| # Sender gate: the domain taken from the From address starts with "paypal." (case-insensitive). |
| # The pattern is anchored only at the start, so whatever follows "paypal." is accepted. |
| # NOTE(review): this tests the From header text only; nothing in this section ties it to an SPF/DKIM/DMARC result - confirm whether that is intended. |
| header __MXG_FROM_PAYPAL From:addr:domain =~ /^paypal\./i |
| |
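| # Callback-number check: the body contains a US-style phone number that is not the PayPal support number (888-221-1161), together with a suspicious keyword. |
| # The support number is excluded by a negative lookahead placed before the digits, so the exclusion holds for any separator style ("888-221-1161", "(888) 221-1161", "888.221.1161"). |
| # Keep the exclusion in this leading form: a trailing "(?!<888-221-1161)" parses as a lookahead for a literal "<" and excludes nothing, which makes mail quoting only the genuine support number match. |
| body __MXG_PAYPAL_PHONE_SUSP01 /\b(?!1?888[^a-zA-Z0-9]+221[^a-zA-Z0-9]+1161\b)1?\d{3}[^a-zA-Z0-9]+\d{3}[^a-zA-Z0-9]+\d{4}\b/ |
| # Urgency, billing and security-product keywords, matched as whole words in any case. |
| body __MXG_PAYPAL_PHONE_SUSP02 /\b(immediately|quickly|subscription|assistance|renewal|fraud|didn't|crypto|BTC|norton|mcafee|antivirus)\b/i |
| # Both conditions must hold somewhere in the body; they need not be adjacent. |
| meta __MXG_PAYPAL_PHONE_SUSP __MXG_PAYPAL_PHONE_SUSP01 && __MXG_PAYPAL_PHONE_SUSP02 |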
| |
| # Supporting indicators for PayPal invoice / money-request abuse. Only the MXG_PAYPAL_ABUSE meta below is given a score in this section. |
| # Recipient display name mentions paypal, order, status or billing. |
| # NOTE(review): there is no /i here, unlike ABUSE02 and ABUSE04, so "PayPal" or "Billing" in the display name would not match - confirm this is intended. |
| header __MXG_PAYPAL_ABUSE01 To:name =~ /paypal|order|status|billing/ |
| # Body text that begins with "Hello," and later mentions one of the same words. |
| body __MXG_PAYPAL_ABUSE02 /^Hello,.*(paypal|order|status|billing)/i |
| # An external relay gave a HELO name of the form <label>.outbound.protection.outlook.com. |
| header __MXG_PAYPAL_ABUSE03 X-Spam-Relays-External =~ /\shelo=[^.]+\.outbound\.protection\.outlook\.com\s/ |
| # Subject wording typical of invoices, estimates and money requests. |
| header __MXG_PAYPAL_ABUSE04 Subject =~ /invoice|estimate|request|reminder from|accept|you sent/i |
| # Fires only when the From domain is paypal.* AND the subject matches AND at least one supporting indicator is present. |
| # NOTE(review): __MXG_PHONE_OBFU is not defined in this section; presumably it is provided elsewhere in the ruleset - verify with a lint run. |
| meta MXG_PAYPAL_ABUSE (__MXG_PAYPAL_ABUSE01 || __MXG_PAYPAL_ABUSE02 || __MXG_PAYPAL_ABUSE03 || __MXG_PHONE_OBFU || __MXG_PAYPAL_PHONE_SUSP) && __MXG_FROM_PAYPAL && __MXG_PAYPAL_ABUSE04 |
| # Points added to the message's spam score when the meta fires. |
| score MXG_PAYPAL_ABUSE 4.000 |
| describe MXG_PAYPAL_ABUSE Paypal abuse |
| |