# Define local stand-ins (__LCL__*) for sub-rules that live in plugins, so the
# metas further down that reference them for FP avoidance still parse and load
# when the plugin is absent, or is loaded but too old to provide the rule (the
# can() test catches that second case).  In either case the stand-in is pinned
# to 0 (never hits): a negated `!__LCL__*` term then becomes a no-op, while a
# positive use (e.g. __FROM_MISSP_EH_MATCH) simply never fires.
# __KAM_BODY_LENGTH_LT_128
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
else
meta __LCL__KAM_BODY_LENGTH_LT_128 0
endif
else
meta __LCL__KAM_BODY_LENGTH_LT_128 0
endif
# __KAM_BODY_LENGTH_LT_512
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
else
meta __LCL__KAM_BODY_LENGTH_LT_512 0
endif
else
meta __LCL__KAM_BODY_LENGTH_LT_512 0
endif
# __KAM_BODY_LENGTH_LT_1024
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
else
meta __LCL__KAM_BODY_LENGTH_LT_1024 0
endif
else
meta __LCL__KAM_BODY_LENGTH_LT_1024 0
endif
# __ENV_AND_HDR_FROM_MATCH
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
else
meta __LCL__ENV_AND_HDR_FROM_MATCH 0
endif
# __TVD_SPACE_RATIO
ifplugin Mail::SpamAssassin::Plugin::BodyEval
# plugin loaded: nothing to do here, __TVD_SPACE_RATIO is presumably supplied
# by the plugin's own rules (no __LCL__ alias is used for this one)
else
meta __TVD_SPACE_RATIO 0
endif
#
#header REPLYTO_MANY_AT Reply-To =~ /\@.+\@/
#describe REPLYTO_MANY_AT More than one @ in Reply-To:
#
#header SENDER_MANY_AT Sender =~ /\@.+\@/
#describe SENDER_MANY_AT More than one @ in Sender:
#
#header FROM_MANY_AT From =~ /\@.+\@/
#describe FROM_MANY_AT More than one @ in From:
#
# Sender's public rDNS is "localhost".  X-Spam-Relays-External is the
# pseudo-header SpamAssassin builds from the Received: chain (not something the
# sender wrote); ^ anchors on the first listed external relay.  The (?!127)
# lookahead skips loopback (127/8) addresses, which legitimately reverse-map to
# localhost.
header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
#body EU_SPAM_LAW m,Directive 2000/31/EC of the European Parliament,i
#describe EU_SPAM_LAW Quoting "European Parliament" spam law
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i
mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
meta HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
describe HTML_ATTACH HTML attachment to bypass scanning?
mimeheader OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i
describe OBFU_HTML_ATTACH HTML attachment with non-text MIME type
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
#score OBFU_TEXT_ATTACH 2.5
tflags OBFU_TEXT_ATTACH publish
mimeheader OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
describe OBFU_DOC_ATTACH MS Document attachment with generic MIME type
#score OBFU_DOC_ATTACH 0.25
mimeheader OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
describe OBFU_PDF_ATTACH PDF attachment with generic MIME type
#score OBFU_PDF_ATTACH 0.25
mimeheader OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
describe OBFU_JPG_ATTACH JPG attachment with generic MIME type
#score OBFU_JPG_ATTACH 1.50
mimeheader OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
describe OBFU_GIF_ATTACH GIF attachment with generic MIME type
#score OBFU_GIF_ATTACH 1.50
meta OBFU_ATTACH_MISSP __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH || OBFU_JPG_ATTACH || OBFU_GIF_ATTACH)
describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
# mimeheader ECMSNGR_MH X-ecm-part-format =~ /./
# describe ECMSNGR_MH eC-Messenger header
mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
meta CTYPE_NULL __CTYPE_NULL
describe CTYPE_NULL Malformed Content-Type header
# Zip Content-Type with no parameters at all (nothing after the type, not even
# a name=), which a real archive attachment would normally carry.
mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
# Zip MIME type paired with an .htm/.html filename in Content-Disposition.
# NOTE(review): mimeheader sub-rules hit per MIME part but are combined here at
# message level, so the two terms may have matched different parts; treat this
# as a hint rather than proof that one part carries both.
meta OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
describe OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
# NOTE(review): __PDF_ATTACH is defined again further down as a meta over
# __PDF_ATTACH_MT/_FN1/_FN2 (and __PDF_ATTACH_MT has this exact regex).  A later
# definition of the same rule name supersedes this one, so this line is
# effectively dead; drop it or rename it to avoid the type clash.
mimeheader __PDF_ATTACH Content-Type =~ m,\bapplication/pdf\b,i
# name="..." with no dot anywhere in it, skipping RFC 2047 encoded-words ("=?")
mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
# __DOC_ATTACH_MT is defined in the second MIMEHeader block below
meta DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT)
describe DOC_ATTACH_NO_EXT Document attachment with suspicious name
# Any zip-ish Content-Type, parameters or not (contrast __ZIP_ATTACH_NOFN)
mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
else
meta __HTML_ATTACH_01 0
meta __HTML_ATTACH_02 0
meta __CTYPE_NULL 0
meta __ZIP_ATTACH_NOFN 0
meta __PDF_ATTACH 0
meta __ATTACH_NAME_NO_EXT 0
meta __ZIP_ATTACH_MT 0
endif
# general case of spample observation
#header MUA_ONE_WORD X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe MUA_ONE_WORD Single word X-Mailer: not CamelCase
body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
describe DEAR_EMAIL_USER Dear Email User:
#score DEAR_EMAIL_USER 3.0
# from users list spamples 8/2009
uri URI_NUMERIC_CCTLD m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe URI_NUMERIC_CCTLD CCTLD URI with multiple numeric subdomains
# various MUAs
header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
else
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
describe PHP_NOVER_MUA Mail from PHP with no version number
score PHP_NOVER_MUA 3.000 # limit
tflags PHP_NOVER_MUA publish
# From should have whitespace between the comment and the address
# Better S/O, good enough for standalone rule
header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
# legit mailers known to misspace from
header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
# meta with some stuff to reduce FPs
meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSPACED From: missing whitespace
score FROM_MISSPACED 2.00
# Encrypted mail provider unable to properly format their headers (as of 07/2011)
header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
# Poorer S/O than FROM_MISSPACED but better performance in metas
header __FROM_RUNON From =~ /\S+<\w+/
header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
ifplugin Mail::SpamAssassin::Plugin::SPF
#meta FROM_MISSP_SPF_FAIL1 (__FROM_RUNON && !SPF_PASS)
#tflags FROM_MISSP_SPF_FAIL1 net
meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
tflags FROM_MISSP_SPF_FAIL net
score FROM_MISSP_SPF_FAIL 2.00 # limit
endif
meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
score FROM_MISSP_EH_MATCH 2.00 # max
# most hits > 10 points already
#meta __FROM_MISSP_URI __FROM_RUNON_UNCODED && __HAS_ANY_URI
#meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__THREADED && !__TAG_EXISTS_META
#describe FROM_MISSP_URI From misspaced, has URI
#score FROM_MISSP_URI 2.00 # max
meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe FROM_MISSP_USER From misspaced, from "User"
# all hits > 10 points already
#meta FROM_MISSP_NO_TO (__FROM_RUNON && MISSING_HEADERS)
#describe FROM_MISSP_NO_TO From misspaced, To missing
meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta __FROM_MISSP_DKIM (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE)
tflags __FROM_MISSP_DKIM net
meta FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_DKIM From misspaced, DKIM dependable
else
meta __FROM_MISSP_DKIM 0
endif
meta __FROM_MISSP_REPLYTO __FROM_RUNON && __REPLYTO_EXISTS
meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY
describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
## To the same
#header TO_MISSPACED To =~ /^\s*"[^"]*"</
#describe TO_MISSPACED To: missing whitespace
#score TO_MISSPACED 0.25
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
#score FROM_MISSP_FREEMAIL 2.0
else
meta __FROM_MISSP_FREEMAIL 0
endif
meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
#score FROM_MISSP_MSFT 3.5
meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
#score FROM_MISSP_DYNIP 2.0
# observed in spam 8/2009
header __MUA_EQ_ORG_1 ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism
header __MUA_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism
meta MAILER_EQ_ORG __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2
describe MAILER_EQ_ORG X-Mailer: same as Organization:
#tflags MAILER_EQ_ORG publish
header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
header __FROM_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*From: "?\1"?/ism
#meta FROM_EQ_ORG __FROM_EQ_ORG_1 || __FROM_EQ_ORG_2
#describe FROM_EQ_ORG From: same as Organization:
#tflags FROM_EQ_ORG publish
# observed in UCE 9/2009
#header __HDRS_LCASE ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm
header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
tflags __HDRS_LCASE multiple maxhits=3
# __MSGID_APPLEMAIL is uppercase-only GUID message_id. This may be redundant.
header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
header __MSGID_GUID_LOOSE Message-ID =~ /^<?[0-9A-Z]{8}-(?:[0-9A-Z]{3,4}-){3}[0-9A-Z]{11,12}\@/
meta __MSGID_GUID_FAKE __MSGID_GUID_LOOSE && !__MSGID_GUID
# It would be nice if somebody could identify the MUA/MTA that generates this:
header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
# This appears to be the IBM/Lotus Notes-Domino Message-ID format
# (OF<8hex>.<8hex>-ON<8hex>.<8hex>[-<8hex>.<8hex>]@domain); verify against a
# Domino-generated sample before treating it as a known MTA signature.
header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
# MUAs and MTAs known or suspected to do this
header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
else
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
describe HDRS_LCASE Odd capitalization of message header
score HDRS_LCASE 0.10 # limit
meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
meta __TOOMANY_HDRS_LCASE __HDRS_LCASE > 2
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
else
meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
describe MANY_HDRS_LCASE Odd capitalization of multiple message headers
score MANY_HDRS_LCASE 0.10 # limit
# Some metas that appear to perform well in masscheck
#meta __HDRS_LCASE_1K __HDRS_LCASE && __SINGLE_HEADER_1K
#meta HDRS_LCASE_1K __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE
#describe HDRS_LCASE_1K Odd capitalization of message headers + long header
#score HDRS_LCASE_1K 0.50 # limit
meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
score HDRS_LCASE_IMGONLY 0.10 # limit
# observed in UCE from India, 9/2009
header MDN_BOTCHED Disposition-notification-to =~ /<>/
describe MDN_BOTCHED Malformed return receipt header
# observed in spam 9/2009
header __HDRS_MISSP ALL =~ /\n(?:Subject|From|To):\S/ism
meta HDRS_MISSP __HDRS_MISSP && !__TAG_EXISTS_HEAD && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH
describe HDRS_MISSP Misspaced headers
score HDRS_MISSP 2.000 # limit
header SPAMMY_MIME_BDRY_01 Content-Type =~ /boundary="\@\@BOUNDARY"/
describe SPAMMY_MIME_BDRY_01 Spammy MIME boundary string
#score SPAMMY_MIME_BDRY_01 0.10
# testing
header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
# too dangerous even if it has a good S/O and hits >20% of spam in masschecks
#meta TBIRD_SPOOF __MUA_TBIRD && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__THREADED && !__VIA_ML && !__NOT_SPOOFED && !__HAS_SENDER && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__RP_MATCHES_RCVD && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL_MESSY && !__MIME_BASE64 && !__S25R_1
#describe TBIRD_SPOOF Claims Thunderbird mail client but looks suspicious
#score TBIRD_SPOOF 2.00 # limit
# seen in a few HTML fraud spams
rawbody RUNON_SHY /(?:\&shy;){3}/i
describe RUNON_SHY Repeating soft hyphens
#score RUNON_SHY 0.1
tflags RUNON_SHY nopublish
# Seen all too often
header LAZY_LISTWASHING To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
describe LAZY_LISTWASHING Lazy spammer, painfully obvious bogus addresses
#score LAZY_LISTWASHING 0.25
# Little to work with
body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
# observed in 419 spam
mimeheader CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
describe CDISP_SZ_MANY Suspicious MIME header
score CDISP_SZ_MANY 2.0 # limit
else
meta __DOC_ATTACH_MT 0
meta __DOC_ATTACH_FN1 0
meta __DOC_ATTACH_FN2 0
meta __DOC_ATTACH 0
meta __PDF_ATTACH_MT 0
meta __PDF_ATTACH_FN1 0
meta __PDF_ATTACH_FN2 0
meta __PDF_ATTACH 0
endif
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
meta FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
describe FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
meta FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
describe FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
meta FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
describe FREEMAIL_RVW_ATTCH Please review attached document, from freemail
endif
meta EMPTY_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __EMPTY_BODY
describe EMPTY_RVW_ATTCH Please review attached document, empty message
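# Reworded "unsubscribe" phrasing typical of spam ("end these emails", "cease
# any further mailings", "remove yourself from our mailing ...").  The lookaheads
# on "stop" and "do" deliberately exclude the common legitimate wordings
# "stop receiving these emails" / "do not wish to receive ... emails".
# FIX(review): the optional run of words before "from" was written as
# `(?:a-z{1,30} ){0,4}` - without brackets that is the literal text "a-z..." and
# could never match, so anything with 1-4 words between the verb and "from"
# was silently missed.  Corrected to `[a-z]{1,30}`.  This widens the match;
# re-masscheck before trusting the current score.
body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:[a-z]{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i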
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
else
meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
endif
describe END_FUTURE_EMAILS Spammy unsubscribe
score END_FUTURE_EMAILS 2.500 # limit
body AD_COMPLAINTS /\bcomplaints about this ad+\b/i
describe AD_COMPLAINTS Complain about this spam
# observed in bank phishing 09/2009
#rawbody MISQ_HTML /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/
#describe MISQ_HTML Unbalanced quotes in HTML tag
#tflags MISQ_HTML nopublish
# observed in bank phishing 09/2009
uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
describe WIKI_IMG Image from wikipedia
# observed in spam 09/2009
header SUBJ_RE_CLNCLN Subject =~ /^\s*RE::/
describe SUBJ_RE_CLNCLN Subject RE::
# observed in spam 02/2011
header TO_SEM_SEM To =~ /;;/
describe TO_SEM_SEM To has ";;"
tflags TO_SEM_SEM nopublish
uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i
meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
describe MANY_SUBDOM Lots and lots of subdomain parts in a URI
# by request of Benny Pedersen <me@junc.org> on the users list 10/9/2009
#meta RFC_ABUSE_POST (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST)
#describe RFC_ABUSE_POST Both abuse and postmaster missing on sender domain
#score RFC_ABUSE_POST 0.01
#tflags RFC_ABUSE_POST net
body CALL_SKYPE /\bCall this phone number [\w\s]{0,30}with Skype\b/
# <SPAN> tags shouldn't appear in the midst of text
rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
tflags __SPAN_BEG_TEXT multiple maxhits=5
rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
tflags __SPAN_END_TEXT multiple maxhits=5
meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
#score MANY_SPAN_IN_TEXT 2.50
#uri __FEEDPROXY_URI m;http://feedproxy\.google\.com/;i
#rawbody __FEEDPROXY m;http://feedproxy\.google\.com/;i
#tflags __FEEDPROXY multiple maxhits=5
#meta MANY_GOOG_PROXY __FEEDPROXY > 4
#describe MANY_GOOG_PROXY Many Google feedproxy URIs
# A single style="..." attribute holding both a one-digit px FONT-SIZE and a
# FLOAT (either order; strictly, any two of those declarations) with other
# declarations allowed in between - tiny floated text used to hide content.
# NOTE(review): both declarations require whitespace after the colon (\s+), so
# `font-size:1px` / `float:left` written without a space are not matched;
# confirm whether that is intentional (matching one generator's output) or an
# evasion gap worth closing with \s*.
rawbody TINY_FLOAT /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i
describe TINY_FLOAT Has small-font floating HTML - text obfuscation?
#score TINY_FLOAT 2.00
# endless requests on the users list...
header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe __TO_EQ_FROM To: same as From:
#tflags __TO_EQ_FROM publish
# Suggested by Hans-Werner Friedemann on users list 09/30/2010
header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
tflags FROM_IN_TO_AND_SUBJ publish
header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe TO_IN_SUBJ To address is in Subject
tflags TO_IN_SUBJ publish
score TO_IN_SUBJ 0.1
meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
describe TO_EQ_FM_HTML_ONLY To == From and HTML only
#tflags TO_EQ_FM_HTML_ONLY publish
meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH
describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
#tflags TO_EQ_FM_DIRECT_MX publish
# Why __HUSH_HUSH hits ham on this in masscheck I don't know. Legit bank emails maybe?
meta __TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY
meta TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_HTML_DIRECT && !__HUSH_HUSH
describe TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX
#tflags TO_EQ_FM_HTML_DIRECT publish
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
tflags __TO_EQ_FM_SPF_FAIL net
meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
tflags TO_EQ_FM_SPF_FAIL net
else
meta __TO_EQ_FM_SPF_FAIL 0
endif
# Paul Stead on SA list 11/2014
# Possessive quantifiers (++) need perl 5.10 or later, hence the version guard;
# on older perls these rules are simply not defined.
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2)
describe PDS_TO_EQ_FROM_NAME From: name same as To: address
header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD
endif
# URI into a WordPress wp-includes/pomo/ directory pointing at anything other
# than the five stock files there (entry/po/mo/streams/translations .php) -
# presumably a file dropped on a compromised site.  Sub-rule only, no score here.
uri __PDS_LOC_WP_POMO m;/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php).*;i
header __FROM_ALL_NUMS From:addr =~ /^\d+@/
header __TO_ALL_NUMS To:addr =~ /^\d+@/
meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe __TO_EQ_FROM_DOM To: domain same as From: domain
meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
tflags __TO_EQ_FM_DOM_SPF_FAIL net
meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
tflags TO_EQ_FM_DOM_SPF_FAIL net
else
meta __TO_EQ_FM_DOM_SPF_FAIL 0
endif
# Sub-rules (never scored, nopublish) that record a sender being on a ReturnPath
# Safe/Certified allowlist and on a DNSBL at the same time; presumably kept to
# measure allowlist quality in masscheck rather than for filtering.
meta __RP_SAFE_BRBL RCVD_IN_RP_SAFE && RCVD_IN_BRBL_LASTEXT
meta __RP_CERTIFIED_BRBL RCVD_IN_RP_CERTIFIED && RCVD_IN_BRBL_LASTEXT
tflags __RP_SAFE_BRBL net nopublish
tflags __RP_CERTIFIED_BRBL net nopublish
meta __RP_SAFE_ZEN RCVD_IN_RP_SAFE && __RCVD_IN_ZEN
meta __RP_CERTIFIED_ZEN RCVD_IN_RP_CERTIFIED && __RCVD_IN_ZEN
tflags __RP_SAFE_ZEN net nopublish
tflags __RP_CERTIFIED_ZEN net nopublish
meta __RP_SAFE_SORBS RCVD_IN_RP_SAFE && __RCVD_IN_SORBS
meta __RP_CERTIFIED_SORBS RCVD_IN_RP_CERTIFIED && __RCVD_IN_SORBS
tflags __RP_SAFE_SORBS net nopublish
tflags __RP_CERTIFIED_SORBS net nopublish
meta __RP_SAFE_XBL RCVD_IN_RP_SAFE && RCVD_IN_XBL
meta __RP_CERTIFIED_XBL RCVD_IN_RP_CERTIFIED && RCVD_IN_XBL
tflags __RP_SAFE_XBL net nopublish
tflags __RP_CERTIFIED_XBL net nopublish
meta __RP_SAFE_PSBL RCVD_IN_RP_SAFE && RCVD_IN_PSBL
meta __RP_CERTIFIED_PSBL RCVD_IN_RP_CERTIFIED && RCVD_IN_PSBL
tflags __RP_SAFE_PSBL net nopublish
tflags __RP_CERTIFIED_PSBL net nopublish
#meta __RP_SAFE_ANBREP_L3 RCVD_IN_RP_SAFE && RCVD_IN_ANBREP_L3
#meta __RP_CERTIFIED_ANBREP_L3 RCVD_IN_RP_CERTIFIED && RCVD_IN_ANBREP_L3
#tflags __RP_SAFE_ANBREP_L3 net nopublish
#tflags __RP_CERTIFIED_ANBREP_L3 net nopublish
# a URI in the From comment text, to bypass URIBL checks
# simplistic URI format for now
header __FROM_URI_1 From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i
header __FROM_URI_2 From =~ m;http://(?:[^.\s]+\.){1,3}(?:com|net|info|biz|org|\w\w)\b;i
meta FROM_URI __FROM_URI_1 || __FROM_URI_2
describe FROM_URI URI or www. in From
# observed in spam feb 2010
# Apparently-To per RFC2821 SHOULD NOT be used
header __APPARENTLY_TO Apparently-To =~ /<.*>/
tflags __APPARENTLY_TO multiple maxhits=21 nopublish
meta HAS_APPARENTLY_TO __APPARENTLY_TO > 0
describe HAS_APPARENTLY_TO Has deprecated Apparently-To header
#score HAS_APPARENTLY_TO 0.50
tflags HAS_APPARENTLY_TO nopublish
meta MANY_APPARENTLY_TO __APPARENTLY_TO > 20
describe MANY_APPARENTLY_TO Has many Apparently-To headers
#score MANY_APPARENTLY_TO 2.00
tflags MANY_APPARENTLY_TO nopublish
# obfuscation of "opt out"
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_OPTOUT /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i
replace_rules FUZZY_OPTOUT
describe FUZZY_OPTOUT Obfuscated opt-out text
endif
# stock spam disclaimer obfuscation
# body GAPPY_TRADING /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body GAPPY_SECURITIES /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i
# body GAPPY_RISK /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i
# body GAPPY_SELLING /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body GAPPY_HUNDRED /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i
# body GAPPY_THOUSAND /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i
# body GAPPY_EXPENSES /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i
# body GAPPY_DOLLARS /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i
#
# describe GAPPY_TRADING Possible obfuscated stock disclaimer
# describe GAPPY_SECURITIES Possible obfuscated stock disclaimer
# describe GAPPY_RISK Possible obfuscated stock disclaimer
# describe GAPPY_SELLING Possible obfuscated stock disclaimer
# describe GAPPY_HUNDRED Possible obfuscated stock disclaimer
# describe GAPPY_THOUSAND Possible obfuscated stock disclaimer
# describe GAPPY_EXPENSES Possible obfuscated stock disclaimer
# describe GAPPY_DOLLARS Possible obfuscated stock disclaimer
body GAPPY_GENITALIA /\bp(?!enis)(?!en is)[^a-z]?e[^a-z]?n[^a-z]?i[^a-z]?s(?:\b|_)/i
describe GAPPY_GENITALIA G.a.p.p.y male body parts
body GAPPY_PILLS /\bp(?!ills)[^a-z]?i[^a-z]?l[^a-z]?l[^a-z]?s(?:\b|_)/i
describe GAPPY_PILLS G.a.p.p.y pills
body __STYLE_TAG_IN_BODY /<style(?:[^>]{0,30})?>/i
body __BODY_XHTML /<x-html>/i
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
# possessive {0,4}+ requires perl 5.10 or better
rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>)(?:(?:\/\*(?:\s|[^*<]|\*(?!\/)|<(?!\/style>)){0,200}\*\/)|\#[^{<]{1,50}\{[^}<]{4,100}\})){0,4}+(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im
else
# older perl, can't deal with style comments properly
rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im
endif
rawbody __STYLE_GIBBERISH_2 /\.style\w{0,20}\s{1,10}\{[^:;]{200}/im
rawbody __STYLE_GIBBERISH_3 /<style(?:\s[^>]{0,40})?>\s{0,80}(?:[\w:]{1,30}\s{0,10}\{[^}]{1,50}\}\s{0,80}){1,5}(?:[\w,.']{1,30}\s{1,10}){40}/im
meta __STYLE_GIBBERISH (__STYLE_GIBBERISH_1 || __STYLE_GIBBERISH_2 || __STYLE_GIBBERISH_3)
meta STYLE_GIBBERISH __STYLE_GIBBERISH && (__BODY_XHTML || !__STYLE_TAG_IN_BODY) && !__RCD_RDNS_MX_MESSY && !__HAS_THREAD_INDEX && !__ANY_OUTLOOK_MUA && !__MIME_QP && !ALL_TRUSTED
describe STYLE_GIBBERISH Nonsense in HTML <STYLE> tag
score STYLE_GIBBERISH 3.50 # limit
tflags STYLE_GIBBERISH publish
body __SCRIPT_TAG_IN_BODY /<script>/i
rawbody __SCRIPT_GIBBERISH /<script>[^;<]{100}/im
meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
describe SCRIPT_GIBBERISH Nonsense in HTML <SCRIPT> tag
rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
describe COMMENT_GIBBERISH Nonsense in long HTML comment
score COMMENT_GIBBERISH 1.50 # limit
tflags COMMENT_GIBBERISH publish
#rawbody MANY_DIV_5 /(?:<div[^>]{0,30}>\s{0,80}){5}/im
#tflags MANY_DIV_5 nopublish
#rawbody MANY_DIV_6 /(?:<div[^>]{0,30}>\s{0,80}){6}/im
#tflags MANY_DIV_6 nopublish
#rawbody MANY_DIV_7 /(?:<div[^>]{0,30}>\s{0,80}){7}/im
#tflags MANY_DIV_7 nopublish
#rawbody MANY_DIV_8 /(?:<div[^>]{0,30}>\s{0,80}){8}/im
#tflags MANY_DIV_8 nopublish
#rawbody MANY_DIV_9 /(?:<div[^>]{0,30}>\s{0,80}){9}/im
#tflags MANY_DIV_9 nopublish
#rawbody MANY_DIV_10 /(?:<div[^>]{0,30}>\s{0,80}){10}/im
#tflags MANY_DIV_10 nopublish
#header FROM_TRL_UNDR From =~ /_\@/
#tflags FROM_TRL_UNDR nopublish
#body LOTSA_EMAILS /\b(?:thousand|million)\se-?mail(?:\saddresse)?s?\b/i
#tflags LOTSA_EMAILS nopublish
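# Large counts of addresses/leads/names on offer (list-seller spam)
body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,\d]{4,})\s(?:(?!and|or|your)\w+\s)?(?:e-?mail\saddresses|leads|names)\b/i
# suppressed when the __SPOOFED_URL / __BUGGED_IMG subrules already hit
meta BIGNUM_EMAILS __BIGNUM_EMAILS && !__SPOOFED_URL && !__BUGGED_IMG
describe BIGNUM_EMAILS Lots of email addresses/leads
# trailing marker was misspelled "limti"; the "# limit" spelling is the one the
# score-limit convention used elsewhere in this file relies on (presumably)
score BIGNUM_EMAILS 3.00 # limit
#tflags BIGNUM_EMAILS nopublish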
#rawbody __HTML_ELEM_OBFU /[a-z\s]&\#[91]\d\d?[a-z]/
#tflags __HTML_ELEM_OBFU multiple nopublish
#meta HTML_ELEM_OBFU_25 __HTML_ELEM_OBFU > 25
#tflags HTML_ELEM_OBFU_25 nopublish
#meta HTML_ELEM_OBFU_50 __HTML_ELEM_OBFU > 50
#tflags HTML_ELEM_OBFU_50 nopublish
#meta HTML_ELEM_OBFU_100 __HTML_ELEM_OBFU > 100
#tflags HTML_ELEM_OBFU_100 nopublish
#meta HTML_ELEM_OBFU_150 __HTML_ELEM_OBFU > 150
#tflags HTML_ELEM_OBFU_150 nopublish
#header PPMC_FROM_1 From =~ /\bPayPa[IL](?:\.Com)?\b/
#describe PPMC_FROM_1 Paypal phishing sign
uri URI_HIDDEN_2 m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..;
describe URI_HIDDEN_2 URI contains a hidden file or directory
# Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
# Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
# consider using khop __RCVD_VIA_AFRINIC_E instead
#header __NSL_RCVD_FROM_41 Received =~ /[([]41\./
header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
meta MONEY_FROM_41 __MONEY_FROM_41
describe MONEY_FROM_41 Lots of money from Africa
score MONEY_FROM_41 2.00 # limit
# some metas with the above, maybe reduce FPs
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
# meta __FROM_AFR_FREEMAIL __RCVD_VIA_AFRINIC_E && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
# describe __FROM_AFR_FREEMAIL Sent from Africa + freemail provider
else
meta __FROM_41_FREEMAIL 0
endif
# More from Ned
header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
# observed in spam 3/11/2010
header DATE_DOTS Date =~ /\d\d\.\d\d\.\d\d/
describe DATE_DOTS Periods in date header
uri IMAGESHACK_URI /\.imageshack\.us\//i
describe IMAGESHACK_URI URI contains imageshack.us
#uri __DYNDNS_URI /\.dyndns\.org(?:\/.*)?/i
#tflags __DYNDNS_URI multiple maxhits=2
#meta DYNDNS_URIS __DYNDNS_URI > 1
#describe DYNDNS_URIS Has multiple dyndns.org URIs
## Does not perform better than URL_SHORTENER family
## the ones it misses are already scoring 7+ points
#uri __BITLY_URI /\/\/bit\.ly\//i
#meta BITLY_URI __BITLY_URI && !__HDR_CASE_REVERSED && !__HAS_SENDER && !__HAS_CAMPAIGNID && !__DOS_HAS_LIST_UNSUB && !__HAS_ERRORS_TO && !__MAIL_LINK && !__MSGID_JAVAMAIL && !__ENV_AND_HDR_FROM_MATCH && !__THREADED && !__USING_VERP1 && !__IMG_VIA_BITLY && !__URL_SHORTENER
#describe BITLY_URI URI contains bit.ly
#score BITLY_URI 3.000 # limit
#tflags BITLY_URI publish
#
## HTML image sourced via URL shortening service:
## <IMG border=0 hspace=0 alt="" src="http://bit.ly/1OiuN0y" width=26 height=25>
#rawbody __IMG_VIA_BITLY m;<img\s[^>]+\ssrc\s*=\s*"?https?://(?:www\.)?bit\.ly/;i
#meta IMG_VIA_BITLY __IMG_VIA_BITLY && !SHORTENED_URL_SRC
#describe IMG_VIA_BITLY HTML image via URL shortener - URIBL avoidance?
#score IMG_VIA_BITLY 2.500 # limit
uri __URI_OBFU_DOM /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i
meta URI_OBFU_DOM __URI_OBFU_DOM && !__VIA_ML
describe URI_OBFU_DOM URI pretending to be different domain
uri DQ_URI_DOM_IN_PATH /:\/\/[\d\.]+\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe DQ_URI_DOM_IN_PATH DQ URI having a domain name in the path part
uri LH_URI_DOM_IN_PATH /:\/\/[^\/]{25,}\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe LH_URI_DOM_IN_PATH Long-host URI having a domain name in the path part
# observed in phish 4/10/10
uri URI_1234 m,//1\.2\.3\.4/,
# requested by Benny Pedersen 17 Apr 2010, 10 Aug 2011
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
tflags __SPF_FULL_PASS net
meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
tflags __SPF_RANDOM_SENDER net
else
meta __SPF_FULL_PASS 0
meta __SPF_RANDOM_SENDER 0
endif
# Spam from ZA
header CAN_SPAM_HDR CAN-SPAM_Compliant =~ /./
header RPT_SPAM_HDR Report-SPAM =~ /./
#header LONG_FROM From =~ /<[^<@]{40,}\w\@/
#if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# body __MANY_RECORDS_1 /\s[A-Z][a-z]{1,30}s(?:\sDatabase)?[-:\s]{2,5}(?i:1\smillion\s|\d[\d,.]{1,8}[Kk]?\s(?i:thousand\s|million\s)?)(?i:total\s|full\sdata\s)?(?i:email|record)s/
# tflags __MANY_RECORDS_1 multiple maxhits=16
# body __MANY_RECORDS_2 /\W{1,4}\s(?:[a-z\/]{1,20}\s){0,4}(?:doctor|physician|provider|therapist|counselor|dentist|veterinarian|clinic|hospital|agent|chiropractor|psychologist|companie|supplier)s/i
# tflags __MANY_RECORDS_2 multiple maxhits=16
# body __MANY_RECORDS_3 /\W{1,4}\s(?:(?:[A-Z]{1,2}[a-z\/]{0,20}|and)\s){0,4}[A-Z][a-z]{1,20}s Database/
# tflags __MANY_RECORDS_3 multiple maxhits=16
# #meta BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 5
# meta __MANY_BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 15
# meta MANY_BIG_LISTS __MANY_BIG_LISTS && !HTML_MESSAGE && !__CTYPE_MULTIPART_ANY && !__HS_SUBJ_RE_FW && !__HAS_THREAD_INDEX
# describe MANY_BIG_LISTS Lots of mailing lists / databases available!
#endif
# Suggested by Gerard Z 2010-08-15
#uri __GZ_PILL_SQUAT1 /\/[a-z]{3,8}\d{2}\.html/i
#uri __GZ_PILL_SQUAT2 /\/[a-z]{3,8}\d{2}\.jpg/i
#meta __GZ_PILL_SQUATTERS __GZ_PILL_SQUAT1 && __GZ_PILL_SQUAT2
#meta GZ_PILL_SQUATTERS __GZ_PILL_SQUATTERS && !__DOS_RELAYED_EXT && !__FROM_ISO_2022_JP && !__RCD_RDNS_MX_MESSY
#describe GZ_PILL_SQUATTERS Found a link to rogue pill pusher content
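# observed in multiple spam
# single hard-coded recipient address; only useful while that address stays in use
header TO_JOHNZY TO =~ /johnzy_the_king\@hotmail\.com/i
describe TO_JOHNZY To a spammy recipient
#score TO_JOHNZY 3.00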
# Discussed on list and observed in spam 10/15/2010
header TO_ONE_CHAR To =~ /^\s*"<"\s*</
describe TO_ONE_CHAR Bogus TO name
# Check From: as well...
header FROM_ONE_CHAR From =~ /^\s*"[^"]"\s*</
describe FROM_ONE_CHAR Bogus FROM name
# __ version of khop rule for FP filtering
meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
# 12-letter domain names, suggested by Len Conrad on the users list
header __RCVD_12LTRDOM Received =~ /[(\s.][a-z]{12}\./
header __RPATH_12LTRDOM Return-Path =~ /\@[a-z]{12}\./
uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i
header __FROM_12LTRDOM_1 From =~ /\@(?!facebookmail)[a-z]{12}\./
## suppress this, masscheck is publishing it as a T_ rule and ignoring the score limit, so hits get 1 point
#ifplugin Mail::SpamAssassin::Plugin::FreeMail
# meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
#else
# meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
#endif
#describe FROM_12LTRDOM From a 12-letter domain
##tflags FROM_12LTRDOM nopublish
#score FROM_12LTRDOM 0.10 # limit
# promising masscheck results
meta __MONEY_12LTRDOM __FROM_12LTRDOM_1 && __LOTSA_MONEY_00
meta MONEY_12LTRDOM __MONEY_12LTRDOM
score MONEY_12LTRDOM 0.10 # limit
describe MONEY_12LTRDOM Mentions lots of money and from a 12-letter domain
# spammer email addresses noted by D. German on users list 9/2010
body DG_SPAMMER_EMAIL_B /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
header DG_SPAMMER_EMAIL_F From =~ /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
describe DG_SPAMMER_EMAIL_B Recognized spammer email address in body
describe DG_SPAMMER_EMAIL_F Recognized spammer email address in From: header
# Spammers can't include the real name successfully...
body __FORGED_FB_USERCP_01 /This message was intended for Want to control which emails you receive from Facebook\?/i
# Javascript obfuscation noted by J. Brennan on the Users list 09/2010
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
#score OBFU_JVSCR_ESC 2.75
tflags OBFU_JVSCR_ESC publish
# Starting to observe in spam
meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
meta LIST_PARTIAL __LIST_PARTIAL && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_SENDER && !__HAS_ERRORS_TO
describe LIST_PARTIAL Has incomplete List-* header set
score LIST_PARTIAL 1.000 # limit
meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same
score LIST_PRTL_SAME_USER 3.000 # limit
tflags LIST_PRTL_SAME_USER publish
meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump
score LIST_PRTL_PUMPDUMP 2.000 # limit
tflags LIST_PRTL_PUMPDUMP publish
# in lots of phishing
uri __UCOZ_URI /\.ucoz\.org\//i
describe __UCOZ_URI URI contains ucoz.org
# Intrust Domains is a persistent domain registration spammer
# recent sign, will likely change
#body __ARTHUR_SIMMONS /Arthur Simmons/
#body __INTRUST_DOMS /In[Tt]rust Domains/
#meta ARTHUR_INTRUST __ARTHUR_SIMMONS && __INTRUST_DOMS
#describe ARTHUR_INTRUST Arthur Simmons - registrar spammer extraordinaire
#header ART_NAMES_ORG Received =~ /\bart\.names\.org\b/i
#describe ART_NAMES_ORG Arthur Simmons - registrar spammer extraordinaire
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
tflags __PILL_PRICE_01 multiple maxhits=3
tflags __PILL_PRICE_02 multiple maxhits=3
meta ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
describe ANY_PILL_PRICE Prices for pills
meta MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
describe MANY_PILL_PRICE Prices for many pills
else
meta __PILL_PRICE_01 0
meta __PILL_PRICE_02 0
endif
# More from Ned Slider
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta NSL_FREEMAIL_SUBJ (FREEMAIL_FROM && MISSING_SUBJECT)
describe NSL_FREEMAIL_SUBJ From freemail with missing subject
# score NSL_FREEMAIL_SUBJ 1.0
tflags NSL_FREEMAIL_SUBJ nopublish
meta NSL_FREEMAIL_M1 (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS))
describe NSL_FREEMAIL_M1 From freemail, missing subject and uri or many recips
# score NSL_FREEMAIL_M1 1.0
tflags NSL_FREEMAIL_M1 nopublish
meta NSL_FREEMAIL_M2 (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS)
describe NSL_FREEMAIL_M2 From freemail with uri and many recips
# score NSL_FREEMAIL_M2 1.0
tflags NSL_FREEMAIL_M2 nopublish
endif
header NSL_TO_ENDS_COMMA To =~ /,$/
describe NSL_TO_ENDS_COMMA To: ends with a comma
#score NSL_TO_ENDS_COMMA 0.001
tflags NSL_TO_ENDS_COMMA nopublish
body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
describe CN_B2B_SPAMMER Chinese company introducing itself
tflags CN_B2B_SPAMMER publish
body CN_OPTOUT_EML /\b(?:pasamenzi|arinayuma)\@sina\.com\b/i
describe CN_OPTOUT_EML Opt-out email address in CN B2B spams
# __ version of khopesh UPPERCASE_URI, for use in metas
uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
# __ version of khopesh SINGLE_HEADER_1K, for use in metas
#header __SINGLE_HEADER_1K ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s
# __ version of mmartinec RP_MATCHES_RCVD, for use in metas
if version >= 3.003000
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
else
meta __RP_MATCHES_RCVD 0
endif
else
meta __RP_MATCHES_RCVD 0
endif
# for sale newsletters
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_OBO /\bor best offer\b/i
tflags __FOR_SALE_OBO multiple maxhits=6
meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
tflags __FOR_SALE_PRC_1K multiple maxhits=11
meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
tflags __FOR_SALE_PRC_10K multiple maxhits=11
meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
tflags __FOR_SALE_PRC_100K multiple maxhits=11
meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
tflags __FOR_SALE_LTP multiple maxhits=11
meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
body __FOR_SALE_NET /00\.? NET/i
tflags __FOR_SALE_NET multiple maxhits=11
meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
tflags __FOR_SALE_PRC_EOL multiple maxhits=11
meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
endif
uri __URI_MAILTO /^mailto:/i
tflags __URI_MAILTO multiple maxhits=16
meta __URI_MAILTO_MANY __URI_MAILTO > 15
header REPLYTO_EMPTY Reply-To =~ /<>/
describe REPLYTO_EMPTY Reply-To undeliverable
header __TO_MANY To =~ /(?:,[^,]{1,90}){10}/
header __CC_MANY Cc =~ /(?:,[^,]{1,90}){10}/
header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/
header __CC_TOO_MANY Cc =~ /(?:,[^,]{1,90}){30}/
header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/
meta FREEMAIL_MANY_TO __TO_WAY_TOO_MANY && FREEMAIL_FROM
describe FREEMAIL_MANY_TO Freemail sender, 50+ exposed recipients
score FREEMAIL_MANY_TO 2.000 # limit
body __GAPPY_PHONE_NA /1 ?- \d \d \d ?- \d \d \d ?- \d \d \d \d/
meta GAPPY_PHONE_NA __GAPPY_PHONE_NA
describe GAPPY_PHONE_NA Phone number with lots of spaces
full __GAPPY_HTML_01 m;</?[a-z]{1,6}(?:\s[^>]{0,40})?>(?:\s|=09){0,80}(?:(?!\d)[\w'()\#,.:!]{1,15}(?:\s|=09){4,80}){7}\S;
full __GAPPY_HTML_02 m;\S(?:(?:\s|=09){4,80}(?!\d)[\w'()\#,.:!]{1,15}){7}(?:\s|=09){0,5}</?[a-z]{1,6}/?>;
#full __GAPPY_HTML_03 /^(?:=09){5,20}</m
#tflags __GAPPY_HTML_03 multiple maxhits=11
#full __GAPPY_HTML_04 /^(?:=0A){5,20}/m
#tflags __GAPPY_HTML_04 multiple maxhits=11
#meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02 || (__GAPPY_HTML_03 > 10) || (__GAPPY_HTML_04 > 10))
meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02)
meta GAPPY_HTML __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe GAPPY_HTML HTML body with much useless whitespace
# Try to improve S/O per bug 6119
meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__TO_EQ_FROM_DOM && !__BOTH_INR_AND_REF && !__X_CRON_ENV && !__HAS_THREAD_INDEX && !__HDRS_LCASE_KNOWN && !__ISO_2022_JP_DELIM
#tflags TVD_SPACE_RATIO_MINFP nopublish
score TVD_SPACE_RATIO_MINFP 2.750 # limit
describe TVD_SPACE_RATIO_MINFP Space ratio
# Only useful for English-language email
#meta SUBJECT_UNNEEDED_ENCODING (__SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) && !__RCD_RDNS_MAIL && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__THREADED && !__NONBOUNCE_READ_RECEIPT
#describe SUBJECT_UNNEEDED_ENCODING Subject encoded but not non-ANSI?
#score SUBJECT_UNNEEDED_ENCODING 1.000 # limit
#tflags SUBJECT_UNNEEDED_ENCODING publish
# Be sensitive to FP on legit japanese- and chinese-language mailing lists (09/2014)
meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
score TVD_SPACE_ENCODED 2.500 # limit
describe TVD_SPACE_ENCODED Space ratio & encoded subject
meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM
score TVD_SPACE_ENC_FM_MIME 2.000 # limit
describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed
# sample from users list: Subject: Sta ffWork sFastToSen dTab le tsGood s
header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
tflags __SUBJ_BROKEN_WORD multiple maxhits=2
meta SUBJ_BROKEN_WORD __SUBJ_BROKEN_WORD && !ALL_TRUSTED && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS && !__NOT_A_PERSON && !__LCL__ENV_AND_HDR_FROM_MATCH
describe SUBJ_BROKEN_WORD Subject contains odd word break
meta SUBJ_BROKEN_WORDS __SUBJ_BROKEN_WORD > 1 && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS
describe SUBJ_BROKEN_WORDS Subject contains multiple odd word breaks
# felicity TVD_SUBJ_NUM_OBFU as subrule
header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
endif
meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO
# from spample on users list 7/20/2011
header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
describe XM_PHPMAILER_FORGED Apparently forged header
tflags XM_PHPMAILER_FORGED publish
# from spample on users list 7/24/2011
header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
#meta XM_EC_MESSENGER __XM_EC_MESSENGER
#describe XM_EC_MESSENGER eC-Messenger bulk mail service
header __SUBJ_OBFU_PUNCT Subject =~ /(?:(?!<[a-z][a-z])[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z])/i
tflags __SUBJ_OBFU_PUNCT multiple maxhits=4
meta SUBJ_OBFU_PUNCT_FEW __SUBJ_OBFU_PUNCT > 1 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH
describe SUBJ_OBFU_PUNCT_FEW Possible punctuation-obfuscated Subject: header
score SUBJ_OBFU_PUNCT_FEW 0.750
meta SUBJ_OBFU_PUNCT_MANY __SUBJ_OBFU_PUNCT > 2 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH
describe SUBJ_OBFU_PUNCT_MANY Punctuation-obfuscated Subject: header
score SUBJ_OBFU_PUNCT_MANY 1.750
#meta SUBJ_MANGLED __SUBJ_OBFU_PUNCT && __GAPPY_SUBJECT && !__RP_MATCHES_RCVD && !__HAS_X_MAILER && !__DOS_HAS_LIST_UNSUB
#score SUBJ_MANGLED 2.000 # limit
# A document was scanned and sentto you using a Hewlett-Packard HP Officejet
# A document was scanned and sent to you using a Hewlett-Packard HP Officejet
# Scan from Hewlet-Packard Officejet
# Scan from a HP Officejet
# Hewlett-Packard Officejet Location: machine location not set
# Xerox WorkCentre
# See http://isc.sans.edu/diary.html?storyid=11848#comment
body __SCANNED /\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)|Xerox\b)/i
meta SCANNED_EXTERNAL __SCANNED && !ALL_TRUSTED && !__XEROXWORKCTR_MUA
describe SCANNED_EXTERNAL "Scanned Document" email from external source - malware?
score SCANNED_EXTERNAL 3.00 # limit
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# real estate / stock scam spams 11/2011
# roughly similar to FS_LARGE_PERCENT2, better S/O?
body __LARGE_PERCENT_AFTER /\d{3}% after/i
tflags __LARGE_PERCENT_AFTER multiple maxhits=4
meta LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
describe LARGE_PCT_AFTER_MANY Many large percentages after...
else
meta __LARGE_PERCENT_AFTER 0
endif
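# phish/malware 11/2011
# "ACH / wire / direct-deposit payment was rejected" lure text, four phrasings
body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
# any of the four lure phrasings, shared by the two metas below
meta __ACH_CANCELLED_ANY (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# a MIME part's file name can be carried in the Content-Type name= parameter or
# in Content-Disposition filename=; the original rule only looked at Content-Type
mimeheader __EXE_ATTACH_CT Content-Type =~ /\.exe\b/i
mimeheader __EXE_ATTACH_CD Content-Disposition =~ /\.exe\b/i
meta __EXE_ATTACH (__EXE_ATTACH_CT || __EXE_ATTACH_CD)
meta __ACH_CANCELLED_EXE __ACH_CANCELLED_ANY && __EXE_ATTACH
meta ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
describe ACH_CANCELLED_EXE "ACH cancelled" probable malware
else
# keep the subrule defined so metas referencing it still parse without the plugin
meta __EXE_ATTACH 0
endif
meta __ACH_CANCELLED __ACH_CANCELLED_ANY && (__HAS_ANY_URI || LOTS_OF_MONEY)
meta ACH_CANCELLED __ACH_CANCELLED
describe ACH_CANCELLED "ACH cancelled" fraud / phish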
# spams from users list query 03/2012
# Not useful as scored rules, may be useful meta'd with something else
uri __URI_DBL_SUBDOM m,^https?://(?!www\.amazon\.com)([^/]+)/.*https?://(?:[^.]+\.)?\1/,i
#meta URI_DBL_SUBDOM __URI_DBL_SUBDOM && !__RP_MATCHES_RCVD && !__FROM_LOWER && !__HAS_ERRORS_TO && !__TO_EQ_FROM_DOM
#score URI_DBL_SUBDOM 1.00 # limit
uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
uri __URI_DBL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){2},i
meta URI_DBL_INDIR __URI_DBL_INDIR && !__URI_TRPL_INDIR
describe URI_DBL_INDIR A URI with two levels of indirection
uri __URI_TRPL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){3},i
meta URI_TRPL_INDIR __URI_TRPL_INDIR
describe URI_TRPL_INDIR A URI with at least three levels of indirection
# suggestion on users list 04/2012
header SUBJ_ODD_CASE ALL =~ /\n(?!(?:Subject:|SUBJECT:|subject:))(?i:subject:)/sm
describe SUBJ_ODD_CASE Oddly mixed-case Subject: header
# Somebody's resurrecting the dead 07/1012
body BILL_1618 /\bUnder Bills?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i
describe BILL_1618 Mentions proposed US law supposedly permitting spamming
body NOT_SPAM /\b(?:this mail cannot be considered Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)\b/i
describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
# suggested by http://isc.sans.edu/diary.html?storyid=13921
# path shape: 2-4 char TLD, then an 8-character directory, then index.html
uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
describe URI_MALWARE_BH Possible BlackHole malware links / phishing
score URI_MALWARE_BH 1.0 # limit
# suggested by https://isc.sans.edu/diary.html?storyid=13996
# any "data:" scheme URI (inline content rather than a fetched resource);
# not scored when ALL_TRUSTED fires
uri __URI_DATA /^data:[a-z]/i
meta URI_DATA __URI_DATA && !ALL_TRUSTED
describe URI_DATA "data:" URI - possible malware or phish
score URI_DATA 1.0 # limit
header __SUBJ_ATTENTION Subject =~ /ATTENTION/
meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED
describe SUBJ_ATTENTION ATTENTION in Subject
score SUBJ_ATTENTION 0.500 # limit
header __IRS_FM_NAME From:name =~ /internal\srevenue\sservice/i
header __IRS_FM_DOM From:addr =~ /\birs\.gov$/
header __IRS_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\birs\.gov /
meta __IRS_SPOOF (__IRS_FM_NAME || __IRS_FM_DOM) && !__IRS_RCVD_DOM && __REPLYTO_EXISTS
meta IRS_SPOOF __IRS_SPOOF
describe IRS_SPOOF Claims to be IRS, but not from IRS domain
score IRS_SPOOF 2.00 # limit
# FBI spoof: the display name, sender domain or a shouted body line claims FBI,
# the external relay's rdns is not under fbi.gov, and a Reply-To header exists
header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i
header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/
header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
# no /m flag here, so ^ anchors only at the very start of the body text;
# the rawbody variant below uses /m and anchors at any line start
body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __REPLYTO_EXISTS
meta FBI_SPOOF __FBI_SPOOF
describe FBI_SPOOF Claims to be FBI, but not from FBI domain
score FBI_SPOOF 2.00 # limit
tflags FBI_SPOOF publish
# spoof plus the LOTS_OF_MONEY rule (advance-fee style)
meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
describe FBI_MONEY The FBI wants to give you lots of money?
score FBI_MONEY 2.00 # limit
tflags FBI_MONEY publish
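# Financial-brand senders, used only in combination with __FROM_MISSPACED below.
# The *_LOOSE rules deliberately match substrings (e.g. "urban" hits ban(?:k|co)).
header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i
header __FROM_AMEX From =~ /american\s?express/i
header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i
# was /chase(?:2?-?paymentech)\.com$/ - the group had no quantifier, so plain
# chase.com could never match and only the paymentech variants did; group is
# now optional and a leading \b added so e.g. purchase.com is not caught
header __FROM_CHASE From:addr =~ /\bchase(?:2?-?paymentech)?\.com$/i
header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i
header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i
header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i
# was /\blloyds(?:tsb)\.…/ - same no-op group; "tsb" is now optional
header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)?\.(?:co\.uk|com)$/i
header __FROM_PAYPAL_LOOSE From =~ /paypal/i
header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i
header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i
meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
meta FROM_MISSP_PHISH __FROM_MISSP_PHISH
describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
score FROM_MISSP_PHISH 3.500 # limit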
# another upload-a-document-for-public-access site
uri __URI_YOUSENDIT m,^https?://www\.yousendit\.com/directdownload,i
# see also DOS_GOOGLE_DOCS
uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i
uri __URI_GOOGLE_DRV m,^https?://googledrive\.com/,i
body __WEBMAIL_ACCT /\byour web ?mail account/i
body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here)\b/i
body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta)\b/i
body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage)\b/i
body __LOCK_MAILBOX /\b(?:(?:deactivate|lock|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server))/i
body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail (?:account|log-?in|box|address)\b/i
body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 1)
meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 3)
meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP
describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?)
body __ACCESS_SUSPENDED /\b?(:(?:access|account) has been (?:temporar(?:il)?y )(?:suspended|blocked|locked)|suspend (?:you from|your) access(?:ing)?)\b/i
body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online))/i
body __ACCESS_REVOKE /(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)/i
body __VERIFY_ACCOUNT /(?:confirm|updated?|verify) (?:your|the) (?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)/i
body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
body __ACCOUNT_ERROR /your account (?:is|appears to be) (?:incorrect|missing|in error|invalid)/i
body __ACCOUNT_DISRUPT /ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)/i
# NOTE(review): "(?:of )" carries no '?', so the first alternative only hits
# "upgrade of your account/access"; a plain "upgrade your account" is not
# counted by this subrule. Looks like a missing '?' -- verify on masscheck
# before widening, since this feeds the __ACCT_PHISH counters.
body __ACCOUNT_UPGRADE /(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded)/i
meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 1 && !__ACCT_PHISH_MANY
meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 3
meta ACCT_PHISHING __ACCT_PHISH
describe ACCT_PHISHING Possible phishing for account information
score ACCT_PHISHING 1.500 # limit
meta ACCT_PHISHING_MANY __ACCT_PHISH_MANY
describe ACCT_PHISHING_MANY Phishing for account information
score ACCT_PHISHING_MANY 3.000 # limit
meta PHISHING_FREEMAIL (__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO
describe PHISHING_FREEMAIL Send your login credentials to some random freemail account
# Google Docs observed on LOTS of phishes 2012
meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH)
meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
score GOOGLE_DOCS_PHISH 3.00 # limit
tflags GOOGLE_DOCS_PHISH publish
meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
tflags GOOGLE_DOCS_PHISH_MANY publish
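# Any Google Docs URI, with the usual ham-shaped exclusions (DKIM present,
# sender domain equals recipient domain, day-of-week/"today" references,
# forwarded freemail, Errors-To header).
# Fixed: !__TO_EQ_FROM_DOM was listed twice; the duplicate conjunct is dropped
# (A && A is A, so scoring is unchanged).
meta URI_GOOGLE_DOCS __URI_GOOGLE_DOC && !__DKIM_EXISTS && !__TO_EQ_FROM_DOM && !__DOS_REF_TODAY && !__DOS_BODY_FRI && !__DOS_BODY_WED && !__freemail_safe_fwd && !__HAS_ERRORS_TO
describe URI_GOOGLE_DOCS URI for Google Docs, common in phishing
score URI_GOOGLE_DOCS 1.00 # limit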
meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# NOTE(review): the !ALL_TRUSTED guard (used here and on most of the
# phish/FP-reduced rules in this file) presumably fires when every relay is
# inside trusted_networks, so an over-broad trusted_networks silently turns
# this phishing detection off rather than merely skipping relay checks --
# confirm the deployment's trusted_networks is tight before relying on these
# scores.
# __REMOTE_IMAGE is only available as an exclusion when MIMEHeader is loaded;
# the else branch is the identical rule without it.
meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE
else
meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney
endif
describe URI_PHISH Phishing using web form
score URI_PHISH 4.00 # limit
tflags URI_PHISH publish
meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
describe SYSADMIN Supposedly from your IT department
score SYSADMIN 3.500 # limit
tflags SYSADMIN publish
# suggested by MPerkel on the users list 11/10/2012
uri __URI_PROTO_MC /^(?!(?-i:(?:[Hh]ttps?|HTTPS?):))https?:/i
uri __URI_WWW_MC m,://(?!(?-i:www|WWW))www\.,i
uri __URI_TLD_MC /\.(?!(?-i:com|net|org|biz|info|COM|NET|ORG))(?:com|net|org|biz|info)\b/i
uri __URI_GOOG_MC /(?!(?-i:[Gg]oogle))google/i
rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
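# Tiny font-size (0-4px) inside an HTML body, with ham-shaped exclusions.
# Fixed: !__FROM_LOWER appeared twice in the conjunction; the duplicate is
# dropped (no change to what the rule matches).
meta HTML_FONT_TINY __HTML_FONT_TINY_01 && __TAG_EXISTS_BODY && !__DKIM_EXISTS && !__BUGGED_IMG && !__VIA_ML && !__RP_MATCHES_RCVD && !__THREADED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_JAVAMAIL && !__FROM_LOWER && !__HAS_THREAD_INDEX
describe HTML_FONT_TINY Font too small to read
score HTML_FONT_TINY 1.500 # limit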
body __BODY_TEXT_LINE /^\s*\S/
tflags __BODY_TEXT_LINE multiple maxhits=3
meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
# this hits 13% of masscheck corpus spam, 50% of that only scores 2 points
meta BODY_EMPTY __EMPTY_BODY && !__NUMBERS_IN_SUBJ && !__CTE && !__RP_MATCHES_RCVD && !__VIA_ML && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__FROM_LOWER && !__NOT_SPOOFED && !__MSGID_APPLEMAIL && !__RCD_RDNS_MAIL_MESSY && !NO_RELAYS && !__NOT_A_PERSON
describe BODY_EMPTY No body text in message
score BODY_EMPTY 3.00 # limit
meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENV
describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
score BODY_URI_ONLY 1.000 # limit
tflags BODY_URI_ONLY publish
body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
tflags __SINGLE_WORD_LINE multiple maxhits=2
header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
describe BODY_SINGLE_WORD Message body is only one word (no spaces)
score BODY_SINGLE_WORD 2.500 # limit
meta BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
describe BODY_SINGLE_URI Message body is only a URI
score BODY_SINGLE_URI 2.500 # limit
#ifplugin Mail::SpamAssassin::Plugin::DKIM
# # malformed DKIM signatures seen in the wild - see bug#6895
# # see how well this performs
# meta __DKIM_MALFORMED DKIM_SIGNED && !DKIM_VALID
#endif
#body __YOUR_PHOTOS /\byour photos (?:as p[rw]omised )?(?:here )?(?:- )?https?:/i
#meta YOUR_PHOTOS __YOUR_PHOTOS && !__HAS_ANY_EMAIL && !__HAS_REPLY_TO && !__DOS_HAS_LIST_UNSUB
#describe YOUR_PHOTOS "Your Photos" phishing or malware
#score YOUR_PHOTOS 4.00 # limit
body __UNSUBSCRIBE_ES /\b(?:Para darte de baja y no recibir ning(?:=FA|[\xfa]|[\xc3][\xba])n|Si no desea que le enviemos publicidad|Si desea eliminar su correo [^\s@]{1,64}@[^\s@]{1,64} de nuestra lista|no recibir estos boletines a: [^\s@]{1,64}@[^\s@]{1,64} simplemente|Si no desea recibir m(?:=E1|[\xe1]|[\xc3][\xa1]|a)s notificaciones)\b/i
meta UNSUBSCRIBE_ES __UNSUBSCRIBE_ES
score UNSUBSCRIBE_ES 2.500 # limit
body __UNSUBSCRIBE_PT /\bSe n(?:a|=E3|[\xe3]|[\xc3][\xa3])o desejar mais receber nossos e-?mails?\b/i
meta UNSUBSCRIBE_PT __UNSUBSCRIBE_PT
score UNSUBSCRIBE_PT 2.500 # limit
body __URI_DBL_PROTO m,\b(?:https?:/+){2},i
uri __URI_DOS_FILE /^[A-Z]:\\/i
# NOTE(review): both operands of the || are the same subrule
# (__FILL_THIS_FORM_SHORT2), so the disjunction is a no-op; a second
# fill-in-this-form subrule was probably intended. Confirm which one against
# where __FILL_THIS_FORM_SHORT2 is defined before changing it.
meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
describe FORM_LOW_CONTRAST Fill in a form with hidden text
score FORM_LOW_CONTRAST 2.500 # Limit
tflags FORM_LOW_CONTRAST publish
# try to FP-reduce HTML_FONT_LOW_CONTRAST
meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__VIA_ML && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !__DKIM_EXISTS && !__SENDER_BOT
# some no-ham combinations
meta GAPPY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __GAPPY_SUBJECT
describe GAPPY_LOW_CONTRAST Gappy subject + hidden text
score GAPPY_LOW_CONTRAST 2.500 # limit
meta URI_ONLY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __BODY_URI_ONLY
score URI_ONLY_LOW_CONTRAST 2.500 # limit
meta SUBJ_OBFU_LOW_CNTRST (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED
describe SUBJ_OBFU_LOW_CNTRST Subject obfuscation + hidden text
score SUBJ_OBFU_LOW_CNTRST 2.500 # limit
meta URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT
describe URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text
score URI_DOTDOT_LOW_CNTRST 2.500 # limit
meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
describe STOCK_LOW_CONTRAST Stocks + hidden text
score STOCK_LOW_CONTRAST 2.500 # limit
tflags STOCK_LOW_CONTRAST publish
uri __URI_DOM_DOTDOT m,://[^/]+\.\.,
meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
score FOUND_YOU 3.25 # limit
describe FOUND_YOU I found you...
tflags FOUND_YOU publish
#rawbody __HTML_FONT_ONE_WORD_01 />\s{0,5}\S{1,15}\s{0,5}<\/font>/i
#tflags __HTML_FONT_ONE_WORD_01 multiple maxhits=26
#meta HTML_FONT_ONE_WORD_MANY __HTML_FONT_ONE_WORD_01 > 25
#describe HTML_FONT_ONE_WORD_MANY Many one-word font changes
#score HTML_FONT_ONE_WORD_MANY 0.50 # limit (initial)
#body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant advertising broadcast\b/i
#body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant\b/i
#meta ADMITS_CANSPAM __ADMITS_CANSPAM && !__VIA_ML
#describe ADMITS_CANSPAM Admits to being spam
body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:email[- ]+)?[a@]dvert[i1l]sement\b/i
meta ADMITS_SPAM __ADMITS_SPAM && !__TO___LOWER && !__MSOE_MID_WRONG_CASE && !__RP_MATCHES_RCVD
describe ADMITS_SPAM Admits this is an ad
#body __OBFU_ADVERT /\badvert[1l]sement\b/i
#meta OBFU_ADVERT __OBFU_ADVERT
#describe OBFU_ADVERT Misspelled "advertisement"
#tflags OBFU_ADVERT publish
#body __SEO_REGISTER /\bsearch engine (?:registration|subscription|submission)\b/i
#tflags __SEO_REGISTER multiple maxhits=5
#meta SEO_REGISTER __SEO_REGISTER > 4
#score SEO_REGISTER 2.50 # limit
#uri REMOVE_YEAHNET /imremove\@yeah\.net/i
#describe REMOVE_YEAHNET Opt-out address used by CN spammers
header __FROM_LIC From:name =~ /^Lic\./
header __FROM_DOM_INFO From:addr =~ /\.info$/i
meta ES_LIC_FROM_INFO __FROM_LIC && __FROM_DOM_INFO && __UNSUBSCRIBE_ES
describe ES_LIC_FROM_INFO Spanish-language spam from .info domain
header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
#uri __JIMDO_PHISH /(?:microsoft|outlook|access|helpdesk|upd?ates|newaccount)\w+\.jimdo\.com/i
body __CLICK_HERE /\bclick\shere\b/i
#meta JIMDO_PHISH __JIMDO_PHISH && __CLICK_HERE
#describe JIMDO_PHISH Apparent phishing via webform hosted at jimdo.com
#score JIMDO_PHISH 3.00 # limit
body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
uri __URI_WPADMIN m,/wp-admin/\w+/,i
meta URI_WPADMIN __URI_WPADMIN
describe URI_WPADMIN WordPress login/admin URI, possible phishing
tflags URI_WPADMIN publish
uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
uri __URI_WPCONTENT_L m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
uri __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
#uri __URI_WP_WHITELIST m,/wp-content/plugins/civicrm/,i
meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
describe URI_WP_HACKED URI for compromised WordPress site, possible malware
score URI_WP_HACKED 3.000 # limit
tflags URI_WP_HACKED publish
uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
meta URI_WP_DIRINDEX __URI_WPDIRINDEX
describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
score URI_WP_DIRINDEX 3.000 # limit
tflags URI_WP_DIRINDEX publish
# this has some overlap with URI_WP_HACKED
uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,64}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf).{4}$;i
meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__TO_EQ_FROM && !__THREADED
describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
score URI_WP_HACKED_2 2.000 # limit
tflags URI_WP_HACKED_2 publish
# subrules migrated from 00_FVGT_File001.cf
# These have no /i flag and no anchor: they hit an all-lowercase header name
# ("subject:", "from:", "to:", "date:") followed by a value, wherever that
# occurs in the header block -- the tell the *_LOWER names refer to. They are
# used as ham-shaped exclusions in this file (e.g. !__FROM_LOWER,
# !__TO___LOWER), not scored on their own.
header __SUBJ_LOWER ALL =~ /subject:\s\S{5}/
header __FROM_LOWER ALL =~ /from:\s\S{5}/
header __TO___LOWER ALL =~ /to:\s\S{5}/
header __DATE_LOWER ALL =~ /date:\s\S{5}/
# duplicates __XPRIO
#header __FH_HAS_XPRIORITY exists:X-Priority
meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__THREADED && !__RP_MATCHES_RCVD && !__LONGLINE && !__MAIL_LINK && !__RCD_RDNS_SMTP && !__PDF_ATTACH && !__USING_VERP1 && !__HAS_DOMAINKEY_SIG && !__LIST_PARTIAL
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
else
meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
endif
tflags XPRIO net
score XPRIO 2.000 # limit
else
meta XPRIO __XPRIO_MINFP
score XPRIO 2.000 # limit
endif
describe XPRIO Has X-Priority header
tflags XPRIO publish
# some no-ham combinations
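meta __XPRIO_SHORT_SUBJ __XPRIO && __SUBJ_SHORT
# X-Priority header plus a short subject, with ham-shaped exclusions.
# Consistency fix: reference __ENV_AND_HDR_FROM_MATCH through the __LCL__
# shim, as SYSADMIN, HTML_FONT_TINY, BODY_EMPTY, BODY_URI_ONLY and
# HEXHASH_WORD do, instead of naming the plugin-provided rule directly. With
# HeaderEval loaded the shim has the same value, so scoring is unchanged; the
# shim only avoids a dangling dependency when the plugin is absent.
meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__HAS_ANY_URI && !__TO_NO_ARROWS_R && !__LCL__ENV_AND_HDR_FROM_MATCH && !__VISTA_MSGID
describe XPRIO_SHORT_SUBJ Has X-Priority header + short subject
score XPRIO_SHORT_SUBJ 2.500 # limit
tflags XPRIO_SHORT_SUBJ publish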
meta FROM_MISSP_XPRIO __XPRIO && __FROM_MISSPACED
describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority
score FROM_MISSP_XPRIO 2.500 # limit
meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
score STATIC_XPRIO_OLE 2.000 # limit
tflags STATIC_XPRIO_OLE publish
# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta XPRIO_RPATH_NULL (__XPRIO && __BOUNCE_RPATH_NULL) && !__HAS_ERRORS_TO && !__VIA_ML && !ANY_BOUNCE_MESSAGE && !__HAS_ORGANIZATION && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED
#score XPRIO_RPATH_NULL 2.500 # limit
#
#meta TO_EQ_FM_NN_RPATH_NULL (__TO_EQ_FROM_USR_NN && __BOUNCE_RPATH_NULL) && !__TO_EQ_FROM_USR
#score TO_EQ_FM_NN_RPATH_NULL 2.000 # limit
#tflags TO_EQ_FM_NN_RPATH_NULL publish
header __FS_SUBJ_RE Subject =~ /^Re: /
header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
body __CAN_HELP /\bcan help\b/i
body __FB_COST /\bcost\b/i
body __FB_NATIONAL /national/i
body __FB_NUM_PERCNT /\d\s?\%/
body __FB_S_STOCK /\bstock/i
body __FB_TOUR /\btour/i
body __SURVEY /\bsurvey\b/i
body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
replace_rules __FRT_PRICE
meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
else
meta __FRT_PRICE 0
meta __FM_MY_PRICE __FB_S_PRICE
endif
rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
rawbody __FR_SPACING_9 /[a-z0-9]{6}\s{9}[a-z0-9]{5}/i
rawbody __FR_SPACING_15 /[a-z0-9]{6}\s{15}[a-z0-9]{5}/i
rawbody __FR_SPACING_17 /[a-z0-9]{6}\s{17}[a-z0-9]{5}/i
rawbody __FR_SPACING_22 /[a-z0-9]{6}\s{22}[a-z0-9]{5}/i
# per users mailing list question from Joe Quinn
#body __HEXHASHWORD_S /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{18})[0-9a-f]{18}/
#tflags __HEXHASHWORD_S multiple maxhits=4
body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
tflags __HEXHASHWORD_S2EU multiple maxhits=4
#body __HEXHASHWORD_S2E /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}[0-9a-f]{10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
#tflags __HEXHASHWORD_S2E multiple maxhits=4
#body __HEXHASHWORD_S2 /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[0-9a-f]{10,64}\s[A-Z]?[a-z]{1,15}\b/
#tflags __HEXHASHWORD_S2 multiple maxhits=4
#body __HEXHASHWORD /\s[A-Z]?[a-z]{1,15}\s[0-9a-f]{30}/
#tflags __HEXHASHWORD multiple maxhits=4
meta __HEXHASH_2 __HEXHASHWORD_S2EU > 1
meta __HEXHASH_3 __HEXHASHWORD_S2EU > 2
meta __HEXHASH_4 __HEXHASHWORD_S2EU > 3
#meta __HEXHASH_5 __HEXHASHWORD_S2EU > 4
meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__LCL__ENV_AND_HDR_FROM_MATCH && !__LYRIS_EZLM_REMAILER && !__THREADED && !__HDRS_LCASE && !__MSGID_HEXISH && !__RDNS_SHORT
describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
score HEXHASH_WORD 3.000 # limit
tflags HEXHASH_WORD publish
# from users list spample provided by Larry Starr
body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
tflags __UC_GIBB_OBFU multiple maxhits=2
#meta __UC_GIBB_2 __UC_GIBB_OBFU > 1
#meta __UC_GIBB_3 __UC_GIBB_OBFU > 2
#meta __UC_GIBB_4 __UC_GIBB_OBFU > 3
#meta __UC_GIBB_5 __UC_GIBB_OBFU > 4
#meta __UC_GIBB_6 __UC_GIBB_OBFU > 5
#meta __UC_GIBB_7 __UC_GIBB_OBFU > 6
meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
score UC_GIBBERISH_OBFU 3.000 # Limit
tflags UC_GIBBERISH_OBFU publish
#body __B2B_HELP /\bhelp(?:ing)? (?:businesses like yours|your business)\b/i
#body __YOUR_BIZ /\bbusiness(?:es) like yours|(?<!of )your b(?:usiness|rand)\b/i
# will be removed with immediate effect from any further mailing list
# wish to receive information from us in the future
# This-link http://www.nowyehue.com/bon/dds/ will end messages.
# stop receiving these emails
# Unsubscribe me from this list
# We are not promoting any kind of SPAM.
# recieve any kind promotional email form us
# To stop receiving these emails
# exclude yourself from further ad-messages
# removal options
# Stop PSA alert
#body __UNSUB_PSA /\bstop PSA alert\b/i
#body __UNSUB_EXCL /\bexclude yourself from further ad\b/i
#meta UNSUB_EXCL __UNSUB_EXCL
#score UNSUB_EXCL 2.000 # limit
#body __UNSUB_OPT /\bremoval options?\b/i
#meta UNSUB_OPT __UNSUB_OPT
#score UNSUB_OPT 2.000 # limit
header __NO_TRUSTED_RELAY X-Spam-Relays-Trusted !~ /ip=/i
#body CANT_SEE_AD /\b(?:can(?:no|')?t|(?:aren'?t |not |un)able to) (?:view|read|see|scan|witness|consider|look at|participate in|take in|(?:make|check|scope) out|eye|scrutinize|watch|display|observe) (?:our|this|the) (?:commercial[-. ]|ad(?:v[-.]?ert[i1l]se-?ment)? |images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?images)\b/i
body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
meta CANT_SEE_AD __CANT_SEE_AD_1 || __CANT_SEE_AD_2
describe CANT_SEE_AD You really want to see our spam.
score CANT_SEE_AD 3.000 # limit
tflags CANT_SEE_AD publish
uri __128_HEX_URI m,/[0-9a-f]{128},
#tflags __128_HEX_URI multiple maxhits=2
#uri __192_HEX_URI m,/[0-9a-f]{192},
#uri __256_HEX_URI m,/[0-9a-f]{256},
#uri __384_HEX_URI m,/[0-9a-f]{384},
#meta __128_HEX_URI_SGL __128_HEX_URI == 1
#meta __128_HEX_URI_MLT __128_HEX_URI > 1
meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
describe LONG_HEX_URI Very long purely hexadecimal URI
score LONG_HEX_URI 3.000 # limit
tflags LONG_HEX_URI publish
uri __128_LC_URI m;[/?][a-z]{128,}$;
uri __128_LC_IMG m;/[a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;
uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i
uri __128_ALNUM_IMG m;/[0-9a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;i
uri __64_ANY_URI m;[/?]\w{64,}$;i
uri __64_ANY_IMG m;/\w{64,}/\w+\.(?:png|gif|jpe?g)$;i
uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i
uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
meta __128_LC_URI_IMG __128_LC_URI && __128_LC_IMG
meta __128_ALNUM_URI_O __128_ALNUM_URI && !__128_LC_URI
meta __128_ALNUM_IMG_O __128_ALNUM_IMG && !__128_LC_IMG
meta __128_ALNUM_URI_IMG __128_ALNUM_URI_O && __128_ALNUM_IMG_O
meta __64_ANY_URI_O __64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta __64_ANY_IMG_O __64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta __64_ALNUM_URI_IMG __64_ANY_URI_O && __64_ANY_IMG_O
meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta __45_ALNUM_IMG_O __45_ALNUM_IMG && !__64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta __45_ALNUM_URI_IMG __45_ALNUM_URI_O && __45_ALNUM_IMG_O
meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO
describe LONG_IMG_URI Image URI with very long path component - web bug?
score LONG_IMG_URI 3.000 # limit
tflags LONG_IMG_URI publish
rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe HTML_OFF_PAGE HTML element rendered well off the displayed page
score HTML_OFF_PAGE 2.000 # limit
tflags HTML_OFF_PAGE publish
body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i
body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
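# "stock of the year" (and the misspelling "sotk of the year").
# Fixed: "\b?(:" -> "\b(?:". The original opened a capturing group whose
# first alternative began with a literal ':', so "stock of the year" only
# matched when written ":stock of the year"; only the "sotk" branch worked.
body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i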
body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
meta __PD_CNT_2 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
meta __PD_CNT_3 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 2
meta __PD_CNT_4 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 3
meta __PD_CNT_5 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 4
meta __PD_CNT_6 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 5
meta __PD_CNT_7 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 6
meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
describe PUMPDUMP Pump-and-dump stock scam phrase
score PUMPDUMP 1.000 # limit
tflags PUMPDUMP publish
meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
score PUMPDUMP_MULTI 3.500 # limit
tflags PUMPDUMP_MULTI publish
body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
describe STOCK_TIP Stock tips
score STOCK_TIP 3.000 # limit
tflags STOCK_TIP publish
meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
describe PUMPDUMP_TIP Pump-and-dump stock tip
tflags PUMPDUMP_TIP publish
#body DR_OZ_OBFU /\bD(?:r\.|oc(?:tor)?) ?0z\b/i
#describe DR_OZ_OBFU Obfuscated Doctor Oz
#
#body DOC_OZ /\b(?:doc oz|Dr\.?Oz)\b/
#describe DOC_OZ Doctor Oz
body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
describe ADMAIL "admail" and variants
tflags ADMAIL publish
body ORS /\bOn-?line Rate Saver\b/i
describe ORS "Online Rate Saver"
# subrule version of MMartinec CR_IN_SUBJ
header __CR_IN_SUBJ Subject:raw =~ /\015/
body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
describe THIS_AD "This ad" and variants
tflags THIS_AD publish
body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
describe AD_PREFS Advertising preferences
tflags AD_PREFS publish
#body OPT_OUT /\bOpt-Out Here\b/i
#score OPT_OUT 2.000
uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
describe URI_OPTOUT_USME Opt-out URI, unusual TLD
tflags URI_OPTOUT_USME publish
uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
score URI_OPTOUT_3LD 2.000 # limit
tflags URI_OPTOUT_3LD publish
uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
describe URI_TRY_USME "Try it" URI, unusual TLD
tflags URI_TRY_USME publish
uri URI_TRY_3LD m,^https?://(?:try|start|get|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub)\w)[^.]*\.[^/]+\.(?:com|net)\b,i
describe URI_TRY_3LD "Try it" URI, suspicious hostname
score URI_TRY_3LD 2.000 # limit
tflags URI_TRY_3LD publish
## REFINE THIS
#body __INCOMING_FAX /\bincoming fax\b/i
#body __BANK /\bbank\b/i
#body __ACCT_STMT /\bac(?:count|tivity) statement\b/i
#uri __URI_DROPBOX m,[/.]dropbox\.com\/,i
#meta DROPBOX_MALW (__INCOMING_FAX || (__BANK && __ACCT_STMT)) && __URI_DROPBOX && !ALL_TRUSTED
#describe DROPBOX_MALW Spoofed FAX or bank statement with Dropbox link: PROBABLE MALWARE
#score DROPBOX_MALW 10.00
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_UNSUBSCRIBE /<U>(?!nsubscribe)<N><S><U><B><S><C><R><I><B><E>/i
replace_rules FUZZY_UNSUBSCRIBE
describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
tflags FUZZY_UNSUBSCRIBE publish
body FUZZY_ANDROID /<A>(?!ndroid)<N><D><R><O><I><D>/i
replace_rules FUZZY_ANDROID
describe FUZZY_ANDROID Obfuscated "android"
tflags FUZZY_ANDROID publish
body FUZZY_PROMOTION /<P>(?!romotion)<R><O><M><O><T><I><O><N>/i
replace_rules FUZZY_PROMOTION
describe FUZZY_PROMOTION Obfuscated "promotion"
tflags FUZZY_PROMOTION publish
body FUZZY_PRIVACY /<P>(?!rivacy)<R><I><V><A><C><Y>/i
replace_rules FUZZY_PRIVACY
describe FUZZY_PRIVACY Obfuscated "privacy"
tflags FUZZY_PRIVACY publish
body FUZZY_BROWSER /<B>(?!rowser)<R><O><W><S><E><R>/i
replace_rules FUZZY_BROWSER
describe FUZZY_BROWSER Obfuscated "browser"
tflags FUZZY_BROWSER publish
body FUZZY_SAVINGS /<S>(?!avings)<A><V><I><N><G><S>/i
replace_rules FUZZY_SAVINGS
describe FUZZY_SAVINGS Obfuscated "savings"
tflags FUZZY_SAVINGS publish
body FUZZY_IMPORTANT /<I>(?!mportant)<M><P><O><R><T><A><N><T>/i
replace_rules FUZZY_IMPORTANT
describe FUZZY_IMPORTANT Obfuscated "important"
tflags FUZZY_IMPORTANT publish
body FUZZY_SECURITY /<S>(?!ecurity)(?!eguridad)<E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
replace_rules FUZZY_SECURITY
describe FUZZY_SECURITY Obfuscated "security"
tflags FUZZY_SECURITY publish
body __FUZZY_DR_OZ /\bD(?!(?-i:(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
replace_rules __FUZZY_DR_OZ
meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML && !__DKIM_EXISTS && !__RP_MATCHES_RCVD
describe FUZZY_DR_OZ Obfuscated Doctor Oz
tflags FUZZY_DR_OZ publish
body FUZZY_CLICK_HERE /<C>(?!lick(?:\s|&nbsp;)here)<WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
replace_rules FUZZY_CLICK_HERE
describe FUZZY_CLICK_HERE Obfuscated "click here"
tflags FUZZY_CLICK_HERE publish
endif
#body NUM_FREE /\b\d+free/i
#describe NUM_FREE Number + free
# seen in spam (malware?) 07/2014
#header __DATE_SPACEY ALL =~ /\nDate:\s{8}/ism
#uri __FSL_LINK_AWS_S3_WEB_LOOSE m,^https?://(?:[^./]+\.)*s3[^./]+\.amazonaws\.com,i
uri URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
describe URI_DQ_UNSUB IP-address unsubscribe URI
tflags URI_DQ_UNSUB publish
uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAIL
describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
tflags URI_GOOGLE_PROXY publish
# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta RPATH_NULL_CTCQ __BOUNCE_RPATH_NULL && __CTYPE_CHARSET_QUOTED && !__VIA_ML && !__SUBJECT_ENCODED_QP && !ANY_BOUNCE_MESSAGE && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_STYLE && !__TAG_EXISTS_STYLE && !__HAS_THREAD_INDEX
#score RPATH_NULL_CTCQ 2.000 # limit
rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
tflags __TENWORD_GIBBERISH multiple maxhits=21
meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
score TW_GIBBERISH_MANY 2.000 # limit
tflags TW_GIBBERISH_MANY publish
#body __OPTOUT_BRKT /\[(?:unsub(?:scribe)|remove(?: me)|leave)\]/i
#tflags __OPTOUT_BRKT multiple maxhits=2
#meta OPTOUT_BRKT_MANY __OPTOUT_BRKT > 1
#describe OPTOUT_BRKT_MANY Repetitive opt-outs
#score OPTOUT_BRKT_MANY 2.000 # limit
# Oh, the humanity! Is there no better way?
#full __RECIP_IN_URL_DOM m;^Received:[^:]{1,400}?\sfor\s<(\w+)\@.+?https?://\1\d*\.;ism
#describe __RECIP_IN_URL_DOM Recipient in body URL
#tflags __RECIP_IN_URL_DOM nopublish
# reported on users list 09/2014 jdebert <jdebert@garlic.com>
# Two bracketed dotted quads back to back in one Received: header, e.g.
# "[1.2.3.4][5.6.7.8]" with nothing between them -- a malformed trace line
# no standard MTA emits.  Octets are not range-checked.
header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe RCVD_DBL_DQ Malformatted message header
tflags RCVD_DBL_DQ publish
# reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
# Random "Word-Word: <digit><hex...>" headers injected by some spamware.
# Matches a header name of exactly two alphabetic segments joined by one
# hyphen (4+/3+ or 3+/4+ letters), not starting with one of the listed
# legitimate prefixes, whose value starts with a digit, is at least 7
# non-space characters, and is hex optionally followed by "-"/"." word
# segments.  /i applies to the exclusion list too.
# NOTE(review): the exclusion list is the only thing keeping newly common
# two-word standard headers with numeric values out of the count -- revisit
# when ham FP rates move.
header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
tflags __RAND_HEADER multiple, maxhits=4
meta RAND_HEADER_MANY __RAND_HEADER > 3
describe RAND_HEADER_MANY Many random gibberish message headers
score RAND_HEADER_MANY 3.000 # limit
tflags RAND_HEADER_MANY publish
#body FR_SPAM_LAW /article 34 de la loi 78-17\b/i
#describe FR_SPAM_LAW References French privacy law
#score FR_SPAM_LAW 1.000 # limit
# Sub-rules below (__EDGER_HOOVER, __FM_EDGER_HOOVER, __MYSTERY_SHOPPER,
# __HAS_NO_RELAY) are not referenced by any meta in this section.
body __EDGER_HOOVER /\bedger hoover\b/i
header __FM_EDGER_HOOVER From =~ /\bedger hoover\b/i
body __MYSTERY_SHOPPER /\bmystery shoppers?\b/i
header __HAS_NO_RELAY X-No-Relay =~ /./
# Two X-No-Relay: headers on consecutive lines.  The first must fit on one
# line of at most 100 characters and the second must directly follow it;
# exactly one space after the colon is required.  The capture group is what
# makes the name reusable as \1 -- extend it with alternation to cover more
# headers.
header __DUP_SUSP_HDR ALL =~ /\n(X-No-Relay)\s*:[ ][^\n]{1,100}\n\1\s*:[ ]/ism
meta DUP_SUSP_HDR __DUP_SUSP_HDR
describe DUP_SUSP_HDR Duplicate suspicious message headers
score DUP_SUSP_HDR 2.500 # limit
# seen 10/2014: "https://www.google.com/url?q=https://copy.com/ApbFn2848pQm/ShippingInvoice_6974.PDF.scr?download=1&sa=D&sntz=1&usg=AFQjCNGhvWhljnujQlP85tA6YUsddfuJow"
# Google redirector (host must end in ".google.com", path must reach "url?"
# before any "?") whose query contains "download" right after "?", "&" or
# "/" -- that covers both a download= parameter and a /download path
# segment inside the encoded target.  The target file type is not checked.
# NOTE(review): 5.0 is a large score for a pattern that fires on any
# redirected link with "/download" in its path -- confirm ham hit rate.
uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
describe GOOG_MALWARE_DNLD File download via Google - Malware?
score GOOG_MALWARE_DNLD 5.000 # limit
tflags GOOG_MALWARE_DNLD publish
# Any Google redirector link; shared by the GOOG_REDIR_* metas further down.
uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
# Scored phrase rules; their describe/score lines are not in this section.
body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i
body SOLICIT_BIZ /\bbusiness solicitation messag/i
# Four or more spelled-out digits in a row ("one two three four"), a common
# way to hide a phone number or amount from digit-matching filters.
# Skipped when the message carries a DKIM signature.
body __SPELLED_OUT_NUM /\b(?:(?:one|two|three|four|five|six|seven|eight|nine|zero)[\s_-]?){4,}/i
meta SPELLED_OUT_NUMBER __SPELLED_OUT_NUM && !__DKIM_EXISTS
describe SPELLED_OUT_NUMBER Spelled out a number (one two three)
score SPELLED_OUT_NUMBER 3.000 # limit
# Not referenced by any meta in this section.
body __NUM_SPCD_LTRS /\d{4}\s(?:[a-z]\s){5}/i
# "%XX" escapes in the Subject.  NOTE(review): these are URL/percent
# escapes, not HTML, so the describe text below is misleading.  Also
# __SUBJ_UNNEEDED_HTML_MANY is defined but the scored meta uses the single
# hit sub-rule, so the "> 1" threshold is unused here -- confirm intent.
header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
tflags __SUBJ_UNNEEDED_HTML multiple, maxhits=3
meta __SUBJ_UNNEEDED_HTML_MANY __SUBJ_UNNEEDED_HTML > 1
meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
body __HELP_YOU_SUCCEED /\bhelp you succeed\b/i
body __WANT_BIZ /\b(?:I|we) want your business\b/i
# "To and From user nearly the same" combined with a second weak signal.
# The _MINFP variant of the base sub-rule is used for the published ones;
# TEQF_USR_POLITE uses the plain variant -- presumably accepted because it
# is score-limited rather than published, TODO confirm.
meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
tflags TEQF_USR_MSGID_MALF publish
# Mutually exclusive with TEQF_USR_MSGID_MALF via !__MSGID_NOFQDN2.
meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
tflags TEQF_USR_MSGID_HEX publish
meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
describe TEQF_USR_IMAGE To and from user nearly same + image
tflags TEQF_USR_IMAGE publish
meta TEQF_USR_POLITE __TO_EQ_FROM_USR_NN && __FRAUD_IRT
describe TEQF_USR_POLITE To and from user nearly same + polite greeting
score TEQF_USR_POLITE 2.000 # limit
# __MSGID_HEX_MALF is not referenced by any meta in this section.
meta __MSGID_HEX_MALF __MSGID_NOFQDN2 && __MSGID_OK_HEX
# Body consisting only of a URI plus a malformed Message-ID, with several
# "looks legitimate" exclusions (DKIM, JavaMail IDs, Reply-To present, ...).
meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
describe URI_ONLY_MSGID_MALF URI only + malformed message ID
tflags URI_ONLY_MSGID_MALF publish
# These may be a bit risky, the masscheck ham corpus may not
# reflect how often these are legit in Real Life...
# Google redirector link plus one more weak signal.  The body-length test
# goes through the __LCL__ wrapper so the meta stays valid when the plugin
# providing the length check is not loaded.
meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
tflags GOOG_REDIR_SHORT publish
# No score or tflags line for this one in this section.
meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
# Excludes the two conditions above, so it never stacks with them;
# GOOG_REDIR_SHORT and GOOG_REDIR_NORDNS can still both fire together.
meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512
describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only
score GOOG_REDIR_HTML_ONLY 2.000 # limit
# low S/O, apparently lots of invisible ham...
# Inline style that hides text.  rawbody, so the quoted-printable "=3D"
# form of "=" is handled via (?:3d)?.  Only double-quoted style attributes
# are matched, and "hidden"/"none" must be followed by ";" -- a plain
# style="display:none" (no trailing semicolon) or a single-quoted attribute
# is not counted.  The "background:" branch is broad (any background).
rawbody __STY_INVIS /\bstyle\s*=(?:3d)?\s*"\s*(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;|background\s*:)/i
tflags __STY_INVIS multiple, maxhits=6
# Not referenced by any meta in this section (scored rule is commented out).
meta __STY_INVIS_MANY __STY_INVIS > 5
#meta HTML_TEXT_INVISIBLE __STY_INVIS_MANY
#describe HTML_TEXT_INVISIBLE Hidden text
#score HTML_TEXT_INVISIBLE 2.000 # limit
# try it on span tags only...
# Same style test restricted to <span ...> with at most 80 chars before the
# style attribute.  Not referenced by any meta in this section.
rawbody __SPAN_INVIS /<span\s[^>]{0,80}style\s*=(?:3d)?\s*"\s*(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;|background\s*:)/i
# Adapted from SARE rules __SARE_HTML_SINGLET*
# A tag pair wrapping a single letter, quote or numeric entity -- the
# "s<b>p</b>a<i>m</i>" trick.  Counted per occurrence up to 21 so the
# "> 20" threshold below is reachable.
rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
tflags __HTML_SINGLET multiple, maxhits=21
meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
#meta HTML_SINGLET_MANY __HTML_SINGLET_MANY
#describe HTML_SINGLET_MANY Many single-letter HTML format blocks
#score HTML_SINGLET_MANY 1.000 # limit
meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
tflags SINGLETS_LOW_CONTRAST publish
# per users list, 10-11 2014
# Phishing/malware kit paths on compromised web servers.  Both patterns are
# case-sensitive (no /i) and anchored with "$", so any query string after
# ".php" defeats them -- NOTE(review): an easy evasion, but loosening it
# needs a ham recheck.  Every MALWARE_HACKED_URI hit other than index.php
# also satisfies __HACKED_PHP_URI, so the two scores stack.
uri MALWARE_HACKED_URI m;/(?:dropbox|googlebox|bank\w+|newgdoc)/(?:doc(?:ument)?|invoice|message|index)\.php$;
describe MALWARE_HACKED_URI Malware or phishing hosted-file URI at hacked webserver
uri __HACKED_PHP_URI m;/\w+/(?:doc(?:ument)?|invoice|message)\.php$;
meta HACKED_PHP_URI __HACKED_PHP_URI
describe HACKED_PHP_URI Possible phishing/malware URI
score HACKED_PHP_URI 2.000 # limit
# very poor S/O - this appears a lot more in ham than in spam??
#body __PUNCT_ODD_SPACING /[a-z]{3}\s+[.,][a-z]{3}/
#tflags __PUNCT_ODD_SPACING multiple, maxhits=3
#meta __PUNCT_ODD_SPACING_MANY __PUNCT_ODD_SPACING > 2
# poor S/O - how is this in ham?
#header XMAILER_MANY ALL =~ /\nX-Mailer:(?:[^\n]+\n)+X-Mailer:/ism
#describe XMAILER_MANY Has multiple X-Mailer: headers
# Unexpanded mail-merge placeholders such as "#FirstName#" left in the body.
# Not referenced by any meta in this section.
body __RAW_TOKEN_BODY /\#(?:(?:First|Last)Name|Email)\#/i
#header __RAW_TOKEN_HDR ALL =~ /\$(?:rand[^$]{0,10})\$/i
#tflags __RAW_TOKEN multiple maxhits=3
#meta RAW_TOKENS __RAW_TOKEN > 2
#describe RAW_TOKENS Raw mail merge tokens in body
# Reply-To at a Chinese freemail provider.  "\.com" is not anchored at the
# end, so e.g. "@sina.com.cn" also matches; harmless for a positive rule.
header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
# Forged freemail From: together with a freemail Reply-To.
meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
# The CHN variant does not exclude the generic one, so both can fire on the
# same message (3.5 + 2.5 when the message is not threaded).
meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
score SPOOFED_FREEM_REPTO_CHN 3.500
tflags SPOOFED_FREEM_REPTO_CHN publish
meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__THREADED
describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
score SPOOFED_FREEM_REPTO 2.500
tflags SPOOFED_FREEM_REPTO publish
#header __VERY_LONG_REPTO Reply-To =~ /[^<\s\@]{25,}\@/
#meta __VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO && __HTML_LENGTH_0000_1024
#meta VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO_SHORT_MSG && !__VIA_ML && !__TO_EQ_FROM_DOM && !__THREAD_INDEX_GOOD
#describe VERY_LONG_REPTO_SHORT_MSG Very long Reply-To username + short message
#score VERY_LONG_REPTO_SHORT_MSG 2.500 # limit
#tflags VERY_LONG_REPTO_SHORT_MSG publish
#
#ifplugin Mail::SpamAssassin::Plugin::FreeMail
# meta __VERY_LONG_FREEM_REPTO __VERY_LONG_REPTO && FREEMAIL_REPLYTO
# meta VERY_LONG_FREEM_REPTO __VERY_LONG_FREEM_REPTO
# describe VERY_LONG_FREEM_REPTO Very long freemail Reply-To username
# score VERY_LONG_FREEM_REPTO 2.500 # limit
# tflags VERY_LONG_FREEM_REPTO publish
#endif
# for <steve.stewart@fastnet.co.uk>; Mon, 2 Nov 2015 14:27:08 GMT
# (envelope-from fastnet.co.uk.12056010.steve.stewart@vmta27.topreasonstovisit.com)
# S/O low, seems to be common in legit mailing lists
# Maybe in meta with "not a mailing list" rules?
#header __RECIP_IN_ENV_FM_01 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+\2\.\d+\.\1\@/i
#header __RECIP_IN_ENV_FM_02 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+[^@]*\2[^@]*\@/i
# "/abuse_report.php?" followed by a 1-100 char token (no "&", whitespace
# or ".") that does not start with "username=" and is then followed by a
# dot.  No score or tflags line for this rule in this section.
uri URI_MALWARE_CWALL /\/abuse_report\.php\?(?!username=)[^&\s.]{1,100}\./i
describe URI_MALWARE_CWALL Potential CryptoWall malware URL
# Partial List-* headers on a short message, skipped when DKIM-signed.
meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL
meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS
describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message
score LIST_PARTIAL_SHORT_MSG 2.500 # limit
# duplicates __HAS_MSMAIL_PRI
#header __FH_HAS_XMSMAIL exists:X-MSMail-Priority
# X-MSMail-Priority present, but the Message-ID casing and header ordering
# do not look like what a real Microsoft MUA produces.  Each of the three
# sub-rules is defined elsewhere.
meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
score BOGUS_MSM_HDRS 3.000 # limit
tflags BOGUS_MSM_HDRS publish
#meta __BOGUS_MSM_PRIO __HAS_MSMAIL_PRI && __HDR_ORDER_FTSDMCXXXX
#meta __BOGUS_MSM_PRIO_MINFP __BOGUS_MSM_PRIO && !__BOGUS_MSM_HDRS && !__MSGID_NOFQDN2 && !__ANY_OUTLOOK_MUA && !__RCD_RDNS_MAIL_MESSY
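# X-MSMail-Priority present plus a Reply-To and a short Subject.
# The envelope/header From comparison comes from a plugin-provided rule;
# this meta uses the __LCL__ wrapper for it (the plugin-absent fallback
# defined earlier in this file, and the same name FROM_WORDY below uses)
# instead of the raw rule name, so the meta is not left with an undefined
# dependency when that plugin is not loaded.  With the plugin loaded the
# two names are equivalent.
meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __REPLYTO_EXISTS && __SUBJ_SHORT
meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__LCL__ENV_AND_HDR_FROM_MATCH
describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
score MSM_PRIO_REPTO 2.500 # limit
tflags MSM_PRIO_REPTO publish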
# Sub-rules in this group are not referenced by any meta in this section.
header __XM_YAMAIL X-Mailer =~ /^Yamail/
# __GATED_THROUGH_RCVD_REMOVER includes messages with no Received headers *at all*.
# Don't consider those, only consider the ones where *some* Received headers may have been removed
meta __RCVD_RMV_PARTIAL __GATED_THROUGH_RCVD_REMOVER && __HAS_RCVD
# Compare __GATED_THROUGH_RCVD_REMOVER and "via ezmlm"
header __ML_EZMLM Mailing-List =~ /\bezmlm\b/
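# Negative-scoring rule for PGP/MIME or S/MIME wrapped mail.  The
# Content-Type header is trivially forgeable, so the bonus is kept small.
# Fix: in the original pattern the "^" anchor applied only to the first
# alternative, so "application/pkcs7-mime" appearing *anywhere* in the
# header value -- e.g. inside a name= or boundary= parameter of an
# ordinary text/html part -- earned the bonus while still rendering
# normally.  The whole alternation is now anchored to the start of the
# value.  /i is added because MIME type and subtype are case-insensitive.
# NOTE(review): application/pkcs7-mime is also used for opaque-signed
# (not encrypted) S/MIME, so the describe text overstates slightly --
# confirm before tightening on the smime-type parameter.
#header KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
header __CT_ENCRYPTED Content-Type =~ /^(?:multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime)/i
meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
score ENCRYPTED_MESSAGE -1.000
tflags ENCRYPTED_MESSAGE nice,publish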
#body __PHONE_GIBBERISH_01 /(?:\b\d\d\d-\d\d\d-\d\d\d\d\s+[a-z][^\d\s:.]+\s+){15}/
# Not referenced by any meta in this section.
header __HAS_GMX_BULK exists:X-Gmx-Bulk
# Unbalanced <center>/</center> tags.  Needs the HTMLEval plugin for the
# eval function, hence the guard; without the plugin the rule simply does
# not exist.  Hosts with messy rDNS are excluded to limit FPs.
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
describe HTML_TAG_BALANCE_CENTER Malformatted HTML
endif
# more random garbage message headers 01/2016
# Header name whose first segment (up to the first "-", ":" or whitespace)
# has a lowercase letter directly followed by an uppercase one, e.g.
# "FooBar:".  Continuation lines start with whitespace and so never match.
# DomainKey is the only explicit exception.
# NOTE(review): legitimate CamelCase vendor headers whose first segment
# mixes case would also count toward the "> 3" threshold -- confirm the ham
# hit rate on current corpora.
header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
tflags __HDR_CASE_REVERSED multiple maxhits=4
meta __HDR_CASE_REV_MANY (__HDR_CASE_REVERSED > 3)
meta HDR_CASE_REV_MANY __HDR_CASE_REV_MANY
describe HDR_CASE_REV_MANY Multiple malformed (possibly random gibberish) message headers
score HDR_CASE_REV_MANY 2.000 # limit
# Single hit is enough when paired with another oddity; the three scored
# rules below can all fire on the same message.
meta HDR_CASE_REV_ENC __HDR_CASE_REVERSED && (__FROM_ENCODED_B64 || __TVD_SPACE_ENCODED )
describe HDR_CASE_REV_ENC Malformed (possibly random gibberish) message header + suspicious encoding
score HDR_CASE_REV_ENC 2.000 # limit
meta HDR_CASE_REV_HELO_IP __HDR_CASE_REVERSED && __HELO_MISC_IP
describe HDR_CASE_REV_HELO_IP Malformed (possibly random gibberish) message header + IP in HELO
score HDR_CASE_REV_HELO_IP 2.000 # limit
# Presence tests for bulk-mailer and PHP-sender headers, used by metas
# below and elsewhere.
header __HAS_CAMPAIGN exists:X-Campaign
header __HAS_CAMPAIGNID exists:X-Campaignid
header __HAS_CID exists:X-CID
header __HAS_XM_LID exists:X-Mailer-LID
header __HAS_XM_RECPTID exists:X-Mailer-RecptId
header __HAS_XM_SID exists:X-Mailer-SID
header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
header __HAS_PHP_SCRIPT exists:X-PHP-Script
header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
# From address local part made of two or more dot-separated Capitalised
# words (or "or"/"&"), e.g. "Your.Account.Is.Ready@".  Case-sensitive.
header __FROM_WORDY From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
#header __FROM_WORDY_3 From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/
# Requires one extra spam-only signal before either scored variant fires.
meta __FROM_WORDY_SONLY __FROM_WORDY && (__KHOP_NO_FULL_NAME || __CTYPE_HTML || __TO_EQ_FROM_DOM_2 || __HTML_IMG_ONLY || FREEMAIL_FORGED_REPLYTO )
# Split by message length into two mutually exclusive rules.  Both use the
# __LCL__ wrapper for the envelope/header From comparison so they remain
# valid without the plugin that provides it.
# NOTE(review): only the long-message variant excludes __HDRS_LCASE_KNOWN;
# confirm the asymmetry is deliberate.
meta FROM_WORDY (__FROM_WORDY_SONLY && !__HTML_LENGTH_0000_1024) && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_TNEF && !__USING_VERP1 && !__HDRS_LCASE_KNOWN
describe FROM_WORDY From address looks like a sentence
tflags FROM_WORDY publish
meta FROM_WORDY_SHORT (__FROM_WORDY_SONLY && __HTML_LENGTH_0000_1024) && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_TNEF && !__USING_VERP1
describe FROM_WORDY_SHORT From address looks like a sentence + short message
tflags FROM_WORDY_SHORT publish
# X-PHP-Script present and the PHP mailer did not report a version.
meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
describe PHP_SCRIPT_MUA Sent by PHP script, no version number
score PHP_SCRIPT_MUA 2.000 # limit
tflags PHP_SCRIPT_MUA publish
# Not referenced by any meta in this section.
meta __PHP_SCRIPT_MIMENEEDED __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME
# X-PHP-Originating-Script plus one bot-like trait.  __TVD_SPACE_RATIO has
# a plugin-absent fallback defined earlier in this file, so the meta is
# safe without the BodyEval plugin.  Fully trusted mail and mail carrying
# subscription info are excluded.
meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO
describe PHP_ORIG_SCRIPT Sent by bot & other signs
score PHP_ORIG_SCRIPT 2.500 # limit
tflags PHP_ORIG_SCRIPT publish
# noted 5/26/2016 on list by RW
# Script name such as "eval()'d code" -- mail sent from code that was
# itself produced by eval(), typical of injected webshell mailers.
# Not referenced by any meta in this section.
header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
#header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/
#meta __PHP_MALWARE_ATTACH __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT
# Neither __XMSID variant is referenced by any meta in this section.
meta __XMSID __HAS_XM_SID && !__CTYPE_MULTIPART_MIXED
meta __XMSID_SONLY __HAS_XM_SID && (INVALID_MSGID || __XPRIO || __HAS_X_MAILER)
# List-Unsubscribe mailto: whose address part (everything up to whitespace,
# "?", a quote or ">") contains no "@", i.e. not a deliverable address.
header __UNSUB_MAILTO_BOGUS List-Unsubscribe =~ /mailto:[^@\s">]*[\s?">]/