#testrules
# FSL_NOT_FROM_GOOGLE: the envelope sender is @gmail.com or @google.com, but
# the relay entry examined has no rDNS name ending in .google.com.
# Both subrules start with ^[^\]]+, which cannot cross a "]", so they look only
# at the first entry of X-Spam-Relays-External. The trailing space after the
# domain pins the match to the end of the rdns= / envfrom= value.
# NOTE(review): rdns= is a PTR name set by whoever controls the sending IP's
# reverse zone. Unless the receiving MTA forward-confirms it, a matching rDNS is
# a hint rather than proof of origin; SPF/DKIM/DMARC results are the stronger
# signal. If the relay entry carries no envfrom= value the rule cannot fire.
header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com /i
header __FSL_ENVFROM_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@g(?:mail|oogle)\.com /i
meta FSL_NOT_FROM_GOOGLE __FSL_ENVFROM_GOOGLE && !__FSL_RELAY_GOOGLE
score FSL_NOT_FROM_GOOGLE 2.0
describe FSL_NOT_FROM_GOOGLE Envelope-From GMail or Google but not originated from Google systems
# FSL_NOT_FROM_YAHOO: the envelope sender is in a Yahoo-family domain, but the
# first external relay entry has no Yahoo rDNS name.
# __FSL_RELAY_YAHOO accepts hostnames ending in .yahoo.com, .yahoodns.com,
# .yahoo.co.jp or .yahoodns.co.jp (the trailing space ends the hostname).
# __FSL_ENVFROM_YAHOO stops at the dot after "yahoo"/"yahoogroups", so any
# suffix after that dot matches, not only Yahoo's own country domains.
# __FSL_RELAY_YAHOO is also used by FSL_YAHOO_AUTH_SIG later in this file.
# NOTE(review): rdns= is only as trustworthy as the PTR lookup behind it; it is
# not forward-confirmed here.
header __FSL_RELAY_YAHOO X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.yahoo(?:dns)?\.co(?:m|\.jp) /i
header __FSL_ENVFROM_YAHOO X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@yahoo(?:groups)?\./i
header __FSL_ENVFROM_YMAIL X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@ymail\.com /i
header __FSL_ENVFROM_ROCKET X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@rocketmail\.com /i
meta FSL_NOT_FROM_YAHOO ((__FSL_ENVFROM_YAHOO || __FSL_ENVFROM_YMAIL || __FSL_ENVFROM_ROCKET) && !__FSL_RELAY_YAHOO)
score FSL_NOT_FROM_YAHOO 2.0
describe FSL_NOT_FROM_YAHOO Envelope-From Yahoo or Yahoo Groups but not originated from Yahoo systems
# FSL_NOT_FROM_HOTMAIL: the envelope sender is @hotmail.* or @live.*, but the
# first external relay entry has no rDNS name ending in .hotmail.com.
# The envfrom patterns stop at the dot after the first label, so every suffix
# after "hotmail." / "live." matches; the relay check accepts only .hotmail.com.
# NOTE(review): a provider's outbound hostnames change over time. Confirm that
# the rdns suffix still reflects where this provider's mail is sent from;
# otherwise genuine mail picks up 2.0 points. rdns= is not forward-confirmed.
header __FSL_RELAY_HOTMAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /i
header __FSL_ENVFROM_HOTMAIL X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@hotmail\./i
header __FSL_ENVFROM_LIVE X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@live\./i
meta FSL_NOT_FROM_HOTMAIL (__FSL_ENVFROM_HOTMAIL || __FSL_ENVFROM_LIVE) && !__FSL_RELAY_HOTMAIL
score FSL_NOT_FROM_HOTMAIL 2.0
describe FSL_NOT_FROM_HOTMAIL Envelope-From Hotmail/Live but not originated from Hotmail systems
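# FSL_NOT_FROM_AOL: the envelope sender is @aol.*, but the first external relay
# entry has no rDNS name ending in .aol.com.
# The rdns= pattern ends with a space, like the other relay subrules in this
# file, so the hostname has to END in .aol.com. Without that terminator a PTR
# name that merely contains ".aol.com" followed by further labels would count
# as an AOL relay and switch the rule off.
# NOTE(review): rdns= is not forward-confirmed here; treat it as a hint.
header __FSL_RELAY_AOL X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.aol\.com /i
header __FSL_ENVFROM_AOL X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@aol\./i
meta FSL_NOT_FROM_AOL __FSL_ENVFROM_AOL && !__FSL_RELAY_AOL
score FSL_NOT_FROM_AOL 2.0
describe FSL_NOT_FROM_AOL Envelope-From AOL but not originated from AOL systems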
# FSL_UNDISCLOSED_RCPTS: To header contains "undisclosed-recipients" or
# "undisclosed recipients" (case-insensitive).
# Scored 0.01, so it is effectively informational on its own; it is combined
# with bulk-checksum hits in FSL_UNDISCLOSED_BULK later in this file.
header FSL_UNDISCLOSED_RCPTS To =~ /\bundisclosed[- ]recipients\b/i
score FSL_UNDISCLOSED_RCPTS 0.01
describe FSL_UNDISCLOSED_RCPTS To undisclosed recipients
# JHardin: replaced with __FROM_DOM_INFO subrule
#header FSL_FROM_INFO_DOM From:addr =~ /\.info$/
#score FSL_FROM_INFO_DOM 1.0
#describe FSL_FROM_INFO_DOM From address is in .info
# FSL_ADV: body text says "This advert", "This advertisement",
# "This is an advert" or "This is an advertisement" (case-insensitive).
# \s* between "This" and "is an" also accepts the words run together.
body FSL_ADV /\bThis(?:\s*is an)? advert(?:isement)?\b/i
score FSL_ADV 1.0
describe FSL_ADV This is an advertisement
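# FSL_OPEN_ATTACH / FSL_OPEN_ATTACH_MH: upper-case "OPEN|VIEW|READ|SEE|YOUR|ARE
# [THE] ATTACHED|ATTACHMENT" in the body, or in a MIME part's
# Content-Disposition header (which is where the attachment filename lives).
# There is no /i flag: only the shouted, all-caps form matches.
# The patterns previously ended in "\b?". A quantifier on a zero-width
# assertion makes the assertion optional, i.e. a no-op, so it has been dropped;
# the set of matching strings is unchanged (e.g. "ATTACHMENTS" still matches).
# NOTE(review): this is a social-engineering cue, not an inspection of the
# attachment itself; pair it with attachment type/AV checks where available.
body FSL_OPEN_ATTACH /\b(?:OPEN|VIEW|READ|SEE|YOUR|ARE)\s*(?:THE\s*)?ATTACH(?:ED|MENT)/
score FSL_OPEN_ATTACH 2.0
describe FSL_OPEN_ATTACH DEMANDS that you open the attachment!
# The mimeheader rule type is provided by the MIMEHeader plugin, hence the guard.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader FSL_OPEN_ATTACH_MH Content-Disposition =~ /\b(?:OPEN|VIEW|READ|SEE|YOUR|ARE)\s*(?:THE\s*)?ATTACH(?:ED|MENT)/
score FSL_OPEN_ATTACH_MH 2.0
describe FSL_OPEN_ATTACH_MH Filename demands that you open the attachment!
endif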
# FSL_PHISH_EMAIL: credential-phishing heuristic for mailbox accounts.
# Six independent cues are summed and the meta fires when at least three hit:
#   UN    - "username:" / "user name:" prompt in the body
#   PW    - "password:" / "pass word:" prompt in the body
#   DE    - "deactivate(d)" / "deactivation"
#   MB    - "this|your|you're [e|e-]mailbox has|is"
#   RV    - "revalidate(d)" / "re-validation"
#   ADMIN - From display name contains "admin" or "administrator" as a word end
# NOTE(review): the From display name is free text chosen by the sender, so
# ADMIN is only meaningful in combination with the body cues, as done here.
body __FSL_PHISH_UN /\buser\s*name\s*:/i
body __FSL_PHISH_PW /\bpass\s*word\s*:/i
body __FSL_PHISH_DE /\bdeactivat(?:ed?|ion)\b/i
body __FSL_PHISH_MB /\b(?:this|your|you're) (?:e|e-)?mailbox (?:has|is)\b/i
body __FSL_PHISH_RV /\bre-?validat(?:ed?|ion)\b/i
header __FSL_PHISH_ADMIN From:name =~ /admin(?:istrator)?\b/i
meta FSL_PHISH_EMAIL (__FSL_PHISH_UN + __FSL_PHISH_PW + __FSL_PHISH_DE + __FSL_PHISH_MB + __FSL_PHISH_RV + __FSL_PHISH_ADMIN) >= 3
score FSL_PHISH_EMAIL 1.0
describe FSL_PHISH_EMAIL Likely phishing for e-mail account details
# FSL_ABUSED_WEB_1..3: presence tests for headers that web-hosting stacks add
# to mail generated on the server (X-AntiAbuse, X-PHP-Script,
# X-PHP-Originating-Script). Each is scored 0.01, so they only tag the message.
# NOTE(review): these headers identify mail sent by a web script, which is
# useful for tracing a compromised or abused site, but they are ordinary
# message headers and can also be present on legitimate application mail.
header FSL_ABUSED_WEB_1 exists:X-AntiAbuse
score FSL_ABUSED_WEB_1 0.01
describe FSL_ABUSED_WEB_1 Has X-AntiAbuse header
header FSL_ABUSED_WEB_2 exists:X-PHP-Script
score FSL_ABUSED_WEB_2 0.01
describe FSL_ABUSED_WEB_2 Has X-PHP-Script header
header FSL_ABUSED_WEB_3 exists:X-PHP-Originating-Script
score FSL_ABUSED_WEB_3 0.01
describe FSL_ABUSED_WEB_3 Has X-PHP-Originating-Script header
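# FSL_SUPPLY: body contains "I|we|company [can|is|am|are] sell(ing) |
# offer(ing) | provide(s)/providing | supply(ing)" (case-insensitive).
# The "supply" alternative used to sit inside the "provid(...)" group, so it
# could only match the non-word "providsupplying"; it is now a top-level
# alternative, which is what the rule description asks for.
# NOTE(review): this widens what the rule matches. Re-run the corpus/masscheck
# tests before relying on the 1.0 scores of FSL_SUPPLY and FSL_SUPPLY_FM.
body FSL_SUPPLY /\b(?:i|we|company)\s*(?:can|is|am|are)?\s*(?:sell(?:ing)?|offer(?:ing)?|provid(?:es?|ing)|supply(?:ing)?)\b/i
describe FSL_SUPPLY Something can be supplied
score FSL_SUPPLY 1.0
# FSL_SUPPLY_FM: same offer, sent from a freemail address. FREEMAIL_FROM is not
# defined in this file and is expected to come from the FreeMail rules.
meta FSL_SUPPLY_FM (FREEMAIL_FROM && FSL_SUPPLY)
describe FSL_SUPPLY_FM Something can be supplied and from Freemail account
score FSL_SUPPLY_FM 1.0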
# SEO solicitation rules.
# FSL_SUBJ_SEO: Subject contains "SEO" (any case) or "search engine
# optimisation/optimization".
header __FSL_SUBJ_SEO_1 Subject =~ /\bSEO\b/i
header __FSL_SUBJ_SEO_2 Subject =~ /\bsearch engine optimi[sz]ation\b/i
meta FSL_SUBJ_SEO (__FSL_SUBJ_SEO_1 || __FSL_SUBJ_SEO_2)
describe FSL_SUBJ_SEO Search engine optimisation
score FSL_SUBJ_SEO 1.0
# FSL_BODY_SEO: same phrases in the body. Unlike the Subject test, the bare
# acronym has no /i flag here, so only upper-case "SEO" matches in the body.
body __FSL_BODY_SEO_1 /\bSEO\b/
body __FSL_BODY_SEO_2 /\bsearch engine optimi[sz]ation\b/i
meta FSL_BODY_SEO (__FSL_BODY_SEO_1 || __FSL_BODY_SEO_2)
describe FSL_BODY_SEO Search engine optimisation
score FSL_BODY_SEO 1.0
# FSL_FREEMAIL_SEO: either SEO rule plus a freemail From address.
# The 5.0 here is added on top of the 1.0 from FSL_SUBJ_SEO and/or
# FSL_BODY_SEO, so a message hitting all three collects 7.0 from this group
# (plus whatever FREEMAIL_FROM, defined outside this file, contributes).
meta FSL_FREEMAIL_SEO (FREEMAIL_FROM && (FSL_SUBJ_SEO || FSL_BODY_SEO))
describe FSL_FREEMAIL_SEO Freemail account offering SEO
score FSL_FREEMAIL_SEO 5.0
# FSL_UNDISCLOSED_BULK: "undisclosed recipients" in To (FSL_UNDISCLOSED_RCPTS,
# defined earlier in this file) together with any of DCC_CHECK, RAZOR2_CHECK
# or PYZOR_CHECK.
# NOTE(review): those three rules are not defined in this file; presumably they
# come from the DCC, Razor2 and Pyzor plugins. If none of them is enabled, this
# meta and FSL_TO_ROLE_BULK below can never fire - confirm in the deployment.
meta FSL_UNDISCLOSED_BULK (FSL_UNDISCLOSED_RCPTS && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK))
describe FSL_UNDISCLOSED_BULK Undisclosed recipients and bulk signature
score FSL_UNDISCLOSED_BULK 3.0
# __FSL_TO_COMMON_ROLE: the To address has one of the listed role local parts
# (postmaster, webmaster, domainmaster, info, sales, support, techsupport,
# admin, sysadmin, administrator, sysadministrator, abuse, noc, root, security,
# compliance, registrar). The pattern is anchored at the start and at the "@".
header __FSL_TO_COMMON_ROLE To:addr =~ /^((?:post|web|domain)master|info|sales|(?:tech)?support|(?:sys)?admin(?:istrator)?|abuse|noc|root|security|compliance|registrar)@/i
# FSL_TO_ROLE_BULK: role-account recipient plus a bulk-checksum hit.
meta FSL_TO_ROLE_BULK (__FSL_TO_COMMON_ROLE && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK))
describe FSL_TO_ROLE_BULK Bulk signature and to a role account
score FSL_TO_ROLE_BULK 1.0
# FSL_YAHOO_AUTH_SIG: Received-line shapes seen on SMTP AUTH submissions, in a
# message whose first external relay has a Yahoo rDNS name (__FSL_RELAY_YAHOO,
# defined earlier in this file). The three subrules differ only in the HELO
# token: ten lower-case letters, "localhost", or "user"; each is followed by
# "(<login>@<dotted quad> with plain|login) ".
# AUTH1 has no /i flag, so its ten-letter token must be lower case.
# NOTE(review): 5.0 equals the stock required_score, so this meta alone can
# mark a message as spam. The Received test is not tied to a particular hop,
# and Received lines below the trusted boundary are written by the sender.
# Sample: Received: from hwyhsxwaxz (amandacallow@113.162.65.176 with login) by
header __FSL_YAHOO_AUTH1 Received =~ /from [a-z]{10} \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /
# Sample: Received: from localhost (rhinotrick@46.185.178.15 with login) by
header __FSL_YAHOO_AUTH2 Received =~ /from localhost \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
header __FSL_YAHOO_AUTH3 Received =~ /from user \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
meta FSL_YAHOO_AUTH_SIG (__FSL_RELAY_YAHOO && (__FSL_YAHOO_AUTH1 || __FSL_YAHOO_AUTH2 || __FSL_YAHOO_AUTH3))
describe FSL_YAHOO_AUTH_SIG Yahoo SMTP AUTH observed patterns
score FSL_YAHOO_AUTH_SIG 5.0
# FSL_UNSUB_RATWARE: a URI containing "unsubscribe.php?" followed by the query
# parameters M, C, L and N in exactly that order (M, L and N numeric).
# The match is case-sensitive and depends on parameter order, so it identifies
# one specific mailer's link format rather than unsubscribe links in general.
uri FSL_UNSUB_RATWARE /unsubscribe\.php\?M=[0-9]+&C=[^& ]+&L=[0-9]+&N=[0-9]+/
describe FSL_UNSUB_RATWARE Unsubscribe ratware signature
score FSL_UNSUB_RATWARE 3.0
# FSL_I_AM: a self-introduction at the start of the matched text: "I am" or
# "I'm", then a word, one to three further tokens, and either "from <x>," /
# "from <x>." or a bare comma/period.
# The negative lookahead skips "I am a ", "by ", "pretty ", "very ", "excited "
# and "seeking ". The match is case-sensitive.
# Scored 0.1 on its own; it is one of the inputs to FSL_FRAUD_FROM_41 later in
# this file.
body FSL_I_AM /^I(?:'m| am)(?! a | by | pretty | very | excited | seeking )\s*[a-zA-Z.-]+(?:\s*\S+){1,3}(?:\s*from\s*\S+[,.]|[,.])/
describe FSL_I_AM I am ...
score FSL_I_AM 0.1
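# Based on John Hardin's MONEY_FROM_41
# FSL_FRAUD_FROM_41: an address in 41.0.0.0/8 appears somewhere in the headers
# AND the message shows at least one advance-fee-fraud cue.
# __FSL_IPV4_41 used to start with an optional "(" / whitespace / "[" prefix,
# which anchored nothing: "141.1.2.3" or a longer dotted version string matched
# too. The lookarounds below require that the quad is not preceded by a digit
# or dot and not continued by further digits or another ".<digit>".
# NOTE(review): ALL covers every header, including ones the sender writes, so
# this is a content cue and not a statement about the real connecting IP.
header __FSL_IPV4_41 ALL =~ /(?<![0-9.])41\.(?:[0-9]{1,3}\.){2}[0-9]{1,3}(?![0-9]|\.[0-9])/
body __FSL_URGENT_ASSIST /your urgent assist/i
body __FSL_MAIL_HAS /your mail has/i
# An e-mail address written into the Subject line.
header __FSL_SUBJECT_EMAIL Subject =~ /\b[^\@ ]+\@[^\@ ]+\b/
# "ATM" must be upper case; "card" may be in any case.
body __FSL_ATM_CARD /\bATM [Cc][Aa][Rr][Dd]\b/
# LOTS_OF_MONEY and FSL_MY_NAME_IS are not defined in this file; FSL_I_AM is.
meta FSL_FRAUD_FROM_41 (__FSL_IPV4_41 && (LOTS_OF_MONEY || FSL_MY_NAME_IS || FSL_I_AM || __FSL_URGENT_ASSIST || __FSL_MAIL_HAS || __FSL_SUBJECT_EMAIL || __FSL_ATM_CARD))
describe FSL_FRAUD_FROM_41 Fraud phrasing with 41.x.x.x address in headers
score FSL_FRAUD_FROM_41 1.0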
# FSL_CSS_NO_DISPLAY: raw (undecoded-HTML) body contains "display:" followed by
# "none" with no further colon in between, i.e. CSS that hides content.
# FSL_HTML_COMMENT: raw body contains an HTML comment opener "<!--".
# Hidden text and comments can be used to pad a message with content the
# reader never sees, but both also occur in ordinary HTML mail.
# NOTE(review): neither rule has a score or describe line in this file. A
# non-"__", non-"T_" rule without a score gets SpamAssassin's default of 1.0,
# which looks high for FSL_HTML_COMMENT in particular - confirm whether these
# are meant as scored rules or as informational/sub-rules.
rawbody FSL_CSS_NO_DISPLAY /display:[^:]+\bnone\b/i
rawbody FSL_HTML_COMMENT /<!--/
# FSL_FRIEND_SPAM: "Hi <name> http://..." messages that pose as a contact.
# __FSL_FROM_EQ_REPTO: across all headers, a From or Reply-To with the form
#   "<display name> <addr>" is followed later by a From/Reply-To whose value
#   starts with the same display name (the \1 back-reference).
# __FSL_FRIEND_SPAM: a line made of "hi"/"hello", one token, then "http://".
#   Only the http scheme is matched; an https link does not hit this subrule.
# FREEMAIL_REPLYTO is not defined in this file.
# NOTE(review): 10.0 is well above the stock required_score of 5.0, so this
# single meta decides the verdict; keep an eye on false positives from people
# who really do send a bare link to a friend.
header __FSL_FROM_EQ_REPTO ALL =~ /(?:Reply-To|From):\s*([^<]+)\s*<[^\@ ]+@[^> ]+>.*(?:From|Reply-To):\s*\1/msi
body __FSL_FRIEND_SPAM /^\s*h(?:i|ello)\s+\S+\s+http:\/\//mi
meta FSL_FRIEND_SPAM (__FSL_FROM_EQ_REPTO && __FSL_FRIEND_SPAM && FREEMAIL_REPLYTO)
score FSL_FRIEND_SPAM 10.0