rulesrc/sandbox/smf/20_smf.cf - spamassassin - Git at Google

 #testrules
 header   __FSL_RELAY_GOOGLE	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i
 header   __FSL_ENVFROM_GOOGLE	X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@g(?:mail|oogle)\.com /i
 meta     FSL_NOT_FROM_GOOGLE	__FSL_ENVFROM_GOOGLE && !__FSL_RELAY_GOOGLE
 score    FSL_NOT_FROM_GOOGLE	2.0
 describe FSL_NOT_FROM_GOOGLE    Envelope-From GMail or Google but not originated from Google systems

 header   __FSL_RELAY_YAHOO      X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.yahoo(?:dns)?\.co(?:m|\.jp) /i
 header   __FSL_ENVFROM_YAHOO    X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@yahoo(?:groups)?\./i
 header   __FSL_ENVFROM_YMAIL    X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@ymail\.com /i
 header   __FSL_ENVFROM_ROCKET   X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@rocketmail\.com /i
 meta     FSL_NOT_FROM_YAHOO     ((__FSL_ENVFROM_YAHOO || __FSL_ENVFROM_YMAIL || __FSL_ENVFROM_ROCKET) && !__FSL_RELAY_YAHOO)
 score    FSL_NOT_FROM_YAHOO     2.0
 describe FSL_NOT_FROM_YAHOO     Envelope-From Yahoo or Yahoo Groups but not originated from Yahoo systems

 header   __FSL_RELAY_HOTMAIL    X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /i
 header   __FSL_ENVFROM_HOTMAIL  X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@hotmail\./i
 header   __FSL_ENVFROM_LIVE     X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@live\./i
 meta     FSL_NOT_FROM_HOTMAIL   (__FSL_ENVFROM_HOTMAIL || __FSL_ENVFROM_LIVE) && !__FSL_RELAY_HOTMAIL
 score    FSL_NOT_FROM_HOTMAIL   2.0
 describe FSL_NOT_FROM_HOTMAIL   Envelope-From Hotmail/Live but not originated from Hotmail systems

 header   __FSL_RELAY_AOL        X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.aol\.com/i
 header   __FSL_ENVFROM_AOL      X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@aol\./i
 meta     FSL_NOT_FROM_AOL       __FSL_ENVFROM_AOL && !__FSL_RELAY_AOL
 score    FSL_NOT_FROM_AOL       2.0
 describe FSL_NOT_FROM_AOL       Envelope-From AOL but not originated from AOL systems

 header   FSL_UNDISCLOSED_RCPTS  To =~ /\bundisclosed[- ]recipients\b/i
 score    FSL_UNDISCLOSED_RCPTS  0.01
 describe FSL_UNDISCLOSED_RCPTS  To undisclosed recipients

 header   FSL_ABUSED_WEB_1       exists:X-AntiAbuse
 score    FSL_ABUSED_WEB_1       0.01
 describe FSL_ABUSED_WEB_1       Has X-AntiAbuse header

 header   FSL_ABUSED_WEB_2       exists:X-PHP-Script
 score    FSL_ABUSED_WEB_2       0.01
 describe FSL_ABUSED_WEB_2       Has X-PHP-Script header

 header   FSL_ABUSED_WEB_3       exists:X-PHP-Originating-Script
 score    FSL_ABUSED_WEB_3       0.01
 describe FSL_ABUSED_WEB_3       Has X-PHP-Originating-Script header

 meta     FSL_UNDISCLOSED_BULK  (FSL_UNDISCLOSED_RCPTS && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK))
 describe FSL_UNDISCLOSED_BULK  Undisclosed recipients and bulk signature
 score    FSL_UNDISCLOSED_BULK  3.0

 # Received: from hwyhsxwaxz (amandacallow@113.162.65.176 with login) by
 header   __FSL_YAHOO_AUTH1      Received =~ /from [a-z]{10} \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /
 # Received: from localhost (rhinotrick@46.185.178.15 with login) by
 header   __FSL_YAHOO_AUTH2      Received =~ /from localhost \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
 header   __FSL_YAHOO_AUTH3      Received =~ /from user \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
 meta     FSL_YAHOO_AUTH_SIG     (__FSL_RELAY_YAHOO && (__FSL_YAHOO_AUTH1 || __FSL_YAHOO_AUTH2 || __FSL_YAHOO_AUTH3))
 describe FSL_YAHOO_AUTH_SIG     Yahoo SMTP AUTH observed patterns
 score    FSL_YAHOO_AUTH_SIG     5.0

 ifplugin Mail::SpamAssassin::Plugin::FreeMail
 # Test potential error in base rules
 header   __smf_freemail_hdr_replyto  eval:check_freemail_header('Reply-To:addr')
 meta     SMF_FM_FORGED_REPLYTO  __smf_freemail_hdr_replyto && !FREEMAIL_FROM && !__freemail_safe
 describe SMF_FM_FORGED_REPLYTO  Freemail in Reply-To, but not From
 tflags	 SMF_FM_FORGED_REPLYTO  nopublish
 #score    SMF_FM_FORGED_REPLYTO  0.1
 endif

 # Theory: most glue adds their own Received headers be SpamAssassin
 # sees the message, so NO_RECEIVED will never fire when run in that
 # way.  So lets see if a single Untrusted/External is an indicator.
 header   __FSL_COUNT_TRUST      X-Spam-Relays-Trusted =~ /\[[^\]]+\]/
 tflags   __FSL_COUNT_TRUST	multiple
 meta     FSL_RCVD_TR_1          (__FSL_COUNT_TRUST == 1)
 score    FSL_RCVD_TR_1		0.01
 meta     FSL_RCVD_TR_2          (__FSL_COUNT_TRUST == 2)
 score    FSL_RCVD_TR_2		0.01
 meta     FSL_RCVD_TR_3          (__FSL_COUNT_TRUST == 3)
 score    FSL_RCVD_TR_3		0.01
 meta     FSL_RCVD_TR_4          (__FSL_COUNT_TRUST == 4)
 score    FSL_RCVD_TR_4		0.01
 meta     FSL_RCVD_TR_5          (__FSL_COUNT_TRUST == 5)
 score    FSL_RCVD_TR_5		0.01
 meta     FSL_RCVD_TR_GT_5       (__FSL_COUNT_TRUST > 5)

 header   __FSL_COUNT_UNTRUST	X-Spam-Relays-Untrusted =~ /\[[^\]]+\]/
 tflags   __FSL_COUNT_UNTRUST	multiple
 meta     FSL_RCVD_UT_1          (__FSL_COUNT_UNTRUST == 1)
 score    FSL_RCVD_UT_1		0.01
 meta     FSL_RCVD_UT_2          (__FSL_COUNT_UNTRUST == 2)
 score    FSL_RCVD_UT_2		0.01
 meta     FSL_RCVD_UT_3          (__FSL_COUNT_UNTRUST == 3)
 score    FSL_RCVD_UT_3		0.01
 meta     FSL_RCVD_UT_4          (__FSL_COUNT_UNTRUST == 4)
 score    FSL_RCVD_UT_4		0.01
 meta     FSL_RCVD_UT_5          (__FSL_COUNT_UNTRUST == 5)
 score    FSL_RCVD_UT_5		0.01
 meta     FSL_RCVD_UT_GT_5       (__FSL_COUNT_UNTRUST > 5)
 score    FSL_RCVD_UT_GT_5	0.01

 header   __FSL_COUNT_EXTERN	X-Spam-Relays-External =~ /\[[^\]]+\]/
 tflags   __FSL_COUNT_EXTERN	multiple
 meta     FSL_RCVD_EX_0		(__FSL_COUNT_EXTERN == 0)
 score    FSL_RCVD_EX_0		0.01
 meta     FSL_RCVD_EX_1          (__FSL_COUNT_EXTERN == 1)
 score    FSL_RCVD_EX_1		0.01
 meta     FSL_RCVD_EX_2          (__FSL_COUNT_EXTERN == 2)
 score    FSL_RCVD_EX_2		0.01
 meta     FSL_RCVD_EX_3          (__FSL_COUNT_EXTERN == 3)
 score    FSL_RCVD_EX_3		0.01
 meta     FSL_RCVD_EX_4          (__FSL_COUNT_EXTERN == 4)
 score    FSL_RCVD_EX_4		0.01
 meta     FSL_RCVD_EX_5          (__FSL_COUNT_EXTERN == 5)
 score    FSL_RCVD_EX_5		0.01
 meta     FSL_RCVD_EX_GT_5       (__FSL_COUNT_EXTERN > 5)

 meta     FSL_NO_RCVD_1          (__FSL_COUNT_TRUST > 0 && __FSL_COUNT_UNTRUST == 0)
 score    FSL_NO_RCVD_1		0.01

 #rawbody  __FSL_HTML_BLOCKS      /<((?:div|span))[^>]+>.{1,10}?<\/\1[^>]*>.{0,20}?<\1/si
 #tflags   __FSL_HTML_BLOCKS      multiple

 #meta     FSL_HTML_BLOCK_LOTS_1  (__FSL_HTML_BLOCKS > __FSL_BODY_TEXT_LINE)
 #describe FSL_HTML_BLOCK_LOTS_1  More <div> or <span> blocks than lines
 #score    FSL_HTML_BLOCK_LOTS_1  0.01

 #meta     FSL_HTML_BLOCK_LOTS_2  (__FSL_HTML_BLOCKS > (__FSL_BODY_TEXT_LINE * 2))
 #describe FSL_HTML_BLOCK_LOTS_2  More <div> or <span> blocks than twice the amount of lines
 #score    FSL_HTML_BLOCK_LOTS_2  0.01

 #meta     FSL_HTML_BLOCK_LOTS_3  (__FSL_HTML_BLOCKS > (__FSL_BODY_TEXT_LINE * 4))
 #describe FSL_HTML_BLOCK_LOTS_3  More <div> or <span> blocks than 4x the amount of lines
 #score    FSL_HTML_BLOCK_LOTS_3  0.01

 #rawbody  __FSL_HTML_ENTITIES    /\&(?!(?:nbsp|cent|pound|yen|copy|reg|\#1[678][0-9];|\#x[AB][0-9A-F];))(?:\#(?:x[a-f0-9]+|\d{3,4})|[a-zA-Z]+)\;/si
 #tflags   __FSL_HTML_ENTITIES    multiple

 #meta     FSL_HTML_ENT_LOTS_1    (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 2))
 #describe FSL_HTML_ENT_LOTS_1    Lots of HTML entities x2
 #score    FSL_HTML_ENT_LOTS_1    0.01

 #meta     FSL_HTML_ENT_LOTS_2    (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 8))
 #describe FSL_HTML_ENT_LOTS_2    Lots of HTML entities x8
 #score    FSL_HTML_ENT_LOTS_2    0.01

 #meta     FSL_HTML_ENT_LOTS_3    (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 24))
 #describe FSL_HTML_ENT_LOTS_3    Lots of HTML entities x24
 #score    FSL_HTML_ENT_LOTS_3    0.01
	#testrules
	header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i
	header __FSL_ENVFROM_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@g(?:mail\|oogle)\.com /i
	meta FSL_NOT_FROM_GOOGLE __FSL_ENVFROM_GOOGLE && !__FSL_RELAY_GOOGLE
	score FSL_NOT_FROM_GOOGLE 2.0
	describe FSL_NOT_FROM_GOOGLE Envelope-From GMail or Google but not originated from Google systems

	header __FSL_RELAY_YAHOO X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.yahoo(?:dns)?\.co(?:m\|\.jp) /i
	header __FSL_ENVFROM_YAHOO X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@yahoo(?:groups)?\./i
	header __FSL_ENVFROM_YMAIL X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@ymail\.com /i
	header __FSL_ENVFROM_ROCKET X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@rocketmail\.com /i
	meta FSL_NOT_FROM_YAHOO ((__FSL_ENVFROM_YAHOO \|\| __FSL_ENVFROM_YMAIL \|\| __FSL_ENVFROM_ROCKET) && !__FSL_RELAY_YAHOO)
	score FSL_NOT_FROM_YAHOO 2.0
	describe FSL_NOT_FROM_YAHOO Envelope-From Yahoo or Yahoo Groups but not originated from Yahoo systems

	header __FSL_RELAY_HOTMAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /i
	header __FSL_ENVFROM_HOTMAIL X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@hotmail\./i
	header __FSL_ENVFROM_LIVE X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@live\./i
	meta FSL_NOT_FROM_HOTMAIL (__FSL_ENVFROM_HOTMAIL \|\| __FSL_ENVFROM_LIVE) && !__FSL_RELAY_HOTMAIL
	score FSL_NOT_FROM_HOTMAIL 2.0
	describe FSL_NOT_FROM_HOTMAIL Envelope-From Hotmail/Live but not originated from Hotmail systems

	header __FSL_RELAY_AOL X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.aol\.com/i
	header __FSL_ENVFROM_AOL X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@aol\./i
	meta FSL_NOT_FROM_AOL __FSL_ENVFROM_AOL && !__FSL_RELAY_AOL
	score FSL_NOT_FROM_AOL 2.0
	describe FSL_NOT_FROM_AOL Envelope-From AOL but not originated from AOL systems

	header FSL_UNDISCLOSED_RCPTS To =~ /\bundisclosed[- ]recipients\b/i
	score FSL_UNDISCLOSED_RCPTS 0.01
	describe FSL_UNDISCLOSED_RCPTS To undisclosed recipients

	header FSL_ABUSED_WEB_1 exists:X-AntiAbuse
	score FSL_ABUSED_WEB_1 0.01
	describe FSL_ABUSED_WEB_1 Has X-AntiAbuse header

	header FSL_ABUSED_WEB_2 exists:X-PHP-Script
	score FSL_ABUSED_WEB_2 0.01
	describe FSL_ABUSED_WEB_2 Has X-PHP-Script header

	header FSL_ABUSED_WEB_3 exists:X-PHP-Originating-Script
	score FSL_ABUSED_WEB_3 0.01
	describe FSL_ABUSED_WEB_3 Has X-PHP-Originating-Script header

	meta FSL_UNDISCLOSED_BULK (FSL_UNDISCLOSED_RCPTS && (DCC_CHECK \|\| RAZOR2_CHECK \|\| PYZOR_CHECK))
	describe FSL_UNDISCLOSED_BULK Undisclosed recipients and bulk signature
	score FSL_UNDISCLOSED_BULK 3.0

	# Received: from hwyhsxwaxz (amandacallow@113.162.65.176 with login) by
	header __FSL_YAHOO_AUTH1 Received =~ /from [a-z]{10} \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain\|login)\) /
	# Received: from localhost (rhinotrick@46.185.178.15 with login) by
	header __FSL_YAHOO_AUTH2 Received =~ /from localhost \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain\|login)\) /i
	header __FSL_YAHOO_AUTH3 Received =~ /from user \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain\|login)\) /i
	meta FSL_YAHOO_AUTH_SIG (__FSL_RELAY_YAHOO && (__FSL_YAHOO_AUTH1 \|\| __FSL_YAHOO_AUTH2 \|\| __FSL_YAHOO_AUTH3))
	describe FSL_YAHOO_AUTH_SIG Yahoo SMTP AUTH observed patterns
	score FSL_YAHOO_AUTH_SIG 5.0

	ifplugin Mail::SpamAssassin::Plugin::FreeMail
	# Test potential error in base rules
	header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
	meta SMF_FM_FORGED_REPLYTO __smf_freemail_hdr_replyto && !FREEMAIL_FROM && !__freemail_safe
	describe SMF_FM_FORGED_REPLYTO Freemail in Reply-To, but not From
	tflags SMF_FM_FORGED_REPLYTO nopublish
	#score SMF_FM_FORGED_REPLYTO 0.1
	endif

	# Theory: most glue adds their own Received headers be SpamAssassin
	# sees the message, so NO_RECEIVED will never fire when run in that
	# way. So lets see if a single Untrusted/External is an indicator.
	header __FSL_COUNT_TRUST X-Spam-Relays-Trusted =~ /\[[^\]]+\]/
	tflags __FSL_COUNT_TRUST multiple
	meta FSL_RCVD_TR_1 (__FSL_COUNT_TRUST == 1)
	score FSL_RCVD_TR_1 0.01
	meta FSL_RCVD_TR_2 (__FSL_COUNT_TRUST == 2)
	score FSL_RCVD_TR_2 0.01
	meta FSL_RCVD_TR_3 (__FSL_COUNT_TRUST == 3)
	score FSL_RCVD_TR_3 0.01
	meta FSL_RCVD_TR_4 (__FSL_COUNT_TRUST == 4)
	score FSL_RCVD_TR_4 0.01
	meta FSL_RCVD_TR_5 (__FSL_COUNT_TRUST == 5)
	score FSL_RCVD_TR_5 0.01
	meta FSL_RCVD_TR_GT_5 (__FSL_COUNT_TRUST > 5)

	header __FSL_COUNT_UNTRUST X-Spam-Relays-Untrusted =~ /\[[^\]]+\]/
	tflags __FSL_COUNT_UNTRUST multiple
	meta FSL_RCVD_UT_1 (__FSL_COUNT_UNTRUST == 1)
	score FSL_RCVD_UT_1 0.01
	meta FSL_RCVD_UT_2 (__FSL_COUNT_UNTRUST == 2)
	score FSL_RCVD_UT_2 0.01
	meta FSL_RCVD_UT_3 (__FSL_COUNT_UNTRUST == 3)
	score FSL_RCVD_UT_3 0.01
	meta FSL_RCVD_UT_4 (__FSL_COUNT_UNTRUST == 4)
	score FSL_RCVD_UT_4 0.01
	meta FSL_RCVD_UT_5 (__FSL_COUNT_UNTRUST == 5)
	score FSL_RCVD_UT_5 0.01
	meta FSL_RCVD_UT_GT_5 (__FSL_COUNT_UNTRUST > 5)
	score FSL_RCVD_UT_GT_5 0.01

	header __FSL_COUNT_EXTERN X-Spam-Relays-External =~ /\[[^\]]+\]/
	tflags __FSL_COUNT_EXTERN multiple
	meta FSL_RCVD_EX_0 (__FSL_COUNT_EXTERN == 0)
	score FSL_RCVD_EX_0 0.01
	meta FSL_RCVD_EX_1 (__FSL_COUNT_EXTERN == 1)
	score FSL_RCVD_EX_1 0.01
	meta FSL_RCVD_EX_2 (__FSL_COUNT_EXTERN == 2)
	score FSL_RCVD_EX_2 0.01
	meta FSL_RCVD_EX_3 (__FSL_COUNT_EXTERN == 3)
	score FSL_RCVD_EX_3 0.01
	meta FSL_RCVD_EX_4 (__FSL_COUNT_EXTERN == 4)
	score FSL_RCVD_EX_4 0.01
	meta FSL_RCVD_EX_5 (__FSL_COUNT_EXTERN == 5)
	score FSL_RCVD_EX_5 0.01
	meta FSL_RCVD_EX_GT_5 (__FSL_COUNT_EXTERN > 5)

	meta FSL_NO_RCVD_1 (__FSL_COUNT_TRUST > 0 && __FSL_COUNT_UNTRUST == 0)
	score FSL_NO_RCVD_1 0.01

	#rawbody __FSL_HTML_BLOCKS /<((?:div\|span))[^>]+>.{1,10}?<\/\1[^>]*>.{0,20}?<\1/si
	#tflags __FSL_HTML_BLOCKS multiple

	#meta FSL_HTML_BLOCK_LOTS_1 (__FSL_HTML_BLOCKS > __FSL_BODY_TEXT_LINE)
	#describe FSL_HTML_BLOCK_LOTS_1 More <div> or <span> blocks than lines
	#score FSL_HTML_BLOCK_LOTS_1 0.01

	#meta FSL_HTML_BLOCK_LOTS_2 (__FSL_HTML_BLOCKS > (__FSL_BODY_TEXT_LINE * 2))
	#describe FSL_HTML_BLOCK_LOTS_2 More <div> or <span> blocks than twice the amount of lines
	#score FSL_HTML_BLOCK_LOTS_2 0.01

	#meta FSL_HTML_BLOCK_LOTS_3 (__FSL_HTML_BLOCKS > (__FSL_BODY_TEXT_LINE * 4))
	#describe FSL_HTML_BLOCK_LOTS_3 More <div> or <span> blocks than 4x the amount of lines
	#score FSL_HTML_BLOCK_LOTS_3 0.01

	#rawbody __FSL_HTML_ENTITIES /\&(?!(?:nbsp\|cent\|pound\|yen\|copy\|reg\|\#1[678][0-9];\|\#x[AB][0-9A-F];))(?:\#(?:x[a-f0-9]+\|\d{3,4})\|[a-zA-Z]+)\;/si
	#tflags __FSL_HTML_ENTITIES multiple

	#meta FSL_HTML_ENT_LOTS_1 (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 2))
	#describe FSL_HTML_ENT_LOTS_1 Lots of HTML entities x2
	#score FSL_HTML_ENT_LOTS_1 0.01

	#meta FSL_HTML_ENT_LOTS_2 (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 8))
	#describe FSL_HTML_ENT_LOTS_2 Lots of HTML entities x8
	#score FSL_HTML_ENT_LOTS_2 0.01

	#meta FSL_HTML_ENT_LOTS_3 (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 24))
	#describe FSL_HTML_ENT_LOTS_3 Lots of HTML entities x24
	#score FSL_HTML_ENT_LOTS_3 0.01