rulesrc/sandbox/dos/70_other.cf - spamassassin - Git at Google

 ########################################################################
 #
 # <@LICENSE>
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to you under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at:
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # </@LICENSE>
 #
 ########################################################################


 # Russian dating spams that usually have email addresses at domains listed
 # by URIBL and sometimes SURBL -- that we won't check
 body	__DOS_COMING_TO_YOUR_PLACE	/I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
 body	__DOS_MEET_EACH_OTHER		/(?:meet each other|[Mm]ay ?be we can meet)/
 body	__DOS_DROP_ME_A_LINE		/Drop me a line at/
 body	__DOS_CORRESPOND_EMAIL		/correspond with me using my email/
 body	__DOS_EMAIL_DIRECTLY		/(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
 body	__DOS_WRITE_ME_AT		/[Ww].?r.?i.?t.?e me at/
 body	__DOS_PERSONAL_EMAIL		/personal email at/
 body	__DOS_I_AM_25			/I a.?m 25/
 meta	DOS_YOUR_PLACE	(__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
 describe	DOS_YOUR_PLACE		Russian dating spam


 # Domain Listing Center
 body	__DOS_DOM_LIST_CENTER		/Domain Listing Center/
 body	__DOS_NOT_A_BILL		/THIS IS NOT A BILL/
 body	__DOS_SUB_SEARCH_ENGINE		/Submission to \d{2,4} search engines/
 header  __DOS_FINAL_NOTICE_DL		Subject =~ /Final Notice of Domain Listing/
 meta	DOS_DOM_LIST_CENTER		(__DOS_DOM_LIST_CENTER && __DOS_NOT_A_BILL && __DOS_SUB_SEARCH_ENGINE && __DOS_FINAL_NOTICE_DL)
 describe	DOS_DOM_LIST_CENTER	Final notice for search engine submission


 # Stock's with prices containing 'O'
 body	__DOS_STOCK_COMPANY		/Company: /
 body	__DOS_STOCK_TICKER		/Ticker: /
 body	__DOS_STOCK_O_PRICE		/(?:Current|Target)(?: Price)?:\s+\$(?:O\.|\d\.O)/
 meta	DOS_STOCK_O_PRICE		(__DOS_STOCK_COMPANY && __DOS_STOCK_TICKER && __DOS_STOCK_O_PRICE)
 describe	DOS_STOCK_O_PRICE	Stocks with 'oh', rather than 'zero' values


 # http://www.squirrelmail.org/docs/user/user-3.html#ss3.1
 # mids: 1123.145.23.250.17.squirrel@webserveraddress
 # Message-ID: <1252.10.145.1.219.1157357908.squirrel@cyan.dostech.net>
 # X-Mailer: SquirrelMail (version 1.2.11)
 # User-Agent: SquirrelMail/1.4.4
 #
 # Disabled 2014-07-03 - Bug 7061
 #header __DOS_UA_SM	User-Agent =~ /SquirrelMail/
 #header __DOS_MAILER_SM	X-Mailer =~ /SquirrelMail/
 #header __DOS_RELAY_SM	Received =~ /SquirrelMail authenticated/
 #header __DOS_SM_MID	Message-ID =~ /^<\d{4,8}(?:\.\d{1,3}){4}(?:\.\d{10})?\.squirrel\@[A-Za-z0-9._-]+>$/
 #
 #meta DOS_FAKE_SQUIRREL		(__DOS_MAILER_SM || __DOS_UA_SM) && (!__DOS_RELAY_SM || !__DOS_SM_MID)
 #describe DOS_FAKE_SQUIRREL	Message contains faked SquirrelMail headers


 # your job must suck if you count how long you've had it by months after 10 or 20+ years
 body __DOS_LET_GO_JOB	/I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
 body __DOS_MY_OLD_JOB	/my old job/
 body __DOS_I_DRIVE_A	/I drive a/
 body __DOS_TAKING_HOME	/Taking home \d (?:digit level|figures) in \d{1,2} months/

 meta DOS_LET_GO_JOB	__DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
 describe DOS_LET_GO_JOB	Let go from their job and now makes lots of dough!


 # these shouldn't last long, but I'm curious... and need a mortgage
 body __DOS_488K_FIXED	/\$488,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% fixed/
 body __DOS_372K_VARI	/\$372,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% variable/
 body __DOS_492K_INT	/\$492,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% interest/
 body __DOS_248K_FIXED	/\$248,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% fixed/
 body __DOS_198K_VARI	/\$198,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% variable/

 meta DOS_MORTGAGE	__DOS_488K_FIXED + __DOS_372K_VARI + __DOS_492K_INT + __DOS_248K_FIXED + __DOS_198K_VARI > 1


 # I won't be buying stocks from a stock broker who manages to spell stock wrong twice in a row
 body DOS_DOUBLE_SOTCK		/\b(s(?:otc|tco)k)\b.{15,50}\b\1\b/
 describe DOS_DOUBLE_SOTCK	Stock spelt wrong the same way twice in a row

 body DOS_TWO_MIS_STOCK		/\bs(?:otc|tco)k\b.{15,50}\bs(?:otc|tco)k\b/
 describe DOS_TWO_MIS_STOCK	Stock spelt wrong twice in a row


 # small bodied stock spams - Oct 19, 2006
 header __DOS_HAVE_TO_READ	Subject =~ /have to read/
 header __DOS_REQ_TO_READ	Subject =~ /require to read/

 body __DOS_TOLD_DAY		/have been told that (?:Mon|Tues|Wednes|Thurs|Fri)day is the day/
 body __DOS_OIL_EXCEED		/oil \w{2,20} exceeded all its expectations/
 body __DOS_DEAL_MAKE_MONEY	/is the \w{2,20} deal and those who knows it is making money/
 body __DOS_GREAT_DRAWN_UP	/great \w{2,20} are drawn up/
 body __DOS_KEY_GET_IN_EARLY	/key is getting in early/
 body __DOS_INCREASE_UP		/increase is up/
 body __DOS_WASTE_TIME_MISS	/(?:waste time|loss moment) and miss out/
 body __DOS_NO_STOPPING		/no stopping this one/

 meta DOS_TO_READ_STOCK		(__DOS_HAVE_TO_READ || __DOS_REQ_TO_READ) + __DOS_TOLD_DAY + __DOS_OIL_EXCEED + __DOS_DEAL_MAKE_MONEY + __DOS_GREAT_DRAWN_UP + __DOS_KEY_GET_IN_EARLY + __DOS_INCREASE_UP + __DOS_WASTE_TIME_MISS + __DOS_NO_STOPPING > 4

 describe DOS_TO_READ_STOCK	Stock pumping you just have to read
 ## score DOS_TO_READ_STOCK		2.0


 # text messages from my phone to email addresses often end up with a score of 4.9+
 header		__BELL_MOBILITY_RELAY	X-Spam-Relays-External =~ /^[^\]]+ rdns=mail\.txt\.bellmobilite\.ca helo=erwdbmgweb02\.bellmobilite\.ca /
 meta		BELL_MOBILITY_TXT_MSG	INVALID_DATE && MISSING_SUBJECT && FROM_STARTS_WITH_NUMS && __BELL_MOBILITY_RELAY
 describe	BELL_MOBILITY_TXT_MSG	Adjustment for poorly formatted text->email messages
 tflags		BELL_MOBILITY_TXT_MSG	nice
 ## score		BELL_MOBILITY_TXT_MSG	-4.0


 # <puppyforslae.com@rfidalliancelabs.com>
 header		DOS_DOT_COM_AT	Envelope-From:addr =~ /^[^=]+\.com\@[^\@]+$/
 describe	DOS_DOT_COM_AT	Envelope-From has a domain.com@anotherdomain.com


 # pump and dump stock spam claiming to be sent by The Bat!
 header	__DOS_RCVD_MON	Received =~ / Mon, /
 header	__DOS_RCVD_TUE	Received =~ / Tue, /
 header	__DOS_RCVD_WED	Received =~ / Wed, /
 header	__DOS_RCVD_THU	Received =~ / Thu, /
 header	__DOS_RCVD_FRI	Received =~ / Fri, /
 header	__DOS_RCVD_SAT	Received =~ / Sat, /
 header	__DOS_RCVD_SUN	Received =~ / Sun, /

 body	__DOS_BODY_MON	/\bmon(?:day)?\b/i
 body	__DOS_BODY_TUE	/\btue(?:s(?:day)?)?\b/i
 body	__DOS_BODY_WED	/\bwed(?:nesday)?\b/i
 body	__DOS_BODY_THU	/\bthu(?:r(?:s(?:day)?)?)?\b/i
 body	__DOS_BODY_FRI	/\bfri(?:day)?\b/i
 body	__DOS_BODY_SAT	/\bsat(?:day)?\b/i
 body	__DOS_BODY_SUN	/\bsun(?:day)?\b/i

 meta	__DOS_REF_TODAY		(__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)

 meta	__DOS_REF_NEXT_WK_DAY	(__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)

 meta	__DOS_REF_2_WK_DAYS	(__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)

 body		__DOS_BODY_STOCK	/\bstock\b/i
 body		__DOS_BODY_TICKER	/\b[A-Z]{4}\.(?:OB|PK)\b/

 meta		DOS_STOCK_BAT		__THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
 describe	DOS_STOCK_BAT		Probable pump and dump stock spam

 body		__DOS_FIN_ADVANTAGE	/\bfinancial advantage/i
 body		__DOS_STRONG_CF		/\bstrong cash flow/i
 body		__DOS_STEADY_COURSE	/\bsteady (?:and increasing )?course\b/i

 meta		DOS_STOCK_BAT2		DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)


 # http://www.fod*rx.com
 # http://www.rx555*com
 uri DOS_URI_ASTERISK    m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
 describe DOS_URI_ASTERISK       Found an asterisk in a URI
 ## score DOS_URI_ASTERISK  1.5


 header __DOS_SINGLE_EXT_RELAY   X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
 body __DOS_HI                   /^Hi,$/
 body __DOS_LINK                 /\blink\b/
 uri __DOS_HAS_ANY_URI		/^\w+:\/\//

 meta DOS_FIX_MY_URI             __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
 describe DOS_FIX_MY_URI         Looks like a "fix my obfu'd URI please" spam
 #score DOS_FIX_MY_URI            1.2


 # 20070405 - pump and dump income statement spam
 body __DOS_SYMBOL_4	/\bSymbol [A-Z]{4}\b/
 body __DOS_HEADLINES	/\bHeadlines\b/

 body DOS_PROVISION4	/\bProvisionfor income taxes\b/
 describe DOS_PROVISION4	Provision for income taxes
 score DOS_PROVISION4	1.5

 body DOS_REPORT_FIN_INC		/\bReport of financial income\b/
 describe DOS_REPORT_FIN_INC	Report of financial income
 score DOS_REPORT_FIN_INC	0.5

 meta DOS_STOCK_INCOME_STATEMENT		DOS_REPORT_FIN_INC && DOS_PROVISION4 && __DOS_SYMBOL_4 && __DOS_HEADLINES
 describe DOS_STOCK_INCOME_STATEMENT	Pump and dump stock income statement spam
 score DOS_STOCK_INCOME_STATEMENT	1.5

 # 20070405 - pump and dump spam CDYV, generic version ([A-Z]{4} for CDYV)
 body DOS_STOCK_CDYV_GENERIC	/(?:Lookup|Sym8oL|Search for|Promoting sym|S\.umbol|Target sym|Campaign for): [A-Z]{4},?.{1,50}\b[Pp]rice/
 describe DOS_STOCK_CDYV_GENERIC	Pump and dump stock spam
 score DOS_STOCK_CDYV_GENERIC	2.5

 # 20070905 - GIF spam
 header __DOS_HAS_LIST_ID	exists:List-ID
 header __DOS_HAS_LIST_UNSUB	exists:List-Unsubscribe
 header __DOS_HAS_MAILING_LIST	exists:Mailing-List
 # we complete ignore(!) received headers we can't get "useful" info from, which screws up detecting direct-to-mx
 header __DOS_RELAYED_EXT	ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
 meta __DOS_DIRECT_TO_MX		__DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT

 meta DOS_OUTLOOK_TO_MX		__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OUTLOOK_TO_MX_IMAGE
 describe DOS_OUTLOOK_TO_MX	Delivered direct to MX with Outlook headers

 meta DOS_OUTLOOK_TO_MX_IMAGE		__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
 describe DOS_OUTLOOK_TO_MX_IMAGE	Direct to MX with Outlook headers and an image

 meta DOS_OE_TO_MX		__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
 describe DOS_OE_TO_MX		Delivered direct to MX with OE headers

 meta DOS_OE_TO_MX_IMAGE		__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
 describe DOS_OE_TO_MX_IMAGE	Direct to MX with OE headers and an image

 # 20070907 - Google "I'm feeling lucky" redirect
 uri DOS_GOOGLE_LUCKY_REDIRECT	  	m{^http://[^/]\.google\.[^/]/search?(?:.*&|&?)btnI=?}
 describe DOS_GOOGLE_LUCKY_REDIRECT	Invisible Google redirect using the "lucky button"

 # 20070911 - new-ish anal porn site spam
 # force publish it for scoring, it's the only spam I get that isn't caught
 header DOS_ANAL_SPAM_MAILER	X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
 describe DOS_ANAL_SPAM_MAILER	X-mailer pattern common to anal porn site spam
 tflags DOS_ANAL_SPAM_MAILER	publish

 # 20071004 - new variant in the last few days
 header DOS_ANAL_SPAM_MAILER2	X-mailer =~ /^[A-Z][a-z]{6}e .* \d\.\d{2}$/
 describe DOS_ANAL_SPAM_MAILER2	X-mailer pattern common to porn site spam
 #tflags DOS_ANAL_SPAM_MAILER2	publish

 # 20070927 - sendmail specific check to detect forged received headers
 header DOS_FORGED_RCVD_QUADS    ALL-EXTERNAL =~ /(?:^|\n)Received:\s+from \[(\d{2,3}\.\d{1,3}.\d{1,3}\.\d{1,3})\] .+\nReceived:\s+from \[\1\] by \S+; /
 describe DOS_FORGED_RCVD_QUADS  Probable forged received header

 # 20080213 - generic DOS_FORGED_RCVD_QUADS_x
 header DOS_RCVD_IP_TWICE_A	X-Spam-Relays-External =~ /\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=\S+ [^\[]*\[ ip=\1 /
 describe DOS_RCVD_IP_TWICE_A	Received from the same IP twice in a row

 header DOS_RCVD_IP_TWICE_B	X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\]]*\]\s*$/
 describe DOS_RCVD_IP_TWICE_B	Received from the same IP twice in a row (only one external relay)

 header DOS_RCVD_IP_TWICE_C	X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
 describe DOS_RCVD_IP_TWICE_C	Received from the same IP twice in a row (only one external relay; empty or IP helo)

 # 20071108 - asks you to remove the dot from the end of the domain name
 body DOS_REMOVE_DOMAIN_DOT		/e(?:mov|let)e the (?:dot|period|point) from the end/
 meta DOS_REMOVE_DOMAIN_DOT_YAHOO	DOS_REMOVE_DOMAIN_DOT && FORGED_YAHOO_RCVD

 # 20071118 - web pharmacy spam
 body __DOS_MED_WHAT_COULD       /\bwhat (?:more|else) could you /i
 body __DOS_MED_NO_DIRECTION     /\bN0 (?:(?:medicinal|doctor) (?:directions|instructions|recommendations)|prescriptions needed)\b/
 body __DOS_MED_CAN_WEB_PHARM    /\b(?:Web-Based Canadian|Canadian On-Line) Pharmacy\b/i
 body __DOS_MED_MARK_DOWN        /\d{2}% (?:mark down|reduction)/i
 meta DOS_MED_CAN_PHARM_NOV07    __OE_MSGID_2 && __DOS_HAS_ANY_URI && ((__DOS_MED_WHAT_COULD && __DOS_MED_NO_DIRECTION) || ( __DOS_MED_CAN_WEB_PHARM && __DOS_MED_MARK_DOWN))

 # 20071220
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
   mimeheader    DOS_ZIP_HARDCORE        Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
   describe      DOS_ZIP_HARDCORE        hardcore.zip file attached; quite certainly a virus
   score         DOS_ZIP_HARDCORE        2.5
 endif

 body            DOS_PLAYED_IN_HARDCORE  /played in hardcore porn/
 describe        DOS_PLAYED_IN_HARDCORE  Claims someone played in hardcore porn
 score           DOS_PLAYED_IN_HARDCORE  1.5

 meta DOS_HC_ZIP_VIRUS           DOS_ZIP_HARDCORE && DOS_PLAYED_IN_HARDCORE
 describe DOS_HC_ZIP_VIRUS       Hardcore porn virus spam
 score DOS_HC_ZIP_VIRUS          3.5

 # 20071227
 header DOS_PORN_BOUNDARY        Content-Type =~ /\bboundary="----\#(?:SUBSTANCE|CONTENT)_BOUNDARY"$/
 describe DOS_PORN_BOUNDARY      Content boundary common to porn spam
 score DOS_PORN_BOUNDARY         1.0

 # 20070225
 header X_MAILER_CME_6543_MSN	X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/


 # 20070723
 header DOS_FAKE_UPS_TRACK_NUM	Subject =~ /UPS Tracking Number \d{10}/
 describe DOS_FAKE_UPS_TRACK_NUM	Invalid UPS Tracking Number in Subject

 # 2000818
 header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/
 header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/

 meta DOS_DEREK_AUG08    __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)

 # 20081030 - high bit mail sent direct to MX claiming to be The Bat!
 meta DOS_HIGH_BAT_TO_MX		__DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
 describe DOS_HIGH_BAT_TO_MX	The Bat! Direct to MX with High Bits

 # 20081101 - domain expiration/maintenance phishes
 uri DOS_PHISH_WWW_COM_BIZ	/^http:\/\/www\.[^.]+\.com\.[^.]+\.biz$/
 uri DOS_PHISH_WWW_COM_RU	/^http:\/\/www\.[^.]+\.com\.[^.]+\.ru$/

 # 20081105 - high bit body with no message id header
 meta DOS_BODY_HIGH_NO_MID       __HIGHBITS && MISSING_MID
 describe DOS_BODY_HIGH_NO_MID   High bit body and no message ID header

 # 20081111 - less conservative shot at highbit spam
 # 20100408 - disabled -- this rule appears to be bad... complaints in bug 6389
 #meta DOS_HIGHBIT_HDRS_BODY      __FROM_NEEDS_MIME && __SUBJECT_ENCODED_B64 && __FROM_ENCODED_B64 && __SUBJECT_NEEDS_MIME && __HIGHBITS
 #describe DOS_HIGHBIT_HDRS_BODY  Headers need encoding and body is highbit
	########################################################################
	#
	# <@LICENSE>
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to you under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at:
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	# </@LICENSE>
	#
	########################################################################


	# Russian dating spams that usually have email addresses at domains listed
	# by URIBL and sometimes SURBL -- that we won't check
	body __DOS_COMING_TO_YOUR_PLACE /I (?:am\|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}\|e down) to y[!a-z]{2,4}r (?:city\|place[a-z]{0,2}\|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w\|\d{1,2}) (?:day\|week)s/
	body __DOS_MEET_EACH_OTHER /(?:meet each other\|[Mm]ay ?be we can meet)/
	body __DOS_DROP_ME_A_LINE /Drop me a line at/
	body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
	body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e\|address) direc(?:tl\|lt)y at/
	body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
	body __DOS_PERSONAL_EMAIL /personal email at/
	body __DOS_I_AM_25 /I a.?m 25/
	meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE \|\| __DOS_CORRESPOND_EMAIL \|\| __DOS_EMAIL_DIRECTLY \|\| __DOS_I_AM_25 \|\| __DOS_WRITE_ME_AT \|\| __DOS_PERSONAL_EMAIL))
	describe DOS_YOUR_PLACE Russian dating spam


	# Domain Listing Center
	body __DOS_DOM_LIST_CENTER /Domain Listing Center/
	body __DOS_NOT_A_BILL /THIS IS NOT A BILL/
	body __DOS_SUB_SEARCH_ENGINE /Submission to \d{2,4} search engines/
	header __DOS_FINAL_NOTICE_DL Subject =~ /Final Notice of Domain Listing/
	meta DOS_DOM_LIST_CENTER (__DOS_DOM_LIST_CENTER && __DOS_NOT_A_BILL && __DOS_SUB_SEARCH_ENGINE && __DOS_FINAL_NOTICE_DL)
	describe DOS_DOM_LIST_CENTER Final notice for search engine submission


	# Stock's with prices containing 'O'
	body __DOS_STOCK_COMPANY /Company: /
	body __DOS_STOCK_TICKER /Ticker: /
	body __DOS_STOCK_O_PRICE /(?:Current\|Target)(?: Price)?:\s+\$(?:O\.\|\d\.O)/
	meta DOS_STOCK_O_PRICE (__DOS_STOCK_COMPANY && __DOS_STOCK_TICKER && __DOS_STOCK_O_PRICE)
	describe DOS_STOCK_O_PRICE Stocks with 'oh', rather than 'zero' values


	# http://www.squirrelmail.org/docs/user/user-3.html#ss3.1
	# mids: 1123.145.23.250.17.squirrel@webserveraddress
	# Message-ID: <1252.10.145.1.219.1157357908.squirrel@cyan.dostech.net>
	# X-Mailer: SquirrelMail (version 1.2.11)
	# User-Agent: SquirrelMail/1.4.4
	#
	# Disabled 2014-07-03 - Bug 7061
	#header __DOS_UA_SM User-Agent =~ /SquirrelMail/
	#header __DOS_MAILER_SM X-Mailer =~ /SquirrelMail/
	#header __DOS_RELAY_SM Received =~ /SquirrelMail authenticated/
	#header __DOS_SM_MID Message-ID =~ /^<\d{4,8}(?:\.\d{1,3}){4}(?:\.\d{10})?\.squirrel\@[A-Za-z0-9._-]+>$/
	#
	#meta DOS_FAKE_SQUIRREL (__DOS_MAILER_SM \|\| __DOS_UA_SM) && (!__DOS_RELAY_SM \|\| !__DOS_SM_MID)
	#describe DOS_FAKE_SQUIRREL Message contains faked SquirrelMail headers


	# your job must suck if you count how long you've had it by months after 10 or 20+ years
	body __DOS_LET_GO_JOB /I was (?:let go\|fired\|layed off\|dismissed) from a job I h(?:el\|a)d for (?:2\d years\|\d{3} months)/
	body __DOS_MY_OLD_JOB /my old job/
	body __DOS_I_DRIVE_A /I drive a/
	body __DOS_TAKING_HOME /Taking home \d (?:digit level\|figures) in \d{1,2} months/

	meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
	describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!


	# these shouldn't last long, but I'm curious... and need a mortgage
	body __DOS_488K_FIXED /\$488,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% fixed/
	body __DOS_372K_VARI /\$372,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% variable/
	body __DOS_492K_INT /\$492,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% interest/
	body __DOS_248K_FIXED /\$248,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% fixed/
	body __DOS_198K_VARI /\$198,?\d{3}(?:\.00)? at a [0-3]\.\d{2}% variable/

	meta DOS_MORTGAGE __DOS_488K_FIXED + __DOS_372K_VARI + __DOS_492K_INT + __DOS_248K_FIXED + __DOS_198K_VARI > 1


	# I won't be buying stocks from a stock broker who manages to spell stock wrong twice in a row
	body DOS_DOUBLE_SOTCK /\b(s(?:otc\|tco)k)\b.{15,50}\b\1\b/
	describe DOS_DOUBLE_SOTCK Stock spelt wrong the same way twice in a row

	body DOS_TWO_MIS_STOCK /\bs(?:otc\|tco)k\b.{15,50}\bs(?:otc\|tco)k\b/
	describe DOS_TWO_MIS_STOCK Stock spelt wrong twice in a row


	# small bodied stock spams - Oct 19, 2006
	header __DOS_HAVE_TO_READ Subject =~ /have to read/
	header __DOS_REQ_TO_READ Subject =~ /require to read/

	body __DOS_TOLD_DAY /have been told that (?:Mon\|Tues\|Wednes\|Thurs\|Fri)day is the day/
	body __DOS_OIL_EXCEED /oil \w{2,20} exceeded all its expectations/
	body __DOS_DEAL_MAKE_MONEY /is the \w{2,20} deal and those who knows it is making money/
	body __DOS_GREAT_DRAWN_UP /great \w{2,20} are drawn up/
	body __DOS_KEY_GET_IN_EARLY /key is getting in early/
	body __DOS_INCREASE_UP /increase is up/
	body __DOS_WASTE_TIME_MISS /(?:waste time\|loss moment) and miss out/
	body __DOS_NO_STOPPING /no stopping this one/

	meta DOS_TO_READ_STOCK (__DOS_HAVE_TO_READ \|\| __DOS_REQ_TO_READ) + __DOS_TOLD_DAY + __DOS_OIL_EXCEED + __DOS_DEAL_MAKE_MONEY + __DOS_GREAT_DRAWN_UP + __DOS_KEY_GET_IN_EARLY + __DOS_INCREASE_UP + __DOS_WASTE_TIME_MISS + __DOS_NO_STOPPING > 4

	describe DOS_TO_READ_STOCK Stock pumping you just have to read
	## score DOS_TO_READ_STOCK 2.0


	# text messages from my phone to email addresses often end up with a score of 4.9+
	header __BELL_MOBILITY_RELAY X-Spam-Relays-External =~ /^[^\]]+ rdns=mail\.txt\.bellmobilite\.ca helo=erwdbmgweb02\.bellmobilite\.ca /
	meta BELL_MOBILITY_TXT_MSG INVALID_DATE && MISSING_SUBJECT && FROM_STARTS_WITH_NUMS && __BELL_MOBILITY_RELAY
	describe BELL_MOBILITY_TXT_MSG Adjustment for poorly formatted text->email messages
	tflags BELL_MOBILITY_TXT_MSG nice
	## score BELL_MOBILITY_TXT_MSG -4.0


	# <puppyforslae.com@rfidalliancelabs.com>
	header DOS_DOT_COM_AT Envelope-From:addr =~ /^[^=]+\.com\@[^\@]+$/
	describe DOS_DOT_COM_AT Envelope-From has a domain.com@anotherdomain.com


	# pump and dump stock spam claiming to be sent by The Bat!
	header __DOS_RCVD_MON Received =~ / Mon, /
	header __DOS_RCVD_TUE Received =~ / Tue, /
	header __DOS_RCVD_WED Received =~ / Wed, /
	header __DOS_RCVD_THU Received =~ / Thu, /
	header __DOS_RCVD_FRI Received =~ / Fri, /
	header __DOS_RCVD_SAT Received =~ / Sat, /
	header __DOS_RCVD_SUN Received =~ / Sun, /

	body __DOS_BODY_MON /\bmon(?:day)?\b/i
	body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
	body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
	body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
	body __DOS_BODY_FRI /\bfri(?:day)?\b/i
	body __DOS_BODY_SAT /\bsat(?:day)?\b/i
	body __DOS_BODY_SUN /\bsun(?:day)?\b/i

	meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) \|\| (__DOS_RCVD_TUE && __DOS_BODY_TUE) \|\| (__DOS_RCVD_WED && __DOS_BODY_WED) \|\| (__DOS_RCVD_THU && __DOS_BODY_THU) \|\| (__DOS_RCVD_FRI && __DOS_BODY_FRI) \|\| (__DOS_RCVD_SAT && __DOS_BODY_SAT) \|\| (__DOS_RCVD_SUN && __DOS_BODY_SUN)

	meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) \|\| (__DOS_RCVD_TUE && __DOS_BODY_WED) \|\| (__DOS_RCVD_WED && __DOS_BODY_THU) \|\| (__DOS_RCVD_THU && __DOS_BODY_FRI) \|\| (__DOS_RCVD_FRI && __DOS_BODY_MON) \|\| (__DOS_RCVD_SAT && __DOS_BODY_MON) \|\| (__DOS_RCVD_SUN && __DOS_BODY_MON)

	meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) \|\| (__DOS_RCVD_TUE && __DOS_BODY_THU) \|\| (__DOS_RCVD_WED && __DOS_BODY_FRI) \|\| (__DOS_RCVD_THU && __DOS_BODY_MON) \|\| (__DOS_RCVD_FRI && __DOS_BODY_TUE) \|\| (__DOS_RCVD_SAT && __DOS_BODY_TUE) \|\| (__DOS_RCVD_SUN && __DOS_BODY_TUE)

	body __DOS_BODY_STOCK /\bstock\b/i
	body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB\|PK)\b/

	meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK \|\| __DOS_BODY_TICKER) && (__DOS_REF_TODAY \|\| __DOS_REF_NEXT_WK_DAY \|\| __DOS_REF_2_WK_DAYS)
	describe DOS_STOCK_BAT Probable pump and dump stock spam

	body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
	body __DOS_STRONG_CF /\bstrong cash flow/i
	body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i

	meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)


	# http://www.fod*rx.com
	# http://www.rx555*com
	uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\[A-Za-z0-9-]\.\|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$\|:\|/)}
	describe DOS_URI_ASTERISK Found an asterisk in a URI
	## score DOS_URI_ASTERISK 1.5


	header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
	body __DOS_HI /^Hi,$/
	body __DOS_LINK /\blink\b/
	uri __DOS_HAS_ANY_URI /^\w+:\/\//

	meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
	describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
	#score DOS_FIX_MY_URI 1.2


	# 20070405 - pump and dump income statement spam
	body __DOS_SYMBOL_4 /\bSymbol [A-Z]{4}\b/
	body __DOS_HEADLINES /\bHeadlines\b/

	body DOS_PROVISION4 /\bProvisionfor income taxes\b/
	describe DOS_PROVISION4 Provision for income taxes
	score DOS_PROVISION4 1.5

	body DOS_REPORT_FIN_INC /\bReport of financial income\b/
	describe DOS_REPORT_FIN_INC Report of financial income
	score DOS_REPORT_FIN_INC 0.5

	meta DOS_STOCK_INCOME_STATEMENT DOS_REPORT_FIN_INC && DOS_PROVISION4 && __DOS_SYMBOL_4 && __DOS_HEADLINES
	describe DOS_STOCK_INCOME_STATEMENT Pump and dump stock income statement spam
	score DOS_STOCK_INCOME_STATEMENT 1.5

	# 20070405 - pump and dump spam CDYV, generic version ([A-Z]{4} for CDYV)
	body DOS_STOCK_CDYV_GENERIC /(?:Lookup\|Sym8oL\|Search for\|Promoting sym\|S\.umbol\|Target sym\|Campaign for): [A-Z]{4},?.{1,50}\b[Pp]rice/
	describe DOS_STOCK_CDYV_GENERIC Pump and dump stock spam
	score DOS_STOCK_CDYV_GENERIC 2.5

	# 20070905 - GIF spam
	header __DOS_HAS_LIST_ID exists:List-ID
	header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
	header __DOS_HAS_MAILING_LIST exists:Mailing-List
	# we complete ignore(!) received headers we can't get "useful" info from, which screws up detecting direct-to-mx
	header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^\|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
	meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT

	meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OUTLOOK_TO_MX_IMAGE
	describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers

	meta DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
	describe DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image

	meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
	describe DOS_OE_TO_MX Delivered direct to MX with OE headers

	meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
	describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image

	# 20070907 - Google "I'm feeling lucky" redirect
	uri DOS_GOOGLE_LUCKY_REDIRECT m{^http://[^/]\.google\.[^/]/search?(?:.*&\|&?)btnI=?}
	describe DOS_GOOGLE_LUCKY_REDIRECT Invisible Google redirect using the "lucky button"

	# 20070911 - new-ish anal porn site spam
	# force publish it for scoring, it's the only spam I get that isn't caught
	header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
	describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
	tflags DOS_ANAL_SPAM_MAILER publish

	# 20071004 - new variant in the last few days
	header DOS_ANAL_SPAM_MAILER2 X-mailer =~ /^[A-Z][a-z]{6}e .* \d\.\d{2}$/
	describe DOS_ANAL_SPAM_MAILER2 X-mailer pattern common to porn site spam
	#tflags DOS_ANAL_SPAM_MAILER2 publish

	# 20070927 - sendmail specific check to detect forged received headers
	header DOS_FORGED_RCVD_QUADS ALL-EXTERNAL =~ /(?:^\|\n)Received:\s+from \[(\d{2,3}\.\d{1,3}.\d{1,3}\.\d{1,3})\] .+\nReceived:\s+from \[\1\] by \S+; /
	describe DOS_FORGED_RCVD_QUADS Probable forged received header

	# 20080213 - generic DOS_FORGED_RCVD_QUADS_x
	header DOS_RCVD_IP_TWICE_A X-Spam-Relays-External =~ /\[ ip=(?!127)([\d.]+) [^\[]\bhelo=\S+ [^\[]\[ ip=\1 /
	describe DOS_RCVD_IP_TWICE_A Received from the same IP twice in a row

	header DOS_RCVD_IP_TWICE_B X-Spam-Relays-External =~ /^\s\[ ip=(?!127)([\d.]+) [^\[]\[ ip=\1 [^\]]\]\s$/
	describe DOS_RCVD_IP_TWICE_B Received from the same IP twice in a row (only one external relay)

	header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s\[ ip=(?!127)([\d.]+) [^\[]\bhelo=(?:![\d.]{7,15}!)? [^\[]\[ ip=\1 [^\]]\]\s*$/
	describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)

	# 20071108 - asks you to remove the dot from the end of the domain name
	body DOS_REMOVE_DOMAIN_DOT /e(?:mov\|let)e the (?:dot\|period\|point) from the end/
	meta DOS_REMOVE_DOMAIN_DOT_YAHOO DOS_REMOVE_DOMAIN_DOT && FORGED_YAHOO_RCVD

	# 20071118 - web pharmacy spam
	body __DOS_MED_WHAT_COULD /\bwhat (?:more\|else) could you /i
	body __DOS_MED_NO_DIRECTION /\bN0 (?:(?:medicinal\|doctor) (?:directions\|instructions\|recommendations)\|prescriptions needed)\b/
	body __DOS_MED_CAN_WEB_PHARM /\b(?:Web-Based Canadian\|Canadian On-Line) Pharmacy\b/i
	body __DOS_MED_MARK_DOWN /\d{2}% (?:mark down\|reduction)/i
	meta DOS_MED_CAN_PHARM_NOV07 __OE_MSGID_2 && __DOS_HAS_ANY_URI && ((__DOS_MED_WHAT_COULD && __DOS_MED_NO_DIRECTION) \|\| ( __DOS_MED_CAN_WEB_PHARM && __DOS_MED_MARK_DOWN))

	# 20071220
	ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
	mimeheader DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
	describe DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus
	score DOS_ZIP_HARDCORE 2.5
	endif

	body DOS_PLAYED_IN_HARDCORE /played in hardcore porn/
	describe DOS_PLAYED_IN_HARDCORE Claims someone played in hardcore porn
	score DOS_PLAYED_IN_HARDCORE 1.5

	meta DOS_HC_ZIP_VIRUS DOS_ZIP_HARDCORE && DOS_PLAYED_IN_HARDCORE
	describe DOS_HC_ZIP_VIRUS Hardcore porn virus spam
	score DOS_HC_ZIP_VIRUS 3.5

	# 20071227
	header DOS_PORN_BOUNDARY Content-Type =~ /\bboundary="----\#(?:SUBSTANCE\|CONTENT)_BOUNDARY"$/
	describe DOS_PORN_BOUNDARY Content boundary common to porn spam
	score DOS_PORN_BOUNDARY 1.0

	# 20070225
	header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/


	# 20070723
	header DOS_FAKE_UPS_TRACK_NUM Subject =~ /UPS Tracking Number \d{10}/
	describe DOS_FAKE_UPS_TRACK_NUM Invalid UPS Tracking Number in Subject

	# 2000818
	header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/
	header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/

	meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 \|\| __DOS_MSGID_DIGITS10)

	# 20081030 - high bit mail sent direct to MX claiming to be The Bat!
	meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
	describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits

	# 20081101 - domain expiration/maintenance phishes
	uri DOS_PHISH_WWW_COM_BIZ /^http:\/\/www\.[^.]+\.com\.[^.]+\.biz$/
	uri DOS_PHISH_WWW_COM_RU /^http:\/\/www\.[^.]+\.com\.[^.]+\.ru$/

	# 20081105 - high bit body with no message id header
	meta DOS_BODY_HIGH_NO_MID __HIGHBITS && MISSING_MID
	describe DOS_BODY_HIGH_NO_MID High bit body and no message ID header

	# 20081111 - less conservative shot at highbit spam
	# 20100408 - disabled -- this rule appears to be bad... complaints in bug 6389
	#meta DOS_HIGHBIT_HDRS_BODY __FROM_NEEDS_MIME && __SUBJECT_ENCODED_B64 && __FROM_ENCODED_B64 && __SUBJECT_NEEDS_MIME && __HIGHBITS
	#describe DOS_HIGHBIT_HDRS_BODY Headers need encoding and body is highbit