# 419 Spam
# FSL_NEW_HELO_USER fires when a relay appears to have announced itself with
# the literal HELO/EHLO name "User". Three case-insensitive sub-rules look for
# that name in different places and the meta rule ORs them together.
#
# Sub-rule 1 reads the X-Spam-Relays-External pseudo-header (relay metadata
# already parsed by SpamAssassin). The spaces around helo=user make the pattern
# match the whole field value rather than a substring such as "helo=username".
header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
# KAM 3/14/2014 - BUG 6693 - Terminate with ( or [
# Sub-rule 2 matches "from User" in Received text when it is followed by
# whitespace and "by", by an opening "(" or "[", or by the end of the tested
# string ($ is used without /m).
header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
# KAM 3/14/2014 - BUG 6693 - Terminated with ) and added EHLO OR HELO matching
# Sub-rule 3 matches "helo" or "ehlo", then "=" or one whitespace character,
# then "User)" in Received text.
header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i
# NOTE(review): sub-rules 2 and 3 test raw Received text, which presumably
# includes lines added by hosts outside the local trust boundary - confirm that
# matching sender-supplied Received lines is intended.
meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
describe FSL_NEW_HELO_USER Spam's using Helo and User
score FSL_NEW_HELO_USER 2.0
# NOTE(review): "publish" presumably asks the rule-promotion tooling to ship
# this rule in published updates - confirm against the project's rule workflow.
tflags FSL_NEW_HELO_USER publish
# axb 2012-09-27 Disabled to avoid overlap with autogenerated rules
# 419 Spam
# header FSL_XM_419 X-Mailer =~ /\s+6\.00\.2600\.0000$/
# describe FSL_XM_419 Old OE version in X-Mailer only seen in 419 spam
# score FSL_XM_419 2.0
# 419 Spam
# Matches a Content-Type header containing exactly charset="Windows-1251".
# The pattern is case-sensitive and requires the double quotes, so
# charset=windows-1251 (unquoted or lower-case) does not hit.
# NOTE(review): Windows-1251 is a general-purpose Cyrillic charset, so the
# "only seen in 419 spam" description presumably reflects the author's corpus
# rather than all mail - check false positives on legitimate Cyrillic mail.
header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
# NOTE(review): the score line below is commented out. SpamAssassin documents a
# default score of 1.0 for rules with no score line, so the rule still counts
# if this file is loaded as-is - confirm that is intended.
# score FSL_CTYPE_WIN1251 2.0
# 419 Spam
# Matches a Message-ID header whose value ends in "@User>", i.e. the part after
# the "@" is the bare name "User". The pattern is case-sensitive and anchored
# to the end of the tested string.
header FSL_MID_419 MESSAGE-ID =~ /\@User>$/
describe FSL_MID_419 Spam signature in Message-ID
# NOTE(review): the score line below is commented out. SpamAssassin documents a
# default score of 1.0 for rules with no score line - confirm that is intended
# if this file is loaded as-is.
# score FSL_MID_419 2.0
# https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7028
# simplistic rule overlaps with FROM_MISSP_REPLYTO - FP Potential (axb - 04-31-2014)
#meta FSL_MISSP_REPLYTO (__FROM_MISSPACED && __HAS_REPLY_TO)
# describe FSL_MISSP_REPLYTO Mis-spaced from and Reply-to
# score FSL_MISSP_REPLYTO 2.0
# http://groups.yahoo.com/group/oftajscns/message
# Matches any URI containing groups.yahoo.com/group/<non-space text>/message.
# The pattern is unanchored and does not name a specific group, so it hits
# links to messages in every Yahoo Group, not only the one in the example URL
# above.
uri FSL_YHG_ABUSE /groups\.yahoo\.com\/group\/\S+\/message/
describe FSL_YHG_ABUSE URI pointing to a message in an abused Yahoo Group
# NOTE(review): the score line below is commented out. SpamAssassin documents a
# default score of 1.0 for rules with no score line - confirm that is intended
# if this file is loaded as-is.
# score FSL_YHG_ABUSE 2.0
# Bot spew
# Matches text consisting of exactly two lines: one non-empty line, then a
# line holding an http:// URL that ends in ".ru/" with nothing after the slash.
# Only the http scheme is matched; https:// URLs do not hit.
# The /s modifier has no effect here because the pattern contains no unescaped
# "." (only [^\n] and the escaped \.).
# NOTE(review): ^ and $ are used without /m, so the rule can only hit when the
# text handed to it is exactly these two lines. How rawbody text is split
# before matching differs between SpamAssassin versions - confirm against the
# deployed version.
rawbody FSL_BOTSPAM_1 /^[^\n]+\nhttp:\/\/[^\n]+\.ru\/\n$/s
describe FSL_BOTSPAM_1 Two-line spam with URI pointing to .ru domain
# NOTE(review): the score line below is commented out. SpamAssassin documents a
# default score of 1.0 for rules with no score line - confirm that is intended
# if this file is loaded as-is.
# score FSL_BOTSPAM_1 2.0
# Mainsleaze
# overlaps ADMITS_SPAM
#body FSL_THIS_IS_ADV /This is an advertisement\./
#describe FSL_THIS_IS_ADV This is an advertisement
## score FSL_THIS_IS_ADV 3.0
# Bot spew
#rawbody FSL_BOTSPAM_2 /alt="Click here to show image"/
# score FSL_BOTSPAM_2 0.01
#rawbody FSL_BOTSPAM_3 /<img alt="\*\*\* Click here \*\*\*"/
# score FSL_BOTSPAM_3 0.01
# Fake Amazon order e-mails
#rawbody FSL_BOTSPAM_4 /Sorry for taking your time\.\./
# score FSL_BOTSPAM_4 0.01
#uri FSL_RU_URL /[^\/]+\.ru(?:$|\/|\?)/i
#tflags FSL_RU_URL nopublish
# score FSL_RU_URL 0.01
# SpamEatingMonkey lists
# SEM-BACKSCATTER
#header RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
#tflags RCVD_IN_SEMBACKSCATTER net
#describe RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
#score RCVD_IN_SEMBACKSCATTER 0.5
# SEM-BLACK
#header RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
#tflags RCVD_IN_SEMBLACK net
#describe RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK
#score RCVD_IN_SEMBLACK 0.5
# SEM-URI
#urirhssub SEM_URI uribl.spameatingmonkey.net. A 2
#body SEM_URI eval:check_uridnsbl('SEM_URI')
#describe SEM_URI Contains a URI listed by SEM-URI
#tflags SEM_URI net
#score SEM_URI 0.5
# SEM-URIRED
#urirhssub SEM_URIRED urired.spameatingmonkey.net. A 2
#body SEM_URIRED eval:check_uridnsbl('SEM_URIRED')
#describe SEM_URIRED Contains a URI listed by SEM-URIRED
#tflags SEM_URIRED net
#score SEM_URIRED 0.5
# SEM-FRESH
#urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
#body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
#describe SEM_FRESH Contains a domain registered less than 5 days ago
#tflags SEM_FRESH net
#score SEM_FRESH 0.5
#urirhssub SEM_FRESH_10 fresh10.spameatingmonkey.net. A 2
#body SEM_FRESH_10 eval:check_uridnsbl('SEM_FRESH_10')
#describe SEM_FRESH_10 Contains a domain registered less than 10 days ago
#tflags SEM_FRESH_10 net
#score SEM_FRESH_10 0.5
#urirhssub SEM_FRESH_15 fresh15.spameatingmonkey.net. A 2
#body SEM_FRESH_15 eval:check_uridnsbl('SEM_FRESH_15')
#describe SEM_FRESH_15 Contains a domain registered less than 15 days ago
#tflags SEM_FRESH_15 net
#score SEM_FRESH_15 0.5