##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ RCVD_BAD_ID
# Received "id" token that runs from ordinary id characters straight into
# punctuation, or into ";" followed by a non-space character.
header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
##} RCVD_BAD_ID
##{ RCVD_FORGED_WROTE
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
##} RCVD_FORGED_WROTE
##{ RCVD_FORGED_WROTE2
# The back-reference \1 requires the "by" host to equal the domain of the
# "for" address.
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2
# DNS list lookups. "tflags ... net" marks a network test; "nice" marks a rule
# meant to lower the spam score. The "-lastexternal" and "-firsttrusted"
# suffixes on the set name select which relay is looked up, so correct results
# depend on the trusted/internal network settings matching the real mail path.
##{ RCVD_IN_BRBL_LASTEXT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
  header RCVD_IN_BRBL_LASTEXT eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
  tflags RCVD_IN_BRBL_LASTEXT net
endif
##} RCVD_IN_BRBL_LASTEXT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_CSS
# Sub-test of the 'zen' lookup set, which is defined elsewhere; hits on the
# return code 127.0.0.3.
# NOTE(review): unlike the neighbouring DNS rules, this one is not wrapped in
# "ifplugin Mail::SpamAssassin::Plugin::DNSEval" - confirm that is intended.
header RCVD_IN_CSS eval:check_rbl_sub('zen', '127.0.0.3')
describe RCVD_IN_CSS Received via a relay in Spamhaus CSS
tflags RCVD_IN_CSS net
##} RCVD_IN_CSS
# RCVD_IN_DNSWL_*: sub-tests of the 'dnswl-firsttrusted' set (defined
# elsewhere). The last octet of the returned address selects the trust level:
# 0 none, 1 low, 2 medium, 3 high.
##{ RCVD_IN_DNSWL_HI ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
  header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$')
  describe RCVD_IN_DNSWL_HI Sender listed at http://www.dnswl.org/, high trust
  tflags RCVD_IN_DNSWL_HI nice net
endif
##} RCVD_IN_DNSWL_HI ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_LOW ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
  header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.1$')
  describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
  tflags RCVD_IN_DNSWL_LOW nice net
endif
##} RCVD_IN_DNSWL_LOW ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_MED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
  header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.2$')
  describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
  tflags RCVD_IN_DNSWL_MED nice net
endif
##} RCVD_IN_DNSWL_MED ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_DNSWL_NONE ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
  header RCVD_IN_DNSWL_NONE eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.0$')
  describe RCVD_IN_DNSWL_NONE Sender listed at http://www.dnswl.org/, no trust
  tflags RCVD_IN_DNSWL_NONE nice net
endif
##} RCVD_IN_DNSWL_NONE ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{
RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3') describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record tflags RCVD_IN_IADB_DK net nice endif ##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10') describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in tflags RCVD_IN_IADB_DOPTIN net nice endif ##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9') describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time tflags RCVD_IN_IADB_DOPTIN_GT50 net nice endif ##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8') describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time tflags RCVD_IN_IADB_DOPTIN_LT50 net nice endif ##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1') describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database tflags RCVD_IN_IADB_EDDB net nice endif ##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_EPIA ifplugin 
Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2') describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance tflags RCVD_IN_IADB_EPIA net nice endif ##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103') describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail tflags RCVD_IN_IADB_GOODMAIL net nice endif ##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$') describe RCVD_IN_IADB_LISTED Participates in the IADB system tflags RCVD_IN_IADB_LISTED net nice endif ##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4') describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in tflags RCVD_IN_IADB_LOOSE net nice endif ##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10') describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law tflags RCVD_IN_IADB_MI_CPEAR net nice endif ##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header 
RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10') describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days tflags RCVD_IN_IADB_MI_CPR_30 net nice endif ##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10') describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR tflags RCVD_IN_IADB_MI_CPR_MAT net nice endif ##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100') describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in tflags RCVD_IN_IADB_ML_DOPTIN net nice endif ##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0') describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place tflags RCVD_IN_IADB_NOCONTROL net nice endif ##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200') describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only tflags RCVD_IN_IADB_OOO net nice endif ##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN 
eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7') describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in tflags RCVD_IN_IADB_OPTIN net nice endif ##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6') describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time tflags RCVD_IN_IADB_OPTIN_GT50 net nice endif ##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5') describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time tflags RCVD_IN_IADB_OPTIN_LT50 net nice endif ##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1') describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only tflags RCVD_IN_IADB_OPTOUTONLY net nice endif ##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4') describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record tflags RCVD_IN_IADB_RDNS net nice endif ##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2') describe 
RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record tflags RCVD_IN_IADB_SENDERID net nice endif ##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1') describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record tflags RCVD_IN_IADB_SPF net nice endif ##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2') describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups tflags RCVD_IN_IADB_UNVERIFIED_1 net nice endif ##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3') describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out tflags RCVD_IN_IADB_UNVERIFIED_2 net nice endif ##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10') describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law tflags RCVD_IN_IADB_UT_CPEAR net nice endif ##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10') describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists 
against Utah's CPR within 30 days tflags RCVD_IN_IADB_UT_CPR_30 net nice endif ##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10') describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR tflags RCVD_IN_IADB_UT_CPR_MAT net nice endif ##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_PSBL header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.') describe RCVD_IN_PSBL Received via a relay in PSBL tflags RCVD_IN_PSBL net ##} RCVD_IN_PSBL ##{ RCVD_IN_RP_CERTIFIED header RCVD_IN_RP_CERTIFIED eval:check_rbl_txt('ssc-firsttrusted', 'sa-trusted.bondedsender.org.') describe RCVD_IN_RP_CERTIFIED Sender is in Return Path Certified (trusted relay) tflags RCVD_IN_RP_CERTIFIED net nice ##} RCVD_IN_RP_CERTIFIED ##{ RCVD_IN_RP_RNBL header RCVD_IN_RP_RNBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.') describe RCVD_IN_RP_RNBL Relay in RNBL, https://senderscore.org/blacklistlookup/ tflags RCVD_IN_RP_RNBL net ##} RCVD_IN_RP_RNBL ##{ RCVD_IN_RP_SAFE header RCVD_IN_RP_SAFE eval:check_rbl_txt('ssc-firsttrusted','sa-accredit.habeas.com.') describe RCVD_IN_RP_SAFE Sender is in Return Path Safe (trusted relay) tflags RCVD_IN_RP_SAFE net nice ##} RCVD_IN_RP_SAFE ##{ RCVD_MAIL_COM header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com) ##} RCVD_MAIL_COM ##{ RDNS_LOCALHOST header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? 
/i describe RDNS_LOCALHOST Sender's public rDNS is "localhost" ##} RDNS_LOCALHOST ##{ REPLYTO_WITHOUT_TO_CC meta REPLYTO_WITHOUT_TO_CC (__REPLYTO_EXISTS && !__TOCC_EXISTS) ##} REPLYTO_WITHOUT_TO_CC ##{ RISK_FREE meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW describe RISK_FREE No risk! ##} RISK_FREE ##{ RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval header RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() describe RP_MATCHES_RCVD Envelope sender domain matches handover relay domain tflags RP_MATCHES_RCVD nice endif endif ##} RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ S25R_6 describe S25R_6 T_S25R: rDNS looks dynamic or customer-facing meta S25R_6 __S25R_6 && !(__S25R_1||__S25R_2||__S25R_3||__S25R_4||__S25R_5 || __NOT_SPOOFED || __GREYLISTING) ##} S25R_6 ##{ SB_GIF_AND_NO_URIS meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) ##} SB_GIF_AND_NO_URIS ##{ SHORT_HELO_AND_INLINE_IMAGE meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image ##} SHORT_HELO_AND_INLINE_IMAGE ##{ SHORT_TERM_PRICE body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i ##} SHORT_TERM_PRICE ##{ SINGLE_HEADER_1K meta SINGLE_HEADER_1K __SINGLE_HEADER_1K && !__VIA_ML && !__THREADED describe SINGLE_HEADER_1K A single header contains 1K-2K characters ##} SINGLE_HEADER_1K ##{ SINGLE_HEADER_2K header SINGLE_HEADER_2K ALL:raw =~ /(?-xim:(?=(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){2048,3071}.(?:\n\S|$)))/s describe SINGLE_HEADER_2K A single header contains 2K-3K characters ##} SINGLE_HEADER_2K ##{ SINGLE_HEADER_3K header SINGLE_HEADER_3K ALL:raw =~ /(?-xim:(?=(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){3072,4095}.(?:\n\S|$)))/s describe SINGLE_HEADER_3K A single header 
contains 3K-4K characters ##} SINGLE_HEADER_3K ##{ SINGLE_HEADER_4K header SINGLE_HEADER_4K ALL:raw =~ /(?-xim:(?=(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){4096,5119}.(?:\n\S|$)))/s describe SINGLE_HEADER_4K A single header contains 4K-5K characters ##} SINGLE_HEADER_4K ##{ SPAMMY_XMAILER meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham ##} SPAMMY_XMAILER ##{ STOCK_IMG_CTYPE meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY) describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header ##} STOCK_IMG_CTYPE ##{ STOCK_IMG_HDR_FROM meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY) describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line ##} STOCK_IMG_HDR_FROM ##{ STOCK_IMG_HTML meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY) describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML ##} STOCK_IMG_HTML ##{ STOCK_IMG_OUTLOOK meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048) describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features ##} STOCK_IMG_OUTLOOK ##{ STOCK_PRICES meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE) ##} STOCK_PRICES ##{ STOX_AND_PRICE meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE ##} STOX_AND_PRICE ##{ STOX_REPLY_TYPE header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ ##} STOX_REPLY_TYPE ##{ STOX_REPLY_TYPE_WITHOUT_QUOTES meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE)) ##} STOX_REPLY_TYPE_WITHOUT_QUOTES ##{ STYLE_GIBBERISH meta STYLE_GIBBERISH __STYLE_GIBBERISH && !__STYLE_TAG_IN_BODY && !__THREADED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_DIAL_MESSY 
&& !__HAS_REPLY_TO && !MIME_HTML_MOSTLY describe STYLE_GIBBERISH Nonsense in HTML