rulesrc/sandbox/jhardin/20_fillform.cf - spamassassin - Git at Google


 #
 # Ruleset to match fill-in-this-form body text
 # common in scams and loan spams
 # occasional in phishing
 #
 # Requires multipass ReplaceTags plugin
 #
 # If you are using this with 3.2.5, make sure you get this as well:
 # http://svn.apache.org/viewvc/spamassassin/branches/3.2/lib/Mail/SpamAssassin/Plugin/ReplaceTags.pm
 #
 # <jhardin@impsec.org>
 # $Id$
 #

 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

   # Repetitive syntactic bits
   replace_tag FF_LNNO   (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
   replace_tag FF_YOUR   (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
   replace_tag ANDOR     (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
   replace_tag NUMBER    (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
   replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
   replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
   replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})

   # Address variations
   replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
   replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?

   # Name variations
   replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?

   # Telephone variations
   replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}

   # Misc personal data
   replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}

   # Loan application details
   replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)

   # Financial/ID details (scams and phishing)
   replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3}
   replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
   replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
   replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
   replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>

   # All variations together
   replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)

   # 5+ fields (high reliability)
   # Leave this exposed, it's a fairly good spam sign by itself
   body     __FILL_THIS_FORM_LONG1         /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
   body     __FILL_THIS_FORM_LONG2         /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
   replace_rules   __FILL_THIS_FORM_LONG1
   replace_rules   __FILL_THIS_FORM_LONG2
   meta     __FILL_THIS_FORM_LONG          __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
   meta     FILL_THIS_FORM_LONG            __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
   describe FILL_THIS_FORM_LONG            Fill in a form with personal information
   score    FILL_THIS_FORM_LONG            2.00	# limit

   # 5+ fields that body paragraph processing didn't paste together
   body     __FILL_THIS_FORM_PARTIAL       /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
   replace_rules   __FILL_THIS_FORM_PARTIAL
   tflags   __FILL_THIS_FORM_PARTIAL       multiple maxhits=5
   rawbody  __FILL_THIS_FORM_PARTIAL_RAW   /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20|&nbsp;|<\/\w+>){0,4}$)/im
   replace_rules   __FILL_THIS_FORM_PARTIAL_RAW
   tflags   __FILL_THIS_FORM_PARTIAL_RAW   multiple maxhits=5

   # 5+ fields in either format
   # For easy use in metas
   meta     __FILL_THIS_FORM               (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
   meta     FILL_THIS_FORM                 __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
   describe FILL_THIS_FORM                 Fill in a form with personal information
   #score    FILL_THIS_FORM                 1.00
   tflags   FILL_THIS_FORM                 publish

   # 3 or 4 fields (low reliability, but still useful in metas
   body     __FILL_THIS_FORM_SHORT1        /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
   body     __FILL_THIS_FORM_SHORT2        /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
   replace_rules   __FILL_THIS_FORM_SHORT1
   replace_rules   __FILL_THIS_FORM_SHORT2
   meta     __FILL_THIS_FORM_SHORT         !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
   meta     FILL_THIS_FORM_SHORT           __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
   describe FILL_THIS_FORM_SHORT           Fill in a short form with personal information
   score    FILL_THIS_FORM_SHORT           1.00	# limit

   # Add to score if loan question is present
   body     __FILL_THIS_FORM_LOAN1         /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
   replace_rules   __FILL_THIS_FORM_LOAN1
   meta     __FILL_THIS_FORM_LOAN          __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
   meta     FILL_THIS_FORM_LOAN            __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
   describe FILL_THIS_FORM_LOAN            Answer loan question(s)
   score    FILL_THIS_FORM_LOAN            2.0

   # Add to score if fraud/phishing question is present
   body     __FILL_THIS_FORM_FRAUD_PHISH1   /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
   replace_rules   __FILL_THIS_FORM_FRAUD_PHISH1
   meta     __FILL_THIS_FORM_FRAUD_PHISH   (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
   meta     FILL_THIS_FORM_FRAUD_PHISH     __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY
   describe FILL_THIS_FORM_FRAUD_PHISH     Answer suspicious question(s)
   #score    FILL_THIS_FORM_FRAUD_PHISH     1.50

 else
   meta     __FILL_THIS_FORM_LONG1         0
   meta     __FILL_THIS_FORM_LONG2         0
   meta     __FILL_THIS_FORM_LONG          0
   meta     __FILL_THIS_FORM_PARTIAL       0
   meta     __FILL_THIS_FORM_PARTIAL_RAW   0
   meta     __FILL_THIS_FORM               0
   meta     __FILL_THIS_FORM_SHORT1        0
   meta     __FILL_THIS_FORM_SHORT2        0
   meta     __FILL_THIS_FORM_SHORT         0
   meta     __FILL_THIS_FORM_LOAN1         0
   meta     __FILL_THIS_FORM_LOAN          0
   meta     __FILL_THIS_FORM_FRAUD_PHISH1  0
   meta     __FILL_THIS_FORM_FRAUD_PHISH   0
 endif   # Mail::SpamAssassin::Plugin::ReplaceTags

	#
	# Ruleset to match fill-in-this-form body text
	# common in scams and loan spams
	# occasional in phishing
	#
	# Requires multipass ReplaceTags plugin
	#
	# If you are using this with 3.2.5, make sure you get this as well:
	# http://svn.apache.org/viewvc/spamassassin/branches/3.2/lib/Mail/SpamAssassin/Plugin/ReplaceTags.pm
	#
	# <jhardin@impsec.org>
	# $Id$
	#

	ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

	# Repetitive syntactic bits
	replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}\|(?:st\|nd\|rd\|th)[)}\]:.,]{0,3})\|\W?\([\div]{1,5}\)\|\W?\{\d{1,3}\}\|\[\d{1,3}\]\|\*{1,5}\|\#{1,5}\|\(?[A-K][)}\]:.,]{1,3})\s?)
	replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your\|din\|seu\|twoje)[\s,:]{1,5})?(?:present\s\|c[uo]rrent\s\|full(?:st[\xe4]ndigt)?\s?\|complete\s\|direct\s\|private?\s\|valid\s\|personal\s\|nuvarande\s\|vollst[\xe4]ndige\s\|aktuelle\s\|pe\s(?:ne\s)?){0,3}
	replace_tag ANDOR (?:\s?[\/&+,]\s?\|\sor\s\|\sand?\s)
	replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?\|nos?\.\|no\b\|n[\xb0]\|\#s?\|nbrs?\.?)
	replace_tag FF_SUFFIX (?:\sin\s(?:full\|words)\|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
	replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]\|&\#\d{1,3};\|[\xe2][\x80][\xa6]){3,100}))
	replace_tag FF_BLANK2 (?:[^-=_.,:;\w]{0,3}(?:[-=_.,:;\s\x85]\|&\#\d{1,3};\|[\xe2][\x80][\xa6]){1,100})

	# Address variations
	replace_tag FF_A1 (?:(?:countr?y\|city\|province\|ter+itory\|(?:zip\|post(?:al)?)(?:\s?code)?\|st?ates?\|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence\|birth\|employment\|citizenship\|origin))?
	replace_tag FF_A2 (?:(?:contact\|full\|house\|home\|resident[ia]+l\|busines+\|mailing\|work\|delivery\|ship+ing\|post(?:al)?\|of+ice\|e-?mail\|bostads\|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}\|location\|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?

	# Name variations
	replace_tag FF_N1 (?:company\|first\|last\|all\|busines+\|legal\|ben[ei]ficiary\|user\|vollstaendigen)?\s?(?:name?[sn]?\|navne\|nome\|nazwy)(?:<ANDOR>ad+res+)?

	# Telephone variations
	replace_tag FF_P1 (?:(?:(?:busines+\|contact\|fax\|voice\|house\|home\|mobile?\|cel+(?:ular)?\|of+ice\|tel+e?(?:\s?(?:ph\|f)one?)?\|(?:ph\|f)one\|private)(?:\s(?:ph\|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}

	# Misc personal data
	replace_tag FF_M1 (?:(?:ages?\|marital\s?statu[se]\|sex\|gender\|male\sor\sfemale\|(?:date\s(?:of\s)?)?birth\|religion\|nationality\|(?:user )?email\|next\sof\skin\|alter\|staatsangehoerigkeit\|nationalitet\|idade\|weik)<ANDOR>?){1,3}

	# Loan application details
	replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience\|employment\|position\|profes+ion\|(?:monthly\|an+ual)?\s?income\|purpose\sof\sl(?:oa\|ao)n\|an+ual\sturn\s?over\|l(?:oa\|ao)n\sduration\|oc+up[ae]tion(?:\/position)?s?\|(?:l(?:oa\|ao)n\s\|the\s)?amount(?:\sneed(ed)?\|\sdesired)?(?:\s(?:as\|of)\sloan)?\|beruf\|zaw(?:=F3\|[\xf3])d)

	# Financial/ID details (scams and phishing)
	replace_tag FF_F1 (?:(?:bank(?:ing)?\|beneficiary\|billing\|acc(?:oun)?t\|rout(?:ing)?\|swift\|receiver\|user)<ANDOR>?){1,3}\s(?:(?:name\|ad+res+(?:es)?\|location\|code\|details\|institution\|a\/c\|<NUMBER>)<ANDOR>?){1,3}
	replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?\|pas+\s?port\|id\scard\|[ia]d(?:entification\|entity)(?:\s(?:card\|<NUMBER>\|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
	replace_tag FF_F3 (?:picture\|zdj\scie\|test\squestion\|answer\|amount\swon\|(?:inheritance\s)?funds?\svalue\|(?:e-?mail\s)?pas+word\|e-?mai?l\sid\|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
	replace_tag FF_F4 (?:log[-\s]?in\|(?:e-?mail\s)?user)\s?names?
	replace_tag FF_F5 (?:ref(?:erence)?\|batch\|win+ing\|award\|billet)[-\s]?<NUMBER>

	# All variations together
	replace_tag FF_ALL (?:<FF_A1>\|<FF_A2>\|<FF_N1>\|<FF_P1>\|<FF_M1>\|<FF_F1>\|<FF_F2>\|<FF_F3>\|<FF_F4>\|<FF_F5>\|<FF_L1>)

	# 5+ fields (high reliability)
	# Leave this exposed, it's a fairly good spam sign by itself
	body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?\|<ANDOR>)){5}/i
	body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?\|<ANDOR>)){5}/i
	replace_rules __FILL_THIS_FORM_LONG1
	replace_rules __FILL_THIS_FORM_LONG2
	meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 \|\| __FILL_THIS_FORM_LONG2
	meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
	describe FILL_THIS_FORM_LONG Fill in a form with personal information
	score FILL_THIS_FORM_LONG 2.00 # limit

	# 5+ fields that body paragraph processing didn't paste together
	body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>\|(?:[-=_.,:;*\s]\|=20){1,4}$)/im
	replace_rules __FILL_THIS_FORM_PARTIAL
	tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5
	rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>\|(?:[-=_.,:;*\s]\|=20\| \|<\/\w+>){0,4}$)/im
	replace_rules __FILL_THIS_FORM_PARTIAL_RAW
	tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5

	# 5+ fields in either format
	# For easy use in metas
	meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG \|\| __FILL_THIS_FORM_PARTIAL > 4 \|\| __FILL_THIS_FORM_PARTIAL_RAW > 4)
	meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
	describe FILL_THIS_FORM Fill in a form with personal information
	#score FILL_THIS_FORM 1.00
	tflags FILL_THIS_FORM publish

	# 3 or 4 fields (low reliability, but still useful in metas
	body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>\|<ANDOR>)){3}/i
	body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>\|<ANDOR>)){3}/i
	replace_rules __FILL_THIS_FORM_SHORT1
	replace_rules __FILL_THIS_FORM_SHORT2
	meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 \|\| __FILL_THIS_FORM_SHORT2 \|\| __FILL_THIS_FORM_PARTIAL > 2 \|\| __FILL_THIS_FORM_PARTIAL_RAW > 2)
	meta FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
	describe FILL_THIS_FORM_SHORT Fill in a short form with personal information
	score FILL_THIS_FORM_SHORT 1.00 # limit

	# Add to score if loan question is present
	body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>\|<FF_BLANK2>$)/i
	replace_rules __FILL_THIS_FORM_LOAN1
	meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
	meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
	describe FILL_THIS_FORM_LOAN Answer loan question(s)
	score FILL_THIS_FORM_LOAN 2.0

	# Add to score if fraud/phishing question is present
	body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>\|<FF_F2>\|<FF_F3>\|<FF_F4>\|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>\|<FF_BLANK2>$)/i
	replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
	meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM \|\| __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 \|\| __EMAIL_PHISH \|\| __ACCT_PHISH)
	meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY
	describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
	#score FILL_THIS_FORM_FRAUD_PHISH 1.50

	else
	meta __FILL_THIS_FORM_LONG1 0
	meta __FILL_THIS_FORM_LONG2 0
	meta __FILL_THIS_FORM_LONG 0
	meta __FILL_THIS_FORM_PARTIAL 0
	meta __FILL_THIS_FORM_PARTIAL_RAW 0
	meta __FILL_THIS_FORM 0
	meta __FILL_THIS_FORM_SHORT1 0
	meta __FILL_THIS_FORM_SHORT2 0
	meta __FILL_THIS_FORM_SHORT 0
	meta __FILL_THIS_FORM_LOAN1 0
	meta __FILL_THIS_FORM_LOAN 0
	meta __FILL_THIS_FORM_FRAUD_PHISH1 0
	meta __FILL_THIS_FORM_FRAUD_PHISH 0
	endif # Mail::SpamAssassin::Plugin::ReplaceTags