
# Ensure plugin-based rules used for FP avoidance exist
# even if the plugin is not loaded, or an older version is loaded
# __KAM_BODY_LENGTH_LT_128
# Local alias for __KAM_BODY_LENGTH_LT_128: point it at the plugin rule when
# BodyEval is loaded and exposes check_body_length, otherwise pin it to the
# constant 0 so the metas that reference __LCL__KAM_BODY_LENGTH_LT_128 (as an
# FP guard) still have every dependency defined.
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_128     __KAM_BODY_LENGTH_LT_128
  else
    # plugin loaded, but a version without check_body_length
    meta      __LCL__KAM_BODY_LENGTH_LT_128     0
  endif
else
  meta      __LCL__KAM_BODY_LENGTH_LT_128     0
endif

# __KAM_BODY_LENGTH_LT_512
# Same shim as above for the 512-byte body-length rule: alias when the
# plugin provides check_body_length, constant 0 otherwise.
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_512     __KAM_BODY_LENGTH_LT_512
  else
    # plugin loaded, but a version without check_body_length
    meta      __LCL__KAM_BODY_LENGTH_LT_512     0
  endif
else
  meta      __LCL__KAM_BODY_LENGTH_LT_512     0
endif

# __KAM_BODY_LENGTH_LT_1024
# Same shim as above for the 1024-byte body-length rule: alias when the
# plugin provides check_body_length, constant 0 otherwise.
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_1024    __KAM_BODY_LENGTH_LT_1024
  else
    # plugin loaded, but a version without check_body_length
    meta      __LCL__KAM_BODY_LENGTH_LT_1024    0
  endif
else
  meta      __LCL__KAM_BODY_LENGTH_LT_1024    0
endif

# __ENV_AND_HDR_FROM_MATCH
# Local alias for __ENV_AND_HDR_FROM_MATCH (envelope sender matches header
# From). No version probe here, only a presence check on HeaderEval; the
# alias is used further down by __FROM_MISSP_EH_MATCH and as a TO_IN_SUBJ
# FP guard.
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
  meta      __LCL__ENV_AND_HDR_FROM_MATCH     __ENV_AND_HDR_FROM_MATCH
else
  meta      __LCL__ENV_AND_HDR_FROM_MATCH     0
endif

# __TVD_SPACE_RATIO
# __TVD_SPACE_RATIO is not defined in this file (presumably it ships with
# the BodyEval plugin); only the "plugin absent" fallback is needed here,
# and unlike the shims above it is defined under its real name, not a
# __LCL__ alias.
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  # nothing to do: the plugin supplies the rule
else
  meta      __TVD_SPACE_RATIO      0
endif



#
#header         REPLYTO_MANY_AT Reply-To =~ /\@.+\@/
#describe       REPLYTO_MANY_AT More than one @ in Reply-To:
#
#header         SENDER_MANY_AT  Sender =~ /\@.+\@/
#describe       SENDER_MANY_AT  More than one @ in Sender:
#
#header         FROM_MANY_AT    From =~ /\@.+\@/
#describe       FROM_MANY_AT    More than one @ in From:
#

# An external relay (taken from SA's X-Spam-Relays-External pseudo-header)
# whose reverse DNS is "localhost" or "localhost.localdomain". The (?!127)
# lookahead skips entries whose IP starts with 127, i.e. genuine loopback.
header         RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe       RDNS_LOCALHOST  Sender's public rDNS is "localhost"

#body           EU_SPAM_LAW     m,Directive 2000/31/EC of the European Parliament,i
#describe       EU_SPAM_LAW     Quoting "European Parliament" spam law

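# Attachment rules that need the MIMEHeader plugin (mimeheader rule type).
# The else branch below only provides 0 fallbacks for the __ sub-rules, so
# the scored/published rules in this block (HTML_ATTACH, OBFU_*, CTYPE_NULL,
# MALW_ATTACH, ISO_ATTACH, PHISH_ATTACH) simply do not exist without it.
#
# Fix: several filename patterns ended in "[";$]". Inside a character class
# a $ is a literal dollar sign, not an anchor, so an unquoted name at the
# very end of the header value (filename=foo.iso) could never match. Those
# classes are now written (?:[";]|$), which keeps the quoted/semicolon
# cases and adds end-of-value.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  # .htm/.html name either in Content-Type (with a text/html type) or in the
  # Content-Disposition filename
  mimeheader   __HTML_ATTACH_01    Content-Type =~ m,\btext/html\b.+\.html?\b,i
  mimeheader   __HTML_ATTACH_02    Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
  meta         HTML_ATTACH         __HTML_ATTACH_01 || __HTML_ATTACH_02
  describe     HTML_ATTACH         HTML attachment to bypass scanning?

  # OBFU_*: a Content-Type of application/octet-stream combined with a name
  # whose extension says otherwise (html/txt/doc/pdf/jpg/gif)
  mimeheader   OBFU_HTML_ATTACH    Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i
  describe     OBFU_HTML_ATTACH    HTML attachment with non-text MIME type

  mimeheader   OBFU_TEXT_ATTACH    Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
  describe     OBFU_TEXT_ATTACH    Text attachment with non-text MIME type
  #score        OBFU_TEXT_ATTACH    2.5
  tflags       OBFU_TEXT_ATTACH    publish

  mimeheader   OBFU_DOC_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
  describe     OBFU_DOC_ATTACH     MS Document attachment with generic MIME type
  #score        OBFU_DOC_ATTACH     0.25

  mimeheader   OBFU_PDF_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
  describe     OBFU_PDF_ATTACH     PDF attachment with generic MIME type
  #score        OBFU_PDF_ATTACH     0.25

  mimeheader   OBFU_JPG_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
  describe     OBFU_JPG_ATTACH     JPG attachment with generic MIME type
  #score        OBFU_JPG_ATTACH     1.50

  mimeheader   OBFU_GIF_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
  describe     OBFU_GIF_ATTACH     GIF attachment with generic MIME type
  #score        OBFU_GIF_ATTACH     1.50

  # __FROM_RUNON (no whitespace before "<" in From) is defined later in
  # this file
  meta         OBFU_ATTACH_MISSP   __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH || OBFU_JPG_ATTACH || OBFU_GIF_ATTACH)
  describe     OBFU_ATTACH_MISSP   Obfuscated attachment type and misspaced From

#  mimeheader   ECMSNGR_MH          X-ecm-part-format =~ /./
#  describe     ECMSNGR_MH          eC-Messenger header

  # Content-Type value that starts with a parameter separator, i.e. no type
  mimeheader   __CTYPE_NULL        Content-Type =~ /^\s*;/
  meta         CTYPE_NULL          __CTYPE_NULL
  describe     CTYPE_NULL          Malformed Content-Type header

  # zip-ish Content-Type with no parameters at all (so no name=), paired
  # with an .html filename in Content-Disposition
  mimeheader   __ZIP_ATTACH_NOFN   Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
  meta         OBFU_HTML_ATT_MALW  __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
  describe     OBFU_HTML_ATT_MALW  HTML attachment with incorrect MIME type - possible malware

  # quoted name= with no "." in it; the (?!=\?) lookahead skips RFC 2047
  # encoded-word names ("=?charset?..."). __PDF_ATTACH_MT/__DOC_ATTACH_MT
  # come from the second MIMEHeader block further down.
  mimeheader   __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
  meta         DOC_ATTACH_NO_EXT   __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
  describe     DOC_ATTACH_NO_EXT   Document attachment with suspicious name

  mimeheader   __ZIP_ATTACH_MT     Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i

  # Windows .SettingContent-ms files, see the writeup below. The
  # Content-Disposition variant also accepts the RFC 2231 extended form
  # (filename*=UTF-8''... / filename*0*=...).
  # see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
  mimeheader   __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
  mimeheader   __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
  # others: "invoice"/"statement" or a fake document extension, followed by
  # an archive extension. %C2%B7 and [\xc2][\xb7] are the URL-encoded and raw
  # UTF-8 bytes of U+00B7 (middle dot), presumably standing in for ".".
  mimeheader   __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|7z|rar|r17|gz)(?:[";]|$)/i
  mimeheader   __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|(?:\.|[\xc2][\xb7]|_)(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|7z|rar|r17|gz)(?:[";]|$)/i
  meta         __MALW_ATTACH       __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
  # !__HAS_THREAD_INDEX: FP guard, Thread-Index is added by Outlook/Exchange
  meta         MALW_ATTACH         __MALW_ATTACH && !__HAS_THREAD_INDEX 
  describe     MALW_ATTACH         Attachment filename suspicious, probable malware exploit
  tflags       MALW_ATTACH         publish

  # .iso by filename or by MIME type
  mimeheader   __ISO_ATTACH        Content-Disposition =~ m,\bfilename="?[^"]+\.iso(?:[";]|$),i
  mimeheader   __ISO_ATTACH_MT     Content-Type =~ m,\bapplication/x-iso9660-image\b,i
  meta         ISO_ATTACH          __ISO_ATTACH || __ISO_ATTACH_MT
  describe     ISO_ATTACH          ISO attachment - possible malware delivery
  score        ISO_ATTACH          3.000	# limit

  # double extension: a fake pdf/doc(x) "extension" followed by .htm/.html;
  # same middle-dot handling as __MALW_ATTACH_02_*
  mimeheader   __PHISH_ATTACH_01_01  Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?(?:[";]|$)/i
  mimeheader   __PHISH_ATTACH_01_02  Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?(?:[";]|$)/i
  # !__HAS_SENDER: FP guard
  meta         PHISH_ATTACH          (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER 
  describe     PHISH_ATTACH          Attachment filename suspicious, probable phishing
  tflags       PHISH_ATTACH          publish

else
  # 0 fallbacks for the sub-rules other metas may reference
  meta         __HTML_ATTACH_01    0
  meta         __HTML_ATTACH_02    0
  meta         __CTYPE_NULL        0
  meta         __ZIP_ATTACH_NOFN   0
  meta         __ATTACH_NAME_NO_EXT 0
  meta         __ZIP_ATTACH_MT     0
  meta         __MALW_ATTACH_01_01 0
  meta         __MALW_ATTACH_01_02 0
  meta         __MALW_ATTACH_02_01 0
  meta         __MALW_ATTACH_02_02 0
  meta         __ISO_ATTACH        0
  meta         __ISO_ATTACH_MT     0
endif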

# general case of spample observation
#header         MUA_ONE_WORD       X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe       MUA_ONE_WORD       Single word X-Mailer: not CamelCase

# "Dear Email User" / "Attention Webmail account User" style salutations
body           DEAR_EMAIL_USER          /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
describe       DEAR_EMAIL_USER          Dear Email User:
#score          DEAR_EMAIL_USER          3.0


# from users list spamples 8/2009
# scheme, then two or more all-numeric labels, then a two-letter label
uri            URI_NUMERIC_CCTLD     m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe       URI_NUMERIC_CCTLD     CCTLD URI with multiple numeric subdomains

# various MUAs
# X-Mailer that is exactly "PHP" (no version), and PHPMailer. __PHPMAILER_MUA
# is not referenced anywhere in this part of the file.
header  __PHP_NOVER_MUA       X-Mailer =~ /^PHP$/
header  __PHPMAILER_MUA       X-Mailer =~ /^PHPMailer\b/

# The two definitions differ only in the extra !__DKIM_DEPENDABLE guard
# when the DKIM plugin is available.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
else
  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
describe  PHP_NOVER_MUA       Mail from PHP with no version number
score     PHP_NOVER_MUA       3.000	# limit
tflags    PHP_NOVER_MUA       publish


# From should have whitespace between the comment and the address
# Better S/O, good enough for standalone rule
# quoted display name immediately followed by "<", no separating space
header         __FROM_MISSPACED      From =~ /^\s*"[^"]*"</

# legit mailers known to misspace from
header         __MTLANDROID_MUA    X-Mailer =~ /\bMotorola android mail \d+\.\d/
header         __XEROXWORKCTR_MUA  X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
header         __AMADEUSMS_MUA     X-Mailer =~ /^Amadeus Messaging Server/
header         __FLASHMAIL_MUA     X-Mailer =~ /^NetEase Flash Mail \d/


# meta with some stuff to reduce FPs
# Every negated term is an FP guard; the four __*_MUA rules just above are
# the known-misspacing mailers, the rest are defined elsewhere.
meta           FROM_MISSPACED        __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe       FROM_MISSPACED        From: missing whitespace
score          FROM_MISSPACED        2.00

# Encrypted mail provider unable to properly format their headers (as of 07/2011)
# matched on the helo= field of SA's X-Spam-Relays-Untrusted pseudo-header
header         __RCVD_ZIXMAIL        X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /

# Poorer S/O than FROM_MISSPACED but better performance in metas
# __FROM_RUNON: any non-space directly before "<". __FROM_RUNON_UNCODED
# looks at the undecoded header (From:raw) and the (?<!\?=) lookbehind
# rejects the case where the "<" directly follows the "?=" that closes an
# RFC 2047 encoded word.
header         __FROM_RUNON          From =~ /\S+<\w+/
header         __FROM_RUNON_UNCODED  From:raw =~ /\S+(?<!\?=)<\w+/

# Misspaced From plus an SPF failure. No else/fallback branch here (unlike
# the SPF block near the end of the file): nothing outside this block
# references these names.
ifplugin Mail::SpamAssassin::Plugin::SPF
  #meta           FROM_MISSP_SPF_FAIL1  (__FROM_RUNON && !SPF_PASS)
  #tflags         FROM_MISSP_SPF_FAIL1  net
  meta           FROM_MISSP_SPF_FAIL  (__FROM_RUNON && SPF_FAIL)
  # net: depends on a DNS lookup
  tflags         FROM_MISSP_SPF_FAIL  net
  score          FROM_MISSP_SPF_FAIL  2.00	# limit
endif

# Misspaced (raw) From whose envelope sender matches the header From; uses
# the __LCL__ shim from the top of the file so it is safe without HeaderEval.
# The negated terms are FP guards, including the zixmail and known-MUA
# exceptions defined just above.
meta           __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
meta           FROM_MISSP_EH_MATCH   __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe       FROM_MISSP_EH_MATCH   From misspaced, matches envelope
score          FROM_MISSP_EH_MATCH   2.00	# max

# most hits > 10 points already
#meta           __FROM_MISSP_URI      __FROM_RUNON_UNCODED && __HAS_ANY_URI
#meta           FROM_MISSP_URI        __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__THREADED && !__TAG_EXISTS_META
#describe       FROM_MISSP_URI        From misspaced, has URI
#score          FROM_MISSP_URI        2.00	# max

# Misspaced From combined with NSL_RCVD_FROM_USER (defined elsewhere)
meta           FROM_MISSP_USER       (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe       FROM_MISSP_USER       From misspaced, from "User"

# all hits > 10 points already
#meta           FROM_MISSP_NO_TO      (__FROM_RUNON && MISSING_HEADERS)
#describe       FROM_MISSP_NO_TO      From misspaced, To missing

# Misspaced From combined with an undisclosed-recipients To (__TO_UNDISCLOSED
# is defined elsewhere)
meta           FROM_MISSP_TO_UNDISC  (__FROM_RUNON && __TO_UNDISCLOSED)
describe       FROM_MISSP_TO_UNDISC  From misspaced, To undisclosed

# 0 hits 8/2016
#ifplugin Mail::SpamAssassin::Plugin::DKIM
#  meta         __FROM_MISSP_DKIM     (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE)
#  tflags       __FROM_MISSP_DKIM     net
#  meta         FROM_MISSP_DKIM       __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
#  describe     FROM_MISSP_DKIM       From misspaced, DKIM dependable
#else
#  meta         __FROM_MISSP_DKIM     0
#endif

# Misspaced From plus a Reply-To header; the negated terms are FP guards
# defined elsewhere
meta           __FROM_MISSP_REPLYTO  __FROM_RUNON && __HAS_REPLY_TO
meta           FROM_MISSP_REPLYTO    __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB 
describe       FROM_MISSP_REPLYTO    From misspaced, has Reply-To
score          FROM_MISSP_REPLYTO    2.500	# limit

## To the same
#header         TO_MISSPACED          To =~ /^\s*"[^"]*"</
#describe       TO_MISSPACED          To: missing whitespace
#score          TO_MISSPACED          0.25

# Misspaced From from a freemail sender or Reply-To (FREEMAIL_FROM /
# FREEMAIL_REPLYTO come with the FreeMail plugin). Only the __ sub-rule gets
# a 0 fallback; FROM_MISSP_FREEMAIL itself does not exist without the plugin.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  meta         FROM_MISSP_FREEMAIL   __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
  describe     FROM_MISSP_FREEMAIL   From misspaced + freemail provider
  #score        FROM_MISSP_FREEMAIL   2.0
else
  meta         __FROM_MISSP_FREEMAIL 0
endif

# Misspaced From claiming a Microsoft mailer (Outlook X-Mailer or a MimeOLE
# header; both sub-rules are defined elsewhere)
meta           FROM_MISSP_MSFT       __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
describe       FROM_MISSP_MSFT       From misspaced + supposed Microsoft tool
#score          FROM_MISSP_MSFT       3.5

# Misspaced From sent from a relay with dynamic-looking rDNS
meta           FROM_MISSP_DYNIP      __FROM_RUNON && RDNS_DYNAMIC
describe       FROM_MISSP_DYNIP      From misspaced + dynamic rDNS
#score          FROM_MISSP_DYNIP      2.0


# observed in spam 8/2009
# observed in spam 8/2009
# Run over the whole header block (ALL): the X-Mailer value is captured and
# must reappear verbatim (\1) as the Organization value, in either header
# order. With /s the ".*" may span any number of intervening headers.
header         __MUA_EQ_ORG_1        ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism
header         __MUA_EQ_ORG_2        ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism
meta           MAILER_EQ_ORG         __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2
describe       MAILER_EQ_ORG         X-Mailer: same as Organization:
#tflags         MAILER_EQ_ORG         publish

# Same idea for the From display name vs. Organization; only the sub-rules
# are live, the scoring meta is commented out.
header         __FROM_EQ_ORG_1       ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
header         __FROM_EQ_ORG_2       ALL =~ /\nOrganization: ([^\n]+)\n.*From: "?\1"?/ism
#meta           FROM_EQ_ORG           __FROM_EQ_ORG_1 || __FROM_EQ_ORG_2
#describe       FROM_EQ_ORG           From: same as Organization:
#tflags         FROM_EQ_ORG           publish


# observed in UCE 9/2009
#header         __HDRS_LCASE          ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm
# Header names in a non-canonical capitalization (no /i flag, so only the
# listed spellings match). "multiple maxhits=3" makes the rule count hits,
# which the > 1 / > 2 metas further down rely on.
header         __HDRS_LCASE          ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
tflags         __HDRS_LCASE          multiple maxhits=3

# __MSGID_APPLEMAIL (defined elsewhere) is an uppercase-only GUID Message-ID,
# so the GUID rules below may be redundant with it.
# __MSGID_GUID: exact 8-4-4-4-12 hex GUID, any case. __MSGID_GUID_LOOSE:
# uppercase only, with group lengths that may be off by one. A "fake" GUID
# is one that passes the loose form but not the strict one.
header         __MSGID_GUID          Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
header         __MSGID_GUID_LOOSE    Message-ID =~ /^<?[0-9A-Z]{8}-(?:[0-9A-Z]{3,4}-){3}[0-9A-Z]{11,12}\@/
meta           __MSGID_GUID_FAKE     __MSGID_GUID_LOOSE && !__MSGID_GUID
# It would be nice if somebody could identify the MUA/MTA that generates this:
header         __MSGID_HEX_UID       Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
# It would be nice if somebody could identify the MUA/MTA that generates this:
header         __MSGID_HEXISH        Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/

# MUAs and MTAs known or suspected to do this
# Mailers known or suspected to emit oddly-capitalized headers; a hit on
# __HDRS_LCASE_KNOWN suppresses the scored rules below. __MSGID_JAVAMAIL,
# __UA_MSOEMAC and __MSGID_APPLEMAIL are defined elsewhere.
header         __UA_MSOMAC           User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
meta           __HDRS_LCASE_KNOWN    __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH

# One odd header. The two definitions differ only in the extra
# !__freemail_safe guard available with the FreeMail plugin.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         HDRS_LCASE            __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
else
  meta         HDRS_LCASE            __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
describe       HDRS_LCASE            Odd capitalization of message header
score          HDRS_LCASE            0.10	# limit
# hit counts from the "multiple maxhits=3" tflags on __HDRS_LCASE
meta           __MANY_HDRS_LCASE     __HDRS_LCASE > 1
meta           __TOOMANY_HDRS_LCASE  __HDRS_LCASE > 2
# Two or more odd headers; same FreeMail-only guard as HDRS_LCASE.
# __TOOMANY_HDRS_LCASE is not used in this part of the file.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         MANY_HDRS_LCASE       __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
else
  meta         MANY_HDRS_LCASE       __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
describe       MANY_HDRS_LCASE       Odd capitalization of multiple message headers
score          MANY_HDRS_LCASE       0.10	# limit

# Some metas that appear to perform well in masscheck
#meta           __HDRS_LCASE_1K       __HDRS_LCASE && __SINGLE_HEADER_1K
#meta           HDRS_LCASE_1K         __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE
#describe       HDRS_LCASE_1K         Odd capitalization of message headers + long header
#score          HDRS_LCASE_1K         0.50	# limit
# Odd header capitalization in an image-only HTML message (__HTML_IMG_ONLY
# is defined elsewhere), excluding the known mailers
meta           HDRS_LCASE_IMGONLY    __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
describe       HDRS_LCASE_IMGONLY    Odd capitalization of message headers + image-only HTML
score          HDRS_LCASE_IMGONLY    0.10	# limit




# observed in UCE from India, 9/2009
# observed in UCE from India, 9/2009
# empty angle-bracket address in a return-receipt request header
header         MDN_BOTCHED           Disposition-notification-to =~ /<>/
describe       MDN_BOTCHED           Malformed return receipt header

# observed in spam 9/2009
# Raw (undecoded) headers where the colon after Subject/From/To/Reply-To is
# directly followed by a non-space; /m lets ^ match at each header start.
# The FP guard excludes all-hex From addresses with an empty Subject.
header         __HDRS_MISSP          ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
meta           HDRS_MISSP            __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
describe       HDRS_MISSP            Misspaced headers
score          HDRS_MISSP            2.500	# limit
tflags         HDRS_MISSP            publish

# a literal "@@BOUNDARY" MIME boundary string
header         SPAMMY_MIME_BDRY_01  Content-Type =~ /boundary="\@\@BOUNDARY"/
describe       SPAMMY_MIME_BDRY_01  Spammy MIME boundary string
#score          SPAMMY_MIME_BDRY_01  0.10

# testing (no score yet)
# Boundary of 8+ dashes followed by 16 digits none of which is a zero,
# combined with a Thunderbird mailer (__MUA_TBIRD is defined elsewhere)
header         __TB_MIME_BDRY_NO_Z   Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
meta           TBIRD_SUSP_MIME_BDRY  __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe       TBIRD_SUSP_MIME_BDRY  Unlikely Thunderbird MIME boundary

# too FP-prone to enable, even though it has a good S/O and hits >20% of spam in masschecks
#meta           TBIRD_SPOOF           __MUA_TBIRD && !__HAS_IN_REPLY_TO && !__HAS_X_REF  && !__THREADED  && !__VIA_ML && !__NOT_SPOOFED && !__HAS_SENDER && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__RP_MATCHES_RCVD && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL_MESSY && !__MIME_BASE64 && !__S25R_1
#describe       TBIRD_SPOOF           Claims Thunderbird mail client but looks suspicious
#score          TBIRD_SPOOF           2.00	# limit

# seen in a few HTML fraud spams
# three consecutive &shy; entities in the raw (un-rendered) body; nopublish
rawbody        RUNON_SHY          /(?:\&shy;){3}/i
describe       RUNON_SHY          Repeating soft hyphens
#score          RUNON_SHY          0.1
tflags         RUNON_SHY          nopublish

# Seen all too often
# placeholder/example domains left in the To header
header         LAZY_LISTWASHING   To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
describe       LAZY_LISTWASHING   Lazy spammer, painfully obvious bogus addresses
#score          LAZY_LISTWASHING   0.25

# Little to work with
# "please review/see (the) attached/attachment" and "download the attached";
# used by the FREEMAIL_RVW_ATTCH and EMPTY_RVW_ATTCH metas below
body           __PLS_REVIEW       /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
body           __DLND_ATTACH      /\bdownload\sthe\sattach(?:ed|ment)\b/i

# Word/RTF and PDF attachment detection by MIME type (_MT) or by a quoted
# name/filename extension (_FN1 in Content-Type, _FN2 in Content-Disposition).
# __DOC_ATTACH_MT and __PDF_ATTACH_MT are also used by DOC_ATTACH_NO_EXT in
# the first MIMEHeader block; all eight sub-rules get 0 fallbacks below.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __DOC_ATTACH_MT    Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
  mimeheader   __DOC_ATTACH_FN1   Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
  mimeheader   __DOC_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
  meta         __DOC_ATTACH       (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
  mimeheader   __PDF_ATTACH_MT    Content-Type =~ m,\bapplication/pdf\b,i
  mimeheader   __PDF_ATTACH_FN1   Content-Type =~ /="[^"]+\.pdf"/i
  mimeheader   __PDF_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.pdf"/i
  meta         __PDF_ATTACH       (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)

  # observed in 419 spam
  # two size= parameters in one Content-Disposition header
  mimeheader   CDISP_SZ_MANY      Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
  describe     CDISP_SZ_MANY      Suspicious MIME header
  score        CDISP_SZ_MANY      2.0  # limit
else
  meta         __DOC_ATTACH_MT    0
  meta         __DOC_ATTACH_FN1   0
  meta         __DOC_ATTACH_FN2   0
  meta         __DOC_ATTACH       0
  meta         __PDF_ATTACH_MT    0
  meta         __PDF_ATTACH_FN1   0
  meta         __PDF_ATTACH_FN2   0
  meta         __PDF_ATTACH       0
endif

# Document/PDF attachment from a freemail sender or Reply-To, and two
# refinements (all recipients hidden; "please review attached" wording).
# No else branch: __FREEMAIL_DOC_PDF is only referenced inside this block.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FREEMAIL_DOC_PDF     (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  meta         FREEMAIL_DOC_PDF       __FREEMAIL_DOC_PDF
  describe     FREEMAIL_DOC_PDF       MS document or PDF attachment, from freemail

  meta         FREEMAIL_DOC_PDF_BCC   __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
  describe     FREEMAIL_DOC_PDF_BCC   MS document or PDF attachment, from freemail, all recipients hidden

  meta         FREEMAIL_RVW_ATTCH     (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
  describe     FREEMAIL_RVW_ATTCH     Please review attached document, from freemail
endif

# "please review attached" wording with an otherwise empty body
# (__EMPTY_BODY is defined elsewhere)
meta           EMPTY_RVW_ATTCH      (__PLS_REVIEW || __DLND_ATTACH) && __EMPTY_BODY
describe       EMPTY_RVW_ATTCH      Please review attached document, empty message

# Spammer-style "stop/end/remove ... future emails/alerts" phrasing. The
# embedded negative lookaheads (stop(?! receiving these ...),
# do(?! not wish to receive ...)) carve out common legitimate unsubscribe
# wording.
# NOTE(review): in "(?:a-z{1,30} ){0,4}" the a-z is outside a character
# class, so it means a literal "a-" followed by 1-30 "z" characters and that
# alternative can effectively never match; the intent was presumably
# "(?:[a-z]{1,30} ){0,4}". Deliberately left unchanged: the corrected form
# also matches phrases like "remove yourself from our mailing list", so the
# rule (scored 2.5) needs a masscheck before the pattern is fixed.
body           __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
# With the DKIM plugin, a dependable DKIM result or a DKIM_SIGNED hit also
# suppresses the scored rule; the other guards are shared.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta         END_FUTURE_EMAILS   __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
else
  meta         END_FUTURE_EMAILS   __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
endif
describe       END_FUTURE_EMAILS   Spammy unsubscribe
score          END_FUTURE_EMAILS   2.500	# limit


# "complaints about this ad" (ad+ also catches "add")
body           AD_COMPLAINTS       /\bcomplaints about this ad+\b/i
describe       AD_COMPLAINTS       Complain about this spam

# observed in bank phishing 09/2009
#rawbody        MISQ_HTML           /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/
#describe       MISQ_HTML           Unbalanced quotes in HTML tag
#tflags         MISQ_HTML           nopublish

# observed in bank phishing 09/2009
# image URI hosted on a *wikimedia.org / *wikipedia.org host
uri            WIKI_IMG            m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
describe       WIKI_IMG            Image from wikipedia

# observed in spam 09/2009
# Subject starting with "RE::" (double colon)
header         SUBJ_RE_CLNCLN      Subject =~ /^\s*RE::/
describe       SUBJ_RE_CLNCLN      Subject RE::

# observed in spam 02/2011
header         TO_SEM_SEM          To =~ /;;/
describe       TO_SEM_SEM          To has ";;"
tflags         TO_SEM_SEM          nopublish

# six dot-terminated labels (each 1-30 chars) right after the scheme
uri            __MANY_SUBDOM       m;^https?://(?:[^\./]{1,30}\.){6};i
meta           MANY_SUBDOM         __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
describe       MANY_SUBDOM         Lots and lots of subdomain parts in a URI

# by request of Benny Pedersen <me@junc.org> on the users list 10/9/2009
#meta           RFC_ABUSE_POST      (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST)
#describe       RFC_ABUSE_POST      Both abuse and postmaster missing on sender domain
#score          RFC_ABUSE_POST      0.01
#tflags         RFC_ABUSE_POST      net

# no /i flag: matches the capitalized "Call this phone number ... with Skype"
# only; no describe line
body           CALL_SKYPE            /\bCall this phone number [\w\s]{0,30}with Skype\b/

# <SPAN> tags shouldn't appear in the midst of text
# Both sub-rules count up to 5 hits (multiple maxhits=5); the meta requires
# more than 4 of each, i.e. the cap must be reached on both.
rawbody        __SPAN_BEG_TEXT     /[a-z]{2}<(?i:span)\s/
tflags         __SPAN_BEG_TEXT     multiple maxhits=5
rawbody        __SPAN_END_TEXT     /[^;>]<\/(?i:span)>[a-z]{3}/
tflags         __SPAN_END_TEXT     multiple maxhits=5
meta           __MANY_SPAN_IN_TEXT   (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
meta           MANY_SPAN_IN_TEXT   __MANY_SPAN_IN_TEXT && !__VIA_ML
describe       MANY_SPAN_IN_TEXT   Many <SPAN> tags embedded within text
tflags         MANY_SPAN_IN_TEXT   publish
#score          MANY_SPAN_IN_TEXT   2.50

#uri            __FEEDPROXY_URI     m;http://feedproxy\.google\.com/;i
#rawbody        __FEEDPROXY         m;http://feedproxy\.google\.com/;i
#tflags         __FEEDPROXY         multiple maxhits=5
#meta           MANY_GOOG_FDPROXY   __FEEDPROXY > 4
#describe       MANY_GOOG_FDPROXY   Many Google feedproxy URIs

# An inline style attribute that contains both a single-digit px FONT-SIZE
# and a FLOAT (in either order), with any other declarations in between.
rawbody        TINY_FLOAT         /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i
describe       TINY_FLOAT         Has small-font floating HTML - text obfuscation?
#score          TINY_FLOAT         2.00


# endless requests on the users list...
# endless requests on the users list...
# The From address is captured and must reappear (\1) as the To address,
# with any number of 1-100 char header lines in between; two rules because
# the headers can appear in either order. The scan runs over the whole
# header block (ALL) with a backreference, so it backtracks more than the
# typical single-header rule.
header         __TO_EQ_FROM_1       ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
header         __TO_EQ_FROM_2       ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta           __TO_EQ_FROM         (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe       __TO_EQ_FROM         To: same as From:
#tflags         __TO_EQ_FROM         publish

# Suggested by Hans-Werner Friedemann on users list 09/30/2010
# the From address also appears in the Subject
header         __SUBJ_HAS_FROM_1    ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
meta           FROM_IN_TO_AND_SUBJ  (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID 
describe       FROM_IN_TO_AND_SUBJ  From address is in To and Subject
tflags         FROM_IN_TO_AND_SUBJ  publish

# The recipient address appears in the Subject: taken from To (_1), from a
# Received "for <...>" clause (_2), or an address in the Subject that later
# shows up in To (_3; the lookahead requires an @ in the Subject first).
header         __SUBJ_HAS_TO_1      ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header         __SUBJ_HAS_TO_2      ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header         __SUBJ_HAS_TO_3      ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
meta           __TO_IN_SUBJ         (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
# !__LCL__ENV_AND_HDR_FROM_MATCH uses the HeaderEval shim from the top of
# the file; the other negated terms are FP guards defined elsewhere
meta           TO_IN_SUBJ           __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe       TO_IN_SUBJ           To address is in Subject
tflags         TO_IN_SUBJ           publish
score          TO_IN_SUBJ           0.1

# Same as _1/_2 above but only the local part (before the @) is captured;
# the meta excludes messages already caught by __TO_IN_SUBJ
header         __SUBJ_HAS_TOUSR_1   ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^@\n\s>,]+)@[^\n\s>;]+>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header         __SUBJ_HAS_TOUSR_2   ALL =~ /\nReceived:[^\n]{0,200} for <?([^@\n\s>;]+)@[^\n\s>;]+>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
meta           __TOUSR_IN_SUBJ      (__SUBJ_HAS_TOUSR_1 || __SUBJ_HAS_TOUSR_2) && !__TO_IN_SUBJ

# any email-address-looking token in the Subject; not referenced in this
# part of the file
header         __SUBJ_HAS_ANY_EMAIL Subject =~ /\b[a-z][a-z0-9_.+]+@(?:[a-z][-a-z0-9]+\.)+[a-z]{2,8}\b/i


# To == From combined with other weak signals (HTML-only body, direct-to-MX
# delivery, SPF failure). MIME_HTML_ONLY, __DOS_DIRECT_TO_MX, __HUSH_HUSH
# and the negated FP guards are defined elsewhere.
meta           __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
meta           TO_EQ_FM_HTML_ONLY   __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
describe       TO_EQ_FM_HTML_ONLY   To == From and HTML only
#tflags         TO_EQ_FM_HTML_ONLY   publish

meta           __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
meta           TO_EQ_FM_DIRECT_MX   __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED 
describe       TO_EQ_FM_DIRECT_MX   To == From and direct-to-MX
score          TO_EQ_FM_DIRECT_MX   2.500	# limit
tflags         TO_EQ_FM_DIRECT_MX   publish

# Why __HUSH_HUSH hits ham on this in masscheck I don't know. Legit bank emails maybe?
meta           __TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY
meta           TO_EQ_FM_HTML_DIRECT  __TO_EQ_FM_HTML_DIRECT && !__HUSH_HUSH
describe       TO_EQ_FM_HTML_DIRECT  To == From and HTML only, direct-to-MX
#tflags         TO_EQ_FM_HTML_DIRECT  publish

# Only the __ sub-rule gets a 0 fallback; TO_EQ_FM_SPF_FAIL does not exist
# without the SPF plugin. "net" marks the DNS dependency.
ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           __TO_EQ_FM_SPF_FAIL  __TO_EQ_FROM && SPF_FAIL
  tflags         __TO_EQ_FM_SPF_FAIL  net
  meta           TO_EQ_FM_SPF_FAIL    __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
  describe       TO_EQ_FM_SPF_FAIL    To == From and external SPF failed
  tflags         TO_EQ_FM_SPF_FAIL    net
else
  meta           __TO_EQ_FM_SPF_FAIL  0
endif

# Paul Stead on SA list 11/2014
# possessive quantifiers (++) are not supported by perl 5.8.x, hence the version guard below
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  header     __PDS_TO_EQ_FROM_NAME_1  ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
  header     __PDS_TO_EQ_FROM_NAME_2  ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism

  meta       PDS_TO_EQ_FROM_NAME      (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER 
  describe   PDS_TO_EQ_FROM_NAME      From: name same as To: address

  header     __PDS_FROM_2_EMAILS      From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
  meta       PDS_FROM_2_EMAILS        __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS 
  describe   PDS_FROM_2_EMAILS        From header has multiple different addresses
  score      PDS_FROM_2_EMAILS        3.500	# limit

  meta       __FROM_MULTI_NORDNS      __PDS_FROM_2_EMAILS && __RDNS_NONE 
  meta       FROM_MULTI_NORDNS        __FROM_MULTI_NORDNS
  describe   FROM_MULTI_NORDNS        Multiple From addresses + no rDNS

  meta       __FROM_MULTI_SHORT_IMG   __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
  meta       FROM_MULTI_SHORT_IMG     __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY 
  describe   FROM_MULTI_SHORT_IMG     Multiple From addresses + short message with image

endif

uri     __PDS_LOC_WP_POMO       m;/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php).*;i


header         __FROM_ALL_NUMS      From:addr =~ /^\d+@/
header         __TO_ALL_NUMS        To:addr =~ /^\d+@/
meta           __FM_TO_ALL_NUMS     __FROM_ALL_NUMS && __TO_ALL_NUMS

header         __TO_EQ_FROM_DOM_1   ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
header         __TO_EQ_FROM_DOM_2   ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
meta           __TO_EQ_FROM_DOM     (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe       __TO_EQ_FROM_DOM     To: domain same as From: domain

meta           __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
meta           TO_EQ_FM_DOM_HTML_ONLY   __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
describe       TO_EQ_FM_DOM_HTML_ONLY   To domain == From domain and HTML only

meta           __TO_EQ_FM_DOM_HTML_IMG  __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
meta           TO_EQ_FM_DOM_HTML_IMG    __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
describe       TO_EQ_FM_DOM_HTML_IMG    To domain == From domain and HTML image link

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           __TO_EQ_FM_DOM_SPF_FAIL  __TO_EQ_FROM_DOM && SPF_FAIL
  tflags         __TO_EQ_FM_DOM_SPF_FAIL  net
  meta           TO_EQ_FM_DOM_SPF_FAIL    __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
  describe       TO_EQ_FM_DOM_SPF_FAIL    To domain == From domain and external SPF failed
  tflags         TO_EQ_FM_DOM_SPF_FAIL    net
else
  meta           __TO_EQ_FM_DOM_SPF_FAIL  0
endif


# Evaluate ReturnPath and blacklist collisions
meta           __RP_SAFE_BRBL             RCVD_IN_RP_SAFE && RCVD_IN_BRBL_LASTEXT
meta           __RP_CERTIFIED_BRBL        RCVD_IN_RP_CERTIFIED && RCVD_IN_BRBL_LASTEXT
tflags         __RP_SAFE_BRBL             net nopublish
tflags         __RP_CERTIFIED_BRBL        net nopublish
meta           __RP_SAFE_ZEN              RCVD_IN_RP_SAFE && __RCVD_IN_ZEN
meta           __RP_CERTIFIED_ZEN         RCVD_IN_RP_CERTIFIED && __RCVD_IN_ZEN
tflags         __RP_SAFE_ZEN              net nopublish
tflags         __RP_CERTIFIED_ZEN         net nopublish
meta           __RP_SAFE_SORBS            RCVD_IN_RP_SAFE && __RCVD_IN_SORBS
meta           __RP_CERTIFIED_SORBS       RCVD_IN_RP_CERTIFIED && __RCVD_IN_SORBS
tflags         __RP_SAFE_SORBS            net nopublish
tflags         __RP_CERTIFIED_SORBS       net nopublish
meta           __RP_SAFE_XBL              RCVD_IN_RP_SAFE && RCVD_IN_XBL
meta           __RP_CERTIFIED_XBL         RCVD_IN_RP_CERTIFIED && RCVD_IN_XBL
tflags         __RP_SAFE_XBL              net nopublish
tflags         __RP_CERTIFIED_XBL         net nopublish
meta           __RP_SAFE_PSBL             RCVD_IN_RP_SAFE && RCVD_IN_PSBL
meta           __RP_CERTIFIED_PSBL        RCVD_IN_RP_CERTIFIED && RCVD_IN_PSBL
tflags         __RP_SAFE_PSBL             net nopublish
tflags         __RP_CERTIFIED_PSBL        net nopublish
#meta           __RP_SAFE_ANBREP_L3        RCVD_IN_RP_SAFE && RCVD_IN_ANBREP_L3
#meta           __RP_CERTIFIED_ANBREP_L3   RCVD_IN_RP_CERTIFIED && RCVD_IN_ANBREP_L3
#tflags         __RP_SAFE_ANBREP_L3        net nopublish
#tflags         __RP_CERTIFIED_ANBREP_L3   net nopublish

# a URI in the From comment text, to bypass URIBL checks
# simplistic URI format for now
header         __FROM_URI_1               From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i
header         __FROM_URI_2               From =~ m;http://(?:[^.\s]+\.){1,3}(?:com|net|info|biz|org|\w\w)\b;i
meta           FROM_URI                   __FROM_URI_1 || __FROM_URI_2
describe       FROM_URI                   URI or www. in From

# observed in spam feb 2010
# Apparently-To per RFC2821 SHOULD NOT be used
header         __APPARENTLY_TO            Apparently-To =~ /<.*>/
tflags         __APPARENTLY_TO            multiple maxhits=21 nopublish
meta           HAS_APPARENTLY_TO          __APPARENTLY_TO > 0
describe       HAS_APPARENTLY_TO          Has deprecated Apparently-To header
#score          HAS_APPARENTLY_TO          0.50
tflags         HAS_APPARENTLY_TO          nopublish
meta           MANY_APPARENTLY_TO         __APPARENTLY_TO > 20
describe       MANY_APPARENTLY_TO         Has many Apparently-To headers
#score          MANY_APPARENTLY_TO         2.00
tflags         MANY_APPARENTLY_TO         nopublish

# obfuscation of "opt out"
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           FUZZY_OPTOUT             /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i
  replace_rules  FUZZY_OPTOUT
  describe       FUZZY_OPTOUT             Obfuscated opt-out text
endif

# stock spam disclaimer obfuscation
# body           GAPPY_TRADING              /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body           GAPPY_SECURITIES           /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i
# body           GAPPY_RISK                 /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i
# body           GAPPY_SELLING              /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body           GAPPY_HUNDRED              /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i
# body           GAPPY_THOUSAND             /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i
# body           GAPPY_EXPENSES             /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i
# body           GAPPY_DOLLARS              /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i
#
# describe       GAPPY_TRADING              Possible obfuscated stock disclaimer
# describe       GAPPY_SECURITIES           Possible obfuscated stock disclaimer
# describe       GAPPY_RISK                 Possible obfuscated stock disclaimer
# describe       GAPPY_SELLING              Possible obfuscated stock disclaimer
# describe       GAPPY_HUNDRED              Possible obfuscated stock disclaimer
# describe       GAPPY_THOUSAND             Possible obfuscated stock disclaimer
# describe       GAPPY_EXPENSES             Possible obfuscated stock disclaimer
# describe       GAPPY_DOLLARS              Possible obfuscated stock disclaimer

body           GAPPY_GENITALIA          /\bp(?!enis)(?!en is)[^a-z]?e[^a-z]?n[^a-z]?i[^a-z]?s(?:\b|_)/i
describe       GAPPY_GENITALIA          G.a.p.p.y male body parts

body           GAPPY_PILLS              /\bp(?!ills)[^a-z]?i[^a-z]?l[^a-z]?l[^a-z]?s(?:\b|_)/i
describe       GAPPY_PILLS              G.a.p.p.y pills

body           __STYLE_TAG_IN_BODY      /<style(?:[^>]{0,30})?>/i
body           __BODY_XHTML             /<x-html>/i

#if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
#  # possessive {0,4}+ requires perl 5.10 or better
#  rawbody        __STYLE_GIBBERISH_1      /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>)(?:(?:\/\*(?:\s|[^*<]|\*(?!\/)|<(?!\/style>|!--)){0,200}\*\/)|\#[^{<]{1,50}\{[^}<]{4,100}\})){0,4}+(?:\s{0,100}(?!<\/style>|\/\*|<!--)(?:\/{3,}?\*|,,?+|;;?+|::?+|\|\|?+|[^\s:;,\|]|[:;,\|\/]{2})){150}/im
#else
#  # older perl, can't deal with style comments properly
#  rawbody        __STYLE_GIBBERISH_1      /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im
#endif
#rawbody        __STYLE_GIBBERISH_2      /\.style\w{0,20}\s{1,10}\{[^:;]{200}/im
#rawbody        __STYLE_GIBBERISH_3      /<style(?:\s[^>]{0,40})?>\s{0,80}(?:[\w:]{1,30}\s{0,10}\{[^}]{1,50}\}\s{0,80}){1,5}(?:[\w,.']{1,30}\s{1,10}){40}/im
#meta           __STYLE_GIBBERISH        (__STYLE_GIBBERISH_1 || __STYLE_GIBBERISH_2 || __STYLE_GIBBERISH_3)
#meta           STYLE_GIBBERISH          __STYLE_GIBBERISH && (__BODY_XHTML || !__STYLE_TAG_IN_BODY) && !__RCD_RDNS_MX_MESSY && !__HAS_THREAD_INDEX && !__ANY_OUTLOOK_MUA && !__MIME_QP && !ALL_TRUSTED
#describe       STYLE_GIBBERISH          Nonsense in HTML <STYLE> tag
#score          STYLE_GIBBERISH          3.50	# limit
#tflags         STYLE_GIBBERISH          publish

# __SCRIPT_TAG_IN_BODY is a body rule, so it only fires when a literal "<script>"
# survives into the rendered text (markup quoted as text, not active markup).
body           __SCRIPT_TAG_IN_BODY     /<script>/i
# Raw HTML: a <script> tag followed by 100+ characters with no ';' and no '<',
# i.e. a long run that contains no statement terminator and no further tag.
rawbody        __SCRIPT_GIBBERISH       /<script>[^;<]{100}/im
# Presumably requiring the tag to be absent from the rendered body (unless the
# message is x-html) filters mail that merely discusses script markup — confirm.
meta           SCRIPT_GIBBERISH         __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
describe       SCRIPT_GIBBERISH         Nonsense in HTML <SCRIPT> tag

rawbody        __COMMENT_GIBBERISH      /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
meta           COMMENT_GIBBERISH        __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
describe       COMMENT_GIBBERISH        Nonsense in long HTML comment
score          COMMENT_GIBBERISH        1.50	# limit
tflags         COMMENT_GIBBERISH        publish

#rawbody        MANY_DIV_5                   /(?:<div[^>]{0,30}>\s{0,80}){5}/im
#tflags         MANY_DIV_5                    nopublish
#rawbody        MANY_DIV_6                   /(?:<div[^>]{0,30}>\s{0,80}){6}/im
#tflags         MANY_DIV_6                    nopublish
#rawbody        MANY_DIV_7                   /(?:<div[^>]{0,30}>\s{0,80}){7}/im
#tflags         MANY_DIV_7                    nopublish
#rawbody        MANY_DIV_8                   /(?:<div[^>]{0,30}>\s{0,80}){8}/im
#tflags         MANY_DIV_8                    nopublish
#rawbody        MANY_DIV_9                   /(?:<div[^>]{0,30}>\s{0,80}){9}/im
#tflags         MANY_DIV_9                    nopublish
#rawbody        MANY_DIV_10                   /(?:<div[^>]{0,30}>\s{0,80}){10}/im
#tflags         MANY_DIV_10                   nopublish

#header         FROM_TRL_UNDR              From =~ /_\@/
#tflags         FROM_TRL_UNDR              nopublish

#body           LOTSA_EMAILS               /\b(?:thousand|million)\se-?mail(?:\saddresse)?s?\b/i
#tflags         LOTSA_EMAILS               nopublish

body           __BIGNUM_EMAIL_TST1        /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]+k?|k))\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mail)\b/i
body           __BIGNUM_EMAIL_TST2        /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]+k?|k))\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mails)\b/i
body           __BIGNUM_EMAIL_TST3        /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]+k?|k))\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mail:)/i
body           __BIGNUM_EMAIL_TST4        /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]+k?|k))\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mail(?!:)s?)\b/i
body           __BIGNUM_EMAILS            /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]+k?|k))\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mail(?:s|\saddresses)|fax numbers|leads|names)\b/i
tflags         __BIGNUM_EMAILS            multiple maxhits=5
meta           BIGNUM_EMAILS              __BIGNUM_EMAILS && !BIGNUM_EMAILS_MANY && !__BIGNUM_EMAILS_FREEM && !__RDNS_HEX && !MIME_QP_LONG_LINE 
describe       BIGNUM_EMAILS              Lots of email addresses/leads
score          BIGNUM_EMAILS              2.50		# limit
tflags         BIGNUM_EMAILS              publish

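# __freemail_hdr_replyto is supplied by the FreeMail plugin; guard it the way
# the other FreeMail-dependent rules in this file are guarded, and define the
# __ meta as 0 otherwise so BIGNUM_EMAILS (which negates __BIGNUM_EMAILS_FREEM)
# still resolves when the plugin is not loaded.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta           __BIGNUM_EMAILS_FREEM      __BIGNUM_EMAILS && __freemail_hdr_replyto
  meta           BIGNUM_EMAILS_FREEM        __BIGNUM_EMAILS_FREEM
  describe       BIGNUM_EMAILS_FREEM        Lots of email addresses/leads, free email account
  score          BIGNUM_EMAILS_FREEM        3.00		# limit
  tflags         BIGNUM_EMAILS_FREEM        publish
else
  meta           __BIGNUM_EMAILS_FREEM      0
endif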

meta           __BIGNUM_EMAILS_2          __BIGNUM_EMAILS > 1
meta           __BIGNUM_EMAILS_3          __BIGNUM_EMAILS > 2
meta           __BIGNUM_EMAILS_4          __BIGNUM_EMAILS > 3
meta           __BIGNUM_EMAILS_5          __BIGNUM_EMAILS > 4
meta           BIGNUM_EMAILS_MANY         __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER 
describe       BIGNUM_EMAILS_MANY         Lots of email addresses/leads, over and over
score          BIGNUM_EMAILS_MANY         3.00		# limit
tflags         BIGNUM_EMAILS_MANY         publish

#rawbody        __HTML_ELEM_OBFU           /[a-z\s]&\#[91]\d\d?[a-z]/
#tflags         __HTML_ELEM_OBFU           multiple nopublish
#meta           HTML_ELEM_OBFU_25          __HTML_ELEM_OBFU > 25
#tflags         HTML_ELEM_OBFU_25          nopublish
#meta           HTML_ELEM_OBFU_50          __HTML_ELEM_OBFU > 50
#tflags         HTML_ELEM_OBFU_50          nopublish
#meta           HTML_ELEM_OBFU_100         __HTML_ELEM_OBFU > 100
#tflags         HTML_ELEM_OBFU_100         nopublish
#meta           HTML_ELEM_OBFU_150         __HTML_ELEM_OBFU > 150
#tflags         HTML_ELEM_OBFU_150         nopublish

#header         PPMC_FROM_1                From =~ /\bPayPa[IL](?:\.Com)?\b/
#describe       PPMC_FROM_1                Paypal phishing sign

# A path separator — literal '/' or '\', or its percent-encoded form %2F / %5C —
# followed by a path segment that starts with a dot. The lookahead excludes the
# relative segments '.' and '..'. The leading .{8} keeps the match away from the
# '//' of the scheme at the very start of the URI.
uri            URI_HIDDEN_2               m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..;
describe       URI_HIDDEN_2               URI contains a hidden file or directory



# Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
header          __NSL_ORIG_FROM_41        X-Originating-IP =~ /^(?:.+\[)?41\./
describe        __NSL_ORIG_FROM_41        Originates from 41.0.0.0/8

# Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
# consider using khop __RCVD_VIA_AFRINIC_E instead
#header          __NSL_RCVD_FROM_41        Received =~ /[([]41\./
header          __NSL_RCVD_FROM_41        X-Spam-Relays-External =~ / ip=41\./
describe        __NSL_RCVD_FROM_41        Received from 41.0.0.0/8

meta            __MONEY_FROM_41           __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
meta            MONEY_FROM_41             __MONEY_FROM_41
describe        MONEY_FROM_41             Lots of money from Africa
score           MONEY_FROM_41             2.00	# limit


# some metas with the above, maybe reduce FPs
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FROM_41_FREEMAIL         (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
  describe     __FROM_41_FREEMAIL         Sent from Africa + freemail provider

#  meta         __FROM_AFR_FREEMAIL       __RCVD_VIA_AFRINIC_E && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
#  describe     __FROM_AFR_FREEMAIL       Sent from Africa + freemail provider
else
  meta         __FROM_41_FREEMAIL         0
endif

# More from Ned
header         NSL_RCVD_HELO_USER       Received =~ /helo[= ]user\)/i
describe       NSL_RCVD_HELO_USER       Received from HELO User

header         NSL_RCVD_FROM_USER       Received =~ /from User [\[\(]/
describe       NSL_RCVD_FROM_USER       Received from User


# observed in spam 3/11/2010
header          DATE_DOTS               Date =~ /\d\d\.\d\d\.\d\d/
describe        DATE_DOTS               Periods in date header

uri             IMAGESHACK_URI          /\.imageshack\.us\//i
describe        IMAGESHACK_URI          URI contains imageshack.us

#uri             __DYNDNS_URI            /\.dyndns\.org(?:\/.*)?/i
#tflags          __DYNDNS_URI            multiple maxhits=2
#meta            DYNDNS_URIS             __DYNDNS_URI > 1
#describe        DYNDNS_URIS             Has multiple dyndns.org URIs


## Does not perform better than URL_SHORTENER family
## the ones it misses are already scoring 7+ points
#uri             __BITLY_URI             /\/\/bit\.ly\//i
#meta            BITLY_URI               __BITLY_URI && !__HDR_CASE_REVERSED && !__HAS_SENDER && !__HAS_CAMPAIGNID && !__DOS_HAS_LIST_UNSUB && !__HAS_ERRORS_TO && !__MAIL_LINK && !__MSGID_JAVAMAIL && !__ENV_AND_HDR_FROM_MATCH && !__THREADED && !__USING_VERP1 && !__IMG_VIA_BITLY && !__URL_SHORTENER 
#describe        BITLY_URI               URI contains bit.ly
#score           BITLY_URI               3.000	# limit
#tflags          BITLY_URI               publish
#
## HTML image sourced via URL shortening service:
## <IMG border=0 hspace=0 alt="" src="http://bit.ly/1OiuN0y" width=26 height=25>
#rawbody         __IMG_VIA_BITLY         m;<img\s[^>]+\ssrc\s*=\s*"?https?://(?:www\.)?bit\.ly/;i
#meta            IMG_VIA_BITLY           __IMG_VIA_BITLY && !SHORTENED_URL_SRC 
#describe        IMG_VIA_BITLY           HTML image via URL shortener - URIBL avoidance?
#score           IMG_VIA_BITLY           2.500	# limit

uri             __URI_OBFU_DOM          /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i
meta            URI_OBFU_DOM            __URI_OBFU_DOM && !__VIA_ML
describe        URI_OBFU_DOM            URI pretending to be different domain

uri             DQ_URI_DOM_IN_PATH      /:\/\/[\d\.]+\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe        DQ_URI_DOM_IN_PATH      DQ URI having a domain name in the path part

uri             LH_URI_DOM_IN_PATH      /:\/\/[^\/]{25,}\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe        LH_URI_DOM_IN_PATH      Long-host URI having a domain name in the path part

# observed in phish 4/10/10
uri             URI_1234                m,//1\.2\.3\.4/,

# requested by Benny Pedersen 17 Apr 2010, 10 Aug 2011
ifplugin Mail::SpamAssassin::Plugin::SPF
  meta            __SPF_FULL_PASS         (SPF_PASS && SPF_HELO_PASS)
  tflags          __SPF_FULL_PASS         net
  meta            __SPF_RANDOM_SENDER     (SPF_HELO_PASS && !SPF_PASS)
  tflags          __SPF_RANDOM_SENDER     net
else
  meta            __SPF_FULL_PASS         0
  meta            __SPF_RANDOM_SENDER     0
endif

# Spam from ZA
header          CAN_SPAM_HDR            CAN-SPAM_Compliant =~ /./
header          RPT_SPAM_HDR            Report-SPAM =~ /./


#header          LONG_FROM               From =~ /<[^<@]{40,}\w\@/


#if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
#  body            __MANY_RECORDS_1        /\s[A-Z][a-z]{1,30}s(?:\sDatabase)?[-:\s]{2,5}(?i:1\smillion\s|\d[\d,.]{1,8}[Kk]?\s(?i:thousand\s|million\s)?)(?i:total\s|full\sdata\s)?(?i:email|record)s/
#  tflags          __MANY_RECORDS_1        multiple maxhits=16
#  body            __MANY_RECORDS_2        /\W{1,4}\s(?:[a-z\/]{1,20}\s){0,4}(?:doctor|physician|provider|therapist|counselor|dentist|veterinarian|clinic|hospital|agent|chiropractor|psychologist|companie|supplier)s/i
#  tflags          __MANY_RECORDS_2        multiple maxhits=16
#  body            __MANY_RECORDS_3        /\W{1,4}\s(?:(?:[A-Z]{1,2}[a-z\/]{0,20}|and)\s){0,4}[A-Z][a-z]{1,20}s Database/
#  tflags          __MANY_RECORDS_3        multiple maxhits=16
#  #meta            BIG_LISTS               (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 5
#  meta            __MANY_BIG_LISTS        (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 15
#  meta            MANY_BIG_LISTS          __MANY_BIG_LISTS && !HTML_MESSAGE && !__CTYPE_MULTIPART_ANY && !__HS_SUBJ_RE_FW && !__HAS_THREAD_INDEX
#  describe        MANY_BIG_LISTS          Lots of mailing lists / databases available!
#endif


# Suggested by Gerard Z 2010-08-15
#uri         __GZ_PILL_SQUAT1       /\/[a-z]{3,8}\d{2}\.html/i
#uri         __GZ_PILL_SQUAT2       /\/[a-z]{3,8}\d{2}\.jpg/i
#meta        __GZ_PILL_SQUATTERS    __GZ_PILL_SQUAT1 && __GZ_PILL_SQUAT2
#meta        GZ_PILL_SQUATTERS      __GZ_PILL_SQUATTERS && !__DOS_RELAYED_EXT && !__FROM_ISO_2022_JP && !__RCD_RDNS_MX_MESSY
#describe    GZ_PILL_SQUATTERS      Found a link to rogue pill pusher content

# observed in multiple spam
header      TO_JOHNZY              TO =~ /johnzy_the_king\@hotmail\.com/i
describe    TO_JOHNZY              To a spammy recipient
#score       TO_JOHNZY              3.00

# Discussed on list and observed in spam 10/15/2010
header      TO_ONE_CHAR            To =~ /^\s*"<"\s*</
describe    TO_ONE_CHAR            Bogus TO name
# Check From: as well...
header      FROM_ONE_CHAR          From =~ /^\s*"[^"]"\s*</
describe    FROM_ONE_CHAR          Bogus FROM name

# __ version of khop rule for FP filtering
meta           __NAME_EMAIL_DIFF   __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL

# 12-letter domain names, suggested by Len Conrad on the users list
header         __RCVD_12LTRDOM     Received =~ /[(\s.][a-z]{12}\./
header         __RPATH_12LTRDOM    Return-Path =~ /\@[a-z]{12}\./
uri            __URI_12LTRDOM      m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i

header         __FROM_12LTRDOM_1   From =~ /\@(?!facebookmail)[a-z]{12}\./
## suppress this, masscheck is publishing it as a T_ rule and ignoring the score limit, so hits get 1 point
#ifplugin Mail::SpamAssassin::Plugin::FreeMail
#  meta         FROM_12LTRDOM       __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
#else
#  meta         FROM_12LTRDOM       __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
#endif
#describe       FROM_12LTRDOM       From a 12-letter domain
##tflags         FROM_12LTRDOM       nopublish
#score          FROM_12LTRDOM       0.10  	# limit

# promising masscheck results
meta           __MONEY_12LTRDOM    __FROM_12LTRDOM_1 && __LOTSA_MONEY_00
meta           MONEY_12LTRDOM      __MONEY_12LTRDOM
score          MONEY_12LTRDOM      0.10		# limit
describe       MONEY_12LTRDOM      Mentions lots of money and from a 12-letter domain

# spammer email addresses noted by D. German on users list 9/2010
body        DG_SPAMMER_EMAIL_B     /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
header      DG_SPAMMER_EMAIL_F     From =~ /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
describe    DG_SPAMMER_EMAIL_B     Recognized spammer email address in body
describe    DG_SPAMMER_EMAIL_F     Recognized spammer email address in From: header

# Spammers can't include the real name successfully...
body        __FORGED_FB_USERCP_01  /This message was intended for Want to control which emails you receive from Facebook\?/i

# Javascript obfuscation noted by J. Brennan on the Users list 09/2010
# document.write(unescape("%XX%XX...")) with at least ten consecutive
# percent-encoded bytes: the page content is assembled at render time, so the
# literal text is not available to body rules. Matched on rawbody because
# script source is stripped from the rendered body.
rawbody     OBFU_JVSCR_ESC         /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
describe    OBFU_JVSCR_ESC         Injects content using obfuscated javascript
#score       OBFU_JVSCR_ESC         2.75
tflags      OBFU_JVSCR_ESC         publish

# Starting to observe in spam
meta        __LIST_PARTIAL         __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
meta        LIST_PARTIAL           __LIST_PARTIAL && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_SENDER && !__HAS_ERRORS_TO 
describe    LIST_PARTIAL           Has incomplete List-* header set
score       LIST_PARTIAL           1.000   # limit

meta        __LIST_PRTL_SAME_USER  __LIST_PARTIAL && __TO_EQ_FROM_USR
meta        LIST_PRTL_SAME_USER    __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO 
describe    LIST_PRTL_SAME_USER    Incomplete List-* headers and from+to user the same
score       LIST_PRTL_SAME_USER    3.000   # limit
tflags      LIST_PRTL_SAME_USER    publish

meta        __LIST_PRTL_PUMPDUMP   __LIST_PARTIAL && __PD_CNT_1
meta        LIST_PRTL_PUMPDUMP     __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS 
describe    LIST_PRTL_PUMPDUMP     Incomplete List-* headers and stock pump-and-dump
score       LIST_PRTL_PUMPDUMP     2.000   # limit
tflags      LIST_PRTL_PUMPDUMP     publish



# in lots of phishing
uri         __UCOZ_URI             /\.ucoz\.org\//i
describe    __UCOZ_URI             URI contains ucoz.org

# Intrust Domains is a persistent domain registration spammer
# recent sign, will likely change
#body        __ARTHUR_SIMMONS       /Arthur Simmons/
#body        __INTRUST_DOMS         /In[Tt]rust Domains/
#meta        ARTHUR_INTRUST         __ARTHUR_SIMMONS && __INTRUST_DOMS
#describe    ARTHUR_INTRUST         Arthur Simmons - registrar spammer extraordinaire

#header      ART_NAMES_ORG          Received =~ /\bart\.names\.org\b/i
#describe    ART_NAMES_ORG          Arthur Simmons - registrar spammer extraordinaire

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __PILL_PRICE_01        m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
  body        __PILL_PRICE_02        /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
  tflags      __PILL_PRICE_01        multiple maxhits=3
  tflags      __PILL_PRICE_02        multiple maxhits=3
  meta        ANY_PILL_PRICE         (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
  describe    ANY_PILL_PRICE         Prices for pills
  meta        MANY_PILL_PRICE        (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
  describe    MANY_PILL_PRICE        Prices for many pills
else
  meta        __PILL_PRICE_01        0
  meta        __PILL_PRICE_02        0
endif

# More from Ned Slider
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta        NSL_FREEMAIL_SUBJ      (FREEMAIL_FROM && MISSING_SUBJECT)
  describe    NSL_FREEMAIL_SUBJ      From freemail with missing subject
#  score       NSL_FREEMAIL_SUBJ      1.0
  tflags      NSL_FREEMAIL_SUBJ      nopublish

  meta        NSL_FREEMAIL_M1        (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS))
  describe    NSL_FREEMAIL_M1        From freemail, missing subject and uri or many recips
#  score       NSL_FREEMAIL_M1        1.0
  tflags      NSL_FREEMAIL_M1        nopublish

  meta        NSL_FREEMAIL_M2        (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS)
  describe    NSL_FREEMAIL_M2        From freemail with uri and many recips
#  score       NSL_FREEMAIL_M2        1.0
  tflags      NSL_FREEMAIL_M2        nopublish
endif

header      NSL_TO_ENDS_COMMA      To =~ /,$/
describe    NSL_TO_ENDS_COMMA      To: ends with a comma
#score       NSL_TO_ENDS_COMMA      0.001
tflags      NSL_TO_ENDS_COMMA      nopublish


body        CN_B2B_SPAMMER         /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
describe    CN_B2B_SPAMMER         Chinese company introducing itself
tflags      CN_B2B_SPAMMER         publish

body        CN_OPTOUT_EML          /\b(?:pasamenzi|arinayuma)\@sina\.com\b/i
describe    CN_OPTOUT_EML          Opt-out email address in CN B2B spams

# __ version of khopesh UPPERCASE_URI, for use in metas
uri         __UPPERCASE_URI        /^[^:A-Z]+[A-Z]/

# __ version of khopesh SINGLE_HEADER_1K, for use in metas
#header      __SINGLE_HEADER_1K     ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s

# for sale newsletters
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_OBO            /\bor best offer\b/i
  tflags      __FOR_SALE_OBO            multiple maxhits=6
  meta        __FOR_SALE_OBO_MANY       __FOR_SALE_OBO > 5

  body        __FOR_SALE_PRC_1K         /\bprice:? \$\d,?\d\d\d[.\s]/i
  tflags      __FOR_SALE_PRC_1K         multiple maxhits=11
  meta        __FOR_SALE_PRC_1K_MANY    __FOR_SALE_PRC_1K > 10

  body        __FOR_SALE_PRC_10K        /\bprice:? \$\d\d,\d\d\d/i
  tflags      __FOR_SALE_PRC_10K        multiple maxhits=11
  meta        __FOR_SALE_PRC_10K_MANY   __FOR_SALE_PRC_10K > 10

  body        __FOR_SALE_PRC_100K       /\bprice:? \$\d\d\d,\d\d\d/i
  tflags      __FOR_SALE_PRC_100K       multiple maxhits=11
  meta        __FOR_SALE_PRC_100K_MANY  __FOR_SALE_PRC_100K > 5

  meta        __FOR_SALE_PRC_MANY       (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20

  body        __FOR_SALE_LTP            /00\.? (?:less 10%|LTP)/i
  tflags      __FOR_SALE_LTP            multiple maxhits=11
  meta        __FOR_SALE_LTP_MANY       __FOR_SALE_LTP > 10

  body        __FOR_SALE_NET            /00\.? NET/i
  tflags      __FOR_SALE_NET            multiple maxhits=11
  meta        __FOR_SALE_NET_MANY       __FOR_SALE_NET > 10

  rawbody     __FOR_SALE_PRC_EOL        /\s\$\d{1,3},\d00(?:\.00)?$/m
  tflags      __FOR_SALE_PRC_EOL        multiple maxhits=11
  meta        __FOR_SALE_PRC_EOL_MANY   __FOR_SALE_PRC_EOL > 10
endif

uri         __URI_MAILTO              /^mailto:/i
tflags      __URI_MAILTO              multiple maxhits=16
meta        __URI_MAILTO_MANY         __URI_MAILTO > 15


header      REPLYTO_EMPTY          Reply-To =~ /<>/
describe    REPLYTO_EMPTY          Reply-To undeliverable

# Recipient-count helpers: each rule counts comma-separated entries (each up to
# 90 characters) in the header, at thresholds of 10, 30 and 50. ToCc is the
# combined To:+Cc: pseudo-header.
header      __TO_MANY              To =~ /(?:,[^,]{1,90}){10}/
header      __CC_MANY              Cc =~ /(?:,[^,]{1,90}){10}/

header      __TO_TOO_MANY          To =~ /(?:,[^,]{1,90}){30}/
header      __CC_TOO_MANY          Cc =~ /(?:,[^,]{1,90}){30}/

header      __TO_WAY_TOO_MANY      ToCc =~ /(?:,[^,]{1,90}){50}/

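# FREEMAIL_FROM comes from the FreeMail plugin; guard the meta as the other
# FreeMail-dependent rules in this file do, so the rule set still lints when
# the plugin is not loaded.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta        FREEMAIL_MANY_TO       __TO_WAY_TOO_MANY && FREEMAIL_FROM
  describe    FREEMAIL_MANY_TO       Freemail sender, 50+ exposed recipients
  score       FREEMAIL_MANY_TO       2.000	# limit
endif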


# North-American phone number written with a space between every digit
# ("1 - 8 0 0 - ..."), a layout used to defeat simple number filters.
body        __GAPPY_PHONE_NA       /1 ?- \d \d \d ?- \d \d \d ?- \d \d \d \d/
meta        GAPPY_PHONE_NA         __GAPPY_PHONE_NA
describe    GAPPY_PHONE_NA         Phone number with lots of spaces

# Seven short tokens (1-15 chars, not starting with a digit), each separated
# by 4-80 whitespace characters or QP-encoded tabs (=09), immediately after an
# HTML tag (_01) or immediately before one (_02).  Both run on the raw message
# ("full") so quoted-printable HTML is covered too.  _03/_04 (runs of encoded
# tabs / newlines at line start) are retired and no longer part of the meta.
full        __GAPPY_HTML_01        m;</?[a-z]{1,6}(?:\s[^>]{0,40})?>(?:\s|=09){0,80}(?:(?!\d)[\w'()\#,.:!]{1,15}(?:\s|=09){4,80}){7}\S;
full        __GAPPY_HTML_02        m;\S(?:(?:\s|=09){4,80}(?!\d)[\w'()\#,.:!]{1,15}){7}(?:\s|=09){0,5}</?[a-z]{1,6}/?>;
#full        __GAPPY_HTML_03        /^(?:=09){5,20}</m
#tflags      __GAPPY_HTML_03        multiple maxhits=11
#full        __GAPPY_HTML_04        /^(?:=0A){5,20}/m
#tflags      __GAPPY_HTML_04        multiple maxhits=11
#meta        __GAPPY_HTML           __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02 || (__GAPPY_HTML_03 > 10) || (__GAPPY_HTML_04 > 10))
meta        __GAPPY_HTML           __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02)
# FP guards (by name: unsubscribe link, Received chain matching the return
# path, "mail*"-style rDNS) are taken as signs of legitimate bulk mail.
meta        GAPPY_HTML             __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe    GAPPY_HTML             HTML body with much useless whitespace

# Try to improve S/O per bug 6119
# __TVD_SPACE_RATIO is a plugin-provided subrule defined outside this section.
# The exclusion list drops message classes whose whitespace ratio is odd for
# legitimate reasons (encrypted, cron output, ISO-2022-JP, threaded/list/DKIM
# signed mail, long lines, empty bodies, Apple Mail).
meta        TVD_SPACE_RATIO_MINFP  __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL 
#tflags      TVD_SPACE_RATIO_MINFP  nopublish
score       TVD_SPACE_RATIO_MINFP  2.500   # limit
describe    TVD_SPACE_RATIO_MINFP  Space ratio (vertical text obfuscation?)

# Only useful for English-language email
#meta        SUBJECT_UNNEEDED_ENCODING    (__SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) && !__RCD_RDNS_MAIL && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__THREADED && !__NONBOUNCE_READ_RECEIPT 
#describe    SUBJECT_UNNEEDED_ENCODING    Subject encoded but not non-ANSI?
#score       SUBJECT_UNNEEDED_ENCODING    1.000    # limit
#tflags      SUBJECT_UNNEEDED_ENCODING    publish

# Be sensitive to FP on legit japanese- and chinese-language mailing lists (09/2014)
# Odd space ratio combined with a base64-encoded Subject that is not UTF-8:
# base64 encoding of a non-UTF-8 subject is a common way to hide obfuscated
# text from simple header scanners.
meta        __TVD_SPACE_ENCODED    (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
# __ISO_2022_JP_DELIM and the list/thread exclusions are the FP guards for
# the CJK mailing-list case mentioned above.
meta        TVD_SPACE_ENCODED      __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
score       TVD_SPACE_ENCODED      2.500   # limit
describe    TVD_SPACE_ENCODED      Space ratio & encoded subject

# Same signal, plus a From: header that itself needed MIME encoding.
meta        TVD_SPACE_ENC_FM_MIME  __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM
score       TVD_SPACE_ENC_FM_MIME  2.000   # limit
describe    TVD_SPACE_ENC_FM_MIME  Space ratio & encoded subject & MIME needed


# sample from users list:   Subject: Sta ffWork sFastToSen dTab le tsGood s
# A whitespace-preceded run of 1-3 lowercase letters followed by a capital
# and two lowercase letters ("sFas", "dTab") - a word broken and re-glued to
# defeat word-based filters.  The lookahead exempts tokens shaped like
# common product/brand names (iPad, iPhone, eMail, ...), judging by the
# character classes; confirm before extending it.
header      __SUBJ_BROKEN_WORD     Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
tflags      __SUBJ_BROKEN_WORD     multiple maxhits=2
# Single hit: heavily FP-guarded (trusted, threaded, DKIM, known MUAs, etc.).
meta        SUBJ_BROKEN_WORD       __SUBJ_BROKEN_WORD && !ALL_TRUSTED && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS && !__NOT_A_PERSON && !__LCL__ENV_AND_HDR_FROM_MATCH
describe    SUBJ_BROKEN_WORD       Subject contains odd word break
# Two hits (the maxhits cap): fewer guards, as the signal is stronger.
meta        SUBJ_BROKEN_WORDS      __SUBJ_BROKEN_WORD > 1 && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS
describe    SUBJ_BROKEN_WORDS      Subject contains multiple odd word breaks

# felicity TVD_SUBJ_NUM_OBFU as subrule
# Letters-digits-letters inside a word ("V1agra" style digit substitution).
header      __TVD_SUBJ_NUM_OBFU    Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
meta        __SUBJ_BRKN_WORDNUMS   __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta      SUBJ_BRKN_WORDNUMS     __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
  describe  SUBJ_BRKN_WORDNUMS     Subject contains odd word breaks and numbers
endif

# Digit-substitution alone, with the usual list/thread/cron FP guards; note
# __NUMBERS_IN_SUBJ and __URI_MAILTO are excluded to avoid order/ticket mail.
meta        TVD_SUBJ_NUM_OBFU_MINFP   __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO

# from spample on users list 7/20/2011
# X-Mailer claims PHPMailer but "version" is followed by no digit at all up
# to end of header, i.e. the version placeholder was never filled in.
# X-Mailer is entirely sender-controlled: this fingerprints a sloppy kit,
# it does not prove forgery in any stronger sense.
header      __XM_PHPMAILER_FORGED  X-Mailer =~ /PHPMailer\s.*version\D+$/
meta        XM_PHPMAILER_FORGED    __XM_PHPMAILER_FORGED
describe    XM_PHPMAILER_FORGED    Apparently forged header
tflags      XM_PHPMAILER_FORGED    publish

# from spample on users list 7/24/2011
# Subrule only; the scored rule was retired (kept for reference).
header      __XM_EC_MESSENGER      X-Mailer =~ /\beC-Messenger\b/
#meta        XM_EC_MESSENGER        __XM_EC_MESSENGER
#describe    XM_EC_MESSENGER        eC-Messenger bulk mail service

# Punctuation interleaved with letters in the Subject: either
# punct-letter-punct/space, or letter-punct-letter at a word end.  Counted up
# to 4 hits; FEW fires on exactly 2 (>1 and not MANY), MANY on 3 or more.
# Subjects containing an e-mail address are excluded because addresses
# naturally produce these sequences.
header      __SUBJ_OBFU_PUNCT      Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i
tflags      __SUBJ_OBFU_PUNCT      multiple maxhits=4
meta        __SUBJ_OBFU_PUNCT_NOEM __SUBJ_OBFU_PUNCT && !__SUBJ_HAS_ANY_EMAIL
meta        SUBJ_OBFU_PUNCT_FEW    __SUBJ_OBFU_PUNCT > 1 && !SUBJ_OBFU_PUNCT_MANY && !__SUBJ_HAS_ANY_EMAIL && !__TOUSR_IN_SUBJ && !__THREADED && !__HAS_X_MAILING_LIST && !__TVD_MIME_ATT 
describe    SUBJ_OBFU_PUNCT_FEW    Possible punctuation-obfuscated message subject
score       SUBJ_OBFU_PUNCT_FEW    0.500	# limit
meta        SUBJ_OBFU_PUNCT_MANY   __SUBJ_OBFU_PUNCT > 2 && !__SUBJ_HAS_ANY_EMAIL && !__TOUSR_IN_SUBJ && !__THREADED && !__HAS_X_MAILING_LIST && !__TVD_MIME_ATT 
describe    SUBJ_OBFU_PUNCT_MANY   Punctuation-obfuscated message subject
score       SUBJ_OBFU_PUNCT_MANY   2.000	# limit

# Retired combination rule, kept for reference.
#meta        SUBJ_MANGLED           __SUBJ_OBFU_PUNCT && __GAPPY_SUBJECT && !__RP_MATCHES_RCVD && !__HAS_X_MAILER && !__DOS_HAS_LIST_UNSUB 
#score       SUBJ_MANGLED           2.000    # limit

# A document was scanned and sentto you using a Hewlett-Packard HP Officejet
# A document was scanned and sent to you using a Hewlett-Packard HP Officejet
# Scan from Hewlet-Packard Officejet
# Scan from a HP Officejet
# Hewlett-Packard Officejet Location: machine location not set
# Xerox WorkCentre
# See http://isc.sans.edu/diary.html?storyid=11848#comment
# "Scanned document" lure text used by malware campaigns that attach a
# trojanised "scan".  Spelling variants above are matched deliberately
# (scan+ed, Hewlet+, optional space in "sent ?to").
body        __SCANNED              /\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)|Xerox\b)/i
# Only fires for mail that did not come entirely from trusted relays.
# NOTE(review): __XEROXWORKCTR_MUA is presumably a header fingerprint of a
# real device; headers are sender-controlled, so treat it as an FP reducer,
# not as authentication of the scanner.
meta        SCANNED_EXTERNAL       __SCANNED && !ALL_TRUSTED && !__XEROXWORKCTR_MUA
describe    SCANNED_EXTERNAL       "Scanned Document" email from external source - malware?
score       SCANNED_EXTERNAL       3.00		# limit

# Requires the bug6558 fix (counting hits of a body rule); on older engines
# only the subrule is defined (as 0) - LARGE_PCT_AFTER_MANY does not exist
# there, and nothing in this section references it, so that is safe.
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
   # real estate / stock scam spams 11/2011
   # roughly similar to FS_LARGE_PERCENT2, better S/O?
   # "NNN% after ..." counted up to 4 times; 4 hits trips the scored rule.
   body        __LARGE_PERCENT_AFTER  /\d{3}% after/i
   tflags      __LARGE_PERCENT_AFTER  multiple maxhits=4
   meta        LARGE_PCT_AFTER_MANY   __LARGE_PERCENT_AFTER > 3
   describe    LARGE_PCT_AFTER_MANY   Many large percentages after...
else
   meta        __LARGE_PERCENT_AFTER  0
endif

# phish/malware 11/2011
# "Your ACH/wire/direct-deposit payment was rejected" lures.  The rules are
# case-insensitive except for the literal (?-i:ACH), so "ach" inside an
# ordinary word does not match.  Separators may be space, '-' or '_'.
body        __ACH_CANCELLED_01     /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body        __ACH_CANCELLED_02     /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
body        __ACH_CANCELLED_03     /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body        __ACH_CANCELLED_04     /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i

# Lure text plus an .exe attachment = almost certainly malware.
# NOTE(review): __EXE_ATTACH only looks at the Content-Type header (the
# name= parameter); a filename given solely in Content-Disposition, or other
# executable types (.scr, .pif, .com, .js, archives), are not caught here.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
	mimeheader   __EXE_ATTACH        Content-Type =~ /\.exe\b/i
	meta         __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
	meta         ACH_CANCELLED_EXE   __ACH_CANCELLED_EXE
	describe     ACH_CANCELLED_EXE   "ACH cancelled" probable malware
else
	meta         __EXE_ATTACH        0
endif

# Lure text plus a link or money talk: phish rather than malware.
meta        __ACH_CANCELLED        (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && (__HAS_ANY_URI || LOTS_OF_MONEY)
meta        ACH_CANCELLED          __ACH_CANCELLED
describe    ACH_CANCELLED          "ACH cancelled" fraud / phish

# spams from users list query 03/2012
# Not useful as scored rules, may be useful meta'd with something else
# A URI whose path embeds a second URL on the same host (\1 backreference,
# optionally with a subdomain): open-redirector style.  www.amazon.com is
# allowlisted because its own links legitimately look like this.
uri         __URI_DBL_SUBDOM   m,^https?://(?!www\.amazon\.com)([^/]+)/.*https?://(?:[^.]+\.)?\1/,i
#meta        URI_DBL_SUBDOM     __URI_DBL_SUBDOM && !__RP_MATCHES_RCVD && !__FROM_LOWER && !__HAS_ERRORS_TO && !__TO_EQ_FROM_DOM
#score       URI_DBL_SUBDOM     1.00	# limit

# Same idea at the registered-domain level (host minus its first label).
uri         __URI_DBL_DOM      m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i

# "=http://" appearing twice / three times in one URI: a redirector whose
# target is itself a redirector.  URI_DBL_INDIR excludes the triple case so
# the two rules do not stack.
uri         __URI_DBL_INDIR    m,(?:=https?://(?!www\.amazon\.com).*?){2},i
meta        URI_DBL_INDIR      __URI_DBL_INDIR && !__URI_TRPL_INDIR
describe    URI_DBL_INDIR      A URI with two levels of indirection
uri         __URI_TRPL_INDIR   m,(?:=https?://(?!www\.amazon\.com).*?){3},i
meta        URI_TRPL_INDIR     __URI_TRPL_INDIR
describe    URI_TRPL_INDIR     A URI with at least three levels of indirection

# suggestion on users list 04/2012
# Matches a "subject:" header name in any capitalisation other than the
# three spellings real MUAs produce (Subject:, SUBJECT:, subject:).  Scans
# the whole raw header block (ALL) line by line.
header      SUBJ_ODD_CASE      ALL =~ /\n(?!(?:Subject:|SUBJECT:|subject:))(?i:subject:)/sm
describe    SUBJ_ODD_CASE      Oddly mixed-case Subject: header


# Somebody's resurrecting the dead 07/2012
# The "Bill S.1618 / 105th Congress" disclaimer (a never-passed bill still
# quoted by spammers as if it legalised their mail).
body        BILL_1618          /\bUnder Bills?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i
describe    BILL_1618          Mentions proposed US law supposedly permitting spamming
# English, Spanish and German variants of "this is not spam".
body        NOT_SPAM           /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
describe    NOT_SPAM           I'm not spam! Really! I'm not, I'm not, I'm not!
tflags      NOT_SPAM           publish


# see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
# .SettingContent-ms files execute an arbitrary command on open (Windows 10);
# there is no legitimate reason to link one in e-mail.
uri         URI_MALWARE_SCMS   /\.SettingContent-ms\b/i
describe    URI_MALWARE_SCMS   Link to malware exploit download (.SettingContent-ms file)
tflags      URI_MALWARE_SCMS   publish

# suggested by http://isc.sans.edu/diary.html?storyid=13921
# Blackhole exploit-kit landing page shape: <tld>/<8 word chars>/index.html
# (the [\d\w] class is just \w; \w already contains the digits).
uri         URI_MALWARE_BH     /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
describe    URI_MALWARE_BH     Possible BlackHole malware links / phishing
score       URI_MALWARE_BH     1.0	# limit

# suggested by https://isc.sans.edu/diary.html?storyid=13996
# Any data: URI other than data:image/... - data:text/html carries a whole
# phishing page in the link itself, with nothing to block at the DNS/URL
# level.
uri         __URI_DATA         /^data:(?!image\/)[a-z]/i
meta        URI_DATA           __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB 
describe    URI_DATA           "data:" URI - possible malware or phish
score       URI_DATA           3.250	# limit
tflags      URI_DATA           publish


# All-caps ATTENTION in the Subject (case-sensitive on purpose); low score,
# used mostly to nudge advance-fee style mail.
header      __SUBJ_ATTENTION     Subject =~ /ATTENTION/
meta        SUBJ_ATTENTION       __SUBJ_ATTENTION && !ALL_TRUSTED
describe    SUBJ_ATTENTION       ATTENTION in Subject
score       SUBJ_ATTENTION       0.500	# limit

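# IRS impersonation: the display name or the From domain claims irs.gov, no
# external relay has irs.gov reverse DNS, and a Reply-To is present (so
# replies land in the attacker's mailbox rather than at the spoofed address).
# Domain matches are case-insensitive - domains are, and "IRS.GOV" must not
# slip past - which also makes these consistent with the bank From:addr
# rules below.
# NOTE(review): the rDNS test is only as good as the receiving MTA's reverse
# lookup.  As written, "rdns=x-irs.gov" (a PTR anyone can publish for their
# own IP) satisfies it, while a bare "rdns=irs.gov" does not (\S+ needs at
# least one character before the word boundary).  Tighten if that matters.
header      __IRS_FM_NAME        From:name =~ /internal\srevenue\sservice/i
header      __IRS_FM_DOM         From:addr =~ /\birs\.gov$/i
header      __IRS_RCVD_DOM       X-Spam-Relays-External =~ / rdns=\S+\birs\.gov /i
meta        __IRS_SPOOF          (__IRS_FM_NAME || __IRS_FM_DOM) && !__IRS_RCVD_DOM && __HAS_REPLY_TO
meta        IRS_SPOOF            __IRS_SPOOF
describe    IRS_SPOOF            Claims to be IRS, but not from IRS domain
score       IRS_SPOOF            2.00	# limit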


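# FBI impersonation, same shape as the IRS rules: a claim in the From name,
# From domain, or a shouted "FEDERAL BUREAU OF INVESTIGATION" at the start
# of a body paragraph (body) or raw line (rawbody), with no fbi.gov rDNS on
# any external relay and a Reply-To set.  The body matches stay
# case-sensitive on purpose (the all-caps form is the signal); the domain
# matches are case-insensitive so "FBI.GOV" cannot bypass them.
# NOTE(review): see the IRS rule for the caveats on the rDNS test.
header      __FBI_FM_NAME        From:name =~ /federal\sbureau\sof\sinvestigation/i
header      __FBI_FM_DOM         From:addr =~ /\bfbi\.gov$/i
header      __FBI_RCVD_DOM       X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /i
body        __FBI_BODY_SHOUT_1   /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
rawbody     __FBI_BODY_SHOUT_2   /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
meta        __FBI_SPOOF          (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO
meta        FBI_SPOOF            __FBI_SPOOF
describe    FBI_SPOOF            Claims to be FBI, but not from FBI domain
score       FBI_SPOOF            2.00	# limit
tflags      FBI_SPOOF            publish

# Spoofed FBI plus large sums of money: classic advance-fee fraud.
meta        FBI_MONEY            __FBI_SPOOF && LOTS_OF_MONEY
describe    FBI_MONEY            The FBI wants to give you lots of money?
score       FBI_MONEY            2.00	# limit
tflags      FBI_MONEY            publish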


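# Financial-brand From: subrules.  The *_LOOSE ones match anywhere in the
# whole From header (display name included) and are deliberately broad -
# /ban(?:k|co)/ also hits "bankruptcy" or "urbanco" - so they are only ever
# used in combination, never scored alone.
# Fix: __FROM_CHASE and __FROM_LLOYDSTSB each carried a non-optional group
# ("(?:2?-?paymentech)", "(?:tsb)") that made them match only the
# paymentech / TSB spellings and never chase.com or lloyds.com; the groups
# are now optional so the plain brand domains are covered as the rule names
# imply.  This only widens what is matched.
header      __FROM_ASB_BANK      From:addr =~ /\basb\.co\.nz$/i
header      __FROM_AMEX          From =~ /american\s?express/i
header      __FROM_BANK_LOOSE    From =~ /ban(?:k|co)/i
header      __FROM_CHASE         From:addr =~ /chase(?:2?-?paymentech)?\.com$/i
header      __FROM_CMNWLTH_BANK  From:addr =~ /\bcommonwealth\.com\.au$/i
header      __FROM_EBAY_LOOSE    From =~ /\be-?bay\b/i
header      __FROM_HSBC          From:addr =~ /\bhsbc\.co\.uk$/i
header      __FROM_LLOYDSTSB     From:addr =~ /\blloyds(?:tsb)?\.(?:co\.uk|com)$/i
header      __FROM_PAYPAL_LOOSE  From =~ /paypal/i
header      __FROM_WELLSFARGO    From:addr =~ /wellsfargo\.com$/i
header      __FROM_WESTERNUNION  From:addr =~ /westernunion\.com$/i

# A malformed (mis-spaced) From header claiming any of the brands above:
# the kind of header a hand-rolled phishing script produces.
meta        __FROM_MISSP_PHISH   __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
meta        FROM_MISSP_PHISH     __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB 
describe    FROM_MISSP_PHISH     Malformed, claims to be from financial organization - possible phish
score       FROM_MISSP_PHISH     3.500	# limit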

# another upload-a-document-for-public-access site
uri         __URI_YOUSENDIT      m,^https?://www\.yousendit\.com/directdownload,i

# see also DOS_GOOGLE_DOCS
# Google Docs/Forms links: the classic credential-harvesting form host, as
# the GOOGLE_DOCS_PHISH rules below rely on.  __URI_GOOGLE_DOC covers the
# view / viewform / document paths; __URI_GOOGLE_DRV covers Drive hosts.
uri         __URI_GOOGLE_DOC     m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
uri         __URI_GOOGLE_DRV     m,^https?://(?:drive\.google|googledrive)\.com/,i

# another fill-a-form service
# Short forms.gle link (15+ alphanumerics, nothing after).  Subrule only.
uri         __FORMS_GLE              m;^https?://forms\.gle/[0-9a-z]{15,}$;i

# rotten S/O
#meta        FORMS_GLE                __FORMS_GLE && !__HAS_X_BEEN_THERE && !__URI_DOTEDU && !__HAS_CAMPAIGN 
#describe    FORMS_GLE                Hosted fill-in-this-form

#meta        __FORMS_GLE_SUSP         __FORMS_GLE && ( __REPLYTO_NOREPLY || __MSOE_MID_WRONG_CASE )

#meta        __SHORTENED_URL_FORM     __FORMS_GLE && __URL_SHORTENER


# Webmail / mailbox phishing vocabulary.  Each subrule below is one phrase
# family ("mailbox full", "clean up your mailbox", "validate your mailbox",
# "upgrade", "your account will be locked", ...).  Several include Portuguese,
# Polish and Swedish phrases; non-ASCII letters are written as three
# alternatives (QP-encoded =XX, Latin-1 byte, UTF-8 byte pair) so the same
# word matches regardless of transfer encoding and charset.
# None of these is scored on its own: __EMAIL_PHISH / __EMAIL_PHISH_MANY
# (further down) sum them, and multiple-hit rules contribute up to maxhits.
body        __WEBMAIL_ACCT       /\byour web ?mail account/i
body        __MAILBOX_FULL       /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
body        __CLEAN_MAILBOX      /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
tflags      __CLEAN_MAILBOX      multiple maxhits=2
body        __VALIDATE_MAILBOX   /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails))\b/i
tflags      __VALIDATE_MAILBOX   multiple maxhits=2
body        __UPGR_MAILBOX       /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
body        __LOCK_MAILBOX       /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
tflags      __LOCK_MAILBOX       multiple maxhits=2
# "Helpdesk / system administrator / support team" signatures.
body        __SYSADMIN           /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
# "admin/support" wording in Subject or From, combined (the *_DOM_ADMIN
# metas) with the From name pretending to be the recipient's own domain.
header      __SUBJ_ADMIN         Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
meta        __SUBJ_DOM_ADMIN     __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
header      __FROM_ADMIN         From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
meta        __FROM_DOM_ADMIN     __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
body        __ATTN_MAIL_USER     /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
body        __MAIL_ACCT_ACCESS1  /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
body        __MAIL_ACCT_ACCESS2  /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i

# Swedish "exceeded your mailbox limit" / "reset your account".
body        __MAILBOX_FULL_SE    /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
body        __VALIDATE_MBOX_SE   /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
body        __PASSWORD_UPGRADE   /\bpassword upgrade\b/i
body        __PENDING_MESSAGES   /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i
body        __RELEASE_MESSAGES   /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
body        __PASSWORD_EXP_CLUMSY  /\bpassword is due for expiration yesterday\b/i

# Score-free tally of the webmail-phish subrules above (plus __ACCESS_REVOKE
# and the __TVD_PH_* / __PDS_FROM_NAME_TO_DOMAIN group, counted once).
# __EMAIL_PHISH is "2 or 3 signals", __EMAIL_PHISH_MANY is "4 or more" and
# additionally counts the To-in-Subject and admin-from-own-domain signals.
# NOTE(review): __ACCESS_REVOKE is referenced here but defined further down;
# this relies on meta rules being resolved after the whole file is parsed.
meta        __EMAIL_PHISH        (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
meta        __EMAIL_PHISH_MANY   (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 3)

# "Upgrade your mailbox" text hidden by low-contrast styling.
meta        UPGRADE_MAILBOX      __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP 
describe    UPGRADE_MAILBOX      Upgrade your mailbox! (phishing?)

# Generic account-phishing vocabulary (bank/online-service flavour, with
# some German): suspension notices, "restore access", "verify your
# information", failed-login scares, reactivation, "security department".
# Summed by __ACCT_PHISH / __ACCT_PHISH_MANY below; multiple-hit rules count
# up to their maxhits.
body        __ACCESS_SUSPENDED   /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
tflags      __ACCESS_SUSPENDED   multiple maxhits=2
body        __ACCESS_RESTORE     /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
body        __ACCESS_REVOKE      /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
# "confirm/update/verify your records/identity/login" - the core phish ask.
body        __VERIFY_ACCOUNT     /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
tflags      __VERIFY_ACCOUNT     multiple maxhits=2
body        __FAILED_LOGINS      /unsuc+es+ful log-?[io]n at+empts/i
body        __ACCOUNT_REACTIV    /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
body        __SECURITY_DEPT      /\bsecurity dep(?:artmen)?t\b/i
body        __ACCOUNT_ERROR      /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
body        __ACCOUNT_DISRUPT    /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i
tflags      __ACCOUNT_DISRUPT    multiple maxhits=2
body        __ACCOUNT_UPGRADE    /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i
body        __ACCOUNT_SECURE     /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
body        __SUSPICION_LOGIN    /\bsuspicion login\b/i

# Tally of the account-phish subrules: __ACCT_PHISH is 2-3 signals,
# __ACCT_PHISH_MANY 4 or more (the latter also counts the To-in-Subject and
# admin-from-own-domain signals).  The two are mutually exclusive by
# construction.
meta        __ACCT_PHISH         (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY
meta        __ACCT_PHISH_MANY    (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3
# Scored rules: the moderate tier excludes the strong tier and messy rDNS /
# heavy invisible styling (handled by other rules); the strong tier yields
# to the more specific Google Docs / Google Storage phish rules.
meta        ACCT_PHISHING        (__ACCT_PHISH || __EMAIL_PHISH) && !ACCT_PHISHING_MANY && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MTA_MESSY && !__STY_INVIS_MANY
describe    ACCT_PHISHING        Possible phishing for account information
score       ACCT_PHISHING        1.500  # limit
meta        ACCT_PHISHING_MANY   (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
describe    ACCT_PHISHING_MANY   Phishing for account information
score       ACCT_PHISHING_MANY   3.000  # limit

# Any phish tier plus a Reply-To pointing at a freemail account that does
# not match the From: the harvested replies go to the attacker.
meta        PHISHING_FREEMAIL    (__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO
describe    PHISHING_FREEMAIL    Send your login credentials to some random freemail account

# "Verify your account" from a relay with no reverse DNS at all.
meta        __VFY_ACCT_NORDNS    __VERIFY_ACCOUNT && __RDNS_NONE 
meta        VFY_ACCT_NORDNS      __VFY_ACCT_NORDNS && !__STY_INVIS_MANY 
describe    VFY_ACCT_NORDNS      Verify your account to a poorly-configured MTA - probable phishing
score       VFY_ACCT_NORDNS      3.000	# limit
tflags      VFY_ACCT_NORDNS      publish

# Subrules for use elsewhere: verify-account text with advance-fee or
# freemail Reply-To signals.
meta        __VFY_ACCT_FRAUD     __VERIFY_ACCOUNT && __ADVANCE_FEE_2_NEW 
meta        __VFY_ACCT_FREEM     __VERIFY_ACCOUNT && __freemail_hdr_replyto 

# Google Docs observed on LOTS of phishes 2012
# A Google Docs/Forms link plus phishing language.  Hosting the form on
# Google defeats URL-reputation blocking, hence the dedicated rules.
# _1: link + any of the generic __TVD_PH_* phish signals.
# _2: link + the moderate phish tier (strong tier is handled by *_MANY).
meta        __GOOGLE_DOCS_PHISH_1  __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
meta        __GOOGLE_DOCS_PHISH_2  __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
meta        GOOGLE_DOCS_PHISH    (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe    GOOGLE_DOCS_PHISH    Possible phishing via a Google Docs form
score       GOOGLE_DOCS_PHISH    3.00	# limit
tflags      GOOGLE_DOCS_PHISH    publish

# Link + the strong phish tier.
meta        GOOGLE_DOCS_PHISH_MANY  __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe    GOOGLE_DOCS_PHISH_MANY  Phishing via a Google Docs form
score       GOOGLE_DOCS_PHISH_MANY  4.00	# limit
tflags      GOOGLE_DOCS_PHISH_MANY  publish

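# A Google Docs link with any one of several weak suspicion signals (legacy
# DomainKeys signature, no rDNS, sysadmin wording, invisible styling, money
# talk, advance-fee text), from a non-trusted source.
meta        __GOOGLE_DOC_SUSP    __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED
# FP guards: mailing-list / bulk-sender markers (Sender, List-Id, VERP,
# Lyris, Thread-Index), surveys and tracking images are all common in ham
# that links to Google Docs.  The duplicated !__RCD_RDNS_SMTP term and the
# stray space in "! __HAS_LIST_ID" were tidied; the expression is unchanged.
meta        GOOGLE_DOC_SUSP      __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
describe    GOOGLE_DOC_SUSP      Suspicious use of Google Docs
score       GOOGLE_DOC_SUSP      3.000	# limit
tflags      GOOGLE_DOC_SUSP      publish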

#meta        URI_GOOGLE_DOCS      __URI_GOOGLE_DOC && !__DKIM_EXISTS && !__TO_EQ_FROM_DOM && !__DOS_REF_TODAY && !__DOS_BODY_FRI && !__DOS_BODY_WED && !__freemail_safe_fwd && !__TO_EQ_FROM_DOM && !__HAS_ERRORS_TO
#describe    URI_GOOGLE_DOCS      URI for Google Docs, common in phishing
#score       URI_GOOGLE_DOCS      1.00	# limit

# Phish text plus a link that is NOT a Google Docs / Google Storage page
# (those have their own rules).  The two branches below are identical except
# that !__REMOTE_IMAGE is only available when the MIMEHeader plugin is
# loaded; keep them in sync when editing the exclusion list.
meta        __URI_PHISH    __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT 
else
  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT 
endif
describe    URI_PHISH            Phishing using web form
score       URI_PHISH            4.00   # limit
tflags      URI_PHISH            publish

# "IT department / helpdesk" signature from outside, unsigned, with the
# envelope and header From not matching (spoofed) and no text attachment.
meta        SYSADMIN             __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS 
describe    SYSADMIN             Supposedly from your IT department
score       SYSADMIN             3.500	# limit
tflags      SYSADMIN             publish

# suggested by MPerkel on the users list 11/10/2012
# Mixed-case URI components ("hTTp://", "wWw.", ".cOm", "gOOgle"): browsers
# accept them, naive string filters do not, so they only appear as evasion.
# Each rule is case-insensitive but uses a case-sensitive lookahead to exempt
# the normal spellings (all-lower, Capitalised, ALL-CAPS).  Subrules only.
uri         __URI_PROTO_MC       /^(?!(?-i:(?:[Hh]ttps?|HTTPS?):))https?:/i
uri         __URI_WWW_MC         m,://(?!(?-i:www|WWW))www\.,i
uri         __URI_TLD_MC         /\.(?!(?-i:com|net|org|biz|info|COM|NET|ORG))(?:com|net|org|biz|info)\b/i
uri         __URI_GOOG_MC        /(?!(?-i:[Gg]oogle))google/i

# Inline CSS font-size of 0-4px (text meant to be invisible to the reader
# but visible to filters), from a relay with no reverse DNS.
rawbody     __HTML_FONT_TINY_01      /font-size:\s{0,5}[0-4]px;/i
meta        HTML_FONT_TINY_NORDNS    __HTML_FONT_TINY_01 && __RDNS_NONE 
describe    HTML_FONT_TINY_NORDNS    Font too small to read, no rDNS
score       HTML_FONT_TINY_NORDNS    1.500	# limit

# Counts non-blank body lines, capped at 3 - enough to distinguish "empty",
# "one line" and "more".  S/MIME messages are exempt throughout because
# their rendered body is the signature blob.
body        __BODY_TEXT_LINE     /^\s*\S/
tflags      __BODY_TEXT_LINE     multiple maxhits=3
meta        __EMPTY_BODY         __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
# this hits 13% of masscheck corpus spam, 50% of that only scores 2 points
# Empty body from outside: attachments-only mail, threaded mail and known
# phone/Google MUAs are excluded, as are messages with no relays at all.
meta        BODY_EMPTY           __EMPTY_BODY && !ALL_TRUSTED && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !NO_RELAYS && !__PDF_ATTACH && !__HDR_RCVD_GOOGLE && !__MSGID_APPLEMAIL && !__XM_IPHONEMAIL 
describe    BODY_EMPTY           No body text in message
score       BODY_EMPTY           2.00	# limit


# At most two non-blank lines and at least one URI: "click this" with
# nothing else, typical of compromised-account spam.
meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
meta        BODY_URI_ONLY        __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV 
describe    BODY_URI_ONLY        Message body is only a URI in one line of text or for an image
score       BODY_URI_ONLY        3.000   # limit
tflags      BODY_URI_ONLY        publish


# A body line that is one whitespace-free token of up to 60 chars.  The
# Subject counterpart is used to exempt the common "one-word reply quoting a
# one-word subject" case: with a single such line the Subject must NOT be a
# single word, with two such lines the Subject is ignored.
body        __SINGLE_WORD_LINE  /^\s?\S{1,60}\s?$/
tflags      __SINGLE_WORD_LINE  multiple maxhits=2
header      __SINGLE_WORD_SUBJ  Subject =~ /^\s*\S{1,60}\s*$/
meta        __BODY_SINGLE_WORD    __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
meta        BODY_SINGLE_WORD    __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
describe    BODY_SINGLE_WORD    Message body is only one word (no spaces)
score       BODY_SINGLE_WORD    2.500	# limit

# The single "word" is a URI.
meta        __BODY_SINGLE_URI     (__BODY_SINGLE_WORD && __HAS_ANY_URI)
meta        BODY_SINGLE_URI     __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML 
describe    BODY_SINGLE_URI     Message body is only a URI
score       BODY_SINGLE_URI     2.500	# limit

#ifplugin Mail::SpamAssassin::Plugin::DKIM
#  # malformed DKIM signatures seen in the wild - see bug#6895
#  # see how well this performs
#  meta      __DKIM_MALFORMED	DKIM_SIGNED && !DKIM_VALID
#endif

#body        __YOUR_PHOTOS       /\byour photos (?:as p[rw]omised )?(?:here )?(?:- )?https?:/i
#meta        YOUR_PHOTOS         __YOUR_PHOTOS && !__HAS_ANY_EMAIL && !__HAS_REPLY_TO && !__DOS_HAS_LIST_UNSUB
#describe    YOUR_PHOTOS         "Your Photos" phishing or malware
#score       YOUR_PHOTOS         4.00	# limit

# Spanish-language unsubscribe boilerplate. The accented letters are matched
# in each form they can take in a raw body: quoted-printable (=FA / =E1),
# Latin-1 bytes (\xfa / \xe1) and UTF-8 byte pairs (\xc3\xba / \xc3\xa1),
# plus the unaccented spelling for "mas".
body        __UNSUBSCRIBE_ES   /\b(?:Para darte de baja y no recibir ning(?:=FA|[\xfa]|[\xc3][\xba])n|Si no desea que le enviemos publicidad|Si desea eliminar su correo [^\s@]{1,64}@[^\s@]{1,64} de nuestra lista|no recibir estos boletines a: [^\s@]{1,64}@[^\s@]{1,64} simplemente|Si no desea recibir m(?:=E1|[\xe1]|[\xc3][\xa1]|a)s notificaciones)\b/i
meta        UNSUBSCRIBE_ES     __UNSUBSCRIBE_ES
score       UNSUBSCRIBE_ES     2.500	# limit

# Portuguese counterpart ("Se nao desejar mais receber nossos e-mails"), with
# the same three encodings of the accented "a".
body        __UNSUBSCRIBE_PT   /\bSe n(?:a|=E3|[\xe3]|[\xc3][\xa3])o desejar mais receber nossos e-?mails?\b/i
meta        UNSUBSCRIBE_PT     __UNSUBSCRIBE_PT
score       UNSUBSCRIBE_PT     2.500	# limit

# Two URI scheme prefixes back to back in body text ("http://http://...").
body        __URI_DBL_PROTO    m,\b(?:https?:/+){2},i

# URI that is really a DOS/Windows drive-letter path ("C:\...").
uri         __URI_DOS_FILE     /^[A-Z]:\\/i

# "Fill in this form" text combined with low-contrast (hidden) font markup.
# NOTE(review): both operands of the "||" are __FILL_THIS_FORM_SHORT2, so the
# alternation is a no-op; presumably a sibling __FILL_THIS_FORM_* subrule was
# intended on one side -- confirm against where those subrules are defined.
meta        __FORM_LOW_CONTRAST   (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
meta        FORM_LOW_CONTRAST     __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
describe    FORM_LOW_CONTRAST     Fill in a form with hidden text
score       FORM_LOW_CONTRAST     2.500	# Limit
tflags      FORM_LOW_CONTRAST     publish


# try to FP-reduce HTML_FONT_LOW_CONTRAST
# Both branches define the same name so that rules depending on it resolve
# whether or not the DKIM plugin is loaded; with DKIM available, a valid
# signature additionally exempts the message.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta        __HTML_FONT_LOW_CONTRAST_MINFP	HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
else
  meta        __HTML_FONT_LOW_CONTRAST_MINFP	HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN
endif

# some no-ham (at the time) combinations
# Hidden-text (low-contrast font) paired with one other spam signal. The first
# four use the raw HTML_FONT_LOW_CONTRAST; STOCK_ and NORDNS_ use the
# FP-reduced __HTML_FONT_LOW_CONTRAST_MINFP defined above.
meta        GAPPY_LOW_CONTRAST    HTML_FONT_LOW_CONTRAST && __GAPPY_SUBJECT 
describe    GAPPY_LOW_CONTRAST    Gappy subject + hidden text
score       GAPPY_LOW_CONTRAST    2.500   # limit

# NOTE(review): no describe line for this scored rule -- one like
# "URI-only body + hidden text" would match its siblings.
meta        URI_ONLY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __BODY_URI_ONLY 
score       URI_ONLY_LOW_CONTRAST 2.500   # limit

meta        SUBJ_OBFU_LOW_CNTRST  (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED 
describe    SUBJ_OBFU_LOW_CNTRST  Subject obfuscation + hidden text
score       SUBJ_OBFU_LOW_CNTRST  2.500   # limit

# __URI_DOM_DOTDOT (a ".." inside the host part of a URI) is defined below.
meta        URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT
describe    URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text
score       URI_DOTDOT_LOW_CNTRST 2.500   # limit

meta        STOCK_LOW_CONTRAST    (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG 
describe    STOCK_LOW_CONTRAST    Stocks + hidden text
score       STOCK_LOW_CONTRAST    2.500   # limit
tflags      STOCK_LOW_CONTRAST    publish

meta        NORDNS_LOW_CONTRAST   (__HTML_FONT_LOW_CONTRAST_MINFP && __RDNS_NONE) && !ALL_TRUSTED && !__HAS_CID 
describe    NORDNS_LOW_CONTRAST   No rDNS + hidden text
score       NORDNS_LOW_CONTRAST   2.500   # limit


# Two consecutive dots in the authority (host) part of a URI, i.e. before the
# first "/" after "://".
uri         __URI_DOM_DOTDOT      m,://[^/]+\.\.,

# "I found you" lure; __FOUND_YOU is defined elsewhere. The negations exempt
# DKIM-signed mail, replies, and mail carrying threading/list-style headers.
meta        FOUND_YOU          __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
score       FOUND_YOU          3.25	# limit
describe    FOUND_YOU          I found you...
tflags      FOUND_YOU          publish


#rawbody     __HTML_FONT_ONE_WORD_01   />\s{0,5}\S{1,15}\s{0,5}<\/font>/i
#tflags      __HTML_FONT_ONE_WORD_01   multiple maxhits=26
#meta        HTML_FONT_ONE_WORD_MANY   __HTML_FONT_ONE_WORD_01 > 25
#describe    HTML_FONT_ONE_WORD_MANY   Many one-word font changes
#score       HTML_FONT_ONE_WORD_MANY   0.50	# limit (initial)


#body        __ADMITS_CANSPAM  /\bThis is a CANSPAM ACT compliant advertising broadcast\b/i
#body        __ADMITS_CANSPAM  /\bThis is a CANSPAM ACT compliant\b/i
#meta        ADMITS_CANSPAM    __ADMITS_CANSPAM && !__VIA_ML
#describe    ADMITS_CANSPAM    Admits to being spam

# "This is an advertisement" / "the above is intended as an e-mail
# advertisement", tolerating common obfuscations: "@" for "a", "1"/"l" for
# "i", "?" for an apostrophe, and hyphens in place of spaces. No explicit
# score, so SpamAssassin's default applies.
body        __ADMITS_SPAM     /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i
meta        ADMITS_SPAM       __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB 
describe    ADMITS_SPAM       Admits this is an ad
tflags      ADMITS_SPAM       publish

#body        __OBFU_ADVERT     /\badvert[1l]sement\b/i
#meta        OBFU_ADVERT       __OBFU_ADVERT
#describe    OBFU_ADVERT       Misspelled "advertisement"
#tflags      OBFU_ADVERT       publish


#body        __SEO_REGISTER    /\bsearch engine (?:registration|subscription|submission)\b/i
#tflags      __SEO_REGISTER    multiple maxhits=5
#meta        SEO_REGISTER      __SEO_REGISTER > 4
#score       SEO_REGISTER      2.50	# limit


#uri         REMOVE_YEAHNET    /imremove\@yeah\.net/i
#describe    REMOVE_YEAHNET    Opt-out address used by CN spammers


# From display name starting with the Spanish title "Lic." combined with a
# .info sender domain and the Spanish unsubscribe boilerplate above.
header      __FROM_LIC         From:name =~ /^Lic\./
header      __FROM_DOM_INFO    From:addr =~ /\.info$/i
meta        ES_LIC_FROM_INFO   __FROM_LIC && __FROM_DOM_INFO && __UNSUBSCRIBE_ES
describe    ES_LIC_FROM_INFO   Spanish-language spam from .info domain


# S/MIME message (used as an exemption by the body-shape rules above, since
# a signed/encrypted body legitimately has little readable text).
header      __SMIME_MESSAGE    Content-Type =~ /application\/pkcs7-mime;/i


#uri         __JIMDO_PHISH      /(?:microsoft|outlook|access|helpdesk|upd?ates|newaccount)\w+\.jimdo\.com/i
# Plain "click here" (exactly one whitespace character between the words).
body        __CLICK_HERE       /\bclick\shere\b/i

#meta        JIMDO_PHISH        __JIMDO_PHISH && __CLICK_HERE
#describe    JIMDO_PHISH        Apparent phishing via webform hosted at jimdo.com
#score       JIMDO_PHISH        3.00	# limit

# Travel-booking vocabulary; __TRAVEL_MANY is true when at least three of the
# four phrases appear (each body subrule contributes at most 1 to the sum).
body        __TRAVEL_PROFILE   /\btravel+er\sprofile\b/i
body        __TRAVEL_RESERV    /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
body        __TRAVEL_BUSINESS  /\bbusiness\stravel\b/i
body        __TRAVEL_AGENT     /\btravel\sagen(?:t|cy)\b/i
meta        __TRAVEL_MANY      (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2

# WordPress-specific URI paths. Links into /wp-admin/, or to script/HTML files
# under /wp-content/ and /wp-includes/, are characteristic of phishing or
# malware landing pages hosted on compromised WordPress installs.
uri         __URI_WPADMIN      m,/wp-admin/\w+/,i
meta        URI_WPADMIN        __URI_WPADMIN
describe    URI_WPADMIN        WordPress login/admin URI, possible phishing
tflags      URI_WPADMIN        publish

# Strict variants: a .php/.htm/.html file under the two directories.
uri         __URI_WPCONTENT    m,/wp-content/.*\.(?:php|html?)\b,i
# Loose variants: any 3-letter extension except the listed static types, or
# any 4-letter extension except jpeg. Not referenced by a scored rule here.
uri         __URI_WPCONTENT_L  m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
uri         __URI_WPINCLUDES   m,/wp-includes/.*\.(?:php|html?)\b,i
uri         __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
#uri         __URI_WP_WHITELIST m,/wp-content/plugins/civicrm/,i
meta        URI_WP_HACKED      (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED 
describe    URI_WP_HACKED      URI for compromised WordPress site, possible malware
score       URI_WP_HACKED      3.500   # limit
tflags      URI_WP_HACKED      publish

# Directory-index style URI (path under wp-content/wp-includes ending in "/").
uri         __URI_WPDIRINDEX   m,/wp-(?:content|includes)/.*/$,i
meta        URI_WP_DIRINDEX    __URI_WPDIRINDEX
describe    URI_WP_DIRINDEX    URI for compromised WordPress site, possible malware
score       URI_WP_DIRINDEX    3.500   # limit
tflags      URI_WP_DIRINDEX    publish

# this has some overlap with URI_WP_HACKED
# Broader CMS path list (WordPress, Joomla-style modules/, Movable Type
# mt-static, ...). The negative lookahead sits where the final four non-"?"
# characters begin, so it appears to exclude only four-character endings
# such as ".gif"/".jpg"; a five-character ".jpeg" would not be excluded,
# unlike the _L rules above. Since the scored rule already requires
# !URI_WP_HACKED, the practical effect is limited -- worth confirming.
uri         __PS_TEST_LOC_WP   m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf)[^?]{4}(?:\?[^?]{1,5})?$;i
meta        URI_WP_HACKED_2    (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 
describe    URI_WP_HACKED_2    URI for compromised WordPress site, possible malware
score       URI_WP_HACKED_2    2.500   # limit
tflags      URI_WP_HACKED_2    publish


# subrules migrated from 00_FVGT_File001.cf

# All-lowercase header names ("subject:", "from:", ...) followed by at least
# five non-blank characters. The match is case-sensitive and is run against
# the whole header block (ALL) without a line anchor, so it also hits the
# literal lowercase string anywhere within that block. Used mostly as
# FP-reduction operands (e.g. !__TO___LOWER, !__FROM_LOWER) in metas here.
header      __SUBJ_LOWER       ALL =~ /subject:\s\S{5}/
header      __FROM_LOWER       ALL =~ /from:\s\S{5}/
header      __TO___LOWER       ALL =~ /to:\s\S{5}/
header      __DATE_LOWER       ALL =~ /date:\s\S{5}/


# duplicates __XPRIO
#header      __FH_HAS_XPRIORITY exists:X-Priority
# X-Priority present (__XPRIO is defined elsewhere), with a long list of
# exemptions for senders that legitimately set it: encrypted mail, trusted
# relays, mailing lists, PHPMailer, TNEF/Outlook-style headers, DKIM, etc.
meta        __XPRIO_MINFP      __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS 

# When the DKIM plugin is loaded the scored rule also requires the message to
# be unsigned and not DNSWL-listed (and, with SPF too, not SPF_PASS); those
# dependencies are network tests, hence "tflags net" in that branch only.
# Without DKIM it falls back to the FP-reduced subrule alone.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  ifplugin Mail::SpamAssassin::Plugin::SPF
    meta    XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS 
  else
    meta    XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE 
  endif
  tflags    XPRIO              net
else
  meta      XPRIO              __XPRIO_MINFP
endif
describe    XPRIO              Has X-Priority header
score       XPRIO              2.250	# limit
tflags      XPRIO              publish

# some high-S/O combinations

# X-Priority (FP-reduced) + short subject.
meta        __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT 
meta        XPRIO_SHORT_SUBJ   __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF 
describe    XPRIO_SHORT_SUBJ   Has X Priority header + short subject
score       XPRIO_SHORT_SUBJ   2.500	# limit
tflags      XPRIO_SHORT_SUBJ   publish

# These two use the raw __XPRIO rather than __XPRIO_MINFP.
meta        FROM_MISSP_XPRIO   (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER 
describe    FROM_MISSP_XPRIO   Misspaced FROM + X-Priority
score       FROM_MISSP_XPRIO   2.500   # limit

meta        __STATIC_XPRIO_OLE   __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
meta        STATIC_XPRIO_OLE     __STATIC_XPRIO_OLE
describe    STATIC_XPRIO_OLE     Static RDNS + X-Priority + MIMEOLE
score       STATIC_XPRIO_OLE     2.000   # limit
tflags      STATIC_XPRIO_OLE     publish

# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta        XPRIO_RPATH_NULL   (__XPRIO && __BOUNCE_RPATH_NULL) && !__HAS_ERRORS_TO && !__VIA_ML && !ANY_BOUNCE_MESSAGE && !__HAS_ORGANIZATION && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED 
#score       XPRIO_RPATH_NULL   2.500   # limit
#
#meta        TO_EQ_FM_NN_RPATH_NULL   (__TO_EQ_FROM_USR_NN && __BOUNCE_RPATH_NULL) && !__TO_EQ_FROM_USR 
#score       TO_EQ_FM_NN_RPATH_NULL   2.000   # limit
#tflags      TO_EQ_FM_NN_RPATH_NULL   publish


# Subject starting with "Re: " (case-sensitive), and a subject containing
# three consecutive digits.
header      __FS_SUBJ_RE       Subject =~ /^Re: /
header      __NUMBERS_IN_SUBJ  Subject =~ /\d{3}/

# Single-word/phrase body subrules used as operands in metas elsewhere. Note
# that __FB_NATIONAL, __FB_S_STOCK and __FB_TOUR are not anchored on the
# right, so they also match longer words ("stocks", "tourism", ...).
body        __CAN_HELP         /\bcan help\b/i
body        __FB_COST          /\bcost\b/i
body        __FB_NATIONAL      /national/i
body        __FB_NUM_PERCNT    /\d\s?\%/
body        __FB_S_STOCK       /\bstock/i
body        __FB_TOUR          /\btour/i
body        __SURVEY           /\bsurvey\b/i

# "price" with a doubled "i" and/or an extra letter before the final "e".
body        __FB_S_PRICE       /pri{1,2}c[a-z]?e/i

# Obfuscated "price" via ReplaceTags: the <P><R><I><C><E> tags expand to the
# letters and their look-alikes, with (?!price) rejecting the plain spelling.
# The else branch defines __FRT_PRICE as 0 so __FM_MY_PRICE resolves without
# the plugin (same pattern as the plugin guards at the top of this file).
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
	body        __FRT_PRICE        /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
	replace_rules                  __FRT_PRICE

	meta        __FM_MY_PRICE      (__FB_S_PRICE || __FRT_PRICE)
else
	meta        __FRT_PRICE        0
	meta        __FM_MY_PRICE      __FB_S_PRICE
endif

# Raw body containing exactly N whitespace characters between two
# alphanumeric runs (6 before, 5 after) -- unusual fixed-width gap sizes.
rawbody     __FR_SPACING_8     /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
rawbody     __FR_SPACING_9     /[a-z0-9]{6}\s{9}[a-z0-9]{5}/i
rawbody     __FR_SPACING_15    /[a-z0-9]{6}\s{15}[a-z0-9]{5}/i
rawbody     __FR_SPACING_17    /[a-z0-9]{6}\s{17}[a-z0-9]{5}/i
rawbody     __FR_SPACING_22    /[a-z0-9]{6}\s{22}[a-z0-9]{5}/i


# per users mailing list question from Joe Quinn
#body        __HEXHASHWORD_S    /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{18})[0-9a-f]{18}/
#tflags      __HEXHASHWORD_S    multiple maxhits=4
# "word HEXHASH word": a 10-64 character run of hex digits (hyphens allowed,
# but not "--") sandwiched between two ordinary words. The lookaheads reject
# a plain 10-20 letter word, a short dash-separated number, and a bare
# 10-digit number, so phone numbers and normal words do not count. Up to four
# hits are counted; HEXHASH_WORD needs at least two.
body        __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
tflags      __HEXHASHWORD_S2EU multiple maxhits=4
#body        __HEXHASHWORD_S2E  /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}[0-9a-f]{10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
#tflags      __HEXHASHWORD_S2E  multiple maxhits=4
#body        __HEXHASHWORD_S2   /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[0-9a-f]{10,64}\s[A-Z]?[a-z]{1,15}\b/
#tflags      __HEXHASHWORD_S2   multiple maxhits=4
#body        __HEXHASHWORD      /\s[A-Z]?[a-z]{1,15}\s[0-9a-f]{30}/
#tflags      __HEXHASHWORD      multiple maxhits=4
# Hit-count thresholds for use by other metas (not referenced in this section).
meta        __HEXHASH_2        __HEXHASHWORD_S2EU > 1
meta        __HEXHASH_3        __HEXHASHWORD_S2EU > 2
meta        __HEXHASH_4        __HEXHASHWORD_S2EU > 3
#meta        __HEXHASH_5        __HEXHASHWORD_S2EU > 4
meta        HEXHASH_WORD       (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER 
describe    HEXHASH_WORD       Multiple instances of word + hexadecimal hash
score       HEXHASH_WORD       3.000	# limit
tflags      HEXHASH_WORD       publish

#  from users list spample provided by Larry Starr
# "word VERYLONGGIBBERISH word": a run of 16+ uppercase letters between two
# ordinary words (the first may be followed by , ; or a closing paren).
# Counts up to two hits; the scored rule requires both.
body        __UC_GIBB_OBFU     /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
tflags      __UC_GIBB_OBFU     multiple maxhits=2
#meta        __UC_GIBB_2        __UC_GIBB_OBFU > 1
#meta        __UC_GIBB_3        __UC_GIBB_OBFU > 2
#meta        __UC_GIBB_4        __UC_GIBB_OBFU > 3
#meta        __UC_GIBB_5        __UC_GIBB_OBFU > 4
#meta        __UC_GIBB_6        __UC_GIBB_OBFU > 5
#meta        __UC_GIBB_7        __UC_GIBB_OBFU > 6
meta        UC_GIBBERISH_OBFU  (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
describe    UC_GIBBERISH_OBFU  Multiple instances of "word VERYLONGGIBBERISH word"
score       UC_GIBBERISH_OBFU  3.000	# Limit
tflags      UC_GIBBERISH_OBFU  publish


#body        __B2B_HELP         /\bhelp(?:ing)? (?:businesses like yours|your business)\b/i
#body        __YOUR_BIZ         /\bbusiness(?:es) like yours|(?<!of )your b(?:usiness|rand)\b/i


# will be removed with immediate effect from any further mailing list
# wish to receive information from us in the future
# This-link http://www.nowyehue.com/bon/dds/ will end messages.
# stop receiving these emails
# Unsubscribe me from this list
# We are not promoting any kind of SPAM.
# recieve any kind promotional email form us
# To stop receiving these emails
# exclude yourself from further ad-messages
# removal options
# Stop PSA alert

#body        __UNSUB_PSA       /\bstop PSA alert\b/i

#body        __UNSUB_EXCL      /\bexclude yourself from further ad\b/i
#meta        UNSUB_EXCL        __UNSUB_EXCL
#score       UNSUB_EXCL        2.000	# limit

#body        __UNSUB_OPT       /\bremoval options?\b/i
#meta        UNSUB_OPT         __UNSUB_OPT
#score       UNSUB_OPT         2.000	# limit

# No "ip=" entry in the X-Spam-Relays-Trusted pseudo-header, i.e. no relay
# was classified as trusted.
header	    __NO_TRUSTED_RELAY	X-Spam-Relays-Trusted !~ /ip=/i

#body        CANT_SEE_AD       /\b(?:can(?:no|')?t|(?:aren'?t |not |un)able to) (?:view|read|see|scan|witness|consider|look at|participate in|take in|(?:make|check|scope) out|eye|scrutinize|watch|display|observe) (?:our|this|the) (?:commercial[-. ]|ad(?:v[-.]?ert[i1l]se-?ment)? |images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?images)\b/i
# "Can't see this ad/email? ..." image-blocked boilerplate. _1 is the
# generalised form of the commented-out rule above: the verb is any 1-2 words
# and punctuation/whitespace separators are allowed between tokens, so
# spaced-out or comma-split variants still match. _2 is the
# "problem viewing ... please click" phrasing.
body        __CANT_SEE_AD_1   /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
body        __CANT_SEE_AD_2   /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
meta        CANT_SEE_AD       (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
describe    CANT_SEE_AD       You really want to see our spam.
score       CANT_SEE_AD       2.500	# limit
tflags      CANT_SEE_AD       publish

# A path component of 128 or more lowercase hex digits.
uri         __128_HEX_URI     m,/[0-9a-f]{128},
#tflags      __128_HEX_URI     multiple maxhits=2
#uri         __192_HEX_URI     m,/[0-9a-f]{192},
#uri         __256_HEX_URI     m,/[0-9a-f]{256},
#uri         __384_HEX_URI     m,/[0-9a-f]{384},
#meta        __128_HEX_URI_SGL __128_HEX_URI == 1
#meta        __128_HEX_URI_MLT __128_HEX_URI > 1
# Exempts very short bodies. Deliberately references the __LCL__ wrapper
# rather than the plugin rule itself, so the meta resolves even when the
# BodyEval plugin (or its body-length check) is unavailable.
meta        LONG_HEX_URI      __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
describe    LONG_HEX_URI      Very long purely hexadecimal URI
score       LONG_HEX_URI      3.000	# limit
tflags      LONG_HEX_URI      publish

# Very long single-token path or query components, in three character-class
# strengths (lowercase-only, alphanumeric, any \w) and three lengths
# (128 / 64 / 45). The _URI forms require the run to end the URI; the _IMG
# forms require it to be followed by an image filename.
uri         __128_LC_URI        m;[/?][a-z]{128,}$;
uri         __128_LC_IMG        m;/[a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;
uri         __128_ALNUM_URI     m;[/?][0-9a-z]{128,}$;i
uri         __128_ALNUM_IMG     m;/[0-9a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;i
uri         __64_ANY_URI        m;[/?]\w{64,}$;i
uri         __64_ANY_IMG        m;/\w{64,}/\w+\.(?:png|gif|jpe?g)$;i
uri         __45_ALNUM_URI      m;[/?][0-9a-z]{45,}$;i
uri         __45_ALNUM_IMG      m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
# "_O" (only) variants exclude the stricter/longer classes so that each
# bucket is disjoint; the _URI_IMG combinations require both forms. None of
# these combinations is referenced by the scored rule below.
meta        __128_LC_URI_IMG    __128_LC_URI && __128_LC_IMG
meta        __128_ALNUM_URI_O   __128_ALNUM_URI && !__128_LC_URI
meta        __128_ALNUM_IMG_O   __128_ALNUM_IMG && !__128_LC_IMG
meta        __128_ALNUM_URI_IMG __128_ALNUM_URI_O && __128_ALNUM_IMG_O
meta        __64_ANY_URI_O      __64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta        __64_ANY_IMG_O      __64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta        __64_ALNUM_URI_IMG  __64_ANY_URI_O && __64_ANY_IMG_O
meta        __45_ALNUM_URI_O    __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta        __45_ALNUM_IMG_O    __45_ALNUM_IMG && !__64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta        __45_ALNUM_URI_IMG  __45_ALNUM_URI_O && __45_ALNUM_IMG_O

# Image URI with a 45+ alphanumeric path component -- typical of per-recipient
# tracking pixels ("web bugs").
meta        LONG_IMG_URI        __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO 
describe    LONG_IMG_URI        Image URI with very long path component - web bug?
score       LONG_IMG_URI        3.000	# limit
tflags      LONG_IMG_URI        publish


# Inline CSS with top/left offset of -100px or further (3-9 digits), i.e. an
# element positioned well outside the visible area -- a hidden-text trick.
rawbody     __HTML_OFF_PAGE   /;(?:top|left):-\d{3,9}px;/i
meta        HTML_OFF_PAGE     __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe    HTML_OFF_PAGE     HTML element rendered well off the displayed page
score       HTML_OFF_PAGE     3.000	# limit
tflags      HTML_OFF_PAGE     publish


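# Pump-and-dump stock promotion phrases. Each __PUMPDUMP_NN is a single-hit
# body subrule; the __PD_CNT_N ladder counts how many distinct phrases occur.
# PUMPDUMP (exactly one phrase) and PUMPDUMP_MULTI (two or more) are mutually
# exclusive so a message is scored by only one of them.
body        __PUMPDUMP_01     /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
body        __PUMPDUMP_02     /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
body        __PUMPDUMP_03     /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
body        __PUMPDUMP_04     /\bmake you (?:big bucks|hundreds|thousands)\b/i
body        __PUMPDUMP_05     /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
body        __PUMPDUMP_06     /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
body        __PUMPDUMP_07     /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
# Fixed: this previously read "\b?(:sto[ck]{2}|sotk) of the year" -- a "?"
# quantifier on the word boundary and a capturing group whose first character
# was a literal ":", so only ":stock of the year" could ever match. Now a
# plain non-capturing alternation like __PUMPDUMP_02 and __STOCK_TIP.
body        __PUMPDUMP_08     /\b(?:sto[ck]{2}|sotk) of the year/i
body        __PUMPDUMP_09     /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
body        __PUMPDUMP_10     /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
# Count thresholds; only __PD_CNT_1 is referenced in this section
# (PUMPDUMP_TIP below).
meta        __PD_CNT_1        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
meta        __PD_CNT_2        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
meta        __PD_CNT_3        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 2
meta        __PD_CNT_4        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 3
meta        __PD_CNT_5        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 4
meta        __PD_CNT_6        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 5
meta        __PD_CNT_7        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 6
meta        PUMPDUMP          (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
describe    PUMPDUMP          Pump-and-dump stock scam phrase
score       PUMPDUMP          1.000	# limit
tflags      PUMPDUMP          publish
meta        PUMPDUMP_MULTI    (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
describe    PUMPDUMP_MULTI    Pump-and-dump stock scam phrases
score       PUMPDUMP_MULTI    3.500	# limit
tflags      PUMPDUMP_MULTI    publish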

# "stock tip" / "stocktip", also the "stokc" transposition.
body        __STOCK_TIP       /\bsto[ck]{2}\s?tip\b/i
meta        STOCK_TIP         __STOCK_TIP && !__DKIM_EXISTS 
describe    STOCK_TIP         Stock tips
score       STOCK_TIP         3.000	# limit
tflags      STOCK_TIP         publish

# Stock tip together with at least one pump-and-dump phrase. No explicit
# score, so SpamAssassin's default applies.
meta        PUMPDUMP_TIP      __PD_CNT_1 && __STOCK_TIP
describe    PUMPDUMP_TIP      Pump-and-dump stock tip
tflags      PUMPDUMP_TIP      publish


#body        DR_OZ_OBFU        /\bD(?:r\.|oc(?:tor)?) ?0z\b/i
#describe    DR_OZ_OBFU        Obfuscated Doctor Oz
#
#body        DOC_OZ            /\b(?:doc oz|Dr\.?Oz)\b/
#describe    DOC_OZ            Doctor Oz


# "admail" / "ad-message(s)". The (?:\b|_) boundary accepts an underscore as
# a separator too, since \b does not treat "_" as a word boundary.
body        __ADMAIL          /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
meta        ADMAIL            __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS 
describe    ADMAIL            "admail" and variants
tflags      ADMAIL            publish

# Specific product phrase; scored directly as a body rule.
body        ORS               /\bOn-?line Rate Saver\b/i
describe    ORS               "Online Rate Saver"


# subrule version of MMartinec CR_IN_SUBJ
# Raw (undecoded) Subject containing a bare carriage return (\015).
header      __CR_IN_SUBJ      Subject:raw =~ /\015/


# "this ad" / "this advertisement" / "this promo(tion)", with "1"/"l" for
# "i" and hyphen/underscore/space separators; underscore accepted as boundary.
body        __THIS_AD         /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
meta        THIS_AD           __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD 
describe    THIS_AD           "This ad" and variants
tflags      THIS_AD           publish

# low S/O, legit subscribed marketing in masscheck corpus?
# "ad(vertising)/promo(tion)/marketing prefs/preferences/settings"; scored
# low because of the overlap with opted-in marketing mail noted above.
body        AD_PREFS          /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
describe    AD_PREFS          Advertising preferences
score       AD_PREFS          0.500	# limit
tflags      AD_PREFS          publish

#body        OPT_OUT           /\bOpt-Out Here\b/i
#score       OPT_OUT           2.000

# Opt-out links hosted on throwaway hostnames: first label is an opt-out verb
# (optionally followed by digits), then at least one more label, under an
# unusual TLD (.us/.me/.mobi/.club) or, for _3LD, a third-level name under
# .com/.net. Matched against the start of the URI (anchored "^https?://").
uri         URI_OPTOUT_USME   m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
describe    URI_OPTOUT_USME   Opt-out URI, unusual TLD
tflags      URI_OPTOUT_USME   publish

uri         URI_OPTOUT_3LD    m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
describe    URI_OPTOUT_3LD    Opt-out URI, suspicious hostname
score       URI_OPTOUT_3LD    2.000   # limit
tflags      URI_OPTOUT_3LD    publish

# Same shape for "try/start/get/..." call-to-action hostnames. The _3LD
# variant carves out known legitimate prefixes with negative lookaheads
# (get.adobe, checkout, visitor, mysub..., myturbotax).
uri         __URI_TRY_USME    m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
meta        URI_TRY_USME      __URI_TRY_USME && !__DKIM_EXISTS 
describe    URI_TRY_USME      "Try it" URI, unusual TLD
tflags      URI_TRY_USME      publish

uri         URI_TRY_3LD       m,^https?://(?:try|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)\w)[^.]*\.[^/]+\.(?:com|net)\b,i
describe    URI_TRY_3LD       "Try it" URI, suspicious hostname
score       URI_TRY_3LD       2.000   # limit
tflags      URI_TRY_3LD       publish



## REFINE THIS
#body        __INCOMING_FAX    /\bincoming fax\b/i
#body        __BANK            /\bbank\b/i
#body        __ACCT_STMT       /\bac(?:count|tivity) statement\b/i
#uri         __URI_DROPBOX     m,[/.]dropbox\.com\/,i
#meta        DROPBOX_MALW      (__INCOMING_FAX || (__BANK && __ACCT_STMT)) && __URI_DROPBOX && !ALL_TRUSTED 
#describe    DROPBOX_MALW      Spoofed FAX or bank statement with Dropbox link: PROBABLE MALWARE
#score       DROPBOX_MALW      10.00


# Obfuscated-keyword and brand-impersonation rules built on ReplaceTags: each
# <X> tag expands to the letter plus its look-alike characters, and the
# (?=<X>)(?!word) prefix requires an X-like first character while rejecting
# the correctly spelled word, so only obfuscated spellings hit. The brand
# rules (Wells Fargo, PayPal, Amazon, Apple, Microsoft, Norton, ...) are
# phishing indicators. The else branch supplies plain-regex or constant
# fallbacks only for the names referenced outside this block.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_UNSUBSCRIBE   /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i
  replace_rules FUZZY_UNSUBSCRIBE
  describe      FUZZY_UNSUBSCRIBE   Obfuscated "unsubscribe"
  tflags        FUZZY_UNSUBSCRIBE   publish

  body          FUZZY_ANDROID       /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i
  replace_rules FUZZY_ANDROID
  describe      FUZZY_ANDROID       Obfuscated "android"
  tflags        FUZZY_ANDROID       publish

  body          FUZZY_PROMOTION     /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i
  replace_rules FUZZY_PROMOTION
  describe      FUZZY_PROMOTION     Obfuscated "promotion"
  tflags        FUZZY_PROMOTION     publish

  body          FUZZY_PRIVACY       /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i
  replace_rules FUZZY_PRIVACY
  describe      FUZZY_PRIVACY       Obfuscated "privacy"
  tflags        FUZZY_PRIVACY       publish

  body          FUZZY_BROWSER       /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i
  replace_rules FUZZY_BROWSER
  describe      FUZZY_BROWSER       Obfuscated "browser"
  tflags        FUZZY_BROWSER       publish

  body          FUZZY_SAVINGS       /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i
  replace_rules FUZZY_SAVINGS
  describe      FUZZY_SAVINGS       Obfuscated "savings"
  tflags        FUZZY_SAVINGS       publish

  # Accepts an N-like second character as well as M-like ("inportant").
  body          FUZZY_IMPORTANT     /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i
  replace_rules FUZZY_IMPORTANT
  describe      FUZZY_IMPORTANT     Obfuscated "important"
  tflags        FUZZY_IMPORTANT     publish

  # Also rejects the plain Spanish "seguridad" and UTF-8 French "sécurité".
  body          FUZZY_SECURITY      /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
  replace_rules FUZZY_SECURITY
  describe      FUZZY_SECURITY      Obfuscated "security"
  tflags        FUZZY_SECURITY      publish

  # NOTE(review): unlike the sibling rules, the consuming part here starts
  # with <R> or <O><C> and never consumes a <D>, yet (?=<D>) requires a
  # D-like character at that same position. Unless the <D> tag overlaps
  # <R>/<O>, this can only match if those tag sets share characters; a
  # leading <D> after the lookaheads seems to be missing -- verify against
  # the ReplaceTags definitions before changing.
  body          __FUZZY_DR_OZ       /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
  replace_rules __FUZZY_DR_OZ
  meta          FUZZY_DR_OZ         __FUZZY_DR_OZ && !__VIA_ML
  describe      FUZZY_DR_OZ         Obfuscated Doctor Oz
  tflags        FUZZY_DR_OZ         publish

  # Allows <WS> (whitespace look-alikes) between letters; at least one
  # between the two words.
  body          FUZZY_CLICK_HERE    /(?=<C>)(?!click(?:\s|&nbsp;)here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
  replace_rules FUZZY_CLICK_HERE
  describe      FUZZY_CLICK_HERE    Obfuscated "click here"
  tflags        FUZZY_CLICK_HERE    publish

  # Optional hyphen/whitespace between every letter ("b-i-t-c-o-i-n").
  body          FUZZY_BITCOIN       /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
  replace_rules FUZZY_BITCOIN   
  describe      FUZZY_BITCOIN       Obfuscated "Bitcoin"
  tflags        FUZZY_BITCOIN       publish


  # Any spelling of "bitcoin", obfuscated or not (no (?!...) exclusion);
  # used by the BITCOIN_* metas after this block.
  body          __BITCOIN           /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
  replace_rules __BITCOIN   

  body          FUZZY_WALLET        /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i
  replace_rules FUZZY_WALLET    
  describe      FUZZY_WALLET        Obfuscated "Wallet"
  tflags        FUZZY_WALLET        publish

  meta          FUZZY_BTC_WALLET    FUZZY_BITCOIN && FUZZY_WALLET
  describe      FUZZY_BTC_WALLET    Heavily obfuscated "bitcoin wallet"
  tflags        FUZZY_BTC_WALLET    publish

  body          __FUZZY_MONERO      /(?=<M>)(?!monero)<M><O><N><E><R><O>/i
  replace_rules __FUZZY_MONERO

  # Checked in both the body and the From display name (display-name
  # spoofing of the brand).
  body          __FUZZY_WELLSFARGO_BODY  /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
  replace_rules __FUZZY_WELLSFARGO_BODY
  header        __FUZZY_WELLSFARGO_FROM  From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
  replace_rules __FUZZY_WELLSFARGO_FROM
  meta          FUZZY_WELLSFARGO         __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
  describe      FUZZY_WELLSFARGO         Obfuscated "Wells Fargo"

  # Exempted when the envelope and header From agree and the sender looks
  # automated (__ENV_AND_HDR_FROM_MATCH && __SENDER_BOT).
  body          __FUZZY_PORN        /(?=<P>)(?!pornograph?(?:y|ic|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i
  replace_rules __FUZZY_PORN      
  meta          FUZZY_PORN          __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
  describe      FUZZY_PORN          Obfuscated "Pornography" or "Pornographic"
  tflags        FUZZY_PORN          publish

  # The (?:^|\W) ... (?:$|\W) wrappers require the brand to stand alone as a
  # word rather than inside a longer token.
  body          FUZZY_AMAZON        /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i
  replace_rules FUZZY_AMAZON   
  describe      FUZZY_AMAZON        Obfuscated "amazon"
  tflags        FUZZY_AMAZON        publish

  body          FUZZY_APPLE         /(?:^|\W)(?=<A>)(?!apple)<A><P><P><L><E>(?:$|\W)/i
  replace_rules FUZZY_APPLE    
  describe      FUZZY_APPLE         Obfuscated "apple"
  tflags        FUZZY_APPLE         publish

  body          FUZZY_MICROSOFT     /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i
  replace_rules FUZZY_MICROSOFT
  describe      FUZZY_MICROSOFT     Obfuscated "microsoft"
  tflags        FUZZY_MICROSOFT     publish

  body          FUZZY_FACEBOOK      /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i
  replace_rules FUZZY_FACEBOOK  
  describe      FUZZY_FACEBOOK      Obfuscated "facebook"
  tflags        FUZZY_FACEBOOK      publish

  body          FUZZY_PAYPAL        /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i
  replace_rules FUZZY_PAYPAL   
  describe      FUZZY_PAYPAL        Obfuscated "paypal"
  tflags        FUZZY_PAYPAL        publish

  body          FUZZY_NORTON        /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i
  replace_rules FUZZY_NORTON   
  describe      FUZZY_NORTON        Obfuscated "norton"
  tflags        FUZZY_NORTON        publish

  body          FUZZY_OVERSTOCK     /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i
  replace_rules FUZZY_OVERSTOCK
  describe      FUZZY_OVERSTOCK     Obfuscated "overstock"
  tflags        FUZZY_OVERSTOCK     publish

else
  # Fallbacks so the metas after this block resolve without ReplaceTags:
  # __FUZZY_MONERO never fires, __BITCOIN becomes a plain (non-look-alike)
  # regex with the same optional separators.
  meta          __FUZZY_MONERO      0
  body          __BITCOIN           /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i
endif

# Bitcoin addresses as a URI path component: legacy Base58 (starting 1 or 3,
# character class excludes 0/O/I/l) or bech32 (bc1 followed by the bech32
# charset, which excludes 1/b/i/o).
uri            __URL_BTC_ID     m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);
# Same addresses in body text, including forms split with - _ = or whitespace
# between every character. (?<!=) avoids starting a match right after "=".
body           __BITCOIN_ID     /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/

# Defined outside the ifplugin block above so it exists in both cases
# (__FUZZY_MONERO is 0 when ReplaceTags is not loaded).
meta          FUZZY_MONERO        __FUZZY_MONERO
describe      FUZZY_MONERO        Obfuscated "Monero"
tflags        FUZZY_MONERO        publish

# Monero indicators: a 95-106 character Base58 address starting with "4",
# the literal currency label (case-sensitive), or a buy-monero URI.
body           __MONERO_ID      /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
body           __MONERO_CURNCY  /Monero \(XMR\)/
uri            __URI_MONERO     /buy-monero/i
meta           __MONERO         (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta           BTC_ORG          (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
else
  meta           BTC_ORG          (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST 
endif
describe       BTC_ORG          Bitcoin wallet ID + unusual header
score          BTC_ORG          2.500	# limit

meta           BITCOIN_PDF      __BITCOIN && __PDF_ATTACH
describe       BITCOIN_PDF      "Bitcoin" + PDF attachment
score          BITCOIN_PDF      2.500	# limit

meta           BITCOIN_MALF_HTML    HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)
describe       BITCOIN_MALF_HTML    Bitcoin + malformed HTML
score          BITCOIN_MALF_HTML    3.500	# limit

meta           __BITCOIN_XPRIO      __XPRIO && (__BITCOIN || __BITCOIN_ID)
meta           BITCOIN_XPRIO        __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY 
describe       BITCOIN_XPRIO        Bitcoin + priority
score          BITCOIN_XPRIO        2.500	# limit

meta           __BITCOIN_OBFU_SUBJ  __BITCOIN && __SUBJ_OBFU_PUNCT 
meta           BITCOIN_OBFU_SUBJ    __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI 
describe       BITCOIN_OBFU_SUBJ    Bitcoin + obfuscated subject
score          BITCOIN_OBFU_SUBJ    3.500	# limit
tflags         BITCOIN_OBFU_SUBJ    publish


# bitcoin obfuscation - tip o' the hat to Steve Zinski on the users list, with a little cleanup
body           __BTC_OBFU_2     /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
body           __BTC_OBFU_3     /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i

# seen in sloppy spam
body           __BTC_OBFU_5     /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i

# __BTC_OBFU_4 duplicates (to a degree) FUZZY_BITCOIN
# Use FUZZY_BITCOIN (more hits) if possible
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta           __OBFU_BITCOIN   ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
  meta           __OBFU_BITCOIN_NOID   ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
else
  # Fallback when ReplaceTags is unavailable: the character classes accept the
  # Cyrillic lookalikes U+0456 (i), U+0441 (c) and U+043E (o) so that homoglyph
  # substitution in "bitcoin" is still caught; the (?!itcoin) lookahead keeps
  # the plain, unobfuscated spelling from matching.
  body           __BTC_OBFU_4     /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
  meta           __OBFU_BITCOIN   ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
  meta           __OBFU_BITCOIN_NOID   ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
endif

meta           OBFU_BITCOIN     __OBFU_BITCOIN
describe       OBFU_BITCOIN     Obfuscated BitCoin references
score          OBFU_BITCOIN     3.000	# limit
tflags         OBFU_BITCOIN     publish

meta           BITCOIN_SPAM_01  __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
describe       BITCOIN_SPAM_01  BitCoin spam pattern 01
score          BITCOIN_SPAM_01  2.500	# limit
tflags         BITCOIN_SPAM_01  publish

meta           __BITCOIN_SPAM_02  __BITCOIN_ID && __BOTH_INR_AND_REF 
meta           BITCOIN_SPAM_02    __BITCOIN_SPAM_02 && !__URL_BTC_ID 
describe       BITCOIN_SPAM_02    BitCoin spam pattern 02
score          BITCOIN_SPAM_02    2.500	# limit
tflags         BITCOIN_SPAM_02    publish

meta           BITCOIN_SPAM_03  __BITCOIN_ID && __SINGLE_WORD_SUBJ
describe       BITCOIN_SPAM_03  BitCoin spam pattern 03
score          BITCOIN_SPAM_03  2.500	# limit
tflags         BITCOIN_SPAM_03  publish

meta           BITCOIN_SPAM_04  __BITCOIN_ID && __freemail_hdr_replyto
describe       BITCOIN_SPAM_04  BitCoin spam pattern 04
score          BITCOIN_SPAM_04  1.500	# limit
tflags         BITCOIN_SPAM_04  publish

meta           __BITCOIN_SPAM_05  __BITCOIN_ID && __SPOOFED_FREEMAIL 
meta           BITCOIN_SPAM_05    __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO 
describe       BITCOIN_SPAM_05    BitCoin spam pattern 05
score          BITCOIN_SPAM_05    2.500	# limit
tflags         BITCOIN_SPAM_05    net publish

meta           BITCOIN_SPAM_06  __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
describe       BITCOIN_SPAM_06  BitCoin spam pattern 06
score          BITCOIN_SPAM_06  1.500	# limit
tflags         BITCOIN_SPAM_06  publish

meta           __BITCOIN_SPAM_07  __BITCOIN_ID && __TO_EQ_FROM
meta           BITCOIN_SPAM_07    __BITCOIN_SPAM_07 && !__DKIM_EXISTS 
describe       BITCOIN_SPAM_07    BitCoin spam pattern 07
score          BITCOIN_SPAM_07    3.500	# limit
tflags         BITCOIN_SPAM_07    publish

meta           BITCOIN_SPAM_08  __BITCOIN_ID && __TO_IN_SUBJ 
describe       BITCOIN_SPAM_08  BitCoin spam pattern 08
score          BITCOIN_SPAM_08  2.500	# limit
tflags         BITCOIN_SPAM_08  publish

body           __DESTROY_YOU    /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i

meta           BITCOIN_SPAM_09  __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
describe       BITCOIN_SPAM_09  BitCoin spam pattern 09
score          BITCOIN_SPAM_09  1.500	# limit
tflags         BITCOIN_SPAM_09  publish

meta           BITCOIN_SPAM_10  __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
describe       BITCOIN_SPAM_10  BitCoin spam pattern 10
score          BITCOIN_SPAM_10  2.500	# limit
tflags         BITCOIN_SPAM_10  publish

meta           BITCOIN_SPAM_11  __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
describe       BITCOIN_SPAM_11  BitCoin spam pattern 11
score          BITCOIN_SPAM_11  2.500	# limit
tflags         BITCOIN_SPAM_11  publish

meta           BITCOIN_SPAM_12  __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
describe       BITCOIN_SPAM_12  BitCoin spam pattern 12
score          BITCOIN_SPAM_12  2.500	# limit
tflags         BITCOIN_SPAM_12  publish

body           __PAXFUL         /\bp-?a+-?x+-?f-?u+-?l\b/i

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __MY_VICTIM            /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
  replace_rules  __MY_VICTIM
  body           __MY_MALWARE           /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
  replace_rules  __MY_MALWARE
  body           __PAY_ME               /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i
  replace_rules  __PAY_ME
  body           __YOUR_PASSWORD        /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
  replace_rules  __YOUR_PASSWORD
  body           __YOUR_WEBCAM          /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i
  replace_rules  __YOUR_WEBCAM
  body           __YOUR_ONAN            /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
  replace_rules  __YOUR_ONAN
  body           __YOUR_PERSONAL        /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
  replace_rules  __YOUR_PERSONAL
  body           __HOURS_DEADLINE       /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
  replace_rules  __HOURS_DEADLINE
  body           __EXPLOSIVE_DEVICE     /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
  replace_rules  __EXPLOSIVE_DEVICE
else
  body           __MY_VICTIM            /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
  body           __MY_MALWARE           /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i
  body           __PAY_ME               /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i
  body           __YOUR_PASSWORD        /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
  body           __YOUR_WEBCAM          /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
  body           __YOUR_ONAN            /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
  body           __YOUR_PERSONAL        /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
  body           __HOURS_DEADLINE       /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
  body           __EXPLOSIVE_DEVICE     /\b(?:explosive\sdevice|bomb)\b/i
endif
meta           __EXTORT_MANY          (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3

meta           BITCOIN_EXTORT_01      (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
describe       BITCOIN_EXTORT_01      Extortion spam, pay via BitCoin
score          BITCOIN_EXTORT_01      5.000	# limit
tflags         BITCOIN_EXTORT_01      publish

meta           BITCOIN_EXTORT_02      __OBFU_BITCOIN_NOID && __EXTORT_MANY
describe       BITCOIN_EXTORT_02      Extortion spam, pay via BitCoin
score          BITCOIN_EXTORT_02      5.000	# limit
tflags         BITCOIN_EXTORT_02      publish

meta           BITCOIN_PAY_ME         __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
describe       BITCOIN_PAY_ME         Pay me via BitCoin
score          BITCOIN_PAY_ME         3.000	# limit
tflags         BITCOIN_PAY_ME         publish

meta           BITCOIN_DEADLINE       __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
describe       BITCOIN_DEADLINE       BitCoin with a deadline
score          BITCOIN_DEADLINE       3.000	# limit
tflags         BITCOIN_DEADLINE       publish

meta           BITCOIN_YOUR_INFO      __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
describe       BITCOIN_YOUR_INFO      BitCoin with your personal info
score          BITCOIN_YOUR_INFO      3.000	# limit
tflags         BITCOIN_YOUR_INFO      publish

meta           BITCOIN_MALWARE        __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
describe       BITCOIN_MALWARE        BitCoin + malware bragging
score          BITCOIN_MALWARE        3.500	# limit
tflags         BITCOIN_MALWARE        publish

meta           BITCOIN_BOMB           __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
describe       BITCOIN_BOMB           BitCoin + bomb
score          BITCOIN_BOMB           3.000	# limit
tflags         BITCOIN_BOMB           publish

meta           MONERO_EXTORT_01       __MONERO && __EXTORT_MANY
describe       MONERO_EXTORT_01       Extortion spam, pay via Monero cryptocurrency
score          MONERO_EXTORT_01       5.000	# limit
tflags         MONERO_EXTORT_01       publish

meta           MONERO_PAY_ME          __MONERO && __PAY_ME && !MONERO_EXTORT_01
describe       MONERO_PAY_ME          Pay me via Monero cryptocurrency
score          MONERO_PAY_ME          3.000	# limit
tflags         MONERO_PAY_ME          publish

meta           MONERO_DEADLINE        __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
describe       MONERO_DEADLINE        Monero cryptocurrency with a deadline
score          MONERO_DEADLINE        3.000	# limit
tflags         MONERO_DEADLINE        publish

meta           MONERO_MALWARE         __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
describe       MONERO_MALWARE         Monero cryptocurrency + malware bragging
score          MONERO_MALWARE         3.500	# limit
tflags         MONERO_MALWARE         publish

meta           BOMB_FREEM             __EXPLOSIVE_DEVICE && __freemail_hdr_replyto 
describe       BOMB_FREEM             Bomb + freemail
score          BOMB_FREEM             2.000	# limit
tflags         BOMB_FREEM             publish

meta           BOMB_MONEY             __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
describe       BOMB_MONEY             Bomb + money: bomb threat?
score          BOMB_MONEY             2.500	# limit
tflags         BOMB_MONEY             publish

meta           __MALWARE_NORDNS       __MY_MALWARE && __RDNS_NONE 
meta           MALWARE_NORDNS         __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe       MALWARE_NORDNS         Malware bragging + no rDNS
score          MALWARE_NORDNS         3.500	# limit
tflags         MALWARE_NORDNS         publish

# 100% overlap with __MALWARE_NORDNS
#meta           __MALWARE_IP_NORDNS    __MY_MALWARE && __HELO_MISC_IP && __RDNS_NONE 

meta           __MALWARE_PASSWORD     __MY_MALWARE && __PASSWORD 
meta           MALWARE_PASSWORD       __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe       MALWARE_PASSWORD       Malware bragging + "password"
score          MALWARE_PASSWORD       3.500	# limit
tflags         MALWARE_PASSWORD       publish



#body          NUM_FREE         /\b\d+free/i
#describe      NUM_FREE         Number + free

# seen in spam (malware?) 07/2014
#header         __DATE_SPACEY    ALL:raw =~ /\nDate:\s{8}/ism

#uri           __FSL_LINK_AWS_S3_WEB_LOOSE       m,^https?://(?:[^./]+\.)*s3[^./]+\.amazonaws\.com,i


uri            __URI_DQ_UNSUB   m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
meta           URI_DQ_UNSUB     __URI_DQ_UNSUB
describe       URI_DQ_UNSUB     IP-address unsubscribe URI
tflags         URI_DQ_UNSUB     publish

uri            __URI_GOOGLE_PROXY     m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
meta           URI_GOOGLE_PROXY       __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID 
describe       URI_GOOGLE_PROXY       Accessing a blacklisted URI or obscuring source of phish via Google proxy?
tflags         URI_GOOGLE_PROXY       publish

# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta           RPATH_NULL_CTCQ        __BOUNCE_RPATH_NULL && __CTYPE_CHARSET_QUOTED && !__VIA_ML && !__SUBJECT_ENCODED_QP && !ANY_BOUNCE_MESSAGE && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_STYLE && !__TAG_EXISTS_STYLE && !__HAS_THREAD_INDEX 
#score          RPATH_NULL_CTCQ        2.000   # limit

# Counts lines made of exactly ten lowercase words followed by a lone ".".
# maxhits=21 is deliberately one above the "> 20" threshold below so the
# counter can actually reach it without scanning the whole body unbounded.
rawbody        __TENWORD_GIBBERISH    /^\s*(?:[a-z]+\s+){10}\.$/m
tflags         __TENWORD_GIBBERISH    multiple maxhits=21
meta           TW_GIBBERISH_MANY      __TENWORD_GIBBERISH > 20
describe       TW_GIBBERISH_MANY      Lots of gibberish text to spoof pattern matching filters
score          TW_GIBBERISH_MANY      2.000   # limit
tflags         TW_GIBBERISH_MANY      publish

#body           __OPTOUT_BRKT          /\[(?:unsub(?:scribe)|remove(?: me)|leave)\]/i
#tflags         __OPTOUT_BRKT          multiple maxhits=2
#meta           OPTOUT_BRKT_MANY       __OPTOUT_BRKT > 1
#describe       OPTOUT_BRKT_MANY       Repetitive opt-outs
#score          OPTOUT_BRKT_MANY       2.000   # limit


# Oh, the humanity! Is there no better way?
#full           __RECIP_IN_URL_DOM     m;^Received:[^:]{1,400}?\sfor\s<(\w+)\@.+?https?://\1\d*\.;ism
#describe       __RECIP_IN_URL_DOM     Recipient in body URL
#tflags         __RECIP_IN_URL_DOM     nopublish



# reported on users list 09/2014 jdebert <jdebert@garlic.com>
header      RCVD_DBL_DQ                Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe    RCVD_DBL_DQ                Malformatted message header
tflags      RCVD_DBL_DQ                publish

# reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
header    __RAND_HEADER                ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
tflags    __RAND_HEADER                multiple maxhits=4
meta      __RAND_HEADER_2              __RAND_HEADER > 1
meta      __RAND_HEADER_3              __RAND_HEADER > 2
meta      __RAND_HEADER_4              __RAND_HEADER > 3

#meta      RAND_HEADER                  __RAND_HEADER && !RAND_HEADER_MANY && !__MIME_BASE64 
#describe  RAND_HEADER                  Random gibberish message header(s)
#score     RAND_HEADER                  3.000   # limit
#tflags    RAND_HEADER                  publish

meta      RAND_HEADER_LIST_SPOOF       __RAND_HEADER && __LIST_PARTIAL 
describe  RAND_HEADER_LIST_SPOOF       Random gibberish message header(s) + pretending to be a mailing list
score     RAND_HEADER_LIST_SPOOF       3.000   # limit
tflags    RAND_HEADER_LIST_SPOOF       publish

meta      RAND_HEADER_MANY             __RAND_HEADER_2
describe  RAND_HEADER_MANY             Multiple random gibberish message headers
score     RAND_HEADER_MANY             3.000   # limit
tflags    RAND_HEADER_MANY             publish

header    __RAND_MKTG_HEADER           ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism
meta      RAND_MKTG_HEADER             __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS 
describe  RAND_MKTG_HEADER             Has partially-randomized marketing/tracking header(s)
score     RAND_MKTG_HEADER             3.000	# limit
tflags    RAND_MKTG_HEADER             publish


#body      FR_SPAM_LAW                  /article 34 de la loi 78-17\b/i
#describe  FR_SPAM_LAW                  References French privacy law
#score     FR_SPAM_LAW                  1.000   # limit

body      __EDGER_HOOVER                /\bedger hoover\b/i
header    __FM_EDGER_HOOVER             From =~ /\bedger hoover\b/i

body      __MYSTERY_SHOPPER             /\bmystery shoppers?\b/i

header    __HAS_X_NO_RELAY              exists:X-No-Relay
meta      HAS_X_NO_RELAY                __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 
describe  HAS_X_NO_RELAY                Has spammy header
score     HAS_X_NO_RELAY                2.500	# limit
tflags    HAS_X_NO_RELAY                publish


header    __DUP_SUSP_HDR                ALL =~ /\n(X-No-Relay)\s*:[ 	][^\n]{1,100}\n\1\s*:[ 	]/ism
meta      DUP_SUSP_HDR                  __DUP_SUSP_HDR
describe  DUP_SUSP_HDR                  Duplicate suspicious message headers
score     DUP_SUSP_HDR                  2.500	# limit

# seen 10/2014: "https://www.google.com/url?q=https://copy.com/ApbFn2848pQm/ShippingInvoice_6974.PDF.scr?download=1&sa=D&sntz=1&usg=AFQjCNGhvWhljnujQlP85tA6YUsddfuJow"
uri       __GOOG_MALWARE_DNLD           m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
meta      GOOG_MALWARE_DNLD             __GOOG_MALWARE_DNLD
describe  GOOG_MALWARE_DNLD             File download via Google - Malware?
score     GOOG_MALWARE_DNLD             5.000   # limit
tflags    GOOG_MALWARE_DNLD             publish

uri       __GOOG_REDIR                  m;^https?://[^/]*\.google\.com/url\?;i
uri       __GOOG_REDIR_IMG              m;^https?://[^/]*\.google\.com/url\?(?:[^&]+\&)*q=https?://.*\.(?:png|gif|jpe?g)(?=$|\?|\&);i
tflags    __GOOG_REDIR_IMG              multiple
uri       __GOOG_REDIR_HTML             m;^https?://[^/]*\.google\.com/url\?(?:[^&]+\&)*q=https?://.*\.html?(?=$|\?|\&);i
uri       __GOOG_REDIR_ARCHV            m;^https?://[^/]*\.google\.com/url\?(?:[^&]+\&)*q=https?://.*\.(?:ace|zip|7z|rar)(?=$|\?|\&);i

uri       __GOOG_PROXY_IMG              m;^https?://[^.]+\.googleusercontent\.com/proxy/.*\.(?:png|gif|jpe?g)(?=$|\?|\&);i
tflags    __GOOG_PROXY_IMG              multiple
uri       __GOOG_PROXY_HTML             m;^https?://[^.]+\.googleusercontent\.com/proxy/.*\.html?(?=$|\?|\&);i
uri       __GOOG_PROXY_ARCHV            m;^https?://[^.]+\.googleusercontent\.com/proxy/.*\.(?:ace|zip|7z|rar)(?=$|\?|\&);i

uri       __DDG_REDIR                   m;^https?://(?:proxy|external-content)\.duckduckgo\.com/iu/\?(?:[^&]+\&)*u=https?://;i
uri       __DDG_REDIR_IMG               m;^https?://(?:proxy|external-content)\.duckduckgo\.com/iu/\?(?:[^&]+\&)*u=https?://.*\.(?:png|gif|jpe?g)(?=$|\?|\&);i
tflags    __DDG_REDIR_IMG               multiple
uri       __DDG_REDIR_HTML              m;^https?://(?:proxy|external-content)\.duckduckgo\.com/iu/\?(?:[^&]+\&)*u=https?://.*\.html?(?=$|\?|\&);i
uri       __DDG_REDIR_ARCHV             m;^https?://(?:proxy|external-content)\.duckduckgo\.com/iu/\?(?:[^&]+\&)*u=https?://.*\.(?:ace|zip|7z|rar)(?=$|\?|\&);i


body      ONLINE_MKTG_CNSLT             /\bonline marketing consultant\b/i

body      SOLICIT_BIZ                   /\bbusiness solicitation messag/i

body      __SPELLED_OUT_NUM             /\b(?:(?:one|two|three|four|five|six|seven|eight|nine|zero)[\s_-]?){4,}/i
meta      SPELLED_OUT_NUMBER            __SPELLED_OUT_NUM && !__DKIM_EXISTS 
describe  SPELLED_OUT_NUMBER            Spelled out a number (one two three)
score     SPELLED_OUT_NUMBER            3.000   # limit

body      __NUM_SPCD_LTRS               /\d{4}\s(?:[a-z]\s){5}/i


header    __SUBJ_UNNEEDED_HTML          Subject =~ /%[0-9a-f][0-9a-f]/i
tflags    __SUBJ_UNNEEDED_HTML          multiple maxhits=3
meta      __SUBJ_UNNEEDED_HTML_MANY     __SUBJ_UNNEEDED_HTML > 1
meta      SUBJ_UNNEEDED_HTML            __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML 
describe  SUBJ_UNNEEDED_HTML            Unneeded HTML formatting in Subject:

body      __HELP_YOU_SUCCEED            /\bhelp you succeed\b/i

body      __WANT_BIZ                    /\b(?:I|we) want your business\b/i

meta      TEQF_USR_MSGID_MALF           __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 
describe  TEQF_USR_MSGID_MALF           To and from user nearly same + malformed message ID
tflags    TEQF_USR_MSGID_MALF           publish

meta      TEQF_USR_MSGID_HEX            __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
describe  TEQF_USR_MSGID_HEX            To and from user nearly same + unusual message ID
tflags    TEQF_USR_MSGID_HEX            publish

meta      TEQF_USR_IMAGE                __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH 
describe  TEQF_USR_IMAGE                To and from user nearly same + image
tflags    TEQF_USR_IMAGE                publish

meta      TEQF_USR_POLITE               __TO_EQ_FROM_USR_NN && __FRAUD_IRT 
describe  TEQF_USR_POLITE               To and from user nearly same + polite greeting
score     TEQF_USR_POLITE               2.000	# limit

meta      __MSGID_HEX_MALF              __MSGID_NOFQDN2 && __MSGID_OK_HEX

meta      __URI_ONLY_MSGID_MALF         __BODY_URI_ONLY && __MSGID_NOFQDN2
# NOTE(review): the ifplugin/else/endif lines around the two definitions
# below are commented out, so BOTH meta lines for URI_ONLY_MSGID_MALF are
# active. Presumably the later one (without !RCVD_IN_DNSWL_LOW) is the one
# that takes effect, while the "tflags ... net" line from the first branch is
# still parsed; whether that net flag survives the later "tflags ... publish"
# depends on whether SpamAssassin replaces or merges tflags — verify. If the
# DNSWL exclusion is wanted, uncomment the conditional.
#ifplugin Mail::SpamAssassin::Plugin::DNSEval
  meta      URI_ONLY_MSGID_MALF           __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW
  tflags    URI_ONLY_MSGID_MALF           net
#else
  meta      URI_ONLY_MSGID_MALF           __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
#endif
describe  URI_ONLY_MSGID_MALF           URI only + malformed message ID
score     URI_ONLY_MSGID_MALF           2.000	# limit
tflags    URI_ONLY_MSGID_MALF           publish

# These may be a bit risky: the masscheck ham corpus may not
# reflect how often these are legitimate in real life...
meta      GOOG_REDIR_SHORT              __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 
describe  GOOG_REDIR_SHORT              Google redirect to obscure spamvertised website + short message
tflags    GOOG_REDIR_SHORT              publish

meta      GOOG_REDIR_NORDNS             __GOOG_REDIR && RDNS_NONE
describe  GOOG_REDIR_NORDNS             Google redirect to obscure spamvertised website + no rDNS

meta      GOOG_REDIR_HTML_ONLY          (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512
describe  GOOG_REDIR_HTML_ONLY          Google redirect to obscure spamvertised website + HTML only
score     GOOG_REDIR_HTML_ONLY          2.000	# limit

rawbody   __LONG_INVIS_DIV              /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i

# low S/O, apparently lots of invisible ham...
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  rawbody   __STY_INVIS                   /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
  tflags    __STY_INVIS                   multiple maxhits=6
  meta      __STY_INVIS_1                 __STY_INVIS == 1
  meta      __STY_INVIS_2                 __STY_INVIS > 1
  meta      __STY_INVIS_3                 __STY_INVIS > 2
  meta      __STY_INVIS_MANY              __STY_INVIS > 5

  # Widely used in ham for hiding tracking images? See how it performs on non-IMG tags...
  # S/O the same. :(
  #rawbody   __STY_INVIS_NONIMG            /<(?!img\s)[a-z]+\s[^>]{0,200}\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i

  # *one* invisible style has better S/O than multiple...
  meta      __STY_INVIS_1_MINFP           __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID && !__FROM_ADDRLIST_PAYPAL 

  meta      HTML_TEXT_INVISIBLE_STYLE     __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL ||  __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX 
  describe  HTML_TEXT_INVISIBLE_STYLE     HTML hidden text + other spam signs
  score     HTML_TEXT_INVISIBLE_STYLE     3.500   # limit
  tflags    HTML_TEXT_INVISIBLE_STYLE     publish

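  # hidden-style text on a long line (__LONGLINE); the FP-avoidance terms
  # below apply only to this variant, __LONG_INVIS_DIV fires on its own.
  meta      __LONG_STY_INVIS              __STY_INVIS && __LONGLINE
  # __RCD_RDNS_MTA_MESSY and __USING_VERP1 were each listed twice in the
  # negation list; a repeated AND term changes nothing, so each is kept once.
  # describe/score/tflags for LONG_INVISIBLE_TEXT are set outside this block.
  meta      LONG_INVISIBLE_TEXT           __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE )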

  meta      __STY_INVIS_DIRECT            __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED 
  meta      STY_INVIS_DIRECT              __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK 
  describe  STY_INVIS_DIRECT              HTML hidden text + direct-to-MX
  score     STY_INVIS_DIRECT              2.500	# limit

else
  meta      LONG_INVISIBLE_TEXT           __LONG_INVIS_DIV
endif

# try it on span tags only...
rawbody   __SPAN_INVIS                  /<span\s[^>]{0,200}style\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!][^>]{1,200}>/i

describe  LONG_INVISIBLE_TEXT           Long block of hidden text - bayes poison?
score     LONG_INVISIBLE_TEXT           3.000	# limit
tflags    LONG_INVISIBLE_TEXT           publish


if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  # Lots of ham uses invisible fonts - WHY?
  rawbody   __FONT_INVIS                  /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
  tflags    __FONT_INVIS                  multiple maxhits=11
  meta      __FONT_INVIS_2                __FONT_INVIS > 2
  meta      __FONT_INVIS_5                __FONT_INVIS > 5
  meta      __FONT_INVIS_10               __FONT_INVIS > 10
  meta      __FONT_INVIS_MANY             __FONT_INVIS_2
  meta      HTML_TEXT_INVISIBLE_FONT      __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID 
  describe  HTML_TEXT_INVISIBLE_FONT      HTML hidden text - word obfuscation?
  score     HTML_TEXT_INVISIBLE_FONT      2.000   # limit
  tflags    HTML_TEXT_INVISIBLE_FONT      publish

  # Does this hit less ham while still hitting spam?
  rawbody   __WORD_INVIS                  /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
  tflags    __WORD_INVIS                  multiple maxhits=6
  meta      __WORD_INVIS_2                __WORD_INVIS > 1
  meta      __WORD_INVIS_5                __WORD_INVIS > 5

  meta      __WORD_INVIS_MINFP            __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID 
  meta      WORD_INVIS                    __WORD_INVIS_MINFP && !WORD_INVIS_MANY
  describe  WORD_INVIS                    A hidden word
  score     WORD_INVIS                    3.000	# limit
  tflags    WORD_INVIS                    publish

  meta      WORD_INVIS_MANY               __WORD_INVIS_2
  describe  WORD_INVIS_MANY               Multiple individual hidden words
  score     WORD_INVIS_MANY               3.000	# limit
  tflags    WORD_INVIS_MANY               publish


  meta      __FONT_INVIS_LONG_LINE        __FONT_INVIS && __LONGLINE 
  meta      FONT_INVIS_LONG_LINE          __FONT_INVIS_LONG_LINE && !__HTML_SINGLET 
  describe  FONT_INVIS_LONG_LINE          Invisible text + long lines
  score     FONT_INVIS_LONG_LINE          3.000	# limit
  tflags    FONT_INVIS_LONG_LINE          publish

  meta      __FONT_INVIS_NORDNS           __FONT_INVIS && __RDNS_NONE 
  meta      FONT_INVIS_NORDNS             __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER 
  describe  FONT_INVIS_NORDNS             Invisible text + no rDNS
  score     FONT_INVIS_NORDNS             2.500	# limit
  tflags    FONT_INVIS_NORDNS             publish

  meta      FONT_INVIS_POSTEXTRAS         (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
  describe  FONT_INVIS_POSTEXTRAS         Invisible text + suspicious URI
  score     FONT_INVIS_POSTEXTRAS         3.500	# limit
  tflags    FONT_INVIS_POSTEXTRAS         publish

  meta      __FONT_INVIS_MSGID            __FONT_INVIS && __MSGID_OK_HOST 
  meta      FONT_INVIS_MSGID              __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX 
  describe  FONT_INVIS_MSGID              Invisible text + suspicious message ID
  score     FONT_INVIS_MSGID              2.500	# limit
  tflags    FONT_INVIS_MSGID              publish

  meta      __FONT_INVIS_HTML_NOHTML      __FONT_INVIS && HTML_MIME_NO_HTML_TAG 
  meta      FONT_INVIS_HTML_NOHTML        __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG 
  describe  FONT_INVIS_HTML_NOHTML        Invisible text + malformed HTML
  score     FONT_INVIS_HTML_NOHTML        3.000	# limit
  tflags    FONT_INVIS_HTML_NOHTML        publish


#  meta      __FONT_INVIS_NAKED_TO         __FONT_INVIS && __NAKED_TO
#  meta      FONT_INVIS_NAKED_TO           __FONT_INVIS_NAKED_TO && !__ML3 && !__HAS_ERRORS_TO
#  describe  FONT_INVIS_NAKED_TO           Invisible text + suspicious To
#  score     FONT_INVIS_NAKED_TO           2.500	# limit

  meta      __FONT_INVIS_CENTER           __FONT_INVIS && __TAG_EXISTS_CENTER 
  meta      __FONT_INVIS_SINGLET          __FONT_INVIS && __HTML_SINGLET 

  meta      __FONT_INVIS_DIRECT           __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED 
  meta      FONT_INVIS_DIRECT             __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX 
  describe  FONT_INVIS_DIRECT             Invisible text + direct-to-MX
  score     FONT_INVIS_DIRECT             3.500	# limit
  tflags    FONT_INVIS_DIRECT             publish

  meta      __FONT_INVIS_DOTGOV           __FONT_INVIS && __URI_DOTGOV 
  meta      FONT_INVIS_DOTGOV             __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID 
  describe  FONT_INVIS_DOTGOV             Invisible text + .gov URI
  score     FONT_INVIS_DOTGOV             3.500	# limit
  tflags    FONT_INVIS_DOTGOV             publish

endif

# Adapted from the SARE rule __SARE_HTML_SINGLET
# A tag whose entire content is a single letter, a quote character or one
# numeric character reference (">x<", ">&#120;<"): text chopped into
# per-character markup.  maxhits=21 is just enough for the "> 20" test below.
rawbody   __HTML_SINGLET                />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
tflags    __HTML_SINGLET                multiple maxhits=21
meta      __HTML_SINGLET_10             __HTML_SINGLET > 10
meta      __HTML_SINGLET_MANY           __HTML_SINGLET > 20
meta      HTML_SINGLET_MANY             __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP 
describe  HTML_SINGLET_MANY             Many single-letter HTML format blocks
score     HTML_SINGLET_MANY             2.500   # limit
tflags    HTML_SINGLET_MANY             publish

meta      SINGLETS_LOW_CONTRAST         __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
describe  SINGLETS_LOW_CONTRAST         Single-letter formatted HTML + hidden text
tflags    SINGLETS_LOW_CONTRAST         publish

# per users list, 10-11 2014
uri       MALWARE_HACKED_URI            m;/(?:dropbox|googlebox|bank\w+|newgdoc)/(?:doc(?:ument)?|invoice|message|index)\.php$;
describe  MALWARE_HACKED_URI            Malware or phishing hosted-file URI at hacked webserver

uri       __HACKED_PHP_URI              m;/\w+/(?:doc(?:ument)?|invoice|message)\.php$;
meta      HACKED_PHP_URI                __HACKED_PHP_URI
describe  HACKED_PHP_URI                Possible phishing/malware URI
score     HACKED_PHP_URI                2.000     # limit

# very poor S/O - this appears a lot more in ham than in spam??
#body      __PUNCT_ODD_SPACING           /[a-z]{3}\s+[.,][a-z]{3}/
#tflags    __PUNCT_ODD_SPACING           multiple maxhits=3
#meta      __PUNCT_ODD_SPACING_MANY      __PUNCT_ODD_SPACING > 2

# poor S/O - how is this in ham?
#header    XMAILER_MANY                  ALL =~ /\nX-Mailer:(?:[^\n]+\n)+X-Mailer:/ism
#describe  XMAILER_MANY                  Has multiple X-Mailer: headers

body      __RAW_TOKEN_BODY              /\#(?:(?:First|Last)Name|Email)\#/i
#header    __RAW_TOKEN_HDR               ALL =~ /\$(?:rand[^$]{0,10})\$/i
#tflags    __RAW_TOKEN                   multiple maxhits=3
#meta      RAW_TOKENS                    __RAW_TOKEN > 2
#describe  RAW_TOKENS                    Raw mail merge tokens in body

header    __REPTO_CHN_FREEM             Reply-To =~ /\@(?:sina|aliyun)\.com/i

meta      __SPOOFED_FREEM_REPTO         __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
tflags    __SPOOFED_FREEM_REPTO         net

meta      SPOOFED_FREEM_REPTO_CHN       (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
describe  SPOOFED_FREEM_REPTO_CHN       Forged freemail sender with Chinese freemail reply-to
score     SPOOFED_FREEM_REPTO_CHN       3.500
tflags    SPOOFED_FREEM_REPTO_CHN       net publish

header    __REPTO_RUS_FREEM             Reply-To =~ /\@mail\.ru/i

meta      SPOOFED_FREEM_REPTO_RUS       (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
describe  SPOOFED_FREEM_REPTO_RUS       Forged freemail sender with Russian freemail reply-to
score     SPOOFED_FREEM_REPTO_RUS       3.500
tflags    SPOOFED_FREEM_REPTO_RUS       net publish

meta      SPOOFED_FREEM_REPTO           __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX 
describe  SPOOFED_FREEM_REPTO           Forged freemail sender with freemail reply-to
score     SPOOFED_FREEM_REPTO           2.500
tflags    SPOOFED_FREEM_REPTO           net publish


#header    __VERY_LONG_REPTO             Reply-To =~ /[^<\s\@]{25,}\@/
#meta      __VERY_LONG_REPTO_SHORT_MSG   __VERY_LONG_REPTO && __HTML_LENGTH_0000_1024
#meta      VERY_LONG_REPTO_SHORT_MSG     __VERY_LONG_REPTO_SHORT_MSG && !__VIA_ML && !__TO_EQ_FROM_DOM && !__THREAD_INDEX_GOOD 
#describe  VERY_LONG_REPTO_SHORT_MSG     Very long Reply-To username + short message
#score     VERY_LONG_REPTO_SHORT_MSG     2.500	# limit
#tflags    VERY_LONG_REPTO_SHORT_MSG     publish
#
#ifplugin Mail::SpamAssassin::Plugin::FreeMail
#  meta      __VERY_LONG_FREEM_REPTO       __VERY_LONG_REPTO && FREEMAIL_REPLYTO
#  meta      VERY_LONG_FREEM_REPTO         __VERY_LONG_FREEM_REPTO
#  describe  VERY_LONG_FREEM_REPTO         Very long freemail Reply-To username
#  score     VERY_LONG_FREEM_REPTO         2.500	# limit
#  tflags    VERY_LONG_FREEM_REPTO         publish
#endif

#	for <steve.stewart@fastnet.co.uk>; Mon, 2 Nov 2015 14:27:08 GMT
#        (envelope-from fastnet.co.uk.12056010.steve.stewart@vmta27.topreasonstovisit.com)
# S/O low, seems to be common in legit mailing lists
# Maybe in meta with "not a mailing list" rules?
#header    __RECIP_IN_ENV_FM_01          Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+\2\.\d+\.\1\@/i
#header    __RECIP_IN_ENV_FM_02          Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+[^@]*\2[^@]*\@/i


uri        URI_MALWARE_CWALL            /\/abuse_report\.php\?(?!username=)[^&\s.]{1,100}\./i
describe   URI_MALWARE_CWALL            Potential CryptoWall malware URL


meta       __LIST_PARTIAL_SHORT_MSG     __HTML_LENGTH_0000_1024 && __LIST_PARTIAL 
meta       LIST_PARTIAL_SHORT_MSG       __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS
describe   LIST_PARTIAL_SHORT_MSG       Incomplete mailing list headers + short message
score      LIST_PARTIAL_SHORT_MSG       2.500	# limit

# duplicates __HAS_MSMAIL_PRI
#header      __FH_HAS_XMSMAIL   exists:X-MSMail-Priority

meta       __BOGUS_MSM_HDRS             __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
meta       BOGUS_MSM_HDRS               __BOGUS_MSM_HDRS
describe   BOGUS_MSM_HDRS               Apparently bogus Microsoft email headers
score      BOGUS_MSM_HDRS               3.000	# limit
tflags     BOGUS_MSM_HDRS               publish

#meta       __BOGUS_MSM_PRIO             __HAS_MSMAIL_PRI && __HDR_ORDER_FTSDMCXXXX
#meta       __BOGUS_MSM_PRIO_MINFP       __BOGUS_MSM_PRIO && !__BOGUS_MSM_HDRS && !__MSGID_NOFQDN2 && !__ANY_OUTLOOK_MUA && !__RCD_RDNS_MAIL_MESSY

meta       __MSM_PRIO_REPTO             __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT 
meta       MSM_PRIO_REPTO              __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH 
describe   MSM_PRIO_REPTO              MSMail priority header + Reply-to + short subject
score      MSM_PRIO_REPTO              2.500	# limit
tflags     MSM_PRIO_REPTO              publish

header     __XM_YAMAIL                 X-Mailer =~ /^Yamail/


# __GATED_THROUGH_RCVD_REMOVER includes messages with no Received headers *at all*.
# Don't consider those; only consider the ones where *some* Received headers may have been removed.
meta        __RCVD_RMV_PARTIAL __GATED_THROUGH_RCVD_REMOVER && __HAS_RCVD

# Compare __GATED_THROUGH_RCVD_REMOVER and "via ezmlm"
header      __ML_EZMLM         Mailing-List =~ /\bezmlm\b/


# easy for spammers to put an encrypted/signed Content-Type on a message that isn't, and still have it displayed to the recipient? Only the Content-Type header is checked below, not whether any payload is actually encrypted.
#header  KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
header     __CT_ENCRYPTED              Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
meta       ENCRYPTED_MESSAGE           __CT_ENCRYPTED
describe   ENCRYPTED_MESSAGE           Message is encrypted, not likely to be spam
score      ENCRYPTED_MESSAGE           -1.000
tflags     ENCRYPTED_MESSAGE           nice publish


#body       __PHONE_GIBBERISH_01        /(?:\b\d\d\d-\d\d\d-\d\d\d\d\s+[a-z][^\d\s:.]+\s+){15}/

header      __HAS_GMX_BULK             exists:X-Gmx-Bulk

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
  body       __HTML_TAG_BALANCE_CENTER     eval:html_tag_balance('center', '!= 0')
  meta       HTML_TAG_BALANCE_CENTER       __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY 
  describe   HTML_TAG_BALANCE_CENTER       Malformatted HTML
endif


# more random garbage message headers 01/2016
header     __HDR_CASE_REVERSED         ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
tflags     __HDR_CASE_REVERSED         multiple maxhits=4
meta       __HDR_CASE_REV_MANY         (__HDR_CASE_REVERSED > 3)

meta       HDR_CASE_REV_MANY           __HDR_CASE_REV_MANY
describe   HDR_CASE_REV_MANY           Multiple malformed (possibly random gibberish) message headers
score      HDR_CASE_REV_MANY           2.000	# limit

meta       HDR_CASE_REV_ENC            __HDR_CASE_REVERSED && (__FROM_ENCODED_B64 || __TVD_SPACE_ENCODED )
describe   HDR_CASE_REV_ENC            Malformed (possibly random gibberish) message header + suspicious encoding
score      HDR_CASE_REV_ENC            2.000	# limit

meta       HDR_CASE_REV_HELO_IP        __HDR_CASE_REVERSED && __HELO_MISC_IP
describe   HDR_CASE_REV_HELO_IP        Malformed (possibly random gibberish) message header + IP in HELO
score      HDR_CASE_REV_HELO_IP        2.000	# limit



header     __HAS_CAMPAIGN              exists:X-Campaign 
header     __HAS_CAMPAIGNID            exists:X-Campaignid
header     __HAS_CID                   exists:X-CID
header     __HAS_XM_LID                exists:X-Mailer-LID
header     __HAS_XM_RECPTID            exists:X-Mailer-RecptId
header     __HAS_XM_SID                exists:X-Mailer-SID
header     __HAS_XM_SENTBY             exists:X-Mailer-Sent-By
header     __HAS_DOMAINKEY_SIG         exists:DomainKey-Signature
header     __HAS_PHP_SCRIPT            exists:X-PHP-Script
header     __HAS_PHP_ORIG_SCRIPT       exists:X-PHP-Originating-Script

meta       XM_RECPTID                  __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX 
describe   XM_RECPTID                  Has spammy message header
score      XM_RECPTID                  3.000	# limit

header     __FROM_WORDY                From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
#header     __FROM_WORDY                From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+(?<!Customer\.S(?:ervice|upport))\@/
header     __FROM_WORDY_3              From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/

# __FROM_WORDY S/O now very poor (ham sign? :) ), don't score even with FP avoidance
#meta       __FROM_WORDY_SONLY          __FROM_WORDY && (__XPRIO_MINFP || __TO_NO_BRKTS_MSFT || __FILL_THIS_FORM_SHORT || __HAS_MSMAIL_PRI || DEAR_FRIEND ||  __TO_NO_BRKTS_FROM_MSSP || FREEMAIL_REPLYTO )
#meta       FROM_WORDY                  ((__FROM_WORDY_SONLY && !__DKIM_EXISTS) || __FROM_WORDY_3) && !__HAS_TNEF && !__USING_VERP1 && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__RCD_RDNS_MTA  && !__RCD_RDNS_MX 
#describe   FROM_WORDY                  From address looks like a sentence
#score      FROM_WORDY                  2.500	# limit
#tflags     FROM_WORDY                  publish
#
#meta       FROM_WORDY_SHORT            ((__FROM_WORDY_SONLY || __FROM_WORDY_3) && __HTML_LENGTH_0000_1024) && !__HAS_TNEF && !__USING_VERP1 
#describe   FROM_WORDY_SHORT            From address looks like a sentence + short message
#score      FROM_WORDY_SHORT            2.500	# limit
#tflags     FROM_WORDY_SHORT            publish

meta       PHP_SCRIPT                  __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT 
describe   PHP_SCRIPT                  Sent by PHP script
score      PHP_SCRIPT                  2.500	# limit
tflags     PHP_SCRIPT                  publish

meta       PHP_SCRIPT_MUA              __HAS_PHP_SCRIPT && __PHP_NOVER_MUA 
describe   PHP_SCRIPT_MUA              Sent by PHP script, no version number
score      PHP_SCRIPT_MUA              2.000	# limit
tflags     PHP_SCRIPT_MUA              publish

meta       __PHP_SCRIPT_MIMENEEDED     __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME 

meta       __PHP_ORIG_SCRIPT_SONLY     __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
meta       PHP_ORIG_SCRIPT             __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
describe   PHP_ORIG_SCRIPT             Sent by bot & other signs
score      PHP_ORIG_SCRIPT             2.500	# limit
tflags     PHP_ORIG_SCRIPT             publish

# noted 5/26/2016 on list by RW
# PHP (with mail.add_x_header enabled) names the calling script in this header;
# a script name of "eval()'d code" means mail() was called from eval'd source,
# presumably injected code or a web shell on a compromised site rather than a
# deployed script.  Regex deliberately loose: "eval" ... "code" anywhere in the value.
header     __PHP_ORIG_SCRIPT_EVAL      X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
meta       PHP_ORIG_SCRIPT_EVAL        __PHP_ORIG_SCRIPT_EVAL
describe   PHP_ORIG_SCRIPT_EVAL        From suspicious PHP source
score      PHP_ORIG_SCRIPT_EVAL        3.000	# limit


#header     __FROM_AUTHORITY_COMPANY    From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/i
#meta       __PHP_MALWARE_ATTACH        __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT

meta       __XMSID                     __HAS_XM_SID && !__CTYPE_MULTIPART_MIXED 
meta       __XMSID_SONLY               __HAS_XM_SID && (INVALID_MSGID || __XPRIO || __HAS_X_MAILER)

# A mailto: List-Unsubscribe whose address part ends (at "?", a quote or ">")
# before any "@" appears, i.e. it names no usable mailbox.
header     __UNSUB_MAILTO_BOGUS        List-Unsubscribe =~ /mailto:[^@">]*[?">]/i

meta       __MIMEOLE_DIRECT_TO_MX      __HAS_MIMEOLE && __DOS_DIRECT_TO_MX 
meta       MIMEOLE_DIRECT_TO_MX        __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS 
describe   MIMEOLE_DIRECT_TO_MX        MIMEOLE + direct-to-MX
score      MIMEOLE_DIRECT_TO_MX        2.000	# limit
tflags     MIMEOLE_DIRECT_TO_MX        publish


# suggested 9/2016 by ChipM in personal email
# would be a LOT nicer if rules could use other rules' captures
# terrible S/O
#full       __FROM_FULLN_URL            m;^From:\s+"?([a-z]+)\s([a-z]+)\b.*?https?://[^/]+/\1[_.]\2\b;ism
#meta       FROM_FULLN_URL              __FROM_FULLN_URL && !__THREADED 
#describe   FROM_FULLN_URL              From address full name is in body URL - possible phishing
#score      FROM_FULLN_URL              2.000	# limit

# warning: __SUBJECT_EMPTY is also true if the Subject header is entirely missing...
header     __SUBJECT_EMPTY              Subject:raw =~ /^\s*$/
meta       __SUBJECT_PRESENT_EMPTY      __HAS_SUBJECT && __SUBJECT_EMPTY

body       __BAYES_POISON_NUMS_01       /\s([0-9]{6,})\s(?:.{15,}?\s\1\s){10}/


# A line consisting only of ": SMTPHEADER_REPLYTO#" in the raw body: looks like
# an unexpanded template placeholder that a mass-mailing tool failed to substitute.
rawbody    __SPAMTOOL_GOOF_01           /^: SMTPHEADER_REPLYTO\#$/m


if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __PHOTO_RETOUCHING         /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
  tflags     __PHOTO_RETOUCHING         multiple maxhits=5
  meta       PHOTO_EDITING_FREEM        __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
  describe   PHOTO_EDITING_FREEM        Image editing service, freemail or CHN replyto
  score      PHOTO_EDITING_FREEM        3.750	# limit

  meta       PHOTO_EDITING_DIRECT       (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
  describe   PHOTO_EDITING_DIRECT       Image editing service, direct to MX
  score      PHOTO_EDITING_DIRECT       3.000	# limit
endif

## not performing well in masscheck
#if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
#  body       __GENERATE_LEADS           /\b(?:new (?:customer|client)s|(?:customer|client|business|new) leads|y?our marketing|(?:marketing|ad(?:vertising)) services?)\b/i
#  tflags     __GENERATE_LEADS           multiple maxhits=5
#  meta       __GENERATE_LEADS_1         __GENERATE_LEADS > 1	# for masscheck analysis
#  meta       __GENERATE_LEADS_2         __GENERATE_LEADS > 2	# for masscheck analysis
#  meta       __GENERATE_LEADS_3         __GENERATE_LEADS > 3	# for masscheck analysis
#  meta       __GENERATE_LEADS_4         __GENERATE_LEADS > 4	# for masscheck analysis
#  meta       __GENERATE_LEADS_MINFP     __GENERATE_LEADS && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY
#
#  meta       MARKETING_FREEM            __GENERATE_LEADS_MINFP && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
#  describe   MARKETING_FREEM            Marketing service, freemail or CHN replyto
#  score      MARKETING_FREEM            3.500	# limit
#
#  meta       MARKETING_SHORT            __GENERATE_LEADS_MINFP && __LCL__KAM_BODY_LENGTH_LT_1024
#  describe   MARKETING_SHORT            Marketing service, short message
#  score      MARKETING_SHORT            3.500	# limit
#
#  meta       MARKETING_NO_RDNS          __GENERATE_LEADS_MINFP && __RDNS_NONE
#  describe   MARKETING_NO_RDNS          Marketing service, no RDNS
#  score      MARKETING_NO_RDNS          3.500	# limit
#endif

meta       HDR_ORDER_FTSDMCXX_DIRECT  (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
describe   HDR_ORDER_FTSDMCXX_DIRECT  Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
score      HDR_ORDER_FTSDMCXX_DIRECT  2.000	# limit
tflags     HDR_ORDER_FTSDMCXX_DIRECT  publish

meta       HDR_ORDER_FTSDMCXX_NORDNS  (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
describe   HDR_ORDER_FTSDMCXX_NORDNS  Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
score      HDR_ORDER_FTSDMCXX_NORDNS  3.500	# limit
tflags     HDR_ORDER_FTSDMCXX_NORDNS  publish

# A label followed by the UTF-8 bytes of U+3002 IDEOGRAPHIC FULL STOP
# (\xe3\x80\x82) or U+70B9 "点" (\xe7\x82\xb9) in place of ".", then a common
# TLD with 0-for-o substitutions -- a domain spelled so that it presumably
# does not parse as a URI while still reading as one to a human.
body       __UNICODE_OBFU_URI_DOM     /[0-9a-z]{3,10}(?:\xe3\x80\x82|\xe7\x82\xb9)(?:c[o0]m|net|inf[o0]|biz|cn)\b/i
meta       UNICODE_OBFU_DOM_NO_BODY   __UNICODE_OBFU_URI_DOM && __EMPTY_BODY
score      UNICODE_OBFU_DOM_NO_BODY   3.750	# limit
describe   UNICODE_OBFU_DOM_NO_BODY   Unicode/chinese obfuscated domain + no body

#header     __REPTO_MULTI_ADDR         Reply-To:addr =~ /,/
#meta       MULTI_REPTO_NO_RDNS        __REPTO_MULTI_ADDR && __RDNS_NONE && !__DOS_HAS_LIST_UNSUB 
#score      MULTI_REPTO_NO_RDNS        2.500	# limit
#describe   MULTI_REPTO_NO_RDNS        Multiple Reply-to addresses + no RDNS

#uri        __URI_PHP_LOGIN            /\blogin\.php/i

meta       __FREEM_FRNUM_UNICD_EMPTY  FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY
header     __SUB_END_NUMSCOM          Subject =~ /[0-9]{6,}[-\s]?c[-\s]?[o0][-\s]?m$/i

#meta       FREEM_FRNUM_UNICD_EMPTY    __FREEM_FRNUM_UNICD_EMPTY && !__SUB_END_NUMSCOM
meta       FREEM_FRNUM_UNICD_EMPTY    __FREEM_FRNUM_UNICD_EMPTY
describe   FREEM_FRNUM_UNICD_EMPTY    Numeric freemail From address, unicode From name and Subject, empty body
score      FREEM_FRNUM_UNICD_EMPTY    3.750	# limit
tflags     FREEM_FRNUM_UNICD_EMPTY    publish

#meta       FREEM_FRNUM_EMPTY_NUMSCOM  __FREEM_FRNUM_UNICD_EMPTY && __SUB_END_NUMSCOM
#describe   FREEM_FRNUM_EMPTY_NUMSCOM  Numeric freemail From address, unicode From name and Subject, empty body, obfuscated domain name
#score      FREEM_FRNUM_EMPTY_NUMSCOM  2.500	# limit


# masscheck just doesn't see this one for some reason
#rawbody    __JS_HTML_OBFU_01          /\bdocument\.write\('(?:\\u00[0-9a-f]{2}){30}/i


# very little spam in corpus even though they are bombarding *me* with it
header     __SUBJ_USB_DRIVES          Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
meta       USB_DRIVES                 __SUBJ_USB_DRIVES
describe   USB_DRIVES                 Trying to sell custom USB flash drives
score      USB_DRIVES                 2.000	# limit
tflags     USB_DRIVES                 publish

#header     __SUBJ_YOUR_LOGO           Subject =~ /\b(?:with|having) your logos?\b/i
#header     __SUBJ_CUSTOM_WITH_LOGO    Subject =~ /^(?=.*\bcustom\b).*(?:printed |with )+(?:your )?logos?\b/i

full       __FROM_NAME_IN_MSG         /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
meta       FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS  && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
describe   FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
score      FRNAME_IN_MSG_XPRIO_NO_SUB 2.500	# limit
tflags     FRNAME_IN_MSG_XPRIO_NO_SUB publish

meta       __FRNAME_IN_MSG_XPRIO      (__FROM_NAME_IN_MSG && __XPRIO && !(__SUBJECT_EMPTY || __SUBJ_SHORT))
#describe   FRNAME_IN_MSG_XPRIO        From name in message + X-Priority
#score      FRNAME_IN_MSG_XPRIO        2.500	# limit
#tflags     FRNAME_IN_MSG_XPRIO        publish

meta       __FRNAME_IN_MSG_NO_SUBJ    (__FROM_NAME_IN_MSG && (__SUBJECT_EMPTY || __SUBJ_SHORT) && !__XPRIO)
#describe   FRNAME_IN_MSG_NO_SUBJ      From name in message + short or no subject
#score      FRNAME_IN_MSG_NO_SUBJ      2.500	# limit
#tflags     FRNAME_IN_MSG_NO_SUBJ      publish


rawbody    __HTTP_REFRESH             /<meta\s[^>]{0,200}"refresh"/ism
tflags     __HTTP_REFRESH             publish

meta       RATWARE_NO_RDNS            __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF 
describe   RATWARE_NO_RDNS            Suspicious MsgID and MIME boundary + no rDNS
score      RATWARE_NO_RDNS            3.000	# limit

meta       BAT_BDRY_TO_MALF           __BAT_BOUNDARY && __TO_NO_ARROWS_R 
describe   BAT_BDRY_TO_MALF           Bat boundary + misformatted To: address
score      BAT_BDRY_TO_MALF           2.500	# limit

meta       IMG_ONLY_FM_DOM_INFO       __HTML_IMG_ONLY && __FROM_DOM_INFO
describe   IMG_ONLY_FM_DOM_INFO       HTML image-only message from .info domain
score      IMG_ONLY_FM_DOM_INFO       2.500	# limit
tflags     IMG_ONLY_FM_DOM_INFO       publish

meta       NO_FM_NAME_IP_HOSTN        (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT 
describe   NO_FM_NAME_IP_HOSTN        No From name + hostname using IP address
score      NO_FM_NAME_IP_HOSTN        2.500	# limit
tflags     NO_FM_NAME_IP_HOSTN        publish

header     FROM_NUMERIC_TLD            From:addr =~ /\.\d+$/
describe   FROM_NUMERIC_TLD            From: address has numeric TLD
score      FROM_NUMERIC_TLD            3.000	# limit

header     __RDNS_NUMERIC_TLD          X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/
header     __RDNS_NUMERIC_TLD_NODQ     X-Spam-Relays-External =~ /\srdns=(?!\d+\.\d+\.\d+\.\d+\s)\S+\.\d+\s/

meta       RDNS_NUM_TLD_XM             __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
describe   RDNS_NUM_TLD_XM             Relay rDNS has numeric TLD + suspicious headers
score      RDNS_NUM_TLD_XM             3.000	# limit
tflags     RDNS_NUM_TLD_XM             publish

meta       RDNS_NUM_TLD_ATCHNX         __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
describe   RDNS_NUM_TLD_ATCHNX         Relay rDNS has numeric TLD + suspicious attachment
score      RDNS_NUM_TLD_ATCHNX         3.000	# limit
tflags     RDNS_NUM_TLD_ATCHNX         publish

meta       MALF_HTML_B64               MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG 
describe   MALF_HTML_B64               Malformatted base64-encoded HTML content
score      MALF_HTML_B64               3.500	# limit
tflags     MALF_HTML_B64               publish

meta       TO_NAME_SUBJ_NO_RDNS        LOCALPART_IN_SUBJECT && __RDNS_NONE 
describe   TO_NAME_SUBJ_NO_RDNS        Recipient username in subject + no rDNS
score      TO_NAME_SUBJ_NO_RDNS        3.000	# limit
tflags     TO_NAME_SUBJ_NO_RDNS        publish

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  # more-precise version of __OBFUSCATING_COMMENT_A
  rawbody    __HTML_SHRT_CMNT_OBFU       /\w<!--\s*\w+\s*-->\w/
  tflags     __HTML_SHRT_CMNT_OBFU       multiple maxhits=10
  meta       __HTML_SHRT_CMNT_OBFU_MANY  __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
  meta       HTML_SHRT_CMNT_OBFU_MANY    __HTML_SHRT_CMNT_OBFU_MANY
  describe   HTML_SHRT_CMNT_OBFU_MANY    Obfuscation with many short HTML comments
  score      HTML_SHRT_CMNT_OBFU_MANY    2.500	# limit
  tflags     HTML_SHRT_CMNT_OBFU_MANY    publish
endif

header     __FROM_ADDR_WS              From:addr =~ /\s/
meta       FROM_ADDR_WS                __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL 
describe   FROM_ADDR_WS                Malformed From address
score      FROM_ADDR_WS                3.000	# limit
tflags     FROM_ADDR_WS                publish

header     __XM_MSWINLIVE              X-Mailer =~ /^Microsoft Windows Live Mail \d+\.\d+\.\d+\.\d+/
header     __XM_IPADMAIL               X-Mailer =~ /^iPad Mail \([0-9A-F]{4,8}\)/
header     __XM_IPHONEMAIL             X-Mailer =~ /^iPhone Mail \([0-9A-F]{4,8}\)/

meta       __ANY_EXTERNAL              __FSL_COUNT_EXTERN > 0


if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __GAPPY_SALES_LEADS         /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
  tflags     __GAPPY_SALES_LEADS         multiple maxhits=3
  meta       __GAPPY_SALES_LEADS_MANY    __GAPPY_SALES_LEADS > 2
  meta       GAPPY_SALES_LEADS_FREEM     __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
  describe   GAPPY_SALES_LEADS_FREEM     Obfuscated marketing text, freemail or CHN replyto
  score      GAPPY_SALES_LEADS_FREEM     3.500	# limit
  tflags     GAPPY_SALES_LEADS_FREEM     publish
endif


if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __APP_DEVELOPMENT           /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
  tflags     __APP_DEVELOPMENT           multiple maxhits=6
  meta       __APP_DEVELOPMENT_MANY      __APP_DEVELOPMENT > 5

  meta       APP_DEVELOPMENT_FREEM       __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
  describe   APP_DEVELOPMENT_FREEM       App development pitch, freemail or CHN replyto
  score      APP_DEVELOPMENT_FREEM       3.500	# limit
  tflags     APP_DEVELOPMENT_FREEM       publish

  meta       APP_DEVELOPMENT_NORDNS      __APP_DEVELOPMENT && __RDNS_NONE 
  describe   APP_DEVELOPMENT_NORDNS      App development pitch, no rDNS
  score      APP_DEVELOPMENT_NORDNS      2.000	# limit
  tflags     APP_DEVELOPMENT_NORDNS      publish
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __UNICODE_OBFU_ZW          /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
  tflags     __UNICODE_OBFU_ZW          multiple maxhits=10
  meta       __UNICODE_OBFU_ZW_2        __UNICODE_OBFU_ZW > 1
  meta       __UNICODE_OBFU_ZW_3        __UNICODE_OBFU_ZW > 2
  meta       __UNICODE_OBFU_ZW_5        __UNICODE_OBFU_ZW > 4
  meta       __UNICODE_OBFU_ZW_10       __UNICODE_OBFU_ZW > 9
  meta       UNICODE_OBFU_ZW            __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS 
  describe   UNICODE_OBFU_ZW            Obfuscating text with hidden characters
  score      UNICODE_OBFU_ZW            3.500	# limit
  tflags     UNICODE_OBFU_ZW            publish

  body       __UNICODE_OBFU_ASC         /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
  tflags     __UNICODE_OBFU_ASC         multiple maxhits=10
  meta       __UNICODE_OBFU_ASC_MANY    __UNICODE_OBFU_ASC > 9
  meta       UNICODE_OBFU_ASC           __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
  describe   UNICODE_OBFU_ASC           Obfuscating text with unicode
  score      UNICODE_OBFU_ASC           2.500	# limit
  tflags     UNICODE_OBFU_ASC           publish

  meta       ZW_OBFU_BITCOIN            __UNICODE_OBFU_ZW && __BITCOIN_ID
  describe   ZW_OBFU_BITCOIN            Obfuscated text + bitcoin ID - possible extortion
  score      ZW_OBFU_BITCOIN            2.500	# limit

  meta       ZW_OBFU_FROMTOSUBJ         __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ 
  describe   ZW_OBFU_FROMTOSUBJ         Obfuscated text + from in to and subject
  score      ZW_OBFU_FROMTOSUBJ         2.000	# limit

  meta       ZW_OBFU_FREEM              __UNICODE_OBFU_ZW && __freemail_hdr_replyto 
  describe   ZW_OBFU_FREEM              Obfuscated text + freemail
  score      ZW_OBFU_FREEM              2.000	# limit

  full       __BOGUS_MIME_HDR            /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
  tflags     __BOGUS_MIME_HDR            multiple maxhits=8
  meta       __BOGUS_MIME_HDR_MANY       __BOGUS_MIME_HDR > 7
endif


# HTML entity obfuscation per list discussion 11/2018 (thanks AC and RW)
# Broad non-ASCII didn't pan out
# body       __AC_HTML_ENTITY_BONANZA_BODY    /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i
# rawbody    __AC_HTML_ENTITY_BONANZA_RAW     /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i
# body       __AC_HTML_ENTITY_BONANZA_SHRT_BODY    /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i
rawbody    __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY     /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i
rawbody    __AC_HTML_ENTITY_BONANZA_SHRT_RAW          /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
# meta       __AC_HTML_ENTITY_BONANZA_MINFP   __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY && !__RCD_RDNS_MTA_MESSY && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA 
# runaway backtracking?
#rawbody    __AC_HTML_ENTITY_BONANZA_NEW  /(?:(?:\w|\s|[.,!?:'"()\$]){0,32}(?:&(?:[A-Za-z0-9]{2,64}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s*){1,64}){10}/i

# rawbody    __RW_HTML_ENTITY_ASCII_MANY       /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){20}/i
# meta       __RW_HTML_ENTITY_ASCII_MANY_MINFP     __HTML_ENTITY_ASCII_MANY && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY 

rawbody    __HTML_ENTITY_ASCII         /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
meta       __HTML_ENTITY_ASCII_MINFP   __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML 

meta       HTML_ENTITY_ASCII           __HTML_ENTITY_ASCII_MINFP
describe   HTML_ENTITY_ASCII           Obfuscated ASCII
score      HTML_ENTITY_ASCII           3.000	# limit
tflags     HTML_ENTITY_ASCII           publish

meta       HTML_ENTITY_ASCII_TINY      __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01 
describe   HTML_ENTITY_ASCII_TINY      Obfuscated ASCII + tiny fonts
score      HTML_ENTITY_ASCII_TINY      3.000	# limit
tflags     HTML_ENTITY_ASCII_TINY      publish


rawbody    __HTML_URI_NO_PROTOCOL      /<a\s+href\s*=(?:3d)?\s*"[a-z0-9][-a-z0-9_]{1,64}(?:\.[a-z0-9][-a-z0-9_]{1,64}){1,5}\s*"/i

meta       URI_GIBB_NO_PROTO           __HTML_URI_NO_PROTOCOL && __128_ALNUM_URI 
score      URI_GIBB_NO_PROTO           3.000	# limit
describe   URI_GIBB_NO_PROTO           Long, gibberish, no-protocol URI

# test rules suggested by Amir Caspi
header     __AC_FROM_MANY_DOTS         From =~ /<(?:\w{2,}\.){2,}\w+@/
meta       __AC_FROM_MANY_DOTS_MINFP   __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO 
meta       AC_FROM_MANY_DOTS           __AC_FROM_MANY_DOTS_MINFP
score      AC_FROM_MANY_DOTS           3.000	# limit
describe   AC_FROM_MANY_DOTS           Multiple periods in From user name
tflags     AC_FROM_MANY_DOTS           publish

rawbody    __AC_LARGE_INDENT           /text-indent\s*:\s*[-]?[0-9]{3,}(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i

uri        __AC_POSTHTMLEXTRAS         /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i

uri        __AC_POSTIMGEXTRAS          /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i

meta       __AC_POST_EXTRAS            (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
meta       AC_POST_EXTRAS              __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID 
describe   AC_POST_EXTRAS              Suspicious URL
score      AC_POST_EXTRAS              2.500	# limit
tflags     AC_POST_EXTRAS              publish

rawbody    __AC_TINY_FONT              /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i



uri        __URI_BUFFLY                m,//buff\.ly/,i
meta       URI_BUFFLY                  __URI_BUFFLY && !__DOS_HAS_LIST_UNSUB
describe   URI_BUFFLY                  buff.ly redirector URI
score      URI_BUFFLY                  2.000	# limit

meta       SHORTENER_SHORT_IMG         __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
describe   SHORTENER_SHORT_IMG         Short HTML + image + URL shortener
score      SHORTENER_SHORT_IMG         2.500	# limit
tflags     SHORTENER_SHORT_IMG         publish

header     __DATA_ENTRY_SERVICE        Subject =~ /\bdata entry services?\b/i
meta       FREEM_DATA_ENTRY            __DATA_ENTRY_SERVICE && __freemail_hdr_replyto
describe   FREEM_DATA_ENTRY            Data entry services too cheap to buy a real domain
score      FREEM_DATA_ENTRY            2.500	# limit



header     __HDR_RCVD_EBAY             X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
uri        __URI_IMG_EBAY              m,://[^/?]+\.ebayimg\.com/,i

meta       __EBAY_IMG_NOT_RCVD_EBAY    __URI_IMG_EBAY && !__HDR_RCVD_EBAY
meta       EBAY_IMG_NOT_RCVD_EBAY      __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
score      EBAY_IMG_NOT_RCVD_EBAY      3.000	# limit
describe   EBAY_IMG_NOT_RCVD_EBAY      E-bay hosted image but message not from E-bay
tflags     EBAY_IMG_NOT_RCVD_EBAY      publish

header     __HDR_RCVD_AMAZON           X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
uri        __URI_IMG_AMAZON            m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i

# price-alert site that leverages Amazon; excluded from the rule below to avoid FPs
header     __HDR_RCVD_KEEPA            X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/

meta       __AMAZON_IMG_NOT_RCVD_AMZN  __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON
meta       AMAZON_IMG_NOT_RCVD_AMZN    __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST
score      AMAZON_IMG_NOT_RCVD_AMZN    2.500	# limit
describe   AMAZON_IMG_NOT_RCVD_AMZN    Amazon hosted image but message not from Amazon
tflags     AMAZON_IMG_NOT_RCVD_AMZN    publish

header     __HDR_RCVD_ALIBABA          X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
uri        __URI_IMG_ALICDN            m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i

meta       __ALIBABA_IMG_NOT_RCVD_ALI  __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA
meta       ALIBABA_IMG_NOT_RCVD_ALI    __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE 
score      ALIBABA_IMG_NOT_RCVD_ALI    2.500	# limit
describe   ALIBABA_IMG_NOT_RCVD_ALI    Alibaba hosted image but message not from Alibaba
tflags     ALIBABA_IMG_NOT_RCVD_ALI    publish

header     __HDR_RCVD_WALMART          X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
uri        __URI_IMG_WALMART           m,://[^/?]+\.walmartimages\.com/,i

meta       __WALMART_IMG_NOT_RCVD_WAL  __URI_IMG_WALMART && !__HDR_RCVD_WALMART
meta       WALMART_IMG_NOT_RCVD_WAL    __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
score      WALMART_IMG_NOT_RCVD_WAL    2.500	# limit
describe   WALMART_IMG_NOT_RCVD_WAL    Walmart hosted image but message not from Walmart
tflags     WALMART_IMG_NOT_RCVD_WAL    publish

header     __HDR_RCVD_NEWEGG           X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/
uri        __URI_IMG_NEWEGG            m,://[^/?]+\.neweggimages\.com/,i

meta       __NEWEGG_IMG_NOT_RCVD_NEGG  __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
meta       NEWEGG_IMG_NOT_RCVD_NEGG    __NEWEGG_IMG_NOT_RCVD_NEGG
score      NEWEGG_IMG_NOT_RCVD_NEGG    2.500	# limit
describe   NEWEGG_IMG_NOT_RCVD_NEGG    Newegg hosted image but message not from Newegg
tflags     NEWEGG_IMG_NOT_RCVD_NEGG    publish

header     __HDR_RCVD_SHOPIFY          X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/
uri        __URI_IMG_SHOPIFY           m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i

meta       __SHOPIFY_IMG_NOT_RCVD_SFY  __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY
meta       SHOPIFY_IMG_NOT_RCVD_SFY    __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK 
score      SHOPIFY_IMG_NOT_RCVD_SFY    2.500	# limit
describe   SHOPIFY_IMG_NOT_RCVD_SFY    Shopify hosted image but message not from Shopify
tflags     SHOPIFY_IMG_NOT_RCVD_SFY    publish

uri        __URI_IMG_YTIMG             m,://[^/?]+\.ytimg\.com/,i
uri        __URI_IMG_JOOMCDN           m,://img\.joomcdn\.net/,i
uri        __URI_IMG_WISH              m,://contestimg\.wish\.com/,i
uri        __URI_IMG_STATICBG          m,://imgaz\.staticbg\.com/images/,i


meta       __HOSTED_IMG_DQ_UNSUB       __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG )
meta       HOSTED_IMG_DQ_UNSUB         __HOSTED_IMG_DQ_UNSUB
score      HOSTED_IMG_DQ_UNSUB         3.500	# limit
describe   HOSTED_IMG_DQ_UNSUB         Image hosted at large ecomm site, IP addr unsub link
tflags     HOSTED_IMG_DQ_UNSUB         publish

meta       __HOSTED_IMG_DIRECT_MX      __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN  || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG )
meta       HOSTED_IMG_DIRECT_MX        __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS 
score      HOSTED_IMG_DIRECT_MX        3.500	# limit
describe   HOSTED_IMG_DIRECT_MX        Image hosted at large ecomm site, message direct-to-mx
tflags     HOSTED_IMG_DIRECT_MX        publish

meta       __HOSTED_IMG_FREEM          ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG ) 
meta       HOSTED_IMG_FREEM            __HOSTED_IMG_FREEM && !__THREADED 
score      HOSTED_IMG_FREEM            3.500	# limit
describe   HOSTED_IMG_FREEM            Image hosted at large ecomm site or redirected, freemail from or reply-to
tflags     HOSTED_IMG_FREEM            publish

meta       __HOSTED_IMG_MULTI          ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG ) > 1
meta       HOSTED_IMG_MULTI            __HOSTED_IMG_MULTI && !__DKIM_EXISTS 
score      HOSTED_IMG_MULTI            3.000	# limit
describe   HOSTED_IMG_MULTI            Multiple images hosted at different large ecomm sites or redirected
tflags     HOSTED_IMG_MULTI            publish


# WordPress "image accelerator" - abused for obfuscating hosted spamvertised product images
uri        __URI_IMG_WP_REDIR          m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
meta       URI_IMG_WP_REDIR            __URI_IMG_WP_REDIR
score      URI_IMG_WP_REDIR            3.000	# limit
describe   URI_IMG_WP_REDIR            Image via WordPress "accelerator" proxy
tflags     URI_IMG_WP_REDIR            publish

#header     __BOGUS_MIME_VER_01         MIME-Version =~ /^(?!\s*1\.0).+/
header     __BOGUS_MIME_VER_02         MIME-Version =~ /^(?!.*\b1\.0\b).+/
header     __MALF_MIME_VER             MIME-Version =~ /^1\.0\S/
meta       BOGUS_MIME_VERSION          __BOGUS_MIME_VER_02 || __MALF_MIME_VER
score      BOGUS_MIME_VERSION          3.500	# limit
describe   BOGUS_MIME_VERSION          Mime version header is bogus
tflags     BOGUS_MIME_VERSION          publish


header     __VERBOSE_MIME_VER          MIME-Version =~ /^1\.0\s+\(\S[^)]*\)/


# also hits NORMAL_HTTP_TO_IP but should be punished harder
uri        __URI_HEX_IP                m;://0x[0-9A-F]{8,}[:/];i
meta       URI_HEX_IP                  __URI_HEX_IP
score      URI_HEX_IP                  2.500	# limit
describe   URI_HEX_IP                  URI with hex-encoded IP-address host
tflags     URI_HEX_IP                  publish

uri        __URI_PHP_REDIR             m;/redirect\.php\?;i
meta       URI_PHP_REDIR               __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA 
score      URI_PHP_REDIR               3.500	# limit
describe   URI_PHP_REDIR               PHP redirect to different URL (link obfuscation)
tflags     URI_PHP_REDIR               publish


if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __DAY_I_EARNED            /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
  tflags     __DAY_I_EARNED            multiple maxhits=4
  #meta       __DAY_I_EARNED_1          __DAY_I_EARNED >= 1
  #meta       __DAY_I_EARNED_2          __DAY_I_EARNED >= 2
  #meta       __DAY_I_EARNED_3          __DAY_I_EARNED >= 3
  meta       DAY_I_EARNED              __DAY_I_EARNED >= 3
  score      DAY_I_EARNED              3.000	# limit
  describe   DAY_I_EARNED              Work-at-home spam
  tflags     DAY_I_EARNED              publish
endif


# test rule suggested by list discussion
meta       __NORDNS_SPOOFED            __RDNS_NONE && !__NOT_SPOOFED



# potential bitcoin extortion obfuscation
body       __PASSWORD                  /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
meta       __UNAME_PASSWD_PDF          ( __PASSWORD || __YOUR_PASSWORD ) && LOCALPART_IN_SUBJECT && __PDF_ATTACH


# .gov and .edu URIs appearing in spam; possibly attempts to leverage whitelisting?
uri        __URI_DOTGOV                m;^https?://(?:[^./]+\.)+gov/;i
uri        __URI_DOTEDU                m;^https?://(?:[^./]+\.)+edu/;i
header     __RCVD_DOTGOV_EXT           X-Spam-Relays-External =~ /\.gov\s/i
header     __RCVD_DOTEDU_EXT           X-Spam-Relays-External =~ /\.edu\s/i

meta       __DOTGOV_FREEMAIL           __URI_DOTGOV && __freemail_hdr_replyto
#meta       __DOTGOV_MONEY              __URI_DOTGOV && ( __XFER_MONEY || __MONEY_FRAUD || __YOUR_FUND || __BENEFICIARY || __COMPENSATION || __LOTSA_MONEY_01 || __LOTSA_MONEY_04 )
meta       __DOTGOV_MONEY              __URI_DOTGOV && ( __YOUR_FUND )

meta       __DOTGOV_IMAGE              __URI_DOTGOV && __REMOTE_IMAGE 
meta       DOTGOV_IMAGE                __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS 
describe   DOTGOV_IMAGE                .gov URI + hosted image
score      DOTGOV_IMAGE                3.000	# limit
tflags     DOTGOV_IMAGE                publish

meta       __DOTGOV_NXDKIM             __URI_DOTGOV && DKIM_ADSP_NXDOMAIN 
tflags     __DOTGOV_NXDKIM             net

meta       URI_DOTEDU                  __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK 
describe   URI_DOTEDU                  Has .edu URI
score      URI_DOTEDU                  2.000	# limit
tflags     URI_DOTEDU                  publish

meta       __URI_DOTEDU_LONG           __URI_DOTEDU && __LONGLINE 
meta       URI_DOTEDU_LONG             __URI_DOTEDU_LONG && !ALL_TRUSTED && !__RDNS_LONG && !__DOS_RELAYED_EXT && !__URI_MAILTO && !__CTE 
describe   URI_DOTEDU_LONG             Has .edu URI + excessively long line
score      URI_DOTEDU_LONG             3.000	# limit

meta       __URI_DOTEDU_ENTITY         __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW 
meta       URI_DOTEDU_ENTITY           __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO 
describe   URI_DOTEDU_ENTITY           Via .edu MTA + suspicious HTML content
score      URI_DOTEDU_ENTITY           3.000	# limit
tflags     URI_DOTEDU_ENTITY           publish

meta       __RCVD_DOTEDU_SUSP_URI      __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
meta       RCVD_DOTEDU_SUSP_URI        __RCVD_DOTEDU_SUSP_URI
describe   RCVD_DOTEDU_SUSP_URI        Via .edu MTA + suspicious URI
score      RCVD_DOTEDU_SUSP_URI        3.000	# limit
tflags     RCVD_DOTEDU_SUSP_URI        publish

meta       __RCVD_DOTEDU_SHORT         __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
meta       RCVD_DOTEDU_SHORT           __RCVD_DOTEDU_SHORT && !__FS_SUBJ_RE && !__HAS_LIST_ID 
describe   RCVD_DOTEDU_SHORT           Via .edu MTA + short message
score      RCVD_DOTEDU_SHORT           2.500	# limit
tflags     RCVD_DOTEDU_SHORT           publish

meta       __RCVD_DOTEDU_SUSP          __RCVD_DOTEDU_EXT && ( MIME_QP_LONG_LINE || __TVD_SPACE_RATIO || __FROM_RUNON || __USING_VERP1 )
meta       RCVD_DOTEDU_SUSP            __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF 
describe   RCVD_DOTEDU_SUSP            Via .edu MTA + suspicious content
score      RCVD_DOTEDU_SUSP            2.000	# limit


# bitcoin work-at-home spams 04/2020
body       __PERFECT_BINARY            /\bperfect binary option\b/i
body       __WE_PAID                   /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
body       __MAKE_XTRA_DOLLAR          /\bmake an extra dollar\b/i
body       __BONUS_LAST_DAY            /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
body       __PASSIVE_INCOME            /\bpassive income\b/i
body       __WITHOUT_EFFORT            /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
body       __TRANSFORM_LIFE            /\b(transform|change) your (?:daily )?life(?:style)?\b/i
body       __STAY_HOME                 /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
body       __RECEIVE_BONUS             /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i

meta       TRANSFORM_LIFE              __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML 
describe   TRANSFORM_LIFE              Transform your life!
score      TRANSFORM_LIFE              2.500	# limit


meta       __WFH_01                    ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2

meta       __BITCOIN_WFH_01            __BITCOIN && __WFH_01
meta       BITCOIN_WFH_01              __BITCOIN_WFH_01
describe   BITCOIN_WFH_01              Work-from-Home + bitcoin
tflags     BITCOIN_WFH_01              publish

meta       __TO_TOO_MANY_WFH_01        __TO_WAY_TOO_MANY && __WFH_01
meta       TO_TOO_MANY_WFH_01          __TO_TOO_MANY_WFH_01
describe   TO_TOO_MANY_WFH_01          Work-from-Home + many recipients
tflags     TO_TOO_MANY_WFH_01          publish

meta       __FREEMAIL_WFH_01           (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
meta       FREEMAIL_WFH_01             __FREEMAIL_WFH_01
describe   FREEMAIL_WFH_01             Work-from-Home + freemail
tflags     FREEMAIL_WFH_01             publish


body       __4BYTE_UTF8_WORD           /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
tflags     __4BYTE_UTF8_WORD           multiple maxhits=10
meta       __4BYTE_UTF8_WORD_3         __4BYTE_UTF8_WORD > 3
meta       __4BYTE_UTF8_WORD_5         __4BYTE_UTF8_WORD > 5
meta       __4BYTE_UTF8_WORD_9         __4BYTE_UTF8_WORD > 9
meta       SUSP_UTF8_WORD_MANY         __4BYTE_UTF8_WORD_9
describe   SUSP_UTF8_WORD_MANY         Many words using only suspicious UTF-8 characters
score      SUSP_UTF8_WORD_MANY         3.000	# limit

meta       SUSP_UTF8_WORD_COMBO        __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 ||  __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY )
describe   SUSP_UTF8_WORD_COMBO        Words using only suspicious UTF-8 characters + other signs
score      SUSP_UTF8_WORD_COMBO        3.000	# limit

header     __4BYTE_UTF8_WORD_SUBJ      Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
meta       SUSP_UTF8_WORD_SUBJ         __4BYTE_UTF8_WORD_SUBJ
describe   SUSP_UTF8_WORD_SUBJ         Word in Subject using only suspicious UTF-8 characters
score      SUSP_UTF8_WORD_SUBJ         2.000	# limit

header     __4BYTE_UTF8_WORD_FROM      From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
meta       SUSP_UTF8_WORD_FROM         __4BYTE_UTF8_WORD_FROM
describe   SUSP_UTF8_WORD_FROM         Word in From name using only suspicious UTF-8 characters
score      SUSP_UTF8_WORD_FROM         2.000	# limit

# observed by AC
rawbody    __HTML_EMPTY_CELLS          /<td>(?:<\/td><td>){5,}/i
tflags     __HTML_EMPTY_CELLS          multiple maxhits=3
meta       __HTML_EMPTY_CELLS_MANY     __HTML_EMPTY_CELLS > 2
meta       HTML_EMPTY_CELLS_MANY       __HTML_EMPTY_CELLS_MANY
describe   HTML_EMPTY_CELLS_MANY       HTML table with lots of empty cells
score      HTML_EMPTY_CELLS_MANY       1.500	# limit


uri        __SENDGRID_REDIR            m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
meta       __SENDGRID_REDIR_NOPHISH    __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
meta       SENDGRID_REDIR              __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS 
describe   SENDGRID_REDIR              Redirect URI via Sendgrid
score      SENDGRID_REDIR              1.500	# limit
tflags     SENDGRID_REDIR              publish

meta       __SENDGRID_REDIR_PHISH      __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
meta       SENDGRID_REDIR_PHISH        __SENDGRID_REDIR_PHISH
describe   SENDGRID_REDIR_PHISH        Redirect URI via Sendgrid + phishing signs
score      SENDGRID_REDIR_PHISH        3.500	# limit
tflags     SENDGRID_REDIR_PHISH        publish

meta       __MSGID_DOLLARS_URI_IMG     __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
meta       MSGID_DOLLARS_URI_IMG       __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW 
describe   MSGID_DOLLARS_URI_IMG       Suspicious Message-ID and image
score      MSGID_DOLLARS_URI_IMG       3.000	# limit
tflags     MSGID_DOLLARS_URI_IMG       publish

uri        __URI_DASHGOVEDU            m,://[^/]*-(?:gov|edu)\.com/,i
meta       URI_DASHGOVEDU              __URI_DASHGOVEDU
describe   URI_DASHGOVEDU              Suspicious domain name
score      URI_DASHGOVEDU              3.500	# limit
tflags     URI_DASHGOVEDU              publish

# all have good S/O, but the messages they hit are already scored very highly
#meta       __NOINR_MSOE_FORG           __NO_INR_YES_REF && __MSOE_MID_WRONG_CASE 
#meta       __NOINR_MONEY               __NO_INR_YES_REF && __LOTSA_MONEY_01 
#meta       __NOINR_FRAUD               __NO_INR_YES_REF && (__AFRICAN_STATE || __BENEFICIARY || __COMPENSATION || __FILL_THIS_FORM_PARTIAL || __LOTTO_DEPT || __WIRE_XFR || __TRANSFORM_LIFE )

# Apparent use of content hosted at storage.googleapis.com
# (mapped images and HTML landing pages for the imagemap URIs)
# to avoid URIBL hits
uri        __URI_GOOG_STO_IMG         m,^https?://storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
tflags     __URI_GOOG_STO_IMG         multiple maxhits=5

uri        __URI_GOOG_STO_HTML        m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
tflags     __URI_GOOG_STO_HTML        multiple maxhits=5

meta       __GOOG_STO_IMG_NOHTML      __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
meta       __GOOG_STO_NOIMG_HTML      !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML

meta       __GOOG_STO_IMG_HTML_2      __URI_GOOG_STO_IMG && (__URI_GOOG_STO_HTML > 1)
meta       __GOOG_STO_IMG_HTML_1      __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML

meta       GOOG_STO_IMG_HTML          __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
describe   GOOG_STO_IMG_HTML          Apparently using google content hosting to avoid URIBL
score      GOOG_STO_IMG_HTML          3.000	# limit
tflags     GOOG_STO_IMG_HTML          publish

meta       GOOG_STO_NOIMG_HTML        __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
describe   GOOG_STO_NOIMG_HTML        Apparently using google content hosting to avoid URIBL
score      GOOG_STO_NOIMG_HTML        3.000	# limit
tflags     GOOG_STO_NOIMG_HTML        publish

# S/O not great, try salvage what's possible
meta       GOOG_STO_IMG_NOHTML        __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
describe   GOOG_STO_IMG_NOHTML        Apparently using google content hosting to avoid URIBL
score      GOOG_STO_IMG_NOHTML        2.500	# limit
tflags     GOOG_STO_IMG_NOHTML        publish

meta        __GOOG_STO_HTML_PHISH     __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
meta        GOOG_STO_HTML_PHISH       __GOOG_STO_HTML_PHISH
describe    GOOG_STO_HTML_PHISH       Possible phishing with google content hosting to avoid URIBL
score       GOOG_STO_HTML_PHISH       3.00	# limit
tflags      GOOG_STO_HTML_PHISH       publish

meta        GOOG_STO_HTML_PHISH_MANY  __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe    GOOG_STO_HTML_PHISH_MANY  Phishing with google content hosting to avoid URIBL
score       GOOG_STO_HTML_PHISH_MANY  4.00	# limit
tflags      GOOG_STO_HTML_PHISH_MANY  publish


# download-a-file pitch, malware? 11/2020
#header     CRAIGSLIST_DATING          Subject =~ /Sexy \w+ From Craigs?list/i
#describe   CRAIGSLIST_DATING          Possible malware
#score      CRAIGSLIST_DATING          4.000	# limit

uri        __URI_PVT_SHAREPOINT       m,^https?://(?!www\.)(?!static\d+\.)(?:[^/.]+\.)+sharepoint\.com/,i

# suspicious HTML observed in the wild
# Rotten S/O. Why do this in ham?
#rawbody    __QUOTQUOTQUOT             /(?:&quot;){5,}/
#tflags     __QUOTQUOTQUOT             multiple maxhits=16
#meta       __QUOTQUOTQUOT_MANY        __QUOTQUOTQUOT > 15


# Abysmal S/O. Why do this in ham?
#body        __OBFU_SHY                 /\b(?:[a-z]{1,3}[\xc2][\xad][a-z]{1,2}|\w+(?:[\xc2][\xad]\w+){2,6})\b(?![\xc2])/i
#tflags      __OBFU_SHY                 multiple maxhits=11
#meta        __OBFU_SHY_MANY            __OBFU_SHY > 10

# For masscheck eval, by request
header      __LW_TEST_01               From:addr =~ /^store-news\@amazon\.com$/
header      __LW_TEST_02               From:addr =~ /^newsletters\@hohiko\.co\.uk$/
header      __LW_TEST_03               From:addr =~ /\@hohiko\.co\.uk$/

header      __HDR_RCVD_TONLINEDE       X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/

meta        TONLINE_FAKE_DKIM          __HDR_RCVD_TONLINEDE && __DKIM_EXISTS 
describe    TONLINE_FAKE_DKIM          t-online.de doesn't do DKIM
score       TONLINE_FAKE_DKIM          3.000	# limit
tflags      TONLINE_FAKE_DKIM          publish


header      __MSMAIL_PRI_NORMAL        X-MSMail-Priority =~ /^normal$/i
header      __MSMAIL_PRI_HIGH          X-MSMail-Priority =~ /^(?:high|urgent)$/i
header      __MSMAIL_PRI_LOW           X-MSMail-Priority =~ /^(?:low|non-urgent)$/i
meta        __MSMAIL_PRI_ABNORMAL      __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL

# This is counterintuitive - exclude __MSMAIL_PRI_HIGH ?
# It seems that 99% of the spam using X-MSMail-Priority other than "normal" is using *invalid values*
# score "high" separately if justified
meta        MSMAIL_PRI_ABNORMAL        __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX  && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH 
describe    MSMAIL_PRI_ABNORMAL        Email priority often abused
score       MSMAIL_PRI_ABNORMAL        1.500	# limit

#meta        MSMAIL_PRI_HIGH            __MSMAIL_PRI_HIGH && !ALL_TRUSTED && !__FROM_LOWER && !__RDNS_SHORT 
#describe    MSMAIL_PRI_HIGH            Email priority often abused
#score       MSMAIL_PRI_HIGH            1.500	# limit


# Phishing? 11/2020
full        __TO_ADDR_BODY_DOC         /^To:\s+(?:"[^"\n]{0,80}"\s*)?<?([^@\s]{1,40})@([^\s>]{1,40})>?\s(?=.{1,2048}\b\1(?:@\2)?\s+(?:sharepoint|document))/ism


body        __BODY_HAS_ISBN            /(?:^|[^-\d])97[89]-\d(?:(?!--)[-\d]){10,14}(?:$|[^-\d])/

header      __REPLYTO_NOREPLY          Reply-To =~ /\bno-?reply@/i
#meta        __REPLYTO_NOREPLY_SUSP     __REPLYTO_NOREPLY && (__HAS_DOMAINKEY_SIG || FORGED_RELAY_MUA_TO_MX || __MSGID_NOFQDN2 || __URI_DBL_SUBDOM)

# S/O good but bulk already scoring >6 points
body        __ORDER_TODAY              /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i
#tflags      __ORDER_TODAY              multiple maxhits=4
#meta        __ORDER_TODAY_2            __ORDER_TODAY > 1
#meta        __ORDER_TODAY_3            __ORDER_TODAY > 2
#meta        __ORDER_TODAY_4            __ORDER_TODAY > 3
#meta        __ORDER_TODAY_IMG          __ORDER_TODAY && __HTML_IMG_ONLY 
#meta        __ORDER_TODAY_ALI          __ORDER_TODAY && __ALIBABA_IMG_NOT_RCVD_ALI 
meta        ORDER_TODAY                __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML)
describe    ORDER_TODAY                Get your order in now!
score       ORDER_TODAY                2.500	# limit


meta        __SHORTENER_SHORT_SUBJ     __URL_SHORTENER && __SUBJ_SHORT 
meta        SHORTENER_SHORT_SUBJ       __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO 
describe    SHORTENER_SHORT_SUBJ       URL shortener (avoiding URIBL?) + short subject
score       SHORTENER_SHORT_SUBJ       3.000	# limit

#meta        __URL_SHORTENER_MINFP      __URL_SHORTENER && !__URI_DOTGOV && __HAS_ERRORS_TO && !__URI_DBL_DOM 

uri         __URI_DOTTY_HEX            /(?:\.[0-9a-f]{2}){30}/
meta        URI_DOTTY_HEX              __URI_DOTTY_HEX
describe    URI_DOTTY_HEX              Suspicious URI format
tflags      URI_DOTTY_HEX              publish


uri         __URI_MYSP_AC              m;://mysp\.ac/;i
meta        URI_MYSP_AC                __URI_MYSP_AC
describe    URI_MYSP_AC                Uses unusual redirector to avoid URIBL


# evaluate different options before finalizing
header     __ENVFROM_GOOG_TRIX         EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
meta       __ENVFROM_GOOG_TRIX_SPAMMY  __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
meta       ENVFROM_GOOG_TRIX           __ENVFROM_GOOG_TRIX_SPAMMY
describe   ENVFROM_GOOG_TRIX           From suspicious Google subdomain
score      ENVFROM_GOOG_TRIX           3.000	# limit
tflags     ENVFROM_GOOG_TRIX           publish

header     __ENVFROM_AMAZONSES         EnvelopeFrom =~ /\@amazonses\.com$/

# evaluate before altering __FSL_ENVFROM_*
header   __JH_ENVFROM_GOOGLE   EnvelopeFrom =~ /\@g(?:mail|oogle)\.com$/i
header   __JH_ENVFROM_YAHOO    EnvelopeFrom =~ /\@yahoo(?:groups)?\./i
header   __JH_ENVFROM_YMAIL    EnvelopeFrom =~ /\@ymail\.com$/i
header   __JH_ENVFROM_ROCKET   EnvelopeFrom =~ /\@rocketmail\.com$/i
header   __JH_ENVFROM_HOTMAIL  EnvelopeFrom =~ /\@hotmail\./i
header   __JH_ENVFROM_LIVE     EnvelopeFrom =~ /\@live\./i
header   __JH_ENVFROM_AOL      EnvelopeFrom =~ /\@aol\./i




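# observed in Netflix phish 12/2020
# Pattern must start with "://" (the previous "::/" required two colons before
# the slash, which no http(s) URI contains, so the rule could never fire).
uri        URI_FREELOGO                m;://www\.freepnglogos\.com/uploads;i
describe   URI_FREELOGO                Free logo image, possible phishing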

# observed in tons of spam 12/2020
rawbody    JH_SPAMMY_PATTERN01         m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism
describe   JH_SPAMMY_PATTERN01         Unusual pattern seen in spam campaign
score      JH_SPAMMY_PATTERN01         3.000	# limit
tflags     JH_SPAMMY_PATTERN01         publish

rawbody    JH_SPAMMY_PATTERN02         m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism
describe   JH_SPAMMY_PATTERN02         Unusual pattern seen in spam campaign
score      JH_SPAMMY_PATTERN02         3.000	# limit
tflags     JH_SPAMMY_PATTERN02         publish

# observed in tons of spam 12/2020 - already scores high without this
rawbody    __MIXED_FONT_CASE           /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
meta       MIXED_FONT_CASE             __MIXED_FONT_CASE
describe   MIXED_FONT_CASE             Has font tag in mixed case
score      MIXED_FONT_CASE             2.500	 # limit
tflags     MIXED_FONT_CASE             publish

rawbody    __MIXED_CENTER_CASE         /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/
meta       MIXED_CENTER_CASE           __MIXED_CENTER_CASE
describe   MIXED_CENTER_CASE           Has center tag in mixed case
score      MIXED_CENTER_CASE           2.500	 # limit
tflags     MIXED_CENTER_CASE           publish

rawbody    __MIXED_AREA_CASE           /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/
meta       MIXED_AREA_CASE             __MIXED_AREA_CASE
describe   MIXED_AREA_CASE             Has area tag in mixed case
score      MIXED_AREA_CASE             2.500	 # limit
tflags     MIXED_AREA_CASE             publish

# BC's similar mixed-case rules use more-indirect logic and have a poorer S/O
rawbody    __MIXED_IMG_CASE_JH         /<(?!IMG|img)[Ii][Mm][Gg]\s/
meta       MIXED_IMG_CASE              __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL 
describe   MIXED_IMG_CASE              Has img tag in mixed case
score      MIXED_IMG_CASE              3.000	 # limit
tflags     MIXED_IMG_CASE              publish

rawbody    __MIXED_HREF_CASE_JH        /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/
meta       MIXED_HREF_CASE             __MIXED_HREF_CASE_JH
describe   MIXED_HREF_CASE             Has href in mixed case
score      MIXED_HREF_CASE             2.000	 # limit
tflags     MIXED_HREF_CASE             publish

meta       __LOTSA_MIXED_CASE_TAGS     (__MIXED_FONT_CASE + __MIXED_CENTER_CASE + __MIXED_AREA_CASE + __MIXED_IMG_CASE_JH + __MIXED_HREF_CASE_JH) > 1

# phishing content for now, may go primarily legit at some point
uri        __URI_FIREBASEAPP           m,://[^./]+\.firebaseapp\.com/,
uri        __URI_WEBAPP                m,://[^./]+\.web\.app/,
meta       URI_FIREBASEAPP             __URI_FIREBASEAPP || __URI_WEBAPP
describe   URI_FIREBASEAPP             Link to hosted firebase web application, possible phishing
score      URI_FIREBASEAPP             3.000	# limit
tflags     URI_FIREBASEAPP             publish

uri        __URI_AZURE_CLOUDAPP        m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
meta       URI_AZURE_CLOUDAPP          __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
describe   URI_AZURE_CLOUDAPP          Link to hosted azure web application, possible phishing
score      URI_AZURE_CLOUDAPP          3.000	# limit
tflags     URI_AZURE_CLOUDAPP          publish

uri        __URI_ADOBESPARK            m,https?://branchlink\.adobespark\.com/,i
meta       URI_ADOBESPARK              __URI_ADOBESPARK
score      URI_ADOBESPARK              3.500	# limit
tflags     URI_ADOBESPARK              publish


# seen in a few spams
body       __BTC_MLM                   /Block[-\s]?chain network marketing/i

# phishing
meta       __PHISH_FBASE_01            (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
meta       PHISH_FBASEAPP              __PHISH_FBASE_01
describe   PHISH_FBASEAPP              Probable phishing via hosted web app
score      PHISH_FBASEAPP              3.000	# limit
tflags     PHISH_FBASEAPP              publish

meta       __UNDISC_MONEY              __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
meta       UNDISC_MONEY                __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
describe   UNDISC_MONEY                Undisclosed recipients + money/fraud signs
tflags     UNDISC_MONEY                publish

meta       __UNDISC_FREEM              __TO_UNDISCLOSED && __freemail_replyto 
meta       UNDISC_FREEM                __UNDISC_FREEM
describe   UNDISC_FREEM                Undisclosed recipients + freemail reply-to
tflags     UNDISC_FREEM                publish

header     __REPTO_LONG                Reply-To:addr =~ /[a-z]{25,}\d*@/i
header     __REPTO_MISSPACED           ALL:raw =~ /^Reply-To:\S/ism

# content+respond+unsub texts as free hosted images
# spammer response: now only two hosted images
uri        __IMGUR_IMG                 m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
tflags     __IMGUR_IMG                 multiple maxhits=4
meta       __IMGUR_IMG_2               __IMGUR_IMG == 2
meta       __IMGUR_IMG_3               __IMGUR_IMG == 3
meta       HOSTED_IMG_MULTI_PUB_01     (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF 
describe   HOSTED_IMG_MULTI_PUB_01     Multiple hosted images at public site
score      HOSTED_IMG_MULTI_PUB_01     3.000	# limit
tflags     HOSTED_IMG_MULTI_PUB_01     publish

meta       __BITCOIN_IMGUR             __IMGUR_IMG && __BITCOIN 
meta       BITCOIN_IMGUR               __BITCOIN_IMGUR
describe   BITCOIN_IMGUR               Bitcoin + hosted image
score      BITCOIN_IMGUR               3.500	# limit
tflags     BITCOIN_IMGUR               publish

meta       __DYNAMIC_IMGUR             __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR 
meta       DYNAMIC_IMGUR               __DYNAMIC_IMGUR
describe   DYNAMIC_IMGUR               dynamic IP + hosted image
score      DYNAMIC_IMGUR               4.000	# limit
tflags     DYNAMIC_IMGUR               publish

body       __OBFU_UNSUB_UL             /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/
meta       OBFU_UNSUB_UL               __OBFU_UNSUB_UL && !MAILING_LIST_MULTI 
describe   OBFU_UNSUB_UL               Obfuscated unsubscribe text
tflags     OBFU_UNSUB_UL               publish

header     __HAS_X_GOOGLE_DKIM_SIG     exists:X-Google-DKIM-Signature
header     __HAS_X_SENDER              exists:X-Sender
header     __HAS_X_CONTACTID           exists:X-ContactID
header     __HAS_X_LETTER              exists:X-Letter
header     __HAS_X_PROCINFO            exists:X-ProcInfo
header     __HAS_X_MAILGUN_SID         exists:X-Mailgun-Sid
header     __HAS_X_MAILGUN_TRACK_OPN   exists:X-Mailgun-Track-Opens
header     __HAS_X_EBSERVER            exists:X-EBSERVER
header     __HAS_X_SOURCE_DIR          exists:X-Source-Dir
header     __HAS_X_OUTGOING_SPAM_STAT  exists:X-OutGoing-Spam-Status
header     __HAS_X_ENTITY_ID           exists:X-Entity-ID
header     __HAS_HEADER_STARTS_NUM     ALL =~ /^\d[-a-z0-9]*:/ism

meta       HAS_X_OUTGOING_SPAM_STAT    __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD 
describe   HAS_X_OUTGOING_SPAM_STAT    Has header claiming outbound spam scan - why trust the results?
score      HAS_X_OUTGOING_SPAM_STAT    3.000	# limit
tflags     HAS_X_OUTGOING_SPAM_STAT    publish

# note: *NOT* "Message-ID" !
header     __HAS_MESSAGEID             exists:MessageID
meta       MSGID_HDR_MALF              __HAS_MESSAGEID
describe   MSGID_HDR_MALF              Has invalid message ID header
score      MSGID_HDR_MALF              3.500	# limit
tflags     MSGID_HDR_MALF              publish

# perfect S/O, but MTAs are supposed to add Message-ID if missing, so the overall hit rate is very low
# more a detection of a broken MTA
meta       __HAS_MESSAGEID_ONLY        __HAS_MESSAGEID && !__HAS_MESSAGE_ID


header     __HAS_LIST_OPEN             exists:List-Open
header     __HAS_LIST_POST             exists:List-Post
header     __HAS_COMPLAINT_TO          exists:Complaint-To
header     __HAS_TRACKING_CODE         exists:Tracking-Code
header     __HAS_LOGID                 exists:logid

meta       JH_SPAMMY_HEADERS           __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
describe   JH_SPAMMY_HEADERS           Has unusual message header(s) seen primarily in spam
score      JH_SPAMMY_HEADERS           3.500	# limit
tflags     JH_SPAMMY_HEADERS           publish

# observed in some phish/419 spams
header     __HAS_MAIL_REPLY_TO         exists:Mail-Reply-To

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  header     __freemail_mailreplyto      eval:check_freemail_header('Mail-Reply-To')

  meta       ODD_FREEM_REPTO             __freemail_mailreplyto
  describe   ODD_FREEM_REPTO             Has unusual reply-to header
  score      ODD_FREEM_REPTO             3.000	# limit
  tflags     ODD_FREEM_REPTO             publish
endif

rawbody    __CONTENT_AFTER_HTML        /<\/html>\s*[a-z0-9]/i
meta       CONTENT_AFTER_HTML          __CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER 
describe   CONTENT_AFTER_HTML          More content after HTML close tag
score      CONTENT_AFTER_HTML          2.500	# limit
tflags     CONTENT_AFTER_HTML          publish

# High S/O but rare - ahead of the curve?
uri        GOOG_REDIR_DOCUSIGN         m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
describe   GOOG_REDIR_DOCUSIGN         Indirect docusign link, probable phishing
tflags     GOOG_REDIR_DOCUSIGN         publish

header     __LUNSUB_BEFORE_SUBJDT      ALL =~ /^List-unsubscribe: (?:[^\n]+\n){1,40}^(?:Subject|Date): /ism
header     __LUNSUB_BRKT_MALF          List-Unsubscribe =~ /<[^>]*$/

header     REPTO_SPOTTY                Reply-To:addr =~ /^(?:[a-z]{1,3}\.){4,}[a-z]+\d+\@/i

header     MIXED_CTYPE_CASE            Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll];

header     __XM_ONE_WORD               X-Mailer =~ /^\s*\w+\s*$/
header     __XM_ONE_WORD_UNKNOWN       X-Mailer =~ /^\s*(?!php|msgsend|send(?:html|inblue|mail)|liveagent|(?:cheetah|xyz|swift|power)mailer|dmdroid|codeigniter|peppered|host(?:odo|edsimply)|smart_send_\d|postfix|contactlab|communigator|magnews|(?:as2|manta|be|mikatiminge|web)mail|edelivery|sellware|WHMCS$|CR$|EMS$|SM[EF]$|ACEM$|RMM\d?|EOW\d|FM$|ZIMACS$|oempro\d|typo\d|drupal|mail(?:eon|ingwork|er|spring|force)|onlineoffice|oscommerce|redmine|m1mailmessage_v\d)\w+\s*$/i
header     __XM_ALNUM_STARTS_DIGIT     X-Mailer =~ /^\s*\d+[\s\d]*[^\s\d]/
header     __XM_DIGITS_ONLY            X-Mailer =~ /^\s*\d+\s*$/
header     __XM_UC_ONLY                X-Mailer =~ /^[^a-z]+$/
header     __XM_UC_ONLY_UNKNOWN        X-Mailer =~ /^(?!SM[EF]$|ACEM$|CR$|PHP(?:BB)?\d?$|EMS$|TYPO\d$|WHMCS$|RMM\d?$|GURU$|SMTP$|ZIMACS$|EOW\d|FM$)[^a-z]+$/
header     __XM_LC_ONLY                X-Mailer =~ /^[^A-Z]+$/
header     __XM_LC_ONLY_UNKNOWN        X-Mailer =~ /^(?!php|mailer$|sendhtml$)[^A-Z]+$/
header     __XM_RANDOM                 X-Mailer =~ /q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i
header     __XM_LIGHT_HEAVY            X-Mailer =~ /\b(?:light|(?<!::)lite|standard|business|pro(?:fessional)?|educational|personal)\b/i

header     __XM_SMART_SEND             X-Mailer =~ /^Smart_Send(?:_\d+)+$/
header     __XM_CHEETAHMAILER          X-Mailer =~ /^CheetahMailer$/
header     __XM_XYZMAILER              X-Mailer =~ /^XyzMailer$/
header     __XM_DMDROID                X-Mailer =~ /^dmDroid$/
header     __XM_DRUPAL                 X-Mailer =~ /^Drupal$/

meta       XM_DIGITS_ONLY              __XM_DIGITS_ONLY
describe   XM_DIGITS_ONLY              X-Mailer malformed
score      XM_DIGITS_ONLY              3.000	# limit
tflags     XM_DIGITS_ONLY              publish

# just a check
header     __XM_QBOXMAIL               X-Mailer =~ /qboxmail/i


meta       XM_RANDOM                   __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO 
describe   XM_RANDOM                   X-Mailer apparently random
score      XM_RANDOM                   3.000	# limit
tflags     XM_RANDOM                   publish

meta       XM_UC_ONLY                  __XM_UC_ONLY_UNKNOWN && !__STY_INVIS_MANY && !__HAS_X_REF && !__RCVD_DOTGOV_EXT 
describe   XM_UC_ONLY                  X-Mailer all uppercase
score      XM_UC_ONLY                  2.500	# limit

meta       XM_ONE_WORD                 __XM_ONE_WORD_UNKNOWN && !__L_CTE_7BIT && !__HAS_X_MAILING_LIST 
describe   XM_ONE_WORD                 X-Mailer only one word
score      XM_ONE_WORD                 2.000	# limit

meta       XM_LIGHT_HEAVY              __XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE 
describe   XM_LIGHT_HEAVY              Special edition of a MUA
score      XM_LIGHT_HEAVY              2.500	# limit

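# public PDF hosting abused for phishing redirects
# Regex metacharacters escaped: unescaped, "html?" made the trailing "l"
# optional and never matched the literal "?" that precedes the query string,
# so the real viewer URI was never matched; "." is escaped so it matches only
# the literal dots in the host and file name.
uri        __OPENTEXT_PDF              m;://core\.opentext\.com/pdfjs/web/viewer\.html\?shortLink=;i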



