shell bypass 403
UnknownSec Shell
:
/
proc
/
self
/
root
/
proc
/
self
/
root
/
var
/
lib
/
spamassassin
/
3.004003
/
updates_spamassassin_org
/ [
drwxr-xr-x
]
upload
mass deface
mass delete
console
info server
name :
72_active.cf
# SpamAssassin rules file # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # </@LICENSE> # ########################################################################### require_version 3.004003 ##{ AC_BR_BONANZA rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i describe AC_BR_BONANZA Too many newlines in a row... spammy template #score AC_BR_BONANZA 0.001 tflags AC_BR_BONANZA publish ##} AC_BR_BONANZA ##{ AC_DIV_BONANZA rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i describe AC_DIV_BONANZA Too many divs in a row... spammy template #score AC_DIV_BONANZA 0.001 tflags AC_DIV_BONANZA publish ##} AC_DIV_BONANZA ##{ AC_FROM_MANY_DOTS meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP #score AC_FROM_MANY_DOTS 3.000 # limit describe AC_FROM_MANY_DOTS Multiple periods in From user name tflags AC_FROM_MANY_DOTS publish ##} AC_FROM_MANY_DOTS ##{ AC_HTML_NONSENSE_TAGS rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/ describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam #score AC_HTML_NONSENSE_TAGS 2.0 tflags AC_HTML_NONSENSE_TAGS publish ##} AC_HTML_NONSENSE_TAGS ##{ AC_SPAMMY_URI_PATTERNS1 meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI) describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS1 4.0 tflags AC_SPAMMY_URI_PATTERNS1 publish ##} AC_SPAMMY_URI_PATTERNS1 ##{ AC_SPAMMY_URI_PATTERNS10 meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS10 4.0 tflags AC_SPAMMY_URI_PATTERNS10 publish ##} AC_SPAMMY_URI_PATTERNS10 ##{ AC_SPAMMY_URI_PATTERNS11 meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS11 4.0 tflags AC_SPAMMY_URI_PATTERNS11 publish ##} AC_SPAMMY_URI_PATTERNS11 ##{ AC_SPAMMY_URI_PATTERNS12 meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI) describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS12 4.0 tflags AC_SPAMMY_URI_PATTERNS12 publish ##} AC_SPAMMY_URI_PATTERNS12 ##{ AC_SPAMMY_URI_PATTERNS2 meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI) describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS2 4.0 tflags AC_SPAMMY_URI_PATTERNS2 publish ##} AC_SPAMMY_URI_PATTERNS2 ##{ AC_SPAMMY_URI_PATTERNS3 meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI) describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS3 4.0 tflags AC_SPAMMY_URI_PATTERNS3 publish ##} AC_SPAMMY_URI_PATTERNS3 ##{ AC_SPAMMY_URI_PATTERNS4 meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS4 4.0 tflags AC_SPAMMY_URI_PATTERNS4 publish ##} AC_SPAMMY_URI_PATTERNS4 ##{ AC_SPAMMY_URI_PATTERNS8 meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS8 4.0 tflags AC_SPAMMY_URI_PATTERNS8 publish ##} AC_SPAMMY_URI_PATTERNS8 ##{ AC_SPAMMY_URI_PATTERNS9 meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI)) describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template #score AC_SPAMMY_URI_PATTERNS9 4.0 tflags AC_SPAMMY_URI_PATTERNS9 publish ##} AC_SPAMMY_URI_PATTERNS9 ##{ ADMAIL meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS describe ADMAIL "admail" and variants tflags ADMAIL publish ##} ADMAIL ##{ ADMITS_SPAM meta ADMITS_SPAM __ADMITS_SPAM && !__TO___LOWER && !__MSOE_MID_WRONG_CASE && !__RP_MATCHES_RCVD describe ADMITS_SPAM Admits this is an ad ##} ADMITS_SPAM ##{ ADVANCE_FEE_2_NEW_FORM meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__COMMENT_EXISTS && !__THREADED && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__HAS_SENDER && !__HAS_X_LOOP describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form #score ADVANCE_FEE_2_NEW_FORM 2.000 # limit tflags ADVANCE_FEE_2_NEW_FORM publish ##} ADVANCE_FEE_2_NEW_FORM ##{ ADVANCE_FEE_2_NEW_MONEY meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_CENTER && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__NAME_EQ_EMAIL && !__URI_MAILTO_MANY && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money #score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit tflags ADVANCE_FEE_2_NEW_MONEY publish ##} ADVANCE_FEE_2_NEW_MONEY ##{ ADVANCE_FEE_3_NEW meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__UNSUB_LINK && !__UPPERCASE_URI && !__SURVEY && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419) #score ADVANCE_FEE_3_NEW 3.5 # limit tflags ADVANCE_FEE_3_NEW publish ##} ADVANCE_FEE_3_NEW ##{ ADVANCE_FEE_3_NEW_FORM meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form tflags ADVANCE_FEE_3_NEW_FORM publish ##} ADVANCE_FEE_3_NEW_FORM ##{ ADVANCE_FEE_3_NEW_MONEY meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__UNSUB_LINK && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money tflags ADVANCE_FEE_3_NEW_MONEY publish ##} ADVANCE_FEE_3_NEW_MONEY ##{ ADVANCE_FEE_4_NEW meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__DOS_HAS_LIST_UNSUB describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419) tflags ADVANCE_FEE_4_NEW publish ##} ADVANCE_FEE_4_NEW ##{ ADVANCE_FEE_4_NEW_FRM_MNY meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money ##} ADVANCE_FEE_4_NEW_FRM_MNY ##{ ADVANCE_FEE_4_NEW_MONEY meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__HAS_X_LOOP describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money ##} ADVANCE_FEE_4_NEW_MONEY ##{ ADVANCE_FEE_5_NEW_FRM_MNY meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money ##} ADVANCE_FEE_5_NEW_FRM_MNY ##{ AD_PREFS body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i describe AD_PREFS Advertising preferences #score AD_PREFS 0.500 # limit tflags AD_PREFS publish ##} AD_PREFS ##{ ALIBABA_IMG_NOT_RCVD_ALI meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE #score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba tflags ALIBABA_IMG_NOT_RCVD_ALI publish ##} ALIBABA_IMG_NOT_RCVD_ALI ##{ AMAZON_IMG_NOT_RCVD_AMZN meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST #score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon tflags AMAZON_IMG_NOT_RCVD_AMZN publish ##} AMAZON_IMG_NOT_RCVD_AMZN ##{ APOSTROPHE_FROM header APOSTROPHE_FROM From:addr =~ /'/ describe APOSTROPHE_FROM From address contains an apostrophe ##} APOSTROPHE_FROM ##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto # score APP_DEVELOPMENT_FREEM 3.500 # limit tflags APP_DEVELOPMENT_FREEM publish endif ##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS # score APP_DEVELOPMENT_NORDNS 2.000 # limit tflags APP_DEVELOPMENT_NORDNS publish endif ##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ AXB_XMAILER_MIMEOLE_OL_024C2 meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait ##} AXB_XMAILER_MIMEOLE_OL_024C2 ##{ BANKING_LAWS body BANKING_LAWS /banking laws/i describe BANKING_LAWS Talks about banking laws ##} BANKING_LAWS ##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body BASE64_LENGTH_78_79 eval:check_base64_length('78','79') endif ##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval describe BASE64_LENGTH_79_INF base64 encoded email part uses line length of 78 or 79 characters body BASE64_LENGTH_79_INF eval:check_base64_length('79') describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters endif ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ BITCOIN_BOMB meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 describe BITCOIN_BOMB BitCoin + bomb #score BITCOIN_BOMB 3.000 # limit tflags BITCOIN_BOMB publish ##} BITCOIN_BOMB ##{ BITCOIN_DEADLINE meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 describe BITCOIN_DEADLINE BitCoin with a deadline #score BITCOIN_DEADLINE 3.000 # limit tflags BITCOIN_DEADLINE publish ##} BITCOIN_DEADLINE ##{ BITCOIN_EXTORT_01 meta BITCOIN_EXTORT_01 __BITCOIN_ID && __EXTORT_MANY describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin #score BITCOIN_EXTORT_01 5.000 # limit tflags BITCOIN_EXTORT_01 publish ##} BITCOIN_EXTORT_01 ##{ BITCOIN_MALWARE meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED describe BITCOIN_MALWARE BitCoin + malware bragging #score BITCOIN_MALWARE 3.500 # limit tflags BITCOIN_MALWARE publish ##} BITCOIN_MALWARE ##{ BITCOIN_PAY_ME meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 describe BITCOIN_PAY_ME Pay me via BitCoin #score BITCOIN_PAY_ME 3.000 # limit tflags BITCOIN_PAY_ME publish ##} BITCOIN_PAY_ME ##{ BITCOIN_SPAM_01 meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG describe BITCOIN_SPAM_01 BitCoin spam pattern 01 #score BITCOIN_SPAM_01 2.500 # limit tflags BITCOIN_SPAM_01 publish ##} BITCOIN_SPAM_01 ##{ BITCOIN_SPAM_02 meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID describe BITCOIN_SPAM_02 BitCoin spam pattern 02 #score BITCOIN_SPAM_02 2.500 # limit tflags BITCOIN_SPAM_02 publish ##} BITCOIN_SPAM_02 ##{ BITCOIN_SPAM_03 meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ describe BITCOIN_SPAM_03 BitCoin spam pattern 03 #score BITCOIN_SPAM_03 2.500 # limit tflags BITCOIN_SPAM_03 publish ##} BITCOIN_SPAM_03 ##{ BITCOIN_SPAM_04 meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto describe BITCOIN_SPAM_04 BitCoin spam pattern 04 #score BITCOIN_SPAM_04 1.500 # limit tflags BITCOIN_SPAM_04 publish ##} BITCOIN_SPAM_04 ##{ BITCOIN_SPAM_05 meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO describe BITCOIN_SPAM_05 BitCoin spam pattern 05 #score BITCOIN_SPAM_05 2.500 # limit tflags BITCOIN_SPAM_05 net publish ##} BITCOIN_SPAM_05 ##{ BITCOIN_SPAM_06 meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET describe BITCOIN_SPAM_06 BitCoin spam pattern 06 #score BITCOIN_SPAM_06 1.500 # limit tflags BITCOIN_SPAM_06 publish ##} BITCOIN_SPAM_06 ##{ BITCOIN_SPAM_07 meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS describe BITCOIN_SPAM_07 BitCoin spam pattern 07 #score BITCOIN_SPAM_07 3.500 # limit tflags BITCOIN_SPAM_07 publish ##} BITCOIN_SPAM_07 ##{ BITCOIN_SPAM_08 meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ describe BITCOIN_SPAM_08 BitCoin spam pattern 08 #score BITCOIN_SPAM_08 2.500 # limit tflags BITCOIN_SPAM_08 publish ##} BITCOIN_SPAM_08 ##{ BITCOIN_SPAM_09 meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) describe BITCOIN_SPAM_09 BitCoin spam pattern 09 #score BITCOIN_SPAM_09 1.500 # limit tflags BITCOIN_SPAM_09 publish ##} BITCOIN_SPAM_09 ##{ BITCOIN_SPAM_10 meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) describe BITCOIN_SPAM_10 BitCoin spam pattern 10 #score BITCOIN_SPAM_10 2.500 # limit tflags BITCOIN_SPAM_10 publish ##} BITCOIN_SPAM_10 ##{ BITCOIN_SPAM_11 meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU describe BITCOIN_SPAM_11 BitCoin spam pattern 11 #score BITCOIN_SPAM_11 2.500 # limit tflags BITCOIN_SPAM_11 publish ##} BITCOIN_SPAM_11 ##{ BITCOIN_SPAM_12 meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY describe BITCOIN_SPAM_12 BitCoin spam pattern 12 #score BITCOIN_SPAM_12 2.500 # limit tflags BITCOIN_SPAM_12 publish ##} BITCOIN_SPAM_12 ##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID tflags BITCOIN_SPF_ONLYALL net publish describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF #score BITCOIN_SPF_ONLYALL 2.0 # limit endif endif ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ BODY_EMPTY meta BODY_EMPTY __EMPTY_BODY && !__NUMBERS_IN_SUBJ && !__CTE && !__RP_MATCHES_RCVD && !__VIA_ML && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__FROM_LOWER && !__NOT_SPOOFED && !__MSGID_APPLEMAIL && !__RCD_RDNS_MAIL_MESSY && !NO_RELAYS && !__NOT_A_PERSON describe BODY_EMPTY No body text in message #score BODY_EMPTY 2.00 # limit ##} BODY_EMPTY ##{ BODY_SINGLE_URI meta BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP describe BODY_SINGLE_URI Message body is only a URI #score BODY_SINGLE_URI 2.500 # limit ##} BODY_SINGLE_URI ##{ BODY_SINGLE_WORD meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP describe BODY_SINGLE_WORD Message body is only one word (no spaces) #score BODY_SINGLE_WORD 2.500 # limit ##} BODY_SINGLE_WORD ##{ BODY_URI_ONLY meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENV describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image #score BODY_URI_ONLY 1.000 # limit tflags BODY_URI_ONLY publish ##} BODY_URI_ONLY ##{ BOGUS_MIME_VERSION meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 #score BOGUS_MIME_VERSION 3.500 # limit describe BOGUS_MIME_VERSION Mime version header is bogus tflags BOGUS_MIME_VERSION publish ##} BOGUS_MIME_VERSION ##{ BOGUS_MSM_HDRS meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers #score BOGUS_MSM_HDRS 3.000 # limit tflags BOGUS_MSM_HDRS publish ##} BOGUS_MSM_HDRS ##{ BOMB_FREEM meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto describe BOMB_FREEM Bomb + freemail #score BOMB_FREEM 2.000 # limit tflags BOMB_FREEM publish ##} BOMB_FREEM ##{ BOMB_MONEY meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) describe BOMB_MONEY Bomb + money: bomb threat? #score BOMB_MONEY 2.500 # limit tflags BOMB_MONEY publish ##} BOMB_MONEY ##{ BTC_ORG describe BTC_ORG Bitcoin wallet ID + unusual header #score BTC_ORG 2.500 # limit ##} BTC_ORG ##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST endif ##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED endif ##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ BUG6152_INVALID_DATE_TZ_ABSURD header BUG6152_INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/ ##} BUG6152_INVALID_DATE_TZ_ABSURD ##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD tflags BULK_RE_SUSP_NTLD publish describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD #score BULK_RE_SUSP_NTLD 1.0 # limit endif endif ##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ CANT_SEE_AD meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB describe CANT_SEE_AD You really want to see our spam. #score CANT_SEE_AD 2.500 # limit tflags CANT_SEE_AD publish ##} CANT_SEE_AD ##{ CK_HELO_DYNAMIC_SPLIT_IP header CK_HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?!(?:\d+\.){4})\d+[^\d\s]+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/i describe CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP) #score CK_HELO_DYNAMIC_SPLIT_IP 1.5 ##} CK_HELO_DYNAMIC_SPLIT_IP ##{ CK_HELO_GENERIC header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR #score CK_HELO_GENERIC 0.25 ##} CK_HELO_GENERIC ##{ CN_B2B_SPAMMER body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i describe CN_B2B_SPAMMER Chinese company introducing itself tflags CN_B2B_SPAMMER publish ##} CN_B2B_SPAMMER ##{ COMMENT_GIBBERISH meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT describe COMMENT_GIBBERISH Nonsense in long HTML comment #score COMMENT_GIBBERISH 1.50 # limit tflags COMMENT_GIBBERISH publish ##} COMMENT_GIBBERISH ##{ COMPENSATION describe COMPENSATION "Compensation" #score COMPENSATION 1.50 # limit ##} COMPENSATION ##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD endif ##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE endif ##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ CORRUPT_FROM_LINE_IN_HDRS meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish #score CORRUPT_FROM_LINE_IN_HDRS 0.001 ##} CORRUPT_FROM_LINE_IN_HDRS ##{ CTE_8BIT_MISMATCH meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS) describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees #score CTE_8BIT_MISMATCH 1 tflags CTE_8BIT_MISMATCH publish ##} CTE_8BIT_MISMATCH ##{ CTYPE_001C_A meta CTYPE_001C_A (0) # obsolete ##} CTYPE_001C_A ##{ CTYPE_001C_B header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ ##} CTYPE_001C_B ##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) endif ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta CTYPE_NULL __CTYPE_NULL describe CTYPE_NULL Malformed Content-Type header endif ##} CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ CURR_PRICE body CURR_PRICE /\bCurrent Price:/ ##} CURR_PRICE ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta DAY_I_EARNED __DAY_I_EARNED >= 3 # score DAY_I_EARNED 3.000 # limit describe DAY_I_EARNED Work-at-home spam tflags DAY_I_EARNED publish endif ##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ DEAR_BENEFICIARY body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i describe DEAR_BENEFICIARY Dear Beneficiary: ##} DEAR_BENEFICIARY ##{ DEAR_WINNER body DEAR_WINNER /\bdear.{1,20}winner/i describe DEAR_WINNER Spam with generic salutation of "dear winner" ##} DEAR_WINNER ##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_BL __DKIMWL_WL_BL tflags DKIMWL_BL net publish describe DKIMWL_BL DKIMwl.org - Blacklisted sender #score DKIMWL_BL 3.0 # limit endif ##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_BLOCKED __DKIMWL_BLOCKED tflags DKIMWL_BLOCKED net publish describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. #score DKIMWL_BLOCKED 0.001 # limit endif ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) tflags DKIMWL_WL_HIGH net nice publish describe DKIMWL_WL_HIGH DKIMwl.org - Whitelisted High sender #score DKIMWL_WL_HIGH -3.0 # limit endif ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MED net nice publish describe DKIMWL_WL_MED DKIMwl.org - Medium sender #score DKIMWL_WL_MED -0.5 # limit endif ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::AskDNS meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) tflags DKIMWL_WL_MEDHI net nice publish describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high sender #score DKIMWL_WL_MEDHI -1.0 # limit endif ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ DOS_ANAL_SPAM_MAILER header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam tflags DOS_ANAL_SPAM_MAILER publish ##} DOS_ANAL_SPAM_MAILER ##{ DOS_DEREK_AUG08 meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) ##} DOS_DEREK_AUG08 ##{ DOS_FIX_MY_URI meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam ##} DOS_FIX_MY_URI ##{ DOS_HIGH_BAT_TO_MX meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits ##} DOS_HIGH_BAT_TO_MX ##{ DOS_LET_GO_JOB meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! ##} DOS_LET_GO_JOB ##{ DOS_OE_TO_MX meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE describe DOS_OE_TO_MX Delivered direct to MX with OE headers ##} DOS_OE_TO_MX ##{ DOS_OE_TO_MX_IMAGE meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image ##} DOS_OE_TO_MX_IMAGE ##{ DOS_OUTLOOK_TO_MX meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers ##} DOS_OUTLOOK_TO_MX ##{ DOS_RCVD_IP_TWICE_C header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/ describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) ##} DOS_RCVD_IP_TWICE_C ##{ DOS_STOCK_BAT meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) describe DOS_STOCK_BAT Probable pump and dump stock spam ##} DOS_STOCK_BAT ##{ DOS_STOCK_BAT2 meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) ##} DOS_STOCK_BAT2 ##{ DOS_URI_ASTERISK uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} describe DOS_URI_ASTERISK Found an asterisk in a URI ##} DOS_URI_ASTERISK ##{ DOS_YOUR_PLACE meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) describe DOS_YOUR_PLACE Russian dating spam ##} DOS_YOUR_PLACE ##{ DRUGS_HDIA header DRUGS_HDIA Subject =~ /\bhoodia\b/i describe DRUGS_HDIA Subject mentions "hoodia" ##} DRUGS_HDIA ##{ DX_TEXT_02 body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i describe DX_TEXT_02 "change your message stat" tflags DX_TEXT_02 publish ##} DX_TEXT_02 ##{ DX_TEXT_03 body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ describe DX_TEXT_03 "XXX Media Group" tflags DX_TEXT_03 publish ##} DX_TEXT_03 ##{ DYN_RDNS_AND_INLINE_IMAGE meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS ##} DYN_RDNS_AND_INLINE_IMAGE ##{ DYN_RDNS_SHORT_HELO_HTML meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML ##} DYN_RDNS_SHORT_HELO_HTML ##{ DYN_RDNS_SHORT_HELO_IMAGE meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image ##} DYN_RDNS_SHORT_HELO_IMAGE ##{ EBAY_IMG_NOT_RCVD_EBAY meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay tflags EBAY_IMG_NOT_RCVD_EBAY publish ##} EBAY_IMG_NOT_RCVD_EBAY ##{ ENCRYPTED_MESSAGE meta ENCRYPTED_MESSAGE __CT_ENCRYPTED describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam #score ENCRYPTED_MESSAGE -1.000 tflags ENCRYPTED_MESSAGE nice,publish ##} ENCRYPTED_MESSAGE ##{ END_FUTURE_EMAILS describe END_FUTURE_EMAILS Spammy unsubscribe #score END_FUTURE_EMAILS 2.500 # limit ##} END_FUTURE_EMAILS ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER endif ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED endif ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ EXCUSE_24 body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i describe EXCUSE_24 Claims you wanted this ad ##} EXCUSE_24 ##{ FAKE_REPLY_C meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) ##} FAKE_REPLY_C ##{ FBI_MONEY meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY describe FBI_MONEY The FBI wants to give you lots of money? #score FBI_MONEY 2.00 # limit tflags FBI_MONEY publish ##} FBI_MONEY ##{ FBI_SPOOF meta FBI_SPOOF __FBI_SPOOF describe FBI_SPOOF Claims to be FBI, but not from FBI domain #score FBI_SPOOF 2.00 # limit tflags FBI_SPOOF publish ##} FBI_SPOOF ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML describe FILL_THIS_FORM Fill in a form with personal information tflags FILL_THIS_FORM publish endif ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY describe FILL_THIS_FORM_LONG Fill in a form with personal information # score FILL_THIS_FORM_LONG 2.00 # limit endif ##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL describe FILL_THIS_FORM_SHORT Fill in a short form with personal information # score FILL_THIS_FORM_SHORT 1.00 # limit endif ##} FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FORGED_RELAY_MUA_TO_MX header FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/ ##} FORGED_RELAY_MUA_TO_MX ##{ FORGED_SPF_HELO meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS ##} FORGED_SPF_HELO ##{ FORM_FRAUD meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK describe FORM_FRAUD Fill a form and a fraud phrase #score FORM_FRAUD 1.000 # limit tflags FORM_FRAUD publish ##} FORM_FRAUD ##{ FORM_FRAUD_3 meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED describe FORM_FRAUD_3 Fill a form and several fraud phrases tflags FORM_FRAUD_3 publish ##} FORM_FRAUD_3 ##{ FORM_FRAUD_5 meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE describe FORM_FRAUD_5 Fill a form and many fraud phrases tflags FORM_FRAUD_5 publish ##} FORM_FRAUD_5 ##{ FORM_LOW_CONTRAST meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL describe FORM_LOW_CONTRAST Fill in a form with hidden text #score FORM_LOW_CONTRAST 2.500 # Limit tflags FORM_LOW_CONTRAST publish ##} FORM_LOW_CONTRAST ##{ FOUND_YOU meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO #score FOUND_YOU 3.25 # limit describe FOUND_YOU I found you... tflags FOUND_YOU publish ##} FOUND_YOU ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different # score FREEMAIL_FORGED_FROMDOMAIN 0.25 tflags FREEMAIL_FORGED_FROMDOMAIN publish endif endif endif ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ##{ FREEM_FRNUM_UNICD_EMPTY meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit tflags FREEM_FRNUM_UNICD_EMPTY publish ##} FREEM_FRNUM_UNICD_EMPTY ##{ FRNAME_IN_MSG_XPRIO_NO_SUB meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish ##} FRNAME_IN_MSG_XPRIO_NO_SUB ##{ FROMSPACE describe FROMSPACE Idiosyncratic "From" header format header FROMSPACE From:raw =~ /^\s?\"\s/ ##} FROMSPACE ##{ FROM_2_EMAILS_SHORT meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && __PDS_FROM_2_EMAILS describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails #score FROM_2_EMAILS_SHORT 2.0 # limit ##} FROM_2_EMAILS_SHORT ##{ FROM_ADDR_WS meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL describe FROM_ADDR_WS Malformed From address #score FROM_ADDR_WS 3.000 # limit tflags FROM_ADDR_WS publish ##} FROM_ADDR_WS ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) tflags FROM_BANK_NOAUTH publish net describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM #score FROM_BANK_NOAUTH 1.0 # limit endif endif ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. tflags FROM_FMBLA_NDBLOCKED net publish #score FROM_FMBLA_NDBLOCKED 0.001 # limit endif endif ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days tflags FROM_FMBLA_NEWDOM net #score FROM_FMBLA_NEWDOM 1.5 # limit endif endif ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days tflags FROM_FMBLA_NEWDOM14 publish net #score FROM_FMBLA_NEWDOM14 1.0 # limit endif endif ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days tflags FROM_FMBLA_NEWDOM28 net publish #score FROM_FMBLA_NEWDOM28 0.8 # limit endif endif ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV tflags FROM_GOV_DKIM_AU net nice publish describe FROM_GOV_DKIM_AU From Government address and DKIM signed #score FROM_GOV_DKIM_AU -1.0 # limit endif endif ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU tflags FROM_GOV_REPLYTO_FREEMAIL net publish describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL #score FROM_GOV_REPLYTO_FREEMAIL 2.0 endif endif ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED) tflags FROM_GOV_SPOOF net publish describe FROM_GOV_SPOOF From Government domain but matches SPOOFED #score FROM_GOV_SPOOF 1.0 # limit endif endif ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_IN_TO_AND_SUBJ meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID describe FROM_IN_TO_AND_SUBJ From address is in To and Subject tflags FROM_IN_TO_AND_SUBJ publish ##} FROM_IN_TO_AND_SUBJ ##{ FROM_MISSPACED meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA describe FROM_MISSPACED From: missing whitespace #score FROM_MISSPACED 2.00 ##} FROM_MISSPACED ##{ FROM_MISSP_DYNIP meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS ##} FROM_MISSP_DYNIP ##{ FROM_MISSP_EH_MATCH meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA describe FROM_MISSP_EH_MATCH From misspaced, matches envelope #score FROM_MISSP_EH_MATCH 2.00 # max ##} FROM_MISSP_EH_MATCH ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA describe FROM_MISSP_FREEMAIL From misspaced + freemail provider endif ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ FROM_MISSP_MSFT meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool ##} FROM_MISSP_MSFT ##{ FROM_MISSP_REPLYTO meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY describe FROM_MISSP_REPLYTO From misspaced, has Reply-To #score FROM_MISSP_REPLYTO 2.500 # limit ##} FROM_MISSP_REPLYTO ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) tflags FROM_MISSP_SPF_FAIL net # score FROM_MISSP_SPF_FAIL 2.00 # limit endif ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ FROM_MISSP_TO_UNDISC meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed ##} FROM_MISSP_TO_UNDISC ##{ FROM_MISSP_USER meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) describe FROM_MISSP_USER From misspaced, from "User" ##} FROM_MISSP_USER ##{ FROM_MISSP_XPRIO meta FROM_MISSP_XPRIO (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority #score FROM_MISSP_XPRIO 2.500 # limit ##} FROM_MISSP_XPRIO ##{ FROM_NAME_EQ_TO_G_DRIVE meta FROM_NAME_EQ_TO_G_DRIVE !__SHORT_BODY_G_DRIVE_DYN && __SHORT_BODY_G_DRIVE && (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) describe FROM_NAME_EQ_TO_G_DRIVE From:name equals To:addr and GDRIVE link #score FROM_NAME_EQ_TO_G_DRIVE 1.5 # limit ##} FROM_NAME_EQ_TO_G_DRIVE ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID #score FROM_NEWDOM_BTC 2.0 # limit tflags FROM_NEWDOM_BTC net endif endif ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY tflags FROM_NTLD_LINKBAIT publish describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI #score FROM_NTLD_LINKBAIT 2.0 # limit endif endif ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD tflags FROM_NTLD_REPLY_FREEMAIL publish describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit endif endif ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit tflags FROM_NUMBERO_NEWDOMAIN net publish endif endif ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS ##{ FROM_NUMERIC_TLD header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/ describe FROM_NUMERIC_TLD From: address has numeric TLD #score FROM_NUMERIC_TLD 3.000 # limit ##} FROM_NUMERIC_TLD ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) tflags FROM_PAYPAL_SPOOF publish net describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED #score FROM_PAYPAL_SPOOF 1.6 # limit endif endif ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD tflags FROM_SUSPICIOUS_NTLD publish describe FROM_SUSPICIOUS_NTLD From abused NTLD #score FROM_SUSPICIOUS_NTLD 0.5 # limit endif endif ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST tflags FROM_SUSPICIOUS_NTLD_FP publish describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit endif endif ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ FROM_WORDY meta FROM_WORDY ((__FROM_WORDY_SONLY && !__DKIM_EXISTS) || __FROM_WORDY_3) && !__HAS_TNEF && !__USING_VERP1 && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__RCD_RDNS_MTA && !__RCD_RDNS_MX describe FROM_WORDY From address looks like a sentence #score FROM_WORDY 2.500 # limit tflags FROM_WORDY publish ##} FROM_WORDY ##{ FROM_WORDY_SHORT meta FROM_WORDY_SHORT ((__FROM_WORDY_SONLY || __FROM_WORDY_3) && __HTML_LENGTH_0000_1024) && !__HAS_TNEF && !__USING_VERP1 describe FROM_WORDY_SHORT From address looks like a sentence + short message #score FROM_WORDY_SHORT 2.500 # limit tflags FROM_WORDY_SHORT publish ##} FROM_WORDY_SHORT ##{ FROM_WSP_TRAIL header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field ##} FROM_WSP_TRAIL ##{ FSL_BULK_SIG meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY describe FSL_BULK_SIG Bulk signature with no Unsubscribe #score FSL_BULK_SIG 3.000 # limit tflags FSL_BULK_SIG net publish ##} FSL_BULK_SIG ##{ FSL_CTYPE_WIN1251 header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/ describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam ##} FSL_CTYPE_WIN1251 ##{ FSL_FAKE_HOTMAIL_RVCD header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ ##} FSL_FAKE_HOTMAIL_RVCD ##{ FSL_HELO_BARE_IP_1 meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED ##} FSL_HELO_BARE_IP_1 ##{ FSL_HELO_DEVICE header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i ##} FSL_HELO_DEVICE ##{ FSL_HELO_FAKE header FSL_HELO_FAKE X-Spam-Relays-External =~ /\bhelo=(?:yandex.ru|(?:hotmail|gmail|google|yahoo|msn|microsoft)\.com)\b/i ##} FSL_HELO_FAKE ##{ FSL_HELO_NON_FQDN_1 header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i ##} FSL_HELO_NON_FQDN_1 ##{ FSL_HELO_SETUP header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i ##} FSL_HELO_SETUP ##{ FSL_INTERIA_ABUSE uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/ ##} FSL_INTERIA_ABUSE ##{ FSL_NEW_HELO_USER meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3) describe FSL_NEW_HELO_USER Spam's using Helo and User #score FSL_NEW_HELO_USER 2.0 tflags FSL_NEW_HELO_USER publish ##} FSL_NEW_HELO_USER ##{ FSL_THIS_IS_ADV body FSL_THIS_IS_ADV /This is an advertisement\./ describe FSL_THIS_IS_ADV This is an advertisement ##} FSL_THIS_IS_ADV ##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_ANDROID /<A>(?!ndroid)<N><D><R><O><I><D>/i describe FUZZY_ANDROID Obfuscated "android" tflags FUZZY_ANDROID publish endif ##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_BITCOIN /<B>(?!itcoin)<I><T><C><O><I><N>/i describe FUZZY_BITCOIN Obfuscated "Bitcoin" tflags FUZZY_BITCOIN publish endif ##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_BROWSER /<B>(?!rowser)<R><O><W><S><E><R>/i describe FUZZY_BROWSER Obfuscated "browser" tflags FUZZY_BROWSER publish endif ##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" tflags FUZZY_BTC_WALLET publish endif ##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_CLICK_HERE /<C>(?!lick(?:\s| )here)<WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i describe FUZZY_CLICK_HERE Obfuscated "click here" tflags FUZZY_CLICK_HERE publish endif ##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML && !__DKIM_EXISTS && !__RP_MATCHES_RCVD describe FUZZY_DR_OZ Obfuscated Doctor Oz tflags FUZZY_DR_OZ publish endif ##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_IMPORTANT /<I>(?!mportant)<M><P><O><R><T><A><N><T>/i describe FUZZY_IMPORTANT Obfuscated "important" tflags FUZZY_IMPORTANT publish endif ##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i describe FUZZY_MERIDIA Obfuscation of the word "meridia" endif ##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_MONERO meta FUZZY_MONERO __FUZZY_MONERO describe FUZZY_MONERO Obfuscated "Monero" tflags FUZZY_MONERO publish ##} FUZZY_MONERO ##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PRIVACY /<P>(?!rivacy)<R><I><V><A><C><Y>/i describe FUZZY_PRIVACY Obfuscated "privacy" tflags FUZZY_PRIVACY publish endif ##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_PROMOTION /<P>(?!romotion)<R><O><M><O><T><I><O><N>/i describe FUZZY_PROMOTION Obfuscated "promotion" tflags FUZZY_PROMOTION publish endif ##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_SAVINGS /<S>(?!avings)<A><V><I><N><G><S>/i describe FUZZY_SAVINGS Obfuscated "savings" tflags FUZZY_SAVINGS publish endif ##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_SECURITY /<S>(?!ecurity)(?!eguridad)<E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i describe FUZZY_SECURITY Obfuscated "security" tflags FUZZY_SECURITY publish endif ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_UNSUBSCRIBE /<U>(?!nsubscribe)<N><S><U><B><S><C><R><I><B><E>/i describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" tflags FUZZY_UNSUBSCRIBE publish endif ##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body FUZZY_WALLET /<W>(?!allet)<A><L><L><E><T>/i describe FUZZY_WALLET Obfuscated "Wallet" tflags FUZZY_WALLET publish endif ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto # score GAPPY_SALES_LEADS_FREEM 3.500 # limit tflags GAPPY_SALES_LEADS_FREEM publish endif ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ GB_BITCOIN_CP meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE ) describe GB_BITCOIN_CP Localized Bitcoin scam #score GB_BITCOIN_CP 3.0 # limit ##} GB_BITCOIN_CP ##{ GB_BITCOIN_NH meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) ) describe GB_BITCOIN_NH Localized Bitcoin scam #score GB_BITCOIN_NH 3.0 # limit ##} GB_BITCOIN_NH ##{ GB_FORGED_MUA_POSTFIX meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 ) describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers tflags GB_FORGED_MUA_POSTFIX publish #score GB_FORGED_MUA_POSTFIX 2.0 # limit ##} GB_FORGED_MUA_POSTFIX ##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe ) describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails # score GB_FREEMAIL_DISPTO 0.50 # limit tflags GB_FREEMAIL_DISPTO publish endif ##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM ) describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail # score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit tflags GB_FREEMAIL_DISPTO_NOTFREEM publish endif ##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ GB_GOOGLE_OBFUR uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])+\&cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&url=https?:\/\/.{1,50}&usg=.{1,50}/ describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect #score GB_GOOGLE_OBFUR 0.75 # limit tflags GB_GOOGLE_OBFUR publish ##} GB_GOOGLE_OBFUR ##{ GB_GOOGLE_OBFUS uri GB_GOOGLE_OBFUS /^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/ describe GB_GOOGLE_OBFUS Obfuscate url through Google search #score GB_GOOGLE_OBFUS 0.75 # limit ##} GB_GOOGLE_OBFUS ##{ GB_LINKED_IMG_NOT_RCVD_LINK meta GB_LINKED_IMG_NOT_RCVD_LINK __LINKED_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP describe GB_LINKED_IMG_NOT_RCVD_LINK Linkedin hosted image but message not from Linkedin #score GB_LINKED_IMG_NOT_RCVD_LINK 2.500 # limit tflags GB_LINKED_IMG_NOT_RCVD_LINK publish ##} GB_LINKED_IMG_NOT_RCVD_LINK ##{ GB_WP_FILELINK body GB_WP_FILELINK /\#file_links\["C\:\\\w+\.txt/ describe GB_WP_FILELINK try to abuse file_links uris in Wordpress emails #score GB_WP_FILELINK 2.0 # limit tflags GB_WP_FILELINK publish ##} GB_WP_FILELINK ##{ GEO_QUERY_STRING uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i ##} GEO_QUERY_STRING ##{ GOOGLE_DOCS_PHISH meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form #score GOOGLE_DOCS_PHISH 3.00 # limit tflags GOOGLE_DOCS_PHISH publish ##} GOOGLE_DOCS_PHISH ##{ GOOGLE_DOCS_PHISH_MANY meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form #score GOOGLE_DOCS_PHISH_MANY 4.00 # limit tflags GOOGLE_DOCS_PHISH_MANY publish ##} GOOGLE_DOCS_PHISH_MANY ##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD #score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit endif endif ##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ GOOG_MALWARE_DNLD meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD describe GOOG_MALWARE_DNLD File download via Google - Malware? #score GOOG_MALWARE_DNLD 5.000 # limit tflags GOOG_MALWARE_DNLD publish ##} GOOG_MALWARE_DNLD ##{ GOOG_REDIR_HTML_ONLY meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512 describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only #score GOOG_REDIR_HTML_ONLY 2.000 # limit ##} GOOG_REDIR_HTML_ONLY ##{ GOOG_REDIR_NORDNS meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS ##} GOOG_REDIR_NORDNS ##{ GOOG_REDIR_SHORT meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message tflags GOOG_REDIR_SHORT publish ##} GOOG_REDIR_SHORT ##{ HDRS_LCASE describe HDRS_LCASE Odd capitalization of message header #score HDRS_LCASE 0.10 # limit ##} HDRS_LCASE ##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO endif ##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) ##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO endif ##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ HDRS_LCASE_IMGONLY meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML #score HDRS_LCASE_IMGONLY 0.10 # limit ##} HDRS_LCASE_IMGONLY ##{ HDRS_MISSP meta HDRS_MISSP __HDRS_MISSP && !__TAG_EXISTS_HEAD && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH describe HDRS_MISSP Misspaced headers #score HDRS_MISSP 2.000 # limit ##} HDRS_MISSP ##{ HDR_ORDER_FTSDMCXX_001C meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C) describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant) ##} HDR_ORDER_FTSDMCXX_001C ##{ HDR_ORDER_FTSDMCXX_BAT meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY) describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant) ##} HDR_ORDER_FTSDMCXX_BAT ##{ HDR_ORDER_FTSDMCXX_DIRECT meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX #score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit tflags HDR_ORDER_FTSDMCXX_DIRECT publish ##} HDR_ORDER_FTSDMCXX_DIRECT ##{ HDR_ORDER_FTSDMCXX_NORDNS meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS #score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit tflags HDR_ORDER_FTSDMCXX_NORDNS publish ##} HDR_ORDER_FTSDMCXX_NORDNS ##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999') describe HEADER_COUNT_SUBJECT Multiple Subject headers found endif ##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains() describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different # score HEADER_FROM_DIFFERENT_DOMAINS 0.25 tflags HEADER_FROM_DIFFERENT_DOMAINS publish endif endif endif ##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ##{ HELO_FRIEND header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i ##} HELO_FRIEND ##{ HELO_LH_LD header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i ##} HELO_LH_LD ##{ HELO_LOCALHOST header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i ##} HELO_LOCALHOST ##{ HELO_MISC_IP meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2)) describe HELO_MISC_IP Looking for more Dynamic IP Relays #score HELO_MISC_IP 0.25 ##} HELO_MISC_IP ##{ HELO_NO_DOMAIN meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST describe HELO_NO_DOMAIN Relay reports its domain incorrectly tflags HELO_NO_DOMAIN publish ##} HELO_NO_DOMAIN ##{ HELO_OEM header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i ##} HELO_OEM ##{ HEXHASH_WORD meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER describe HEXHASH_WORD Multiple instances of word + hexadecimal hash #score HEXHASH_WORD 3.000 # limit tflags HEXHASH_WORD publish ##} HEXHASH_WORD ##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/ #score HK_CTE_RAW 2 tflags HK_CTE_RAW publish endif ##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ HK_LOTTO meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT #score HK_LOTTO 1 ##} HK_LOTTO ##{ HK_NAME_DRUGS header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi describe HK_NAME_DRUGS From name contains drugs #score HK_NAME_DRUGS 2 ##} HK_NAME_DRUGS ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM # score HK_NAME_MR_MRS 1.0 endif endif ##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ HK_RANDOM_ENVFROM header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_ENVFROM Envelope sender username looks random #score HK_RANDOM_ENVFROM 1 tflags HK_RANDOM_ENVFROM publish ##} HK_RANDOM_ENVFROM ##{ HK_RANDOM_FROM header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_FROM From username looks random #score HK_RANDOM_FROM 1 tflags HK_RANDOM_FROM publish ##} HK_RANDOM_FROM ##{ HK_RANDOM_REPLYTO header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_REPLYTO Reply-To username looks random #score HK_RANDOM_REPLYTO 1 tflags HK_RANDOM_REPLYTO publish ##} HK_RANDOM_REPLYTO ##{ HK_RCVD_IP_MULTICAST header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./ #score HK_RCVD_IP_MULTICAST 2 tflags HK_RCVD_IP_MULTICAST publish ##} HK_RCVD_IP_MULTICAST ##{ HK_SCAM meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S7 || __HK_SCAM_S15 || __HK_SCAM_S25 #score HK_SCAM 2 tflags HK_SCAM publish ##} HK_SCAM ##{ HOSTED_IMG_DIRECT_MX meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS #score HOSTED_IMG_DIRECT_MX 3.500 # limit describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm site, message direct-to-mx tflags HOSTED_IMG_DIRECT_MX publish ##} HOSTED_IMG_DIRECT_MX ##{ HOSTED_IMG_DQ_UNSUB meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB #score HOSTED_IMG_DQ_UNSUB 3.500 # limit describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link tflags HOSTED_IMG_DQ_UNSUB publish ##} HOSTED_IMG_DQ_UNSUB ##{ HOSTED_IMG_FREEM meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED #score HOSTED_IMG_FREEM 3.500 # limit describe HOSTED_IMG_FREEM Image hosted at large ecomm site or redirected, freemail from or reply-to tflags HOSTED_IMG_FREEM publish ##} HOSTED_IMG_FREEM ##{ HOSTED_IMG_MULTI meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS #score HOSTED_IMG_MULTI 3.000 # limit describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm sites or redirected tflags HOSTED_IMG_MULTI publish ##} HOSTED_IMG_MULTI ##{ HTML_ENTITY_ASCII meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP describe HTML_ENTITY_ASCII Obfuscated ASCII #score HTML_ENTITY_ASCII 3.000 # limit tflags HTML_ENTITY_ASCII publish ##} HTML_ENTITY_ASCII ##{ HTML_ENTITY_ASCII_TINY meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01 describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts #score HTML_ENTITY_ASCII_TINY 3.000 # limit tflags HTML_ENTITY_ASCII_TINY publish ##} HTML_ENTITY_ASCII_TINY ##{ HTML_OFF_PAGE meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS describe HTML_OFF_PAGE HTML element rendered well off the displayed page #score HTML_OFF_PAGE 3.000 # limit tflags HTML_OFF_PAGE publish ##} HTML_OFF_PAGE ##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments # score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit tflags HTML_SHRT_CMNT_OBFU_MANY publish endif ##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTML_SINGLET_MANY meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__STY_INVIS_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !__FEES && !ALL_TRUSTED describe HTML_SINGLET_MANY Many single-letter HTML format blocks #score HTML_SINGLET_MANY 2.500 # limit tflags HTML_SINGLET_MANY publish ##} HTML_SINGLET_MANY ##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY describe HTML_TAG_BALANCE_CENTER Malformatted HTML endif ##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval ##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY describe HTML_TEXT_INVISIBLE_FONT HTML hidden text # score HTML_TEXT_INVISIBLE_FONT 3.000 # limit tflags HTML_TEXT_INVISIBLE_FONT publish endif ##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__RCD_RDNS_MTA describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs # score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit tflags HTML_TEXT_INVISIBLE_STYLE publish endif ##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') endif ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch ##{ IMG_ONLY_FM_DOM_INFO meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain #score IMG_ONLY_FM_DOM_INFO 2.500 # limit tflags IMG_ONLY_FM_DOM_INFO publish ##} IMG_ONLY_FM_DOM_INFO ##{ JM_I_FEEL_LUCKY uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/ tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign ##} JM_I_FEEL_LUCKY ##{ JM_RCVD_QMAILV1 header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/ ##} JM_RCVD_QMAILV1 ##{ JM_TORA_XM meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO) ##} JM_TORA_XM ##{ KB_DATE_CONTAINS_TAB meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB #score KB_DATE_CONTAINS_TAB 0.5 ##} KB_DATE_CONTAINS_TAB ##{ KB_FAKED_THE_BAT meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB) ##} KB_FAKED_THE_BAT ##{ KB_FORGED_MOZ4 header KB_FORGED_MOZ4 User-Agent =~ /\bMozilla 4/ describe KB_FORGED_MOZ4 Mozilla 4 uses X-Mailer ##} KB_FORGED_MOZ4 ##{ KB_RATWARE_BOUNDARY meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B ##} KB_RATWARE_BOUNDARY ##{ KB_RATWARE_MSGID meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA) ##} KB_RATWARE_MSGID ##{ KB_RATWARE_OUTLOOK_08 header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # " ##} KB_RATWARE_OUTLOOK_08 ##{ KB_RATWARE_OUTLOOK_12 header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " ##} KB_RATWARE_OUTLOOK_12 ##{ KB_RATWARE_OUTLOOK_16 header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " ##} KB_RATWARE_OUTLOOK_16 ##{ KB_RATWARE_OUTLOOK_MID header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi ##} KB_RATWARE_OUTLOOK_MID ##{ KHOP_FAKE_EBAY meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay ##} KHOP_FAKE_EBAY ##{ KHOP_HELO_FCRDNS meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT) describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS #score KHOP_HELO_FCRDNS 0.4 # 20090603 ##} KHOP_HELO_FCRDNS ##{ LIST_PARTIAL_SHORT_MSG meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message #score LIST_PARTIAL_SHORT_MSG 2.500 # limit ##} LIST_PARTIAL_SHORT_MSG ##{ LIST_PRTL_PUMPDUMP meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump #score LIST_PRTL_PUMPDUMP 2.000 # limit tflags LIST_PRTL_PUMPDUMP publish ##} LIST_PRTL_PUMPDUMP ##{ LIST_PRTL_SAME_USER meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same #score LIST_PRTL_SAME_USER 3.000 # limit tflags LIST_PRTL_SAME_USER publish ##} LIST_PRTL_SAME_USER ##{ LIVEFILESTORE uri LIVEFILESTORE m~livefilestore.com/~ ##} LIVEFILESTORE ##{ LONG_HEX_URI meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 describe LONG_HEX_URI Very long purely hexadecimal URI #score LONG_HEX_URI 3.000 # limit tflags LONG_HEX_URI publish ##} LONG_HEX_URI ##{ LONG_IMG_URI meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO describe LONG_IMG_URI Image URI with very long path component - web bug? #score LONG_IMG_URI 3.000 # limit tflags LONG_IMG_URI publish ##} LONG_IMG_URI ##{ LONG_TERM_PRICE body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i ##} LONG_TERM_PRICE ##{ LOOPHOLE_1 body LOOPHOLE_1 /loop-?hole in the banking/i describe LOOPHOLE_1 A loop hole in the banking laws? ##} LOOPHOLE_1 ##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY describe LOTS_OF_MONEY Huge... sums of money # score LOTS_OF_MONEY 0.01 tflags LOTS_OF_MONEY publish endif ##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ LOTTERY_1 meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ) ##} LOTTERY_1 ##{ LOTTERY_PH_004470 meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) ##} LOTTERY_PH_004470 ##{ LUCRATIVE meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED describe LUCRATIVE Make lots of money! #score LUCRATIVE 2.00 # limit tflags LUCRATIVE publish ##} LUCRATIVE ##{ L_SPAM_TOOL_13 header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ ##} L_SPAM_TOOL_13 ##{ MALFORMED_FREEMAIL meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM describe MALFORMED_FREEMAIL Bad headers on message from free email service ##} MALFORMED_FREEMAIL ##{ MALF_HTML_B64 meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG describe MALF_HTML_B64 Malformatted base64-encoded HTML content #score MALF_HTML_B64 3.500 # limit tflags MALF_HTML_B64 publish ##} MALF_HTML_B64 ##{ MALWARE_NORDNS meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 describe MALWARE_NORDNS Malware bragging + no rDNS #score MALWARE_NORDNS 3.500 # limit tflags MALWARE_NORDNS publish ##} MALWARE_NORDNS ##{ MALWARE_PASSWORD meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 describe MALWARE_PASSWORD Malware bragging + "password" #score MALWARE_PASSWORD 3.500 # limit tflags MALWARE_PASSWORD publish ##} MALWARE_PASSWORD ##{ MANY_HDRS_LCASE describe MANY_HDRS_LCASE Odd capitalization of multiple message headers #score MANY_HDRS_LCASE 0.10 # limit ##} MANY_HDRS_LCASE ##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE endif ##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) ##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE endif ##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ MANY_SPAN_IN_TEXT meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text tflags MANY_SPAN_IN_TEXT publish ##} MANY_SPAN_IN_TEXT ##{ MAY_BE_FORGED meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP ##} MAY_BE_FORGED ##{ MID_DEGREES header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/ ##} MID_DEGREES ##{ MILLION_HUNDRED body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i describe MILLION_HUNDRED Million "One to Nine" Hundred tflags MILLION_HUNDRED publish ##} MILLION_HUNDRED ##{ MIMEOLE_DIRECT_TO_MX meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX #score MIMEOLE_DIRECT_TO_MX 2.000 # limit tflags MIMEOLE_DIRECT_TO_MX publish ##} MIMEOLE_DIRECT_TO_MX ##{ MIME_BOUND_EQ_REL header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s ##} MIME_BOUND_EQ_REL ##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128 # score MIME_NO_TEXT 2.00 # limit describe MIME_NO_TEXT No (properly identified) text body parts tflags MIME_NO_TEXT publish endif ##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA) describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP endif ##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) ) describe MIXED_ES Too many es are not es tflags MIXED_ES publish # lang pl score MIXED_ES 0.01 # lang cz score MIXED_ES 0.01 # lang sk score MIXED_ES 0.01 # lang hr score MIXED_ES 0.01 # lang el score MIXED_ES 0.01 endif endif ##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ MONERO_EXTORT_01 meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency #score MONERO_EXTORT_01 5.000 # limit tflags MONERO_EXTORT_01 publish ##} MONERO_EXTORT_01 ##{ MONEY_FORM_SHORT meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD describe MONEY_FORM_SHORT Lots of money if you fill out a short form #score MONEY_FORM_SHORT 2.500 # limit ##} MONEY_FORM_SHORT ##{ MONEY_FRAUD_3 meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE describe MONEY_FRAUD_3 Lots of money and several fraud phrases tflags MONEY_FRAUD_3 publish ##} MONEY_FRAUD_3 ##{ MONEY_FRAUD_5 meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE describe MONEY_FRAUD_5 Lots of money and many fraud phrases tflags MONEY_FRAUD_5 publish ##} MONEY_FRAUD_5 ##{ MONEY_FRAUD_8 meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG describe MONEY_FRAUD_8 Lots of money and very many fraud phrases tflags MONEY_FRAUD_8 publish ##} MONEY_FRAUD_8 ##{ MONEY_FROM_41 meta MONEY_FROM_41 __MONEY_FROM_41 describe MONEY_FROM_41 Lots of money from Africa #score MONEY_FROM_41 2.00 # limit ##} MONEY_FROM_41 ##{ MSGID_MULTIPLE_AT header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/ describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters #score MSGID_MULTIPLE_AT 0.001 ##} MSGID_MULTIPLE_AT ##{ MSM_PRIO_REPTO meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject #score MSM_PRIO_REPTO 2.500 # limit tflags MSM_PRIO_REPTO publish ##} MSM_PRIO_REPTO ##{ MSOE_MID_WRONG_CASE meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) ##} MSOE_MID_WRONG_CASE ##{ NEWEGG_IMG_NOT_RCVD_NEGG meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG #score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg tflags NEWEGG_IMG_NOT_RCVD_NEGG publish ##} NEWEGG_IMG_NOT_RCVD_NEGG ##{ NORDNS_LOW_CONTRAST meta NORDNS_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __RDNS_NONE) && !ALL_TRUSTED && !__HAS_CID describe NORDNS_LOW_CONTRAST No rDNS + hidden text #score NORDNS_LOW_CONTRAST 2.500 # limit ##} NORDNS_LOW_CONTRAST ##{ NO_FM_NAME_IP_HOSTN meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address #score NO_FM_NAME_IP_HOSTN 2.500 # limit tflags NO_FM_NAME_IP_HOSTN publish ##} NO_FM_NAME_IP_HOSTN ##{ NSL_RCVD_FROM_USER header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/ describe NSL_RCVD_FROM_USER Received from User ##} NSL_RCVD_FROM_USER ##{ NSL_RCVD_HELO_USER header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i describe NSL_RCVD_HELO_USER Received from HELO User ##} NSL_RCVD_HELO_USER ##{ NULL_IN_BODY full NULL_IN_BODY /\x00/ describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message ##} NULL_IN_BODY ##{ NUMBERONLY_BITCOIN_EXP meta NUMBERONLY_BITCOIN_EXP __NUMBERONLY_TLD && __BITCOIN_ID && __NAKED_TO describe NUMBERONLY_BITCOIN_EXP Domain ends in a large number and very short body with link #score NUMBERONLY_BITCOIN_EXP 2.0 # limit ##} NUMBERONLY_BITCOIN_EXP ##{ OBFU_BITCOIN meta OBFU_BITCOIN __OBFU_BITCOIN describe OBFU_BITCOIN Obfuscated BitCoin references #score OBFU_BITCOIN 3.000 # limit tflags OBFU_BITCOIN publish ##} OBFU_BITCOIN ##{ OBFU_JVSCR_ESC rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i describe OBFU_JVSCR_ESC Injects content using obfuscated javascript tflags OBFU_JVSCR_ESC publish ##} OBFU_JVSCR_ESC ##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type tflags OBFU_TEXT_ATTACH publish endif ##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F) describe PART_CID_STOCK Has a spammy image attachment (by Content-ID) endif ##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS) describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific) endif ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ PDS_BTC_ID meta PDS_BTC_ID __PDS_BTC_ID describe PDS_BTC_ID FP reduced Bitcoin ID #score PDS_BTC_ID 0.5 ##} PDS_BTC_ID ##{ PDS_BTC_MSGID meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2 describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2 #score PDS_BTC_MSGID 1.0 ##} PDS_BTC_MSGID ##{ PDS_DBL_URL_TNB_RUNON meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon #score PDS_DBL_URL_TNB_RUNON 2.0 ##} PDS_DBL_URL_TNB_RUNON ##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta PDS_EMPTYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJECT_EMPTY && __PDS_MSG_1024 describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener #score PDS_EMPTYSUBJ_URISHRT 1.5 # limit endif endif ##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta PDS_FREEMAIL_REPLYTO_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 describe PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener #score PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit endif endif ##} PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ PDS_FRNOM_TODOM_NAKED_TO meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain #score PDS_FRNOM_TODOM_NAKED_TO 1.5 ##} PDS_FRNOM_TODOM_NAKED_TO ##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD endif ##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ PDS_FROM_NAME_TO_DOMAIN meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN #score PDS_FROM_NAME_TO_DOMAIN 1.0 describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain ##} PDS_FROM_NAME_TO_DOMAIN ##{ PDS_HELO_SPF_FAIL meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF #score PDS_HELO_SPF_FAIL 2.0 tflags PDS_HELO_SPF_FAIL net ##} PDS_HELO_SPF_FAIL ##{ PDS_HP_HELO_NORDNS meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS #score PDS_HP_HELO_NORDNS 1.0 ##} PDS_HP_HELO_NORDNS ##{ PDS_NAKED_TO_NUMERO meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain #score PDS_NAKED_TO_NUMERO 2.0 ##} PDS_NAKED_TO_NUMERO ##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') #score PDS_OTHER_BAD_TLD 2.0 describe PDS_OTHER_BAD_TLD Untrustworthy TLDs endif endif ##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ PDS_PHP_EVAL meta PDS_PHP_EVAL __PDS_PHP_EVAL1 describe PDS_PHP_EVAL PHP header shows eval'd code #score PDS_PHP_EVAL 1.5 ##} PDS_PHP_EVAL ##{ PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta PDS_SHORTFWD_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 describe PDS_SHORTFWD_URISHRT Threaded email with URI shortener #score PDS_SHORTFWD_URISHRT 1.5 # limit endif endif ##} PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ PDS_SHORT_BOGUS_MSM_HDRS meta PDS_SHORT_BOGUS_MSM_HDRS __PDS_HTML_LENGTH_1024 && __BOGUS_MSM_HDRS #score PDS_SHORT_BOGUS_MSM_HDRS 2.0 describe PDS_SHORT_BOGUS_MSM_HDRS Short HTML email with bogus MSM headers ##} PDS_SHORT_BOGUS_MSM_HDRS ##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_MSG_1024 describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener #score PDS_TINYSUBJ_URISHRT 1.5 # limit endif endif ##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL #score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit ##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE ##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers #score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit ##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE ##{ PDS_TONAME_EQ_TOLOCAL_SHORT meta PDS_TONAME_EQ_TOLOCAL_SHORT __PDS_TONAME_EQ_TOLOCAL && __KAM_BODY_LENGTH_LT_512 describe PDS_TONAME_EQ_TOLOCAL_SHORT Short body with To: name matches everything in local email #score PDS_TONAME_EQ_TOLOCAL_SHORT 2.0 # limit ##} PDS_TONAME_EQ_TOLOCAL_SHORT ##{ PDS_TONAME_EQ_TOLOCAL_VSHORT meta PDS_TONAME_EQ_TOLOCAL_VSHORT __KAM_BODY_LENGTH_LT_128 && __PDS_TONAME_EQ_TOLOCAL describe PDS_TONAME_EQ_TOLOCAL_VSHORT Very short body and From looks like 2 different emails #score PDS_TONAME_EQ_TOLOCAL_VSHORT 1.0 # limit ##} PDS_TONAME_EQ_TOLOCAL_VSHORT ##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) describe PDS_TO_EQ_FROM_NAME From: name same as To: address endif ##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF describe PHOTO_EDITING_DIRECT Image editing service, direct to MX # score PHOTO_EDITING_DIRECT 3.000 # limit endif ##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto # score PHOTO_EDITING_FREEM 3.750 # limit endif ##} PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ PHP_NOVER_MUA describe PHP_NOVER_MUA Mail from PHP with no version number #score PHP_NOVER_MUA 3.000 # limit tflags PHP_NOVER_MUA publish ##} PHP_NOVER_MUA ##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH endif ##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH endif ##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ PHP_ORIG_SCRIPT meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER describe PHP_ORIG_SCRIPT Sent by bot & other signs #score PHP_ORIG_SCRIPT 2.500 # limit tflags PHP_ORIG_SCRIPT publish ##} PHP_ORIG_SCRIPT ##{ PHP_SCRIPT_MUA meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA describe PHP_SCRIPT_MUA Sent by PHP script, no version number #score PHP_SCRIPT_MUA 2.000 # limit tflags PHP_SCRIPT_MUA publish ##} PHP_SCRIPT_MUA ##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal() describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't # score PP_MIME_FAKE_ASCII_TEXT 1.0 tflags PP_MIME_FAKE_ASCII_TEXT publish endif endif ##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) ##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02) describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes # score PP_TOO_MUCH_UNICODE02 0.5 tflags PP_TOO_MUCH_UNICODE02 publish endif endif ##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05) describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes # score PP_TOO_MUCH_UNICODE05 1.0 tflags PP_TOO_MUCH_UNICODE05 publish endif endif ##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) ##{ PUMPDUMP meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI describe PUMPDUMP Pump-and-dump stock scam phrase #score PUMPDUMP 1.000 # limit tflags PUMPDUMP publish ##} PUMPDUMP ##{ PUMPDUMP_MULTI meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases #score PUMPDUMP_MULTI 3.500 # limit tflags PUMPDUMP_MULTI publish ##} PUMPDUMP_MULTI ##{ PUMPDUMP_TIP meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP describe PUMPDUMP_TIP Pump-and-dump stock tip tflags PUMPDUMP_TIP publish ##} PUMPDUMP_TIP ##{ RAND_HEADER_MANY meta RAND_HEADER_MANY __RAND_HEADER > 3 describe RAND_HEADER_MANY Many random gibberish message headers #score RAND_HEADER_MANY 3.000 # limit tflags RAND_HEADER_MANY publish ##} RAND_HEADER_MANY ##{ RATWARE_NO_RDNS meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS #score RATWARE_NO_RDNS 3.000 # limit ##} RATWARE_NO_RDNS ##{ RCVD_BAD_ID header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/ describe RCVD_BAD_ID Received header contains id field with bad characters ##} RCVD_BAD_ID ##{ RCVD_DBL_DQ header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/ describe RCVD_DBL_DQ Malformatted message header tflags RCVD_DBL_DQ publish ##} RCVD_DBL_DQ ##{ RCVD_FORGED_WROTE header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/ describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam) ##} RCVD_FORGED_WROTE ##{ RCVD_FORGED_WROTE2 header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s ##} RCVD_FORGED_WROTE2 ##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3') describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record tflags RCVD_IN_IADB_DK net nice endif ##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10') describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in tflags RCVD_IN_IADB_DOPTIN net nice endif ##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9') describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time tflags RCVD_IN_IADB_DOPTIN_GT50 net nice endif ##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8') describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time tflags RCVD_IN_IADB_DOPTIN_LT50 net nice endif ##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1') describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database tflags RCVD_IN_IADB_EDDB net nice endif ##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2') describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance tflags RCVD_IN_IADB_EPIA net nice endif ##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103') describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail tflags RCVD_IN_IADB_GOODMAIL net nice endif ##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$') describe RCVD_IN_IADB_LISTED Participates in the IADB system tflags RCVD_IN_IADB_LISTED net nice endif ##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4') describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in tflags RCVD_IN_IADB_LOOSE net nice endif ##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10') describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law tflags RCVD_IN_IADB_MI_CPEAR net nice endif ##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10') describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days tflags RCVD_IN_IADB_MI_CPR_30 net nice endif ##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10') describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR tflags RCVD_IN_IADB_MI_CPR_MAT net nice endif ##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100') describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in tflags RCVD_IN_IADB_ML_DOPTIN net nice endif ##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0') describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place tflags RCVD_IN_IADB_NOCONTROL net nice endif ##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200') describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only tflags RCVD_IN_IADB_OOO net nice endif ##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7') describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in tflags RCVD_IN_IADB_OPTIN net nice endif ##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6') describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time tflags RCVD_IN_IADB_OPTIN_GT50 net nice endif ##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5') describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time tflags RCVD_IN_IADB_OPTIN_LT50 net nice endif ##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1') describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only tflags RCVD_IN_IADB_OPTOUTONLY net nice endif ##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4') describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record tflags RCVD_IN_IADB_RDNS net nice endif ##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2') describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record tflags RCVD_IN_IADB_SENDERID net nice endif ##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1') describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record tflags RCVD_IN_IADB_SPF net nice endif ##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2') describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups tflags RCVD_IN_IADB_UNVERIFIED_1 net nice endif ##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3') describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out tflags RCVD_IN_IADB_UNVERIFIED_2 net nice endif ##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10') describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law tflags RCVD_IN_IADB_UT_CPEAR net nice endif ##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10') describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days tflags RCVD_IN_IADB_UT_CPR_30 net nice endif ##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10') describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR tflags RCVD_IN_IADB_UT_CPR_MAT net nice endif ##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval ##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { ifplugin Mail::SpamAssassin::Plugin::DNSEval # { header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.') describe RCVD_IN_PSBL Received via a relay in PSBL tflags RCVD_IN_PSBL net endif ##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { ##{ RCVD_MAIL_COM header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com) ##} RCVD_MAIL_COM ##{ RDNS_LOCALHOST header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i describe RDNS_LOCALHOST Sender's public rDNS is "localhost" ##} RDNS_LOCALHOST ##{ RDNS_NUM_TLD_ATCHNX meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment #score RDNS_NUM_TLD_ATCHNX 3.000 # limit tflags RDNS_NUM_TLD_ATCHNX publish ##} RDNS_NUM_TLD_ATCHNX ##{ RDNS_NUM_TLD_XM meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY) describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers #score RDNS_NUM_TLD_XM 3.000 # limit tflags RDNS_NUM_TLD_XM publish ##} RDNS_NUM_TLD_XM ##{ REPLYTO_WITHOUT_TO_CC meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) ##} REPLYTO_WITHOUT_TO_CC ##{ RISK_FREE meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH describe RISK_FREE No risk! ##} RISK_FREE ##{ SB_GIF_AND_NO_URIS meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) ##} SB_GIF_AND_NO_URIS ##{ SCRIPT_GIBBERISH meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META describe SCRIPT_GIBBERISH Nonsense in HTML <SCRIPT> tag ##} SCRIPT_GIBBERISH ##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1) tflags SEO_SUSP_NTLD publish describe SEO_SUSP_NTLD SEO offer from suspicious TLD #score SEO_SUSP_NTLD 1.2 # limit endif endif ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ SERGIO_SUBJECT_PORN014 header SERGIO_SUBJECT_PORN014 Subject =~ /f[^a-zA-Z0-9]{0,3}[uv][^a-zA-Z0-9]{0,3}c[^a-zA-Z0-9]{0,3}k/i describe SERGIO_SUBJECT_PORN014 F\*\*\* garbled subject ##} SERGIO_SUBJECT_PORN014 ##{ SERGIO_SUBJECT_VIAGRA01 header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject ##} SERGIO_SUBJECT_VIAGRA01 ##{ SHOPIFY_IMG_NOT_RCVD_SFY meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !__HAS_CAMPAIGN && !MIME_QP_LONG_LINE && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER #score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify tflags SHOPIFY_IMG_NOT_RCVD_SFY publish ##} SHOPIFY_IMG_NOT_RCVD_SFY ##{ SHORTENED_URL_SRC rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it)\/[^\/]{3}/ ##} SHORTENED_URL_SRC ##{ SHORTENER_SHORT_IMG meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener #score SHORTENER_SHORT_IMG 2.500 # limit ##} SHORTENER_SHORT_IMG ##{ SHORT_BODY_G_DRIVE_DYN meta SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE_DYN describe SHORT_BODY_G_DRIVE_DYN Short body with Google Drive link and dynamic looking sender #score SHORT_BODY_G_DRIVE_DYN 1.5 # limit ##} SHORT_BODY_G_DRIVE_DYN ##{ SHORT_HELO_AND_INLINE_IMAGE meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image ##} SHORT_HELO_AND_INLINE_IMAGE ##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD tflags SHORT_IMG_SUSP_NTLD publish describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD #score SHORT_IMG_SUSP_NTLD 1.5 # limit endif endif ##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta SHORT_SHORTNER __PDS_MSG_512 && (__PDS_URISHORTENER || __URL_SHORTENER) && !DRUGS_ERECTILE describe SHORT_SHORTNER Short body with little more than a link to a shortener #score SHORT_SHORTNER 2.0 # limit endif endif ##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ SHORT_TERM_PRICE body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i ##} SHORT_TERM_PRICE ##{ SINGLETS_LOW_CONTRAST meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text tflags SINGLETS_LOW_CONTRAST publish ##} SINGLETS_LOW_CONTRAST ##{ SPAMMY_XMAILER meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham ##} SPAMMY_XMAILER ##{ SPOOFED_FREEMAIL meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__FS_SUBJ_RE && !__freemail_safe && !__DOS_HAS_LIST_ID && !__HAS_X_MAILING_LIST && !__HAS_X_REF && !__HAS_THREAD_INDEX && !__HDRS_LCASE_KNOWN && !__FSL_RELAY_GOOGLE #score SPOOFED_FREEMAIL 2.000 # limit tflags SPOOFED_FREEMAIL net ##} SPOOFED_FREEMAIL ##{ SPOOFED_FREEMAIL_NO_RDNS meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS #score SPOOFED_FREEMAIL_NO_RDNS 1.5 ##} SPOOFED_FREEMAIL_NO_RDNS ##{ SPOOFED_FREEM_REPTO meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to #score SPOOFED_FREEM_REPTO 2.500 tflags SPOOFED_FREEM_REPTO net publish ##} SPOOFED_FREEM_REPTO ##{ SPOOFED_FREEM_REPTO_CHN meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to #score SPOOFED_FREEM_REPTO_CHN 3.500 tflags SPOOFED_FREEM_REPTO_CHN net publish ##} SPOOFED_FREEM_REPTO_CHN ##{ SPOOFED_FREEM_REPTO_RUS meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to #score SPOOFED_FREEM_REPTO_RUS 3.500 tflags SPOOFED_FREEM_REPTO_RUS net publish ##} SPOOFED_FREEM_REPTO_RUS ##{ STATIC_XPRIO_OLE meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE #score STATIC_XPRIO_OLE 2.000 # limit tflags STATIC_XPRIO_OLE publish ##} STATIC_XPRIO_OLE ##{ STOCK_IMG_CTYPE meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY) describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header ##} STOCK_IMG_CTYPE ##{ STOCK_IMG_HDR_FROM meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY) describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line ##} STOCK_IMG_HDR_FROM ##{ STOCK_IMG_HTML meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY) describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML ##} STOCK_IMG_HTML ##{ STOCK_IMG_OUTLOOK meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048) describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features ##} STOCK_IMG_OUTLOOK ##{ STOCK_LOW_CONTRAST meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG describe STOCK_LOW_CONTRAST Stocks + hidden text #score STOCK_LOW_CONTRAST 2.500 # limit tflags STOCK_LOW_CONTRAST publish ##} STOCK_LOW_CONTRAST ##{ STOCK_PRICES meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE) ##} STOCK_PRICES ##{ STOCK_TIP meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS describe STOCK_TIP Stock tips #score STOCK_TIP 3.000 # limit tflags STOCK_TIP publish ##} STOCK_TIP ##{ STOX_AND_PRICE meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE ##} STOX_AND_PRICE ##{ STOX_REPLY_TYPE header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ ##} STOX_REPLY_TYPE ##{ STOX_REPLY_TYPE_WITHOUT_QUOTES meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE)) ##} STOX_REPLY_TYPE_WITHOUT_QUOTES ##{ SUBJECT_NEEDS_ENCODING meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME describe SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the encoding ##} SUBJECT_NEEDS_ENCODING ##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers endif ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ SUBJ_OBFU_PUNCT_FEW meta SUBJ_OBFU_PUNCT_FEW __SUBJ_OBFU_PUNCT > 1 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH describe SUBJ_OBFU_PUNCT_FEW Possible punctuation-obfuscated Subject: header #score SUBJ_OBFU_PUNCT_FEW 0.750 ##} SUBJ_OBFU_PUNCT_FEW ##{ SUBJ_OBFU_PUNCT_MANY meta SUBJ_OBFU_PUNCT_MANY __SUBJ_OBFU_PUNCT > 2 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH describe SUBJ_OBFU_PUNCT_MANY Punctuation-obfuscated Subject: header #score SUBJ_OBFU_PUNCT_MANY 1.750 ##} SUBJ_OBFU_PUNCT_MANY ##{ SUBJ_UNNEEDED_HTML meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject: ##} SUBJ_UNNEEDED_HTML ##{ SYSADMIN meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS describe SYSADMIN Supposedly from your IT department #score SYSADMIN 3.500 # limit tflags SYSADMIN publish ##} SYSADMIN ##{ TBIRD_SUSP_MIME_BDRY meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary ##} TBIRD_SUSP_MIME_BDRY ##{ TEQF_USR_IMAGE meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH describe TEQF_USR_IMAGE To and from user nearly same + image tflags TEQF_USR_IMAGE publish ##} TEQF_USR_IMAGE ##{ TEQF_USR_MSGID_HEX meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2 describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID tflags TEQF_USR_MSGID_HEX publish ##} TEQF_USR_MSGID_HEX ##{ TEQF_USR_MSGID_MALF meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID tflags TEQF_USR_MSGID_MALF publish ##} TEQF_USR_MSGID_MALF ##{ THEBAT_UNREG header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/ ##} THEBAT_UNREG ##{ THIS_AD meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD describe THIS_AD "This ad" and variants tflags THIS_AD publish ##} THIS_AD ##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __PDS_THIS_IS_ADV tflags THIS_IS_ADV_SUSP_NTLD publish describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD #score THIS_IS_ADV_SUSP_NTLD 1.5 # limit endif endif ##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta TONOM_EQ_TOLOC_SHRT_SHRTNER __PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 describe TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local #score TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit endif endif ##} TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ TO_EQ_FM_DIRECT_MX meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX #score TO_EQ_FM_DIRECT_MX 2.500 # limit tflags TO_EQ_FM_DIRECT_MX publish ##} TO_EQ_FM_DIRECT_MX ##{ TO_EQ_FM_DOM_HTML_IMG meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link ##} TO_EQ_FM_DOM_HTML_IMG ##{ TO_EQ_FM_DOM_HTML_ONLY meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only ##} TO_EQ_FM_DOM_HTML_ONLY ##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed tflags TO_EQ_FM_DOM_SPF_FAIL net endif ##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ TO_EQ_FM_HTML_ONLY meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER describe TO_EQ_FM_HTML_ONLY To == From and HTML only ##} TO_EQ_FM_HTML_ONLY ##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed tflags TO_EQ_FM_SPF_FAIL net endif ##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ##{ TO_IN_SUBJ meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW describe TO_IN_SUBJ To address is in Subject tflags TO_IN_SUBJ publish #score TO_IN_SUBJ 0.1 ##} TO_IN_SUBJ ##{ TO_NAME_SUBJ_NO_RDNS meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS #score TO_NAME_SUBJ_NO_RDNS 3.000 # limit tflags TO_NAME_SUBJ_NO_RDNS publish ##} TO_NAME_SUBJ_NO_RDNS ##{ TO_NO_BRKTS_FROM_MSSP meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER #score TO_NO_BRKTS_FROM_MSSP 2.50 # max describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems ##} TO_NO_BRKTS_FROM_MSSP ##{ TO_NO_BRKTS_HTML_IMG meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image #score TO_NO_BRKTS_HTML_IMG 2.000 # limit tflags TO_NO_BRKTS_HTML_IMG publish ##} TO_NO_BRKTS_HTML_IMG ##{ TO_NO_BRKTS_HTML_ONLY meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH #score TO_NO_BRKTS_HTML_ONLY 2.00 # limit describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only tflags TO_NO_BRKTS_HTML_ONLY publish ##} TO_NO_BRKTS_HTML_ONLY ##{ TO_NO_BRKTS_MSFT meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool #score TO_NO_BRKTS_MSFT 2.50 # limit ##} TO_NO_BRKTS_MSFT ##{ TO_NO_BRKTS_NORDNS_HTML meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS #score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only tflags TO_NO_BRKTS_NORDNS_HTML publish ##} TO_NO_BRKTS_NORDNS_HTML ##{ TO_NO_BRKTS_PCNT meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage #score TO_NO_BRKTS_PCNT 2.50 # limit tflags TO_NO_BRKTS_PCNT publish ##} TO_NO_BRKTS_PCNT ##{ TT_MSGID_TRUNC header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/ describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits ##} TT_MSGID_TRUNC ##{ TT_OBSCURED_VALIUM meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject ##} TT_OBSCURED_VALIUM ##{ TT_OBSCURED_VIAGRA meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject ##} TT_OBSCURED_VIAGRA ##{ TVD_ACT_193 body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i describe TVD_ACT_193 Message refers to an act passed in the 1930s ##} TVD_ACT_193 ##{ TVD_APPROVED body TVD_APPROVED /you.{1,2}re .{0,20}approved/i describe TVD_APPROVED Body states that the recipient has been approved ##} TVD_APPROVED ##{ TVD_DEAR_HOMEOWNER body TVD_DEAR_HOMEOWNER /^dear homeowner/i describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner" ##} TVD_DEAR_HOMEOWNER ##{ TVD_EB_PHISH meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP ##} TVD_EB_PHISH ##{ TVD_ENVFROM_APOST header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/ describe TVD_ENVFROM_APOST Envelope From contains single-quote ##} TVD_ENVFROM_APOST ##{ TVD_FINGER_02 header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i ##} TVD_FINGER_02 ##{ TVD_FLOAT_GENERAL rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i describe TVD_FLOAT_GENERAL Message uses CSS float style ##} TVD_FLOAT_GENERAL ##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i describe TVD_FUZZY_DEGREE Obfuscation of the word "degree" endif ##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i describe TVD_FUZZY_FINANCE Obfuscation of the word "finance" endif ##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate" endif ##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap" endif ##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical" endif ##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol" endif ##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/ describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name endif ##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/ describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name endif ##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ TVD_INCREASE_SIZE body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i describe TVD_INCREASE_SIZE Advertising for penis enlargement ##} TVD_INCREASE_SIZE ##{ TVD_LINK_SAVE body TVD_LINK_SAVE /\blink to save\b/i describe TVD_LINK_SAVE Spam with the text "link to save" ##} TVD_LINK_SAVE ##{ TVD_PH_BODY_ACCOUNTS_PRE meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification" ##} TVD_PH_BODY_ACCOUNTS_PRE ##{ TVD_PH_REC body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i describe TVD_PH_REC Message includes a phrase commonly used in phishing mails ##} TVD_PH_REC ##{ TVD_PH_SEC body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails ##} TVD_PH_SEC ##{ TVD_PP_PHISH meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP ##} TVD_PP_PHISH ##{ TVD_QUAL_MEDS body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication" ##} TVD_QUAL_MEDS ##{ TVD_RATWARE_CB header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware ##} TVD_RATWARE_CB ##{ TVD_RATWARE_CB_2 header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware ##} TVD_RATWARE_CB_2 ##{ TVD_RATWARE_MSGID_02 header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/ describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case ##} TVD_RATWARE_MSGID_02 ##{ TVD_RCVD_IP header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ describe TVD_RCVD_IP Message was received from an IP address ##} TVD_RCVD_IP ##{ TVD_RCVD_IP4 header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/ describe TVD_RCVD_IP4 Message was received from an IPv4 address ##} TVD_RCVD_IP4 ##{ TVD_RCVD_SPACE_BRACKET header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i ##} TVD_RCVD_SPACE_BRACKET ##{ TVD_SECTION body TVD_SECTION /\bSection (?:27A|21B)/i describe TVD_SECTION References to specific legal codes ##} TVD_SECTION ##{ TVD_SILLY_URI_OBFU body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule ##} TVD_SILLY_URI_OBFU ##{ TVD_SPACED_SUBJECT_WORD3 header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/ describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace ##} TVD_SPACED_SUBJECT_WORD3 ##{ TVD_SPACE_ENCODED meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM #score TVD_SPACE_ENCODED 2.500 # limit describe TVD_SPACE_ENCODED Space ratio & encoded subject ##} TVD_SPACE_ENCODED ##{ TVD_SPACE_RATIO_MINFP meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__BOTH_INR_AND_REF && !__X_CRON_ENV && !__HAS_THREAD_INDEX && !__HDRS_LCASE_KNOWN && !__ISO_2022_JP_DELIM && !__DOS_HAS_LIST_UNSUB && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !ALL_TRUSTED && !__RCD_RDNS_SMTP #score TVD_SPACE_RATIO_MINFP 2.500 # limit describe TVD_SPACE_RATIO_MINFP Space ratio ##} TVD_SPACE_RATIO_MINFP ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval ifplugin Mail::SpamAssassin::Plugin::BodyEval body TVD_STOCK1 eval:check_stock_info('2') describe TVD_STOCK1 Spam related to stock trading endif ##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval ##{ TVD_SUBJ_ACC_NUM header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference ##} TVD_SUBJ_ACC_NUM ##{ TVD_SUBJ_FINGER_03 header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" ##} TVD_SUBJ_FINGER_03 ##{ TVD_SUBJ_NUM_OBFU_MINFP meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO ##} TVD_SUBJ_NUM_OBFU_MINFP ##{ TVD_SUBJ_OWE header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt ##} TVD_SUBJ_OWE ##{ TVD_SUBJ_WIPE_DEBT header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt ##} TVD_SUBJ_WIPE_DEBT ##{ TVD_VISIT_PHARMA body TVD_VISIT_PHARMA /Online Ph.rmacy/i describe TVD_VISIT_PHARMA Body mentions online pharmacy ##} TVD_VISIT_PHARMA ##{ TVD_VIS_HIDDEN rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i describe TVD_VIS_HIDDEN Invisible textarea HTML tags ##} TVD_VIS_HIDDEN ##{ TW_GIBBERISH_MANY meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters #score TW_GIBBERISH_MANY 2.000 # limit tflags TW_GIBBERISH_MANY publish ##} TW_GIBBERISH_MANY ##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware endif ##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON describe T_ANY_PILL_PRICE Prices for pills endif ##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ describe T_CDISP_SZ_MANY Suspicious MIME header # score T_CDISP_SZ_MANY 2.0 # limit endif ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920') describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date endif ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval ifplugin Mail::SpamAssassin::Plugin::HeaderEval header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date endif ##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name endif ##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DOS_OUTLOOK_TO_MX_IMAGE meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image ##} T_DOS_OUTLOOK_TO_MX_IMAGE ##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/ describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus # score T_DOS_ZIP_HARDCORE 2.5 endif ##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && (__PDS_URISHORTENER || __URL_SHORTENER) && DRUGS_ERECTILE describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER #score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit endif endif ##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_EMRCP body T_EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i describe T_EMRCP "Excess Maximum Return Capital Profit" scam ##} T_EMRCP ##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) endif ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE describe T_FILL_THIS_FORM_LOAN Answer loan question(s) # score T_FILL_THIS_FORM_LOAN 2.0 endif ##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo ifplugin Mail::SpamAssassin::Plugin::ImageInfo meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam endif ##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo ##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail endif ##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden endif ##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FreeMail meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail endif ##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail ##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO describe T_FROMNAME_EQUALS_TO From:name matches To: #score T_FROMNAME_EQUALS_TO 1.0 tflags T_FROMNAME_EQUALS_TO publish endif ##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email #score T_FROMNAME_SPOOFED_EMAIL 0.3 tflags T_FROMNAME_SPOOFED_EMAIL publish endif ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_FUZZY_OPTOUT /\s(?!opt.?out)<O><P><T>.?<O><U><T>/i describe T_FUZZY_OPTOUT Obfuscated opt-out text endif ##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i endif ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO ) describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains # score T_GB_FREEM_FROM_NOT_REPLY 0.50 # limit tflags T_GB_FREEM_FROM_NOT_REPLY publish endif endif ##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip # score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish endif ##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ##{ T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL body T_GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '(?:\s|^)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?:\s|$)') tflags T_GB_HASHBL_BTC net describe T_GB_HASHBL_BTC Message contains BTC address found on BTCBL # score T_GB_HASHBL_BTC 5.0 # limit endif endif ##} T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM # score T_HK_NAME_FM_FROM 1.5 endif endif ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM # score T_HK_NAME_FM_MR_MRS 1.5 endif endif ##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM # score T_HK_NAME_FROM 1.0 endif endif ##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN endif ##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 describe T_HTML_ATTACH HTML attachment to bypass scanning? endif ##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT describe T_ISO_ATTACH ISO attachment - possible malware delivery # score T_ISO_ATTACH 3.000 # limit endif ##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval ifplugin Mail::SpamAssassin::Plugin::HTMLEval body T_KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color') describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML #score T_KAM_HTML_FONT_INVALID 0.1 endif ##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval ##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 describe T_LARGE_PCT_AFTER_MANY Many large percentages after... endif ##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i endif ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_LOTTO_AGENT meta T_LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD describe T_LOTTO_AGENT Claims Agent #score T_LOTTO_AGENT 1.50 # limit ##} T_LOTTO_AGENT ##{ T_LOTTO_AGENT_FM header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i describe T_LOTTO_AGENT_FM Claims Agent ##} T_LOTTO_AGENT_FM ##{ T_LOTTO_AGENT_RPLY meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG describe T_LOTTO_AGENT_RPLY Claims Agent ##} T_LOTTO_AGENT_RPLY ##{ T_LOTTO_URI uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i describe T_LOTTO_URI Claims Department URL ##} T_LOTTO_URI ##{ T_MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 describe T_MALW_ATTACH Attachment filename suspicious, probable malware exploit endif ##} T_MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 describe T_MANY_PILL_PRICE Prices for many pills endif ##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_MIME_MALF if (version >= 3.004000) if (version >= 3.004000) meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED describe T_MIME_MALF Malformed MIME: headers in body # score T_MIME_MALF 2.00 # limit endif ##} T_MIME_MALF if (version >= 3.004000) ##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY) describe T_MONEY_PERCENT X% of a lot of money for you endif ##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH) describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From endif ##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type endif ##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type endif ##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type endif ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware endif ##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type endif ##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type endif ##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA describe T_OFFER_ONLY_AMERICA Offer only available to US #score T_OFFER_ONLY_AMERICA 2.0 # limit endif endif ##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) describe T_PDS_BTC_AHACKER Bitcoin Hacker # score T_PDS_BTC_AHACKER 3.0 # limit endif ##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) describe T_PDS_BTC_HACKER Bitcoin Hacker # score T_PDS_BTC_HACKER 2.0 # limit endif ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) describe T_PDS_BTC_NTLD Bitcoin suspect NTLD #score T_PDS_BTC_NTLD 2.0 # limit endif endif ##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) describe T_PDS_LTC_AHACKER Litecoin Hacker # score T_PDS_LTC_AHACKER 3.0 # limit endif ##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) describe T_PDS_LTC_HACKER Litecoin Hacker # score T_PDS_LTC_HACKER 2.0 # limit endif ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { meta T_REMOTE_IMAGE __REMOTE_IMAGE describe T_REMOTE_IMAGE Message contains an external image endif ##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR describe T_SENT_TO_EMAIL_ADDR Email was sent to email address #score T_SENT_TO_EMAIL_ADDR 2.0 # limit endif endif ##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_SHARE_50_50 meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY describe T_SHARE_50_50 Share the money 50/50 ##} T_SHARE_50_50 ##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money #score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit endif endif ##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local #score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit endif endif ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i endif ##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security es)<S><E><C><U><R><I><T><I><E><S>/i endif ##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/ endif ##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists') endif ##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval ifplugin Mail::SpamAssassin::Plugin::MIMEEval body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers') endif ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH) describe T_WON_MONEY_ATTACH You won lots of money! See attachment. endif ##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH) describe T_WON_NBDY_ATTACH You won lots of money! See attachment. endif ##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto describe T_ZW_OBFU_FREEM Obfuscated text + freemail # score T_ZW_OBFU_FREEM 2.000 # limit endif ##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject # score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit endif ##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UC_GIBBERISH_OBFU meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" #score UC_GIBBERISH_OBFU 3.000 # Limit tflags UC_GIBBERISH_OBFU publish ##} UC_GIBBERISH_OBFU ##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 describe UNICODE_OBFU_ASC Obfuscating text with unicode # score UNICODE_OBFU_ASC 2.500 # limit tflags UNICODE_OBFU_ASC publish endif ##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS describe UNICODE_OBFU_ZW Obfuscating text with hidden characters # score UNICODE_OBFU_ZW 3.500 # limit tflags UNICODE_OBFU_ZW publish endif ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ UPGRADE_MAILBOX meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?) ##} UPGRADE_MAILBOX ##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL ifplugin Mail::SpamAssassin::Plugin::URIDNSBL urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2 body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB') describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) tflags URIBL_RHS_DOB net endif ##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL ##{ URI_BUFFLY meta URI_BUFFLY __URI_BUFFLY && !__DOS_HAS_LIST_UNSUB describe URI_BUFFLY buff.ly redirector URI #score URI_BUFFLY 2.000 # limit ##} URI_BUFFLY ##{ URI_DATA meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB describe URI_DATA "data:" URI - possible malware or phish #score URI_DATA 3.250 # limit tflags URI_DATA publish ##} URI_DATA ##{ URI_DQ_UNSUB meta URI_DQ_UNSUB __URI_DQ_UNSUB describe URI_DQ_UNSUB IP-address unsubscribe URI tflags URI_DQ_UNSUB publish ##} URI_DQ_UNSUB ##{ URI_GOOGLE_PROXY meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAIL describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? tflags URI_GOOGLE_PROXY publish ##} URI_GOOGLE_PROXY ##{ URI_HEX_IP meta URI_HEX_IP __URI_HEX_IP #score URI_HEX_IP 2.500 # limit describe URI_HEX_IP URI with hex-encoded IP-address host tflags URI_HEX_IP publish ##} URI_HEX_IP ##{ URI_IMG_WP_REDIR meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR #score URI_IMG_WP_REDIR 3.000 # limit describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy tflags URI_IMG_WP_REDIR publish ##} URI_IMG_WP_REDIR ##{ URI_ONLY_MSGID_MALF meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW tflags URI_ONLY_MSGID_MALF net meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO describe URI_ONLY_MSGID_MALF URI only + malformed message ID #score URI_ONLY_MSGID_MALF 2.000 # limit tflags URI_ONLY_MSGID_MALF publish ##} URI_ONLY_MSGID_MALF ##{ URI_OPTOUT_3LD uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname #score URI_OPTOUT_3LD 2.000 # limit tflags URI_OPTOUT_3LD publish ##} URI_OPTOUT_3LD ##{ URI_OPTOUT_USME uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i describe URI_OPTOUT_USME Opt-out URI, unusual TLD tflags URI_OPTOUT_USME publish ##} URI_OPTOUT_USME ##{ URI_PHISH describe URI_PHISH Phishing using web form #score URI_PHISH 4.00 # limit tflags URI_PHISH publish ##} URI_PHISH ##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney endif ##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) ##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE endif ##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ URI_PHP_REDIR meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA #score URI_PHP_REDIR 3.500 # limit describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) tflags URI_PHP_REDIR publish ##} URI_PHP_REDIR ##{ URI_TRY_3LD uri URI_TRY_3LD m,^https?://(?:try|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)\w)[^.]*\.[^/]+\.(?:com|net)\b,i describe URI_TRY_3LD "Try it" URI, suspicious hostname #score URI_TRY_3LD 2.000 # limit tflags URI_TRY_3LD publish ##} URI_TRY_3LD ##{ URI_TRY_USME meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS describe URI_TRY_USME "Try it" URI, unusual TLD tflags URI_TRY_USME publish ##} URI_TRY_USME ##{ URI_WPADMIN meta URI_WPADMIN __URI_WPADMIN describe URI_WPADMIN WordPress login/admin URI, possible phishing tflags URI_WPADMIN publish ##} URI_WPADMIN ##{ URI_WP_DIRINDEX meta URI_WP_DIRINDEX __URI_WPDIRINDEX describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware #score URI_WP_DIRINDEX 3.500 # limit tflags URI_WP_DIRINDEX publish ##} URI_WP_DIRINDEX ##{ URI_WP_HACKED meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED describe URI_WP_HACKED URI for compromised WordPress site, possible malware #score URI_WP_HACKED 3.500 # limit tflags URI_WP_HACKED publish ##} URI_WP_HACKED ##{ URI_WP_HACKED_2 meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware #score URI_WP_HACKED_2 2.500 # limit tflags URI_WP_HACKED_2 publish ##} URI_WP_HACKED_2 ##{ USB_DRIVES meta USB_DRIVES __SUBJ_USB_DRIVES describe USB_DRIVES Trying to sell custom USB flash drives #score USB_DRIVES 2.000 # limit tflags USB_DRIVES publish ##} USB_DRIVES ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD tflags VPS_NO_NTLD publish describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD #score VPS_NO_NTLD 1.0 # limit endif endif ##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval ##{ WALMART_IMG_NOT_RCVD_WAL meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS #score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart tflags WALMART_IMG_NOT_RCVD_WAL publish ##} WALMART_IMG_NOT_RCVD_WAL ##{ XM_PHPMAILER_FORGED meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED describe XM_PHPMAILER_FORGED Apparently forged header tflags XM_PHPMAILER_FORGED publish ##} XM_PHPMAILER_FORGED ##{ XPRIO describe XPRIO Has X-Priority header #score XPRIO 2.250 # limit tflags XPRIO publish ##} XPRIO ##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta XPRIO __XPRIO_MINFP endif ##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM tflags XPRIO net endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE endif endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS endif endif ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF ##{ XPRIO_SHORT_SUBJ meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__UNPARSEABLE_RELAY_COUNT && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__SUBSCRIPTION_INFO && !__FROM_ENCODED_QP && !ALL_TRUSTED && !__NAKED_TO describe XPRIO_SHORT_SUBJ Has X-Priority header + short subject #score XPRIO_SHORT_SUBJ 2.500 # limit tflags XPRIO_SHORT_SUBJ publish ##} XPRIO_SHORT_SUBJ ##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER describe XPRIO_URL_SHORTNER X-Priority header and short URL #score XPRIO_URL_SHORTNER 1.0 # limit endif endif ##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ X_MAILER_CME_6543_MSN header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ ##} X_MAILER_CME_6543_MSN ##{ ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID describe ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion # score ZW_OBFU_BITCOIN 2.500 # limit endif ##} ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ##{ bayes_ignore_header_sandbox bayes_ignore_header X-ACL-Warn bayes_ignore_header X-Alimail-AntiSpam bayes_ignore_header X-Amavis-Modified bayes_ignore_header X-Anti-Spam bayes_ignore_header X-Anti-Virus bayes_ignore_header X-Anti-Virus-Version bayes_ignore_header X-AntiAbuse bayes_ignore_header X-Antispam bayes_ignore_header X-Antivirus bayes_ignore_header X-Antivirus-Code bayes_ignore_header X-Antivirus-Status bayes_ignore_header X-Antivirus-Version bayes_ignore_header x-aol-global-disposition bayes_ignore_header X-ASF-Spam-Status bayes_ignore_header X-ASG-Debug-ID bayes_ignore_header X-ASG-Orig-Subj bayes_ignore_header X-ASG-Recipient-Whitelist bayes_ignore_header X-ASG-Tag bayes_ignore_header X-Assp-Version bayes_ignore_header X-Authority-Analysis bayes_ignore_header X-Authvirus bayes_ignore_header X-Auto-Response-Suppress bayes_ignore_header X-AV-Do-Run bayes_ignore_header X-AV-Status bayes_ignore_header x-avast-antispam bayes_ignore_header X-Backend bayes_ignore_header X-Barracuda-Apparent-Source-IP bayes_ignore_header X-Barracuda-Bayes bayes_ignore_header X-Barracuda-BBL-IP bayes_ignore_header X-Barracuda-BRTS-Status bayes_ignore_header X-Barracuda-BRTS-URL-Found bayes_ignore_header X-Barracuda-Connect bayes_ignore_header X-Barracuda-Encrypted bayes_ignore_header X-Barracuda-Envelope-From bayes_ignore_header X-Barracuda-Fingerprint-Found bayes_ignore_header X-Barracuda-Orig-Rcpt bayes_ignore_header X-Barracuda-RBL-IP bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder bayes_ignore_header X-Barracuda-Spam-Report bayes_ignore_header X-Barracuda-Spam-Score bayes_ignore_header X-Barracuda-Spam-Status bayes_ignore_header X-Barracuda-Start-Time bayes_ignore_header X-Barracuda-UID bayes_ignore_header X-Barracuda-URL bayes_ignore_header X-Barracuda-Virus-Alert bayes_ignore_header X-Bayes-Prob bayes_ignore_header X-Bayesian-Result bayes_ignore_header X-BitDefender-Spam bayes_ignore_header X-BitDefender-SpamStamp bayes_ignore_header X-BL bayes_ignore_header X-Bogosity bayes_ignore_header X-Boxtrapper bayes_ignore_header X-Brightmail-Tracker bayes_ignore_header X-BTI-AntiSpam bayes_ignore_header X-Bugzilla-Version bayes_ignore_header X-CanIt-Geo bayes_ignore_header X-Canit-Stats-ID bayes_ignore_header X-CanItPRO-Stream bayes_ignore_header X-Clapf-spamicity bayes_ignore_header X-Cloud-Security bayes_ignore_header X-CM-Score bayes_ignore_header X-CMAE-Analysis bayes_ignore_header X-CMAE-Match bayes_ignore_header X-CMAE-Score bayes_ignore_header X-CMAE-Verdict bayes_ignore_header X-CNFS-Analysis bayes_ignore_header X-Company bayes_ignore_header X-Coremail-Antispam bayes_ignore_header X-CRM114-CacheID bayes_ignore_header X-CRM114-Status bayes_ignore_header X-CRM114-Version bayes_ignore_header X-CT-Spam bayes_ignore_header X-CTCH-SenderID bayes_ignore_header X-CTCH-SenderID-TotalBulk bayes_ignore_header X-CTCH-SenderID-TotalConfirmed bayes_ignore_header X-CTCH-SenderID-TotalMessages bayes_ignore_header X-CTCH-SenderID-TotalRecipients bayes_ignore_header X-CTCH-SenderID-TotalSpam bayes_ignore_header X-CTCH-SenderID-TotalSuspected bayes_ignore_header X-CTCH-SenderID-TotalVirus bayes_ignore_header X-CTCH-Spam bayes_ignore_header X-CTCH-VOD bayes_ignore_header X-Drweb-SpamState bayes_ignore_header X-DSPAM-Confidence bayes_ignore_header X-DSPAM-Factors bayes_ignore_header X-DSPAM-Improbability bayes_ignore_header X-DSPAM-Probability bayes_ignore_header X-DSPAM-Processed bayes_ignore_header X-DSPAM-Result bayes_ignore_header X-DSPAM-Signature bayes_ignore_header x-eavas bayes_ignore_header x-eavas-action bayes_ignore_header x-eavas-eavasid bayes_ignore_header X-Enigmail-Version bayes_ignore_header X-EsetId bayes_ignore_header X-EsetResult bayes_ignore_header X-Exchange-Antispam-Report bayes_ignore_header X-ExtloopSabreCommercials1 bayes_ignore_header X-EYOU-SPAMVALUE bayes_ignore_header X-FB-OUTBOUND-SPAM bayes_ignore_header X-FEAS-SBL bayes_ignore_header X-FILTER-SCORE bayes_ignore_header X-Forefront-Antispam-Report bayes_ignore_header X-Forefront-PRVS bayes_ignore_header X-Fuglu-Spamstatus bayes_ignore_header X-Fuglu-Suspect bayes_ignore_header X-getmail-filter-classifier bayes_ignore_header X-GFIME-MASPAM bayes_ignore_header X-Gmane-NNTP-Posting-Host bayes_ignore_header X-GMX-Antispam bayes_ignore_header X-GMX-Antivirus bayes_ignore_header X-He-Spam bayes_ignore_header X-hMailServer-Spam bayes_ignore_header X-IAS bayes_ignore_header X-iGspam-global bayes_ignore_header X-Injected-Via-Gmane bayes_ignore_header X-Interia-Antivirus bayes_ignore_header X-IP-Spam-Verdict bayes_ignore_header X-Ironport bayes_ignore_header X-IronPort-Anti-Spam-Filtered bayes_ignore_header X-IronPort-Anti-Spam-Result bayes_ignore_header X-IronPort-AV bayes_ignore_header X-Ironport-HAT bayes_ignore_header X-Ironport-HOSTNAME bayes_ignore_header X-Ironport-LNR bayes_ignore_header X-Ironport-MessageFilter bayes_ignore_header X-Ironport-MFP bayes_ignore_header X-Ironport-MID bayes_ignore_header X-IronPort-Outgoing-Antispam bayes_ignore_header X-Ironport-RIF bayes_ignore_header X-Ironport-SBRS bayes_ignore_header X-Ironport-SENDER bayes_ignore_header X-Ironport-SUBJECT bayes_ignore_header X-Junk-Score bayes_ignore_header X-Junkmail bayes_ignore_header X-KLMS-AntiPhishing bayes_ignore_header X-Klms-Antispam bayes_ignore_header X-KLMS-AntiSpam-Info bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles bayes_ignore_header X-KLMS-AntiSpam-Method bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps bayes_ignore_header X-KLMS-AntiSpam-Rate bayes_ignore_header X-KLMS-AntiSpam-Status bayes_ignore_header X-KLMS-AntiSpam-Version bayes_ignore_header X-KLMS-AntiVirus bayes_ignore_header X-KLMS-AntiVirus-Status bayes_ignore_header X-KLMS-Message-Action bayes_ignore_header X-KLMS-Rule-ID bayes_ignore_header X-KMail-EncryptionState bayes_ignore_header X-KMail-MDN-Sent bayes_ignore_header X-KMail-SignatureState bayes_ignore_header X-MailCleaner-SpamChec bayes_ignore_header X-MailCleaner-SpamCheck bayes_ignore_header X-MailFoundry bayes_ignore_header X-MDMailLookup-Result bayes_ignore_header X-ME-Bayesian bayes_ignore_header X-ME-Content bayes_ignore_header X-MessageFilter bayes_ignore_header X-Microsoft-Antispam bayes_ignore_header X-Mlf-Version bayes_ignore_header X-MXScan-AntiSpam bayes_ignore_header X-MXScan-AntiVirus bayes_ignore_header X-MXScan-Country-Sequence bayes_ignore_header X-MXScan-License bayes_ignore_header X-MXScan-Msgid bayes_ignore_header X-MXScan-ProcessingTime bayes_ignore_header X-MXScan-Scan bayes_ignore_header X-NAI-Spam-Flag bayes_ignore_header X-NAI-Spam-Rules bayes_ignore_header X-NAI-Spam-Score bayes_ignore_header X-NAI-Spam-Threshold bayes_ignore_header X-NetStation-Status bayes_ignore_header X-OVH-SPAMCAUSE bayes_ignore_header X-OVH-SPAMCAUSE: bayes_ignore_header X-OVH-SPAMSCORE bayes_ignore_header X-OVH-SPAMSTATE bayes_ignore_header X-PerlMx-Spam bayes_ignore_header X-PerlMx-Virus-Scanned bayes_ignore_header X-PFSI-Info bayes_ignore_header X-PMX-Spam bayes_ignore_header X-PMX-Version bayes_ignore_header X-Policy-Service bayes_ignore_header X-policyd-weight bayes_ignore_header X-PreRBLs bayes_ignore_header X-Probable-Spam bayes_ignore_header X-PROLinux-SpamCheck bayes_ignore_header X-Proofpoint-Spam-Reason bayes_ignore_header X-Proofpoint-Virus-Version bayes_ignore_header x-purgate-eavas: clean bayes_ignore_header x-purgate-id bayes_ignore_header x-purgate-size bayes_ignore_header x-purgate-type bayes_ignore_header X-Qmail-Scanner-Diagnostics bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status bayes_ignore_header X-Quarantine-ID bayes_ignore_header X-RSpam-Report bayes_ignore_header X-SA-Do-Not-Run bayes_ignore_header X-SA-Exim-Version bayes_ignore_header X-Scanned-by bayes_ignore_header X-SmarterMail-CustomSpamHeader bayes_ignore_header X-Spam bayes_ignore_header X-Spam-Action bayes_ignore_header X-SPAM-AISP bayes_ignore_header X-Spam-Check-By bayes_ignore_header X-Spam-Checker-Version bayes_ignore_header X-Spam-CMAE-Analysis bayes_ignore_header X-Spam-CMAESCORE bayes_ignore_header X-Spam-CTCH-RefID bayes_ignore_header X-Spam-Flag bayes_ignore_header X-Spam-Level bayes_ignore_header X-Spam-Processed bayes_ignore_header X-Spam-Report bayes_ignore_header X-Spam-Scanned bayes_ignore_header X-Spam-Score bayes_ignore_header X-Spam-Score-Int bayes_ignore_header X-Spam-SmartLearn bayes_ignore_header X-Spam-Status bayes_ignore_header X-Spam-Threshold bayes_ignore_header X-Spam_bar bayes_ignore_header X-Spambayes-Classification bayes_ignore_header X-SpamExperts-Domain bayes_ignore_header X-SpamExperts-Outgoing-Class bayes_ignore_header X-SpamExperts-Outgoing-Evidence bayes_ignore_header X-SpamExperts-Username bayes_ignore_header X-Spamfilter-host bayes_ignore_header X-Spamina-Bogosity bayes_ignore_header X-Spamina-Spam-Report bayes_ignore_header X-Spamina-Spam-Score bayes_ignore_header X-SpamInfo bayes_ignore_header X-Spamsave bayes_ignore_header X-SpamTest-Group-ID bayes_ignore_header X-SpamTest-Info bayes_ignore_header X-SpamTest-Method bayes_ignore_header X-SpamTest-Rate bayes_ignore_header X-SpamTest-SPF bayes_ignore_header X-SpamTest-Status bayes_ignore_header X-SpamTest-Status-Extended bayes_ignore_header X-SPF-Scan-By bayes_ignore_header X-STA-Metric bayes_ignore_header X-STA-NotSpam bayes_ignore_header X-STA-Spam bayes_ignore_header X-StarScan-Version bayes_ignore_header X-SurGATE-Result bayes_ignore_header X-SWITCHham-Score bayes_ignore_header X-UI-Filterresults bayes_ignore_header X-UI-Loop bayes_ignore_header X-UI-Out-Filterresults bayes_ignore_header X-Univie-Spam-Checker-Version bayes_ignore_header X-Univie-Virus-Scan bayes_ignore_header X-Virus bayes_ignore_header X-Virus-Checker-Version bayes_ignore_header X-Virus-Scanned bayes_ignore_header X-Virus-Scanner-Result bayes_ignore_header X-Virus-Scanner-Version bayes_ignore_header X-Virus-Status bayes_ignore_header X-VirusChecked bayes_ignore_header X-VR-SCORE bayes_ignore_header X-VR-SPAMCAUSE bayes_ignore_header X-VR-STATUS bayes_ignore_header X-WatchGuard-Mail-Client-IP bayes_ignore_header X-WatchGuard-Mail-From bayes_ignore_header X-WatchGuard-Mail-Recipients bayes_ignore_header X-WatchGuard-Spam-ID bayes_ignore_header X-WatchGuard-Spam-Score bayes_ignore_header X-Whitelist-Domain bayes_ignore_header X-WUM-CCI bayes_ignore_header X_CMAE_Category##} bayes_ignore_header_sandbox ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/ askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/ askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/ reuse FROM_FMBLA_NEWDOM reuse FROM_FMBLA_NEWDOM14 reuse FROM_FMBLA_NEWDOM28 reuse FROM_FMBLA_NDBLOCKED reuse __PDS_NEWDOMAIN reuse FROM_NUMBERO_NEWDOMAIN reuse FROM_NEWDOM_BTC askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ reuse BITCOIN_SPF_ONLYALL endif endif ##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk reuse __FROM_ADDRLIST_PAYPAL reuse FROM_PAYPAL_SPOOF enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com enlist_addrlist (BANKS) *@citibank.com enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com enlist_addrlist (BANKS) *@mbna.com enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk enlist_addrlist (BANKS) *@santander.com *@santander.co.uk enlist_addrlist (BANKS) *@standardbank.co.za enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com reuse __FROM_ADDRLIST_BANKS reuse FROM_BANK_NOAUTH enlist_addrlist (GOV) *@*.gov enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk reuse __FROM_ADDRLIST_GOV reuse FROM_GOV_SPOOF reuse FROM_GOV_DKIM_AU reuse FROM_GOV_REPLYTO_FREEMAIL enlist_addrlist (SUSP_NTLD) *@*.icu enlist_addrlist (SUSP_NTLD) *@*.online enlist_addrlist (SUSP_NTLD) *@*.work enlist_addrlist (SUSP_NTLD) *@*.date enlist_addrlist (SUSP_NTLD) *@*.top enlist_addrlist (SUSP_NTLD) *@*.fun enlist_addrlist (SUSP_NTLD) *@*.life enlist_addrlist (SUSP_NTLD) *@*.review enlist_addrlist (SUSP_NTLD) *@*.xyz enlist_addrlist (SUSP_NTLD) *@*.bid enlist_addrlist (SUSP_NTLD) *@*.stream enlist_addrlist (SUSP_NTLD) *@*.site enlist_addrlist (SUSP_NTLD) *@*.space enlist_addrlist (SUSP_NTLD) *@*.gdn enlist_addrlist (SUSP_NTLD) *@*.click enlist_addrlist (SUSP_NTLD) *@*.pro enlist_addrlist (SUSP_NTLD) *@*.world enlist_addrlist (SUSP_NTLD) *@*.fit enlist_addrlist (SUSP_NTLD) *@*.ooo enlist_addrlist (SUSP_NTLD) *@*.faith enlist_addrlist (SUSP_NTLD) *@*.buzz enlist_uri_host (SUSP_URI_NTLD) icu enlist_uri_host (SUSP_URI_NTLD) online enlist_uri_host (SUSP_URI_NTLD) work enlist_uri_host (SUSP_URI_NTLD) date enlist_uri_host (SUSP_URI_NTLD) top enlist_uri_host (SUSP_URI_NTLD) fun enlist_uri_host (SUSP_URI_NTLD) life enlist_uri_host (SUSP_URI_NTLD) review enlist_uri_host (SUSP_URI_NTLD) xyz enlist_uri_host (SUSP_URI_NTLD) bid enlist_uri_host (SUSP_URI_NTLD) stream enlist_uri_host (SUSP_URI_NTLD) site enlist_uri_host (SUSP_URI_NTLD) space enlist_uri_host (SUSP_URI_NTLD) gdn enlist_uri_host (SUSP_URI_NTLD) click enlist_uri_host (SUSP_URI_NTLD) pro enlist_uri_host (SUSP_URI_NTLD) world enlist_uri_host (SUSP_URI_NTLD) fit enlist_uri_host (SUSP_URI_NTLD) ooo enlist_uri_host (SUSP_URI_NTLD) faith enlist_uri_host (SUSP_URI_NTLD) buzz reuse __FROM_ADDRLIST_SUSPNTLD reuse __REPLYTO_ADDRLIST_SUSPNTLD reuse FROM_SUSPICIOUS_NTLD reuse GOOGLE_DRIVE_REPLY_BAD_NTLD reuse VPS_NO_NTLD endif endif ##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox ##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL priority T_GB_HASHBL_BTC -100 reuse T_GB_HASHBL_BTC endif endif ##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox ##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab]) replace_rules __E_LIKE_LETTER endif endif ##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/ reuse __DKIMWL_FREEMAIL askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/ reuse __DKIMWL_BULKMAIL askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/ reuse __DKIMWL_WL_HI askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/ reuse __DKIMWL_WL_MEDHI askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/ reuse __DKIMWL_WL_MED askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/ reuse __DKIMWL_WL_BL askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/ reuse __DKIMWL_BLOCKED reuse DKIMWL_WL_HIGH reuse DKIMWL_WL_MEDHI reuse DKIMWL_WL_MED reuse DKIMWL_BL reuse DKIMWL_BLOCKED endif ##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox ifplugin Mail::SpamAssassin::Plugin::DNSEval # { reuse RCVD_IN_PSBL endif ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox ifplugin Mail::SpamAssassin::Plugin::DNSEval reuse RCVD_IN_IADB_LISTED reuse RCVD_IN_IADB_EDDB reuse RCVD_IN_IADB_EPIA reuse RCVD_IN_IADB_SPF reuse RCVD_IN_IADB_SENDERID reuse RCVD_IN_IADB_DK reuse RCVD_IN_IADB_RDNS reuse RCVD_IN_IADB_GOODMAIL reuse RCVD_IN_IADB_NOCONTROL reuse RCVD_IN_IADB_OPTOUTONLY reuse RCVD_IN_IADB_UNVERIFIED_1 reuse RCVD_IN_IADB_UNVERIFIED_2 reuse RCVD_IN_IADB_LOOSE reuse RCVD_IN_IADB_OPTIN_LT50 reuse RCVD_IN_IADB_OPTIN_GT50 reuse RCVD_IN_IADB_OPTIN reuse RCVD_IN_IADB_DOPTIN_LT50 reuse RCVD_IN_IADB_DOPTIN_GT50 reuse RCVD_IN_IADB_DOPTIN reuse RCVD_IN_IADB_ML_DOPTIN reuse RCVD_IN_IADB_OOO reuse RCVD_IN_IADB_MI_CPEAR reuse RCVD_IN_IADB_UT_CPEAR reuse RCVD_IN_IADB_MI_CPR_30 reuse RCVD_IN_IADB_UT_CPR_30 reuse RCVD_IN_IADB_MI_CPR_MAT reuse RCVD_IN_IADB_UT_CPR_MAT endif ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de fns_ignore_headers List-Id fns_check 1 reuse __PLUGIN_FROMNAME_SPOOF reuse __PLUGIN_FROMNAME_EQUALS_TO reuse T_FROMNAME_SPOOFED_EMAIL reuse T_FROMNAME_EQUALS_TO endif ##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules T_FUZZY_SPRM replace_rules FUZZY_MERIDIA replace_rules TVD_FUZZY_PHARMACEUTICAL replace_rules TVD_FUZZY_SYMBOL replace_rules T_TVD_FUZZY_SECURITIES replace_rules TVD_FUZZY_FINANCE replace_rules TVD_FUZZY_FIXED_RATE replace_rules TVD_FUZZY_MICROCAP replace_rules T_TVD_FUZZY_SECTOR replace_rules TVD_FUZZY_DEGREE replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?) replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) replace_rules __FILL_THIS_FORM_LONG1 replace_rules __FILL_THIS_FORM_LONG2 replace_rules __FILL_THIS_FORM_PARTIAL replace_rules __FILL_THIS_FORM_PARTIAL_RAW replace_rules __FILL_THIS_FORM_SHORT1 replace_rules __FILL_THIS_FORM_SHORT2 replace_rules __FILL_THIS_FORM_LOAN1 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 replace_tag CURRENCY [\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]? replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent) replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS replace_rules T_FUZZY_OPTOUT replace_rules __FRT_PRICE replace_rules FUZZY_UNSUBSCRIBE replace_rules FUZZY_ANDROID replace_rules FUZZY_PROMOTION replace_rules FUZZY_PRIVACY replace_rules FUZZY_BROWSER replace_rules FUZZY_SAVINGS replace_rules FUZZY_IMPORTANT replace_rules FUZZY_SECURITY replace_rules __FUZZY_DR_OZ replace_rules FUZZY_CLICK_HERE replace_rules FUZZY_BITCOIN replace_rules FUZZY_WALLET replace_rules __FUZZY_MONERO replace_rules __MY_VICTIM replace_rules __MY_MALWARE replace_rules __PAY_ME replace_rules __YOUR_PASSWORD replace_rules __YOUR_WEBCAM replace_rules __YOUR_ONAN replace_rules __YOUR_PERSONAL replace_rules __HOURS_DEADLINE replace_rules __EXPLOSIVE_DEVICE replace_rules T_LFUZ_PWRMALE replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE reuse T_PDS_BTC_AHACKER reuse T_PDS_BTC_HACKER reuse T_PDS_LTC_AHACKER reuse T_PDS_LTC_HACKER endif ##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox ifplugin Mail::SpamAssassin::Plugin::URIDNSBL reuse URIBL_RHS_DOB endif ##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox ##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com enlist_uri_host (PDS_CASHSHORTENER) caat.site enlist_uri_host (PDS_CASHSHORTENER) triabicia.com enlist_uri_host (PDS_CASHSHORTENER) 2xs.io enlist_uri_host (PDS_CASHSHORTENER) ocest.site enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz enlist_uri_host (PDS_CASHSHORTENER) waar.site enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net enlist_uri_host (PDS_CASHSHORTENER) cowner.net enlist_uri_host (PDS_CASHSHORTENER) adfoc.us enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz enlist_uri_host (PDS_CASHSHORTENER) gurl.pw enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz enlist_uri_host (PDS_CASHSHORTENER) libittarc.com enlist_uri_host (PDS_CASHSHORTENER) pc.cd enlist_uri_host (PDS_CASHSHORTENER) fc.lc enlist_uri_host (PDS_CASHSHORTENER) dares.xyz enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz enlist_uri_host (PDS_CASHSHORTENER) 7r6.com enlist_uri_host (PDS_CASHSHORTENER) mitly.us enlist_uri_host (PDS_CASHSHORTENER) kutpay.com enlist_uri_host (PDS_CASHSHORTENER) gsurl.me enlist_uri_host (PDS_CASHSHORTENER) gurl.ly enlist_uri_host (PDS_CASHSHORTENER) gsurl.in enlist_uri_host (PDS_CASHSHORTENER) acitoate.com enlist_uri_host (PDS_CASHSHORTENER) aclabink.com enlist_uri_host (PDS_CASHSHORTENER) activeation.com enlist_uri_host (PDS_CASHSHORTENER) activeterium.com enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com enlist_uri_host (PDS_CASHSHORTENER) adflymail.com enlist_uri_host (PDS_CASHSHORTENER) adult.xyz enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com enlist_uri_host (PDS_CASHSHORTENER) ay.gy enlist_uri_host (PDS_CASHSHORTENER) battleate.com enlist_uri_host (PDS_CASHSHORTENER) biastonu.com enlist_uri_host (PDS_CASHSHORTENER) bitigee.com enlist_uri_host (PDS_CASHSHORTENER) briskrange.com enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com enlist_uri_host (PDS_CASHSHORTENER) casualient.com enlist_uri_host (PDS_CASHSHORTENER) clesolea.com enlist_uri_host (PDS_CASHSHORTENER) code404.biz enlist_uri_host (PDS_CASHSHORTENER) coginator.com enlist_uri_host (PDS_CASHSHORTENER) cogismith.com enlist_uri_host (PDS_CASHSHORTENER) covelign.com enlist_uri_host (PDS_CASHSHORTENER) crefranek.com enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com enlist_uri_host (PDS_CASHSHORTENER) deciomm.com enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com enlist_uri_host (PDS_CASHSHORTENER) east-jones.com enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com enlist_uri_host (PDS_CASHSHORTENER) endroudo.com enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com enlist_uri_host (PDS_CASHSHORTENER) fainbory.com enlist_uri_host (PDS_CASHSHORTENER) fasttory.com enlist_uri_host (PDS_CASHSHORTENER) fawright.com enlist_uri_host (PDS_CASHSHORTENER) flyserve.co enlist_uri_host (PDS_CASHSHORTENER) greponozy.com enlist_uri_host (PDS_CASHSHORTENER) homoluath.com enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com enlist_uri_host (PDS_CASHSHORTENER) infopade.com enlist_uri_host (PDS_CASHSHORTENER) j.gs enlist_uri_host (PDS_CASHSHORTENER) kaitect.com enlist_uri_host (PDS_CASHSHORTENER) kializer.com enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com enlist_uri_host (PDS_CASHSHORTENER) legeerook.com enlist_uri_host (PDS_CASHSHORTENER) libittarc.com enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com enlist_uri_host (PDS_CASHSHORTENER) locinealy.com enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com enlist_uri_host (PDS_CASHSHORTENER) metastead.com enlist_uri_host (PDS_CASHSHORTENER) mmoity.com enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com enlist_uri_host (PDS_CASHSHORTENER) neswery.com enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com enlist_uri_host (PDS_CASHSHORTENER) optitopt.com enlist_uri_host (PDS_CASHSHORTENER) picocurl.com enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com enlist_uri_host (PDS_CASHSHORTENER) preofery.com enlist_uri_host (PDS_CASHSHORTENER) prereheus.com enlist_uri_host (PDS_CASHSHORTENER) q.gs enlist_uri_host (PDS_CASHSHORTENER) quainator.com enlist_uri_host (PDS_CASHSHORTENER) quamiller.com enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid enlist_uri_host (PDS_CASHSHORTENER) raboninco.com enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com enlist_uri_host (PDS_CASHSHORTENER) scapognel.com enlist_uri_host (PDS_CASHSHORTENER) simizer.com enlist_uri_host (PDS_CASHSHORTENER) skamaker.com enlist_uri_host (PDS_CASHSHORTENER) skamason.com enlist_uri_host (PDS_CASHSHORTENER) sluppend.com enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com enlist_uri_host (PDS_CASHSHORTENER) swarife.com enlist_uri_host (PDS_CASHSHORTENER) swiftation.com enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com enlist_uri_host (PDS_CASHSHORTENER) techigo.com enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid enlist_uri_host (PDS_CASHSHORTENER) tinyical.com enlist_uri_host (PDS_CASHSHORTENER) tonancos.com enlist_uri_host (PDS_CASHSHORTENER) triabicia.com enlist_uri_host (PDS_CASHSHORTENER) turboagram.com enlist_uri_host (PDS_CASHSHORTENER) twineer.com enlist_uri_host (PDS_CASHSHORTENER) twiriock.com enlist_uri_host (PDS_CASHSHORTENER) userlab66.com enlist_uri_host (PDS_CASHSHORTENER) vaugette.com enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com enlist_uri_host (PDS_CASHSHORTENER) velociterium.com enlist_uri_host (PDS_CASHSHORTENER) viahold.com enlist_uri_host (PDS_CASHSHORTENER) vializer.com enlist_uri_host (PDS_CASHSHORTENER) viwright.com enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com enlist_uri_host (PDS_CASHSHORTENER) x19.biz enlist_uri_host (PDS_CASHSHORTENER) x19network.com enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com enlist_uri_host (PDS_CASHSHORTENER) yoineer.com enlist_uri_host (PDS_CASHSHORTENER) yoitect.com enlist_uri_host (PDS_CASHSHORTENER) zipansion.com enlist_uri_host (PDS_CASHSHORTENER) zipteria.com enlist_uri_host (PDS_CASHSHORTENER) zipvale.com enlist_uri_host (PDS_URISHORTENER) owl.li enlist_uri_host (PDS_URISHORTENER) formspring.me enlist_uri_host (PDS_URISHORTENER) cc.uz enlist_uri_host (PDS_URISHORTENER) back.ly enlist_uri_host (PDS_URISHORTENER) 0rz.tw enlist_uri_host (PDS_URISHORTENER) 1l2.us enlist_uri_host (PDS_URISHORTENER) 1link.in enlist_uri_host (PDS_URISHORTENER) 1u.ro enlist_uri_host (PDS_URISHORTENER) 1url.com enlist_uri_host (PDS_URISHORTENER) 2.gp enlist_uri_host (PDS_URISHORTENER) 2.ly enlist_uri_host (PDS_URISHORTENER) 2big.at enlist_uri_host (PDS_URISHORTENER) 2chap.it enlist_uri_host (PDS_URISHORTENER) 2pl.us enlist_uri_host (PDS_URISHORTENER) 2su.de enlist_uri_host (PDS_URISHORTENER) 2tu.us enlist_uri_host (PDS_URISHORTENER) 2ze.us enlist_uri_host (PDS_URISHORTENER) 3.ly enlist_uri_host (PDS_URISHORTENER) 301.to enlist_uri_host (PDS_URISHORTENER) 301url.com enlist_uri_host (PDS_URISHORTENER) 307.to enlist_uri_host (PDS_URISHORTENER) 4ms.me enlist_uri_host (PDS_URISHORTENER) 4sq.com enlist_uri_host (PDS_URISHORTENER) 4url.cc enlist_uri_host (PDS_URISHORTENER) 6url.com enlist_uri_host (PDS_URISHORTENER) 7.ly enlist_uri_host (PDS_URISHORTENER) 9mp.com enlist_uri_host (PDS_URISHORTENER) a.gd enlist_uri_host (PDS_URISHORTENER) a.gg enlist_uri_host (PDS_URISHORTENER) a.nf enlist_uri_host (PDS_URISHORTENER) a2a.me enlist_uri_host (PDS_URISHORTENER) a2n.eu enlist_uri_host (PDS_URISHORTENER) aa.cx enlist_uri_host (PDS_URISHORTENER) abbr.com enlist_uri_host (PDS_URISHORTENER) abcurl.net enlist_uri_host (PDS_URISHORTENER) abe5.com enlist_uri_host (PDS_URISHORTENER) access.im enlist_uri_host (PDS_URISHORTENER) ad.vu enlist_uri_host (PDS_URISHORTENER) adf.ly enlist_uri_host (PDS_URISHORTENER) adjix.com enlist_uri_host (PDS_URISHORTENER) afx.cc enlist_uri_host (PDS_URISHORTENER) all.fuseurl.com enlist_uri_host (PDS_URISHORTENER) alturl.com enlist_uri_host (PDS_URISHORTENER) amzn.com enlist_uri_host (PDS_URISHORTENER) amzn.to enlist_uri_host (PDS_URISHORTENER) ar.gy enlist_uri_host (PDS_URISHORTENER) arm.in enlist_uri_host (PDS_URISHORTENER) arst.ch enlist_uri_host (PDS_URISHORTENER) asso.in enlist_uri_host (PDS_URISHORTENER) atu.ca enlist_uri_host (PDS_URISHORTENER) aurls.info enlist_uri_host (PDS_URISHORTENER) awe.sm enlist_uri_host (PDS_URISHORTENER) ayl.lv enlist_uri_host (PDS_URISHORTENER) azc.cc enlist_uri_host (PDS_URISHORTENER) azqq.com enlist_uri_host (PDS_URISHORTENER) b23.ru enlist_uri_host (PDS_URISHORTENER) b2l.me enlist_uri_host (PDS_URISHORTENER) b65.com enlist_uri_host (PDS_URISHORTENER) b65.us enlist_uri_host (PDS_URISHORTENER) bacn.me enlist_uri_host (PDS_URISHORTENER) bcool.bz enlist_uri_host (PDS_URISHORTENER) beam.to enlist_uri_host (PDS_URISHORTENER) bgl.me enlist_uri_host (PDS_URISHORTENER) binged.it enlist_uri_host (PDS_URISHORTENER) bit.do enlist_uri_host (PDS_URISHORTENER) bit.ly enlist_uri_host (PDS_URISHORTENER) bitly.com enlist_uri_host (PDS_URISHORTENER) bizj.us enlist_uri_host (PDS_URISHORTENER) bkite.com enlist_uri_host (PDS_URISHORTENER) blippr.com enlist_uri_host (PDS_URISHORTENER) bloat.me enlist_uri_host (PDS_URISHORTENER) blu.cc enlist_uri_host (PDS_URISHORTENER) bon.no enlist_uri_host (PDS_URISHORTENER) bravo.ly enlist_uri_host (PDS_URISHORTENER) bsa.ly enlist_uri_host (PDS_URISHORTENER) bt.io enlist_uri_host (PDS_URISHORTENER) budurl.com enlist_uri_host (PDS_URISHORTENER) buff.ly enlist_uri_host (PDS_URISHORTENER) buk.me enlist_uri_host (PDS_URISHORTENER) burnurl.com enlist_uri_host (PDS_URISHORTENER) c-o.in enlist_uri_host (PDS_URISHORTENER) c.shamekh.ws enlist_uri_host (PDS_URISHORTENER) canurl.com enlist_uri_host (PDS_URISHORTENER) cd4.me enlist_uri_host (PDS_URISHORTENER) chilp.it enlist_uri_host (PDS_URISHORTENER) chopd.it enlist_uri_host (PDS_URISHORTENER) chpt.me enlist_uri_host (PDS_URISHORTENER) chs.mx enlist_uri_host (PDS_URISHORTENER) chzb.gr enlist_uri_host (PDS_URISHORTENER) cl.lk enlist_uri_host (PDS_URISHORTENER) cl.ly enlist_uri_host (PDS_URISHORTENER) clck.ru enlist_uri_host (PDS_URISHORTENER) cli.gs enlist_uri_host (PDS_URISHORTENER) cliccami.info enlist_uri_host (PDS_URISHORTENER) clickthru.ca enlist_uri_host (PDS_URISHORTENER) clipurl.us enlist_uri_host (PDS_URISHORTENER) clk.my enlist_uri_host (PDS_URISHORTENER) cloaky.de enlist_uri_host (PDS_URISHORTENER) clop.in enlist_uri_host (PDS_URISHORTENER) clp.ly enlist_uri_host (PDS_URISHORTENER) coge.la enlist_uri_host (PDS_URISHORTENER) cokeurl.com enlist_uri_host (PDS_URISHORTENER) conta.cc enlist_uri_host (PDS_URISHORTENER) cort.as enlist_uri_host (PDS_URISHORTENER) cot.ag enlist_uri_host (PDS_URISHORTENER) crks.me enlist_uri_host (PDS_URISHORTENER) crum.pl enlist_uri_host (PDS_URISHORTENER) ctvr.us enlist_uri_host (PDS_URISHORTENER) curio.us enlist_uri_host (PDS_URISHORTENER) cuthut.com enlist_uri_host (PDS_URISHORTENER) cutt.us enlist_uri_host (PDS_URISHORTENER) cuturl.com enlist_uri_host (PDS_URISHORTENER) cuturls.com enlist_uri_host (PDS_URISHORTENER) dai.ly enlist_uri_host (PDS_URISHORTENER) db.tt enlist_uri_host (PDS_URISHORTENER) dealspl.us enlist_uri_host (PDS_URISHORTENER) decenturl.com enlist_uri_host (PDS_URISHORTENER) df9.net enlist_uri_host (PDS_URISHORTENER) dfl8.me enlist_uri_host (PDS_URISHORTENER) digbig.com enlist_uri_host (PDS_URISHORTENER) digg.com enlist_uri_host (PDS_URISHORTENER) digipills.com enlist_uri_host (PDS_URISHORTENER) digs.by enlist_uri_host (PDS_URISHORTENER) disq.us enlist_uri_host (PDS_URISHORTENER) dld.bz enlist_uri_host (PDS_URISHORTENER) dlvr.it enlist_uri_host (PDS_URISHORTENER) dn.vc enlist_uri_host (PDS_URISHORTENER) do.my enlist_uri_host (PDS_URISHORTENER) doi.org enlist_uri_host (PDS_URISHORTENER) doiop.com enlist_uri_host (PDS_URISHORTENER) dopen.us enlist_uri_host (PDS_URISHORTENER) dr.tl enlist_uri_host (PDS_URISHORTENER) drudge.tw enlist_uri_host (PDS_URISHORTENER) durl.me enlist_uri_host (PDS_URISHORTENER) durl.us enlist_uri_host (PDS_URISHORTENER) dvlr.it enlist_uri_host (PDS_URISHORTENER) dwarfurl.com enlist_uri_host (PDS_URISHORTENER) easyuri.com enlist_uri_host (PDS_URISHORTENER) easyurl.net enlist_uri_host (PDS_URISHORTENER) eca.sh enlist_uri_host (PDS_URISHORTENER) eclurl.com enlist_uri_host (PDS_URISHORTENER) eepurl.com enlist_uri_host (PDS_URISHORTENER) eezurl.com enlist_uri_host (PDS_URISHORTENER) eweri.com enlist_uri_host (PDS_URISHORTENER) ewerl.com enlist_uri_host (PDS_URISHORTENER) ezurl.eu enlist_uri_host (PDS_URISHORTENER) fa.by enlist_uri_host (PDS_URISHORTENER) faceto.us enlist_uri_host (PDS_URISHORTENER) fav.me enlist_uri_host (PDS_URISHORTENER) fb.me enlist_uri_host (PDS_URISHORTENER) fbshare.me enlist_uri_host (PDS_URISHORTENER) ff.im enlist_uri_host (PDS_URISHORTENER) fff.to enlist_uri_host (PDS_URISHORTENER) fhurl.com enlist_uri_host (PDS_URISHORTENER) fire.to enlist_uri_host (PDS_URISHORTENER) firsturl.de enlist_uri_host (PDS_URISHORTENER) firsturl.net enlist_uri_host (PDS_URISHORTENER) flic.kr enlist_uri_host (PDS_URISHORTENER) flingk.com enlist_uri_host (PDS_URISHORTENER) flq.us enlist_uri_host (PDS_URISHORTENER) fly2.ws enlist_uri_host (PDS_URISHORTENER) fon.gs enlist_uri_host (PDS_URISHORTENER) foxyurl.com enlist_uri_host (PDS_URISHORTENER) freak.to enlist_uri_host (PDS_URISHORTENER) fur.ly enlist_uri_host (PDS_URISHORTENER) fuseurl.com enlist_uri_host (PDS_URISHORTENER) fuzzy.to enlist_uri_host (PDS_URISHORTENER) fwd4.me enlist_uri_host (PDS_URISHORTENER) fwdurl.net enlist_uri_host (PDS_URISHORTENER) fwib.net enlist_uri_host (PDS_URISHORTENER) g.ro.lt enlist_uri_host (PDS_URISHORTENER) g8l.us enlist_uri_host (PDS_URISHORTENER) get-shorty.com enlist_uri_host (PDS_URISHORTENER) get-url.com enlist_uri_host (PDS_URISHORTENER) get.sh enlist_uri_host (PDS_URISHORTENER) geturl.us enlist_uri_host (PDS_URISHORTENER) gg.gg enlist_uri_host (PDS_URISHORTENER) gi.vc enlist_uri_host (PDS_URISHORTENER) gizmo.do enlist_uri_host (PDS_URISHORTENER) gkurl.us enlist_uri_host (PDS_URISHORTENER) gl.am enlist_uri_host (PDS_URISHORTENER) go.9nl.com enlist_uri_host (PDS_URISHORTENER) go.ign.com enlist_uri_host (PDS_URISHORTENER) go.to enlist_uri_host (PDS_URISHORTENER) go.usa.gov enlist_uri_host (PDS_URISHORTENER) go2.me enlist_uri_host (PDS_URISHORTENER) gog.li enlist_uri_host (PDS_URISHORTENER) golmao.com enlist_uri_host (PDS_URISHORTENER) goo.gl enlist_uri_host (PDS_URISHORTENER) good.ly enlist_uri_host (PDS_URISHORTENER) goshrink.com enlist_uri_host (PDS_URISHORTENER) gplus.to enlist_uri_host (PDS_URISHORTENER) gri.ms enlist_uri_host (PDS_URISHORTENER) gurl.es enlist_uri_host (PDS_URISHORTENER) hao.jp enlist_uri_host (PDS_URISHORTENER) hellotxt.com enlist_uri_host (PDS_URISHORTENER) hex.io enlist_uri_host (PDS_URISHORTENER) hiderefer.com enlist_uri_host (PDS_URISHORTENER) hmm.ph enlist_uri_host (PDS_URISHORTENER) hop.im enlist_uri_host (PDS_URISHORTENER) hopclicks.com enlist_uri_host (PDS_URISHORTENER) hotredirect.com enlist_uri_host (PDS_URISHORTENER) hotshorturl.com enlist_uri_host (PDS_URISHORTENER) href.in enlist_uri_host (PDS_URISHORTENER) hsblinks.com enlist_uri_host (PDS_URISHORTENER) ht.ly enlist_uri_host (PDS_URISHORTENER) htxt.it enlist_uri_host (PDS_URISHORTENER) hub.am enlist_uri_host (PDS_URISHORTENER) huff.to enlist_uri_host (PDS_URISHORTENER) hugeurl.com enlist_uri_host (PDS_URISHORTENER) hulu.com enlist_uri_host (PDS_URISHORTENER) hurl.it enlist_uri_host (PDS_URISHORTENER) hurl.me enlist_uri_host (PDS_URISHORTENER) hurl.no enlist_uri_host (PDS_URISHORTENER) hurl.ws enlist_uri_host (PDS_URISHORTENER) icanhaz.com enlist_uri_host (PDS_URISHORTENER) icio.us enlist_uri_host (PDS_URISHORTENER) idek.net enlist_uri_host (PDS_URISHORTENER) ikr.me enlist_uri_host (PDS_URISHORTENER) ilix.in enlist_uri_host (PDS_URISHORTENER) inx.lv enlist_uri_host (PDS_URISHORTENER) ir.pe enlist_uri_host (PDS_URISHORTENER) irt.me enlist_uri_host (PDS_URISHORTENER) is.gd enlist_uri_host (PDS_URISHORTENER) iscool.net enlist_uri_host (PDS_URISHORTENER) it2.in enlist_uri_host (PDS_URISHORTENER) ito.mx enlist_uri_host (PDS_URISHORTENER) its.my enlist_uri_host (PDS_URISHORTENER) itsy.it enlist_uri_host (PDS_URISHORTENER) ix.lt enlist_uri_host (PDS_URISHORTENER) j.mp enlist_uri_host (PDS_URISHORTENER) j2j.de enlist_uri_host (PDS_URISHORTENER) jdem.cz enlist_uri_host (PDS_URISHORTENER) jijr.com enlist_uri_host (PDS_URISHORTENER) just.as enlist_uri_host (PDS_URISHORTENER) k.vu enlist_uri_host (PDS_URISHORTENER) k6.kz enlist_uri_host (PDS_URISHORTENER) ketkp.in enlist_uri_host (PDS_URISHORTENER) kisa.ch enlist_uri_host (PDS_URISHORTENER) kissa.be enlist_uri_host (PDS_URISHORTENER) kl.am enlist_uri_host (PDS_URISHORTENER) klck.me enlist_uri_host (PDS_URISHORTENER) kore.us enlist_uri_host (PDS_URISHORTENER) korta.nu enlist_uri_host (PDS_URISHORTENER) kots.nu enlist_uri_host (PDS_URISHORTENER) krunchd.com enlist_uri_host (PDS_URISHORTENER) krz.ch enlist_uri_host (PDS_URISHORTENER) ktzr.us enlist_uri_host (PDS_URISHORTENER) kxk.me enlist_uri_host (PDS_URISHORTENER) l.hh.de enlist_uri_host (PDS_URISHORTENER) l.pr enlist_uri_host (PDS_URISHORTENER) l9k.net enlist_uri_host (PDS_URISHORTENER) lat.ms enlist_uri_host (PDS_URISHORTENER) liip.to enlist_uri_host (PDS_URISHORTENER) liltext.com enlist_uri_host (PDS_URISHORTENER) lin.cr enlist_uri_host (PDS_URISHORTENER) lin.io enlist_uri_host (PDS_URISHORTENER) linkbee.com enlist_uri_host (PDS_URISHORTENER) linkbun.ch enlist_uri_host (PDS_URISHORTENER) linkee.com enlist_uri_host (PDS_URISHORTENER) linkgap.com enlist_uri_host (PDS_URISHORTENER) linkslice.com enlist_uri_host (PDS_URISHORTENER) linxfix.de enlist_uri_host (PDS_URISHORTENER) liteurl.net enlist_uri_host (PDS_URISHORTENER) liurl.cn enlist_uri_host (PDS_URISHORTENER) livesi.de enlist_uri_host (PDS_URISHORTENER) lix.in enlist_uri_host (PDS_URISHORTENER) lk.ht enlist_uri_host (PDS_URISHORTENER) ln-s.net enlist_uri_host (PDS_URISHORTENER) ln-s.ru enlist_uri_host (PDS_URISHORTENER) lnk.by enlist_uri_host (PDS_URISHORTENER) lnk.gd enlist_uri_host (PDS_URISHORTENER) lnk.in enlist_uri_host (PDS_URISHORTENER) lnk.ly enlist_uri_host (PDS_URISHORTENER) lnk.ms enlist_uri_host (PDS_URISHORTENER) lnk.sk enlist_uri_host (PDS_URISHORTENER) lnkd.in enlist_uri_host (PDS_URISHORTENER) lnkurl.com enlist_uri_host (PDS_URISHORTENER) loopt.us enlist_uri_host (PDS_URISHORTENER) lost.in enlist_uri_host (PDS_URISHORTENER) lru.jp enlist_uri_host (PDS_URISHORTENER) lt.tl enlist_uri_host (PDS_URISHORTENER) lu.to enlist_uri_host (PDS_URISHORTENER) lurl.no enlist_uri_host (PDS_URISHORTENER) macte.ch enlist_uri_host (PDS_URISHORTENER) mash.to enlist_uri_host (PDS_URISHORTENER) mavrev.com enlist_uri_host (PDS_URISHORTENER) mcaf.ee enlist_uri_host (PDS_URISHORTENER) memurl.com enlist_uri_host (PDS_URISHORTENER) merky.de enlist_uri_host (PDS_URISHORTENER) metamark.net enlist_uri_host (PDS_URISHORTENER) migre.me enlist_uri_host (PDS_URISHORTENER) min2.me enlist_uri_host (PDS_URISHORTENER) minilien.com enlist_uri_host (PDS_URISHORTENER) minilink.org enlist_uri_host (PDS_URISHORTENER) miniurl.com enlist_uri_host (PDS_URISHORTENER) minurl.fr enlist_uri_host (PDS_URISHORTENER) mke.me enlist_uri_host (PDS_URISHORTENER) moby.to enlist_uri_host (PDS_URISHORTENER) moourl.com enlist_uri_host (PDS_URISHORTENER) mrte.ch enlist_uri_host (PDS_URISHORTENER) msg.sg enlist_uri_host (PDS_URISHORTENER) murl.kz enlist_uri_host (PDS_URISHORTENER) mv2.me enlist_uri_host (PDS_URISHORTENER) myloc.me enlist_uri_host (PDS_URISHORTENER) mysp.in enlist_uri_host (PDS_URISHORTENER) myurl.in enlist_uri_host (PDS_URISHORTENER) myurl.si enlist_uri_host (PDS_URISHORTENER) n.pr enlist_uri_host (PDS_URISHORTENER) nanoref.com enlist_uri_host (PDS_URISHORTENER) nanourl.se enlist_uri_host (PDS_URISHORTENER) nbc.co enlist_uri_host (PDS_URISHORTENER) nblo.gs enlist_uri_host (PDS_URISHORTENER) nbx.ch enlist_uri_host (PDS_URISHORTENER) ncane.com enlist_uri_host (PDS_URISHORTENER) ndurl.com enlist_uri_host (PDS_URISHORTENER) ne1.net enlist_uri_host (PDS_URISHORTENER) netnet.me enlist_uri_host (PDS_URISHORTENER) netshortcut.com enlist_uri_host (PDS_URISHORTENER) ni.to enlist_uri_host (PDS_URISHORTENER) nig.gr enlist_uri_host (PDS_URISHORTENER) nm.ly enlist_uri_host (PDS_URISHORTENER) nn.nf enlist_uri_host (PDS_URISHORTENER) not.my enlist_uri_host (PDS_URISHORTENER) notlong.com enlist_uri_host (PDS_URISHORTENER) nsfw.in enlist_uri_host (PDS_URISHORTENER) nutshellurl.com enlist_uri_host (PDS_URISHORTENER) nxy.in enlist_uri_host (PDS_URISHORTENER) nyti.ms enlist_uri_host (PDS_URISHORTENER) o-x.fr enlist_uri_host (PDS_URISHORTENER) o.ly enlist_uri_host (PDS_URISHORTENER) oboeyasui.com enlist_uri_host (PDS_URISHORTENER) oc1.us enlist_uri_host (PDS_URISHORTENER) offur.com enlist_uri_host (PDS_URISHORTENER) ofl.me enlist_uri_host (PDS_URISHORTENER) om.ly enlist_uri_host (PDS_URISHORTENER) omf.gd enlist_uri_host (PDS_URISHORTENER) omoikane.net enlist_uri_host (PDS_URISHORTENER) on.cnn.com enlist_uri_host (PDS_URISHORTENER) on.mktw.net enlist_uri_host (PDS_URISHORTENER) onecent.us enlist_uri_host (PDS_URISHORTENER) onforb.es enlist_uri_host (PDS_URISHORTENER) onion.com enlist_uri_host (PDS_URISHORTENER) onsaas.info enlist_uri_host (PDS_URISHORTENER) ooqx.com enlist_uri_host (PDS_URISHORTENER) oreil.ly enlist_uri_host (PDS_URISHORTENER) orz.se enlist_uri_host (PDS_URISHORTENER) ow.ly enlist_uri_host (PDS_URISHORTENER) oxyz.info enlist_uri_host (PDS_URISHORTENER) p.ly enlist_uri_host (PDS_URISHORTENER) p8g.tw enlist_uri_host (PDS_URISHORTENER) parv.us enlist_uri_host (PDS_URISHORTENER) paulding.net enlist_uri_host (PDS_URISHORTENER) pduda.mobi enlist_uri_host (PDS_URISHORTENER) peaurl.com enlist_uri_host (PDS_URISHORTENER) pendek.in enlist_uri_host (PDS_URISHORTENER) pep.si enlist_uri_host (PDS_URISHORTENER) pic.gd enlist_uri_host (PDS_URISHORTENER) piko.me enlist_uri_host (PDS_URISHORTENER) ping.fm enlist_uri_host (PDS_URISHORTENER) piurl.com enlist_uri_host (PDS_URISHORTENER) pli.gs enlist_uri_host (PDS_URISHORTENER) plumurl.com enlist_uri_host (PDS_URISHORTENER) plurl.me enlist_uri_host (PDS_URISHORTENER) pnt.me enlist_uri_host (PDS_URISHORTENER) politi.co enlist_uri_host (PDS_URISHORTENER) poll.fm enlist_uri_host (PDS_URISHORTENER) pop.ly enlist_uri_host (PDS_URISHORTENER) poprl.com enlist_uri_host (PDS_URISHORTENER) post.ly enlist_uri_host (PDS_URISHORTENER) posted.at enlist_uri_host (PDS_URISHORTENER) pp.gg enlist_uri_host (PDS_URISHORTENER) profile.to enlist_uri_host (PDS_URISHORTENER) pt2.me enlist_uri_host (PDS_URISHORTENER) ptiturl.com enlist_uri_host (PDS_URISHORTENER) pub.vitrue.com enlist_uri_host (PDS_URISHORTENER) puke.it enlist_uri_host (PDS_URISHORTENER) pysper.com enlist_uri_host (PDS_URISHORTENER) qik.li enlist_uri_host (PDS_URISHORTENER) qlnk.net enlist_uri_host (PDS_URISHORTENER) qoiob.com enlist_uri_host (PDS_URISHORTENER) qr.cx enlist_uri_host (PDS_URISHORTENER) qte.me enlist_uri_host (PDS_URISHORTENER) qu.tc enlist_uri_host (PDS_URISHORTENER) quickurl.co.uk enlist_uri_host (PDS_URISHORTENER) qurl.com enlist_uri_host (PDS_URISHORTENER) qurlyq.com enlist_uri_host (PDS_URISHORTENER) quu.nu enlist_uri_host (PDS_URISHORTENER) qux.in enlist_uri_host (PDS_URISHORTENER) qy.fi enlist_uri_host (PDS_URISHORTENER) r.im enlist_uri_host (PDS_URISHORTENER) rb6.me enlist_uri_host (PDS_URISHORTENER) rde.me enlist_uri_host (PDS_URISHORTENER) read.bi enlist_uri_host (PDS_URISHORTENER) readthis.ca enlist_uri_host (PDS_URISHORTENER) reallytinyurl.com enlist_uri_host (PDS_URISHORTENER) redir.ec enlist_uri_host (PDS_URISHORTENER) redirects.ca enlist_uri_host (PDS_URISHORTENER) redirx.com enlist_uri_host (PDS_URISHORTENER) relyt.us enlist_uri_host (PDS_URISHORTENER) retwt.me enlist_uri_host (PDS_URISHORTENER) ri.ms enlist_uri_host (PDS_URISHORTENER) rickroll.it enlist_uri_host (PDS_URISHORTENER) rivva.de enlist_uri_host (PDS_URISHORTENER) riz.gd enlist_uri_host (PDS_URISHORTENER) rly.cc enlist_uri_host (PDS_URISHORTENER) rnk.me enlist_uri_host (PDS_URISHORTENER) rsmonkey.com enlist_uri_host (PDS_URISHORTENER) rt.nu enlist_uri_host (PDS_URISHORTENER) ru.ly enlist_uri_host (PDS_URISHORTENER) rubyurl.com enlist_uri_host (PDS_URISHORTENER) rurl.org enlist_uri_host (PDS_URISHORTENER) rww.tw enlist_uri_host (PDS_URISHORTENER) s.gnoss.us enlist_uri_host (PDS_URISHORTENER) s3nt.com enlist_uri_host (PDS_URISHORTENER) s4c.in enlist_uri_host (PDS_URISHORTENER) s7y.us enlist_uri_host (PDS_URISHORTENER) safe.mn enlist_uri_host (PDS_URISHORTENER) safelinks.ru enlist_uri_host (PDS_URISHORTENER) sai.ly enlist_uri_host (PDS_URISHORTENER) sameurl.com enlist_uri_host (PDS_URISHORTENER) sdut.us enlist_uri_host (PDS_URISHORTENER) sed.cx enlist_uri_host (PDS_URISHORTENER) sfu.ca enlist_uri_host (PDS_URISHORTENER) shadyurl.com enlist_uri_host (PDS_URISHORTENER) shar.es enlist_uri_host (PDS_URISHORTENER) shim.net enlist_uri_host (PDS_URISHORTENER) shink.de enlist_uri_host (PDS_URISHORTENER) shorl.com enlist_uri_host (PDS_URISHORTENER) short.ie enlist_uri_host (PDS_URISHORTENER) short.to enlist_uri_host (PDS_URISHORTENER) shorten.ws enlist_uri_host (PDS_URISHORTENER) shortenurl.com enlist_uri_host (PDS_URISHORTENER) shorterlink.com enlist_uri_host (PDS_URISHORTENER) shortio.com enlist_uri_host (PDS_URISHORTENER) shortlinks.co.uk enlist_uri_host (PDS_URISHORTENER) shortly.nl enlist_uri_host (PDS_URISHORTENER) shortn.me enlist_uri_host (PDS_URISHORTENER) shortna.me enlist_uri_host (PDS_URISHORTENER) shortr.me enlist_uri_host (PDS_URISHORTENER) shorturl.com enlist_uri_host (PDS_URISHORTENER) shortz.me enlist_uri_host (PDS_URISHORTENER) shoturl.us enlist_uri_host (PDS_URISHORTENER) shout.to enlist_uri_host (PDS_URISHORTENER) show.my enlist_uri_host (PDS_URISHORTENER) shredu enlist_uri_host (PDS_URISHORTENER) shredurl.com enlist_uri_host (PDS_URISHORTENER) shrinkify.com enlist_uri_host (PDS_URISHORTENER) shrinkr.com enlist_uri_host (PDS_URISHORTENER) shrinkster.com enlist_uri_host (PDS_URISHORTENER) shrinkurl.us enlist_uri_host (PDS_URISHORTENER) shrt.fr enlist_uri_host (PDS_URISHORTENER) shrt.st enlist_uri_host (PDS_URISHORTENER) shrt.ws enlist_uri_host (PDS_URISHORTENER) shrten.com enlist_uri_host (PDS_URISHORTENER) shrtl.com enlist_uri_host (PDS_URISHORTENER) shrtn.com enlist_uri_host (PDS_URISHORTENER) shrtnd.com enlist_uri_host (PDS_URISHORTENER) shrunkin.com enlist_uri_host (PDS_URISHORTENER) shurl.net enlist_uri_host (PDS_URISHORTENER) shw.me enlist_uri_host (PDS_URISHORTENER) simurl.com enlist_uri_host (PDS_URISHORTENER) simurl.net enlist_uri_host (PDS_URISHORTENER) simurl.org enlist_uri_host (PDS_URISHORTENER) simurl.us enlist_uri_host (PDS_URISHORTENER) sitelutions.com enlist_uri_host (PDS_URISHORTENER) siteo.us enlist_uri_host (PDS_URISHORTENER) sl.ly enlist_uri_host (PDS_URISHORTENER) slate.me enlist_uri_host (PDS_URISHORTENER) slidesha.re enlist_uri_host (PDS_URISHORTENER) slki.ru enlist_uri_host (PDS_URISHORTENER) smallr.com enlist_uri_host (PDS_URISHORTENER) smallr.net enlist_uri_host (PDS_URISHORTENER) smarturl.it enlist_uri_host (PDS_URISHORTENER) smfu.in enlist_uri_host (PDS_URISHORTENER) smsh.me enlist_uri_host (PDS_URISHORTENER) smurl.com enlist_uri_host (PDS_URISHORTENER) smurl.name enlist_uri_host (PDS_URISHORTENER) sn.im enlist_uri_host (PDS_URISHORTENER) sn.vc enlist_uri_host (PDS_URISHORTENER) snadr.it enlist_uri_host (PDS_URISHORTENER) snipie.com enlist_uri_host (PDS_URISHORTENER) snipr.com enlist_uri_host (PDS_URISHORTENER) snipurl.com enlist_uri_host (PDS_URISHORTENER) snkr.me enlist_uri_host (PDS_URISHORTENER) snurl.com enlist_uri_host (PDS_URISHORTENER) soo.gd enlist_uri_host (PDS_URISHORTENER) song.ly enlist_uri_host (PDS_URISHORTENER) sp2.ro enlist_uri_host (PDS_URISHORTENER) spedr.com enlist_uri_host (PDS_URISHORTENER) sqze.it enlist_uri_host (PDS_URISHORTENER) srnk.net enlist_uri_host (PDS_URISHORTENER) srs.li enlist_uri_host (PDS_URISHORTENER) starturl.com enlist_uri_host (PDS_URISHORTENER) stickurl.com enlist_uri_host (PDS_URISHORTENER) stpmvt.com enlist_uri_host (PDS_URISHORTENER) sturly.com enlist_uri_host (PDS_URISHORTENER) su.pr enlist_uri_host (PDS_URISHORTENER) surl.co.uk enlist_uri_host (PDS_URISHORTENER) surl.hu enlist_uri_host (PDS_URISHORTENER) surl.it enlist_uri_host (PDS_URISHORTENER) t.cn enlist_uri_host (PDS_URISHORTENER) t.co enlist_uri_host (PDS_URISHORTENER) t.lh.com enlist_uri_host (PDS_URISHORTENER) ta.gd enlist_uri_host (PDS_URISHORTENER) takemyfile.com enlist_uri_host (PDS_URISHORTENER) tbd.ly enlist_uri_host (PDS_URISHORTENER) tcrn.ch enlist_uri_host (PDS_URISHORTENER) tgr.me enlist_uri_host (PDS_URISHORTENER) tgr.ph enlist_uri_host (PDS_URISHORTENER) th8.us enlist_uri_host (PDS_URISHORTENER) thecow.me enlist_uri_host (PDS_URISHORTENER) thrdl.es enlist_uri_host (PDS_URISHORTENER) tighturl.com enlist_uri_host (PDS_URISHORTENER) timesurl.at enlist_uri_host (PDS_URISHORTENER) tini.us enlist_uri_host (PDS_URISHORTENER) tiniuri.com enlist_uri_host (PDS_URISHORTENER) tiny.cc enlist_uri_host (PDS_URISHORTENER) tiny.ly enlist_uri_host (PDS_URISHORTENER) tiny.pl enlist_uri_host (PDS_URISHORTENER) tinyarro.ws enlist_uri_host (PDS_URISHORTENER) tinylink.com enlist_uri_host (PDS_URISHORTENER) tinylink.in enlist_uri_host (PDS_URISHORTENER) tinypl.us enlist_uri_host (PDS_URISHORTENER) tinysong.com enlist_uri_host (PDS_URISHORTENER) tinytw.it enlist_uri_host (PDS_URISHORTENER) tinyuri.ca enlist_uri_host (PDS_URISHORTENER) tinyurl.com enlist_uri_host (PDS_URISHORTENER) tk. enlist_uri_host (PDS_URISHORTENER) tl.gd enlist_uri_host (PDS_URISHORTENER) tllg.net enlist_uri_host (PDS_URISHORTENER) tmi.me enlist_uri_host (PDS_URISHORTENER) tncr.ws enlist_uri_host (PDS_URISHORTENER) tnij.org enlist_uri_host (PDS_URISHORTENER) tnw.to enlist_uri_host (PDS_URISHORTENER) tny.com enlist_uri_host (PDS_URISHORTENER) to. enlist_uri_host (PDS_URISHORTENER) to.je enlist_uri_host (PDS_URISHORTENER) to.ly enlist_uri_host (PDS_URISHORTENER) to.vg enlist_uri_host (PDS_URISHORTENER) togoto.us enlist_uri_host (PDS_URISHORTENER) totc.us enlist_uri_host (PDS_URISHORTENER) toysr.us enlist_uri_host (PDS_URISHORTENER) tpm.ly enlist_uri_host (PDS_URISHORTENER) tr.im enlist_uri_host (PDS_URISHORTENER) tr.my enlist_uri_host (PDS_URISHORTENER) tra.kz enlist_uri_host (PDS_URISHORTENER) traceurl.com enlist_uri_host (PDS_URISHORTENER) trackurl.it enlist_uri_host (PDS_URISHORTENER) trcb.me enlist_uri_host (PDS_URISHORTENER) trg.li enlist_uri_host (PDS_URISHORTENER) trib.al enlist_uri_host (PDS_URISHORTENER) trick.ly enlist_uri_host (PDS_URISHORTENER) trii.us enlist_uri_host (PDS_URISHORTENER) trim.li enlist_uri_host (PDS_URISHORTENER) trumpink.lt enlist_uri_host (PDS_URISHORTENER) trunc.it enlist_uri_host (PDS_URISHORTENER) truncurl.com enlist_uri_host (PDS_URISHORTENER) tsort.us enlist_uri_host (PDS_URISHORTENER) tubeurl.com enlist_uri_host (PDS_URISHORTENER) turo.us enlist_uri_host (PDS_URISHORTENER) tw0.us enlist_uri_host (PDS_URISHORTENER) tw1.us enlist_uri_host (PDS_URISHORTENER) tw2.us enlist_uri_host (PDS_URISHORTENER) tw5.us enlist_uri_host (PDS_URISHORTENER) tw6.us enlist_uri_host (PDS_URISHORTENER) tw8.us enlist_uri_host (PDS_URISHORTENER) tw9.us enlist_uri_host (PDS_URISHORTENER) twa.lk enlist_uri_host (PDS_URISHORTENER) tweet.me enlist_uri_host (PDS_URISHORTENER) tweetburner.com enlist_uri_host (PDS_URISHORTENER) tweetl.com enlist_uri_host (PDS_URISHORTENER) twhub.com enlist_uri_host (PDS_URISHORTENER) twi.gy enlist_uri_host (PDS_URISHORTENER) twip.us enlist_uri_host (PDS_URISHORTENER) twirl.at enlist_uri_host (PDS_URISHORTENER) twit.ac enlist_uri_host (PDS_URISHORTENER) twitclicks.com enlist_uri_host (PDS_URISHORTENER) twitterurl.net enlist_uri_host (PDS_URISHORTENER) twitterurl.org enlist_uri_host (PDS_URISHORTENER) twitthis.com enlist_uri_host (PDS_URISHORTENER) twittu.ms enlist_uri_host (PDS_URISHORTENER) twiturl.de enlist_uri_host (PDS_URISHORTENER) twitzap.com enlist_uri_host (PDS_URISHORTENER) twlv.net enlist_uri_host (PDS_URISHORTENER) twtr.us enlist_uri_host (PDS_URISHORTENER) twurl.cc enlist_uri_host (PDS_URISHORTENER) twurl.nl enlist_uri_host (PDS_URISHORTENER) u.mavrev.com enlist_uri_host (PDS_URISHORTENER) u.nu enlist_uri_host (PDS_URISHORTENER) u76.org enlist_uri_host (PDS_URISHORTENER) ub0.cc enlist_uri_host (PDS_URISHORTENER) uiop.me enlist_uri_host (PDS_URISHORTENER) ulimit.com enlist_uri_host (PDS_URISHORTENER) ulu.lu enlist_uri_host (PDS_URISHORTENER) unfaker.it enlist_uri_host (PDS_URISHORTENER) updating.me enlist_uri_host (PDS_URISHORTENER) u.to enlist_uri_host (PDS_URISHORTENER) ur.ly enlist_uri_host (PDS_URISHORTENER) ur1.ca enlist_uri_host (PDS_URISHORTENER) urizy.com enlist_uri_host (PDS_URISHORTENER) url.ag enlist_uri_host (PDS_URISHORTENER) url.az enlist_uri_host (PDS_URISHORTENER) url.co.uk enlist_uri_host (PDS_URISHORTENER) url.go.it enlist_uri_host (PDS_URISHORTENER) url.ie enlist_uri_host (PDS_URISHORTENER) url.inc-x.eu enlist_uri_host (PDS_URISHORTENER) url.lotpatrol.com enlist_uri_host (PDS_URISHORTENER) url360.me enlist_uri_host (PDS_URISHORTENER) url4.eu enlist_uri_host (PDS_URISHORTENER) urlao.com enlist_uri_host (PDS_URISHORTENER) urlbee.com enlist_uri_host (PDS_URISHORTENER) urlborg.com enlist_uri_host (PDS_URISHORTENER) urlbrief.com enlist_uri_host (PDS_URISHORTENER) urlcorta.es enlist_uri_host (PDS_URISHORTENER) urlcover.com enlist_uri_host (PDS_URISHORTENER) urlcut.com enlist_uri_host (PDS_URISHORTENER) urlcutter.com enlist_uri_host (PDS_URISHORTENER) urlenco.de enlist_uri_host (PDS_URISHORTENER) urlg.info enlist_uri_host (PDS_URISHORTENER) urlhawk.com enlist_uri_host (PDS_URISHORTENER) urli.nl enlist_uri_host (PDS_URISHORTENER) urlin.it enlist_uri_host (PDS_URISHORTENER) urlkiss.com enlist_uri_host (PDS_URISHORTENER) urloo.com enlist_uri_host (PDS_URISHORTENER) urlpire.com enlist_uri_host (PDS_URISHORTENER) urls.im enlist_uri_host (PDS_URISHORTENER) urlshorteningservicefortwitter.com enlist_uri_host (PDS_URISHORTENER) urltea.com enlist_uri_host (PDS_URISHORTENER) urlu.ms enlist_uri_host (PDS_URISHORTENER) urlvi.b enlist_uri_host (PDS_URISHORTENER) urlvi.be enlist_uri_host (PDS_URISHORTENER) urlx.ie enlist_uri_host (PDS_URISHORTENER) urlz.at enlist_uri_host (PDS_URISHORTENER) urlzen.com enlist_uri_host (PDS_URISHORTENER) usat.ly enlist_uri_host (PDS_URISHORTENER) use.my enlist_uri_host (PDS_URISHORTENER) uservoice.com enlist_uri_host (PDS_URISHORTENER) ustre.am enlist_uri_host (PDS_URISHORTENER) vado.it enlist_uri_host (PDS_URISHORTENER) vb.ly enlist_uri_host (PDS_URISHORTENER) vdirect.com enlist_uri_host (PDS_URISHORTENER) vgn.am enlist_uri_host (PDS_URISHORTENER) vi.ly enlist_uri_host (PDS_URISHORTENER) viigo.im enlist_uri_host (PDS_URISHORTENER) virl.com enlist_uri_host (PDS_URISHORTENER) vl.am enlist_uri_host (PDS_URISHORTENER) vm.lc enlist_uri_host (PDS_URISHORTENER) voizle.com enlist_uri_host (PDS_URISHORTENER) vtc.es enlist_uri_host (PDS_URISHORTENER) w0r.me enlist_uri_host (PDS_URISHORTENER) w33.us enlist_uri_host (PDS_URISHORTENER) w34.us enlist_uri_host (PDS_URISHORTENER) w3t.org enlist_uri_host (PDS_URISHORTENER) w55.de enlist_uri_host (PDS_URISHORTENER) wa9.la enlist_uri_host (PDS_URISHORTENER) wapo.st enlist_uri_host (PDS_URISHORTENER) wapurl.co.uk enlist_uri_host (PDS_URISHORTENER) webalias.com enlist_uri_host (PDS_URISHORTENER) welcome.to enlist_uri_host (PDS_URISHORTENER) wh.gov enlist_uri_host (PDS_URISHORTENER) widg.me enlist_uri_host (PDS_URISHORTENER) wipi.es enlist_uri_host (PDS_URISHORTENER) wkrg.com enlist_uri_host (PDS_URISHORTENER) woo.ly enlist_uri_host (PDS_URISHORTENER) wp.me enlist_uri_host (PDS_URISHORTENER) x.co enlist_uri_host (PDS_URISHORTENER) x.hypem.com enlist_uri_host (PDS_URISHORTENER) x.se enlist_uri_host (PDS_URISHORTENER) x.vu enlist_uri_host (PDS_URISHORTENER) xeeurl.com enlist_uri_host (PDS_URISHORTENER) xil.in enlist_uri_host (PDS_URISHORTENER) xlurl.de enlist_uri_host (PDS_URISHORTENER) xn--1ci.ws enlist_uri_host (PDS_URISHORTENER) xn--3fi.ws enlist_uri_host (PDS_URISHORTENER) xn--5gi.ws enlist_uri_host (PDS_URISHORTENER) xn--9gi.ws enlist_uri_host (PDS_URISHORTENER) xn--bih.ws enlist_uri_host (PDS_URISHORTENER) xn--cwg.ws enlist_uri_host (PDS_URISHORTENER) xn--egi.ws enlist_uri_host (PDS_URISHORTENER) xn--fwg.ws enlist_uri_host (PDS_URISHORTENER) xn--hgi.ws enlist_uri_host (PDS_URISHORTENER) xn--l3h.ws enlist_uri_host (PDS_URISHORTENER) xn--odi.ws enlist_uri_host (PDS_URISHORTENER) xn--ogi.ws enlist_uri_host (PDS_URISHORTENER) xn--rei.ws enlist_uri_host (PDS_URISHORTENER) xn--vgi.ws enlist_uri_host (PDS_URISHORTENER) xr.com enlist_uri_host (PDS_URISHORTENER) xrl.in enlist_uri_host (PDS_URISHORTENER) xrl.us enlist_uri_host (PDS_URISHORTENER) xrt.me enlist_uri_host (PDS_URISHORTENER) xurl.es enlist_uri_host (PDS_URISHORTENER) xurl.jp enlist_uri_host (PDS_URISHORTENER) xxsurl.de enlist_uri_host (PDS_URISHORTENER) xzb.cc enlist_uri_host (PDS_URISHORTENER) y.ahoo.it enlist_uri_host (PDS_URISHORTENER) yatuc.com enlist_uri_host (PDS_URISHORTENER) ye-s.com enlist_uri_host (PDS_URISHORTENER) ye.pe enlist_uri_host (PDS_URISHORTENER) yep.it enlist_uri_host (PDS_URISHORTENER) yfrog.com enlist_uri_host (PDS_URISHORTENER) yhoo.it enlist_uri_host (PDS_URISHORTENER) yiyd.com enlist_uri_host (PDS_URISHORTENER) youtu.be enlist_uri_host (PDS_URISHORTENER) yuarel.com enlist_uri_host (PDS_URISHORTENER) z.pe enlist_uri_host (PDS_URISHORTENER) z0p.de enlist_uri_host (PDS_URISHORTENER) zapt.in enlist_uri_host (PDS_URISHORTENER) zi.ma enlist_uri_host (PDS_URISHORTENER) zi.me enlist_uri_host (PDS_URISHORTENER) zi.mu enlist_uri_host (PDS_URISHORTENER) zi.pe enlist_uri_host (PDS_URISHORTENER) zip.li enlist_uri_host (PDS_URISHORTENER) zipmyurl.com enlist_uri_host (PDS_URISHORTENER) zite.to enlist_uri_host (PDS_URISHORTENER) zootit.com enlist_uri_host (PDS_URISHORTENER) zud.me enlist_uri_host (PDS_URISHORTENER) zurl.ws enlist_uri_host (PDS_URISHORTENER) zz.gd enlist_uri_host (PDS_URISHORTENER) zzang.kr enlist_uri_host (PDS_URISHORTENER) t.ly enlist_uri_host (PDS_URISHORTENER) wow.link enlist_uri_host (PDS_URISHORTENER) twixar.me enlist_uri_host (PDS_URISHORTENER) lnk.cm enlist_uri_host (PDS_URISHORTENER) rb.gy enlist_uri_host (PDS_URISHORTENER) gplinks.in enlist_uri_host (PDS_URISHORTENER) utfg.sk enlist_uri_host (PDS_URISHORTENER) um.lk enlist_uri_host (PDS_URISHORTENER) xn--vi8hiv.ws enlist_uri_host (PDS_URISHORTENER) ouo.io enlist_uri_host (PDS_URISHORTENER) mmo.tc enlist_uri_host (PDS_URISHORTENER) pvp.tc enlist_uri_host (PDS_URISHORTENER) ko.tc enlist_uri_host (PDS_URISHORTENER) m2.tc enlist_uri_host (PDS_URISHORTENER) sro.tc enlist_uri_host (PDS_URISHORTENER) heg.tc enlist_uri_host (PDS_URISHORTENER) fn.tc enlist_uri_host (PDS_URISHORTENER) lol.tc enlist_uri_host (PDS_URISHORTENER) tek.link enlist_uri_host (PDS_URISHORTENER) tr.im enlist_uri_host (PDS_URISHORTENER) cutwin.biz enlist_uri_host (PDS_URISHORTENER) urlzs.com enlist_uri_host (PDS_URISHORTENER) qqc.co enlist_uri_host (PDS_URISHORTENER) yyv.co enlist_uri_host (PDS_URISHORTENER) erq.io enlist_uri_host (PDS_URISHORTENER) yko.io enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.online enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.org enlist_uri_host (PDS_URISHORTENER) poweredbydialup.online enlist_uri_host (PDS_URISHORTENER) poweredbydialup.club enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.online enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.club enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.online enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.club enlist_uri_host (PDS_URISHORTENER) amishprincess.com enlist_uri_host (PDS_URISHORTENER) poweredbydialup.org enlist_uri_host (PDS_URISHORTENER) amishdatacenter.com enlist_uri_host (PDS_URISHORTENER) youtubeshort.pro enlist_uri_host (PDS_URISHORTENER) catsnthing.com enlist_uri_host (PDS_URISHORTENER) youtubeshort.watch enlist_uri_host (PDS_URISHORTENER) yourtube.site enlist_uri_host (PDS_URISHORTENER) catsnthings.fun enlist_uri_host (PDS_URISHORTENER) curiouscat.club enlist_uri_host (PDS_URISHORTENER) crabrave.pw enlist_uri_host (PDS_URISHORTENER) fortnitechat.site enlist_uri_host (PDS_URISHORTENER) fortnight.space enlist_uri_host (PDS_URISHORTENER) disçordapp.com enlist_uri_host (PDS_URISHORTENER) freegiftcards.co enlist_uri_host (PDS_URISHORTENER) minecräft.com enlist_uri_host (PDS_URISHORTENER) stopify.co enlist_uri_host (PDS_URISHORTENER) spottyfly.com enlist_uri_host (PDS_URISHORTENER) bmwforum.co enlist_uri_host (PDS_URISHORTENER) grabify.link enlist_uri_host (PDS_URISHORTENER) joinmy.site enlist_uri_host (PDS_URISHORTENER) youshouldclick.us reuse PDS_SHORTFWD_URISHRT endif endif ##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox ##{ redirector_pattern_sandbox redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i ##} redirector_pattern_sandbox ##{ reuse_sandbox reuse T_PDS_HIDDEN_UK_BUSINESSLOAN reuse T_PDS_DOUBLE_URL reuse T_PDS_DBL_URL_LINKBAIT reuse PDS_DBL_URL_TNB_RUNON reuse T_PDS_DBL_URL_ILLEGAL_CHARS reuse FROM_2_EMAILS_SHORT reuse T_SHORT_BODY_QUOTE reuse T_BODY_QUOTE_MALF_MSGID reuse SPOOFED_FREEMAIL_NO_RDNS reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE reuse PDS_TONAME_EQ_TOLOCAL_SHORT reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE reuse PDS_TONAME_EQ_TOLOCAL_VSHORT reuse T_PDS_LITECOIN_ID reuse PDS_BTC_ID reuse PDS_BTC_MSGID reuse __NUMBERONLY_TLD reuse __NUMBEREND_TLD reuse T_NUMBEREND_LINKBAIT reuse NUMBERONLY_BITCOIN_EXP reuse PDS_NAKED_TO_NUMERO reuse __PDS_GOOGLE_DRIVE_SHARE_1 reuse __PDS_GOOGLE_DRIVE_SHARE_2 reuse __PDS_GOOGLE_DRIVE_SHARE_3 reuse __PDS_GOOGLE_DRIVE_SHARE reuse T_GOOGLE_DRIVE_DEAR_SOMETHING reuse __PDS_GOOGLE_DRIVE_FILE reuse __SHORT_BODY_G_DRIVE reuse __SHORT_BODY_G_DRIVE_DYN reuse SHORT_BODY_G_DRIVE_DYN reuse FROM_NAME_EQ_TO_G_DRIVE ##} reuse_sandbox uri __128_HEX_URI m,/[0-9a-f]{128}, uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online))/i body __ACCESS_REVOKE /(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)/i body __ACCESS_SUSPENDED /\b?(:(?:access|account) has been (?:temporar(?:il)?y )(?:suspended|blocked|locked)|suspend (?:you from|your) access(?:ing)?)\b/i body __ACCOUNT_DISRUPT /ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)/i body __ACCOUNT_ERROR /your account (?:is|appears to be) (?:incorrect|missing|in error|invalid)/i body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i body __ACCOUNT_UPGRADE /(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded)/i meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 1 && !__ACCT_PHISH_MANY meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 3 body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH endif uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\// uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO uri __AC_LAND_URI /\/land\// uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/ uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/ uri __AC_OUTI_URI /\/outi\b/ uri __AC_OUTL_URI /\/outl\b/ uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\// uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\// uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/ uri __AC_REPORT_URI /\/report\// uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\// rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/ uri __AC_UNSUB_URI /\/unsub\// body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:email[- ]+)?[a@]dvert[i1l]sement\b/i meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ body __AFF_LOTTERY /(?:lottery|winner)/i meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION) body __AFR_UNION /\bafrican\sunion\b/i body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ANY_TEXT_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i tflags __APP_DEVELOPMENT multiple maxhits=6 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 endif body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ATTACH_NAME_NO_EXT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i endif body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i body __AUTO_ACCIDENT /auto(?:mobile)? accident/i header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/ header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/ body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i body __BANK_DRAFT /\bbank\sdraft/i body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i body __BITCOIN_ID /\b(?<!=)[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s body __BODY_TEXT_LINE /^\s*\S/ tflags __BODY_TEXT_LINE multiple maxhits=3 meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE body __BODY_XHTML /<x-html>/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ tflags __BOGUS_MIME_HDR multiple maxhits=8 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 endif header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/ meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7) body __BTC_OBFU_2 /\b\W{0,10}b(?!itcoin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i endif body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i body __BURKINA_FASO /\bburkina\s?faso\b/i body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i body __CAN_HELP /\bcan help\b/i body __CASHPRZ /cash prize of/ body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here)\b/i body __CLICK_HERE /\bclick\shere\b/i rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i body __COPY_PASTE_DE /Kopieren Sie es und f(?:\xfc|\xc3\xbc)gen Sie es ein|Kopieren \& Einf(?:\xfc|\xc3\xbc)gen/i body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i body __COPY_PASTE_ES /copiarlo y pegarlo/i body __COPY_PASTE_FR /le copier (et le|\+) coller/i body __COPY_PASTE_IT /copia(r?)lo (e|\&) incolla(r?)lo/i body __COPY_PASTE_NL /kopieer en plak het/i body __COPY_PASTE_SE /kopiera den och klistra in/i body __COURIER /\bcourier\s(?:company|service)\b/i header __CR_IN_SUBJ Subject:raw =~ /\015/ header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __CTYPE_NULL 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s endif header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i endif header __DATE_LOWER ALL =~ /date:\s\S{5}/ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i tflags __DAY_I_EARNED multiple maxhits=4 endif body __DBLCLAIM /avoid double claiming/ body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i body __DIED_IN /\bdied\sin\b/i body __DIPLOMATIC /\bdiplomatic\b/i ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __DKIMWL_BLOCKED net endif ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __DKIMWL_BULKMAIL net endif ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __DKIMWL_FREEMAIL net endif ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __DKIMWL_WL_BL net endif ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __DKIMWL_WL_HI net endif ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __DKIMWL_WL_MED net endif ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __DKIMWL_WL_MEDHI net endif header __DKIM_EXISTS exists:DKIM-Signature tflags __DKIM_EXISTS nice body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __DOC_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __DOC_ATTACH_FN1 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __DOC_ATTACH_FN2 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __DOC_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i endif body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i body __DOS_BODY_FRI /\bfri(?:day)?\b/i body __DOS_BODY_MON /\bmon(?:day)?\b/i body __DOS_BODY_SAT /\bsat(?:day)?\b/i body __DOS_BODY_STOCK /\bstock\b/i body __DOS_BODY_SUN /\bsun(?:day)?\b/i body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/ body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i body __DOS_BODY_WED /\bwed(?:nesday)?\b/i body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/ body __DOS_CORRESPOND_EMAIL /correspond with me using my email/ meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT body __DOS_DROP_ME_A_LINE /Drop me a line at/ body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/ body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i uri __DOS_HAS_ANY_URI /^\w+:\/\// header __DOS_HAS_LIST_ID exists:List-ID header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe header __DOS_HAS_MAILING_LIST exists:Mailing-List body __DOS_HI /^Hi,$/ body __DOS_I_AM_25 /I a.?m 25/ body __DOS_I_DRIVE_A /I drive a/ body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/ body __DOS_LINK /\blink\b/ body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/ header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/ header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/ body __DOS_MY_OLD_JOB /my old job/ body __DOS_PERSONAL_EMAIL /personal email at/ header __DOS_RCVD_FRI Received =~ / Fri, / header __DOS_RCVD_MON Received =~ / Mon, / header __DOS_RCVD_SAT Received =~ / Sat, / header __DOS_RCVD_SUN Received =~ / Sun, / header __DOS_RCVD_THU Received =~ / Thu, / header __DOS_RCVD_TUE Received =~ / Tue, / header __DOS_RCVD_WED Received =~ / Wed, / meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE) meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON) meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN) header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/ body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i body __DOS_STRONG_CF /\bstrong cash flow/i body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/ body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/ body __EARLY_DEMISE /\buntimely\sdeath\b/i header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 1) meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 3) meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __EXE_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i endif meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE) > 2 body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __E_LIKE_LETTER /<lcase_e>/ tflags __E_LIKE_LETTER multiple maxhits=320 endif endif body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/ rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/ header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov / meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO body __FB_COST /\bcost\b/i body __FB_NUM_PERCNT /\d\s?\%/ body __FB_S_PRICE /pri{1,2}c[a-z]?e/i body __FB_S_STOCK /\bstock/i body __FB_TOUR /\btour/i body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4) endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_FRAUD_PHISH 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH) endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_FRAUD_PHISH1 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_LOAN 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1 endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_LOAN1 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_LONG 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2 endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_LONG1 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_LONG2 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_PARTIAL 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5 endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_PARTIAL_RAW 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5 endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_SHORT 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2) endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_SHORT1 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FILL_THIS_FORM_SHORT2 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i endif header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/ if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FM_MY_PRICE __FB_S_PRICE endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE) endif meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __FONT_INVIS /<font\s[^>]{1,80}(?:font-size\s*:\s*[01]px\s*;|color\s*:\s*transparent\s*;)[^>]{1,80}>\w/i tflags __FONT_INVIS multiple, maxhits=6 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FONT_INVIS_MANY __FONT_INVIS > 5 endif header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/ header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/ meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1) meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i tflags __FOR_SALE_LTP multiple maxhits=11 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __FOR_SALE_NET /00\.? NET/i tflags __FOR_SALE_NET multiple maxhits=11 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __FOR_SALE_OBO /\bor best offer\b/i tflags __FOR_SALE_OBO multiple maxhits=6 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i tflags __FOR_SALE_PRC_100K multiple maxhits=11 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i tflags __FOR_SALE_PRC_10K multiple maxhits=11 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i tflags __FOR_SALE_PRC_1K multiple maxhits=11 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m tflags __FOR_SALE_PRC_EOL multiple maxhits=11 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20 endif body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i body __FRAUD /\b(?:de)?fraud/i body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i ifplugin Mail::SpamAssassin::Plugin::FreeMail header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To') endif ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) endif meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta __FROM_41_FREEMAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED describe __FROM_41_FREEMAIL Sent from Africa + freemail provider endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS') endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV') endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL') endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD') endif endif header __FROM_ADDR_WS From:addr =~ /\s/ header __FROM_ALL_NUMS From:addr =~ /^\d+@/ header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i header __FROM_DOM_INFO From:addr =~ /\.info$/i header __FROM_EBAY From:addr =~ /\@ebay\.com$/i ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof header __FROM_EQ_REPLY eval:check_fromname_equals_replyto() endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __FROM_FMBLA_NDBLOCKED net endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __FROM_FMBLA_NEWDOM net endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __FROM_FMBLA_NEWDOM14 net endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __FROM_FMBLA_NEWDOM28 net endif endif header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/ tflags __FROM_FULL_NAME nice header __FROM_INFO From =~ /(?<![^\w.-])info\@/i header __FROM_LOWER ALL =~ /from:\s\S{5}/ header __FROM_MISSPACED From =~ /^\s*"[^"]*"</ meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta __FROM_MISSP_FREEMAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO) endif meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i header __FROM_RUNON From =~ /\S+<\w+/ header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/ header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/ header __FROM_WORDY_3 From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/ meta __FROM_WORDY_SONLY __FROM_WORDY && (__XPRIO_MINFP || __TO_NO_BRKTS_MSFT || __FILL_THIS_FORM_SHORT || __HAS_MSMAIL_PRI || DEAR_FRIEND || __TO_NO_BRKTS_FROM_MSSP || FREEMAIL_REPLYTO ) if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FRT_PRICE 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i endif rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} /i header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com /i header __FS_SUBJ_RE Subject =~ /^Re: / ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FUZZY_DR_OZ /\bD(?!(?-i:(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __FUZZY_MONERO 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __FUZZY_MONERO /<M>(?!onero)<O><N><E><R><O>/i endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i tflags __GAPPY_SALES_LEADS multiple maxhits=3 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2 endif meta __GB_BITCOIN_CP_DE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_DE ) describe __GB_BITCOIN_CP_DE German Bitcoin scam meta __GB_BITCOIN_CP_EN ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_EN ) describe __GB_BITCOIN_CP_EN English Bitcoin scam meta __GB_BITCOIN_CP_ES ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_ES ) describe __GB_BITCOIN_CP_ES Spanish Bitcoin scam meta __GB_BITCOIN_CP_FR ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_FR ) describe __GB_BITCOIN_CP_FR French Bitcoin scam meta __GB_BITCOIN_CP_IT ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_IT ) describe __GB_BITCOIN_CP_IT Italian Bitcoin scam meta __GB_BITCOIN_CP_NL ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_NL ) describe __GB_BITCOIN_CP_NL Dutch Bitcoin scam meta __GB_BITCOIN_CP_SE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_SE ) describe __GB_BITCOIN_CP_SE Swedish Bitcoin scam body __GHANA /\bghana\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i endif body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i body __HAS_ANY_EMAIL /\w@\S+\.\w/ uri __HAS_ANY_URI /^\w+:\/\// header __HAS_CAMPAIGN exists:X-Campaign header __HAS_CAMPAIGNID exists:X-Campaignid header __HAS_CID exists:X-CID describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line rawbody __HAS_HREF /^[^>].*?<a href=/im tflags __HAS_HREF multiple maxhits=100 describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m tflags __HAS_HREF_ONECASE multiple maxhits=100 describe __HAS_IMG_SRC Has an img tag on a non-quoted line rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im tflags __HAS_IMG_SRC multiple maxhits=100 rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100 header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script header __HAS_PHP_SCRIPT exists:X-PHP-Script header __HAS_THREAD_INDEX exists:Thread-Index body __HAS_WON_01 /\bque ha ganado\b/i header __HAS_XM_LID exists:X-Mailer-LID header __HAS_XM_RECPTID exists:X-Mailer-RecptId header __HAS_XM_SENTBY exists:X-Mailer-Sent-By header __HAS_XM_SID exists:X-Mailer-SID header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm tflags __HDRS_LCASE multiple maxhits=3 meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH header __HDRS_MISSP ALL =~ /\n(?:Subject|From|To):\S/ism header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/ header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/ header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/ header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/ header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /rdns=mail\S+\-\S+\.linkedin\.com\s/ header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/ header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/ header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/ header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /i header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!\1)\S/ header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ / body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/ tflags __HEXHASHWORD_S2EU multiple maxhits=4 body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i body __HK_LOTTO_STAATS /\bstaatsloteri/i ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) header __HK_NAME_FROM From:name =~ /^FROM\b/mi endif endif ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi endif endif body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i body __HK_SCAM_N2 /\bnext of kin\b/i body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i body __HK_SCAM_N8 /\byour compensation\b/i body __HK_SCAM_S1 /pay you the sum of/i body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i body __HK_SCAM_S7 /(?:(?:investment|proposed|lucrative) (?:business|venture)|(?:business|venture) (?:enterprise|propos(?:al|ition)))/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi endif meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG ) meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG ) meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG ) meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG ) > 1 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i endif rawbody __HS_QUOTE /^> / header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/ if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __HTML_ATTACH_01 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __HTML_ATTACH_02 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i endif rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML if !plugin(Mail::SpamAssassin::Plugin::DKIM) meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN endif ifplugin Mail::SpamAssassin::Plugin::DKIM meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID endif rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/ tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE endif rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i tflags __HTML_SINGLET multiple, maxhits=21 meta __HTML_SINGLET_MANY __HTML_SINGLET > 20 ifplugin Mail::SpamAssassin::Plugin::HTMLEval body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') endif body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) meta __IMG_LE_300K 0 endif ifplugin Mail::SpamAssassin::Plugin::ImageInfo body __IMG_LE_300K eval:pixel_coverage('all',62500,300000) endif body __INHERIT_PMT /\binheritance\spayment\s/i body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ISO_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ISO_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i endif body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i header __JM_REACTOR_DATE Date =~ / \+0000$/ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024') describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128') describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256') describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes. endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512') describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes. endif endif body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/ header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/ meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME) if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta __LARGE_PERCENT_AFTER 0 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __LARGE_PERCENT_AFTER /\d{3}% after/i tflags __LARGE_PERCENT_AFTER multiple maxhits=4 endif if !plugin(Mail::SpamAssassin::Plugin::HeaderEval) meta __LCL__ENV_AND_HDR_FROM_MATCH 0 endif ifplugin Mail::SpamAssassin::Plugin::HeaderEval meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_1024 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_1024 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 endif endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_128 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_128 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 endif endif if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __LCL__KAM_BODY_LENGTH_LT_512 0 endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) meta __LCL__KAM_BODY_LENGTH_LT_512 0 endif endif ifplugin Mail::SpamAssassin::Plugin::BodyEval if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 endif endif meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/ uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i body __LOCK_MAILBOX /\b(?:(?:deactivate|lock|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server))/i full __LONGLINE /^[^\r\n]{998}/m if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_00 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?[1-9][\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_01 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?[1-9][\d.,\sOo]{5,20}[\dOo](?<!\.00)/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_02 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_02 /(?<!\d)[1-9][\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_03 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[1-9][\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/ endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_04 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_04 /(?:(?<!\d)[1-9][\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __LOTSA_MONEY_05 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)[1-9][\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i endif meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2 body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i uri __LOTTO_ADMITS_3 /lott+ery/i meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02 body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __LOTTO_ATTACH_1 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __LOTTO_ATTACH_2 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i endif body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i body __LOTTO_VERIFY /\bpromo\sverification/i body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __LOWER_E /e/ tflags __LOWER_E multiple maxhits=230 endif endif body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i rawbody __L_BODY_8BITS /[\x80-\xff]/ header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/ body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail (?:account|log-?in|box|address)\b/i uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i tflags __MAIL_LINK nice meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MALW_ATTACH_01_01 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename="?[^"]+\.SettingContent-ms\b/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MALW_ATTACH_01_02 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i endif meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) header __MAY_BE_FORGED Received =~ /\(may be forged\)/ header __MID_START_001C Message-ID =~ /^<000001c/ body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/ meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/ if !((version >= 3.004000)) meta __MIME_CTYPE_IN_BODY 0 endif if (version >= 3.004000) body __MIME_CTYPE_IN_BODY /^Content-Type:\s/ endif if !((version >= 3.004000)) meta __MIME_MALF 0 endif if (version >= 3.004000) meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __MIME_NO_TEXT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH) endif header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) body __MONERO_CURNCY /Monero \(XMR\)/ body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + T_EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./ tflags __MSGID_JAVAMAIL nice header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/ tflags __MSGID_LIST nice header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: / header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/ body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s)?)(?:malware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it)|application[^\.]{1,30}(?:enable[sd]|allows)\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|malware)\s)+giv(?:es|ing)\sme)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s)?)(?:<M><A><L><W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>)|<A><P><P><L><I><C><A><T><I><O><N>[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>)\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L><W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i endif header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/ header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i body __NEVER_HEAR_EN /(never hear me again|destroy all your secrets|not bother you again|leave you alone)/i body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i body __NIGERIA /\bnigeria\b/i meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO tflags __NOT_A_PERSON nice body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede)\b/i body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i tflags __NOT_SPOOFED nice if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF endif endif if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) ifplugin Mail::SpamAssassin::Plugin::SPF meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF endif endif if !plugin(Mail::SpamAssassin::Plugin::DKIM) if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF. endif endif if !plugin(Mail::SpamAssassin::Plugin::DKIM) ifplugin Mail::SpamAssassin::Plugin::SPF meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF endif endif meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS) header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) endif if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) meta __ONE_IMG 0 endif ifplugin Mail::SpamAssassin::Plugin::ImageInfo body __ONE_IMG eval:image_count('all',1,1) endif header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./ body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PART_STOCK_CL Content-Location =~ /./ endif body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\sme|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche))\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>))[\s\.,]/i endif body __PAY_YOU /\bpay\syou\b/ if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50 endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_1 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_2 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_FOR_YOU_3 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) meta __PCT_OF_PMTS 0 endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_FN1 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_FN2 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __PDF_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_ANON From:name =~ /\bAnon/ endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE ) endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i endif meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER') endif endif uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$; if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i endif endif if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i endif header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism uri __PDS_GOOGLE_DRIVE_FILE /\/drive\.google\.com\/file/i meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2) header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/ header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/ header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/ ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024 endif ifplugin Mail::SpamAssassin::Plugin::HTMLEval meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048 endif meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024) endif endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512) endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28) tflags __PDS_NEWDOMAIN net endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_OFFER_ONLY_AMERICA /This offer (is )?(only )?for (United States|USA)/i endif endif header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i endif endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) meta __PDS_SHORT_URL __SHORT_URL && !(__URL_SHORTENER || __PDS_URISHORTENER) && !ALL_TRUSTED endif endif if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS tflags __PDS_SPF_ONLYALL net endif endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval body __PDS_THIS_IS_ADV /This is an advert(?:isement)?/i endif endif header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/ if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism endif if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism endif ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) header __PDS_URISHORTENER eval:check_uri_host_listed('PDS_URISHORTENER') endif endif meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i tflags __PHOTO_RETOUCHING multiple maxhits=5 endif header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2 header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./ header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/ header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta __PILL_PRICE_01 0 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i tflags __PILL_PRICE_01 multiple maxhits=3 endif if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) meta __PILL_PRICE_02 0 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i tflags __PILL_PRICE_02 multiple maxhits=3 endif body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() endif ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() endif uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf)[^?]{4}(?:\?[^?]{1,5})?$;i body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism tflags __RAND_HEADER multiple, maxhits=4 header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # " header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # " header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i tflags __RCD_RDNS_MAIL nice header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i tflags __RCD_RDNS_MAIL_MESSY nice header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i tflags __RCD_RDNS_MTA nice header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i tflags __RCD_RDNS_MTA_MESSY nice header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i tflags __RCD_RDNS_MX nice header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ tflags __RCD_RDNS_MX_MESSY nice header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i tflags __RCD_RDNS_SMTP nice header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ tflags __RCD_RDNS_SMTP_MESSY nice header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/ header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ / header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} / ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH) endif if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') endif endif header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i if !((version >= 3.003000)) meta __RP_MATCHES_RCVD 0 endif if (version >= 3.003000) if !plugin(Mail::SpamAssassin::Plugin::WLBLEval) meta __RP_MATCHES_RCVD 0 endif endif if (version >= 3.003000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() endif endif body __SCAM /\bscam(?:m?e[dr])?s?\b/i rawbody __SCRIPT_GIBBERISH /<script>[^;<]{100}/im body __SCRIPT_TAG_IN_BODY /<script>/i body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i tflags __SENDER_BOT nice body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY meta __SHORT_BODY_G_DRIVE __BODY_URI_ONLY && __LCL__KAM_BODY_LENGTH_LT_512 && __PDS_GOOGLE_DRIVE_FILE meta __SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE && (RDNS_DYNAMIC || HELO_DYNAMIC_IPADDR || HELO_DYNAMIC_HCC || FSL_HELO_NON_FQDN_1) uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ tflags __SINGLE_WORD_LINE multiple maxhits=2 header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ tflags __SPAN_BEG_TEXT multiple maxhits=5 rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ tflags __SPAN_END_TEXT multiple maxhits=5 if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __SPF_FULL_PASS 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) tflags __SPF_FULL_PASS net endif if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __SPF_RANDOM_SENDER 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) tflags __SPF_RANDOM_SENDER net endif meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM tflags __SPOOFED_FREEMAIL net meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO tflags __SPOOFED_FREEM_REPTO net rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)/i tflags __STY_INVIS multiple, maxhits=6 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_2 __STY_INVIS > 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_3 __STY_INVIS > 2 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __STY_INVIS_MANY __STY_INVIS > 5 endif header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ tflags __SUBJ_BROKEN_WORD multiple maxhits=2 header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism header __SUBJ_NOT_SHORT Subject =~ /^.{16}/ header __SUBJ_OBFU_PUNCT Subject =~ /(?:(?!<[a-z][a-z])[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z])/i tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ header __SUBJ_SHORT Subject =~ /^.{0,8}$/ header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i tflags __SUBJ_UNNEEDED_HTML multiple, maxhits=3 header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i tflags __SUBSCRIPTION_INFO nice body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i body __SURVEY /\bsurvey\b/i body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m tflags __TENWORD_GIBBERISH multiple maxhits=21 body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) tflags __THREADED nice header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$, header __TO_ALL_NUMS To:addr =~ /^\d+@/ meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __TO_EQ_FM_DOM_SPF_FAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL tflags __TO_EQ_FM_DOM_SPF_FAIL net endif meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __TO_EQ_FM_SPF_FAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::SPF meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL tflags __TO_EQ_FM_SPF_FAIL net endif meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) describe __TO_EQ_FROM To: same as From: header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) describe __TO_EQ_FROM_DOM To: domain same as From: domain header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) describe __TO_EQ_FROM_USR To: username same as From: username header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/ if !plugin(Mail::SpamAssassin::Plugin::FreeMail) meta __TO_NO_BRKTS_FREEMAIL 0 endif ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO) endif meta __TO_NO_BRKTS_FROM_MSSP __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_MISSPACED meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i header __TO___LOWER ALL =~ /to:\s\S{5}/ body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/ header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/ header __TT_VALIUM Subject =~ /VALIUM/i header __TT_VIAGRA Subject =~ /VIAGRA/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/ endif body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i body __TVD_PH_BODY_08 /\bmultiple password failures/i body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08 header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __TVD_SPACE_RATIO 0 endif header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i header __UA_GNUS User-Agent =~ /^Gnus/ header __UA_KMAIL User-Agent =~ /^KMail/ header __UA_KNODE User-Agent =~ /^KNode/ header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/ header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/ header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ header __UA_MUTT User-Agent =~ /^Mutt/ header __UA_OPERA7 User-Agent =~ /^Opera7/ header __UA_PAN User-Agent =~ /^Pan/ header __UA_XNEWS User-Agent =~ /^Xnews/ body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/ tflags __UC_GIBB_OBFU multiple maxhits=2 body __UN /\bunited\snations?\b/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i tflags __UNICODE_OBFU_ASC multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i tflags __UNICODE_OBFU_ZW multiple maxhits=10 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 endif if can(Mail::SpamAssassin::Conf::feature_bug6558_free) meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 endif body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i tflags __UNSUB_EMAIL nice uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i tflags __UNSUB_LINK nice body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage)\b/i uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i uri __URI_BUFFLY m,//buff\.ly/,i uri __URI_DATA /^data:(?!image\/)[a-z]/i uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i uri __URI_IMG_LINKEDIN /^https:\/\/static\.licdn\.com\/scds\/common\/u\/images\/email\/artdeco\/illustrations\/56\/magnifying-glass\.png/ uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i uri __URI_MAILTO /^mailto:/i tflags __URI_MAILTO multiple maxhits=16 meta __URI_MAILTO_MANY __URI_MAILTO > 15 uri __URI_MONERO /buy-monero/i meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) uri __URI_PHP_REDIR m;/redirect\.php\?;i uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i uri __URI_WPADMIN m,/wp-admin/\w+/,i uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i uri __URL_BTC_ID m;[/.][13][a-km-zA-HJ-NP-Z1-9]{25,34}(?:/|$); uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$); uri __URL_SHORTENER /^https?:\/\/(?:bit\.ly|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it)\/[^\/]{3}\/?/ header __USING_VERP1 Return-Path =~ /[+-].*=/ header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i tflags __VACATION nice body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta)\b/i body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i body __VERIFY_ACCOUNT /(?:confirm|updated?|verify) (?:your|the) (?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)/i if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i endif endif meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART body __WEBMAIL_ACCT /\byour web ?mail account/i body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY) header __XM_BALSA X-Mailer =~ /^Balsa \d/ header __XM_CALYPSO X-Mailer =~ /^Calypso/ header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ header __XM_GNUS X-Mailer =~ /^Gnus v/ header __XM_MHE X-Mailer =~ /^mh-e \d/ header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/ header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/ header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/ header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/ header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/ header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/ header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/ header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/ header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/ header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/ header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/ header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/ header __XM_VM X-Mailer =~ /^VM \d/ header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/ header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/ meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__THREADED && !__LONGLINE && !__MAIL_LINK && !__RCD_RDNS_SMTP && !__USING_VERP1 && !__RCD_RDNS_MX_MESSY && !__XM_VBULLETIN && !__HAS_HREF && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__HAS_SENDER && !__THREAD_INDEX_GOOD && !__VIA_ML && !__PHPMAILER_MUA && !__FROM_WEB_DAEMON meta __XPRIO_SHORT_SUBJ __XPRIO && __SUBJ_SHORT body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|payment|geld)\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:mast[ur]{2}bati(?:on|ng)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M><A><S><T>(?:<U>|<R>){2}<B><A><T><I>(?:<O><N>|<N><G>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>)/i endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:pass[-\s_]word|pswd)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<P><A><S><S>[-\s_]<W><O><R><D>|<P><S><W><D>\s)/i endif body __YOUR_PERM /\byour\spermission\b/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\syour\sfiles)\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s<Y><O><U><R>\s<F><I><L><E><S>)[\s\.]/i endif body __YOUR_PROFIT /\byour?\sprofit/i if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) body __YOUR_WEBCAM /\b(?:from|your|with)\s(?:(?:screen|desktop)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s)cam\b/i endif ifplugin Mail::SpamAssassin::Plugin::ReplaceTags body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s)<C><A><M>/i endif body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY)) body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ZIP_ATTACH_MT 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i endif if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) meta __ZIP_ATTACH_NOFN 0 endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i endif body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i ifplugin Mail::SpamAssassin::Plugin::FreeMail header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') endif
© 2024 UnknownSec