72_active.cf

# SpamAssassin rules file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

require_version @@VERSION@@

##{ APOSTROPHE_FROM
header		APOSTROPHE_FROM	From:addr =~ /'/
describe	APOSTROPHE_FROM	From address contains an apostrophe
##} APOSTROPHE_FROM

##{ AXB_XMID_1212
header          AXB_XMID_1212                   Message-Id =~ /^<[0-9]{12}\.[0-9]{12}\@/
describe        AXB_XMID_1212                   Barbera Fingerprint
##} AXB_XMID_1212

##{ AXB_XMID_1510
header          AXB_XMID_1510                   Message-Id =~ /<[0-9A-F]{15}\.[0-9A-F]{10}\@/
describe        AXB_XMID_1510                   Brunello Fingerprint
##} AXB_XMID_1510

##{ AXB_XMID_OEGOESNULL
header          AXB_XMID_OEGOESNULL             Message-ID =~ /^<[0-9-a-f]{12}\$[0-9-a-f]{8}\$[0]{8}\@/
describe        AXB_XMID_OEGOESNULL             Amarone Fingerprint
##} AXB_XMID_OEGOESNULL

##{ AXB_XM_SENDMAIL_NOT
header          AXB_XM_SENDMAIL_NOT             Received =~ /\([123456790]{1,2}\.[0-9]{1,2}\.[0-9]{1}\/[0-9]{1,2}\.[0-9]{2}\.[0-9]{1}\)/
describe        AXB_XM_SENDMAIL_NOT             Nebbiolo fingerprint
##} AXB_XM_SENDMAIL_NOT

##{ AXB_XR_STULDAP
header  AXB_XR_STULDAP     Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
##} AXB_XR_STULDAP

##{ AXB_XTIDX_CHAIN
header          AXB_XTIDX_CHAIN                 Thread-Index =~ /(?:\*|\<\>|\)|\()/
describe        AXB_XTIDX_CHAIN                 Montepulciano Fingerprint
##} AXB_XTIDX_CHAIN

##{ BANKING_LAWS
body		BANKING_LAWS	/banking laws/i
describe	BANKING_LAWS	Talks about banking laws
##} BANKING_LAWS

##{ BASE64_LENGTH_78_79

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_78_79	eval:check_base64_length('78','79')
endif
##} BASE64_LENGTH_78_79

##{ BASE64_LENGTH_79_INF

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_79_INF	eval:check_base64_length('79')
endif
##} BASE64_LENGTH_79_INF

##{ CORRUPT_FROM_LINE_IN_HDRS
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
##} CORRUPT_FROM_LINE_IN_HDRS

##{ CTYPE_001C_A
meta CTYPE_001C_A  (0)      # obsolete
##} CTYPE_001C_A

##{ CTYPE_001C_B
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
##} CTYPE_001C_B

##{ CTYPE_8SPACE_GIF

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
describe CTYPE_8SPACE_GIF   Stock spam image part 'Content-Type' found (8 spc)
endif
##} CTYPE_8SPACE_GIF

##{ CURR_PRICE
body CURR_PRICE         /\bCurrent Price:/
##} CURR_PRICE

##{ DEAR_WINNER
body DEAR_WINNER /\bdear.{1,20}winner/i
##} DEAR_WINNER

##{ DNS_FROM_DOB

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header DNS_FROM_DOB             eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe DNS_FROM_DOB           Sender from new domain (Day Old Bread)
tflags DNS_FROM_DOB             net
endif
##} DNS_FROM_DOB

##{ DNS_FROM_OPENWHOIS
header          DNS_FROM_OPENWHOIS  eval:check_rbl_envfrom('openwhois', 'bl.open-whois.org.')
describe        DNS_FROM_OPENWHOIS  Envelope sender listed in bl.open-whois.org.
tflags          DNS_FROM_OPENWHOIS  net publish
##} DNS_FROM_OPENWHOIS

##{ DOS_FIX_MY_URI
meta DOS_FIX_MY_URI             __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
describe DOS_FIX_MY_URI         Looks like a "fix my obfu'd URI please" spam
##} DOS_FIX_MY_URI

##{ DOS_LET_GO_JOB
meta DOS_LET_GO_JOB	__DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
describe DOS_LET_GO_JOB	Let go from their job and now makes lots of dough!
##} DOS_LET_GO_JOB

##{ DOS_PROVISION4
body DOS_PROVISION4	/\bProvisionfor income taxes\b/
describe DOS_PROVISION4	Provision for income taxes
#score DOS_PROVISION4	1.5
##} DOS_PROVISION4

##{ DOS_REPORT_FIN_INC
body DOS_REPORT_FIN_INC		/\bReport of financial income\b/
describe DOS_REPORT_FIN_INC	Report of financial income
#score DOS_REPORT_FIN_INC	0.5
##} DOS_REPORT_FIN_INC

##{ DOS_STOCK_BAT
meta		DOS_STOCK_BAT		__THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
describe	DOS_STOCK_BAT		Probable pump and dump stock spam
##} DOS_STOCK_BAT

##{ DOS_STOCK_BAT2
meta		DOS_STOCK_BAT2		DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
##} DOS_STOCK_BAT2

##{ DOS_STOCK_CDYV_GENERIC
body DOS_STOCK_CDYV_GENERIC	/(?:Lookup|Sym8oL|Search for|Promoting sym|S\.umbol|Target sym|Campaign for): [A-Z]{4},?.{1,50}\b[Pp]rice/
describe DOS_STOCK_CDYV_GENERIC	Pump and dump stock spam
#score DOS_STOCK_CDYV_GENERIC	2.5
##} DOS_STOCK_CDYV_GENERIC

##{ DOS_STOCK_INCOME_STATEMENT
meta DOS_STOCK_INCOME_STATEMENT		DOS_REPORT_FIN_INC && DOS_PROVISION4 && __DOS_SYMBOL_4 && __DOS_HEADLINES
describe DOS_STOCK_INCOME_STATEMENT	Pump and dump stock income statement spam
#score DOS_STOCK_INCOME_STATEMENT	1.5
##} DOS_STOCK_INCOME_STATEMENT

##{ DOS_URI_ASTERISK
uri DOS_URI_ASTERISK    m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
describe DOS_URI_ASTERISK       Found an asterisk in a URI
##} DOS_URI_ASTERISK

##{ DOS_YOUR_PLACE
meta	DOS_YOUR_PLACE	(__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
describe	DOS_YOUR_PLACE		Russian dating spam
##} DOS_YOUR_PLACE

##{ DRUGS_HDIA
header DRUGS_HDIA	Subject =~ /\bhoodia\b/i
##} DRUGS_HDIA

##{ DRUGS_STOCK_MIMEOLE
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
##} DRUGS_STOCK_MIMEOLE

##{ DYN_RDNS_AND_INLINE_IMAGE
meta DYN_RDNS_AND_INLINE_IMAGE     (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
##} DYN_RDNS_AND_INLINE_IMAGE

##{ DYN_RDNS_SHORT_HELO_HTML
meta DYN_RDNS_SHORT_HELO_HTML      (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
describe DYN_RDNS_SHORT_HELO_HTML  Sent by dynamic rDNS, short HELO, and HTML
##} DYN_RDNS_SHORT_HELO_HTML

##{ DYN_RDNS_SHORT_HELO_IMAGE
meta DYN_RDNS_SHORT_HELO_IMAGE       (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_SHORT_HELO_IMAGE    Short HELO string, dynamic rDNS, inline image
##} DYN_RDNS_SHORT_HELO_IMAGE

##{ FAKE_REPLY_C
meta     FAKE_REPLY_C		(__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
##} FAKE_REPLY_C

##{ FB_ADD_INCHES
body     FB_ADD_INCHES		/(?:add|gain) inches/i
describe FB_ADD_INCHES		Add / Gain inches
##} FB_ADD_INCHES

##{ FB_ALMOST_SEX
body     FB_ALMOST_SEX		/\b[b-z]sex+\b/i
describe FB_ALMOST_SEX		It's almost sex, but not!
##} FB_ALMOST_SEX

##{ FB_ANA_TRIM
body     FB_ANA_TRIM		/Ana[^a-z]trim/i
describe FB_ANA_TRIM		Broken AnaTrim phrase.
##} FB_ANA_TRIM

##{ FB_ANUI
body     FB_ANUI		/A[-_\.]U[-_\.]N[-_\.]I/i
describe FB_ANUI		Phrase: A_U_N_I
##} FB_ANUI

##{ FB_BILLI0N
body      FB_BILLI0N		/[BM][I1]LL[I1]0N/i
describe  FB_BILLI0N		Phrase: [BM]Illi0n
##} FB_BILLI0N

##{ FB_C0MPANY
body     FB_C0MPANY		/c0mpany/i
describe FB_C0MPANY		Phrase: C0mpany
##} FB_C0MPANY

##{ FB_CAN_LONGER
body     FB_CAN_LONGER		/can last longer/i
describe FB_CAN_LONGER		Phrase: can last longer
##} FB_CAN_LONGER

##{ FB_CIALIS_LEO3
body     FB_CIALIS_LEO3		/(?!CIALIS)\bC\s?[a-z]?\s?[Iitl1\\\/]\s?[a-z]?\s?[Aa]\s?[a-z]?\s?[LIl1\\\/]\s?[a-z]?\s?[ilIt1\\\/]\s?[a-z]?\s?[Ss]\b/
describe FB_CIALIS_LEO3		Uses a mis-spelled version of cialis.
##} FB_CIALIS_LEO3

##{ FB_DOUBLE_0WORDS
body     FB_DOUBLE_0WORDS	/\b[a-z]{1,5}0[a-z]{3,9}\s[a-z]{1,5}0[a-z]{3,9}\b/i
describe FB_DOUBLE_0WORDS	Looks like double 0 words
##} FB_DOUBLE_0WORDS

##{ FB_EMAIL_HIER
body     FB_EMAIL_HIER		/email hier/i
describe FB_EMAIL_HIER		Phrase: email hier
##} FB_EMAIL_HIER

##{ FB_EXTRA_INCHES
body     FB_EXTRA_INCHES	/extra inches/
describe FB_EXTRA_INCHES	Phrase: extra inches
##} FB_EXTRA_INCHES

##{ FB_FAKE_NUMBERS
body     FB_FAKE_NUMBERS	/\$\d\d?O\s*[MBT]/i
describe FB_FAKE_NUMBERS	Looks like numbers with O's insted of 0's
##} FB_FAKE_NUMBERS

##{ FB_FAKE_NUMS4
body     FB_FAKE_NUMS4		/(?:\b|\b\d)\d,?\d,?OO(?:\b|\d\b)/
describe FB_FAKE_NUMS4		Looks like fake numbers (4)
##} FB_FAKE_NUMS4

##{ FB_FHARMACY
body     FB_FHARMACY		/Fharmacy/i
describe FB_FHARMACY		Phrase: Farmacy
##} FB_FHARMACY

##{ FB_FORWARD_LOOK
body     FB_FORWARD_LOOK	/(?!forward look)f[o0]rward l[0o][0o]k/i
describe FB_FORWARD_LOOK	Phrase: forward look with 0's
##} FB_FORWARD_LOOK

##{ FB_GAPPY_ADDRESS
body     FB_GAPPY_ADDRESS	/(?:[a-z] ){8}, (?:[a-z0-9] ){4}/i
describe FB_GAPPY_ADDRESS	Too much spacing in Address
##} FB_GAPPY_ADDRESS

##{ FB_GET_MEDS
body     FB_GET_MEDS		/(?:place f[o0]r|[0o]rder|get\s?(?:y[o0]ur)?|online|quality).{1,7}med[isz][^a]/i
describe FB_GET_MEDS		Looks like trying to sell meds
##} FB_GET_MEDS

##{ FB_GVR
body     FB_GVR			/(?:pef-rx|vigrex-ds|gsc-100|vp-rx|gv-promax|phentermine|adipex|xenical)/i
describe FB_GVR			Looks like generic viagra
##} FB_GVR

##{ FB_HEY_BRO_COMMA
body     FB_HEY_BRO_COMMA	/Hey bro, /
describe FB_HEY_BRO_COMMA	Phrase hey bro,
##} FB_HEY_BRO_COMMA

##{ FB_HOMELOAN
body     FB_HOMELOAN		/\$\d{3},\d{3} home loan/i
describe FB_HOMELOAN		Phrase $x home loan
##} FB_HOMELOAN

##{ FB_IMPRESS_GIRL
body     FB_IMPRESS_GIRL	/\bimpress .{0,5}girl\b/
describe FB_IMPRESS_GIRL	Phrase: impress ... girl
##} FB_IMPRESS_GIRL

##{ FB_INCREASE_YOUR
body     FB_INCREASE_YOUR	/Increase your energy/i
describe FB_INCREASE_YOUR	Phrase: Increase your energy
##} FB_INCREASE_YOUR

##{ FB_INDEPEND_RWD
body     FB_INDEPEND_RWD	/independent reward/i
describe FB_INDEPEND_RWD	Phrase: independent reward
##} FB_INDEPEND_RWD

##{ FB_L0AN
body     FB_L0AN		/\bl0ans?\b/i
describe FB_L0AN		Phrase: L0an
##} FB_L0AN

##{ FB_LETTERS_21B
body     FB_LETTERS_21B		/-- [a-z]{21}/
describe FB_LETTERS_21B		Special people leave special signs!
##} FB_LETTERS_21B

##{ FB_LOWER_PAYM
body     FB_LOWER_PAYM		/lower your monthly payments/i
describe FB_LOWER_PAYM		Phrase: lower your monthly payments
##} FB_LOWER_PAYM

##{ FB_MED1CAT
body     FB_MED1CAT		/\bmed1cat/i
describe FB_MED1CAT		Phrase: Med1cat
score FB_MED1CAT                     1.000 0.000 0.000 0.000
##} FB_MED1CAT

##{ FB_MEDS_PERCENT
body     FB_MEDS_PERCENT	/meds .{3,10}\d\s?%/i
describe FB_MEDS_PERCENT	Talks about meds and %
##} FB_MEDS_PERCENT

##{ FB_MORE_SIZE
body     FB_MORE_SIZE		/\bmore size\b/
describe FB_MORE_SIZE		Phrase: more size
##} FB_MORE_SIZE

##{ FB_NOT_PHONE_NUM1
body     FB_NOT_PHONE_NUM1	/(?!\d{3})8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]/i
describe FB_NOT_PHONE_NUM1	Looks like a fake phone number (1)
##} FB_NOT_PHONE_NUM1

##{ FB_NOT_PHONE_NUM3
body     FB_NOT_PHONE_NUM3	/8(?:66|77|88|[0o][0o])[-\.\s\)]{1,3}[OIL0-9]{3}[-\.\s]{1,3}(?!\d{4})[OIL0-9]{4}/i
describe FB_NOT_PHONE_NUM3	Looks like a fake phone number (3)
##} FB_NOT_PHONE_NUM3

##{ FB_NOT_SCHOOL
body     FB_NOT_SCHOOL		/(?!school)[\$s5]ch[o0][o0][il1\|]/i
describe FB_NOT_SCHOOL		Looks like school but it's not!
##} FB_NOT_SCHOOL

##{ FB_NO_SCRIP_NEEDED
body     FB_NO_SCRIP_NEEDED	/No.{1,10}P(?:er|re)scr[i1]pt[i1][o0]n (?:needed|requ[1i]re)/i
describe FB_NO_SCRIP_NEEDED	Phrase: no prescription needed.
##} FB_NO_SCRIP_NEEDED

##{ FB_NUMYO
body     FB_NUMYO		/1[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
describe FB_NUMYO		Speaks of teenager.
##} FB_NUMYO

##{ FB_NUMYO2
body     FB_NUMYO2		/2[0-9][\s\.]?y[\s\.]?o[\s\.]?\b/i
describe FB_NUMYO2		Speaks of 20+ year old.
##} FB_NUMYO2

##{ FB_ODD_SPACED_MONEY
body     FB_ODD_SPACED_MONEY	/\$\d\s,\s\d\d/
describe FB_ODD_SPACED_MONEY	Looks like money but has odd spacing.
##} FB_ODD_SPACED_MONEY

##{ FB_ONIINE
body     FB_ONIINE		/oniine/i
describe FB_ONIINE		Mis-spelled online
##} FB_ONIINE

##{ FB_P1LL
body     FB_P1LL		/\bp1ll/i
describe FB_P1LL		Phrase: p1ll
##} FB_P1LL

##{ FB_PENIS_GROWTH
body     FB_PENIS_GROWTH	/pen[i1]s grow(?:th)?/i
describe FB_PENIS_GROWTH	Phrase: penis growth
##} FB_PENIS_GROWTH

##{ FB_PIPEDOLLAR
body     FB_PIPEDOLLAR		/(?!dollar)d[o0][1|li][1|li]ar/i
describe FB_PIPEDOLLAR		Phrase: Dollar, with pipes or 0's.
##} FB_PIPEDOLLAR

##{ FB_PIPE_ILLION
body     FB_PIPE_ILLION		/(?!illion)i[l|][l|][i|][o0]n/i
describe FB_PIPE_ILLION		Looks like illion, but it's not
##} FB_PIPE_ILLION

##{ FB_PROLONGED_HARD
body     FB_PROLONGED_HARD	/(?:prolonged|increased) hardness/i
describe FB_PROLONGED_HARD	Talks about prolonged hardness
##} FB_PROLONGED_HARD

##{ FB_QUALITY_REPLICA
body     FB_QUALITY_REPLICA	/quality replica/i
describe FB_QUALITY_REPLICA	Phrase: quality replica
##} FB_QUALITY_REPLICA

##{ FB_REF_CODE_SPACE
body     FB_REF_CODE_SPACE	/r e f c o d e/i
describe FB_REF_CODE_SPACE	Refcode with spacing
##} FB_REF_CODE_SPACE

##{ FB_REPLIC_CAP
body     FB_REPLIC_CAP		/REPLICAS?\b/
describe FB_REPLIC_CAP		Phrase: REPLICA
##} FB_REPLIC_CAP

##{ FB_RE_FI
body     FB_RE_FI		/\bre[^a-z]fi\b/
describe FB_RE_FI		Looks like refi.
##} FB_RE_FI

##{ FB_ROLLER_IS_T
body     FB_ROLLER_IS_T		/Roller is th/i
describe FB_ROLLER_IS_T		Phrase: Roller is th
##} FB_ROLLER_IS_T

##{ FB_ROLX
body     FB_ROLX		/\brolx\b/i
describe FB_ROLX		Phrase: rolx
##} FB_ROLX

##{ FB_SOFTTABS
body     FB_SOFTTABS		/\bsoft\s?t?abs\b/i
describe FB_SOFTTABS		Phrase: Softabs
##} FB_SOFTTABS

##{ FB_SPACED_FREE
body     FB_SPACED_FREE		/F R E E/i
describe FB_SPACED_FREE		Phrase: F R E E
##} FB_SPACED_FREE

##{ FB_SPACED_PHN_3B
body     FB_SPACED_PHN_3B	/\d\d\d--\d\d\d--?\d\d\d\d/
describe FB_SPACED_PHN_3B	Phone number with -- spacing. (B)
##} FB_SPACED_PHN_3B

##{ FB_SPACEY_ZIP
body     FB_SPACEY_ZIP		/\s\d\s\d\s\d\s\d\s\d\s-\s\d\s\d\s\d\s\d/
describe FB_SPACEY_ZIP		Looks like a  s p a c e d zipcode.
##} FB_SPACEY_ZIP

##{ FB_SPUR_M
body     FB_SPUR_M		/\bSPUR-M\b/i
describe FB_SPUR_M		Phrase: SPUR-M
##} FB_SPUR_M

##{ FB_SSEX
body     FB_SSEX		/\bssex\b/
describe FB_SSEX		Phrase: ssex
##} FB_SSEX

##{ FB_STOCK_EXPLODE
body     FB_STOCK_EXPLODE	 /st[0o]ck\b.{4,10}expl[o0]de/i
describe FB_STOCK_EXPLODE	Looks like stocks exploding.
##} FB_STOCK_EXPLODE

##{ FB_SYMBLO
body     FB_SYMBLO		/\bSymblo\b/i
describe FB_SYMBLO		Mis-spelled symbol.
##} FB_SYMBLO

##{ FB_THIS_ADVERT
body     FB_THIS_ADVERT		/this advertiser/i
describe FB_THIS_ADVERT		Phrase: this advertiser
##} FB_THIS_ADVERT

##{ FB_THOUS_PERSONAL
body     FB_THOUS_PERSONAL	/thousand personal/i
describe FB_THOUS_PERSONAL	Phrase: thousand personal
##} FB_THOUS_PERSONAL

##{ FB_TO_STOP_DISTRO
body     FB_TO_STOP_DISTRO	/To (?:(?:stop further|longer get) distribution|stop (?:receiving )?announcements)/i
describe FB_TO_STOP_DISTRO	Phrase: to stop further distribution
##} FB_TO_STOP_DISTRO

##{ FB_ULTRA_ALLURE
body     FB_ULTRA_ALLURE	/Ultra Allure/i
describe FB_ULTRA_ALLURE	Phrase: Ultra Allure
##} FB_ULTRA_ALLURE

##{ FB_UNLOCK_YOUR_G
body     FB_UNLOCK_YOUR_G	/lock ?(?:to ?)? your girlfriend/i
describe FB_UNLOCK_YOUR_G	Phrase: lock to your girlfriend
##} FB_UNLOCK_YOUR_G

##{ FB_UNRESOLV_PROV
body     FB_UNRESOLV_PROV	/\{PROV_\d_\d\}/
describe FB_UNRESOLV_PROV	Pattern Replacement PROV_D
##} FB_UNRESOLV_PROV

##{ FB_WORD1_END_DOLLAR
body     FB_WORD1_END_DOLLAR	/ [a-z013]{3,6}\$ /i
describe FB_WORD1_END_DOLLAR	Looks like a word ending with a $
##} FB_WORD1_END_DOLLAR

##{ FB_YOURSELF_MASTER
body     FB_YOURSELF_MASTER	/yourself master/i
describe FB_YOURSELF_MASTER	Phrase: yourself master
##} FB_YOURSELF_MASTER

##{ FB_YOUR_REFI
body     FB_YOUR_REFI		/Your refi/i
describe FB_YOUR_REFI		Phrase: Your refi
##} FB_YOUR_REFI

##{ FH_BAD_OEV1441
header   FH_BAD_OEV1441		X-Mailer =~ /^Microsoft Outlook Express 6\.00\.2800\.1441$/
describe FH_BAD_OEV1441		Bad X-Mailer version
##} FH_BAD_OEV1441

##{ FH_DATE_IS_19XX
header   FH_DATE_IS_19XX	Date =~ /19[789][0-9]/ [if-unset: 2006]
describe FH_DATE_IS_19XX	The date is not 19xx.
##} FH_DATE_IS_19XX

##{ FH_DATE_PAST_20XX
header   FH_DATE_PAST_20XX	Date =~ /20[1-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX	The date is grossly in the future.
##} FH_DATE_PAST_20XX

##{ FH_FAKE_RCVD_LINE
header   FH_FAKE_RCVD_LINE	Received =~ /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/
describe FH_FAKE_RCVD_LINE	RCVD line looks faked (A)
##} FH_FAKE_RCVD_LINE

##{ FH_FROMEML_NOTLD
header   FH_FROMEML_NOTLD	From:addr !~ /\./ [if-unset: foo@bar.com]
describe FH_FROMEML_NOTLD	E-mail address doesn't have TLD (.com, etc.)
##} FH_FROMEML_NOTLD

##{ FH_FROM_CASH
header   FH_FROM_CASH		From:name =~ /\bcash\b/i
describe FH_FROM_CASH		From name has "cash"
##} FH_FROM_CASH

##{ FH_FROM_GET_NAME
header   FH_FROM_GET_NAME	From:name =~ /\bGet\b/i
describe FH_FROM_GET_NAME	From name says Get
##} FH_FROM_GET_NAME

##{ FH_FROM_GIVEAWAY
header   FH_FROM_GIVEAWAY	From =~ /Giveaway/i
describe FH_FROM_GIVEAWAY	From name is giveaway.
##} FH_FROM_GIVEAWAY

##{ FH_FROM_HOODIA
header   FH_FROM_HOODIA		From =~ /Hoodia/i
describe FH_FROM_HOODIA		From has Hoodia!!?
##} FH_FROM_HOODIA

##{ FH_HAS_XAIMC
header   FH_HAS_XAIMC		exists:X-AIMC-AUTH
describe FH_HAS_XAIMC		Has X-AIMC-AUTH header
##} FH_HAS_XAIMC

##{ FH_HAS_XID
header   FH_HAS_XID		exists:X-ID
describe FH_HAS_XID		Has X-ID
##} FH_HAS_XID

##{ FH_HELO_ALMOST_IP
header   FH_HELO_ALMOST_IP	X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+[a-z][-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.][a-z][^ ]+ /i
describe FH_HELO_ALMOST_IP	Helo is almost an IP addr.
##} FH_HELO_ALMOST_IP

##{ FH_HELO_ENDS_DOT
header   FH_HELO_ENDS_DOT	X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+\. by=/
describe FH_HELO_ENDS_DOT	Helo ends with a dot.
##} FH_HELO_ENDS_DOT

##{ FH_HELO_EQ_610HEX
header   FH_HELO_EQ_610HEX	X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=-?[A-F0-9]{6,10} /
describe FH_HELO_EQ_610HEX	Helo is 6-10 hex chr's.
##} FH_HELO_EQ_610HEX

##{ FH_HELO_EQ_CHARTER
header   FH_HELO_EQ_CHARTER	X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}.{5,20}\.charter\.com /i
describe FH_HELO_EQ_CHARTER	Helo is d-d-d-d charter.com
##} FH_HELO_EQ_CHARTER

##{ FH_HELO_EQ_D_D_D_D
header   FH_HELO_EQ_D_D_D_D	X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]{0,15}\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/
describe FH_HELO_EQ_D_D_D_D	Helo is d-d-d-d
##} FH_HELO_EQ_D_D_D_D

##{ FH_HELO_GMAILSMTP
header   FH_HELO_GMAILSMTP	Received =~ /HELO gmail-smtp-in/
describe FH_HELO_GMAILSMTP	Faked helo of gmail-smtp-in
##} FH_HELO_GMAILSMTP

##{ FH_HOST_EQ_DYNAMICIP
header   FH_HOST_EQ_DYNAMICIP	X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]{0,25}[dD][yY][nN][aA][mM][iI][cC][iI][pP][^ ]{5,25} helo=/
describe FH_HOST_EQ_DYNAMICIP	Host is dynamicip
##} FH_HOST_EQ_DYNAMICIP

##{ FH_HOST_EQ_PACBELL_D
header   FH_HOST_EQ_PACBELL_D	X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.dsl\.\w{2,10}\.pacbell\.net /
describe FH_HOST_EQ_PACBELL_D	Host is pacbell.net dsl
##} FH_HOST_EQ_PACBELL_D

##{ FH_HOST_EQ_VERIZON_P
header   FH_HOST_EQ_VERIZON_P	X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=pool-\d.{5,30}\.verizon\.net/
describe FH_HOST_EQ_VERIZON_P	Host is pool-.+verizon.net
##} FH_HOST_EQ_VERIZON_P

##{ FH_MSGID_000000
header   FH_MSGID_000000	MESSAGEID =~ /\$00000000\@/
describe FH_MSGID_000000	Special MSGID
##} FH_MSGID_000000

##{ FH_MSGID_01C67
header   FH_MSGID_01C67		Message-ID =~ /^<000001c[67]/
describe FH_MSGID_01C67		Special MSGID
##} FH_MSGID_01C67

##{ FH_MSGID_01C70XXX
header   FH_MSGID_01C70XXX	MESSAGEID =~ /^<01c70[a-f][a-f0-9]{2}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[a-zA-Z0-9-]+>$/
describe FH_MSGID_01C70XXX	MESSAGE ID seen often!!!
##} FH_MSGID_01C70XXX

##{ FH_MSGID_REPLACE
header   FH_MSGID_REPLACE	MESSAGEID =~ /^<%MSGID/
describe FH_MSGID_REPLACE	Broken Replace Template
##} FH_MSGID_REPLACE

##{ FH_MSGID_XXBLAH
header   FH_MSGID_XXBLAH	MESSAGEID =~ /6c822ecf/
describe FH_MSGID_XXBLAH	Common sign in msg-id's 12/21/2006
##} FH_MSGID_XXBLAH

##{ FH_MSGID_XXX
header   FH_MSGID_XXX		MESSAGEID =~ /\@xxx/i
describe FH_MSGID_XXX		Message-Id = @xxx
##} FH_MSGID_XXX

##{ FH_RE_NEW_DDD
header   FH_RE_NEW_DDD		Subject =~ /^Re: new\s?\d{0,3}$/i
describe FH_RE_NEW_DDD		Subject is Re: new \d\d\d
##} FH_RE_NEW_DDD

##{ FH_XMAIL_REPLACE
header   FH_XMAIL_REPLACE	X-Mailer =~ /%XMAILER/
describe FH_XMAIL_REPLACE	Broken Replace Template
##} FH_XMAIL_REPLACE

##{ FH_XMAIL_RND_833
header   FH_XMAIL_RND_833	X-Mailer =~ /^[a-z]{3}\sv8\.3\.3\./
describe FH_XMAIL_RND_833	Special X-Mailer Version
##} FH_XMAIL_RND_833

##{ FM_DOESNT_SAY_STOCK
meta     FM_DOESNT_SAY_STOCK	(__FB_S_SYMBOL && __FM_MY_PRICE && !__FB_S_STOCK && !__FS_S_TRADE)
describe FM_DOESNT_SAY_STOCK	It's a stock spam but doesn't say stock
##} FM_DOESNT_SAY_STOCK

##{ FM_FAKE_53COM_SPOOF
meta     FM_FAKE_53COM_SPOOF	(__FH_FRM_53 && !__FH_MSG_53 && !__FH_RCV_53)
describe FM_FAKE_53COM_SPOOF	Spoof mail from 53.com?
##} FM_FAKE_53COM_SPOOF

##{ FM_FAKE_HELO_HOTMAIL
meta     FM_FAKE_HELO_HOTMAIL	(__HOTMAILCOM && !__HOST_HOTMAIL)
describe FM_FAKE_HELO_HOTMAIL	Looks like a fake hotmail.com helo.
##} FM_FAKE_HELO_HOTMAIL

##{ FM_FAKE_HELO_VERIZON
meta     FM_FAKE_HELO_VERIZON	(__FHELO_VERIZON && !__FHOST_VERIZON)
describe FM_FAKE_HELO_VERIZON	Looks like a fake verizon.net helo.
##} FM_FAKE_HELO_VERIZON

##{ FM_FRM_RN_L_BRACK
meta     FM_FRM_RN_L_BRACK	(__FROM_RIGH_BRACK && !__FROM_LEFT_BRACK)
describe FM_FRM_RN_L_BRACK	From name has > but not <
##} FM_FRM_RN_L_BRACK

##{ FM_IS_IT_OUR_ACCOUNT
meta     FM_IS_IT_OUR_ACCOUNT	(__YOUR_ACCOUNT && __MANY_RECIPS)
describe FM_IS_IT_OUR_ACCOUNT	Is it our account?
##} FM_IS_IT_OUR_ACCOUNT

##{ FM_LIKE_STOCKS
meta     FM_LIKE_STOCKS		(__FM_STOCK_WORDS && !__FB_S_STOCK && __FB_S_SYMBOL)
describe FM_LIKE_STOCKS		It looks like a duck, it's a duck!
##} FM_LIKE_STOCKS

##{ FM_LUX_GIFTS_REDUCED
meta     FM_LUX_GIFTS_REDUCED	(__FB_LUX_GIFTS && __FB_NUM_PERCNT)
describe FM_LUX_GIFTS_REDUCED	Luxury Gifts with dd%
##} FM_LUX_GIFTS_REDUCED

##{ FM_MANY_DRUG_WORDS
meta     FM_MANY_DRUG_WORDS	(__VA_WORD && __CS_WORD && __VM_WORD)
describe FM_MANY_DRUG_WORDS	Lot's of almost drug words
##} FM_MANY_DRUG_WORDS

##{ FM_MORTGAGE4PLUS
meta     FM_MORTGAGE4PLUS	(__FM_MORTGAGE4PLUS && !__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
describe FM_MORTGAGE4PLUS	Looks like a mortgage spam (4+)
##} FM_MORTGAGE4PLUS

##{ FM_MORTGAGE5PLUS
meta     FM_MORTGAGE5PLUS	(__FM_MORTGAGE5PLUS && !__FM_MORTGAGE6PLUS)
describe FM_MORTGAGE5PLUS	Looks like a mortgage spam (5+)
##} FM_MORTGAGE5PLUS

##{ FM_MORTGAGE6PLUS
meta     FM_MORTGAGE6PLUS	(__FM_MORTGAGE6PLUS)
describe FM_MORTGAGE6PLUS	Looks like a mortgage spam (6+)
##} FM_MORTGAGE6PLUS

##{ FM_MULTI_LUX_GIFTS
meta     FM_MULTI_LUX_GIFTS	((__FB_BRAND_NAME + __FB_TIMEPIECE + __FB_WALLETS + __FB_HANDBAGS + __FB_DESIGNER + __FB_LUX_GIFTS + __FB_NUM_PERCNT + __FB_INK_PEN) > 3)
describe FM_MULTI_LUX_GIFTS	Talks about variety of luxury gifts
##} FM_MULTI_LUX_GIFTS

##{ FM_PHN_NODNS
meta     FM_PHN_NODNS		(FB_SPACED_PHN_3B && RDNS_NONE)
describe FM_PHN_NODNS		Phone spacing + no dns
##} FM_PHN_NODNS

##{ FM_RATSIGN_1106
meta     FM_RATSIGN_1106	(__MSGID_VGA && __DATE_700)
describe FM_RATSIGN_1106	Fingerprint seen in lots of spam. 11/2006
##} FM_RATSIGN_1106

##{ FM_RE_HELLO_SPAM
meta     FM_RE_HELLO_SPAM	(__FH_MSGID_01C7 && __FH_HAS_XMSMAIL && __FH_HAS_XPRIORITY && __FS_SUBJ_RE)
describe FM_RE_HELLO_SPAM	Re: Hello / hi
##} FM_RE_HELLO_SPAM

##{ FM_ROLEX_ADS
meta     FM_ROLEX_ADS		(__FB_ROLEX_MEN && __FB_ROLEX_WMEN && __FB_OMEGA && __FB_GLASHUTE)
describe FM_ROLEX_ADS		Looks like Rolex spams.
##} FM_ROLEX_ADS

##{ FM_SCHOOLING
meta     FM_SCHOOLING		((__BACHELORS + __MASTERS + __MBA + __PHD) > 2)
describe FM_SCHOOLING		Meta Combo Phrase for Schooling (2)
##} FM_SCHOOLING

##{ FM_SCHOOL_DIPLOMA
meta     FM_SCHOOL_DIPLOMA	(FM_SCHOOLING && __DIPLOMA)
describe FM_SCHOOL_DIPLOMA	Meta for Schooling + Diploma.
##} FM_SCHOOL_DIPLOMA

##{ FM_SCHOOL_TYPES
meta     FM_SCHOOL_TYPES	(__FB_BA && __FB_BCs && __FB_MA && __FB_MBA)
describe FM_SCHOOL_TYPES	Meta Combo Phrase for Schooling
##} FM_SCHOOL_TYPES

##{ FM_SEX_HELODDDD
meta     FM_SEX_HELODDDD	(__SEX_WRDS && FH_HELO_EQ_D_D_D_D)
describe FM_SEX_HELODDDD	Sex words + helo = dddd
##} FM_SEX_HELODDDD

##{ FM_SUBJ_APPROVE
meta     FM_SUBJ_APPROVE	(__EXCLAIM_SUBJ && __SUBJ_APPROVE)
describe FM_SUBJ_APPROVE	Subject has Approve and !
##} FM_SUBJ_APPROVE

##{ FM_TRUE_LOV_ALL_N
meta     FM_TRUE_LOV_ALL_N	(__FB_P_TRUELOVE && __FB_P_ALLNIGHT)
describe FM_TRUE_LOV_ALL_N	True Love all Night!
##} FM_TRUE_LOV_ALL_N

##{ FM_VEGAS_CASINO
meta     FM_VEGAS_CASINO	((__FROM_VEGAS + __SUBJ_3DIGIT + __SUBJ_VEGAS + __FB_GAME) > 2)
describe FM_VEGAS_CASINO	Looks like vega casino spam
##} FM_VEGAS_CASINO

##{ FM_VIAGRA_SPAM1114
meta     FM_VIAGRA_SPAM1114	(__FH_MSGID_00001C && __FB_VIA_URL_SPEC1)
describe FM_VIAGRA_SPAM1114	Signs of a Viagra spam 11/14/2006
##} FM_VIAGRA_SPAM1114

##{ FM_XMAIL_F_OUT
header   FM_XMAIL_F_OUT		X-Mailer =~ /Microsoft Outlook Express V6.00.2900.2180/
describe FM_XMAIL_F_OUT		Looks like Fake Outlook?
##} FM_XMAIL_F_OUT

##{ FRT_ADOBE2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_ADOBE2		/<inter W0><post P2>\b(?!adobe)<A><D><O><B><E>\b/i
describe FRT_ADOBE2		ReplaceTags: Adobe
endif
##} FRT_ADOBE2

##{ FRT_BIGGERMEM1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_BIGGERMEM1		/<inter SP2><post P2>(?:<B><I><G><G><E><R>|<L><A><R><G><E><R>).{1,8}(?:<P><E><N><I><S>|<B><R><E><A><S><T>|<M><E><M><B><E><R>)/i
describe FRT_BIGGERMEM1		ReplaceTags: Bigger / Larger, Penis / Member
endif
##} FRT_BIGGERMEM1

##{ FRT_DIPLOMA

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_DIPLOMA		/<inter SP2><post P2>\b(?!diploma)<D><I><P><L><O><M><A>/i
describe FRT_DIPLOMA		ReplaceTags: Diploma
endif
##} FRT_DIPLOMA

##{ FRT_DISCOUNT

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_DISCOUNT		/<inter SP2><post P2>\b(?!discount)<D><I><S><C><O><U><N><T>/i
describe FRT_DISCOUNT		ReplaceTags: Discount
endif
##} FRT_DISCOUNT

##{ FRT_DOLLAR

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_DOLLAR		/<inter SP2><post P2>\b(?!dollar)<D><O><L><L><A><R>/i
describe FRT_DOLLAR		ReplaceTags: Dollar
endif
##} FRT_DOLLAR

##{ FRT_ESTABLISH2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_ESTABLISH2		/<inter W0><post P2>\b(?!estabi?lish)<E><S><T><A><B><L><I><S><H>/i
describe FRT_ESTABLISH2		ReplaceTags: Establish (2)
endif
##} FRT_ESTABLISH2

##{ FRT_FUCK2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_FUCK2		/<inter W0><post P2>\b(?!fuck)<F><U><C><K>/i
describe FRT_FUCK2		ReplaceTags: Fuck (2)
endif
##} FRT_FUCK2

##{ FRT_GUARANTEE1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_GUARANTEE1		/<inter SP2><post P2>(?!guarantee)<G><U><A><R><A><N><T><E><E>/i
describe FRT_GUARANTEE1		ReplaceTags: Guarantee (1)
endif
##} FRT_GUARANTEE1

##{ FRT_INVESTOR

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_INVESTOR		/<inter SP2><post P2>\b(?!investor)<I><N><V><E><S><T><O><R>/i
describe FRT_INVESTOR		ReplaceTags: Investor
endif
##} FRT_INVESTOR

##{ FRT_LEVITRA

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_LEVITRA		/<inter W0><post P2>(?!levitra)<L><E><V><I><T><R><A>/i
describe FRT_LEVITRA		ReplaceTags: Levitra
endif
##} FRT_LEVITRA

##{ FRT_MEETING

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_MEETING		/<inter SP2><post P2>\b(?!meeting)<M><E><E><T><I><N><G>\b/i
describe FRT_MEETING		ReplaceTags: Meeting
endif
##} FRT_MEETING

##{ FRT_OFFER2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_OFFER2		/<inter W0><post P2>\b(?!offer)<O><F><F><E><R>/i
describe FRT_OFFER2		ReplaceTags: Offer (2)
endif
##} FRT_OFFER2

##{ FRT_OPPORTUN1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_OPPORTUN1		/<inter SP2><post P2>(?!opportun)<O><P><P><O><R><T><U><N>/i
describe FRT_OPPORTUN1		ReplaceTags: Oppertun (1)
endif
##} FRT_OPPORTUN1

##{ FRT_OPPORTUN2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_OPPORTUN2		/<inter W0><post P2>(?!opportun)<O><P><P><O><R><T><U><N>/i
describe FRT_OPPORTUN2		ReplaceTags: Oppertun (2)
endif
##} FRT_OPPORTUN2

##{ FRT_PENIS1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_PENIS1		/<inter SP2><post P2>\b(?!pen\s?is)(?!penny[ ']?s)<P><E><N><I><S>/i
describe FRT_PENIS1		ReplaceTags: Penis
endif
##} FRT_PENIS1

##{ FRT_PRICE

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_PRICE		/<inter SP2><post P2>\b(?!price)<P><R><I><C><E>\b/i
describe FRT_PRICE		ReplaceTags: Price
endif
##} FRT_PRICE

##{ FRT_REFINANCE1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_REFINANCE1		/<inter SP2><post P2>\b(?!refinanc)<R><E><F><I><N><A><N><C>/i
describe FRT_REFINANCE1		ReplaceTags: Refinance (1)
endif
##} FRT_REFINANCE1

##{ FRT_ROLEX

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_ROLEX		/<inter SP2><post P2>\b(?!rolex)<R><O><L><E><X>/i
describe FRT_ROLEX		ReplaceTags: Rolex
endif
##} FRT_ROLEX

##{ FRT_SEXUAL

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_SEXUAL		/<inter SP2><post P2>\b(?!sexual)<S><E><X><U><A><L>/i
describe FRT_SEXUAL		ReplaceTags: Sexual
endif
##} FRT_SEXUAL

##{ FRT_SOMA

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_SOMA		/<post P2>\b(?!soma|500mg)<S><O><M><A>\b/i
describe FRT_SOMA		ReplaceTags: Soma
endif
##} FRT_SOMA

##{ FRT_SOMA2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_SOMA2		/<inter SP2><post P2>\b(?!soma|500? ?mg)<S><O><M><A>\b/i
describe FRT_SOMA2		ReplaceTags: Soma (2)
endif
##} FRT_SOMA2

##{ FRT_STRONG1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_STRONG1		/<inter SP2><post P2>\b(?!stro\s?ng)<S><T><R><O><N><G>\b/i
describe FRT_STRONG1		ReplaceTags: Strong (1)
endif
##} FRT_STRONG1

##{ FRT_STRONG2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_STRONG2		/<inter W0><post P2>\b(?!strong)<S><T><R><O><N><G>\b/i
describe FRT_STRONG2		ReplaceTags: Strong (2)
endif
##} FRT_STRONG2

##{ FRT_SYMBOL

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_SYMBOL		/<inter SP2><post P2>\b(?!symbol)<S><Y><M><B><O><L>/i
describe FRT_SYMBOL		ReplaceTags: Symbol
endif
##} FRT_SYMBOL

##{ FRT_TODAY2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_TODAY2		/<inter W0><post P2>\b(?!today)<T><O><D><A><Y>/i
describe FRT_TODAY2		ReplaceTags: Today (2)
endif
##} FRT_TODAY2

##{ FRT_VALIUM1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_VALIUM1		/<inter W0><post P2>\b(?!valium)<V><A><L><I><U><M>/i
describe FRT_VALIUM1		ReplaceTags: Valium
endif
##} FRT_VALIUM1

##{ FRT_VALIUM2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_VALIUM2		/<inter SP2><post P2>\b(?!valium)<V><A><L><I><U><M>/i
describe FRT_VALIUM2		ReplaceTags: Valium (2)
endif
##} FRT_VALIUM2

##{ FRT_WEIGHT2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_WEIGHT2		/<inter W0><post P2>\b(?!weight)<W><E><I><G><H><T>/i
describe FRT_WEIGHT2		ReplaceTags: Weight (2)
endif
##} FRT_WEIGHT2

##{ FRT_XANAX1

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_XANAX1		/<inter W0><post P2>\b(?!xanax)<X><A><N><A><X>\b/i
describe FRT_XANAX1		ReplaceTags: Xanax (1)
endif
##} FRT_XANAX1

##{ FRT_XANAX2

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body     FRT_XANAX2		/<inter SP2><post P2>\b(?!xanax)<X><A><N><A><X>\b/i
describe FRT_XANAX2		ReplaceTags: Xanax (2)
endif
##} FRT_XANAX2

##{ FR_3TAG_3TAG
rawbody  FR_3TAG_3TAG		m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
describe FR_3TAG_3TAG		Looks like 3 <e> small tags.
##} FR_3TAG_3TAG

##{ FR_ALMOST_VIAG2
rawbody  FR_ALMOST_VIAG2	/[^a-z](?!viagra)v?ia.?g.?ra/i
describe FR_ALMOST_VIAG2	Almost looks like viagra.
##} FR_ALMOST_VIAG2

##{ FR_CANTSEETEXT
rawbody  FR_CANTSEETEXT		/class="?cantseetext/i
describe FR_CANTSEETEXT		Phrase class=cantseetext
##} FR_CANTSEETEXT

##{ FR_MIDER
rawbody  FR_MIDER		m'http[^ ]{5,30}/gall?/'
describe FR_MIDER		Sign often seen in spams
##} FR_MIDER

##{ FS_AT_NO_COST
header   FS_AT_NO_COST		Subject =~ /\bat no cost/i
describe FS_AT_NO_COST		Subject says "At No Cost"
##} FS_AT_NO_COST

##{ FS_CHEAP_CAP
header   FS_CHEAP_CAP		Subject =~ /CHEAP/
describe FS_CHEAP_CAP		Phrase: Cheap in Caps in Subject.
##} FS_CHEAP_CAP

##{ FS_DOLLAR_BONUS
header   FS_DOLLAR_BONUS	Subject =~ /\$\d\d\d?\.?\d?\d? bonus/i
describe FS_DOLLAR_BONUS	Subject talks about money bonus!
##} FS_DOLLAR_BONUS

##{ FS_EJACULA
header   FS_EJACULA		Subject =~ /ejaculat(?:[io01][o0i1]n|e)/i
describe FS_EJACULA		Phrase: ejaculation in subject.
##} FS_EJACULA

##{ FS_ERECTION
header   FS_ERECTION		Subject =~ / erection /i
describe FS_ERECTION		Phrase: erection in subject.
##} FS_ERECTION

##{ FS_HUGECOCK
header   FS_HUGECOCK		Subject =~ /(?:huge|tiny|small) (?:c[o0]ck|d[i1]ck|p[e3]n[1i]s)/i
describe FS_HUGECOCK		Phrase: Huge Cock
##} FS_HUGECOCK

##{ FS_LARGE_PERCENT2
header   FS_LARGE_PERCENT2	Subject =~ /(?!100%)\d[0-9oi][0-9oi]%/i
describe FS_LARGE_PERCENT2	Larger than 100% in subj.
##} FS_LARGE_PERCENT2

##{ FS_LOWER_YOUR
header   FS_LOWER_YOUR		Subject =~ /lower your/i
describe FS_LOWER_YOUR		Phrase: lower your
score FS_LOWER_YOUR                  1.000 0.000 0.000 0.000
##} FS_LOWER_YOUR

##{ FS_LOW_RATES
header	 FS_LOW_RATES		Subject =~ / low rates/i
describe FS_LOW_RATES		Subject says low rates
##} FS_LOW_RATES

##{ FS_NEW_SOFT_UPLOAD
header   FS_NEW_SOFT_UPLOAD	Subject =~ /^New software uploaded by/
describe FS_NEW_SOFT_UPLOAD	Subj starts with New software uploaded
##} FS_NEW_SOFT_UPLOAD

##{ FS_NEW_XXX
header   FS_NEW_XXX		Subject =~ /^Re: news? [a-z]{1,5}$/
describe FS_NEW_XXX		Subject looks like Fharmacy spams.
##} FS_NEW_XXX

##{ FS_NO_SCRIP
header   FS_NO_SCRIP		Subject =~ /n[o0O] p[reRE][erER]scr[i1I]pt[i1I][o0O]n/i
describe FS_NO_SCRIP		Subject almost says No prescription
##} FS_NO_SCRIP

##{ FS_OBFU_PRMCY
header   FS_OBFU_PRMCY		Subject =~ /\b(?!(?:pharmacy|primacy))p[ph]{0,4}\S{1,3}r\S{0,2}m\S{0,3}c\S{0,2}y\b/i
describe FS_OBFU_PRMCY		what could this word be?
##} FS_OBFU_PRMCY

##{ FS_PERSCRIPTION
header   FS_PERSCRIPTION	Subject =~ /perscr[i1]pt[i1][o0]n/i
describe FS_PERSCRIPTION	Subject mis-spelled prescription
##} FS_PERSCRIPTION

##{ FS_PHARMASUB2
header   FS_PHARMASUB2		Subject =~ /PH[A-Za-z]{2,7}MA/
describe FS_PHARMASUB2		Looks like Phramacy subject.
##} FS_PHARMASUB2

##{ FS_RAMROD
header   FS_RAMROD		Subject =~ /ramrod/i
describe FS_RAMROD		Subject says Ramrod
##} FS_RAMROD

##{ FS_REPLICA
header   FS_REPLICA		Subject =~ /replica/i
describe FS_REPLICA		Subject says "replica"
##} FS_REPLICA

##{ FS_REPLICAWATCH
header   FS_REPLICAWATCH	Subject =~ /replica watch/i
describe FS_REPLICAWATCH	Subject says Replica watch
##} FS_REPLICAWATCH

##{ FS_RE_APPROV
header   FS_RE_APPROV		Subject =~ /re approved/i
describe FS_RE_APPROV		Phrase: re approved
##} FS_RE_APPROV

##{ FS_START_DOYOU2
header   FS_START_DOYOU2	Subject =~ /^Do you (?:dream|have|want|love|like|wanna)/i
describe FS_START_DOYOU2	Subject starts with Do you dream,have,want,love, etc.
##} FS_START_DOYOU2

##{ FS_START_LOSE
header   FS_START_LOSE		Subject =~ /^Lose /i
describe FS_START_LOSE		Subject starts with Lose
##} FS_START_LOSE

##{ FS_TEEN_BAD
header	 FS_TEEN_BAD		Subject =~ /teen.{1,15}(?:pussy|sex|slut|ass|fuck|rape)/i
describe FS_TEEN_BAD		Subject says something bad about teens
##} FS_TEEN_BAD

##{ FS_TIP_DDD
header   FS_TIP_DDD		Subject =~ /(?:tip|good) \d\d\d?\d?/i
describe FS_TIP_DDD		Phrase: subject = tip ddd
##} FS_TIP_DDD

##{ FS_WEIGHT_LOSS
header   FS_WEIGHT_LOSS		Subject =~ /weight loss/i
describe FS_WEIGHT_LOSS		Subject says Weight Loss
##} FS_WEIGHT_LOSS

##{ FS_WILL_HELP
header   FS_WILL_HELP		Subject =~ /will help/
describe FS_WILL_HELP		Subject says will help
##} FS_WILL_HELP

##{ FS_WITH_SMALL
header   FS_WITH_SMALL		Subject =~ /with (?:\w+\s)?(?:small|short)/i
describe FS_WITH_SMALL		Subject says With ... small
##} FS_WITH_SMALL

##{ FUZZY_MERIDIA

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_MERIDIA	/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
endif
##} FUZZY_MERIDIA

##{ FU_COMMON_SUBS2
uri      FU_COMMON_SUBS2	m'/(?:[2w]m|7d|b|ee|lj|j|o|u)/[,.]?$'
describe FU_COMMON_SUBS2	Sub-dir seen often in spam (2).
##} FU_COMMON_SUBS2

##{ FU_ENDS_NUMS_DOTS_CLK
uri      FU_ENDS_NUMS_DOTS_CLK	m'(?:clk|uns)/\d+\.\d+\.\d+'i
describe FU_ENDS_NUMS_DOTS_CLK	Ends with clk/d+.d+.d+
##} FU_ENDS_NUMS_DOTS_CLK

##{ FU_END_ET
uri      FU_END_ET		m'/et/$'i
describe FU_END_ET		ET Phone Home?
##} FU_END_ET

##{ FU_HOODIA
uri      FU_HOODIA		/hoodia/i
describe FU_HOODIA		URL has hoodia in it.
##} FU_HOODIA

##{ FU_LONG_QUERY3
uri      FU_LONG_QUERY3		m'[A-F0-9]{30}\.aspx'
describe FU_LONG_QUERY3		URL has a long file name with .aspx extension.
##} FU_LONG_QUERY3

##{ FU_MIDER
uri      FU_MIDER		m'/gall?/'
describe FU_MIDER		URL has /gal/
##} FU_MIDER

##{ FU_UKGEOCITIES
uri      FU_UKGEOCITIES		/\b[a-z]{2}\.geocities\.com/i
describe FU_UKGEOCITIES		URL with [a-z]{2}.geocities.com
##} FU_UKGEOCITIES

##{ FU_URI_TRACKER_T
uri      FU_URI_TRACKER_T	m'/[yi]/(?:sp|et|vm|xl2)/'i
describe FU_URI_TRACKER_T	URI style tracker (T)
##} FU_URI_TRACKER_T

##{ GEO_QUERY_STRING
uri	GEO_QUERY_STRING	/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
##} GEO_QUERY_STRING

##{ HDR_ORDER_FTSDMCXX_001C
meta HDR_ORDER_FTSDMCXX_001C  (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C  Header order similar to spam (FTSDMCXX/MID variant)
##} HDR_ORDER_FTSDMCXX_001C

##{ HDR_ORDER_FTSDMCXX_BAT
meta HDR_ORDER_FTSDMCXX_BAT   (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT   Header order similar to spam (FTSDMCXX/boundary variant)
##} HDR_ORDER_FTSDMCXX_BAT

##{ HEADER_COUNT_SUBJECT

ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header HEADER_COUNT_SUBJECT	eval:check_header_count_range('Subject','2','999')
describe HEADER_COUNT_SUBJECT	Multiple Subject headers found
endif
##} HEADER_COUNT_SUBJECT

##{ HELO_FRIEND
header HELO_FRIEND  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND

##{ HELO_LH_HOME
header HELO_LH_HOME X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
##} HELO_LH_HOME

##{ HELO_LH_LD
header HELO_LH_LD   X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i
##} HELO_LH_LD

##{ HELO_LOCALHOST
header HELO_LOCALHOST   X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST

##{ HELO_OEM
header HELO_OEM  X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
##} HELO_OEM

##{ HS_BODY_UPLOADED_SOFTWARE
body HS_BODY_UPLOADED_SOFTWARE /^\w+ has uploaded some new software/
describe HS_BODY_UPLOADED_SOFTWARE Somebody has uploaded some new software for you
##} HS_BODY_UPLOADED_SOFTWARE

##{ HS_DRUG_DOLLAR_1
body HS_DRUG_DOLLAR_1 m'^[a-z]+[glrt][a-z]?[eir][a-z]?[asx](?: -|:)? \$[\d.]+$'i
describe HS_DRUG_DOLLAR_1 Contains a drug and price-like pattern.
##} HS_DRUG_DOLLAR_1

##{ HS_DRUG_DOLLAR_2
body HS_DRUG_DOLLAR_2 m'^[a-z]+[lmor][a-z]?[aex][a-z]?[mx](?: -|:)? \$[\d.]+$'i
describe HS_DRUG_DOLLAR_2 Contains a drug and price-like pattern.
##} HS_DRUG_DOLLAR_2

##{ HS_DRUG_DOLLAR_3
body HS_DRUG_DOLLAR_3 m'^[a-z]+[dino][a-z]?[aimu][a-z]?[amx](?: -|:)? \$[\d.]+$'i
describe HS_DRUG_DOLLAR_3 Contains a drug and price-like pattern.
##} HS_DRUG_DOLLAR_3

##{ HS_DRUG_DOLLAR_MANY
meta HS_DRUG_DOLLAR_MANY HS_DRUG_DOLLAR_1 + HS_DRUG_DOLLAR_2 + HS_DRUG_DOLLAR_3 >= 2
describe HS_DRUG_DOLLAR_MANY Contains several drug and dollar-like patterns.
##} HS_DRUG_DOLLAR_MANY

##{ HS_FORGED_OE_FW
meta HS_FORGED_OE_FW __HS_SUBJ_UC_FW && __OE_MUA
describe HS_FORGED_OE_FW Outlook does not prefix forwards with "FW:"
##} HS_FORGED_OE_FW

##{ HS_GETMEOFF
uri HS_GETMEOFF m'/get(?:me)?off\.php(?:$|[\#?])'
describe HS_GETMEOFF Links to common unsubscribe script: 'getmeoff.php'
##} HS_GETMEOFF

##{ HS_INDEX_PARAM
uri HS_INDEX_PARAM m'^https?:/*([^/]*/)+(?:index.(?:cgi|html?|php)|default.(?:asp|jsp))?\?(?!(?-i:[A-Z][a-z]{2,}){2,}$)\w+={0,2}$'i
describe HS_INDEX_PARAM Link contains a common tracker pattern.
##} HS_INDEX_PARAM

##{ HS_MEETUP_FOR_SEX
body HS_MEETUP_FOR_SEX m'(?:meet ?up|see eachother|get together) for (?:some )?(?:action|sex)'i
describe HS_MEETUP_FOR_SEX Talks about meeting up for sex.
##} HS_MEETUP_FOR_SEX

##{ HS_SUBJ_NEW_SOFTWARE
header HS_SUBJ_NEW_SOFTWARE Subject =~ /^New software uploaded by/
describe HS_SUBJ_NEW_SOFTWARE Subject starts with 'New software uploaded by'
##} HS_SUBJ_NEW_SOFTWARE

##{ HS_SUBJ_ONLINE_PHARMACEUTICAL
header HS_SUBJ_ONLINE_PHARMACEUTICAL Subject =~ /\bOnline Pharmaceutical/i
describe HS_SUBJ_ONLINE_PHARMACEUTICAL Subject contains the phrase 'Online pharmaceutical'
##} HS_SUBJ_ONLINE_PHARMACEUTICAL

##{ HTTPS_HTTP_MISMATCH

ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
body  HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH

##{ JM_RCVD_QMAILV1
header JM_RCVD_QMAILV1     Received =~ /by \S+ \(Qmailv1\) with ESMTP/
##} JM_RCVD_QMAILV1

##{ JM_TORA_XM
meta JM_TORA_XM     (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
##} JM_TORA_XM

##{ KAM_LOTTO1
meta            KAM_LOTTO1      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 3)
describe        KAM_LOTTO1      Likely to be a e-Lotto Scam Email
#score           KAM_LOTTO1      0.5
score KAM_LOTTO1                     2.207 2.192 0.000 0.000
##} KAM_LOTTO1

##{ KAM_LOTTO2
meta            KAM_LOTTO2      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 4)
describe        KAM_LOTTO2      Highly Likely to be a e-Lotto Scam Email
#score           KAM_LOTTO2      1.0
score KAM_LOTTO2                     1.000 1.759 0.000 0.000
##} KAM_LOTTO2

##{ KAM_LOTTO3
meta            KAM_LOTTO3      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 >= 5)
describe        KAM_LOTTO3      Almost certain to be a e-Lotto Scam Email
#score           KAM_LOTTO3      2.0
##} KAM_LOTTO3

##{ KAM_STOCKOTC
meta KAM_STOCKOTC       (0)
tflags KAM_STOCKOTC     publish
##} KAM_STOCKOTC

##{ KAM_STOCKTIP15
meta KAM_STOCKTIP15     (0)
tflags KAM_STOCKTIP15   publish
##} KAM_STOCKTIP15

##{ KAM_STOCKTIP20
meta KAM_STOCKTIP20     (0)
tflags KAM_STOCKTIP20   publish
##} KAM_STOCKTIP20

##{ KAM_STOCKTIP21
meta KAM_STOCKTIP21     (0)
tflags KAM_STOCKTIP21   publish
##} KAM_STOCKTIP21

##{ KAM_STOCKTIP4
meta KAM_STOCKTIP4      (0)
tflags KAM_STOCKTIP4    publish
##} KAM_STOCKTIP4

##{ KAM_STOCKTIP6
meta KAM_STOCKTIP6      (0)
tflags KAM_STOCKTIP6    publish
##} KAM_STOCKTIP6

##{ LONG_TERM_PRICE
body LONG_TERM_PRICE  /long\W+term\W+(target|projected)(\W+price)?/i
##} LONG_TERM_PRICE

##{ LOOPHOLE_1
body		LOOPHOLE_1	/loop-?hole in the banking/i
describe	LOOPHOLE_1	A loop hole in the banking laws?
##} LOOPHOLE_1

##{ LOTTERY_1
meta LOTTERY_1      (__DBLCLAIM && __CASHPRZ)
##} LOTTERY_1

##{ L_SPAM_TOOL_13
header L_SPAM_TOOL_13   Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
##} L_SPAM_TOOL_13

##{ MID_DEGREES
header MID_DEGREES  Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##} MID_DEGREES

##{ MIME_BOUND_EQ_REL
header MIME_BOUND_EQ_REL    Content-Type =~ /boundary="=====================_\d+==\.REL"/s
##} MIME_BOUND_EQ_REL

##{ MSOE_MID_WRONG_CASE
meta MSOE_MID_WRONG_CASE  (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE

##{ NULL_IN_BODY
full NULL_IN_BODY	/\x00/
describe NULL_IN_BODY   Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY

##{ PART_CID_STOCK

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK      (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK  Has a spammy image attachment (by Content-ID)
endif
##} PART_CID_STOCK

##{ PART_CID_STOCK_LESS

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
endif
##} PART_CID_STOCK_LESS

##{ RCVD_BAD_ID
header RCVD_BAD_ID      Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/
##} RCVD_BAD_ID

##{ RCVD_FORGED_WROTE
header RCVD_FORGED_WROTE    Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE  Forged 'Received' header found ('wrote:' spam)
##} RCVD_FORGED_WROTE

##{ RCVD_FORGED_WROTE2
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2

##{ RCVD_IN_DNSWL_HI

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header	RCVD_IN_DNSWL_HI	eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.3')
describe RCVD_IN_DNSWL_HI	Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI		nice net
endif
##} RCVD_IN_DNSWL_HI

##{ RCVD_IN_DNSWL_LOW

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header	RCVD_IN_DNSWL_LOW	eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
describe RCVD_IN_DNSWL_LOW	Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW	nice net
endif
##} RCVD_IN_DNSWL_LOW

##{ RCVD_IN_DNSWL_MED

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header	RCVD_IN_DNSWL_MED	eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
describe RCVD_IN_DNSWL_MED	Sender listed at http://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED	nice net
endif
##} RCVD_IN_DNSWL_MED

##{ RCVD_IN_DOB

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_DOB              eval:check_rbl_sub('dob', '127.0.0.2')
describe RCVD_IN_DOB            Received via relay in new domain (Day Old Bread)
tflags RCVD_IN_DOB              net
endif
##} RCVD_IN_DOB

##{ RCVD_IN_IADB_DK

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DK			eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.3$')
describe RCVD_IN_IADB_DK		IADB: Sender publishes Domain Keys record
tflags RCVD_IN_IADB_DK			net nice
endif
##} RCVD_IN_IADB_DK

##{ RCVD_IN_IADB_DOPTIN

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.10$')
describe RCVD_IN_IADB_DOPTIN		IADB: All mailing list mail is confirmed opt-in
tflags RCVD_IN_IADB_DOPTIN		net nice
endif
##} RCVD_IN_IADB_DOPTIN

##{ RCVD_IN_IADB_DOPTIN_GT50

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_GT50		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.9$')
describe RCVD_IN_IADB_DOPTIN_GT50	IADB: Confirmed opt-in used more than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_GT50		net nice
endif
##} RCVD_IN_IADB_DOPTIN_GT50

##{ RCVD_IN_IADB_DOPTIN_LT50

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_LT50		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.8$')
describe RCVD_IN_IADB_DOPTIN_LT50	IADB: Confirmed opt-in used less than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_LT50		net nice
endif
##} RCVD_IN_IADB_DOPTIN_LT50

##{ RCVD_IN_IADB_EDDB

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EDDB		eval:check_rbl_sub('iadb-firsttrusted', '^127.0.2.1$')
describe RCVD_IN_IADB_EDDB		IADB: Participates in Email Deliverability Database
tflags RCVD_IN_IADB_EDDB		net nice
endif
##} RCVD_IN_IADB_EDDB

##{ RCVD_IN_IADB_EPIA

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EPIA		eval:check_rbl_sub('iadb-firsttrusted', '^127.0.2.2$')
describe RCVD_IN_IADB_EPIA		IADB: Member of Email Processing Industry Alliance
tflags RCVD_IN_IADB_EPIA		net nice
endif
##} RCVD_IN_IADB_EPIA

##{ RCVD_IN_IADB_GOODMAIL

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_GOODMAIL		eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.103$')
describe RCVD_IN_IADB_GOODMAIL		IADB: Sender has been certified by GoodMail
tflags RCVD_IN_IADB_GOODMAIL 		net nice
endif
##} RCVD_IN_IADB_GOODMAIL

##{ RCVD_IN_IADB_LISTED

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LISTED		eval:check_rbl_sub('iadb-firsttrusted', '^127.0.0.[12]$')
describe RCVD_IN_IADB_LISTED		Participates in the IADB system
tflags RCVD_IN_IADB_LISTED		net nice
endif
##} RCVD_IN_IADB_LISTED

##{ RCVD_IN_IADB_LOOSE

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LOOSE		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.4$')
describe RCVD_IN_IADB_LOOSE		IADB: Adds relationship addrs w/out opt-in
tflags RCVD_IN_IADB_LOOSE		net nice
endif
##} RCVD_IN_IADB_LOOSE

##{ RCVD_IN_IADB_MI_CPEAR

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPEAR		eval:check_rbl_sub('iadb-firsttrusted', '^127.101.1.10$')
describe RCVD_IN_IADB_MI_CPEAR		IADB: Complies with Michigan's CPEAR law
tflags RCVD_IN_IADB_MI_CPEAR		net nice
endif
##} RCVD_IN_IADB_MI_CPEAR

##{ RCVD_IN_IADB_MI_CPR_30

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_30		eval:check_rbl_sub('iadb-firsttrusted', '^127.101.101.10$')
describe RCVD_IN_IADB_MI_CPR_30		IADB: Checked lists against Michigan's CPR within 30 days
tflags RCVD_IN_IADB_MI_CPR_30		net nice
endif
##} RCVD_IN_IADB_MI_CPR_30

##{ RCVD_IN_IADB_MI_CPR_MAT

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_MAT		eval:check_rbl_sub('iadb-firsttrusted', '^127.101.201.10$')
describe RCVD_IN_IADB_MI_CPR_MAT	IADB: Sends no material under Michigan's CPR
tflags RCVD_IN_IADB_MI_CPR_MAT		net nice
endif
##} RCVD_IN_IADB_MI_CPR_MAT

##{ RCVD_IN_IADB_ML_DOPTIN

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ML_DOPTIN		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.100$')
describe RCVD_IN_IADB_ML_DOPTIN		IADB: Mailing list email only, confirmed opt-in
tflags RCVD_IN_IADB_ML_DOPTIN		net nice
endif
##} RCVD_IN_IADB_ML_DOPTIN

##{ RCVD_IN_IADB_NOCONTROL

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_NOCONTROL		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.0$')
describe RCVD_IN_IADB_NOCONTROL		IADB: Has absolutely no mailing controls in place
tflags RCVD_IN_IADB_NOCONTROL		net nice
endif
##} RCVD_IN_IADB_NOCONTROL

##{ RCVD_IN_IADB_OOO

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OOO			eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.200$')
describe RCVD_IN_IADB_OOO		IADB: One-to-one/transactional email only
tflags RCVD_IN_IADB_OOO			net nice
endif
##} RCVD_IN_IADB_OOO

##{ RCVD_IN_IADB_OPTIN

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.7$')
describe RCVD_IN_IADB_OPTIN		IADB: All mailing list mail is opt-in
tflags RCVD_IN_IADB_OPTIN		net nice
endif
##} RCVD_IN_IADB_OPTIN

##{ RCVD_IN_IADB_OPTIN_GT50

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_GT50		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.6$')
describe RCVD_IN_IADB_OPTIN_GT50	IADB: Opt-in used more than 50% of the time
tflags RCVD_IN_IADB_OPTIN_GT50		net nice
endif
##} RCVD_IN_IADB_OPTIN_GT50

##{ RCVD_IN_IADB_OPTIN_LT50

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_LT50		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.5$')
describe RCVD_IN_IADB_OPTIN_LT50	IADB: Opt-in used less than 50% of the time
tflags RCVD_IN_IADB_OPTIN_LT50		net nice
endif
##} RCVD_IN_IADB_OPTIN_LT50

##{ RCVD_IN_IADB_OPTOUTONLY

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTOUTONLY		eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.1$')
describe RCVD_IN_IADB_OPTOUTONLY 	IADB: Scrapes addresses, pure opt-out only
tflags RCVD_IN_IADB_OPTOUTONLY		net nice
endif
##} RCVD_IN_IADB_OPTOUTONLY

##{ RCVD_IN_IADB_RDNS

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_RDNS		eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.4$')
describe RCVD_IN_IADB_RDNS		IADB: Sender has reverse DNS record
tflags RCVD_IN_IADB_RDNS		net nice
endif
##} RCVD_IN_IADB_RDNS

##{ RCVD_IN_IADB_SENDERID

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SENDERID		eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.2$')
describe RCVD_IN_IADB_SENDERID		IADB: Sender publishes Sender ID record
tflags RCVD_IN_IADB_SENDERID		net nice
endif
##} RCVD_IN_IADB_SENDERID

##{ RCVD_IN_IADB_SPF

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SPF			eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.1$')
describe RCVD_IN_IADB_SPF		IADB: Sender publishes SPF record
tflags RCVD_IN_IADB_SPF			net nice
endif
##} RCVD_IN_IADB_SPF

##{ RCVD_IN_IADB_UNVERIFIED_1

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_1	eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.2$')
describe RCVD_IN_IADB_UNVERIFIED_1	IADB: Accepts unverified sign-ups
tflags RCVD_IN_IADB_UNVERIFIED_1	net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_1

##{ RCVD_IN_IADB_UNVERIFIED_2

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_2	eval:check_rbl_sub('iadb-firsttrusted', '^127.3.100.3$')
describe RCVD_IN_IADB_UNVERIFIED_2	IADB: Accepts unverified sign-ups, gives chance to opt out
tflags RCVD_IN_IADB_UNVERIFIED_2	net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_2

##{ RCVD_IN_IADB_UT_CPEAR

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPEAR		eval:check_rbl_sub('iadb-firsttrusted', '^127.101.2.10$')
describe RCVD_IN_IADB_UT_CPEAR		IADB: Complies with Utah's CPEAR law
tflags RCVD_IN_IADB_UT_CPEAR		net nice
endif
##} RCVD_IN_IADB_UT_CPEAR

##{ RCVD_IN_IADB_UT_CPR_30

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_30		eval:check_rbl_sub('iadb-firsttrusted', '^127.101.102.10$')
describe RCVD_IN_IADB_UT_CPR_30		IADB: Checked lists against Utah's CPR within 30 days
tflags RCVD_IN_IADB_UT_CPR_30		net nice
endif
##} RCVD_IN_IADB_UT_CPR_30

##{ RCVD_IN_IADB_UT_CPR_MAT

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_MAT		eval:check_rbl_sub('iadb-firsttrusted', '^127.101.202.10$')
describe RCVD_IN_IADB_UT_CPR_MAT	IADB: Sends no material under Utah's CPR
tflags RCVD_IN_IADB_UT_CPR_MAT		net nice
endif
##} RCVD_IN_IADB_UT_CPR_MAT

##{ RCVD_MAIL_COM
header RCVD_MAIL_COM        Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
describe RCVD_MAIL_COM      Forged Received header (contains post.com or mail.com)
##} RCVD_MAIL_COM

##{ SB_GIF_AND_NO_URIS
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS

##{ SHORT_HELO_AND_INLINE_IMAGE
meta SHORT_HELO_AND_INLINE_IMAGE     (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
describe SHORT_HELO_AND_INLINE_IMAGE    Short HELO string, with inline image
##} SHORT_HELO_AND_INLINE_IMAGE

##{ SHORT_TERM_PRICE
body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
##} SHORT_TERM_PRICE

##{ SPAMMY_XMAILER
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
##} SPAMMY_XMAILER

##{ STOCK_IMG_CTYPE
meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
describe STOCK_IMG_CTYPE  Stock spam image part, with distinctive Content-Type header
##} STOCK_IMG_CTYPE

##{ STOCK_IMG_HDR_FROM
meta STOCK_IMG_HDR_FROM  (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&T_TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
##} STOCK_IMG_HDR_FROM

##{ STOCK_IMG_HTML
meta STOCK_IMG_HTML  (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
describe STOCK_IMG_HTML   Stock spam image part, with distinctive HTML
##} STOCK_IMG_HTML

##{ STOCK_IMG_OUTLOOK
meta STOCK_IMG_OUTLOOK  (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
describe STOCK_IMG_OUTLOOK  Stock spam image part, with Outlook-like features
##} STOCK_IMG_OUTLOOK

##{ STOCK_PRICES
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
##} STOCK_PRICES

##{ STOX_AND_PRICE
meta STOX_AND_PRICE     CURR_PRICE && STOX_REPLY_TYPE
##} STOX_AND_PRICE

##{ STOX_REPLY_TYPE
header STOX_REPLY_TYPE  Content-Type =~ /text\/plain; .* reply-type=original/
##} STOX_REPLY_TYPE

##{ SUBJECT_NEEDS_ENCODING
meta SUBJECT_NEEDS_ENCODING    (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
##} SUBJECT_NEEDS_ENCODING

##{ SUBJ_RE_NUM
meta SUBJ_RE_NUM	!__THEBAT_MUA && __SUBJ_RE_NUM
describe SUBJ_RE_NUM	Subject is faking 'The Bat!' responses
##} SUBJ_RE_NUM

##{ TEMPLATE_203_RCVD
header TEMPLATE_203_RCVD    Received =~ /from 192.168.0.\d+ \(203-219-/
##} TEMPLATE_203_RCVD

##{ TT_MSGID_TRUNC
header TT_MSGID_TRUNC   Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
##} TT_MSGID_TRUNC

##{ TT_OBSCURED_VALIUM
meta TT_OBSCURED_VALIUM         ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
describe TT_OBSCURED_VALIUM     Scora: obscured "VALIUM" in subject
##} TT_OBSCURED_VALIUM

##{ TT_OBSCURED_VIAGRA
meta TT_OBSCURED_VIAGRA         ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
describe TT_OBSCURED_VIAGRA     Scora: obscured "VIAGRA" in subject
##} TT_OBSCURED_VIAGRA

##{ TVD_ACT_193
body TVD_ACT_193		/\bact of (?:193|nineteen thirty)/i
##} TVD_ACT_193

##{ TVD_APPROVED
body TVD_APPROVED		/you.{1,2}re .{0,20}approved/i
##} TVD_APPROVED

##{ TVD_APP_LOAN
body TVD_APP_LOAN		/approved .{0,20}loan/i
##} TVD_APP_LOAN

##{ TVD_DEAR_HOMEOWNER
body TVD_DEAR_HOMEOWNER		/^dear homeowner/i
##} TVD_DEAR_HOMEOWNER

##{ TVD_EB_PHISH
meta TVD_EB_PHISH	__FROM_EBAY && NORMAL_HTTP_TO_IP
##} TVD_EB_PHISH

##{ TVD_ENVFROM_APOST
header TVD_ENVFROM_APOST	EnvelopeFrom =~ /\'/
##} TVD_ENVFROM_APOST

##{ TVD_FINGER_02
header TVD_FINGER_02	Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
##} TVD_FINGER_02

##{ TVD_FLOAT_GENERAL
rawbody TVD_FLOAT_GENERAL	/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
##} TVD_FLOAT_GENERAL

##{ TVD_FUZZY_DEGREE

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_DEGREE	/<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
endif
##} TVD_FUZZY_DEGREE

##{ TVD_FUZZY_FINANCE

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_FINANCE	/(?!finance)<F><I><N><A><N><C><E>/i
endif
##} TVD_FUZZY_FINANCE

##{ TVD_FUZZY_FIXED_RATE

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_FIXED_RATE	/<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
endif
##} TVD_FUZZY_FIXED_RATE

##{ TVD_FUZZY_MICROCAP

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_MICROCAP	/<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
endif
##} TVD_FUZZY_MICROCAP

##{ TVD_FUZZY_PHARMACEUTICAL

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_PHARMACEUTICAL	/<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
endif
##} TVD_FUZZY_PHARMACEUTICAL

##{ TVD_FUZZY_SYMBOL

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_SYMBOL	/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
endif
##} TVD_FUZZY_SYMBOL

##{ TVD_FW_GRAPHIC_NAME_LONG

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader TVD_FW_GRAPHIC_NAME_LONG	Content-Type =~ /\bname="[a-z]{8,}\.gif/
endif
##} TVD_FW_GRAPHIC_NAME_LONG

##{ TVD_FW_GRAPHIC_NAME_MID

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader TVD_FW_GRAPHIC_NAME_MID	Content-Type =~ /\bname="[a-z]{6,7}\.gif/
endif
##} TVD_FW_GRAPHIC_NAME_MID

##{ TVD_INCREASE_SIZE
body TVD_INCREASE_SIZE		/\bsize of .{1,20}(?:penis|dick|manhood)/i
##} TVD_INCREASE_SIZE

##{ TVD_LINK_SAVE
body TVD_LINK_SAVE		/\blink to save\b/i
##} TVD_LINK_SAVE

##{ TVD_PH_BODY_ACCOUNTS_PRE
body TVD_PH_BODY_ACCOUNTS_PRE	/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
##} TVD_PH_BODY_ACCOUNTS_PRE

##{ TVD_PH_REC
body TVD_PH_REC		/\byour .{0,40}account .{0,40}record/i
describe TVD_PH_REC	Message has a phrase standard for phishing mails
##} TVD_PH_REC

##{ TVD_PH_SEC
body TVD_PH_SEC		/\byour .{0,40}account .{0,40}security/i
describe TVD_PH_SEC	Message has a phrase standard for phishing mails
##} TVD_PH_SEC

##{ TVD_PH_SUBJ_ACCOUNTS_POST
header TVD_PH_SUBJ_ACCOUNTS_POST	Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
##} TVD_PH_SUBJ_ACCOUNTS_POST

##{ TVD_PH_SUBJ_META
meta TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
##} TVD_PH_SUBJ_META

##{ TVD_PH_SUBJ_URGENT
header TVD_PH_SUBJ_URGENT		Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
##} TVD_PH_SUBJ_URGENT

##{ TVD_PP_PHISH
meta TVD_PP_PHISH	__FROM_PAYPAL && NORMAL_HTTP_TO_IP
##} TVD_PP_PHISH

##{ TVD_QUAL_MEDS
body TVD_QUAL_MEDS		/\bquality med(?:ication)?s\b/i
##} TVD_QUAL_MEDS

##{ TVD_RATWARE_CB
header TVD_RATWARE_CB		Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
##} TVD_RATWARE_CB

##{ TVD_RATWARE_CB_2
header TVD_RATWARE_CB_2		Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
##} TVD_RATWARE_CB_2

##{ TVD_RATWARE_MSGID_02
header TVD_RATWARE_MSGID_02	Message-ID =~ /^[^<]*<[a-z]+\@/
##} TVD_RATWARE_MSGID_02

##{ TVD_RCVD_IP
header TVD_RCVD_IP  Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
##} TVD_RCVD_IP

##{ TVD_RCVD_IP4
header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
##} TVD_RCVD_IP4

##{ TVD_RCVD_SINGLE
header TVD_RCVD_SINGLE Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
##} TVD_RCVD_SINGLE

##{ TVD_RCVD_SPACE_BRACKET
header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
##} TVD_RCVD_SPACE_BRACKET

##{ TVD_SECTION
body TVD_SECTION		/\bSection (?:27A|21B)/i
##} TVD_SECTION

##{ TVD_SILLY_URI_OBFU
body TVD_SILLY_URI_OBFU		m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
##} TVD_SILLY_URI_OBFU

##{ TVD_SPACED_SUBJECT_WORD3
header TVD_SPACED_SUBJECT_WORD3	Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
##} TVD_SPACED_SUBJECT_WORD3

##{ TVD_STOCK1

ifplugin Mail::SpamAssassin::Plugin::BodyEval
body TVD_STOCK1    eval:check_stock_info('2')
endif
##} TVD_STOCK1

##{ TVD_SUBJ_ACC_NUM
header	TVD_SUBJ_ACC_NUM	Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
describe TVD_SUBJ_ACC_NUM	Subject has spammy looking monetary reference
##} TVD_SUBJ_ACC_NUM

##{ TVD_SUBJ_FINGER_03
header TVD_SUBJ_FINGER_03	Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
##} TVD_SUBJ_FINGER_03

##{ TVD_SUBJ_OWE
header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
##} TVD_SUBJ_OWE

##{ TVD_SUBJ_WIPE_DEBT
header TVD_SUBJ_WIPE_DEBT	Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
##} TVD_SUBJ_WIPE_DEBT

##{ TVD_VISIT_PHARMA
body TVD_VISIT_PHARMA		/Online Ph.rmacy/i
##} TVD_VISIT_PHARMA

##{ TVD_VIS_HIDDEN
rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
##} TVD_VIS_HIDDEN

##{ T_TVD_FW_GRAPHIC_ID1

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_TVD_FW_GRAPHIC_ID1	Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
endif
##} T_TVD_FW_GRAPHIC_ID1

##{ URIBL_RHS_AHBL

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
body            URIBL_RHS_AHBL  eval:check_uridnsbl('URIBL_RHS_AHBL')
describe        URIBL_RHS_AHBL  Contains an URI listed in rhsbl.ahbl.org.
tflags          URIBL_RHS_AHBL  net
#score URIBL_RHS_AHBL                 0.000 0.001 0.000 0.000
endif
##} URIBL_RHS_AHBL

##{ URIBL_RHS_DOB

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub URIBL_RHS_DOB         dob.sibl.support-intelligence.net  A   2
body URIBL_RHS_DOB              eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB            net
endif
##} URIBL_RHS_DOB

##{ WHOIS_1AND1PR

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_1AND1PR       bl.open-whois.org.  A   127.0.0.2
body            WHOIS_1AND1PR       eval:check_uridnsbl('WHOIS_1AND1PR')
describe        WHOIS_1AND1PR       URL registered to 1&1 Private Registration
tflags          WHOIS_1AND1PR       net
endif
##} WHOIS_1AND1PR

##{ WHOIS_AITPRIV

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_AITPRIV       bl.open-whois.org.  A   127.0.0.19
body            WHOIS_AITPRIV       eval:check_uridnsbl('WHOIS_AITPRIV')
describe        WHOIS_AITPRIV       URL registered as an AIT Private Registration
tflags          WHOIS_AITPRIV       net publish
endif
##} WHOIS_AITPRIV

##{ WHOIS_CONTACTPRIV

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_CONTACTPRIV   bl.open-whois.org.  A   127.0.0.37
body            WHOIS_CONTACTPRIV   eval:check_uridnsbl('WHOIS_CONTACTPRIV')
describe        WHOIS_CONTACTPRIV   URL registered to contactprivacy.com
tflags          WHOIS_CONTACTPRIV   net
endif
##} WHOIS_CONTACTPRIV

##{ WHOIS_DMNBYPROXY

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_DMNBYPROXY        bl.open-whois.org.  A   127.0.0.15
body            WHOIS_DMNBYPROXY        eval:check_uridnsbl('WHOIS_DMNBYPROXY')
describe        WHOIS_DMNBYPROXY        Contains URL registered to Domains by Proxy
tflags          WHOIS_DMNBYPROXY        net
endif
##} WHOIS_DMNBYPROXY

##{ WHOIS_DOMESCROW

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_DOMESCROW     bl.open-whois.org.  A   127.0.0.10
body            WHOIS_DOMESCROW     eval:check_uridnsbl('WHOIS_DOMESCROW')
describe        WHOIS_DOMESCROW     URL registered to Domain Escrow Services
tflags          WHOIS_DOMESCROW     net
endif
##} WHOIS_DOMESCROW

##{ WHOIS_DOMPRIVCORP

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub               WHOIS_DOMPRIVCORP   bl.open-whois.org.      A       127.0.0.24
body                    WHOIS_DOMPRIVCORP   eval:check_uridnsbl('WHOIS_DOMPRIVCORP')
describe                WHOIS_DOMPRIVCORP   URL registered to DomainPrivacyCorp.com
tflags                  WHOIS_DOMPRIVCORP   net
endif
##} WHOIS_DOMPRIVCORP

##{ WHOIS_DREAMPRIV

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_DREAMPRIV     bl.open-whois.org.  A   127.0.0.8
body            WHOIS_DREAMPRIV     eval:check_uridnsbl('WHOIS_DREAMPRIV')
describe        WHOIS_DREAMPRIV     URL registered as a DreamHost Private Registration
tflags          WHOIS_DREAMPRIV     net
endif
##} WHOIS_DREAMPRIV

##{ WHOIS_DROA

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub               WHOIS_DROA          bl.open-whois.org.      A       127.0.0.26
body                    WHOIS_DROA      eval:check_uridnsbl('WHOIS_DROA')
describe                WHOIS_DROA      URL registered as an DROA Private Registration
tflags                  WHOIS_DROA      net
endif
##} WHOIS_DROA

##{ WHOIS_DYNADOT

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub               WHOIS_DYNADOT       bl.open-whois.org.      A       127.0.0.27
body                    WHOIS_DYNADOT       eval:check_uridnsbl('WHOIS_DYNADOT')
describe                WHOIS_DYNADOT       URL registered to Dynadot Privacy
tflags                  WHOIS_DYNADOT       net
endif
##} WHOIS_DYNADOT

##{ WHOIS_FINEXE

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub               WHOIS_FINEXE        bl.open-whois.org.      A       127.0.0.25
body                    WHOIS_FINEXE        eval:check_uridnsbl('WHOIS_FINEXE')
describe                WHOIS_FINEXE        URL registered to Finexe Domain Proxy Service
tflags                  WHOIS_FINEXE        net
endif
##} WHOIS_FINEXE

##{ WHOIS_GKGPROXY

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub               WHOIS_GKGPROXY      bl.open-whois.org.      A       127.0.0.29
body                    WHOIS_GKGPROXY      eval:check_uridnsbl('WHOIS_GKGPROXY')
describe                WHOIS_GKGPROXY      URL registered to GKG.NET Domain Proxy Service
tflags                  WHOIS_GKGPROXY      net
endif
##} WHOIS_GKGPROXY

##{ WHOIS_IDSHIELD

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_IDSHIELD      bl.open-whois.org.  A   127.0.0.16
body            WHOIS_IDSHIELD      eval:check_uridnsbl('WHOIS_IDSHIELD')
describe        WHOIS_IDSHIELD      Contains URL registered to WHOIS ID Shield
tflags          WHOIS_IDSHIELD      net
endif
##} WHOIS_IDSHIELD

##{ WHOIS_IDTHEFTPROT

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_IDTHEFTPROT   bl.open-whois.org.  A   127.0.0.39
body            WHOIS_IDTHEFTPROT   eval:check_uridnsbl('WHOIS_IDTHEFTPROT')
describe        WHOIS_IDTHEFTPROT   URL registered to Whois ID Theft Protection
tflags          WHOIS_IDTHEFTPROT   net
endif
##} WHOIS_IDTHEFTPROT

##{ WHOIS_KATZ

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub               WHOIS_KATZ      bl.open-whois.org.      A       127.0.0.31
body                    WHOIS_KATZ      eval:check_uridnsbl('WHOIS_KATZ')
describe                WHOIS_KATZ      URL registered to Katz Global Domain Name Trust
tflags                  WHOIS_KATZ      net
endif
##} WHOIS_KATZ

##{ WHOIS_LISTINGAG

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_LISTINGAG     bl.open-whois.org.  A   127.0.0.33
body            WHOIS_LISTINGAG     eval:check_uridnsbl('WHOIS_LISTINGAG')
describe        WHOIS_LISTINGAG     URL registered to Domain Listing Agent
tflags          WHOIS_LISTINGAG     net
endif
##} WHOIS_LISTINGAG

##{ WHOIS_LNOA

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub               WHOIS_LNOA      bl.open-whois.org.      A       127.0.0.28
body                    WHOIS_LNOA      eval:check_uridnsbl('WHOIS_LNOA')
describe                WHOIS_LNOA      URL registered to LNOA WHOIS Privacy
tflags                  WHOIS_LNOA      net
endif
##} WHOIS_LNOA

##{ WHOIS_MAPNAME

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_MAPNAME       bl.open-whois.org.  A   127.0.0.34
body            WHOIS_MAPNAME       eval:check_uridnsbl('WHOIS_MAPNAME')
describe        WHOIS_MAPNAME       URL registered to MapName
tflags          WHOIS_MAPNAME       net
endif
##} WHOIS_MAPNAME

##{ WHOIS_MONIKER_PRIV

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_MONIKER_PRIV  bl.open-whois.org.  A   127.0.0.11
body            WHOIS_MONIKER_PRIV  eval:check_uridnsbl('WHOIS_MONIKER_PRIV')
describe        WHOIS_MONIKER_PRIV  URL registered to Moniker Privacy Protection
tflags          WHOIS_MONIKER_PRIV  net
endif
##} WHOIS_MONIKER_PRIV

##{ WHOIS_MYPRIVREG

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_MYPRIVREG     bl.open-whois.org.  A   127.0.0.17
body            WHOIS_MYPRIVREG     eval:check_uridnsbl('WHOIS_MYPRIVREG')
describe        WHOIS_MYPRIVREG     URL registered to myprivateregistration.com
tflags          WHOIS_MYPRIVREG     net
endif
##} WHOIS_MYPRIVREG

##{ WHOIS_NAMEKING

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_NAMEKING      bl.open-whois.org.  A   127.0.0.35
body            WHOIS_NAMEKING      eval:check_uridnsbl('WHOIS_NAMEKING')
describe        WHOIS_NAMEKING      URL registered to NameKing
tflags          WHOIS_NAMEKING      net publish
endif
##} WHOIS_NAMEKING

##{ WHOIS_NAMESECURE

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_NAMESECURE    bl.open-whois.org.  A   127.0.0.9
body            WHOIS_NAMESECURE    eval:check_uridnsbl('WHOIS_NAMESECURE')
describe        WHOIS_NAMESECURE    Contains URL registered to NameSecure
tflags          WHOIS_NAMESECURE    net
endif
##} WHOIS_NAMESECURE

##{ WHOIS_NETID

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_NETID     bl.open-whois.org.  A   127.0.0.42
body            WHOIS_NETID     eval:check_uridnsbl('WHOIS_NETID')
describe        WHOIS_NETID     URL registered to NetIdentity
tflags          WHOIS_NETID     net
endif
##} WHOIS_NETID

##{ WHOIS_NETSOLPR

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_NETSOLPR      bl.open-whois.org.  A   127.0.0.4
body            WHOIS_NETSOLPR      eval:check_uridnsbl('WHOIS_NETSOLPR')
describe        WHOIS_NETSOLPR      URL registered as a NetSol Private Registration
tflags          WHOIS_NETSOLPR      net
endif
##} WHOIS_NETSOLPR

##{ WHOIS_NOLDC

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_NOLDC     bl.open-whois.org.  A   127.0.0.41
body            WHOIS_NOLDC     eval:check_uridnsbl('WHOIS_NOLDC')
describe        WHOIS_NOLDC     URL registered to NOLDC, Inc.
tflags          WHOIS_NOLDC     net
endif
##} WHOIS_NOLDC

##{ WHOIS_NOMINET

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_NOMINET       bl.open-whois.org.  A   127.0.0.36
body            WHOIS_NOMINET       eval:check_uridnsbl('WHOIS_NOMINET')
describe        WHOIS_NOMINET       URL registered to Nominet Private Registrant
tflags          WHOIS_NOMINET       net
endif
##} WHOIS_NOMINET

##{ WHOIS_PRIVACYPOST

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_PRIVACYPOST   bl.open-whois.org.  A   127.0.0.7
body            WHOIS_PRIVACYPOST   eval:check_uridnsbl('WHOIS_PRIVACYPOST')
describe        WHOIS_PRIVACYPOST   Contains URL registered to PrivacyPost
tflags          WHOIS_PRIVACYPOST   net
endif
##} WHOIS_PRIVACYPOST

##{ WHOIS_PRIVDOMAIN

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_PRIVDOMAIN    bl.open-whois.org.  A   127.0.0.38
body            WHOIS_PRIVDOMAIN    eval:check_uridnsbl('WHOIS_PRIVDOMAIN')
describe        WHOIS_PRIVDOMAIN    URL registered to privacy-domain.com
tflags          WHOIS_PRIVDOMAIN    net
endif
##} WHOIS_PRIVDOMAIN

##{ WHOIS_PRIVPROT

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_PRIVPROT      bl.open-whois.org.  A   127.0.0.3
body            WHOIS_PRIVPROT      eval:check_uridnsbl('WHOIS_PRIVPROT')
describe        WHOIS_PRIVPROT      URL registered to WHOIS Privacy Protection
tflags          WHOIS_PRIVPROT      net publish
endif
##} WHOIS_PRIVPROT

##{ WHOIS_REGISTER4LESS

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_REGISTER4LESS bl.open-whois.org.  A   127.0.0.30
body            WHOIS_REGISTER4LESS eval:check_uridnsbl('WHOIS_REGISTER4LESS')
describe        WHOIS_REGISTER4LESS URL registered to R4L Privacy
tflags          WHOIS_REGISTER4LESS      net
endif
##} WHOIS_REGISTER4LESS

##{ WHOIS_REGISTERFLY

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_REGISTERFLY       bl.open-whois.org.  A   127.0.0.14
body            WHOIS_REGISTERFLY       eval:check_uridnsbl('WHOIS_REGISTERFLY')
describe        WHOIS_REGISTERFLY       Contains URL registered to RegisterFly
tflags          WHOIS_REGISTERFLY       net publish
endif
##} WHOIS_REGISTERFLY

##{ WHOIS_REGTEK

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_REGTEK        bl.open-whois.org.  A   127.0.0.40
body            WHOIS_REGTEK        eval:check_uridnsbl('WHOIS_REGTEK')
describe        WHOIS_REGTEK        URL registered to RegTek Whois Envoy
tflags          WHOIS_REGTEK        net
endif
##} WHOIS_REGTEK

##{ WHOIS_SAFENAMES

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_SAFENAMES     bl.open-whois.org.  A   127.0.0.12
body            WHOIS_SAFENAMES     eval:check_uridnsbl('WHOIS_SAFENAMES')
describe        WHOIS_SAFENAMES     Contains URL registered to SafeNames
tflags          WHOIS_SAFENAMES     net
endif
##} WHOIS_SAFENAMES

##{ WHOIS_SECINFOSERV

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_SECINFOSERV   bl.open-whois.org.  A   127.0.0.21
body            WHOIS_SECINFOSERV   eval:check_uridnsbl('WHOIS_SECINFOSERV')
describe        WHOIS_SECINFOSERV   URL registered to Secure WHOIS Information Services
tflags          WHOIS_SECINFOSERV   net
endif
##} WHOIS_SECINFOSERV

##{ WHOIS_SECUREWHOIS

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_SECUREWHOIS   bl.open-whois.org.  A   127.0.0.5
body            WHOIS_SECUREWHOIS   eval:check_uridnsbl('WHOIS_SECUREWHOIS')
describe        WHOIS_SECUREWHOIS   Contains URL registered to SecureWhois
tflags          WHOIS_SECUREWHOIS   net publish
endif
##} WHOIS_SECUREWHOIS

##{ WHOIS_SPAMFREE

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_SPAMFREE      bl.open-whois.org.  A   127.0.0.32
body            WHOIS_SPAMFREE      eval:check_uridnsbl('WHOIS_SPAMFREE')
describe        WHOIS_SPAMFREE      URL registered to SpamFreeReg.com
tflags          WHOIS_SPAMFREE      net
endif
##} WHOIS_SPAMFREE

##{ WHOIS_SRSPLUS

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_SRSPLUS       bl.open-whois.org.  A   127.0.0.23
body            WHOIS_SRSPLUS       eval:check_uridnsbl('WHOIS_SRSPLUS')
describe        WHOIS_SRSPLUS       URL registered as an SRSPlus Private Registration
tflags          WHOIS_SRSPLUS       net
endif
##} WHOIS_SRSPLUS

##{ WHOIS_UNLISTED

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_UNLISTED      bl.open-whois.org.  A   127.0.0.13
body            WHOIS_UNLISTED      eval:check_uridnsbl('WHOIS_UNLISTED')
describe        WHOIS_UNLISTED      Contains URL registered to Unlisted-Whois.com
tflags          WHOIS_UNLISTED      net
endif
##} WHOIS_UNLISTED

##{ WHOIS_WHOISGUARD

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_WHOISGUARD        bl.open-whois.org.  A   127.0.0.18
body            WHOIS_WHOISGUARD        eval:check_uridnsbl('WHOIS_WHOISGUARD')
describe        WHOIS_WHOISGUARD        URL registered to WhoisGuard
tflags          WHOIS_WHOISGUARD        net publish
endif
##} WHOIS_WHOISGUARD

##{ WHOIS_WHOISPROT

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub       WHOIS_WHOISPROT     bl.open-whois.org.  A   127.0.0.20
body            WHOIS_WHOISPROT     eval:check_uridnsbl('WHOIS_WHOISPROT')
describe        WHOIS_WHOISPROT     URL registered to WhoisProtector
tflags          WHOIS_WHOISPROT     net
endif
##} WHOIS_WHOISPROT

##{ XMAILER_MIMEOLE_OL_015D5
meta XMAILER_MIMEOLE_OL_015D5  (__XM_OL_015D5 && __MO_OL_015D5)
##} XMAILER_MIMEOLE_OL_015D5

##{ XMAILER_MIMEOLE_OL_07794
meta XMAILER_MIMEOLE_OL_07794  (__XM_OL_07794 && __MO_OL_07794)
##} XMAILER_MIMEOLE_OL_07794

##{ XMAILER_MIMEOLE_OL_09BB4
meta XMAILER_MIMEOLE_OL_09BB4  (__XM_OL_09BB4 && __MO_OL_09BB4)
##} XMAILER_MIMEOLE_OL_09BB4

##{ XMAILER_MIMEOLE_OL_1ECD5
meta XMAILER_MIMEOLE_OL_1ECD5  (__XM_OL_1ECD5 && __MO_OL_1ECD5)
##} XMAILER_MIMEOLE_OL_1ECD5

##{ XMAILER_MIMEOLE_OL_20C99
meta XMAILER_MIMEOLE_OL_20C99  (__XM_OL_20C99 && __MO_OL_20C99)
##} XMAILER_MIMEOLE_OL_20C99

##{ XMAILER_MIMEOLE_OL_22B61
meta XMAILER_MIMEOLE_OL_22B61  (__XM_OL_22B61 && __MO_OL_22B61)
##} XMAILER_MIMEOLE_OL_22B61

##{ XMAILER_MIMEOLE_OL_25340
meta XMAILER_MIMEOLE_OL_25340  (__XM_OL_25340 && __MO_OL_25340)
##} XMAILER_MIMEOLE_OL_25340

##{ XMAILER_MIMEOLE_OL_32D97
meta XMAILER_MIMEOLE_OL_32D97  (__XM_OL_32D97 && __MO_OL_32D97)
##} XMAILER_MIMEOLE_OL_32D97

##{ XMAILER_MIMEOLE_OL_3857F
meta XMAILER_MIMEOLE_OL_3857F  (__XM_OL_3857F && __MO_OL_3857F)
##} XMAILER_MIMEOLE_OL_3857F

##{ XMAILER_MIMEOLE_OL_3AC1D
meta XMAILER_MIMEOLE_OL_3AC1D  (__XM_OL_3AC1D && __MO_OL_3AC1D)
##} XMAILER_MIMEOLE_OL_3AC1D

##{ XMAILER_MIMEOLE_OL_3D61D
meta XMAILER_MIMEOLE_OL_3D61D  (__XM_OL_3D61D && __MO_OL_3D61D)
##} XMAILER_MIMEOLE_OL_3D61D

##{ XMAILER_MIMEOLE_OL_465CD
meta XMAILER_MIMEOLE_OL_465CD  (__XM_OL_465CD && __MO_OL_465CD)
##} XMAILER_MIMEOLE_OL_465CD

##{ XMAILER_MIMEOLE_OL_4B815
meta XMAILER_MIMEOLE_OL_4B815  (__XM_OL_4B815 && __MO_OL_4B815)
##} XMAILER_MIMEOLE_OL_4B815

##{ XMAILER_MIMEOLE_OL_4BF4C
meta XMAILER_MIMEOLE_OL_4BF4C  (__XM_OL_4BF4C && __MO_OL_4BF4C)
##} XMAILER_MIMEOLE_OL_4BF4C

##{ XMAILER_MIMEOLE_OL_4EEDB
meta XMAILER_MIMEOLE_OL_4EEDB  (__XM_OL_4EEDB && __MO_OL_4EEDB)
##} XMAILER_MIMEOLE_OL_4EEDB

##{ XMAILER_MIMEOLE_OL_4F240
meta XMAILER_MIMEOLE_OL_4F240  (__XM_OL_4F240 && __MO_OL_4F240)
##} XMAILER_MIMEOLE_OL_4F240

##{ XMAILER_MIMEOLE_OL_58CB5
meta XMAILER_MIMEOLE_OL_58CB5  (__XM_OL_58CB5 && __MO_OL_58CB5)
##} XMAILER_MIMEOLE_OL_58CB5

##{ XMAILER_MIMEOLE_OL_5B79A
meta XMAILER_MIMEOLE_OL_5B79A  (__XM_OL_5B79A && __MO_OL_5B79A)
##} XMAILER_MIMEOLE_OL_5B79A

##{ XMAILER_MIMEOLE_OL_6554A
meta XMAILER_MIMEOLE_OL_6554A  (__XM_OL_6554A && __MO_OL_6554A)
##} XMAILER_MIMEOLE_OL_6554A

##{ XMAILER_MIMEOLE_OL_72641
meta XMAILER_MIMEOLE_OL_72641  (__XM_OL_72641 && __MO_OL_72641)
##} XMAILER_MIMEOLE_OL_72641

##{ XMAILER_MIMEOLE_OL_7533E
meta XMAILER_MIMEOLE_OL_7533E  (__XM_OL_7533E && __MO_OL_7533E)
##} XMAILER_MIMEOLE_OL_7533E

##{ XMAILER_MIMEOLE_OL_812FF
meta XMAILER_MIMEOLE_OL_812FF  (__XM_OL_812FF && __MO_OL_812FF)
##} XMAILER_MIMEOLE_OL_812FF

##{ XMAILER_MIMEOLE_OL_83BF7
meta XMAILER_MIMEOLE_OL_83BF7  (__XM_OL_83BF7 && __MO_OL_83BF7)
##} XMAILER_MIMEOLE_OL_83BF7

##{ XMAILER_MIMEOLE_OL_8627E
meta XMAILER_MIMEOLE_OL_8627E  (__XM_OL_8627E && __MO_OL_8627E)
##} XMAILER_MIMEOLE_OL_8627E

##{ XMAILER_MIMEOLE_OL_8E893
meta XMAILER_MIMEOLE_OL_8E893  (__XM_OL_8E893 && __MO_OL_8E893)
##} XMAILER_MIMEOLE_OL_8E893

##{ XMAILER_MIMEOLE_OL_91287
meta XMAILER_MIMEOLE_OL_91287  (__XM_OL_91287 && __MO_OL_91287)
##} XMAILER_MIMEOLE_OL_91287

##{ XMAILER_MIMEOLE_OL_9B90B
meta XMAILER_MIMEOLE_OL_9B90B  (__XM_OL_9B90B && __MO_OL_9B90B)
##} XMAILER_MIMEOLE_OL_9B90B

##{ XMAILER_MIMEOLE_OL_A50F8
meta XMAILER_MIMEOLE_OL_A50F8  (__XM_OL_A50F8 && __MO_OL_A50F8)
##} XMAILER_MIMEOLE_OL_A50F8

##{ XMAILER_MIMEOLE_OL_A842E
meta XMAILER_MIMEOLE_OL_A842E  (__XM_OL_A842E && __MO_OL_A842E)
##} XMAILER_MIMEOLE_OL_A842E

##{ XMAILER_MIMEOLE_OL_ADFF7
meta XMAILER_MIMEOLE_OL_ADFF7  (__XM_OL_ADFF7 && __MO_OL_ADFF7)
##} XMAILER_MIMEOLE_OL_ADFF7

##{ XMAILER_MIMEOLE_OL_B30D1
meta XMAILER_MIMEOLE_OL_B30D1  (__XM_OL_B30D1 && __MO_OL_B30D1)
##} XMAILER_MIMEOLE_OL_B30D1

##{ XMAILER_MIMEOLE_OL_B4B40
meta XMAILER_MIMEOLE_OL_B4B40  (__XM_OL_B4B40 && __MO_OL_B4B40)
##} XMAILER_MIMEOLE_OL_B4B40

##{ XMAILER_MIMEOLE_OL_B9B11
meta XMAILER_MIMEOLE_OL_B9B11  (__XM_OL_B9B11 && __MO_OL_B9B11)
##} XMAILER_MIMEOLE_OL_B9B11

##{ XMAILER_MIMEOLE_OL_BC7E6
meta XMAILER_MIMEOLE_OL_BC7E6  (__XM_OL_BC7E6 && __MO_OL_BC7E6)
##} XMAILER_MIMEOLE_OL_BC7E6

##{ XMAILER_MIMEOLE_OL_C65FA
meta XMAILER_MIMEOLE_OL_C65FA  (__XM_OL_C65FA && __MO_OL_C65FA)
##} XMAILER_MIMEOLE_OL_C65FA

##{ XMAILER_MIMEOLE_OL_C9068
meta XMAILER_MIMEOLE_OL_C9068  (__XM_OL_C9068 && __MO_OL_C9068)
##} XMAILER_MIMEOLE_OL_C9068

##{ XMAILER_MIMEOLE_OL_CAC8F
meta XMAILER_MIMEOLE_OL_CAC8F  (__XM_OL_CAC8F && __MO_OL_CAC8F)
##} XMAILER_MIMEOLE_OL_CAC8F

##{ XMAILER_MIMEOLE_OL_CF0C0
meta XMAILER_MIMEOLE_OL_CF0C0  (__XM_OL_CF0C0 && __MO_OL_CF0C0)
##} XMAILER_MIMEOLE_OL_CF0C0

##{ XMAILER_MIMEOLE_OL_EF20B
meta XMAILER_MIMEOLE_OL_EF20B  (__XM_OL_EF20B && __MO_OL_EF20B)
##} XMAILER_MIMEOLE_OL_EF20B

##{ XMAILER_MIMEOLE_OL_EF222
meta XMAILER_MIMEOLE_OL_EF222  (__XM_OL_EF222 && __MO_OL_EF222)
##} XMAILER_MIMEOLE_OL_EF222

##{ XMAILER_MIMEOLE_OL_F3B05
meta XMAILER_MIMEOLE_OL_F3B05  (__XM_OL_F3B05 && __MO_OL_F3B05)
##} XMAILER_MIMEOLE_OL_F3B05

##{ XMAILER_MIMEOLE_OL_F475E
meta XMAILER_MIMEOLE_OL_F475E  (__XM_OL_F475E && __MO_OL_F475E)
##} XMAILER_MIMEOLE_OL_F475E

##{ XMAILER_MIMEOLE_OL_F6D01
meta XMAILER_MIMEOLE_OL_F6D01  (__XM_OL_F6D01 && __MO_OL_F6D01)
##} XMAILER_MIMEOLE_OL_F6D01

##{ XMAILER_MIMEOLE_OL_FF5C8
meta XMAILER_MIMEOLE_OL_FF5C8  (__XM_OL_FF5C8 && __MO_OL_FF5C8)
##} XMAILER_MIMEOLE_OL_FF5C8

##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval _sandbox

ifplugin Mail::SpamAssassin::Plugin::DNSEval
#reuse RCVD_IN_DNSWL_LOW
#reuse RCVD_IN_DNSWL_MED
#reuse RCVD_IN_DNSWL_HI
endif
##} ifplugin Mail::SpamAssassin::Plugin::DNSEval _sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags _sandbox

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __FRT_GOLD
replace_rules __FRT_SILVER
replace_tag	A	[gra\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe60o]
replace_tag	B	[b8]
replace_tag	C	[ck\xc7\xe7@]
replace_tag	D	[d\xd0]
replace_tag	E	[e3\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]
replace_tag	F	f
replace_tag	G	[gk]
replace_tag	H	h
replace_tag	I	[ilt|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef]
replace_tag	J	j
replace_tag	K	k
replace_tag	L	[il|!1\xa3]
replace_tag	M	(?:m|rn)
replace_tag	N	[n\xd1\xf1]
replace_tag	O	[go0\xd2\xd3\xd4\xd5\xd6\xd8\xf0\xf2\xf3\xf4\xf5\xf6\xf8]
replace_tag	P	[p\xfe]
replace_tag	Q	q
replace_tag	R	r
replace_tag	S	[sz\xa6\xa7]
replace_tag	T	t
replace_tag	U	[uv\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]
replace_tag	V	(?:[vu]|\\\/)
replace_tag	W	[wv]
replace_tag	X	(?:[x\xd7]|><)
replace_tag	Y	[y\xff\xfd\xa5j]
replace_tag	Z	[zs]
replace_tag	IMG	(?:jpe?g|gif|png)
replace_tag	SP	[\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
replace_tag	CUR	[\$\xa5\xa3\xa4\xa2]
replace_inter	SP	[\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
replace_inter	W1	\W?
replace_inter	W2	\W{0,2}
replace_inter	W3	\W{0,3}
replace_post	P2	{1,2}
replace_post	P3	{1,3}
replace_inter W0 \w?
replace_inter SP2 [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]?
replace_tag   G  [gk6]
replace_tag   Q  [qg]
replace_tag   S  [sz5\xa6\xa7]
replace_tag   T  [t|]
replace_tag   U2 [u\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]
replace_tag   W  (?:[wv]|vv)
replace_rules T_FRT_ABSOLUT
replace_rules FRT_ADOBE2
replace_rules T_FRT_ADULT2
replace_rules T_FRT_APPROV
replace_rules T_FRT_BEFORE
replace_rules T_FRT_BELOW2
replace_rules FRT_BIGGERMEM1
replace_rules T_FRT_CANSPAM
replace_rules T_FRT_CLICK
replace_rules T_FRT_COCK
replace_rules T_FRT_CONTACT
replace_rules FRT_DIPLOMA
replace_rules FRT_DISCOUNT
replace_rules FRT_DOLLAR
replace_rules T_FRT_ERECTION
replace_rules T_FRT_ESTABLISH
replace_rules FRT_ESTABLISH2
replace_rules T_FRT_EXPERIENCE
replace_rules T_FRT_FOLLOW1
replace_rules T_FRT_FOLLOW2
replace_rules T_FRT_FREE
replace_rules T_FRT_FRIEND
replace_rules T_FRT_FUCK1
replace_rules FRT_FUCK2
replace_rules FRT_GUARANTEE1
replace_rules T_FRT_HEALTH
replace_rules T_FRT_HOUR
replace_rules T_FRT_INCOME
replace_rules T_FRT_INTEREST
replace_rules FRT_INVESTOR
replace_rules FRT_LEVITRA
replace_rules T_FRT_LITTLE
replace_rules T_FRT_LOLITA1
replace_rules FRT_MEETING
replace_rules FRT_OFFER2
replace_rules FRT_OPPORTUN1
replace_rules FRT_OPPORTUN2
replace_rules T_FRT_PACKAGE
replace_rules T_FRT_PAYMENT
replace_rules FRT_PENIS1
replace_rules T_FRT_PHARMAC
replace_rules T_FRT_POSSIBLE
replace_rules FRT_PRICE
replace_rules T_FRT_PROFILE1
replace_rules T_FRT_PROFILE2
replace_rules T_FRT_PROFIT1
replace_rules T_FRT_PROFIT2
replace_rules T_FRT_PUSSY
replace_rules FRT_REFINANCE1
replace_rules FRT_ROLEX
replace_rules FRT_SEXUAL
replace_rules T_FRT_SLUT
replace_rules FRT_SOMA
replace_rules FRT_SOMA2
replace_rules T_FRT_STOCK1
replace_rules T_FRT_STOCK2
replace_rules FRT_STRONG1
replace_rules FRT_STRONG2
replace_rules FRT_SYMBOL
replace_rules FRT_TODAY2
replace_rules FRT_VALIUM1
replace_rules FRT_VALIUM2
replace_rules T_FRT_VIRGIN1
replace_rules FRT_WEIGHT2
replace_rules FRT_XANAX1
replace_rules FRT_XANAX2
replace_rules T_FUZZY_SPRM
replace_rules FUZZY_MERIDIA
replace_rules TVD_FUZZY_PHARMACEUTICAL
replace_rules TVD_FUZZY_SYMBOL
replace_rules T_TVD_FUZZY_SECURITIES
replace_rules TVD_FUZZY_FINANCE
replace_rules TVD_FUZZY_FIXED_RATE
replace_rules TVD_FUZZY_MICROCAP
replace_rules T_TVD_FUZZY_SECTOR
replace_rules TVD_FUZZY_DEGREE
replace_rules T_LFUZ_PWRMALE
endif
##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags _sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL _sandbox

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhsbl        URIBL_RHS_AHBL  rhsbl.ahbl.org. A
endif
##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL _sandbox

##{ redirector_pattern_sandbox
redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
redirector_pattern m'^http:/*rd\.yahoo\.co\.jp/\*(.*)'i
##} redirector_pattern_sandbox


ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
endif
body     __APPROVALFVGT		/approval/i
body     __BACHELORS		/Bachelor/i
body     __BIGDOLLARSFVGT	/\$\d{2,3},\d{3}/
body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
body __CASHPRZ      /cash prize of/
body     __CS_WORD		/\bC[A-Za-z]{2,4}IS\b/

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
endif
header   __DATE_700		Date =~ /-0700/
body __DBLCLAIM     /avoid double claiming/
body     __DIPLOMA		/diploma/i
body	__DOS_BODY_FRI	/\bfri(?:day)?\b/i
body	__DOS_BODY_MON	/\bmon(?:day)?\b/i
body	__DOS_BODY_SAT	/\bsat(?:day)?\b/i
body		__DOS_BODY_STOCK	/\bstock\b/i
body	__DOS_BODY_SUN	/\bsun(?:day)?\b/i
body	__DOS_BODY_THU	/\bthu(?:r(?:s(?:day)?)?)?\b/i
body		__DOS_BODY_TICKER	/\b[A-Z]{4}\.(?:OB|PK)\b/
body	__DOS_BODY_TUE	/\btue(?:s(?:day)?)?\b/i
body	__DOS_BODY_WED	/\bwed(?:nesday)?\b/i
body	__DOS_COMING_TO_YOUR_PLACE	/I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
body	__DOS_CORRESPOND_EMAIL		/correspond with me using my email/
body	__DOS_DROP_ME_A_LINE		/Drop me a line at/
body	__DOS_EMAIL_DIRECTLY		/(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
body		__DOS_FIN_ADVANTAGE	/\bfinancial advantage/i
uri __DOS_HAS_ANY_URI		/./
body __DOS_HEADLINES	/\bHeadlines\b/
body __DOS_HI                   /^Hi,$/
body	__DOS_I_AM_25			/I a.?m 25/
body __DOS_I_DRIVE_A	/I drive a/
body __DOS_LET_GO_JOB	/I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
body __DOS_LINK                 /\blink\b/
body	__DOS_MEET_EACH_OTHER		/(?:meet each other|[Mm]ay ?be we can meet)/
body __DOS_MY_OLD_JOB	/my old job/
body	__DOS_PERSONAL_EMAIL		/personal email at/
header	__DOS_RCVD_FRI	Received =~ / Fri, /
header	__DOS_RCVD_MON	Received =~ / Mon, /
header	__DOS_RCVD_SAT	Received =~ / Sat, /
header	__DOS_RCVD_SUN	Received =~ / Sun, /
header	__DOS_RCVD_THU	Received =~ / Thu, /
header	__DOS_RCVD_TUE	Received =~ / Tue, /
header	__DOS_RCVD_WED	Received =~ / Wed, /
meta	__DOS_REF_2_WK_DAYS	(__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
meta	__DOS_REF_NEXT_WK_DAY	(__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
meta	__DOS_REF_TODAY		(__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
header __DOS_SINGLE_EXT_RELAY   X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
body		__DOS_STEADY_COURSE	/\bsteady (?:and increasing )?course\b/i
body		__DOS_STRONG_CF		/\bstrong cash flow/i
body __DOS_SYMBOL_4	/\bSymbol [A-Z]{4}\b/
body __DOS_TAKING_HOME	/Taking home \d (?:digit level|figures) in \d{1,2} months/
body	__DOS_WRITE_ME_AT		/[Ww].?r.?i.?t.?e me at/
header   __EXCLAIM_SUBJ		Subject =~ /\!/
body     __FB_BA		/\bBA\b/
body     __FB_BCs		/\bBSc\b/
body     __FB_BRAND_NAME	/brand name/i
body     __FB_C_HTTP_WORD	m'c[il1]a[a-z]{2,7}\shttp://'i
body     __FB_DESIGNER		/designer/i
body     __FB_GAME		/game/i
body     __FB_GLASHUTE		/Glashute/
body     __FB_HANDBAGS		/handbags/i
body     __FB_HOTTEST		/hottest/i
body     __FB_INK_PEN		/ink pen/i
body     __FB_LUX_GIFTS		/Luxury (?:\w+\s)?Gifts/i
body     __FB_MA		/\bMA\b/
body     __FB_MBA		/\bMBA\b/
body     __FB_NUM_PERCNT	/\d\s?\%/
body     __FB_OMEGA		/Omega/i
body     __FB_PH_SPACE_HTTP	m'PH[A-Za-z]{6,10}\b.{3,29}\shttp://'
body     __FB_PICK		/\bpick\b/i
body     __FB_PROJECTED		/projected/i
body     __FB_P_ALLNIGHT	/all night!/i
body     __FB_P_TRUELOVE	/true love/i
body     __FB_ROLEX_MEN		/Rolex Men/i
body     __FB_ROLEX_WMEN	/Rolex Lady/i
body     __FB_S_PRICE		/Pri{1,2}c[a-z]?e/i
body     __FB_S_STOCK		/Stock/i
body     __FB_S_SYMBOL		/Symb?o?l?:\s?[A-Z_,\.-]{4,8}/i
body     __FB_TIMEPIECE		/timepiece/i
meta     __FB_VIA_URL_SPEC1	(__FB_C_HTTP_WORD || __FB_V_HTTP_WORD || __FB_V_SPACE_HTTP || __FB_PH_SPACE_HTTP)
body     __FB_V_HTTP_WORD	m'v[il1]a[a-z]{2,7}\shttp://'i
body     __FB_V_SPACE_HTTP	m'\bv[a-z01 ]{0,3}a.{5,25}http://'i
body     __FB_WALLETS		/wallets/i
header   __FHELO_VERIZON	X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ ]+verizon\.net /i
header   __FHOST_VERIZON	X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+verizon\.net /i
header   __FH_FRM_53		From =~ /\@53\.com/i
header   __FH_HAS_XMSMAIL	exists:X-MSMail-Priority
header   __FH_HAS_XPRIORITY	exists:X-Priority
header   __FH_MSGID_00001C	MESSAGEID =~ /^<000001c/
header   __FH_MSGID_01C7	MESSAGEID =~ /^<0{1,5}1c7/
header   __FH_MSG_53		MESSAGEID =~ /\@53\.com/i
header   __FH_RCV_53		Received =~ /\.53\.com/i
body     __FIXED_RATEFVGT	/fixed rate/i
meta     __FM_MORTGAGE4PLUS	((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 3)
meta     __FM_MORTGAGE5PLUS	((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 4)
meta     __FM_MORTGAGE6PLUS	((__PREAPPROVEDFVGT + __FIXED_RATEFVGT + __YOUR_CREDITFVGT + __HOMELOANFVGT + __APPROVALFVGT + __BIGDOLLARSFVGT + __LOANURIFVGT + __MORTURIFVGT) > 5)
meta     __FM_MY_PRICE		(__FB_S_PRICE || FRT_PRICE)
meta     __FM_STOCK_WORDS	(__FB_HOTTEST || __FB_PICK || __FB_PROJECTED)
header __FROM_EBAY	From:addr =~ /\@ebay\.com$/i
header   __FROM_LEFT_BRACK	From:name =~ /</
header __FROM_PAYPAL	From:addr =~ /\@paypal\.com$/i
header   __FROM_RIGH_BRACK	From:name =~ />/
header   __FROM_VEGAS		From =~ /Vegas/i
header   __FS_SUBJ_RE		Subject =~ /^Re: /
header   __FS_S_TRADE		Subject =~ /\btrade\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
endif
body __HAS_ANY_EMAIL /\w@\S+\.\w/
uri __HAS_ANY_URI   /./
header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
header __HELO_NO_DOMAIN   X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^\.]+ /
body     __HOMELOANFVGT		/home loan/i
header   __HOST_HOTMAIL		X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /
header   __HOTMAILCOM		X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=hotmail\.com /i
header __HS_SUBJ_UC_FW Subject =~ /^FW:/
body            __KAM_LOTTO1    /(e-?mail address (have emerged a winner|has won|attached to (ticket|reference)|was one of the ten winners)|random selection in our computerized email selection system)/is       
body            __KAM_LOTTO2    /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
body            __KAM_LOTTO3    /(won|claim|cash prize|pounds? sterling)/is
body            __KAM_LOTTO4    /(claims (officer|agent)|lottery coordinator|fiduciary (officer|agent)|fiduaciary claims)/is
body            __KAM_LOTTO5    /(freelotto group|Royal Heritage Lottery|UK National (Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery)/is
body            __KAM_LOTTO6    /(Dear Lucky Winner|Winning Notification|Attention:Winner|Dear Winner)/is
header          __KAM_LOTTO7    Subject =~ /(Your Lucky Day|(Attention:|ONLINE) WINNER)/i
uri      __LOANURIFVGT		/\bloa.?ns?\b/i
header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header   __MANY_RECIPS		ToCc =~ /(?:\@[^@]{5,30}){3}/
body     __MASTERS		/Masters/i
body     __MBA			/MBA/i
header __MID_START_001C   Message-ID =~ /^<000001c/
header __MIMEOLE_1106   X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
header   __MISSING_REF		References =~ /^UNSET$/ [if-unset: UNSET]
header __MOLE_2962  X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
uri      __MORTURIFVGT		/\bmor.?t\b/i
header __MO_OL_015D5  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2905/
header __MO_OL_07794  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
header __MO_OL_09BB4  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3155\.0/
header __MO_OL_1ECD5  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/
header __MO_OL_20C99  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3338\.1/
header __MO_OL_22B61  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
header __MO_OL_25340  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
header __MO_OL_32D97  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V9\.0\.2416/
header __MO_OL_3857F  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1409/
header __MO_OL_3AC1D  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.00\.2919\.6700/
header __MO_OL_3D61D  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.2244\.8/
header __MO_OL_465CD  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1506/
header __MO_OL_4B815  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.2730\.2/
header __MO_OL_4BF4C  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4522\.1200/
header __MO_OL_4EEDB  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
header __MO_OL_4F240  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
header __MO_OL_58CB5  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4133\.2400/
header __MO_OL_5B79A  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.3790\.1830/
header __MO_OL_6554A  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2905/
header __MO_OL_72641  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1441/
header __MO_OL_7533E  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4963\.1700/
header __MO_OL_812FF  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4927\.1200/
header __MO_OL_83BF7  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.72\.3110\.3/
header __MO_OL_8627E  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
header __MO_OL_8E893  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V10\.0\.2616/
header __MO_OL_91287  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
header __MO_OL_9B90B  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.1700/
header __MO_OL_A50F8  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4922\.1500/
header __MO_OL_A842E  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1441/
header __MO_OL_ADFF7  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1158/
header __MO_OL_B30D1  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
header __MO_OL_B4B40  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4133\.2400/
header __MO_OL_B9B11  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2462\.0000/
header __MO_OL_BC7E6  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4927\.1200/
header __MO_OL_C65FA  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.1700/
header __MO_OL_C9068  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1807/
header __MO_OL_CAC8F  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V4\.71\.1712\.3/
header __MO_OL_CF0C0  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4807\.2300/
header __MO_OL_EF20B  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2180/
header __MO_OL_EF222  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2873/
header __MO_OL_F3B05  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1437/
header __MO_OL_F475E  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2741\.2600/
header __MO_OL_F6D01  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V5\.50\.4522\.1200/
header __MO_OL_FF5C8  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2741\.2600/
header   __MSGID_VGA		Message-ID =~ /^<000001c[67]/
header __MSOE_MID_WRONG_CASE   ALL =~ /\nMessage-Id: /
header __NAKED_TO   To =~ /^[^\s<>]+\@[^\s<>]+$/
meta     __NO_INR_YES_REF	(__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_CID_STOCK_LESS    Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CL Content-Location =~ /./
endif
body     __PHD			/PhD/i
body     __PREAPPROVEDFVGT	/pre-approved/i

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header	__RCVD_IN_DNSWL		eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
tflags	__RCVD_IN_DNSWL		nice net
endif

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header __RCVD_IN_DOB            eval:check_rbl('dob', 'dob.sibl.support-intelligence.net.', '255')
describe __RCVD_IN_DOB          Received via relay in new domain (Day Old Bread)
tflags __RCVD_IN_DOB            net
endif
meta     __SEX_WRDS		(__WORD_SEX || __WORD_CUM || __WORD_SPERM || __WORD_SLUTS || __WORD_RAPED)
header   __SUBJ_3DIGIT		Subject =~ /\b\d{3}[^0-9]/
header   __SUBJ_APPROVE		Subject =~ /Approve/i
header   __SUBJ_RE		Subject =~ /^R[eE]:/
header __SUBJ_RE_NUM	Subject =~ /^\s*Re\[\d+\]:/i
header   __SUBJ_VEGAS		Subject =~ /(?:Vegas|Casino)/i
header __TT_BROKEN_VALIUM       Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
header __TT_BROKEN_VIAGRA       Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
header __TT_OBSCURED_VALIUM     Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
header __TT_OBSCURED_VIAGRA     Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
header __TT_VALIUM              Subject =~ /VALIUM/i
header __TT_VIAGRA              Subject =~ /VIAGRA/i
header __TVD_PH_SUBJ_00		Subject =~ /\brewards? survey\b/i
header __TVD_PH_SUBJ_02		Subject =~ /\byour payment has been sent\b/i
header __TVD_PH_SUBJ_04		Subject =~ /\baccounts? profile\b/i
header __TVD_PH_SUBJ_15		Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
header __TVD_PH_SUBJ_17		Subject =~ /\bremove limitations?\b/i
header __TVD_PH_SUBJ_18		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
header __TVD_PH_SUBJ_19		Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
header __TVD_PH_SUBJ_29		Subject =~ /^notice(?::|[\s\W]*$)/i
header __TVD_PH_SUBJ_31		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
header __TVD_PH_SUBJ_36		Subject =~ /\bconsumer notice\b/i
header __TVD_PH_SUBJ_37		Subject =~ /\bvalued member[a-z]*\b/i
header __TVD_PH_SUBJ_38		Subject =~ /\bonline bank[a-z]*\b/i
header __TVD_PH_SUBJ_39		Subject =~ /\bonline department\b/i
header __TVD_PH_SUBJ_41		Subject =~ /\bunusual activity\b/i
header __TVD_PH_SUBJ_52		Subject =~ /\b(?:account|online) profile\b/i
header __TVD_PH_SUBJ_54		Subject =~ /\bun-?authorized access(?:es)?\b/i
header __TVD_PH_SUBJ_56		Subject =~ /\brespond now\b/i
header __TVD_PH_SUBJ_58		Subject =~ /\bbilling service\b/i
header __TVD_PH_SUBJ_59		Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
header __TVD_PH_SUBJ_ACCESS_POST	Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
header   __UA_GNUS		User-Agent =~ /^Gnus/
header   __UA_KNODE		User-Agent =~ /^KNode/
header   __UA_MUTT		User-Agent =~ /^Mutt/
header   __UA_PAN		User-Agent =~ /^Pan/
header   __UA_XNEWS		User-Agent =~ /^Xnews/
body     __VA_WORD		/\bV[A-Za-z]{2,4}RA\b/
body     __VM_WORD		/\bV[A-Za-z]{2,5}UM\b/
body     __WORD_CUM		/\bcum\b/i
body     __WORD_RAPED		/\braped?\b/i
body     __WORD_SEX		/\bsex(?:iest|y)?\b/i
body     __WORD_SLUTS		/\bsluts?\b/i
body     __WORD_SPERM		/\bsperm\b/i
header   __XM_GNUS		X-Mailer =~ /^Gnus v/
header   __XM_MOZ4		X-Mailer =~ /^Mozilla 4/
header   __XM_MSOE5		X-Mailer =~ /^Microsoft Outlook Express 5/
header   __XM_MSOE6		X-Mailer =~ /^Microsoft Outlook Express 6/
header __XM_MS_IN_GENERAL     X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
header __XM_OL_015D5  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_07794  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_09BB4  X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3155\.0/
header __XM_OL_10_0_4115    X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
header __XM_OL_1ECD5  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/
header __XM_OL_20C99  X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3338\.1/
header __XM_OL_22B61  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1158/
header __XM_OL_25340  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_28001441    X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
header __XM_OL_28004682    X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
header __XM_OL_32D97  X-Mailer =~ /Microsoft\ Outlook\ IMO\,\ Build\ 9\.0\.2416\ \(9\.0\.2910\.0\)/
header __XM_OL_3857F  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_3AC1D  X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.00\.2919\.6700/
header __XM_OL_3D61D  X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.2244\.8/
header __XM_OL_465CD  X-Mailer =~ /Microsoft\ Outlook\,\ Build\ 10\.0\.3416/
header __XM_OL_48072300    X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
header __XM_OL_4B815  X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.2730\.2/
header __XM_OL_4BF4C  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_4EEDB  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_4F240  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_4_72_2106_4  X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
header __XM_OL_58CB5  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_5B79A  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_6554A  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_72641  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1441/
header __XM_OL_7533E  X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4963\.1700/
header __XM_OL_812FF  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_83BF7  X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.72\.3110\.3/
header __XM_OL_8627E  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1437/
header __XM_OL_8E893  X-Mailer =~ /Microsoft\ Outlook\,\ Build\ 10\.0\.2616/
header __XM_OL_91287  X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4807\.2300/
header __XM_OL_9B90B  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_A50F8  X-Mailer =~ /Microsoft\ Outlook\ Express\ 5\.50\.4922\.1500/
header __XM_OL_A842E  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1158/
header __XM_OL_ADFF7  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_B30D1  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_B4B40  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_B9B11  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2462\.0000/
header __XM_OL_BC7E6  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_C65FA  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_C9068  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1478/
header __XM_OL_CAC8F  X-Mailer =~ /Microsoft\ Outlook\ Express\ 4\.71\.1712\.3/
header __XM_OL_CF0C0  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_EF20B  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1478/
header __XM_OL_EF222  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2900\.2873/
header __XM_OL_F3B05  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OL_F475E  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_F6D01  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.6353/
header __XM_OL_FF5C8  X-Mailer =~ /Microsoft\ Office\ Outlook\,\ Build\ 11\.0\.5510/
header __XM_OUTLOOK_EXPRESS    X-Mailer =~ /^Microsoft Outlook Express \d/
header   __XM_SKYRI		X-Mailer =~ /^SKYRiXgreen/
header   __XM_WWWMAIL		X-Mailer =~ /^WWW-Mail \d/
body     __YOUR_ACCOUNT		/your account/i
body     __YOUR_CREDITFVGT	/your credit/i