diff options
| author | mdecimus <mauro@stalw.art> | 2023-10-01 19:37:55 +0200 |
|---|---|---|
| committer | mdecimus <mauro@stalw.art> | 2023-10-01 19:37:55 +0200 |
| commit | 7824368cf3395dce9b607c9979521dd685f3fc52 (patch) | |
| tree | 982cc0b207df9fb29e8fc73a2e45bcda99939ebb | |
| parent | 638ad25ce922d651a3b12c266f5a05fd6c32b6c3 (diff) | |
Added MIME, URL and headers spam modules.
99 files changed, 2119 insertions, 24055 deletions
@@ -123,9 +123,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.5.0" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1f58811cfac344940f1a400b6e6231ce35171f614f26439e80f8c1465c5cc0c" +checksum = "2ab91ebe16eb252986481c5b62f6098f3b698a45e34b5b98200cf20dd2484a44" dependencies = [ "anstyle", "anstyle-parse", @@ -137,15 +137,15 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b84bf0a05bbb2a83e5eb6fa36bb6e87baa08193c35ff52bbf6b38d8af2890e46" +checksum = "7079075b41f533b8c61d2a4d073c4676e1f8b249ff94a393b0595db304e0dd87" [[package]] name = "anstyle-parse" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "938874ff5980b03a87c5524b3ae5b59cf99b1d6bc836848df7bc5ada9643c333" +checksum = "317b9a89c1868f5ea6ff1d9539a69f45dffc21ce321ac1fd1160dfa48c8e2140" dependencies = [ "utf8parse", ] @@ -161,9 +161,9 @@ dependencies = [ [[package]] name = "anstyle-wincon" -version = "2.1.0" +version = "3.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "58f54d10c6dfa51283a066ceab3ec1ab78d13fae00aa49243a45e4571fb79dfd" +checksum = "f0699d10d2f4d628a98ee7b57b289abbc98ff3bad977cb3152709d4bf2330628" dependencies = [ "anstyle", "windows-sys 0.48.0", @@ -804,9 +804,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.4.5" +version = "4.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "824956d0dca8334758a5b7f7e50518d66ea319330cbceedcf76905c2f6ab30e3" +checksum = "d04704f56c2cde07f43e8e2c154b43f216dc5c92fc98ada720177362f953b956" dependencies = [ "clap_builder", "clap_derive", @@ -814,9 +814,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.4.5" +version = "4.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "122ec64120a49b4563ccaedcbea7818d069ed8e9aa6d829b82d8a4128936b2ab" +checksum = "0e231faeaca65ebd1ea3c737966bf858971cd38c3849107aa3ea7de90a804e45" dependencies = [ "anstream", "anstyle", @@ -1100,7 +1100,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "978747c1d849a7d2ee5e8adc0159961c48fb7e5db2f06af6723b80123bb53856" dependencies = [ "cfg-if", - "hashbrown 0.14.0", + "hashbrown 0.14.1", "lock_api", "once_cell", "parking_lot_core", @@ -1122,6 +1122,12 @@ dependencies = [ ] [[package]] +name = "decancer" +version = "1.6.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "080b09f6adad25c23d8c47c54e52e59b0dc09d079c4b23e0f147dac440359d0d" + +[[package]] name = "der" version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1470,9 +1476,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.3" +version = "0.3.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "136526188508e25c6fef639d7927dfb3e0e3084488bf202267829cf7fc23dbdd" +checksum = "add4f07d43996f76ef320709726a556a9d4f965d9410d8d0271132d2f8293480" dependencies = [ "errno-dragonfly", "libc", @@ -1924,9 +1930,9 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.14.0" +version = "0.14.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c6201b9ff9fd90a5a3bac2e56a830d0caa509576f0e503818ee82c181b3437a" +checksum = "7dfda62a12f55daeae5015f81b0baea145391cb4520f86c248fc615d72640d12" dependencies = [ "ahash 0.8.3", "allocator-api2", @@ -1938,7 +1944,7 @@ version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e8094feaf31ff591f651a2664fb9cfd92bba7a60ce3197265e9482ebe753c8f7" dependencies = [ - "hashbrown 0.14.0", + "hashbrown 0.14.1", ] [[package]] @@ -2147,7 +2153,7 @@ dependencies = [ [[package]] name = "hyper-util" version = "0.0.0" -source = "git+https://github.com/hyperium/hyper-util#eacb82d00d27751f2d56a21ab03530db46c4cf41" +source = "git+https://github.com/hyperium/hyper-util#d97181a278d9c59f1d7f2713732e400440861216" dependencies = [ "bytes", "futures-channel", @@ -2268,12 +2274,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.0.0" +version = "2.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5477fe2230a79769d8dc68e0eabf5437907c0457a5614a9e8dddb67f65eb65d" +checksum = "8adf3ddd720272c6ea8bf59463c04e0f93d0bbf7c5439b691bca2987e0270897" dependencies = [ "equivalent", - "hashbrown 0.14.0", + "hashbrown 0.14.1", ] [[package]] @@ -2389,7 +2395,7 @@ checksum = "93f0c1347cd3ac8d7c6e3a2dc33ac496d365cf09fc0831aa61111e1a6738983e" dependencies = [ "cedarwood", "fxhash", - "hashbrown 0.14.0", + "hashbrown 0.14.1", "lazy_static", "phf", "phf_codegen", @@ -2677,9 +2683,9 @@ dependencies = [ [[package]] name = "linux-raw-sys" -version = "0.4.7" +version = "0.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a9bad9f94746442c783ca431b22403b519cd7fbeed0533fdd6328b2f2212128" +checksum = "3852614a3bd9ca9804678ba6be5e3b8ce76dfc902cae004e3e0c44051b6e88db" [[package]] name = "lock_api" @@ -2886,9 +2892,9 @@ checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771" [[package]] name = "memchr" -version = "2.6.3" +version = "2.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f232d6ef707e1956a43342693d2a31e72989554d58299d7a88738cc95b0d35c" +checksum = "f665ee40bc4a3c5590afb1e9677db74a508659dfd71e126420da8274909a0167" [[package]] name = "memoffset" @@ -3398,7 +3404,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" dependencies = [ "fixedbitset", - "indexmap 2.0.0", + "indexmap 2.0.2", ] [[package]] @@ -3870,13 +3876,13 @@ dependencies = [ [[package]] name = "regex" -version = "1.9.5" +version = "1.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "697061221ea1b4a94a624f67d0ae2bfe4e22b8a17b6a192afb11046542cc8c47" +checksum = "ebee201405406dbf528b8b672104ae6d6d63e6d118cb10e4d51abbc7b58044ff" dependencies = [ "aho-corasick", "memchr", - "regex-automata 0.3.8", + "regex-automata 0.3.9", "regex-syntax 0.7.5", ] @@ -3891,9 +3897,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.3.8" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2f401f4955220693b56f8ec66ee9c78abffd8d1c4f23dc41a23839eb88f0795" +checksum = "59b23e92ee4318893fa3fe3e6fb365258efbfe6ac6ab30f090cdcbb7aa37efa9" dependencies = [ "aho-corasick", "memchr", @@ -4157,9 +4163,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.14" +version = "0.38.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "747c788e9ce8e92b12cd485c49ddf90723550b654b32508f979b71a7b1ecda4f" +checksum = "d2f9da0cbd88f9f09e7814e388301c8414c51c62aa6ce1e4b5c551d49d96e531" dependencies = [ "bitflags 2.4.0", "errno", @@ -4539,9 +4545,9 @@ dependencies = [ [[package]] name = "sharded-slab" -version = "0.1.4" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31" +checksum = "c1b21f559e07218024e7e9f90f96f601825397de0e25420135f7f952453fed0b" dependencies = [ "lazy_static", ] @@ -4561,7 +4567,7 @@ checksum = "a7cee0529a6d40f580e7a5e6c495c8fbfe21b7b52795ed4bb5e62cdf92bc6380" [[package]] name = "sieve-rs" version = "0.3.1" -source = "git+https://github.com/stalwartlabs/sieve#63929ef8713b3592b74ec4a080c15da44f5cb5af" +source = "git+https://github.com/stalwartlabs/sieve#3039311edc66988223e0bc6029a23fb3f8931f94" dependencies = [ "ahash 0.8.3", "bincode", @@ -4625,11 +4631,13 @@ dependencies = [ "ahash 0.8.3", "blake3", "dashmap", + "decancer", "directory", "form_urlencoded", "http-body-util", "hyper 1.0.0-rc.4", "hyper-util", + "idna 0.4.0", "imagesize", "lazy_static", "linkify", @@ -4656,6 +4664,7 @@ dependencies = [ "tokio", "tokio-rustls", "tracing", + "unicode-security", "utils", "webpki-roots 0.25.2", "whatlang", @@ -4665,7 +4674,7 @@ dependencies = [ [[package]] name = "smtp-proto" version = "0.1.1" -source = "git+https://github.com/stalwartlabs/smtp-proto#d2f81940d9ad74c9c03cd4bf55e681e9d94d4fe4" +source = "git+https://github.com/stalwartlabs/smtp-proto#d5949da111db6d9299c6a8928bf77f3dce337a1d" [[package]] name = "snafu" @@ -4781,7 +4790,7 @@ dependencies = [ "futures-util", "hashlink", "hex", - "indexmap 2.0.0", + "indexmap 2.0.2", "log", "memchr", "once_cell", @@ -5710,6 +5719,22 @@ dependencies = [ ] [[package]] +name = "unicode-script" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7d817255e1bed6dfd4ca47258685d14d2bdcfbc64fdc9e3819bd5848057b8ecc" + +[[package]] +name = "unicode-security" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ef5756b3097992b934b06608c69f48448a0fbe804bb1e72b982f6d7983e9e63" +dependencies = [ + "unicode-normalization", + "unicode-script", +] + +[[package]] name = "unicode-segmentation" version = "1.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -5942,9 +5967,9 @@ dependencies = [ [[package]] name = "webpki" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e" +checksum = "07ecc0cd7cac091bf682ec5efa18b1cff79d617b84181f38b3951dbe135f607f" dependencies = [ "ring", "untrusted", diff --git a/crates/smtp/Cargo.toml b/crates/smtp/Cargo.toml index 6c108543..bff08522 100644 --- a/crates/smtp/Cargo.toml +++ b/crates/smtp/Cargo.toml @@ -50,6 +50,9 @@ lazy_static = "1.4" whatlang = "0.16" imagesize = "0.12" linkify = "0.10" +idna = "0.4" +decancer = "1.6.1" +unicode-security = "0.1.0" [features] test_mode = [] diff --git a/crates/smtp/src/outbound/delivery.rs b/crates/smtp/src/outbound/delivery.rs index 0e493fb2..02d10ef4 100644 --- a/crates/smtp/src/outbound/delivery.rs +++ b/crates/smtp/src/outbound/delivery.rs @@ -694,6 +694,15 @@ impl DeliveryAttempt { .await { StartTlsResult::Success { smtp_client } => { + tracing::debug!( + parent: &span, + context = "tls", + event = "success", + mx = envelope.mx, + protocol = ?smtp_client.tls_connection().protocol_version(), + cipher = ?smtp_client.tls_connection().negotiated_cipher_suite(), + ); + // Verify DANE if let Some(dane_policy) = &dane_policy { if let Err(status) = dane_policy.verify( diff --git a/crates/smtp/src/scripts/functions/html.rs b/crates/smtp/src/scripts/functions/html.rs index a6d8c3d0..1399e448 100644 --- a/crates/smtp/src/scripts/functions/html.rs +++ b/crates/smtp/src/scripts/functions/html.rs @@ -21,7 +21,8 @@ * for more details. */ -use hyper::Uri; +use std::borrow::Cow; + use mail_parser::decoders::html::{add_html_token, html_to_text}; use sieve::{runtime::Variable, Context}; @@ -74,6 +75,15 @@ pub fn fn_html_attr_size<'x>( dimension.map(Variable::Integer).unwrap_or_default() } +pub fn fn_html_attrs<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + html_attr_tokens( + v[0].to_cow().as_ref(), + v[1].to_cow().as_ref(), + v[2].to_string_array(), + ) + .into() +} + pub fn fn_html_attr<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { get_attribute(v[0].to_cow().as_ref(), v[1].to_cow().as_ref()) .map(|s| Variable::String(s.to_string())) @@ -232,6 +242,102 @@ pub fn html_to_tokens(input: &str) -> Vec<Variable<'static>> { tags } +pub fn html_attr_tokens(input: &str, tag: &str, attrs: Vec<Cow<str>>) -> Vec<Variable<'static>> { + let input = input.as_bytes(); + let mut iter = input.iter().enumerate().peekable(); + let mut tags = vec![]; + + while let Some((mut pos, &ch)) = iter.next() { + if ch == b'<' { + if !matches!(input.get(pos + 1..pos + 4), Some(b"!--")) { + let mut in_quote = false; + let mut last_ch_pos: usize = 0; + + while matches!(iter.peek(), Some((_, &ch)) if ch.is_ascii_whitespace()) { + pos += 1; + iter.next(); + } + + let found_tag = tag.is_empty() + || (matches!(input.get(pos + 1..pos + tag.len() + 1), Some(t) if t.eq_ignore_ascii_case(tag.as_bytes())) + && matches!(input.get(pos + tag.len() + 1), Some(ch) if ch.is_ascii_whitespace())); + + 'outer: while let Some((pos, &ch)) = iter.next() { + match ch { + b'>' if !in_quote => { + break; + } + b'"' => { + in_quote = !in_quote; + } + b'=' if found_tag + && !in_quote + && attrs.iter().any(|attr| matches!(input.get(last_ch_pos.saturating_sub(attr.len()) + 1..last_ch_pos + 1), Some(a) if a.eq_ignore_ascii_case(attr.as_bytes()))) + && matches!(input.get(last_ch_pos + 1), Some(ch) if ch.is_ascii_whitespace() || *ch == b'=') => + { + while matches!(iter.peek(), Some((_, &ch)) if ch.is_ascii_whitespace()) + { + iter.next(); + } + let mut tag = vec![]; + + for (_, &ch) in iter.by_ref() { + match ch { + b'>' if !in_quote => { + if !tag.is_empty() { + tags.push(Variable::String( + String::from_utf8(tag).unwrap_or_default(), + )); + } + break 'outer; + } + b'"' => { + if in_quote { + in_quote = false; + break; + } else { + in_quote = true; + } + } + b' ' | b'\t' | b'\r' | b'\n' if !in_quote => { + break; + } + _ => { + tag.push(ch); + } + } + } + + if !tag.is_empty() { + tags.push(Variable::String( + String::from_utf8(tag).unwrap_or_default(), + )); + } + } + b' ' | b'\t' | b'\r' | b'\n' => {} + _ => { + last_ch_pos = pos; + } + } + } + } else { + let mut last_ch: u8 = 0; + let mut before_last_ch: u8 = 0; + + for (_, &ch) in iter.by_ref() { + if ch == b'>' && last_ch == b'-' && before_last_ch == b'-' { + break; + } + before_last_ch = last_ch; + last_ch = ch; + } + } + } + } + + tags +} + pub fn html_img_area(arr: &[Variable<'_>]) -> u32 { arr.iter() .filter_map(|v| { @@ -261,29 +367,6 @@ pub fn html_img_area(arr: &[Variable<'_>]) -> u32 { .sum::<u32>() } -pub fn fn_uri_part<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { - v[0].to_cow() - .parse::<Uri>() - .ok() - .and_then(|uri| match v[1].to_cow().as_ref() { - "scheme" => uri.scheme_str().map(|s| Variable::String(s.to_lowercase())), - "host" => uri.host().map(|s| Variable::String(s.to_lowercase())), - "scheme_host" => uri - .scheme_str() - .and_then(|s| (s, uri.host()?).into()) - .map(|(s, h)| Variable::String(format!("{}://{}", s, h))), - "path" => Variable::String(uri.path().to_string()).into(), - "port" => uri.port_u16().map(|port| Variable::Integer(port as i64)), - "query" => uri.query().map(|s| Variable::String(s.to_string())), - "path_query" => uri - .path_and_query() - .map(|s| Variable::String(s.to_string())), - "authority" => uri.authority().map(|s| Variable::String(s.to_string())), - _ => None, - }) - .unwrap_or_default() -} - pub fn get_attribute<'x>(tag: &'x str, attr_name: &str) -> Option<&'x str> { let tag = tag.as_bytes(); let attr_name = attr_name.as_bytes(); diff --git a/crates/smtp/src/scripts/functions/mod.rs b/crates/smtp/src/scripts/functions/mod.rs index 89bf5ccf..3d9d6708 100644 --- a/crates/smtp/src/scripts/functions/mod.rs +++ b/crates/smtp/src/scripts/functions/mod.rs @@ -28,12 +28,16 @@ pub mod html; mod image; mod misc; mod text; +mod unicode; +mod url; use sieve::{runtime::Variable, FunctionMap}; use crate::config::scripts::SieveContext; -use self::{array::*, email::*, header::*, html::*, image::*, misc::*, text::*}; +use self::{ + array::*, email::*, header::*, html::*, image::*, misc::*, text::*, unicode::*, url::*, +}; pub fn register_functions() -> FunctionMap<SieveContext> { FunctionMap::new() @@ -52,6 +56,7 @@ pub fn register_functions() -> FunctionMap<SieveContext> { .with_function("html_to_text", fn_html_to_text) .with_function("is_uppercase", fn_is_uppercase) .with_function("is_lowercase", fn_is_lowercase) + .with_function("has_digits", fn_has_digits) .with_function("tokenize_words", fn_tokenize_words) .with_function("tokenize_html", fn_tokenize_html) .with_function("max_line_len", fn_max_line_len) @@ -63,9 +68,15 @@ pub fn register_functions() -> FunctionMap<SieveContext> { .with_function("lines", fn_lines) .with_function("is_header_utf8_valid", fn_is_header_utf8_valid) .with_function("img_metadata", fn_img_metadata) - .with_function("sort", fn_sort) .with_function("is_ip_addr", fn_is_ip_addr) .with_function("winnow", fn_winnow) + .with_function("has_zwsp", fn_has_zwsp) + .with_function("has_obscured", fn_has_obscured) + .with_function("is_single_script", fn_is_single_script) + .with_function("puny_decode", fn_puny_decode) + .with_function("unicode_skeleton", fn_unicode_skeleton) + .with_function("cure_text", fn_cure_text) + .with_function_args("sort", fn_sort, 2) .with_function_args("tokenize_url", fn_tokenize_url, 2) .with_function_args("email_part", fn_email_part, 2) .with_function_args("domain_part", fn_domain_part, 2) @@ -80,10 +91,12 @@ pub fn register_functions() -> FunctionMap<SieveContext> { .with_function_args("levenshtein_distance", fn_levenshtein_distance, 2) .with_function_args("html_has_tag", fn_html_has_tag, 2) .with_function_args("html_attr", fn_html_attr, 2) + .with_function_args("html_attrs", fn_html_attrs, 3) .with_function_args("html_attr_size", fn_html_attr_size, 3) .with_function_args("uri_part", fn_uri_part, 2) .with_function_args("substring", fn_substring, 3) .with_function_args("split", fn_split, 2) + .with_function_args("rsplit", fn_rsplit, 2) .with_function_args("strip_prefix", fn_strip_prefix, 2) .with_function_args("strip_suffix", fn_strip_suffix, 2) .with_function_args("is_intersect", fn_is_intersect, 2) diff --git a/crates/smtp/src/scripts/functions/text.rs b/crates/smtp/src/scripts/functions/text.rs index 475e703a..947ad5cd 100644 --- a/crates/smtp/src/scripts/functions/text.rs +++ b/crates/smtp/src/scripts/functions/text.rs @@ -50,25 +50,6 @@ pub fn fn_len<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Var .into() } -pub fn fn_is_ascii<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { - match &v[0] { - Variable::String(s) => s.chars().all(|c| c.is_ascii()), - Variable::StringRef(s) => s.chars().all(|c| c.is_ascii()), - Variable::Integer(_) | Variable::Float(_) => true, - Variable::Array(a) => a.iter().all(|v| match v { - Variable::String(s) => s.chars().all(|c| c.is_ascii()), - Variable::StringRef(s) => s.chars().all(|c| c.is_ascii()), - _ => true, - }), - Variable::ArrayRef(a) => a.iter().all(|v| match v { - Variable::String(s) => s.chars().all(|c| c.is_ascii()), - Variable::StringRef(s) => s.chars().all(|c| c.is_ascii()), - _ => true, - }), - } - .into() -} - pub fn fn_to_lowercase<'x>( _: &'x Context<'x, SieveContext>, mut v: Vec<Variable<'x>>, @@ -129,6 +110,14 @@ pub fn fn_is_lowercase<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x> .into() } +pub fn fn_has_digits<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + v[0].to_cow() + .as_ref() + .chars() + .any(|c| c.is_ascii_digit()) + .into() +} + pub fn fn_tokenize_words<'x>( _: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>, @@ -305,52 +294,24 @@ pub fn fn_split<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> V } } -pub fn fn_tokenize_url<'x>( - ctx: &'x Context<'x, SieveContext>, - mut v: Vec<Variable<'x>>, -) -> Variable<'x> { - let must_have_scheme = v[1].to_bool(); - let filter_url = |url: &str| -> bool { - if must_have_scheme || url.contains("://") { - true - } else { - // Filter out possible URLs without a valid TLD - let url = url.split_once('/').map_or(url, |(f, _)| f); - let tld = url.rsplit_once('.').map_or(url, |(_, tld)| tld); - ctx.context().psl.contains(tld) - } - }; - - match v.remove(0) { - Variable::StringRef(text) => linkify::LinkFinder::new() - .url_must_have_scheme(must_have_scheme) - .links(text.as_ref()) - .filter_map(|url| { - let url = url.as_str(); - if filter_url(url) { - Some(Variable::from(url.to_string())) - } else { - None - } - }) +pub fn fn_rsplit<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + match &v[0] { + Variable::StringRef(s) => s + .rsplit(v[1].to_cow().as_ref()) + .map(Variable::from) + .collect::<Vec<_>>() + .into(), + Variable::String(s) => s + .rsplit(v[1].to_cow().as_ref()) + .map(|s| Variable::String(s.to_string())) + .collect::<Vec<_>>() + .into(), + val => val + .to_string() + .rsplit(v[1].to_cow().as_ref()) + .map(|s| Variable::String(s.to_string())) .collect::<Vec<_>>() .into(), - v @ (Variable::String(_) | Variable::Array(_) | Variable::ArrayRef(_)) => { - linkify::LinkFinder::new() - .url_must_have_scheme(must_have_scheme) - .links(v.to_cow().as_ref()) - .filter_map(|url| { - let url = url.as_str(); - if filter_url(url) { - Some(Variable::from(url.to_string())) - } else { - None - } - }) - .collect::<Vec<_>>() - .into() - } - v => v, } } diff --git a/crates/smtp/src/scripts/functions/unicode.rs b/crates/smtp/src/scripts/functions/unicode.rs new file mode 100644 index 00000000..21fbca67 --- /dev/null +++ b/crates/smtp/src/scripts/functions/unicode.rs @@ -0,0 +1,134 @@ +/* + * Copyright (c) 2023 Stalwart Labs Ltd. + * + * This file is part of Stalwart Mail Server. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * in the LICENSE file at the top-level directory of this distribution. + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * You can be released from the requirements of the AGPLv3 license by + * purchasing a commercial license. Please contact licensing@stalw.art + * for more details. +*/ + +use sieve::{runtime::Variable, Context}; +use unicode_security::MixedScript; + +use crate::config::scripts::SieveContext; + +pub fn fn_is_ascii<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + match &v[0] { + Variable::String(s) => s.chars().all(|c| c.is_ascii()), + Variable::StringRef(s) => s.chars().all(|c| c.is_ascii()), + Variable::Integer(_) | Variable::Float(_) => true, + Variable::Array(a) => a.iter().all(|v| match v { + Variable::String(s) => s.chars().all(|c| c.is_ascii()), + Variable::StringRef(s) => s.chars().all(|c| c.is_ascii()), + _ => true, + }), + Variable::ArrayRef(a) => a.iter().all(|v| match v { + Variable::String(s) => s.chars().all(|c| c.is_ascii()), + Variable::StringRef(s) => s.chars().all(|c| c.is_ascii()), + _ => true, + }), + } + .into() +} + +pub fn fn_has_zwsp<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + match &v[0] { + Variable::String(s) => s.chars().any(|c| c.is_zwsp()), + Variable::StringRef(s) => s.chars().any(|c| c.is_zwsp()), + Variable::Array(a) => a.iter().any(|v| match v { + Variable::String(s) => s.chars().any(|c| c.is_zwsp()), + Variable::StringRef(s) => s.chars().any(|c| c.is_zwsp()), + _ => true, + }), + Variable::ArrayRef(a) => a.iter().any(|v| match v { + Variable::String(s) => s.chars().any(|c| c.is_zwsp()), + Variable::StringRef(s) => s.chars().any(|c| c.is_zwsp()), + _ => true, + }), + Variable::Integer(_) | Variable::Float(_) => false, + } + .into() +} + +pub fn fn_has_obscured<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + match &v[0] { + Variable::String(s) => s.chars().any(|c| c.is_obscured()), + Variable::StringRef(s) => s.chars().any(|c| c.is_obscured()), + Variable::Array(a) => a.iter().any(|v| match v { + Variable::String(s) => s.chars().any(|c| c.is_obscured()), + Variable::StringRef(s) => s.chars().any(|c| c.is_obscured()), + _ => true, + }), + Variable::ArrayRef(a) => a.iter().any(|v| match v { + Variable::String(s) => s.chars().any(|c| c.is_obscured()), + Variable::StringRef(s) => s.chars().any(|c| c.is_obscured()), + _ => true, + }), + Variable::Integer(_) | Variable::Float(_) => false, + } + .into() +} + +trait CharUtils { + fn is_zwsp(&self) -> bool; + fn is_obscured(&self) -> bool; +} + +impl CharUtils for char { + fn is_zwsp(&self) -> bool { + matches!( + self, + '\u{200B}' | '\u{200C}' | '\u{200D}' | '\u{FEFF}' | '\u{00AD}' + ) + } + + fn is_obscured(&self) -> bool { + matches!( + self, + '\u{200B}'..='\u{200F}' + | '\u{2028}'..='\u{202F}' + | '\u{205F}'..='\u{206F}' + | '\u{FEFF}' + ) + } +} + +pub fn fn_cure_text<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + decancer::cure(v[0].to_cow().as_ref()).into_str().into() +} + +pub fn fn_unicode_skeleton<'x>( + _: &'x Context<'x, SieveContext>, + v: Vec<Variable<'x>>, +) -> Variable<'x> { + unicode_security::skeleton(v[0].to_cow().as_ref()) + .collect::<String>() + .into() +} + +pub fn fn_is_single_script<'x>( + _: &'x Context<'x, SieveContext>, + v: Vec<Variable<'x>>, +) -> Variable<'x> { + let text = v[0].to_cow(); + if !text.is_empty() { + text.as_ref().is_single_script() + } else { + true + } + .into() +} diff --git a/crates/smtp/src/scripts/functions/url.rs b/crates/smtp/src/scripts/functions/url.rs new file mode 100644 index 00000000..94c69763 --- /dev/null +++ b/crates/smtp/src/scripts/functions/url.rs @@ -0,0 +1,134 @@ +/* + * Copyright (c) 2023 Stalwart Labs Ltd. + * + * This file is part of Stalwart Mail Server. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * in the LICENSE file at the top-level directory of this distribution. + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * You can be released from the requirements of the AGPLv3 license by + * purchasing a commercial license. Please contact licensing@stalw.art + * for more details. +*/ + +use std::net::IpAddr; + +use hyper::Uri; +use sieve::{runtime::Variable, Context}; + +use crate::config::scripts::SieveContext; + +pub fn fn_tokenize_url<'x>( + ctx: &'x Context<'x, SieveContext>, + mut v: Vec<Variable<'x>>, +) -> Variable<'x> { + let must_have_scheme = v[1].to_bool(); + + match v.remove(0) { + Variable::StringRef(text) => linkify::LinkFinder::new() + .url_must_have_scheme(must_have_scheme) + .links(text.as_ref()) + .filter_map(|url| filter_url(url.as_str(), must_have_scheme, ctx)) + .collect::<Vec<_>>() + .into(), + v @ (Variable::String(_) | Variable::Array(_) | Variable::ArrayRef(_)) => { + linkify::LinkFinder::new() + .url_must_have_scheme(must_have_scheme) + .links(v.to_cow().as_ref()) + .filter_map(|url| { + filter_url(url.as_str(), must_have_scheme, ctx).map(|v| v.into_owned()) + }) + .collect::<Vec<_>>() + .into() + } + v => v, + } +} + +fn filter_url<'x, 'y>( + url: &'x str, + must_have_scheme: bool, + ctx: &'y Context<'y, SieveContext>, +) -> Option<Variable<'x>> { + if must_have_scheme || url.contains("://") { + Some(Variable::StringRef(url)) + } else { + // Filter out possible URLs without a valid TLD + let host = url.split_once('/').map_or(url, |(f, _)| f); + if (host + .as_bytes() + .first() + .map_or(true, |ch| ch.is_ascii_hexdigit()) + && host.parse::<IpAddr>().is_ok()) + || ctx + .context() + .psl + .contains(host.rsplit_once('.').map_or(host, |(_, tld)| tld)) + || host.ends_with(".onion") + { + Some(Variable::String(format!("https://{url}"))) + } else { + None + } + } +} + +pub fn fn_uri_part<'x>(_: &'x Context<'x, SieveContext>, v: Vec<Variable<'x>>) -> Variable<'x> { + v[0].to_cow() + .parse::<Uri>() + .ok() + .and_then(|uri| match v[1].to_cow().as_ref() { + "scheme" => uri.scheme_str().map(|s| Variable::String(s.to_lowercase())), + "host" => uri.host().map(|s| Variable::String(s.to_lowercase())), + "scheme_host" => uri + .scheme_str() + .and_then(|s| (s, uri.host()?).into()) + .map(|(s, h)| Variable::String(format!("{}://{}", s, h))), + "path" => Variable::String(uri.path().to_string()).into(), + "port" => uri.port_u16().map(|port| Variable::Integer(port as i64)), + "query" => uri.query().map(|s| Variable::String(s.to_string())), + "path_query" => uri + .path_and_query() + .map(|s| Variable::String(s.to_string())), + "authority" => uri.authority().map(|s| Variable::String(s.to_string())), + _ => None, + }) + .unwrap_or_default() +} + +pub fn fn_puny_decode<'x>( + _: &'x Context<'x, SieveContext>, + mut v: Vec<Variable<'x>>, +) -> Variable<'x> { + let domain = v[0].to_cow(); + if domain.contains("xn--") { + let mut decoded = String::with_capacity(domain.len()); + for part in domain.split('.') { + if !decoded.is_empty() { + decoded.push('.'); + } + + if let Some(puny) = part + .strip_prefix("xn--") + .and_then(idna::punycode::decode_to_string) + { + decoded.push_str(&puny); + } else { + decoded.push_str(part); + } + } + decoded.into() + } else { + v.remove(0) + } +} diff --git a/crates/smtp/src/scripts/plugins/dns.rs b/crates/smtp/src/scripts/plugins/dns.rs new file mode 100644 index 00000000..057189d1 --- /dev/null +++ b/crates/smtp/src/scripts/plugins/dns.rs @@ -0,0 +1,182 @@ +/* + * Copyright (c) 2023 Stalwart Labs Ltd. + * + * This file is part of Stalwart Mail Server. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * in the LICENSE file at the top-level directory of this distribution. + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * You can be released from the requirements of the AGPLv3 license by + * purchasing a commercial license. Please contact licensing@stalw.art + * for more details. +*/ + +use std::net::IpAddr; + +use mail_auth::IpLookupStrategy; +use sieve::{runtime::Variable, FunctionMap}; + +use crate::config::scripts::SieveContext; + +use super::PluginContext; + +pub fn register(plugin_id: u32, fnc_map: &mut FunctionMap<SieveContext>) { + fnc_map.set_external_function("dns_query", plugin_id, 2); +} + +pub fn register_exists(plugin_id: u32, fnc_map: &mut FunctionMap<SieveContext>) { + fnc_map.set_external_function("dns_exists", plugin_id, 2); +} + +pub fn exec(ctx: PluginContext<'_>) -> Variable<'static> { + let entry = ctx.arguments[0].to_cow(); + let record_type = ctx.arguments[1].to_cow(); + + if record_type.eq_ignore_ascii_case("ip") { + match ctx.handle.block_on(ctx.core.resolvers.dns.ip_lookup( + entry.as_ref(), + IpLookupStrategy::Ipv4thenIpv6, + 10, + )) { + Ok(result) => result + .iter() + .map(|ip| Variable::String(ip.to_string())) + .collect::<Vec<_>>() + .into(), + Err(err) => err.short_error().into(), + } + } else if record_type.eq_ignore_ascii_case("mx") { + match ctx + .handle + .block_on(ctx.core.resolvers.dns.mx_lookup(entry.as_ref())) + { + Ok(result) => result + .iter() + .flat_map(|mx| { + mx.exchanges + .iter() + .map(|host| Variable::String(format!("{} {}", mx.preference, host))) + }) + .collect::<Vec<_>>() + .into(), + Err(err) => err.short_error().into(), + } + } else if record_type.eq_ignore_ascii_case("ptr") { + if let Ok(addr) = entry.parse::<IpAddr>() { + match ctx.handle.block_on(ctx.core.resolvers.dns.ptr_lookup(addr)) { + Ok(result) => result + .iter() + .map(|host| Variable::String(host.to_string())) + .collect::<Vec<_>>() + .into(), + Err(err) => err.short_error().into(), + } + } else { + Variable::default() + } + } else if record_type.eq_ignore_ascii_case("ipv4") { + match ctx + .handle + .block_on(ctx.core.resolvers.dns.ipv4_lookup(entry.as_ref())) + { + Ok(result) => result + .iter() + .map(|ip| Variable::String(ip.to_string())) + .collect::<Vec<_>>() + .into(), + Err(err) => err.short_error().into(), + } + } else if record_type.eq_ignore_ascii_case("ipv6") { + match ctx + .handle + .block_on(ctx.core.resolvers.dns.ipv6_lookup(entry.as_ref())) + { + Ok(result) => result + .iter() + .map(|ip| Variable::String(ip.to_string())) + .collect::<Vec<_>>() + .into(), + Err(err) => err.short_error().into(), + } + } else { + Variable::default() + } +} + +pub fn exec_exists(ctx: PluginContext<'_>) -> Variable<'static> { + let entry = ctx.arguments[0].to_cow(); + let record_type = ctx.arguments[1].to_cow(); + + if record_type.eq_ignore_ascii_case("ip") { + match ctx.handle.block_on(ctx.core.resolvers.dns.ip_lookup( + entry.as_ref(), + IpLookupStrategy::Ipv4thenIpv6, + 10, + )) { + Ok(result) => !result.is_empty(), + Err(_) => false, + } + } else if record_type.eq_ignore_ascii_case("mx") { + match ctx + .handle + .block_on(ctx.core.resolvers.dns.mx_lookup(entry.as_ref())) + { + Ok(result) => result.iter().any(|mx| !mx.exchanges.is_empty()), + Err(_) => false, + } + } else if record_type.eq_ignore_ascii_case("ptr") { + if let Ok(addr) = entry.parse::<IpAddr>() { + match ctx.handle.block_on(ctx.core.resolvers.dns.ptr_lookup(addr)) { + Ok(result) => !result.is_empty(), + Err(_) => false, + } + } else { + false + } + } else if record_type.eq_ignore_ascii_case("ipv4") { + match ctx + .handle + .block_on(ctx.core.resolvers.dns.ipv4_lookup(entry.as_ref())) + { + Ok(result) => !result.is_empty(), + Err(_) => false, + } + } else if record_type.eq_ignore_ascii_case("ipv6") { + match ctx + .handle + .block_on(ctx.core.resolvers.dns.ipv6_lookup(entry.as_ref())) + { + Ok(result) => !result.is_empty(), + Err(_) => false, + } + } else { + false + } + .into() +} + +trait ShortError { + fn short_error(&self) -> &'static str; +} + +impl ShortError for mail_auth::Error { + fn short_error(&self) -> &'static str { + match self { + mail_auth::Error::DnsError(_) => "temp_fail", + mail_auth::Error::DnsRecordNotFound(_) => "not_found", + mail_auth::Error::Io(_) => "io_error", + mail_auth::Error::InvalidRecordType => "invalid_record", + _ => "unknown_error", + } + } +} diff --git a/crates/smtp/src/scripts/plugins/http.rs b/crates/smtp/src/scripts/plugins/http.rs new file mode 100644 index 00000000..54ecb4b5 --- /dev/null +++ b/crates/smtp/src/scripts/plugins/http.rs @@ -0,0 +1,70 @@ +/* + * Copyright (c) 2023 Stalwart Labs Ltd. + * + * This file is part of Stalwart Mail Server. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * in the LICENSE file at the top-level directory of this distribution. + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * You can be released from the requirements of the AGPLv3 license by + * purchasing a commercial license. Please contact licensing@stalw.art + * for more details. +*/ + +use std::time::Duration; + +use reqwest::redirect::Policy; +use sieve::{runtime::Variable, FunctionMap}; + +use crate::config::scripts::SieveContext; + +use super::PluginContext; + +pub fn register_header(plugin_id: u32, fnc_map: &mut FunctionMap<SieveContext>) { + fnc_map.set_external_function("http_header", plugin_id, 4); +} + +pub fn exec_header(ctx: PluginContext<'_>) -> Variable<'static> { + let url = ctx.arguments[0].to_cow(); + let header = ctx.arguments[1].to_cow(); + let agent = ctx.arguments[2].to_cow(); + let timeout = ctx.arguments[3].to_cow().parse::<u64>().unwrap_or(5000); + + #[cfg(feature = "test_mode")] + if url.contains("redirect.") { + return Variable::String(url.split_once("/?").unwrap().1.to_string()); + } + + if let Ok(client) = reqwest::Client::builder() + .user_agent(agent.as_ref()) + .timeout(Duration::from_millis(timeout)) + .redirect(Policy::none()) + .danger_accept_invalid_certs(true) + .build() + { + let _enter = ctx.handle.enter(); + ctx.handle + .block_on(client.get(url.as_ref()).send()) + .ok() + .and_then(|response| { + response + .headers() + .get(header.as_ref()) + .and_then(|h| h.to_str().ok()) + .map(|h| Variable::String(h.to_string())) + }) + .unwrap_or_default() + } else { + false.into() + } +} diff --git a/crates/smtp/src/scripts/plugins/lookup.rs b/crates/smtp/src/scripts/plugins/lookup.rs new file mode 100644 index 00000000..af8eb23d --- /dev/null +++ b/crates/smtp/src/scripts/plugins/lookup.rs @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2023 Stalwart Labs Ltd. + * + * This file is part of Stalwart Mail Server. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * in the LICENSE file at the top-level directory of this distribution. + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * You can be released from the requirements of the AGPLv3 license by + * purchasing a commercial license. Please contact licensing@stalw.art + * for more details. +*/ + +use sieve::{runtime::Variable, FunctionMap}; + +use crate::config::scripts::SieveContext; + +use super::PluginContext; + +pub fn register(plugin_id: u32, fnc_map: &mut FunctionMap<SieveContext>) { + fnc_map.set_external_function("lookup", plugin_id, 2); +} + +pub fn exec(ctx: PluginContext<'_>) -> Variable<'static> { + let lookup_id = ctx.arguments[0].to_cow(); + let item = ctx.arguments[1].to_cow(); + let span = ctx.span; + + if !lookup_id.is_empty() && !item.is_empty() { + if let Some(lookup) = ctx.core.sieve.lookup.get(lookup_id.as_ref()) { + return ctx + .handle + .block_on(lookup.contains(item.as_ref())) + .unwrap_or(false) + .into(); + } else { + tracing::warn!( + parent: span, + context = "sieve:lookup", + event = "failed", + reason = "Unknown lookup id", + lookup_id = %lookup_id, + ); + } + } + + false.into() +} diff --git a/crates/smtp/src/scripts/plugins/mod.rs b/crates/smtp/src/scripts/plugins/mod.rs index ad5099e4..0ccb2171 100644 --- a/crates/smtp/src/scripts/plugins/mod.rs +++ b/crates/smtp/src/scripts/plugins/mod.rs @@ -21,7 +21,10 @@ * for more details. */ +pub mod dns; pub mod exec; +pub mod http; +pub mod lookup; pub mod query; use ahash::AHashMap; @@ -43,8 +46,22 @@ pub struct PluginContext<'x> { pub arguments: Vec<Variable<'static>>, } -const PLUGINS_EXEC: [ExecPluginFnc; 2] = [query::exec, exec::exec]; -const PLUGINS_REGISTER: [RegisterPluginFnc; 2] = [query::register, exec::register]; +const PLUGINS_EXEC: [ExecPluginFnc; 6] = [ + query::exec, + exec::exec, + lookup::exec, + dns::exec, + dns::exec_exists, + http::exec_header, +]; +const PLUGINS_REGISTER: [RegisterPluginFnc; 6] = [ + query::register, + exec::register, + lookup::register, + dns::register, + dns::register_exists, + http::register_header, +]; pub trait RegisterSievePlugins { fn register_plugins(self) -> Self; diff --git a/resources/config/lists/redirectors.inc b/resources/config/lists/redirectors.inc index e976280b..d3e9d22b 100644 --- a/resources/config/lists/redirectors.inc +++ b/resources/config/lists/redirectors.inc @@ -1015,9 +1015,9 @@ wurl.in wurl.us wuw.su ww.tl -www.clickmeeting.com -www.grandstreamnetworks.ru -www.reg.ru +clickmeeting.com +grandstreamnetworks.ru +reg.ru wz.ae x2t.com xaa.su diff --git a/resources/config/sieve/date.sieve b/resources/config/sieve/date.sieve index 99057fc6..cf02dda3 100644 --- a/resources/config/sieve/date.sieve +++ b/resources/config/sieve/date.sieve @@ -1,4 +1,4 @@ -if eval "!is_empty(header.date.raw)" { +if eval "header.date.exists" { let "date" "header.date.date"; if eval "date != 0" { diff --git a/resources/config/sieve/from.sieve b/resources/config/sieve/from.sieve index baab379d..93f624ef 100644 --- a/resources/config/sieve/from.sieve +++ b/resources/config/sieve/from.sieve @@ -21,9 +21,9 @@ if eval "from_count > 0" { let "t.WWW_DOT_DOMAIN" "1"; } - if string :list "${from_domain_sld}" "spam/free-domains" { + if eval "lookup('spam/free-domains', from_domain_sld)" { let "t.FREEMAIL_FROM" "1"; - } elsif string :list "${from_domain_sld}" "spam/disposable-domains" { + } elsif eval "lookup('spam/disposable-domains', from_domain_sld)" { let "t.DISPOSABLE_FROM" "1"; } } else { @@ -132,9 +132,9 @@ if eval "!is_empty(envelope.from)" { let "envfrom_domain_sld" "domain_part(email_part(envelope.from, 'domain'), 'sld')"; if eval "!is_empty(envfrom_domain_sld)" { - if string :list "${envfrom_domain_sld}" "spam/free-domains" { + if eval "lookup('spam/free-domains', envfrom_domain_sld)" { let "t.FREEMAIL_ENVFROM" "1"; - } elsif string :list "${envfrom_domain_sld}" "spam/disposable-domains" { + } elsif eval "lookup('spam/disposable-domains', envfrom_domain_sld)" { let "t.DISPOSABLE_ENVFROM" "1"; } } diff --git a/resources/config/sieve/headers.sieve b/resources/config/sieve/headers.sieve new file mode 100644 index 00000000..f0f67e3e --- /dev/null +++ b/resources/config/sieve/headers.sieve @@ -0,0 +1,118 @@ + + +if eval "header.x-priority.exists" { + let "xp" "header.x-priority"; + if eval "xp == 0" { + let "t.HAS_X_PRIO_ZERO" "1"; + } elsif eval "xp == 1" { + let "t.HAS_X_PRIO_ONE" "1"; + } elsif eval "xp == 2" { + let "t.HAS_X_PRIO_TWO" "1"; + } elsif eval "xp <= 4" { + let "t.HAS_X_PRIO_THREE" "1"; + } elsif eval "xp >= 5" { + let "t.HAS_X_PRIO_FIVE" "1"; + } +} + +let "unique_header_names" "to_lowercase(header.Content-Type:Content-Transfer-Encoding:Date:From:Sender:Reply-To:To:Cc:Bcc:Message-ID:In-Reply-To:References:Subject[*].raw_name)"; +if eval "count(unique_header_names) != count(dedup(unique_header_names))" { + let "t.MULTIPLE_UNIQUE_HEADERS" "1"; +} + +# Wrong case X-Mailer +if eval "header.x-mailer.exists && header.x-mailer.raw_name != 'X-Mailer'" { + let "t.XM_CASE" "1"; +} + +# Has organization header +if eval "header.organization:organisation.exists" { + let "t.HAS_ORG_HEADER" "1"; +} + +# Has X-Originating-IP header +if eval "header.X-Originating-IP.exists" { + let "t.HAS_XOIP" "1"; +} + +# Has List-Unsubscribe header +if eval "header.List-Unsubscribe.exists" { + let "t.HAS_LIST_UNSUB" "1"; +} + +# Missing version number in X-Mailer or User-Agent headers +if eval "(header.X-Mailer.exists && !has_digits(header.X-Mailer)) || (header.User-Agent.exists && !has_digits(header.User-Agent))" { + let "t.XM_UA_NO_VERSION" "1"; +} + +# Precedence is bulk +if eval "eq_ignore_case(header.Precedence, 'bulk')" { + let "t.PRECEDENCE_BULK" "1"; +} + +# Upstream SPAM filtering +if eval "contains_ignore_case(header.X-KLMS-AntiSpam-Status, 'spam')" { + # Kaspersky Security for Mail Server says this message is spam + let "t.KLMS_SPAM" "1"; +} +let "spam_hdr" "to_lowercase(header.X-Spam:X-Spam-Flag:X-Spam-Status)"; +if eval "contains(spam_hdr, 'yes') || contains(spam_hdr, 'true') || contains(spam_hdr, 'spam')" { + # Message was already marked as spam + let "t.SPAM_FLAG" "1"; +} +if eval "contains_ignore_case(header.X-UI-Filterresults:X-UI-Out-Filterresults, 'junk')" { + # United Internet says this message is spam + let "t.UNITEDINTERNET_SPAM" "1"; +} + +# Compromised hosts +if eval "header.X-PHP-Originating-Script.exists" { + let "t.HAS_X_POS" "1"; + if eval "contains(header.X-PHP-Originating-Script, 'eval()')" { + let "t.X_PHP_EVAL" "1"; + } + if eval "contains(header.X-PHP-Originating-Script, '../')" { + let "t.HIDDEN_SOURCE_OBJ" "1"; + } +} +if eval "header.X-PHP-Script.exists" { + let "t.HAS_X_PHP_SCRIPT" "1"; + if eval "contains(header.X-PHP-Script, 'eval()')" { + let "t.X_PHP_EVAL" "1"; + } + if eval "contains(header.X-PHP-Script, 'sendmail.php')" { + let "t.PHP_XPS_PATTERN" "1"; + } + if eval "contains(header.X-PHP-Script, '../')" { + let "t.HIDDEN_SOURCE_OBJ" "1"; + } +} +if eval "header.X-Source:X-Source-Args:X-Source-Dir.exists" { + let "t.HAS_X_SOURCE" "1"; + if eval "contains(header.X-Source-Args, '../')" { + let "t.HIDDEN_SOURCE_OBJ" "1"; + } +} +if eval "contains(header.X-Authenticated-Sender, ': ')" { + let "t.HAS_X_AS" "1"; +} +if eval "contains(header.X-Get-Message-Sender-Via, 'authenticated_id:')" { + let "t.HAS_X_GMSV" "1"; +} +if eval "header.X-AntiAbuse.exists" { + let "t.HAS_X_ANTIABUSE" "1"; +} +if eval "header.X-Authentication-Warning.exists" { + let "t.HAS_XAW" "1"; +} + +# Check for empty delimiters in raw headers +let "raw_headers" "header.from:to:cc:subject:reply-to:date[*].raw"; +let "i" "count(raw_headers)"; +while "i > 0" { + let "i" "i - 1"; + if eval "!starts_with(raw_headers[i], ' ')" { + let "t.HEADER_EMPTY_DELIMITER" "1"; + break; + } +} diff --git a/resources/config/sieve/html.sieve b/resources/config/sieve/html.sieve index 8bef5cf5..3ba05d4c 100644 --- a/resources/config/sieve/html.sieve +++ b/resources/config/sieve/html.sieve @@ -5,8 +5,9 @@ if eval "header.content-type == 'text/html'" { } foreverypart { - if eval "is_body() && eq_ignore_case(header.content-type, 'text/html')" { + if eval "eq_ignore_case(header.content-type, 'text/html')" { # Tokenize HTML + let "is_body_part" "is_body()"; let "html_tokens" "tokenize_html(part.text)"; let "html_tokens_len" "len(html_tokens)"; let "html_char_count" "0"; @@ -19,6 +20,7 @@ foreverypart { let "in_head" "0"; let "in_body" "0"; let "in_anchor" "0"; + let "in_anchor_href_ip" "0"; let "in_anchor_href" ""; let "i" "0"; @@ -35,26 +37,44 @@ foreverypart { let "text" "to_lowercase(trim(strip_prefix(token, '_')))"; let "html_words" "html_words + len(tokenize_words(text))"; - if eval "starts_with(text, 'https://') || starts_with(text, 'http://')" { + let "uris" "tokenize_url(text, false)"; + + if eval "!is_empty(uris)" { let "has_uri" "1"; - if eval "in_anchor && !is_empty(in_anchor_href) && - uri_part(text, 'scheme') != uri_part(in_anchor_href, 'scheme')" { - # The anchor text contains a distinct scheme compared to the target URL - let "t.HTTP_TO_HTTPS" "1"; + let "uri" "uris[0]"; + + if eval "in_anchor && !is_empty(in_anchor_href)" { + if eval "contains(text, '://') && + uri_part(uri, 'scheme') != uri_part(in_anchor_href, 'scheme')" { + # The anchor text contains a distinct scheme compared to the target URL + let "t.HTTP_TO_HTTPS" "1"; + } + if eval "(!in_anchor_href_ip && (domain_part(uri_part(uri, 'host'), 'sld') != domain_part(uri_part(in_anchor_href, 'host'), 'sld'))) || + (in_anchor_href_ip && (uri_part(uri, 'host') != uri_part(in_anchor_href, 'host')))" { + let "t.PHISHING" "1"; + } } } elsif eval "!is_empty(text)" { let "has_text" "1"; } } } elsif eval "starts_with(token, '<img')" { - let "dimensions" "html_attr_size(token, 'width', 800) + html_attr_size(token, 'height', 600)"; + if eval "is_body_part" { + let "dimensions" "html_attr_size(token, 'width', 800) + html_attr_size(token, 'height', 600)"; - if eval "in_anchor && dimensions >= 210" { - let "has_link_to_img" "1"; - } - if eval "dimensions > 100" { - # We assume that a single picture 100x200 contains approx 3 words of text - let "html_img_words" "html_img_words + dimensions / 100"; + if eval "in_anchor && dimensions >= 210" { + let "has_link_to_img" "1"; + } + if eval "dimensions > 100" { + # We assume that a single picture 100x200 contains approx 3 words of text + let "html_img_words" "html_img_words + dimensions / 100"; + } + + let "img_src" "html_attr(token, 'src')"; + if eval "starts_with(img_src, 'data:') && contains(img_src, ';base64,')" { + # Has Data URI encoding + let "t.HAS_DATA_URI" "1"; + } } } elsif eval "starts_with(token, '<head')" { let "in_head" "in_head + 1"; @@ -66,45 +86,62 @@ foreverypart { let "in_body" "in_body - 1"; } elsif eval "starts_with(token, '<a ')" { let "in_anchor" "1"; - let "in_anchor_href" "trim(html_attr(token, 'href'))"; + let "in_anchor_href_ip" "0"; + let "in_anchor_href" "to_lowercase(trim(html_attr(token, 'href')))"; - if eval "is_ip_addr(uri_part(in_anchor_href, 'host'))" { + if eval "is_body_part && starts_with(in_anchor_href, 'data:') && contains(in_anchor_href, ';base64,')" { + # Has Data URI encoding + let "t.HAS_DATA_URI" "1"; + if eval "contains(in_anchor_href, 'text/')" { + # Uses Data URI encoding to obfuscate plain or HTML in base64 + let "t.DATA_URI_OBFU" "1"; + } + } elsif eval "is_ip_addr(uri_part(in_anchor_href, 'host'))" { # HTML anchor points to an IP address let "t.HTTP_TO_IP" "1"; + let "in_anchor_href_ip" "1"; } } elsif eval "in_anchor && starts_with(token, '</a')" { let "in_anchor" "0"; - } elsif eval "starts_with(token, '<link') && + } elsif eval "starts_with(token, '<meta ')" { + if eval "eq_ignore_case(html_attr(token, 'http-equiv'), 'refresh') && + contains_ignore_case(html_attr(token, 'content'), 'url=')" { + # HTML meta refresh tag + let "t.HTML_META_REFRESH_URL" "1"; + } + } elsif eval "starts_with(token, '<link') && is_body_part && (contains_ignore_case(html_attr(token, 'rel'), 'stylesheet') || contains_ignore_case(html_attr(token, 'href'), '.css') )" { let "t.EXT_CSS" "1"; } } - # Check for unbalanced tags - if eval "in_head != 0 || in_body != 0" { - let "t.HTML_UNBALANCED_TAG" "1"; - } + if eval "is_body_part" { + # Check for unbalanced tags + if eval "in_head != 0 || in_body != 0" { + let "t.HTML_UNBALANCED_TAG" "1"; + } - # Check for short HTML parts with a link to an image - if eval "has_link_to_img" { - if eval "html_char_count < 1024" { - let "t.HTML_SHORT_LINK_IMG_1" "1"; - } elsif eval "html_char_count < 1536" { - let "t.HTML_SHORT_LINK_IMG_2" "1"; - } elsif eval "html_char_count < 2048" { - let "t.HTML_SHORT_LINK_IMG_3" "1"; + # Check for short HTML parts with a link to an image + if eval "has_link_to_img" { + if eval "html_char_count < 1024" { + let "t.HTML_SHORT_LINK_IMG_1" "1"; + } elsif eval "html_char_count < 1536" { + let "t.HTML_SHORT_LINK_IMG_2" "1"; + } elsif eval "html_char_count < 2048" { + let "t.HTML_SHORT_LINK_IMG_3" "1"; + } + } + + if eval "(!has_link_to_img || html_char_count >= 2048) && + (html_img_words / (html_words + html_img_words) > 0.5)" { + # Message contains more images than text + let "t.HTML_TEXT_IMG_RATIO" "1"; } - } - - if eval "(!has_link_to_img || html_char_count >= 2048) && - (html_img_words / (html_words + html_img_words) > 0.5)" { - # Message contains more images than text - let "t.HTML_TEXT_IMG_RATIO" "1"; - } - if eval "has_uri && !has_text" { - let "t.BODY_URI_ONLY" "1"; + if eval "has_uri && !has_text" { + let "t.BODY_URI_ONLY" "1"; + } } } } diff --git a/resources/config/sieve/mime.sieve b/resources/config/sieve/mime.sieve new file mode 100644 index 00000000..8137c610 --- /dev/null +++ b/resources/config/sieve/mime.sieve @@ -0,0 +1,157 @@ +if eval "!header.mime-version.exists" { + if eval "header.content-type.exists || header.content-transfer-encoding.exists" { + let "t.MISSING_MIME_VERSION" "1"; + } +} elsif eval "header.mime-version.raw_name != 'MIME-Version'" { + let "t.MV_CASE" "1"; +} + +let "has_text_part" "0"; +let "is_encrypted" "0"; + +foreverypart { + let "type" "to_lowercase(header.content-type.type)"; + let "subtype" "to_lowercase(header.content-type.subtype)"; + let "cte" "header.content-transfer-encoding"; + let "part_is_attachment" "is_attachment()"; + + if eval "cte != '' && !is_lowercase(cte)" { + let "cte" "to_lowercase(cte)"; + let "t.CTE_CASE" "1"; + } + + if eval "ends_with(header.content-type.raw, ';')" { + # Content-Type header ends with a semi-colon + let "t.CT_EXTRA_SEMI" "1"; + } + + if eval "type == 'multipart'" { + if eval "subtype == 'alternative'" { + let "has_plain_part" "0"; + let "has_html_part" "0"; + + let "text_part_words" ""; + let "text_part_uris" "0"; + + let "html_part_words" ""; + let "html_part_uris" "0"; + + foreverypart { + let "ma_ct" "to_lowercase(header.content-type)"; + + if eval "!has_plain_part && ma_ct == 'text/plain'" { + let "text_part" "part.text"; + let "text_part_words" "tokenize_words(text_part)"; + let "text_part_uris" "count(tokenize_url(text_part, true))"; + let "has_plain_part" "1"; + } elsif eval "!has_html_part && ma_ct == 'text/html'" { + let "html_part" "html_to_text(part.text)"; + let "html_part_words" "tokenize_words(html_part)"; + let "html_part_uris" "count(tokenize_url(html_part, true))"; + let "has_html_part" "1"; + } + } + + # Multipart message mostly text/html MIME + if eval "has_html_part" { + if eval "!has_plain_part" { + let "t.MIME_MA_MISSING_TEXT" "1"; + } + } elsif eval "has_plain_part" { + let "t.MIME_MA_MISSING_HTML" "1"; + } + + # HTML and text parts are different + if eval "!t.R_PARTS_DIFFER && has_html_part && has_plain_part && + (!is_empty(text_part_words) || !is_empty(html_part_words)) && + cosine_similarity(text_part_words, html_part_words) < 0.95" { + let "t.R_PARTS_DIFFER" "1"; + } + + # Odd URI count between parts + if eval "text_part_uris != html_part_uris" { + set "t.URI_COUNT_ODD" "1"; + } + } elsif eval "subtype == 'mixed'" { + let "num_text_parts" "0"; + let "has_other_part" "0"; + + foreverypart { + if eval "eq_ignore_case(header.content-type.type, 'text') && !is_attachment()" { + let "num_text_parts" "num_text_parts + 1"; + } elsif eval "!eq_ignore_case(header.content-type.type, 'multipart')" { + let "has_other_part" "1"; + } + } + + # Found multipart/mixed without non-textual part + if eval "!has_other_part && num_text_parts < 3" { + let "t.CTYPE_MIXED_BOGUS" "1"; + } + } elsif eval "subtype == 'encrypted'" { + set "is_encrypted" "1"; + } + } elsif eval "type == 'text'" { + # MIME text part claims to be ASCII but isn't + if eval "cte == '' || cte == '7bit'" { + if eval "!is_ascii(part.raw)" { + let "t.R_BAD_CTE_7BIT" "1"; + } + } else { + if eval "cte == 'base64'" { + # Has text part encoded in base64 + let "t.MIME_BASE64_TEXT" "1"; + if eval "is_ascii(part.text)" { + # Has text part encoded in base64 that does not contain any 8bit characters + let "t.MIME_BASE64_TEXT_BOGUS" "1"; + } + } + + if eval "subtype == 'plain' && is_empty(header.content-type.attr.charset)" { + # Charset header is missing + let "t.R_MISSING_CHARSET" "1"; + } + } + let "has_text_part" "1"; + } elsif eval "type == 'application'" { + if eval "subtype == 'pkcs7-mime'" { + let "t.ENCRYPTED_SMIME" "1"; + let "part_is_attachment" "0"; + } elsif eval "subtype == 'pkcs7-signature'" { + let "t.SIGNED_SMIME" "1"; + let "part_is_attachment" "0"; + } elsif eval "subtype == 'pgp-encrypted'" { + let "t.ENCRYPTED_PGP" "1"; + let "part_is_attachment" "0"; + } elsif eval "subtype == 'pgp-signature'" { + let "t.SIGNED_PGP" "1"; + let "part_is_attachment" "0"; + } elsif eval "subtype == 'octet-stream'" { + if eval "!is_encrypted && + !header.content-id.exists && + (!header.content-disposition.exists || + (!eq_ignore_case(header.content-disposition.type, 'attachment') && + is_empty(header.content-disposition.attr.filename)))" { + let "t.CTYPE_MISSING_DISPOSITION" "1"; + } + } + } + + if eval "is_empty(type)" { + if eval "header.content-type.exists" { + let "t.BROKEN_CONTENT_TYPE" "1"; + } + } elsif eval "!header.Content-Disposition:Content-Transfer-Encoding:MIME-Version.exists && (type != 'text' || subtype != 'plain')" { + # Only Content-Type header without other MIME headers + let "t.MIME_HEADER_CTYPE_ONLY" "1"; + } + + if eval "part_is_attachment" { + # Has a MIME attachment + let "t.HAS_ATTACHMENT" "1"; + } +} + +if eval "has_text_part && (t.ENCRYPTED_SMIME || t.SIGNED_SMIME || t.ENCRYPTED_PGP || t.SIGNED_PGP)" { + let "t.BOGUS_ENCRYPTED_AND_TEXT" "1"; +} diff --git a/resources/config/sieve/recipient.sieve b/resources/config/sieve/recipient.sieve index 32aca51e..93aed0b5 100644 --- a/resources/config/sieve/recipient.sieve +++ b/resources/config/sieve/recipient.sieve @@ -17,8 +17,9 @@ if eval "!is_empty(to_raw)" { let "t.MISSING_TO" "1"; } -let "rcpt_addr" "to_lowercase(header.to:cc:bcc[*].addr[*])"; -let "rcpt_count" "count(winnow(rcpt_addr))"; +let "rcpt_addr" "dedup(to_lowercase(header.to:cc:bcc[*].addr[*]))"; +let "rcpt_addr_clean" "winnow(rcpt_addr)"; +let "rcpt_count" "count(rcpt_addr_clean)"; if eval "rcpt_count > 0" { if eval "rcpt_count == 1" { @@ -80,16 +81,24 @@ if eval "rcpt_count > 0" { } } + # Check if it is an into to info + if eval "!t.INFO_TO_INFO_LU && + local_part == 'info' && + eq_ignore_case(email_part(header.from.addr, 'local'), 'info') && + header.List-Unsubscribe.exists" { + let "t.INFO_TO_INFO_LU" "1"; + } + # Check for freemail or disposable domains let "domain" "domain_part(email_part(addr, 'domain'), 'sld')"; if eval "!is_empty(domain)" { - if string :list "${domain}" "spam/free-domains" { + if eval "lookup('spam/free-domains', domain)" { if eval "!t.FREEMAIL_TO && contains_ignore_case(header.to[*].addr[*], addr)" { let "t.FREEMAIL_TO" "1"; } elsif eval "!t.FREEMAIL_CC && contains_ignore_case(header.cc[*].addr[*], addr)" { let "t.FREEMAIL_CC" "1"; } - } elsif string :list "${domain}" "spam/disposable-domains" { + } elsif eval "lookup('spam/disposable-domains', domain)" { if eval "!t.DISPOSABLE_TO && contains_ignore_case(header.to[*].addr[*], addr)" { let "t.DISPOSABLE_TO" "1"; } elsif eval "!t.DISPOSABLE_CC && contains_ignore_case(header.cc[*].addr[*], addr)" { @@ -142,6 +151,58 @@ if eval "rcpt_count > 0" { starts_with(envelope.from, 'mailer-daemon@'))" { let "t.HFILTER_RCPT_BOUNCEMOREONE" "1"; } + + # Check for sorted recipients + if eval "rcpt_count >= 7 && sort(rcpt_addr_clean, false) == rcpt_addr_clean" { + let "t.SORTED_RECIPS" "1"; + } + + # Check for suspiciously similar recipients + if eval "!t.SORTED_RECIPS && rcpt_count => 5" { + let "i" "rcpt_count"; + let "hits" "0"; + let "combinations" "0"; + + while "i" { + let "i" "i - 1"; + let "j" "i"; + while "j" { + let "j" "j - 1"; + let "a" "rcpt_addr_clean[i]"; + let "b" "rcpt_addr_clean[j]"; + + if eval "levenshtein_distance(email_part(a, 'local'), email_part(b, 'local')) < 3" { + let "hits" "hits + 1"; + } + + let "a" "email_part(a, 'domain')"; + let "b" "email_part(b, 'domain')"; + + if eval "a != b && levenshtein_distance(a, b) < 4" { + let "hits" "hits + 1"; + } + + let "combinations" "combinations + 1"; + } + } + + if eval "hits / combinations > 0.65" { + let "t.SUSPICIOUS_RECIPS" "1"; + } + } + + # Check for spaces in recipient addresses + let "raw_to" "header.to:cc[*].raw"; + let "i" "len(raw_to)"; + while "i != 0" { + let "i" "i - 1"; + let "raw_addr" "rsplit(raw_to[i], '<')[0]"; + if eval "contains(raw_addr, '>') && (starts_with(raw_addr, ' ' ) || ends_with(raw_addr, ' >'))" { + let "t.TO_WRAPPED_IN_SPACES" "1"; + break; + } + } + } else { let "t.RCPT_COUNT_ZERO" "1"; diff --git a/resources/config/sieve/replyto.sieve b/resources/config/sieve/replyto.sieve index 594e3244..71e73819 100644 --- a/resources/config/sieve/replyto.sieve +++ b/resources/config/sieve/replyto.sieve @@ -49,13 +49,12 @@ if eval "!is_empty(rto_raw)" { } } - if string :list "${rto_domain}" "spam/free-domains" { + if eval "lookup('spam/free-domains', rto_domain)" { let "t.FREEMAIL_REPLYTO" "1"; - if allof(eval "rto_domain != from_domain", string :list "${from_domain}" "spam/free-domains") { + if eval "rto_domain != from_domain && lookup('spam/free-domains', from_domain)" { let "t.FREEMAIL_REPLYTO_NEQ_FROM_DOM" "1"; } - - } elsif string :list "${rto_domain}" "spam/disposable-domains" { + } elsif eval "lookup('spam/disposable-domains', rto_domain)" { let "t.DISPOSABLE_REPLYTO" "1"; } diff --git a/resources/config/sieve/subject.sieve b/resources/config/sieve/subject.sieve index 415954c1..a9c7db01 100644 --- a/resources/config/sieve/subject.sieve +++ b/resources/config/sieve/subject.sieve @@ -14,7 +14,7 @@ if eval "count_chars(thread_name) > 200" { let "t.SUBJ_VERY_LONG" "1"; } -if eval "contains(subject_lcase, 'http://') || contains(subject_lcase, 'https://')" { +if eval "!is_empty(tokenize_url(subject_lcase, true))" { # Subject contains a URL let "t.URL_IN_SUBJECT" "1"; } diff --git a/resources/config/sieve/url.sieve b/resources/config/sieve/url.sieve new file mode 100644 index 00000000..5373f8cc --- /dev/null +++ b/resources/config/sieve/url.sieve @@ -0,0 +1,114 @@ +let "text_body" "body.to_text"; +let "body_urls" "tokenize_url(text_body, false)"; +let "html_body_urls" "html_attrs(body.html, '', ['href', 'src'])"; +let "urls" "dedup(tokenize_url(header.subject, false) + body_urls + html_body_urls)"; + +if eval "(count(body_urls) == 1 || count(html_body_urls) == 1) && count(tokenize_words(text_body)) == 0" { + let "t.HFILTER_URL_ONLY" "1"; +} + +if eval "has_zwsp(urls)" { + let "t.ZERO_WIDTH_SPACE_URL" "1"; +} elsif eval "has_obscured(urls)" { + let "t.R_SUSPICIOUS_URL" "1"; +} + +let "i" "count(urls)"; +while "i > 0" { + let "i" "i - 1"; + let "url" "urls[i]"; + let "host" "uri_part(url, 'host')"; + + if eval "!is_empty(host)" { + let "is_ip" "is_ip_addr(host)"; + let "host" "puny_decode(host)"; + let "host_lc" "to_lowercase(host)"; + let "host_sld" "domain_part(host_lc, 'sld')"; + + if eval "!is_ip && + (!t.REDIRECTOR_URL || !t.URL_REDIRECTOR_NESTED) && + lookup('spam/redirectors', host_sld)" { + let "t.REDIRECTOR_URL" "1"; + let "redir_count" "1"; + + while "redir_count <= 5" { + # Use a custom user-agent and a 3 second timeout + let "url_redirect" "http_header(url, 'Location', 'Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/118.0', 3000)"; + if eval "!is_empty(url_redirect)" { + let "url" "url_redirect"; + let "host" "uri_part(url, 'host')"; + let "is_ip" "is_ip_addr(host)"; + let "host" "puny_decode(host)"; + let "host_lc" "to_lowercase(host)"; + let "host_sld" "domain_part(host_lc, 'sld')"; + + if eval "!is_ip && lookup('spam/redirectors', host_sld)" { + let "redir_count" "redir_count + 1"; + } else { + break; + } + } else { + break; + } + } + + if eval "redir_count > 5" { + let "t.URL_REDIRECTOR_NESTED" "1"; + } + } + + let "url_lc" "to_lowercase(url)"; + let "query" "uri_part(url_lc, 'path_query')"; + if eval "!is_ip" { + if eval "!is_ascii(host)" { + let "host_cured" "cure_text(host)"; + if eval "host_lc != host_cured" { + if eval "dns_exists(host_cured, 'ip')" { + let "t.OMOGRAPH_URL" "1"; + } else { + let "t.CONFUSABLE_URL" "1"; + } + } + + if eval "!is_single_script(host)" { + let "t.R_MIXED_CHARSET_URL" "1"; + } + } else { + if eval "ends_with(host, 'googleusercontent.com') && starts_with(query, '/proxy/')" { + let "t.HAS_GUC_PROXY_URI" "1"; + } elsif eval "ends_with(host, 'firebasestorage.googleapis.com')" { + let "t.HAS_GOOGLE_FIREBASE_URL" "1"; + } elsif eval "starts_with(domain_part(host, 'sld'), 'google.') && contains(query, 'url?') " { + let "t.HAS_GOOGLE_REDIR" "1"; + } + } + + if eval "(contains(host_lc, 'ipfs.') || contains(query, '/ipfs')) && contains(query, '/qm')" { + # InterPlanetary File System (IPFS) gateway URL, likely malicious + let "t.HAS_IPFS_GATEWAY_URL" "1"; + } elsif eval "ends_with(host_lc, '.onion')" { + let "t.HAS_ONION_URI" "1"; + } + } else { + # URL is an ip address + let "t.R_SUSPICIOUS_URL" "1"; + } + + if eval "starts_with(query, '/wp-')" { + # Contains WordPress URIs + let "t.HAS_WP_URI" "1"; + if eval "starts_with(query, '/wp-content') | starts_with(query, '/wp-includes')" { + # URL that is pointing to a compromised WordPress installation + let "t.WP_COMPROMISED" "1"; + } + } + if eval "contains(query, '/../') && !contains(query, '/well-known') && !contains(query, '/well_known')" { + # Message contains URI with a hidden path + let "t.URI_HIDDEN_PATH" "1"; + } + } else { + # URL could not be parsed + let "t.R_SUSPICIOUS_URL" "1"; + } +} + diff --git a/resources/spamassassin/10_default_prefs.cf b/resources/spamassassin/10_default_prefs.cf deleted file mode 100644 index d63e608b..00000000 --- a/resources/spamassassin/10_default_prefs.cf +++ /dev/null @@ -1,184 +0,0 @@ -# SpamAssassin basic config file -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Default template. Try to keep it under 78 columns (inside the the dots below). -# ........................................................................ -clear_report_template -if can(Mail::SpamAssassin::Conf::feature_yesno_takes_args) -report Spam detection software, running on the system "_HOSTNAME_", -report has_YESNO(, NOT)_ identified this incoming email as_YESNO( possible,)_ spam. The original -report message has been attached to this so you can view it or label -else -report Spam detection software, running on the system "_HOSTNAME_", has -report identified this incoming email as possible spam. The original message -report has been attached to this so you can view it (if it isn't spam) or label -endif -report similar future email. If you have any questions, see -report _CONTACTADDRESS_ for details. -report -report Content preview: _PREVIEW_ -report -report Content analysis details: (_SCORE_ points, _REQD_ required) -report -report " pts rule name description" -report ---- ---------------------- -------------------------------------------------- -report _SUMMARY_ - -# ........................................................................ - -# A 'contact address' users should contact for more info. (replaces -# _CONTACTADDRESS_ above if present) -report_contact @@CONTACT_ADDRESS@@ - -########################################################################### - -# Unsafe-for-viewing message report template. -# -# ...................................................................... -clear_unsafe_report_template -unsafe_report The original message was not completely plain text, and may be unsafe to -unsafe_report open with some email clients; in particular, it may contain a virus, -unsafe_report or confirm that your address can receive spam. If you wish to view -unsafe_report it, it may be safer to save it to a file and open it with an editor. -# ...................................................................... - -########################################################################### -# Database configuration options. -# -# user_scores_dsn MUST be in the form: -# DBI:databasetype:databasename:hostname:port -# ex. DBI:mysql:spamassassin:localhost -# -# user_scores_sql_username is the authorized username to connect to DSN -# user_scores_sql_password is the password for the database username - -#user_scores_dsn DBI:mysql:spamassassin:localhost -#user_scores_sql_username spam -#user_scores_sql_password spamfilter - -########################################################################## -# Headers to be added to mail (can be overriden by users in -# ~/.spamassassin/user_prefs) -# Make sure the header stays entirely on one line here - -clear_headers - -#X-Spam-Checker-Version: SpamAssassin 2.60-cvs (1.188-2003-05-24-exp) -add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_ - -#X-Spam-Flag: YES -add_header spam Flag _YESNOCAPS_ - -#X-Spam-Level: ************* -add_header all Level _STARS(*)_ - -#X-Spam-Status: Yes, score=14.0 required=5.0 tests=BAYES_99,CALL_FREE -# DATE_IN_PAST_12_24,DCC_CHECK,DRASTIC_REDUCED,FROM_HAS_MIXED_NUMS -# FROM_HAS_MIXED_NUMS3,HOME_EMPLOYMENT,INVALID_DATE,INVALID_MSGID -# LINES_OF_YELLING,MSGID_HAS_NO_AT,NO_REAL_NAME,ONCE_IN_LIFETIME -# UNDISC_RECIPS autolearn=spam version=2.60-cvs -add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_" - -########################################################################### -# Default prefs values: users can override these in their -# ~/.spamassassin/user_prefs files. - -# How many points before a mail is considered spam. -required_score 5 - -# Mail using locales used in these country codes will not be marked -# as being possibly spam in a foreign language. -ok_locales all - -# Mail using languages used in these country codes will not be marked -# as being possibly spam in a foreign language. This is an expensive -# classification, so it is is disabled in init.pre by default. -ifplugin Mail::SpamAssassin::Plugin::TextCat -ok_languages all -endif # Mail::SpamAssassin::Plugin::TextCat - -# Mail which scores outside this range will be fed back into SpamAssassin's -# learning system automatically, to train the Bayesian scanner. -ifplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold -bayes_auto_learn_threshold_nonspam 0.1 -bayes_auto_learn_threshold_spam 12.0 -endif # Mail::SpamAssassin::Plugin::AutoLearnThreshold - -# Set this to 0 to turn off auto-learning. -bayes_auto_learn 1 - -# report_safe controls the markup of spam. If you set it to 0, the message -# body of spam messages will not be modified -report_safe 1 - -# Headers to parse for originating IP address -if can(Mail::SpamAssassin::Conf::feature_originating_ip_headers) -clear_originating_ip_headers -originating_ip_headers X-Yahoo-Post-IP X-Originating-IP X-Apparently-From -originating_ip_headers X-SenderIP X-AOL-IP -originating_ip_headers X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp -endif - -if can(Mail::SpamAssassin::Conf::feature_dns_local_ports_permit_avoid) -# leave out the more densely populated port number ranges -dns_local_ports_avoid 0-11000 -# leave out some ephemeral ports, making them available to other programs -dns_local_ports_avoid 49152-49408 -# avoid IANA assigned high port numbers -dns_local_ports_avoid 11000-11001 11106 11111-11112 11161-11165 11201 11208 -dns_local_ports_avoid 11211 11319-11321 11367 11371 11600 11720 11751 11967 -dns_local_ports_avoid 12000-12008 12012-12013 12109 12121 12168 12172 12300 -dns_local_ports_avoid 12321-12322 12345 12753 13160 13216-13218 13223-13224 -dns_local_ports_avoid 13720-13722 13724 13782-13783 13785-13786 13818-13822 -dns_local_ports_avoid 13929 14000-14001 14033-14034 14141-14142 14145 14149 -dns_local_ports_avoid 14154 14250 14414 14936-14937 15000 15345 15363 15555 -dns_local_ports_avoid 15660 15740 16161 16309-16311 16360-16361 16367-16368 -dns_local_ports_avoid 16384 16900 16950 16991-16995 17007 17185 17219 17235 -dns_local_ports_avoid 17500 17729 17754-17756 18000 18181-18187 18241 18262 -dns_local_ports_avoid 18463 18634-18635 18769 18881 18888 19000 19191 19194 -dns_local_ports_avoid 19283 19315 19398 19410-19412 19539-19541 19999-20003 -dns_local_ports_avoid 20005 20014 20034 20046 20049 20167 20202 20222 20480 -dns_local_ports_avoid 20670 20999-21000 21554 21590 21800 21845-21849 -dns_local_ports_avoid 22000-22005 22273 22305 22343 22347 22350 22555 22763 -dns_local_ports_avoid 22800 22951 23000-23005 23272 23333 23400-23402 -dns_local_ports_avoid 24000-24006 24242 24249 24321 24386 24465 24554 -dns_local_ports_avoid 24676-24678 24680 24922 25000-25009 25793 25900-25903 -dns_local_ports_avoid 26000 26133 26208 26260-26263 26486-26487 26489 27345 -dns_local_ports_avoid 27442 27504 27782 27999-28000 28240 29167 30001-30002 -dns_local_ports_avoid 30260 30999 31416 31457 31620 31765 31948-31949 32034 -dns_local_ports_avoid 32249 32483 32635-32636 32767-32777 32801 32896 33123 -dns_local_ports_avoid 33331 33434 33656 34249 34378-34379 34962-34964 34980 -dns_local_ports_avoid 36001 36865 37475 37654 38201-38203 39681 40000 -dns_local_ports_avoid 40841-40843 41111 41794-41795 42508-42510 43188-43190 -dns_local_ports_avoid 43440-43441 44321-44322 44553 44818 45054 45678 45825 -dns_local_ports_avoid 45966 46999-47000 47557 47624 47806 47808 48000-48003 -dns_local_ports_avoid 48128-48129 48556 48619 -endif - -# Some common prefs settings can be set here, to take effect site-wide -# unless the user override them. See the user_prefs.template file for -# explanations. - - diff --git a/resources/spamassassin/10_hasbase.cf b/resources/spamassassin/10_hasbase.cf deleted file mode 100644 index 795b794a..00000000 --- a/resources/spamassassin/10_hasbase.cf +++ /dev/null @@ -1,89 +0,0 @@ -# SpamAssassin rules file: Base __HAS_* rules for meta rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# PLEASE KEEP THIS TIDY - -# According to Bug 6781 - -# Header rules - - -header __HAS_SENDER exists:Sender - -header __HAS_FROM exists:From - -header __HAS_TO exists:To - -header __HAS_CC exists:CC - -header __HAS_REPLY_TO exists:Reply-To - -header __HAS_ORGANIZATION exists:Organization - -# Webmail - -# MUA & User Agents -header __HAS_UA exists:User-Agent -header __HAS_XMAIL exists:X-Mailer - - -# Other -header __HAS_DKIM_SIGHD exists:DKIM-Signature - -header __HAS_TNEF exists:X-MS-TNEF-Correlator - -header __HAS_ERRORS_TO exists:Errors-To -header __HAS_ORIGINALLY exists:X-Originally-To -header __HAS_LIST_ID exists:List-Id -header __HAS_X_BEEN_THERE exists:X-BeenThere -header __HAS_X_REF exists:References -header __HAS_IN_REPLY_TO exists:In-Reply-To -header __XPRIO exists:X-Priority -header __DISPONOT exists:Disposition-Notification-To -header __RRCPTO exists:Return-Receipt-To -header __OLDPEG exists:X-Confirm-Reading-To -header __AOL_IP exists:X-AOL-IP - - -# Rawbody rules - - - -# Mimeheader rules -# should be encapsulated in if ... endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -# Put rules below - - -# -endif - - - - -# URI rules - -uri __HAS_URI /./ diff --git a/resources/spamassassin/20_advance_fee.cf b/resources/spamassassin/20_advance_fee.cf deleted file mode 100644 index a8869101..00000000 --- a/resources/spamassassin/20_advance_fee.cf +++ /dev/null @@ -1,96 +0,0 @@ -# SpamAssassin rules file: advance fee fraud rules (Nigerian 419 scams) -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -# predicate naming used to avoid renumbering -# 1. assign new rules a random unique three letter sequence -# 2. sort on rule definition, not rule name - -header __FRAUD_VQE Subject =~ /^(?:Re:|\[.{1,10}\])?\s*(?:very )?urgent\s+(?:(?:and|&)\s+)?(?:confidential|assistance|business|attention|reply|response|help)\b/i - -body __FRAUD_DBI /(?:\bdollars?\b|\busd(?:ollars)?(?:[0-9]|\b)|\bus\$|\$[0-9,.]{6,}|\$[0-9].{0,8}[mb]illion|\$[0-9.,]{2,10} ?m|\beuros?\b|u[.]?s[.]? [0-9.]+ m)/i -body __FRAUD_KJV /(?:claim|concerning) (?:the|this) money/i -body __FRAUD_IRJ /(?:finance|holding|securit(?:ies|y)) (?:company|firm|storage house)/i -body __FRAUD_NEB /(?:government|bank) of nigeria/i -body __FRAUD_XJR /(?:who was a|as a|an? honest|you being a|to any) foreigner/i -body __FRAUD_DPR /\b(?:(?:respond|reply) (?:urgently|immediately)|(?:urgent|immediate|earliest) (?:reply|response))\b/i -body __FRAUD_PTS /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|kill(?:ed|ing)\b[^.]{0,99}\b(?:war veterans|rebels?))\b/i -body __FRAUD_BEP /\b(?:bank of nigeria|central bank of|trust bank|apex bank|amalgamated bank)\b/i -body __FRAUD_TDP /\b(?:business partner(?:s|ship)?|silent partner(?:s|ship)?)\b/i -body __FRAUD_GAN /\b(?:charles taylor|serena|abacha|gu[eéè]i|sese[- ]?seko|kabila)\b/i -body __FRAUD_IRT /\b(?:compliments? of the|dear friend|dear sir|yours faithfully|season'?s greetings)\b/i -body __FRAUD_AON /\b(?:confidential|private|alternate|alternative) (?:(?:e-? *)?mail)\b/i -body __FRAUD_WNY /\b(?:disburse?(?:ment)?|incurr?(?:ed)?|remunerr?at(?:ed?|ion)|remm?itt?(?:ed|ance|ing)?)\b/i -body __FRAUD_IPK /\b(?:in|to|visit) your country\b/i -body __FRAUD_QXX /\b(?:my name is|i am) (?:mrs?|engr|barrister|dr|prince(?:ss)?)[. ]/i -body __FRAUD_IOU /\b(?:no risks?|risk-? *free|free of risks?|100% safe)\b/i -body __FRAUD_EZY /\b(?:of|the) late president\b/i -body __FRAUD_MLY /\b(?:reply|respond)\b[^.]{0,50}\b(?:to|through)\b[^.]{0,50}\@\b/i -body __FRAUD_ZFJ /\b(?:wife|son|brother|daughter) of the late\b/i -body __FRAUD_KDT /\bU\.?S\.?(?:D\.?)?\s*(?:\$\s*)?(?:\d+,\d+,\d+|\d+\.\d+\.\d+|\d+(?:\.\d+)?\s*milli?on)/i -body __FRAUD_ULK /\baffidavits?\b/i -body __FRAUD_BGP /\battached to ticket number\b/i -body __FRAUD_FBI /\bdisburs/i -body __FRAUD_JBU /\bforeign account\b/i -body __FRAUD_YWW /\bfurnish you with\b/i -body __FRAUD_JYG /\bgive\s+you .{0,15}(?:fund|money|total|sum|contact|percent)\b/i -body __FRAUD_XVW /\bhonest cooperation\b/i -body __FRAUD_UUY /\blegitimate business(?:es)?\b/i -body __FRAUD_SNT /\blocate(?: .{1,20})? extended relative/i -body __FRAUD_LTX /\bmilli?on (?:.{1,25} thousand\s*)?(?:(?:united states|u\.?s\.?) dollars|(?i:U\.?S\.?D?))\b/i -body __FRAUD_JNB /\boperat(?:e|ing)\b[^.]{0,99}\b(?:for(?:ei|ie)gn|off-? ?shore|over-? ?seas?) (?:bank )?accounts?\b/i -body __FRAUD_QFY /\bover-? *(?:invoiced?|cost(?:s|ing)?)\b/i -body __FRAUD_WDR /\bprivate lawyer\b/i -body __FRAUD_WFC /\bsecur(?:e|ing) (?:the )?(?:funds?|monies)\b/i -body __FRAUD_AUM /\bthe desk of\b/i -body __FRAUD_MCQ /\btransaction\b.{1,30}\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee)/i -body __FRAUD_ETX /\byour\b[^.]{0,99}\b(?:contact (?:details|information)|private (?:e?[- ]?mail|telephone|tel|phone|fax))\b/i -body __FRAUD_PVN /as the beneficiary/i -body __FRAUD_FVU /award notification/i -body __FRAUD_CKF /computer ballot system/i -body __FRAUD_FCW /fiduciary agent/i -body __FRAUD_MQO /foreign (?:business partner|customer)/i -body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i -body __FRAUD_GBW /god gives .{1,10}second chance/i -body __FRAUD_NRG /i am contacting you/i -body __FRAUD_RLX /lott(?:o|ery) (?:co,?ordinator|international)/i -body __FRAUD_AXF /magnanimity/i -body __FRAUD_THJ /modalit(?:y|ies)/i -body __FRAUD_YQV /nigerian? (?:national|government)/i -body __FRAUD_YJA /over-invoice/i -body __FRAUD_YPO /the total sum/i -body __FRAUD_UOQ /vital documents/i - -# -# jhardin: temporarily disable to gauge and score ADVANCE_FEE_NEW rules in isolation -# -# meta ADVANCE_FEE_2 (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 2) -# meta ADVANCE_FEE_3 (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 3) -# meta ADVANCE_FEE_4 (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 4) -# -# describe ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419) -# describe ADVANCE_FEE_3 Appears to be advance fee fraud (Nigerian 419) -# describe ADVANCE_FEE_4 Appears to be advance fee fraud (Nigerian 419) diff --git a/resources/spamassassin/20_aux_tlds.cf b/resources/spamassassin/20_aux_tlds.cf deleted file mode 100644 index 77c22da4..00000000 --- a/resources/spamassassin/20_aux_tlds.cf +++ /dev/null @@ -1,746 +0,0 @@ -# SpamAssassin - Auxiliary TLD Definitions -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# This file replaces the SARE http://www.rulesemporium.com/rules/90_2tld.cf -# which will be deprecated as from 2010-05-01 - -# File updated 2014-09-17 to contain complete TLD lists, they are no longer -# hardcoded into SA codebase and Util/RegistrarBoundaries.pm is deprecated -# in favor of Mail::SpamAssassin::RegistryBoundaries. - - -# Let's clear the internal TLD list, we only want to read from this config -# file and ignore possible old hardcoded lists. -if can(Mail::SpamAssassin::Conf::feature_registryboundaries) -clear_util_rb -endif - - -# -# 1st level TLD list -# - -# Basic list can be obtained with the following command: -# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | tail -n+2 | perl -ne 'print lc' -# Current list may include more or less.. TODO easier maintenance? - -# util_rb_tld only accepts alpha (a-z) input before RegistryBoundaries was -# implemented in 3.4.1(?), put IDN TLDs with numeric, hyphen (0-9-) etc in -# this block -# -# For an up to date list of IDN TLDs that can be pasted into this block, run this command: -# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' -# Since version 4.0 the util_rb_tld also accepts Unicode IDN labels (encoded as UTF-8), e.g.: -# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | idn -u | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' - -if can(Mail::SpamAssassin::Conf::feature_registryboundaries) -# Updated 2022-10-18 -util_rb_tld xn--11b4c3d xn--1ck2e1b xn--1qqw23a xn--2scrj9c xn--30rr7y xn--3bst00m -util_rb_tld xn--3ds443g xn--3e0b707e xn--3hcrj9c xn--3pxu8k xn--42c2d9a xn--45br5cyl -util_rb_tld xn--45brj9c xn--45q11c xn--4dbrk0ce xn--4gbrim xn--54b7fta0cc xn--55qw42g -util_rb_tld xn--55qx5d xn--5su34j936bgsg xn--5tzm5g xn--6frz82g xn--6qq986b3xl xn--80adxhks -util_rb_tld xn--80ao21a xn--80aqecdr1a xn--80asehdb xn--80aswg xn--8y0a063a xn--90a3ac -util_rb_tld xn--90ae xn--90ais xn--9dbq2a xn--9et52u xn--9krt00a xn--b4w605ferd -util_rb_tld xn--bck1b9a5dre4c xn--c1avg xn--c2br7g xn--cck2b3b xn--cckwcxetd xn--cg4bki -util_rb_tld xn--clchc0ea0b2g2a9gcd xn--czr694b xn--czrs0t xn--czru2d xn--d1acj3b xn--d1alf -util_rb_tld xn--e1a4c xn--eckvdtc9d xn--efvy88h xn--fct429k xn--fhbei xn--fiq228c5hs -util_rb_tld xn--fiq64b xn--fiqs8s xn--fiqz9s xn--fjq720a xn--flw351e xn--fpcrj9c3d -util_rb_tld xn--fzc2c9e2c xn--fzys8d69uvgm xn--g2xx48c xn--gckr3f0f xn--gecrj9c xn--gk3at1e -util_rb_tld xn--h2breg3eve xn--h2brj9c xn--h2brj9c8c xn--hxt814e xn--i1b6b1a6a2e -util_rb_tld xn--imr513n xn--io0a7i xn--j1aef xn--j1amh xn--j6w193g xn--jlq480n2rg -util_rb_tld xn--jlq61u9w7b xn--jvr189m xn--kcrx77d1x4a xn--kprw13d xn--kpry57d xn--kput3i -util_rb_tld xn--l1acc xn--lgbbat1ad8j xn--mgb9awbf xn--mgba3a3ejt xn--mgba3a4f16a -util_rb_tld xn--mgba7c0bbn0a xn--mgbaakc7dvf xn--mgbaam7a8h xn--mgbab2bd xn--mgbah1a3hjkrd -util_rb_tld xn--mgbai9azgqp6j xn--mgbayh7gpa xn--mgbbh1a xn--mgbbh1a71e xn--mgbc0a9azcg -util_rb_tld xn--mgbca7dzdo xn--mgbcpq6gpa1a xn--mgberp4a5d4ar xn--mgbgu82a xn--mgbi4ecexp -util_rb_tld xn--mgbpl2fh xn--mgbt3dhd xn--mgbtx2b xn--mgbx4cd0ab xn--mix891f xn--mk1bu44c -util_rb_tld xn--mxtq1m xn--ngbc5azd xn--ngbe9e0a xn--ngbrx xn--node xn--nqv7f -util_rb_tld xn--nqv7fs00ema xn--nyqy26a xn--o3cw4h xn--ogbpf8fl xn--otu796d xn--p1acf -util_rb_tld xn--p1ai xn--pgbs0dh xn--pssy2u xn--q7ce6a xn--q9jyb4c xn--qcka1pmc xn--qxa6a -util_rb_tld xn--qxam xn--rhqv96g xn--rovu88b xn--rvc1e0am3e xn--s9brj9c xn--ses554g -util_rb_tld xn--t60b56a xn--tckwe xn--tiq49xqyj xn--unup4y xn--vermgensberater-ctb -util_rb_tld xn--vermgensberatung-pwb xn--vhquv xn--vuq861b xn--w4r85el8fhu5dnra xn--w4rs40l -util_rb_tld xn--wgbh1c xn--wgbl6a xn--xhq521b xn--xkc2al3hye2a xn--xkc2dl3a5ee0h xn--y9a3aq -util_rb_tld xn--yfro4i67o xn--ygbi2ammx xn--zfr164b -endif - -# Standard List -# For an up to date list of TLDs that can be pasted into this block, run this command: -# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | tail -n+2 | grep -vi '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' - -# Updated 2022-10-18 -util_rb_tld aaa aarp abarth abb abbott abbvie abc able abogado abudhabi ac academy -util_rb_tld accenture accountant accountants aco actor ad adac ads adult ae aeg aero aetna -util_rb_tld af afl africa ag agakhan agency ai aig airbus airforce airtel akdn al alfaromeo -util_rb_tld alibaba alipay allfinanz allstate ally alsace alstom am amazon americanexpress -util_rb_tld americanfamily amex amfam amica amsterdam analytics android anquan anz ao aol -util_rb_tld apartments app apple aq aquarelle ar arab aramco archi army arpa art arte as -util_rb_tld asda asia associates at athleta attorney au auction audi audible audio auspost -util_rb_tld author auto autos avianca aw aws ax axa az azure ba baby baidu banamex -util_rb_tld bananarepublic band bank bar barcelona barclaycard barclays barefoot bargains -util_rb_tld baseball basketball bauhaus bayern bb bbc bbt bbva bcg bcn bd be beats beauty -util_rb_tld beer bentley berlin best bestbuy bet bf bg bh bharti bi bible bid bike bing -util_rb_tld bingo bio biz bj black blackfriday blockbuster blog bloomberg blue bm bms bmw -util_rb_tld bn bnpparibas bo boats boehringer bofa bom bond boo book booking bosch bostik -util_rb_tld boston bot boutique box br bradesco bridgestone broadway broker brother -util_rb_tld brussels bs bt build builders business buy buzz bv bw by bz bzh ca cab cafe cal -util_rb_tld call calvinklein cam camera camp canon capetown capital capitalone car caravan -util_rb_tld cards care career careers cars casa case cash casino cat catering catholic cba -util_rb_tld cbn cbre cbs cc cd center ceo cern cf cfa cfd cg ch chanel channel charity -util_rb_tld chase chat cheap chintai christmas chrome church ci cipriani circle cisco -util_rb_tld citadel citi citic city cityeats ck cl claims cleaning click clinic clinique -util_rb_tld clothing cloud club clubmed cm cn co coach codes coffee college cologne com -util_rb_tld comcast commbank community company compare computer comsec condos construction -util_rb_tld consulting contact contractors cooking cookingchannel cool coop corsica country -util_rb_tld coupon coupons courses cpa cr credit creditcard creditunion cricket crown crs -util_rb_tld cruise cruises cu cuisinella cv cw cx cy cymru cyou cz dabur dad dance data -util_rb_tld date dating datsun day dclk dds de deal dealer deals degree delivery dell -util_rb_tld deloitte delta democrat dental dentist desi design dev dhl diamonds diet -util_rb_tld digital direct directory discount discover dish diy dj dk dm dnp do docs doctor -util_rb_tld dog domains dot download drive dtv dubai dunlop dupont durban dvag dvr dz earth -util_rb_tld eat ec eco edeka edu education ee eg email emerck energy engineer engineering -util_rb_tld enterprises epson equipment er ericsson erni es esq estate et etisalat eu -util_rb_tld eurovision eus events exchange expert exposed express extraspace fage fail -util_rb_tld fairwinds faith family fan fans farm farmers fashion fast fedex feedback -util_rb_tld ferrari ferrero fi fiat fidelity fido film final finance financial fire -util_rb_tld firestone firmdale fish fishing fit fitness fj fk flickr flights flir florist -util_rb_tld flowers fly fm fo foo food foodnetwork football ford forex forsale forum -util_rb_tld foundation fox fr free fresenius frl frogans frontdoor frontier ftr fujitsu fun -util_rb_tld fund furniture futbol fyi ga gal gallery gallo gallup game games gap garden gay -util_rb_tld gb gbiz gd gdn ge gea gent genting george gf gg ggee gh gi gift gifts gives -util_rb_tld giving gl glass gle global globo gm gmail gmbh gmo gmx gn godaddy gold -util_rb_tld goldpoint golf goo goodyear goog google gop got gov gp gq gr grainger graphics -util_rb_tld gratis green gripe grocery group gs gt gu guardian gucci guge guide guitars -util_rb_tld guru gw gy hair hamburg hangout haus hbo hdfc hdfcbank health healthcare help -util_rb_tld helsinki here hermes hgtv hiphop hisamitsu hitachi hiv hk hkt hm hn hockey -util_rb_tld holdings holiday homedepot homegoods homes homesense honda horse hospital host -util_rb_tld hosting hot hoteles hotels hotmail house how hr hsbc ht hu hughes hyatt hyundai -util_rb_tld ibm icbc ice icu id ie ieee ifm ikano il im imamat imdb immo immobilien in inc -util_rb_tld industries infiniti info ing ink institute insurance insure int international -util_rb_tld intuit investments io ipiranga iq ir irish is ismaili ist istanbul it itau itv -util_rb_tld jaguar java jcb je jeep jetzt jewelry jio jll jm jmp jnj jo jobs joburg jot joy -util_rb_tld jp jpmorgan jprs juegos juniper kaufen kddi ke kerryhotels kerrylogistics -util_rb_tld kerryproperties kfh kg kh ki kia kids kim kinder kindle kitchen kiwi km kn -util_rb_tld koeln komatsu kosher kp kpmg kpn kr krd kred kuokgroup kw ky kyoto kz la -util_rb_tld lacaixa lamborghini lamer lancaster lancia land landrover lanxess lasalle lat -util_rb_tld latino latrobe law lawyer lb lc lds lease leclerc lefrak legal lego lexus lgbt -util_rb_tld li lidl life lifeinsurance lifestyle lighting like lilly limited limo lincoln -util_rb_tld linde link lipsy live living lk llc llp loan loans locker locus loft lol london -util_rb_tld lotte lotto love lpl lplfinancial lr ls lt ltd ltda lu lundbeck luxe luxury lv -util_rb_tld ly ma macys madrid maif maison makeup man management mango map market marketing -util_rb_tld markets marriott marshalls maserati mattel mba mc mckinsey md me med media meet -util_rb_tld melbourne meme memorial men menu merckmsd mg mh miami microsoft mil mini mint -util_rb_tld mit mitsubishi mk ml mlb mls mm mma mn mo mobi mobile moda moe moi mom monash -util_rb_tld money monster mormon mortgage moscow moto motorcycles mov movie mp mq mr ms msd -util_rb_tld mt mtn mtr mu museum music mutual mv mw mx my mz na nab nagoya name natura navy -util_rb_tld nba nc ne nec net netbank netflix network neustar new news next nextdirect -util_rb_tld nexus nf nfl ng ngo nhk ni nico nike nikon ninja nissan nissay nl no nokia -util_rb_tld northwesternmutual norton now nowruz nowtv np nr nra nrw ntt nu nyc nz obi -util_rb_tld observer office okinawa olayan olayangroup oldnavy ollo om omega one ong onl -util_rb_tld online ooo open oracle orange org organic origins osaka otsuka ott ovh pa page -util_rb_tld panasonic paris pars partners parts party passagens pay pccw pe pet pf pfizer -util_rb_tld pg ph pharmacy phd philips phone photo photography photos physio pics pictet -util_rb_tld pictures pid pin ping pink pioneer pizza pk pl place play playstation plumbing -util_rb_tld plus pm pn pnc pohl poker politie porn post pr pramerica praxi press prime pro -util_rb_tld prod productions prof progressive promo properties property protection pru -util_rb_tld prudential ps pt pub pw pwc py qa qpon quebec quest racing radio re read -util_rb_tld realestate realtor realty recipes red redstone redumbrella rehab reise reisen -util_rb_tld reit reliance ren rent rentals repair report republican rest restaurant review -util_rb_tld reviews rexroth rich richardli ricoh ril rio rip ro rocher rocks rodeo rogers -util_rb_tld room rs rsvp ru rugby ruhr run rw rwe ryukyu sa saarland safe safety sakura -util_rb_tld sale salon samsclub samsung sandvik sandvikcoromant sanofi sap sarl sas save -util_rb_tld saxo sb sbi sbs sc sca scb schaeffler schmidt scholarships school schule -util_rb_tld schwarz science scot sd se search seat secure security seek select sener -util_rb_tld services ses seven sew sex sexy sfr sg sh shangrila sharp shaw shell shia -util_rb_tld shiksha shoes shop shopping shouji show showtime si silk sina singles site sj -util_rb_tld sk ski skin sky skype sl sling sm smart smile sn sncf so soccer social softbank -util_rb_tld software sohu solar solutions song sony soy spa space sport spot sr srl ss st -util_rb_tld stada staples star statebank statefarm stc stcgroup stockholm storage store -util_rb_tld stream studio study style su sucks supplies supply support surf surgery suzuki -util_rb_tld sv swatch swiss sx sy sydney systems sz tab taipei talk taobao target -util_rb_tld tatamotors tatar tattoo tax taxi tc tci td tdk team tech technology tel temasek -util_rb_tld tennis teva tf tg th thd theater theatre tiaa tickets tienda tiffany tips tires -util_rb_tld tirol tj tjmaxx tjx tk tkmaxx tl tm tmall tn to today tokyo tools top toray -util_rb_tld toshiba total tours town toyota toys tr trade trading training travel -util_rb_tld travelchannel travelers travelersinsurance trust trv tt tube tui tunes tushu tv -util_rb_tld tvs tw tz ua ubank ubs ug uk unicom university uno uol ups us uy uz va -util_rb_tld vacations vana vanguard vc ve vegas ventures verisign versicherung vet vg vi -util_rb_tld viajes video vig viking villas vin vip virgin visa vision viva vivo vlaanderen -util_rb_tld vn vodka volkswagen volvo vote voting voto voyage vu vuelos wales walmart -util_rb_tld walter wang wanggou watch watches weather weatherchannel webcam weber website -util_rb_tld wed wedding weibo weir wf whoswho wien wiki williamhill win windows wine -util_rb_tld winners wme wolterskluwer woodside work works world wow ws wtc wtf xbox xerox -util_rb_tld xfinity xihuan xin xxx xyz yachts yahoo yamaxun yandex ye yodobashi yoga -util_rb_tld yokohama you youtube yt yun za zappos zara zero zip zm zone zuerich zw - -# -# 2nd level TLD list -# - -# http://www.neustar.us/policies/docs/rfc_1480.txt -# data originally from http://spamcheck.freeapp.net/two-level-tlds -# The freeapp.net site now says that information on the site is obsolete -# See discussion and sources in comments of bug 5677 -# updated as per bug 5815 -# cleanup in progress per bug 6795 (axb) -# Unsorted sources: -# .ua : https://hostmaster.ua -# .hu : http://www.domain.hu/domain/English/szabalyzat/sld.html - -util_rb_2tld com.ac edu.ac gov.ac mil.ac net.ac org.ac -util_rb_2tld nom.ad -util_rb_2tld ac.ae co.ae com.ae gov.ae mil.ae name.ae net.ae org.ae pro.ae sch.ae -util_rb_2tld com.af edu.af gov.af net.af -util_rb_2tld co.ag com.ag net.ag nom.ag org.ag -util_rb_2tld com.ai edu.ai gov.ai net.ai off.ai org.ai -util_rb_2tld com.al edu.al gov.al net.al org.al -util_rb_2tld com.an edu.an net.an org.an -util_rb_2tld co.ao ed.ao gv.ao it.ao og.ao pb.ao -util_rb_2tld com.ar edu.ar gov.ar int.ar mil.ar net.ar org.ar -util_rb_2tld e164.arpa in-addr.arpa ip6.arpa iris.arpa uri.arpa urn.arpa -util_rb_2tld ac.at co.at gv.at or.at priv.at -util_rb_2tld act.au asn.au com.au conf.au csiro.au edu.au gov.au id.au info.au net.au nsw.au nt.au org.au otc.au oz.au qld.au sa.au tas.au telememo.au vic.au wa.au -util_rb_2tld com.aw -util_rb_2tld biz.az com.az edu.az gov.az info.az int.az mil.az name.az net.az org.az pp.az -util_rb_2tld co.ba com.ba edu.ba gov.ba mil.ba net.ba org.ba rs.ba unbi.ba unsa.ba -util_rb_2tld com.bb edu.bb gov.bb net.bb org.bb -util_rb_2tld ac.bd com.bd edu.bd gov.bd mil.bd net.bd org.bd -util_rb_2tld ac.be belgie.be dns.be fgov.be -util_rb_2tld gov.bf -util_rb_2tld biz.bh cc.bh com.bh edu.bh gov.bh info.bh net.bh org.bh -util_rb_2tld com.bm edu.bm gov.bm net.bm org.bm -util_rb_2tld com.bn edu.bn net.bn org.bn -util_rb_2tld com.bo edu.bo gob.bo gov.bo int.bo mil.bo net.bo org.bo tv.bo -util_rb_2tld adm.br adv.br agr.br am.br arq.br art.br ato.br bio.br bmd.br cim.br cng.br cnt.br com.br coop.br dpn.br eco.br ecn.br edu.br eng.br esp.br etc.br eti.br far.br fm.br fnd.br fot.br fst.br g12.br ggf.br gov.br imb.br ind.br inf.br jor.br lel.br mat.br med.br mil.br mus.br net.br nom.br not.br ntr.br odo.br org.br ppg.br pro.br psc.br psi.br qsl.br rec.br slg.br srv.br tmp.br trd.br tur.br tv.br vet.br zlg.br -util_rb_2tld com.bs net.bs org.bs -util_rb_2tld com.bt edu.bt gov.bt net.bt org.bt -util_rb_2tld co.bw org.bw -util_rb_2tld gov.by mil.by -util_rb_2tld com.bz net.bz org.bz -util_rb_2tld ab.ca bc.ca gc.ca mb.ca nb.ca nf.ca nl.ca ns.ca nt.ca nu.ca on.ca pe.ca qc.ca sk.ca yk.ca -util_rb_2tld co.ck edu.ck gov.ck net.ck org.ck -util_rb_2tld ac.cn ah.cn bj.cn com.cn cq.cn edu.cn fj.cn gd.cn gov.cn gs.cn gx.cn gz.cn ha.cn hb.cn he.cn hi.cn hk.cn hl.cn hn.cn jl.cn js.cn jx.cn ln.cn mo.cn net.cn nm.cn nx.cn org.cn qh.cn sc.cn sd.cn sh.cn sn.cn sx.cn tj.cn tw.cn xj.cn xz.cn yn.cn zj.cn -util_rb_2tld arts.co com.co edu.co firm.co gov.co info.co int.co mil.co net.co nom.co org.co rec.co web.co -util_rb_2tld co.cm com.cm net.cm -util_rb_2tld au.com br.com cn.com de.com eu.com gb.com hu.com no.com qc.com ru.com sa.com se.com uk.com us.com uy.com za.com -util_rb_2tld ac.cr co.cr ed.cr fi.cr go.cr or.cr sa.cr -util_rb_2tld com.cu edu.cu gov.cu inf.cu net.cu org.cu -util_rb_2tld gov.cx -util_rb_2tld ac.cy biz.cy com.cy ekloges.cy gov.cy ltd.cy name.cy net.cy org.cy parliament.cy press.cy pro.cy tm.cy -util_rb_2tld co.dk -util_rb_2tld com.dm edu.dm gov.dm net.dm org.dm -util_rb_2tld art.do com.do edu.do gob.do gov.do mil.do net.do org.do sld.do web.do -util_rb_2tld art.dz asso.dz com.dz edu.dz gov.dz net.dz org.dz pol.dz -util_rb_2tld com.ec edu.ec fin.ec gov.ec info.ec k12.ec med.ec mil.ec net.ec org.ec pro.ec gob.ec -util_rb_2tld co.ee com.ee edu.ee fie.ee med.ee org.ee pri.ee -util_rb_2tld com.eg edu.eg eun.eg gov.eg mil.eg net.eg org.eg sci.eg -util_rb_2tld com.er edu.er gov.er ind.er mil.er net.er org.er -util_rb_2tld com.es edu.es gob.es nom.es org.es -util_rb_2tld biz.et com.et edu.et gov.et info.et name.et net.et org.et -util_rb_2tld aland.fi -util_rb_2tld ac.fj biz.fj com.fj gov.fj id.fj info.fj mil.fj name.fj net.fj org.fj pro.fj school.fj -util_rb_2tld ac.fk co.fk com.fk gov.fk net.fk nom.fk org.fk -util_rb_2tld tm.fr asso.fr nom.fr prd.fr presse.fr com.fr gouv.fr -util_rb_2tld com.ge edu.ge gov.ge mil.ge net.ge org.ge pvt.ge -util_rb_2tld ac.gg alderney.gg co.gg gov.gg guernsey.gg ind.gg ltd.gg net.gg org.gg sark.gg sch.gg -util_rb_2tld com.gh edu.gh gov.gh mil.gh org.gh -util_rb_2tld com.gi edu.gi gov.gi ltd.gi mod.gi org.gi -util_rb_2tld ac.gn com.gn gov.gn net.gn org.gn -util_rb_2tld asso.gp com.gp edu.gp net.gp org.gp -util_rb_2tld com.gr edu.gr gov.gr net.gr org.gr -util_rb_2tld com.gt edu.gt gob.gt ind.gt mil.gt net.gt org.gt -util_rb_2tld com.gu edu.gu gov.gu mil.gu net.gu org.gu -util_rb_2tld com.hk edu.hk gov.hk idv.hk net.hk org.hk -util_rb_2tld com.hn edu.hn gob.hn mil.hn net.hn org.hn -util_rb_2tld com.hr from.hr iz.hr name.hr -util_rb_2tld adult.ht art.ht asso.ht com.ht coop.ht edu.ht firm.ht gouv.ht info.ht med.ht net.ht org.ht perso.ht pol.ht pro.ht rel.ht shop.ht -util_rb_2tld 2000.hu agrar.hu bolt.hu casino.hu city.hu co.hu erotica.hu erotika.hu film.hu forum.hu games.hu hotel.hu info.hu ingatlan.hu jogasz.hu konyvelo.hu lakas.hu media.hu news.hu org.hu priv.hu reklam.hu sex.hu shop.hu sport.hu suli.hu szex.hu tm.hu tozsde.hu utazas.hu video.hu -util_rb_2tld ac.id co.id go.id mil.id net.id or.id sch.id web.id -util_rb_2tld gov.ie -util_rb_2tld ac.il co.il gov.il idf.il k12.il muni.il net.il org.il -util_rb_2tld ac.im co.im com.im gov.im net.im nic.im org.im -util_rb_2tld ac.in co.in edu.in ernet.in firm.in gen.in gov.in ind.in mil.in net.in nic.in org.in res.in -util_rb_2tld com.io gov.io mil.io net.io org.io -util_rb_2tld gov.iq -util_rb_2tld ac.ir co.ir gov.ir id.ir net.ir org.ir sch.ir -util_rb_2tld edu.it gov.it -util_rb_2tld ac.je co.je gov.je ind.je jersey.je ltd.je net.je org.je sch.je -util_rb_2tld com.jm edu.jm gov.jm net.jm org.jm -util_rb_2tld com.jo edu.jo gov.jo mil.jo net.jo org.jo -util_rb_2tld ac.jp ad.jp aichi.jp akita.jp aomori.jp chiba.jp co.jp ed.jp ehime.jp fukui.jp fukuoka.jp fukushima.jp gifu.jp go.jp gov.jp gr.jp gunma.jp hiroshima.jp hokkaido.jp hyogo.jp ibaraki.jp ishikawa.jp iwate.jp kagawa.jp kagoshima.jp kanagawa.jp kanazawa.jp kawasaki.jp kitakyushu.jp kobe.jp kochi.jp kumamoto.jp kyoto.jp lg.jp matsuyama.jp mie.jp miyagi.jp miyazaki.jp nagano.jp nagasaki.jp nagoya.jp nara.jp ne.jp net.jp niigata.jp oita.jp okayama.jp okinawa.jp or.jp org.jp osaka.jp saga.jp saitama.jp sapporo.jp sendai.jp shiga.jp shimane.jp shizuoka.jp takamatsu.jp tochigi.jp tokushima.jp tokyo.jp tottori.jp toyama.jp utsunomiya.jp wakayama.jp yamagata.jp yamaguchi.jp yamanashi.jp yokohama.jp -util_rb_2tld ac.ke co.ke go.ke ne.ke new.ke or.ke sc.ke -util_rb_2tld com.kg edu.kg gov.kg mil.kg net.kg org.kg -util_rb_2tld com.kh edu.kh gov.kh mil.kh net.kh org.kh per.kh -util_rb_2tld ac.kr busan.kr chungbuk.kr chungnam.kr co.kr daegu.kr daejeon.kr es.kr gangwon.kr go.kr gwangju.kr gyeongbuk.kr gyeonggi.kr gyeongnam.kr hs.kr incheon.kr jeju.kr jeonbuk.kr jeonnam.kr kg.kr kyonggi.kr mil.kr ms.kr ne.kr or.kr pe.kr re.kr sc.kr seoul.kr ulsan.kr -util_rb_2tld com.kw edu.kw gov.kw mil.kw net.kw org.kw -util_rb_2tld com.ky edu.ky gov.ky net.ky org.ky -util_rb_2tld com.kz edu.kz gov.kz mil.kz net.kz org.kz -util_rb_2tld com.la net.la org.la -util_rb_2tld com.lb edu.lb gov.lb mil.lb net.lb org.lb -util_rb_2tld com.lc edu.lc gov.lc net.lc org.lc -util_rb_2tld assn.lk com.lk edu.lk gov.lk grp.lk hotel.lk int.lk ltd.lk net.lk ngo.lk org.lk sch.lk soc.lk web.lk -util_rb_2tld com.lr edu.lr gov.lr net.lr org.lr -util_rb_2tld co.ls org.ls -util_rb_2tld gov.lt mil.lt -util_rb_2tld asn.lv com.lv conf.lv edu.lv gov.lv id.lv mil.lv net.lv org.lv -util_rb_2tld biz.ly com.ly edu.ly gov.ly id.ly med.ly net.ly org.ly plc.ly sch.ly -util_rb_2tld ac.ma co.ma gov.ma net.ma org.ma press.ma -util_rb_2tld asso.mc tm.mc -util_rb_2tld ac.me co.me edu.me gov.me its.me net.me org.me priv.me -util_rb_2tld com.mg edu.mg gov.mg mil.mg nom.mg org.mg prd.mg tm.mg -util_rb_2tld army.mil navy.mil -util_rb_2tld com.mk org.mk -util_rb_2tld com.mm edu.mm gov.mm net.mm org.mm -util_rb_2tld edu.mn gov.mn org.mn -util_rb_2tld com.mo edu.mo gov.mo net.mo org.mo -util_rb_2tld music.mobi weather.mobi -util_rb_2tld co.mp edu.mp gov.mp net.mp org.mp -util_rb_2tld com.mt edu.mt gov.mt net.mt org.mt tm.mt uu.mt -util_rb_2tld co.mu com.mu -util_rb_2tld aero.mv biz.mv com.mv coop.mv edu.mv gov.mv info.mv int.mv mil.mv museum.mv name.mv net.mv org.mv pro.mv -util_rb_2tld ac.mw co.mw com.mw coop.mw edu.mw gov.mw int.mw museum.mw net.mw org.mw -util_rb_2tld com.mx edu.mx gob.mx net.mx org.mx -util_rb_2tld com.my edu.my gov.my mil.my name.my net.my org.my -util_rb_2tld co.mz net.mz org.mz ac.mz gov.mz edu.mz -util_rb_2tld alt.na com.na cul.na edu.na net.na org.na telecom.na unam.na -util_rb_2tld com.nc net.nc org.nc -util_rb_2tld de.net gb.net uk.net -util_rb_2tld ac.ng com.ng edu.ng gov.ng net.ng org.ng sch.ng -util_rb_2tld ac.ni biz.ni com.ni edu.ni gob.ni in.ni info.ni int.ni mil.ni net.ni nom.ni org.ni web.ni -util_rb_2tld fhs.no folkebibl.no fylkesbibl.no herad.no idrett.no kommune.no mil.no museum.no priv.no stat.no tel.no vgs.no -util_rb_2tld com.np edu.np gov.np mil.np net.np org.np -util_rb_2tld biz.nr co.nr com.nr edu.nr fax.nr gov.nr info.nr mob.nr mobil.nr mobile.nr net.nr org.nr tel.nr tlf.nr -util_rb_2tld ac.nz co.nz cri.nz geek.nz gen.nz govt.nz iwi.nz kiwi.nz maori.nz mil.nz net.nz org.nz parliament.nz school.nz -util_rb_2tld ac.om biz.om co.om com.om edu.om gov.om med.om mil.om mod.om museum.om net.om org.om pro.om sch.om -util_rb_2tld dk.org eu.org -util_rb_2tld abo.pa ac.pa com.pa edu.pa gob.pa ing.pa med.pa net.pa nom.pa org.pa sld.pa -util_rb_2tld com.pe edu.pe gob.pe mil.pe net.pe nom.pe org.pe -util_rb_2tld com.pf edu.pf org.pf -util_rb_2tld ac.pg com.pg net.pg -util_rb_2tld com.ph edu.ph gov.ph mil.ph net.ph ngo.ph org.ph -util_rb_2tld biz.pk com.pk edu.pk fam.pk gob.pk gok.pk gon.pk gop.pk gos.pk gov.pk net.pk org.pk web.pk -util_rb_2tld art.pl biz.pl com.pl edu.pl gov.pl info.pl mil.pl net.pl ngo.pl org.pl -util_rb_2tld biz.pr com.pr edu.pr gov.pr info.pr isla.pr name.pr net.pr org.pr pro.pr -util_rb_2tld cpa.pro law.pro med.pro -util_rb_2tld com.ps edu.ps gov.ps net.ps org.ps plo.ps sec.ps -util_rb_2tld com.pt edu.pt gov.pt int.pt net.pt nome.pt org.pt publ.pt -util_rb_2tld com.py edu.py gov.py net.py org.py -util_rb_2tld com.qa edu.qa gov.qa net.qa org.qa -util_rb_2tld asso.re com.re nom.re -util_rb_2tld arts.ro com.ro firm.ro info.ro nom.ro nt.ro org.ro rec.ro store.ro tm.ro www.ro -util_rb_2tld ac.rs co.rs edu.rs gov.rs in.rs org.rs -util_rb_2tld ac.ru com.ru edu.ru gov.ru int.ru mil.ru net.ru org.ru pp.ru -util_rb_2tld ac.rw co.rw com.rw edu.rw gouv.rw gov.rw int.rw mil.rw net.rw -util_rb_2tld com.sa edu.sa gov.sa med.sa net.sa org.sa pub.sa sch.sa -util_rb_2tld com.sb edu.sb gov.sb net.sb org.sb -util_rb_2tld com.sc edu.sc gov.sc net.sc org.sc -util_rb_2tld com.sd edu.sd gov.sd info.sd med.sd net.sd org.sd sch.sd tv.sd -util_rb_2tld ab.se ac.se bd.se brand.se c.se d.se e.se f.se fh.se fhsk.se fhv.se g.se h.se i.se k.se komforb.se kommunalforbund.se komvux.se lanarb.se lanbib.se m.se mil.se n.se naturbruksgymn.se o.se org.se parti.se pp.se press.se s.se sshn.se t.se tm.se u.se w.se x.se y.se z.se -util_rb_2tld com.sg edu.sg gov.sg idn.sg net.sg org.sg per.sg -util_rb_2tld com.sh edu.sh gov.sh mil.sh net.sh org.sh -util_rb_2tld edu.sk gov.sk mil.sk -util_rb_2tld co.st com.st consulado.st edu.st embaixada.st gov.st mil.st net.st org.st principe.st saotome.st store.st -util_rb_2tld com.sv edu.sv gob.sv org.sv red.sv -util_rb_2tld com.sy gov.sy net.sy org.sy -util_rb_2tld at.tf bg.tf ca.tf ch.tf cz.tf de.tf edu.tf eu.tf int.tf net.tf pl.tf ru.tf sg.tf us.tf -util_rb_2tld ac.th co.th go.th in.th mi.th net.th or.th -util_rb_2tld ac.tj biz.tj co.tj com.tj edu.tj go.tj gov.tj int.tj mil.tj name.tj net.tj org.tj web.tj -util_rb_2tld com.tn edunet.tn ens.tn fin.tn gov.tn ind.tn info.tn intl.tn nat.tn net.tn org.tn rnrt.tn rns.tn rnu.tn tourism.tn -util_rb_2tld gov.to -util_rb_2tld gov.tp -util_rb_2tld av.tr bbs.tr bel.tr biz.tr com.tr dr.tr edu.tr gen.tr gov.tr info.tr k12.tr mil.tr name.tr net.tr org.tr pol.tr tel.tr web.tr -util_rb_2tld aero.tt at.tt au.tt be.tt biz.tt ca.tt co.tt com.tt coop.tt de.tt dk.tt edu.tt es.tt eu.tt fr.tt gov.tt info.tt int.tt it.tt jobs.tt mobi.tt museum.tt name.tt net.tt nic.tt org.tt pro.tt se.tt travel.tt uk.tt us.tt -util_rb_2tld co.tv gov.tv -util_rb_2tld club.tw com.tw ebiz.tw edu.tw game.tw gov.tw idv.tw mil.tw net.tw org.tw -util_rb_2tld ac.tz co.tz go.tz ne.tz or.tz -util_rb_2tld cherkassy.ua chernigov.ua chernovtsy.ua ck.ua cn.ua co.ua com.ua crimea.ua cv.ua dn.ua dnepropetrovsk.ua donetsk.ua dp.ua edu.ua gov.ua if.ua in.ua ivano-frankivsk.ua kh.ua kharkov.ua kherson.ua khmelnitskiy.ua kiev.ua kirovograd.ua km.ua kr.ua ks.ua kv.ua lg.ua lugansk.ua lutsk.ua lviv.ua mk.ua net.ua nikolaev.ua od.ua odessa.ua org.ua pl.ua poltava.ua rovno.ua rv.ua sebastopol.ua sumy.ua te.ua ternopil.ua uzhgorod.ua vinnica.ua vn.ua zaporizhzhe.ua zhitomir.ua zp.ua zt.ua -util_rb_2tld ac.ug co.ug go.ug ne.ug or.ug sc.ug -util_rb_2tld ac.uk bl.uk british-library.uk co.uk edu.uk gov.uk icnet.uk jet.uk ltd.uk me.uk mod.uk national-library-scotland.uk net.uk nhs.uk nic.uk nls.uk org.uk parliament.uk plc.uk police.uk sch.uk -util_rb_2tld ak.us al.us ar.us az.us ca.us co.us ct.us dc.us de.us dni.us fed.us fl.us ga.us hi.us ia.us id.us il.us in.us isa.us kids.us ks.us ky.us la.us ma.us md.us me.us mi.us mn.us mo.us ms.us mt.us nc.us nd.us ne.us nh.us nj.us nm.us nsn.us nv.us ny.us oh.us ok.us or.us pa.us ri.us sc.us sd.us tn.us tx.us ut.us va.us vt.us wa.us wi.us wv.us wy.us -util_rb_2tld com.uy edu.uy gub.uy mil.uy net.uy org.uy -util_rb_2tld vatican.va -util_rb_2tld arts.ve bib.ve co.ve com.ve edu.ve firm.ve gov.ve info.ve int.ve mil.ve net.ve nom.ve org.ve rec.ve store.ve tec.ve web.ve -util_rb_2tld co.vi com.vi edu.vi gov.vi net.vi org.vi -util_rb_2tld ac.vn biz.vn com.vn edu.vn gov.vn health.vn info.vn int.vn name.vn net.vn org.vn pro.vn -util_rb_2tld ch.vu com.vu de.vu edu.vu fr.vu net.vu org.vu -util_rb_2tld com.ws edu.ws gov.ws net.ws org.ws -util_rb_2tld com.ye edu.ye gov.ye mil.ye net.ye org.ye -util_rb_2tld ac.za alt.za bourse.za city.za co.za edu.za gov.za law.za mil.za net.za ngo.za nom.za org.za school.za tm.za web.za -util_rb_2tld ac.zm co.zm com.zm edu.zm gov.zm org.zm sch.zm -util_rb_2tld ac.zw co.zw gov.zw org.zw -# -util_rb_2tld 110mb.com -util_rb_2tld 9k.com -util_rb_2tld addr.com -util_rb_2tld altervista.org -util_rb_2tld biz.tm -util_rb_2tld blogger.ca -util_rb_2tld blogger.cf -util_rb_2tld blogger.ch -util_rb_2tld blogspot.com -util_rb_2tld blogger.cv -util_rb_2tld blogger.jp -util_rb_2tld blogger.pl -util_rb_2tld blogger.re -util_rb_2tld blogger.se -util_rb_2tld blogspot.ca -util_rb_2tld blogspot.cv -util_rb_2tld blogspot.de -util_rb_2tld blogspot.fr -util_rb_2tld blogspot.in -util_rb_2tld blogspot.it -util_rb_2tld blogspot.jp -util_rb_2tld blogspot.mx -util_rb_2tld blogspot.pt -util_rb_2tld blogspot.re -util_rb_2tld blogspot.se -util_rb_2tld bravehost.com -util_rb_2tld bravejournal.com -util_rb_2tld by.ru -util_rb_2tld chat.ru -util_rb_2tld cjb.net -util_rb_2tld es.tl -util_rb_2tld extra.hu -util_rb_2tld freehostia.com -util_rb_2tld front.ru -util_rb_2tld geocities.com -util_rb_2tld getmyip.com -util_rb_2tld googlepages.com -util_rb_2tld helloweb.eu -util_rb_2tld host.sk -util_rb_2tld hotbox.ru -util_rb_2tld hotmail.ru -util_rb_2tld hu2.ru -util_rb_2tld hut2.ru -util_rb_2tld iblogger.org -util_rb_2tld ic.cz -util_rb_2tld id.ru -util_rb_2tld kwik.to -util_rb_2tld land.ru -util_rb_2tld mine.nu -util_rb_2tld mooo.com -util_rb_2tld narod.ru -util_rb_2tld netsolhost.com -util_rb_2tld na.by -util_rb_2tld newmail.ru -util_rb_2tld nextmail.ru -util_rb_2tld nightmail.ru -util_rb_2tld nm.ru -util_rb_2tld notlong.com -util_rb_2tld page.tl page.link -util_rb_2tld pochta.ru -util_rb_2tld pochtamt.ru -util_rb_2tld pop3.ru -util_rb_2tld proboards.com -util_rb_2tld rbcmail.ru -util_rb_2tld rm.ru -util_rb_2tld smtp.ru -util_rb_2tld sol.ru -util_rb_2tld t35.com -util_rb_2tld tripod.com -util_rb_2tld uk.to -util_rb_2tld unblog.fr -util_rb_2tld us.to -util_rb_2tld web-soft.ru -util_rb_2tld wz.cz -util_rb_2tld zmail.ru -util_rb_2tld t35.net -util_rb_2tld t35.com -util_rb_2tld wordpress.com -util_rb_2tld jino-net.ru -util_rb_2tld 6a.org -util_rb_2tld xf.cz -util_rb_2tld fr.tc -util_rb_2tld googlegroups.com -util_rb_2tld 150m.com -util_rb_2tld bravepages.com -util_rb_2tld ucoz.ru -util_rb_2tld ucoz.com -util_rb_2tld ucoz.net -util_rb_2tld szm.com -util_rb_2tld geocities.jp -util_rb_2tld gmxhome.de -util_rb_2tld freeservercity.com -util_rb_2tld iquebec.com -util_rb_2tld mail2k.ru -util_rb_2tld mail.ru -util_rb_2tld ath.cx -util_rb_2tld go.ro -util_rb_2tld z8.ru -util_rb_2tld appspot.com -util_rb_2tld gigazu.net -util_rb_2tld weebly.com -util_rb_2tld ifrance.com -util_rb_2tld jimdo.com -util_rb_2tld kimsufi.com -util_rb_2tld mail333.su -util_rb_2tld pisem.su -util_rb_2tld mail15.su -util_rb_2tld prserv.net -util_rb_2tld angelfire.com -util_rb_2tld 163.to -util_rb_2tld home.pl -util_rb_2tld redirectme.net -util_rb_2tld interia.pl -util_rb_2tld co.kg -util_rb_2tld ning.com -util_rb_2tld xorg.pl -util_rb_2tld free.fr -util_rb_2tld we.bs -util_rb_2tld net.tc -util_rb_2tld isuisse.com -util_rb_2tld de.ki -util_rb_2tld funpic.de -util_rb_2tld interii.pl -util_rb_2tld selfip.com -#util_rb_2tld livejournal.com - Removed per bug 6662 4/7/15 - KAM -util_rb_2tld t3.to -util_rb_2tld fx.to -util_rb_2tld iespana.es -util_rb_2tld go.com -util_rb_2tld hostevo.com -util_rb_2tld iwebsource.com -util_rb_2tld one.pl -util_rb_2tld gratishost.com -util_rb_2tld netfirms.com -util_rb_2tld ibelgique.com -util_rb_2tld to.it -util_rb_2tld whsites.net -util_rb_2tld home.ro -util_rb_2tld 1blu.de -util_rb_2tld co.cc -util_rb_2tld cc.cc -util_rb_2tld webs.com -util_rb_2tld webcindario.com -util_rb_2tld idoo.com -util_rb_2tld selfip.net -util_rb_2tld ovh.net -util_rb_2tld sapo.pt -util_rb_2tld homeip.net -util_rb_2tld unlugar.com -util_rb_2tld nov.ru -util_rb_2tld republika.pl -util_rb_2tld blog.com -util_rb_2tld sosblog.com -util_rb_2tld servebbs.com -util_rb_2tld serveftp.com -util_rb_2tld gob.ve -util_rb_2tld xanga.com -util_rb_2tld com.vc -util_rb_2tld net.vc -util_rb_2tld org.vc -util_rb_2tld kickme.to -util_rb_2tld asso.ws -util_rb_2tld url.st -util_rb_2tld at.pn -util_rb_2tld au.pn -util_rb_2tld ca.pn -util_rb_2tld ch.pn -util_rb_2tld cn.pn -util_rb_2tld co.pn -util_rb_2tld corp.st -util_rb_2tld societe.st -util_rb_2tld de.pn -util_rb_2tld es.pn -util_rb_2tld eu.pn -util_rb_2tld euro.tm -util_rb_2tld fr.pn -util_rb_2tld gov.pn -util_rb_2tld government.pn -util_rb_2tld it.pn -util_rb_2tld jp.pn -util_rb_2tld perso.tc -util_rb_2tld site.tc -util_rb_2tld societe.st -util_rb_2tld url.st -util_rb_2tld blog.ru -util_rb_2tld eu.tc -util_rb_2tld us.tc -util_rb_2tld pro.tc -util_rb_2tld de.tc -util_rb_2tld at.tc -util_rb_2tld it.tc -util_rb_2tld es.tc -util_rb_2tld ru.tc -util_rb_2tld se.tc -util_rb_2tld dk.tc -util_rb_2tld be.tc -util_rb_2tld no.tc -util_rb_2tld int.tc -util_rb_2tld pl.tc -util_rb_2tld bg.tc -util_rb_2tld cz.tc -util_rb_2tld mx.tc -util_rb_2tld br.tc -util_rb_2tld hk.tc -util_rb_2tld kr.tc -util_rb_2tld th.tc -util_rb_2tld ph.tc -util_rb_2tld at.lv -util_rb_2tld de.lv -util_rb_2tld ch.lv -util_rb_2tld org.rw -util_rb_2tld myvnc.com -util_rb_2tld blog4ever.com -util_rb_2tld sytes.net -util_rb_2tld multiply.com -util_rb_2tld 80.hk -util_rb_2tld shutterfly.com -util_rb_2tld chez.com -util_rb_2tld ce.ms -util_rb_2tld zapto.org -util_rb_2tld cz.cc -util_rb_2tld fromru.su -util_rb_2tld krovatka.su -util_rb_2tld pochta.com -util_rb_2tld 5ballov.ru -util_rb_2tld usa.cc -util_rb_2tld jpn.com -util_rb_2tld yolasite.com -util_rb_2tld in.net -util_rb_2tld com.de -util_rb_2tld biz.ua -util_rb_2tld azurewebsites.net -util_rb_2tld azureedge.net -util_rb_2tld zohosites.com -util_rb_2tld wixsite.com -util_rb_2tld firebaseapp.com -util_rb_2tld web.app -# -util_rb_2tld neostrada.pl -util_rb_2tld vv.cc -util_rb_2tld co.be -util_rb_2tld uni.cc -util_rb_2tld shop.co -util_rb_2tld tumblr.com -util_rb_2tld fileave.com -util_rb_2tld de.tl -util_rb_2tld co.com -# Dyndns.com -util_rb_2tld dyndns-at-home.com -util_rb_2tld dyndns-at-work.com -util_rb_2tld dyndns-blog.com -util_rb_2tld dyndns-free.com -util_rb_2tld dyndns-home.com -util_rb_2tld dyndns-ip.com -util_rb_2tld dyndns-mail.com -util_rb_2tld dyndns-office.com -util_rb_2tld dyndns-pics.com -util_rb_2tld dyndns-remote.com -util_rb_2tld dyndns-server.com -util_rb_2tld dyndns-web.com -util_rb_2tld dyndns-wiki.com -util_rb_2tld dyndns-work.com -util_rb_2tld dyndns.biz -util_rb_2tld dyndns.info -util_rb_2tld dyndns.org -util_rb_2tld dyndns.tv -util_rb_2tld dyndns.dk -util_rb_2tld dyndns.ws -util_rb_2tld mydyndns.org -util_rb_2tld qip.ru -# -util_rb_2tld no-ip.biz -util_rb_2tld no-ip.ca -util_rb_2tld no-ip.com -util_rb_2tld no-ip.info -util_rb_2tld no-ip.net -util_rb_2tld no-ip.org -# -util_rb_2tld gotdns.ch -util_rb_2tld ddnsking.com -util_rb_2tld ddns.net -util_rb_2tld bounceme.net -util_rb_2tld hopto.org -util_rb_2tld serveblog.net -util_rb_2tld myftp.org -util_rb_2tld myftp.biz - - -# -# 3rd level TLD list (SA 3.3+) -# -# There was a bug before 3.4.1(?), only one 3TLD per line works! -# - -if (version >= 3.003000) - -util_rb_3tld demon.co.uk -util_rb_3tld esc.edu.ar -util_rb_3tld lkd.co.im -util_rb_3tld plc.co.im -util_rb_3tld ltd.co.im -# -util_rb_3tld bay.livefilestore.com -util_rb_3tld blu.livefilestore.com -util_rb_3tld groups.live.com -util_rb_3tld spaces.live.com -util_rb_3tld profile.live.com -util_rb_3tld web.aplus.net -util_rb_3tld cloud.prohosting.com -util_rb_3tld skydrive.live.com -util_rb_3tld docs.google.com -util_rb_3tld spaces.msn.com -util_rb_3tld blog.friendster.com -util_rb_3tld plc.co.im -util_rb_3tld ltd.co.im -util_rb_3tld sakura.ne.jp -util_rb_3tld web.officelive.com -util_rb_3tld com.sapo.pt -util_rb_3tld paginas.sapo.pt -util_rb_3tld no.sapo.pt -util_rb_3tld home.sapo.pt -util_rb_3tld do.sapo.pt -util_rb_3tld homepage.t-online.de -util_rb_3tld privat.t-online.de -util_rb_3tld web.fc2.com -util_rb_3tld co.uk.pn -util_rb_3tld com.au.pn -util_rb_3tld co.at.pn -util_rb_3tld co.at.lv -util_rb_3tld or.at.lv -util_rb_3tld co.at.tc -util_rb_3tld qld.edu.au -util_rb_3tld perso.neuf.fr -util_rb_3tld perso.sfr.fr -util_rb_3tld hop.clickbank.net -util_rb_3tld user.icpnet.pl -util_rb_3tld en.alibaba.com -# -util_rb_3tld blogspot.co.nz -util_rb_3tld blogspot.co.uk -util_rb_3tld blogspot.com.ar -util_rb_3tld blogspot.com.au -util_rb_3tld blogspot.com.br -util_rb_3tld blogspot.com.es -# -util_rb_3tld no-ip.co.uk -# -util_rb_3tld mobile.web.tr -util_rb_3tld ct.sendgrid.net - -endif - - diff --git a/resources/spamassassin/20_body_tests.cf b/resources/spamassassin/20_body_tests.cf deleted file mode 100644 index 55223a53..00000000 --- a/resources/spamassassin/20_body_tests.cf +++ /dev/null @@ -1,169 +0,0 @@ -# SpamAssassin rules file: body tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# Note: body tests are run with long lines, so be sure to limit the -# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge -# search times. -# -# Note: If you are adding a rule which looks for a phrase in the body -# (as most of them do), please add it to rules/20_phrases.cf instead. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -########################################################################### -# GTUBE test - the generic test for UBE. -body GTUBE /XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X/ -describe GTUBE Generic Test for Unsolicited Bulk Email -tflags GTUBE userconf noautolearn - -########################################################################### - -# this seems to be the new fashion (as of Jul 5 2002). base64-encoded -# parts need to be stripped before this match -body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is -describe TRACKER_ID Incorporates a tracking ID number - -body WEIRD_QUOTING /[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}/ -describe WEIRD_QUOTING Weird repeated double-quotation marks - -########################################################################### -# multipart/alternative has very good accuracy, other multipart types are -# similar to MIME_HTML_ONLY so they don't need a separate rule -header __CTYPE_MULTIPART_ALT Content-Type =~ /multipart\/alternative/i -meta MIME_HTML_ONLY_MULTI (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY) -describe MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts - -# note: __HIGHBITS is used in rules/20_html_tests.cf, HTML_CHARSET_FARAWAY -meta MIME_CHARSET_FARAWAY (__MIME_CHARSET_FARAWAY && __HIGHBITS) -describe MIME_CHARSET_FARAWAY MIME character set indicates foreign language -tflags MIME_CHARSET_FARAWAY userconf - -########################################################################### - -# duncf -body EMAIL_ROT13 /\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b/ -describe EMAIL_ROT13 Body contains a ROT13-encoded email address -test EMAIL_ROT13 ok qhabs^ebtref(pbz -test EMAIL_ROT13 ok zxrggyre^riv-vap(pbz -test EMAIL_ROT13 fail duncf-nospam@rogers.com - -# this could use more work -body __LONGWORDS_A /\b(?:[a-z]{8,}[\s\.]+){6}/ -body __LONGWORDS_B /\b(?:[a-z]{6,}[\s\.]+){9}/ -body __LONGWORDS_C /\b(?:[a-z]{5,}[\s\.]+){10}/ -meta LONGWORDS (__LONGWORDS_A + __LONGWORDS_B + __LONGWORDS_C > 1) -describe LONGWORDS Long string of long words - - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - - -# This rule uses a simple algorithm to determine if the text and html -# parts of an multipart/alternative message are different. -body MPART_ALT_DIFF eval:multipart_alternative_difference('99', '100') -describe MPART_ALT_DIFF HTML and text parts are different - -body MPART_ALT_DIFF_COUNT eval:multipart_alternative_difference_count('3', '1') -describe MPART_ALT_DIFF_COUNT HTML and text parts are different - -body BLANK_LINES_80_90 eval:check_blank_line_ratio('80','90','4') -describe BLANK_LINES_80_90 Message body has 80-90% blank lines - -# it's the ratio of spaces to non-spaces in each paragraph. apparently -# messages where generally there are lots of spaces mean the message is spam. -# 8.532 10.6051 0.1897 0.982 0.75 0.01 T_VERTICAL_WORDS_TVD_1 -# bug 6149: avoid common .jp false positives -header __SUBJECT_UTF8_B_ENCODED Subject:raw =~ /=\?UTF-?8\?B\?/i -body __TVD_SPACE_RATIO eval:tvd_vertical_words('0','10') -meta TVD_SPACE_RATIO (__TVD_SPACE_RATIO && !__ISO_2022_JP_DELIM && !__SUBJECT_UTF8_B_ENCODED && !__HIGHBITS) - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -# 0.767 0.9097 0.0000 1.000 0.84 1.00 MULTIPART_ALT_NON_TEXT -body MULTIPART_ALT_NON_TEXT eval:check_ma_non_text() - -body CHARSET_FARAWAY eval:check_for_faraway_charset() -describe CHARSET_FARAWAY Character set indicates a foreign language -tflags CHARSET_FARAWAY userconf - -# these tests doesn't actually use rawbody since rawbody isn't raw enough; -# they must be written very carefully to avoid modifying the original content - -# MIME Content-Transfer-Encoding control rules -rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count') -describe __MIME_BASE64 Includes a base64 attachment - -rawbody __MIME_QP eval:check_for_mime('mime_qp_count') -describe __MIME_QP Includes a quoted-printable attachment - -# No longer used in MIMEEval -#rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks') -#describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding - - -rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text') -describe MIME_BASE64_TEXT Message text disguised using base64 encoding - - -body MISSING_MIME_HB_SEP eval:check_msg_parse_flags('missing_mime_head_body_separator') -describe MISSING_MIME_HB_SEP Missing blank line between MIME header and body - -body MIME_HTML_MOSTLY eval:check_mime_multipart_ratio('0.00','0.01') -describe MIME_HTML_MOSTLY Multipart message mostly text/html MIME - -# Steve Linford via Charlie Watts: good test! -body MIME_HTML_ONLY eval:check_for_mime_html_only() -describe MIME_HTML_ONLY Message only has text/html MIME parts - -rawbody MIME_QP_LONG_LINE eval:check_for_mime('mime_qp_long_line') -describe MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars - -rawbody __MIME_CHARSET_FARAWAY eval:check_for_mime('mime_faraway_charset') - -body MIME_BAD_ISO_CHARSET eval:check_for_mime('mime_bad_iso_charset') -describe MIME_BAD_ISO_CHARSET MIME character set is an unknown ISO charset - -body MIMEPART_LIMIT_EXCEEDED eval:check_for_mime('mimepart_limit_exceeded') -describe MIMEPART_LIMIT_EXCEEDED Message has too many MIME parts - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::URIEval - -body HTTPS_IP_MISMATCH eval:check_https_ip_mismatch() -describe HTTPS_IP_MISMATCH IP to HTTPS link found in HTML - -body URI_TRUNCATED eval:check_uri_truncated() -describe URI_TRUNCATED Message contained a URI which was truncated - -endif diff --git a/resources/spamassassin/20_compensate.cf b/resources/spamassassin/20_compensate.cf deleted file mode 100644 index f7f62a8b..00000000 --- a/resources/spamassassin/20_compensate.cf +++ /dev/null @@ -1,48 +0,0 @@ -# SpamAssassin rules file: compensation for common false positives -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### -# Header compensation tests - -require_version @@VERSION@@ - -header __HAS_RCVD exists:Received -priority __HAS_RCVD -2000 # Bug 8078 -meta NO_RECEIVED (!__HAS_RCVD) -tflags NO_RECEIVED nice userconf -describe NO_RECEIVED Informational: message has no Received headers - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::RelayEval - -# The message was never sent via an untrustworthy host. -header ALL_TRUSTED eval:check_all_trusted() -describe ALL_TRUSTED Passed through trusted hosts only via SMTP -tflags ALL_TRUSTED nice userconf - -header NO_RELAYS eval:check_no_relays() -tflags NO_RELAYS nice userconf -describe NO_RELAYS Informational: message was not relayed via SMTP - -endif diff --git a/resources/spamassassin/20_dnsbl_tests.cf b/resources/spamassassin/20_dnsbl_tests.cf deleted file mode 100644 index 93e7356e..00000000 --- a/resources/spamassassin/20_dnsbl_tests.cf +++ /dev/null @@ -1,251 +0,0 @@ -# SpamAssassin rules file: DNS blocklist and welcomelist tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::DNSEval - -# See the Mail::SpamAssassin::Conf manual page for details of how to use -# check_rbl(). - -# --------------------------------------------------------------------------- -# Multizone / Multi meaning BLs first. -# -# Note that currently TXT queries cannot be used for these, since the -# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply. - - -# --------------------------------------------------------------------------- -# SORBS -# transfers: both axfr and ixfr available -# URL: http://www.dnsbl.sorbs.net/ -# pay-to-use: no -# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request - -header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.') -describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS -tflags __RCVD_IN_SORBS net -reuse __RCVD_IN_SORBS - -header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2') -describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server -tflags RCVD_IN_SORBS_HTTP net -reuse RCVD_IN_SORBS_HTTP - -header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3') -describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server -tflags RCVD_IN_SORBS_SOCKS net -reuse RCVD_IN_SORBS_SOCKS - -header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4') -describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server -tflags RCVD_IN_SORBS_MISC net -reuse RCVD_IN_SORBS_MISC - -header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5') -describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay -tflags RCVD_IN_SORBS_SMTP net -reuse RCVD_IN_SORBS_SMTP - -# delist: $50 fee -#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6') -#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source -#tflags RCVD_IN_SORBS_SPAM net -#reuse RCVD_IN_SORBS_SPAM RCVD_IN_SORBS_SPAM - -header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7') -describe RCVD_IN_SORBS_WEB SORBS: sender is an abusable web server -tflags RCVD_IN_SORBS_WEB net -reuse RCVD_IN_SORBS_WEB - -header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8') -describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested -tflags RCVD_IN_SORBS_BLOCK net -reuse RCVD_IN_SORBS_BLOCK - -header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9') -describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network -tflags RCVD_IN_SORBS_ZOMBIE net -reuse RCVD_IN_SORBS_ZOMBIE - -header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10') -describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address -tflags RCVD_IN_SORBS_DUL net -reuse RCVD_IN_SORBS_DUL - -# --------------------------------------------------------------------------- -# Spamhaus ZEN includes SBL+CSS+XBL+PBL -# https://www.spamhaus.org/faq/section/DNSBL%20Usage#200 -# -# Spamhaus XBL contains the Abuseat CBL data (cbl.abuseat.org) - -header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.') -describe __RCVD_IN_ZEN Received via a relay in Spamhaus Zen -tflags __RCVD_IN_ZEN net -reuse __RCVD_IN_ZEN - -# SBL is the Spamhaus Block List: https://www.spamhaus.org/sbl/ -header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.2') -describe RCVD_IN_SBL Received via a relay in Spamhaus SBL -tflags RCVD_IN_SBL net -reuse RCVD_IN_SBL - -# XBL is the Exploits Block List: https://www.spamhaus.org/xbl/ -header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$') -describe RCVD_IN_XBL Received via a relay in Spamhaus XBL -tflags RCVD_IN_XBL net -reuse RCVD_IN_XBL - -# PBL is the Policy Block List: https://www.spamhaus.org/pbl/ -header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$') -describe RCVD_IN_PBL Received via a relay in Spamhaus PBL -tflags RCVD_IN_PBL net -reuse RCVD_IN_PBL - -# CSS is the Spamhaus CSS Component of the SBL List: https://www.spamhaus.org/css/ -header RCVD_IN_SBL_CSS eval:check_rbl_sub('zen', '127.0.0.3') -describe RCVD_IN_SBL_CSS Received via a relay in Spamhaus SBL-CSS -tflags RCVD_IN_SBL_CSS net -reuse RCVD_IN_SBL_CSS - -# New blocked checks 10/2019 -header RCVD_IN_ZEN_BLOCKED_OPENDNS eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.254$') -describe RCVD_IN_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ -tflags RCVD_IN_ZEN_BLOCKED_OPENDNS net -reuse RCVD_IN_ZEN_BLOCKED_OPENDNS - -# New blocked checks 10/2019 -header RCVD_IN_ZEN_BLOCKED eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.255$') -describe RCVD_IN_ZEN_BLOCKED ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ -tflags RCVD_IN_ZEN_BLOCKED net -reuse RCVD_IN_ZEN_BLOCKED - -if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) -dns_block_rule RCVD_IN_ZEN_BLOCKED_OPENDNS zen.spamhaus.org -dns_block_rule RCVD_IN_ZEN_BLOCKED zen.spamhaus.org -endif - - -# Now, single zone BLs follow: - -# --------------------------------------------------------------------------- -# NOTE: donation tests, see README file for details - -header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)') -describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net -tflags RCVD_IN_BL_SPAMCOP_NET net -reuse RCVD_IN_BL_SPAMCOP_NET - -# --------------------------------------------------------------------------- -# NOTE: commercial tests, see README file for details - -header RCVD_IN_MAPS_RBL eval:check_rbl('rblplus', 'activationcode.r.mail-abuse.com.', '1') -describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html -tflags RCVD_IN_MAPS_RBL net -reuse RCVD_IN_MAPS_RBL - -header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-lastexternal', 'activationcode.r.mail-abuse.com.', '2') -describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html -tflags RCVD_IN_MAPS_DUL net -reuse RCVD_IN_MAPS_DUL - -header RCVD_IN_MAPS_RSS eval:check_rbl_sub('rblplus', '4') -describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html -tflags RCVD_IN_MAPS_RSS net -reuse RCVD_IN_MAPS_RSS - -header RCVD_IN_MAPS_OPS eval:check_rbl_sub('rblplus', '8') -describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html -tflags RCVD_IN_MAPS_OPS net -reuse RCVD_IN_MAPS_OPS - -# The NML isn't part of the RBL+ and I find any documentation for it - is it dead? -header RCVD_IN_MAPS_NML eval:check_rbl('nml', 'nonconfirm.mail-abuse.com.') -describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html -tflags RCVD_IN_MAPS_NML net -reuse RCVD_IN_MAPS_NML - -# --------------------------------------------------------------------------- -# Section for DNS WL related lookups below. - -# IADB support ... -header __RCVD_IN_IADB eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.') -tflags __RCVD_IN_IADB net nice -reuse __RCVD_IN_IADB - -header RCVD_IN_IADB_VOUCHED eval:check_rbl_sub('iadb-firsttrusted', '127.0.1.255') -describe RCVD_IN_IADB_VOUCHED ISIPP IADB lists as vouched-for sender -tflags RCVD_IN_IADB_VOUCHED net nice -reuse RCVD_IN_IADB_VOUCHED - -# --------------------------------------------------------------------------- -# Validity (née Return Path, SenderScore) reputation DNSBLs -# https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6247 -# Certified: -# https://www.validity.com/resource-center/fact-sheet-certification/ -# (replaces RCVD_IN_BSP_TRUSTED, RCVD_IN_BSP_OTHER, RCVD_IN_SSC_TRUSTED_COI, RCVD_IN_RP_CERTIFIED) -header RCVD_IN_VALIDITY_CERTIFIED eval:check_rbl_txt('ssc-firsttrusted', 'sa-trusted.bondedsender.org.') -describe RCVD_IN_VALIDITY_CERTIFIED Sender in Validity Certification - Contact certification@validity.com -tflags RCVD_IN_VALIDITY_CERTIFIED net nice publish -reuse RCVD_IN_VALIDITY_CERTIFIED RCVD_IN_RP_CERTIFIED - -# Safe: -# https://www.validity.com/resource-center/fact-sheet-certification/ -# (replaces HABEAS_ACCREDITED_COI, HABEAS_ACCREDITED_SOI, HABEAS_CHECKED, RCVD_IN_RP_SAFE) -header RCVD_IN_VALIDITY_SAFE eval:check_rbl_txt('ssc-firsttrusted','sa-accredit.habeas.com.') -describe RCVD_IN_VALIDITY_SAFE Sender in Validity Safe - Contact certification@validity.com -tflags RCVD_IN_VALIDITY_SAFE net nice publish -reuse RCVD_IN_VALIDITY_SAFE RCVD_IN_RP_SAFE - -# Validity RPBL (née Return Path Reputation Network Blacklist - RNBL): -# https://www.senderscore.org/blocklistlookup/ -# (replaces RCVD_IN_RP_RNBL) -header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.') -describe RCVD_IN_VALIDITY_RPBL Relay in Validity RPBL, https://senderscore.org/blocklistlookup/ -tflags RCVD_IN_VALIDITY_RPBL net publish -reuse RCVD_IN_VALIDITY_RPBL RCVD_IN_RP_RNBL - -endif - -#These are old and useless - The zones are no longer supported by SpamHaus 2018-12-12 -#ifplugin Mail::SpamAssassin::Plugin::AskDNS -# -#askdns DKIMDOMAIN_IN_DWL _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT /^([a-z]+ )*(transaction|list|all)( [a-z]+)*$/ -#tflags DKIMDOMAIN_IN_DWL net nice -#describe DKIMDOMAIN_IN_DWL Signing domain listed in Spamhaus DWL -#reuse DKIMDOMAIN_IN_DWL -# -#askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT -#tflags __DKIMDOMAIN_IN_DWL_ANY net nice -#describe __DKIMDOMAIN_IN_DWL_ANY Any TXT response received from a Spamhaus DWL -#reuse __DKIMDOMAIN_IN_DWL_ANY -# -#meta DKIMDOMAIN_IN_DWL_UNKNOWN __DKIMDOMAIN_IN_DWL_ANY && !DKIMDOMAIN_IN_DWL -#tflags DKIMDOMAIN_IN_DWL_UNKNOWN net nice -#describe DKIMDOMAIN_IN_DWL_UNKNOWN Unrecognized response from Spamhaus DWL -# -#endif diff --git a/resources/spamassassin/20_drugs.cf b/resources/spamassassin/20_drugs.cf deleted file mode 100644 index 94d59c8c..00000000 --- a/resources/spamassassin/20_drugs.cf +++ /dev/null @@ -1,277 +0,0 @@ -# SpamAssassin rules file: drug tests -# -# This ruleset is intended to detect common "pill spam" however, it is not -# appropriate for all environments. It may not be appropriate for a medical or -# pharmaceutical environment. If in doubt, adjust the scores of all the rules -# to 0.01 and see if they fire off on your daily nonspam. -# -# Please don't modify this file as your changes will be overwritten with the -# next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. See 'perldoc -# Mail::SpamAssassin::Conf' for details. -# -# Note: body tests are run with long lines, so be sure to limit the size of -# searches; use /.{0,30}/ instead of /.*/ to avoid huge search times. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -########################################################################### -# header rules -# (only use sufficiently long drug name to make name unique) - -header SUBJECT_DRUG_GAP_C Subject =~ /\bc(?!ialis(?:t|\xc3\xa9|\xe9))[\sc]{0,2}i[\si]{0,2}a[\sa]{0,2}l[\sl]{0,2}i[\si]{0,2}s{1,3}\b/i -describe SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis' - -header SUBJECT_DRUG_GAP_L Subject =~ /l.{0,2}e.{0,2}v.{0,2}i.{0,2}t.{0,2}r.{0,2}a/i -describe SUBJECT_DRUG_GAP_L Subject contains a gappy version of 'levitra' - - -header SUBJECT_DRUG_GAP_S Subject =~ /\bs.{0,1}o.{0,1}m.{0,1}a\b/i -describe SUBJECT_DRUG_GAP_S Subject contains a gappy version of 'soma' - -# Bug 5396 - Hits visa and random finnish words -#header SUBJECT_DRUG_GAP_VA Subject =~ /v.{0,2}a.{0,2}l.{0,2}i.{0,2}u.{0,2}m/i -#describe SUBJECT_DRUG_GAP_VA Subject contains a gappy version of 'valium' - - -header SUBJECT_DRUG_GAP_X Subject =~ /x.{0,2}a.{0,2}n.{0,2}a.{0,2}x/i -describe SUBJECT_DRUG_GAP_X Subject contains a gappy version of 'xanax' - -########################################################################### -# body rules - -body DRUG_DOSAGE m{[\d\.]+ *\$? *(?:[\\/]|per) *d.?o.?s.?e}i -describe DRUG_DOSAGE Talks about price per dose - -# jm: keep this case-sensitive, otherwise it FP's -body DRUG_ED_CAPS /\b(?:CIALIS|LEVITRA|VIAGRA)/ -describe DRUG_ED_CAPS Mentions an E.D. drug - - -body DRUG_ED_SILD /\bsildenafil\b/i -describe DRUG_ED_SILD Talks about an E.D. drug using its chemical name - -body DRUG_ED_GENERIC /\bGeneric Viagra\b/ -describe DRUG_ED_GENERIC Mentions Generic Viagra - -body DRUG_ED_ONLINE /\bviagra .{0,25}(?:express|online|overnight)/i -describe DRUG_ED_ONLINE Fast Viagra Delivery - -body ONLINE_PHARMACY /\bonline pharmacy|\b(?:drugs|medications) online/i -describe ONLINE_PHARMACY Online Pharmacy - -# Updated bug 6448 -body NO_PRESCRIPTION /N[o0].{1,10}P(?:er|re)scr[i1]pt[i1][o0]n.{1,10}(?:n[e3][e3]d[e3]d|requ[1i]re|n[e3]c[e3]ssary)/i -describe NO_PRESCRIPTION No prescription needed - -# too easy -body VIA_GAP_GRA /\bvia.gra\b/i -describe VIA_GAP_GRA Attempts to disguise the word 'viagra' - -######################################################################## -# male sexual dysfunction drugs -# -# This section is undergoing improvements and I'm trying to track down a -# FP case that seems to mostly affect technical emails. -# However, all of the test cases so far fail to match when retested. -# note: The regex /v.i.a.g.r.a/ was intentionally not used -# due to potential false positive cases with PGP signatures -# and other base-64ish stuff. -# instead other patterns are used catch non alphanumeric gapping patterns -# note: \W = "non word character" - -# Note: many of the drugs named in here are brand-names and are trademarked. -# All trademarks are property of the respective owners. -#current best char substitutions -# i - [i1!|l\xEC-\xEF] -# a - [a4\xE0-\xE6@] -# e - [e3\xE8-\xEB] -# o - [o0\xF2-\xF6] -# u - [u\xB5\xF9-\xFC] - -# v - (?:\\\/|V) -# l - [l!|1] -# -# Also see 25_replace.cf -# -# If you're adding accented-character exclusions, include the HTML entity tags -# as well to cover the case where they appear in plain-text body parts. -# -#plain Viagra and Cialis (used in obfu detection) -body __DRUGS_ERECTILE_V /\bViagra\b/i -body __DRUGS_ERECTILE_C /\bCialis(?!\xc3\xa9|\xe9)\b/i -body __DRUGS_ERECTILE_L /\bLevitra\b/i -# obfu/plain and mis-spelled Viagra variants -body __DRUGS_ERECTILE1 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[ij1!|l\xEC\xED\xEE\xEF][_\W]{0,3}[a40\xE0-\xE6@][_\W]{0,3}[xyz]?[gj][_\W]{0,3}r[_\W]{0,3}[a40\xE0-\xE6@][_\W]{0,3}x?[_\W]{0,3}(?:\b|\s)/i -body __DRUGS_ERECTILE2 /\bV(?:agira|igara|iaggra|iaegra)\b/i -# cialis variants (spelling correct now) -# note: the rather strange pre-amble is to avoid FPs on french words containing high-ascii chars surrounding -# "cialis". -# try to avoid FPs on "specialist" and FR "spécialisé" -body __DRUGS_ERECTILE3 /(?:\A|[\s\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])[_\W]{0,3}(?!cialis(?:t|\xc3\xa9|\xe9|\&\#xe9\;|\é\;)|c i a l i s (?:t|\xc3\xa9|\xe9|\&\#xe9\;|\é\;))C[_\W]{0,3}[ij1!|l\xEC\xED\xEE\xEF][_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}l?[l!|1][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}s[_\W]{0,3}(?:\b|\s)/i -body __DRUGS_ERECTILE4 /\bC(?:alis|ilias|ilais)\b/i -# generic names -#sildenafil citrate -body __DRUGS_ERECTILE5 /\b_{0,3}s[_\W]?[i1!|l\xEC-\xEF][_\W]?l[_\W]?d[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?f[_\W]?[i1!|l\xEC-\xEF][_\W]?l c[_\W]?[i1!|l\xEC-\xEF][_\W]?t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?t[_\W]?[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i -#Levitra -body __DRUGS_ERECTILE6 /\b_{0,3}L[_\W]?[e3\xE8-\xEB][_\W]?(?:\\\/|V)[_\W]?[i1!|l\xEC-\xEF][_\W]?t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?(?:\b|\s)/i -#tadalafil -body __DRUGS_ERECTILE8 /\b_{0,3}T[_\W]?[a4\xE0-\xE6@][_\W]?d[_\W]?[a4\xE0-\xE6@][_\W]?l[_\W]?[a4\xE0-\xE6@][_\W]?f[_\W]?[i1!|l\xEC-\xEF][_\W]?l_{0,3}\b/i -# gapped/obfu viagra variants using funky html-style character codes -rawbody __DRUGS_ERECTILE10 /\b_{0,3}V[_\W]?(?:i|\ï\;)[_\W]?(?:a|\à|\å)\;?[_\W]?g[_\W]?r[_\W]?(?:a|\à|\å)\b/i -#apcalis - a generic of cialis -body __DRUGS_ERECTILE11 /(?:\b|\s)_{0,3}[a4\xE0-\xE6@][_\W]{0,3}p[_\W]{0,3}c[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l!|1][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}s_{0,3}\b/i -meta DRUGS_ERECTILE (__DRUGS_ERECTILE1 || __DRUGS_ERECTILE2 || __DRUGS_ERECTILE3 || __DRUGS_ERECTILE4 || __DRUGS_ERECTILE5 || __DRUGS_ERECTILE6 || __DRUGS_ERECTILE8 || __DRUGS_ERECTILE10 || __DRUGS_ERECTILE11 ) -describe DRUGS_ERECTILE Refers to an erectile drug -meta DRUGS_ERECTILE_OBFU ( (__DRUGS_ERECTILE1 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE3 && !__DRUGS_ERECTILE_C) ||__DRUGS_ERECTILE2 || (__DRUGS_ERECTILE10 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE6 &&!__DRUGS_ERECTILE_L)) -describe DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug - - - -#diet -body __DRUGS_DIET_PHEN /\bphentermine\b/i -#phentermine -body __DRUGS_DIET1 /(?:\b|\s)[_\W]{0,3}p[_\W]{0,3}h[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}n[_\W]{0,3}t[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}r[_\W]{0,3}m[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}n[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}(?:\b|\s)/i -#ionamin -body __DRUGS_DIET2 /(?:\b|\s)_{0,3}[i1!|l\xEC-\xEF][_\W]?o[_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?m[_\W]?[i1!|l\xEC-\xEF][_\W]?n_{0,3}\b/i -#bontril -body __DRUGS_DIET3 /\bbontril\b/i -#phendimetrazine -body __DRUGS_DIET4 /\bphendimetrazine\b/i -#diethylpropion, generic of Tenuate, uncommon in spam -body __DRUGS_DIET5 /\bdiethylpropion\b/i -#Meridia -body __DRUGS_DIET6 /(?:\b|\s)[_\W]{0,3}M[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}r[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}d[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}(?:\b|\s)/i -#tenuate -body __DRUGS_DIET7 /\b_{0,3}t[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?u[_\W]?a[_\W]?t[_\W]?[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i -#didrex -body __DRUGS_DIET8 /\b_{0,3}d[_\W]?[i1!|l\xEC-\xEF][_\W]?d[_\W]?r[_\W][e3\xE8-\xEB[_\W]?xx?_{0,3}\b/i -#adipex -body __DRUGS_DIET9 /\b_{0,3}a[_\W]?d[_\W]?[i1!|l\xEC-\xEF][_\W]?p[_\W]?[e3\xE8-\xEB][_\W]?x_{0,3}\b/i -#xenical -body __DRUGS_DIET10 /\b_{0,3}x?x[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?[i1!|l\xEC-\xEF][_\W]?c[_\W]?[a4\xE0-\xE6@][_\W]?l_{0,3}\b/i -meta DRUGS_DIET (__DRUGS_DIET1 || __DRUGS_DIET2 || __DRUGS_DIET3 || __DRUGS_DIET4 ||__DRUGS_DIET5 ||__DRUGS_DIET6 ||__DRUGS_DIET7 ||__DRUGS_DIET8 || __DRUGS_DIET9 || __DRUGS_DIET10 ) -describe DRUGS_DIET Refers to a diet drug -meta DRUGS_DIET_OBFU (__DRUGS_DIET1 && !__DRUGS_DIET_PHEN) -describe DRUGS_DIET_OBFU Obfuscated reference to a diet drug - -# pain relief drugs -body __DRUGS_PAIN_VICO /vicodin/i -body __DRUGS_PAIN_VIOXX /vioxx/i -body __DRUGS_PAIN_FIO /fioricet/i -body __DRUGS_PAIN1 /\b_{0,3}h[_\W]?y[_\W]?d[_\W]?r[_\W]?[o0\xF2-\xF6][_\W]?c[_\W]?[o0\xF2-\xF6][_\W]?d[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?e_{0,3}\b/i -body __DRUGS_PAIN2 /\b_{0,3}c[o0\xF2-\xF6]deine_{0,3}\b/i -#ultram -body __DRUGS_PAIN3 /(?:\b|\s)[_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}l[_\W]{0,3}t[_\W]{0,3}r[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}m_{0,3}\b/i -#vicodin -body __DRUGS_PAIN4 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}c[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}d[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}ns?[_\W]{0,3}(?:\b|\s)/i -#tramadol -body __DRUGS_PAIN5 /\b_{0,3}t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?m[_\W]?[a4\xE0-\xE6@][_\W]?d[_\W]?[o0\xF2-\xF6][_\W]?[l!|1]_{0,3}\b/i -# ultracet, uncommon in spam. -body __DRUGS_PAIN6 /\b_{0,3}u[_\W]?l[_\W]?t[_\W]?r[_\W]?a[_\W]?c[_\W]?e[_\W]?t_{0,3}\b/i -#fioricet -body __DRUGS_PAIN7 /\b_{0,3}f[_\W]?[i1!|l\xEC-\xEF][_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[i1!|l\xEC-\xEF][_\W]?c[_\W]?[e3\xE8-\xEB][_\W]?[t7]_{0,3}\b/i -#celebrex -body __DRUGS_PAIN8 /\b_{0,3}c[_\W]?[e3\xE8-\xEB][_\W]?l[_\W]?[e3\xE8-\xEB][_\W]?b[_\W]?r[_\W]?[e3\xE8-\xEB][_\W]?x_{0,3}\b/i -#imitrex -body __DRUGS_PAIN9 /(?:\b|\s)_{0,3}[i1!|l\xEC-\xEF]m[i1!|l\xEC-\xEF]tr[e3\xE8-\xEB]x_{0,3}\b/i -#vioxx -body __DRUGS_PAIN10 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}x[_\W]{0,3}xx?_{0,3}\b/i -#zebutal, uncommon in spam. -body __DRUGS_PAIN11 /\bzebutal\b/i -#esgic plus, uncommon in spam. -body __DRUGS_PAIN12 /\besgic plus\b/i -#Darvon - a prescription narcotic -body __DRUGS_PAIN13 /\bD[_\W]?[a4\xE0-\xE6@][_\W]?r[_\W]?v[_\W]?[o0\xF2-\xF6][_\W]?n\b/i -body __DRUGS_PAIN14 /N[o0\xF2-\xF6]rc[o0\xF2-\xF6]/i -meta __DRUGS_PAIN (__DRUGS_PAIN1 || __DRUGS_PAIN2 || __DRUGS_PAIN3 || __DRUGS_PAIN4 ||__DRUGS_PAIN5 ||__DRUGS_PAIN6 ||__DRUGS_PAIN7 ||__DRUGS_PAIN8 || __DRUGS_PAIN9 || __DRUGS_PAIN10|| __DRUGS_PAIN11 || __DRUGS_PAIN12 || __DRUGS_PAIN13 ||__DRUGS_PAIN14) -#sleep aids -#ativan and lorazepam already under anxiety -#Ambien, brand of zolpidem tartrate -body __DRUGS_SLEEP1 /(?:\b|\s)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}m[_\W]{0,3}b[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}n[_\W]{0,3}(?:\b|\s)/i -#sonata, brand of zaleplon -body __DRUGS_SLEEP2 /(?:\b|\s)[_\W]{0,3}S[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}n[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}t[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}(?:\b|\s)/i -#Restoril, brand of temazepam, uncommon in spam -body __DRUGS_SLEEP3 /\b_{0,3}R[_\W]?[e3\xE8-\xEB][_\W]?s[_\W]?t[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?i[_\W]?l_{0,3}\b/i -#Halcion, brand of triazolam -body __DRUGS_SLEEP4 /\b_{0,3}H[_\W]?[a4\xE0-\xE6@][_\W]?l[_\W]?c[_\W]?i[_\W]?[o0\xF2-\xF6][_\W]?n_{0,3}\b/i - -meta __DRUGS_SLEEP (__DRUGS_SLEEP1 || __DRUGS_SLEEP2 || __DRUGS_SLEEP3 ||__DRUGS_SLEEP4) - -#muscle relaxants -#soma - removed due to Bug 7612 -#body __DRUGS_MUSCLE1 /(?:\b|\s)[_\W]{0,3}s[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}m[_\W]{0,3}[a4\xE0-\xE3\xE5\xE6@][_\W]{0,3}(?:\b|\s)/i -#cyclobenzaprine -body __DRUGS_MUSCLE2 /\b_{0,3}cycl[o0\xF2-\xF6]b[e3\xE8-\xEB]nz[a4\xE0-\xE6@]pr[i1!|l\xEC-\xEF]n[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i -#flexeril -body __DRUGS_MUSCLE3 /\b_{0,3}f[_\W]?l[_\W]?[e3\xE8-\xEB][_\W]?x[_\W]?[e3\xE8-\xEB][_\W]?r[_\W]?[i1!|l\xEC-\xEF]_{0,3}[_\W]?l_{0,3}\b/i -#zanaflex -body __DRUGS_MUSCLE4 /\b_{0,3}z[_\W]?a[_\W]?n[_\W]?a[_\W]?f[_\W]?l[_\W]?e[_\W]?x_{0,3}\b/i -#skelaxin -body __DRUGS_MUSCLE5 /\bskelaxin\b/i -meta DRUGS_MUSCLE (__DRUGS_MUSCLE2 || __DRUGS_MUSCLE3 || __DRUGS_MUSCLE4 ||__DRUGS_MUSCLE5 ) -describe DRUGS_MUSCLE Refers to a muscle relaxant -#anti-anxiety -#these two rules are used to differentiate between obfu and non-obfu spellings -body __DRUGS_ANXIETY_XAN /xan[ae]x/i -body __DRUGS_ANXIETY_VAL /valium/i -#xanax - note: second a sometimes done as e. -body __DRUGS_ANXIETY1 /(?:\b|\s)[_\W]{0,3}x?x[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}n[_\W]{0,3}[ea4\xE1\xE2\xE3@][_\W]{0,3}xx?_{0,3}\b/i -#alprazolam -body __DRUGS_ANXIETY2 /\bAlprazolam\b/i -#valium -body __DRUGS_ANXIETY3 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l|][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}m\b/i -#diazepam, generic of valium -body __DRUGS_ANXIETY4 /\b_{0,3}D[_\W]?[i1!|l\xEC-\xEF][_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[ea3\xE9\xEA\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i -#ativan -body __DRUGS_ANXIETY5 /(?:\b|\s)[a4\xE0-\xE6@][_\W]?t[_\W]?[i1!|l\xEC-\xEF][_\W]?v[_\W]?[a4\xE0-\xE6@][_\W]?n_{0,3}\b/i -#lorazepam - generic of ativan, uncommon in spam -body __DRUGS_ANXIETY6 /\b_{0,3}l[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[e3\xE8-\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i -#clonazepam, generic. -body __DRUGS_ANXIETY7 /\b_{0,3}c[_\W]?l[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?e[_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m\b/i -#klonopin, brand of clonazepam, uncommon in spam -body __DRUGS_ANXIETY8 /\bklonopin\b/i -#rivotril, brand of clonazepam, uncommon in spam -body __DRUGS_ANXIETY9 /\brivotril\b/i -meta DRUGS_ANXIETY (__DRUGS_ANXIETY1 || __DRUGS_ANXIETY2 || __DRUGS_ANXIETY3 || __DRUGS_ANXIETY4 ||__DRUGS_ANXIETY5 ||__DRUGS_ANXIETY6 ||__DRUGS_ANXIETY7 ||__DRUGS_ANXIETY8 || __DRUGS_ANXIETY9 ) -describe DRUGS_ANXIETY Refers to an anxiety control drug -meta DRUGS_ANXIETY_OBFU ( (__DRUGS_ANXIETY1 &&! __DRUGS_ANXIETY_XAN) || (__DRUGS_ANXIETY3 && !__DRUGS_ANXIETY_VAL)) -describe DRUGS_ANXIETY_OBFU Obfuscated reference to an anxiety control drug - -body DRUGS_SMEAR1 /(?:Viagra|Valium|Xanax|Soma|Cialis){2}/i -describe DRUGS_SMEAR1 Two or more drugs crammed together into one word - -#search for "weird" combinations that are unlikely to -#be prescribed together for a single event, thus unlikely to be -#mentioned in the same email, except an online pharmacy ad. -meta DRUGS_ANXIETY_EREC (DRUGS_ERECTILE && DRUGS_ANXIETY) -describe DRUGS_ANXIETY_EREC Refers to both an erectile and an anxiety drug -meta DRUGS_SLEEP_EREC (DRUGS_ERECTILE && __DRUGS_SLEEP) -describe DRUGS_SLEEP_EREC Refers to both an erectile and a sleep aid drug - -# note: some 3 item combos are "normal" ie: a patient might legitimately -# be prescribed depression, anxiety and sleep aid drugs all at once. -# however, I know of no "normal" 4-item combinations. -meta DRUGS_MANYKINDS (DRUGS_ERECTILE + DRUGS_DIET + __DRUGS_PAIN + __DRUGS_SLEEP + DRUGS_MUSCLE + DRUGS_ANXIETY > 3) -describe DRUGS_MANYKINDS Refers to at least four kinds of drugs - -######################################################################## - diff --git a/resources/spamassassin/20_dynrdns.cf b/resources/spamassassin/20_dynrdns.cf deleted file mode 100644 index 76a552ca..00000000 --- a/resources/spamassassin/20_dynrdns.cf +++ /dev/null @@ -1,213 +0,0 @@ -# SpamAssassin rules file: dynamic-ish rDNS tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# We should write a new ruletype for these, to save typing. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -# --------------------------------------------------------------------------- - -# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware -# connecting to a internal relay; if a mail came from a dynamic addr but -# was relayed through their smarthost, that's fine. - -# See bug #5856, all references of "trusted" were changed to "external" - -# All of the RDNS_DYNAMIC rules require that the last external relay -# did not use SMTP authentication. These rules should not be firing on -# friendlies! -header __LAST_UNTRUSTED_RELAY_NO_AUTH X-Spam-Relays-Untrusted =~ /^[^\]]+ auth= / -header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= / - -# dhcp024-210-034-053.columbus.rr.com [24.210.34.53] -# c-66-176-16-108.se.client2.attbi.com [66.176.16.108] -# c-67-168-174-61.client.comcast.net [67.168.174.61] -# NNN-NNN-NNN-NNN.fibertel.com.ar -# NN.NN.NNN.NNN.ap.yournet.ne.jp -# NN.NNN.NN-NN.rev.gaoland.net -# vaise-1-82-67-44-166.fbx.proxad.net [82.67.44.166] -# lns-vlq-11-62-147-186-141.adsl.proxad.net [62.147.186.141] -# dsl-200-95-109-107.prod-infinitum.com.mx [200.95.109.107] -# port-212-202-77-203.reverse.qsc.de [212.202.77.203] -# pool-151-203-32-68.bos.east.verizon.net [151.203.32.68] -# c-67-164-133-216.client.comcast.net [67.164.133.216] -# 200-171-228-6.customer.telesp.net.br [200.171.228.6] -# modemcable090.28-201-24.mc.videotron.ca [24.201.28.90] -# 80-218-47-160.dclient.hispeed.ch [80.218.47.160] -# cdm-68-226-239-16.laft.cox-internet.com [68.226.239.16] -# d53-64-35-171.nap.wideopenwest.com [64.53.171.35] -# 74.67-201-80.adsl.skynet.be [80.201.67.74] -# 12-218-225-223.client.mchsi.com [12.218.225.223] -# pptp-81-30-186-139.ufanet.ru [81.30.186.139] -# (require an alpha first, as legit HELO'ing-as-IP-address is hit otherwise) -header __RDNS_DYNAMIC_IPADDR X-Spam-Relays-External =~ /^[^\]]+ rdns=(?![^\s\]]+[-.]static[-.])\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+\S*\.\S+\.\S/i -describe __RDNS_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1) - -# dhcp024-210-034-053.columbus.rr.com [24.210.34.53] -# catv-506237d8.miskcatv.broadband.hu [80.98.55.216] -# node-c-8b22.a2000.nl -# cm89.omega139.maxonline.com.sg -# cm114.gamma208.maxonline.com.sg -header __RDNS_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d/i -describe __RDNS_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP) - -# fia83-8.dsl.hccnet.nl [62.251.8.83] -# fia160-115-100.dsl.hccnet.nl [80.100.115.160] -header __RDNS_DYNAMIC_HCC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i -describe __RDNS_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC) - -# h0002a5d76857.ne.client2.attbi.com [65.96.12.59] -header __RDNS_DYNAMIC_ATTBI X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\d+\S+\.client2\.attbi\.com/i -describe __RDNS_DYNAMIC_ATTBI Relay HELO'd using suspicious hostname (ATTBI.com) - -# CPE0004e2372711-CM000a73666706.cpe.net.cable.rogers.com -# CPE00e0184f0eba-CM014490118324.cpe.net.cable.rogers.com [24.43.109.140] -header __RDNS_DYNAMIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ rdns=CPE\d+\S+\.rogers\.com/i -describe __RDNS_DYNAMIC_ROGERS Relay HELO'd using suspicious hostname (Rogers) - -# ca-morpark-cuda1-zone7-b-159.vnnyca.adelphia.net[67.23.129.159] -# tn-greenvillecuda1cable7a-36.atlaga.adelphia.net [68.171.113.36] -# ky-richmond2a-123.rhmdky.adelphia.net [68.71.36.123] -# ny-lackawannacadent4-chtwga3a-b-117.buf.adelphia.net [68.71.205.117] -# fl-edel-u2-c3c-233.pbc.adelphia.net [68.64.89.233] -header __RDNS_DYNAMIC_ADELPHIA X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]{2}-\S+-\d{1,3}\.[a-z]{3,8}\.adelphia\.net/i -describe __RDNS_DYNAMIC_ADELPHIA Relay HELO'd using suspicious hostname (Adelphia) - -# pD9E4F89F.dip.t-dialin.net [217.228.248.159] -header __RDNS_DYNAMIC_DIALIN X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z][A-F0-9]+\.dip\./ -describe __RDNS_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin) - -# 0xd5aaf40b.dhcp.kabelnettet.dk -# 0x50a46949.virnxx11.adsl-dhcp.tele.dk -header __RDNS_DYNAMIC_HEXIP X-Spam-Relays-External =~ /^[^\]]+ rdns=0x[a-f0-9]{8}\./ -describe __RDNS_DYNAMIC_HEXIP Relay HELO'd using suspicious hostname (Hex IP) - -# 118.Red-80-35-201.pooles.rima-tde.net -header __RDNS_DYNAMIC_SPLIT_IP X-Spam-Relays-External =~ /^[^\]]+ rdns=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/ -describe __RDNS_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP) - -# YahooBB219173000034.bbtec.net [219.173.0.34] -header __RDNS_DYNAMIC_YAHOOBB X-Spam-Relays-External =~ /^[^\]]+ rdns=YahooBB/i -describe __RDNS_DYNAMIC_YAHOOBB Relay HELO'd using suspicious hostname (YahooBB) - -# ool-18be1aaf.dyn.optonline.net [24.190.26.175] -header __RDNS_DYNAMIC_OOL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.dyn\.optonline\.net/ -describe __RDNS_DYNAMIC_OOL Relay HELO'd using suspicious hostname (OptOnline) - -# wiley-170-10231.roadrunner.nf.net [205.251.210.249] -header __RDNS_DYNAMIC_RR2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]+-\d{1,3}-\d{1,5}\.roadrunner/i -describe __RDNS_DYNAMIC_RR2 Relay HELO'd using suspicious hostname (RR 2) - -# pcp04024417pcs.toresd01.pa.comcast.net [68.86.206.126] -# bgp542174bgs.ewndsr01.nj.comcast.net[68.38.144.91] -# Computer-udp135632uds.union01.nj.comcast.net [68.39.99.32] -header __RDNS_DYNAMIC_COMCAST X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z-]+\d+[a-z]{3}\.[a-z0-9]+\...\.comcast/i -describe __RDNS_DYNAMIC_COMCAST Relay HELO'd using suspicious hostname (Comcast) - -# h234n2fls32o895.telia.com [217.208.73.234] -# h53n2fls32o828.telia.com -# h116n2fls32o1111.telia.com -# h29n1fls306o1003.telia.com -header __RDNS_DYNAMIC_TELIA X-Spam-Relays-External =~ /^[^\]]+ rdns=h\d+n\d+fls\S+\.telia\.com/i -describe __RDNS_DYNAMIC_TELIA Relay HELO'd using suspicious hostname (Telia) - -# CM-vina5-168-207.cm.vtr.net [200.104.168.207] -# CM-anto1-98-153.cm.vtr.net [200.104.98.153] -header __RDNS_DYNAMIC_VTR X-Spam-Relays-External =~ /^[^\]]+ rdns=cm-[a-z]+\d+-\d+-\d+\.cm\.vtr/i -describe __RDNS_DYNAMIC_VTR Relay HELO'd using suspicious hostname (VTR) - -# ec9z5l.cm.chello.no -header __RDNS_DYNAMIC_CHELLO_NO X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.cm\.chello\.no/i -describe __RDNS_DYNAMIC_CHELLO_NO Relay HELO'd using suspicious hostname (Chello.no) - -# g225174.upc-g.chello.nl -# a151145.upc-a.chello.nl -# a96134.upc-a.chello.nl -header __RDNS_DYNAMIC_CHELLO_NL X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]\d+\.upc-[a-z]\.chello\.nl/i -describe __RDNS_DYNAMIC_CHELLO_NL Relay HELO'd using suspicious hostname (Chello.nl) - -# MG001182.user.veloxzone.com.br -# ba199058073.user.veloxzone.com.br -header __RDNS_DYNAMIC_VELOX X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]{2}\d+\.user\.veloxzone\./i -describe __RDNS_DYNAMIC_VELOX Relay HELO'd using suspicious hostname (Veloxzone) - -# public4-seve6-5-cust173.lond.broadband.ntl.com -# spr1-bolt5-5-0-cust9.manc.broadband.ntl.com -# spc1-lewi4-6-0-cust190.lond.broadband.ntl.com -header __RDNS_DYNAMIC_NTL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\d+-\d+-cust\d+\.[a-z]{4,6}\.broadband\.ntl\.com/i -describe __RDNS_DYNAMIC_NTL Relay HELO'd using suspicious hostname (NTL) - -# (I'm quite sure these may be a good spamsign in future) -# nwblwi-nrp3-l10-a671.nwblwi.tds.net -header __RDNS_DYNAMIC_TDS X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+-[a-z]\d+\.[a-z]{6}\.tds\.net/i -header __RDNS_DYNAMIC_VIRTUA X-Spam-Relays-External =~ /^[^\]]+ rdns=\d+\.cps\./i - -# sp1-c700-131.spacelan.ne.jp -header __RDNS_DYNAMIC_SPACELAN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+-[a-z]\d+-\d+\./i - -# rDNS host-type indicators, as per -# https://tools.ietf.org/id/draft-msullivan-dnsop-generic-naming-schemes-00.txt -header __RDNS_INDICATOR_DYN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.]dyn(?:amic)?[\-\.]/i - -# surprisingly large ham hitrate -header __RDNS_INDICATOR_TYPE X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:dial|modem|isdn|dov|\S?dsl|cable|wireless)[\-\.]/i - -# this hits a little ham, not too much though -header __RDNS_INDICATOR_RES X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:res|resnet|client)[\-\.]/i - -# these are non-standard, but common in the field; 100% spam correlation! -# (I think that's a fluke) -header __RDNS_INDICATOR_TYPE2 X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:docsis|dhcp|cpe|catv)[\-\.]/i - -# dsl.dynamic8510023760.ttnet.net.tr -header __RDNS_DYNAMIC_TTNET X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.]dyn(?:amic)?\d/i - -# c221106.ppp.asahi-net.or.jp -# i253064.ppp.asahi-net.or.jp -# u035201.ppp.asahi-net.or.jp -# w158034.ppp.asahi-net.or.jp -header __RDNS_DYNAMIC_ASAHI X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z][0-9]+\.ppp\.asahi-net\.or\.jp/i - -# exceptions (bug 5397): -# exceptions: 66-220-155-151.mail-mail.facebook.com -# exceptions: o167-89-97-77.outbound-mail.sendgrid.net (bug 7592) -header __RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:fix|static|fixip|dedicated|mail\-mail|outbound-mail|smtp)/i - -# bug 5586: -header __CGATE_RCVD Received =~ /by \S+ \(CommuniGate Pro/ -# bug 5926: -header __DOMINO_RCVD Received =~ /by \S+ \(Lotus Domino / - -header __RDNS_NONE X-Spam-Relays-External =~ /^[^\]]+ rdns= / - -########################################################################### - -meta RDNS_DYNAMIC (__LAST_EXTERNAL_RELAY_NO_AUTH && !__RDNS_STATIC && (__RDNS_DYNAMIC_IPADDR || __RDNS_DYNAMIC_DHCP || __RDNS_DYNAMIC_HCC || __RDNS_DYNAMIC_ATTBI || __RDNS_DYNAMIC_ROGERS || __RDNS_DYNAMIC_ADELPHIA || __RDNS_DYNAMIC_DIALIN || __RDNS_DYNAMIC_HEXIP || __RDNS_DYNAMIC_SPLIT_IP || __RDNS_DYNAMIC_YAHOOBB || __RDNS_DYNAMIC_OOL || __RDNS_DYNAMIC_RR2 || __RDNS_DYNAMIC_COMCAST || __RDNS_DYNAMIC_TELIA || __RDNS_DYNAMIC_VTR || __RDNS_DYNAMIC_CHELLO_NO || __RDNS_DYNAMIC_CHELLO_NL || __RDNS_DYNAMIC_VELOX || __RDNS_DYNAMIC_NTL || __RDNS_DYNAMIC_TDS || __RDNS_DYNAMIC_VIRTUA || __RDNS_DYNAMIC_SPACELAN || __RDNS_INDICATOR_DYN || __RDNS_INDICATOR_RES || __RDNS_INDICATOR_TYPE2 || __RDNS_DYNAMIC_TTNET || __RDNS_DYNAMIC_ASAHI)) -describe RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS - -meta RDNS_NONE (__RDNS_NONE && !__CGATE_RCVD && !__DOMINO_RCVD) -describe RDNS_NONE Delivered to internal network by a host with no rDNS - - diff --git a/resources/spamassassin/20_fake_helo_tests.cf b/resources/spamassassin/20_fake_helo_tests.cf deleted file mode 100644 index cedd0d9e..00000000 --- a/resources/spamassassin/20_fake_helo_tests.cf +++ /dev/null @@ -1,160 +0,0 @@ -# SpamAssassin rules file: fake-HELO tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# We should write a new ruletype for these, to save typing. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -#--------------------------------------------------------------------------- -# Handle hosts that look like HELO_DYNAMIC hosts - -# cmr-208-124-139-194.cr.net.cable.rogers.com) [208.124.139.194] -# cmr-208-97-119-114.cr.net.cable.rogers.com) [208.97.119.114] -header __HELO_STATIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ helo=cmr-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\S+\.rogers\.com[^\]]+ auth= /i - -# o167-89-97-77.outbound-mail.sendgrid.net (bug 7592) -header __HELO_STATIC_SENDGRID X-Spam-Relays-External =~ /^[^\]]+ helo=o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net\s[^\]]+ auth= /i - -# 50-203-126-142-static.hfc.comcastbusiness.net -header __HELO_STATIC_COMCAST X-Spam-Relays-External =~ /^[^\]]+ helo=\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}-static\.hfc\.comcastbusiness\.net\s[^\]]+ auth= /i - -describe HELO_STATIC_HOST Relay HELO'd using static hostname -meta HELO_STATIC_HOST (__HELO_STATIC_ROGERS || __HELO_STATIC_SENDGRID || __HELO_STATIC_COMCAST) - -# --------------------------------------------------------------------------- - -# Suresh says: these will never be used as HELOs from real mail.com relays. -# Just check the most recent handover; the connection to a internal host. -# This way a legit sender can send to their MSA using that HELO (quite a few -# MUAs will do that), but a spammer gets caught. (List of domains comes from -# the drop-down list on the Mail.com signup page.) -#header FAKE_HELO_MAIL_COM_DOM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:\S+\.|)(?:(?:mail|email|iname|cheerful|consultant|europe|mindless|myself|post|techie|usa|writeme|2die4|artlover|bikerider|catlover|cliffhanger|cutey|doglover|gardener|hot-shot|inorbit|loveable|mad\.scientist|playful|poetic|popstar|saintly|seductive|soon|whoever|winning|witty|yours|africamail|arcticmail|asia|australiamail|europe|japan|samerica|usa|berlin|dublin|london|madrid|moscowmail|munich|nycmail|paris|rome|sanfranmail|singapore|tokyo|accountant|adexec|allergist|alumnidirector|archaeologist|chemist|clerk|columnist|comic|consultant|counsellor|deliveryman|diplomats|doctor|dr|engineer|execs|financier|geologist|graphic-designer|insurer|journalist|lawyer|legislator|lobbyist|minister|optician|pediatrician|presidency|priest|publicist|realtyagent|registerednurses|repairman|representative|rescueteam|scientist|sociologist|teacher|techietechnologist|umpire)\.com|(?:programmer|earthling|hairdresser)\.net|musician\.org) /i -#describe FAKE_HELO_MAIL_COM_DOM Relay HELO'd with suspicious hostname (mail.com) - - -# --------------------------------------------------------------------------- -# Interesting new feature; spamware HELO'ing, from a dialup IP addr, -# using that IP's rDNS entry. We can catch this easily. There aren't -# many legit mailservers calling themselves -# 'dhcp024-210-034-053.columbus.rr.com'. ;) -# -# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware -# connecting to a internal relay; if a mail came from a dynamic addr but -# was relayed through their smarthost, that's fine. - -# See bug #5856, all references of trusted were changed to internal - -# dhcp024-210-034-053.columbus.rr.com [24.210.34.53] -# c-66-176-16-108.se.client2.attbi.com [66.176.16.108] -# c-67-168-174-61.client.comcast.net [67.168.174.61] -# NNN-NNN-NNN-NNN.fibertel.com.ar -# NN.NN.NNN.NNN.ap.yournet.ne.jp -# NN.NNN.NN-NN.rev.gaoland.net -# vaise-1-82-67-44-166.fbx.proxad.net [82.67.44.166] -# lns-vlq-11-62-147-186-141.adsl.proxad.net [62.147.186.141] -# dsl-200-95-109-107.prod-infinitum.com.mx [200.95.109.107] -# port-212-202-77-203.reverse.qsc.de [212.202.77.203] -# pool-151-203-32-68.bos.east.verizon.net [151.203.32.68] -# c-67-164-133-216.client.comcast.net [67.164.133.216] -# 200-171-228-6.customer.telesp.net.br [200.171.228.6] -# modemcable090.28-201-24.mc.videotron.ca [24.201.28.90] -# 80-218-47-160.dclient.hispeed.ch [80.218.47.160] -# cdm-68-226-239-16.laft.cox-internet.com [68.226.239.16] -# d53-64-35-171.nap.wideopenwest.com [64.53.171.35] -# 74.67-201-80.adsl.skynet.be [80.201.67.74] -# 12-218-225-223.client.mchsi.com [12.218.225.223] -# (require an alpha first, as legit HELO'ing-as-IP-address is hit otherwise) -header __HELO_DYNAMIC_IPADDR X-Spam-Relays-External =~ /^[^\]]+ helo=(?![^\s\]]+[-.]static[-.])[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+ auth= /i -meta HELO_DYNAMIC_IPADDR (__HELO_DYNAMIC_IPADDR && !HELO_STATIC_HOST) -describe HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1) - -# dhcp024-210-034-053.columbus.rr.com [24.210.34.53] -# catv-506237d8.miskcatv.broadband.hu [80.98.55.216] -# node-c-8b22.a2000.nl -# cm89.omega139.maxonline.com.sg -# cm114.gamma208.maxonline.com.sg -header __HELO_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:(?<!smtp)(?<!a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i -meta HELO_DYNAMIC_DHCP (__HELO_DYNAMIC_DHCP && !HELO_STATIC_HOST) -describe HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP) - -# fia83-8.dsl.hccnet.nl [62.251.8.83] -# fia160-115-100.dsl.hccnet.nl [80.100.115.160] -header __HELO_DYNAMIC_HCC X-Spam-Relays-External =~ /^[^\]]+ helo=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\.[^\]]+ auth= /i -meta HELO_DYNAMIC_HCC (__HELO_DYNAMIC_HCC && !HELO_STATIC_HOST) -describe HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC) - -# h0002a5d76857.ne.client2.attbi.com [65.96.12.59] - -# CPE0004e2372711-CM000a73666706.cpe.net.cable.rogers.com -# CPE00e0184f0eba-CM014490118324.cpe.net.cable.rogers.com [24.43.109.140] -header HELO_DYNAMIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ helo=CPE\d+\S+\.rogers\.com[^\]]+ auth= /i -describe HELO_DYNAMIC_ROGERS Relay HELO'd using suspicious hostname (Rogers) - -# pD9E4F89F.dip.t-dialin.net [217.228.248.159] -header HELO_DYNAMIC_DIALIN X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z][A-F0-9]+\.dip\./ -describe HELO_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin) - -# 0xd5aaf40b.dhcp.kabelnettet.dk -# 0x50a46949.virnxx11.adsl-dhcp.tele.dk -header HELO_DYNAMIC_HEXIP X-Spam-Relays-External =~ /^[^\]]+ helo=0x[a-f0-9]{8}\./ -describe HELO_DYNAMIC_HEXIP Relay HELO'd using suspicious hostname (Hex IP) - -# 118.Red-80-35-201.pooles.rima-tde.net -header HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/ -describe HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP) - -# YahooBB219173000034.bbtec.net [219.173.0.34] - -# 10-35-124-91.pool.ukrtel.net [91.124.35.10] -# 89-215-186-91.2073241113.ddns-lan.rakovski.ekk.bg [217.18.240.147] -# 200.109.193-29.dyn.dsl.cantv.net [200.109.193.29] -# 113x35x70x11.ap113.ftth.ucom.ne.jp [113.35.70.11] -# 98x9x3p5siouq.kvknv3sv1quk.3ejp4xzv.com [213.250.20.156] -# 1.0/24.137.95.202.in-addr.arpa [202.95.137.1] -header __HELO_DYNAMIC_IPADDR2 X-Spam-Relays-External =~ /^[^\]]+ helo=(?![^\s\]]+[-.](?:static|mail|smtp|mx)\d*[-.])\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= /i -meta HELO_DYNAMIC_IPADDR2 (__HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP) -describe HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2) - -# h234n2fls32o895.telia.com [217.208.73.234] -# h53n2fls32o828.telia.com -# h116n2fls32o1111.telia.com -# h29n1fls306o1003.telia.com - -# CM-vina5-168-207.cm.vtr.net [200.104.168.207] -# CM-anto1-98-153.cm.vtr.net [200.104.98.153] - -# ec9z5l.cm.chello.no - -# g225174.upc-g.chello.nl -# a151145.upc-a.chello.nl -# a96134.upc-a.chello.nl -header HELO_DYNAMIC_CHELLO_NL X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z]\d+\.upc-[a-z]\.chello\.nl[^\]]+ auth= /i -describe HELO_DYNAMIC_CHELLO_NL Relay HELO'd using suspicious hostname (Chello.nl) - -# cp160000-a.mill1.nb.home.nl -# cp341468-b.venra1.lb.home.nl -header HELO_DYNAMIC_HOME_NL X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl[^]]+ auth= /i -describe HELO_DYNAMIC_HOME_NL Relay HELO'd using suspicious hostname (Home.nl) - diff --git a/resources/spamassassin/20_freemail.cf b/resources/spamassassin/20_freemail.cf deleted file mode 100644 index 63edef8c..00000000 --- a/resources/spamassassin/20_freemail.cf +++ /dev/null @@ -1,65 +0,0 @@ -# SpamAssassin - FreeMail rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - -body __freemail_safe_fwd /---\s?(?:(?:Forwarded|Original) message|Alkuper(?:\xe4|\xc3\xa4)inen viesti)/i -header __freemail_safe_rls X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.(?:tfbnw\.net|ebay\.com|tieto\.com) / -meta __freemail_safe __freemail_safe_fwd || __ML2 || __ML4 || __HAS_X_MAILING_LIST || __HAS_X_MAILMAN_VERSION || __freemail_safe_rls - -header __freemail_replyto eval:check_freemail_replyto('replyto') -meta FREEMAIL_REPLYTO __freemail_replyto && !__freemail_safe -describe FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails -score FREEMAIL_REPLYTO 2 - -header __freemail_reply eval:check_freemail_replyto('reply') -meta FREEMAIL_REPLY __freemail_reply && !__freemail_replyto && !__freemail_safe -describe FREEMAIL_REPLY From and body contain different freemails -score FREEMAIL_REPLY 0.5 - -header FREEMAIL_FROM eval:check_freemail_from() -describe FREEMAIL_FROM Sender email is commonly abused enduser mail provider -score FREEMAIL_FROM 0.001 - -header FREEMAIL_ENVFROM_END_DIGIT eval:check_freemail_header('EnvelopeFrom', '\d@') -describe FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit -score FREEMAIL_ENVFROM_END_DIGIT 0.1 - -header FREEMAIL_REPLYTO_END_DIGIT eval:check_freemail_header('Reply-To', '\d@') -describe FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit -score FREEMAIL_REPLYTO_END_DIGIT 0.1 - -#header FREEMAIL_SUBJECT eval:check_freemail_header('Subject') -#describe FREEMAIL_SUBJECT Subject contains freemail -#score FREEMAIL_SUBJECT 0.001 - -# Idea from John Hardin -header __freemail_hdr_replyto eval:check_freemail_header('Reply-To') -meta FREEMAIL_FORGED_REPLYTO __freemail_hdr_replyto && !FREEMAIL_FROM && !__freemail_safe -describe FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From -score FREEMAIL_FORGED_REPLYTO 0.1 - -endif - diff --git a/resources/spamassassin/20_freemail_domains.cf b/resources/spamassassin/20_freemail_domains.cf deleted file mode 100644 index 52cd505f..00000000 --- a/resources/spamassassin/20_freemail_domains.cf +++ /dev/null @@ -1,545 +0,0 @@ -# SpamAssassin - FreeMail domains file -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# List contains commonly abused end user mail providers -# "freemail" is solely used for label purposes. - -# weed out domains that already exist given a FILE of one domain per line: -# perl -lane 'if (@F and shift(@F) eq "freemail_domains") { -# for (@F) { s/\./\\./g; s/\?/./g; s/\*/[^.]*/g; print } -# }' rules/*.cf |grep -wvf- FILE - -# Updated 2016-08-18-axb - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - -# Initial import from old FreeMail.pm / 090428 -freemail_domains 020.co.uk 123.com 123box.net 123india.com 123mail.cl -freemail_domains 123mail.org 123qwe.co.uk 138mail.com 141.ro 150mail.com 150ml.com 16mail.com -freemail_domains 1963chevrolet.com 1963pontiac.com 1netdrive.com 1st-website.com 1stpd.net -freemail_domains 2-mail.com 20after4.com 21cn.com 24h.co.jp 24horas.com 271soundview.com -freemail_domains 2die4.com 2mydns.com 2net.us 3000.it 3ammagazine.com 3email.com 3xl.net -freemail_domains 444.net 4email.com 4email.net 4newyork.com 50mail.com 55mail.cc 5fm.za.com -freemail_domains 6210.hu 6sens.com 702mail.co.za 7110.hu 8848.net 8m.com 8m.net 8x.com.br 8u8.com 8u8.hk 8u8.tw -freemail_domains a-topmail.at about.com abv.bg acceso.or.cr access4less.net accessgcc.com -freemail_domains acmemail.net adiga.com adinet.com.uy -freemail_domains adres.nl advalvas.be aeiou.pt aeneasmail.com afrik.com -freemail_domains afropoets.com aggies.com ahaa.dk aichi.com aim.com airpost.net aiutamici.com -freemail_domains aklan.com aknet.kg alabama.usa.com alaska.usa.com alavatotal.com -freemail_domains albafind.com albawaba.com alburaq.net aldeax.com aldeax.com.ar alex4all.com aliyun.com -freemail_domains alexandria.cc algeria.com alice.it allmail.net -freemail_domains alskens.dk altavista.se altbox.org alternativagratis.com alum.com -freemail_domains alunos.unipar.br alvilag.hu amenworld.com america.hm -freemail_domains americamail.com amnetsal.com amorous.com ananzi.co.za anet.ne.jp anfmail.com -freemail_domains angelfire.com animail.net aniverse.com anjungcafe.com -freemail_domains another.com antedoonsub.com antwerpen.com anunciador.net anytimenow.com -freemail_domains aol.* aol.co*.* aon.at apexmail.com apollo.lv approvers.net aprava.com -freemail_domains apropo.ro arcor.de argentina.com -freemail_domains arizona.usa.com arkansas.usa.com armmail.com army.com arnet.com.ar aroma.com -freemail_domains arrl.net aruba.it asheville.com asia-links.com -freemail_domains asiamail.com assala.com assamesemail.com asurfer.com -freemail_domains atl.lv atlas.cz atlas.sk atozasia.com atreillou.com att.net *.att.ne.jp au.ru aubenin.com -freemail_domains aus-city.com aussiemail.com.au avasmail.com.mv axarnet.com -freemail_domains ayna.com azet.sk babbalu.com badgers.com bakpaka.com bakpaka.net -freemail_domains balochistan.org baluch.com bama-fan.com bancora.net bankersmail.com -freemail_domains barlick.net beeebank.com beehive.org -freemail_domains been-there.com beirut.com belizehome.com belizemail.net -freemail_domains belizeweb.com bellsouth.net berlin.de bestmail.us bflomail.com -freemail_domains bgnmail.com bharatmail.com big-orange.com bigboss.cz bigfoot.com bigger.com -freemail_domains bigmailbox.com bigmir.net bigstring.com bip.net bigpond.com -freemail_domains bitwiser.com biz.by bizhosting.com black-sea.ro blackburnmail.com -freemail_domains blackglobalnetwork.net blink182.net blue.devils.com bluebottle.com -freemail_domains bluemail.ch blumail.org blvds.com bol.com.br bolando.com -freemail_domains bollywood2000.com bollywoodz.com bombka.dyn.pl bonbon.net boom.com -freemail_domains bootmail.com bostonoffice.com box.az boxbg.com boxemail.com brain.com.pk -freemail_domains brasilia.net bravanese.com brazilmail.com.br breathe.com -freemail_domains brestonline.com brfree.com.br brujula.net btcc.org -freemail_domains buffaloes.com bulgaria.com bulldogs.com bumerang.ro burntmail.com -freemail_domains butch-femme.net buzy.com buzzjakkerz.com c-box.cz c3.hu c4.com cadinfo.net -freemail_domains calcfacil.com.br calcware.org california.usa.com -freemail_domains callnetuk.com camaroclubsweden.com canada-11.com canada.com canal21.com -freemail_domains canoemail.com caramail.com cardblvd.com care-mail.com care2.com caress.com -freemail_domains carioca.net cashette.com casino.com casinomail.com cataloniamail.com -freemail_domains catalunyamail.com cataz.com catcha.com catholic.org caths.co.uk -freemail_domains caxess.net cbrmail.com cc.lv cemelli.com centoper.it centralpets.com -freemail_domains centrum.cz centrum.sk centurylink.net cercaziende.it cgac.es chaiyo.com chaiyomail.com -freemail_domains chance2mail.com channelonetv.com charter.net chattown.com checkitmail.at -freemail_domains chelny.com cheshiremail.com chil-e.com chillimail.com -freemail_domains china.com christianmail.org ciaoweb.it cine.com ciphercom.net -freemail_domains circlemail.com cititrustbank1.cjb.net citromail.hu citynetusa.com ciudad.com.ar -freemail_domains claramail.com classicmail.co.za cliffhanger.com clix.pt -freemail_domains close2you.net cluemail.com clujnapoca.ro collegeclub.com -freemail_domains colombia.com colorado.usa.com comcast.net comfortable.com -freemail_domains compaqnet.fr compuserve.com computer.net computermail.net -freemail_domains computhouse.com conevyt.org.mx connect4free.net connecticut.usa.com -freemail_domains coolgoose.com coolkiwi.com coollist.com coxinet.net -freemail_domains coolmail.com coolmail.net coolsend.com cooltoad.com cooperation.net -freemail_domains copacabana.com copticmail.com corporateattorneys.com corporation.net -freemail_domains correios.net.br correomagico.com cosmo.com cosmosurf.net cougars.com -freemail_domains count.com countrybass.com couple.com criticalpath.net -freemail_domains critterpost.com crosspaths.net crosswinds.net cryingmail.com cs.com -freemail_domains csucsposta.hu cumbriamail.com curio-city.com custmail.com -freemail_domains cwazy.co.uk cwazy.net cww.de cyberaccess.com.pk -freemail_domains cybergirls.dk cyberguys.dk cybernet.it cymail.net -freemail_domains dabsol.net dada.net dadanet.it dailypioneer.com damuc.org.br -freemail_domains dansegulvet.com darkhorsefan.net data54.com davegracey.com dayzers.com -freemail_domains daum.net dbmail.com dcemail.com dcsi.net deacons.com deadlymob.org deal-maker.com -freemail_domains dearriba.com degoo.com delajaonline.org delaware.usa.com delfi.lv -freemail_domains delhimail.com demon.deacons.com desertonline.com -freemail_domains desidrivers.com deskpilot.com despammed.com detik.com devils.com dexara.net -freemail_domains dhmail.net di-ve.com didamail.com digitaltrue.com -freemail_domains direccion.com director-general.com diri.com discardmail.com -freemail_domains discoverymail.net disinfo.net djmillenium.com dmailman.com -freemail_domains dnsmadeeasy.com do.net.ar dodgeit.com dogmail.co.uk -freemail_domains doityourself.com domaindiscover.com domainmanager.com doneasy.com -freemail_domains dontexist.org dores.com dostmail.com dot5hosting.com dotcom.fr -freemail_domains dotnow.com dott.it doubt.com dplanet.ch dragoncon.net dragonfans.com -freemail_domains dropzone.com dserver.org dubaiwebcity.com dublin.ie dustdevil.com -freemail_domains dynamitemail.com dyndns.org e-apollo.lv e-hkma.com -freemail_domains e-mail.cz e-mail.ph e-mailanywhere.com e-milio.com e-tapaal.com e-webtec.com earthalliance.com -freemail_domains earthling.net eastmail.com eastrolog.com easy-pages.com easy.com -freemail_domains easyinfomail.co.za easypeasy.com echina.com ecn.org ecplaza.net eircom.net -freemail_domains edsamail.com.ph educacao.te.pt edumail.co.za eeism.com ego.co.th ekolay.net -freemail_domains elforotv.com.ar elitemail.org elsitio.com eltimon.com elvis.com -freemail_domains email.com.br email.cz email.bg email.it email.lu email.lviv.ua email.nu -freemail_domains email.ro email.si email2me.com emailacc.com emailaccount.com -freemail_domains emailaddresses.com emailchoice.com emailcorner.net emailn.de emailengine.net -freemail_domains emailengine.org emailgaul.com emailgroups.net emailhut.net emailpinoy.com -freemail_domains emailplanet.com emailplus.org emailuser.net ematic.com embarqmail.com -freemail_domains embroideryforums.com eml.cc emoka.ro emptymail.com enel.net enelpunto.net -freemail_domains england.com enterate.com.ar entryweb.it entusiastisk.com -freemail_domains enusmail.com epatra.com epix.net epomail.com epost.de eprompter.com eqqu.com -freemail_domains eramail.co.za eresmas.com eriga.lv ertelecom.ru esde-s.org esfera.cl estadao.com.br -freemail_domains etllao.com euromail.net euroseek.com -freemail_domains euskalmail.com evafan.com everyday.com.kh everymail.net everyone.net -freemail_domains excite.* excite.co*.* execs2k.com executivemail.co.za -freemail_domains expn.com ezilon.com ezrs.com f-m.fm facilmail.com fadrasha.net fadrasha.org -freemail_domains faithhighway.com faithmail.com familymailbox.com familyroll.com -freemail_domains familysafeweb.net fan.com fan.net faroweb.com fast-email.com fast-mail.org -freemail_domains fastem.com fastemail.us fastemailer.com fastermail.com fastest.cc -freemail_domains fastimap.com fastmail.* fastmail.co*.* fastmailbox.net -freemail_domains fastmessaging.com fastwebmail.it fawz.net fea.st federalcontractors.com -freemail_domains fedxmail.com feelings.com female.ru fepg.net ffanet.com fiberia.com -freemail_domains filipinolinks.com financesource.com findmail.com -freemail_domains fiscal.net flashmail.com flipcode.com florida.usa.com floridagators.com -freemail_domains fmail.co.uk fmailbox.com fmgirl.com fmguy.com fnmail.com footballer.com foxmail.com -freemail_domains forfree.at forsythmissouri.org fortuncity.com forum.dk free.com.pe free.fr -freemail_domains free.net.nz freeaccess.nl freegates.be freeghana.com freehosting.nl -freemail_domains freei.co.th freeler.nl freemail.* freemail.*.* freemail.globalsite.com.br -freemail_domains freemuslim.net freenet.de freenet.kg freeola.net freepgs.com freesbee.fr -freemail_domains freeservers.com freestart.hu freesurf.ch freesurf.fr -freemail_domains freesurf.nl freeuk.com freeuk.net freeweb.it freewebemail.com freeyellow.com -freemail_domains frisurf.no frontiernet.net fsmail.net fsnet.co.uk ftml.net fuelie.org -freemail_domains fun-greetings-jokes.com fun.21cn.com fusemail.com fut.es gala.net -freemail_domains galmail.co.za gamebox.net gamecocks.com gawab.com gay.com -freemail_domains gaymailbox.com gaza.net gazeta.pl gci.net gdi.net geeklife.com gemari.or.id -freemail_domains genxemail.com geopia.com georgia.usa.com getmail.no -freemail_domains ggaweb.ch giga4u.de gjk.dk glay.org glendale.net globalfree.it globomail.com -freemail_domains globalpinoy.com globalsite.com.br globalum.com globetrotter.net gmail.com -freemail_domains gmx.* go-bama.com go-cavs.com go-chargers.com go-dawgs.com go-gators.com -freemail_domains go-hogs.com go-irish.com go-spartans.com go-tigers.com go.aggies.com -freemail_domains go.air-force.com go.badgers.com go.big-orange.com go.blue.devils.com -freemail_domains go.buffaloes.com go.bulldogs.com go.com go.cougars.com go.dores.com -freemail_domains go.gamecocks.com go.huskies.com go.longhorns.com go.mustangs.com -freemail_domains go.rebels.com go.ro go.ru go.terrapins.com go.wildcats.com go.wolverines.com -freemail_domains go.yellow-jackets.com go2net.com go4.it gofree.co.uk golfemail.com -freemail_domains goliadtexas.com gomail.com.ua gonowmail.com gonuts4free.com googlemail.com -freemail_domains goplay.com gorontalo.net gotmail.com gotomy.com govzone.com grad.com -freemail_domains graffiti.net gratisweb.com gtechnics.com -freemail_domains guate.net guessmail.com gwalla.com h-mail.us haberx.com hailmail.net -freemail_domains halejob.com hamptonroads.com handbag.com hanmail.net happemail.com -freemail_domains happycounsel.com hawaii.com hawaii.usa.com hayahaya.tg hedgeai.com -freemail_domains heesun.net heremail.com hetnet.nl highveldmail.co.za hildebrands.de -freemail_domains hingis.org hispavista.com hitmanrecords.com hockeyghiaccio.com -freemail_domains hockeymail.com holapuravida.com home.no.net home.ro home.se homelocator.com -freemail_domains homemail.co.za homenetmail.com homestead.com homosexual.net hongkong.com hong-kong-1.com -freemail_domains hopthu.com hosanna.net hot.ee hotbot.com hotbox.ru hotcoolmail.com hotdak.com -freemail_domains hotfire.net hotinbox.com hotmail.* hotmail.co*.* -freemail_domains hotpop.com hotvoice.com hour.com howling.com huhmail.com -freemail_domains humour.com hurra.de hush.ai hush.com hushmail.com huskies.com -freemail_domains hutchcity.com i-france.com i-p.com i12.com i2828.com ibatam.com ibest.com.br -freemail_domains ibizdns.com icafe.com ice.is icestorm.com icloud.com icq.com icqmail.com icrazy.com -freemail_domains id.ru idaho.usa.com idirect.com idncafe.com ieg.com.br iespalomeras.net -freemail_domains iespana.es ifrance.com ig.com.br ignazio.it illinois.usa.com ilse.net -freemail_domains ilse.nl imail.ru imailbox.com imap-mail.com imap.cc imapmail.org imel.org -freemail_domains in-box.net inbox.com inbox.ge inbox.lv inbox.net inbox.ru in.com -freemail_domains incamail.com indexa.fr india.com indiamail.com indiana.usa.com -freemail_domains indiatimes.com induquimica.org inet.com.ua infinito.it infoapex.com -freemail_domains infohq.com infomail.es infomart.or.jp infosat.net infovia.com.ar inicia.es -freemail_domains inmail.sk inmail24.com inoutbox.com -freemail_domains intelnet.net.gt intelnett.com interblod.com -freemail_domains interfree.it interia.pl interlap.com.ar intermail.hu internet-e-mail.com -freemail_domains internet-mail.org internet.lu internetegypt.com internetemails.net -freemail_domains internetmailing.net inwind.it iobox.com iobox.fi iol.it iol.pt iowa.usa.com -freemail_domains ip3.com ipermitmail.com iqemail.com iquebec.com iran.com irangate.net -freemail_domains iscool.net islandmama.com ismart.net isonews2.com isonfire.com isp9.net -freemail_domains ispey.com itelgua.com itloox.com itmom.com -freemail_domains ivenus.com iwan-fals.com iwon.com ixp.net japan.com jaydemail.com -freemail_domains jedrzejow.pl jetemail.net jingjo.net jippii.fi jmail.co.za jojomail.com -freemail_domains jovem.te.pt joymail.com jubii.dk jubiipost.dk jumpy.it -freemail_domains juno.com justemail.net justmailz.com k.ro kaazoo.com kabissa.org kaixo.com -freemail_domains kalluritimes.com kalpoint.com kansas.usa.com katamail.com kataweb.it -freemail_domains kayafmmail.co.za keko.com.ar kentucky.usa.com keptprivate.com -freemail_domains kimo.com kiwitown.com klik.it klikni.cz kmtn.ru koko.com kolozsvar.ro kombud.com -freemail_domains koreanmail.com kotaksuratku.info krunis.com kukamail.com -freemail_domains kuronowish.com kyokodate.com kyokofukada.net ladymail.cz lagoon.nc -freemail_domains lahaonline.com lamalla.net lancsmail.com land.ru laposte.net latinmail.com -freemail_domains lawyer.com lawyersmail.com lawyerzone.com lebanonatlas.com leehom.net -freemail_domains leonardo.it leonlai.net letsjam.com letterbox.org -freemail_domains letterboxes.org levele.com lexpress.net libero.it liberomail.com -freemail_domains libertysurf.net libre.net lightwines.org linkmaster.com linuxfreemail.com -freemail_domains lionsfan.com.au live.* livedoor.com llandudno.com -freemail_domains llangollen.com lmxmail.sk loggain.net loggain.nu lolnetwork.net -freemail_domains london.com longhorns.com look.com looksmart.co.uk looksmart.com -freemail_domains looksmart.com.au loteria.net lotonazo.com louisiana.usa.com louiskoo.com -freemail_domains loveable.com lovemail.com lovingjesus.com lpemail.com luckymail.com luso.pt -freemail_domains lusoweb.pt luukku.com lycos.* lycos.co*.* lycosmail.com mac.com -freemail_domains machinecandy.com macmail.com mad.scientist.com madcrazy.com -freemail_domains madonno.com madrid.com mag2.com magicmail.co.za magik-net.com mail-atlas.net -freemail_domains mail-awu.de mail-box.cz mail.by mail-center.com mail-central.com mail-jp.org -freemail_domains mail-online.dk mail-page.com mail-x-change.com mail.austria.com mail.az -freemail_domains mail.de mail.be mail.bg mail.bulgaria.com mail.co.za mail.dk mail.ee -freemail_domains mail.goo.ne.jp mail.gr mail.lawguru.com mail.md mail.mn mail.org mail.pf -freemail_domains mail.pt mail.ru mail.yahoo.co.jp mail15.com mail2*.com mail3000.com mail333.com -freemail_domains mail8.com mailandftp.com mailandnews.com mailas.com mailasia.com mailbg.com -freemail_domains mailblocks.com mailbolt.com mailbox.as mailbox.co.za mailbox.gr mailbox.hu -freemail_domains mailbox.sk mailc.net mailcan.com mailcircuit.com mailclub.fr mailclub.net -freemail_domains maildozy.com mailfly.com mailforce.net mailftp.com mailglobal.net -freemail_domains mailhaven.com mailinator.com mailingaddress.org mailingweb.com mailisent.com -freemail_domains mailite.com mailme.dk mailmight.com mailmij.nl mailnew.com mailops.com -freemail_domains mailpanda.com mailpersonal.com mailroom.com mailru.com mails.de mailsent.net -freemail_domains mailserver.dk mailservice.ms mailsnare.net mailsurf.com mailup.net -freemail_domains mailvault.com mailworks.org maine.usa.com majorana.martina-franca.ta.it -freemail_domains maktoob.com malayalamtelevision.net malayalapathram.com male.ru manager.de -freemail_domains manlymail.net mantrafreenet.com mantramail.com mantraonline.com -freemail_domains marihuana.ro marijuana.nl marketweighton.com maryland.usa.com -freemail_domains masrawy.com massachusetts.usa.com mauimail.com mbox.com.au mcrmail.com me.by me.com -freemail_domains medicinatv.com meetingmall.com megamail.pt menara.ma merseymail.com mesra.net -freemail_domains messagez.com metacrawler.com mexico.com miaoweb.net -freemail_domains michigan.usa.com micro2media.com miesto.sk mighty.co.za milacamn.net -freemail_domains milmail.com mindless.com mindviz.com minnesota.usa.com -freemail_domains mississippi.usa.com missouri.usa.com mixmail.com ml1.net ml2clan.com -freemail_domains mlanime.com mm.st mmail.com mobimail.mn mobsters.com mobstop.com -freemail_domains modemnet.net modomail.com moldova.com moldovacc.com monarchy.com -freemail_domains montana.usa.com montevideo.com.uy moomia.com moose-mail.com mosaicfx.com -freemail_domains motormania.com movemail.com mr.outblaze.com mrspender.com -freemail_domains ms*.hinet.net mscold.com msn.com msn.co.uk msnzone.cn mundo-r.com -freemail_domains muslimsonline.com mustangs.com mxs.de myblue.cc mycabin.com mycity.com mycommail.com -freemail_domains mycool.com mydomain.com myeweb.com myfastmail.com myfunnymail.com mygrande.net mykolab.com -freemail_domains mygamingconsoles.com myiris.com myjazzmail.com mymacmail.com mymail.dk -freemail_domains mymail.ph.inter.net mymail.ro mynet.com mynet.com.tr myotw.net myopera.com -freemail_domains myownemail.com mypersonalemail.com myplace.com myrealbox.com -freemail_domains myspace.com myt.mu myway.com mzgchaos.de n2.com n2business.com n2mail.com -freemail_domains n2software.com nabble.com name.com nameplanet.com nanamail.co.il -freemail_domains nanaseaikawa.com nandomail.com naseej.com nastything.com national-champs.com -freemail_domains nativeweb.net narod.ru nate.com naveganas.com naver.com nebraska.usa.com nemra1.com nenter.com -freemail_domains nerdshack.com nervhq.org net.hr net4b.pt net4jesus.com net4you.at -freemail_domains netbounce.com netcabo.pt netcape.net netcourrier.com netexecutive.com -freemail_domains netfirms.com netkushi.com netmongol.com netpiper.com netposta.net -freemail_domains netscape.com netscape.net netscapeonline.co.uk netsquare.com nettaxi.com -freemail_domains netti.fi networld.com netzero.com netzero.net neustreet.com nevada.usa.com -freemail_domains newhampshire.usa.com newjersey.usa.com newmail.com newmail.net -freemail_domains newmail.ok.com newmail.ru newmexico.usa.com newspaperemail.com newyork.com -freemail_domains newyork.usa.com newyorkcity.com nfmail.com nicegal.com nightimeuk.com -freemail_domains nightly.com nightmail.com nightmail.ru noavar.com noemail.com nonomail.com nokiamail.com -freemail_domains noolhar.com northcarolina.usa.com northdakota.usa.com -freemail_domains nospammail.net nowzer.com ny.com nyc.com nz11.com -freemail_domains nzoomail.com o2.pl oceanfree.net ocsnet.net oddpost.com odeon.pl -freemail_domains odmail.com offshorewebmail.com ofir.dk ohio.usa.com oicexchange.com ok.ru -freemail_domains oklahoma.usa.com ole.com oleco.net olympist.net omaninfo.com onatoo.com -freemail_domains ondikoi.com onebox.com onenet.com.ar onet.pl ongc.net oninet.pt online.ie -freemail_domains online.ru onlinewiz.com onobox.com open.by openbg.com openforyou.com -freemail_domains opentransfer.com operamail.com oplusnet.com orange.fr orangehome.co.uk orange.es orange.jo orange.pl -freemail_domains orbitel.bg orcon.net.nz oregon.usa.com oreka.com organizer.net orgio.net -freemail_domains orthodox.com osite.com.br oso.com ourbrisbane.com ournet.md -freemail_domains ourprofile.net ourwest.com outgun.com outlook.* ownmail.net oxfoot.com ozu.es -freemail_domains pacer.com paginasamarillas.com -freemail_domains pakistanmail.com pandawa.com pando.com pandora.be paris.com parsimail.com -freemail_domains parspage.com patmail.com pattayacitythailand.com pc4me.us pcpostal.com -freemail_domains penguinmaster.com pennsylvania.usa.com peoplepc.com peopleweb.com -freemail_domains personal.ro personales.com peru.com petml.com -freemail_domains phreaker.net pigeonportal.com pilu.com pimagop.com -freemail_domains pinoymail.com pipni.cz pisem.net planet-school.de planetaccess.com -freemail_domains planetout.com plasa.com playersodds.com playful.com pluno.com -freemail_domains plusmail.com.br pmail.net pnetmail.co.za pobox.ru pobox.sk pochtamt.ru pochta.ru -freemail_domains poczta.fm poetic.com pogowave.com polbox.com -freemail_domains pop3.ru pop.co.th popmail.com poppymail.com popsmail.com popstar.com portafree.com -freemail_domains portaldosalunos.com portugalmail.com portugalmail.pt post.cz -freemail_domains post.expart.ne.jp post.pl post.sk posta.ge postaccesslite.com postiloota.net -freemail_domains postinbox.com postino.ch postino.it postmaster.co.uk postpro.net praize.com -freemail_domains press.co.jp primposta.com printesamargareta.ro -freemail_domains private.21cn.com probemail.com profesional.com profession.freemail.com.br -freemail_domains proinbox.com promessage.com prontomail.com protonmail.com protonmail.ch -freemail_domains provincial.net publicaccounting.com punkass.com puppy.com.my -freemail_domains q.com qatar.io qlmail.com qq.com qrio.com qsl.net qudsmail.com queerplaces.com quepasa.com -freemail_domains quick.cz quickwebmail.com r-o-o-t.com r320.hu raakim.com rbcmail.ru racingseat.com -freemail_domains radicalz.com radiojobbank.com ragingbull.com -freemail_domains raisingadaughter.com rallye-webmail.com rambler.ru ranmamail.com ravearena.com -freemail_domains ravemail.co.za razormail.com real.ro realemail.net reallyfast.biz -freemail_domains reallyfast.info rebels.com recife.net recme.net -freemail_domains rediffmail.com rediffmailpro.com redseven.de redwhitearmy.com -freemail_domains relia.com -freemail_domains revenue.com rexian.com rhodeisland.usa.com -freemail_domains ritmes.net rn.com roanokemail.com rochester-mail.com rock.com rocketmail.com -freemail_domains rockfan.com rockinghamgateway.com rojname.com rol.ro -freemail_domains rollin.com rome.com romymichele.com royal.net rpharmacist.com rt.nl ru.ru -freemail_domains rushpost.com russiamail.com rxpost.net s-mail.com saabnet.com -freemail_domains sacbeemail.com sacmail.com safe-mail.net safe-mailbox.com -freemail_domains saigonnet.vn saint-mike.org -freemail_domains samilan.net sandiego.com sanook.com sanriotown.com -freemail_domains sapibon.com sapo.pt saturnfans.com sayhi.net sbcglobal.com scfn.net -freemail_domains schweiz.org sci.fi sciaga.pl -freemail_domains scrapbookscrapbook.com seapole.com search417.com seark.com sebil.com -freemail_domains secretservices.net secure-jlnet.com seductive.com sendmail.ru -freemail_domains sendme.cz sent.as sent.at sent.com serga.com.ar sermix.com server4free.de -freemail_domains serverwench.com sesmail.com sexmagnet.com seznam.cz shadango.com she.com -freemail_domains shuf.com siamlocalhost.com siamnow.net sify.com sinamail.com singapore.com -freemail_domains singmail.com singnet.com.sg siraj.org sirindia.com sirunet.com sister.com sina.com sina.cn sinanail.com -freemail_domains sistersbrothers.com sizzling.com slamdunkfan.com slickriffs.co.uk -freemail_domains slingshot.com slo.net slomusic.net smartemail.co.uk smtp.ru snail-mail.net -freemail_domains sndt.net sneakemail.com snoopymail.com snowboarding.com -freemail_domains so-simple.org socamail.com softhome.net sohu.com -freemail_domains sol.dk solidmail.com soon.com sos.lv soundvillage.org -freemail_domains southcarolina.usa.com southdakota.usa.com space.com spacetowns.com -freemail_domains spamex.com spartapiet.com speed-racer.com speedpost.net -freemail_domains speedymail.org spils.com spinfinder.com sportemail.com spray.net spray.no -freemail_domains spray.se spymac.com srbbs.com srilankan.net ssan.com ssl-mail.com stade.fr -freemail_domains stalag13.com stampmail.com starbuzz.com starline.ee starmail.com -freemail_domains starmail.org starmedia.com starspath.com start.com.au start.no stribmail.com -freemail_domains strompost.* student.com student.ednet.ns.ca studmail.com sudanmail.net -freemail_domains suisse.org sunbella.net sunmail1.com sunpoint.net sunrise.ch -freemail_domains sunumail.sn sunuweb.net suomi24.fi superdada.it supereva.com supereva.it -freemail_domains supermailbox.com superposta.com surf3.net surfassistant.com surfsupnet.net -freemail_domains surfy.net surimail.com surnet.cl sverige.nu svizzera.org -freemail_domains sweb.cz swift-mail.com swissinfo.org -freemail_domains swissmail.net switzerland.org syom.com syriamail.com t-mail.com t-net.net.ve -freemail_domains t2mail.com tabasheer.com talk21.com talkcity.com tangmonkey.com tatanova.com -freemail_domains taxcutadvice.com techemail.com technisamail.co.za -freemail_domains teenmail.co.uk teenmail.co.za tejary.com telebot.com telefonica.net -freemail_domains telegraf.by teleline.es telinco.net telkom.net telpage.net telstra.com telenet.be -freemail_domains telusplanet.net tempting.com tenchiclub.com tennessee.usa.com -freemail_domains terrapins.com texas.usa.com texascrossroads.com tfz.net thai.com -freemail_domains thaimail.com thaimail.net the-fastest.net the-quickest.com thegame.com -freemail_domains theinternetemail.com theoffice.net thepostmaster.net -freemail_domains theracetrack.com theserverbiz.com thewatercooler.com -freemail_domains thewebpros.co.uk thinkpost.net thirdage.com thundermail.com tim.it -freemail_domains timemail.com tin.it tinati.net tiscali.* tiscali.co*.* tiscalinet.it -freemail_domains tjohoo.se tkcity.com tlcfan.com tlen.pl tmicha.net todito.com todoperros.com -freemail_domains tokyo.com topchat.com topmail.com.ar topmail.dk topmail.co.ie topmail.co.in topmail.co.nz topmail.co.uk topmail.co.za -freemail_domains topsurf.com toquedequeda.com torba.com torchmail.com -freemail_domains totalmail.com totalsurf.com totonline.net tough.com toughguy.net trav.se -freemail_domains trevas.net tripod-mail.com triton.net trmailbox.com tsamail.co.za -freemail_domains turbonett.com turkey.com tvnet.lv twc.com typemail.com u2club.com uae.ac -freemail_domains ubbi.com ubbi.com.br uboot.com ugeek.com uk2.net uk2net.com ukr.net -freemail_domains ukrpost.net ukrpost.ua uku.co.uk ulimit.com ummah.org unbounded.com -freemail_domains unicum.de unimail.mn unitedemailsystems.com universal.pt -freemail_domains universia.cl universia.edu.ve universia.es universia.net.co universia.net.mx -freemail_domains universia.pr universia.pt universiabrasil.net unofree.it uol.com.ar -freemail_domains uol.com.br uole.com uolmail.com uomail.com uraniomail.com urbi.com.br -freemail_domains ureach.com usanetmail.com userbeam.com utah.usa.com -freemail_domains uyuyuy.com v-sexi.com v3mail.com vegetarisme.be velnet.com velocall.com -freemail_domains vercorreo.com verizonmail.com vermont.usa.com verticalheaven.com -freemail_domains veryfast.biz veryspeedy.net vfemail.net vietmedia.com vip.gr virgilio.it -freemail_domains virgin.net virginia.usa.com virtual-mail.com visitmail.com visto.com -freemail_domains vivelared.com vjtimail.com vnn.vn vsnl.com vsnl.net vodamail.co.za voila.fr volkermord.com vosforums.com vodafone.* -freemail_domains w.cn walla.com walla.co.il wallet.com wam.co.za wanex.ge wap.hu -freemail_domains wapda.com wapicode.com wappi.com warpmail.net washington.usa.com wassup.com -freemail_domains waterloo.com waumail.com wazmail.com wearab.net web-mail.com.ar web.de -freemail_domains web.nl web2mail.com webaddressbook.com webbworks.com webcity.ca webdream.com -freemail_domains webemaillist.com webindia123.com webinfo.fi webjump.com webl-3.br.inter.net -freemail_domains webmail.co.yu webmail.co.za webmails.com webmailv.com webpim.cc -freemail_domains webspawner.com webstation.com websurfer.co.za webtopmail.com webtribe.net -freemail_domains webtv.net weedmail.com weekonline.com weirdness.com westvirginia.usa.com -freemail_domains whale-mail.com whipmail.com who.net whoever.com wildcats.com wildmail.com -freemail_domains williams.net.ar winning.com winningteam.com winwinhosting.com -freemail_domains wisconsin.usa.com witelcom.com witty.com wolverines.com wooow.it -freemail_domains workmail.co.za worldcrossing.com worldemail.com worldmedic.com -freemail_domains worldonline.de wowmail.com wp.pl wprost.pl wrongmail.com -freemail_domains wtonetwork.com wurtele.net www.com www.consulcredit.it wyoming.usa.com -freemail_domains x-mail.net xasa.com xemail.* xfreehosting.com xmail.net xmsg.com xnmsn.cn xoom.com xtra.co.nz xuite.net -freemail_domains xpectmore.com xrea.com xsmail.com xzapmail.com y7mail.com yahala.co.il -freemail_domains yaho.com yahoo.* yahoo.co*.* yalla.com.lb -freemail_domains ya.com yeah.net ya.ru yahoomail.com -freemail_domains yam.com yamal.info yandex.* yapost.com yawmail.com yebox.com yehey.com -freemail_domains yellow-jackets.com yellowstone.net yenimail.com yepmail.net yifan.net -freemail_domains ymail.com yopmail.com your-mail.com yours.com yourwap.com yyhmail.com z11.com z6.com -freemail_domains zednet.co.uk zeeman.nl ziplip.com zipmail.com.br zipmax.com -freemail_domains zmail.pt zmail.ru zona-andina.net zonai.com zoneview.net zonnet.nl -freemail_domains zoho.com zoomshare.com zoznam.sk zubee.com zuvio.com zwallet.com zworg.com -freemail_domains zybermail.com zzn.com - -# chinese numbers -freemail_domains 126.com 139.com 163.com 188.com 189.cn 263.net 9.cn - -# Vips -freemail_domains vip.126.com vip.163.com vip.188.com -freemail_domains vip.sina.com vip.sohu.com vip.sohu.net vip.tom.com vip.qq.com vipsohu.net - -# Bug 6903 - powered by VFEmail - 2013-02-19-AXB -freemail_domains clovermail.net mail-on.us chewiemail.com offcolormail.com powdermail.com tightmail.com toothandmail.com tushmail.com -freemail_domains openmail.cc expressmail.dk - -# Bug 6903 - powered by 5x2 Online 2013-02-19-AXB -freemail_domains 4xn.de 5x2.de 5x2.me aufdrogen.de auf-steroide.de -freemail_domains besser-als-du.de brainsurfer.de chillaxer.de cyberkriminell.de -freemail_domains danneben.so freemailen.de freemailn.de ist-der-mann.de -freemail_domains ist-der-wahnsinn.de ist-echt.so istecht.so ist-genialer.de -freemail_domains ist-schlauer.de ist-supersexy.de kann.so mag-spam.net -freemail_domains mega-schlau.de muss.so nerd4life.de ohne-drogen-gehts.net -freemail_domains on-steroids.de scheint.so staatsterrorist.de super-gerissen.de -freemail_domains unendlich-schlau.de vip-client.de will-keinen-spam.de -freemail_domains zu-geil.de - -# Bug 6903 - powered by Runbox - paid service, but offers 30 day free trial - 2013-02-19-AXB -freemail_domains runbox.* -freemail_domains rbox.me rbox.co - -freemail_domains tunome.com - -freemail_domains acatperson.com adogperson.com all4theskins.com -freemail_domains allsportsrock.com alwaysgrilling.com alwaysinthekitchen.com -freemail_domains alwayswatchingmovies.com alwayswatchingtv.com asylum.com -freemail_domains basketball-email.com beabookworm.com beagolfer.com beahealthnut.com -freemail_domains believeinliberty.com bestcoolcars.com bestjobcandidate.com besure2vote.com -freemail_domains bigtimecatperson.com bigtimedogperson.com bigtimereader.com -freemail_domains bigtimesportsfan.com blackvoices.com capsfanatic.com capshockeyfan.com -freemail_domains capsred.com car-nut.net cat-person.com catpeoplerule.com chat-with-me.com -freemail_domains cheatasrule.com crazy4baseball.com crazy4homeimprovement.com crazy4mail.com -freemail_domains crazyaboutfilms.net crazycarfan.com crazyforemail.com crazymoviefan.com -freemail_domains descriptivemail.com differentmail.com dog-person.com dogpeoplerule.com -freemail_domains easydoesit.com expertrenovator.com expressivemail.com fanaticos.com -freemail_domains fanofbooks.com fanofcomputers.com fanofcooking.com fanoftheweb.com -freemail_domains fieldmail.com fleetmail.com focusedonprofits.com focusedonreturns.com -freemail_domains futboladdict.com games.com getintobooks.com hail2theskins.com hitthepuck.com -freemail_domains i-dig-movies.com i-love-restaurants.com idigcomputers.com -freemail_domains idigelectronics.com idigvideos.com ilike2helpothers.com ilike2invest.com -freemail_domains ilike2workout.com ilikeelectronics.com ilikeworkingout.com -freemail_domains ilovehomeprojects.com iloveourteam.com iloveworkingout.com in2autos.net -freemail_domains interestedinthejob.com intomotors.com iwatchrealitytv.com lemondrop.com -freemail_domains love2exercise.com love2workout.com lovefantasysports.com lovetoexercise.com -freemail_domains luvfishing.com luvgolfing.com luvsoccer.com -freemail_domains mail4me.com majorgolfer.com majorshopaholic.com majortechie.com mcom.com -freemail_domains motor-nut.com moviefan.com mycapitalsmail.com mycatiscool.com -freemail_domains myfantasyteamrules.com myteamisbest.com netbusiness.com news-fanatic.com -freemail_domains newspaperfan.com onlinevideosrock.com realbookfan.com realhealthnut.com -freemail_domains realitytvaddict.net realitytvnut.com reallyintomusic.com realtravelfan.com -freemail_domains redskinscheer.com redskinsfamily.com redskinsfancentral.com redskinshog.com -freemail_domains redskinsrule.com redskinsspecialteams.com redskinsultimatefan.com -freemail_domains scoutmail.com skins4life.com stargate2.com stargateatlantis.com -freemail_domains stargatefanclub.com stargatesg1.com stargateu.com switched.com -freemail_domains t-online.de thegamefanatic.com total-techie.com totalfoodnut.com -freemail_domains totally-into-cooking.com totallyintobaseball.com totallyintobasketball.com -freemail_domains totallyintocooking.com totallyintofootball.com totallyintogolf.com -freemail_domains totallyintohockey.com totallyintomusic.com totallyintoreading.com -freemail_domains totallyintosports.com totallyintotravel.com totalmoviefan.com -freemail_domains travel2newplaces.com tvchannelsurfer.com ultimateredskinsfan.com -freemail_domains videogamesrock.com volunteeringisawesome.com wayintocomputers.com -freemail_domains whatmail.com when.com wild4music.com wildaboutelectronics.com -freemail_domains workingaroundthehouse.com workingonthehouse.com writesoon.com xmasmail.com - -# irq.ir / 091030 - -freemail_domains arab.ir denmark.ir egypt.ir icq.ir ir.ae iraq.ir ire.ir ireland.ir irr.ir -freemail_domains jpg.ir ksa.ir kuwait.ir london.ir paltalk.ir spain.ir sweden.ir tokyo.ir - - -# scraped http://www.zemskov.net/free-email-domains.html 2013-10-18-khopesh - -# bigmailbox.com -freemail_domains 111mail.com 123iran.com 37.com 420email.com 4degreez.com -freemail_domains 4-music-today.com actingbiz.com allhiphop.com anatomicrock.com -freemail_domains animeone.com asiancutes.com a-teens.net ausi.com autoindia.com -freemail_domains autopm.com barriolife.com b-boy.com beautifulboy.com bgay.com -freemail_domains bicycledata.com bicycling.com bigheavyworld.com bigmailbox.net -freemail_domains bikerheaven.net bikermail.com billssite.com -freemail_domains blackandchristian.com blackcity.net blackvault.com bmxtrix.com -freemail_domains boarderzone.com boatnerd.com bolbox.com bongmail.com bowl.com -freemail_domains butch-femme.org byke.com calle22.com cannabismail.com -freemail_domains catlovers.com certifiedbitches.com championboxing.com -freemail_domains chatway.com chillymail.com classprod.com classycouples.com -freemail_domains congiu.net coolshit.com corpusmail.com cyberunlimited.org -freemail_domains cycledata.com darkfear.com darkforces.com dirtythird.com -freemail_domains dopefiends.com draac.com drakmail.net dr-dre.com dreamstop.com -freemail_domains egypt.net emailfast.com envirocitizen.com escapeartist.com -freemail_domains ezsweeps.com famous.as farts.com feelingnaughty.com -freemail_domains firemyst.com freeonline.com fudge.com funkytimes.com -freemail_domains gamerssolution.com gazabo.net glittergrrrls.com goatrance.com -freemail_domains goddess.com gohip.com gospelcity.com gothicgirl.com -freemail_domains grapemail.net greatautos.org guy.com haitisurf.com -freemail_domains happyhippo.com hateinthebox.com houseofhorrors.com hugkiss.com -freemail_domains hullnumber.com idunno4recipes.com ihatenetscape.com -freemail_domains intimatefire.com irow.com jazzemail.com juanitabynum.com -freemail_domains kanoodle.com kickboxing.com kidrock.com kinkyemail.com -freemail_domains kool-things.com latinabarbie.com latinogreeks.com leesville.com -freemail_domains loveemail.com lowrider.com lucky7lotto.net madeniggaz.net -freemail_domains mailbomb.com marillion.net megarave.com mofa.com motley.com -freemail_domains music.com musician.net musicsites.com netbroadcaster.com -freemail_domains netfingers.com net-surf.com nocharge.com operationivy.com -freemail_domains paidoffers.net pcbee.com persian.com petrofind.com -freemail_domains phunkybitches.com pikaguam.com pinkcity.net pitbullmail.com -freemail_domains planetsmeg.com poop.com poormail.com potsmokersnet.com -freemail_domains primetap.com project420.com prolife.net puertoricowow.com -freemail_domains puppetweb.com rapstar.com rapworld.com rastamall.com ratedx.net -freemail_domains ravermail.com relapsecult.com remixer.com rockeros.com -freemail_domains romance106fm.com singalongcenter.com sketchyfriends.com -freemail_domains slayerized.com smartstocks.com soulja-beatz.org -freemail_domains specialoperations.com speedymail.net spells.com -freemail_domains streetracing.com subspacemail.com sugarray.com -freemail_domains superbikeclub.com superintendents.net surfguiden.com -freemail_domains sweetwishes.com tattoodesign.com teamster.net teenchatnow.com -freemail_domains the5thquarter.com theblackmarket.com tombstone.ws troamail.org -freemail_domains u2tours.com vitalogy.org whatisthis.com wrestlezone.com -# gawab.com -freemail_domains abha.cc agadir.cc ahsa.ws ajman.cc ajman.us ajman.ws albaha.cc -freemail_domains algerie.cc alriyadh.cc amman.cc aqaba.cc arar.ws aswan.cc -freemail_domains baalbeck.cc bahraini.cc banha.cc bizerte.cc blida.info -freemail_domains buraydah.cc cameroon.cc dhahran.cc dhofar.cc djibouti.cc -freemail_domains dominican.cc eritrea.cc falasteen.cc fujairah.cc fujairah.us -freemail_domains fujairah.ws gabes.cc gafsa.cc giza.cc guinea.cc hamra.cc -freemail_domains hasakah.com hebron.tv homs.cc ibra.cc irbid.ws ismailia.cc -freemail_domains jadida.cc jadida.org jerash.cc jizan.cc jouf.cc kairouan.cc -freemail_domains karak.cc khaimah.cc khartoum.cc khobar.cc kuwaiti.tv -freemail_domains kyrgyzstan.cc latakia.cc lebanese.cc lubnan.cc lubnan.ws -freemail_domains madinah.cc maghreb.cc manama.cc mansoura.tv marrakesh.cc -freemail_domains mascara.ws meknes.cc muscat.tv muscat.ws nabeul.cc nabeul.info -freemail_domains nablus.cc nador.cc najaf.cc omani.ws omdurman.cc oran.cc -freemail_domains oued.info oued.org oujda.biz oujda.cc pakistani.ws palmyra.cc -freemail_domains palmyra.ws portsaid.cc qassem.cc quds.cc rabat.cc rafah.cc -freemail_domains ramallah.cc safat.biz safat.info safat.us safat.ws salalah.cc -freemail_domains salmiya.biz sanaa.cc seeb.cc sfax.ws sharm.cc sinai.cc siria.cc -freemail_domains sousse.cc sudanese.cc suez.cc tabouk.cc tajikistan.cc -freemail_domains tangiers.cc tanta.cc tayef.cc tetouan.cc timor.cc tunisian.cc -freemail_domains urdun.cc yanbo.cc yemeni.cc yunus.cc zagazig.cc zambia.cc -# other -freemail_domains 5005.lv a.org.ua bmx.lv company.org.ua coolmail.ru dino.lv -freemail_domains eclub.lv e-mail.am fit.lv hacker.am human.lv iphon.biz -freemail_domains latchess.com loveis.lv lv-inter.net pookmail.com sexriga.lv - -# Microsoft's new service 2013-10-18-khopesh -freemail_domains *.onmicrosoft.com - - -endif - diff --git a/resources/spamassassin/20_freemail_mailcom_domains.cf b/resources/spamassassin/20_freemail_mailcom_domains.cf deleted file mode 100644 index 0d946ec0..00000000 --- a/resources/spamassassin/20_freemail_mailcom_domains.cf +++ /dev/null @@ -1,60 +0,0 @@ -# SpamAssassin - Mail.com Freemail domains file -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# List contains commonly abused end user mail providers -# "freemail" is solely used for label purposes. - -# This dedicated list contains domains provided by mail.com - -# Updated 2014-09-17-axb - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - -freemail_domains accountant.com acdcfan.com activist.com adexec.com africamail.com aircraftmail.com allergist.com alumni.com alumnidirector.com angelic.com appraiser.net archaeologist.com arcticmail.com artlover.com asia-mail.com asia.com atheist.com auctioneer.net australiamail.com -freemail_domains bartender.net bellair.net berlin.com bikerider.com birdlover.com blader.com boardermail.com brazilmail.com brew-master.com brew-meister.com bsdmail.com -freemail_domains californiamail.com cash4u.com catlover.com cheerful.com chef.net chemist.com chinamail.com clerk.com clubmember.org collector.org columnist.com comic.com computer4u.com consultant.com contractor.net coolsite.net counsellor.com cutey.com cyber-wizard.com cyberdude.com cybergal.com cyberservices.com -freemail_domains dallasmail.com dbzmail.com deliveryman.com diplomats.com disciples.com discofan.com disposable.com doctor.com doglover.com doramail.com dr.com dublin.com dutchmail.com -freemail_domains elvisfan.com email.com engineer.com englandmail.com europe.com europemail.com execs.com -freemail_domains fastservice.com financier.com fireman.net -freemail_domains galaxyhit.com gardener.com geologist.com germanymail.com graduate.org graphic-designer.com greenmail.net groupmail.com -freemail_domains hackermail.com hairdresser.net hilarious.com hiphopfan.com homemail.com hot-shot.com housemail.com humanoid.net -freemail_domains iname.acom iname.com innocent.com inorbit.com instruction.com instructor.net insurer.com irelandmail.com israelmail.com italymail.com -freemail_domains job4u.com journalist.com -freemail_domains keromail.com kissfans.com kittymail.com koreamail.com -freemail_domains legislator.com linuxmail.org lobbyist.com lovecat.com -freemail_domains madonnafan.com mail-me.com mail.com marchmail.com metalfan.com mexicomail.com minister.com moscowmail.com munich.com musician.org muslim.com myself.com -freemail_domains net-shopping.com ninfan.com nonpartisan.com null.net nycmail.com -freemail_domains oath.com optician.com orthodontist.net -freemail_domains pacific-ocean.com pacificwest.com pediatrician.com petlover.com photographer.net physicist.net planetmail.com planetmail.net polandmail.com politician.com post.com presidency.com priest.com programmer.net protestant.com publicist.com -freemail_domains qualityservice.com -freemail_domains radiologist.net ravemail.com realtyagent.com reborn.com reggaefan.com registerednurses.com reincarnate.com religious.com repairman.com representative.com rescueteam.com rocketship.com -freemail_domains safrica.com saintly.com salesperson.net samerica.com sanfranmail.com scientist.com scotlandmail.com secretary.net snakebite.com socialworker.net sociologist.com solution4u.com songwriter.net spainmail.com surgical.net swedenmail.com swissmail.com -freemail_domains teachers.org tech-center.com techie.com technologist.com theplate.com therapist.net toke.com toothfairy.com torontomail.com tvstar.com -freemail_domains umpire.com usa.com uymail.com -freemail_domains webname.com worker.com workmail.com writeme.com - -endif - - diff --git a/resources/spamassassin/20_head_tests.cf b/resources/spamassassin/20_head_tests.cf deleted file mode 100644 index d68f0f6f..00000000 --- a/resources/spamassassin/20_head_tests.cf +++ /dev/null @@ -1,614 +0,0 @@ -# SpamAssassin rules file: header tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -########################################################################### - -# partial messages; currently-theoretical attack -# unsurprisingly this hits 0/0 right now. -header FRAGMENTED_MESSAGE Content-Type =~ /\bmessage\/partial/i -describe FRAGMENTED_MESSAGE Partial message -tflags FRAGMENTED_MESSAGE userconf - -########################################################################### - -header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i -describe FROM_BLANK_NAME From: contains empty name - -########################################################################### -# numeric address rules, these are written to avoid overlap with each other - -header __FROM_ENDS_IN_NUMS From:addr =~ /\D\d{8,}\@/i - -header FROM_STARTS_WITH_NUMS From:addr =~ /^\d{3,50}[^0-9\@]/ -describe FROM_STARTS_WITH_NUMS From: starts with several numbers - -# don't match US/Canada phone numbers: 10 digits optionally preceded by a "1" -header __FROM_ALL_NUMS From:addr =~ /^(?:\d{1,9}|[02-9]\d{10}|\d{12,})@/ - -########################################################################### - -header FROM_OFFERS From:addr =~ /\@\S*offers(?![eo]n\b)/i -describe FROM_OFFERS From address is "at something-offers" - -header FROM_NO_USER From =~ /(?:^\@|<\@| \@[^\)<]*$|<>)/ [if-unset: unset@unset.unset] -describe FROM_NO_USER From: has no local-part before @ sign - -# also 100% valid -# bug 6149: avoid common .jp false positives -header __PLING_QUERY Subject =~ /\?.*!|!.*\?/ -meta PLING_QUERY (__PLING_QUERY && !__ISO_2022_JP_DELIM) -describe PLING_QUERY Subject has exclamation mark and question mark - - - - -header MSGID_SPAM_CAPS Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/ -describe MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant) - -header MSGID_SPAM_LETTERS Message-Id =~ /<[a-z]{5,}\@(\S+\.)+\S+>/ -describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant) - - - -# negative lookahead exempts this MUA from circa 1997-2000 -# X-Mailer: Microsoft Outlook Express 4.71.1712.3 -# Message-ID: <01bd45da$2649cdc0$LocalHost@andrew> -header __MSGID_DOLLARS_OK MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/ -header __MSGID_DOLLARS_MAYBE MESSAGEID =~ /<\w{4,}\$\w{4,}\$(?!localhost)\w{4,}\@\S+>/i -meta MSGID_DOLLARS_RANDOM __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK - -# bit of a ratware rule, but catches a bit more than just the one ratware -header __MSGID_RANDY Message-ID =~ /<[a-z\d][a-z\d\$-]{10,29}[a-z\d]\@[a-z\d][a-z\d.]{3,12}[a-z\d]>/ -# heuristic to eliminate most good Message-ID formats -header __MSGID_OK_HEX Message-ID =~ /\b[a-f\d]{8}\b/ -header __MSGID_OK_DIGITS Message-ID =~ /\d{10}/ -header __MSGID_OK_HOST Message-ID =~ /\@(?:\D{2,}|(?:\d{1,3}\.){3}\d{1,3})>/ -meta MSGID_RANDY (__MSGID_RANDY && !(__MSGID_OK_HEX || __MSGID_OK_DIGITS || __MSGID_OK_HOST)) -describe MSGID_RANDY Message-Id has pattern used in spam - -# bug 3395 -header MSGID_YAHOO_CAPS Message-ID =~ /<[A-Z]+\@yahoo.com>/ -describe MSGID_YAHOO_CAPS Message-ID has ALLCAPS@yahoo.com - -########################################################################### - -header __AT_AOL_MSGID MESSAGEID =~ /\@aol\.com\b/i -header __FROM_AOL_COM From =~ /\@aol\.com\b/i -meta FORGED_MSGID_AOL (__AT_AOL_MSGID && !__FROM_AOL_COM) -describe FORGED_MSGID_AOL Message-ID is forged, (aol.com) - -header __AT_EXCITE_MSGID MESSAGEID =~ /\@excite\.com\b/i -header __MY_RCVD_EXCITE Received =~ /\.excite\.com\b/i -meta FORGED_MSGID_EXCITE (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE) -describe FORGED_MSGID_EXCITE Message-ID is forged, (excite.com) - -header __AT_HOTMAIL_MSGID MESSAGEID =~ /\@hotmail\.com\b/i -header __FROM_HOTMAIL_COM From =~ /\@hotmail\.com\b/i -meta FORGED_MSGID_HOTMAIL (__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM)) -describe FORGED_MSGID_HOTMAIL Message-ID is forged, (hotmail.com) - -header __AT_MSN_MSGID MESSAGEID =~ /\@msn\.com\b/i -header __FROM_MSN_COM From =~ /\@msn\.com\b/i -meta FORGED_MSGID_MSN (__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM)) -describe FORGED_MSGID_MSN Message-ID is forged, (msn.com) - -header __AT_YAHOO_MSGID MESSAGEID =~ /\@yahoo\.com\b/i -header __FROM_YAHOO_COM From =~ /\@yahoo\.com\b/i -meta FORGED_MSGID_YAHOO (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM) -describe FORGED_MSGID_YAHOO Message-ID is forged, (yahoo.com) - -########################################################################### - -header __MSGID_BEFORE_RECEIVED ALL =~ /^Message-Id:.*?^Received:/msi -header __MSGID_BEFORE_OKAY Message-Id =~ /\@[a-z0-9.-]+\.(?:yahoo|wanadoo)(?:\.[a-z]{2,3}){1,2}>/ - -meta MSGID_FROM_MTA_HEADER (__MSGID_BEFORE_RECEIVED && !__MSGID_BEFORE_OKAY && !__FROM_HOTMAIL_COM) -describe MSGID_FROM_MTA_HEADER Message-Id was added by a relay - - - -header MSGID_SHORT MESSAGEID =~ /^.{1,15}$|<.{0,4}\@/ -describe MSGID_SHORT Message-ID is unusually short - -#DEMOTED TO SANDBOX - 2012-03-21 -#header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/ -#describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters - -########################################################################### - -header DATE_SPAMWARE_Y2K Date =~ /^[A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} [0-6]\d \d\d:\d\d:\d\d [A-Z]{3}$/ -describe DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting - -# as noted on the dev@ list, ":60" is valid for seconds when there's a leap -# second (12/31/2005 for instance), so let's accept that as valid. ISO 8601 -# apparently allows for it. -# there were a few whitespace issues in the original RE, and I wanted to avoid my -# two common, but yes invalid, date headers. specifically / \(GMT\)$/ and -# / 0000 GMT$/. dos has / "GMT"$/ - tvd -# 2.229 2.7267 0.0517 0.981 0.86 0.00 INVALID_DATE -# 2.263 2.7486 0.1368 0.953 0.78 0.00 INVALID_DATE_OLD -# -# WRT the tests, remember that ok and fail are reversed -- so valid dates -# should be "fail" and invalid dates should be "ok". -header INVALID_DATE Date !~ /^\s*(?:(?i:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s)?\s*(?:[12]\d|3[01]|0?[1-9])\s+(?i:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\s+(?:19[7-9]\d|2\d{3})\s+(?:[01]?\d|2[0-3])\:[0-5]\d(?::(?:[0-5]\d|60))?(?:\s+[AP]M)?(?:\s+(?:[+-][0-9]{4}|UT|[A-Z]{2,3}T|0000 GMT|"GMT"))?(?:\s*\(.*\))?\s*$/ [if-unset: Wed, 31 Jul 2002 16:41:57 +0200] -describe INVALID_DATE Invalid Date: header (not RFC 2822) -test INVALID_DATE fail Sat, 31 Dec 2005 23:59:60 -0500 -test INVALID_DATE fail Wed, 31 Jul 2002 16:41:57 +0200 -test INVALID_DATE fail Sat, 31 Dec 2005 23:00:00 -test INVALID_DATE ok Sat, 31 Dec 2005 24:00:00 -0500 -test INVALID_DATE ok Thurs, 31 Jul 2002 16:41:57 +0200 - -# allow +1300, NZ timezone -header INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}$/ -describe INVALID_DATE_TZ_ABSURD Invalid Date: header (timezone does not exist) - -header INVALID_TZ_CST ALL =~ /[+-]\d\d[30]0(?<!-0600|-0500|\+0800|\+0930|\+1030)\s+(?:\bCST\b|\(CST\))/ -describe INVALID_TZ_CST Invalid date in header (wrong CST timezone) - -header INVALID_TZ_EST ALL =~ /[+-]\d\d[30]0(?<!-0500|-0300|\+1000|\+1100)\s+(?:\bEST\b|\(EST\))/ -describe INVALID_TZ_EST Invalid date in header (wrong EST timezone) - - -########################################################################### -# MIME encoding with spam characteristics - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval -meta __SUBJECT_NEEDS_MIME __SUBJ_ILLEGAL_CHARS -endif - -header __SUBJECT_ENCODED_QP Subject:raw =~ /=\?\S+\?Q\?/i -header __SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i - - - -header __FROM_NEEDS_MIME From:name:raw =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/ -header __FROM_NEEDS_MIME2 From:name =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/ -header __FROM_ENCODED_QP From:raw =~ /=\?\S+\?Q\?/i -header __FROM_ENCODED_B64 From:raw =~ /=\?\S+\?B\?/i - - -meta FROM_EXCESS_BASE64 __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME2 -describe FROM_EXCESS_BASE64 From: base64 encoded unnecessarily - - -########################################################################### -# ADV tags in various languages - -header ENGLISH_UCE_SUBJECT Subject =~ /^[^0-9a-z]*adv(?:ert)?\b/i -describe ENGLISH_UCE_SUBJECT Subject contains an English UCE tag - -# alan premselaar <alien@12inch.com>, see SpamAssassin-talk list 2003-03 -# quinlan: 2003-03-23 here are more generic Japanese iso-2022-jp codes -# ("not yet acceptance" or "email") + "announcement" -# FWIW, according to Peter Evans, this should be sufficient to catch the -# UCE tag and a common attempt at evasion (using the "sue" instead of -# "mi" Chinese character). 2006-10-12: updated by bug 4021. -header JAPANESE_UCE_SUBJECT Subject =~ /\e\$B.*(?:L\$>5Bz|EE;R%a!<%k)(?:8x|9-)9p/ -describe JAPANESE_UCE_SUBJECT Subject contains a Japanese UCE tag - -# check body for "shou nin daku kou koku" UCE tag (bug 4021) -body __JAPANESE_UCE_BODY /(?:L\$>5Bz|EE;R%a!<%k)(?:8x|9-)9p/ - -meta JAPANESE_UCE_BODY (__ISO_2022_JP_DELIM && __JAPANESE_UCE_BODY) -describe JAPANESE_UCE_BODY Body contains Japanese UCE tag - -# quinlan: "advertisement" in Russian KOI8-R -# (no longer common, but worth noting in future) -#header RUSSIAN_UCE_SUBJECT Subject =~ /\xf0\xe5\xea\xeb\xe0\xec\xf3/ -#describe RUSSIAN_UCE_SUBJECT Subject contains a Russian UCE tag - -# Korean UCE Subject: lines are usually 8-bit, but are occasionally encoded -# with quoted-printable or base64. -# -# \xbc\xba\xc0\xce means "adult" -# \xb1\xa4\xb0\xed means "advertisement" -# \xc1\xa4\xba\xb8 means "information" -# \xc8\xab\xba\xb8 means "publicity" -# -# Each two byte sequence is one Korean letter; the spaces and periods are -# sometimes used to obscure the words. \xb1\xa4\xb0\xed is the most common -# tag and is sometimes very obscured so we look harder. -# -header KOREAN_UCE_SUBJECT Subject =~ /[({[<][. ]*(?-i:\xbc\xba[. ]*\xc0\xce[. ]*)?(?-i:\xb1\xa4(?:[. ]*|[\x00-\x7f]{0,3})\xb0\xed|\xc1\xa4[. ]*\xba\xb8|\xc8\xab[. ]*\xba\xb8)[. ]*[)}\]>]/ -describe KOREAN_UCE_SUBJECT Subject: contains Korean unsolicited email tag - -########################################################################### - -# two reliable signatures -header __DOUBLE_IP_SPAM_1 Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with/ -header __DOUBLE_IP_SPAM_2 Received =~ /from\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+by\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};/ -# loose match -header __DOUBLE_IP_LOOSE Received =~ /(?:\b(?:from|by)\b.{1,4}\b\d{1,3}[._-]\d{1,3}[._-]\d{1,3}[._-]\d{1,3}(?<!127\.0\.0\.1)\b.{0,4}){2}/i -# spam signature -meta RCVD_DOUBLE_IP_SPAM (__DOUBLE_IP_SPAM_1 || __DOUBLE_IP_SPAM_2) -describe RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found -# other matches -meta RCVD_DOUBLE_IP_LOOSE (__DOUBLE_IP_LOOSE && !RCVD_DOUBLE_IP_SPAM) -describe RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses - -header FORGED_TELESP_RCVD Received =~ /\.(?!br).. \(\d+-\d+-\d+-\d+\.dsl\.telesp\.net\.br / -describe FORGED_TELESP_RCVD Contains forged hostname for a DSL IP in Brazil - -# forgery meta-rules: more reliable than their inputs -meta CONFIRMED_FORGED (__FORGED_RCVD_TRAIL && (__FORGED_AOL_RCVD || __FORGED_HOTMAIL_RCVD || __FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || __FORGED_JUNO_RCVD || FORGED_GMAIL_RCVD)) -describe CONFIRMED_FORGED Received headers are forged - -meta MULTI_FORGED ((__FORGED_AOL_RCVD + __FORGED_HOTMAIL_RCVD + __FORGED_EUDORAMAIL_RCVD + FORGED_YAHOO_RCVD + __FORGED_JUNO_RCVD + FORGED_GMAIL_RCVD) > 1) -describe MULTI_FORGED Received headers indicate multiple forgeries - -header NONEXISTENT_CHARSET Content-Type =~ /charset=.?DEFAULT/ -describe NONEXISTENT_CHARSET Character set doesn't exist - -header __HAS_MESSAGE_ID exists:Message-Id -priority __HAS_MESSAGE_ID -2000 # Bug 8078 -meta MISSING_MID !__HAS_MESSAGE_ID -describe MISSING_MID Missing Message-Id: header - -header __HAS_DATE exists:Date -priority __HAS_DATE -2000 # Bug 8078 -meta MISSING_DATE !__HAS_DATE -describe MISSING_DATE Missing Date: header - -header __HAS_SUBJECT exists:Subject -priority __HAS_SUBJECT -2000 # Bug 8078 -meta MISSING_SUBJECT !__HAS_SUBJECT -describe MISSING_SUBJECT Missing Subject: header - -# bug 6353 -header __HAS_FROM exists:From -priority __HAS_FROM -2000 # Bug 8078 -meta MISSING_FROM !__HAS_FROM -describe MISSING_FROM Missing From: header - -# bug 6149: avoid common .jp false positives -header __GAPPY_SUBJECT Subject =~ /\b(?:[a-z]([-_. =~\/:,*!\@\#\$\%\^&+;\"\'<>\\])\1{0,2}){4}/i -meta GAPPY_SUBJECT (__GAPPY_SUBJECT && !__ISO_2022_JP_DELIM) -describe GAPPY_SUBJECT Subject: contains G.a.p.p.y-T.e.x.t - -### header existence tests (description is added automatically) - -# X-Fix example: NTMail fixed non RFC822 compliant EMail message -# -# X-PMFLAGS is all caps -# -# Headers that seem to only be used by a single spamming software and -# are found together in the same message: -# 1. X-MailingID and X-ServerHost -# 2. X-Stormpost-To and X-List-Unsubscribe -# -# not spammish: X-EM-Registration, X-EM-Version, X-Antiabuse, X-List-Host, -# X-Message-Id -# bad FP rate: Comment, Date-warning - -header PREVENT_NONDELIVERY exists:Prevent-NonDelivery-Report -describe PREVENT_NONDELIVERY Message has Prevent-NonDelivery-Report header - -header X_IP exists:X-IP -describe X_IP Message has X-IP header - -header __HAS_MIMEOLE exists:X-MimeOLE -header __HAS_MSMAIL_PRI exists:X-MSMail-Priority -header __HAS_SQUIRRELMAIL_IN_MAILER X-Mailer =~ /SquirrelMail\b/ -# Ever growing Office version list without X-MimeOLE, bug 6346, 7122, 7463. -header __HAS_OFFICE1214_IN_MAILER X-Mailer =~ /^Microsoft (?:Office )?Outlook 1[2456]\.0/ -# CGP MAPI module fingerprint, to protect from MISSING_MIMEOLE -header __HAS_CGP_MAPI_IN_MAILER X-Mailer =~ /CommuniGate Pro MAPI/ -meta MISSING_MIMEOLE (__HAS_MSMAIL_PRI && !__HAS_MIMEOLE && !__HAS_SQUIRRELMAIL_IN_MAILER && !__HAS_OFFICE1214_IN_MAILER && !__HAS_CGP_MAPI_IN_MAILER && !__HDR_RCVD_TONLINEDE && !__MIME_BASE64 && !__DKIM_EXISTS) -describe MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE - -header __HAS_X_MAILER exists:X-Mailer - -header __IS_EXCH X-MimeOLE =~ /Produced By Microsoft Exchange V/ - -header SUBJ_AS_SEEN Subject =~ /\bAs Seen/i -describe SUBJ_AS_SEEN Subject contains "As Seen" - -header SUBJ_DOLLARS Subject =~ /^\$[0-9.,]+\b/ -describe SUBJ_DOLLARS Subject starts with dollar amount - - - - - - -#DISABLING DUE TO POOR S/O 2012-09-27 -#header SUBJ_YOUR_DEBT Subject =~ /Your (?:Bills|Debt|Credit)/i -#describe SUBJ_YOUR_DEBT Subject contains "Your Bills" or similar - -header SUBJ_YOUR_FAMILY Subject =~ /Your Family/i -describe SUBJ_YOUR_FAMILY Subject contains "Your Family" - - -# the real services never HELO as 'foo.com', instead 'mail.foo.com' or -# something like that. Note: be careful when expanding this... legit dotcom -# HELOers include: hotmail.com, drizzle.com, lockergnome.com. -header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m -describe RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname - -header SUBJECT_DIET Subject =~ /\bLose .*(?:pounds|lbs|weight)/i -describe SUBJECT_DIET Subject talks about losing pounds - - -# MIME boundary tests; spam tools use distinctive patterns. -header MIME_BOUND_DD_DIGITS Content-Type =~ /boundary=\"--\d+\"/ -describe MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary -header MIME_BOUND_DIGITS_15 Content-Type =~ /boundary=\"\d{15,}\"/ -describe MIME_BOUND_DIGITS_15 Spam tool pattern in MIME boundary -header MIME_BOUND_MANY_HEX Content-Type =~ /boundary="[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}"/ -describe MIME_BOUND_MANY_HEX Spam tool pattern in MIME boundary - -# note: the first alternation is anchored for speed -header TO_MALFORMED To !~ /(?:^|[^\S"])(?:(?:\"[^\"]+\"|\S+)\@\S+\.\S+|^\s*.+:\s*;|^\s*\"[^\"]+\":\s*;|^\s*\([^\)]*\)\s*$|<\S+(?:\!\S+){1,}>|^\s*$)/ [if-unset: unset@unset.unset] -describe TO_MALFORMED To: has a malformed address - -header __CD exists:Content-Disposition -header __CT exists:Content-Type -header __CTE exists:Content-Transfer-Encoding -header __MIME_VERSION exists:MIME-Version -header __CT_TEXT_PLAIN Content-Type =~ /^text\/plain\b/i -meta MIME_HEADER_CTYPE_ONLY (!__CD && !__CTE && __CT && !__MIME_VERSION && !__CT_TEXT_PLAIN) -describe MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers - -header WITH_LC_SMTP Received =~ /\swith\ssmtp;\s/ -describe WITH_LC_SMTP Received line contains spam-sign (lowercase smtp) - - -header SUBJ_BUY Subject =~ /^buy/i -describe SUBJ_BUY Subject line starts with Buy or Buying - -# seems to be ratware -header RCVD_AM_PM Received =~ /; [A-Z][a-z][a-z], \d{1,2} \d{4} \d{1,2}:\d\d:\d\d [AP]M [+-]\d{4}/ -describe RCVD_AM_PM Received headers forged (AM/PM) - -header __USER_AGENT_MSN X-Mailer =~ /^MSN Explorer / - -# host no longer exists according to administrator -header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/ -describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com' - - -# thanks to David Ritz for passing this on -header UNCLOSED_BRACKET ALL =~ /\[\d+\r?\n/s -describe UNCLOSED_BRACKET Headers contain an unclosed bracket - -header FROM_DOMAIN_NOVOWEL From =~ /\@\S*[bcdfgjklmnpqrstvwxz]{7}/i -describe FROM_DOMAIN_NOVOWEL From: domain has series of non-vowel letters -tflags FROM_DOMAIN_NOVOWEL userconf # lock scores low - -header FROM_LOCAL_NOVOWEL From =~ /[bcdfgjklmnpqrstvwxz]{7}\S*\@/i -describe FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters -tflags FROM_LOCAL_NOVOWEL userconf # lock scores low - -header FROM_LOCAL_HEX From =~ /[0-9a-f]{11}\S*\@/i -describe FROM_LOCAL_HEX From: localpart has long hexadecimal sequence - -header FROM_LOCAL_DIGITS From =~ /\d{11}\S*\@/i -describe FROM_LOCAL_DIGITS From: localpart has long digit sequence - -header __TOCC_EXISTS exists:ToCc - -header X_PRIORITY_CC ALL =~ /^X-Priority:[^\n]{0,80}^Cc:/msi -describe X_PRIORITY_CC Cc: after X-Priority: (bulk email fingerprint) - -# catch non-RFC2047 compliant messages -# Apple Mail has a bug where headers will have whitespace around the encoded -# text, so try to ignore that -header BAD_ENC_HEADER ALL:raw =~ /=\?[^?\s]+\?[^?\s]\?\s*[^?]+\s(?!\?=)/ -describe BAD_ENC_HEADER Message has bad MIME encoding in the header - - -header __ML1 Precedence =~ m{\b(list|bulk)\b}i -meta __ML2 __HAS_LIST_ID -header __ML3 exists:List-Post -header __ML4 exists:Mailing-List -header __ML5 Return-Path:addr =~ m{^([^\@]+-(request|bounces|admin|owner)|owner-[^\@]+)(\@|\z)}i -meta __VIA_ML __ML1 || __ML2 || __ML3 || __ML4 || __ML5 -describe __VIA_ML Mail from a mailing list - - -# some clueless mailing lists (like zmailer with an RFC822TABS option on) -# are replacing a leading space by a TAB in header fields From, To, -# Cc, Date (Bug 6429) -header __ML_TURNS_SP_TO_TAB Received =~ /\(ORCPT <rfc822;/ -describe __ML_TURNS_SP_TO_TAB A mailing list changing a space to a TAB - - -# must keep it in sync with https://www.iana.org/assignments/ipv4-address-space/ -header RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )(?:(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\.|(?:\d+\.){0,3}(?!(?:2(?:[0-4]\d|5[0-5])|[01]?\d\d?)\b))/ -describe RCVD_ILLEGAL_IP Received: contains illegal IP address - - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -header __FORGED_AOL_RCVD eval:check_for_fake_aol_relay_in_rcvd() - -header CHARSET_FARAWAY_HEADER eval:check_for_faraway_charset_in_headers() -describe CHARSET_FARAWAY_HEADER A foreign language charset used in headers -tflags CHARSET_FARAWAY_HEADER userconf - - ################################################################### - -# illegal characters that should be MIME encoded -# might want to exempt users using languages that don't use Latin -# alphabets, but do it in the eval - -# Will FP without 4.0 and UTF-8 support -if (version >= 4.000000) - header __SUBJ_ILLEGAL_CHARS eval:check_illegal_chars('Subject','0.00','2') - meta SUBJ_ILLEGAL_CHARS (__SUBJ_ILLEGAL_CHARS && !__FROM_YAHOO_COM) - header FROM_ILLEGAL_CHARS eval:check_illegal_chars('From','0.20','2') - header __HEAD_ILLEGAL_CHARS eval:check_illegal_chars('ALL','0.010','2') - meta HEAD_ILLEGAL_CHARS __HEAD_ILLEGAL_CHARS && !__SUBJ_ILLEGAL_CHARS && !FROM_ILLEGAL_CHARS -endif -if (version < 4.000000) - meta __SUBJ_ILLEGAL_CHARS 0 - meta SUBJ_ILLEGAL_CHARS 0 - meta FROM_ILLEGAL_CHARS 0 - meta __HEAD_ILLEGAL_CHARS 0 - meta HEAD_ILLEGAL_CHARS 0 -endif - -describe SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters -describe FROM_ILLEGAL_CHARS From: has too many raw illegal characters -describe HEAD_ILLEGAL_CHARS Headers have too many raw illegal characters - - ################################################################### - -# a forged Hotmail message; host HELO'd as hotmail.com, but it wasn't -header __FORGED_HOTMAIL_RCVD eval:check_for_forged_hotmail_received_headers() - -# this, by comparison is more common: from was @hotmail.com, but it wasn't -header FORGED_HOTMAIL_RCVD2 eval:check_for_no_hotmail_received_headers() -describe FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:' - -header __FORGED_EUDORAMAIL_RCVD eval:check_for_forged_eudoramail_received_headers() - -header FORGED_YAHOO_RCVD eval:check_for_forged_yahoo_received_headers() -describe FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers - -if (version >= 3.004002) -header FORGED_GMAIL_RCVD eval:check_for_forged_gmail_received_headers() -describe FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers -endif - -header __FORGED_JUNO_RCVD eval:check_for_forged_juno_received_headers() - - - -header SORTED_RECIPS eval:sorted_recipients() -describe SORTED_RECIPS Recipient list is sorted by address - -header SUSPICIOUS_RECIPS eval:similar_recipients('0.65','undef') -describe SUSPICIOUS_RECIPS Similar addresses in recipient list - -# this is a quite common false positive, as it's legal to remove a To but leave -# a CC. so don't score it high. -header MISSING_HEADERS eval:check_for_missing_to_header() -describe MISSING_HEADERS Missing To: header - -header DATE_IN_PAST_03_06 eval:check_for_shifted_date('-6', '-3') -describe DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date - -header DATE_IN_PAST_06_12 eval:check_for_shifted_date('-12', '-6') -describe DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date - -header DATE_IN_PAST_12_24 eval:check_for_shifted_date('-24', '-12') -describe DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date - -header DATE_IN_PAST_24_48 eval:check_for_shifted_date('-48', '-24') -describe DATE_IN_PAST_24_48 Date: is 24 to 48 hours before Received: date - - -header DATE_IN_PAST_96_XX eval:check_for_shifted_date('undef', '-96') -describe DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date - -header DATE_IN_FUTURE_03_06 eval:check_for_shifted_date('3', '6') -describe DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date - -header DATE_IN_FUTURE_06_12 eval:check_for_shifted_date('6', '12') -describe DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date - -header DATE_IN_FUTURE_12_24 eval:check_for_shifted_date('12', '24') -describe DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date - -header DATE_IN_FUTURE_24_48 eval:check_for_shifted_date('24', '48') -describe DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after Received: date - -header DATE_IN_FUTURE_48_96 eval:check_for_shifted_date('48', '96') -describe DATE_IN_FUTURE_48_96 Date: is 48 to 96 hours after Received: date - -#header DATE_IN_FUTURE_96_XX eval:check_for_shifted_date('96', 'undef') -meta DATE_IN_FUTURE_96_XX (0) -describe DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date - -header UNRESOLVED_TEMPLATE eval:check_unresolved_template() -describe UNRESOLVED_TEMPLATE Headers contain an unresolved template - -header SUBJ_ALL_CAPS eval:subject_is_all_caps() -describe SUBJ_ALL_CAPS Subject is all capitals - - -header LOCALPART_IN_SUBJECT eval:check_for_to_in_subject('user') -describe LOCALPART_IN_SUBJECT Local part of To: address appears in Subject - -header MSGID_OUTLOOK_INVALID eval:check_outlook_message_id() -describe MSGID_OUTLOOK_INVALID Message-Id is fake (in Outlook Express format) - -header HEADER_COUNT_CTYPE eval:check_header_count_range('Content-Type','2','999') -describe HEADER_COUNT_CTYPE Multiple Content-Type headers found - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -# this is also mostly-theoretical, so allow 0 hits -header HEAD_LONG eval:check_msg_parse_flags('truncated_header') -describe HEAD_LONG Message headers are very long -tflags HEAD_LONG userconf - -header MISSING_HB_SEP eval:check_msg_parse_flags('missing_head_body_separator') -describe MISSING_HB_SEP Missing blank line between message header and body -tflags MISSING_HB_SEP userconf - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::RelayEval - -header __UNPARSEABLE_RELAY_COUNT eval:check_relays_unparseable() -tflags __UNPARSEABLE_RELAY_COUNT userconf - -meta UNPARSEABLE_RELAY (__UNPARSEABLE_RELAY_COUNT >= 1) -tflags UNPARSEABLE_RELAY userconf -describe UNPARSEABLE_RELAY Informational: message has unparseable relay lines - - -header RCVD_HELO_IP_MISMATCH eval:helo_ip_mismatch() -describe RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should - -# not used directly right now due to FPs; but CONFIRMED_FORGED turns it -# into a 1.0 S/O rule anyway, so that's not a problem ;) -# 2.626 3.6340 1.5251 0.704 0.34 1.44 FORGED_RCVD_TRAIL -# 0.956 3.3890 0.0000 1.000 0.98 4.30 CONFIRMED_FORGED -header __FORGED_RCVD_TRAIL eval:check_for_forged_received_trail() - -header NO_RDNS_DOTCOM_HELO eval:check_for_no_rdns_dotcom_helo() -describe NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS - -endif - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -header __ENV_AND_HDR_FROM_MATCH eval:check_for_matching_env_and_hdr_from() - -endif - diff --git a/resources/spamassassin/20_html_tests.cf b/resources/spamassassin/20_html_tests.cf deleted file mode 100644 index d6aa9c46..00000000 --- a/resources/spamassassin/20_html_tests.cf +++ /dev/null @@ -1,239 +0,0 @@ -# SpamAssassin rules file: HTML tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -# HTML parser tests -# -# please sort these by eval type then name - -meta HTML_SHORT_LINK_IMG_1 __HTML_LENGTH_0000_1024 && __HTML_LINK_IMAGE -meta HTML_SHORT_LINK_IMG_2 __HTML_LENGTH_1024_1536 && __HTML_LINK_IMAGE -meta HTML_SHORT_LINK_IMG_3 __HTML_LENGTH_1536_2048 && __HTML_LINK_IMAGE -describe HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image -describe HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image -describe HTML_SHORT_LINK_IMG_3 HTML is very short with a linked image - - -meta HTML_SHORT_CENTER (__HTML_LENGTH_384 && __TAG_EXISTS_CENTER) -describe HTML_SHORT_CENTER HTML is very short with CENTER tag - - -meta HTML_TITLE_SUBJ_DIFF __HTML_TITLE_SUBJ_DIFF && !__MIME_ATTACHMENT - -meta HTML_CHARSET_FARAWAY (__HTML_CHARSET_FARAWAY && __HIGHBITS) -describe HTML_CHARSET_FARAWAY A foreign language charset used in HTML markup -tflags HTML_CHARSET_FARAWAY userconf - -meta HTML_MIME_NO_HTML_TAG MIME_HTML_ONLY && !__TAG_EXISTS_HTML -describe HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag - -meta HTML_MISSING_CTYPE (!__MIME_HTML && HTML_MESSAGE) -describe HTML_MISSING_CTYPE Message is HTML without HTML Content-Type - -########################################################################### -# rawbody HTML tests - -rawbody HIDE_WIN_STATUS /<[^>]{1,1000}onMouseOver=[^>]{1,1000}window\.status=/i -describe HIDE_WIN_STATUS Javascript to hide URLs in browser - -rawbody __OBFUSCATING_COMMENT_A /\w(?:<![^>]*>)+\w/ -rawbody __OBFUSCATING_COMMENT_B /[^\s>](?:<![^>]*>)+[^\s<]/ -ifplugin Mail::SpamAssassin::Plugin::HTMLEval -ifplugin Mail::SpamAssassin::Plugin::MIMEEval -meta OBFUSCATING_COMMENT ((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIM -describe OBFUSCATING_COMMENT HTML comments which obfuscate text -endif -endif - -# spams that are assembled from a Javascript array -# look for the XOR op -rawbody __JS_FROMCHARCODE /String\.fromCharCode\s*\(\s*\S+\s*\[\s*\S+\s*\]\s*\^/ -rawbody __JS_DOCWRITE /document\.write/ -meta JS_FROMCHARCODE (__JS_FROMCHARCODE && __JS_DOCWRITE) -describe JS_FROMCHARCODE Document is built from a Javascript charcode array - -# a good possible rule that may resurface -# ! $ % ' ( ) , - . / : ; = ? @ _ -#rawbody ENTITY_DEC_OTHER /\&\#0*(?:3[3679]|4[014567]|5[89]|6[134]|95)\;/ -#describe ENTITY_DEC_OTHER HTML contains needlessly encoded punctuation - -body __HIGHBITS /(?:[\x80-\xff].?){4}/ -# note: __HIGHBITS is used by HTML_CHARSET_FARAWAY - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval - -# HTML control test, HTML spam rules should all have better S/O than this -body HTML_MESSAGE eval:html_test('html') -describe HTML_MESSAGE HTML included in message - -# HTML comment tests -body HTML_COMMENT_SHORT eval:html_text_match('comment', '<!(?!-).{0,6}>') -describe HTML_COMMENT_SHORT HTML comment is very short - -body HTML_COMMENT_SAVED_URL eval:html_text_match('comment', '<!-- saved from url=\(\d{4}\)') -describe HTML_COMMENT_SAVED_URL HTML message is a saved web page - -body HTML_EMBEDS eval:html_test('embeds') -describe HTML_EMBEDS HTML with embedded plugin object - - -body HTML_EXTRA_CLOSE eval:html_range('closed_extra_ratio', '0.09', 'inf') -describe HTML_EXTRA_CLOSE HTML contains far too many close tags - - - -body HTML_FONT_SIZE_LARGE eval:html_range('max_size', '5', '6') -describe HTML_FONT_SIZE_LARGE HTML font size is large - -body HTML_FONT_SIZE_HUGE eval:html_range('max_size', '6', 'inf') -describe HTML_FONT_SIZE_HUGE HTML font size is huge - - - - -body HTML_FONT_LOW_CONTRAST eval:html_test('font_low_contrast') -describe HTML_FONT_LOW_CONTRAST HTML font color similar or identical to background - -body HTML_FONT_FACE_BAD eval:html_test('font_face_bad') -describe HTML_FONT_FACE_BAD HTML font face is not a word - - -body HTML_FORMACTION_MAILTO eval:html_test('form_action_mailto') -describe HTML_FORMACTION_MAILTO HTML includes a form which sends mail - -# HTML_IMAGE_ONLY - not much raw HTML with images (absolute) -body HTML_IMAGE_ONLY_04 eval:html_image_only('0000','0400') -body HTML_IMAGE_ONLY_08 eval:html_image_only('0400','0800') -body HTML_IMAGE_ONLY_12 eval:html_image_only('0800','1200') -body HTML_IMAGE_ONLY_16 eval:html_image_only('1200','1600') -body HTML_IMAGE_ONLY_20 eval:html_image_only('1600','2000') -body HTML_IMAGE_ONLY_24 eval:html_image_only('2000','2400') -body HTML_IMAGE_ONLY_28 eval:html_image_only('2400','2800') -body HTML_IMAGE_ONLY_32 eval:html_image_only('2800','3200') -describe HTML_IMAGE_ONLY_04 HTML: images with 0-400 bytes of words -describe HTML_IMAGE_ONLY_08 HTML: images with 400-800 bytes of words -describe HTML_IMAGE_ONLY_12 HTML: images with 800-1200 bytes of words -describe HTML_IMAGE_ONLY_16 HTML: images with 1200-1600 bytes of words -describe HTML_IMAGE_ONLY_20 HTML: images with 1600-2000 bytes of words -describe HTML_IMAGE_ONLY_24 HTML: images with 2000-2400 bytes of words -describe HTML_IMAGE_ONLY_28 HTML: images with 2400-2800 bytes of words -describe HTML_IMAGE_ONLY_32 HTML: images with 2800-3200 bytes of words - -# HTML_IMAGE_RATIO - more image area than text (ratio) -body HTML_IMAGE_RATIO_02 eval:html_image_ratio('0.000','0.002') -body HTML_IMAGE_RATIO_04 eval:html_image_ratio('0.002','0.004') -body HTML_IMAGE_RATIO_06 eval:html_image_ratio('0.004','0.006') -body HTML_IMAGE_RATIO_08 eval:html_image_ratio('0.006','0.008') -describe HTML_IMAGE_RATIO_02 HTML has a low ratio of text to image area -describe HTML_IMAGE_RATIO_04 HTML has a low ratio of text to image area -describe HTML_IMAGE_RATIO_06 HTML has a low ratio of text to image area -describe HTML_IMAGE_RATIO_08 HTML has a low ratio of text to image area - -# HTML obfuscation -body HTML_OBFUSCATE_05_10 eval:html_range('obfuscation_ratio','.05','.1') -body HTML_OBFUSCATE_10_20 eval:html_range('obfuscation_ratio','.1','.2') -body HTML_OBFUSCATE_20_30 eval:html_range('obfuscation_ratio','.2','.3') -body HTML_OBFUSCATE_30_40 eval:html_range('obfuscation_ratio','.3','.4') -body HTML_OBFUSCATE_50_60 eval:html_range('obfuscation_ratio','.5','.6') -body HTML_OBFUSCATE_70_80 eval:html_range('obfuscation_ratio','.7','.8') -body HTML_OBFUSCATE_90_100 eval:html_range('obfuscation_ratio','.9','1.0') -describe HTML_OBFUSCATE_05_10 Message is 5% to 10% HTML obfuscation -describe HTML_OBFUSCATE_10_20 Message is 10% to 20% HTML obfuscation -describe HTML_OBFUSCATE_20_30 Message is 20% to 30% HTML obfuscation -describe HTML_OBFUSCATE_30_40 Message is 30% to 40% HTML obfuscation -describe HTML_OBFUSCATE_50_60 Message is 50% to 60% HTML obfuscation -describe HTML_OBFUSCATE_70_80 Message is 70% to 80% HTML obfuscation -describe HTML_OBFUSCATE_90_100 Message is 90% to 100% HTML obfuscation - -body HTML_TAG_BALANCE_BODY eval:html_tag_balance('body', '!= 0') -describe HTML_TAG_BALANCE_BODY HTML has unbalanced "body" tags - -body HTML_TAG_BALANCE_HEAD eval:html_tag_balance('head', '!= 0') -describe HTML_TAG_BALANCE_HEAD HTML has unbalanced "head" tags - -body HTML_TAG_EXIST_BGSOUND eval:html_tag_exists('bgsound') -describe HTML_TAG_EXIST_BGSOUND HTML has "bgsound" tag - -# percentage of tags that are not legal elements in HTML -body HTML_BADTAG_40_50 eval:html_range('bad_tag_ratio','0.40','0.50') -body HTML_BADTAG_50_60 eval:html_range('bad_tag_ratio','0.50','0.60') -body HTML_BADTAG_60_70 eval:html_range('bad_tag_ratio','0.60','0.70') -body HTML_BADTAG_90_100 eval:html_range('bad_tag_ratio','0.90','1.00') -describe HTML_BADTAG_40_50 HTML message is 40% to 50% bad tags -describe HTML_BADTAG_50_60 HTML message is 50% to 60% bad tags -describe HTML_BADTAG_60_70 HTML message is 60% to 70% bad tags -describe HTML_BADTAG_90_100 HTML message is 90% to 100% bad tags - -# percentage of unique non-elements in HTML -body HTML_NONELEMENT_30_40 eval:html_range('non_element_ratio','0.30','0.40') -body HTML_NONELEMENT_40_50 eval:html_range('non_element_ratio','0.40','0.50') -body HTML_NONELEMENT_60_70 eval:html_range('non_element_ratio','0.60','0.70') -body HTML_NONELEMENT_80_90 eval:html_range('non_element_ratio','0.80','0.90') -describe HTML_NONELEMENT_30_40 30% to 40% of HTML elements are non-standard -describe HTML_NONELEMENT_40_50 40% to 50% of HTML elements are non-standard -describe HTML_NONELEMENT_60_70 60% to 70% of HTML elements are non-standard -describe HTML_NONELEMENT_80_90 80% to 90% of HTML elements are non-standard - -# short HTML messages with certain attributes -body __HTML_LINK_IMAGE eval:html_text_match('anchor', '<img>') -body __HTML_LENGTH_0000_1024 eval:html_range('length', '0', '1024') -body __HTML_LENGTH_1024_1536 eval:html_range('length', '1024', '1536') -body __HTML_LENGTH_1536_2048 eval:html_range('length', '1536', '2048') - -body __HTML_LENGTH_512 eval:html_eval('length', '< 512') -body __COMMENT_EXISTS eval:html_text_match('comment', '<!.*?>') - -body __HTML_LENGTH_384 eval:html_eval('length', '< 384') -body __TAG_EXISTS_CENTER eval:html_tag_exists('center') - -body __HTML_TITLE_120 eval:html_text_match('title', '.{120}') - -body __HTML_TITLE_SUBJ_DIFF eval:html_title_subject_ratio('3.5') - - -body __HTML_CHARSET_FARAWAY eval:html_charset_faraway() - -body HTML_IFRAME_SRC eval:check_iframe_src() -describe HTML_IFRAME_SRC Message has HTML IFRAME tag with SRC URI - -else - -meta __COMMENT_EXISTS 0 -meta __TAG_EXISTS_CENTER 0 - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -# __MIME_ATTACHMENT also used in 20_meta_tests.cf -body __MIME_ATTACHMENT eval:check_for_mime('mime_attachment') -priority __MIME_ATTACHMENT -2000 # Bug 8078 - -endif diff --git a/resources/spamassassin/20_imageinfo.cf b/resources/spamassassin/20_imageinfo.cf deleted file mode 100644 index d9e809a4..00000000 --- a/resources/spamassassin/20_imageinfo.cf +++ /dev/null @@ -1,111 +0,0 @@ -# SpamAssassin rules file: Image information tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::ImageInfo - -## # you can match by image name -## body DC_IMAGE001_GIF eval:image_named('image001.gif') -## describe DC_IMAGE001_GIF Contains image named image001.gif - -## # you can do exact image size matches -## body DC_GIF_264_127 eval:image_size_exact('gif','264','127') -## describe DC_GIF_264_127 Found 264x127 pixel gif, possible pillz - -# you can do image to text, or image to html ratios -rawbody __DC_IMG_HTML_RATIO eval:image_to_text_ratio('all', '0.000', '0.015') -describe __DC_IMG_HTML_RATIO Low rawbody to pixel area ratio - -body __DC_IMG_TEXT_RATIO eval:image_to_text_ratio('all', '0.000', '0.008') -describe __DC_IMG_TEXT_RATIO Low body to pixel area ratio - -# body DC_GIF_TEXT_RATIO eval:image_to_text_ratio('gif',0.000, 0.008) -# describe DC_GIF_TEXT_RATIO Low body to GIF pixel area ratio - -# rawbody DC_GIF_HTML_RATIO eval:image_to_text_ratio('gif',0.000, 0.008) -# describe DC_GIF_HTML_RATIO Low rawbody to GIF pixel area ratio - -# using exact size match to identify things like screenshots -# body __SCREEN_640x480 eval:image_size_exact('all',800,600) -# body __SCREEN_800x600 eval:image_size_exact('all',800,600) -# body __SCREEN_1024x768 eval:image_size_exact('all',1024,768) -# body __SCREEN_1280x1024 eval:image_size_exact('all',1280,1024) -# meta DC_SCREENSHOT_JPG ( __SCREEN_640x480 || __SCREEN_800x600 || __SCREEN_1024x768 || __SCREEN_1280x1024 ) -# describe DC_SCREENSHOT_JPG Contains image matching common screen resolution -# score DC_SCREENSHOT_JPG -0.01 - -# you can do minimum demension matches -# body DC_GIF_300 eval:image_size_range('gif',300,300) -# describe DC_GIF_300 Contains a 300x300 pixels gif or larger -# score DC_GIF_300 0.01 - -# you can do ranged demension matches -# body DC_JPEG_200_300 eval:image_size_range('gif', 200, 300, 250, 350) -# describe DC_JPEG_200_300 Contains jpeg 200-250 (high) x 300-350 (wide) -# score DC_JPEG_200_300 0.01 - -# you can count the number of images (all or by image type) -body __GIF_ATTACH_1 eval:image_count('gif','1','1') -body __GIF_ATTACH_2P eval:image_count('gif','2') - -body __PNG_ATTACH_1 eval:image_count('png','1','1') -body __PNG_ATTACH_2P eval:image_count('png','2') - -body __JPEG_ATTACH_1 eval:image_count('jpeg',1,1) -body __JPEG_ATTACH_2P eval:image_count('jpeg',2) - -# you can determine pixel coverage (all or by image type) -body __GIF_AREA_180K eval:pixel_coverage('gif','180000','475000') -body __PNG_AREA_180K eval:pixel_coverage('png','180000','475000') -# body __JPEG_AREA_180K eval:pixel_coverage('jpeg',180000,475000) - -# meta together something useful -meta DC_GIF_UNO_LARGO ( __GIF_ATTACH_1 && __GIF_AREA_180K ) -describe DC_GIF_UNO_LARGO Message contains a single large gif image - -meta __DC_GIF_MULTI_LARGO ( __GIF_ATTACH_2P && __GIF_AREA_180K ) -describe __DC_GIF_MULTI_LARGO Message has 2+ inline gif covering lots of area - -meta DC_PNG_UNO_LARGO ( __PNG_ATTACH_1 && __PNG_AREA_180K ) -describe DC_PNG_UNO_LARGO Message contains a single large png image - -meta __DC_PNG_MULTI_LARGO ( __PNG_ATTACH_2P && __PNG_AREA_180K ) -describe __DC_PNG_MULTI_LARGO Message has 2+ png images covering lots of area - -# meta DC_JPEG_UNO_LARGO ( __JPEG_ATTACH_1 && __JPEG_AREA_180K ) -# describe DC_JPEG_UNO_LARGO Message hash single large jpeg image - -# meta DC_JPEG_MULTI_LARGO ( __JPEG_ATTACH_2P && __JPEG_AREA_180K ) -# describe DC_JPEG_MULTI_LARGO Message has 2+ jpeg images covering lots of area - -meta DC_IMAGE_SPAM_TEXT ( !__HAS_URI && __DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO )) -describe DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text - -# meta the stock rules together for HTML_IMAGE_ONLY_* -meta __HTML_IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 ) - -meta DC_IMAGE_SPAM_HTML (!__HAS_URI && ( __HTML_IMG_ONLY || __DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO )) -describe DC_IMAGE_SPAM_HTML Possible Image-only spam - -endif diff --git a/resources/spamassassin/20_mailspike.cf b/resources/spamassassin/20_mailspike.cf deleted file mode 100644 index ae942d2a..00000000 --- a/resources/spamassassin/20_mailspike.cf +++ /dev/null @@ -1,82 +0,0 @@ - -# MailSpike is included in SpamAssassin 3.4+ -if (version >= 3.004000) -ifplugin Mail::SpamAssassin::Plugin::DNSEval -## Spam sources -header __RCVD_IN_MSPIKE_B eval:check_rbl('mspikeb-lastexternal', 'bl.mailspike.net.') -tflags __RCVD_IN_MSPIKE_B net -reuse __RCVD_IN_MSPIKE_B - -## Ham sources -header __RCVD_IN_MSPIKE_L eval:check_rbl('mspikeg-firsttrusted', 'wl.mailspike.net.') -tflags __RCVD_IN_MSPIKE_L net -reuse __RCVD_IN_MSPIKE_L - -##### Reputation compensations -# Definitions - Bad senders -header __RCVD_IN_MSPIKE_Z eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.2') -describe __RCVD_IN_MSPIKE_Z Spam wave participant -tflags __RCVD_IN_MSPIKE_Z net -reuse __RCVD_IN_MSPIKE_Z - -header RCVD_IN_MSPIKE_L5 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.10') -describe RCVD_IN_MSPIKE_L5 Very bad reputation (-5) -tflags RCVD_IN_MSPIKE_L5 net -reuse RCVD_IN_MSPIKE_L5 - -header RCVD_IN_MSPIKE_L4 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.11') -describe RCVD_IN_MSPIKE_L4 Bad reputation (-4) -tflags RCVD_IN_MSPIKE_L4 net -reuse RCVD_IN_MSPIKE_L4 - -header RCVD_IN_MSPIKE_L3 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.12') -describe RCVD_IN_MSPIKE_L3 Low reputation (-3) -tflags RCVD_IN_MSPIKE_L3 net -reuse RCVD_IN_MSPIKE_L3 - -header RCVD_IN_MSPIKE_L2 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.13') -describe RCVD_IN_MSPIKE_L2 Suspicious reputation (-2) -tflags RCVD_IN_MSPIKE_L2 net -reuse RCVD_IN_MSPIKE_L2 - -# Definitions - Good senders -header RCVD_IN_MSPIKE_H5 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.20') -describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5) -tflags RCVD_IN_MSPIKE_H5 nice net -reuse RCVD_IN_MSPIKE_H5 - -header RCVD_IN_MSPIKE_H4 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.19') -describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4) -tflags RCVD_IN_MSPIKE_H4 nice net -reuse RCVD_IN_MSPIKE_H4 - -header RCVD_IN_MSPIKE_H3 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.18') -describe RCVD_IN_MSPIKE_H3 Good reputation (+3) -tflags RCVD_IN_MSPIKE_H3 nice net -reuse RCVD_IN_MSPIKE_H3 - -header RCVD_IN_MSPIKE_H2 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.17') -describe RCVD_IN_MSPIKE_H2 Average reputation (+2) -tflags RCVD_IN_MSPIKE_H2 nice net -reuse RCVD_IN_MSPIKE_H2 - -# *_L and *_Z may overlap each other, so account for that -meta __RCVD_IN_MSPIKE_LOW RCVD_IN_MSPIKE_L5 || RCVD_IN_MSPIKE_L4 || RCVD_IN_MSPIKE_L3 -tflags __RCVD_IN_MSPIKE_LOW net - -meta RCVD_IN_MSPIKE_ZBI __RCVD_IN_MSPIKE_Z && !__RCVD_IN_MSPIKE_LOW -tflags RCVD_IN_MSPIKE_ZBI net - -## Meta rules for aggregating good and bad senders -# Bad -meta RCVD_IN_MSPIKE_BL RCVD_IN_MSPIKE_L5 || RCVD_IN_MSPIKE_L4 || RCVD_IN_MSPIKE_L3 || __RCVD_IN_MSPIKE_Z -describe RCVD_IN_MSPIKE_BL Mailspike blocklisted -tflags RCVD_IN_MSPIKE_BL net - -# Good -meta RCVD_IN_MSPIKE_WL RCVD_IN_MSPIKE_H5 || RCVD_IN_MSPIKE_H4 || RCVD_IN_MSPIKE_H3 -describe RCVD_IN_MSPIKE_WL Mailspike good senders -tflags RCVD_IN_MSPIKE_WL nice net - - endif -endif diff --git a/resources/spamassassin/20_meta_tests.cf b/resources/spamassassin/20_meta_tests.cf deleted file mode 100644 index 3662bf46..00000000 --- a/resources/spamassassin/20_meta_tests.cf +++ /dev/null @@ -1,79 +0,0 @@ -# SpamAssassin rules file: meta tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# Add meta tests which cover *both* headers and body here. -# -# Note: body tests are run with long lines, so be sure to limit the -# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge -# search times. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -# some tests that will trigger FPs on ISO-2022-JP mails. - -body __ISO_2022_JP_DELIM /\e\$B/ - -meta UPPERCASE_50_75 (!__ISO_2022_JP_DELIM && __UPPERCASE_50_75) -describe UPPERCASE_50_75 message body is 50-75% uppercase -meta UPPERCASE_75_100 (!__ISO_2022_JP_DELIM && __UPPERCASE_75_100) -describe UPPERCASE_75_100 message body is 75-100% uppercase - -header __SANE_MSGID MESSAGEID =~ /^<[^<>\\ \t\n\r\x0b\x80-\xff]+\@[^<>\\ \t\n\r\x0b\x80-\xff]+>\s*$/m -header __HAS_MSGID MESSAGEID =~ /\S/ -header __MSGID_COMMENT MESSAGEID =~ /\(.*\)/m -meta INVALID_MSGID __HAS_MSGID && !(__SANE_MSGID || __MSGID_COMMENT) -describe INVALID_MSGID Message-Id is not valid, according to RFC 2822 - -#See Bug 7411 -#header __MOZILLA_MUA X-Mailer =~ /\bMozilla\b/ -header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i -header __MOZILLA_MSGID MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m -meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID) -describe FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla - -header __PC_RND_HEADER ALL =~ /%RA?ND(?:OM)?(?:_|\b|[A-Z]{3})/i -rawbody __PC_RND_RAWBODY /%RA?ND(?:OM)?(?:_|\b|[A-Z]{3})/i -meta PERCENT_RANDOM (__PC_RND_HEADER || __PC_RND_RAWBODY) -describe PERCENT_RANDOM Message has a random macro in it - -# __MIME_ATTACHMENT defined in 20_html_tests.cf -body __NONEMPTY_BODY /\S/ -tflags __NONEMPTY_BODY nosubject -priority __NONEMPTY_BODY -2000 # Bug 8078 -meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY -describe EMPTY_MESSAGE Message appears to have no textual parts - -meta NO_HEADERS_MESSAGE (MISSING_DATE && MISSING_HEADERS && NO_RECEIVED && NO_RELAYS && MISSING_MID) -describe NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 headers - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -body __UPPERCASE_25_50 eval:check_for_uppercase('25', '50') -body __UPPERCASE_50_75 eval:check_for_uppercase('50', '75') -body __UPPERCASE_75_100 eval:check_for_uppercase('75', '100') - -endif diff --git a/resources/spamassassin/20_net_tests.cf b/resources/spamassassin/20_net_tests.cf deleted file mode 100644 index 2825f76f..00000000 --- a/resources/spamassassin/20_net_tests.cf +++ /dev/null @@ -1,49 +0,0 @@ -# SpamAssassin rules file: network tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# Note: body tests are run with long lines, so be sure to limit the -# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge -# search times. -# -# Note: If you are adding a rule which looks for a phrase in the body -# (as most of them do), please add it to rules/20_phrases.cf instead. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -# bug 2220. nice results -meta DIGEST_MULTIPLE RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1 -describe DIGEST_MULTIPLE Message hits more than one network digest check -tflags DIGEST_MULTIPLE net -reuse DIGEST_MULTIPLE - -ifplugin Mail::SpamAssassin::Plugin::DNSEval - -header NO_DNS_FOR_FROM eval:check_dns_sender() -describe NO_DNS_FOR_FROM Envelope sender has no MX or A DNS records -tflags NO_DNS_FOR_FROM net -reuse NO_DNS_FOR_FROM - -endif - diff --git a/resources/spamassassin/20_pdfinfo.cf b/resources/spamassassin/20_pdfinfo.cf deleted file mode 100644 index cf0b3c96..00000000 --- a/resources/spamassassin/20_pdfinfo.cf +++ /dev/null @@ -1,315 +0,0 @@ -# SpamAssassin rules file: Pdfinfo rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# 2014-12-02 - axb -# Info and disabled rules kept for historical & documentation reasons -# Updated rules may be added -# -# Original File: pdfinfo.cf -# Original Version: 0.6 -# Info: $Id: pdfinfo.cf 895 2007-07-27 10:31:08Z alexb $ -# Created: 2007-06-25 -# Modified: 2007-07-19 -# Original / Defunct Site URL: http://www.rulesemporium.com/plugins.htm#PDFinfo -# Author: Dallas Engelken (aka GMD :-) -# Rules contributed by Alex Broens -# Requires: PDFInfo.pm plugin -# Description: This plugin/ruleset combination will help you alleviate the new -# PDF based stock spam which began to appear mid-June, 2007. -# -# -# Changes: -# -# 0.6 - added easypdf producer rule and more no body text metas -# - tags support added, see USING TAGS below. -# 0.5 - added fuzzy test 7 -# 0.4 - added new fuzzy for encyprted pdf image spams. -# - added rule to check for encryption -# 0.3 - added rules based on the new pdf_match_details() function -# - added additional fuzzy md5 rules -# - disabled static md5 rules as they are no longer hitting. -# 0.2 - added static md5 to hit full page stock spam. -# 0.1 - initial ruleset. -# - -############################################ -# USING TAGS -############################################ - -# The follow tags can be defined in an add_header line -# -# _PDFCOUNT_ - total number of pdf mime parts in the email -# _PDFIMGCOUNT_ - total number of images found inside pdf mime parts -# _PDFVERSION_ - PDF Version, space seperated if there are > 1 pdf attachments -# _PDFNAME_ - Filenames as found in the mime headers of PDF parts -# _PDFPRODUCER_ - Producer/Application that created the PDF(s) -# _PDFAUTHOR_ - Author of the PDF -# _PDFCREATOR_ - Creator/Program that created the PDF(s) -# _PDFTITLE_ - Title of the PDF File, if available -# _PDFIMGDIM_ - If PDF Contains images, the dimensions of them will be put here -# _PDFIMGAREA_ - The total area of all combined images inside the PDF(s) -# _PDFMD5_ - MD5 checksum of PDF(s) - space seperated -# _PDFMD5FUZZY1_- Fuzzy1 MD5 checksum of PDF(s) - space seperated -# _PDFMD5FUZZY2_- Fuzzy2 MD5 checksum of PDF(s) - space seperated -# -# Example add_header lines -# -# add_header all PDF-Info pdf=_PDFCOUNT_, pdfimg=_PDFIMGCOUNT_, ver=_PDFVERSION_, name=_PDFNAME_ -# add_header all PDF-Details producer=_PDFPRODUCER_, author=_PDFAUTHOR_, creator=_PDFCREATOR_, title=_PDFTITLE_ -# add_header all PDF-ImageInfo dim=_PDFIMGDIM_, area=_PDFIMGAREA_ -# add_header all PDF-Md5 md5=_PDFMD5_, fuzzy1=_PDFMD5FUZZY1_, fuzzy2=_PDFMD5FUZZY2_ -# - -############################################ -# GENERIC RULE EXAMPLES SHOWING EVAL USAGE -############################################ - -# you can match by name -# body MY_TEST_PDF eval:pdf_named('mytest.pdf') - -# or you can write a regex to match dynamic file names. -# body MY_TEST_PDF eval:pdf_name_regex('/^(?:my|your)test\.pdf$/') - -# you can make it case insensitive by using modifiers -# body PDF_IMGXXXXX eval:pdf_name_regex('/^IMG\D+\.\.PDF$/i') - -# you can do exact image size matches -# body PDF_DEMS_150_400 eval:pdf_image_size_exact(150,400) - -# you can do image to text, or image to html ratios -# rawbody PDF_TO_HTML_RATIO eval:pdf_image_to_text_ratio(0.000, 0.015) -# body PDF_TO_TEXT_RATIO eval:pdf_image_to_text_ratio(0.000, 0.008) - -# you can do minimum demension matches -# body PDF_SIZE_RANGE_1 eval:pdf_image_size_range(300,300) - -# you can do ranged demension matches -# body PDF_SIZE_RANGE_2 eval:pdf_image_size_range(200, 300, 250, 350) - -# you can count the number of pdf mime partts -# body PDF_MIME_COUNT_1 eval:pdf_count(1,1) -# body PDF_MIME_COUNT_2_PLUS eval:pdf_count(2) - -# you can count the number of images inside the pdfs -# body PDF_IMG_COUNT_1 eval:pdf_image_count(1,1) -# body PDF_IMG_COUNT_2_PLUS eval:pdf_image_count(2) - -# you can determine pixel coverage -# body PDF_AREA_SMALL eval:pdf_pixel_coverage(1,100000) - - -# match a md5 or fuzzy md5 signature of the pdf - -# body PDF_BAD_MD5 eval:pdf_match_md5('C359F8F89B290DA99DC997ED50117CDF') -# body PDF_BAD_FUZZY eval:pdf_match_fuzzy_md5('7340821445D975EEF6F5BDE2EC257900') - -# Now you can match against certain details if they are found in the PDF. -# A regex match is used on the value specified, so if you want to do an -# exact match, use anchors ^value$ -# -# body GMD_AUTHOR_MOBILE eval:pdf_match_details('author','/^mobile$/') -# body GMD_PRODUCER_GPL eval:pdf_match_details('producer','/(?i)^gpl ghostscript/') -# body GMD_CREATOR_PSCRIPT5 eval:pdf_match_details('creator','/^PScript5/') -# body GMD_TITLE_WORD_DOC1 eval:pdf_match_details('title','/^Microsoft Word \- Document1$/) -# body GMD_CREATED_JULY07 eval:pdf_match_details('created','/^200707/') -# body GMD_MODIFIED_JULY07 eval:pdf_match_details('modified','/^200707/') - -ifplugin Mail::SpamAssassin::Plugin::PDFInfo - -####################################### -# DISABLED RULES, ENABLE IF YOU WANT -####################################### - -# Small area -# Disabled - Hits Ham -# body GMD_PDF_SMALL_AREA eval:pdf_pixel_coverage(1,100000) -# describe GMD_PDF_SMALL_AREA PDF Area covers 150k pixels or less -# score GMD_PDF_SMALL_AREA 0.75 -# counts GMD_PDF_SMALL_AREA 51s/15h of 10615 corpus (5652s/4963h AxB) 06/25/07 - -# NOTE - people do send pdf's without message bodies! -# Disabled - Hits Ham -# body GMD_PDF_NO_TXT eval:pdf_image_to_text_ratio(0.000, 0.005) -# describe GMD_PDF_NO_TXT Low rawbody to pixel area ratio -# score GMD_PDF_NO_TXT 0.01 -# counts GMD_PDF_NO_TXT 64s/3h of 10615 corpus (5652s/4963h AxB) 06/25/07 - -#################################### -# HERE ARE THE LIVE RULES -#################################### - - - -###################################################################################################### -# pdf image dimensions - -# thin horizontal, common stox. -body GMD_PDF_HORIZ eval:pdf_image_size_range(100, 450, 240, 800) -describe GMD_PDF_HORIZ Contains pdf 100-240 (high) x 450-800 (wide) -score GMD_PDF_HORIZ 0.25 -# counts GMD_PDF_HORIZ 135s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_PDF_HORIZ 278s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07 - -# near square, and small. common stox. -body GMD_PDF_SQUARE eval:pdf_image_size_range(180, 180, 360, 360) -describe GMD_PDF_SQUARE Contains pdf 180-360 (high) x 180-360 (wide) -score GMD_PDF_SQUARE 0.50 -# counts GMD_PDF_SQUARE 36s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_PDF_SQUARE 46s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07 - -# thin vertical, very tall. common stox. -body GMD_PDF_VERT eval:pdf_image_size_range(450, 100, 800, 240) -describe GMD_PDF_VERT Contains pdf 450-800 (high) x 100-240 (wide) -score GMD_PDF_VERT 0.90 -# counts GMD_PDF_VERT 24s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_PDF_VERT 10s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07 - -###################################################################################################### -# static checksums - -# all static md5 spam runs are complete as of 7/11 -# if there are more, we'll add new rules. - -# removed fuzzy rules dated 2007 -# Get fuzzy info: -# cat msg.eml | spamassassin --debug pdfinfo 2>&1 | grep fuzzy 2>&1 - -# sample rules ONLY -# fuzzy checksum for bad stox -#body GMD_PDF_FUZZY1_T1 eval:pdf_match_fuzzy_md5('57EBC1FFB1A24CC14AE23E1E227C3484') -#describe GMD_PDF_FUZZY1_T1 Fuzzy MD5 Match 57EBC1FFB1A24CC14AE23E1E227C3484 -#score GMD_PDF_FUZZY1_T1 0.001 - -# same as rule above using fuzzy md5 of pdf structure -#body GMD_PDF_FUZZY2_T1 eval:pdf_match_fuzzy_md5('653C8AA9FDFD03D382523488058360A2') -#describe GMD_PDF_FUZZY2_T1 Fuzzy MD5 Match 653C8AA9FDFD03D382523488058360A2 -#score GMD_PDF_FUZZY2_T1 0.001 - - -###################################################################################################### -# pdf_match_details() - -# from embedded link spam -#body GMD_AUTHOR_COLET eval:pdf_match_details('author','/^colet$/') -#describe GMD_AUTHOR_COLET PDF author was 'colet' -#score GMD_AUTHOR_COLET 4.50 -# counts GMD_AUTHOR_COLET 1s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07 -# counts GMD_AUTHOR_COLET 2s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07 - -# from full page pdf stock spammer. -#body GMD_AUTHOR_MOBILE eval:pdf_match_details('author','/^mobile$/') -#describe GMD_AUTHOR_MOBILE PDF author was 'mobile' -#score GMD_AUTHOR_MOBILE 2.75 -# counts GMD_AUTHOR_MOBILE 2s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_AUTHOR_MOBILE 55s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07 - -# txt only stock spam -#body GMD_AUTHOR_OOO eval:pdf_match_details('author','/^openofficeuser$/') -#describe GMD_AUTHOR_OOO PDF author was 'openofficeuser' -#score GMD_AUTHOR_OOO 1.75 -# counts GMD_AUTHOR_OOO 1s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07 -# counts GMD_AUTHOR_OOO 118s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07 - -# txt only stock spam -#body GMD_AUTHOR_HPADMIN eval:pdf_match_details('author','/^HP_Administrator/') -#describe GMD_AUTHOR_HPADMIN PDF author was 'HP_Administrator' -#score GMD_AUTHOR_HPADMIN 0.25 -# counts GMD_AUTHOR_HPADMIN 105s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_AUTHOR_HPADMIN 27s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07 - -# generic rule for software used to produce the pdf. -body GMD_PRODUCER_GPL eval:pdf_match_details('producer','/^(?:gnu|gpl) ghostscript/i') -describe GMD_PRODUCER_GPL PDF producer was GPL Ghostscript -score GMD_PRODUCER_GPL 0.25 -# counts GMD_PRODUCER_GPL 227s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_PRODUCER_GPL 85s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07 - -# generic rule for software used to produce the pdf. -body GMD_PRODUCER_POWERPDF eval:pdf_match_details('producer','/^PowerPdf 0\./') -describe GMD_PRODUCER_POWERPDF PDF producer was PowerPDF -score GMD_PRODUCER_POWERPDF 0.25 -# counts GMD_PRODUCER_POWERPDF 0s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07 -# counts GMD_PRODUCER_POWERPDF 0s/0h of 5641 corpus (4064s/1577h AxB-MANUAL) 07/11/07 - -# producer is bcl -body GMD_PRODUCER_EASYPDF eval:pdf_match_details('producer','/^BCL easyPDF/') -describe GMD_PRODUCER_EASYPDF PDF producer was BCL easyPDF -score GMD_PRODUCER_EASYPDF 0.25 - -# simple check for encryption used inside pdf. -# recommend meta with something else... -body GMD_PDF_ENCRYPTED eval:pdf_is_encrypted() -describe GMD_PDF_ENCRYPTED Attached PDF is encrypted -score GMD_PDF_ENCRYPTED 0.60 -# counts GMD_PDF_ENCRYPTED 13s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07 - -# simple check for empty msg body when there is one or more pdf attachments present. -body GMD_PDF_EMPTY_BODY eval:pdf_is_empty_body() -describe GMD_PDF_EMPTY_BODY Attached PDF with empty message body -score GMD_PDF_EMPTY_BODY 0.25 -# counts GMD_PDF_EMPTY_BODY 1638s/20h of 27034 corpus (24636s/2398h AxB-MANUAL) 07/19/07 -priority GMD_PDF_EMPTY_BODY 2000 # workaround for Bug 8070 - -###################################################################################################### -# metas -#meta __GMD_PDF_CHECKSUM ( GMD_PDF_FUZZY1_T1 || GMD_PDF_FUZZY2_T1 || GMD_PDF_FUZZY2_T2 || GMD_PDF_FUZZY2_T3 || GMD_PDF_FUZZY2_T4 || GMD_PDF_FUZZY2_T5 || GMD_PDF_FUZZY2_T6 || GMD_PDF_FUZZY2_T7 ||GMD_PDF_FUZZY2_T9 || GMD_PDF_FUZZY2_T10 || GMD_PDF_FUZZY2_T11 || GMD_PDF_FUZZY2_T12 ) -#meta __GMD_PDF_DETAIL ( GMD_AUTHOR_COLET || GMD_AUTHOR_MOBILE || GMD_AUTHOR_OOO || GMD_AUTHOR_HPADMIN || GMD_PRODUCER_GPL || GMD_PRODUCER_POWERPDF || GMD_PRODUCER_EASYPDF ) -meta __GMD_PDF_DIMS ( GMD_PDF_VERT || GMD_PDF_HORIZ || GMD_PDF_SQUARE ) -meta __GMD_PDF_PRODUCERS ( GMD_PRODUCER_GPL || GMD_PRODUCER_POWERPDF || GMD_PRODUCER_EASYPDF ) - -# rule hits ham by itself, so use just to meta. -body __GMD_PDF_NO_TXT eval:pdf_image_to_text_ratio(0.000, 0.005) - -# meta checksum hit with image dimensions -#meta GMD_PDF_STOX_M1 ( __GMD_PDF_CHECKSUM && __GMD_PDF_DIMS) -#describe GMD_PDF_STOX_M1 PDF Stox spam -#score GMD_PDF_STOX_M1 3.25 -# counts GMD_PDF_STOX_M1 159s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_PDF_STOX_M1 40s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07 - -# meta checksum hit to pdf details -#meta GMD_PDF_STOX_M2 ( __GMD_PDF_CHECKSUM && __GMD_PDF_DETAIL ) -#describe GMD_PDF_STOX_M2 PDF Stox spam -#score GMD_PDF_STOX_M2 2.95 -# counts GMD_PDF_STOX_M2 223s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07 -# counts GMD_PDF_STOX_M2 29s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07 - -# meta dimensions and encryption -#meta GMD_PDF_STOX_M3 ( __GMD_PDF_DIMS && GMD_PDF_ENCRYPTED ) -#describe GMD_PDF_STOX_M3 PDF Stox spam -#score GMD_PDF_STOX_M3 2.25 -# counts GMD_PDF_STOX_M3 12s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07 - -# meta checksum with no text -#meta GMD_PDF_STOX_M4 ( __GMD_PDF_CHECKSUM && (__GMD_PDF_NO_TXT || GMD_PDF_EMPTY_BODY)) -#describe GMD_PDF_STOX_M4 PDF Stox spam -#score GMD_PDF_STOX_M4 2.95 - -# meta no body text along with automated pdf production. -#meta GMD_PDF_STOX_M5 ( __GMD_PDF_PRODUCERS && (__GMD_PDF_NO_TXT || GMD_PDF_EMPTY_BODY)) -#describe GMD_PDF_STOX_M5 PDF Stox Spam -#score GMD_PDF_STOX_M5 1.00 - -endif diff --git a/resources/spamassassin/20_phrases.cf b/resources/spamassassin/20_phrases.cf deleted file mode 100644 index 07108d0e..00000000 --- a/resources/spamassassin/20_phrases.cf +++ /dev/null @@ -1,192 +0,0 @@ -# SpamAssassin rules file: phrase tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# Note: body tests are run with long lines, so be sure to limit the -# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge -# search times. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -########################################################################### - -# new way to phrase unsubscribe link -body REMOVE_BEFORE_LINK m{(?:no thanks|not interested|unsubscribe here).{0,5}http://}i -describe REMOVE_BEFORE_LINK Removal phrase right before a link - -########################################################################### -# CLICK rules -# note HTML_LINK_CLICK* rules in HTML parser section - - -body GUARANTEED_100_PERCENT /100% GUARANTEED/i -describe GUARANTEED_100_PERCENT One hundred percent guaranteed -body DEAR_FRIEND /^\s*Dear Friend\b/i -describe DEAR_FRIEND Dear Friend? That's not very dear! -body DEAR_SOMETHING /\bDear (?:IT\W|Internet|candidate|sirs?|madam|investor|travell?er|car shopper|web)\b/i -describe DEAR_SOMETHING Contains 'Dear (something)' -body BILLION_DOLLARS /[BM]ILLION DOLLAR/ -describe BILLION_DOLLARS Talks about lots of money - -body EXCUSE_4 /To Be Removed,? Please/i -describe EXCUSE_4 Claims you can be removed from the list - -# strange pattern because otherwise it matches the std. majordomo line -# pls note the comment above. DO NOT just put "to" in the first group! - -body EXCUSE_REMOVE /to be removed from.{0,20}(?:mailings|offers)/i -describe EXCUSE_REMOVE Talks about how to be removed from mailings - -body STRONG_BUY /strong buy/i -describe STRONG_BUY Tells you about a strong buy - - -body STOCK_ALERT /\bstock alert/i -describe STOCK_ALERT Offers a alert about a stock -body NOT_ADVISOR /not a registered investment advisor/i -describe NOT_ADVISOR Not registered investment advisor - - -body PREST_NON_ACCREDITED /prestigi?ous\b.{0,20}\bnon-accredited\b.{0,20}\buniversities/i -describe PREST_NON_ACCREDITED 'Prestigious Non-Accredited Universities' - -body BODY_ENHANCEMENT /\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b).{0,50}\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer))/i -describe BODY_ENHANCEMENT Information on growing body parts - -body BODY_ENHANCEMENT2 /\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer)).{0,50}\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b|size)/i -describe BODY_ENHANCEMENT2 Information on getting larger body parts - -body IMPOTENCE /\b(?:impotence (?:problem|cure|solution)|Premature Ejaculation|erectile dysfunction)/i -describe IMPOTENCE Impotence cure - - - -#MOVED TO 20_rules_to_sandbox.cf - kmcgrail 2015-05-14 -#body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i -#describe NA_DOLLARS Talks about a million North American dollars -# -#body US_DOLLARS_3 /(?:\$|usd).?\d{1,3}[,.]\d{3}[,.]\d{3}(?:[,.]\d\d)?/i -#describe US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN) -# -#body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i -#describe MILLION_USD Talks about millions of dollars - - - -body __URG_BIZ /urgent.{0,16}(?:assistance|business|buy|confidential|notice|proposal|reply|request|response)/i -meta URG_BIZ __URG_BIZ -describe URG_BIZ Contains urgent matter - - - -body MONEY_BACK /money back guarantee/i -describe MONEY_BACK Money back guarantee - - - -body FREE_QUOTE_INSTANT /free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote/i -describe FREE_QUOTE_INSTANT Free express or no-obligation quote - -body BAD_CREDIT /\b((?:bad|poor|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)|no credit (?:check|histor|need))/i -describe BAD_CREDIT Eliminate Bad Credit - - -body REFINANCE_YOUR_HOME /\brefinance your(?: current)? (?:home|house)\b/i -describe REFINANCE_YOUR_HOME Home refinancing - -body REFINANCE_NOW /time to refinance|refinanc\w{1,3}\b.{0,16}\bnow\b/i -describe REFINANCE_NOW Home refinancing - -body NO_MEDICAL /\bno medical exam/i -describe NO_MEDICAL No Medical Exams - - -# seems like we vastly reduce FPs on this one with a small change or two -body DIET_1 /\b(?:(?:without|no) (?:exercis(?:e(?! price)|ing)|dieting)|weight.?loss|(?:extra|lose|lost|losing).{0,10}(?:pounds|weight|inches|lbs)|burn.{1,10}fat)\b/i -describe DIET_1 Lose Weight Spam - - -body FIN_FREE /\bfinancial(?:ly)? (?:free|independen)/i -describe FIN_FREE Freedom of a financial nature - -body FORWARD_LOOKING /\bcontains forward-looking statements\b/i -describe FORWARD_LOOKING Stock Disclaimer Statement - -body ONE_TIME /\bone\W+time (?:charge|investment|offer|promotion)/i -describe ONE_TIME One Time Rip Off - -body JOIN_MILLIONS /\bjoin (?:millions|thousands)\b/i -describe JOIN_MILLIONS Join Millions of Americans - -body MARKETING_PARTNERS /\b(?:marketing|network) partner|\bpartner (?:web)?site/i -describe MARKETING_PARTNERS Claims you registered with a partner - -body LOW_PRICE /\blow.{0,4} (?-i:P)rice/i -describe LOW_PRICE Lowest Price - -body UNCLAIMED_MONEY /\bunclaimed\s(?:assets?|accounts?|mon(?:ey|ies)|balance|funds?|prizes?|rewards?|payments?|deposits?)\b/i -describe UNCLAIMED_MONEY People just leave money laying around - -body OBSCURED_EMAIL /\w+\^\S+\(\w{2,4}\b/ -describe OBSCURED_EMAIL Message seems to contain rot13ed address - -body BANG_OPRAH /\boprah!/i -describe BANG_OPRAH Talks about Oprah with an exclamation! - -#adding boundary checks: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6870 -body ACT_NOW_CAPS /\bA(?i:ct) N(?i:ow)\b/ -describe ACT_NOW_CAPS Talks about 'acting now' with capitals - -body MORE_SEX /increased?.{0,9}(?:sex|stamina)/i -describe MORE_SEX Talks about a bigger drive for sex - -# explicitly capped at 1.0 score because of FP potential -body BANG_GUAR /\bguaranteed?\!/i -describe BANG_GUAR Something is emphatically guaranteed - - - -body __RUDE_HTML_1 /Get a capable html e-mailer/i -body __RUDE_HTML_2 /not support the display of HTML. Please view this message in a different/i -body __RUDE_HTML_3 /This message contains an HTML formatted message but your email client does/i -body __RUDE_HTML_4 /Your mailer do not support HTML messages. Switch to a better mailer/i -meta RUDE_HTML __RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4 -describe RUDE_HTML Spammer message says you need an HTML mailer - -body INVESTMENT_ADVICE /\binvestment advice/i -describe INVESTMENT_ADVICE Message mentions investment advice - - -body MALE_ENHANCE /male enhancement/i -describe MALE_ENHANCE Message talks about enhancing men - -body PRICES_ARE_AFFORDABLE /\baffordable .{0,10}prices\b/i -describe PRICES_ARE_AFFORDABLE Message says that prices aren't too expensive - -body REPLICA_WATCH /\breplica.{1,20}rolex/i -describe REPLICA_WATCH Message talks about a replica watch - -body EM_ROLEX /[^\s\w.]rolex/i -describe EM_ROLEX Message puts emphasis on the watch manufacturer - diff --git a/resources/spamassassin/20_porn.cf b/resources/spamassassin/20_porn.cf deleted file mode 100644 index 23336ae3..00000000 --- a/resources/spamassassin/20_porn.cf +++ /dev/null @@ -1,45 +0,0 @@ -# SpamAssassin rules file: porn tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# Note: body tests are run with long lines, so be sure to limit the -# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge -# search times. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -########################################################################### - -body FREE_PORN /\bfree (?:porn|xxx|adult)/i -describe FREE_PORN Possible porn - Free Porn - -body CUM_SHOT /\bcum[ -]?shots?\b/i -describe CUM_SHOT Possible porn - Cum Shot - -# "live cam" is a very common nonspam phrase, removed -body LIVE_PORN /\blive .{0,9}(?:fuck(?:ing)?|sex|naked|girls?|virgins?|teens?|porno?)\b/i -describe LIVE_PORN Possible porn - Live Porn - -header SUBJECT_SEXUAL Subject =~ /[s5][e3\xE8-\xEB]x[u\xB5\xF9-\xFC][a4\xE0-\xE6@][l!|1](?:[l!|1]y)?.{0,3}[e3\xE8-\xEB]xp[l!|1][i1!|l\xEC-\xEF]c[i1!|l\xEC-\xEF]t/i -describe SUBJECT_SEXUAL Subject indicates sexually-explicit content diff --git a/resources/spamassassin/20_ratware.cf b/resources/spamassassin/20_ratware.cf deleted file mode 100644 index 685bf63c..00000000 --- a/resources/spamassassin/20_ratware.cf +++ /dev/null @@ -1,327 +0,0 @@ -# SpamAssassin rules file: known spam mailers -# -# Sometimes these leave 'sent by mailername' fingerprints in the -# headers, which provide a nice way for us to catch them. -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -header RATWARE_EGROUPS X-Mailer =~ /eGroups Message Poster/ -describe RATWARE_EGROUPS Bulk email fingerprint (eGroups) found - -# Note that the tests which look at the "ALL" pseudoheader are slower than -# the specific header. -# 100% overlap with X-Stormpost-To: header, but seems wise to leave it in -header RATWARE_OE_MALFORMED X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/ -describe RATWARE_OE_MALFORMED X-Mailer has malformed Outlook Express version -header RATWARE_MOZ_MALFORMED User-Agent =~ /Mozilla\/5\.0\d\d/ -describe RATWARE_MOZ_MALFORMED Bulk email fingerprint (Mozilla malformed) found - -header RATWARE_MPOP_WEBMAIL X-Mailer =~ /mPOP Web-Mail/i -describe RATWARE_MPOP_WEBMAIL Bulk email fingerprint (mPOP Web-Mail) - -########################################################################### -# Now, detect forgeries of real MUAs -# -# NOTE: these rules should specify version numbers! - -# first define situations where servers rewrite message id so we can't use message id to detect forgeries - -header __HOTMAIL_BAYDAV_MSGID MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m - -header __IPLANET_MESSAGING_SERVER Received =~ /iPlanet Messaging Server/ - -header __LYRIS_EZLM_REMAILER List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/ - -header __SYMPATICO_MSGID MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m - -header __WACKY_SENDMAIL_VERSION Received =~ /\/CWT\/DCE\)/ - -header __GROUPSIO_MSGID MESSAGEID =~ /^<[[:xdigit:]]+\.[[:xdigit:]]+\@groups.io>$/m - -header __HAS_XORIGMSGID X-Orig-Message-Id =~ /^<.+\@.+>$/m - -meta __GROUPSIO_GATED __GROUPSIO_MSGID && __HAS_XORIGMSGID - -meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID && __GROUPSIO_GATED) - -## now on to the forgery rules - -# AOL -header __AOL_MUA X-Mailer =~ /\bAOL\b/ - -# Internet Mail Service -header __IMS_MUA X-Mailer =~ /Internet Mail Service/ -header __IMS_MSGID MESSAGEID =~ /^<[A-F\d]{36,40}\@\S+>$/m -meta FORGED_MUA_IMS (__IMS_MUA && !__IMS_MSGID && !__UNUSABLE_MSGID) -describe FORGED_MUA_IMS Forged mail pretending to be from IMS - -# Message ID format introduced by Vista MAPI, maybe also Windows 2003 Server SP2 -header __VISTA_MSGID MESSAGEID =~ /^<[A-F\d]{32}\@\S+>$/m - -# Outlook Express 4, 5, and 6 -header __OE_MUA X-Mailer =~ /\bOutlook Express [456]\./ -header __OE_MSGID_1 MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m -header __OE_MSGID_2 MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m -meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__UNUSABLE_MSGID) - -# Outlook versions that usually use "dollar signs" -header __OUTLOOK_DOLLARS_MUA X-Mailer =~ /^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\./ -header __OUTLOOK_DOLLARS_OTHER MESSAGEID =~ /^<\!\~\!/m -meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID) -# use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60 - -# bug 7567: obviously fake Outlook X-Mailer -header __OUTLOOK_FAKE_MUA X-Mailer =~ /^Outlook$/ - -# bug 5496: avoid some FPs -header __FMO_EXCL_O3416 X-Mailer =~ /^Microsoft Outlook, Build 10.0.3416$/ -header __FMO_EXCL_OE3790 X-Mailer =~ /^Microsoft Outlook Express 6.00.3790.3959$/ -# bug 5910: __VISTA_MSGID also now used by Outlook Express from XP SP3 -# -meta FORGED_MUA_OUTLOOK ((__FORGED_OE || __FORGED_OUTLOOK_DOLLARS || __OUTLOOK_FAKE_MUA) && !__FMO_EXCL_O3416 && !__FMO_EXCL_OE3790 && !__VISTA_MSGID) -describe FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook - -# Outlook IMO (Internet Mail Only) -header __OIMO_MUA X-Mailer =~ /Outlook IMO/ -header __OIMO_MSGID MESSAGEID =~ /^<[A-P]{28}\.[-\w.]+\@\S+>$/m -meta FORGED_MUA_OIMO (__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID) -describe FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO - -# Not Ratware... - -header __HAS_X_LOOP exists:X-Loop -header __HAS_X_MAILING_LIST exists:X-Mailing-List -header __HAS_X_MAILMAN_VERSION exists:X-Mailman-Version -describe MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -meta MAILING_LIST_MULTI __HAS_X_LOOP + __HAS_X_MAILING_LIST + __HAS_X_MAILMAN_VERSION + __HAS_X_BEEN_THERE +__DOS_HAS_LIST_UNSUB + __ML1 + __ML2 + __ML3 + __ML4 + __ML5 > 2 -tflags MAILING_LIST_MULTI nice - -# QUALCOMM Eudora -# Note: uses X_LOOP and X_MAILING_LIST as subrules -# X-Mailer: QUALCOMM Windows Eudora Version 5.0 (and 5.1) -# X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 -# updated to fix bugs 2047, 2598, 2654 -# NOTE: this is the *only* spammish Eudora MUA pattern that wasn't -# ignored using __OLD_EUDORA1 and __OLD_EUDORA2 under previous rules. -# v7 can't be tested, as it sometimes doesn't generate MID -header __EUDORA_MUA X-Mailer =~ /^QUALCOMM Windows Eudora (?:Pro |Light )?Version [3456]\./ -header __EUDORA_MSGID MESSAGEID =~ /^<(?:\d\d?\.){3,5}\d{14}\.[a-f0-9]{8}\@\S+(?:\sport\s\d+)?>$/m -meta FORGED_MUA_EUDORA __EUDORA_MUA && !( __EUDORA_MSGID || __UNUSABLE_MSGID || MAILING_LIST_MULTI || MSGID_FROM_MTA_HEADER ) -describe FORGED_MUA_EUDORA Forged mail pretending to be from Eudora - -# From private mail with developers. Some top tips here! -header __THEBAT_MUA X-Mailer =~ /^The Bat!/ -header __THEBAT_MUA_V1 X-Mailer =~ /^The Bat! \(v1\./ -#header __THEBAT_MUA_V2 X-Mailer =~ /^The Bat! \(v2\./ -#header __THEBAT_MUA_V3 X-Mailer =~ /^The Bat! \(v3\./ -header __CTYPE_CHARSET_QUOTED Content-Type =~ /charset=\"/i -header __CTYPE_HAS_BOUNDARY Content-Type =~ /boundary/i -header __BAT_BOUNDARY Content-Type =~ /boundary=\"-{10}[A-F0-9]{4,}\"/ -header __MAILMAN_21 X-Mailman-Version =~ /\d/ -meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED && !__MAILMAN_21) -meta FORGED_MUA_THEBAT_BOUN (__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21) -describe FORGED_MUA_THEBAT_CS Mail pretending to be from The Bat! (charset) -describe FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary) - -# bug 4649: bulk mail sent via Yahoo! often looks forged, even when it is not -header __YAHOO_BULK Received =~ /from \[\S+\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/ - -meta FORGED_OUTLOOK_HTML (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && MIME_HTML_ONLY) -describe FORGED_OUTLOOK_HTML Outlook can't send HTML message only - -# bug 2525: FORGED_IMS_HTML fp'ing because new IMS *DOES* use text/html -# ctype. ARGH. This was noted in build 5.5.2656.59, so permit builds -# after that to get away with it. -header __IMS_HTML_BUILDS X-Mailer =~ /^Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/ -header __IMS_HTML_RCVD Received =~ /\bby \S+ with Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/ -meta FORGED_IMS_HTML (!__YAHOO_BULK && __IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD)) -describe FORGED_IMS_HTML IMS can't send HTML message only - -meta FORGED_THEBAT_HTML (__THEBAT_MUA_V1 && MIME_HTML_ONLY) -describe FORGED_THEBAT_HTML The Bat! can't send HTML message only - -# bug 2513 -header __REPTO_QUOTE Reply-To =~ /".*"\s*\</ -meta REPTO_QUOTE_AOL __REPTO_QUOTE && __AOL_MUA -describe REPTO_QUOTE_AOL AOL doesn't do quoting like this - -meta REPTO_QUOTE_IMS __REPTO_QUOTE && __IMS_MUA -describe REPTO_QUOTE_IMS IMS doesn't do quoting like this - -meta REPTO_QUOTE_MSN __REPTO_QUOTE && (__FROM_MSN_COM || __AT_MSN_MSGID) -describe REPTO_QUOTE_MSN MSN doesn't do quoting like this - -meta REPTO_QUOTE_QUALCOMM __REPTO_QUOTE && __ANY_QUALCOMM_MUA -describe REPTO_QUOTE_QUALCOMM Qualcomm/Eudora doesn't do quoting like this - -meta REPTO_QUOTE_YAHOO __REPTO_QUOTE && (__FROM_YAHOO_COM || __AT_YAHOO_MSGID) -describe REPTO_QUOTE_YAHOO Yahoo! doesn't do quoting like this - -# bug 1561 -# stronger version of USER_AGENT_APPLEMAIL -# Apple Mail doesn't send text/html at all (unless it's an attachment) -# It'll send text/plain, or multipart/alternative with text/plain and -# text/enriched parts (boundary of "Apple-Mail-\d--\d+"). It can, however, -# send a multipart/mixed with a single text/html attachment, so don't use -# MIME_HTML_ONLY. -# perhaps limit CTYPE to "text/plain", "multipart/alternative" with -# "text/plain" and "text/enhanced", or "multipart/mixed"? -# bug 4223: expand for new Apple Mail version format -header __X_MAILER_APPLEMAIL X-Mailer =~ /^Apple Mail \(\d\.\d+(?:\.\d+)?\)$/ -header __MSGID_APPLEMAIL Message-Id =~ /^<[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\@\S+>$/ -header __MIME_VERSION_APPLEMAIL Mime-Version =~ /^1\.0 \(Apple Message framework v\d+(?:\.\d+)?\)$/ -meta __USER_AGENT_APPLEMAIL !__CTYPE_HTML && __X_MAILER_APPLEMAIL && (__MSGID_APPLEMAIL || __MIME_VERSION_APPLEMAIL) - -# 2003-02-23: quinlan -# some useful meta rule sub-elements -header __CTYPE_HTML Content-Type =~ /text\/html/i -header __ANY_IMS_MUA X-Mailer =~ /^Internet Mail Service\b/ -header __ANY_OUTLOOK_MUA X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/ - -header __ANY_QUALCOMM_MUA X-Mailer =~ /\bQUALCOMM\b/ -meta FORGED_QUALCOMM_TAGS (__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML) -describe FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this format - -meta FORGED_IMS_TAGS (!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY)) -describe FORGED_IMS_TAGS IMS mailers can't send HTML in this format - -meta FORGED_OUTLOOK_TAGS (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY)) -describe FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format - -# Send-Safe ratware (idea from Alan Curry) -# random alphanumerics, separated into groups of 16 by dashes (the first -# and last group may be shorter), with a lowercase "l" and a number -# appended. The final number is the length of the whole string not -# including the dashes or the "l<number>". Why? I have no idea. It's -# not a tracking code - the spamware does not save it locally. -# -# jm: it's specifically to throw off MIME base64 encoding, to evade AOL's -# filters. -# -# http://groups.google.com/groups?selm=atp1ip0n22%40enews3.newsguy.com -rawbody RATWARE_HASH_DASH /[a-z\d]-[a-z\d]{16}-[a-z\d]{1,16}(?-i:l)\d/i -describe RATWARE_HASH_DASH Contains a hashbuster in Send-Safe format - -######################################################################## -# Most ratware uses message templates I would guess. -# Here's two popular ones... - -######################################################################## -# This ratware always uses a +0000 TZ in the Date header, and has a multiplicity -# of From: header formats. ("From" header samples from Steven Champeon -# <schampeo.hesketh.com> via the spamtools.lists.abuse.net and SPAM-L lists). -# -# "First Last" <firstlast_[a-z][a-z]@somedomain> 1 -# "First Last" <firstlast[a-z][a-z]@somedomain> 1 -# "First Last" <first.last[a-z][a-z]@somedomain> 1 -# "First Last" <first_last[a-z][a-z]@somedomain> 1 -# "First Last" <first_last_[a-z][a-z]@somedomain> 1 -# "First Last" <flast_[a-z][a-z]@somedomain> 2 -# "First Last" <flast[a-z][a-z]@somedomain> 2 -# "First Last" <f.last_[a-z][a-z]@somedomain> 2 -# "First Last" <f.last[a-z][a-z]@somedomain> 2 -# "First Last" <f_last[a-z][a-z]@somedomain> 2 -# "First Last" <last[a-z][a-z]@somedomain> 3 -# "First M. Last" <firstlast_[a-z][a-z]@somedomain> 4 -# "First M. Last" <firstlast[a-z][a-z]@somedomain> 4 -# "First M. Last" <first.m.last[a-z][a-z]@somedomain> 5 -# "First M. Last" <firstmlast[a-z][a-z]@somedomain> 5 -# "First M. Last" <firstmlast_[a-z][a-z]@somedomain> 5 -# "First M. Last" <fmlast_[a-z][a-z]@somedomain> 6 -# "First M. Last" <mlast[a-z][a-z]@somedomain> 7 -# "First M. Last" <m.last[a-z][a-z]@somedomain> 7 -header __0_TZ_1 From =~ /^\"(\w)(\w+) (\w+)\" <\1\2[\._]?\3_?[a-z][a-z]\@/i -header __0_TZ_2 From =~ /^\"(\w)(\w+) (\w+)\" <\1[\._]?\3_?[a-z][a-z]\@/i -header __0_TZ_3 From =~ /^\"(\w)(\w+) (\w+)\" <\3_?[a-z][a-z]\@/i -header __0_TZ_4 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\4_?[a-z][a-z]\@/i -header __0_TZ_5 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\3[\._]?\4_?[a-z][a-z]\@/i -header __0_TZ_6 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\3\4_?[a-z][a-z]\@/i -header __0_TZ_7 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\3[\._]?\4_?[a-z][a-z]\@/i - -header __RATWARE_0_TZ_DATE Date =~ / \+0000$/ - -meta RATWARE_ZERO_TZ (__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7)) -describe RATWARE_ZERO_TZ Bulk email fingerprint (+0000) found - - -header X_MESSAGE_INFO exists:X-Message-Info -describe X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found - -# case-sensitive rule -# only significant rules with no FPs, hit recently, on 2+ corpuses -header HEADER_SPAM ALL =~ /^(Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m -describe HEADER_SPAM Bulk email fingerprint (header-based) found - -header RATWARE_RCVD_PF Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s -describe RATWARE_RCVD_PF Bulk email fingerprint (Received PF) found - -header RATWARE_RCVD_AT Received =~ / by \S+\@\S+ with Microsoft SMTPSVC/ -describe RATWARE_RCVD_AT Bulk email fingerprint (Received @) found - -header __RCVD_WITH_EXCHANGE Received =~ /with Microsoft Exchange Server/ - -meta RATWARE_OUTLOOK_NONAME __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE -describe RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found - - - -header __MIMEOLE_MS X-MIMEOLE =~ /^Produced By Microsoft MimeOLE/ -meta RATWARE_MS_HASH __MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE -describe RATWARE_MS_HASH Bulk email fingerprint (msgid ms hash) found - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -header __GATED_THROUGH_RCVD_REMOVER eval:gated_through_received_hdr_remover() - -header __RATWARE_NAME_ID eval:check_ratware_name_id() -meta RATWARE_NAME_ID __RATWARE_0_TZ_DATE && __RATWARE_NAME_ID -describe RATWARE_NAME_ID Bulk email fingerprint (msgid from) found - -header RATWARE_EFROM eval:check_ratware_envelope_from() -describe RATWARE_EFROM Bulk email fingerprint (envfrom) found - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -body __MIME_HTML eval:check_for_mime_html() - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval - -body __TAG_EXISTS_BODY eval:html_tag_exists('body') -body __TAG_EXISTS_HEAD eval:html_tag_exists('head') -body __TAG_EXISTS_HTML eval:html_tag_exists('html') -body __TAG_EXISTS_META eval:html_tag_exists('meta') -body __TAG_EXISTS_STYLE eval:html_tag_exists('style') -body __TAG_EXISTS_SCRIPT eval:html_tag_exists('script') - -endif diff --git a/resources/spamassassin/20_uri_tests.cf b/resources/spamassassin/20_uri_tests.cf deleted file mode 100644 index 0f62be88..00000000 --- a/resources/spamassassin/20_uri_tests.cf +++ /dev/null @@ -1,123 +0,0 @@ -# SpamAssassin rules file: URI tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -# possible IDN spoofing attack: https://web.archive.org/web/20141006091906/https://www.shmoo.com/idn/homograph.txt -# not expecting any hits on this (yet) -uri HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i -tflags HIGH_CODEPAGE_URI userconf - -########################################################################### - -# Redirector URI patterns -redirector_pattern /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i -redirector_pattern /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i -redirector_pattern /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i -redirector_pattern /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i -redirector_pattern /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i -redirector_pattern m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i -redirector_pattern m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i - -uri NUMERIC_HTTP_ADDR m{^https?://[\d.]+(?:[:/?\#]|$)}i -describe NUMERIC_HTTP_ADDR Uses a numeric IP address in URL - -# Theo sez: -# Have gotten FPs off this, and whitespace can't be in the host, so... -# % Visit my homepage: http://i.like.foo.com % -# Also ignore some bad parses like http://foo.bar%20http://foo.bar -uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s\?\&\#\']*(?!%(?:20|3[cCeE])(?:https?:|mailto:))%[0-9a-fA-F][0-9a-fA-F]/ -describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname - -# look for URI with escaped 0-9, A-Z, or a-z characters (all other safe -# characters have been well-tested, but are sometimes unnecessarily escaped -# in nonspam; requiring "http" or "https" also reduces false positives). -uri HTTP_EXCESSIVE_ESCAPES /^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])/i -describe HTTP_EXCESSIVE_ESCAPES Completely unnecessary %-escapes inside a URL - -# bug 1801 -uri IP_LINK_PLUS m{^https?://\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id=)}i -describe IP_LINK_PLUS Dotted-decimal IP address followed by CGI - -# allow ports 80 and 443 which are http and https, respectively -# we don't want to hit http://www.cnn.com:USArticle1840@www.liquidshirts.com/ -# though, which actually doesn't have a weird port in it. -uri WEIRD_PORT m{https?://[^/?\s]+?:\d+(?<!:80)(?<!:443)(?<!:8080)(?:/|\s|$)} -describe WEIRD_PORT Uses non-standard port number for HTTP - -# Matt Cline -# Pretty good for most folks, except for jm: I have a really stupid -# e-commerce bunch obfuscating their URLs with this for some reason. screw 'em -# jm: hesitant to remove this outright; it should be good against phishers -#uri HTTP_ENTITIES_HOST m{https?://[^\s\">/]*\&\#[\da-f]+}i -#describe HTTP_ENTITIES_HOST URI obscured with character entities - -uri YAHOO_RD_REDIR m{^https?\://rd\.yahoo\.com/(?:[0-9]{4}|partner\b|dir\b)}i -describe YAHOO_RD_REDIR Has Yahoo Redirect URI - -uri YAHOO_DRS_REDIR m{^https?://drs\.yahoo\.com/}i -describe YAHOO_DRS_REDIR Has Yahoo Redirect URI - -# "www" hidden as "%77%77%77", "ww%77", etc. -# note: *not* anchored to start of string, to catch use of redirectors -uri HTTP_77 /http:\/\/.{0,2}\%77/ -describe HTTP_77 Contains an URL-encoded hostname (HTTP77) - -# a.com.b.c -uri SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com|\w+\.psmtp\.com)(?:\w+\.){2}}i -describe SPOOF_COM2OTH URI contains ".com" in middle - -# a.com.b.com -uri __SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com|\w+\.psmtp\.com)(?:\w+\.)+?com\b}i -meta SPOOF_COM2COM __SPOOF_COM2COM && !SPOOF_COM2OTH -describe SPOOF_COM2COM URI contains ".com" in middle and end - -# a.net.b.com -uri SPOOF_NET2COM m{^https?://(?:\w+\.)+?(?:net|org)\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com)(?:\w+\.)+?com\b}i -describe SPOOF_NET2COM URI contains ".net" or ".org", then ".com" - -uri URI_HEX m%^https?://[^/?&\#]*\b(?![0-9a-f]{0,12}[a-f]{3})[0-9a-f]{6,}\b%i -describe URI_HEX URI hostname has long hexadecimal sequence - -uri URI_NOVOWEL m%^https?://[^/?&\#]*[bcdfgjklmnpqrstvwxz]{7}%i -describe URI_NOVOWEL URI hostname has long non-vowel sequence -tflags URI_NOVOWEL userconf # lock scores low - -uri URI_UNSUBSCRIBE /\b(?:gone|opened|out)\.php/i -describe URI_UNSUBSCRIBE URI contains suspicious unsubscribe link - - -# bug 3896: URIs in various TLDs, other than 3rd level www -uri URI_NO_WWW_INFO_CGI /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i -describe URI_NO_WWW_INFO_CGI CGI in .info TLD other than third-level "www" - -uri URI_NO_WWW_BIZ_CGI /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.biz\/(?=\S{15,})\S*\?/i -describe URI_NO_WWW_BIZ_CGI CGI in .biz TLD other than third-level "www" - -########################################################################### - -uri NORMAL_HTTP_TO_IP m{^https?://(?!1(?:0|27|69\.254|72\.(?:1[6-9]|2\d|3[01])|92\.168)\.)\d+\.\d+\.\d+\.\d+\b(?![.-])}i -describe NORMAL_HTTP_TO_IP URI host has a public dotted-decimal IPv4 address - diff --git a/resources/spamassassin/20_vbounce.cf b/resources/spamassassin/20_vbounce.cf deleted file mode 100644 index aa2a50a1..00000000 --- a/resources/spamassassin/20_vbounce.cf +++ /dev/null @@ -1,338 +0,0 @@ -# A virus-bounce ruleset, suitable for use by anyone receiving a lot of joe-job -# virus-blowback, or spam-blowback bounce messages. -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### -# -# If you use this, set up procmail or your mail app to spot the -# "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move -# messages that match that to a 'vbounce' folder. -# -# You should also add 'welcomelist_bounce_relays' lines, describing the names of -# your own outgoing mail relays, like so: -# -# welcomelist_bounce_relays dogma.boxhost.net -# -# This is used to 'rescue' legitimate bounce messages that were generated in -# response to mail you really *did* send. If you don't do this, the -# "BOUNCE_MESSAGE" rule will not fire. See 'perldoc VBounce.pm' for more -# details. -# -# This ruleset is substantially based on -# https://www.timj.co.uk/linux/bogus-virus-warnings.cf ; the main difference is -# that I (jm) prefer to keep bounces and spam separate, so it now uses a single -# rule for each type of message, instead of having multiple individual rules -# with high scores. That way, you can spot the individual rule names, as -# described in the paragraph above. There's a couple of rules that were FPing, -# too, so I fixed or removed them; and there's been substantial additions, too. -# -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::VBounce - - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - body __MY_SERVERS_FOUND eval:check_welcomelist_bounce_relays() -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - body __MY_SERVERS_FOUND eval:check_whitelist_bounce_relays() -endif - -body __HAVE_BOUNCE_RELAYS eval:have_any_bounce_relays() - -# --------------------------------------------------------------------------- -# General bounce messages - -header __BOUNCE_FROM_DAEMON From =~ /(?:^(?:mail\S+daemon|d[ae][ae]mon|majordomo|postmaster|automated-response|mailadmin|mailmaster|surfcontrol|You_Got_Spammed|SMTP.gateway)\@|scanner\S*\@|<>)/i - -header __BOUNCE_RPATH_NULL Return-Path =~ /<>/ -header __BOUNCE_READ_NOTIFICATION Subject =~ /^Read: / - -header __BOUNCE_RPATH_MD Return-Path =~ /(?:mailer-(?:daemon|deamon)|quotaagent|pleaseforward|autoresponder|autoresponse-\S+|devnull\S*)\@/i - -# can appear in non-bounce mails with __XM_VBULLETIN, -# or with X-Cron-Env headers, so exclude those cases -header __XM_VBULLETIN X-Mailer =~ /^vBulletin Mail/ -header __X_CRON_ENV X-Cron-Env =~ /^</ - -header __AUTO_GEN_MS exists:X-MS-Embedded-Report -header __AUTO_GEN_AG exists:X-autogenerated -header __AUTO_GEN_CM exists:X-Choicemail-Registration-Request -header __AUTO_GEN_3 X-MailScanner =~ /generated/ -header __AUTO_GEN_4 X-Mailer =~ /autoresponder/i -header __AUTO_GEN_XXSP X-XSP-Msgclass =~ /NOTIFICATION/ -header __AUTO_GEN_PREC Precedence =~ /auto/ -meta __BOUNCE_AUTO_GENERATED ((__AUTO_GEN_MS||__AUTO_GEN_3||__AUTO_GEN_4||__AUTO_GEN_AG||__AUTO_GEN_XXSP ||__AUTO_GEN_CM||__AUTO_GEN_PREC) && !__XM_VBULLETIN && !__X_CRON_ENV) - -header __BOUNCE_Y_AUTOGEN Subject =~ /^Yahoo! Auto Response/ -header __BOUNCE_SYMANTEC Subject =~ /^Returned mail.{0,5}(?:Error During Delivery|see transcript for details|)$/i -header __BOUNCE_X_ERR_STAT X-Error-Status =~ /User unknown/ -header __BOUNCE_RETURNED Subject =~ /^Returned mail: (?:User unknown|unreachable recipients)/ -header __BOUNCE_MAILDELFAIL Subject =~ /^Mail delivery failed: / -header __BOUNCE_MSGDELFAIL Subject =~ /^Message Delivery Failure/ -body __BOUNCE_ESMTP /^This messages was created automatically by mail delivery software/ -# JM: prev versions used "automaticly", that was a typo - -body __BOUNCE_NEVER_SEE /\bThis is an autoresponder. I'll never see your message\b/i -body __BOUNCE_NONWORKING /\bYou have reached a non.?working address. Please check\b/i - -header __BOUNCE_UNDELIVERABLE Subject =~ /^Undeliverable(?: -|:) / -header __BOUNCE_UNDELIVERABLE_ML Subject =~ /^Undeliver(?:able|ed) Mail\b/ -header __BOUNCE_NOTDEL Subject =~ /^MESSAGE NOT DELIVERED: / -header __BOUNCE_ADDR_ERR Subject =~ /^e-mail addressing error \(/ -header __BOUNCE_NO_VAL Subject =~ /^No valid recipient in / -header __BOUNCE_DATA_FORMAT Subject =~ /^Returned mail: Data format error$/ -header __BOUNCE_COULD_NOT Subject =~ /^Mail could not be delivered$/ -header __BOUNCE_UNDEL_MSG Subject =~ /^Undeliverable (?:Message|Mail)$/ -header __BOUNCE_CTYPE Content-Type =~ /\bmultipart\/report\b/ -header __BOUNCE_DEL_FAIL Subject =~ /^Delivery Failure Notification/ -header __BOUNCE_STAT_FAIL Subject =~ /^Delivery Status Notification/ - -header __BOUNCE_NOTIF Subject =~ /^Notification d\'.tat de la distribution$/ -header __BOUNCE_RET_MAIL Subject =~ /^Returned Mail$/ -header __BOUNCE_DEL_FAIL Subject =~ /^DELIVERY FAILURE/i -header __BOUNCE_MAIL_DEL_FAIL Subject =~ /^Mail Delivery Failure$/ - -header __NONBOUNCE_READ_RECEIPT_CTYPE Content-Type =~ /\breport-type=disposition-notification\b/ -# bug 6051, some bounces *do* use that ctype -header __YESBOUNCE_AUTO_REPLIED_REJ Auto-Submitted =~ /^auto-replied \(rejected\)/ -meta __NONBOUNCE_READ_RECEIPT (__NONBOUNCE_READ_RECEIPT_CTYPE && !__YESBOUNCE_AUTO_REPLIED_REJ) - -# Return-path: <delete@errmail.kagoya.net> -# 'Invalid e-mail address.' -header __BOUNCE_RPATH_ERRMAIL Return-Path =~ /delete\@errmail\./i - -header __BOUNCE_AUTO_RESPOND Subject =~ /^(?:Automatically Generated Response from |Auto-Respond E-Mail from )/ -header __BOUNCE_AUTO_RESPONSE Subject =~ /^automated response$/i -body __BOUNCE_ETRUST /^eTrust Secure Content Manager SMTPMAIL could not deliver the e-mail / -header __BOUNCE_INTERSCAN From =~ /\bInterscan MSS Notification\b/ - -body __BOUNCE_NO_RESEND /\bPlease do not resend your original message\./ - -header __BOUNCE_AUTO_REPLY Subject =~ /\b(automatic reply|AutoReply)\b/ - -meta BOUNCE_MESSAGE __HAVE_BOUNCE_RELAYS && !OOOBOUNCE_MESSAGE && !__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON || (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_STAT_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND || __BOUNCE_NOTIF || __BOUNCE_RET_MAIL || __BOUNCE_DEL_FAIL || __BOUNCE_MAIL_DEL_FAIL || __BOUNCE_AUTO_REPLY) - -describe BOUNCE_MESSAGE MTA bounce message - -# --------------------------------------------------------------------------- -# Out Of Office bounces - -# Do not use subject/body rules without checking for autoreply headers also -header __AUTOREPLY_XAR X-Autoreply =~ /\byes/i -header __AUTOREPLY_PRE Precedence =~ /\bauto_reply/i -header __AUTOREPLY_XPR X-Precedence =~ /\bauto_reply/i -header __AUTOREPLY_ASU Auto-Submitted =~ /\bauto-(?:replied|generated)(?! \(rejected\))/i -meta __BOUNCE_OOO_ARHDR __AUTOREPLY_XAR || __AUTOREPLY_PRE || __AUTOREPLY_XPR || __AUTOREPLY_ASU - -# Standalone subjects that are clearly out of office -header __BOUNCE_OOO_S1 Subject =~ /^R.ponse automatique d'absence du bureau/ -header __BOUNCE_OOO_S2 Subject =~ / \(away from the office\)$/ -header __BOUNCE_OOO_S3 Subject =~ /^Out Of Office\b/ -meta __BOUNCE_OOO_SUBJECT __BOUNCE_OOO_S1 || __BOUNCE_OOO_S2 || __BOUNCE_OOO_S3 - -# Standalone body clauses that are clearly out of office -body __BOUNCE_OOO_B1 /\bI ?.m away until .{10,20} and am unable to read your message\b/ -body __BOUNCE_OOO_B2 /\bI am currently out of the office\b/ -meta __BOUNCE_OOO_BODY __BOUNCE_OOO_B1 || __BOUNCE_OOO_B2 - -# Combined subject+body checks -header __BOUNCE_OOO_CS1 Subject =~ /^Automa(?:tic reply|attinen vastaus|tisch antwoord):/ -body __BOUNCE_OOO_CB1 /\bout of (?:the )?office\b/i -body __BOUNCE_OOO_CB2 /\bon (?:vacation|holiday)\b/i -body __BOUNCE_OOO_CB3 /\bolen lomalla\b/i -body __BOUNCE_OOO_CB4 /\breturn to (?:the )?office\b/i -meta __BOUNCE_OOO_SUBJBODY __BOUNCE_OOO_CS1 && (__BOUNCE_OOO_CB1 || __BOUNCE_OOO_CB2 || __BOUNCE_OOO_CB3 || __BOUNCE_OOO_CB4) - -meta OOOBOUNCE_MESSAGE __BOUNCE_OOO_ARHDR && (__BOUNCE_OOO_SUBJECT || __BOUNCE_OOO_BODY || __BOUNCE_OOO_SUBJBODY) - -describe OOOBOUNCE_MESSAGE Out Of Office bounce message - -# --------------------------------------------------------------------------- -# Challenge/Response bounces - -header __CRBOUNCE_UOL From =~ /\bAntiSpam UOL\b/ -header __CRBOUNCE_VERIF Subject =~ /^(?:Your email requires verification verify:\S|Please Verify Your Email Address)/ -header __CRBOUNCE_RP Return-Path =~ /<(?:spamblocker-challenge|spambush|apd\.sspam|spamhippo|devnull-quarantine)\@/i -header __CRBOUNCE_RP_2 Return-Path =~ /\@(?:spamstomp\.com|ipermitmail\.com)>$/i -header __CRBOUNCE_VANQ From =~ /<confirm-\S+\@spamguard\.vanquish\.com>/ -header __CRBOUNCE_QURB Subject =~ /\[Qurb .\d+\]$/ - -uri __CRBOUNCE_0SPAM1 /^http:\/\/www\.0spam\.com\/v/ -header __CRBOUNCE_0SPAM2 From:addr =~ /^verify\@0spam.com$/ -meta __CRBOUNCE_0SPAM (__CRBOUNCE_0SPAM1 && __CRBOUNCE_0SPAM2) - -header __CRBOUNCE_SPAMARREST exists:X-Spamarrest-noauth - -# https://mailinblack.com , a French C/R system with no other reliable -# signatures. annoying! -header __CRBOUNCE_MIB Content-Type =~ /mUlTiPaRtBoUnDaRy_MailInBlack/ - -uri __CRBOUNCE_SI1 m,^http://si20.com/auth, -header __CRBOUNCE_SI2 From:addr =~ /^siweb\@si20\.com/ -meta __CRBOUNCE_SI (__CRBOUNCE_SI1 && __CRBOUNCE_SI2) - -# very frequent, using unrelated From lines; either spam or C/R, not yet -# sure which -header __CRBOUNCE_GETRESP Return-Path =~ /<bounce\S+\@\S+\.getresponse\.com>/ - -header __CRBOUNCE_TMDA Message-Id =~ /\@\S+\-tmda\-confirm>$/ -header __CRBOUNCE_ASK X-AskVersion =~ /\d/ -header __CRBOUNCE_SZ X-Spamazoid-MD =~ /\d/ -header __CRBOUNCE_SPAMLION Spamlion =~ /\S/ - -# something called /cgi-bin/notaspammer does this! -header __CRBOUNCE_PREC_SPAM Precedence =~ /spam/ - -header __AUTO_GEN_XBT exists:X-Boxtrapper -header __AUTO_GEN_BBTL exists:X-Bluebottle-Request -meta __CRBOUNCE_HEADER (__AUTO_GEN_XBT || __AUTO_GEN_BBTL) - -header __CRBOUNCE_EXI X-ExiSpam =~ /ExiSpam/ - -header __CRBOUNCE_UNVERIF Subject =~ /^Unverified email to / -header __CRBOUNCE_BLOCKED Subject =~ /^\*\*Message you sent blocked by our bulk email filter\*\*$/ - -meta __CHALLENGE_RESPONSE __CRBOUNCE_UOL || __CRBOUNCE_VERIF || __CRBOUNCE_RP || __CRBOUNCE_VANQ || __CRBOUNCE_HEADER || __CRBOUNCE_QURB || __CRBOUNCE_0SPAM || __CRBOUNCE_GETRESP || __CRBOUNCE_TMDA || __CRBOUNCE_ASK || __CRBOUNCE_EXI || __CRBOUNCE_PREC_SPAM || __CRBOUNCE_SZ || __CRBOUNCE_SPAMLION || __CRBOUNCE_MIB || __CRBOUNCE_SI || __CRBOUNCE_UNVERIF || __CRBOUNCE_RP_2 || __CRBOUNCE_BLOCKED || __CRBOUNCE_SPAMARREST -meta CHALLENGE_RESPONSE __MY_SERVERS_FOUND && __CHALLENGE_RESPONSE -describe CHALLENGE_RESPONSE Challenge-Response message for mail you sent - -meta CRBOUNCE_MESSAGE !__MY_SERVERS_FOUND && __CHALLENGE_RESPONSE -describe CRBOUNCE_MESSAGE Challenge-Response bounce message - -# --------------------------------------------------------------------------- -# "Virus found in your mail" bounces - -# source: VirusBounceRules from the exit0 SA wiki - -body __VBOUNCE_EXIM /a potentially executable attachment / -body __VBOUNCE_STRIP_ATTACH /\bhas stripped one or more attachments from the following message\b/ -body __VBOUNCE_GUIN /message contains file attachments that are not permitted/ -body __VBOUNCE_CISCO /^Found virus \S+ in file \S/m -body __VBOUNCE_SMTP /host \S+ said: 5\d\d\s+Error: Message content rejected/ -body __VBOUNCE_AOL /TRANSACTION FAILED - Unrepairable Virus Detected. / -body __VBOUNCE_DUTCH /bevatte bijlage besmet welke besmet was met een virus/ -body __VBOUNCE_MAILMARSHAL /Mail.?Marshal Rule: Inbound Messages : Block Dangerous Attachments/ -header __VBOUNCE_MAILMARSHAL2 Subject =~ /^MailMarshal has detected possible spam in your message/ -header __VBOUNCE_NAVFAIL Subject =~ /^Norton Anti.?Virus failed to scan an attachment in a message you sent/ -header __VBOUNCE_REJECTED Subject =~ /^EMAIL REJECTED$/ -header __VBOUNCE_PROBLEME Subject:raw =~ /^=?iso-8859-1?Q?Messagerie_.{1,100}_=3A_probl=E8me_de_s=E9curit=E9=2E?=/ -header __VBOUNCE_NAV Subject =~ /^Norton Anti.?Virus detected and quarantined/ -header __VBOUNCE_MELDING Subject =~ /^Virusmelding$/ -body __VBOUNCE_VALERT /The mail message \S+ \S+ you sent to \S+ contains the virus/ -body __VBOUNCE_REJ_FILT /Reason: Rejected by filter/ -header __VBOUNCE_YOUSENT Subject =~ /^Warning - You sent a Virus Infected Email to / -body __VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or more virus/ -header __VBOUNCE_SCREENSAVER Subject =~ /\b(?:Re: ?)Wicked screensaver\b/i -header __VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/ -header __VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/ -header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i -header __VBOUNCE_DETECTED Subject =~ /^Virus detected /i -header __VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i -header __VBOUNCE_VIOLATION Subject =~ /^Content violation/i -header __VBOUNCE_ALERT Subject =~ /^Virus Alert\b/i -header __VBOUNCE_NAV2 Subject =~ /^NAV detected a virus in a document / -body __VBOUNCE_NAV3 /^Reporting-MTA: Norton Anti.?Virus Gateway/ -header __VBOUNCE_INTERSCAN2 Subject =~ /^InterScan MSS for SMTP has delivered a message/ -header __VBOUNCE_INTERSCAN3 Subject =~ /^InterScan NT Alert/ -header __VBOUNCE_ANTIGEN Subject =~ /^Antigen found\b/i -header __VBOUNCE_LUTHER From =~ /\blutherh\@stratcom.com\b/ -header __VBOUNCE_AMAVISD Subject =~ /^VIRUS IN YOUR MAIL /i -body __VBOUNCE_AMAVISD2 /\bV I R U S\b/ -header __VBOUNCE_GSHIELD Subject =~ /^McAfee GroupShield Alert/ - -# off: got an FP in a simple forward -# rawbody __VBOUNCE_SUBJ_IN_MAIL /^\s*Subject:\s*(Re: )*((my|your) )?(application|details)/i -# rawbody __VBOUNCE_SUBJ_IN_MAIL2 /^\s*Subject:\s*(Re: )*(Thank you!?|That movie|Wicked screensaver|Approved)/i - -header __VBOUNCE_SCANMAIL Subject =~ /^Scan.?Mail Message: .{0,30} virus found /i -header __VBOUNCE_DOMINO1 Subject =~ /^Report to Sender/ -body __VBOUNCE_DOMINO2 /^Incident Information:/ -header __VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/ - -body __VBOUNCE_ATTACHMENT0 /(?:Attachment.{0,40}was Deleted|the infected attachment)/ -# Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages. - -body __VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i -header __VBOUNCE_SENDER Subject =~ /^Virus to sender/ -body __VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i - -header __VBOUNCE_MAILSWEEP3 From =~ /\bmailsweeper\b/i -# Bart says: This one could replace both MAILSWEEP2 and MAILSWEEP as far as I can tell. -# Perhaps it's too general? - -body __VBOUNCE_CLICKBANK /\bvirus scanner deleted your message\b/i -header __VBOUNCE_FORBIDDEN Subject =~ /\bFile type Forbidden\b/ -header __VBOUNCE_MMS Subject =~ /^MMS Notification/ -# added by JoeyKelly - -header __VBOUNCE_JMAIL Subject =~ /^Message Undeliverable: Possible Junk\/Spam Mail Identified$/ - -body __VBOUNCE_QUOTED_EXE /> TVqQAAMAAAAEAAAA/ - -# majordomo is really stupid about this stuff -header __MAJORDOMO_SUBJ Subject =~ /^Majordomo results: / -rawbody __MAJORDOMO_HELP_BODY /\*\*\*\* Help for [mM]ajordomo\@/ -rawbody __MAJORDOMO_HELP_BODY2 /\*\*\*\* Command \'.{0,80}\' not recognized\b/ -meta __VBOUNCE_MAJORDOMO_HELP (__MAJORDOMO_SUBJ && __MAJORDOMO_HELP_BODY && __MAJORDOMO_HELP_BODY2) - -header __VBOUNCE_AV_RESULTS Subject =~ /AntiVirus scan results/ -header __VBOUNCE_EMVD Subject =~ /^Warning: E-mail viruses detected/ -header __VBOUNCE_UNDELIV Subject =~ /^Undeliverable mail, invalid characters in header/ -header __VBOUNCE_BANNED_MAT Subject =~ /^Banned or potentially offensive material/ -header __VBOUNCE_NAV_DETECT Subject =~ /^Norton AntiVirus detected and quarantined/ -header __VBOUNCE_DEL_WARN Subject =~ /^Delivery (?:warning|error) report id=/ -header __VBOUNCE_MIME_INFO Subject =~ /^The MIME information you requested/ -header __VBOUNCE_EMAIL_REJ Subject =~ /^EMAIL REJECTED/ -header __VBOUNCE_CONT_VIOL Subject =~ /^Content violation/ -header __VBOUNCE_SYM_AVF Subject =~ /^Symantec AVF detected / -header __VBOUNCE_SYM_EMP Subject =~ /^Symantec E-Mail-Proxy / -header __VBOUNCE_VIR_FOUND Subject =~ /^Virus Found in message/ -header __VBOUNCE_INFLEX Subject =~ /^Inflex scan report \[/ -header __VBOUNCE_BITDEFENDER X-Mailer =~ /^BitDefender VShield/ -header __VBOUNCE_INF_ATTACH Subject =~ /^\[Mail Delivery .{20,100} infected attachment *removed/ - -header __VBOUNCE_RAPPORT Subject =~ /^Spam rapport \/ Spam report \S+ -\s+\(\S+\)$/ -header __VBOUNCE_GWAVA Subject =~ /^GWAVA Sender Notification \(RBL block\)$/ -header __VBOUNCE_GWAVA2 Subject =~ /Blocked Message \(RBL block\)$/ - -header __VBOUNCE_EMANAGER Subject =~ /^\[MailServer Notification\]/ -header __VBOUNCE_MSGLABS Return-Path =~ /alert\@notification\.messagelabs\.com/i -body __VBOUNCE_ATT_QUAR /\bThe attachment was quarantined\b/ -body __VBOUNCE_SECURIQ /\bGROUP securiQ.Wall\b/ - -header __VBOUNCE_PT_BLOCKED Subject =~ /^\*\*\*\s*Mensagem Bloqueada/i - -meta VBOUNCE_MESSAGE !__MY_SERVERS_FOUND && (__VBOUNCE_MSGLABS || __VBOUNCE_EXIM || __VBOUNCE_GUIN || __VBOUNCE_CISCO || __VBOUNCE_SMTP || __VBOUNCE_AOL || __VBOUNCE_DUTCH || __VBOUNCE_MAILMARSHAL || __VBOUNCE_MAILMARSHAL2 || __VBOUNCE_NAVFAIL || __VBOUNCE_REJECTED || __VBOUNCE_PROBLEME || __VBOUNCE_NAV || __VBOUNCE_MELDING || __VBOUNCE_VALERT || __VBOUNCE_REJ_FILT || __VBOUNCE_YOUSENT || __VBOUNCE_MAILSWEEP || __VBOUNCE_SCREENSAVER || __VBOUNCE_DISALLOWED || __VBOUNCE_FROMPT || __VBOUNCE_WARNING || __VBOUNCE_DETECTED || __VBOUNCE_INTERSCAN || __VBOUNCE_VIOLATION || __VBOUNCE_ALERT || __VBOUNCE_NAV2 || __VBOUNCE_NAV3 || __VBOUNCE_INTERSCAN2 || __VBOUNCE_INTERSCAN3 || __VBOUNCE_ANTIGEN || __VBOUNCE_LUTHER || __VBOUNCE_AMAVISD || __VBOUNCE_AMAVISD2 || __VBOUNCE_SCANMAIL || __VBOUNCE_DOMINO1 || __VBOUNCE_DOMINO2 || __VBOUNCE_RAV || __VBOUNCE_GSHIELD || __VBOUNCE_ATTACHMENT0 || __VBOUNCE_AVREPORT0 || __VBOUNCE_SENDER || __VBOUNCE_MAILSWEEP2 || __VBOUNCE_MAILSWEEP3 || __VBOUNCE_CLICKBANK || __VBOUNCE_FORBIDDEN || __VBOUNCE_MMS || __VBOUNCE_QUOTED_EXE || __VBOUNCE_MAJORDOMO_HELP || __VBOUNCE_AV_RESULTS || __VBOUNCE_EMVD || __VBOUNCE_UNDELIV || __VBOUNCE_BANNED_MAT || __VBOUNCE_NAV_DETECT || __VBOUNCE_DEL_WARN || __VBOUNCE_MIME_INFO || __VBOUNCE_EMAIL_REJ || __VBOUNCE_CONT_VIOL || __VBOUNCE_SYM_AVF || __VBOUNCE_SYM_EMP || __VBOUNCE_ATT_QUAR || __VBOUNCE_SECURIQ || __VBOUNCE_VIR_FOUND || __VBOUNCE_EMANAGER || __VBOUNCE_JMAIL || __VBOUNCE_GWAVA || __VBOUNCE_GWAVA2 || __VBOUNCE_PT_BLOCKED || __VBOUNCE_INFLEX || __VBOUNCE_INF_ATTACH || __VBOUNCE_STRIP_ATTACH || __VBOUNCE_BITDEFENDER) - -describe VBOUNCE_MESSAGE Virus-scanner bounce message - -# --------------------------------------------------------------------------- -# a catch-all type for all the above - -meta ANY_BOUNCE_MESSAGE (CRBOUNCE_MESSAGE||BOUNCE_MESSAGE||VBOUNCE_MESSAGE||OOOBOUNCE_MESSAGE) -describe ANY_BOUNCE_MESSAGE Message is some kind of bounce message - - -endif # Mail::SpamAssassin::Plugin::VBounce - diff --git a/resources/spamassassin/23_bayes.cf b/resources/spamassassin/23_bayes.cf deleted file mode 100644 index b0e4ca44..00000000 --- a/resources/spamassassin/23_bayes.cf +++ /dev/null @@ -1,83 +0,0 @@ -# SpamAssassin basic config file -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::Bayes - -body BAYES_00 eval:check_bayes('0.00', '0.01') -body BAYES_05 eval:check_bayes('0.01', '0.05') -body BAYES_20 eval:check_bayes('0.05', '0.20') -body BAYES_40 eval:check_bayes('0.20', '0.40') - -# note: tread carefully around 0.5... the Bayesian classifier -# will use that for anything it's unsure about, or if it's untrained. -body BAYES_50 eval:check_bayes('0.40', '0.60') - -body BAYES_60 eval:check_bayes('0.60', '0.80') -body BAYES_80 eval:check_bayes('0.80', '0.95') -body BAYES_95 eval:check_bayes('0.95', '0.99') -body BAYES_99 eval:check_bayes('0.99', '1.00') - -#Additional rule to add more of a score to BAYES_99 FOR 99.9% to 100% -body BAYES_999 eval:check_bayes('0.999', '1.00') - -tflags BAYES_00 nice learn -tflags BAYES_05 nice learn -tflags BAYES_20 nice learn -tflags BAYES_40 nice learn -tflags BAYES_50 learn -tflags BAYES_60 learn -tflags BAYES_80 learn -tflags BAYES_95 learn -tflags BAYES_99 learn -tflags BAYES_999 learn - -describe BAYES_00 Bayes spam probability is 0 to 1% -describe BAYES_05 Bayes spam probability is 1 to 5% -describe BAYES_20 Bayes spam probability is 5 to 20% -describe BAYES_40 Bayes spam probability is 20 to 40% -describe BAYES_50 Bayes spam probability is 40 to 60% -describe BAYES_60 Bayes spam probability is 60 to 80% -describe BAYES_80 Bayes spam probability is 80 to 95% -describe BAYES_95 Bayes spam probability is 95 to 99% -describe BAYES_99 Bayes spam probability is 99 to 100% -describe BAYES_999 Bayes spam probability is 99.9 to 100% - -priority BAYES_00 -90 -priority BAYES_05 -90 -priority BAYES_20 -90 -priority BAYES_40 -90 -priority BAYES_50 -90 -priority BAYES_60 -90 -priority BAYES_80 -90 -priority BAYES_95 -90 -priority BAYES_99 -90 -priority BAYES_99 -90 -priority BAYES_999 -90 - -endif diff --git a/resources/spamassassin/25_accessdb.cf b/resources/spamassassin/25_accessdb.cf deleted file mode 100644 index 94dff4c8..00000000 --- a/resources/spamassassin/25_accessdb.cf +++ /dev/null @@ -1,36 +0,0 @@ -# SpamAssassin rules file: accessdb tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::AccessDB - -# this code uses an access database (sendmail, postfix, etc.) -# Since you need to actively create an accessdb to use it, the plugin -# and rule is considered userconf and is disabled by default. -header ACCESSDB eval:check_access_database('/etc/mail/access.db') -describe ACCESSDB Message would have been caught by accessdb -tflags ACCESSDB userconf -score ACCESSDB 0 - -endif diff --git a/resources/spamassassin/25_antivirus.cf b/resources/spamassassin/25_antivirus.cf deleted file mode 100644 index aabb37a5..00000000 --- a/resources/spamassassin/25_antivirus.cf +++ /dev/null @@ -1,36 +0,0 @@ -# SpamAssassin - anti-virus rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Requires the Mail::SpamAssassin::Plugin::AntiVirus plugin be loaded. - -ifplugin Mail::SpamAssassin::Plugin::AntiVirus - -body MICROSOFT_EXECUTABLE eval:check_microsoft_executable() -describe MICROSOFT_EXECUTABLE Message includes Microsoft executable program - -body MIME_SUSPECT_NAME eval:check_suspect_name() -describe MIME_SUSPECT_NAME MIME filename does not match content - -endif # Mail::SpamAssassin::Plugin::AntiVirus diff --git a/resources/spamassassin/25_asn.cf b/resources/spamassassin/25_asn.cf deleted file mode 100644 index 448b88fd..00000000 --- a/resources/spamassassin/25_asn.cf +++ /dev/null @@ -1,45 +0,0 @@ -# SpamAssassin - ASN rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Requires the Mail::SpamAssassin::Plugin::ASN plugin be loaded. - -# This plugin queries asn.routeviews.org for ASN and route info and adds a -# header containing the data returned so that it can be used by the bayes -# tokenizer. See the plugin's POD docs for more info. - -# Apply default ASN rules for pre-4.0 clients only. -# Usage changed in 4.0: there is also direct GeoDB/GeoIP support, -# users should configure manually as described in plugin documentation. -ifplugin Mail::SpamAssassin::Plugin::ASN -if !(can(Mail::SpamAssassin::Plugin::ASN::has_check_asn)) - asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_ - add_header all ASN _ASN_ _ASNCIDR_ - - # IPv6 support (Bug 7211) - #if can(Mail::SpamAssassin::Plugin::ASN::has_asn_lookup_ipv6) - # asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_ - #endif -endif # !has_check_asn -endif # Mail::SpamAssassin::Plugin::ASN diff --git a/resources/spamassassin/25_dcc.cf b/resources/spamassassin/25_dcc.cf deleted file mode 100644 index daf5660f..00000000 --- a/resources/spamassassin/25_dcc.cf +++ /dev/null @@ -1,80 +0,0 @@ -# SpamAssassin rules file: dcc tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -## -## SpamAssassin 4.0.0 note: -## DCC rule priorities are automatically adjusted to -100 when dccifd in use -## (async lookup) -## - -ifplugin Mail::SpamAssassin::Plugin::DCC - -full DCC_CHECK eval:check_dcc() -describe DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) -tflags DCC_CHECK net autolearn_body -priority DCC_CHECK 10 -reuse DCC_CHECK - - -# to receive reputation data from DCC servers requires a commercial license -# Update 2019: reputation data is free starting from DCC 2.x version - -full DCC_REPUT_00_12 eval:check_dcc_reputation_range(00,12) -describe DCC_REPUT_00_12 DCC reputation between 0 and 12 % (mostly ham) -tflags DCC_REPUT_00_12 nice net noautolearn -priority DCC_REPUT_00_12 10 -reuse DCC_REPUT_00_12 - -full DCC_REPUT_13_19 eval:check_dcc_reputation_range(13,19) -describe DCC_REPUT_13_19 DCC reputation between 13 and 19 % -tflags DCC_REPUT_13_19 net nice -priority DCC_REPUT_13_19 10 -reuse DCC_REPUT_13_19 - -full DCC_REPUT_70_89 eval:check_dcc_reputation_range(70,89) -describe DCC_REPUT_70_89 DCC reputation between 70 and 89 % -tflags DCC_REPUT_70_89 net -priority DCC_REPUT_70_89 10 -reuse DCC_REPUT_70_89 - -full DCC_REPUT_90_94 eval:check_dcc_reputation_range(90,94) -describe DCC_REPUT_90_94 DCC reputation between 90 and 94 % -tflags DCC_REPUT_90_94 net -priority DCC_REPUT_90_94 10 -reuse DCC_REPUT_90_94 - -full DCC_REPUT_95_98 eval:check_dcc_reputation_range(95,98) -describe DCC_REPUT_95_98 DCC reputation between 95 and 98 % (mostly spam) -tflags DCC_REPUT_95_98 net -priority DCC_REPUT_95_98 10 -reuse DCC_REPUT_95_98 - -full DCC_REPUT_99_100 eval:check_dcc_reputation_range(99) -describe DCC_REPUT_99_100 DCC reputation between 99 % or higher (spam) -tflags DCC_REPUT_99_100 net -priority DCC_REPUT_99_100 10 -reuse DCC_REPUT_99_100 - -endif diff --git a/resources/spamassassin/25_dkim.cf b/resources/spamassassin/25_dkim.cf deleted file mode 100644 index e93eb944..00000000 --- a/resources/spamassassin/25_dkim.cf +++ /dev/null @@ -1,147 +0,0 @@ -# SpamAssassin - DKIM rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Requires the Mail::SpamAssassin::Plugin::DKIM plugin be loaded. - -ifplugin Mail::SpamAssassin::Plugin::DKIM - -# Note: DKIM_SIGNED, DKIM_VALID and DKIM_VALID_AU are mainly informational -# rules, and can serve as a basis for meta rules; it is not difficult for a -# sender to cause hits on them or to prevent them from firing, so their score -# should be kept low. - -full DKIM_SIGNED eval:check_dkim_signed() -describe DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -tflags DKIM_SIGNED net -reuse DKIM_SIGNED - -full DKIM_VALID eval:check_dkim_valid() -describe DKIM_VALID Message has at least one valid DKIM or DK signature -tflags DKIM_VALID net nice -reuse DKIM_VALID - -meta DKIM_INVALID DKIM_SIGNED && !DKIM_VALID -describe DKIM_INVALID DKIM or DK signature exists, but is not valid - -full DKIM_VALID_AU eval:check_dkim_valid_author_sig() -describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -tflags DKIM_VALID_AU net nice -reuse DKIM_VALID_AU - -if (version >= 3.004002) -full DKIM_VALID_EF eval:check_dkim_valid_envelopefrom() -describe DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -tflags DKIM_VALID_EF net nice -reuse DKIM_VALID_EF -endif - -full __DKIM_DEPENDABLE eval:check_dkim_dependable() -describe __DKIM_DEPENDABLE A validation failure not attributable to truncation -reuse __DKIM_DEPENDABLE - -header DKIM_ADSP_NXDOMAIN eval:check_dkim_adsp('N') -describe DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS -tflags DKIM_ADSP_NXDOMAIN net -reuse DKIM_ADSP_NXDOMAIN - -header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D') -describe DKIM_ADSP_DISCARD No valid author signature, domain signs all mail and suggests discarding the rest -tflags DKIM_ADSP_DISCARD net -reuse DKIM_ADSP_DISCARD - -header DKIM_ADSP_ALL eval:check_dkim_adsp('A') -describe DKIM_ADSP_ALL No valid author signature, domain signs all mail -tflags DKIM_ADSP_ALL net -reuse DKIM_ADSP_ALL - -header DKIM_ADSP_CUSTOM_LOW eval:check_dkim_adsp('1') -describe DKIM_ADSP_CUSTOM_LOW No valid author signature, adsp_override is CUSTOM_LOW -tflags DKIM_ADSP_CUSTOM_LOW net userconf -reuse DKIM_ADSP_CUSTOM_LOW - -header DKIM_ADSP_CUSTOM_MED eval:check_dkim_adsp('2') -describe DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED -tflags DKIM_ADSP_CUSTOM_MED net userconf -reuse DKIM_ADSP_CUSTOM_MED - -header DKIM_ADSP_CUSTOM_HIGH eval:check_dkim_adsp('3') -describe DKIM_ADSP_CUSTOM_HIGH No valid author signature, adsp_override is CUSTOM_HIGH -tflags DKIM_ADSP_CUSTOM_HIGH net userconf -reuse DKIM_ADSP_CUSTOM_HIGH - -full __RESIGNER1 eval:check_dkim_valid('linkedin.com') -tflags __RESIGNER1 net -reuse __RESIGNER1 -full __RESIGNER2 eval:check_dkim_valid('googlegroups.com','yahoogroups.com','yahoogroups.de') -tflags __RESIGNER2 net -reuse __RESIGNER2 -meta __VIA_RESIGNER __RESIGNER1 || __RESIGNER2 -describe __VIA_RESIGNER Mail through a popular signing remailer - -meta NML_ADSP_CUSTOM_LOW DKIM_ADSP_CUSTOM_LOW && !__VIA_ML && !__VIA_RESIGNER -describe NML_ADSP_CUSTOM_LOW ADSP custom_low hit, and not from a mailing list - -meta NML_ADSP_CUSTOM_MED DKIM_ADSP_CUSTOM_MED && !__VIA_ML && !__VIA_RESIGNER -describe NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list - -meta NML_ADSP_CUSTOM_HIGH DKIM_ADSP_CUSTOM_HIGH && !__VIA_ML && !__VIA_RESIGNER -describe NML_ADSP_CUSTOM_HIGH ADSP custom_high hit, and not from a mailing list - -if can(Mail::SpamAssassin::Plugin::DKIM::has_arc) - full ARC_SIGNED eval:check_arc_signed() - describe ARC_SIGNED Message has a ARC signature - tflags ARC_SIGNED net - reuse ARC_SIGNED - - full ARC_VALID eval:check_arc_valid() - describe ARC_VALID Message has a valid ARC signature - tflags ARC_VALID net - reuse ARC_VALID - - meta ARC_INVALID ARC_SIGNED && !ARC_VALID - describe ARC_INVALID ARC signature exists, but is not valid -endif - -# -# old, declared for compatibility with pre-3.3, should have scores 0 -# - -full DKIM_VERIFIED eval:check_dkim_valid() -tflags DKIM_VERIFIED net nice -reuse DKIM_VERIFIED - -header DKIM_POLICY_TESTING eval:check_dkim_testing() -tflags DKIM_POLICY_TESTING net nice -reuse DKIM_POLICY_TESTING - -header DKIM_POLICY_SIGNSOME eval:check_dkim_signsome() -tflags DKIM_POLICY_SIGNSOME net nice -reuse DKIM_POLICY_SIGNSOME - -header DKIM_POLICY_SIGNALL eval:check_dkim_signall() -tflags DKIM_POLICY_SIGNALL net nice -reuse DKIM_POLICY_SIGNALL - -endif # Mail::SpamAssassin::Plugin::DKIM diff --git a/resources/spamassassin/25_dmarc.cf b/resources/spamassassin/25_dmarc.cf deleted file mode 100644 index dacc5e5d..00000000 --- a/resources/spamassassin/25_dmarc.cf +++ /dev/null @@ -1,62 +0,0 @@ -# SpamAssassin - DMARC rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Requires the Mail::SpamAssassin::Plugin::DMARC plugin be loaded. - -# Backwards compatible name (was renamed to DMARC in trunk before 4.0.0) -ifplugin Mail::SpamAssassin::Plugin::Dmarc - -header DMARC_PASS eval:check_dmarc_pass() -describe DMARC_PASS DMARC pass policy -priority DMARC_PASS 500 -tflags DMARC_PASS net nice -reuse DMARC_PASS - -header DMARC_REJECT eval:check_dmarc_reject() -describe DMARC_REJECT DMARC reject policy -priority DMARC_REJECT 500 -tflags DMARC_REJECT net -reuse DMARC_REJECT - -header DMARC_QUAR eval:check_dmarc_quarantine() -describe DMARC_QUAR DMARC quarantine policy -priority DMARC_QUAR 500 -tflags DMARC_QUAR net -reuse DMARC_QUAR - -header DMARC_NONE eval:check_dmarc_none() -describe DMARC_NONE DMARC none policy -priority DMARC_NONE 500 -tflags DMARC_NONE net -reuse DMARC_NONE - -header DMARC_MISSING eval:check_dmarc_missing() -describe DMARC_MISSING Missing DMARC policy -priority DMARC_MISSING 500 -tflags DMARC_MISSING net -reuse DMARC_MISSING - -endif - diff --git a/resources/spamassassin/25_dnswl.cf b/resources/spamassassin/25_dnswl.cf deleted file mode 100644 index ce02ecff..00000000 --- a/resources/spamassassin/25_dnswl.cf +++ /dev/null @@ -1,70 +0,0 @@ -# SpamAssassin rules file: DNSWL tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::DNSEval - -# 0.000 0.0000 0.0000 0.500 1.00 -8.00 T_RCVD_IN_DNSWL_HI -# 0.817 0.2509 3.5683 0.066 0.50 1.00 __RCVD_IN_DNSWL -# 0.059 0.0000 0.3481 0.000 0.50 -1.00 T_RCVD_IN_DNSWL_LOW -# 0.163 0.0000 0.9574 0.000 0.00 -4.00 T_RCVD_IN_DNSWL_MED - -header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.') -tflags __RCVD_IN_DNSWL nice net -reuse __RCVD_IN_DNSWL - -header RCVD_IN_DNSWL_NONE eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.0$') -describe RCVD_IN_DNSWL_NONE Sender listed at https://www.dnswl.org/, no trust -tflags RCVD_IN_DNSWL_NONE nice net -reuse RCVD_IN_DNSWL_NONE - -header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.1$') -describe RCVD_IN_DNSWL_LOW Sender listed at https://www.dnswl.org/, low trust -tflags RCVD_IN_DNSWL_LOW nice net -reuse RCVD_IN_DNSWL_LOW - -header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.2$') -describe RCVD_IN_DNSWL_MED Sender listed at https://www.dnswl.org/, medium trust -tflags RCVD_IN_DNSWL_MED nice net -reuse RCVD_IN_DNSWL_MED - -header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$') -describe RCVD_IN_DNSWL_HI Sender listed at https://www.dnswl.org/, high trust -tflags RCVD_IN_DNSWL_HI nice net -reuse RCVD_IN_DNSWL_HI - -## score RCVD_IN_DNSWL_LOW -1 -## score RCVD_IN_DNSWL_MED -4 -## score RCVD_IN_DNSWL_HI -8 - -header RCVD_IN_DNSWL_BLOCKED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.255$') -describe RCVD_IN_DNSWL_BLOCKED ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. -tflags RCVD_IN_DNSWL_BLOCKED net noautolearn -reuse RCVD_IN_DNSWL_BLOCKED - -if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) -dns_block_rule RCVD_IN_DNSWL_BLOCKED list.dnswl.org -endif - -endif diff --git a/resources/spamassassin/25_pyzor.cf b/resources/spamassassin/25_pyzor.cf deleted file mode 100644 index d7439b3a..00000000 --- a/resources/spamassassin/25_pyzor.cf +++ /dev/null @@ -1,40 +0,0 @@ -# SpamAssassin rules file: pyzor rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -## -## SpamAssassin 4.0.0 note: -## PYZOR rule priorities are automatically adjusted to -100 when pyzor_fork -## option is enabled (async lookup) -## - -ifplugin Mail::SpamAssassin::Plugin::Pyzor - -full PYZOR_CHECK eval:check_pyzor() -describe PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) -tflags PYZOR_CHECK net autolearn_body -priority PYZOR_CHECK 30 -reuse PYZOR_CHECK - -endif diff --git a/resources/spamassassin/25_razor2.cf b/resources/spamassassin/25_razor2.cf deleted file mode 100644 index 86e0b7a8..00000000 --- a/resources/spamassassin/25_razor2.cf +++ /dev/null @@ -1,72 +0,0 @@ -# SpamAssassin rules file: razor2 tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -## -## SpamAssassin 4.0.0 note: -## RAZOR rule priorities are automatically adjusted to -100 when razor_fork -## option is enabled (async lookup) -## - -ifplugin Mail::SpamAssassin::Plugin::Razor2 - -full RAZOR2_CHECK eval:check_razor2() -describe RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) -tflags RAZOR2_CHECK net autolearn_body -priority RAZOR2_CHECK 20 -reuse RAZOR2_CHECK - -lang de describe RAZOR2_CHECK Gelistet im "Razor2"-System (http://razor.sf.net/) -lang nl describe RAZOR2_CHECK Gevonden in Razor2 (http://razor.sf.net/) -lang fr describe RAZOR2_CHECK Message listé par Razor2, voir http://razor.sourceforge.net -lang pl describe RAZOR2_CHECK Na li¶cie Razor2 (http://razor.sf.net/) - -# cf (confidence level) is how likely the message is spam. RAZOR2_CHECK -# returns true if cf>=min_cf (as defined by user/config). These return -# true depending on what cf value the message has. The algorithm goes: -# check the message via razor, then go through each mime part and check -# how razor scored it. If the part is contested (ie: it's been reported -# as both ham and spam) it's ignored. SA takes the highest non-contested -# part cf score and returns it for the range rules. ie: This is essentially -# Razor 2's logic_method 4. -# -# Note: Disabling RAZOR2_CHECK (score RAZOR2_CHECK 0) will also disable -# these checks. -# -# Note: The scores are set to 0 on these tests right now until they get -# better integrated with SA overall. -# - -full RAZOR2_CF_RANGE_51_100 eval:check_razor2_range('','51','100') -tflags RAZOR2_CF_RANGE_51_100 net -priority RAZOR2_CF_RANGE_51_100 20 -reuse RAZOR2_CF_RANGE_51_100 -describe RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% - -lang de describe RAZOR2_CF_RANGE_51_100 Razor2 Spam-Bewertung liegt zwischen 51 und 100 -lang fr describe RAZOR2_CF_RANGE_51_100 Razor2 donne un indice de confiance entre 51 et 100 -lang nl describe RAZOR2_CF_RANGE_51_100 Razor2 geeft een zekerheid tussen 51 en 100 -lang pl describe RAZOR2_CF_RANGE_51_100 Razor2 stwierdzi³ pewno¶æ pomiêdzy 51 i 100 - -endif diff --git a/resources/spamassassin/25_replace.cf b/resources/spamassassin/25_replace.cf deleted file mode 100644 index b3b63363..00000000 --- a/resources/spamassassin/25_replace.cf +++ /dev/null @@ -1,210 +0,0 @@ -# SpamAssassin - ReplaceTags configuration -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Requires the Mail::SpamAssassin::Plugin::ReplaceTags plugin be loaded. - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -replace_tag A (?:[aA\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe6]|[\xb6\xc1\xc4\xcb]|[\xc3][\x80\x81\x82\x83\x84\x85\xa0\xa1\xa2\xa3\xa4\xa5]|[\xc4][\x80\x81\x82\x83\x84\x85]|[\xce][\x86\x91\x94\x9b\xac\xb1]|[\xd0][\x90\xb0]|[\xd1][\xa6\xa7]|[\xd3][\x90\x91\x92\x93]|[\xe1](?:[\x8e][\xaa]|[\xb8][\x80\x81]|[\xba][\x9a\xa0-\xb7]|[\xbc][\x80-\x8f]|[\xbd][\xb0\xb1]|[\xbe][\x80-\x8f\xb0-\xbc])|[\xf0][\x9d](?:[\x90][\x80\x9a\xb4]|[\x91][\x8e\xa8]|[\x92][\x82\x9c\xb6]|[\x93][\x90\xaa]|[\x94][\xb8\x92]|[\x95][\x92]|[\x96][\xa0\xba]|[\x97][\x94\xae]|[\x98][\x88\xa2\xbc]|[\x99][\x96\xb0]|[\x9a][\x8a\xa8]|[\x9b][\x82\xa2\xbc]|[\x9c][\x9c\xb6]|[\x9d][\x96\xb0]|[\x9e][\x90\xaa])) -replace_tag B (?:[bB8\xc2\xe2]|[\xce][\x92\xb2]|[\xcf][\x90\xb8]|[\xc3][\x9f]|[\xc6][\x80\x81\x82\x83\x84\x85]|[\xce][\x92\xb2]|[\xcf][\x90]|[\xd0][\x91\x92\xac\xb1\xb2]|[\xd1][\x8a\x8c\xa2\xa3]|[\xd2][\x8c\x8d]|[\xe1](?:[\xb8][\x82-\x87]|[\xba][\x9e])|[\xf0][\x9d](?:[\x90][\x81\x9b\xb5]|[\x91][\x8f\xa9]|[\x92][\x83\x9d\xb7]|[\x93][\x91\xab]|[\x94][\x85\x9f\xb9]|[\x95][\x93\xad]|[\x96][\x87\xa1\xbb]|[\x97][\x95\xaf]|[\x98][\x89\xa3\xbd]|[\x99][\x97\xb1]|[\x9a][\x8b\xa9]|[\x9b][\x83\xa3\xbd]|[\x9c][\x9d\xb7]|[\x9d][\x97\xb1]|[\x9e][\x91\xab])) -replace_tag C (?:[cCk\xc7\xe7\xf2@]|[\xc3][\x87\xa7]|[\xc4][\x86\x87\x88\x89\x8a\x8b\x8c\x8d]|[\xc6][\x87\x88]|[\xcf][\x82\x9a\x9b\xb2\xb9\xbe]|[\xd0][\xa1]|[\xd1][\x81]|[\xd2][\x80\x81\xaa\xab]|[\xd5][\x87]|&\#(?:1(?:0(?:10|17|2[123]|57|89)|1(?:52|53|94|95)|99)|2(?:31|6[2-9])|39[12]|x(?:3(?:f2|f9|fe)|4(?:21|41|80|81|aa|ab)));|[\xe1](?:[\xb8][\x88\x89])|[\xf0][\x9d](?:[\x90][\x82\x9c\xb6]|[\x91][\x90\xaa]|[\x92][\x84\x9e\xb8]|[\x93][\x92\xac]|[\x94][\x86\xa0\xba]|[\x95][\x94\xae]|[\x96][\x88\xa2\xbc]|[\x97][\x96\xb0]|[\x98][\x8a\xa4\xbe]|[\x99][\x98\xb2]|[\x9a][\x8c]|[\x9b][\x93]|[\x9c][\x8d]|[\x9d][\x87]|[\x9e][\x81])) -replace_tag D (?:[dD\xd0]|[\xc3][\x90]|[\xc4][\x8e\x8f\x90\x91]|[\xc6][\x89\x8a]|[\xd4][\x80\x81]|[\xd5][\xaa]|[\xe1](?:[\xb8][\x8a-\x93])|[\xf0][\x9d](?:[\x90][\x83\x9d\xb7]|[\x91][\x91\xab]|[\x92][\x85\x9f\xb9]|[\x93][\x93\xad]|[\x94][\x87\xa1\xbb]|[\x95][\x95\xaf]|[\x96][\x89\xa3\xbd]|[\x97][\x97\xb1]|[\x98][\x8b\xa5\xbf]|[\x99][\x99\xb3]|[\x9a][\x8d])) -replace_tag E (?:[eE3\xb8\xc5\xd3\xdd\xe5\xee]|[\xc3][\x88\x89\x8a\x8b\xa8\xa9\xaa\xab]|[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]|[\xc8][\x84\x85\x86\x87\xa8\xa9]|[\xce][\x88\x95\xa3\xad\xb5\xbe]|[\xcf][\xb5]|[\xd0][\x80\x81\x84\x95\xb5]|[\xd1][\x90\x91\x94\xb3]|[\xd2][\xbc\xbd\xbe\xbf]|[\xd3][\x96\x97\xa9\xab]|[\xd4][\x90\x91]|[\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]|&\#(?:1(?:0(?:13|2[458]|45|77)|108|2(?:1[2-5]|3[89]|9[67]))|2(?:0[0-3]|3[2-5]|7[4-9]|8[0-3])|400|51[6-9]|5[58][23]|603|9(?:04|17|[34]1|4[19]));|[\xe1](?:[\xb8][\x94-\x9d]|[\xba][\xb8-\xbf]|[\xbb][\x80-\x87]|[\xbc][\x90-\x9d]|[\xbd][\xb2\xb3]|[\xbf][\x88\x89])|[\xf0][\x9d](?:[\x90][\x84\x9e\xb8]|[\x91][\x92\xac]|[\x92][\x86\xa0\xba]|[\x93][\x94\xae]|[\x94][\xa2\xbc]|[\x95][\x96]|[\x96][\x8a\xa4\xbe]|[\x97][\x98\xb2]|[\x98][\x8c\xa6]|[\x99][\x80\x9a\xb4]|[\x9a][\x8e\xac\xba]|[\x9b][\x86\x9c\xa6\xb4]|[\x9c][\x80\x96\xa0\xae\xba]|[\x9d][\x90\x9a\xa8\xb4]|[\x9e][\x8a\x94\xa2\xae]|[\x9f][\x84])) -replace_tag F (?:[fF]|[\xcf][\x9c\x9d]|[\xd2][\x92\x93]|[\xd3][\xba\xbb]|[\xd4][\xb2]|[\xd5][\xa2]|[\xe1](?:[\xb8][\x9e\x9f]|[\xba][\x9b\x9c\x9d])|[\xf0][\x9d](?:[\x90][\x85\x9f\xb9]|[\x91][\x93\xad]|[\x92][\x87\xa1\xbb]|[\x93][\x95\xaf]|[\x94][\xa3\xbd]|[\x95][\x97\xb1]|[\x96][\x8b\xa5\xbf]|[\x97][\x99\xb3]|[\x98][\x8d\xa7]|[\x99][\x81\x9b\xb5]|[\x9a][\x8f]|[\x9f][\x8a\x8b])) -replace_tag G (?:[gGk]|[\xc4][\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3]|[\xd2][\xa8\xa9]|[\xd4][\x8c\x8d]|[\xd6][\x81]|[\xf0][\x9d](?:[\x90][\x86\xa0\xba]|[\x91][\x94\xae]|[\x92][\x88\xa2\xbc]|[\x93][\x96\xb0]|[\x94][\xa4\xbe]|[\x95][\x98]|[\x96][\x8c\xa6]|[\x97][\x80\x9a\xb4]|[\x98][\x8e\xa8]|[\x99][\x82\x9c\xb6]|[\x9a][\x90])) -replace_tag H (?:[hH\xb9\xc7]|[\xc4][\xa4\xa5\xa6\xa7]|[\xce][\x89\x97]|[\xcf][\xa6]|[\xd0][\x8a\x8b\x9d\xbd]|[\xd1][\x92\x9b]|[\xd2][\x94\x95\xa2\xa3\xa4\xa5\xba\xbb]|[\xd3][\x87\x88\x89\x8a]|[\xd4][\xbb]|[\xd5][\xab\xb0]|&\#(?:2(?:22[3-6]|9[2-5])|54[23]|1(?:0(?:53|85)|18[6-9]|8(?:0(?:8[89]|9[0-5])|1(?:38[89]|340)))|919);|[\xe1](?:[\xb8][\xa2-\xab]|[\xba][\x96]|[\xbc][\xa8-\xaf]|[\xbe][\x98-\x9f]|[\xbf][\x8a-\x8c])|[\xf0][\x9d](?:[\x90][\x87\xa1\xbb]|[\x91][\x95\xaf]|[\x92][\x89\xa3\xbd]|[\x93][\x97\xb1]|[\x94][\xbf]|[\x95][\x99]|[\x96][\xa7]|[\x97][\x81\x9b\xb5]|[\x98][\x8f\xa9]|[\x99][\x83\x9d\xb7]|[\x9a][\x91\xae]|[\x9b][\xa8]|[\x9c][\xa2]|[\x9d][\x9c]|[\x9e][\x96])) -replace_tag I (?:[iIl|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef\xe9\xba\xc0\xc9\xda\xdf\xfa]|[\xc3][\x8c\x8d\x8e\x8f\xac\xad\xae\xaf]|[\xc4][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1]|[\xc7][\x8f\x90]|[\xce][\x8a\x90\x99\xaa\xaf\xb9]|[\xcf][\x8a]|[\xd0][\x86\x87]|[\xd1][\x96\x97]|[\xd3][\x80\x8f]|[\xd5][\xac]|&\#(?:1(?:03[01]|11[01]|216|231)|2(?:0[4-7]|16|3[6-9]|9[6-9])|3(?:0[0-5])|4(?:0[67]|6[34])|52[0-3]);|[\xe1](?:[\xb8][\xac-\xaf]|[\xbb][\x88-\x8b]|[\xbc][\xb0-\xbf]|[\xbd][\xb6\xb7]|[\xbf][\x90-\x9b])|[\xf0][\x9d](?:[\x90][\x88\xa2\xbc]|[\x91][\x96\xb0]|[\x92][\x8a\xa4\xbe]|[\x93][\x98\xb2]|[\x94][\xa6]|[\x95][\x80\x9a]|[\x96][\x8e\xa8]|[\x97][\x82\x9c\xb6]|[\x98][\x90\xaa]|[\x99][\x84\x9e\xb8]|[\x9a][\x92\xb0]|[\x9b][\xaa]|[\x9c][\xa4]|[\x9d][\x9e]|[\x9e][\x98])) -replace_tag J (?:[jJ]|[\xc4][\xb4\xb5]|[\xcf][\xb3]|[\xd0][\x88]|[\xd1][\x98]|[\xd5][\xb5]|[\xf0][\x9d](?:[\x90][\x89\xa3\xbd]|[\x91][\x97\xb1]|[\x92][\x8b\xa5\xbf]|[\x93][\x99\xb3]|[\x94][\xa7]|[\x95][\x81\x9b]|[\x96][\x8f\xa9]|[\x97][\x83\x9d\xb7]|[\x98][\x91\xab]|[\x99][\x85\x9f\xb9]|[\x9a][\x93])) -replace_tag K (?:[kK\xca\xea]|[\xc4][\xb6\xb7\xb8]|[\xc7][\xa8\xa9]|[\xce][\x9a\xba]|[\xd0][\x8c\x9a\xba]|[\xd1][\x9c]|[\xd2][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd3][\x83\x84]|[\xd4][\x9e\x9f]|&\#(?:31[0-2]|4[08][89]|9(?:22|54|75)|1(?:0(?:36|50|82)|1(?:16|7[89]|8[0-5])|219|220|31[01]));|[\xe1](?:[\xb8][\xb0-\xb5])|[\xf0][\x9d](?:[\x90][\x8a\xa4\xbe]|[\x91][\x98\xb2]|[\x92][\x8c\xa6]|[\x93][\x80\x9a\xb4]|[\x94][\xa8]|[\x95][\x82\x9c]|[\x96][\x90\xaa]|[\x97][\x84\x9e\xb8]|[\x98][\x92\xac]|[\x99][\x86\xa0\xba]|[\x9a][\x94\xb1]|[\x9b][\x8b\xab]|[\x9c][\x85\xa5\xbf]|[\x9d][\x9f\xb9]|[\x9e][\x99\xb3])) -replace_tag L (?:[ilL|!1\xa3]|[\xc4][\xb9\xba\xbb\xbc\xbd\xbe\xbf]|[\xc5][\x80\x81\x82]|[\xc8][\xbd]|[\xce][\x8a\x99\xaa\xaf\xb9]|[\xd3][\x80\x8f]|[\xd4][\xbc]|[\xd5][\xac]|[\xd6][\x82]|&\#(?:1340|3(?:1[3-9]|2[0-2])|573|671|x53c|76);|[\xe1](?:[\xb8][\xb6-\xbd]|[\xbc][\xb8-\xbf]|[\xbf][\x98-\x9b])|[\xf0][\x9d](?:[\x90][\x8b\xa5\xbf]|[\x91][\x99\xb3]|[\x92][\x8d\xa7]|[\x93][\x81\x9b\xb5]|[\x94][\xa9]|[\x95][\x83\x9d]|[\x96][\x91\xab]|[\x97][\x85\x9f\xb9]|[\x98][\x93\xad]|[\x99][\x87\xa1\xbb]|[\x9a][\x95]|[\x9d][\x9e]|[\x9e][\x98]|[\x9f][\x8f\x99\xad\xb7])) -replace_tag M (?:[mM\xcc]|rn|[\xc9][\xb1]|[\xce][\x9c]|[\xcf][\xba\xbb]|[\xd0][\x9c\xbc]|[\xd2][\xa7]|[\xd3][\x8d\x8e]|[\xe1](?:[\xb8][\xbe\xbf]|[\xb9][\x80-\x83])|[\xf0][\x9d](?:[\x90][\x8c\xa6]|[\x91][\x80\x9a\xb4]|[\x92][\x8e\xa8]|[\x93][\x82\x9c\xb6]|[\x94][\xaa]|[\x95][\x84\x9e]|[\x96][\x92\xac]|[\x97][\x86\xa0\xba]|[\x98][\x94\xae]|[\x99][\x88\xa2\xbc]|[\x9a][\x96\xb3]|[\x9b][\xad]|[\x9c][\xa7]|[\x9d][\xa1]|[\x9e][\x9b])) -replace_tag N (?:[nN\xcd\xd0\xd1\xde\xe7\xf0\xf1]|[\xc3][\x91\xb1]|[\xc5][\x83\x84\x85\x86\x87\x88\x89\x8a\x8b]|[\xc9][\xb2\xb3\xb4]|[\xce][\x9d\xae\xb7]|[\xcf][\x80]|[\xd0][\x98\x99\x9f\xb8\xb9\xbb\xbf]|[\xd1][\x9d]|[\xd2][\x8a\x8b]|[\xd3][\x86\xa2\xa3\xa4\xa5]|[\xd4][\xa5]|[\xd5][\x88\x8c\xa4\xa8\xb2\xb8\xbc]|[\xd6][\x80]|[\xe1](?:[\xb9][\x84-\x8b]|[\xbc][\xa0-\xa7]|[\xbd][\xb4\xb5]|[\xbe][\x90-\x97]|[\xbf][\x82-\x87])|[\xf0][\x9d](?:[\x90][\x8d\xa7]|[\x91][\x81\x9b\xb5]|[\x92][\x8f\xa9]|[\x93][\x83\x9d\xb7]|[\x94][\xab]|[\x95][\x85\x9f]|[\x96][\x93\xad]|[\x97][\x87\xa1\xbb]|[\x98][\x95\xaf]|[\x99][\x89\xa3\xbd]|[\x9a][\x97\xb4]|[\x9b][\x88\xae]|[\x9c][\x82\xa8\xbc]|[\x9d][\xa2\xb6]|[\x9e][\x9c\xb0])) -replace_tag O (?:[goO0u\xbc\xcf\xd2\xd3\xd4\xd5\xd6\xd8\xef\xf0\xf2\xf3\xf4\xf5\xf6\xf8\xfc]|[\xc3][\x92\x93\x94\x95\x96\x98\xb2\xb3\xb4\xb5\xb6\xb8]|[\xc5][\x8c\xbd\xbe\xbf\x90\x91]|[\xce][\x8c\x98\x9f\xbf]|[\xcf][\x8c\x98\x99]|[\xd0][\x9e\xae\xbe]|[\xd1][\xba\xbb]|[\xd3][\xa6\xa7\xa8\xaa]|[\xd4][\x9a]|[\xd5][\x95\xae]|[\xd6][\x85]|[\xd7][\xa1]|[\xe1](?:[\xb9][\x8c-\x93]|[\xbb][\x8c-\xa3]|[\xbd][\x80-\x8d\xb8\xb9]|[\xbf][\xb8\xb9])|[\xf0][\x9d](?:[\x90][\x8e\xa8]|[\x91][\x82\x9c\xb6]|[\x92][\x90\xaa]|[\x93][\x84\x9e\xb8]|[\x94][\xac]|[\x95][\x86\xa0]|[\x96][\x94\xae]|[\x97][\x88\xa2\xbc]|[\x98][\x96\xb0]|[\x99][\x8a\xa4\xbe]|[\x9a][\x98\xb6\xb9]|[\x9b][\x90\x94\xb0]|[\x9c][\x8a\x8e\xa3\xaa\xad\xbd]|[\x9d][\x84\x88\x9d\xa4\xa7\xbe]|[\x9e][\x82\x97\x9e\xa1\xb8\xbb]|[\x9f][\x8e\x98\xa2\xac])) -replace_tag P (?:[pP\xd1\xf1\xfe]|[\xce][\xa1]|[\xcf][\x81\xb7\xb8]|[\xd0][\xa0]|[\xd1][\x80]|[\xd2][\x8e\x8f]|[\xd4][\x97]|[\xd5][\xa9]|[\xd6][\x84]|[\xe1](?:[\xb9][\x94-\x97]|[\xbf][\xa4\xa5\xac])|[\xf0][\x9d](?:[\x90][\x8f\xa9]|[\x91][\x83\x9d\xb7]|[\x92][\x91]|[\x93][\x9f]|[\x95][\x87\xa1]|[\x96][\xaf]|[\x97][\x89\xa3\xbd]|[\x98][\x97\xb1]|[\x99][\x8b\xa5\xbf]|[\x9a][\x99\xb8]|[\x9b][\x92\xb2]|[\x9c][\x8c\xac]|[\x9d][\x86\xa6]|[\x9e][\x80\xa0\xba])) -replace_tag Q (?:[qQ]|[\xcf][\x98\xa4\xa5]|[\xd4][\x9a\x9b\xb3]|[\xd5][\xa3\xa6]|[\xf0][\x9d](?:[\x90][\x90\xaa]|[\x91][\x84\x9e\xb8]|[\x92][\x92]|[\x93][\x86\xba]|[\x94][\xae]|[\x95][\x88\xa2]|[\x96][\x96\xb0]|[\x97][\x8a\xa4\xbe]|[\x98][\x98\xb2]|[\x99][\x8c\xa6]|[\x9a][\x80\x9a])) -replace_tag R (?:[rR]|[\xc5][\x94\x95\x96\x97\x98\x99]|[\xc8][\x90\x91\x92\x93]|[\xd0][\x93\xaf]|[\xd1][\x8f\x93]|[\xd2][\x90\x91\x93]|[\xd3][\xb6\xb7]|[\xd4][\xb8\xbb]|[\xd5][\x90\x92]|[\xd6][\x80]|&\#(?:1(?:071|103)|34[0-5]|422|5(?:2[89]|3[01]|8[89])|6(?:3[67]|40));|[\xe1](?:[\xb9][\x98-\x9f])|[\xf0][\x9d](?:[\x90][\x91\xab]|[\x91][\x85\x9f\xb9]|[\x92][\x93\xad]|[\x93][\x87\xa1\xbb]|[\x94][\x95\xaf]|[\x95][\x89\xa3\xbd]|[\x96][\x97\xb1]|[\x97][\x8b\xa5\xbf]|[\x98][\x99\xb3]|[\x99][\x8d\xa7]|[\x9a][\x81\x9b])) -replace_tag S (?:[sSz\xa6\xa7]|[\xc5][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd0][\x85]|[\xd1][\x95]|[\xd5][\x8f]|[\xe1](?:[\xb9][\xa0-\xa9])|[\xf0][\x9d](?:[\x90][\x92\xac]|[\x91][\x86\xa0\xba]|[\x92][\x94]|[\x94][\xb0]|[\x95][\x8a\xa4]|[\x96][\xb2]|[\x97][\x8c\xa6]|[\x98][\x80\x9a\xb4]|[\x99][\x8e\xa8]|[\x9a][\x82\x9c])) -replace_tag T (?:[tT\xc3\xd4\xf4]|[\xc5][\xa2\xa3\xa4\xa5\xa6\xa7]|[\xcd][\xb2\xb3]|[\xce][\xa4]|[\xcf][\x84\xae\xaf]|[\xd0][\x93\xa2]|[\xd1][\x82]|[\xd2][\x90\xac\xad]|[\xd3][\xb6]|[\xd4][\xb5\xb7]|[\xd5][\x92\xa7]|[\xe1](?:[\xb9][\xaa-\xb1]|[\xba][\x97])|[\xf0][\x9d](?:[\x90][\x93\xad]|[\x91][\x87\xa1\xbb]|[\x92][\x95]|[\x93][\x89\xbd]|[\x94][\xb1]|[\x95][\x8b\xa5]|[\x96][\x99\xb3]|[\x97][\x8d\xa7]|[\x98][\x81\x9b\xb5]|[\x99][\x8f\xa9]|[\x9a][\x83\x9d\xbb]|[\x9b][\x95\xb5]|[\x9c][\x8f\xaf]|[\x9d][\x89\xa9]|[\x9e][\x83\xa3\xbd])) -replace_tag U (?:[uUv\xb5\xd9\xda\xdb\xdc\xe0\xec\xf5\xfc\xfb\xfa\xf9\xfd]|[\xc3][\x99\x9a\x9b\x9c\xb9\xba\xbb\xbc]|[\xc5][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3]|[\xcf][\x85\x8b\x8d]|[\xd0][\x8f\xa6]|[\xd1][\x86\x9f]|[\xd4][\xb1\xbf]|[\xd5][\x84\x8d\xb4\xb6\xbd\xbe]|[\xd6][\x87]|[\xe1](?:[\xb9][\xb2-\xbb]|[\xbb][\xa4-\xb1]|[\xbd][\x90-\x97\xba\xbb]|[\xbf][\xa0-\xa3\xa6\xa7])|[\xf0][\x9d](?:[\x90][\x94\xae]|[\x91][\x88\xa2\xbc]|[\x92][\x96\xb0]|[\x93][\x8a\xa4\xbe]|[\x94][\x98\xb2]|[\x95][\x8c\xa6]|[\x96][\x80\x9a\xb4]|[\x97][\x8e\xa8]|[\x98][\x82\x9c\xb6]|[\x99][\x90\xaa]|[\x9a][\x84\x9e]|[\x9b][\x8d\x96]|[\x9c][\x87\x90]|[\x9d][\x81\x8a\xbb]|[\x9e][\x84\xb5\xbe])) -replace_tag V (?:[vVu\xe3\xed]|\\\/|[\xce][\xbd]|[\xd1][\xb4\xb5\xb6\xb7]|[\xe1](?:[\xb9][\xbc-\xbf]|[\xbd][\x90-\x97\xba\xbb]|[\xbf][\xa0-\xa3\xa6\xa7])|[\xf0][\x9d](?:[\x90][\x95\xaf]|[\x91][\x89\xa3\xbd]|[\x92][\x97]|[\x93][\x8b\xa5\xbf]|[\x95][\x8d\xa7]|[\x96][\xb5]|[\x97][\x8f\xa9]|[\x98][\x83\x9d\xb7]|[\x99][\x91\xab]|[\x9a][\x85\x9f]|[\x9b][\x96]|[\x9c][\x88]|[\x9d][\x8a])) -replace_tag W (?:[wWv\xd8\xf8\xf9\xfe]|[\xc5][\xb4\xb5]|[\xc9][\xaf\xb0]|[\xce][\xa8]|[\xcf][\x86\x88\x89\x8e\x96\xa2\xa3]|[\xd0][\xa8\xa9]|[\xd1][\x88\x89\xa1\xb0\xb1\xbf]|[\xd4][\x9c\x9d]|[\xd5][\xa1\xba]|[\xe1](?:[\xba][\x80-\x89\x98]|[\xbd][\xa0-\xa7\xbc\xbd]|[\xbe][\xa0-\xa7]|[\xbf][\xb2-\xb7])|[\xf0][\x9d](?:[\x90][\x96\xb0]|[\x91][\x8a\xa4\xbe]|[\x92][\x98\xb2]|[\x93][\x8c\xa6]|[\x94][\x80\xb4]|[\x95][\x8e\xa8]|[\x96][\x9c\xb6]|[\x97][\x90\xaa]|[\x98][\x84\x9e\xb8]|[\x99][\x92\xac]|[\x9a][\x86\xa0\xbf]|[\x9b][\x97\x99\x9a\xa1\xb9]|[\x9c][\x91\x93\x94\x9b\xb3]|[\x9d][\x8b\x8d\x8e\x95\xad]|[\x9e][\x85\x87\x88\x8f\xa7\xbf]|[\x9f][\x81\x82\x89])) -replace_tag X (?:[xX\xd7\xf7]|><|[\xce][\xa7]|[\xcf][\x87\xa7\x97\xb0]|[\xd0][\x96\xa5\xb6]|[\xd1][\x85]|[\xd2][\x96\x97\xb2\xb3]|[\xd3][\x81\x82\x9c\x9d\xbc\xbd\xbe\xbf]|[\xe1](?:[\xba][\x8a-\x8d])|[\xf0][\x9d](?:[\x90][\x97\xb1]|[\x91][\x8b\xa5\xbf]|[\x92][\x99]|[\x93][\x8d]|[\x94][\x81\xb5]|[\x95][\x8f\xa9]|[\x96][\x83\x9d\xb7]|[\x97][\x91\xab]|[\x98][\x85\x9f\xb9]|[\x99][\x93\xad]|[\x9a][\x87\xa1\xbe]|[\x9b][\x98\x9e\xb8]|[\x9c][\x92\x98\xb2]|[\x9d][\x92\x9f]|[\x9e][\x86\x8c\xa6]|[\x9f][\x80\x86])) -replace_tag Y (?:[yY\xbe\xd5\xdb\xe3\xff\xfd\xa5j]|[\xc3][\x9d\xbd\xbf]|[\xc5][\xb6\xb7\xb8]|[\xce][\x8e\xa5\xab\xb3]|[\xcf][\x92\x93\x94]|[\xd0][\x8e\xa3]|[\xd1][\x83\x87\x9e]|[\xd2][\xae\xaf\xb0\xb1\xb6\xb7\xb8\xb9]|[\xd3][\x8b\x8c\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5]|[\xd4][\xbf]|[\xd5][\x8e\xaf\xbe]|[\xe1](?:[\xba][\x8e\x8f\x99]|[\xbb][\xb2-\xb9\xbe\xbf]|[\xbd][\x99-\x9f]|[\xbf][\xa8-\xab])|[\xf0][\x9d](?:[\x90][\x98\xb2]|[\x91][\x8c\xa6]|[\x92][\x80\x9a\xb4]|[\x93][\x8e\xa8]|[\x94][\x82]|[\x95][\x90\xaa]|[\x96][\xb8]|[\x97][\x92\xac]|[\x98][\x86\xa0\xba]|[\x99][\x94\xae]|[\x9a][\x88\xa2\xbc]|[\x9b][\x84\xb6\xbe]|[\x9c][\xb0\xb8]|[\x9d][\xaa\xb2]|[\x9e][\xa4\xac])) -replace_tag Z (?:[zZs\xc6]|[\xc5][\xb9\xba\xbb\xbc\xbd\xbe]|[\xce][\x96\xb6]|[\xe1](?:[\xba][\x90-\x95])|[\xf0][\x9d](?:[\x90][\x99\xb3]|[\x91][\x8d\xa7]|[\x92][\x81\x9b]|[\x95][\x91\xab]|[\x96][\xb9]|[\x97][\x93\xad]|[\x98][\x87\xa1\xbb]|[\x99][\x95\xaf]|[\x9a][\x89\xa3\xad]|[\x9b][\xa7]|[\x9c][\xa1]|[\x9d][\x9b]|[\x9e][\x95])) -replace_tag IMG (?:jpe?g|gif|png) -replace_tag SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-] -replace_tag WS (?:=?\s|[\xe2](?:[\x80][\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\xaf]|[\x81][\x9f])|&(?:\#(?:8(?:19[2-9]|20[0-5]|239|287)|160|xa0)|(?:e[nm]|nb|thin)sp);) -replace_tag CUR [\$\xa5\xa3\xa4\xa2] - -replace_inter SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-] -replace_inter W1 \W? -replace_inter W2 \W{0,2} -replace_inter W3 \W{0,3} - -replace_post P2 {1,2} -replace_post P3 {1,3} - -########################################################################### -# fuzzy header tests - -header SUBJECT_FUZZY_MEDS Subject =~ /(?:\b|_)(?!meds)<M><E><D><S>(?:\b|_)/i -describe SUBJECT_FUZZY_MEDS Attempt to obfuscate words in Subject: -replace_rules SUBJECT_FUZZY_MEDS - -header __SUBJECT_FUZZY_VPILL Subject =~ /<inter W2><post P3>(?!viagra)<V><I><A><G><R><A>/i -replace_rules __SUBJECT_FUZZY_VPILL -meta SUBJECT_FUZZY_VPILL __SUBJECT_FUZZY_VPILL && !FUZZY_VPILL -describe SUBJECT_FUZZY_VPILL Attempt to obfuscate words in Subject: - -header SUBJECT_FUZZY_CHEAP Subject =~ /<inter W2><post P3>\b(?!cheap)<C><H><E><A><P>(?:\b|<E>)/i -describe SUBJECT_FUZZY_CHEAP Attempt to obfuscate words in Subject: -replace_rules SUBJECT_FUZZY_CHEAP - -header SUBJECT_FUZZY_PENIS Subject =~ /<inter W3><post P3>\b(?!pen\s?(?:ie?s|ny[ ']?s))<P><E><N><I><S>\b/i -describe SUBJECT_FUZZY_PENIS Attempt to obfuscate words in Subject: -replace_rules SUBJECT_FUZZY_PENIS - -header SUBJECT_FUZZY_TION Subject =~ /<post P3>(?!tion)<T><I><O><N>/i -describe SUBJECT_FUZZY_TION Attempt to obfuscate words in Subject: -replace_rules SUBJECT_FUZZY_TION - -########################################################################### -# fuzzy body tests - -body FUZZY_AFFORDABLE /<inter W1><post P2>(?!affordable)<A><F><F><O><R><D><A><B><L><E>/i -describe FUZZY_AFFORDABLE Attempt to obfuscate words in spam -replace_rules FUZZY_AFFORDABLE - -# Not performing 6/2019, too much cpu -#body FUZZY_AMBIEN /<inter W1><post P2>(?<!t)(?!ambien)(?!ombien)<A><M><B><I><E><N>/i -#describe FUZZY_AMBIEN Attempt to obfuscate words in spam -#replace_rules FUZZY_AMBIEN - -body FUZZY_BILLION /(?!billion)<B><I><L><L><I><O><N>/i -describe FUZZY_BILLION Attempt to obfuscate words in spam -replace_rules FUZZY_BILLION - - -body FUZZY_CPILL /(?!ciali[sz])<C><I><A><L><I><S>/i -describe FUZZY_CPILL Attempt to obfuscate words in spam -replace_rules FUZZY_CPILL - -body FUZZY_CREDIT /<inter W1>(?![ck]r(?:[e\xe9]|\xc3\xa9)dit)<C><R><E><D><I><T>/i -describe FUZZY_CREDIT Attempt to obfuscate words in spam -replace_rules FUZZY_CREDIT - -# Not performing 6/2019, too much cpu -#body FUZZY_ERECT /<inter W2><post P3>(?!erection)<E><R><E><C><T><I><O><N>/i -#describe FUZZY_ERECT Attempt to obfuscate words in spam -#replace_rules FUZZY_ERECT - - -body FUZZY_GUARANTEE /<inter W1><post P2>(?!guarantee)<G><U><A><R><A><N><T><E><E>/i -describe FUZZY_GUARANTEE Attempt to obfuscate words in spam -replace_rules FUZZY_GUARANTEE - -body FUZZY_MEDICATION /<inter W1><post P2>(?!medicati[eo])<M><E><D><I><C><A><T><I><O><N>/i -describe FUZZY_MEDICATION Attempt to obfuscate words in spam -replace_rules FUZZY_MEDICATION - - -body FUZZY_MILLION /(?!milli?[o\xf3\xd3]n)<M><I><L><L><I><O><N>/i -describe FUZZY_MILLION Attempt to obfuscate words in spam -replace_rules FUZZY_MILLION - -body FUZZY_MONEY /(?!money)<M><O><N><E><Y>/i -describe FUZZY_MONEY Attempt to obfuscate words in spam -replace_rules FUZZY_MONEY - -body FUZZY_MORTGAGE /<inter W1><post P2>(?!mortgage)<M><O><R><T><G><A><G><E>/i -describe FUZZY_MORTGAGE Attempt to obfuscate words in spam -replace_rules FUZZY_MORTGAGE - -body FUZZY_OBLIGATION /<inter W1><post P2>(?!obligation)<O><B><L><I><G><A><T><I><O><N>/i -describe FUZZY_OBLIGATION Attempt to obfuscate words in spam -replace_rules FUZZY_OBLIGATION - -body FUZZY_OFFERS /(?!offers)<O><F><F><E><R><S>/i -describe FUZZY_OFFERS Attempt to obfuscate words in spam -replace_rules FUZZY_OFFERS - -body FUZZY_PHARMACY /<inter W2><post P2>(?!pharmacy)<P><H><A><R><M><A><C><Y>/i -describe FUZZY_PHARMACY Attempt to obfuscate words in spam -replace_rules FUZZY_PHARMACY - -body FUZZY_PHENT /<inter W1><post P2>(?!phentermine)<P><H><E><N><T><E><R><M><I><N><E>/i -describe FUZZY_PHENT Attempt to obfuscate words in spam -replace_rules FUZZY_PHENT - - -body FUZZY_PRESCRIPT /<inter W2><post P2>(?!prescription)<P><R><E><S><C><R><I><P><T><I><O><N>/i -describe FUZZY_PRESCRIPT Attempt to obfuscate words in spam -replace_rules FUZZY_PRESCRIPT - -# left S off of negative look-ahead on purpose -body FUZZY_PRICES /<inter W2><post P2>(?!price)<P><R><I><C><E><S>/i -describe FUZZY_PRICES Attempt to obfuscate words in spam -replace_rules FUZZY_PRICES - -body FUZZY_REFINANCE /<inter W2><post P2>(?!refinance)<R><E><F><I><N><A><N><C><E>/i -describe FUZZY_REFINANCE Attempt to obfuscate words in spam -replace_rules FUZZY_REFINANCE - -body FUZZY_REMOVE /(?!remove)<R><E><M><O><V><E>/i -describe FUZZY_REMOVE Attempt to obfuscate words in spam -replace_rules FUZZY_REMOVE - -# Not performing 6/2019, too much cpu -#body FUZZY_ROLEX /(?!rolex)<R><O><L><E><X>/i -#describe FUZZY_ROLEX Attempt to obfuscate words in spam -#replace_rules FUZZY_ROLEX - -body FUZZY_SOFTWARE /(?!software)<S><O><F><T><W><A><R><E>/i -describe FUZZY_SOFTWARE Attempt to obfuscate words in spam -replace_rules FUZZY_SOFTWARE - -body FUZZY_THOUSANDS /(?!thousands)<T><H><O><U><S><A><N><D><S>/i -describe FUZZY_THOUSANDS Attempt to obfuscate words in spam -replace_rules FUZZY_THOUSANDS - - -body FUZZY_VLIUM /<inter W1><post P2>(?!valium|verifiquem|volturno|vollum)<V><A><L><I><U><M>/i -describe FUZZY_VLIUM Attempt to obfuscate words in spam -replace_rules FUZZY_VLIUM - - -body FUZZY_VIOXX /<inter W1><post P2>(?!vioxx)<V><I><O><X><X>/i -describe FUZZY_VIOXX Attempt to obfuscate words in spam -replace_rules FUZZY_VIOXX - -body FUZZY_VPILL /(?!viagra)<V><I><A><G><R><A>/i -describe FUZZY_VPILL Attempt to obfuscate words in spam -replace_rules FUZZY_VPILL - -body FUZZY_XPILL /<inter W3><post P2>(?!xanax)<X><A><N><A><X>/i -describe FUZZY_XPILL Attempt to obfuscate words in spam -replace_rules FUZZY_XPILL - -endif # Mail::SpamAssassin::Plugin::ReplaceTags diff --git a/resources/spamassassin/25_spf.cf b/resources/spamassassin/25_spf.cf deleted file mode 100644 index 3bc817cb..00000000 --- a/resources/spamassassin/25_spf.cf +++ /dev/null @@ -1,124 +0,0 @@ -# SpamAssassin - SPF rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Requires the Mail::SpamAssassin::Plugin::SPF plugin be loaded. - -ifplugin Mail::SpamAssassin::Plugin::SPF - -# SPF support: -# "pass" is nice -# "neutral" is somewhat bad -# "fail" is bad -# "softfail" is bad, but not as bad as "fail" -# "permerror" is very bad, and means the domain doesn't have a valid spf record -# These are more trustworthy results than the SPF_HELO rules. - -# some are "userconf" so that scores are set by hand? - -header SPF_PASS eval:check_for_spf_pass() -describe SPF_PASS SPF: sender matches SPF record -tflags SPF_PASS nice userconf net -reuse SPF_PASS - -header SPF_NEUTRAL eval:check_for_spf_neutral() -describe SPF_NEUTRAL SPF: sender does not match SPF record (neutral) -tflags SPF_NEUTRAL net -reuse SPF_NEUTRAL - -header SPF_FAIL eval:check_for_spf_fail() -describe SPF_FAIL SPF: sender does not match SPF record (fail) -tflags SPF_FAIL net -reuse SPF_FAIL - -header SPF_SOFTFAIL eval:check_for_spf_softfail() -describe SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) -tflags SPF_SOFTFAIL net -reuse SPF_SOFTFAIL - - -# NOTE: SPF_HELO_PASS is not incredibly hard to fake, so shouldn't -# provide much in the way of points compared to SPF_PASS et al. -# However, a *failure* is still a very good spamsign. - -header SPF_HELO_PASS eval:check_for_spf_helo_pass() -describe SPF_HELO_PASS SPF: HELO matches SPF record -tflags SPF_HELO_PASS nice userconf net -reuse SPF_HELO_PASS - -header SPF_HELO_NEUTRAL eval:check_for_spf_helo_neutral() -describe SPF_HELO_NEUTRAL SPF: HELO does not match SPF record (neutral) -tflags SPF_HELO_NEUTRAL net -reuse SPF_HELO_NEUTRAL - -header SPF_HELO_FAIL eval:check_for_spf_helo_fail() -describe SPF_HELO_FAIL SPF: HELO does not match SPF record (fail) -tflags SPF_HELO_FAIL net -reuse SPF_HELO_FAIL - -header SPF_HELO_SOFTFAIL eval:check_for_spf_helo_softfail() -describe SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) -tflags SPF_HELO_SOFTFAIL net -reuse SPF_HELO_SOFTFAIL - -# Implementing the Sender Check for No SPF REcord defaulting to disabled so Admins can override -header SPF_NONE eval:check_for_spf_none() -describe SPF_NONE SPF: sender does not publish an SPF Record -tflags SPF_NONE net -reuse SPF_NONE - -header SPF_HELO_NONE eval:check_for_spf_helo_none() -describe SPF_HELO_NONE SPF: HELO does not publish an SPF Record -tflags SPF_HELO_NONE net -reuse SPF_HELO_NONE - - - -if can(Mail::SpamAssassin::Plugin::SPF::has_check_for_spf_errors) - -header T_SPF_PERMERROR eval:check_for_spf_permerror() -describe T_SPF_PERMERROR SPF: test of record failed (permerror) -tflags T_SPF_PERMERROR net -reuse T_SPF_PERMERROR - -header T_SPF_TEMPERROR eval:check_for_spf_temperror() -describe T_SPF_TEMPERROR SPF: test of record failed (temperror) -tflags T_SPF_TEMPERROR net -reuse T_SPF_TEMPERROR - -header T_SPF_HELO_PERMERROR eval:check_for_spf_helo_permerror() -describe T_SPF_HELO_PERMERROR SPF: test of HELO record failed (permerror) -tflags T_SPF_HELO_PERMERROR net -reuse T_SPF_HELO_PERMERROR - -header T_SPF_HELO_TEMPERROR eval:check_for_spf_helo_temperror() -describe T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror) -tflags T_SPF_HELO_TEMPERROR net -reuse T_SPF_HELO_TEMPERROR - -endif - - - -endif # Mail::SpamAssassin::Plugin::SPF diff --git a/resources/spamassassin/25_textcat.cf b/resources/spamassassin/25_textcat.cf deleted file mode 100644 index f2a20ba8..00000000 --- a/resources/spamassassin/25_textcat.cf +++ /dev/null @@ -1,43 +0,0 @@ -# SpamAssassin rules file: language tests -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# Note: body tests are run with long lines, so be sure to limit the -# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge -# search times. -# -# Note: If you are adding a rule which looks for a phrase in the body -# (as most of them do), please add it to rules/20_phrases.cf instead. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::TextCat - -body UNWANTED_LANGUAGE_BODY eval:check_language() -describe UNWANTED_LANGUAGE_BODY Message written in an undesired language -tflags UNWANTED_LANGUAGE_BODY userconf - -body BODY_8BITS eval:check_body_8bits() -describe BODY_8BITS Body includes 8 consecutive 8-bit characters -tflags BODY_8BITS userconf - -endif diff --git a/resources/spamassassin/25_uribl.cf b/resources/spamassassin/25_uribl.cf deleted file mode 100644 index 16a95a7e..00000000 --- a/resources/spamassassin/25_uribl.cf +++ /dev/null @@ -1,364 +0,0 @@ -# SpamAssassin - URIDNSBL rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded. -# Note that this plugin defines a new config setting, 'uridnsbl', -# which lists the zones to look up in advance. The rules will -# not hit unless each rule has a corresponding 'uridnsbl' line. - -ifplugin Mail::SpamAssassin::Plugin::URIDNSBL - -########################################################################### -## Spamhaus - -uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2 -body URIBL_SBL eval:check_uridnsbl('URIBL_SBL') -describe URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist -tflags URIBL_SBL net -reuse URIBL_SBL - -uridnssub URIBL_CSS zen.spamhaus.org. A 127.0.0.3 -body URIBL_CSS eval:check_uridnsbl('URIBL_CSS') -describe URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS blocklist -tflags URIBL_CSS net -reuse URIBL_CSS - -# Only works correctly from 3.4.3, earlier versions basically run as URIBL_SBL duplicate -if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_uridnsbl_for_a) - uridnssub URIBL_SBL_A zen.spamhaus.org. A 127.0.0.2 - body URIBL_SBL_A eval:check_uridnsbl('URIBL_SBL_A') - describe URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist - tflags URIBL_SBL_A net a - reuse URIBL_SBL_A - - uridnssub URIBL_CSS_A zen.spamhaus.org. A 127.0.0.3 - body URIBL_CSS_A eval:check_uridnsbl('URIBL_CSS_A') - describe URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS blocklist - tflags URIBL_CSS_A net a - reuse URIBL_CSS_A -endif - -# New blocked checks 10/2019 -uridnssub URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org. A 127.255.255.254 -body URIBL_ZEN_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_ZEN_BLOCKED_OPENDNS') -describe URIBL_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ -tflags URIBL_ZEN_BLOCKED_OPENDNS net -reuse URIBL_ZEN_BLOCKED_OPENDNS - -# New blocked checks 10/2019 -uridnssub URIBL_ZEN_BLOCKED zen.spamhaus.org. A 127.255.255.255 -body URIBL_ZEN_BLOCKED eval:check_uridnsbl('URIBL_ZEN_BLOCKED') -describe URIBL_ZEN_BLOCKED ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ -tflags URIBL_ZEN_BLOCKED net -reuse URIBL_ZEN_BLOCKED - -if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) -dns_block_rule URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org -dns_block_rule URIBL_ZEN_BLOCKED zen.spamhaus.org -endif - - -# DBL, https://www.spamhaus.org/dbl/ -# changes axb 05-17-2014: as per https://www.spamhaus.org/news/article/713/ -# SH changes effective 06-01-2014 -if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only) - -urirhssub URIBL_DBL_SPAM dbl.spamhaus.org. A 127.0.1.2 -body URIBL_DBL_SPAM eval:check_uridnsbl('URIBL_DBL_SPAM') -describe URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_SPAM net domains_only notrim -reuse URIBL_DBL_SPAM - -urirhssub URIBL_DBL_PHISH dbl.spamhaus.org. A 127.0.1.4 -body URIBL_DBL_PHISH eval:check_uridnsbl('URIBL_DBL_PHISH') -describe URIBL_DBL_PHISH Contains a Phishing URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_PHISH net domains_only notrim -reuse URIBL_DBL_PHISH - -urirhssub URIBL_DBL_MALWARE dbl.spamhaus.org. A 127.0.1.5 -body URIBL_DBL_MALWARE eval:check_uridnsbl('URIBL_DBL_MALWARE') -describe URIBL_DBL_MALWARE Contains a malware URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_MALWARE net domains_only notrim -reuse URIBL_DBL_MALWARE - -urirhssub URIBL_DBL_BOTNETCC dbl.spamhaus.org. A 127.0.1.6 -body URIBL_DBL_BOTNETCC eval:check_uridnsbl('URIBL_DBL_BOTNETCC') -describe URIBL_DBL_BOTNETCC Contains a botned C&C URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_BOTNETCC net domains_only notrim -reuse URIBL_DBL_BOTNETCC - -urirhssub URIBL_DBL_ABUSE_SPAM dbl.spamhaus.org. A 127.0.1.102 -body URIBL_DBL_ABUSE_SPAM eval:check_uridnsbl('URIBL_DBL_ABUSE_SPAM') -describe URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_ABUSE_SPAM net domains_only notrim -reuse URIBL_DBL_ABUSE_SPAM - -urirhssub URIBL_DBL_ABUSE_REDIR dbl.spamhaus.org. A 127.0.1.103 -body URIBL_DBL_ABUSE_REDIR eval:check_uridnsbl('URIBL_DBL_ABUSE_REDIR') -describe URIBL_DBL_ABUSE_REDIR Contains an abused redirector URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_ABUSE_REDIR net domains_only notrim -reuse URIBL_DBL_ABUSE_REDIR - -urirhssub URIBL_DBL_ABUSE_PHISH dbl.spamhaus.org. A 127.0.1.104 -body URIBL_DBL_ABUSE_PHISH eval:check_uridnsbl('URIBL_DBL_ABUSE_PHISH') -describe URIBL_DBL_ABUSE_PHISH Contains an abused phishing URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_ABUSE_PHISH net domains_only notrim -reuse URIBL_DBL_ABUSE_PHISH - -urirhssub URIBL_DBL_ABUSE_MALW dbl.spamhaus.org. A 127.0.1.105 -body URIBL_DBL_ABUSE_MALW eval:check_uridnsbl('URIBL_DBL_ABUSE_MALW') -describe URIBL_DBL_ABUSE_MALW Contains an abused malware URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_ABUSE_MALW net domains_only notrim -reuse URIBL_DBL_ABUSE_MALW - -urirhssub URIBL_DBL_ABUSE_BOTCC dbl.spamhaus.org. A 127.0.1.106 -body URIBL_DBL_ABUSE_BOTCC eval:check_uridnsbl('URIBL_DBL_ABUSE_BOTCC') -describe URIBL_DBL_ABUSE_BOTCC Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist -tflags URIBL_DBL_ABUSE_BOTCC net domains_only notrim -reuse URIBL_DBL_ABUSE_BOTCC - - -# this indicates that IP-address queries were sent to DBL, and should -# never appear; if it does, something is wrong with SpamAssassin -urirhssub URIBL_DBL_ERROR dbl.spamhaus.org. A 127.0.1.255 -body URIBL_DBL_ERROR eval:check_uridnsbl('URIBL_DBL_ERROR') -describe URIBL_DBL_ERROR Error: queried the Spamhaus DBL blocklist for an IP -tflags URIBL_DBL_ERROR net domains_only notrim -reuse URIBL_DBL_ERROR - -# New blocked checks 10/2019 -urirhssub URIBL_DBL_BLOCKED_OPENDNS dbl.spamhaus.org. A 127.255.255.254 -body URIBL_DBL_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_DBL_BLOCKED_OPENDNS') -describe URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ -tflags URIBL_DBL_BLOCKED_OPENDNS net domains_only notrim -reuse URIBL_DBL_BLOCKED_OPENDNS - -# New blocked checks 10/2019 -urirhssub URIBL_DBL_BLOCKED dbl.spamhaus.org. A 127.255.255.255 -body URIBL_DBL_BLOCKED eval:check_uridnsbl('URIBL_DBL_BLOCKED') -describe URIBL_DBL_BLOCKED ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ -tflags URIBL_DBL_BLOCKED net domains_only notrim -reuse URIBL_DBL_BLOCKED - -endif - -########################################################################### -## SURBL - -#MERGED INTO BIT 64 per bug 7279 -#urirhssub URIBL_SC_SURBL multi.surbl.org. A 2 -#body URIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL') -#describe URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist -#tflags URIBL_SC_SURBL net notrim -#reuse URIBL_SC_SURBL - -urirhssub URIBL_WS_SURBL multi.surbl.org. A 4 -body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL') -describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist -tflags URIBL_WS_SURBL net notrim -reuse URIBL_WS_SURBL - -urirhssub URIBL_PH_SURBL multi.surbl.org. A 8 -body URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL') -describe URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist -tflags URIBL_PH_SURBL net notrim -reuse URIBL_PH_SURBL - -urirhssub URIBL_MW_SURBL multi.surbl.org. A 16 -body URIBL_MW_SURBL eval:check_uridnsbl('URIBL_MW_SURBL') -describe URIBL_MW_SURBL Contains a URL listed in the MW SURBL blocklist -tflags URIBL_MW_SURBL net notrim -reuse URIBL_MW_SURBL - -urirhssub URIBL_CR_SURBL multi.surbl.org. A 128 -body URIBL_CR_SURBL eval:check_uridnsbl('URIBL_CR_SURBL') -describe URIBL_CR_SURBL Contains an URL listed in the CR SURBL blocklist -tflags URIBL_CR_SURBL net notrim -reuse URIBL_CR_SURBL - -#MERGED INTO BIT 64 per bug 7279 -#urirhssub URIBL_AB_SURBL multi.surbl.org. A 32 -#body URIBL_AB_SURBL eval:check_uridnsbl('URIBL_AB_SURBL') -#describe URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist -#tflags URIBL_AB_SURBL net notrim -#reuse URIBL_AB_SURBL - -#JP MOVED INTO ABUSE AS WELL AND BIT REUSED per bug 7279 -urirhssub URIBL_ABUSE_SURBL multi.surbl.org. A 64 -body URIBL_ABUSE_SURBL eval:check_uridnsbl('URIBL_ABUSE_SURBL') -describe URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist -tflags URIBL_ABUSE_SURBL net notrim -reuse URIBL_ABUSE_SURBL - -#SURBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you. -urirhssub SURBL_BLOCKED multi.surbl.org. A 1 -body SURBL_BLOCKED eval:check_uridnsbl('SURBL_BLOCKED') -describe SURBL_BLOCKED ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. -tflags SURBL_BLOCKED net noautolearn notrim -reuse SURBL_BLOCKED - -if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) -dns_block_rule SURBL_BLOCKED multi.surbl.org -endif - -########################################################################### -## URIBL - -urirhssub URIBL_BLACK multi.uribl.com. A 2 -body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK') -describe URIBL_BLACK Contains an URL listed in the URIBL blacklist -tflags URIBL_BLACK net -reuse URIBL_BLACK - -urirhssub URIBL_GREY multi.uribl.com. A 4 -body URIBL_GREY eval:check_uridnsbl('URIBL_GREY') -describe URIBL_GREY Contains an URL listed in the URIBL greylist -tflags URIBL_GREY net -reuse URIBL_GREY - -urirhssub URIBL_RED multi.uribl.com. A 8 -body URIBL_RED eval:check_uridnsbl('URIBL_RED') -describe URIBL_RED Contains an URL listed in the URIBL redlist -tflags URIBL_RED net -reuse URIBL_RED - -#URIBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you. -urirhssub URIBL_BLOCKED multi.uribl.com. A 1 -body URIBL_BLOCKED eval:check_uridnsbl('URIBL_BLOCKED') -describe URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. -tflags URIBL_BLOCKED net noautolearn -reuse URIBL_BLOCKED - -if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) -dns_block_rule URIBL_BLOCKED multi.uribl.com -endif - -########################################################################### -## DOMAINS TO SKIP (KNOWN GOOD) - -# Linting -uridnsbl_skip_domain taint.org - -# Don't bother looking for example domains as per RFC 2606. -uridnsbl_skip_domain example.com example.net example.org - -uridnsbl_skip_domain local.cf - -# MUA CSS class definitions -uridnsbl_skip_domain div.tk p.tk li.tk no.tk - -# (roughly) top 200 domains not blacklisted by SURBL -uridnsbl_skip_domain 126.com 163.com 2o7.net 4at1.com -uridnsbl_skip_domain 5iantlavalamp.com about.com adelphia.net adobe.com addthis.com -uridnsbl_skip_domain agora-inc.com agoramedia.com akamai.net -uridnsbl_skip_domain akamaitech.net amazon.com ancestry.com aol.com -uridnsbl_skip_domain apache.org apple.com arcamax.com astrology.com apple.news -uridnsbl_skip_domain atdmt.com att.net bbc.co.uk -uridnsbl_skip_domain bcentral.com bellsouth.net bfi0.com -uridnsbl_skip_domain bridgetrack.com cafe24.com charter.net -uridnsbl_skip_domain citibank.com citizensbank.com cjb.net -uridnsbl_skip_domain classmates.com clickbank.net cnet.com -uridnsbl_skip_domain cnn.com com.com com.ne.kr comcast.net -uridnsbl_skip_domain corporate-ir.net cox.net cs.com -uridnsbl_skip_domain custhelp.com daum.net dd.se debian.org -uridnsbl_skip_domain dell.com directtrack.com directnic.com domain.com -uridnsbl_skip_domain dsbl.org earthlink.net ebay.co.uk ebay.com -uridnsbl_skip_domain ebayimg.com ebaystatic.com edgesuite.net ediets.com -uridnsbl_skip_domain egroups.com emode.com excite.com f-secure.com -uridnsbl_skip_domain free.fr freebsd.org -uridnsbl_skip_domain gentoo.org geocities.com gmail.com gmx.net -uridnsbl_skip_domain go.com google.com googleadservices.com grisoft.com -uridnsbl_skip_domain hallmark.com hinet.net hotbar.com hotmail.com -uridnsbl_skip_domain hotpop.com hp.com ibm.com incredimail.com -uridnsbl_skip_domain investorplace.com ivillage.com joingevalia.com -uridnsbl_skip_domain juno.com kernel.org livejournal.com lycos.com -uridnsbl_skip_domain m7z.net mac.com macromedia.com -uridnsbl_skip_domain mail.com mail.ru mailscanner.info marketwatch.com -uridnsbl_skip_domain mcafee.com mchsi.com messagelabs.com -uridnsbl_skip_domain microsoft.com military.com mindspring.com mit.edu -uridnsbl_skip_domain monster.com msn.com nate.com -uridnsbl_skip_domain netflix.com netscape.com netscape.net netzero.net -uridnsbl_skip_domain norman.com nytimes.com optonline.net osdn.com -uridnsbl_skip_domain overstock.com pacbell.net pandasoftware.com -uridnsbl_skip_domain paypal.com peoplepc.com plaxo.com -uridnsbl_skip_domain prodigy.net radaruol.com.br -uridnsbl_skip_domain real.com redhat.com regions.com regionsnet.com -uridnsbl_skip_domain rogers.com rr.com sbcglobal.net sec.gov sf.net -uridnsbl_skip_domain shaw.ca shockwave.com smithbarney.com -uridnsbl_skip_domain sourceforge.net spamcop.net speedera.net sportsline.com -uridnsbl_skip_domain sun.com suntrust.com sympatico.ca t-online.de -uridnsbl_skip_domain tails.nl telus.net terra.com.br ticketmaster.com -uridnsbl_skip_domain tinyurl.com tiscali.co.uk tom.com -uridnsbl_skip_domain tone.co.nz tux.org uol.com.br -uridnsbl_skip_domain ups.com verizon.net w3.org usps.com -uridnsbl_skip_domain wamu.com wanadoo.fr washingtonpost.com weatherbug.com -uridnsbl_skip_domain web.de webshots.com webtv.net wsj.com -uridnsbl_skip_domain yahoo.ca yahoo.co.kr yahoo.co.uk -uridnsbl_skip_domain yahoo.com yahoo.com.br yahoogroups.com yimg.com -uridnsbl_skip_domain yopi.de yoursite.com zdnet.com -uridnsbl_skip_domain openxmlformats.org passport.com xmlsoap.org -uridnsbl_skip_domain abc.xyz avast.com schema.org - -# wtogami's most frequent known good URIDNSBL lookups (1/1/2011) -uridnsbl_skip_domain alexa.com ask.com baidu.com bing.com craigslist.org -uridnsbl_skip_domain doubleclick.com ebay.de facebook.com flickr.com godaddy.com -uridnsbl_skip_domain google.co.in google.it mozilla.com myspace.com rediff.com -uridnsbl_skip_domain twitter.com wordpress.com yahoo.co.jp youtube.com - -# axb's frequent known good URIDNSBL lookups - -uridnsbl_skip_domain fedex.com -uridnsbl_skip_domain openoffice.org -uridnsbl_skip_domain vk.com - -# pointless footer noise -uridnsbl_skip_domain security.cloud -uridnsbl_skip_domain yac.mx - -# Microsoft on ns1.msedge.net -uridnsbl_skip_domain microsofttranslator.com office.com microsoftonline.com bing.com msedge.net - -# Some frequent known good URIDNSBL lookups 3.10.2018 -hk -uridnsbl_skip_domain aka.ms akamaihd.net alibaba.com alicdn.com amazon.co.uk -uridnsbl_skip_domain amazon.de amazonses.com bandcamp.com -uridnsbl_skip_domain booking.com cdninstagram.com dhl.com -uridnsbl_skip_domain dhl.fi dna.fi domain.fi dpd.de dropbox.com ebay.fr -uridnsbl_skip_domain elisa.fi elisanet.fi emltrk.com fbcdn.net ficora.fi -uridnsbl_skip_domain gappssmtp.com github.com google-analytics.com -uridnsbl_skip_domain google.de google.fi googleusercontent.com -uridnsbl_skip_domain gstatic.com hotels.com ikea.com images-amazon.com -uridnsbl_skip_domain inet.fi instagram.com kolumbus.fi licdn.com linkedin.com -uridnsbl_skip_domain media-amazon.com mtasv.net mzstatic.com nebula.fi -uridnsbl_skip_domain nic.fi onmicrosoft.com oracle.com paypalobjects.com -uridnsbl_skip_domain pinimg.com pinterest.com posti.com posti.fi pstmrk.it -uridnsbl_skip_domain skype.com soundcloud.com ssl-images-amazon.com -uridnsbl_skip_domain suomi24.fi t.co telia.com telia.fi tnt.com tori.fi -uridnsbl_skip_domain tripadvisor.com twimg.com youtu.be -# Some more frequent known good URIDNSBL lookups 10.4.2020 -hk -uridnsbl_skip_domain docs.google.com etuovi.com iki.fi nflxext.com nflximg.com -uridnsbl_skip_domain nflximg.net outlook.com postnord.com postnord.fi postnord.no -uridnsbl_skip_domain saunalahti.fi - -endif # Mail::SpamAssassin::Plugin::URIDNSBL diff --git a/resources/spamassassin/25_url_shortener.cf b/resources/spamassassin/25_url_shortener.cf deleted file mode 100644 index a0e8fbf4..00000000 --- a/resources/spamassassin/25_url_shortener.cf +++ /dev/null @@ -1,302 +0,0 @@ -# SpamAssassin - URL shortener rules -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -### -### Note that this file contains two separate lists, url_shortener and a -### backup regex generated from it. Both must updated and kept in sync. -### -### __URL_SHORTENER will always by set by either the plugin or regex -### - -# SpamAssassin 4.0 version required -if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url_redir) - -body __URL_SHORTENER eval:short_url() - -body URL_SHORTENER_CHAINED eval:short_url_chained() -describe URL_SHORTENER_CHAINED Message contains shortened URL chained to other shorteners -tflags URL_SHORTENER_CHAINED net -score URL_SHORTENER_CHAINED 0.01 - -uri URL_SHORTENER_DISABLED m,^https://(?:bitly\.com/a/blocked|tinyurl\.com/app/nospam), -describe URL_SHORTENER_DISABLED Message contains shortened URL that has been disabled due to abuse -tflags URL_SHORTENER_DISABLED net -score URL_SHORTENER_DISABLED 2 - -# -# Please only add entries that you manually verified as actual working -# redirectors that can have abusable custom URLs. Adding non-abusable -# services only generates unnecessary HTTP requests. -# -# After any changes, also update __URL_SHORTENER regex at end of file. -# - -# generic list of likely active services - cleaned up 25.05.2022 -url_shortener .ftn.app -url_shortener .page.link -url_shortener .short.gy -url_shortener .shortz.me -url_shortener 0rz.tw -url_shortener 4sq.com -url_shortener 4url.cc -url_shortener afly.co -url_shortener ai6.net -url_shortener amzn.com -url_shortener amzn.to -url_shortener b.link -url_shortener b23.ru -url_shortener binged.it -url_shortener bit.do -url_shortener bit.ly -url_shortener bitly.com -url_shortener bizj.us -url_shortener chilp.it -url_shortener conta.cc -url_shortener crks.me -url_shortener cutt.ly -url_shortener cutwin.biz -url_shortener dai.ly -url_shortener db.tt -url_shortener disq.us -url_shortener dlvr.it -url_shortener doi.org -url_shortener doiop.com -url_shortener eepurl.com -url_shortener fb.me -url_shortener fire.to -url_shortener firsturl.de -url_shortener firsturl.net -url_shortener flic.kr -url_shortener gdurl.com -url_shortener go.ly -url_shortener goo.gl -url_shortener goolnk.com -url_shortener gplinks.in -url_shortener guest.link -url_shortener hellotxt.com -url_shortener hop.kz -url_shortener hotshorturl.com -url_shortener hub.am -url_shortener huff.to -url_shortener hurl.it -url_shortener hyperurl.co -url_shortener inx.lv -url_shortener is.gd -url_shortener it2.in -url_shortener j.mp -url_shortener kore.us -url_shortener kurl.no -url_shortener l.bestsellers.to -url_shortener lnk.sk -url_shortener lnkd.in -url_shortener lnkiy.in -url_shortener lru.jp -url_shortener mrte.ch -url_shortener n9.cl -url_shortener ndurl.com -url_shortener onion.com -url_shortener ouo.io -url_shortener ow.ly -url_shortener owl.li -url_shortener pduda.mobi -url_shortener rb.gy -url_shortener redir.ec -url_shortener rotf.lol -url_shortener s.apache.org -url_shortener s.free.fr -url_shortener s.id -url_shortener shar.es -url_shortener shorl.com -url_shortener shortn.me -url_shortener shorturl.at -url_shortener simurl.net -url_shortener slidesha.re -url_shortener smarturl.it -url_shortener smfu.in -url_shortener snip.ly -url_shortener snkr.me -url_shortener stpmvt.com -url_shortener t.co -url_shortener t.ly -url_shortener tcrn.ch -url_shortener tgr.ph -url_shortener tiny.cc -url_shortener tiny.one -url_shortener tiny.pl -url_shortener tinylink.in -url_shortener tinyurl.com -url_shortener to.ly -url_shortener trib.al -url_shortener twixar.me -url_shortener u.nu -url_shortener u.to -url_shortener url.ie -url_shortener urlcut.com -url_shortener urlday.cc -url_shortener urls.im -url_shortener urlz.at -url_shortener urlzs.com -url_shortener utfg.sk -url_shortener wow.link -url_shortener wp.me -url_shortener x.co -url_shortener x.hypem.com -url_shortener xurl.es -url_shortener yhoo.it -url_shortener youtu.be -url_shortener z23.ru -url_shortener zurl.ws - -# www.shrunken.com - list validated 25.05.2022 -url_shortener www.shrunken.com -url_shortener 0.gp -url_shortener 2.gp -url_shortener 2.ly -url_shortener 3.ly -url_shortener 4.gp -url_shortener 4.ly -url_shortener 5.gp -url_shortener 6.gp -url_shortener 6.ly -url_shortener 7.ly -url_shortener 8.ly -url_shortener 9.ly -url_shortener g.asia -url_shortener p.asia -url_shortener ur3.us - -# shorturl.com - list validated 25.05.2022 -url_shortener alturl.com -url_shortener .1sta.com -url_shortener .24ex.com -url_shortener .2fear.com -url_shortener .2fortune.com -url_shortener .2freedom.com -url_shortener .2hell.com -url_shortener .2savvy.com -url_shortener .2truth.com -url_shortener .2tunes.com -url_shortener .2ya.com -url_shortener .alturl.com -url_shortener .antiblog.com -url_shortener .bigbig.com -url_shortener .dealtap.com -url_shortener .ebored.com -url_shortener .echoz.com -url_shortener .filetap.com -url_shortener .funurl.com -url_shortener .headplug.com -url_shortener .hereweb.com -url_shortener .hitart.com -url_shortener .mirrorz.com -url_shortener .mp3update.com -url_shortener .shorturl.com -url_shortener .spyw.com -url_shortener .vze.com - -# iscool.net - list validated 25.05.2022 -url_shortener .arecool.net -url_shortener .iscool.net -url_shortener .isfun.net -url_shortener .tux.nu - -# kisa.link - list validated 25.05.2022 -url_shortener kisa.link -url_shortener www.kisa.link -url_shortener bul.tc -url_shortener cy.tc -url_shortener fn.tc -url_shortener ftp.tc -url_shortener gr.tc -url_shortener hbr.tc -url_shortener heg.tc -url_shortener ins.tc -url_shortener ko.tc -url_shortener kod.tc -url_shortener lol.tc -url_shortener m2.tc -url_shortener ml.tc -url_shortener mmo.tc -url_shortener oy.tc -url_shortener pc.tc -url_shortener pubg.tc -url_shortener pvp.tc -url_shortener sro.tc -url_shortener tek.link -url_shortener tw.tc - -# grabify.link - list validated 25.05.2022 -url_shortener grabify.link -url_shortener catsnthing.com -url_shortener catsnthings.fun -url_shortener cheapcinema.club -url_shortener dateing.club -url_shortener fortnight.space -url_shortener fortnitechat.site -url_shortener freegiftcards.co -url_shortener gaming-at-my.best -url_shortener gamingfun.me -url_shortener headshot.monster -url_shortener imageshare.best -url_shortener joinmy.site -url_shortener leancoding.co -url_shortener locations.quest -url_shortener lovebird.guru -url_shortener myprivate.pics -url_shortener noodshare.pics -url_shortener partpicker.shop -url_shortener progaming.monster -url_shortener screenshare.pics -url_shortener screenshot.best -url_shortener shhh.lol -url_shortener shrekis.life -url_shortener sportshub.bar -url_shortener stopify.co -url_shortener trulove.guru -url_shortener yourmy.monster - -# GET method required for some services, keep the same services in url_shortener also -if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_get) -url_shortener_get bit.ly -endif - -endif # has_short_url_redir - - -### -### Use a regex if DecodeShortURLs plugin is not loaded -### - -if !can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url_redir) - -## Generate __URL_SHORTENER with this command, to keep it in sync with url_shortener list: -## -## perl -pe 'while (<>) {/^\s*url_shortener\s+(\S+)/ or next;$s=quotemeta($1);$s=~s/^\\./\\w+\\./;push @a,$s} print "uri __URL_SHORTENER m,^https?://(?:".join("|",@a).")/,i\n"' < 25_url_shortener.cf -## - -uri __URL_SHORTENER m,^https?://(?:\w+\.ftn\.app|\w+\.page\.link|\w+\.short\.gy|\w+\.shortz\.me|0rz\.tw|4sq\.com|4url\.cc|afly\.co|ai6\.net|amzn\.com|amzn\.to|b\.link|b23\.ru|binged\.it|bit\.do|bit\.ly|bitly\.com|bizj\.us|chilp\.it|conta\.cc|crks\.me|cutt\.ly|cutwin\.biz|dai\.ly|db\.tt|disq\.us|dlvr\.it|doi\.org|doiop\.com|eepurl\.com|fb\.me|fire\.to|firsturl\.de|firsturl\.net|flic\.kr|gdurl\.com|go\.ly|goo\.gl|goolnk\.com|gplinks\.in|guest\.link|hellotxt\.com|hop\.kz|hotshorturl\.com|hub\.am|huff\.to|hurl\.it|hyperurl\.co|inx\.lv|is\.gd|it2\.in|j\.mp|kore\.us|kurl\.no|l\.bestsellers\.to|lnk\.sk|lnkd\.in|lnkiy\.in|lru\.jp|mrte\.ch|n9\.cl|ndurl\.com|onion\.com|ouo\.io|ow\.ly|owl\.li|pduda\.mobi|rb\.gy|redir\.ec|rotf\.lol|s\.apache\.org|s\.free\.fr|s\.id|shar\.es|shorl\.com|shortn\.me|shorturl\.at|simurl\.net|slidesha\.re|smarturl\.it|smfu\.in|snip\.ly|snkr\.me|stpmvt\.com|t\.co|t\.ly|tcrn\.ch|tgr\.ph|tiny\.cc|tiny\.one|tiny\.pl|tinylink\.in|tinyurl\.com|to\.ly|trib\.al|twixar\.me|u\.nu|u\.to|url\.ie|urlcut\.com|urlday\.cc|urls\.im|urlz\.at|urlzs\.com|utfg\.sk|wow\.link|wp\.me|x\.co|x\.hypem\.com|xurl\.es|yhoo\.it|youtu\.be|z23\.ru|zurl\.ws|www\.shrunken\.com|0\.gp|2\.gp|2\.ly|3\.ly|4\.gp|4\.ly|5\.gp|6\.gp|6\.ly|7\.ly|8\.ly|9\.ly|g\.asia|p\.asia|ur3\.us|alturl\.com|\w+\.1sta\.com|\w+\.24ex\.com|\w+\.2fear\.com|\w+\.2fortune\.com|\w+\.2freedom\.com|\w+\.2hell\.com|\w+\.2savvy\.com|\w+\.2truth\.com|\w+\.2tunes\.com|\w+\.2ya\.com|\w+\.alturl\.com|\w+\.antiblog\.com|\w+\.bigbig\.com|\w+\.dealtap\.com|\w+\.ebored\.com|\w+\.echoz\.com|\w+\.filetap\.com|\w+\.funurl\.com|\w+\.headplug\.com|\w+\.hereweb\.com|\w+\.hitart\.com|\w+\.mirrorz\.com|\w+\.mp3update\.com|\w+\.shorturl\.com|\w+\.spyw\.com|\w+\.vze\.com|\w+\.arecool\.net|\w+\.iscool\.net|\w+\.isfun\.net|\w+\.tux\.nu|kisa\.link|www\.kisa\.link|bul\.tc|cy\.tc|fn\.tc|ftp\.tc|gr\.tc|hbr\.tc|heg\.tc|ins\.tc|ko\.tc|kod\.tc|lol\.tc|m2\.tc|ml\.tc|mmo\.tc|oy\.tc|pc\.tc|pubg\.tc|pvp\.tc|sro\.tc|tek\.link|tw\.tc|grabify\.link|catsnthing\.com|catsnthings\.fun|cheapcinema\.club|dateing\.club|fortnight\.space|fortnitechat\.site|freegiftcards\.co|gaming\-at\-my\.best|gamingfun\.me|headshot\.monster|imageshare\.best|joinmy\.site|leancoding\.co|locations\.quest|lovebird\.guru|myprivate\.pics|noodshare\.pics|partpicker\.shop|progaming\.monster|screenshare\.pics|screenshot\.best|shhh\.lol|shrekis\.life|sportshub\.bar|stopify\.co|trulove\.guru|yourmy\.monster)/,i - -endif - diff --git a/resources/spamassassin/30_text_de.cf b/resources/spamassassin/30_text_de.cf deleted file mode 100644 index 786bc1a1..00000000 --- a/resources/spamassassin/30_text_de.cf +++ /dev/null @@ -1,384 +0,0 @@ -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# character set used in the following texts (no need for iso-8859-15) -lang de report_charset iso-8859-1 - -# ........................................................................ -lang de clear_report_template -lang de report Software zur Erkennung von "Spam" auf dem Rechner -lang de report -lang de report " _HOSTNAME_" -lang de report -lang de report hat die eingegangene E-mail als mögliche "Spam"-Nachricht identifiziert. -lang de report Die ursprüngliche Nachricht wurde an diesen Bericht angehängt, so dass -lang de report Sie sie anschauen können (falls es doch eine legitime E-Mail ist) oder -lang de report ähnliche unerwünschte Nachrichten in Zukunft markieren können. -lang de report Bei Fragen zu diesem Vorgang wenden Sie sich bitte an -lang de report -lang de report " _CONTACTADDRESS_" -lang de report -lang de report Vorschau: _PREVIEW_ -lang de report -lang de report Inhaltsanalyse im Detail: (_SCORE_ Punkte, _REQD_ benötigt) -lang de report -lang de report "Pkte Regelname Beschreibung" -lang de report ---- ---------------------- -------------------------------------------------- -lang de report _SUMMARY_ -# ........................................................................ - -# ........................................................................ -lang de clear_unsafe_report_template -lang de unsafe_report Die ursprüngliche Nachricht enthielt nicht ausschließlich Klartext -lang de unsafe_report (plain text) und kann eventuell eine Gefahr für einige E-Mail-Programme -lang de unsafe_report darstellen (falls sie z.B. einen Computervirus enthält). -lang de unsafe_report Möchten Sie die Nachricht dennoch ansehen, ist es wahrscheinlich -lang de unsafe_report sicherer, sie zuerst in einer Datei zu speichern und diese Datei danach -lang de unsafe_report mit einem Texteditor zu öffnen. -# ........................................................................ - -lang de describe GTUBE Test zur Prüfung von Anti-Spam-Software -lang de describe DIGEST_MULTIPLE Mehrere Internettests (Razor, DCC, Pyzor, etc.) treffen zu -lang de describe TRACKER_ID Beinhaltet eine Identitätsnummer zur Nutzerbeobachtung -lang de describe WEIRD_QUOTING Seltsame Häufung von Anführungszeichen im Nachrichtentext -lang de describe __MIME_BASE64 Enthält Anhang in base64-Kodierung -lang de describe __MIME_QP Enthält Anhang in "quoted-printable"-Kodierung -#lang de describe MIME_BASE64_BLANKS Überflüssige Leerzeilen bei der base64-Kodierung -lang de describe MIME_BASE64_TEXT Text getarnt durch base64-Kodierung -lang de describe MIME_HTML_MOSTLY Mehrteilige MIME-Nachricht überwiegend in HTML -lang de describe MIME_HTML_ONLY MIME-Nachricht besteht nur aus HTML -lang de describe MIME_HTML_ONLY_MULTI Mehrteilige MIME-Nachricht besteht nur aus HTML -lang de describe MIME_QP_LONG_LINE "quoted-printable"-kodierte Zeile länger als 76 Zeichen -lang de describe MIME_CHARSET_FARAWAY MIME-Zeichensatz deutet auf fremde Sprache hin -lang de describe MPART_ALT_DIFF Nachrichtentext im Text- und HTML-Format unterscheiden sich -lang de describe CHARSET_FARAWAY Zeichensatz deutet auf fremde Sprache hin -lang de describe EMAIL_ROT13 Eventuell ROT13-kodierte E-Mail-Adresse im Text -lang de describe BLANK_LINES_80_90 Nachrichtentext besteht zu 80-90% aus Leerzeilen -lang de describe LONGWORDS Eine Reihe von langen Wörtern hintereinander -lang de describe ALL_TRUSTED Nachricht wurde nur über vertrauenswürdige Rechner weitergeleitet -lang de describe __RCVD_IN_SORBS SORBS: Senderechner in Liste von dnsbl.sorbs.net -lang de describe RCVD_IN_SORBS_HTTP SORBS: Senderechner als "open HTTP proxy" gemeldet -lang de describe RCVD_IN_SORBS_MISC SORBS: Senderechner als "open proxy" gemeldet -lang de describe RCVD_IN_SORBS_SMTP SORBS: Senderechner ist ein ungesicherter Mail-Server -lang de describe RCVD_IN_SORBS_SOCKS SORBS: Senderechner als "open SOCKS proxy" gemeldet -lang de describe RCVD_IN_SORBS_WEB SORBS: Senderechner ist ein ungesicherter WWW-Server -lang de describe RCVD_IN_SORBS_BLOCK SORBS: Senderechner verweigert Tests -lang de describe RCVD_IN_SORBS_ZOMBIE SORBS: Senderechner in Liste "entführter" Adressblöcke -lang de describe RCVD_IN_SORBS_DUL SORBS: Senderechner nur temporär mit Internet verbunden -lang de describe RCVD_IN_SBL Transportiert via Rechner in SBL-Liste (https://www.spamhaus.org/sbl/) -lang de describe RCVD_IN_XBL Transportiert via Rechner in XBL-Liste (https://www.spamhaus.org/xbl/) -lang de describe RCVD_IN_BL_SPAMCOP_NET Transportiert via Rechner in Liste von www.spamcop.net -lang de describe RCVD_IN_MAPS_RBL Transportiert via Rechner in Liste von http://www.mail-abuse.org/rbl/ -lang de describe RCVD_IN_MAPS_DUL Transportiert via Rechner in Liste von http://www.mail-abuse.org/dul/ -lang de describe RCVD_IN_MAPS_RSS Transportiert via Rechner in Liste von http://www.mail-abuse.org/rss/ -lang de describe RCVD_IN_MAPS_NML Transportiert via Rechner in Liste von http://www.mail-abuse.org/nml/ -lang de describe SUBJECT_DRUG_GAP_C Betreff enthält 'cialis' mit L.ü.c.k.e.n -lang de describe SUBJECT_DRUG_GAP_L Betreff enthält 'levitra' mit L.ü.c.k.e.n -lang de describe SUBJECT_DRUG_GAP_S Betreff enthält 'soma' mit L.ü.c.k.e.n -#lang de describe SUBJECT_DRUG_GAP_VA Betreff enthält 'valium' mit L.ü.c.k.e.n -lang de describe SUBJECT_DRUG_GAP_X Betreff enthält 'xanax' mit L.ü.c.k.e.n -lang de describe DRUG_DOSAGE Erwähnt den Preis einer Dosis -lang de describe DRUG_ED_CAPS Erwähnt Medikament gegen Erektionsstörung -lang de describe DRUG_ED_SILD Chemische Bezeichnung eines Medikaments gegen Erektionsstörungen -lang de describe DRUG_ED_GENERIC Viagra als billiges Nachahmerpräparat -lang de describe DRUG_ED_ONLINE Schnelle Lieferung von Viagra -lang de describe ONLINE_PHARMACY Internetapotheke -lang de describe VIA_GAP_GRA Versucht das Wort 'viagra' zu tarnen -lang de describe DRUGS_ERECTILE Erwähnt ein Medikament gegen Erektionsstörungen -lang de describe DRUGS_ERECTILE_OBFU Erwähnt (getarnt) Medikamente gegen Erektionsstörungen -lang de describe DRUGS_DIET Erwähnt Diätmedikament -lang de describe DRUGS_DIET_OBFU Erwähnt (getarnt) Diätmedikament -lang de describe DRUGS_MUSCLE Erwähnt Muskelentspannungsmittel -lang de describe DRUGS_ANXIETY Erwähnt Medikament gegen Angstneurosen -lang de describe DRUGS_ANXIETY_OBFU Erwähnt (getarnt) Medikament gegen Angstneurosen -lang de describe DRUGS_SMEAR1 Zwei oder mehr Medikamente in einem Wort -lang de describe DRUGS_ANXIETY_EREC Erwähnt Medikamente gegen Erektionsstörungen und Angstneurosen -lang de describe DRUGS_SLEEP_EREC Erwähnt Medikament gegen Erektionsstörungen und Schlafmittel -lang de describe DRUGS_MANYKINDS Erwähnt mindestens vier Arten von Medikamenten -#lang de describe FAKE_HELO_MAIL_COM_DOM HELO-Rechnername verdächtig (mail.com) -lang de describe HELO_DYNAMIC_IPADDR HELO-Rechnername verdächtig (IP-Adresse 1) -lang de describe HELO_DYNAMIC_DHCP HELO-Rechnername verdächtig (DHCP) -lang de describe HELO_DYNAMIC_HCC HELO-Rechnername verdächtig (HCC) -lang de describe HELO_DYNAMIC_ROGERS HELO-Rechnername verdächtig (Rogers) -lang de describe HELO_DYNAMIC_DIALIN HELO-Rechnername verdächtig (T-Dialin) -lang de describe HELO_DYNAMIC_HEXIP HELO-Rechnername verdächtig (Hexadezimale IP-Adresse) -lang de describe HELO_DYNAMIC_SPLIT_IP HELO-Rechnername verdächtig (getrennte IP-Adresse) -lang de describe HELO_DYNAMIC_IPADDR2 HELO-Rechnername verdächtig (IP-Adresse 2) -lang de describe HELO_DYNAMIC_CHELLO_NL HELO-Rechnername verdächtig (Chello.nl) -lang de describe HELO_DYNAMIC_HOME_NL HELO-Rechnername verdächtig (Home.nl) -lang de describe FROM_STARTS_WITH_NUMS Absenderadresse beginnt mit Ziffern im Benutzernamen -lang de describe FROM_OFFERS Absenderadresse enthält "@...offers" -lang de describe FROM_NO_USER Adressteil vor dem @-Zeichen fehlt im Absender -lang de describe PLING_QUERY Betreff enthält Ausrufe- und Fragezeichen -lang de describe SUBJ_ALL_CAPS Betreff enthält nur Großbuchstaben -lang de describe MSGID_SPAM_CAPS Kopfzeile "Message-ID" von Spam-Software erzeugt (Großbuchstaben) -lang de describe MSGID_SPAM_LETTERS Kopfzeile "Message-ID" von Spam-Software erzeugt (Buchstaben) -lang de describe MSGID_OUTLOOK_INVALID Gefälschte Kopfzeile "Message-ID" im Format von Outlook Express -lang de describe MSGID_RANDY Muster in Kopfzeile "Message-ID" typisch für Spam -lang de describe MSGID_YAHOO_CAPS Kopfzeile "Message-ID" enthält GROSSBUCHSTABEN@yahoo.com -lang de describe MSGID_FROM_MTA_HEADER Kopfzeile "Message-ID" von fremdem Senderechner hinzugefügt -lang de describe DATE_SPAMWARE_Y2K Datumskopfzeile hat ungewöhnliches Format -lang de describe INVALID_DATE Datumskopfzeile nicht standardkonform zu RFC 2822 -lang de describe INVALID_DATE_TZ_ABSURD Ungültiges Datum, diese Zeitzone existiert nicht -lang de describe INVALID_TZ_CST Ungültiges Datum in Kopfzeile (falsche CST Zeitzone) -lang de describe INVALID_TZ_EST Ungültiges Datum in Kopfzeile (falsche EST Zeitzone) -lang de describe DATE_IN_PAST_03_06 Absendezeit 3 bis 6 Stunden vor Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_PAST_06_12 Absendezeit 6 bis 12 Stunden vor Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_PAST_12_24 Absendezeit 12 bis 24 Stunden vor Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_PAST_24_48 Absendezeit 24 bis 48 Stunden vor Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_PAST_96_XX Absendezeit mehr als 96 Stunden vor Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_FUTURE_03_06 Absendezeit 3 bis 6 Stunden nach Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_FUTURE_06_12 Absendezeit 6 bis 12 Stunden nach Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_FUTURE_12_24 Absendezeit 12 bis 24 Stunden nach Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_FUTURE_24_48 Absendezeit 24 bis 48 Stunden nach Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_FUTURE_48_96 Absendezeit 48 bis 96 Stunden nach Datum in "Received"-Kopfzeilen -lang de describe DATE_IN_FUTURE_96_XX Absendezeit mehr als 96 Stunden nach Datum in "Received"-Kopfzeilen -lang de describe UNRESOLVED_TEMPLATE Kopfzeilen enthalten nicht ersetzte Variablen -lang de describe SUBJ_ILLEGAL_CHARS Betreff enthält zu viele ungültige Zeichen -lang de describe FROM_ILLEGAL_CHARS Absendeadresse enthält zu viele ungültige Zeichen -lang de describe HEAD_ILLEGAL_CHARS Kopfzeilen enthalten zu viele ungültige Zeichen -lang de describe ENGLISH_UCE_SUBJECT Betreff enthält englische Werbungskennzeichnung -lang de describe JAPANESE_UCE_SUBJECT Betreff enthält japanische Werbungskennzeichnung -lang de describe KOREAN_UCE_SUBJECT Betreff enthält koreanische Werbungskennzeichnung -lang de describe NO_DNS_FOR_FROM Domain der Absendeadresse nicht im DNS registriert (kein MX/A Eintrag) -lang de describe RCVD_HELO_IP_MISMATCH HELO-Name und IP-Adresse in Kopfzeilen passen nicht -lang de describe RCVD_ILLEGAL_IP "Received"-Kopfzeilen enthalten ungültige IP-Adresse -lang de describe RCVD_DOUBLE_IP_SPAM Kennzeichen von Spam-Software (doppelte IP-Adresse) -lang de describe RCVD_DOUBLE_IP_LOOSE Empfänger/Sender in Kopfzeilen sehen aus wie IP-Adressen -lang de describe FORGED_TELESP_RCVD Gefälschte Rechnernamen eines brasilianischen DSL-Providers -lang de describe FORGED_HOTMAIL_RCVD2 Absendeadresse von hotmail.com, aber keine passende "Received"-Zeile -lang de describe FORGED_YAHOO_RCVD Gefälschte "Received"-Kopfzeile von yahoo.com gefunden -lang de describe CONFIRMED_FORGED Gefälschte "Received"-Kopfzeilen -lang de describe MULTI_FORGED Mehrfach gefälschte "Received"-Kopfzeilen -lang de describe NONEXISTENT_CHARSET Den angegebenen Zeichensatz gibt es nicht -lang de describe CHARSET_FARAWAY_HEADER Fremdsprachlicher Zeichensatz in Kopfzeilen benutzt -lang de describe MISSING_DATE Datumskopfzeile fehlt -lang de describe MISSING_HEADERS Empfängeradresse ("To") fehlt -lang de describe MISSING_SUBJECT Betreff ("Subject") fehlt -lang de describe SUSPICIOUS_RECIPS Empfängeradressen sind sich ähnlich -lang de describe SORTED_RECIPS Empfänger sind nach Adressen sortiert -lang de describe GAPPY_SUBJECT Betreff enthält Text mit "L.ü.c.k.e.n" -lang de describe MISSING_MIMEOLE Kopfzeile "X-MSMail-Priority" aber kein "X-MimeOLE" -lang de describe SUBJ_AS_SEEN Betreff enthält "as seen" -lang de describe SUBJ_DOLLARS Betreff beginnt mit einem Dollar-Betrag -#lang de describe SUBJ_YOUR_DEBT Betreff dreht sich um Rechnungen oder Kredite -lang de describe SUBJ_YOUR_FAMILY Betreff enthält "Your Family" -lang de describe RCVD_FAKE_HELO_DOTCOM "Received"-Kopfzeilen enthalten gefälschten HELO-Rechnernamen -lang de describe SUBJECT_DIET Betreff dreht sich um Gewichtsabnahme -lang de describe MIME_BOUND_DD_DIGITS Bestimmtes Muster von Spam-Software in MIME-Begrenzung -lang de describe MIME_BOUND_DIGITS_15 Bestimmtes Muster von Spam-Software in MIME-Begrenzung -lang de describe MIME_BOUND_MANY_HEX Bestimmtes Muster von Spam-Software in MIME-Begrenzung -lang de describe TO_MALFORMED Format der Zieladresse inkorrekt -lang de describe MIME_HEADER_CTYPE_ONLY Kopfzeile "Content-Type" ohne MIME-Kopfzeilen gefunden -lang de describe WITH_LC_SMTP Kopfzeilen mit "smtp" in Kleinschreibung -lang de describe SUBJ_BUY Betreff dreht sich ums Kaufen ("buy...") -lang de describe RCVD_AM_PM Gefälschte "Received"-Kopfzeilen (AM/PM Zeitangabe) -lang de describe HEADER_COUNT_CTYPE Kopfzeile "Content-Type" mehrfach vorhanden -lang de describe NO_RDNS_DOTCOM_HELO HELO-Identifikation als großer Provider, aber rDNS-Name inkorrekt -lang de describe FAKE_OUTBLAZE_RCVD "mr.outblaze.com" in "Received"-Kopfzeile ist gefälscht -lang de describe HTML_MESSAGE Nachricht enthält HTML -lang de describe HTML_COMMENT_SHORT HTML-Kommentar ist sehr kurz -lang de describe HTML_COMMENT_SAVED_URL Nachricht ist eine gespeicherte Webseite -lang de describe HTML_EMBEDS HTML-Nachricht mit eingebettetem WWW-Plugin -lang de describe HTML_FONT_SIZE_LARGE HTML-Schriftgröße ist sehr groß -lang de describe HTML_FONT_SIZE_HUGE HTML-Schriftgröße ist riesig -lang de describe HTML_FONT_LOW_CONTRAST HTML-Schriftfarbe ähnlich der Hintergrundfarbe -lang de describe HTML_FONT_FACE_BAD HTML-Schriftart inkorrekt angegeben -lang de describe HTML_FORMACTION_MAILTO HTML-Formular in Nachricht verschickt E-mail -lang de describe HTML_IMAGE_ONLY_04 Außer Bildern nur 0-400 Zeichen Text -lang de describe HTML_IMAGE_ONLY_08 Außer Bildern nur 400-800 Zeichen Text -lang de describe HTML_IMAGE_ONLY_12 Außer Bildern nur 800-1200 Zeichen Text -lang de describe HTML_IMAGE_ONLY_16 Außer Bildern nur 1200-1600 Zeichen Text -lang de describe HTML_IMAGE_ONLY_20 Außer Bildern nur 1600-2000 Zeichen Text -lang de describe HTML_IMAGE_ONLY_24 Außer Bildern nur 2000-2400 Zeichen Text -lang de describe HTML_IMAGE_RATIO_02 Verhältnis Bilderfläche zu Text ist klein -lang de describe HTML_IMAGE_RATIO_04 Verhältnis Bilderfläche zu Text ist klein -lang de describe HTML_IMAGE_RATIO_06 Verhältnis Bilderfläche zu Text ist klein -lang de describe HTML_IMAGE_RATIO_08 Verhältnis Bilderfläche zu Text ist klein -lang de describe HTML_OBFUSCATE_05_10 Nachrichtentext enthält 0-10% wirres HTML -lang de describe HTML_OBFUSCATE_10_20 Nachrichtentext enthält 10-20% wirres HTML -lang de describe HTML_OBFUSCATE_20_30 Nachrichtentext enthält 20-30% wirres HTML -lang de describe HTML_OBFUSCATE_30_40 Nachrichtentext enthält 30-40% wirres HTML -lang de describe HTML_OBFUSCATE_50_60 Nachrichtentext enthält 50-60% wirres HTML -lang de describe HTML_OBFUSCATE_70_80 Nachrichtentext enthält 70-80% wirres HTML -lang de describe HTML_OBFUSCATE_90_100 Nachrichtentext enthält 90-100% wirres HTML -lang de describe HTML_TAG_BALANCE_BODY Anzahl "body"-Tags nicht ausgeglichen -lang de describe HTML_TAG_BALANCE_HEAD Anzahl "head"-Tags nicht ausgeglichen -lang de describe HTML_BADTAG_40_50 Nachricht enthält 40-50% inkorrekte HTML-Syntax -lang de describe HTML_BADTAG_50_60 Nachricht enthält 50-60% inkorrekte HTML-Syntax -lang de describe HTML_BADTAG_60_70 Nachricht enthält 60-70% inkorrekte HTML-Syntax -lang de describe HTML_BADTAG_90_100 Nachricht enthält 90-100% inkorrekte HTML-Syntax -lang de describe HTML_NONELEMENT_30_40 30-40% der HTML-Elemente entsprechen nicht dem Standard -lang de describe HTML_NONELEMENT_40_50 40-50% der HTML-Elemente entsprechen nicht dem Standard -lang de describe HTML_NONELEMENT_60_70 60-70% der HTML-Elemente entsprechen nicht dem Standard -lang de describe HTML_NONELEMENT_80_90 80-90% der HTML-Elemente entsprechen nicht dem Standard -lang de describe HTML_SHORT_CENTER Wenig HTML mit "center"-Element -lang de describe HTML_CHARSET_FARAWAY Fremdsprachlicher Zeichensatz für HTML benutzt -lang de describe HTML_MIME_NO_HTML_TAG Nachricht besteht nur aus HTML, hat aber kein "html"-Element -lang de describe HTML_MISSING_CTYPE HTML-Nachricht ohne passende Kopfzeile "Content-Type" -lang de describe HIDE_WIN_STATUS JavaScript-Anweisungen verstecken Hyperlinks -lang de describe OBFUSCATING_COMMENT HTML-Kommentar versucht Text zu verschleiern -lang de describe JS_FROMCHARCODE Dokument wird aus JavaScript-Programm erzeugt -lang de describe UPPERCASE_50_75 Nachrichtentext besteht zu 50-75% aus Großbuchstaben -lang de describe UPPERCASE_75_100 Nachrichtentext besteht zu 75-100% aus Großbuchstaben -lang de describe INVALID_MSGID "Message-ID"-Zeile ist ungültig gemäß RFC-2822 -lang de describe FORGED_MUA_MOZILLA Gefälschte E-Mail gibt vor vom Mailprogramm Mozilla zu kommen -lang de describe GUARANTEED_100_PERCENT Zu 100% garantiert... -lang de describe DEAR_FRIEND Anonyme Anrede ("dear friend") -lang de describe DEAR_SOMETHING Anonyme Anrede ("dear ...") -lang de describe BILLION_DOLLARS Erwähnt sehr große Geldbeträge -lang de describe EXCUSE_4 Behauptet, man könne sich von der Adressliste entfernen lassen -lang de describe EXCUSE_24 Angeblich haben möchten Sie diese Werbung bekommen -lang de describe EXCUSE_REMOVE Beschreibt, wie Sie diese Nachrichten wieder loswerden -lang de describe STRONG_BUY Erwähnt eine starke Kaufempfehlung (von Aktien?) -lang de describe STOCK_ALERT Bietet eine Benachrichtigung über Aktienwerte an -lang de describe NOT_ADVISOR Dreht sich um einen nicht registrierten Investmentberater -lang de describe PREST_NON_ACCREDITED Kaufen Sie Studienabschlüsse obskurer Universitäten -lang de describe BODY_ENHANCEMENT Informationen zur Penis-/Brustvergrößerung -lang de describe BODY_ENHANCEMENT2 Informationen zur Penis-/Brustvergrößerung -lang de describe IMPOTENCE Beseitigt Impotenz -#lang de describe NA_DOLLARS Handelt von einer Million Dollar aus den US oder Kanada -#lang de describe US_DOLLARS_3 Erwähnt Millonen von Dollar -#lang de describe MILLION_USD Erwähnt Millonen von Dollar -lang de describe URG_BIZ Dringende Geschäfte -lang de describe MONEY_BACK Mit Geld-zurück Garantie -lang de describe FREE_QUOTE_INSTANT Kostenlos ein schnelles Preisangebot, ohne Verpflichtung -lang de describe BAD_CREDIT Erwähnt geplatzte Kredite oder Kreditwürdigkeit -lang de describe REFINANCE_YOUR_HOME Dreht sich um Baufinanzierung -lang de describe REFINANCE_NOW Dreht sich um Baufinanzierung -lang de describe NO_MEDICAL Keine medizinischen Examen nötig -lang de describe DIET_1 Reduzieren Sie Ihr Gewicht -lang de describe FIN_FREE Finanzielle Unabhängigkeit -lang de describe FORWARD_LOOKING Enthält Formulierungen aus Aktienprospekten -lang de describe ONE_TIME Einmaliges Angebot/Gelegenheit -lang de describe JOIN_MILLIONS Machen Sie es Millionen von Amerikanern nach -lang de describe MARKETING_PARTNERS Angeblich haben Sie sich bei einem Partnerunternehmen registriert -lang de describe LOW_PRICE Niedrigste Preise -lang de describe UNCLAIMED_MONEY Geld oder Gewinne ohne Besitzer -lang de describe OBSCURED_EMAIL Eventuell ROT13-kodierte E-mail-Adresse im Text -lang de describe BANG_OPRAH Erwähnt Oprah (Winfrey), mit Ausrufezeichen -lang de describe ACT_NOW_CAPS Reagieren Sie jetzt (in Großbuchstaben) -lang de describe MORE_SEX Werden Sie sexuell aktiver -lang de describe BANG_GUAR Eine Garantie mit Ausrufezeichen -lang de describe FREE_PORN Eventuell Pornowerbung: Kostenlose Pornos -lang de describe CUM_SHOT Eventuell Pornowerbung: "cum shot" -lang de describe LIVE_PORN Eventuell Pornowerbung: Seien Sie live dabei -lang de describe SUBJECT_SEXUAL Betreff weist auf sexuellen Nachrichtentext hin -lang de describe RATWARE_EGROUPS Nachrichtenstruktur weist auf Spam-Software hin (eGroups) -lang de describe RATWARE_OE_MALFORMED Kopfzeilen enthalten gefälschte Hinweise auf Outlook Express -lang de describe RATWARE_MOZ_MALFORMED Kopfzeilen enthalten gefälschte Hinweise auf Mozilla -lang de describe FORGED_MUA_IMS E-Mail täuscht E-Mail-Software Exchange vor -lang de describe FORGED_MUA_OUTLOOK E-Mail täuscht E-Mail-Software Outlook vor -lang de describe FORGED_MUA_OIMO E-Mail täuscht E-Mail-Software Outlook vor -lang de describe FORGED_MUA_EUDORA E-Mail täuscht E-Mail-Software Eudora vor -lang de describe FORGED_MUA_THEBAT_CS E-Mail täuscht E-Mail-Software The Bat! vor -lang de describe FORGED_MUA_THEBAT_BOUN E-Mail täuscht E-Mail-Software The Bat! vor -lang de describe FORGED_OUTLOOK_HTML Outlook verschickt keine reinen HTML-Nachrichten -lang de describe FORGED_IMS_HTML Exchange verschickt keine reinen HTML-Nachrichten -lang de describe FORGED_THEBAT_HTML The Bat! v1 verschickt keine reinen HTML-Nachrichten -lang de describe FORGED_QUALCOMM_TAGS E-Mail-Programm von Qualcomm verwendet diese Art HTML nicht -lang de describe FORGED_IMS_TAGS Exchange verwendet diese Art HTML nicht -lang de describe FORGED_OUTLOOK_TAGS Outlook verwendet diese HTML-Markierung nicht -lang de describe RATWARE_HASH_DASH Enthält Abwehrmaßnahme gegen Anti-Spam-Software ("hashbuster") -lang de describe RATWARE_ZERO_TZ Seltsame Zeitzone (+0000) -lang de describe X_MESSAGE_INFO Kopfzeile "X-Message-Info" -lang de describe RATWARE_RCVD_PF Gefälschte "Received"-Kopfzeile von Postfix -lang de describe RATWARE_RCVD_AT "Received"-Kopfzeile mit @-Zeichen -lang de describe NUMERIC_HTTP_ADDR Benutzt eine einzige Zahl als IP-Adresse in einem Hyperlink -lang de describe HTTP_ESCAPED_HOST Benutzt %-Kodierung innerhalb des Hyperlinks -lang de describe HTTP_EXCESSIVE_ESCAPES Überflüssige %-Kodierung in Webadresse -lang de describe IP_LINK_PLUS IP-Adresse (a.b.c.d) gefolgt von CGI-Programm -lang de describe WEIRD_PORT Ungewöhnliche Portnummer in HTTP-Hyperlink -lang de describe YAHOO_RD_REDIR URL mit Umleitung über Yahoo -lang de describe YAHOO_DRS_REDIR URL mit Umleitung über Yahoo -lang de describe HTTP_77 Enthält URL mit kodiertem Rechnernamen - -# 23_bayes.cf -ifplugin Mail::SpamAssassin::Plugin::Bayes -lang de describe BAYES_00 Spamwahrscheinlichkeit nach Bayes-Test: 0-1% -lang de describe BAYES_05 Spamwahrscheinlichkeit nach Bayes-Test: 1-5% -lang de describe BAYES_20 Spamwahrscheinlichkeit nach Bayes-Test: 5-20% -lang de describe BAYES_40 Spamwahrscheinlichkeit nach Bayes-Test: 20-40% -lang de describe BAYES_50 Spamwahrscheinlichkeit nach Bayes-Test: 40-60% -lang de describe BAYES_60 Spamwahrscheinlichkeit nach Bayes-Test: 60-80% -lang de describe BAYES_80 Spamwahrscheinlichkeit nach Bayes-Test: 80-95% -lang de describe BAYES_95 Spamwahrscheinlichkeit nach Bayes-Test: 95-99% -lang de describe BAYES_99 Spamwahrscheinlichkeit nach Bayes-Test: 99-100% -lang de describe BAYES_999 Spamwahrscheinlichkeit nach Bayes-Test: 99.9-100% -endif -# -lang de describe USER_IN_BLOCKLIST Absenderadresse steht in Ihrer persönlichen schwarzen Liste -lang de describe USER_IN_WELCOMELIST Absenderadresse steht in Ihrer persönlichen weißen Liste -lang de describe USER_IN_DEF_WELCOMELIST Absenderadresse steht in der allgemeinen weißen Liste -lang de describe USER_IN_BLOCKLIST_TO Empfängeradresse steht in Ihrer persönlichen schwarzen Liste -lang de describe USER_IN_WELCOMELIST_TO Empfängeradresse steht in Ihrer persönlichen weißen Liste -lang de describe USER_IN_MORE_SPAM_TO Empfängeradresse soll fast alle (Spam-) Nachrichten erhalten -lang de describe USER_IN_ALL_SPAM_TO Empfängeradresse soll alle (Spam-) Nachrichten erhalten - -ifplugin Mail::SpamAssassin::Plugin::SPF -lang de describe SPF_PASS SPF: Senderechner entspricht SPF-Datensatz -lang de describe SPF_FAIL SPF: Senderechner entspricht nicht SPF-Datensatz (fail) -lang de describe SPF_SOFTFAIL Senderechner entspricht nicht SPF-Datensatz (softfail) -lang de describe SPF_HELO_PASS SPF: HELO-Name entspricht dem SPF-Datensatz -lang de describe SPF_HELO_FAIL HELO-Name entspricht nicht SPF-Datensatz (fail) -lang de describe SPF_HELO_SOFTFAIL HELO-Name entspricht nicht SPF-Datensatz (softfail) -endif - -ifplugin Mail::SpamAssassin::Plugin::URIDNSBL -lang de describe URIBL_SBL Enthält URL in SBL-Liste (https://www.spamhaus.org/sbl/) -#lang de describe URIBL_SC_SURBL Enthält URL in SC-Liste (www.surbl.org) - removed bug 7279 -lang de describe URIBL_WS_SURBL Enthält URL in WS-Liste (www.surbl.org) -lang de describe URIBL_PH_SURBL Enthält URL in PH-Liste (www.surbl.org) -#lang de describe URIBL_OB_SURBL Enthält URL in OB-Liste (www.surbl.org) - REMOVED BUG 6853 -#lang de describe URIBL_AB_SURBL Enthält URL in AB-Liste (www.surbl.org) - removed bug 7279 -lang de describe URIBL_ABUSE_SURBL Enthält URL in ABUSE-Liste (www.surbl.org) - changed from JP to ABUSE bug 7279 -endif - -ifplugin Mail::SpamAssassin::Plugin::AWL -lang de describe AWL Absenderadresse in der automatischen weißen Liste -endif - -ifplugin Mail::SpamAssassin::Plugin::AntiVirus -lang de describe MIME_SUSPECT_NAME MIME-Dateiname entspricht nicht dem MIME-Typ -endif - -ifplugin Mail::SpamAssassin::Plugin::DCC -lang de describe DCC_CHECK Als Massen-E-Mail erkannt von DCC (dcc-servers.net) -endif - -ifplugin Mail::SpamAssassin::Plugin::Pyzor -lang de describe PYZOR_CHECK Gelistet im Pyzor-System (https://pyzor.readthedocs.io/en/latest/) -endif - -ifplugin Mail::SpamAssassin::Plugin::TextCat -lang de describe BODY_8BITS Nachrichtentext enthält Folge von 8 oder mehr 8-Bit-Zeichen -lang de describe UNWANTED_LANGUAGE_BODY Nachrichtentext in unerwünschter Sprache -endif - -ifplugin Mail::SpamAssassin::Plugin::AccessDB -lang de describe ACCESSDB Nachricht wäre von access.db erkannt worden -endif - -lang de describe NORMAL_HTTP_TO_IP Benutzt eine IP-Adresse (a.b.c.d) in einem Hyperlink - diff --git a/resources/spamassassin/30_text_fr.cf b/resources/spamassassin/30_text_fr.cf deleted file mode 100644 index 3e7c70b5..00000000 --- a/resources/spamassassin/30_text_fr.cf +++ /dev/null @@ -1,283 +0,0 @@ -# SpamAssassin translations: Française -# -# Written by Michel Bouissou <michel@bouissou.net> for SpamAssassin 2.60 -# Latest revision: 2003/11/14 -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# ...................................................................... -lang fr clear-report-template -lang fr report ------------------ Début de Rapport SpamAssassin --------------------- -lang fr report Ce message est probablement du SPAM (message non sollicité envoyé en -lang fr report masse, publicité, escroquerie...). -lang fr report -lang fr report Cette notice a été ajoutée par le système d'analyse "SpamAssassin" sur -lang fr report votre serveur de courrier "_HOSTNAME_", pour vous -lang fr report aider à identifier ce type de messages. -lang fr report -lang fr report Le système SpamAssassin ajoute un en-tête "X-Spam-Flag: YES" aux -lang fr report messages qu'il considère comme étant probablement du Spam. -lang fr report Vous pouvez si vous le souhaitez utiliser cette caractéristique -lang fr report pour régler un filtre dans votre logiciel de lecture de courrier, -lang fr report afin de détruire ou de classer à part ce type de message. -lang fr report -lang fr report Si ce robot a classifié incorrectement un message qui vous était -lang fr report destiné, ou pour toute question, veuillez contacter l'administrateur -lang fr report du système par e-mail à _CONTACTADDRESS_ . -lang fr report -lang fr report Voir https://spamassassin.apache.org/tag/ pour plus de détails (en anglais). -lang fr report -lang fr report Détails de l'analyse du message: (_SCORE_ points, _REQD_ requis) -lang fr report _SUMMARY_ -lang fr report -------------------- Fin de Rapport SpamAssassin --------------------- - -# ...................................................................... -# Vous devriez changer "report_contact" dans le fichier 10_misc.cf. -# _CONTACTADDRESS_ est remplacée par ce texte. -# ...................................................................... - -# ...................................................................... -lang fr clear-unsafe-report-template -lang fr unsafe-report Le message original n'étant pas au format text brut, il est peut-être -lang fr unsafe-report dangereux de l'ouvrir avec votre logiciel e-mail ; en particulier il -lang fr unsafe-report pourrait contenir un virus, ou confirmer à l'expéditeur que votre -lang fr unsafe-report adresse e-mail est active, et peut recevoir du spam. Si vous voulez -lang fr unsafe-report lire ce message, et n'êtes pas certain de la sécurité de votre logiciel -lang fr unsafe-report e-mail, il est plus prudent d'enregistrer ce message sur votre disque -lang fr unsafe-report dur, et de l'afficher ensuite avec un éditeur de texte. -# ...................................................................... - -############# -# 23_bayes.cf -ifplugin Mail::SpamAssassin::Plugin::Bayes -lang fr describe BAYES_00 L'algorithme Bayésien a évalué la probabilité de spam entre 0 et 1% -lang fr describe BAYES_05 L'algorithme Bayésien a évalué la probabilité de spam entre 1 et 5% -lang fr describe BAYES_20 L'algorithme Bayésien a évalué la probabilité de spam entre 5 et 20% -lang fr describe BAYES_40 L'algorithme Bayésien a évalué la probabilité de spam entre 20 et 40% -lang fr describe BAYES_50 L'algorithme Bayésien a évalué la probabilité de spam entre 40 et 60% -lang fr describe BAYES_60 L'algorithme Bayésien a évalué la probabilité de spam entre 60 et 80% -lang fr describe BAYES_80 L'algorithme Bayésien a évalué la probabilité de spam entre 80 et 95% -lang fr describe BAYES_95 L'algorithme Bayésien a évalué la probabilité de spam entre 95 et 99% -lang fr describe BAYES_99 L'algorithme Bayésien a évalué la probabilité de spam entre 99 et 100% -lang fr describe BAYES_999 L'algorithme Bayésien a évalué la probabilité de spam entre 99.9 et 100% -endif - -lang fr describe ACT_NOW_CAPS Demande d'agir immédiatement (en majuscules) -lang fr describe BAD_CREDIT Contient "Eliminate Bad Credit" -lang fr describe BANG_GUAR Quelque chose est "garanti" de manière emphatique -lang fr describe BANG_OPRAH Parle d'Oprah avec point d'exclamation ! -lang fr describe BILLION_DOLLARS Evoque des millions ou milliards de dollars -lang fr describe BLANK_LINES_80_90 Le corps du message a 80 à 90% de lignes vides -lang fr describe CHARSET_FARAWAY Message utilisant un jeu de caractères exotique -lang fr describe CHARSET_FARAWAY_HEADER En-tête utilisant un jeu de caractères exotique -lang fr describe CONFIRMED_FORGED Les en-têtes "Received:" ont été falsifiés -lang fr describe CUM_SHOT Pornographie probable, "gros plans d'éjaculations" -lang fr describe DATE_IN_PAST_03_06 Date: est 3 à 6 heures avant la date de l'en-tête Received: -lang fr describe DATE_IN_PAST_06_12 Date: est 6 à 12 heures avant la date de l'en-tête Received: -lang fr describe DATE_IN_PAST_12_24 Date: est 12 à 24 heures avant la date de l'en-tête Received: -lang fr describe DATE_IN_PAST_24_48 Date: est 24 à 48 heures avant la date de l'en-tête Received: -lang fr describe DATE_IN_PAST_96_XX Date: est plus de 96 heures avant la date de l'en-tête Received: -lang fr describe DATE_IN_FUTURE_03_06 Date: est 3 à 6 heures après la date de l'en-tête Received: -lang fr describe DATE_IN_FUTURE_06_12 Date: est 6 à 12 heures après la date de l'en-tête Received: -lang fr describe DATE_IN_FUTURE_12_24 Date: est 12 à 24 heures après la date de l'en-tête Received: -lang fr describe DATE_IN_FUTURE_24_48 Date: est 24 à 48 heures après la date de l'en-tête Received: -lang fr describe DATE_IN_FUTURE_48_96 Date: est 48 à 96 heures après la date de l'en-tête Received: -lang fr describe DATE_IN_FUTURE_96_XX Date: est plus de 96 heures après la date de l'en-tête Received: -lang fr describe MISSING_DATE En-tête "Date:" absent -lang fr describe DATE_SPAMWARE_Y2K L'en-tête date utilise un format Y2K inhabituel -lang fr describe DEAR_FRIEND Contient la formule "Dear friend" -lang fr describe DEAR_SOMETHING Le message contient "Dear... (quelqu'un)" -lang fr describe DIET_1 Spam proposant une perte de poids -lang fr describe EMAIL_ROT13 Corps contient une adresse mail encodée en ROT13 -lang fr describe EXCUSE_REMOVE Explique comment être retiré des listes de mailing (soi-disant...) -lang fr describe EXCUSE_4 Prétend que vous pouvez vous faire supprimer de leur liste -lang fr describe EXCUSE_24 Prétend que vous avez demandé à recevoir cette publicité -lang fr describe FIN_FREE Parle de "liberté financière" (Financial Freedom) -lang fr describe FORGED_HOTMAIL_RCVD2 From hotmail.com, mais sans "Received:" -lang fr describe FORGED_IMS_HTML IMS n'envoie pas de messages en HTML seul -lang fr describe FORGED_IMS_TAGS IMS n'envoie pas de HTML dans ce format -lang fr describe FORGED_MUA_EUDORA Message falsifié prétendant provenir du logiciel Eudora -lang fr describe FORGED_MUA_IMS Message falsifié prétendant provenir du logiciel IMS -lang fr describe FORGED_MUA_MOZILLA Message falsifié prétendant provenir du logiciel Mozilla -lang fr describe FORGED_MUA_OIMO Message falsifié prétendant provenir du logiciel MS Outlook IMO -lang fr describe FORGED_MUA_OUTLOOK Message falsifié prétendant provenir du logiciel MS Outlook -lang fr describe FORGED_MUA_THEBAT_BOUN Mail prétendant provenir de The Bat! (boundary) -lang fr describe FORGED_MUA_THEBAT_CS Mail pretendant provenir de The Bat! (charset) -lang fr describe FORGED_OUTLOOK_HTML Outlook n'envoie pas de messages en HTML seul -lang fr describe FORGED_OUTLOOK_TAGS Outlook n'envoie pas de HTML sous ce format -lang fr describe FORGED_QUALCOMM_TAGS QUALCOMM mailers n'envoient pas de HTML sous ce format -lang fr describe FORGED_TELESP_RCVD Contient un nom de machine falsifié chez un F.A.I. brésilien -lang fr describe FORGED_THEBAT_HTML The Bat! n'envoie pas de messages en HTML seul -lang fr describe FORGED_YAHOO_RCVD Contient un en-tête falsifié Received: yahoo.com -lang fr describe FORWARD_LOOKING Contient un "Stock Disclaimer Statement" (bourse) -lang fr describe FREE_PORN Pornographie probable "Free porn" -lang fr describe FREE_QUOTE_INSTANT Contient formule type "Free express" ou "no obligation" -lang fr describe FROM_ILLEGAL_CHARS From: contient trop de caractères bruts invalides -lang fr describe FROM_NO_USER L'en-tête From: n'a pas de nom d'utilisateur avant le signe @ -lang fr describe FROM_OFFERS L'adresse d'expéditeur est "at something-offers" -lang fr describe FROM_STARTS_WITH_NUMS L'en-tête From: commence par des chiffres -lang fr describe GAPPY_SUBJECT L'en-tête Subject: contient du "t e x t e e s p a c é" -lang fr describe GTUBE Test générique de courrier non sollicté en masse -lang fr describe GUARANTEED_100_PERCENT Contient "One hundred percent guaranteed" (100% garanti) -lang fr describe HEAD_ILLEGAL_CHARS En-tête contient trop de caractères bruts invalides -lang fr describe HEADER_COUNT_CTYPE Plusieurs en-têtes Content-Type -lang fr describe HIDE_WIN_STATUS Javascript destiné à camoufler une URL dans le navigateur -lang fr describe HTML_CHARSET_FARAWAY Jeu de caractères exotique utilisé pour le HTML -lang fr describe HTML_COMMENT_SAVED_URL Le message HTML est une page web sauvegardée -lang fr describe HTML_EMBEDS HTML: Inclusion d'objets -lang fr describe HTML_FONT_FACE_BAD Le nom de la police HTML n'est pas un mot -lang fr describe HTML_FONT_LOW_CONTRAST Police HTML de la même couleur que le fond -lang fr describe HTML_FORMACTION_MAILTO HTML inclut un formulaire d'envoi de mail -lang fr describe HTML_IMAGE_ONLY_04 HTML contient images avec 200 à 400 octets de texte -lang fr describe HTML_IMAGE_ONLY_08 HTML contient images avec 600 à 800 octets de texte -lang fr describe HTML_IMAGE_ONLY_12 HTML contient images avec 1000 à 1200 octets de texte -lang fr describe HTML_IMAGE_RATIO_02 HTML Faible ratio de texte par rapport aux images -lang fr describe HTML_IMAGE_RATIO_04 HTML Faible ratio de texte par rapport aux images -lang fr describe HTML_IMAGE_RATIO_06 HTML Faible ratio de texte par rapport aux images -lang fr describe HTML_IMAGE_RATIO_08 HTML Faible ratio de texte par rapport aux images -lang fr describe HTML_MESSAGE HTML inclus dans le message -lang fr describe HTML_MIME_NO_HTML_TAG Message en HTML seul, mais sans tags HTML -lang fr describe HTML_TAG_BALANCE_BODY Le tag de fermeture de "body" HTML est manquant -lang fr describe HTML_TAG_BALANCE_HEAD Le tag de fermeture de "head" HTML est manquant -lang fr describe HTTP_ESCAPED_HOST URI: Contient des %-escapes dans le nom de machine -lang fr describe HTTP_EXCESSIVE_ESCAPES URI: Contient des %-escapes nombreux et superflus -lang fr describe IMPOTENCE Prétend permettre de combattre l'impuissance -lang fr describe MORE_SEX Parle d'augmenter le désir sexuel -lang fr describe INVALID_DATE L'en-tête Date: est incorrect (il contient AM/PM) -lang fr describe INVALID_DATE_TZ_ABSURD L'en-tête Date: est incorrect (la zone de temps n'existe pas) -lang fr describe INVALID_MSGID Le Message-ID est invalide, selon la RFC-2822 -lang fr describe IP_LINK_PLUS Adresse IP en décimal suivie d'un CGI -lang fr describe JAPANESE_UCE_SUBJECT Sujet contient une marque japonaise de spam -lang fr describe JOIN_MILLIONS Contient "Join Millions of Americans" -lang fr describe KOREAN_UCE_SUBJECT Le sujet contient des caractères coréens -lang fr describe LIVE_PORN Pornographie probable: porno en direct-live -lang fr describe SUBJECT_DIET Le sujet parle de perte de poids -lang fr describe LOW_PRICE Contient "Lowest Price" (le prix le plus bas) -lang fr describe MARKETING_PARTNERS Prétend que vous vous êtes enregistré auprès d'un "partenaire" quelconque -#lang fr describe MILLION_USD Phrase clé d'escroquerie nigérienne (millions of dollars) -lang fr describe __MIME_BASE64 Inclut un attachement en BASE64 -#lang fr describe MIME_BASE64_BLANKS Ligne blanches surnuméraires dans l'encodage BASE64 -lang fr describe MIME_BASE64_TEXT Texte du message camouflé par encodage en BASE64 -lang fr describe MIME_BOUND_MANY_HEX Motif caractéristique d'outil de spam dans les délimiteurs MIME -lang fr describe MIME_CHARSET_FARAWAY Jeu de caractères MIME exotique -lang fr describe MIME_HEADER_CTYPE_ONLY En-tête "Content-Type" présent sans les en-têtes MIME requis -lang fr describe MIME_HTML_MOSTLY Message multipart principalement en MIME text/html -lang fr describe MIME_HTML_ONLY Le message possède uniquement des parties MIME text/html -lang fr describe MIME_HTML_ONLY_MULTI Message multipart uniquement en MIME text/html -lang fr describe __MIME_QP Contient en attachement en quoted-printable -lang fr describe MIME_QP_LONG_LINE Ligne quoted-printable de plus de 76 caractères -lang fr describe MISSING_HEADERS Le message ne comporte pas l'en-tête To: -lang fr describe MISSING_MIMEOLE Possède un en-tête X-MSMail-Priority, mais pas de X-MimeOLE -lang fr describe MONEY_BACK Vous garantit un "remboursement si insatisfait" (en anglais) -lang fr describe MSGID_FROM_MTA_HEADER Message-ID ajouté par un relais -lang fr describe MSGID_OUTLOOK_INVALID Message-ID falsifié (fortmat Outlook Express) -lang fr describe MULTI_FORGED les en-têtes "Received" montrent de nombreuses falsifications -#lang fr describe NA_DOLLARS Parle d'un million de dollars "nord-américains" -lang fr describe NONEXISTENT_CHARSET Message rédigé dans un jeu de caractères inexistant -lang fr describe NOT_ADVISOR Contient "Not registered investment advisor" -lang fr describe NO_DNS_FOR_FROM Adresse From: inconnue en DNS (pas d'enregistrement MX) -lang fr describe NO_MEDICAL Contient "No Medical Exams" (sans examen médical) -lang fr describe NO_RDNS_DOTCOM_HELO HELO de F.A.I. important, mais pas de rDNS -lang fr describe NUMERIC_HTTP_ADDR Utilise une adresse IP, sans points, dans une URL -lang fr describe OBFUSCATING_COMMENT Commentaires HTML inutiles destinés à camoufler le texte -lang fr describe OBSCURED_EMAIL Le message semble contenir une adresse mail camouflée par rot13 -lang fr describe ONLINE_PHARMACY Produits pharmaceutiques en ligne -lang fr describe BODY_ENHANCEMENT Arnaque prétendant augmenter la taile de votre pénis -lang fr describe BODY_ENHANCEMENT2 Arnaque prétendant augmenter la taile de votre pénis -lang fr describe PLING_QUERY Le sujet a un point d'interrogation ET un point d'exclamation -lang fr describe PREST_NON_ACCREDITED Fait référence a une "prestigieuse université" non reconnue -lang fr describe RATWARE_EGROUPS Trace de logiciel de mailing en masse (eGroups) dans les en-têtes -lang fr describe RATWARE_HASH_DASH Contient un "hashbuster" au format Send-Safe -lang fr describe RATWARE_OE_MALFORMED En-tête X-Mailer indique No de version Outlook Express malformé -lang fr describe RCVD_AM_PM En-tête Received: falsifié (AM/PM) -lang fr describe RCVD_FAKE_HELO_DOTCOM En-tête Received contient nom d'hôte falsifié dans le HELO -lang fr describe RCVD_IN_BL_SPAMCOP_NET Relais listé dans http://spamcop.net/bl.shtml -lang fr describe RCVD_IN_SORBS_DUL Envoyé directement depuis une adresse IP dynamique -lang fr describe RCVD_IN_MAPS_DUL Relais listé dans DUL, http://www.mail-abuse.org/dul/ -lang fr describe RCVD_IN_MAPS_NML Relais listé dans NML, http://www.mail-abuse.org/nml/ -lang fr describe RCVD_IN_MAPS_RBL Relais listé dans RBL, http://www.mail-abuse.org/rbl/ -lang fr describe RCVD_IN_MAPS_RSS Relais listé dans RSS, http://www.mail-abuse.org/rss/ -lang fr describe RCVD_IN_SBL Relais listé dans https://www.spamhaus.org/sbl/ -lang fr describe RCVD_IN_SORBS_BLOCK SORBS: Relais refusant d'être testé par SORBS -lang fr describe RCVD_IN_SORBS_HTTP SORBS: Envoyé par un proxy HTTP ouvert -lang fr describe RCVD_IN_SORBS_MISC SORBS: Envoyé par un proxy ouvert -lang fr describe RCVD_IN_SORBS_SMTP SORBS: Envoyé par un relais SMTP ouvert -lang fr describe RCVD_IN_SORBS_SOCKS SORBS: Envoyé par un proxy SOCKS ouvert -lang fr describe RCVD_IN_SORBS_WEB SORBS: Envoyé depuis un serveur web vulnérable -lang fr describe RCVD_IN_SORBS_ZOMBIE SORBS: Envoyé depuis un réseau IP piraté -lang fr describe REFINANCE_NOW Offre de refinancement immobilier -lang fr describe REFINANCE_YOUR_HOME Offre de refinancement immobilier -lang fr describe SORTED_RECIPS La liste des destinataires est triée par ordre alphabétique -lang fr describe STOCK_ALERT Contient la formule "stock alert" -lang fr describe STRONG_BUY Contient la formule "strong buy" -lang fr describe SUBJ_ALL_CAPS Le sujet est en majuscules -lang fr describe SUBJ_AS_SEEN Le sujet contient "As Seen" (généralement "vu à la télé"...) -lang fr describe SUBJ_BUY Le sujet commence par "Buy, Buying" (achetez, achat) -lang fr describe SUBJ_DOLLARS Le sujet commence par une somme en dollars -lang fr describe SUBJ_ILLEGAL_CHARS Subject: contient trop de caractères bruts invalides -#lang fr describe SUBJ_YOUR_DEBT Le sujet contient "Your Bills" (vos factures) ou similaire -lang fr describe SUBJ_YOUR_FAMILY Le sujet contient "Your Family" (votre famille) -lang fr describe SUSPICIOUS_RECIPS L'en-tête To: contient plus de dix fois le même nom de domaine -lang fr describe TO_MALFORMED L'en-tête To: contient une adresse mal formée -lang fr describe TRACKER_ID Contient un numéro permettant de vous identifier -lang fr describe UNCLAIMED_MONEY Argent non réclamé: Chacun sait que c'est courant ;-) -lang fr describe UPPERCASE_50_75 Message composé de 50 à 75% de majuscules -lang fr describe UPPERCASE_75_100 Message composé de 75 à 100% de majuscules -lang fr describe URG_BIZ Contient la formule "urgent business" -lang fr describe USER_IN_ALL_SPAM_TO Destinataire sur la liste "all_spam_to" (config SA locale) -lang fr describe USER_IN_BLOCKLIST Expéditeur sur la liste noire (config SA locale) -lang fr describe USER_IN_BLOCKLIST_TO Destinataire sur la liste "blocklist_to" (config SA locale) -lang fr describe USER_IN_DEF_WELCOMELIST Expéditeur dans la liste OK par défaut de SpamAssassin -lang fr describe USER_IN_MORE_SPAM_TO Destinataire sur la liste "more_spam_to" (config SA locale) -lang fr describe USER_IN_WELCOMELIST Expéditeur sur la liste blanche (OK) (config SA locale) -lang fr describe USER_IN_WELCOMELIST_TO Destinataire sur la liste blanche (config SA) -#lang fr describe US_DOLLARS_3 Escroq. nigérienne, version modifiée, phrase clé ($NN,NNN,NNN.NN) -lang fr describe DRUG_ED_ONLINE Vente de Viagra par correspondance -lang fr describe WEIRD_PORT Lien HTTP vers un numéro de port non standard -lang fr describe WEIRD_QUOTING Utilisation étrange de symboles de citations -lang fr describe WITH_LC_SMTP Une ligne Received: contient un signe de spam ("smtp" en minuscules) - -ifplugin Mail::SpamAssassin::Plugin::AntiVirus -lang fr describe MIME_SUSPECT_NAME Le nom du fichier joint MIME semble suspect (virus ?) -endif - -ifplugin Mail::SpamAssassin::Plugin::DCC -lang fr describe DCC_CHECK Message listé par DCC: http://www.www.dcc-servers.net/dcc/ -endif - -ifplugin Mail::SpamAssassin::Plugin::Pyzor -lang fr describe PYZOR_CHECK Message listé par Pyzor, voir https://pyzor.readthedocs.io/en/latest/ -endif - -ifplugin Mail::SpamAssassin::Plugin::TextCat -lang fr describe BODY_8BITS Contient plusieurs caractères 8-bits consécutifs -lang fr describe UNWANTED_LANGUAGE_BODY Message dans une langue non désirée (config locale) -endif - -ifplugin Mail::SpamAssassin::Plugin::AccessDB -lang fr describe ACCESSDB Ce message aurait été bloqué par accessdb -endif - -lang fr describe NORMAL_HTTP_TO_IP URI: Contient une adresse IP en notation décimale - diff --git a/resources/spamassassin/30_text_it.cf b/resources/spamassassin/30_text_it.cf deleted file mode 100644 index 8d03e000..00000000 --- a/resources/spamassassin/30_text_it.cf +++ /dev/null @@ -1,35 +0,0 @@ -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# character set used in the following texts -#lang it report_charset iso-8859-1 - -# ........................................................................ -#lang it clear_unsafe_report_template -#lang it unsafe_report Attenzione: il messaggio originale non testo puro, e potrebbe essere -#lang it unsafe_report pericoloso da aprire con alcuni programmi di posta. Ad esempio, potrebbe -#lang it unsafe_report contenere un virus, o confermare ad un mittente di spam che il messaggio -#lang it unsafe_report stato letto. Un modo sicuro per visualizzarne il testo (ma non le -#lang it unsafe_report immagini o gli allegati) salvarlo in un file e aprirlo con un editor. -# ........................................................................ diff --git a/resources/spamassassin/30_text_nl.cf b/resources/spamassassin/30_text_nl.cf deleted file mode 100644 index f626026b..00000000 --- a/resources/spamassassin/30_text_nl.cf +++ /dev/null @@ -1,275 +0,0 @@ -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# contributed by Jesse Houwing, bug 3197 -# -# .............................................................................. -lang nl report Spam detectie software op het systeem "_HOSTNAME_", heeft dit bericht -lang nl report als mogelijke spam aangemerkt. Het originele bericht is bijgevoegd als -lang nl report bijlage bij dit bericht zodat u het kunt bekijken (als het geen spam is) -lang nl report of soortgelijke toekomstige berichten blokkeren. Zie _CONTACTADDRESS_ -lang nl report voor meer details -lang nl report -lang nl report Gedeelte van de inhoud: _PREVIEW_ -lang nl report -lang nl report Analyse details: (_SCORE_ punten, _REQD_ vereist) -lang nl report -lang nl report " pnt regel naam omschrijving" -lang nl report ---- ---------------------- ------------------------------------------------- -lang nl report _SUMMARY_ -# .............................................................................. - -# ........................................................................ -lang nl unsafe_report Het originele bericht bestond niet geheel uit tekst en is mogelijk -lang nl unsafe_report onveilig om te openen im sommige emailprogramma's. Het bericht bevat -lang nl unsafe_report mogelijk een virus of code om te verifieren dat uw adres spam -lang nl unsafe_report berichten kan ontvangen. Het is veiliger om het bericht op te slaan -lang nl unsafe_report en het te bekijken in een tekstbewerkingsprogramma. -# ........................................................................ - -lang nl describe GTUBE Standaard test voor ongewenste bulk mail -lang nl describe TRACKER_ID Maakt gebruik van een nummer om het bericht te kunnen volgen -lang nl describe WEIRD_QUOTING Vreemde herhaalde dubbel aanhalingsteken -lang nl describe __MIME_BASE64 Bevat een base64 bijlage -lang nl describe __MIME_QP Bevat een quoted-printable bijlage -#lang nl describe MIME_BASE64_BLANKS Extra witregels in base64 codering -lang nl describe MIME_BASE64_TEXT Bericht verborgen door middel van base64 codering -lang nl describe MIME_HTML_MOSTLY Multipart bericht bestaat voornamelijk uit text/html MIME -lang nl describe MIME_HTML_ONLY Bericht bestaat enkel uit text/html MIME delen -lang nl describe MIME_HTML_ONLY_MULTI Bericht heeft enkel text/html MIME delen -lang nl describe MIME_QP_LONG_LINE Quoted-printable regel langer dan 76 karakters -lang nl describe MIME_CHARSET_FARAWAY MIME karakterset wijst op vreemde taal -lang nl describe MPART_ALT_DIFF HTML en tekst delen zijn verschillend -lang nl describe CHARSET_FARAWAY Karakterset wijst op vreemde taal -lang nl describe EMAIL_ROT13 Body bevat een ROT13-versleuteld emailadres -lang nl describe BLANK_LINES_80_90 Bericht bestaat voor 80-90% uit witregels -lang nl describe __RCVD_IN_SORBS SORBS: verzender is gevonden in SORBS -lang nl describe RCVD_IN_SORBS_HTTP SORBS: verzender is een open HTTP proxy server -lang nl describe RCVD_IN_SORBS_MISC SORBS: verzender is een open proxy server -lang nl describe RCVD_IN_SORBS_SMTP SORBS: verzender is een open SMTP relay -lang nl describe RCVD_IN_SORBS_SOCKS SORBS: verzender is een open SOCKS proxy server -lang nl describe RCVD_IN_SORBS_WEB SORBS: verzender is een misbruikbare web server -lang nl describe RCVD_IN_SORBS_BLOCK SORBS: verzender weigert getest te worden -lang nl describe RCVD_IN_SORBS_ZOMBIE SORBS: verzender is een gekaapt netwerk -lang nl describe RCVD_IN_SORBS_DUL SORBS: bericht is direct verstuurd vanaf een dynamisch IP adres -lang nl describe RCVD_IN_SBL Ontvangen via een relay die gevonden is in Spamhaus SBL -lang nl describe RCVD_IN_XBL Ontvangen via een relay die gevonden is in Spamhaus XBL -lang nl describe RCVD_IN_BL_SPAMCOP_NET Ontvangen via een relay die gevonden is in bl.spamcop.net -lang nl describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.org/rbl/ -lang nl describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.org/dul/ -lang nl describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.org/rss/ -lang nl describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.org/nml/ -lang nl describe FROM_STARTS_WITH_NUMS Van: begint met nummers -lang nl describe FROM_OFFERS Van: adres is van "at iets-aangeboden" -lang nl describe FROM_NO_USER Van: heeft geen lokaal deel voor het @-tje -lang nl describe PLING_QUERY Onderwerp heeft een uitroepteken en een vraagteken -lang nl describe SUBJ_ALL_CAPS Onderwerp bevat alleen hoofdletters -lang nl describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant) -lang nl describe MSGID_OUTLOOK_INVALID Message-Id is nep (in Outlook Express formaat) -lang nl describe MSGID_RANDY Message-Id bevat een patroon dat wordt gebruikt in SPAM -lang nl describe MSGID_FROM_MTA_HEADER Message-Id was door een relay toegevoegd -lang nl describe DATE_SPAMWARE_Y2K Datum heeft een vreemde Y2K opmaak -lang nl describe INVALID_DATE Ongeldige Date: header (niet RFC 2822) -lang nl describe INVALID_DATE_TZ_ABSURD Ongeldige Date: header (tijdzone bestaat niet) -lang nl describe DATE_IN_PAST_03_06 Date: is 3 tot 6 uur voor Received: datum -lang nl describe DATE_IN_PAST_06_12 Date: is 6 tot 12 uur voor Received: datum -lang nl describe DATE_IN_PAST_12_24 Date: is 12 tot 24 uur voor Received: datum -lang nl describe DATE_IN_PAST_24_48 Date: is 24 tot 48 uur voor Received: datum -lang nl describe DATE_IN_PAST_96_XX Date: is 96 of meer uur voor Received: datum -lang nl describe DATE_IN_FUTURE_03_06 Date: is 3 tot 6 uur na Received: datum -lang nl describe DATE_IN_FUTURE_06_12 Date: is 6 tot 12 uur na Received: datum -lang nl describe DATE_IN_FUTURE_12_24 Date: is 12 tot 24 uur na Received: datum -lang nl describe DATE_IN_FUTURE_24_48 Date: is 24 tot 48 uur na Received: datum -lang nl describe DATE_IN_FUTURE_48_96 Date: is 48 tot 96 uur na Received: datum -lang nl describe DATE_IN_FUTURE_96_XX Date: is 96 of meer uur na Received: datum -lang nl describe SUBJ_ILLEGAL_CHARS Onderwerp: bevat te veel 'raw' tekens -lang nl describe FROM_ILLEGAL_CHARS Van: bevat te veel 'raw' tekens -lang nl describe HEAD_ILLEGAL_CHARS Header: bevat te veel illegale tekens -lang nl describe JAPANESE_UCE_SUBJECT Onderwerp: bevat een Japanese UCE tag -lang nl describe KOREAN_UCE_SUBJECT Onderwerp: bevat een koreaanse ongewenste email tag -lang nl describe NO_DNS_FOR_FROM Domein in Van heeft geen MX of A DNS record -lang nl describe RCVD_DOUBLE_IP_SPAM Buld email vingerafdruk (dubbel IP) gevonden -lang nl describe RCVD_DOUBLE_IP_LOOSE Received: door en van lijken op IP adressen -lang nl describe FORGED_TELESP_RCVD Bevat een vervalde hostnaam voor een DSL IP in Brazilie -lang nl describe FORGED_HOTMAIL_RCVD2 hotmail.com 'Van' adres, maar geen 'Received:' -lang nl describe FORGED_YAHOO_RCVD 'Van' yahoo.com Komt niet overeen met 'Received' headers -lang nl describe CONFIRMED_FORGED Received headers zijn vervalst -lang nl describe MULTI_FORGED Received headers wijzen op meerdere vervalsingen -lang nl describe NONEXISTENT_CHARSET Karakterset bestaat niet -lang nl describe CHARSET_FARAWAY_HEADER Een buitenlandse taal wordt gebruikt in de headers -lang nl describe MISSING_HEADERS Ontbrekende Aan: header -lang nl describe SUSPICIOUS_RECIPS Vergelijkbare adressen in de ontvangerslijst -lang nl describe SORTED_RECIPS Ontvangerslijst is gesorteerd op alfabet -lang nl describe GAPPY_SUBJECT Onderwerp: bevat G.a.t.e.n.k.a.a.s -lang nl describe MISSING_MIMEOLE Bericht heeft een X-MSMail-Priority, maar geen X-MimeOLE -lang nl describe SUBJ_AS_SEEN Onderwerp bevat "As Seen" -lang nl describe SUBJ_DOLLARS Onderwerp begint met een bedrag in dollars -#lang nl describe SUBJ_YOUR_DEBT Onderwerp bevat "Your Bills" of iets dergelijks -lang nl describe SUBJ_YOUR_FAMILY Onderwerp bevat "Your Family" -lang nl describe RCVD_FAKE_HELO_DOTCOM Received bevat een vervalde HELO hostnaam -lang nl describe MIME_BOUND_DIGITS_15 Spam tool patroon in MIME grens -lang nl describe MIME_BOUND_MANY_HEX Spam tool patroon in MIME grens -lang nl describe TO_MALFORMED Aan: foutief opgesteld adres -lang nl describe MIME_HEADER_CTYPE_ONLY 'Content-Type' gevonden zonder de benodigde MIME headers -lang nl describe WITH_LC_SMTP Received regel bevat een spam merkteken (lowercase smtp) -lang nl describe SUBJ_BUY Onderwerp: begint met 'Buy(ing)' -lang nl describe RCVD_AM_PM Received headers vervalst (AM/PM) -lang nl describe HEADER_COUNT_CTYPE Meerdere Content-Type headers gevonden -lang nl describe NO_RDNS_DOTCOM_HELO Host HELO'd als een grote internet provider ISP, maar heeft geen rDNS -lang nl describe HTML_MESSAGE HTML opgenomen in het bericht -lang nl describe HTML_COMMENT_SAVED_URL HTML bericht is een opgeslagen webpagina -lang nl describe HTML_EMBEDS HTML met plugin -lang nl describe HTML_FONT_LOW_CONTRAST HTML tekstkleur lijkt er op de achtergrondkleur -lang nl describe HTML_FONT_FACE_BAD HTML lettertype naam is geen woord -lang nl describe HTML_FORMACTION_MAILTO HTML bevat een formulier dat email verstuurd -lang nl describe HTML_IMAGE_ONLY_04 HTML: plaatjes met 200-400 bytes aan woorden -lang nl describe HTML_IMAGE_ONLY_08 HTML: plaatjes met 600-800 bytes aan woorden -lang nl describe HTML_IMAGE_ONLY_12 HTML: plaatjes met 1000-1200 bytes aan woorden -lang nl describe HTML_IMAGE_RATIO_02 HTML heeft een lage verhouding tussen tekst en plaatjes -lang nl describe HTML_IMAGE_RATIO_04 HTML heeft een lage verhouding tussen tekst en plaatjes -lang nl describe HTML_IMAGE_RATIO_06 HTML heeft een lage verhouding tussen tekst en plaatjes -lang nl describe HTML_IMAGE_RATIO_08 HTML heeft een lage verhouding tussen tekst en plaatjes -lang nl describe HTML_OBFUSCATE_10_20 Bericht bevat 10% tot 20% HTML verdoezeling -lang nl describe HTML_OBFUSCATE_20_30 Bericht bevat 20% tot 30% HTML verdoezeling -lang nl describe HTML_OBFUSCATE_30_40 Bericht bevat 30% tot 40% HTML verdoezeling -lang nl describe HTML_OBFUSCATE_50_60 Bericht bevat 50% tot 60% HTML verdoezeling -lang nl describe HTML_OBFUSCATE_70_80 Bericht bevat 70% tot 80% HTML verdoezeling -lang nl describe HTML_OBFUSCATE_90_100 Bericht bevat 90% tot 100% HTML verdoezeling -lang nl describe HTML_TAG_BALANCE_BODY HTML bevat ongebalanceerde "body" tags -lang nl describe HTML_TAG_BALANCE_HEAD HTML bevat ongebalanceerde "head" tags -lang nl describe HTML_BADTAG_40_50 HTML bericht bevat 40% tot 50% foute tags -lang nl describe HTML_BADTAG_50_60 HTML bericht bevat 50% tot 60% foute tags -lang nl describe HTML_BADTAG_60_70 HTML bericht bevat 60% tot 70% foute tags -lang nl describe HTML_BADTAG_90_100 HTML bericht bevat 90% tot 100% foute tags -lang nl describe HTML_NONELEMENT_30_40 30% tot 40% van de HTML elementen zijn niet standaard -lang nl describe HTML_NONELEMENT_40_50 40% tot 50% van de HTML elementen zijn niet standaard -lang nl describe HTML_NONELEMENT_60_70 60% tot 70% van de HTML elementen zijn niet standaard -lang nl describe HTML_NONELEMENT_80_90 80% tot 90% van de HTML elementen zijn niet standaard -lang nl describe HTML_CHARSET_FARAWAY Een vreemde taal wordt gebruikt in de karakterset -lang nl describe HTML_MIME_NO_HTML_TAG HTML-only bericht, maar er is geen HTML tag -lang nl describe HIDE_WIN_STATUS Javascript om URLs te verbergen in het bericht -lang nl describe OBFUSCATING_COMMENT HTML commentaar om het bericht te verdoezelen -lang nl describe UPPERCASE_50_75 Bericht tekst bestaat voor 50-75% uit hoofdletters -lang nl describe UPPERCASE_75_100 Bericht tekst bestaat voor 75-100% uit hoofdletters -lang nl describe INVALID_MSGID Message-Id is ongeldig, volgens RFC 2822 -lang nl describe FORGED_MUA_MOZILLA Vervalste mail die afkomstig zou zijn van Mozilla -lang nl describe GUARANTEED_100_PERCENT 100% gegarandeerd -lang nl describe DEAR_FRIEND Beste vriend, klinkt niet erg bekend... -lang nl describe DEAR_SOMETHING Bevat 'Dear (iets)' -lang nl describe BILLION_DOLLARS Spreekt van heeel veel geld -lang nl describe EXCUSE_4 Claimt dat je van de lijst verwijderd kan worden -lang nl describe EXCUSE_24 Claimt dat je om deze advertentie hebt gevraagd -lang nl describe EXCUSE_REMOVE Heeft het over hoe je verwijderd kan worden van de lijst -lang nl describe STRONG_BUY Vertelt je over een goede aankoop -lang nl describe STOCK_ALERT Biedt aan je aandelen in de gaten te houden -lang nl describe NOT_ADVISOR Geen geregistreerde beleggings adviseur -lang nl describe PREST_NON_ACCREDITED 'Prestigieuze "Non-Accredited" Universiteiten' -lang nl describe BODY_ENHANCEMENT Informatie over het vergroten van lichaamsdelen -lang nl describe BODY_ENHANCEMENT2 Informatie over het vergroten van lichaamsdelen -lang nl describe IMPOTENCE Medicijn voor impotentie -#lang nl describe NA_DOLLARS Praat over een miljoen Noord-Amerikaanse dollars -#lang nl describe US_DOLLARS_3 Vermeldt miljoenen $ ($NN,NNN,NNN.NN) -#lang nl describe MILLION_USD Heeft het over miljoenen dollars -lang nl describe MONEY_BACK Niet-goed-geld-terug garantie -lang nl describe FREE_QUOTE_INSTANT Gratis offerte -lang nl describe BAD_CREDIT Los al uw leningen op -lang nl describe REFINANCE_YOUR_HOME Hyphoteek oversluiten -lang nl describe REFINANCE_NOW Hyphoteek oversluiten -lang nl describe NO_MEDICAL Geen medische keuring -lang nl describe FORWARD_LOOKING Aandelen waarschuwing -lang nl describe ONE_TIME Eenmalige afzettingspraktijk -lang nl describe JOIN_MILLIONS Voeg je bij miljoenen Amerikanen -lang nl describe ONLINE_PHARMACY Online apotheek -lang nl describe MARKETING_PARTNERS Zegt dat je je bij een partner bedrijf hebt geregistreerd -lang nl describe LOW_PRICE Laagste prijzen -lang nl describe UNCLAIMED_MONEY Mensen laten het geld rondslingeren -lang nl describe OBSCURED_EMAIL Bevat een rot13ed adres -lang nl describe BANG_OPRAH Iets met Oprah! -lang nl describe ACT_NOW_CAPS Heeft het in hoofdletters over "nu in actie komen" -lang nl describe BANG_GUAR ...gegaranderd! -lang nl describe FREE_PORN Dikke kans op porno - Gratis Porno -lang nl describe CUM_SHOT Dikke kans op porno - Kwakjes -lang nl describe LIVE_PORN Dikke kans op porno - Rechtstreekse Porno uitzending -lang nl describe RATWARE_EGROUPS Bulk email kenmerk (eGroups) gevonden -lang nl describe RATWARE_OE_MALFORMED X-Mailer bevat misvormde Outlook Express versie -lang nl describe FORGED_MUA_IMS Vals mailtje, pretendeert afkomstig te zijn van IMS -lang nl describe FORGED_MUA_OUTLOOK Vals mailtje, pretendeert afkomstig te zijn van MS Outlook -lang nl describe FORGED_MUA_OIMO Vals mailtje, pretendeert afkomstig te zijn van MS Outlook IMO -lang nl describe FORGED_MUA_EUDORA Vals mailtje, pretendeert afkomstig te zijn van Eudora -lang nl describe FORGED_MUA_THEBAT_CS Mailtje dat pretendeert afkomstig te zijn van The Bat! (charset) -lang nl describe FORGED_MUA_THEBAT_BOUN Mailtje dat pretendeert afkomstig te zijn van The Bat! (boundary) -lang nl describe FORGED_OUTLOOK_HTML Outlook kan geen berichten met alleen HTML versturen -lang nl describe FORGED_IMS_HTML IMS kan geen berichten met alleen HTML versturen -lang nl describe FORGED_THEBAT_HTML The Bat! kan geen berichten met alleen HTML versturen -lang nl describe FORGED_QUALCOMM_TAGS QUALCOMM email programma's versturen geen HTML zoals deze -lang nl describe FORGED_IMS_TAGS IMS email programma's versturen geen HTML zoals deze -lang nl describe FORGED_OUTLOOK_TAGS Outlook verstuurt geen HTML zoals deze -lang nl describe RATWARE_HASH_DASH Bevat een hashbuster in Send-Safe opmaak -lang nl describe NUMERIC_HTTP_ADDR Gebruikt een numeriek IP adres in een URL -lang nl describe HTTP_ESCAPED_HOST Gebruikt %-escapes in de hostname van een URL -lang nl describe HTTP_EXCESSIVE_ESCAPES Volkomen overbodige %-escapes in een URL -lang nl describe IP_LINK_PLUS "Dotted-decimal" IP address gevolgd door CGI -lang nl describe WEIRD_PORT Gebruikt een afwijkend poort nummer voor HTTP -lang nl describe YAHOO_RD_REDIR Bevat een Yahoo Redirect URI -lang nl describe YAHOO_DRS_REDIR Bevat een Yahoo Redirect URI - -# 23_bayes.cf -ifplugin Mail::SpamAssassin::Plugin::Bayes -lang nl describe BAYES_00 Bayesiaanse kans op spam is 0 tot 1% -lang nl describe BAYES_05 Bayesiaanse kans op spam is 1 tot 5% -lang nl describe BAYES_20 Bayesiaanse kans op spam is 5 tot 20% -lang nl describe BAYES_40 Bayesiaanse kans op spam is 20 tot 40% -lang nl describe BAYES_50 Bayesiaanse kans op spam is 40 tot 60% -lang nl describe BAYES_60 Bayesiaanse kans op spam is 60 tot 80% -lang nl describe BAYES_80 Bayesiaanse kans op spam is 80 tot 95% -lang nl describe BAYES_95 Bayesiaanse kans op spam is 95 tot 99% -lang nl describe BAYES_99 Bayesiaanse kans op spam is 99 tot 100% -lang nl describe BAYES_999 Bayesiaanse kans op spam is 99.9 tot 100% -endif -# -lang nl describe DRUG_DOSAGE Heeft het over een prijs per dosis - -ifplugin Mail::SpamAssassin::Plugin::AntiVirus -lang nl describe MIME_SUSPECT_NAME MIME bestandsnaam komt niet overeen met inhoud -endif - -ifplugin Mail::SpamAssassin::Plugin::DCC -lang nl describe DCC_CHECK Gevonden in DCC (https://www.dcc-servers.net/dcc/) -endif - -ifplugin Mail::SpamAssassin::Plugin::Pyzor -lang nl describe PYZOR_CHECK Gevonden in Pyzor (https://pyzor.readthedocs.io/en/latest/) -endif - -ifplugin Mail::SpamAssassin::Plugin::TextCat -lang nl describe BODY_8BITS Bericht bevat 8 aaneengesloten 8-bit karakters -lang nl describe UNWANTED_LANGUAGE_BODY Bericht is opgesteld in een ongewenste taal -endif - -ifplugin Mail::SpamAssassin::Plugin::AccessDB -lang nl describe ACCESSDB Bericht zou gevangen zijn door accessdb -endif - -lang nl describe NORMAL_HTTP_TO_IP Gebruikt een "dotted-decimal" IP adres in een URL - diff --git a/resources/spamassassin/30_text_pl.cf b/resources/spamassassin/30_text_pl.cf deleted file mode 100644 index 7bbd4bd9..00000000 --- a/resources/spamassassin/30_text_pl.cf +++ /dev/null @@ -1,267 +0,0 @@ -# SpamAssassin translations: Polish -# Charset: ISO-8859-2 -# -# Polish translation based on work started by <radek at alter dot pl> -# rewrite for version 2.60: Jerzy Szczud³owski <jerzy at jedwab dot net dot pl > -# (v0.2) -# -# Proszê nie modyfikowaæ tego pliku, gdy¿ wszelkie zmiany zostan± nadpisane -# podczas nastêpnego uaktualnienia. Zamiast tego, proszê u¿ywaæ -# @@LOCAL_RULES_DIR@@/local.cf. Szczegó³y w 'perldoc Mail::SpamAssassin::Conf' -# -# Ten program jest darmowy; mo¿na go rozprowadzaæ i/lub modyfikowaæ na -# warunkach Licencji Artystycznej lub Powszechnej Licencji Publicznej GNU -# publikowanej przez Free Software Foundation; zarówno w wersji 1 lub, -# którejkolwiek pó¼niejszej. Szczegó³y w pliku "License", znajduj±cym siê w -# g³ównym katalogu ze ¼ród³ami SpamAssassina. -# -# -# U¿ycie: -# - ustaw w /etc/procmailrc (lub lokalnie w ~/.procmailrc) zmienn± LANG=pl_PL -# - w konfiguracji SpamAssassina (globalnie local.cf, lokalnie user_prefs) -# dodaj opcjê: report_charset iso-8859-2 -# -########################################################################### - -############## ........................................................................ -lang pl clear_report_template -lang pl report ----------------- AUTOMATYCZNY raport antySPAMowy ---------------------- -lang pl report Oprogramowanie do wykrywania spamu, dzia³aj±ce na serwerze: -lang pl report *** "_HOSTNAME_" ***, -lang pl report zidentyfikowa³o ten email jako prawdopodobny spam. Oryginalna wiadomo¶æ -lang pl report zosta³a do³±czona do tej, aby mo¿na by³o j± przejrzeæ, zweryfikowaæ lub -lang pl report zablokowaæ na przysz³o¶æ. Je¿eli masz jakie¶ w±tpliwo¶ci, to kieruj je pod -lang pl report adres _CONTACTADDRESS_ -lang pl report -lang pl report Przegl±d zawarto¶ci: _PREVIEW_ -lang pl report -lang pl report Szczegó³y analizy zawarto¶ci: (_HITS_ zaliczonych, _REQD_ wymaganych) -lang pl report -lang pl report "pkt nazwa regu³y krótki opis" -lang pl report ---- ---------------------- ------------------------------------------- -lang pl report _SUMMARY_ -############## ........................................................................ - -########################################################################### -# szablon raportu wiadomo¶ci niebezpieczne-do-wgl±du -# -##################### ...................................................................... -lang pl clear_unsafe_report_template -lang pl unsafe_report Oryginalna wiadomo¶æ nie by³a w ca³o¶ci tekstowa, w zwi±zku z tym otwarcie -lang pl unsafe_report jej za pomoc± niektórych programów pocztowych mo¿e nie byæ ca³kowicie -lang pl unsafe_report bezpieczne; w szczególno¶ci, przesy³ka mo¿e zawieraæ wirusa lub kod -lang pl unsafe_report informuj±cy spamera, ¿e twój adres pocztowy jest prawid³owy i mo¿na na -lang pl unsafe_report niego przysy³aæ wiêcej spamu. Je¿eli chcesz j± przejrzeæ, bezpieczniej -lang pl unsafe_report bêdzie zapisaæ j± najpierw na dysk, a nastêpnie otworzyæ edytorem tekstu. -##################### ...................................................................... - - -# t³umaczenia regu³ - -lang pl describe ACT_NOW_CAPS Tekst 'ACTING NOW' -lang pl describe BAD_CREDIT Likwidacja problemów kredytowych -lang pl describe BANG_GUAR Dobitna gwarancja czego¶ -lang pl describe BANG_OPRAH Tre¶æ: o Oprah z wykrzyknikiem! - -# 23_bayes.cf -ifplugin Mail::SpamAssassin::Plugin::Bayes -lang pl describe BAYES_00 Bayesowskie prawdopodobieñstwo spamu wynosi 0 do 1% -lang pl describe BAYES_05 Bayesowskie prawdopodobieñstwo spamu wynosi 1 do 5% -lang pl describe BAYES_20 Bayesowskie prawdopodobieñstwo spamu wynosi 5 do 20% -lang pl describe BAYES_40 Bayesowskie prawdopodobieñstwo spamu wynosi 20 do 40% -lang pl describe BAYES_50 Bayesowskie prawdopodobieñstwo spamu wynosi 40 do 60% -lang pl describe BAYES_60 Bayesowskie prawdopodobieñstwo spamu wynosi 60 do 80% -lang pl describe BAYES_80 Bayesowskie prawdopodobieñstwo spamu wynosi 80 do 95% -lang pl describe BAYES_95 Bayesowskie prawdopodobieñstwo spamu wynosi 95 do 99% -lang pl describe BAYES_99 Bayesowskie prawdopodobieñstwo spamu wynosi 99 do 100% -lang pl describe BAYES_999 Bayesowskie prawdopodobieñstwo spamu wynosi 99.9 do 100% -endif -# -lang pl describe BILLION_DOLLARS Tre¶æ: o niesamowitej ilo¶ci pieniêdzy -lang pl describe BLANK_LINES_80_90 Tre¶æ zawiera 80-90% pustych linii -lang pl describe CHARSET_FARAWAY_HEADER Obcojêzyczny zestaw znaków w nag³ówkach -lang pl describe CHARSET_FARAWAY List zawiera typ znaków oznaczaj±cy jêzyk obcy -lang pl describe CONFIRMED_FORGED Nag³ówki Received: s± sfa³szowane -lang pl describe CUM_SHOT Prawdopodobnie porno - 'Wytrysk nasienia' -lang pl describe DATE_IN_FUTURE_03_06 Data: jest od 3 do 6 godzin po dacie z Received: -lang pl describe DATE_IN_FUTURE_06_12 Data: jest od 6 do 12 godzin po dacie z Received: -lang pl describe DATE_IN_FUTURE_12_24 Data: jest od 12 do 24 godzin po dacie z Received: -lang pl describe DATE_IN_FUTURE_24_48 Data: jest od 24 do 48 godzin po dacie z Received: -lang pl describe DATE_IN_FUTURE_48_96 Data: jest od 48 do 96 godzin po dacie z Received: -lang pl describe DATE_IN_FUTURE_96_XX Data: jest od 96 lub wiêcej godzin po dacie z Received: -lang pl describe DATE_IN_PAST_03_06 Data: jest od 3 do 6 godzin przed dat± z Received: -lang pl describe DATE_IN_PAST_06_12 Data: jest od 6 do 12 godzin przed dat± z Received: -lang pl describe DATE_IN_PAST_12_24 Data: jest od 12 do 24 godzin przed dat± z Received: -lang pl describe DATE_IN_PAST_24_48 Data: jest od 24 do 48 godzin przed dat± z Received: -lang pl describe DATE_IN_PAST_96_XX Data: jest od 96 lub wiêcej godzin przed dat± z Received: -lang pl describe MISSING_DATE Brakuje nag³ówka Data: -lang pl describe DATE_SPAMWARE_Y2K Nag³ówek Data: u¿ywa podejrzanego formatowania Y2k -lang pl describe DEAR_FRIEND 'Drogi Przyjacielu' (ang.) -lang pl describe DEAR_SOMETHING Zawiera 'Drogi Kto¶tam' (ang.) -lang pl describe EMAIL_ROT13 Tre¶æ zawiera adres email zakodowany ROT13 -lang pl describe EXCUSE_24 Twierdzi, ¿e chcia³e¶ tê reklamê -lang pl describe EXCUSE_4 Twierdzi, ¿e mo¿esz byæ usuniêty z listy -lang pl describe EXCUSE_REMOVE Pisze, jak mo¿na zostaæ usuniêtym z listy -lang pl describe FIN_FREE Wolno¶æ finansowa -lang pl describe FORGED_HOTMAIL_RCVD2 Od: hotmail.com, lecz bez 'Received:' -lang pl describe FORGED_IMS_HTML IMS nie potrafi wysy³aæ wiadomo¶ci ca³kowicie w HTML -lang pl describe FORGED_IMS_TAGS Programy pocztowe IMS nie potrafi± wysy³aæ HTMLa w tym formacie -lang pl describe FORGED_MUA_EUDORA Podrobiony mail udaj±cy przesy³kê z programu Eudora -lang pl describe FORGED_MUA_IMS Podrobiony mail udaj±cy przesy³kê z IMS -lang pl describe FORGED_MUA_MOZILLA Podrobiony mail udaj±cy przesy³kê z Mozilli -lang pl describe FORGED_MUA_OIMO Podrobiony mail udaj±cy przesy³kê z MS Outlook IMO -lang pl describe FORGED_MUA_OUTLOOK Podrobiony mail udaj±cy przesy³kê z MS Outlook -lang pl describe FORGED_MUA_THEBAT_BOUN Podrobiony mail udaj±cy przesy³kê z programu The Bat! (granica) -lang pl describe FORGED_MUA_THEBAT_CS Podrobiony mail udaj±cy przesy³kê z programu The Bat! (zestaw znaków) -lang pl describe FORGED_OUTLOOK_HTML Outlook nie potrafi wysy³aæ wiadomo¶ci ca³kowicie w HTML -lang pl describe FORGED_OUTLOOK_TAGS Outlook nie potrafi wysy³aæ wiadomo¶ci HTML w tym formacie -lang pl describe FORGED_QUALCOMM_TAGS Programy pocztowe QUALCOMM nie potrafi± wysy³aæ HTMLa w tym formacie -lang pl describe FORGED_TELESP_RCVD Zawiera podrobion± nazwê hosta pod IP DSLa z Brazylii -lang pl describe FORGED_THEBAT_HTML The Bat! nie potrafi wysy³aæ wiadomo¶ci ca³kowicie w HTML -lang pl describe FORGED_YAHOO_RCVD Od: yahoo.com nie zgadza siê z nag³ówkami Received: -lang pl describe FORWARD_LOOKING O¶wiadczenie rezygnuj±cego akcjonariusza -lang pl describe FREE_PORN Prawdopodobnie porno - darmowe porno -lang pl describe FREE_QUOTE_INSTANT Darmowe notowania (ekspresowe lub bez zobowi±zañ) -lang pl describe FROM_ILLEGAL_CHARS From: zawiera zbyt wiele niedozwolonych znaków -lang pl describe FROM_NO_USER Od: nie ma niczego przed znakiem @ -lang pl describe FROM_OFFERS Od: adresu typu "@wspania³a-okazja" -lang pl describe FROM_STARTS_WITH_NUMS Od: zaczyna siê cyframi -lang pl describe GAPPY_SUBJECT Temat: zawiera D.z.i.u.r.a.w.y-T.e.k.s.t -lang pl describe GTUBE Ogólny test na Niepo¿±dane Przesy³ki Email -lang pl describe GUARANTEED_100_PERCENT 100% gwarancji -lang pl describe HEADER_COUNT_CTYPE Znaleziono wielokrotne nag³ówki Content-Type -lang pl describe HEAD_ILLEGAL_CHARS Nag³ówek zawiera zbyt wiele niedozwolonych znaków -lang pl describe HIDE_WIN_STATUS U¿ywa Javascriptu by ukryæ URLe w przegl±darce -lang pl describe HTML_CHARSET_FARAWAY Obcy jêzyk u¿ywany w znacznikach HTML -lang pl describe HTML_COMMENT_SAVED_URL Wiadomo¶æ HTML jest stron± WWW -lang pl describe HTML_EMBEDS HTML z osadzonym obiektem typu wtyczka -lang pl describe HTML_FONT_FACE_BAD HTMLowy opis czcionki nie jest s³owem -lang pl describe HTML_FONT_LOW_CONTRAST kolor czcionki w HTML jest podobny do t³a -lang pl describe HTML_FORMACTION_MAILTO czê¶æ HTML zawiera formularz, który wysy³a pocztê -lang pl describe HTML_IMAGE_ONLY_04 HTML: grafika i 200-400 bajtów s³ów -lang pl describe HTML_IMAGE_ONLY_08 HTML: grafika i 600-800 bajtów s³ów -lang pl describe HTML_IMAGE_ONLY_12 HTML: grafika i 1000-1200 bajtów s³ów -lang pl describe HTML_IMAGE_RATIO_02 HTML posiada niski stosunek objêto¶ci tekstu do obrazu -lang pl describe HTML_IMAGE_RATIO_04 HTML posiada niski stosunek objêto¶ci tekstu do obrazu -lang pl describe HTML_IMAGE_RATIO_06 HTML posiada niski stosunek objêto¶ci tekstu do obrazu -lang pl describe HTML_IMAGE_RATIO_08 HTML posiada niski stosunek objêto¶ci tekstu do obrazu -lang pl describe HTML_MESSAGE Wiadomo¶æ zawiera kod HTML -lang pl describe HTML_MIME_NO_HTML_TAG Wiadomo¶æ ca³kowicie w HTML, lecz bez odpowiedniego oznaczenia -lang pl describe HTML_TAG_BALANCE_BODY HTML posiada niepozamykane znaczniki w "body" -lang pl describe HTML_TAG_BALANCE_HEAD HTML posiada niepozamykane znaczniki w "head" -lang pl describe HTTP_ESCAPED_HOST U¿ywa % wewn±trz nazwy hosta w URL -lang pl describe HTTP_EXCESSIVE_ESCAPES Ca³kowicie zbêdne % wewn±trz URL -lang pl describe IMPOTENCE Lekarstwo na impotencjê -lang pl describe INVALID_DATE Nieprawid³owa data (RFC 2822) -lang pl describe INVALID_DATE_TZ_ABSURD Nieprawid³owa data (nieistniej±ca strefa czasowa) -lang pl describe INVALID_MSGID Zgodnie z RFC 2822, Message-Id jest nieprawid³owe -lang pl describe IP_LINK_PLUS CGI poprzedzone kropkowo-dziesiêtnym adresem IP -lang pl describe JAPANESE_UCE_SUBJECT Temat: zawiera japoñski znacznik UCE -lang pl describe JOIN_MILLIONS Do³±cz do Milionów Amerykan -lang pl describe KOREAN_UCE_SUBJECT Temat: zawiera koreañski znacznik UCE -lang pl describe LIVE_PORN Prawdopodobnie porno - Porno na ¿ywo -lang pl describe LOW_PRICE Najni¿sza cena -lang pl describe MARKETING_PARTNERS Twierdzi, ¿e jeste¶ zarejestrowany jako partner -#lang pl describe MILLION_USD O milionach dolarów -#lang pl describe MIME_BASE64_BLANKS Dodatkowe puste linie kodowane w Base64 -lang pl describe MIME_BASE64_TEXT Tekst wiadomo¶ci zakamuflowany przy u¿yciu kodowania Base64 -lang pl describe __MIME_BASE64 Zawiera za³±cznik kodowany w Base64 -lang pl describe MIME_BOUND_MANY_HEX Na granicy MIME widaæ ¶lad narzêdzia spamerskiego -lang pl describe MIME_CHARSET_FARAWAY zestaw znaków MIME wskazuje na jêzyk obcy -lang pl describe MIME_HEADER_CTYPE_ONLY Znaleziono nag³ówek 'Content-Type' lecz bez nag³ówków MIME -lang pl describe MIME_HTML_MOSTLY Wiadomo¶æ wieloczê¶ciowa, g³ownie tekst/html MIME -lang pl describe MIME_HTML_ONLY_MULTI Wiadomo¶æ wieloczê¶ciowa posiada tylko czê¶ci tekstowe/html MIME -lang pl describe MIME_HTML_ONLY Wiadomo¶æ posiada tylko czê¶ci tekstowe/html MIME -lang pl describe MIME_QP_LONG_LINE Linia QP d³u¿sza ni¿ 76 znaków -lang pl describe __MIME_QP Zawiera za³±cznik kodowany w Quoted-Printable -lang pl describe MISSING_HEADERS Brakuje jednego z nag³ówków: Od, Dd lub Data -lang pl describe MISSING_MIMEOLE Wiadomo¶æ zawiera X-MSMail-Priority, lecz bez X-MimeOLE -lang pl describe MONEY_BACK Gwarancja zwrotu pieniêdzy -lang pl describe MSGID_FROM_MTA_HEADER Message-Id zosta³ dodany przez relay -lang pl describe MSGID_OUTLOOK_INVALID Sfa³szowany Message-Id (w formacie Outlook Express) -lang pl describe MULTI_FORGED Nag³ówki Received: wykazuj± wielokrotne fa³szowanie -#lang pl describe NA_DOLLARS O milionie Pó³nocno Amerykañskich dolarów -lang pl describe NO_DNS_FOR_FROM Domena w nag³ówku Do: nie posiada wpisu w DNS (MX lub A) -lang pl describe NO_MEDICAL Bez badañ medycznych -lang pl describe NONEXISTENT_CHARSET Nieznany zestaw znaków (jêzyk). -lang pl describe NO_RDNS_DOTCOM_HELO Odpowied¼ HELO hosta pokazuje wielkiego ISP, lecz brakuje rDNS -lang pl describe NOT_ADVISOR Niezarejestrowany doradca inwestycyjny -lang pl describe NUMERIC_HTTP_ADDR U¿ywa kropkowo-dziesiêtnego adresu IP w URL -lang pl describe OBFUSCATING_COMMENT Komentarze HTML zaciemniaj± tekst -lang pl describe OBSCURED_EMAIL Wiadomo¶æ zdaje siê zawieraæ zrotowany (rot13) adres -lang pl describe ONE_TIME Jednokrotna grabie¿ -lang pl describe ONLINE_PHARMACY Apteka on-line -lang pl describe PLING_QUERY Temat zawiera wykrzyknik i pytajnik -lang pl describe PREST_NON_ACCREDITED 'Presti¿owe nieakredytowane uniwersytety' -lang pl describe RATWARE_EGROUPS Znaleziono oznaczenie przesy³ki masowej (eGroups) -lang pl describe RATWARE_HASH_DASH Zawiera zabezpieczenia przeciwko detekcji spamu w formacie Send-Safe -lang pl describe RATWARE_OE_MALFORMED Nag³ówek X-Mailer podaje z³± wersjê Outlook Express -lang pl describe RCVD_AM_PM Sfa³szowane nag³ówki Received (AM/PM) -lang pl describe RCVD_FAKE_HELO_DOTCOM Nag³ówek Received zawiera sfa³szowan± nazwê hosta HELO -lang pl describe RCVD_IN_BL_SPAMCOP_NET Odebrane od systemu klasy RELAY w/g: bl.spamcop.net -lang pl describe RCVD_IN_MAPS_DUL "open relay" wed³ug DUL, http://www.mail-abuse.org/dul/ -lang pl describe RCVD_IN_MAPS_NML "open relay" wed³ug NML, http://www.mail-abuse.org/nml/ -lang pl describe RCVD_IN_MAPS_RBL "open relay" wed³ug RBL, http://www.mail-abuse.org/rbl/ -lang pl describe RCVD_IN_MAPS_RSS "open relay" wed³ug RSS, http://www.mail-abuse.org/rss/ -lang pl describe RCVD_IN_SBL Otrzymano przez relay listowany w Spamhaus Block List -lang pl describe RCVD_IN_SORBS_BLOCK SORBS: nadawca nie pozwala siê testowaæ -lang pl describe RCVD_IN_SORBS_HTTP SORBS: nadawca jest otwartym serwerem HTTP -lang pl describe RCVD_IN_SORBS_MISC SORBS: nadawca jest otwartym serwerem proxy -lang pl describe RCVD_IN_SORBS_SMTP SORBS: nadawca posiada otwarty serwer (Open Relay) -lang pl describe RCVD_IN_SORBS_SOCKS SORBS: nadawca jest otwartym serwerem SOCKS proxy -lang pl describe RCVD_IN_SORBS_WEB SORBS: nadawca posiada nadu¿ywany serwer WWW -lang pl describe RCVD_IN_SORBS_ZOMBIE SORBS: nadawca jest z sieci bez kontroli -lang pl describe REFINANCE_NOW Refinansowanie domów -lang pl describe REFINANCE_YOUR_HOME Refinansowanie domów -lang pl describe SORTED_RECIPS Lista odbiorców posortowana wed³ug adresu -lang pl describe STOCK_ALERT Oferuje powiadomienie o kursach akcji -lang pl describe STRONG_BUY Mówi o mocnym zakupie -lang pl describe SUBJ_ALL_CAPS Temat zawiera same du¿e litery -lang pl describe SUBJ_AS_SEEN Temat: zawiera "Jak pokazywano" -lang pl describe SUBJ_BUY Temat: zaczyna siê od Kup/Kupowanie -lang pl describe SUBJ_DOLLARS Temat: zaczyna siê od kwoty dolarów -lang pl describe SUBJ_ILLEGAL_CHARS Temat: zawiera zbyt wiele niedozwolonych znaków -#lang pl describe SUBJ_YOUR_DEBT Temat: zawiera "Twoje rachunki" lub podobnie -lang pl describe SUBJ_YOUR_FAMILY Temat: zawiera "Twoja rodzina" -lang pl describe SUSPICIOUS_RECIPS Do: zawiera tê sam± domenê przynajmniej 10 razy. -lang pl describe TO_MALFORMED Do: zawiera uszkodzony adres -lang pl describe TRACKER_ID Zawiera numer identyfikacyjny -lang pl describe UNCLAIMED_MONEY (ludzie po prostu rozrzucaj± pieni±dze dooko³a) -lang pl describe UPPERCASE_50_75 Tre¶æ jest w 50-75% wielkimi literami -lang pl describe UPPERCASE_75_100 Tre¶æ jest w 75-100% wielkimi literami -lang pl describe URG_BIZ Pilna sprawa -#lang pl describe US_DOLLARS_3 Wspomina miliony $ ($NN,NNN,NNN.NN) -lang pl describe USER_IN_ALL_SPAM_TO U¿ytkownik jest wymieniony w 'all_spam_to' -lang pl describe USER_IN_BLOCKLIST Od: zawiera adres z Twojej "czarnej listy" -lang pl describe USER_IN_BLOCKLIST_TO U¿ytkownik jest wymieniony w 'blocklist_to' -lang pl describe USER_IN_DEF_WELCOMELIST U¿ytkownik jest wymieniony w domy¶lnej welcome-list (bia³ej li¶cie) -lang pl describe USER_IN_MORE_SPAM_TO U¿ytkownik jest wymieniony w 'more_spam_to' -lang pl describe USER_IN_WELCOMELIST Od: zawiera adres z welcome-list (bia³ej listy) -lang pl describe USER_IN_WELCOMELIST_TO U¿ytkownik jest wymieniony w 'welcomelist_to' -lang pl describe WEIRD_PORT U¿ywa niestandardowego numeru portu dla HTTP -lang pl describe WEIRD_QUOTING Dziwne, powtarzaj±ce siê znaki podwójnego cytowania -lang pl describe WITH_LC_SMTP Linia 'Received' zawiera spamerski podpis (smtp) - -ifplugin Mail::SpamAssassin::Plugin::AntiVirus -lang pl describe MIME_SUSPECT_NAME Nazwa pliku MIME nie zgadza siê z zawarto¶ci± -endif - -ifplugin Mail::SpamAssassin::Plugin::DCC -lang pl describe DCC_CHECK Na li¶cie DCC (http://www.dcc-servers.net/dcc/) -endif - -ifplugin Mail::SpamAssassin::Plugin::Pyzor -lang pl describe PYZOR_CHECK Na li¶cie Pyzor (https://pyzor.readthedocs.io/en/latest/) -endif - -ifplugin Mail::SpamAssassin::Plugin::TextCat -lang pl describe BODY_8BITS Tre¶æ zawiera 8 kolejnych 8mio bitowych znaków -lang pl describe UNWANTED_LANGUAGE_BODY Wiadomo¶æ napisana w niepo¿±danym jêzyku -endif - -ifplugin Mail::SpamAssassin::Plugin::AccessDB -lang pl describe ACCESSDB Wiadomo¶æ zosta³aby przechwycona przez accessdb -endif - -lang pl describe NORMAL_HTTP_TO_IP U¿ywa kropkowo-dziesiêtnego adresu IP w URL - diff --git a/resources/spamassassin/30_text_pt_br.cf b/resources/spamassassin/30_text_pt_br.cf deleted file mode 100644 index 98a3bab7..00000000 --- a/resources/spamassassin/30_text_pt_br.cf +++ /dev/null @@ -1,609 +0,0 @@ -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -# character set -lang pt_BR report_charset iso-8859-1 - -# pt_BR translation by W3P Projetos Web (http://www.w3p.com.br/) - -lang pt_BR clear_report_template -lang pt_BR report O filtro de spam do servidor "_HOSTNAME_" identificou este -lang pt_BR report e-mail como um spam. A mensagem original está anexa a este -lang pt_BR report este e-mail para que possa ser visualizada (caso não seja -lang pt_BR report um spam) ou para que emails futuros similares a este sejam -lang pt_BR report marcados como spam também. Caso tenha alguma dúvida, entre -lang pt_br report em contato no email _CONTACTADDRESS_ para mais detalhes. -lang pt_BR report -lang pt_BR report Visualização de um trecho: _PREVIEW_ -lang pt_BR report -lang pt_BR report Detalhes da análise: (_SCORE_ pontos, mínimo de _REQD_) -lang pt_BR report -lang pt_BR report " pts regra descrição" -lang pt_BR report ---- ---------------------- -------------------------------------------------- -lang pt_BR report _SUMMARY_ - -lang pt_BR clear_unsafe_report_template -lang pt_BR unsafe_report A mensagem original não estava em texto puro e pode ser inseguro abrí-la -lang pt_BR unsafe_report em alguns clientes de email; mais especificamente, ela pode conter um vírus -lang pt_BR unsafe_report ou confirmar que seu endereço de email pode receber spam. -lang pt_BR unsafe_report Se quiser visualizar a mensagem, pode ser mais seguro salvá-la em um arquivo -lang pt_BR unsafe_report e abrí-la com um editor. - -lang pt_BR describe USER_IN_BLOCKLIST Endereço do From: está na blocklist do usuário -lang pt_BR describe USER_IN_WELCOMELIST Endereço do From: está na welcomelist do usuário -lang pt_BR describe USER_IN_DEF_WELCOMELIST Endereço do From: está na welcomelist padrão -lang pt_BR describe USER_IN_BLOCKLIST_TO Usuário está listado na 'blocklist_to' -lang pt_BR describe USER_IN_WELCOMELIST_TO Usuário está listado na 'welcomelist_to' -lang pt_BR describe USER_IN_MORE_SPAM_TO Usuário está listado na 'more_spam_to' -lang pt_BR describe USER_IN_ALL_SPAM_TO Usuário está listado na 'all_spam_to' - -ifplugin Mail::SpamAssassin::Plugin::AWL -lang pt_BR describe AWL Endereço do From: está na auto welcomelist -endif - -# 20_advance_fee.cf - These are removed and will break lint -#lang pt_BR describe ADVANCE_FEE_2 Aparenta ser fraude (Nigerian 419) -#lang pt_BR describe ADVANCE_FEE_3_NEW Aparenta ser fraude (Nigerian 419) -#lang pt_BR describe ADVANCE_FEE_4_NEW Aparenta ser fraude (Nigerian 419) - -# 20_body_tests.cf -lang pt_BR describe GTUBE Generic Test for Unsolicited Bulk Email -lang pt_BR describe TRACKER_ID Mensagem contém um código rastramento -lang pt_BR describe WEIRD_QUOTING Possui caracteres "" estranhos -lang pt_BR describe MIME_HTML_ONLY_MULTI Mensagem diz ser multipart mas só possui formato text/html -lang pt_BR describe MIME_CHARSET_FARAWAY MIME character set indica idioma estrangeiro -lang pt_BR describe EMAIL_ROT13 Mensagem contém um endereço de email codificado com ROT13 -lang pt_BR describe LONGWORDS Contém trechos longos de palavras extensas -lang pt_BR describe MPART_ALT_DIFF Versão HTML e versão Texto da mensagem são diferentes -lang pt_BR describe MPART_ALT_DIFF_COUNT Versão HTML e versão Texto da mensagem são diferentes -lang pt_BR describe BLANK_LINES_80_90 Corpo da mensagem é composto por 80-90% de linhas em branco -lang pt_BR describe CHARSET_FARAWAY Character set indica um idioma estrangeiro -lang pt_BR describe __MIME_BASE64 Possui anexo no formato base64 -lang pt_BR describe __MIME_QP Possui anexo no formato quoted-printable -#lang pt_BR describe MIME_BASE64_BLANKS Possui linhas vazias extras em codificação base64 -lang pt_BR describe MIME_BASE64_TEXT Texto da mensagem está disfarçado usando codificação base64 -lang pt_BR describe MISSING_MIME_HB_SEP Falta linha em branco entre MIME header e Body -lang pt_BR describe MIME_HTML_MOSTLY Mensagem multipart é composta em sua maioria por text/html -lang pt_BR describe MIME_HTML_ONLY Mensagem somente possui formato text/html -lang pt_BR describe MIME_QP_LONG_LINE Linha do tipo Quoted-printable maior que 76 caracteres -lang pt_BR describe MIME_BAD_ISO_CHARSET MIME character set é um charset ISO desconhecido -lang pt_BR describe HTTPS_IP_MISMATCH Link indica HTTPS, mas na verdade aponta para um IP -lang pt_BR describe URI_TRUNCATED Mensagem possui uma URI que foi truncada - -# 20_compensate.cf -lang pt_BR describe NO_RECEIVED Informação: mensagem não possui cabeçalho Received: -lang pt_BR describe ALL_TRUSTED Mensagem passou via SMTP apenas por hosts confiáveis -lang pt_BR describe NO_RELAYS Informação: mensagem não foi recebida via SMTP - -# 20_dnsbl_tests.cf -lang pt_BR describe __RCVD_IN_SORBS Recebida por um relay listado em SORBS -lang pt_BR describe RCVD_IN_SORBS_HTTP SORBS: remetente é um proxy HTTP aberto -lang pt_BR describe RCVD_IN_SORBS_SOCKS SORBS: remetente é um proxy SOCKS aberto -lang pt_BR describe RCVD_IN_SORBS_MISC SORBS: remetente é um proxy aberto -lang pt_BR describe RCVD_IN_SORBS_SMTP SORBS: remetente é um relay SMTP aberto -lang pt_BR describe RCVD_IN_SORBS_WEB SORBS: remetente é um servidor web explorável -lang pt_BR describe RCVD_IN_SORBS_BLOCK SORBS: remetente requer que não seja testado -lang pt_BR describe RCVD_IN_SORBS_ZOMBIE SORBS: remetente está em uma rede comprometida -lang pt_BR describe RCVD_IN_SORBS_DUL SORBS: mensagem enviada a partir de um IP dinâmico -lang pt_BR describe __RCVD_IN_ZEN Recebida por um relay listado em Spamhaus Zen -lang pt_BR describe RCVD_IN_SBL Recebida por um relay listado em Spamhaus SBL -lang pt_BR describe RCVD_IN_XBL Recebida por um relay listado em Spamhaus XBL -lang pt_BR describe RCVD_IN_PBL Recebida por um relay listado em Spamhaus PBL -lang pt_BR describe RCVD_IN_BL_SPAMCOP_NET Recebida por um relay listado em bl.spamcop.net -lang pt_BR describe RCVD_IN_MAPS_RBL Relay consta em RBL, http://www.mail-abuse.com/enduserinfo_rbl.html -lang pt_BR describe RCVD_IN_MAPS_DUL Relay consta em DUL, http://www.mail-abuse.com/enduserinfo_dul.html -lang pt_BR describe RCVD_IN_MAPS_RSS Relay consta em RSS, http://www.mail-abuse.com/enduserinfo_rss.html -lang pt_BR describe RCVD_IN_MAPS_OPS Relay consta em OPS, http://www.mail-abuse.com/enduserinfo_ops.html -lang pt_BR describe RCVD_IN_MAPS_NML Relay consta em NML, http://www.mail-abuse.com/enduserinfo_nml.html -lang pt_BR describe RCVD_IN_IADB_VOUCHED ISIPP IADB indica que o remetente é confiável (vouched-for sender) - -# 20_drugs.cf -lang pt_BR describe SUBJECT_DRUG_GAP_C Assunto contém uma modificação da palavra 'cialis' -lang pt_BR describe SUBJECT_DRUG_GAP_L Assunto contém uma modificação da palavra 'levitra' -lang pt_BR describe SUBJECT_DRUG_GAP_S Assunto contém uma modificação da palavra 'soma' -#lang pt_BR describe SUBJECT_DRUG_GAP_VA Assunto contém uma modificação da palavra 'valium' -lang pt_BR describe SUBJECT_DRUG_GAP_X Assunto contém uma modificação da palavra 'xanax' -lang pt_BR describe DRUG_DOSAGE Mensagem é sobre preço por dose (price per dose) -lang pt_BR describe DRUG_ED_CAPS Menciona uma droga para disfunção erétil -lang pt_BR describe DRUG_ED_SILD Menciona o princípio ativo de uma droga para disfunção erétil -lang pt_BR describe DRUG_ED_GENERIC Menciona "Generic Viagra" -lang pt_BR describe DRUG_ED_ONLINE Contém "Fast Viagra Delivery" -lang pt_BR describe ONLINE_PHARMACY Contém "Online Pharmacy" -lang pt_BR describe NO_PRESCRIPTION Contém a frase "No prescription needed" -lang pt_BR describe VIA_GAP_GRA Tentativa de disfarçar a palavra 'viagra' -lang pt_BR describe DRUGS_ERECTILE Refere-se a uma droga para disfunção erétil -lang pt_BR describe DRUGS_ERECTILE_OBFU Referência ofuscada a uma droga para disfunção erétil -lang pt_BR describe DRUGS_DIET Refere-se a uma droga para dieta -lang pt_BR describe DRUGS_DIET_OBFU Referência ofuscada a uma droga para dieta -lang pt_BR describe DRUGS_MUSCLE Referência a um relaxante muscular -lang pt_BR describe DRUGS_ANXIETY Referência a uma droga para controle de ansiedade -lang pt_BR describe DRUGS_ANXIETY_OBFU Referência ofuscada a uma droga para controle de ansiedade -lang pt_BR describe DRUGS_SMEAR1 Duas ou mais drogas em uma palavra só -lang pt_BR describe DRUGS_ANXIETY_EREC Refere-se a uma droga para disfunção erétil e outra para controle de ansiedade -lang pt_BR describe DRUGS_SLEEP_EREC Refere-se a uma droga para disfunção erétil e um calmante -lang pt_BR describe DRUGS_MANYKINDS Refere-se ao menos a quatro tipos de drogas diferentes - -# 20_dynrdns.cf -lang pt_BR describe __RDNS_DYNAMIC_IPADDR Comando HELO enviado usando hostname suspeito (IP addr 1) -lang pt_BR describe __RDNS_DYNAMIC_DHCP Comando HELO enviado usando hostname suspeito (DHCP) -lang pt_BR describe __RDNS_DYNAMIC_HCC Comando HELO enviado usando hostname suspeito (HCC) -lang pt_BR describe __RDNS_DYNAMIC_ATTBI Comando HELO enviado usando hostname suspeito (ATTBI.com) -lang pt_BR describe __RDNS_DYNAMIC_ROGERS Comando HELO enviado usando hostname suspeito (Rogers) -lang pt_BR describe __RDNS_DYNAMIC_ADELPHIA Comando HELO enviado usando hostname suspeito (Adelphia) -lang pt_BR describe __RDNS_DYNAMIC_DIALIN Comando HELO enviado usando hostname suspeito (T-Dialin) -lang pt_BR describe __RDNS_DYNAMIC_HEXIP Comando HELO enviado usando hostname suspeito (Hex IP) -lang pt_BR describe __RDNS_DYNAMIC_SPLIT_IP Comando HELO enviado usando hostname suspeito (Split IP) -lang pt_BR describe __RDNS_DYNAMIC_YAHOOBB Comando HELO enviado usando hostname suspeito (YahooBB) -lang pt_BR describe __RDNS_DYNAMIC_OOL Comando HELO enviado usando hostname suspeito (OptOnline) -lang pt_BR describe __RDNS_DYNAMIC_RR2 Comando HELO enviado usando hostname suspeito (RR 2) -lang pt_BR describe __RDNS_DYNAMIC_COMCAST Comando HELO enviado usando hostname suspeito (Comcast) -lang pt_BR describe __RDNS_DYNAMIC_TELIA Comando HELO enviado usando hostname suspeito (Telia) -lang pt_BR describe __RDNS_DYNAMIC_VTR Comando HELO enviado usando hostname suspeito (VTR) -lang pt_BR describe __RDNS_DYNAMIC_CHELLO_NO Comando HELO enviado usando hostname suspeito (Chello.no) -lang pt_BR describe __RDNS_DYNAMIC_CHELLO_NL Comando HELO enviado usando hostname suspeito (Chello.nl) -lang pt_BR describe __RDNS_DYNAMIC_VELOX Comando HELO enviado usando hostname suspeito (Veloxzone) -lang pt_BR describe __RDNS_DYNAMIC_NTL Comando HELO enviado usando hostname suspeito (NTL) -lang pt_BR describe RDNS_DYNAMIC Entregue a uma rede interna por um host com rDNS que parece ser dinâmico -lang pt_BR describe RDNS_NONE Entregue a uma rede interna por um host sem rDNS - -# 20_fake_helo_tests.cf -lang pt_BR describe HELO_STATIC_HOST Comando HELO enviado usando hostname estatico -#lang pt_BR describe FAKE_HELO_MAIL_COM_DOM Comando HELO enviado usando hostname suspeito (mail.com) -lang pt_BR describe HELO_DYNAMIC_IPADDR Comando HELO enviado usando hostname suspeito (IP addr 1) -lang pt_BR describe HELO_DYNAMIC_DHCP Comando HELO enviado usando hostname suspeito (DHCP) -lang pt_BR describe HELO_DYNAMIC_HCC Comando HELO enviado usando hostname suspeito (HCC) -lang pt_BR describe HELO_DYNAMIC_ROGERS Comando HELO enviado usando hostname suspeito (Rogers) -lang pt_BR describe HELO_DYNAMIC_DIALIN Comando HELO enviado usando hostname suspeito (T-Dialin) -lang pt_BR describe HELO_DYNAMIC_HEXIP Comando HELO enviado usando hostname suspeito (Hex IP) -lang pt_BR describe HELO_DYNAMIC_SPLIT_IP Comando HELO enviado usando hostname suspeito (Split IP) -lang pt_BR describe HELO_DYNAMIC_IPADDR2 Comando HELO enviado usando hostname suspeito (IP addr 2) -lang pt_BR describe HELO_DYNAMIC_CHELLO_NL Comando HELO enviado usando hostname suspeito (Chello.nl) -lang pt_BR describe HELO_DYNAMIC_HOME_NL Comando HELO enviado usando hostname suspeito (Home.nl) - -# 20_freemail.cf -lang pt_BR describe FREEMAIL_REPLYTO Reply-To/From ou Reply-To/body usam diferentes emails gratuitos -lang pt_BR describe FREEMAIL_REPLY From e body contém diferentes emails gratuitos -lang pt_BR describe FREEMAIL_FROM Remetente utiliza um email gratuito -lang pt_BR describe FREEMAIL_ENVFROM_END_DIGIT Nome de usuário de email gratuito no Envelope-From termina em dígito -lang pt_BR describe FREEMAIL_REPLYTO_END_DIGIT Nome de usuário de email gratuito no Reply-To termina em dígito -lang pt_BR describe FREEMAIL_FORGED_REPLYTO Email gratuito usado no Reply-To, mas não no From: - -# 20_head_tests.cf -lang pt_BR describe FRAGMENTED_MESSAGE Mensagem fragmentada -lang pt_BR describe FROM_BLANK_NAME From: contém um nome vazio -lang pt_BR describe FROM_STARTS_WITH_NUMS From: começa com muitos números -lang pt_BR describe FROM_OFFERS Endereço do From: contém "offers" -lang pt_BR describe FROM_NO_USER From: não tem nenhum nome de usuário antes do @ -lang pt_BR describe PLING_QUERY Assunto contém exclamação e interrogação -lang pt_BR describe MSGID_SPAM_CAPS Message-Id conhecido como spam (caps variant) -lang pt_BR describe MSGID_SPAM_LETTERS Message-Id conhecido como spam (letters variant) -lang pt_BR describe MSGID_RANDY Message-Id tem padrão comum encontrado em spam -lang pt_BR describe MSGID_YAHOO_CAPS Message-ID possui MAIUSCULAS@yahoo.com -lang pt_BR describe FORGED_MSGID_AOL Message-ID é forjado (aol.com) -lang pt_BR describe FORGED_MSGID_EXCITE Message-ID é forjado (excite.com) -lang pt_BR describe FORGED_MSGID_HOTMAIL Message-ID é forjado (hotmail.com) -lang pt_BR describe FORGED_MSGID_MSN Message-ID é forjado (msn.com) -lang pt_BR describe FORGED_MSGID_YAHOO Message-ID é forjado (yahoo.com) -lang pt_BR describe MSGID_FROM_MTA_HEADER Message-Id foi adicionado por um relay -lang pt_BR describe MSGID_SHORT Message-ID é curto demais -lang pt_BR describe DATE_SPAMWARE_Y2K Data no cabeçalho usa formatação estranha -lang pt_BR describe INVALID_DATE Cabeçalho Date: é inválido (não segue a RFC 2822) -lang pt_BR describe INVALID_DATE_TZ_ABSURD Cabeçalho Date: é inválido (timezone não existe) -lang pt_BR describe INVALID_TZ_CST Data inválida no header (timezone CST incorreta) -lang pt_BR describe INVALID_TZ_EST Data inválida no header (timezone EST incorreta) -lang pt_BR describe FROM_EXCESS_BASE64 Endereço do From: está desnecessariamente codificado em base64 -lang pt_BR describe ENGLISH_UCE_SUBJECT Assunto contém um texto comum de UCE (unsolicited commercial email) em inglês -lang pt_BR describe JAPANESE_UCE_SUBJECT Assunto contém um texto comum de UCE (unsolicited commercial email) em japonês -lang pt_BR describe JAPANESE_UCE_BODY Corpo da mensagem contém um texto comum de UCE (unsolicited commercial email) em japonês -lang pt_BR describe KOREAN_UCE_SUBJECT Assunto contém um texto comum de UCE (unsolicited commercial email) em coreano -lang pt_BR describe RCVD_DOUBLE_IP_SPAM Spam conhecido (double IP) -lang pt_BR describe RCVD_DOUBLE_IP_LOOSE "Received by" e "From" parecem ser endereços IP -lang pt_BR describe FORGED_TELESP_RCVD Contém um hostname forjado para um IP DSL do Brasil -lang pt_BR describe CONFIRMED_FORGED Cabeçalho Received é forjado -lang pt_BR describe MULTI_FORGED Cabeçalho Received contém várias entradas forjadas -lang pt_BR describe NONEXISTENT_CHARSET Codificação inexistente -lang pt_BR describe MISSING_MID Não possui header Message-Id -lang pt_BR describe MISSING_DATE Não possui header Date -lang pt_BR describe MISSING_SUBJECT Não possui header Subject -lang pt_BR describe GAPPY_SUBJECT Assunto contém T.e.x.t.o-E.s.t.r.a.n.h.o -lang pt_BR describe PREVENT_NONDELIVERY Mensagem possui cabeçaho Prevent-NonDelivery-Report -lang pt_BR describe X_IP Mensagem possui cabeçalho X-IP -lang pt_BR describe MISSING_MIMEOLE Mensagem possui X-MSMail-Priority mas não possui X-MimeOLE -lang pt_BR describe SUBJ_AS_SEEN Assunto contém "As Seen" -lang pt_BR describe SUBJ_DOLLARS Assunto começa com um valor em dólar -#lang pt_BR describe SUBJ_YOUR_DEBT Assunto contém "Your Bills" ou algo parecido -lang pt_BR describe SUBJ_YOUR_FAMILY Assunto contém "Your Family" ou algo parecido -lang pt_BR describe RCVD_FAKE_HELO_DOTCOM Cabeçalho Received contém um hostname de HELO falso -lang pt_BR describe SUBJECT_DIET Assunto fala sobre perda de peso -lang pt_BR describe MIME_BOUND_DD_DIGITS Padrão de spam conhecido em MIME boundary -lang pt_BR describe MIME_BOUND_DIGITS_15 Padrão de spam conhecido em MIME boundary -lang pt_BR describe MIME_BOUND_MANY_HEX Padrão de spam conhecido em MIME boundary -lang pt_BR describe FAKE_OUTBLAZE_RCVD Cabeçalho Received contém o hostname forjado 'mr.outblaze.com' -lang pt_BR describe TO_MALFORMED Cabeçalho To: possui um endereço malformado -lang pt_BR describe MIME_HEADER_CTYPE_ONLY 'Content-Type' encontrado mas não existe MIME headers necessários -lang pt_BR describe WITH_LC_SMTP Cabeçalho Received contém um indício de spam ("smtp" em caixa baixa) -lang pt_BR describe SUBJ_BUY Assunto começa com "Buy" ou "Buying" -lang pt_BR describe RCVD_AM_PM Cabeçalho Received forjado (AM/PM) -lang pt_BR describe UNCLOSED_BRACKET Cabeçalho contém um colchete aberto que não foi fechado -lang pt_BR describe FROM_DOMAIN_NOVOWEL Domínio do From: contém uma série de consoantes -lang pt_BR describe FROM_LOCAL_NOVOWEL Usuário do From: contém uma série de consoantes -lang pt_BR describe FROM_LOCAL_HEX Usuário do From: contém uma longa sequencia de hexadecimais -lang pt_BR describe FROM_LOCAL_DIGITS Usuário do From: contém uma longa sequencia de hexadecimais -lang pt_BR describe X_PRIORITY_CC Cabeçalho "Cc:" posicionado depois de "X-Priority:" (spam conhecido) -lang pt_BR describe BAD_ENC_HEADER Mensagem possui MIME encoding incorreto -lang pt_BR describe __VIA_ML Email de uma mailing list -lang pt_BR describe RCVD_ILLEGAL_IP Cabeçalho "Received:" contém endereço IP ilegal -lang pt_BR describe CHARSET_FARAWAY_HEADER Charset estrangeiro utilizado no header -lang pt_BR describe SUBJ_ILLEGAL_CHARS Assunto possui muitos caracteres ilegais -lang pt_BR describe FROM_ILLEGAL_CHARS "From:" possui muitos caracteres ilegais -lang pt_BR describe HEAD_ILLEGAL_CHARS Cabeçalho possui muitos caracteres ilegais -lang pt_BR describe FORGED_HOTMAIL_RCVD2 Endereço do From é do hotmail.com, mas não há hotmail.com no 'Received:' -lang pt_BR describe FORGED_YAHOO_RCVD Endereço do From é do yahoo.com, mas não há yahoo.com no 'Received:' -lang pt_BR describe SORTED_RECIPS Lista de destinatários está ordenada alfabeticamente -lang pt_BR describe SUSPICIOUS_RECIPS Lista de destinatários possui endereços semelhantes -lang pt_BR describe MISSING_HEADERS Não possui o cabeçalho To: -lang pt_BR describe DATE_IN_PAST_03_06 Date: é 3 a 6 horas antes da data do Received: -lang pt_BR describe DATE_IN_PAST_06_12 Date: é 6 a 12 horas antes da data Received: -lang pt_BR describe DATE_IN_PAST_12_24 Date: é 12 a 24 horas antes da data do Received: -lang pt_BR describe DATE_IN_PAST_24_48 Date: é 24 a 48 horas antes da data do Received: -lang pt_BR describe DATE_IN_PAST_96_XX Date: é 96 horas ou mais antes da data do Received: -lang pt_BR describe DATE_IN_FUTURE_03_06 Date: é 3 a 6 horas depois do Received: -lang pt_BR describe DATE_IN_FUTURE_06_12 Date: é 6 a 12 horas depois do Received: -lang pt_BR describe DATE_IN_FUTURE_12_24 Date: é 12 a 24 horas depois do Received: -lang pt_BR describe DATE_IN_FUTURE_24_48 Date: é 24 a 48 horas depois do Received: -lang pt_BR describe DATE_IN_FUTURE_48_96 Date: é 48 a 96 horas depois do Received: -lang pt_BR describe DATE_IN_FUTURE_96_XX Date: é 96 horas ou mais depois do Received: -lang pt_BR describe UNRESOLVED_TEMPLATE Cabeçalho contém um template não substituído -lang pt_BR describe SUBJ_ALL_CAPS Assunto é composto apenas por letras maiúsculas -lang pt_BR describe LOCALPART_IN_SUBJECT Destinatário do email aparece no assunto da mensagem -lang pt_BR describe MSGID_OUTLOOK_INVALID Message-Id é falso (no formato do Outlook Express) -lang pt_BR describe HEADER_COUNT_CTYPE Vários cabeçalhos Content-Type foram encontrados -lang pt_BR describe HEAD_LONG Cabeçalhos da mensagem são muito longos -lang pt_BR describe MISSING_HB_SEP Não há uma linha separando o cabeçalho do corpo da mensagem -lang pt_BR describe UNPARSEABLE_RELAY Info: mensagem possui dados de relay que não puderam ser lidos -lang pt_BR describe RCVD_HELO_IP_MISMATCH HELO e IP no "Received:" não conferem -lang pt_BR describe NO_RDNS_DOTCOM_HELO Comando HELO enviado como um provedor confiável, mas não possui rDNS - -# 20_html_tests.cf -lang pt_BR describe HTML_SHORT_LINK_IMG_1 O código HTML é muito pequeno, com uma imagem com link -lang pt_BR describe HTML_SHORT_LINK_IMG_2 O código HTML é muito pequeno, com uma imagem com link -lang pt_BR describe HTML_SHORT_LINK_IMG_3 O código HTML é muito pequeno, com uma imagem com link -lang pt_BR describe HTML_SHORT_CENTER O código HTML é muito curto e usa uma tag center. -lang pt_BR describe HTML_CHARSET_FARAWAY Um idioma estrangeiro foi declarado no charset do HTML -lang pt_BR describe HTML_MIME_NO_HTML_TAG A mensagem é em HTML, mas não há uma tag HTML -lang pt_BR describe HTML_MISSING_CTYPE A mensagem é em HTML mas não tem a declaração HTML Content-Type -lang pt_BR describe HIDE_WIN_STATUS Uso de Javascript para ocultar as URLS no navegador -lang pt_BR describe OBFUSCATING_COMMENT HTML possui comentários com texto suspeito -lang pt_BR describe JS_FROMCHARCODE Documento construído a partir de um array em Javascript -lang pt_BR describe HTML_MESSAGE HTML incluso na mensagem -lang pt_BR describe HTML_COMMENT_SHORT O comentário no HTML é muito curto -lang pt_BR describe HTML_COMMENT_SAVED_URL O HTML da mensagem foi salvo de uma página da web -lang pt_BR describe HTML_EMBEDS O HTML possui um objeto plugin incorporado -lang pt_BR describe HTML_EXTRA_CLOSE HTML contém muitas tags fechadas (que não foram abertas) -lang pt_BR describe HTML_FONT_SIZE_LARGE O HTML contém fonte de tamanho grande -lang pt_BR describe HTML_FONT_SIZE_HUGE O HTML contém fonte de tamanho muito grande -lang pt_BR describe HTML_FONT_LOW_CONTRAST Há textos com cores similares à cor de fundo -lang pt_BR describe HTML_FONT_FACE_BAD font face não é uma expressão -lang pt_BR describe HTML_FORMACTION_MAILTO O HTML contém um formulário que envia email -lang pt_BR describe HTML_IMAGE_ONLY_04 HTML: Código HTML possui entre 0-400 caracteres -lang pt_BR describe HTML_IMAGE_ONLY_08 HTML: Código HTML possui entre 400-800 caracteres -lang pt_BR describe HTML_IMAGE_ONLY_12 HTML: Código HTML possui entre 800-1200 caracteres -lang pt_BR describe HTML_IMAGE_ONLY_16 HTML: Código HTML possui entre 1200-1600 caracteres -lang pt_BR describe HTML_IMAGE_ONLY_20 HTML: Código HTML possui entre 1600-2000 caracteres -lang pt_BR describe HTML_IMAGE_ONLY_24 HTML: Código HTML possui entre 2000-2400 caracteres -lang pt_BR describe HTML_IMAGE_ONLY_28 HTML: Código HTML possui entre 2400-2800 caracteres -lang pt_BR describe HTML_IMAGE_ONLY_32 HTML: Código HTML possui entre 2800-320000 caracteres -lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens -lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens -lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens -lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens -lang pt_BR describe HTML_OBFUSCATE_05_10 HTML possui de 5% a 10% de tags vazias ou desnecessárias -lang pt_BR describe HTML_OBFUSCATE_10_20 HTML possui de 10% a 20% de tags vazias ou desnecessárias -lang pt_BR describe HTML_OBFUSCATE_20_30 HTML possui de 20% a 30% de tags vazias ou desnecessárias -lang pt_BR describe HTML_OBFUSCATE_30_40 HTML possui de 30% a 40% de tags vazias ou desnecessárias -lang pt_BR describe HTML_OBFUSCATE_50_60 HTML possui de 50% a 60% de tags vazias ou desnecessárias -lang pt_BR describe HTML_OBFUSCATE_70_80 HTML possui de 70% a 80% de tags vazias ou desnecessárias -lang pt_BR describe HTML_TAG_BALANCE_BODY HTML possui uma tag "body" que não foi aberta ou fechada -lang pt_BR describe HTML_TAG_BALANCE_HEAD HTML possui uma tag "head" que não foi aberta ou fechada -lang pt_BR describe HTML_TAG_EXIST_BGSOUND O HTML contém uma tag "bgsound" -lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 40% a 50% de tags inválidas -lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 50% a 60% de tags inválidas -lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 60% a 70% de tags inválidas -lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 90% a 100% de tags inválidas -lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 30% a 40% de elementos fora dos padrões -lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 40% a 50% de elementos fora dos padrões -lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 60% a 70% de elementos fora dos padrões -lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 80% a 90% de elementos fora dos padrões -lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui tah IFRAME com URL no src - -# 20_imageinfo.cf -lang pt_BR describe __DC_IMG_HTML_RATIO Low rawbody to pixel area ratio -lang pt_BR describe __DC_IMG_TEXT_RATIO Low body to pixel area ratio -lang pt_BR describe DC_GIF_UNO_LARGO Message contains a single large inline gif -lang pt_BR describe __DC_GIF_MULTI_LARGO Message has 2+ inline gif covering lots of area -lang pt_BR describe DC_PNG_UNO_LARGO Message contains a single large inline gif -lang pt_BR describe __DC_PNG_MULTI_LARGO Message has 2+ inline png covering lots of area -lang pt_BR describe DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text -lang pt_BR describe DC_IMAGE_SPAM_HTML Possible Image-only spam - -# 20_meta_tests.cf -lang pt_BR describe UPPERCASE_50_75 Mensagem possui de 50% a 75% de textos em caixa alta. -lang pt_BR describe UPPERCASE_75_100 Mensagem possui de 75% a 100% de textos em caixa alta. -lang pt_BR describe INVALID_MSGID Message-ID inválido, de acordo com a RFC-2822 -lang pt_BR describe FORGED_MUA_MOZILLA Email forjado, tentando se passar como da Mozilla -lang pt_BR describe PERCENT_RANDOM Mensagem contém uma macro randômica -lang pt_BR describe EMPTY_MESSAGE Mensagem parece não conter texto no conteúdo. -lang pt_BR describe NO_HEADERS_MESSAGE Mensagem parece não conter grande parte dos cabeçalhos RFC-822 - -# 20_net_tests.cf -lang pt_BR describe DIGEST_MULTIPLE Remetente está listado em mais de uma blocklist -lang pt_BR describe NO_DNS_FOR_FROM Remetente não possui registros MX ou A no DNS - -# 20_phrases.cf -lang pt_BR describe REMOVE_BEFORE_LINK Frase indicando remoção de email de lista logo antes de um link -lang pt_BR describe GUARANTEED_100_PERCENT Contém "One hundred percent guaranteed" -lang pt_BR describe DEAR_FRIEND Contém "Dear Friend" -lang pt_BR describe DEAR_SOMETHING Contém 'Dear (alguma coisa)' -lang pt_BR describe BILLION_DOLLARS Fala sobre muito dinheiro -lang pt_BR describe EXCUSE_4 Afirma que você pode ser removido da lista se quiser -lang pt_BR describe EXCUSE_24 Afirma que você queria receber essa propaganda -lang pt_BR describe EXCUSE_REMOVE Informa como você pode ser removido da lista -lang pt_BR describe STRONG_BUY Contém "strong buy" -lang pt_BR describe STOCK_ALERT Contém um alerta sobre ações (stock) -lang pt_BR describe NOT_ADVISOR Contém "Not registered investment advisor" -lang pt_BR describe PREST_NON_ACCREDITED Contém "Prestigious Non-Accredited Universities" -lang pt_BR describe BODY_ENHANCEMENT Informação sobre como aumentar partes do corpo -lang pt_BR describe BODY_ENHANCEMENT2 Informação sobre como aumentar partes do corpo -lang pt_BR describe IMPOTENCE Fala sobre cura da impotência -#lang pt_BR describe NA_DOLLARS Fala sobre milhões de dólares norte americanos ou canadenses -#lang pt_BR describe US_DOLLARS_3 Contém $($NN,NNN,NNN.NN) -#lang pt_BR describe MILLION_USD Fala sobre milhões de dólares -lang pt_BR describe URG_BIZ Contém: "urgent matter" -lang pt_BR describe MONEY_BACK Contém: "Money back guarantee" -lang pt_BR describe FREE_QUOTE_INSTANT Contém: "Free express or no-obligation quote" -lang pt_BR describe BAD_CREDIT Contém: "Eliminate Bad Credit" -lang pt_BR describe REFINANCE_YOUR_HOME Contém: "Home refinancing" -lang pt_BR describe REFINANCE_NOW Contém: "Home refinancing" -lang pt_BR describe NO_MEDICAL Contém: "No Medical Exams" -lang pt_BR describe DIET_1 Spam de perda de peso -lang pt_BR describe FIN_FREE Contém: "Freedom of a financial nature" -lang pt_BR describe FORWARD_LOOKING Possui informações sobre o mercado de ações -lang pt_BR describe ONE_TIME Contém: "One Time (alguma coisa)" -lang pt_BR describe JOIN_MILLIONS Contém: "Join Millions of Americans" -lang pt_BR describe MARKETING_PARTNERS Afirma que você se cadastrou com um parceiro -lang pt_BR describe LOW_PRICE Contém: "Lowest Price" -lang pt_BR describe UNCLAIMED_MONEY Spam sobre dinheiro que pode ser seu -lang pt_BR describe OBSCURED_EMAIL Mensagem tenta esconder um endereço de email com codificação ROT13 -lang pt_BR describe BANG_OPRAH Contém: "Oprah!" -lang pt_BR describe ACT_NOW_CAPS Contém: "Act Now" -lang pt_BR describe MORE_SEX Fala sobre um maior desejo por sexo -lang pt_BR describe BANG_GUAR Spam sobre "alguma coisa" garantida ("guaranteed!") -lang pt_BR describe RUDE_HTML Mensagem diz que seu cliente de email não suporta HTML -lang pt_BR describe INVESTMENT_ADVICE Mensagem possui "conselhos" sobre investimentos -lang pt_BR describe MALE_ENHANCE Mensagem fala sobre melhorar a masculinidade -lang pt_BR describe PRICES_ARE_AFFORDABLE Mensagem diz que os preços são baixos -lang pt_BR describe REPLICA_WATCH Mensagem fala sobre réplicas de relógio -lang pt_BR describe EM_ROLEX Mensagem põe ênfase no fabricante do relógio - -# 20_porn.cf -lang pt_BR describe FREE_PORN Pornografia - mensagem contém "Free Porn" -lang pt_BR describe CUM_SHOT Pornografia - mensagem contém "Cum Shot" -lang pt_BR describe LIVE_PORN Pornografia - mensagem contém "Live Porn" -lang pt_BR describe SUBJECT_SEXUAL Assunto indica conteúdo sexualmente-explícito - -# 20_ratware.cf -lang pt_BR describe RATWARE_EGROUPS Detectado como email em massa já conhecido (eGroups) -lang pt_BR describe RATWARE_OE_MALFORMED X-Mailer mal-formado tentando indicar uma versão do Outlook Express -lang pt_BR describe RATWARE_MOZ_MALFORMED Detectado como email em massa já conhecido (Mozilla malformed) -lang pt_BR describe RATWARE_MPOP_WEBMAIL Detectado como email em massa já conhecido (mPOP Web-Mail) -lang pt_BR describe FORGED_MUA_IMS Email Email fingindo ser enviado pelo IMS -lang pt_BR describe FORGED_MUA_OUTLOOK Email fingindo ser enviado pelo MS Outlook -lang pt_BR describe FORGED_MUA_OIMO Email fingindo ser enviado pelo MS Outlook IMO -lang pt_BR describe FORGED_MUA_EUDORA Email fingindo ser enviado pelo Eudora -lang pt_BR describe FORGED_MUA_THEBAT_CS Email fingindo ser enviado pelo The Bat! (charset) -lang pt_BR describe FORGED_MUA_THEBAT_BOUN Email fingindo ser enviado pelo The Bat! (boundary) -lang pt_BR describe FORGED_OUTLOOK_HTML Outlook não consegue enviar mensagens apenas HTML -lang pt_BR describe FORGED_IMS_HTML IMS não consegue enviar mensagens apenas HTML -lang pt_BR describe FORGED_THEBAT_HTML The Bat! não consegue enviar mensagens apenas HTML -lang pt_BR describe REPTO_QUOTE_AOL AOL não usa o formato de citação usado no email -lang pt_BR describe REPTO_QUOTE_IMS IMS não usa o formato de citação usado no email -lang pt_BR describe REPTO_QUOTE_MSN MSN não usa o formato de citação usado no email -lang pt_BR describe REPTO_QUOTE_QUALCOMM Qualcomm/Eudora não usa o formato de citação usado no email -lang pt_BR describe REPTO_QUOTE_YAHOO Yahoo! não usa o formato de citação usado no email -lang pt_BR describe FORGED_QUALCOMM_TAGS QUALCOMM não consegue enviar emails HTML neste formato -lang pt_BR describe FORGED_IMS_TAGS IMS não consegue enviar emails HTML neste formato -lang pt_BR describe FORGED_OUTLOOK_TAGS Outlook não consegue enviar emails HTML neste formato -lang pt_BR describe RATWARE_HASH_DASH Contém hashbuster no formato Sender-Safe -lang pt_BR describe RATWARE_ZERO_TZ Detectado como email em massa já conhecido (+0000) -lang pt_BR describe X_MESSAGE_INFO Detectado como email em massa já conhecido (X-Message-Info) -lang pt_BR describe HEADER_SPAM Detectado como email em massa já conhecido (header-based) -lang pt_BR describe RATWARE_RCVD_PF Detectado como email em massa já conhecido (Received PF) -lang pt_BR describe RATWARE_RCVD_AT Detectado como email em massa já conhecido (Received @) -lang pt_BR describe RATWARE_OUTLOOK_NONAME Detectado como email em massa já conhecido (Outlook no name) -lang pt_BR describe RATWARE_MS_HASH Detectado como email em massa já conhecido (msgid ms hash) -lang pt_BR describe RATWARE_NAME_ID Detectado como email em massa já conhecido (msgid from) -lang pt_BR describe RATWARE_EFROM Detectado como email em massa já conhecido (envfrom) - -# 20_uri_tests.cf -lang pt_BR describe NUMERIC_HTTP_ADDR Utiliza um endereço em número IP na URL -lang pt_BR describe HTTP_ESCAPED_HOST Usa %-escapes no hostname de uma URL -lang pt_BR describe HTTP_EXCESSIVE_ESCAPES Usa %-escapes desnecessários dentro de uma URL -lang pt_BR describe WEIRD_PORT Usa um número de porta não padrão para o HTTP -lang pt_BR describe YAHOO_RD_REDIR Possui URI de Redirecionamento do Yahoo -lang pt_BR describe YAHOO_DRS_REDIR Possui URI de Redirecionamento do Yahoo -lang pt_BR describe SPOOF_COM2OTH URI contém ".com" no meio -lang pt_BR describe SPOOF_COM2COM URI contém ".com" no meio e no fim -lang pt_BR describe SPOOF_NET2COM URI contém ".net" ou ".org" e depois ".com" -lang pt_BR describe URI_HEX Hostname apresenta uma longa seqüência hexadecimal -lang pt_BR describe URI_NOVOWEL Hostname da URI contém uma longa seqüência sem vogal -lang pt_BR describe URI_UNSUBSCRIBE Contém link suspeito de opt-out -lang pt_BR describe IP_LINK_PLUS Endereço IP seguido de arquivo CGI -lang pt_BR describe NORMAL_HTTP_TO_IP Usa um endereço IP na URL -lang pt_BR describe URI_NO_WWW_INFO_CGI Domínio .info possui string suspeita ao invés de "www" -lang pt_BR describe URI_NO_WWW_BIZ_CGI Domínio .biz possui string suspeita ao invés de "www" -lang pt_BR describe HTTP_77 Contém uma URL codificada (URL-encoded) (HTTP77) - -# 20_vbounce.cf -lang pt_BR describe BOUNCE_MESSAGE Mensagem de bounce do MTA -lang pt_BR describe CHALLENGE_RESPONSE Mensagem Tira-Teima de um email que você enviou -lang pt_BR describe CRBOUNCE_MESSAGE Bounce de mensagem Tira-Teima -lang pt_BR describe VBOUNCE_MESSAGE Bounce de mensagem de antivirus -lang pt_BR describe ANY_BOUNCE_MESSAGE Mensagem é um bounce de algum email - -# 23_bayes.cf -ifplugin Mail::SpamAssassin::Plugin::Bayes -lang pt_BR describe BAYES_00 Probabilidade de ser spam entre 0 to 1% -lang pt_BR describe BAYES_05 Probabilidade de ser spam entre 1 to 5% -lang pt_BR describe BAYES_20 Probabilidade de ser spam entre 5 to 20% -lang pt_BR describe BAYES_40 Probabilidade de ser spam entre 20 to 40% -lang pt_BR describe BAYES_50 Probabilidade de ser spam entre 40 to 60% -lang pt_BR describe BAYES_60 Probabilidade de ser spam entre 60 to 80% -lang pt_BR describe BAYES_80 Probabilidade de ser spam entre 80 to 95% -lang pt_BR describe BAYES_95 Probabilidade de ser spam entre 95 to 99% -lang pt_BR describe BAYES_99 Probabilidade de ser spam entre 99 to 100% -lang pt_BR describe BAYES_999 Probabilidade de ser spam entre 99.9 to 100% -endif -# -# 25_accessdb.cf -ifplugin Mail::SpamAssassin::Plugin::AccessDB -lang pt_BR describe ACCESSDB Mensagem teria sido pega pela accessdb -endif - -# 25_antivirus.c -ifplugin Mail::SpamAssassin::Plugin::AntiVirus -lang pt_BR describe MICROSOFT_EXECUTABLE Mensagem contém um programa executável Microsoft -lang pt_BR describe MIME_SUSPECT_NAME Extensão do arquivo não corresponde ao seu conteúdo -endif - -# 25_dcc.cf -ifplugin Mail::SpamAssassin::Plugin::DCC -lang pt_BR describe DCC_CHECK Classificado como email em massa pelo DCC (dcc-servers.net) -lang pt_BR describe DCC_REPUT_00_12 Reputação no DCC entre 0 e 12 % (maioria não-spam) -lang pt_BR describe DCC_REPUT_70_89 Reputação no DCC entre 70 and 89 % -lang pt_BR describe DCC_REPUT_90_94 Reputação no DCC entre 90 and 94 % -lang pt_BR describe DCC_REPUT_95_98 Reputação no DCC entre 95 and 98 % (maioria de spam) -lang pt_BR describe DCC_REPUT_99_100 Reputação no DCC entre 99 % ou mais (definitamente spam) -endif - -# 25_dkim.cf -lang pt_BR describe DKIM_SIGNED Mensagem possui uma assinatura DKIM ou DK não necessariamente válida -lang pt_BR describe DKIM_VALID Mensagem possui ao menos uma assinatura DKIM ou DK válida -lang pt_BR describe DKIM_VALID_AU Mensagem possui uma assinatura DKIM ou DK válida do domínio do autor da mensagem -lang pt_BR describe __DKIM_DEPENDABLE Falha na validação DKIM -lang pt_BR describe DKIM_ADSP_NXDOMAIN Nenhuma assinatura válida e o domínio não consta no DNS -lang pt_BR describe DKIM_ADSP_DISCARD Nenhuma assinatura válida do autor da mensagem e o domínio assina todos os emails e sugere descartar o resto -lang pt_BR describe DKIM_ADSP_ALL Nenhuma assinatura válida do autor da mensagem e o domínio assina todos os emails -lang pt_BR describe DKIM_ADSP_CUSTOM_LOW Nenhuma assinatura válida do autor da mensagem. adsp_override = CUSTOM_LOW -lang pt_BR describe DKIM_ADSP_CUSTOM_MED Nenhuma assinatura válida do autor da mensagem. adsp_override = CUSTOM_MED -lang pt_BR describe DKIM_ADSP_CUSTOM_HIGH Nenhuma assinatura válida do autor da mensagem. adsp_override = CUSTOM_HIGH -lang pt_BR describe __VIA_RESIGNER Email passou por um Mail through a popular signing remailer -lang pt_BR describe NML_ADSP_CUSTOM_LOW ADSP custom_low foi atingida, e não foi de uma mailing list -lang pt_BR describe NML_ADSP_CUSTOM_MED ADSP custom_med foi atingida, e não foi de uma mailing list -lang pt_BR describe NML_ADSP_CUSTOM_HIGH ADSP custom_high foi atingida, e não foi de uma mailing list - -# 25_pyzor.cf -lang pt_BR describe PYZOR_CHECK Listado na Pyzor (https://pyzor.readthedocs.io/en/latest/) - -# 25_razor2.cf -lang pt_BR describe RAZOR2_CHECK Listado na Razor2 (http://razor.sf.net/) -lang pt_BR describe RAZOR2_CF_RANGE_51_100 Nível de confiança na Razor2 acima de 50% - -# 25_replace.cf -lang pt_BR describe SUBJECT_FUZZY_MEDS Tentativa de esconder palavras no Subject: -lang pt_BR describe SUBJECT_FUZZY_VPILL Tentativa de esconder palavras no Subject: -lang pt_BR describe SUBJECT_FUZZY_CHEAP Tentativa de esconder palavras no Subject: -lang pt_BR describe SUBJECT_FUZZY_PENIS Tentativa de esconder palavras no Subject: -lang pt_BR describe SUBJECT_FUZZY_TION Tentativa de esconder palavras no Subject: -lang pt_BR describe FUZZY_AFFORDABLE Tentativa de esconder palavras na mensagem -#lang pt_BR describe FUZZY_AMBIEN Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_BILLION Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_CPILL Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_CREDIT Tentativa de esconder palavras na mensagem -#lang pt_BR describe FUZZY_ERECT Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_GUARANTEE Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_MEDICATION Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_MILLION Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_MONEY Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_MORTGAGE Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_OBLIGATION Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_OFFERS Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_PHARMACY Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_PHENT Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_PRESCRIPT Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_PRICES Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_REFINANCE Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_REMOVE Tentativa de esconder palavras na mensagem -#lang pt_BR describe FUZZY_ROLEX Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_SOFTWARE Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_THOUSANDS Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_VLIUM Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_VIOXX Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_VPILL Tentativa de esconder palavras na mensagem -lang pt_BR describe FUZZY_XPILL Tentativa de esconder palavras na mensagem - -# 25_spf.cf -lang pt_BR describe SPF_PASS SPF: Remetente é válido de acordo com registro SPF -lang pt_BR describe SPF_NEUTRAL SPF: Remetente não confere com registro SPF (neutral) -lang pt_BR describe SPF_FAIL SPF: Remetente não confere com registro SPF (fail) -lang pt_BR describe SPF_SOFTFAIL SPF: Remetente não confere com registro SPF (softfail) -lang pt_BR describe SPF_HELO_PASS SPF: HELO confere com registro SPF -lang pt_BR describe SPF_HELO_NEUTRAL SPF: HELO não confere com registro SPF (neutral) -lang pt_BR describe SPF_HELO_FAIL SPF: HELO não confere com registro SPF (fail) -lang pt_BR describe SPF_HELO_SOFTFAIL SPF: HELO não confere com registro SPF (softfail) - -# 25_textcat.cf -ifplugin Mail::SpamAssassin::Plugin::TextCat -lang pt_BR describe UNWANTED_LANGUAGE_BODY Mensagem está escrita em um idioma indesejado -lang pt_BR describe BODY_8BITS Body contém 8 caracteres de 8-bit consecutivos -endif - -# 25_uribl.cf -lang pt_BR describe URIBL_SBL Contém uma URL listada na blocklist SBL -lang pt_BR describe URIBL_DBL_SPAM Contém uma URL listada na blocklist DBL blocklist -lang pt_BR describe URIBL_DBL_ERROR Erro: Consultou a DBL por um IP -#lang pt_BR describe URIBL_SC_SURBL Contém uma URL listada na blocklist SC SURBL - removed bug 7279 -lang pt_BR describe URIBL_WS_SURBL Contém uma URL listada na blocklist WS SURBL -lang pt_BR describe URIBL_PH_SURBL Contém uma URL listada na blocklist PH SURBL -#lang pt_BR describe URIBL_OB_SURBL Contém uma URL listada na blocklist OB SURBL - REMOVED BUG 6853 -#lang pt_BR describe URIBL_AB_SURBL Contém uma URL listada na blocklist AB SURBL - removed bug 7279 -#Changed from JP to ABUSE per bug 7279 -lang pt_BR describe URIBL_ABUSE_SURBL Contém uma URL listada na blocklist ABUSE SURBL -lang pt_BR describe URIBL_BLACK Contém uma URL listada na blocklist URIBL -lang pt_BR describe URIBL_GREY Contém uma URL listada na greylist URIBL -lang pt_BR describe URIBL_RED Contém uma URL listada na redlist URIBL - -# 60_shortcircuit.cf -ifplugin Mail::SpamAssassin::Plugin::Shortcircuit -lang pt_BR describe SHORTCIRCUIT Nem todas as regras foram executadas por causa de um problema em uma delas -endif - -# 60_welcomelist_dkim.cf -lang pt_BR describe USER_IN_DKIM_WELCOMELIST Endereço do From: está na welcomelist de DKIM do usuário -lang pt_BR describe USER_IN_DEF_DKIM_WL Endereço do From: está na welcomelist de DKIM padrão - -# 60_welcomelist_spf.cf -lang pt_BR describe USER_IN_SPF_WELCOMELIST Endereço do From: está na welcomelist de SPF do usuário -lang pt_BR describe USER_IN_DEF_SPF_WL Endereço do From: está na welcomelist de SPF padrão -lang pt_BR describe ENV_AND_HDR_SPF_MATCH Endereço do From: confere com Envelope From e está na welcomelist de SPF - diff --git a/resources/spamassassin/50_scores.cf b/resources/spamassassin/50_scores.cf deleted file mode 100644 index 9123730d..00000000 --- a/resources/spamassassin/50_scores.cf +++ /dev/null @@ -1,1014 +0,0 @@ -# SpamAssassin score file -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### -# Default scores. Note that if a test is named in the files, but a score is -# not assigned here, the default score will be set to 1. - -# The following block of scores were generated using the mass-checking -# scripts, and a perceptron to determine the optimum scores which -# resulted in minimum false positives or negatives. The scores are -# weighted to produce roughly 1 false positive in 2500 non-spam messages -# using the default threshold of 5.0. - -# Start of generated scores. <gen:mutable> - -score ACT_NOW_CAPS 0.1 -#score ADVANCE_FEE_2 2.314 2.294 1.198 1.053 -#score ADVANCE_FEE_3 2.686 1.898 3.505 3.817 -#score ADVANCE_FEE_4 0.001 0.001 0.001 0.271 -score ALL_TRUSTED -1.000 -score APOSTROPHE_FROM 0.148 0.786 0.651 0.545 # n=2 -score BAD_CREDIT 0.1 -score BANG_GUAR 1.0 -score BANG_OPRAH 0 # n=0 n=1 n=2 n=3 -score BANKING_LAWS 2.399 2.004 2.157 1.099 # n=2 -score BILLION_DOLLARS 0.001 1.451 1.229 1.638 -score BODY_ENHANCEMENT 0.927 1.611 0.974 0.001 -score BODY_ENHANCEMENT2 0.1 -score CONFIRMED_FORGED 0 # n=0 n=1 n=2 n=3 -score CORRUPT_FROM_LINE_IN_HDRS 0 # n=0 n=1 n=2 n=3 -score CTYPE_001C_A 0 # n=0 n=1 n=2 n=3 -score CTYPE_001C_B 0.001 0.001 0.001 0.001 # n=1 -score CUM_SHOT 0 # n=0 n=1 n=2 n=3 -score CURR_PRICE 0.001 # n=0 n=1 n=2 n=3 -score DATE_SPAMWARE_Y2K 0 # n=0 n=1 n=2 n=3 -score DEAR_FRIEND 2.683 2.604 1.801 2.577 -score DEAR_SOMETHING 1.999 1.731 1.787 1.973 -score DEAR_WINNER 3.099 3.099 2.309 3.099 # n=2 -score DIET_1 0.714 0.000 0.399 0.001 -score DIGEST_MULTIPLE 0 0.001 0 0.293 # n=0 n=2 -score DOS_ANAL_SPAM_MAILER 0 # n=0 n=1 n=2 -score DOS_FIX_MY_URI 0 # n=0 n=1 n=2 n=3 -score DOS_HIGH_BAT_TO_MX 0 # n=0 n=1 n=2 -score DOS_LET_GO_JOB 0 # n=0 n=1 n=2 n=3 -score DOS_OE_TO_MX 2.602 3.086 2.265 2.523 -score DOS_OE_TO_MX_IMAGE 2.886 1.886 2.425 3.699 -score DOS_OUTLOOK_TO_MX 2.636 1.449 1.737 2.845 -score DOS_RCVD_IP_TWICE_C 2.599 2.060 3.292 0.096 -score DOS_STOCK_BAT 0.001 # n=0 n=1 n=2 n=3 -score DOS_STOCK_BAT2 0 # n=0 n=1 n=2 n=3 -score DOS_URI_ASTERISK 0 # n=0 n=1 n=2 n=3 -score DOS_YOUR_PLACE 0 # n=0 n=1 n=2 n=3 -score DRUGS_ANXIETY 0.1 -score DRUGS_ANXIETY_EREC 0 # n=0 n=1 n=2 n=3 -score DRUGS_ANXIETY_OBFU 0 # n=0 n=1 n=2 n=3 -score DRUGS_DIET 2.660 0.757 1.831 0.337 -score DRUGS_DIET_OBFU 0 # n=0 n=1 n=2 n=3 -score DRUGS_ERECTILE 1.778 2.221 1.299 1.994 -score DRUGS_ERECTILE_OBFU 1.324 1.309 2.935 1.109 -score DRUGS_HDIA 0 # n=0 n=1 n=2 n=3 -score DRUGS_MANYKINDS 2.001 1.473 0.841 0.342 -score DRUGS_MUSCLE 0.001 2.499 0.392 0.164 -score DRUGS_SLEEP_EREC 0 # n=0 n=1 n=2 n=3 -score DRUGS_SMEAR1 3.300 2.051 3.148 0.235 # n=0 -score DRUGS_STOCK_MIMEOLE 2.699 1.681 2.478 1.321 # n=2 -score DRUG_DOSAGE 0 # n=0 n=1 n=2 n=3 -score DRUG_ED_CAPS 2.799 1.023 2.516 0.936 -score DRUG_ED_GENERIC 0 # n=0 n=1 n=2 n=3 -score DRUG_ED_ONLINE 0.696 1.152 1.221 0.608 # n=0 -score DRUG_ED_SILD 0.001 -score DYN_RDNS_AND_INLINE_IMAGE 1.345 1.344 1.434 1.168 # n=2 -score DYN_RDNS_SHORT_HELO_HTML 0.001 0.001 0.000 0.001 # n=2 -score DYN_RDNS_SHORT_HELO_IMAGE 1.825 2.516 2.285 1.013 # n=2 -score EMAIL_ROT13 0 # n=0 n=1 n=2 n=3 -score EMPTY_MESSAGE 2.195 2.344 1.552 2.320 -score EM_ROLEX 0.595 1.309 2.068 0.618 # n=0 -score ENGLISH_UCE_SUBJECT 0.953 1.542 2.569 2.899 # n=0 -score EXCUSE_4 2.399 1.687 2.399 1.325 -score EXCUSE_REMOVE 2.907 2.992 3.299 3.299 -#score FAKE_HELO_MAIL_COM_DOM 1.887 0.152 1.370 2.136 -score FAKE_OUTBLAZE_RCVD 0 # n=0 n=1 n=2 n=3 -score FAKE_REPLY_C 0.688 0.001 2.553 1.486 # n=2 -score FILL_THIS_FORM_FRAUD_PHISH 1.195 0.396 0.615 0.334 -score FILL_THIS_FORM_LOAN 2.092 2.237 1.836 2.880 -score FILL_THIS_FORM_LONG 3.800 3.476 2.300 3.404 -score FIN_FREE 0.1 -score FORGED_IMS_HTML 0 # n=0 n=1 n=2 n=3 -score FORGED_IMS_TAGS 0 # n=0 n=1 n=2 n=3 -score FORGED_MSGID_AOL 0 # n=0 n=1 n=2 n=3 -score FORGED_MSGID_EXCITE 2.399 1.899 1.649 0.528 # n=0 -score FORGED_MSGID_HOTMAIL 0 # n=0 n=1 n=2 n=3 -score FORGED_MSGID_MSN 0 # n=0 n=1 n=2 n=3 -score FORGED_MSGID_YAHOO 0.1 -score FORGED_MUA_EUDORA 2.828 2.510 1.962 0.001 -score FORGED_MUA_IMS 2.399 2.399 2.399 1.943 -score FORGED_MUA_MOZILLA 2.399 1.596 2.399 2.309 -score FORGED_MUA_OIMO 2.600 2.599 2.599 2.599 -score FORGED_MUA_OUTLOOK 3.999 2.785 2.500 1.927 -score FORGED_MUA_THEBAT_BOUN 3.046 3.220 3.207 3.399 -score FORGED_MUA_THEBAT_CS 0 # n=0 n=1 n=2 n=3 -score FORGED_OUTLOOK_HTML 0.001 0.001 0.001 0.021 -score FORGED_OUTLOOK_TAGS 0.003 0.565 0.001 0.052 -score FORGED_QUALCOMM_TAGS 0 # n=0 n=1 n=2 n=3 -score FORGED_TELESP_RCVD 2.499 2.499 2.499 1.841 # n=0 -score FORGED_THEBAT_HTML 0 # n=0 n=1 n=2 n=3 -score FORWARD_LOOKING 0 # n=0 n=1 n=2 n=3 -score FRAGMENTED_MESSAGE 0 # n=0 n=1 n=2 - -#FREEMAIL SCORES - Scores lowered per bug 6744 -score FREEMAIL_FORGED_REPLYTO 1.199 2.503 1.204 2.095 -score FREEMAIL_REPLY 1.0 -score FREEMAIL_REPLYTO 1.0 -score FREEMAIL_REPLYTO_END_DIGIT 0.25 -score FREEMAIL_ENVFROM_END_DIGIT 0.25 -score FREEMAIL_FROM 0.001 - -score FREE_PORN 0 # n=0 n=1 n=2 n=3 -score FREE_QUOTE_INSTANT 2.700 2.699 2.699 1.297 # n=2 -score FROM_BLANK_NAME 2.099 2.099 2.099 0.723 -score FROM_DOMAIN_NOVOWEL 0.500 -score FROM_EXCESS_BASE64 0.001 -score FROM_LOCAL_DIGITS 0.001 -score FROM_LOCAL_HEX 0.000 0.331 0.001 0.006 -score FROM_LOCAL_NOVOWEL 0.500 -score FROM_NO_USER 0.001 2.599 0.019 0.798 -#score FROM_OFFERS 2.699 2.699 2.510 2.699 # defer to nightly GA rescorer per bug 6580 -score FROM_STARTS_WITH_NUMS 2.801 0.553 1.201 0.738 -score FSL_FAKE_HOTMAIL_RVCD 2.631 1.816 2.011 2.365 -score FSL_HELO_BARE_IP_1 2.598 1.426 3.099 2.347 -score FSL_HELO_DEVICE 0.1 -score FSL_HELO_NON_FQDN_1 2.361 0.001 1.783 0.001 -score FSL_HELO_SETUP 0 # n=0 n=1 n=2 -score FSL_INTERIA_ABUSE 3.899 2.664 3.080 3.106 -score GAPPY_SUBJECT 0.1 -score GEO_QUERY_STRING 0 # n=0 n=1 n=2 n=3 -score GUARANTEED_100_PERCENT 2.699 2.699 2.480 2.699 -score HDR_ORDER_FTSDMCXX_001C 0 # n=0 n=1 n=2 n=3 -score HDR_ORDER_FTSDMCXX_BAT 0 # n=0 n=1 n=2 n=3 -score HEADER_SPAM 2.499 2.499 1.994 0.585 -score HEAD_LONG 0 # n=0 n=1 n=2 -score HELO_DYNAMIC_CHELLO_NL 2.412 1.918 2.019 2.428 -score HELO_DYNAMIC_DHCP 2.602 0.841 1.537 0.206 -score HELO_DYNAMIC_DIALIN 2.629 3.233 2.186 1.366 -score HELO_DYNAMIC_HCC 4.299 2.514 2.931 2.762 -score HELO_DYNAMIC_HEXIP 2.321 0.511 1.773 1.789 -score HELO_DYNAMIC_HOME_NL 2.385 1.530 1.024 1.459 -score HELO_DYNAMIC_IPADDR 2.633 3.243 3.680 1.951 -score HELO_DYNAMIC_IPADDR2 2.815 3.888 3.728 3.607 -score HELO_DYNAMIC_ROGERS 0 # n=0 n=1 n=2 n=3 -score HELO_DYNAMIC_SPLIT_IP 3.031 2.893 4.225 3.482 -score HELO_FRIEND 0 # n=0 n=1 n=2 n=3 -score HELO_LH_HOME 0.001 2.023 0.537 1.736 # n=2 -score HELO_LH_LD 0 # n=0 n=1 n=2 n=3 -score HELO_LOCALHOST 2.639 3.603 2.915 3.828 # n=2 -score HELO_OEM 2.899 2.899 1.234 0.270 # n=2 -score HIDE_WIN_STATUS 0.001 -score HIGH_CODEPAGE_URI 0 # n=0 n=1 n=2 -# score HK_LOTTO 3.599 2.755 2.993 3.599 # Allow GA manage score -score HK_NAME_DRUGS 4.299 0.001 3.077 0.552 -# score HK_RANDOM_ENVFROM 2.638 0.626 1.798 0.001 # Allow GA manage score -score HTML_MIME_NO_HTML_TAG 0.001 0.635 0.001 0.377 -score HTML_MISSING_CTYPE 0 # n=0 n=1 n=2 n=3 -score HTML_SHORT_CENTER 3.799 3.421 2.611 0.743 -score HTML_SHORT_LINK_IMG_1 2.215 0.139 0.480 0.001 -score HTML_SHORT_LINK_IMG_2 1.419 0.259 0.603 0.001 -score HTML_SHORT_LINK_IMG_3 0.691 0.328 0.001 0.148 -score HTML_TITLE_SUBJ_DIFF 1.149 2.171 1.801 2.036 -score HTTP_77 0 # n=0 n=1 n=2 n=3 -score HTTP_ESCAPED_HOST 0.1 -score HTTP_EXCESSIVE_ESCAPES 0.001 -score IMPOTENCE 1.539 2.144 3.028 1.374 -score INVALID_DATE 1.701 0.432 1.200 1.096 -score INVALID_DATE_TZ_ABSURD 0.262 0.632 0.706 0.491 -score INVALID_MSGID 2.602 1.167 1.328 0.568 -score INVALID_TZ_CST 0 # n=0 n=1 n=2 n=3 -score INVALID_TZ_EST 0 # n=0 n=1 n=2 n=3 -score INVESTMENT_ADVICE 0.1 -score IP_LINK_PLUS 0.001 0.001 0.246 0.012 -score JAPANESE_UCE_BODY 0 # n=0 n=1 n=2 n=3 -score JAPANESE_UCE_SUBJECT 0 # n=0 n=1 n=2 n=3 -score JM_I_FEEL_LUCKY 0 # n=0 n=1 n=2 -score JM_RCVD_QMAILV1 0 # n=0 n=1 n=2 n=3 -score JM_TORA_XM 0 # n=0 n=1 n=2 n=3 -score JOIN_MILLIONS 0.1 -score JS_FROMCHARCODE 0 # n=0 n=1 n=2 n=3 -score KB_DATE_CONTAINS_TAB 3.800 3.799 3.799 2.751 -score KB_FAKED_THE_BAT 2.432 3.441 2.008 2.694 -score KB_RATWARE_MSGID 4.099 2.987 2.108 1.700 -score KB_RATWARE_OUTLOOK_MID 4.400 4.400 2.503 1.499 -score KOREAN_UCE_SUBJECT 0 # n=0 n=1 n=2 n=3 -score LIVEFILESTORE 0.1 -score LIVE_PORN 0 # n=0 n=1 n=2 n=3 -score LONGWORDS 2.199 1.844 1.819 2.035 -score LONG_TERM_PRICE 0.001 # n=0 n=1 n=2 n=3 -score LOOPHOLE_1 0 # n=0 n=1 n=2 n=3 -score LOTTERY_1 0.001 1.488 1.630 0.087 # n=2 -score LOTTERY_PH_004470 0.1 -score LOW_PRICE 0.1 -score L_SPAM_TOOL_13 0.539 0.485 0.494 1.333 # n=2 -score MALE_ENHANCE 3.100 3.099 3.099 0.851 -score MARKETING_PARTNERS 0.553 0.235 0.689 0.001 -score MID_DEGREES 0 # n=0 n=1 n=2 n=3 -#score MILLION_USD 3.799 2.477 3.221 3.247 -score MIME_BOUND_DD_DIGITS 3.016 0.349 2.417 1.373 -score MIME_BOUND_DIGITS_15 0.1 -score MIME_BOUND_EQ_REL 0 # n=0 n=1 n=2 n=3 -score MIME_BOUND_MANY_HEX 0 # n=0 n=1 n=2 n=3 -score MIME_HEADER_CTYPE_ONLY 0.1 -score MIME_HTML_ONLY_MULTI 0.000 0.001 0.001 0.001 -score MIME_PHP_NO_TEXT 2.800 2.799 2.799 2.799 -score MISSING_DATE 2.739 1.396 1.800 1.360 # n=0 -score MISSING_HB_SEP 0 # n=0 n=1 n=2 -score MISSING_MID 0.552 0.140 1.199 0.497 # n=1 -score MISSING_MIMEOLE 0.392 1.843 0.571 1.899 -score MISSING_SUBJECT 0.001 1.767 1.300 1.799 -score MONEY_BACK 2.910 2.486 0.601 1.232 -score MORE_SEX 2.799 2.765 2.568 1.413 -score MSGID_DOLLARS_RANDOM 0 # n=0 n=1 n=2 n=3 -score MSGID_FROM_MTA_HEADER 0.401 0.001 0.473 0.001 -score MSGID_RANDY 2.196 2.599 2.599 2.599 -score MSGID_SHORT 0.001 0.337 0.001 0.001 -score MSGID_SPAM_CAPS 2.366 1.997 3.099 3.099 -score MSGID_SPAM_LETTERS 0 # n=0 n=1 n=2 n=3 -score MSGID_YAHOO_CAPS 0.797 1.413 2.278 1.411 -score MSOE_MID_WRONG_CASE 0.993 3.373 0.960 2.584 # n=2 -score MULTI_FORGED 0 # n=0 n=1 n=2 n=3 -#score NA_DOLLARS 3.599 -score NONEXISTENT_CHARSET 0 # n=0 n=1 n=2 n=3 -score NORMAL_HTTP_TO_IP 0.159 0.001 0.795 0.001 -score NOT_ADVISOR 0 # n=0 n=1 n=2 n=3 -score NO_MEDICAL 2.199 1.254 2.199 1.773 # n=0 -score NO_PRESCRIPTION 1.915 1.102 2.280 2.399 -score NULL_IN_BODY 0.511 0.498 2.056 1.596 # n=2 -score NUMERIC_HTTP_ADDR 0.000 0.001 0.001 1.242 -score OBFUSCATING_COMMENT 0.000 0.000 0.001 0.723 -score OBSCURED_EMAIL 0 # n=0 n=1 n=2 n=3 -score ONE_TIME 1.840 1.175 1.830 0.714 # n=0 -score ONLINE_PHARMACY 0.843 2.371 0.008 0.650 -score PERCENT_RANDOM 2.999 2.837 2.983 1.838 -score PLING_QUERY 0.1 -score PREST_NON_ACCREDITED 0 # n=0 n=1 n=2 n=3 -score PREVENT_NONDELIVERY 0 # n=0 n=1 n=2 n=3 -score PRICES_ARE_AFFORDABLE 0.794 0.851 1.112 0.551 -score RATWARE_EGROUPS 1.898 1.258 1.406 1.621 -score RATWARE_HASH_DASH 0 # n=0 n=1 n=2 n=3 -score RATWARE_MOZ_MALFORMED 0 # n=0 n=1 n=2 n=3 -score RATWARE_MPOP_WEBMAIL 1.153 1.338 1.229 1.999 # n=0 -# jhardin 05/2021 -# masscheck corpora thin or nonexistent, real world FPs reported - exposing to ruleqa for eval -#score RATWARE_MS_HASH 2.036 3.692 0.454 2.148 -score RATWARE_OE_MALFORMED 0 # n=0 n=1 n=2 n=3 -# jhardin 05/2021 -# masscheck corpora thin or nonexistent, real world FPs reported - exposing to ruleqa for eval -#score RATWARE_OUTLOOK_NONAME 2.964 0.033 2.685 2.950 -score RATWARE_RCVD_AT 0 # n=0 n=1 n=2 n=3 -score RATWARE_RCVD_PF 0 # n=0 n=1 n=2 n=3 -score RATWARE_ZERO_TZ 2.392 2.535 0.265 1.781 # n=0 -score RCVD_AM_PM 0 # n=0 n=1 n=2 n=3 -score RCVD_BAD_ID 0 # n=0 n=1 n=2 n=3 -score RCVD_DOUBLE_IP_LOOSE 1.150 0.960 1.042 1.012 -score RCVD_DOUBLE_IP_SPAM 2.411 2.777 1.912 1.808 -score RCVD_FAKE_HELO_DOTCOM 2.799 2.389 2.605 1.189 -score RCVD_FORGED_WROTE 0 # n=0 n=1 n=2 n=3 -score RCVD_FORGED_WROTE2 0 # n=0 n=1 n=2 n=3 -#score RCVD_IN_BRBL_LASTEXT 0 1.644 0 1.449 # n=0 n=2 -score RCVD_IN_PSBL 0 2.700 0 2.700 # n=0 n=2 -score RCVD_IN_VALIDITY_RPBL 0 1.284 0 1.310 # n=0 n=2 -score RCVD_MAIL_COM 0 # n=0 n=1 n=2 n=3 -score RDNS_DYNAMIC 2.639 0.363 1.663 0.982 -score RDNS_LOCALHOST 3.700 0.969 2.345 0.001 -score RDNS_NONE 2.399 1.274 1.228 0.793 -score REFINANCE_NOW 0 # n=0 n=1 n=2 n=3 -score REFINANCE_YOUR_HOME 0 # n=0 n=1 n=2 n=3 -score REMOVE_BEFORE_LINK 0.1 -score REPLICA_WATCH 3.487 3.164 4.074 3.775 -score REPLYTO_WITHOUT_TO_CC 2.399 1.946 0.607 1.552 -score REPTO_QUOTE_AOL 0 # n=0 n=1 n=2 n=3 -score REPTO_QUOTE_IMS 0 # n=0 n=1 n=2 n=3 -score REPTO_QUOTE_MSN 0 # n=0 n=1 n=2 n=3 -score REPTO_QUOTE_QUALCOMM 0 # n=0 n=1 n=2 n=3 -score REPTO_QUOTE_YAHOO 0.001 0.490 0.001 0.646 -score RUDE_HTML 0 # n=0 n=1 n=2 n=3 -score SB_GIF_AND_NO_URIS 2.199 2.199 2.200 2.199 # n=2 -score SHORT_HELO_AND_INLINE_IMAGE 0.1 -score SHORT_TERM_PRICE 0.001 # n=0 n=1 n=2 n=3 -score SPAMMY_XMAILER 2.650 0.862 1.993 2.491 # n=2 -score SPOOF_COM2COM 0.001 -score SPOOF_COM2OTH 0.001 -score SPOOF_NET2COM 0 # n=0 n=1 n=2 n=3 -score STOCK_ALERT 0 # n=0 n=1 n=2 n=3 -score STOCK_IMG_CTYPE 0.001 0.005 0.001 0.001 # n=2 -score STOCK_IMG_HDR_FROM 0.001 0.001 0.001 0.021 # n=2 -score STOCK_IMG_HTML 0.000 0.028 0.000 0.005 # n=2 -score STOCK_IMG_OUTLOOK 0.001 0.702 0.413 0.190 # n=2 -score STOCK_PRICES 0 # n=0 n=1 n=2 n=3 -score STOX_AND_PRICE 0 # n=0 n=1 n=2 n=3 -score STOX_REPLY_TYPE 1.898 0.212 0.141 0.439 # n=1 -score STOX_REPLY_TYPE_WITHOUT_QUOTES 3.099 1.860 1.629 1.757 -score STRONG_BUY 0 # n=0 n=1 n=2 n=3 -score SUBJECT_DIET 1.927 1.563 0.817 1.466 -score SUBJECT_DRUG_GAP_C 2.108 0.989 1.348 2.140 -score SUBJECT_DRUG_GAP_L 2.799 2.304 1.402 1.561 -score SUBJECT_DRUG_GAP_S 0 # n=0 n=1 n=2 n=3 -#score SUBJECT_DRUG_GAP_VA 0 # n=0 n=1 n=2 n=3 -score SUBJECT_DRUG_GAP_X 0 # n=0 n=1 n=2 n=3 -score SUBJECT_NEEDS_ENCODING 0.498 0.100 0.804 0.049 # n=2 -score SUBJECT_SEXUAL 0 # n=0 n=1 n=2 n=3 -score SUBJ_AS_SEEN 2.711 3.099 3.099 1.461 # n=0 -score SUBJ_BUY 0.594 1.498 0.001 0.639 -score SUBJ_DOLLARS 0.1 -#score SUBJ_YOUR_DEBT 3.299 3.045 1.199 0.987 -score SUBJ_YOUR_FAMILY 2.910 2.999 2.999 2.999 -score TBIRD_SUSP_MIME_BDRY 2.400 2.400 2.399 2.399 -score THEBAT_UNREG 2.599 1.843 2.324 1.524 -score TO_MALFORMED 0.1 -score TRACKER_ID 0.1 -score TT_MSGID_TRUNC 0.748 0.023 1.434 1.448 # n=2 -score TT_OBSCURED_VALIUM 0 # n=0 n=1 n=2 n=3 -score TT_OBSCURED_VIAGRA 0 # n=0 n=1 n=2 n=3 -score TVD_ACT_193 0 # n=0 n=1 n=2 n=3 -score TVD_DEAR_HOMEOWNER 0 # n=0 n=1 n=2 n=3 -score TVD_EB_PHISH 0 # n=0 n=1 n=2 n=3 -score TVD_ENVFROM_APOST 0 # n=0 n=1 n=2 n=3 -score TVD_FINGER_02 0.001 -score TVD_FLOAT_GENERAL 0 # n=0 n=1 n=2 n=3 -score TVD_INCREASE_SIZE 1.529 0.601 1.055 0.001 # n=1 -score TVD_LINK_SAVE 0 # n=0 n=1 n=2 n=3 -score TVD_PH_BODY_ACCOUNTS_PRE 0.001 #changed to 0.001 due to .211 S/O on 2015-05-01 but left due to Meta Use - #1.201 1.527 1.327 2.393 # n=1 -score TVD_PH_REC 0.1 -score TVD_PH_SEC 0.1 -score TVD_PP_PHISH 0 # n=0 n=1 n=2 n=3 -score TVD_QUAL_MEDS 2.697 2.397 2.799 2.483 # n=2 -score TVD_RATWARE_CB 0 # n=0 n=1 n=2 n=3 -score TVD_RATWARE_CB_2 0 # n=0 n=1 n=2 n=3 -score TVD_RATWARE_MSGID_02 0 # n=0 n=1 n=2 n=3 -#score TVD_RCVD_SPACE_BRACKET 0.001 0.001 0.001 0.001 # n=1 -score TVD_SECTION 0 # n=0 n=1 n=2 n=3 -score TVD_SILLY_URI_OBFU 0 # n=0 n=1 n=2 n=3 -score TVD_SPACED_SUBJECT_WORD3 0 # n=0 n=1 n=2 n=3 -score TVD_SUBJ_ACC_NUM 0.1 -score TVD_SUBJ_FINGER_03 0 # n=0 n=1 n=2 n=3 -score TVD_SUBJ_OWE 0 # n=0 n=1 n=2 n=3 -score TVD_SUBJ_WIPE_DEBT 2.599 2.291 2.599 1.004 # n=2 -score TVD_VISIT_PHARMA 1.957 1.196 0.417 1.406 # n=2 -score TVD_VIS_HIDDEN 0 # n=0 n=1 n=2 n=3 -score UNCLAIMED_MONEY 2.699 2.699 2.699 2.427 -score UNCLOSED_BRACKET 2.699 1.329 1.425 1.496 -score UPPERCASE_50_75 0.001 0.791 0.001 0.008 -score UPPERCASE_75_100 1.480 1.189 0.001 0.001 -score URG_BIZ 1.750 0.941 0.568 0.573 -score URI_NOVOWEL 0.500 -#score URI_NO_WWW_BIZ_CGI 2.399 2.399 2.400 2.399 # n=0 -#score URI_NO_WWW_INFO_CGI 2.299 2.299 0.292 2.071 -#score URI_OBFU_WWW 3.099 3.099 2.306 2.475 -score URI_UNSUBSCRIBE 0 # n=0 n=1 n=2 n=3 -#score US_DOLLARS_3 2.599 2.523 1.780 1.754 -score VIA_GAP_GRA 0 # n=0 n=1 n=2 n=3 -score WEIRD_PORT 0.001 0.001 0.097 0.001 -score WEIRD_QUOTING 0.001 0.001 0.001 0.001 -score WITH_LC_SMTP 0 # n=0 n=1 n=2 n=3 -score X_IP 0.001 0.001 0.001 0.001 -score X_MAILER_CME_6543_MSN 2.886 2.004 3.002 3.348 -score X_MESSAGE_INFO 0 # n=0 n=1 n=2 n=3 -score X_PRIORITY_CC 0 # n=0 n=1 n=2 n=3 -score YAHOO_DRS_REDIR 0 # n=0 n=1 n=2 n=3 -score YAHOO_RD_REDIR 0 # n=0 n=1 n=2 n=3 - -# End of generated scores. </gen:mutable> - - -# Bug 5700 - performing terribly 6/2019 -#score URI_HEX 2.800 1.313 1.206 1.122 -score URI_HEX 0.1 - -# Bug 6022, settle at informative score -score TVD_RCVD_IP 0.001 -score TVD_RCVD_IP4 0.001 -# Bug 6280, 5690, settle at informative score -score BAD_ENC_HEADER 0.001 - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::Shortcircuit -score SHORTCIRCUIT 0 -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::AccessDB -score ACCESSDB 0 -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::BodyEval -# <gen:mutable> -score BLANK_LINES_80_90 0 # n=0 n=1 n=2 n=3 -score MPART_ALT_DIFF 2.246 0.724 0.595 0.790 -score MPART_ALT_DIFF_COUNT 2.799 1.483 1.199 1.112 -score TVD_STOCK1 0 # n=0 n=1 n=2 n=3 -# </gen:mutable> -score TVD_SPACE_RATIO 0.001 -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval -# <gen:mutable> -score HTML_COMMENT_SAVED_URL 0.198 0.357 0.899 1.391 -score HTML_COMMENT_SHORT 0 # n=0 n=1 n=2 n=3 -score HTML_EMBEDS 0.001 -score HTML_EXTRA_CLOSE 0.001 -score HTML_FONT_FACE_BAD 0.001 -score HTML_FONT_LOW_CONTRAST 0.713 0.001 0.786 0.001 -score HTML_FONT_SIZE_HUGE 0.001 -score HTML_FONT_SIZE_LARGE 0.001 -score HTML_FORMACTION_MAILTO 0 # n=0 n=1 n=2 n=3 -score HTML_IFRAME_SRC 0 # n=0 n=1 n=2 n=3 -score HTML_IMAGE_ONLY_04 1.680 0.342 1.799 1.172 -score HTML_IMAGE_ONLY_08 0.585 1.781 1.845 1.651 -score HTML_IMAGE_ONLY_12 1.381 1.629 1.400 2.059 -score HTML_IMAGE_ONLY_16 1.969 1.048 1.199 1.092 -score HTML_IMAGE_ONLY_20 2.109 0.700 1.300 1.546 -score HTML_IMAGE_ONLY_24 2.799 1.282 1.328 1.618 -score HTML_IMAGE_ONLY_28 2.799 0.726 1.512 1.404 -score HTML_IMAGE_ONLY_32 2.196 0.001 1.172 0.001 -score HTML_IMAGE_RATIO_02 0.001 -score HTML_IMAGE_RATIO_04 0.001 -score HTML_IMAGE_RATIO_06 0.001 0.001 0.001 0.001 -score HTML_IMAGE_RATIO_08 0.001 0.001 0.001 0.001 -score HTML_OBFUSCATE_05_10 0.601 0.001 0.718 0.260 -score HTML_OBFUSCATE_10_20 0.174 1.162 0.588 0.093 -score HTML_OBFUSCATE_20_30 2.499 2.441 1.449 1.999 -score HTML_OBFUSCATE_30_40 0 # n=0 n=1 n=2 n=3 -score HTML_OBFUSCATE_50_60 0 # n=0 n=1 n=2 n=3 -score HTML_OBFUSCATE_70_80 0 # n=0 n=1 n=2 n=3 -score HTML_OBFUSCATE_90_100 2.000 # n=0 n=1 n=2 n=3 - manually scored per list discussion -score HTML_BADTAG_40_50 0 # n=0 n=1 n=2 n=3 -score HTML_BADTAG_50_60 0 # n=0 n=1 n=2 n=3 -score HTML_BADTAG_60_70 0 # n=0 n=1 n=2 n=3 -score HTML_BADTAG_90_100 0 # n=0 n=1 n=2 n=3 -score HTML_NONELEMENT_30_40 0.000 0.001 0.308 0.001 -score HTML_NONELEMENT_40_50 0 # n=0 n=1 n=2 n=3 -score HTML_NONELEMENT_60_70 0 # n=0 n=1 n=2 n=3 -score HTML_NONELEMENT_80_90 0 # n=0 n=1 n=2 n=3 -score HTML_TAG_BALANCE_BODY 0.1 -score HTML_TAG_BALANCE_HEAD 0.520 0.000 0.600 0.817 -score HTML_TAG_EXIST_BGSOUND 0 # n=0 n=1 n=2 n=3 -# </gen:mutable> - -# HTML control test -score HTML_MESSAGE 0.001 - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -# <gen:mutable> -score RCVD_IN_BL_SPAMCOP_NET 0 1.246 0 1.347 # n=0 n=2 -score RCVD_IN_IADB_DK 0 -0.223 0 -0.095 # n=0 n=1 n=2 -score RCVD_IN_IADB_DOPTIN_GT50 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_DOPTIN_LT50 0 -0.001 0 -0.001 # n=0 n=1 n=2 -score RCVD_IN_IADB_EDDB 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_EPIA 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_GOODMAIL 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_LISTED 0 -0.380 0 -0.001 # n=0 n=2 -score RCVD_IN_IADB_LOOSE 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_MI_CPEAR 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_MI_CPR_30 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_MI_CPR_MAT 0 -0.332 0 -0.000 # n=0 n=1 n=2 -score RCVD_IN_IADB_NOCONTROL 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_OOO 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_OPTIN 0 -2.057 0 -1.470 # n=0 n=1 n=2 -score RCVD_IN_IADB_OPTIN_GT50 0 -1.208 0 -0.007 # n=0 n=2 -score RCVD_IN_IADB_OPTIN_LT50 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_OPTOUTONLY 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_RDNS 0 -0.167 0 -0.235 # n=0 n=1 n=2 -score RCVD_IN_IADB_SENDERID 0 -0.001 0 -0.001 # n=0 n=2 -score RCVD_IN_IADB_SPF 0 -0.001 0 -0.059 # n=0 n=2 -score RCVD_IN_IADB_UNVERIFIED_1 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_UNVERIFIED_2 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_UT_CPEAR 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_UT_CPR_30 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_IADB_UT_CPR_MAT 0 -0.095 0 -0.001 # n=0 n=1 n=2 -score RCVD_IN_SBL 0 2.596 0 0.141 # n=0 n=2 -score RCVD_IN_SORBS_BLOCK 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2 -score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2 -score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2 -#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5 -score RCVD_IN_SORBS_WEB 0 1.5 0 1.5 -score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_XBL 0 0.724 0 0.375 # n=0 n=2 -score RCVD_IN_PBL 0 3.558 0 3.335 # n=0 n=2 -score RCVD_IN_SBL_CSS 0 3.558 0 3.335 # n=0 n=2 - -score NO_DNS_FOR_FROM 0 0.379 0 0.001 # n=0 n=2 -# </gen:mutable> - -score RCVD_IN_ZEN_BLOCKED_OPENDNS 0 0.001 0 0.001 -score RCVD_IN_ZEN_BLOCKED 0 0.001 0 0.001 - -# Validity (née ReturnPath) Certified -# https://www.validity.com/resource-center/fact-sheet-certification/ -# CERTIFIED is a subset of SAFE, thus the score is cumulative. -# -2 + -3 = -5 points for CERTIFIED -score RCVD_IN_VALIDITY_CERTIFIED 0.0 -3.0 0.0 -3.0 -score RCVD_IN_VALIDITY_SAFE 0.0 -2.0 0.0 -2.0 - -# DNSWL is a commercial service that requires payment for servers over 100K queries daily. -# Unfortunately, they will return true answers for DNS servers they consider abusive so -# SA Admins must enable these rules manually. -# -score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001 -score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7 -score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3 -score RCVD_IN_DNSWL_HI 0 -5 0 -5 -score RCVD_IN_DNSWL_BLOCKED 0 0.001 0 0.001 - -# IADB -score RCVD_IN_IADB_VOUCHED 0 -2.2 0 -2.2 -score RCVD_IN_IADB_DOPTIN 0 -4 0 -4 -score RCVD_IN_IADB_ML_DOPTIN 0 -6 0 -6 - -# MAPS -# MAPS is a commercial service. If you pay for these, assign a score -# so they will be checked. -score RCVD_IN_MAPS_RBL 0 -score RCVD_IN_MAPS_DUL 0 -score RCVD_IN_MAPS_RSS 0 -score RCVD_IN_MAPS_OPS 0 -score RCVD_IN_MAPS_NML 0 - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval -# <gen:mutable> -score DATE_IN_FUTURE_03_06 3.399 2.426 2.997 3.027 -score DATE_IN_FUTURE_06_12 2.899 0.001 2.222 1.947 -score DATE_IN_FUTURE_12_24 2.603 2.489 3.199 3.199 -score DATE_IN_FUTURE_24_48 2.598 1.248 0.001 2.048 -score DATE_IN_FUTURE_48_96 2.384 0.813 1.078 2.181 -#score DATE_IN_FUTURE_96_XX 2.614 3.028 2.851 3.087 -score DATE_IN_FUTURE_96_XX 0 -score DATE_IN_PAST_03_06 2.399 1.076 1.200 1.592 -score DATE_IN_PAST_06_12 1.699 1.103 1.274 1.543 -score DATE_IN_PAST_12_24 0.001 0.804 1.190 1.049 -score DATE_IN_PAST_24_48 1.109 0.485 0.624 1.340 -score DATE_IN_PAST_96_XX 2.600 2.070 1.233 3.405 -score FORGED_HOTMAIL_RCVD2 0.001 1.187 0.698 0.874 -score FORGED_YAHOO_RCVD 2.397 1.022 2.599 1.630 -score FROM_ILLEGAL_CHARS 2.192 2.059 0.240 0.036 -score HEADER_COUNT_CTYPE 0 # n=0 n=1 n=2 n=3 -score HEADER_COUNT_SUBJECT 0 # n=0 n=1 n=2 n=3 -score HEAD_ILLEGAL_CHARS 0 # n=0 n=1 n=2 n=3 -score LOCALPART_IN_SUBJECT 0.001 0.730 1.199 1.107 -score MISSING_HEADERS 0.915 1.207 1.204 1.021 -score MSGID_OUTLOOK_INVALID 3.899 -score RATWARE_EFROM 0.1 -score RATWARE_NAME_ID 3.099 0.309 3.099 0.247 # n=0 -score SORTED_RECIPS 1.801 2.474 1.791 2.499 -score SUBJ_ALL_CAPS 0.5 -score SUBJ_ILLEGAL_CHARS 0.620 1.105 0.448 1.518 -score SUSPICIOUS_RECIPS 2.499 2.497 2.139 2.510 -score UNRESOLVED_TEMPLATE 3.035 0.716 2.424 1.252 -# </gen:mutable> - -# ok_locales -score CHARSET_FARAWAY_HEADER 3.200 - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::ImageInfo -# <gen:mutable> -score DC_GIF_UNO_LARGO 0.001 1.323 0.053 2.176 # n=2 -score DC_IMAGE_SPAM_HTML 0.1 -score DC_IMAGE_SPAM_TEXT 0.1 -score DC_PNG_UNO_LARGO 0.001 # n=0 n=1 n=2 n=3 -# </gen:mutable> - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval -# <gen:mutable> -score BASE64_LENGTH_78_79 0.1 -score BASE64_LENGTH_79_INF 1.379 2.019 0.583 1.502 # n=2 -score MIME_BAD_ISO_CHARSET 0 # n=0 n=1 n=2 n=3 -#score MIME_BASE64_BLANKS 0.001 0.001 0.001 0.001 -score MIME_BASE64_TEXT 0.001 0.001 0.001 1.741 -score MIME_HTML_MOSTLY 0.1 -score MIME_HTML_ONLY 0.1 -score MISSING_MIME_HB_SEP 0.001 0.001 0.001 0.001 -score MULTIPART_ALT_NON_TEXT 0 # n=0 n=1 n=2 n=3 -# </gen:mutable> -score MIME_QP_LONG_LINE 0.001 -score MIMEPART_LIMIT_EXCEEDED 0.001 - -# ok_locales -score CHARSET_FARAWAY 3.200 - -# we dare you -# score HEAD_LONG 2.5 -# score MISSING_HB_SEP 2.5 - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::RelayEval -# <gen:mutable> -score NO_RDNS_DOTCOM_HELO 3.100 0.433 3.099 0.823 -score RCVD_HELO_IP_MISMATCH 1.680 1.186 2.362 2.368 -# score RCVD_ILLEGAL_IP 3.399 -score RCVD_ILLEGAL_IP 1.3 -score RCVD_NUMERIC_HELO 0.001 0.865 0.001 1.164 -# </gen:mutable> - -# Informational rules about Received header parsing -score NO_RELAYS -0.001 -score UNPARSEABLE_RELAY 0.001 -score HELO_STATIC_HOST -0.001 - -# immutable (due to tflags userconf), see bug 5544 -# score ALL_TRUSTED -1.360 -1.440 -1.665 -1.800 - -endif - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::URIEval -# <gen:mutable> -score HTTPS_IP_MISMATCH 0 # n=0 n=1 n=2 n=3 -# </gen:mutable> -score URI_TRUNCATED 0.001 -endif - -########################################################################### - -# Scores for tests that are scored manually or with isolated rescore runs. -# Most are net tests, userconf tests, tests occuring with very low frequency, -# or tests with many false positives. - -# GTUBE - Generic Test for Unsolicited Bulk Email -score GTUBE 1000.000 - -# we dare you -# score FRAGMENTED_MESSAGE 2.5 -# score HIGH_CODEPAGE_URI 2.5 - -# make the Bayes scores unmutable (as discussed in bug 4505) -ifplugin Mail::SpamAssassin::Plugin::Bayes -score BAYES_00 0 0 -1.5 -1.9 -score BAYES_05 0 0 -0.3 -0.5 -score BAYES_20 0 0 -0.001 -0.001 -score BAYES_40 0 0 -0.001 -0.001 -score BAYES_50 0 0 2.0 0.8 -score BAYES_60 0 0 2.5 1.5 -score BAYES_80 0 0 2.7 2.0 -score BAYES_95 0 0 3.2 3.0 -score BAYES_99 0 0 3.8 3.5 -score BAYES_999 0 0 0.2 0.2 -endif - -# Informational rules about Received header parsing -score NO_RECEIVED -0.001 - -# Informational rule, URI parsing encountered an overlong URI - -# Informational rule, typically means corrupt corpus/input -score NO_HEADERS_MESSAGE 0.001 - -# ok_locales -score HTML_CHARSET_FARAWAY 0.500 -score MIME_CHARSET_FARAWAY 2.450 - -# rescore never changes the welcomelist/blocklist scores -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -#score USER_IN_BLOCKLIST 100.000 - Moved to 60_welcomelist.cf -#score USER_IN_WELCOMELIST -100.000 - Moved to 60_welcomelist.cf -#score USER_IN_DEF_WELCOMELIST -15.000 - Moved to 60_welcomelist.cf -#score USER_IN_BLOCKLIST_TO 10.000 - Moved to 60_welcomelist.cf -#score URI_HOST_IN_BLOCKLIST 100.0 - Moved to 60_welcomelist.cf -#score URI_HOST_IN_WELCOMELIST -100.0 - Moved to 60_welcomelist.cf -#Removed in bug 7256 -#score HEADER_HOST_IN_BLOCKLIST 100.0 -#score HEADER_HOST_IN_WELCOMELIST -100.0 - -# not really false positives but the user wants spam! -#score USER_IN_WELCOMELIST_TO -6.000 - Moved to 60_welcomelist.cf -score USER_IN_MORE_SPAM_TO -20.000 -score USER_IN_ALL_SPAM_TO -100.000 -endif - -ifplugin Mail::SpamAssassin::Plugin::SPF -score USER_IN_SPF_WELCOMELIST -100 # overridden in 60_welcomelist_spf.cf -score USER_IN_SPF_WHITELIST -100 # overridden in 60_welcomelist_spf.cf -score USER_IN_DEF_SPF_WL -7.500 -score ENV_AND_HDR_SPF_MATCH -0.5 -endif # Mail::SpamAssassin::Plugin::SPF - -# DKIM -ifplugin Mail::SpamAssassin::Plugin::DKIM -score USER_IN_DKIM_WELCOMELIST -100 # overridden in 60_welcomelist_dkim.cf -score USER_IN_DKIM_WHITELIST -100 # overridden in 60_welcomelist_dkim.cf -score USER_IN_DEF_DKIM_WL -7.500 -score DKIM_SIGNED 0.1 -score DKIM_VALID -0.1 -score DKIM_INVALID 0.1 -score DKIM_VALID_AU -0.1 - -if (version >= 3.004002) -score DKIM_VALID_EF -0.1 -endif - -if can(Mail::SpamAssassin::Plugin::DKIM::has_arc) - score ARC_SIGNED 0.001 - score ARC_VALID -0.1 - score ARC_INVALID 0.1 -endif - -score DKIM_VERIFIED 0 -score DKIM_POLICY_SIGNALL 0 -score DKIM_POLICY_SIGNSOME 0 -score DKIM_POLICY_TESTING 0 -score DKIM_ADSP_CUSTOM_LOW 0.001 -score DKIM_ADSP_CUSTOM_MED 0.001 -score DKIM_ADSP_CUSTOM_HIGH 0.001 -score NML_ADSP_CUSTOM_LOW 0 0.7 0 0.7 -score NML_ADSP_CUSTOM_MED 0 1.2 0 0.9 -score NML_ADSP_CUSTOM_HIGH 0 2.6 0 2.5 -# <gen:mutable> -score DKIM_ADSP_ALL 0 1.1 0 0.8 -score DKIM_ADSP_DISCARD 0 1.8 0 1.8 -score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9 -# </gen:mutable> -endif # Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -# <gen:mutable> -score DKIMDOMAIN_IN_DWL 0 -3.5 0 -3.5 -score DKIMDOMAIN_IN_DWL_UNKNOWN 0 -0.01 0 -0.01 -# </gen:mutable> -endif - -# SPF -# Note that the benefit for a valid SPF record is deliberately minimal; it's -# likely that more spammers would quickly move to setting valid SPF records -# otherwise. The penalties for an *incorrect* record, however, are large. ;) -ifplugin Mail::SpamAssassin::Plugin::SPF -score SPF_NONE 0.001 -score SPF_HELO_NONE 0.001 -score SPF_PASS -0.001 -score SPF_HELO_PASS -0.001 -# <gen:mutable> -score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2 -score SPF_HELO_FAIL 0 0.001 0 0.001 # n=0 n=2 -score SPF_HELO_NEUTRAL 0 0.001 0 0.112 # n=0 n=2 -score SPF_HELO_SOFTFAIL 0 0.896 0 0.732 # n=0 n=2 -score SPF_NEUTRAL 0 0.652 0 0.779 # n=0 n=2 -score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2 -# </gen:mutable> -endif # Mail::SpamAssassin::Plugin::SPF - -# DMARC -ifplugin Mail::SpamAssassin::Plugin::DMARC -score DMARC_PASS -0.001 -# <gen:mutable> -score DMARC_REJECT 0.001 1.797 0.001 1.797 # n=0 n=2 -score DMARC_QUAR 0.001 1.198 0.001 1.198 # n=0 n=2 -score DMARC_NONE 0.001 0.898 0.001 0.898 # n=0 n=2 -# </gen:mutable> -score DMARC_MISSING 0.001 -endif # Mail::SpamAssassin::Plugin::DMARC - -# URIDNSBL -ifplugin Mail::SpamAssassin::Plugin::URIDNSBL -# <gen:mutable> -#score URIBL_AB_SURBL 0 4.499 0 4.499 # n=0 n=2 - removed bug 7279 -#Changed below from JP to Abuse - bug 7279 -score URIBL_ABUSE_SURBL 0 1.948 0 1.250 # n=0 n=2 -score URIBL_PH_SURBL 0 0.001 0 0.610 # n=0 n=2 -score URIBL_RHS_DOB 0 0.276 0 1.514 # n=0 n=2 -score URIBL_SBL 0 0.644 0 1.623 # n=0 n=2 -score URIBL_CSS 0 0.1 0 0.1 -score URIBL_SBL_A 0 0.1 0 0.1 -score URIBL_CSS_A 0 0.1 0 0.1 -#score URIBL_SC_SURBL 0 0.001 0 0.568 # n=0 n=2 - removed bug 7279 -score URIBL_WS_SURBL 0 1.659 0 1.608 # n=0 n=2 -score URIBL_MW_SURBL 0 1.263 0 1.263 -score URIBL_CR_SURBL 0 1.263 0 1.263 -score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2 -score URIBL_GREY 0 1.084 0 0.424 # n=0 n=2 -score URIBL_DBL_SPAM 0 2.5 0 2.5 -score URIBL_DBL_PHISH 0 2.5 0 2.5 -score URIBL_DBL_MALWARE 0 2.5 0 2.5 -score URIBL_DBL_BOTNETCC 0 2.5 0 2.5 -score URIBL_DBL_ABUSE_SPAM 0 2.0 0 2.0 -score URIBL_DBL_ABUSE_REDIR 0 0.001 0 0.001 -score URIBL_DBL_ABUSE_PHISH 0 2.5 0 2.5 -score URIBL_DBL_ABUSE_MALW 0 2.5 0 2.5 -score URIBL_DBL_ABUSE_BOTCC 0 2.5 0 2.5 - -# </gen:mutable> -# score URIBL_GREY 0.25 -score URIBL_RED 0 0.001 0 0.001 -score URIBL_BLOCKED 0 0.001 0 0.001 -score URIBL_DBL_ERROR 0 0.001 0 0.001 -score URIBL_ZEN_BLOCKED_OPENDNS 0 0.001 0 0.001 -score URIBL_ZEN_BLOCKED 0 0.001 0 0.001 -score URIBL_DBL_BLOCKED_OPENDNS 0 0.001 0 0.001 -score URIBL_DBL_BLOCKED 0 0.001 0 0.001 -endif # Mail::SpamAssassin::Plugin::URIDNSBL - -# ReplaceTags -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -# <gen:mutable> -score FUZZY_AFFORDABLE 0 # n=0 n=1 n=2 n=3 -#score FUZZY_AMBIEN 0.1 -score FUZZY_BILLION 0 # n=0 n=1 n=2 n=3 -score FUZZY_CPILL 0.001 0.001 0.001 0.001 -score FUZZY_CREDIT 1.699 1.413 0.601 1.678 -#score FUZZY_ERECT 0.1 -score FUZZY_GUARANTEE 0 # n=0 n=1 n=2 n=3 -score FUZZY_MEDICATION 0 # n=0 n=1 n=2 n=3 -score FUZZY_MERIDIA 0 # n=0 n=1 n=2 n=3 -score FUZZY_MILLION 0.1 -score FUZZY_MONEY 0 # n=0 n=1 n=2 n=3 -score FUZZY_MORTGAGE 0 # n=0 n=1 n=2 n=3 -score FUZZY_OBLIGATION 0 # n=0 n=1 n=2 n=3 -score FUZZY_OFFERS 0 # n=0 n=1 n=2 n=3 -score FUZZY_PHARMACY 2.960 3.299 1.967 1.353 -score FUZZY_PHENT 2.799 1.647 1.540 2.662 # n=0 -score FUZZY_PRESCRIPT 0 # n=0 n=1 n=2 n=3 -score FUZZY_PRICES 1.821 0.720 2.210 2.311 -score FUZZY_REFINANCE 0 # n=0 n=1 n=2 n=3 -score FUZZY_REMOVE 0 # n=0 n=1 n=2 n=3 -#score FUZZY_ROLEX 0.1 -score FUZZY_SOFTWARE 0 # n=0 n=1 n=2 n=3 -score FUZZY_THOUSANDS 0 # n=0 n=1 n=2 n=3 -score FUZZY_VLIUM 0 # n=0 n=1 n=2 n=3 -score FUZZY_VIOXX 0 # n=0 n=1 n=2 n=3 -score FUZZY_VPILL 0.001 0.494 0.796 1.014 -score FUZZY_XPILL 0.1 -score SUBJECT_FUZZY_CHEAP 0.641 1.831 0.833 0.001 # n=0 -score SUBJECT_FUZZY_MEDS 0 # n=0 n=1 n=2 n=3 -score SUBJECT_FUZZY_PENIS 0 # n=0 n=1 n=2 n=3 -score SUBJECT_FUZZY_TION 0 # n=0 n=1 n=2 n=3 -score SUBJECT_FUZZY_VPILL 0 # n=0 n=1 n=2 n=3 -score TVD_FUZZY_DEGREE 0 # n=0 n=1 n=2 n=3 -score TVD_FUZZY_FINANCE 0 # n=0 n=1 n=2 n=3 -score TVD_FUZZY_FIXED_RATE 0 # n=0 n=1 n=2 n=3 -score TVD_FUZZY_MICROCAP 0 # n=0 n=1 n=2 n=3 -score TVD_FUZZY_PHARMACEUTICAL 0 # n=0 n=1 n=2 n=3 -score TVD_FUZZY_SYMBOL 0 # n=0 n=1 n=2 n=3 -# </gen:mutable> -endif # Mail::SpamAssassin::Plugin::ReplaceTags - -# DCC -ifplugin Mail::SpamAssassin::Plugin::DCC -score DCC_CHECK 0 1.1 0 1.1 -score DCC_REPUT_00_12 0 -0.8 0 -0.4 -score DCC_REPUT_13_19 0 -0.1 0 -0.1 -score DCC_REPUT_70_89 0 0.1 0 0.1 -score DCC_REPUT_90_94 0 0.4 0 0.6 -score DCC_REPUT_95_98 0 0.7 0 1.0 -score DCC_REPUT_99_100 0 1.2 0 1.4 -endif # Mail::SpamAssassin::Plugin::DCC - -# Pyzor -ifplugin Mail::SpamAssassin::Plugin::Pyzor -# <gen:mutable> -score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2 -# </gen:mutable> -endif # Mail::SpamAssassin::Plugin::Pyzor - -# Razor2 -ifplugin Mail::SpamAssassin::Plugin::Razor2 -# <gen:mutable> -score RAZOR2_CHECK 0 1.729 0 0.922 # n=0 n=2 -score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2 -# </gen:mutable> -endif # Mail::SpamAssassin::Plugin::Razor2 - -# TextCat -ifplugin Mail::SpamAssassin::Plugin::TextCat -score UNWANTED_LANGUAGE_BODY 2.800 -score BODY_8BITS 1.500 -endif # Mail::SpamAssassin::Plugin::TextCat - -# AntiVirus -ifplugin Mail::SpamAssassin::Plugin::AntiVirus -score MICROSOFT_EXECUTABLE 0.1 -score MIME_SUSPECT_NAME 0.1 -endif # Mail::SpamAssassin::Plugin::AntiVirus - -# VBounce - anti-bounce message ruleset. All of these are informational, -# and should not be scored as antispam rules; instead the user needs -# to detect messages that hit ANY_BOUNCE_MESSAGE, and filter them aside -# as spurious bounces. -# -ifplugin Mail::SpamAssassin::Plugin::VBounce -score BOUNCE_MESSAGE 0.1 -score CRBOUNCE_MESSAGE 0.1 -score VBOUNCE_MESSAGE 0.1 -score OOOBOUNCE_MESSAGE 0.1 -score ANY_BOUNCE_MESSAGE 0.1 -endif # Mail::SpamAssassin::Plugin::VBounce - -# another informational rule: this is for C/R responses to mail the user -# really did sent -- the opposite of CRBOUNCE_MESSAGE. some users might -# like to block all C/R bounces, or filter them separately. -# -score CHALLENGE_RESPONSE 0.1 - -# It's still quite common for non-spam senders to send mail from hosts with -# no rDNS, or "dynamic-looking" rDNS. Lock these down to low values; -# some sites can increase them as a matter of local policy, and they -# make great fodder for meta rules, too. -# -# score RDNS_NONE 0 1.1 0 0.7 -# score RDNS_DYNAMIC 0 0.5 0 0.5 - - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -# <gen:mutable> -score CTYPE_8SPACE_GIF 0 # n=0 n=1 n=2 n=3 -# </gen:mutable> -endif - -ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch -# <gen:mutable> -score HTTPS_HTTP_MISMATCH 0.1 -# </gen:mutable> -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -# <gen:mutable> -score PART_CID_STOCK 0.001 0.001 0.001 0.000 # n=2 -# </gen:mutable> -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -# <gen:mutable> -score PART_CID_STOCK_LESS 0.000 0.036 0.745 0.894 # n=2 -# </gen:mutable> -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -# <gen:mutable> -score TVD_FW_GRAPHIC_NAME_LONG 0.001 0.648 0.836 1.293 # n=2 -# </gen:mutable> -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -# <gen:mutable> -score TVD_FW_GRAPHIC_NAME_MID 0.600 0.001 0.389 0.095 # n=2 -# </gen:mutable> -endif - -# Bug 6155 c115 -score KB_RATWARE_OUTLOOK_08 0 -score KB_RATWARE_OUTLOOK_12 0 -score KB_RATWARE_OUTLOOK_16 0 -score KB_RATWARE_BOUNDARY 0 - -# MAILSPIKE RBL ENABLED FOR SA3.4 and above - BUG 6400 -if (version >= 3.004000) - # FLOATING SCORES FOR GA - adjust after GA to make L3 - L5 linear - # Probably adjust up slightly to make up for the "reuse" imperfection -# <gen:mutable> - score RCVD_IN_MSPIKE_ZBI 2.7 - score RCVD_IN_MSPIKE_L5 2.5 - score RCVD_IN_MSPIKE_L4 1.7 - score RCVD_IN_MSPIKE_L3 0.9 -# </gen:mutable> - # FIXED SCORES - # TEMPORARILY LOWERED - adjust these higher after GA is done - # (pending discussion: Welcomelists need scores, but they shouldn't effect the scoring of spam detection rules.) - score RCVD_IN_MSPIKE_H3 -0.01 - score RCVD_IN_MSPIKE_H4 -0.01 - score RCVD_IN_MSPIKE_H5 -1.0 - # FIXED SCORES - informational rules, useful only for statistical comparisons - score RCVD_IN_MSPIKE_BL 0.01 - score RCVD_IN_MSPIKE_WL -0.01 -endif diff --git a/resources/spamassassin/60_adsp_override_dkim.cf b/resources/spamassassin/60_adsp_override_dkim.cf deleted file mode 100644 index e06eadf7..00000000 --- a/resources/spamassassin/60_adsp_override_dkim.cf +++ /dev/null @@ -1,218 +0,0 @@ -# SpamAssassin rules file: default DKIM ADSP overrides -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -########################################################################### -# DKIM ADSP overrides - -ifplugin Mail::SpamAssassin::Plugin::DKIM - -# Later rules override previous, so to override any of the pre-sets here, just -# declare the domain as unknown, e.g.: 'adsp_override somedomain unknown' . -# -# 'discardable' is implied in absence of the second argument. - -adsp_override ebay.com -adsp_override ebay.at -adsp_override ebay.be -adsp_override ebay.ca -adsp_override ebay.ch -adsp_override ebay.de -adsp_override ebay.ee -adsp_override ebay.es -adsp_override ebay.fr -adsp_override ebay.hu -adsp_override ebay.ie -adsp_override ebay.in -adsp_override ebay.it -adsp_override ebay.nl -adsp_override ebay.ph -adsp_override ebay.pl -adsp_override ebay.pt -adsp_override ebay.se -adsp_override ebay.co.kr -adsp_override ebay.co.uk -adsp_override ebay.com.au -adsp_override ebay.com.cn -adsp_override ebay.com.hk -adsp_override ebay.com.mx -adsp_override ebay.com.my -adsp_override ebay.com.sq - -adsp_override paypal.com -adsp_override paypal.co.uk - -adsp_override ealerts.bankofamerica.com -adsp_override alert.bankofamerica.com -adsp_override americangreetings.com -adsp_override yahoo.americangreetings.com -adsp_override msn.americangreetings.com -adsp_override egreetings.com -adsp_override bluemountain.com -adsp_override hallmark.com -adsp_override update.hallmark.com -adsp_override *.hallmark.com - -adsp_override amazon.com all -adsp_override amazon.co.uk all -adsp_override amazon.de all -adsp_override amazon.fr all -adsp_override birthdayalarm.com all -adsp_override astrology.com all -adsp_override linkedin.com all -adsp_override *.linkedin.com all -adsp_override facebookmail.com all -adsp_override *.greenpeace.org all -adsp_override lists.sourceforge.net all -adsp_override lufthansa.com all -adsp_override *.lufthansa.com all -adsp_override *.delivery.net all - -adsp_override youtube.com custom_high - -adsp_override google.com custom_med -adsp_override gmail.com custom_med -adsp_override googlemail.com custom_med - -adsp_override yahoo.com custom_med -adsp_override yahoo.com.ar custom_med -adsp_override yahoo.com.au custom_med -adsp_override yahoo.com.br custom_med -adsp_override yahoo.com.cn custom_med -adsp_override yahoo.com.hk custom_med -adsp_override yahoo.com.mx custom_med -adsp_override yahoo.com.my custom_med -adsp_override yahoo.com.ph custom_med -adsp_override yahoo.com.sg custom_med -adsp_override yahoo.com.tw custom_med -adsp_override yahoo.co.id custom_med -adsp_override yahoo.co.in custom_med -adsp_override yahoo.co.jp custom_med -adsp_override yahoo.co.nz custom_med -adsp_override yahoo.co.th custom_med -adsp_override yahoo.co.uk custom_med -adsp_override yahoo.ca custom_med -adsp_override yahoo.cn custom_med -adsp_override yahoo.de custom_med -adsp_override yahoo.dk custom_med -adsp_override yahoo.es custom_med -adsp_override yahoo.fr custom_med -adsp_override yahoo.gr custom_med -adsp_override yahoo.ie custom_med -adsp_override yahoo.it custom_med -adsp_override yahoo.no custom_med -adsp_override yahoo.pl custom_med -adsp_override yahoo.se custom_med - - -# Ignore linting, makes unnecessary lookups -adsp_override compiling.spamassassin.taint.org unknown - -# To effectively disable ADSP network DNS lookups for all other domains: -# adsp_override * unknown - - -# Currently few domains publish their signing practices (draft-ietf-dkim-ssp, -# ADSP), partly because the ADSP draft/rfc is rather new, partly because they -# think hardly any recipient bothers to check it, and partly for fear that -# some recipients might lose mail due to problems in their signature validation -# procedures or mail mangling by mailers beyond their control. -# -# Nevertheless, recipients could benefit by knowing signing practices of a -# sending (author's) domain, for example to recognize forged mail claiming -# to be from certain domains which are popular targets for phishing, like -# financial institutions. Unfortunately, as signing practices are seldom -# published or are weak, it is hardly justifiable to look them up in DNS. -# -# To overcome this chicken-or-the-egg problem, the adsp_override mechanism -# allows recipients using SpamAssassin to override published or defaulted -# ADSP for certain domains. This makes it possible to manually specify a -# stronger (or weaker) signing practices than a signing domain is willing -# to publish (explicitly or by default), and also save on a DNS lookup. -# -# Note that ADSP (published or overridden) is only consulted for messages -# which do not contain a valid DKIM signature from the author's domain. -# -# According to ADSP draft, signing practices can be one of the following: -# unknown, all and discardable. -# -# unknown: Messages from this domain might or might not have an author -# signature. This is a default if a domain exists in DNS but no ADSP record -# is found. -# -# all: All messages from this domain are signed with an Author Signature. -# -# discardable: All messages from this domain are signed with an Author -# Signature. If a message arrives without a valid Author Signature, the -# domain encourages the recipient(s) to discard it. -# -# ADSP lookup can also determine that a domain is "out of scope", i.e., the -# domain does not exist (NXDOMAIN) in the DNS. -# -# To override domain's signing practices in a SpamAssassin configuration file, -# specify an adsp_override directive for each sending domain to be overridden. -# -# Its first argument is a domain name. Author's domain is matched against it, -# matching is case insensitive. This is not a regular expression or a file-glob -# style wildcard, but limited wildcarding is still available: if this argument -# starts by a "*." (or is a sole "*"), author's domain matches if it is a -# subdomain (to one or more levels) of the argument. Otherwise (with no -# leading asterisk) the match must be exact (not a subdomain). -# -# An optional second parameter is one of the following keywords -# (case-insensitive): nxdomain, unknown, all, discardable, -# custom_low, custom_med, custom_high. -# -# Absence of this second parameter implies discardable. If a domain is not -# listed by a adsp_override directive nor does it explicitly publish any -# ADSP record, then unknown is implied for valid domains, and nxdomain -# for domains not existing in DNS. (Note: domain validity may be unchecked -# with current versions of Mail::DKIM, so nxdomain may never turn up.) -# -# The strong setting discardable is useful for domains which are known -# to always sign their mail and to always send it directly to recipients -# (not to mailing lists), and are frequent targets of fishing attempts, -# such as financial institutions. The discardable is also appropriate -# for domains which are known never to send any mail. -# -# When a message does not contain a valid signature by the author's domain -# (the domain in a From header field), the signing practices pertaining -# to author's domain determine which of the following rules fire and -# contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD, -# DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more -# than one of these rules can fire. The last three can only result from a -# 'signing_practices' as given in a adsp_override directive (not from a -# DNS lookup), and can serve as a convenient means of providing a different -# score if scores assigned to DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not -# considered suitable for some domains. -# -# As a precaution against firing DKIM_ADSP_* rules when there is a known -# local reason for a signature verification failure, the domain's ADSP is -# considered unknown when DNS lookups are disabled or a DNS lookup encountered -# a temporary problem on fetching a public key from the author's domain. -# Similarly, ADSP is considered unknown when this plugin did its own signature -# verification (signatures were not passed to SA by a caller) and a metarule -# __TRUNCATED was triggered, indicating the caller intentionally passed a -# truncated message to SpamAssassin, which was a likely reason for a signature -# verification failure. - -endif # Mail::SpamAssassin::Plugin::DKIM diff --git a/resources/spamassassin/60_awl.cf b/resources/spamassassin/60_awl.cf deleted file mode 100644 index ad978b17..00000000 --- a/resources/spamassassin/60_awl.cf +++ /dev/null @@ -1,37 +0,0 @@ -# SpamAssassin rules file: auto-welcomelist -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -ifplugin Mail::SpamAssassin::Plugin::AWL - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) -header AWL eval:check_from_in_auto_welcomelist() -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) -header AWL eval:check_from_in_auto_whitelist() -endif - -describe AWL Adjusted score from AWL reputation of From: address -tflags AWL userconf noautolearn -priority AWL 1000 - -endif # Mail::SpamAssassin::Plugin::AWL diff --git a/resources/spamassassin/60_bayes_stopwords.cf b/resources/spamassassin/60_bayes_stopwords.cf deleted file mode 100644 index 3b5546fc..00000000 --- a/resources/spamassassin/60_bayes_stopwords.cf +++ /dev/null @@ -1,69 +0,0 @@ -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -if (version >= 4.000000) - ifplugin Mail::SpamAssassin::Plugin::Bayes - if can(Mail::SpamAssassin::Conf::feature_bayes_stopwords) - # Danish - bayes_stopword_dk (?^:(?:a(?:lle|nden)|bl(?:ev|iver?)|d(?:e(?:nne|res|tte)|isse)|e(?:fter|ller)|h(?:a(?:ns|v(?:de|e))|endes?|v(?:ad|is|or))|ikke|kunne|m(?:ange|eget|ine)|nog(?:et|le)|o(?:gs\xc3\xa5|ver)|s(?:elv|ine|k(?:al|ulle)|\xc3\xa5dan)|under|v(?:ille|\xc3\xa6ret?))) - - # Dutch - bayes_stopword_nl (?^:(?:a(?:l(?:les|tijd)|ndere)|d(?:aar|eze|o(?:ch|en|or))|eens|ge(?:en|weest)|h(?:aar|e(?:bben|eft)|ier)|ie(?:mand|ts)|kunnen|m(?:aar|eer|ijn|oet)|n(?:aar|iets?)|o(?:mdat|nder|ver)|reeds|t(?:egen|o(?:ch|en))|v(?:eel|oor)|w(?:a(?:nt|ren)|e(?:rd|zen)|ord(?:en|t))|z(?:elf|i(?:ch|jn)|onder))) - - # German - bayes_stopword_de (?:a(?:ber|l(?:le[mnrs]?|so)|nder(?:(?:e[mnrs]?|[mnrs]))?|uch)|bist|d(?:a(?:mit|nn|ss(?:elbe)?|zu)|e(?:in(?:e[mnrs]?)?|mselben|n(?:selben|n)|r(?:er|selben?)|sse(?:lben|n))|i(?:ch|es(?:e(?:(?:lben?|[mnrs]))?)?)|o(?:ch|rt)|urch)|e(?:in(?:e[mnrs]?|ig(?:e[mnrs]?)?|mal)|twas|u(?:ch|er|re[mnrs]?))|ge(?:gen|wesen)|h(?:a(?:ben?|tten?)|i(?:er|nter))|i(?:h(?:nen|re[mnrs]?)|ndem)|je(?:de[mnrs]?|ne[mnrs]?|tzt)|k(?:ann|ein(?:e[mnrs]?)?|\xc3\xb6nn(?:en|te))|m(?:a(?:chen|nche[mnrs]?)|ein(?:e[mnrs]?)?|ich|uss(?:te)?)|n(?:ach|ichts?|och)|o(?:der|hne)|s(?:e(?:hr|in(?:e[mnrs]?)?|lbst)|i(?:ch|nd)|o(?:l(?:che[mnrs]?|l(?:te)?)|n(?:dern|st)))|un(?:ser(?:e[mns]?)?|ter)|viel|w(?:ar(?:en|st)|e(?:i(?:ter|l)|lche[mnrs]?|nn|rden?)|i(?:eder|ll|r(?:st|d))|oll(?:en|te)|\xc3(?:\xa4hrend|\xbcrden?))|zw(?:ar|ischen)|\xc3\xbcber) - - # English - bayes_stopword_en (?:a(?:ble|l(?:ready|l)|n[dy]|re)|b(?:ecause|oth)|c(?:an|ome)|e(?:ach|mail|ven)|f(?:ew|irst|or|rom)|give|h(?:a(?:ve|s)|ttp)|i(?:n(?:formation|to)|t\'s)|just|know|l(?:ike|o(?:ng|ok))|m(?:a(?:de|il(?:(?:ing|to))?|ke|ny)|o(?:re|st)|uch)|n(?:eed|o[tw]|umber)|o(?:ff|n(?:ly|e)|ut|wn)|p(?:eople|lace)|right|s(?:ame|ee|uch)|t(?:h(?:at|is|rough|e)|ime)|using|w(?:eb|h(?:ere|y)|ith(?:out)?|or(?:ld|k))|y(?:ears?|ou(?:(?:\'re|r))?))$ - # bayes_stopword_en (?:a(?:bo(?:ut|ve)|fter|gain(?:st)?|ren(?:\'t)?)|b(?:e(?:cause|en|fore|ing|low|tween)|oth)|couldn(?:\'t)?|d(?:idn(?:\'t)?|o(?:es(?:n(?:\'t)?)?|ing|n\'t|wn)|uring)|each|f(?:rom|urther)|h(?:a(?:dn(?:\'t)?|sn(?:\'t)?|v(?:e(?:n(?:\'t)?)?|ing))|er(?:s(?:elf)?|e)|imself)|i(?:nto|sn\'t|t(?:\'s|self))|just|m(?:ightn(?:\'t)?|o(?:re|st)|ustn(?:\'t)?|yself)|needn(?:\'t)?|o(?:n(?:ce|ly)|ther|urs(?:elves)?|ver)|s(?:ame|h(?:an(?:\'t)?|e\'s|ould(?:(?:\'ve|n(?:\'t)?))?)|ome|uch)|th(?:a(?:t(?:\'ll)?|n)|e(?:irs?|m(?:selves)?|re|se|[ny])|is|ose|rough)|un(?:der|til)|very|w(?:asn(?:\'t)?|ere(?:n(?:\'t)?)?|h(?:at|e(?:re|n)|i(?:ch|le)|om)|i(?:ll|th)|o(?:n\'t|uldn(?:\'t)?))|you(?:\'(?:ll|re|ve|d)|r(?:s(?:el(?:ves|f))?)?)) - - # Spanish - bayes_stopword_es (?:a(?:lg(?:un(?:as|os)|o)|ntes?)|c(?:o(?:mo|ntra)|ua(?:ndo|l))|d(?:esde|onde|urante)|e(?:ll(?:as?|os)|ntre|r(?:a(?:is|[ns])|es)|s(?:as|os|t(?:a(?:(?:ba(?:(?:is|[ns]))?|d(?:(?:as?|os?))?|mos|ndo|r(?:(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?)))?|s))?|e(?:mos)?|o[sy]?|uv(?:i(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|mos|ste(?:is)?|\xc3\xa9(?:ramos|semos))|[eo])|\xc3(?:\xa1(?:(?:bamos|is|[ns]))?|\xa9(?:(?:is|[ns]))?))))|fu(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|i(?:mos|ste(?:is)?)|\xc3\xa9(?:ramos|semos))|h(?:a(?:b(?:i(?:d(?:as?|os?)|endo)|r(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?))|\xc3(?:\xa9is|\xada(?:(?:is|mos|[ns]))?))|sta|y(?:a(?:(?:mos|[ns]))?|\xc3\xa1is))|emos|ub(?:i(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|mos|ste(?:is)?|\xc3\xa9(?:ramos|semos))|[eo]))|m(?:uchos?|\xc3\xad(?:as|os))|n(?:ada|osotr(?:as|os)|uestr(?:as?|os?))|otr(?:as?|os?)|p(?:ara|ero|o(?:co|rque))|quien(?:es)?|s(?:e(?:a(?:mos|[ns])|ntid(?:(?:as?|os?))?|r(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?))|\xc3\xa1is)|i(?:ente|ntiendo)|o(?:bre|is|mos)|uy(?:as?|os?))|t(?:a(?:mbi\xc3\xa9n|nto)|en(?:dr(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?))|e(?:mos|d)|g(?:a(?:(?:mos|[ns]))?|\xc3\xa1is|o)|i(?:d(?:as?|os?)|endo)|\xc3(?:\xa9is|\xada(?:(?:is|mos|[ns]))?))|iene[ns]?|odos?|u(?:v(?:i(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|mos|ste(?:is)?|\xc3\xa9(?:ramos|semos))|[eo])|y(?:as?|os?)))|unos|v(?:osotr(?:as|os)|uestr(?:as?|os?))|\xc3\xa9ramos) - - # Finnish - bayes_stopword_fi (?^:(?:e(?:iv\xc3\xa4t|mme|tt(?:\xc3\xa4|e))|h(?:ei(?:d\xc3\xa4[nt]|hin|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|\xc3\xa4n(?:e(?:en|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|[nt])|t\xc3\xa4))|itse|jo(?:hon|i(?:den|hin|ksi|l(?:l[ae]|ta)|na|s(?:sa|ta)|ta)|k(?:si|a)|l(?:l[ae]|ta)|n(?:ka|a)|s(?:sa|ta)|t(?:ka|a))|k(?:anssa|e(?:i(?:den|hin|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n\xc3\xa4|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|ne(?:en|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:\xc3\xa4)?|s(?:s\xc3\xa4|t\xc3\xa4)|t)|t(?:k\xc3\xa4|\xc3\xa4))|oska|u(?:in|ka))|m(?:ei(?:d\xc3\xa4[nt]|hin|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|i(?:hin|k(?:si|\xc3\xa4)|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:k\xc3\xa4|u(?:l(?:l[ae]|ta)|s(?:sa|ta)|un|[ant])|\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t(?:k\xc3\xa4|\xc3\xa4))|u(?:kaan|tta))|n(?:ii(?:den|hin|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:\xc3\xa4)?|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|oi(?:den|hin|ksi|l(?:l[ae]|ta)|na?|s(?:sa|ta)|ta)|\xc3\xa4(?:i(?:den|hin|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n\xc3\xa4|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|m\xc3\xa4))|o(?:l(?:e(?:mme|t(?:te)?|n)|i(?:mme|si(?:(?:mme|t(?:te)?|vat|n))?|t(?:te)?|vat|n)|l(?:eet|ut|a))|vat)|poikki|s(?:ek\xc3\xa4|i(?:i(?:hen|n\xc3\xa4|t\xc3\xa4)|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:u(?:l(?:l[ae]|ta)|s(?:sa|ta)|un|[ant])|\xc3\xa4)|t\xc3\xa4))|t(?:all\xc3\xa4|ei(?:d\xc3\xa4[nt]|hin|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|uo(?:hon|ksi|l(?:l[ae]|ta)|na?|s(?:sa|ta)|t\xc3\xa4)|\xc3\xa4(?:h\xc3\xa4n|ksi|l(?:le|t\xc3\xa4)|m\xc3\xa4n?|n\xc3\xa4|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4))|va(?:an|ikka))) - - # French - bayes_stopword_fr (?:a(?:ie(?:nt|s)|ur(?:a(?:(?:i(?:(?:ent|[st]))?|s))?|ez|i(?:ez|ons)|on[st])|v(?:ai(?:ent|[st])|e[cz]|i(?:ez|ons)|ons)|y(?:ant(?:(?:es?|s))?|ez|ons))|dans|e(?:lle|u(?:es|rent|ss(?:e(?:(?:nt|s))?|i(?:ez|ons)))|\xc3\xbb(?:mes|tes))|f(?:u(?:rent|ss(?:e(?:(?:nt|s))?|i(?:ez|ons)))|\xc3\xbb(?:mes|tes))|leur|m(?:ais|\xc3\xaame)|no(?:tre|us)|pour|s(?:er(?:a(?:(?:i(?:(?:ent|[st]))?|s))?|ez|i(?:ez|ons)|on[st])|o(?:i(?:ent|[st])|mmes|nt|y(?:ez|ons))|uis)|vo(?:tre|us)|\xc3(?:\xa9t(?:a(?:i(?:ent|[st])|nt(?:(?:es?|s))?)|i(?:ez|ons)|\xc3\xa9(?:es?|s))|\xaates)) - - # Greek - bayes_stopword_gr (?^:(?:\xce(?:\xb1(?:\xce(?:\xbb\xce\xbb\xce\xb1|\xbd\xcf\x84\xce\xb9)|\xcf\x85\xcf\x84(?:\xce(?:\xb5\xcf\x83|\xbf(?:(?:\xce\xb9|\xcf(?:\x85\xcf\x83|\x83)))?|[\xb1\xb7])|\xcf\x89\xce\xbd)|\xe1\xbd\x90\xcf\x84(?:\xcf\x8c\xcf\x83|\xe1\xbd\xb8\xcf\x82))|\xb3\xce\xbf\xe1\xbf\xa6\xce\xbd|\xb4\xce\xb1(?:\xce\xaf\xcf\x83|\xe1\xbd\xb6\xcf\x82)|\xb5(?:\xce(?:\xb9(?:\xce(?:\xbc\xce\xb1(?:\xce\xb9|\xcf\x83\xcf\x84\xce\xb5)|\xbd\xce\xb1\xce\xb9)|\xcf\x83(?:\xce\xb1\xce\xb9|\xcf\x84\xce\xb5))|\xba\xce\xb5\xce\xb9\xce\xbd(?:\xce(?:\xb5\xcf\x83|\xbf(?:(?:\xce\xb9|\xcf(?:\x85\xcf\x83|\x83)))?|[\xb1\xb7])|\xcf\x89\xce\xbd))|\xe1\xbc(?:\xb0\xce\xbc(?:\xce\xaf|\xe1\xbd\xb6)|\xb4(?:\xce\xbc\xce\xb9|\xcf\x84\xce\xb5)))|\xb9\xcf\x83\xcf\x89\xcf\x83|\xba\xce\xb1(?:\xce\xaf\xcf\x84\xce\xbf\xce\xb9|\xcf\x84(?:\xce[\xac\xb1]|\xe1\xbd\xb0))|\xbc\xce(?:\xae\xcf\x84\xce\xb5|\xb5\xcf\x84(?:\xce[\xac\xb1]|\xe1\xbd\xb0))|\xbf(?:\xce\xbc\xcf\x89\xcf\x83|\xcf\x80\xcf\x89\xcf\x83|\xe1\xbd(?:\x90(?:\xce\xb4(?:\xce(?:\xb5(?:\xce\xaf\xcf\x83|\xe1\xbd\xb6\xcf\x82)|\xad)|\xe1\xbd\xb2(?:\xce\xbd)?)|\xcf\x87\xe1\xbd\xb6)|\x94\xcf\x84\xce\xb5|\x95\xcf\x84\xcf\x89(?:\xcf[\x82\x83])?|\x97\xcf\x84\xce\xbf\xcf[\x82\x83])))|\xcf(?:\x80(?:\xce(?:\xb1\xcf\x81(?:\xce[\xac\xb1]|\xe1\xbd\xb0)|\xb5\xcf\x81(?:\xce\xaf|\xe1\xbd\xb6)|\xbf(?:\xce\xb9(?:\xce(?:\xb5\xcf\x83|\xbf(?:(?:\xce\xb9|\xcf(?:\x85\xcf\x83|\x83)))?|\xb1)|\xcf\x89\xce\xbd)|\xcf\x84\xce\xb5))|\xcf\x81(?:\xce\xbf\xcf\x83|\xcf\x8c\xcf\x83|\xe1\xbd\xb8\xcf\x82))|\x83\xcf\x84\xce(?:\xb7\xce\xbd|\xbf\xce\xbd)|\x84(?:\xce(?:\xb1\xe1\xbf\x96\xcf\x82|\xb9\xce\xbd\xce\xb1|\xbf(?:\xce\xb9\xce\xbf\xe1\xbf\xa6\xcf\x84\xce\xbf\xcf[\x82\x83]|\xcf(?:\x84\xce\xb5|\x8d\xcf\x83)|\xe1(?:\xbd\xba\xcf\x82|\xbf\x96\xcf\x82)))|\xcf\x8c\xcf\x84\xce\xb5))|\xe1(?:\xbc(?:\x80\xce\xbb\xce\xbb(?:\xce\xac|\xe1\xbd\xb0|\xe2\x80\x99|\')|\x84\xce\xbb\xce\xbb\xce\xbf\xcf[\x82\x83]|\x90(?:\xce\xbc(?:\xcf\x8c\xcf\x83|\xe1\xbd\xb8\xcf\x82)|\xcf(?:\x80\xce\xb5\xe1\xbd\xb6|\x83\xcf\x84\xce\xb9))|\x91\xce\xb1\xcf\x85\xcf\x84\xce\xbf\xe1\xbf\xa6)|\xbd(?:\x85(?:\xce\xb8\xce\xb5\xce\xbd|\xcf(?:\x80\xce\xb5\xcf\x81|\x83\xcf\x84\xce\xb9\xcf[\x82\x83]))|\x91(?:\xce\xbc\xcf\x8c\xcf\x83|\xcf\x80(?:\xce\xad\xcf\x81|\xe1\xbd\xb2\xcf\x81))|\xa5\xcf\x83\xcf\x84\xce\xb5)))) - - # Hungarian - bayes_stopword_hu (?^:(?:a(?:bban|h(?:hoz|o(?:gy|l))|k(?:ik|kor)|latt|m(?:ely(?:(?:e(?:k(?:(?:ben|et))?|t)|nek))?|i(?:kor|t)|olyan|\xc3\xadg)|nnak|rr(?:\xc3\xb3l|a)|z(?:o(?:n(?:ban)?|k)|t\xc3\xa1n|ut\xc3\xa1n|zal|\xc3\xa9rt))|be(?:l\xc3\xbcl|nne)|c(?:ikk(?:ek(?:et)?)?|sak)|e(?:bben|ddig|g(?:y(?:e(?:tlen|s)|ik|re|\xc3\xa9b)|\xc3\xa9sz)|hhez|kkor|l(?:len|s\xc3\xb5|\xc3(?:\xa9g|\xb5(?:sz\xc3\xb6r|tt)))|milyen|nnek|rre|z(?:e[kn]|zel|\xc3\xa9rt))|fel\xc3\xa9|h(?:anem|iszen|ogy(?:an)?)|i(?:gen|l(?:l(?:etve|\.)|yen(?:kor)?)|s(?:m\xc3\xa9t|on))|jobban|k(?:e(?:ll(?:ett)?|res(?:s\xc3\xbcnk|zt\xc3\xbcl))|\xc3(?:\xadv\xc3\xbcl|\xb6z\xc3(?:\xb6tt|\xbcl)))|le(?:g(?:al\xc3\xa1bb|yen)|het(?:ett)?|nn[ei]|sz|tt)|m(?:a(?:g(?:\xc3\xa1t|a)|jd)|e(?:l(?:lett|y(?:ek)?)|rt)|i(?:kor|lyen|n(?:d(?:en(?:(?:ki|t))?|ig)|t(?:ha)?)|vel|\xc3\xa9rt)|ost|\xc3\xa1sik)|n(?:agy(?:o(?:bb|n))?|ek(?:em|i)|incs|\xc3\xa9(?:h(?:\xc3\xa1ny|a)|lk\xc3\xbcl))|olyan|pe(?:dig|rsze)|s(?:aj\xc3\xa1t|emmi|ok(?:at|kal)|z(?:e(?:mben|rint)|inte|\xc3\xa1m\xc3\xa1ra))|t(?:al\xc3\xa1n|e(?:h\xc3\xa1t|ljes)|ov\xc3\xa1bb(?:\xc3\xa1)?|\xc3\xb6bb)|u(?:gyanis|t(?:ols\xc3\xb3|\xc3\xa1na?))|v(?:a(?:gy(?:(?:is|ok))?|l(?:a(?:ki|mi(?:nt)?)|\xc3\xb3)|nnak)|ele|is(?:sza|zont)|ol(?:na|t(?:(?:a[km]|unk))?))|\xc3(?:\xa1ltal(?:\xc3\xa1ban)?|\xa9ppen|\xb5ket|\xb6ssze|\xbaj(?:abb|ra)))) - - # Italian - bayes_stopword_it (?:a(?:bbia(?:(?:mo|no|te))?|gli|ll[aeo]|nche|v(?:e(?:mmo|ndo|s(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|te|v(?:a(?:(?:mo|no|te))?|[io]))|r(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2])|ut[aeio]))|co(?:me|ntro)|d(?:a(?:gli?|ll[aeo]?)|e(?:gli?|ll[aeo]?)|ove)|e(?:bb(?:e(?:ro)?|i)|ra(?:no|va(?:mo|te))|ssendo)|f(?:a(?:c(?:ci(?:a(?:(?:mo|no|te))?|o)|e(?:mmo|ndo|s(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|v(?:a(?:(?:mo|no|te))?|[io])))|nno|r(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2]))|ec(?:e(?:ro)?|i)|os(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|u(?:mmo|rono))|hanno|loro|miei|n(?:e(?:gli?|ll[aeo]?)|ostr[aeio])|perch\xc3\xa9|qu(?:a(?:le|nt[aeio])|e(?:ll[aeio]|st[aeio]))|s(?:ar(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2])|i(?:a(?:mo|no|te)|ete)|ono|t(?:a(?:n(?:do|no)|r(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2])|v(?:a(?:(?:mo|no|te))?|[io])|i)|e(?:mmo|s(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|tt(?:e(?:ro)?|i))|ia(?:(?:mo|no|te))?)|u(?:gli?|ll[aeo]?|oi))|tu(?:oi|tt[io])|vostr[aeio]) - - # Norwegian - bayes_stopword_no (?^:(?:alle|b(?:are|egge|l(?:ei|i(?:tt|r))|\xc3\xa5de)|d(?:e(?:i(?:r(?:es|a)|m)|nne|res?|tte)|i(?:sse|tt)|ykk(?:ar)?)|e(?:itt|lle[rs]|tter)|fordi|h(?:a(?:dde|ns)|enn(?:ar|es?)|o(?:nom|ss(?:en)?)|v(?:e[mr]|i(?:lken?|s)|or(?:(?:dan|for))?))|i(?:kk(?:je|e)|n(?:g(?:en|i)|kje|ni))|k(?:or(?:leis|so)|unne|v(?:ar(?:helst)?|en|ifor))|m(?:ange|e(?:dan|get|llom)|i(?:ne|tt)|ykje)|no(?:en|k(?:o[nr]?|re|a))|o(?:gs\xc3\xa5|ver)|s(?:amme|elv|i(?:d(?:an|en)|ne|tt)|j\xc3\xb8l|k(?:al|ulle)|lik|om(?:me|t)|\xc3\xa5nn)|uten|v(?:arte?|er(?:te|e)|ille|or[est]|\xc3\xa6r[et]))) - - # Portuguese - bayes_stopword_pt (?^:(?:aqu(?:el(?:as?|es?)|ilo)|como|de(?:l(?:as?|es?)|pois)|e(?:l(?:as|es)|ntre|ram|s(?:s(?:as?|es?)|t(?:a(?:(?:mos|vam?|s))?|e(?:(?:ja(?:m(?:os)?)?|ve|s))?|iv(?:e(?:(?:mos|r(?:(?:am?|em|mos))?|ssem?))?|\xc3\xa9(?:ramos|ssemos))|ou|\xc3(?:\xa1(?:vamos)?|\xa3o))))|f(?:o(?:mos|r(?:am?|em|mos)|ssem?)|\xc3\xb4(?:ramos|ssemos))|h(?:a(?:ja(?:m(?:os)?)?|vemos)|ouv(?:e(?:(?:mos|r(?:(?:am?|e(?:m(?:os)?|i)|iam?|mos|\xc3(?:\xa3o|\xadamos|\xa1)))?|ssem?))?|\xc3\xa9(?:ramos|ssemos)))|is(?:so|to)|lhes|m(?:ais|e(?:smo|us)|inhas?|uito)|n(?:oss(?:as?|os?)|uma)|p(?:ara|el(?:as?|os?))|qu(?:a(?:ndo|l)|em)|s(?:e(?:ja(?:m(?:os)?)?|r(?:e(?:mos|i)|iam?|\xc3(?:\xa3o|\xadamos|\xa1))|us)|omos|uas)|t(?:amb\xc3\xa9m|e(?:mos|nh(?:a(?:m(?:os)?)?|o)|r(?:e(?:mos|i)|iam?|\xc3(?:\xa3o|\xadamos|\xa1))|us|ve)|i(?:nham?|v(?:e(?:(?:mos|r(?:(?:am?|em|mos))?|ssem?))?|\xc3\xa9(?:ramos|ssemos)))|uas|\xc3\xadnhamos)|voc\xc3\xaas?|\xc3\xa9ramos)) - - # Russian - bayes_stopword_ru (?^:(?:\xd0(?:\xb1(?:\xd0\xbe\xd0\xbb(?:\xd0\xb5\xd0\xb5|\xd1\x8c\xd1\x88\xd0\xb5)|\xd1(?:\x83\xd0\xb4(?:\xd0\xb5\xd1\x82|\xd1\x82\xd0\xbe)|\x8b(?:\xd0\xbb\xd0[\xb0\xb8\xbe]|\xd1\x82\xd1\x8c)))|\xb2(?:\xd0(?:\xb4\xd1\x80\xd1\x83\xd0\xb3|\xb5\xd0\xb4\xd1\x8c|\xbf\xd1\x80\xd0\xbe\xd1\x87\xd0\xb5\xd0\xbc)|\xd1\x81\xd0\xb5(?:\xd0\xb3\xd0(?:\xb4\xd0\xb0|\xbe)|\xd1\x85))|\xb4(?:\xd0\xb0\xd0\xb6\xd0\xb5|\xd1\x80\xd1\x83\xd0\xb3\xd0\xbe\xd0\xb9)|\xb5\xd1\x81(?:\xd0\xbb\xd0\xb8|\xd1\x82\xd1\x8c)|\xb7\xd0(?:\xb0\xd1\x87\xd0\xb5\xd0\xbc|\xb4\xd0\xb5\xd1\x81\xd1\x8c)|\xb8\xd0\xbd\xd0\xbe\xd0\xb3\xd0\xb4\xd0\xb0|\xba(?:\xd0(?:\xb0\xd0\xba\xd0(?:\xb0\xd1\x8f|\xbe\xd0\xb9)|\xbe\xd0(?:\xb3\xd0\xb4\xd0\xb0|\xbd\xd0\xb5\xd1\x87\xd0\xbd\xd0\xbe))|\xd1\x83\xd0\xb4\xd0\xb0)|\xbb\xd1\x83\xd1\x87\xd1\x88\xd0\xb5|\xbc\xd0(?:\xb5\xd0(?:\xb6\xd0\xb4\xd1\x83|\xbd\xd1\x8f)|\xbd\xd0\xbe\xd0\xb3\xd0\xbe|\xbe\xd0\xb6\xd0(?:\xb5\xd1\x82|\xbd\xd0\xbe))|\xbd\xd0(?:\xb0\xd0(?:\xb4\xd0\xbe|\xba\xd0\xbe\xd0\xbd\xd0\xb5\xd1\x86)|\xb5\xd0(?:\xb3\xd0\xbe|\xbb\xd1\x8c\xd0\xb7\xd1\x8f)|\xb8(?:\xd0(?:\xb1\xd1\x83\xd0\xb4\xd1\x8c|\xba\xd0\xbe\xd0\xb3\xd0\xb4\xd0\xb0)|\xd1\x87\xd0\xb5\xd0\xb3\xd0\xbe))|\xbe\xd0(?:\xb4\xd0\xb8\xd0\xbd|\xbf\xd1\x8f\xd1\x82\xd1\x8c)|\xbf\xd0(?:\xb5\xd1\x80\xd0\xb5\xd0\xb4|\xbe\xd1(?:\x81\xd0\xbb\xd0\xb5|\x82\xd0\xbe\xd0\xbc(?:\xd1\x83)?|\x87\xd1\x82\xd0\xb8)))|\xd1(?:\x80\xd0\xb0\xd0\xb7\xd0\xb2\xd0\xb5|\x81\xd0(?:\xb2\xd0\xbe\xd1\x8e|\xb5\xd0(?:\xb1(?:\xd0\xb5|\xd1\x8f)|\xb9\xd1\x87\xd0\xb0\xd1\x81)|\xbe\xd0\xb2\xd1\x81\xd0\xb5\xd0\xbc)|\x82\xd0(?:\xb0\xd0\xba\xd0\xbe\xd0\xb9|\xb5\xd0(?:\xb1\xd1\x8f|\xbf\xd0\xb5\xd1\x80\xd1\x8c)|\xbe\xd0(?:\xb3\xd0(?:\xb4\xd0\xb0|\xbe)|\xb6\xd0\xb5|\xbb\xd1\x8c\xd0\xba\xd0\xbe))|\x85\xd0\xbe\xd1(?:\x80\xd0\xbe\xd1\x88\xd0\xbe|\x82\xd1\x8c)|\x87(?:\xd0\xb5(?:\xd0\xb3\xd0\xbe|\xd1\x80\xd0\xb5\xd0\xb7)|\xd1(?:\x82\xd0\xbe\xd0\xb1(?:\xd1\x8b)?|\x83\xd1\x82\xd1\x8c))|\x8d\xd1\x82\xd0\xbe(?:\xd0(?:\xb3\xd0\xbe|[\xb9\xbc])|\xd1\x82)))) - - # Swedish - bayes_stopword_se (?^:(?:all[at]|bl(?:ev|i(?:vit|r))|d(?:e(?:nna|ras|ssa?|tta)|i(?:na|tt))|e(?:fter|ller)|fr\xc3\xa5n|h(?:a(?:de|ns)|ennes?|onom)|i(?:cke|n(?:gen|om|te))|kunde|m(?:ellan|i(?:na|tt)|ycket)|n\xc3\xa5g(?:o[nt]|ra)|s(?:amma|edan|i(?:na|tta)|j\xc3\xa4lv|kulle|\xc3\xa5dan[at]?)|till|u(?:nder|tan)|v(?:ar(?:f\xc3\xb6r|it|je|[ast])|ilk(?:as?|e[nt])|\xc3\xa5r[at])|\xc3\xb6ver)) - - # Turkish - bayes_stopword_tr (?^:(?:a(?:caba|sl\xc4\xb1nda)|b(?:az\xc4\xb1|elki|ir(?:ka\xc3\xa7|\xc5\x9fey|i))|d(?:aha|efa|iye)|e\xc4\x9fer|gibi|hepsi|i\xc3\xa7in|n(?:as\xc4\xb1l|e(?:den|r(?:de|e(?:de|ye)))|i(?:ye|\xc3\xa7in))|sanki|veya|yani|\xc3\xa7\xc3\xbcnk\xc3\xbc)) - - endif - endif -endif diff --git a/resources/spamassassin/60_shortcircuit.cf b/resources/spamassassin/60_shortcircuit.cf deleted file mode 100644 index bb3e076d..00000000 --- a/resources/spamassassin/60_shortcircuit.cf +++ /dev/null @@ -1,57 +0,0 @@ -# SpamAssassin rules file: spam and ham shortcircuiting using priorities -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use /etc/mail/spamassassin/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -# SpamAssassin tries hard not to launch DNS queries before priority -100. -# If you want to shortcircuit without launching unneeded queries, make sure -# such rule priority is below -100. - -########################################################################### - -priority USER_IN_WELCOMELIST -1000 -priority USER_IN_WHITELIST -1000 -priority USER_IN_DEF_WELCOMELIST -1000 -priority USER_IN_DEF_WHITELIST -1000 -priority USER_IN_ALL_SPAM_TO -1000 - -priority ALL_TRUSTED -950 - -priority USER_IN_BLOCKLIST_TO -900 -priority USER_IN_BLOCKLIST -900 -priority USER_IN_BLACKLIST_TO -900 -priority USER_IN_BLACKLIST -900 - -########################################################################### - -ifplugin Mail::SpamAssassin::Plugin::Shortcircuit - -# override the default X-Spam-Status line from 10_basic.cf to -# include shortcircuit info. (TODO: do we need a better way -# to extend the default templates like this?) -add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_" - -header SHORTCIRCUIT eval:check_shortcircuit() -describe SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule -tflags SHORTCIRCUIT userconf noautolearn - -endif # Mail::SpamAssassin::Plugin::Shortcircuit - diff --git a/resources/spamassassin/60_txrep.cf b/resources/spamassassin/60_txrep.cf deleted file mode 100644 index 7728fd4a..00000000 --- a/resources/spamassassin/60_txrep.cf +++ /dev/null @@ -1,31 +0,0 @@ -# SpamAssassin rules file: TxRep reputation system -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -ifplugin Mail::SpamAssassin::Plugin::TxRep - -header TXREP eval:check_senders_reputation() -describe TXREP Score normalizing based on sender's reputation -tflags TXREP userconf noautolearn -priority TXREP 1000 - -endif # Mail::SpamAssassin::Plugin::TxRep diff --git a/resources/spamassassin/60_welcomelist.cf b/resources/spamassassin/60_welcomelist.cf deleted file mode 100644 index ee45a247..00000000 --- a/resources/spamassassin/60_welcomelist.cf +++ /dev/null @@ -1,263 +0,0 @@ -# SpamAssassin rules file: default welcomelists -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -########################################################################### -# Welcomelist rules -# -# Note that most of these get 'noautolearn'. They should not be -# considered when deciding whether to auto-learn a message, as a -# user slip-up could result in scribbling side-effects in the bayes -# db as a result -- which is hard to remedy. - -# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_BLOCKLIST eval:check_from_in_blocklist() - describe USER_IN_BLOCKLIST From: user is listed in the block-list - tflags USER_IN_BLOCKLIST userconf noautolearn - score USER_IN_BLOCKLIST 100 - - # Backwards compatibility - # To disable set "enable_compat welcomelist_blocklist" in init.pre - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) - describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST - tflags USER_IN_BLACKLIST userconf noautolearn - score USER_IN_BLACKLIST 100 - score USER_IN_BLOCKLIST 0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_BLOCKLIST eval:check_from_in_blacklist() - describe USER_IN_BLOCKLIST From: user is listed in the block-list - tflags USER_IN_BLOCKLIST userconf noautolearn - score USER_IN_BLOCKLIST 0.01 - - meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) - describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST - tflags USER_IN_BLACKLIST userconf noautolearn - score USER_IN_BLACKLIST 100 -endif - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_WELCOMELIST eval:check_from_in_welcomelist() - describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from' - tflags USER_IN_WELCOMELIST userconf nice noautolearn - score USER_IN_WELCOMELIST -100 - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_WHITELIST (USER_IN_WELCOMELIST) - describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST - tflags USER_IN_WHITELIST userconf nice noautolearn - score USER_IN_WHITELIST -100 - score USER_IN_WELCOMELIST -0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_WELCOMELIST eval:check_from_in_whitelist() - describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from' - tflags USER_IN_WELCOMELIST userconf nice noautolearn - score USER_IN_WELCOMELIST -0.01 - - meta USER_IN_WHITELIST (USER_IN_WELCOMELIST) - describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST - tflags USER_IN_WHITELIST userconf nice noautolearn - score USER_IN_WHITELIST -100 -endif - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_welcomelist() - describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list - tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn - score USER_IN_DEF_WELCOMELIST -15 - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST) - describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST - tflags USER_IN_DEF_WHITELIST userconf nice noautolearn - score USER_IN_DEF_WHITELIST -15 - score USER_IN_DEF_WELCOMELIST -0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_whitelist() - describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list - tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn - score USER_IN_DEF_WELCOMELIST -0.01 - - meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST) - describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_DEF_WELCOMELIST - tflags USER_IN_DEF_WHITELIST userconf nice noautolearn - score USER_IN_DEF_WHITELIST -15 -endif - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_BLOCKLIST_TO eval:check_to_in_blocklist() - describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' - tflags USER_IN_BLOCKLIST_TO userconf noautolearn - score USER_IN_BLOCKLIST_TO 10 - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) - describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO - tflags USER_IN_BLACKLIST_TO userconf noautolearn - score USER_IN_BLACKLIST_TO 10 - score USER_IN_BLOCKLIST_TO 0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_BLOCKLIST_TO eval:check_to_in_blacklist() - describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' - tflags USER_IN_BLOCKLIST_TO userconf noautolearn - score USER_IN_BLOCKLIST_TO 0.01 - - meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) - describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO - tflags USER_IN_BLACKLIST_TO userconf noautolearn - score USER_IN_BLACKLIST_TO 10 -endif - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_WELCOMELIST_TO eval:check_to_in_welcomelist() - describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to' - tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn - score USER_IN_WELCOMELIST_TO -6 - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO) - describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO - tflags USER_IN_WHITELIST_TO userconf nice noautolearn - score USER_IN_WHITELIST_TO -6 - score USER_IN_WELCOMELIST_TO -0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_WELCOMELIST_TO eval:check_to_in_whitelist() - describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to' - tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn - score USER_IN_WELCOMELIST_TO -0.01 - - meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO) - describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO - tflags USER_IN_WHITELIST_TO userconf nice noautolearn - score USER_IN_WHITELIST_TO -6 -endif - -header USER_IN_MORE_SPAM_TO eval:check_to_in_more_spam() -describe USER_IN_MORE_SPAM_TO User is listed in 'more_spam_to' -tflags USER_IN_MORE_SPAM_TO userconf noautolearn - -header USER_IN_ALL_SPAM_TO eval:check_to_in_all_spam() -describe USER_IN_ALL_SPAM_TO User is listed in 'all_spam_to' -tflags USER_IN_ALL_SPAM_TO userconf noautolearn - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blocklist() - describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list - tflags URI_HOST_IN_BLOCKLIST userconf noautolearn - score URI_HOST_IN_BLOCKLIST 100 - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST) - describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST - tflags URI_HOST_IN_BLACKLIST userconf noautolearn - score URI_HOST_IN_BLACKLIST 100 - score URI_HOST_IN_BLOCKLIST 0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - if (version >= 3.004000) - body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blacklist() - describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list - tflags URI_HOST_IN_BLOCKLIST userconf noautolearn - score URI_HOST_IN_BLOCKLIST 0.01 - - meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST) - describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST - tflags URI_HOST_IN_BLACKLIST userconf noautolearn - score URI_HOST_IN_BLACKLIST 100 - endif -endif - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_welcomelist() - describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list - tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn - score URI_HOST_IN_WELCOMELIST -100 - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST) - describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST - tflags URI_HOST_IN_WHITELIST userconf nice noautolearn - score URI_HOST_IN_WHITELIST -100 - score URI_HOST_IN_WELCOMELIST -0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - if (version >= 3.004000) - body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_whitelist() - describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list - tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn - score URI_HOST_IN_WELCOMELIST -0.01 - - meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST) - describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST - tflags URI_HOST_IN_WHITELIST userconf nice noautolearn - score URI_HOST_IN_WHITELIST -100 - endif -endif - - # Bug 7256, using a header rule with an eval() function does not work the way - # this was intended. - - # header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLOCK') - # describe HEADER_HOST_IN_BLACKLIST Host or Domain in header is listed in the user's URI black-list - # tflags HEADER_HOST_IN_BLACKLIST userconf noautolearn - - # header HEADER_HOST_IN_WHITELIST eval:check_uri_host_listed('WELCOME') - # describe HEADER_HOST_IN_WHITELIST Host or Domain in header is listed in the user's URI white-list - # tflags HEADER_HOST_IN_WHITELIST userconf nice noautolearn - -########################################################################### -# Default welcomelists. These should be addresses which send mail that is often -# tagged (incorrectly) as spam; it also helps that they be addresses of big -# companies with lots of lawyers, so if spammers impersonate them, they'll get -# into big trouble, so it doesn't provide a shortcut around SpamAssassin. -# -# Welcomelist and blocklist addresses are now file-glob-style patterns, so -# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. -# -# Please do not add unmoderated public mailing lists here. They are -# too easily abused by spammers. - -# Should really not be used these days, use def_welcomelist_auth if possible. - - # def_welcomelist_from_rcvd *@foo.com foo.com - -# -# -# - -endif # ifplugin Mail::SpamAssassin::Plugin::WLBLEval - diff --git a/resources/spamassassin/60_welcomelist_auth.cf b/resources/spamassassin/60_welcomelist_auth.cf deleted file mode 100644 index d089a0e1..00000000 --- a/resources/spamassassin/60_welcomelist_auth.cf +++ /dev/null @@ -1,1996 +0,0 @@ -# SpamAssassin rules file: default SPF and DKIM whitelists -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -########################################################################### -# SPF and DKIM whitelist rules - -########################################################################### -# These should be primarily envelope-from addresses which send mail that is -# often tagged (incorrectly) as spam or high-profile domains that are common -# targets of spoofing. -# These senders should be considered trusted following proper opt-in and -# opt-out practices, publish abuse reporting procedures, and handle reports -# of abuse promptly. -# -# Welcomelist and blocklist addresses are now file-glob-style patterns, so -# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. -# -# -# IMPORTANT: Changes are needed in two places to support older versions of -# SA. Change the def_welcomelist_auth entry and search "older" and change -# the previous config entries in unison. - -# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - -def_welcomelist_auth *@apache.org -def_welcomelist_auth *@*.apache.org - -# Lists with good SPF -def_welcomelist_auth *@lists.in.gov -def_welcomelist_auth *@listserv.syr.edu -def_welcomelist_auth *@list.indiana.edu -def_welcomelist_auth *@lists.asu.edu -def_welcomelist_auth *@lists.mailscanner.info -def_welcomelist_auth *@lists.wisc.edu - -# High profile targets for spoofing -def_welcomelist_auth *@facebookmail.com -def_welcomelist_auth *@*.facebookmail.com -def_welcomelist_auth *@google.com -def_welcomelist_auth *@accounts.google.com -def_welcomelist_auth *@walmart.com -def_welcomelist_auth *@*.walmart.com -def_welcomelist_auth *@*.usaa.com -def_welcomelist_auth *@citi.com -def_welcomelist_auth *@*.citi.com -def_welcomelist_auth *@chase.com -def_welcomelist_auth *@*.chase.com -def_welcomelist_auth *@*.dropboxmail.com -def_welcomelist_auth *@wellsfargo.com -def_welcomelist_auth *@*.wellsfargo.com -def_welcomelist_auth *@bankofamerica.com -def_welcomelist_auth *@*.bankofamerica.com -def_welcomelist_auth *@ally.com -def_welcomelist_auth *@*.ally.com -def_welcomelist_auth *@postmaster.aol.com -def_welcomelist_auth *@usbank.com -def_welcomelist_auth *@*.usbank.com -def_welcomelist_auth *@firsttennessee.com -def_welcomelist_auth *@usps.gov -def_welcomelist_auth *@*.usda.gov -def_welcomelist_auth *@instagram.com -def_welcomelist_auth *@*.instagram.com -def_welcomelist_auth *@indeedemail.com -def_welcomelist_auth *=pkginfo@ups.com -def_welcomelist_auth mcinfo@ups.com -def_welcomelist_auth *@fedex.com -def_welcomelist_auth *@*.fedex.com -def_welcomelist_auth americanexpress@aexpfeedback.com -def_welcomelist_auth *@capitalone.com -def_welcomelist_auth *@*.capitalone.com -def_welcomelist_auth *@*.capitaloneemail.com -def_welcomelist_auth *@*.khanacademy.org -def_welcomelist_auth *@*.wordpress.com -def_welcomelist_auth *@statefarm.com -def_welcomelist_auth *@*.statefarminfo.com -def_welcomelist_auth *@*.visa.com -def_welcomelist_auth *@visapayablesautomation.com -def_welcomelist_auth *@visadpsmessage.com -def_welcomelist_auth *@*.pinterest.com -def_welcomelist_auth *@indeed.com -def_welcomelist_auth *@docusign.net -def_welcomelist_auth *@*.docusign.com - -# Senders consistently scoring low with advanced tuned SA to help default SA configurations. -# -# Criteria to be listed below: -# - minimum of 100 emails over a week and -# - use a subdomain or specific left-half address and -# - not be a human mailbox that can be compromised and -# - average score for the week is low and -# - hit SPF_PASS and/or DKIM_VALID_AU and -# - not hit DMARC_FAIL or DMARC_REJECT (from OpenDMARC milter) -# -# These listings are intended to: -# - promote mass mailer sending from a subdomain -# - encourage system-generated to be sent from a subdomain -# - reward senders that send with good SPF, DKIM, and DMARC -# - allow for phishing/spoofed/fake emails to stand out more -# so local rules can be setup to add points without blocking -# authentic emails -# -def_welcomelist_auth *@*.indeed.com -def_welcomelist_auth *@*.wellframe.com -def_welcomelist_auth *@*.hyatt.com -def_welcomelist_auth *@*.sears.com -def_welcomelist_auth *@*.jcpenney.com -def_welcomelist_auth *@*.landsend.com -def_welcomelist_auth *@squaretrade.com -def_welcomelist_auth *@bn.com -def_welcomelist_auth *@emailbedbathandbeyond.com -def_welcomelist_auth *@*.joann.com -def_welcomelist_auth *@*.dollargeneral.com -def_welcomelist_auth *@*.talbots.com -def_welcomelist_auth *@*.wayfair.com -def_welcomelist_auth *@*.nordstrom.com -def_welcomelist_auth *@*.zillow.com -def_welcomelist_auth dillards@dillards.com -def_welcomelist_auth *@mktgdillards.com -def_welcomelist_auth *@*.hollisterco.com -def_welcomelist_auth *@*.us-cert.gov -def_welcomelist_auth *@*.rei.com -def_welcomelist_auth *@duluthtradingemail.com -def_welcomelist_auth *@hilton.com -def_welcomelist_auth *@*.hilton.com -def_welcomelist_auth *@*.starwoodhotels.com -def_welcomelist_auth *@craigslist.org -def_welcomelist_auth *@*.macys.com -def_welcomelist_auth *@*.staples.com -def_welcomelist_auth *@*.fandango.com -def_welcomelist_auth *@*.fandangonow.com -def_welcomelist_auth *@*.eddiebauer.com -def_welcomelist_auth *@*.eastbay.com -def_welcomelist_auth *@*.samsclub.com -def_welcomelist_auth *@*.potterybarn.com -def_welcomelist_auth *@*.travelocity.com -def_welcomelist_auth *@*.oriental-trading.com -def_welcomelist_auth *@*.efax.com -def_welcomelist_auth *@*.spamcop.net -def_welcomelist_auth noreply@apple.com -def_welcomelist_auth do_not_reply@apple.com -def_welcomelist_auth *@*.apple.com -def_welcomelist_auth *@*.insideapple.com -def_welcomelist_auth *@*.itunes.com -def_welcomelist_auth *@*.att-mail.com -def_welcomelist_auth *@*.vzw.com -def_welcomelist_auth *@*.vzwshop.com -def_welcomelist_auth *@*.fandango.com -def_welcomelist_auth *@*.aa.com -def_welcomelist_auth *@*.delta.com -def_welcomelist_auth *@*.southwest.com -def_welcomelist_auth *@*.southwestvacations.com -def_welcomelist_auth *@*.spirit-airlines.com -def_welcomelist_auth *@*.youversion.com -def_welcomelist_auth *@*.ashleystewart.com -def_welcomelist_auth *@*.creditkarma.com -def_welcomelist_auth *@*.creditsesame.com -def_welcomelist_auth *@*.amazon.com -def_welcomelist_auth *@*.livingsocial.com -def_welcomelist_auth *@*.yelp.com -def_welcomelist_auth *@*.opentable.com -def_welcomelist_auth *@*.pier1.com -def_welcomelist_auth *@*.nationalgeographic.com -def_welcomelist_auth *@*.lessonplanet.com -def_welcomelist_auth *@*.teacherspayteachers.com -def_welcomelist_auth *@*.childrensplace.com -def_welcomelist_auth *@*.uber.com -def_welcomelist_auth *@*.foxnews.com -def_welcomelist_auth *@*.cnn.com -def_welcomelist_auth *@*.walgreens.com -def_welcomelist_auth *@*.cvs.com -def_welcomelist_auth *@*.hgtv.com -def_welcomelist_auth *@*.starz.com -def_welcomelist_auth *@*.zales.com -def_welcomelist_auth *@*.partycity.com -def_welcomelist_auth *@*.petco.com -def_welcomelist_auth *@*.nyandcompany.com -def_welcomelist_auth *@*.govdelivery.com -def_welcomelist_auth *@*.us-cert.gov -def_welcomelist_auth *@*.senate.gov -def_welcomelist_auth *@*.priceline.com -def_welcomelist_auth *@*.travelzoo.com -def_welcomelist_auth *@*.uso.org -def_welcomelist_auth *@*.checksunlimited.com -def_welcomelist_auth *@*.nytimes.com -def_welcomelist_auth *@slickdeals.net -def_welcomelist_auth *@*.cancer.org -def_welcomelist_auth *@*.pinterest.com -def_welcomelist_auth *@*.hotwire.com -def_welcomelist_auth *@*.dominos.com -def_welcomelist_auth *@*.potterybarn.com -def_welcomelist_auth *@*.shopstyle.com -def_welcomelist_auth *@*.mealtrain.com -def_welcomelist_auth *@*.zazzle.com -def_welcomelist_auth *@*.finishline.com -def_welcomelist_auth *@*.rover.com -def_welcomelist_auth *@*.pandora.com -def_welcomelist_auth *@*.jcrew.com -def_welcomelist_auth *@*.lifeway.com -def_welcomelist_auth *@*.jossandmain.com -def_welcomelist_auth *@*.maurices.com -def_welcomelist_auth *@*.flipboard.com -def_welcomelist_auth *@*.nhl.com -def_welcomelist_auth *@*.nfl.com -def_welcomelist_auth *@*.nflshop.com -def_welcomelist_auth *@*.nba.com -def_welcomelist_auth *@*.mlb.com -def_welcomelist_auth *@*.mlblists.com -def_welcomelist_auth *@*.containerstore.com -def_welcomelist_auth *@*.fitbit.com -def_welcomelist_auth *@*.justfab.com -def_welcomelist_auth *@*.tripadvisor.com -def_welcomelist_auth *@*.care.com -def_welcomelist_auth *@*.tommiecopper.com -def_welcomelist_auth *@*.education.com -def_welcomelist_auth *@*.target.com -def_welcomelist_auth *@*.fanatics.com -def_welcomelist_auth *@*.loft.com -def_welcomelist_auth *@*.gymboree.com -def_welcomelist_auth *@*.craylola.com -def_welcomelist_auth *@*.bathandbodyworks.com -def_welcomelist_auth *@*.carters.com -def_welcomelist_auth *@*.fansedge.com -def_welcomelist_auth *@*.gap.com -def_welcomelist_auth *@*.gapfactory.com -def_welcomelist_auth *@*.carnivalcruiselineemail.com -def_welcomelist_auth *@*.carhartt-email.com -def_welcomelist_auth *@*.journeys.com -def_welcomelist_auth *@*.ashleystewart.com -def_welcomelist_auth *@*.grandhomefurnishings.com -def_welcomelist_auth *@*.americangreetings.com -def_welcomelist_auth *@*.ralphlauren.com -def_welcomelist_auth *@*.catofashions.com -def_welcomelist_auth *@*.tjmaxx.tjx.com -def_welcomelist_auth *@*.uso.org -def_welcomelist_auth *@*.sallybeauty.com -def_welcomelist_auth *@*.oshkosh.com -def_welcomelist_auth *@*.dealnews.com -def_welcomelist_auth *@*.victoriassecret.com -def_welcomelist_auth *@*.northerntoolemail.com -def_welcomelist_auth *@*.golfnow.com -def_welcomelist_auth *@*.keurig.com -def_welcomelist_auth *@*.bannanarepublicfactory.com -def_welcomelist_auth *@*.girlscouts.org -def_welcomelist_auth *@*.zumiez.com -def_welcomelist_auth *@*.cabelas.com -def_welcomelist_auth *@*.hbonow.com -def_welcomelist_auth *@*.menswearhouse.com -def_welcomelist_auth *@*.brecks.com -def_welcomelist_auth *@*.jostens.com -def_welcomelist_auth *@*.josabank.com -def_welcomelist_auth *@*.charteremails.com -def_welcomelist_auth *@*.golfdigest.com -def_welcomelist_auth *@*.neimanmarcusemail.com -def_welcomelist_auth *@*.bucklemail.com -def_welcomelist_auth *@*.baskinrobbins.com -def_welcomelist_auth *@*.draftkings.com -def_welcomelist_auth *@*.krogeremail.com -def_welcomelist_auth *@*.lowesforpros.com -def_welcomelist_auth *@*.campingworld.com -def_welcomelist_auth *@accountprotection.microsoft.com -def_welcomelist_auth *@*.dickies.com -def_welcomelist_auth *@*.stewardship.com -def_welcomelist_auth *@*.military.com -def_welcomelist_auth *@*.basecamp.com -def_welcomelist_auth *@*.savethechildren.org -def_welcomelist_auth *@*.anthem.com -def_welcomelist_auth *@*.nyandcompany.com -def_welcomelist_auth *@*.chicagotribune.com -def_welcomelist_auth *@*.underarmour.com -def_welcomelist_auth *@*.discounttire-email.com -def_welcomelist_auth *@*.mozilla.org -def_welcomelist_auth *@*.experian.com -def_welcomelist_auth *@*.wrangler.com -def_welcomelist_auth *@*.callofduty.com -def_welcomelist_auth *@*.davidsbridal.com -def_welcomelist_auth *@*.email-carmax.com -def_welcomelist_auth *@*.dunkindonuts.com -def_welcomelist_auth *@*.seaworld.com -def_welcomelist_auth *@*.lordandtaylor.com -def_welcomelist_auth *@*.wyndhamrewards.com -def_welcomelist_auth *@*.hallmark.com -def_welcomelist_auth *@*.thisoldhouse.com -def_welcomelist_auth *@*.grubhub.com -def_welcomelist_auth *@*.saks.com -def_welcomelist_auth *@*.saksoff5th.com -def_welcomelist_auth *@*.adidas.com -def_welcomelist_auth *@*.crocs-email.com -def_welcomelist_auth *@*.siriusxm.com -def_welcomelist_auth *@*.officedepot.com -def_welcomelist_auth *@*.thepamperedchef.com -def_welcomelist_auth *@*.kirklands.com -def_welcomelist_auth *@*.biglots.com -def_welcomelist_auth *@*.hulumail.com -def_welcomelist_auth *@*.homedepotemail.com -def_welcomelist_auth *@*.cisco.com -def_welcomelist_auth *@*.angieslist.com -def_welcomelist_auth *@*.livingsocial.com -def_welcomelist_auth *@*.channing-bete.com -def_welcomelist_auth *@*.accor-mail.com -def_welcomelist_auth *@*.highlights.com -def_welcomelist_auth *@*.scholastic.com -def_welcomelist_auth *@*.olivegarden.com -def_welcomelist_auth *@*.themailbox.com -def_welcomelist_auth *@*.steinmart.com -def_welcomelist_auth *@*.quill.com -def_welcomelist_auth *@*.netflix.com -def_welcomelist_auth *@*.expediamail.com -def_welcomelist_auth *@*.generalmills.com -def_welcomelist_auth *@*.overstock.com -def_welcomelist_auth *@*.grammarly.com -def_welcomelist_auth *@*.tractorsupply.com -def_welcomelist_auth *@*.hcahealthcare.com -def_welcomelist_auth *@*.foodservicedirector.com -def_welcomelist_auth *@*.suntrust.com -def_welcomelist_auth *@*.doverpublishing.com -def_welcomelist_auth *@*.thelimited.com -def_welcomelist_auth *@*.meetup.com -def_welcomelist_auth *@*.columbia.com -def_welcomelist_auth *@*.ocharleys.com -def_welcomelist_auth *@*.ancestry.com -def_welcomelist_auth *@*.shoecarnival.com -def_welcomelist_auth *@*.mattel.com -def_welcomelist_auth *@*.smilereminder.com -def_welcomelist_auth *@*.newyorktimes.com -def_welcomelist_auth *@*.booking.com -def_welcomelist_auth *@*.lids.com -def_welcomelist_auth *@*.macmillan.com -def_welcomelist_auth *@*.costco.com -def_welcomelist_auth *@*.nike.com -def_welcomelist_auth *@*.xbox.com -def_welcomelist_auth *@*.politicoemail.com -def_welcomelist_auth *@*.gamestop.com -def_welcomelist_auth *@*.dropbox.com -def_welcomelist_auth *@*.dcsg.com -#def_welcomelist_auth *@*.robly.com -def_welcomelist_auth *@*.ncaa.com -def_welcomelist_auth *@*.lendingclub.com -def_welcomelist_auth *@*.hotels.com -def_welcomelist_auth *@*.michaels.com -def_welcomelist_auth *@*.vistaprint.com -def_welcomelist_auth *@*.regions.com -def_welcomelist_auth *@*.dollywood.com -def_welcomelist_auth *@*.sears-optical.com -def_welcomelist_auth *@*.e-lenscrafters.com -def_welcomelist_auth *@*.email-advanceautoparts.com -def_welcomelist_auth *@*.evernote.com -def_welcomelist_auth *@*.ebates.com -def_welcomelist_auth *@*.sylvanlearning.com -def_welcomelist_auth *@*.ebay.com -def_welcomelist_auth *@*.officesupply.com -def_welcomelist_auth *@*.dsw.com -def_welcomelist_auth *@*.quicken.com -def_welcomelist_auth *@*.quickenloans.com -def_welcomelist_auth *@*.harpercollins.com -def_welcomelist_auth *@*.gofundme.com -def_welcomelist_auth *@*.peachjar.com -def_welcomelist_auth *@*.mystubhub.com -def_welcomelist_auth *@*.hertz.com -def_welcomelist_auth *@theupsstore.com -def_welcomelist_auth *@vocabulary.com -def_welcomelist_auth *@*.spotify.com -def_welcomelist_auth *@*.musiciansfriend.com -def_welcomelist_auth *@*.longhornsteakhouse.com -def_welcomelist_auth *@*.abercrombie.com -def_welcomelist_auth *@*.lakeside.com -def_welcomelist_auth *@*.dccc.org -def_welcomelist_auth *@*.remind.com -def_welcomelist_auth *@*.swimoutlet.com -def_welcomelist_auth *@*.visionworks.com -def_welcomelist_auth *@*.kraftrecipes.com -def_welcomelist_auth *@*.ebth.com -def_welcomelist_auth *@*.baker-taylor.com -def_welcomelist_auth *@*.usafootball.com -def_welcomelist_auth *@*.ikea-usa.com -def_welcomelist_auth *@*.jet.com -def_welcomelist_auth *@*.ezchildtrack.com -def_welcomelist_auth *@*.twinkl.co.uk -def_welcomelist_auth *@*.tgw.com -def_welcomelist_auth *@*.airbnb.com -def_welcomelist_auth *@*.nea.org -def_welcomelist_auth *@*.bhg.com -def_welcomelist_auth *@*.nest.com -def_welcomelist_auth *@*.colehaan.com -def_welcomelist_auth *@*.microsoft.com -def_welcomelist_auth *@*.vanheusen.com -def_welcomelist_auth *@*.shoppbs.org -def_welcomelist_auth *@*.roku.com -def_welcomelist_auth *@*.hearstmags.com -def_welcomelist_auth *@*.carlsonhotels.com -def_welcomelist_auth *@*.marykay.com -def_welcomelist_auth *@*.publix.com -def_welcomelist_auth *@*.eharmony.com -def_welcomelist_auth *@*.powerschool.com -def_welcomelist_auth *@*.dell.com -def_welcomelist_auth *@*.hp.com -def_welcomelist_auth *@*.microsoftrewards.com -def_welcomelist_auth *@*.untuckit.com -def_welcomelist_auth *@*.adobesystems.com -def_welcomelist_auth *@*.pumpitupfun.com -def_welcomelist_auth *@*.payless.com -def_welcomelist_auth *@*.consumerreports.org -def_welcomelist_auth *@*.blueapron.com -def_welcomelist_auth *@*.email-libertymutual.com -def_welcomelist_auth *@*.marthastewart.com -def_welcomelist_auth *@*.nm.com -def_welcomelist_auth *@*.nissanusa.com -def_welcomelist_auth *@*.discountschoolsupply.com -def_welcomelist_auth *@*.destinationmaternity.com -def_welcomelist_auth *@*.calendly.com -def_welcomelist_auth *@*.healthequity.com -def_welcomelist_auth *@investordelivery.com -def_welcomelist_auth *@*.topgolf.com -def_welcomelist_auth *@logmein.com -def_welcomelist_auth *@lastpass.com -def_welcomelist_auth *@*.seabourn.com -def_welcomelist_auth *@*.execucar.com -def_welcomelist_auth *@*.build.com -def_welcomelist_auth *@*.trulia.com -def_welcomelist_auth *@*.rentalcars.com -def_welcomelist_auth *@recommendedjobs.com -def_welcomelist_auth *@*.zendesk.com -def_welcomelist_auth *@*.advocareemail.com -def_welcomelist_auth *@*.plenti.com -def_welcomelist_auth *@*.amolatina.com -def_welcomelist_auth *@*.accutrain.com -def_welcomelist_auth *@*.barnesandnoble.com -def_welcomelist_auth *@*.bookbub.com -def_welcomelist_auth *@*.gnc.com -def_welcomelist_auth *@*.avon.com -def_welcomelist_auth *@*.mymapcorewards.com -def_welcomelist_auth *@*.teespring.com -def_welcomelist_auth *@*.bpdriverrewards.com -def_welcomelist_auth *@*.aenetworks.com -def_welcomelist_auth *@*.wellsfargoemail.com -def_welcomelist_auth *@*.ixl.com -def_welcomelist_auth *@*.digitalocean.com -def_welcomelist_auth *@*.mohela.com -def_welcomelist_auth *@*.wish.com -def_welcomelist_auth *@*.frontrowed.com -def_welcomelist_auth *@*.goodreads.com -def_welcomelist_auth *@*.myschoolcast.com -def_welcomelist_auth *@*.airfarewatchdog.com -def_welcomelist_auth *@*.express.com -def_welcomelist_auth *@*.ulta.com -def_welcomelist_auth *@*.bradsdeals.com -def_welcomelist_auth *@*.edlio.com -def_welcomelist_auth *@*.soma.com -def_welcomelist_auth *@*.mycollegeoptions.org -def_welcomelist_auth *@*.pch.com -def_welcomelist_auth *@*.lormanonlinelearning.com -def_welcomelist_auth *@*.jetsetter.com -def_welcomelist_auth *@*.ebags.com -def_welcomelist_auth *@*.titanlamco.com -def_welcomelist_auth *@*.understood.org -def_welcomelist_auth *@cvent-planner.com -def_welcomelist_auth *@remindmemd.com -def_welcomelist_auth *@*.wizehive.com -def_welcomelist_auth *@*.potterybarnkids.com -def_welcomelist_auth *@*.zoosk.com -def_welcomelist_auth *@*.whitehouseblackmarket.com -def_welcomelist_auth *@*.iheart.com -def_welcomelist_auth *@*.testout.com -def_welcomelist_auth *@*.surveymonkeyuser.com -def_welcomelist_auth *@*.lumosity.com -def_welcomelist_auth *@kayak.com -def_welcomelist_auth *@*.kayak.com -def_welcomelist_auth *@*.smartertravel.com -def_welcomelist_auth *@*.discover.com -def_welcomelist_auth *@*.neamemberbenefits.com -def_welcomelist_auth *@*.enterprise.com -def_welcomelist_auth *@*.jessicalondon.com -def_welcomelist_auth *@*.geico.com -def_welcomelist_auth *@*.tommy.com -def_welcomelist_auth *@cignasecure.com -def_welcomelist_auth *@*.aarp.org -def_welcomelist_auth *@*.aeropostale.com -def_welcomelist_auth *@*.zappos.com -def_welcomelist_auth *@*.redhat.com -def_welcomelist_auth *@*.planningcenteronline.com -def_welcomelist_auth *@*.ihg.com -def_welcomelist_auth *@*.opendns.com -def_welcomelist_auth *@*.loftoutlet.com -def_welcomelist_auth *@*.hrblock.com -def_welcomelist_auth *@secureworks.com -def_welcomelist_auth *@*.secureworks.com -def_welcomelist_auth *@*.crateandbarrel.com -def_welcomelist_auth *@*.redbox.com -def_welcomelist_auth *@*.lowfares.com -def_welcomelist_auth *@*.rocketloans.com -def_welcomelist_auth *@*.ganderoutdoors.com -def_welcomelist_auth *@*.mandarinoriental.com -def_welcomelist_auth *@*.retailmenot.com -def_welcomelist_auth *@*.overdrive.com -def_welcomelist_auth *@*.snapchat.com -def_welcomelist_auth *@*.cheaptickets.com -def_welcomelist_auth *@*.1800flowers.com -def_welcomelist_auth *@*.guitarcenter.com -def_welcomelist_auth *@*.vmware.com -def_welcomelist_auth *@*.katespade.com -def_welcomelist_auth *@*.gerber.com -def_welcomelist_auth *@*.pandora.net -def_welcomelist_auth *@*.alibaba.com -def_welcomelist_auth *@*.kahoot.com -def_welcomelist_auth *@email-od.com -def_welcomelist_auth *@gallupmail.com -def_welcomelist_auth *@*.stenhouse.com -def_welcomelist_auth *@*.horacemann.com -def_welcomelist_auth *@bmwusa.com -def_welcomelist_auth *@*.thumbtack.com -def_welcomelist_auth *@*.brylanehome.com -def_welcomelist_auth *@*.bradfordexchange.com -def_welcomelist_auth *@*.touchofmodern.com -def_welcomelist_auth *@*.berries.com -def_welcomelist_auth *@*.reddressboutique.com -def_welcomelist_auth *@*.progressive.com -def_welcomelist_auth *@*.forever21.com -def_welcomelist_auth *@*.consumercrafts.com -def_welcomelist_auth *@*.epriority.com -def_welcomelist_auth *@*.schwab.com -def_welcomelist_auth *@*.wwe.com -def_welcomelist_auth *@*.coldwatercreek.com -def_welcomelist_auth *@*.homechef.com -def_welcomelist_auth *@*.flyfrontier.com -def_welcomelist_auth *@*.charbroil.com -def_welcomelist_auth *@*.bludot.com -def_welcomelist_auth *@*.directgeneral.com -def_welcomelist_auth *@*.subaru.com -def_welcomelist_auth *@*.aexp.com -def_welcomelist_auth *@*.usssa.com -def_welcomelist_auth *@*.bestwesternrewards.com -def_welcomelist_auth *@*.email-weightwatchers.com -def_welcomelist_auth *@*.email-allstate.com -def_welcomelist_auth *@*.dove.com -def_welcomelist_auth *@*.teamusa.org -def_welcomelist_auth *@*.mylife.com -def_welcomelist_auth *@*.cbssports.com -def_welcomelist_auth *@*.fingerhut.com -def_welcomelist_auth *@*.fossil.com -def_welcomelist_auth *@*.adt.com -def_welcomelist_auth *@*.23andme.com -def_welcomelist_auth *@*.fashionnova.com -def_welcomelist_auth *@*.myfitnesspal.com -def_welcomelist_auth *@*.zayconfoods.com -def_welcomelist_auth *@*.housershoes.com -def_welcomelist_auth *@*.prepsportswear.com -def_welcomelist_auth *@*.freebiesfrenzy.com -def_welcomelist_auth *@*.minted.com -def_welcomelist_auth *@*.kickstarter.com -def_welcomelist_auth *@*.bluebellwholesale.com -def_welcomelist_auth tickets@amtrak.com -def_welcomelist_auth *@*.tyndale.com -def_welcomelist_auth reservations@druryhotels.com -def_welcomelist_auth *@*.autopartswarehouse.com -def_welcomelist_auth *@*.levi.com -def_welcomelist_auth *@*.echosign.com -def_welcomelist_auth *@*.carparts.com -def_welcomelist_auth *@*.jared.com -def_welcomelist_auth *@*.superjeweler.com -def_welcomelist_auth *@*.ticketnetwork.com -def_welcomelist_auth *@*.kay.com -def_welcomelist_auth *@*.grainger.com -def_welcomelist_auth *@*.fivebelow.com -def_welcomelist_auth *@*.destinationxl.com -def_welcomelist_auth *@*.perfectdeliver.com -def_welcomelist_auth *@*.buffalowildwings.com -def_welcomelist_auth *@*.macaronikid.com -def_welcomelist_auth *@*.marshallsonline.com -def_welcomelist_auth *@*.nordstromrack.com -def_welcomelist_auth *@*.kyliecosmetics.com -def_welcomelist_auth *@*.midwestsports.com -def_welcomelist_auth *@*.deluxe.com -def_welcomelist_auth *@*.fidelity.com -def_welcomelist_auth *@ticketmaster.com -def_welcomelist_auth *@mozillafoundation.org -def_welcomelist_auth *@*.uhc.com -def_welcomelist_auth *@*.sprint.com -def_welcomelist_auth *@*.rxhealthalerts.com -def_welcomelist_auth *@*.eventtracker.com -def_welcomelist_auth *@*.horoscope.com -def_welcomelist_auth *@*.email-lifetouch.com -def_welcomelist_auth *@*.evine.com -def_welcomelist_auth *@*.donorschoose.org -def_welcomelist_auth noreply@adt.com -def_welcomelist_auth *@tmomail.net -def_welcomelist_auth donotreply@dhl.com -def_welcomelist_auth *@travelodge.co.uk -def_welcomelist_auth bounce@ryanairemail.com -def_welcomelist_auth *@*.tpr.gov.uk -def_welcomelist_auth homedepotreceipt@homedepot.com -def_welcomelist_auth *@*.lifewaystores.com -def_welcomelist_auth *@*.paypalcredit.com -def_welcomelist_auth *@paypal-customerfeedback.com -def_welcomelist_auth no-reply@flyfrontier.com -def_welcomelist_auth *@*.canon.com -def_welcomelist_auth *@*.techtrnds.com -def_welcomelist_auth *@*.realsimple.com -def_welcomelist_auth *@espnmail.com -def_welcomelist_auth *@*.nickjr.com -def_welcomelist_auth *@*.eschoolnews.com -def_welcomelist_auth *@*.motosnap.com -def_welcomelist_auth *@*.gsnutsandmags.com -def_welcomelist_auth *@*.shutterfly.com -def_welcomelist_auth *@*.edgenuity.com -def_welcomelist_auth *@*.goodreads.com -def_welcomelist_auth *@*.shrm.org -def_welcomelist_auth *@*.mtshrm.org -def_welcomelist_auth *@*.gynzy.com -def_welcomelist_auth *@*.actionnetwork.org -def_welcomelist_auth *@*.teacherfindr.com -def_welcomelist_auth *@*.tladoonline.com -def_welcomelist_auth *@*.aaa.com -def_welcomelist_auth *@*.woot.com -def_welcomelist_auth *@*.nsba.org -def_welcomelist_auth *@*.teamapp.com -def_welcomelist_auth *@*.act.org -def_welcomelist_auth *@*.vetsandfamily.com -def_welcomelist_auth *@*.jeansforvets.org -def_welcomelist_auth *@*.welcomehomevet.org -def_welcomelist_auth *@*.readingeggs.com -def_welcomelist_auth *@*.myschoolcast.com -def_welcomelist_auth *@*.takethemameal.com -def_welcomelist_auth *@*.shape.com -def_welcomelist_auth *@*.videoblocks.com -def_welcomelist_auth *@*.wifeteachermommy.com -def_welcomelist_auth *@*.darice.com -def_welcomelist_auth *@*.everfi.net -def_welcomelist_auth *@godvinemail.com -def_welcomelist_auth *@*.doheny.com -def_welcomelist_auth *@*.nyansa.com -def_welcomelist_auth *@*.submittable.com -def_welcomelist_auth *@*.slideshare.net -def_welcomelist_auth *@*.ocm.com -def_welcomelist_auth *@*.dji.com -def_welcomelist_auth *@*.zyngamail.com -def_welcomelist_auth *@*.costasunglasses.com -def_welcomelist_auth *@*.baseballexpress.com -def_welcomelist_auth *@dishemail.com -def_welcomelist_auth *@*.promgirl.com -def_welcomelist_auth *@*.ed.gov -def_welcomelist_auth *@*.carecredit.com -def_welcomelist_auth *@*.trello.com -def_welcomelist_auth *@*.shopify.com -def_welcomelist_auth *@*.iclasspro.com -def_welcomelist_auth *@mail-fellowesbrands.com -def_welcomelist_auth *@*.planetfitness.com -def_welcomelist_auth *@*.shoppinkblush.com -def_welcomelist_auth *@*.webmdprofessional.com -def_welcomelist_auth *@*.omadahealth.com -def_welcomelist_auth *@*.vividseats.com -def_welcomelist_auth *@*.avis.com -def_welcomelist_auth *@*.square.com -def_welcomelist_auth *@*.ruthschris-email.com -def_welcomelist_auth *@*.zearn.org -def_welcomelist_auth *@*.careerbuilder.com -def_welcomelist_auth *@*.kelloggs.com -def_welcomelist_auth *@*.wunderground.com -def_welcomelist_auth *@*.silpada.com -def_welcomelist_auth *@*.toofaced.com -def_welcomelist_auth *@*.sonicwall.com -def_welcomelist_auth *@*.bebe.com -def_welcomelist_auth *@*.discoveryeducation.com -def_welcomelist_auth *@*.alison.com -def_welcomelist_auth *@*.livestream.com -def_welcomelist_auth *@*.rockauto.com -def_welcomelist_auth *@*.elfcosmetics.com -def_welcomelist_auth *@*.cars.com -def_welcomelist_auth *@*.puritan.com -def_welcomelist_auth *@*.cheddars.com -def_welcomelist_auth *@*.schoolmessenger.com -def_welcomelist_auth *@*.pinchme.com -def_welcomelist_auth *@*.clarksusa.com -def_welcomelist_auth *@*.smore.com -def_welcomelist_auth *@*.softball.com -def_welcomelist_auth *@*.commonsense-email.org -def_welcomelist_auth *@*.onekingslane.com -def_welcomelist_auth *@*.elfcosmetics.com -def_welcomelist_auth *@*.aclj.org -def_welcomelist_auth *@*.darice.com -def_welcomelist_auth *@*.shopify.com -def_welcomelist_auth *@*.doheny.com -def_welcomelist_auth *@*.improvementscatalog-email.com -def_welcomelist_auth *@*.promgirl.com -def_welcomelist_auth *@*.webmdprofessional.com -def_welcomelist_auth *@*.thrivecausemetics.com -def_welcomelist_auth *@*.toofaced.com -def_welcomelist_auth *@*.evanmoor-alerts.com -def_welcomelist_auth *@*.livestream.com -def_welcomelist_auth *@*.customerville.com -def_welcomelist_auth *@*.lmscheckout.com -def_welcomelist_auth *@*.shop-explorers.com -def_welcomelist_auth *@*.helpavet.co -def_welcomelist_auth *@*.aidtroops.com -def_welcomelist_auth *@*.denindays.org -def_welcomelist_auth *@*.helpourvets.us -def_welcomelist_auth *@*.denim-day.com -def_welcomelist_auth *@*.eldarion.com -def_welcomelist_auth *@*.wunderground.com -def_welcomelist_auth *@*.kelloggs.com -def_welcomelist_auth *@*.portfolium.com -def_welcomelist_auth *@*.iclasspro.com -def_welcomelist_auth *@*.socrative.com -def_welcomelist_auth *@*.vnnsports.net -def_welcomelist_auth *@*.americauncensored.com -def_welcomelist_auth *@*.email-allstate.com -def_welcomelist_auth *@*.omadahealth.com -def_welcomelist_auth *@*.rei.com -def_welcomelist_auth *@*.research.net -def_welcomelist_auth *@*.allinlearning.com -def_welcomelist_auth *@*.energage.com -def_welcomelist_auth *@*.aasa.org -def_welcomelist_auth *@*.constructionclaims.com -def_welcomelist_auth *@*.nsba.org -def_welcomelist_auth *@*.jeansdays.com -def_welcomelist_auth *@*.servicemansupport.org -def_welcomelist_auth *@*.learningally.org -def_welcomelist_auth *@*.quill.org -def_welcomelist_auth *@*.funrewardsforyou.com -def_welcomelist_auth *@*.digicert.com -def_welcomelist_auth *@*.venmo.com -def_welcomelist_auth *@*.bestbuddies.org -def_welcomelist_auth *@*.ashleydsg.com -def_welcomelist_auth *@*.homechef.com -def_welcomelist_auth *@*.morningconsult.com -def_welcomelist_auth *@*.stewardship.com -def_welcomelist_auth *@*.salsalabs.org -def_welcomelist_auth *@*.shop-backinthesaddle.com -def_welcomelist_auth *@*.bounceexchange.com -def_welcomelist_auth *@*.tobi.com -def_welcomelist_auth *@*.makermedia.com -def_welcomelist_auth *@*.adoptapet.com -def_welcomelist_auth *@*.wested.org -def_welcomelist_auth *@*.sfsdata.com -def_welcomelist_auth *@*.sonicdrivein.com -def_welcomelist_auth *@*.justflyemail.com -def_welcomelist_auth *@*.sling.com -def_welcomelist_auth *@*.zagg.com -def_welcomelist_auth *@*.turnoutpac.org -def_welcomelist_auth *@*.whirlpool.com -def_welcomelist_auth *@*.legendsoflearning.com -def_welcomelist_auth *@*.gallup.com -def_welcomelist_auth *@*.ereflect.com -def_welcomelist_auth *@*.asumag.com -def_welcomelist_auth *@*.commonblackcollegeapp.com -def_welcomelist_auth *@*.broadridge.com -def_welcomelist_auth *@*.greenrope.com -def_welcomelist_auth *@*.trackwrestling.com -def_welcomelist_auth *@*.blackboard.com -def_welcomelist_auth *@*.govdeals.com -def_welcomelist_auth *@*.shipstation.com -def_welcomelist_auth *@*.nyansa.com -def_welcomelist_auth *@*.sciencepubs.org -def_welcomelist_auth *@*.betabrand.com -def_welcomelist_auth *@*.hhs.gov -def_welcomelist_auth *@*.discover.com -def_welcomelist_auth *@*.bebe.com -def_welcomelist_auth *@*.homeadvisor.com -def_welcomelist_auth *@*.handsonaswegrow.com -def_welcomelist_auth *@*.in.gov -def_welcomelist_auth *@*.oldchicago.com -def_welcomelist_auth *@*.globalfitnesschallenge.com -def_welcomelist_auth *@*.virtualvocations.com -def_welcomelist_auth *@*.aopa.org -def_welcomelist_auth *@*.mail-zr.com -def_welcomelist_auth *@*.trovit.com -def_welcomelist_auth *@*.hscloudsuite.com -def_welcomelist_auth *@*.rothys.com -def_welcomelist_auth *@*.sgml3.com -def_welcomelist_auth *@*.fox13memphis.com -def_welcomelist_auth *@*.sprouts.com -def_welcomelist_auth *@*.ruthschris-email.com -def_welcomelist_auth *@*.softball.com -def_welcomelist_auth *@*.yankeecandle.com -def_welcomelist_auth *@*.candidcolorhosting.com -def_welcomelist_auth *@*.endcitizensunited.org -def_welcomelist_auth *@*.redditgifts.com -def_welcomelist_auth *@*.tdworld.com -def_welcomelist_auth *@*.thenorthface.com -def_welcomelist_auth *@*.center.io -def_welcomelist_auth *@*.movethisworld.com -def_welcomelist_auth *@*.pgsurveying.com -def_welcomelist_auth *@*.mealtrain.com -def_welcomelist_auth *@*.acemsd1.com -def_welcomelist_auth *@*.jobhat.com -def_welcomelist_auth *@*.earthfare.com -def_welcomelist_auth *@*.nassp.org -def_welcomelist_auth *@*.rasa.io -def_welcomelist_auth *@*.surveydirectlive.com -def_welcomelist_auth *@*.frontgate-email.com -def_welcomelist_auth *@*.job-tree.com -def_welcomelist_auth *@*.slideshare.net -def_welcomelist_auth *@*.cambridge.org -def_welcomelist_auth *@*.everytown.org -def_welcomelist_auth *@*.bitesquad.com -def_welcomelist_auth *@*.fit2fat2fit.com -def_welcomelist_auth *@*.nationsend18.com -def_welcomelist_auth *@*.livingwelldaily.com -def_welcomelist_auth *@*.robotevents.com -def_welcomelist_auth *@*.livetext.com -def_welcomelist_auth *@*.lightreading.com -def_welcomelist_auth *@*.uscourts.gov -def_welcomelist_auth *@*.fabfitfun.com -def_welcomelist_auth *@*.edlistservs.org -def_welcomelist_auth *@*.csid.com -def_welcomelist_auth *@*.spiceworks.com -def_welcomelist_auth *@*.dctemail.com -def_welcomelist_auth *@*.thetileapp.com -def_welcomelist_auth *@*.wendys.com -def_welcomelist_auth *@*.ylginc.com -def_welcomelist_auth *@*.servicenow.com -def_welcomelist_auth *@*.charmsmusic.com -def_welcomelist_auth *@*.opendns.com -def_welcomelist_auth *@*.gracegentry.com -def_welcomelist_auth *@*.digitalsports.com -def_welcomelist_auth *@*.dailymemphian.com -def_welcomelist_auth *@*.hobsonsradius.com -def_welcomelist_auth *@*.diversifiedemail.com -def_welcomelist_auth *@*.harlemglobetrotters.com -def_welcomelist_auth *@*.nationsend12.com -def_welcomelist_auth *@*.sf-notifications.com -def_welcomelist_auth *@*.noredink.com -def_welcomelist_auth *@*.amtrak.com -def_welcomelist_auth *@*.homegoods.com -def_welcomelist_auth *@*.bigteams.com -def_welcomelist_auth *@*.stansberryresearch.com -def_welcomelist_auth *@*.fafsa.gov -def_welcomelist_auth *@*.solarwinds.com -def_welcomelist_auth *@*.petsgeek.com -def_welcomelist_auth *@*.consumerservicesdirect.com -def_welcomelist_auth *@*.carfax.com -def_welcomelist_auth *@*.ismg-campaigns.com -def_welcomelist_auth *@*.passports.com -def_welcomelist_auth *@*.dailykos.com -def_welcomelist_auth *@*.loftoutlet.com -def_welcomelist_auth *@*.brit.co -def_welcomelist_auth *@*.cappex.com -def_welcomelist_auth *@*.neopost.com -def_welcomelist_auth *@*.adidas.com -def_welcomelist_auth *@*.verizonenterprise.com -def_welcomelist_auth *@*.zohodesk.com -def_welcomelist_auth *@*.renzullilearning.com -def_welcomelist_auth *@*.lumoslearning.com -def_welcomelist_auth *@*.sesamereminders.com -def_welcomelist_auth *@*.ninewest.com -def_welcomelist_auth *@*.agorafinancial.com -def_welcomelist_auth *@*.collegenet.com -def_welcomelist_auth *@*.greenrope.net -def_welcomelist_auth *@*.skyzone.com -def_welcomelist_auth *@*.adlmail.org -def_welcomelist_auth *@*.clarksusa.com -def_welcomelist_auth *@*.granicus.com -def_welcomelist_auth *@*.theblaze.com -def_welcomelist_auth *@*.lormanonlinecourses.com -def_welcomelist_auth *@*.chatbooks.com -def_welcomelist_auth *@*.tangocard.com -def_welcomelist_auth *@*.signup.com -def_welcomelist_auth *@*.aisleahead.com -def_welcomelist_auth *@*.pinkcoconutboutique.com -def_welcomelist_auth *@*.hallmark.com -def_welcomelist_auth *@*.emailpackers.com -def_welcomelist_auth *@*.windows.com -def_welcomelist_auth *@*.hartvillegroup.com -def_welcomelist_auth *@*.getresponse-mail.com -def_welcomelist_auth *@*.scholarships.com -def_welcomelist_auth *@*.wifeteachermommy.com -def_welcomelist_auth *@*.cheddars.com -def_welcomelist_auth *@*.berrylook.com -def_welcomelist_auth *@*.westernunion.com -def_welcomelist_auth *@*.aerialschoolimages.com -def_welcomelist_auth *@*.bitglass.com -def_welcomelist_auth *@*.purefitnessinnovations.com -def_welcomelist_auth *@*.coach.com -def_welcomelist_auth *@*.rockauto.com -def_welcomelist_auth *@*.americanbookcompany.com -def_welcomelist_auth *@*.rockbottomgolf.com -def_welcomelist_auth *@*.doordash.com -def_welcomelist_auth *@*.cainc.com -def_welcomelist_auth *@*.email-nationwide.com -def_welcomelist_auth *@*.honorsociety.org -def_welcomelist_auth *@*.dailysale.com -def_welcomelist_auth *@*.emsmtp.us -def_welcomelist_auth *@*.calm.com -def_welcomelist_auth *@*.snapsurveys.com -def_welcomelist_auth *@*.dropbox-mktg.com -def_welcomelist_auth *@*.striderite.com -def_welcomelist_auth *@*.stackcommerce.com -def_welcomelist_auth *@*.norton.com -def_welcomelist_auth *@*.aeds.com -def_welcomelist_auth *@*.dia.co -def_welcomelist_auth *@*.blackfriday.com -def_welcomelist_auth *@*.olay.com -def_welcomelist_auth confirmation@aircanada.ca -def_welcomelist_auth no-reply@enterprise.com -def_welcomelist_auth *@*.hubspotstarter.net -def_welcomelist_auth *@*.serverchamber.com -def_welcomelist_auth *@*.msbrooksclass.com -def_welcomelist_auth *@*.hickoryfarms.com -def_welcomelist_auth *@*.evesaddiction.com -def_welcomelist_auth *@*.sowntogrow.com -def_welcomelist_auth *@*.shopthemint.com -def_welcomelist_auth *@*.charlotterusse.com -def_welcomelist_auth *@*.moviepass.com -def_welcomelist_auth *@*.revrocket.us -def_welcomelist_auth *@*.nintendo.com -def_welcomelist_auth *@*.btr.com -def_welcomelist_auth *@*.gothamsteelstore.com -def_welcomelist_auth *@*.naturalizer.com -def_welcomelist_auth *@*.jerrysartarama.com -def_welcomelist_auth *@*.iconicgroup.com -def_welcomelist_auth *@*.spanx.com -def_welcomelist_auth *@*.haggar.com -def_welcomelist_auth *@*.change.org -def_welcomelist_auth *@*.headspace.com -def_welcomelist_auth *@*.firstsouth.com -def_welcomelist_auth *@*.instacart.com -def_welcomelist_auth *@*.kodakmoments.com -def_welcomelist_auth *@*.penzeys.com -def_welcomelist_auth *@*.rescueme.org -def_welcomelist_auth *@*.icr.org -def_welcomelist_auth *@*.joinhandshake.com -def_welcomelist_auth *@*.colourpop.com -def_welcomelist_auth *@*.actsend.com -def_welcomelist_auth *@*.audubon.org -def_welcomelist_auth *@*.noom.com -def_welcomelist_auth *@*.conexionamericas.org -def_welcomelist_auth *@*.hollywoodfeed.com -def_welcomelist_auth *@*.cio.com -def_welcomelist_auth *@*.55mulberry.com -def_welcomelist_auth *@*.knowatom.com -def_welcomelist_auth *@*.maxsamples.com -def_welcomelist_auth *@*.thekeyrewards.com -def_welcomelist_auth *@*.rakuten.com -def_welcomelist_auth *@*.tastycookerymailings.com -def_welcomelist_auth *@*.myenotice.com -def_welcomelist_auth *@*.sportclips.com -def_welcomelist_auth *@*.senzajobalerts.com -def_welcomelist_auth *@*.genghisgrill.com -def_welcomelist_auth *@*.fider.io -def_welcomelist_auth *@*.mchdata.com -def_welcomelist_auth *@*.fivestarlinemen.com -def_welcomelist_auth *@*.dunhamssports-email.com -def_welcomelist_auth *@*.vitals.com -def_welcomelist_auth *@*.thrivistlms.com -def_welcomelist_auth *@*.build.com -def_welcomelist_auth *@*.vacationmyrtlebeach.com -def_welcomelist_auth *@*.kidreports.com -def_welcomelist_auth *@*.jobframe.net -def_welcomelist_auth *@*.aegpresents.com -def_welcomelist_auth *@*.shmoop.com -def_welcomelist_auth *@*.brahminusa.com -def_welcomelist_auth *@*.stamats.com -def_welcomelist_auth *@*.wufoo.com -def_welcomelist_auth *@*.pre-kpages.com -def_welcomelist_auth *@*.listen360.com -def_welcomelist_auth *@*.silversingles.com -def_welcomelist_auth *@*.ruralking.com -def_welcomelist_auth *@*.yourhobbylobby.com -def_welcomelist_auth *@*.educationworld.com -def_welcomelist_auth *@*.theeducatorsnetwork.com -def_welcomelist_auth *@*.csoonline.com -def_welcomelist_auth *@*.youscience.com -def_welcomelist_auth *@*.konnectnow.com -def_welcomelist_auth *@*.esa.org -def_welcomelist_auth *@*.modcloth.com -def_welcomelist_auth *@*.harborfreight.com -def_welcomelist_auth *@*.eshakti.com -def_welcomelist_auth *@*.fda.gov -def_welcomelist_auth *@*.shermanstravel.com -def_welcomelist_auth *@*.naturalhealthresponse.com -def_welcomelist_auth *@*.epicgames.com -def_welcomelist_auth *@*.paisleygraceboutique.com -def_welcomelist_auth *@*.dhccare.com -def_welcomelist_auth *@*.spectrumemails.com -def_welcomelist_auth *@*.worldatwork.org -def_welcomelist_auth *@*.usatestprep.com -def_welcomelist_auth *@*.twinkl.com -def_welcomelist_auth *@*.opticsplanet.com -def_welcomelist_auth *@*.troxmail.com -def_welcomelist_auth *@*.carolina.com -def_welcomelist_auth *@*.teamviewer.com -def_welcomelist_auth *@*.bodybuilding.com -def_welcomelist_auth *@*.adobespark.com -def_welcomelist_auth *@*.entercom.com -def_welcomelist_auth *@*.hbonow.com -def_welcomelist_auth *@*.grandinroad-email.com -def_welcomelist_auth *@*.livongo.com -def_welcomelist_auth *@*.daxkoengage.com -def_welcomelist_auth *@*.lemonlimeadventures.com -def_welcomelist_auth *@*.lumosity.com -def_welcomelist_auth *@*.ihop-communications.com -def_welcomelist_auth *@*.dailysteals.com -def_welcomelist_auth *@*.testingmom.com -def_welcomelist_auth *@*.ceramicartsnetwork.org -def_welcomelist_auth *@*.verintefm.com - -endif # if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - - -# -# For older versions of SA, these old entries remain for SA before version 4.0 -# - -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - -def_whitelist_auth *@apache.org -def_whitelist_auth *@*.apache.org - -# Lists with good SPF -def_whitelist_auth *@lists.in.gov -def_whitelist_auth *@listserv.syr.edu -def_whitelist_auth *@list.indiana.edu -def_whitelist_auth *@lists.asu.edu -def_whitelist_auth *@lists.mailscanner.info -def_whitelist_auth *@lists.wisc.edu - -# High profile targets for spoofing -def_whitelist_auth *@facebookmail.com -def_whitelist_auth *@*.facebookmail.com -def_whitelist_auth *@google.com -def_whitelist_auth *@accounts.google.com -def_whitelist_auth *@walmart.com -def_whitelist_auth *@*.walmart.com -def_whitelist_auth *@*.usaa.com -def_whitelist_auth *@citi.com -def_whitelist_auth *@*.citi.com -def_whitelist_auth *@chase.com -def_whitelist_auth *@*.chase.com -def_whitelist_auth *@*.dropboxmail.com -def_whitelist_auth *@wellsfargo.com -def_whitelist_auth *@*.wellsfargo.com -def_whitelist_auth *@bankofamerica.com -def_whitelist_auth *@*.bankofamerica.com -def_whitelist_auth *@ally.com -def_whitelist_auth *@*.ally.com -def_whitelist_auth *@postmaster.aol.com -def_whitelist_auth *@usbank.com -def_whitelist_auth *@*.usbank.com -def_whitelist_auth *@firsttennessee.com -def_whitelist_auth *@usps.gov -def_whitelist_auth *@*.usda.gov -def_whitelist_auth *@instagram.com -def_whitelist_auth *@*.instagram.com -def_whitelist_auth *@indeedemail.com -def_whitelist_auth *=pkginfo@ups.com -def_whitelist_auth mcinfo@ups.com -def_whitelist_auth *@fedex.com -def_whitelist_auth *@*.fedex.com -def_whitelist_auth americanexpress@aexpfeedback.com -def_whitelist_auth *@capitalone.com -def_whitelist_auth *@*.capitalone.com -def_whitelist_auth *@*.capitaloneemail.com -def_whitelist_auth *@*.khanacademy.org -def_whitelist_auth *@*.wordpress.com -def_whitelist_auth *@statefarm.com -def_whitelist_auth *@*.statefarminfo.com -def_whitelist_auth *@*.visa.com -def_whitelist_auth *@visapayablesautomation.com -def_whitelist_auth *@visadpsmessage.com -def_whitelist_auth *@*.pinterest.com -def_whitelist_auth *@indeed.com -def_whitelist_auth *@docusign.net -def_whitelist_auth *@*.docusign.com - -# Senders consistently scoring low with advanced tuned SA to help default SA configurations. -# -# Criteria to be listed below: -# - minimum of 100 emails over a week and -# - use a subdomain or specific left-half address and -# - not be a human mailbox that can be compromised and -# - average score for the week is low and -# - hit SPF_PASS and/or DKIM_VALID_AU and -# - not hit DMARC_FAIL or DMARC_REJECT (from OpenDMARC milter) -# -# These listings are intended to: -# - promote mass mailer sending from a subdomain -# - encourage system-generated to be sent from a subdomain -# - reward senders that send with good SPF, DKIM, and DMARC -# - allow for phishing/spoofed/fake emails to stand out more -# so local rules can be setup to add points without blocking -# authentic emails -# -def_whitelist_auth *@*.indeed.com -def_whitelist_auth *@*.hyatt.com -def_whitelist_auth *@*.sears.com -def_whitelist_auth *@*.jcpenney.com -def_whitelist_auth *@*.landsend.com -def_whitelist_auth *@squaretrade.com -def_whitelist_auth *@bn.com -def_whitelist_auth *@emailbedbathandbeyond.com -def_whitelist_auth *@*.joann.com -def_whitelist_auth *@*.dollargeneral.com -def_whitelist_auth *@*.talbots.com -def_whitelist_auth *@*.wayfair.com -def_whitelist_auth *@*.nordstrom.com -def_whitelist_auth *@*.zillow.com -def_whitelist_auth dillards@dillards.com -def_whitelist_auth *@mktgdillards.com -def_whitelist_auth *@*.hollisterco.com -def_whitelist_auth *@*.us-cert.gov -def_whitelist_auth *@*.rei.com -def_whitelist_auth *@duluthtradingemail.com -def_whitelist_auth *@hilton.com -def_whitelist_auth *@*.hilton.com -def_whitelist_auth *@*.starwoodhotels.com -def_whitelist_auth *@craigslist.org -def_whitelist_auth *@*.macys.com -def_whitelist_auth *@*.staples.com -def_whitelist_auth *@*.fandango.com -def_whitelist_auth *@*.fandangonow.com -def_whitelist_auth *@*.eddiebauer.com -def_whitelist_auth *@*.eastbay.com -def_whitelist_auth *@*.samsclub.com -def_whitelist_auth *@*.potterybarn.com -def_whitelist_auth *@*.travelocity.com -def_whitelist_auth *@*.oriental-trading.com -def_whitelist_auth *@*.efax.com -def_whitelist_auth *@*.spamcop.net -def_whitelist_auth noreply@apple.com -def_whitelist_auth do_not_reply@apple.com -def_whitelist_auth *@*.apple.com -def_whitelist_auth *@*.insideapple.com -def_whitelist_auth *@*.itunes.com -def_whitelist_auth *@*.att-mail.com -def_whitelist_auth *@*.vzw.com -def_whitelist_auth *@*.vzwshop.com -def_whitelist_auth *@*.fandango.com -def_whitelist_auth *@*.aa.com -def_whitelist_auth *@*.delta.com -def_whitelist_auth *@*.southwest.com -def_whitelist_auth *@*.southwestvacations.com -def_whitelist_auth *@*.spirit-airlines.com -def_whitelist_auth *@*.youversion.com -def_whitelist_auth *@*.ashleystewart.com -def_whitelist_auth *@*.creditkarma.com -def_whitelist_auth *@*.creditsesame.com -def_whitelist_auth *@*.amazon.com -def_whitelist_auth *@*.livingsocial.com -def_whitelist_auth *@*.yelp.com -def_whitelist_auth *@*.opentable.com -def_whitelist_auth *@*.pier1.com -def_whitelist_auth *@*.nationalgeographic.com -def_whitelist_auth *@*.lessonplanet.com -def_whitelist_auth *@*.teacherspayteachers.com -def_whitelist_auth *@*.childrensplace.com -def_whitelist_auth *@*.uber.com -def_whitelist_auth *@*.foxnews.com -def_whitelist_auth *@*.cnn.com -def_whitelist_auth *@*.walgreens.com -def_whitelist_auth *@*.cvs.com -def_whitelist_auth *@*.hgtv.com -def_whitelist_auth *@*.starz.com -def_whitelist_auth *@*.zales.com -def_whitelist_auth *@*.partycity.com -def_whitelist_auth *@*.petco.com -def_whitelist_auth *@*.nyandcompany.com -def_whitelist_auth *@*.govdelivery.com -def_whitelist_auth *@*.us-cert.gov -def_whitelist_auth *@*.senate.gov -def_whitelist_auth *@*.priceline.com -def_whitelist_auth *@*.travelzoo.com -def_whitelist_auth *@*.uso.org -def_whitelist_auth *@*.checksunlimited.com -def_whitelist_auth *@*.nytimes.com -def_whitelist_auth *@slickdeals.net -def_whitelist_auth *@*.cancer.org -def_whitelist_auth *@*.pinterest.com -def_whitelist_auth *@*.hotwire.com -def_whitelist_auth *@*.dominos.com -def_whitelist_auth *@*.potterybarn.com -def_whitelist_auth *@*.shopstyle.com -def_whitelist_auth *@*.mealtrain.com -def_whitelist_auth *@*.zazzle.com -def_whitelist_auth *@*.finishline.com -def_whitelist_auth *@*.rover.com -def_whitelist_auth *@*.pandora.com -def_whitelist_auth *@*.jcrew.com -def_whitelist_auth *@*.lifeway.com -def_whitelist_auth *@*.jossandmain.com -def_whitelist_auth *@*.maurices.com -def_whitelist_auth *@*.flipboard.com -def_whitelist_auth *@*.nhl.com -def_whitelist_auth *@*.nfl.com -def_whitelist_auth *@*.nflshop.com -def_whitelist_auth *@*.nba.com -def_whitelist_auth *@*.mlb.com -def_whitelist_auth *@*.mlblists.com -def_whitelist_auth *@*.containerstore.com -def_whitelist_auth *@*.fitbit.com -def_whitelist_auth *@*.justfab.com -def_whitelist_auth *@*.tripadvisor.com -def_whitelist_auth *@*.care.com -def_whitelist_auth *@*.tommiecopper.com -def_whitelist_auth *@*.education.com -def_whitelist_auth *@*.target.com -def_whitelist_auth *@*.fanatics.com -def_whitelist_auth *@*.loft.com -def_whitelist_auth *@*.gymboree.com -def_whitelist_auth *@*.craylola.com -def_whitelist_auth *@*.bathandbodyworks.com -def_whitelist_auth *@*.carters.com -def_whitelist_auth *@*.fansedge.com -def_whitelist_auth *@*.gap.com -def_whitelist_auth *@*.gapfactory.com -def_whitelist_auth *@*.carnivalcruiselineemail.com -def_whitelist_auth *@*.carhartt-email.com -def_whitelist_auth *@*.journeys.com -def_whitelist_auth *@*.ashleystewart.com -def_whitelist_auth *@*.grandhomefurnishings.com -def_whitelist_auth *@*.americangreetings.com -def_whitelist_auth *@*.ralphlauren.com -def_whitelist_auth *@*.catofashions.com -def_whitelist_auth *@*.tjmaxx.tjx.com -def_whitelist_auth *@*.uso.org -def_whitelist_auth *@*.sallybeauty.com -def_whitelist_auth *@*.oshkosh.com -def_whitelist_auth *@*.dealnews.com -def_whitelist_auth *@*.victoriassecret.com -def_whitelist_auth *@*.northerntoolemail.com -def_whitelist_auth *@*.golfnow.com -def_whitelist_auth *@*.keurig.com -def_whitelist_auth *@*.bannanarepublicfactory.com -def_whitelist_auth *@*.girlscouts.org -def_whitelist_auth *@*.zumiez.com -def_whitelist_auth *@*.cabelas.com -def_whitelist_auth *@*.hbonow.com -def_whitelist_auth *@*.menswearhouse.com -def_whitelist_auth *@*.brecks.com -def_whitelist_auth *@*.jostens.com -def_whitelist_auth *@*.josabank.com -def_whitelist_auth *@*.charteremails.com -def_whitelist_auth *@*.golfdigest.com -def_whitelist_auth *@*.neimanmarcusemail.com -def_whitelist_auth *@*.bucklemail.com -def_whitelist_auth *@*.baskinrobbins.com -def_whitelist_auth *@*.draftkings.com -def_whitelist_auth *@*.krogeremail.com -def_whitelist_auth *@*.lowesforpros.com -def_whitelist_auth *@*.campingworld.com -def_whitelist_auth *@accountprotection.microsoft.com -def_whitelist_auth *@*.dickies.com -def_whitelist_auth *@*.stewardship.com -def_whitelist_auth *@*.military.com -def_whitelist_auth *@*.basecamp.com -def_whitelist_auth *@*.savethechildren.org -def_whitelist_auth *@*.anthem.com -def_whitelist_auth *@*.nyandcompany.com -def_whitelist_auth *@*.chicagotribune.com -def_whitelist_auth *@*.underarmour.com -def_whitelist_auth *@*.discounttire-email.com -def_whitelist_auth *@*.mozilla.org -def_whitelist_auth *@*.experian.com -def_whitelist_auth *@*.wrangler.com -def_whitelist_auth *@*.callofduty.com -def_whitelist_auth *@*.davidsbridal.com -def_whitelist_auth *@*.email-carmax.com -def_whitelist_auth *@*.dunkindonuts.com -def_whitelist_auth *@*.seaworld.com -def_whitelist_auth *@*.lordandtaylor.com -def_whitelist_auth *@*.wyndhamrewards.com -def_whitelist_auth *@*.hallmark.com -def_whitelist_auth *@*.thisoldhouse.com -def_whitelist_auth *@*.grubhub.com -def_whitelist_auth *@*.saks.com -def_whitelist_auth *@*.saksoff5th.com -def_whitelist_auth *@*.adidas.com -def_whitelist_auth *@*.crocs-email.com -def_whitelist_auth *@*.siriusxm.com -def_whitelist_auth *@*.officedepot.com -def_whitelist_auth *@*.thepamperedchef.com -def_whitelist_auth *@*.kirklands.com -def_whitelist_auth *@*.biglots.com -def_whitelist_auth *@*.hulumail.com -def_whitelist_auth *@*.homedepotemail.com -def_whitelist_auth *@*.cisco.com -def_whitelist_auth *@*.angieslist.com -def_whitelist_auth *@*.livingsocial.com -def_whitelist_auth *@*.channing-bete.com -def_whitelist_auth *@*.accor-mail.com -def_whitelist_auth *@*.highlights.com -def_whitelist_auth *@*.scholastic.com -def_whitelist_auth *@*.olivegarden.com -def_whitelist_auth *@*.themailbox.com -def_whitelist_auth *@*.steinmart.com -def_whitelist_auth *@*.quill.com -def_whitelist_auth *@*.netflix.com -def_whitelist_auth *@*.expediamail.com -def_whitelist_auth *@*.generalmills.com -def_whitelist_auth *@*.overstock.com -def_whitelist_auth *@*.grammarly.com -def_whitelist_auth *@*.tractorsupply.com -def_whitelist_auth *@*.hcahealthcare.com -def_whitelist_auth *@*.foodservicedirector.com -def_whitelist_auth *@*.suntrust.com -def_whitelist_auth *@*.doverpublishing.com -def_whitelist_auth *@*.thelimited.com -def_whitelist_auth *@*.meetup.com -def_whitelist_auth *@*.columbia.com -def_whitelist_auth *@*.ocharleys.com -def_whitelist_auth *@*.ancestry.com -def_whitelist_auth *@*.shoecarnival.com -def_whitelist_auth *@*.mattel.com -def_whitelist_auth *@*.smilereminder.com -def_whitelist_auth *@*.newyorktimes.com -def_whitelist_auth *@*.booking.com -def_whitelist_auth *@*.lids.com -def_whitelist_auth *@*.macmillan.com -def_whitelist_auth *@*.costco.com -def_whitelist_auth *@*.nike.com -def_whitelist_auth *@*.xbox.com -def_whitelist_auth *@*.politicoemail.com -def_whitelist_auth *@*.gamestop.com -def_whitelist_auth *@*.dropbox.com -def_whitelist_auth *@*.dcsg.com -#def_whitelist_auth *@*.robly.com -def_whitelist_auth *@*.ncaa.com -def_whitelist_auth *@*.lendingclub.com -def_whitelist_auth *@*.hotels.com -def_whitelist_auth *@*.michaels.com -def_whitelist_auth *@*.vistaprint.com -def_whitelist_auth *@*.regions.com -def_whitelist_auth *@*.dollywood.com -def_whitelist_auth *@*.sears-optical.com -def_whitelist_auth *@*.e-lenscrafters.com -def_whitelist_auth *@*.email-advanceautoparts.com -def_whitelist_auth *@*.evernote.com -def_whitelist_auth *@*.ebates.com -def_whitelist_auth *@*.sylvanlearning.com -def_whitelist_auth *@*.ebay.com -def_whitelist_auth *@*.officesupply.com -def_whitelist_auth *@*.dsw.com -def_whitelist_auth *@*.quicken.com -def_whitelist_auth *@*.quickenloans.com -def_whitelist_auth *@*.harpercollins.com -def_whitelist_auth *@*.gofundme.com -def_whitelist_auth *@*.peachjar.com -def_whitelist_auth *@*.mystubhub.com -def_whitelist_auth *@*.hertz.com -def_whitelist_auth *@theupsstore.com -def_whitelist_auth *@vocabulary.com -def_whitelist_auth *@*.spotify.com -def_whitelist_auth *@*.musiciansfriend.com -def_whitelist_auth *@*.longhornsteakhouse.com -def_whitelist_auth *@*.abercrombie.com -def_whitelist_auth *@*.lakeside.com -def_whitelist_auth *@*.dccc.org -def_whitelist_auth *@*.remind.com -def_whitelist_auth *@*.swimoutlet.com -def_whitelist_auth *@*.visionworks.com -def_whitelist_auth *@*.kraftrecipes.com -def_whitelist_auth *@*.ebth.com -def_whitelist_auth *@*.baker-taylor.com -def_whitelist_auth *@*.usafootball.com -def_whitelist_auth *@*.ikea-usa.com -def_whitelist_auth *@*.jet.com -def_whitelist_auth *@*.ezchildtrack.com -def_whitelist_auth *@*.twinkl.co.uk -def_whitelist_auth *@*.tgw.com -def_whitelist_auth *@*.airbnb.com -def_whitelist_auth *@*.nea.org -def_whitelist_auth *@*.bhg.com -def_whitelist_auth *@*.nest.com -def_whitelist_auth *@*.colehaan.com -def_whitelist_auth *@*.microsoft.com -def_whitelist_auth *@*.vanheusen.com -def_whitelist_auth *@*.shoppbs.org -def_whitelist_auth *@*.roku.com -def_whitelist_auth *@*.hearstmags.com -def_whitelist_auth *@*.carlsonhotels.com -def_whitelist_auth *@*.marykay.com -def_whitelist_auth *@*.publix.com -def_whitelist_auth *@*.eharmony.com -def_whitelist_auth *@*.powerschool.com -def_whitelist_auth *@*.dell.com -def_whitelist_auth *@*.hp.com -def_whitelist_auth *@*.microsoftrewards.com -def_whitelist_auth *@*.untuckit.com -def_whitelist_auth *@*.adobesystems.com -def_whitelist_auth *@*.pumpitupfun.com -def_whitelist_auth *@*.payless.com -def_whitelist_auth *@*.consumerreports.org -def_whitelist_auth *@*.blueapron.com -def_whitelist_auth *@*.email-libertymutual.com -def_whitelist_auth *@*.marthastewart.com -def_whitelist_auth *@*.nm.com -def_whitelist_auth *@*.nissanusa.com -def_whitelist_auth *@*.discountschoolsupply.com -def_whitelist_auth *@*.destinationmaternity.com -def_whitelist_auth *@*.calendly.com -def_whitelist_auth *@*.healthequity.com -def_whitelist_auth *@investordelivery.com -def_whitelist_auth *@*.topgolf.com -def_whitelist_auth *@logmein.com -def_whitelist_auth *@lastpass.com -def_whitelist_auth *@*.seabourn.com -def_whitelist_auth *@*.execucar.com -def_whitelist_auth *@*.build.com -def_whitelist_auth *@*.trulia.com -def_whitelist_auth *@*.rentalcars.com -def_whitelist_auth *@recommendedjobs.com -def_whitelist_auth *@*.zendesk.com -def_whitelist_auth *@*.advocareemail.com -def_whitelist_auth *@*.plenti.com -def_whitelist_auth *@*.amolatina.com -def_whitelist_auth *@*.accutrain.com -def_whitelist_auth *@*.barnesandnoble.com -def_whitelist_auth *@*.bookbub.com -def_whitelist_auth *@*.gnc.com -def_whitelist_auth *@*.avon.com -def_whitelist_auth *@*.mymapcorewards.com -def_whitelist_auth *@*.teespring.com -def_whitelist_auth *@*.bpdriverrewards.com -def_whitelist_auth *@*.aenetworks.com -def_whitelist_auth *@*.wellsfargoemail.com -def_whitelist_auth *@*.ixl.com -def_whitelist_auth *@*.digitalocean.com -def_whitelist_auth *@*.mohela.com -def_whitelist_auth *@*.wish.com -def_whitelist_auth *@*.frontrowed.com -def_whitelist_auth *@*.goodreads.com -def_whitelist_auth *@*.myschoolcast.com -def_whitelist_auth *@*.airfarewatchdog.com -def_whitelist_auth *@*.express.com -def_whitelist_auth *@*.ulta.com -def_whitelist_auth *@*.bradsdeals.com -def_whitelist_auth *@*.edlio.com -def_whitelist_auth *@*.soma.com -def_whitelist_auth *@*.mycollegeoptions.org -def_whitelist_auth *@*.pch.com -def_whitelist_auth *@*.lormanonlinelearning.com -def_whitelist_auth *@*.jetsetter.com -def_whitelist_auth *@*.ebags.com -def_whitelist_auth *@*.titanlamco.com -def_whitelist_auth *@*.understood.org -def_whitelist_auth *@cvent-planner.com -def_whitelist_auth *@remindmemd.com -def_whitelist_auth *@*.wizehive.com -def_whitelist_auth *@*.potterybarnkids.com -def_whitelist_auth *@*.zoosk.com -def_whitelist_auth *@*.whitehouseblackmarket.com -def_whitelist_auth *@*.iheart.com -def_whitelist_auth *@*.testout.com -def_whitelist_auth *@*.surveymonkeyuser.com -def_whitelist_auth *@*.lumosity.com -def_whitelist_auth *@kayak.com -def_whitelist_auth *@*.kayak.com -def_whitelist_auth *@*.smartertravel.com -def_whitelist_auth *@*.discover.com -def_whitelist_auth *@*.neamemberbenefits.com -def_whitelist_auth *@*.enterprise.com -def_whitelist_auth *@*.jessicalondon.com -def_whitelist_auth *@*.geico.com -def_whitelist_auth *@*.tommy.com -def_whitelist_auth *@cignasecure.com -def_whitelist_auth *@*.aarp.org -def_whitelist_auth *@*.aeropostale.com -def_whitelist_auth *@*.zappos.com -def_whitelist_auth *@*.redhat.com -def_whitelist_auth *@*.planningcenteronline.com -def_whitelist_auth *@*.ihg.com -def_whitelist_auth *@*.opendns.com -def_whitelist_auth *@*.loftoutlet.com -def_whitelist_auth *@*.hrblock.com -def_whitelist_auth *@secureworks.com -def_whitelist_auth *@*.secureworks.com -def_whitelist_auth *@*.crateandbarrel.com -def_whitelist_auth *@*.redbox.com -def_whitelist_auth *@*.lowfares.com -def_whitelist_auth *@*.rocketloans.com -def_whitelist_auth *@*.ganderoutdoors.com -def_whitelist_auth *@*.mandarinoriental.com -def_whitelist_auth *@*.retailmenot.com -def_whitelist_auth *@*.overdrive.com -def_whitelist_auth *@*.snapchat.com -def_whitelist_auth *@*.cheaptickets.com -def_whitelist_auth *@*.1800flowers.com -def_whitelist_auth *@*.guitarcenter.com -def_whitelist_auth *@*.vmware.com -def_whitelist_auth *@*.katespade.com -def_whitelist_auth *@*.gerber.com -def_whitelist_auth *@*.pandora.net -def_whitelist_auth *@*.alibaba.com -def_whitelist_auth *@*.kahoot.com -def_whitelist_auth *@email-od.com -def_whitelist_auth *@gallupmail.com -def_whitelist_auth *@*.stenhouse.com -def_whitelist_auth *@*.horacemann.com -def_whitelist_auth *@bmwusa.com -def_whitelist_auth *@*.thumbtack.com -def_whitelist_auth *@*.brylanehome.com -def_whitelist_auth *@*.bradfordexchange.com -def_whitelist_auth *@*.touchofmodern.com -def_whitelist_auth *@*.berries.com -def_whitelist_auth *@*.reddressboutique.com -def_whitelist_auth *@*.progressive.com -def_whitelist_auth *@*.forever21.com -def_whitelist_auth *@*.consumercrafts.com -def_whitelist_auth *@*.epriority.com -def_whitelist_auth *@*.schwab.com -def_whitelist_auth *@*.wwe.com -def_whitelist_auth *@*.coldwatercreek.com -def_whitelist_auth *@*.homechef.com -def_whitelist_auth *@*.flyfrontier.com -def_whitelist_auth *@*.charbroil.com -def_whitelist_auth *@*.bludot.com -def_whitelist_auth *@*.directgeneral.com -def_whitelist_auth *@*.subaru.com -def_whitelist_auth *@*.aexp.com -def_whitelist_auth *@*.usssa.com -def_whitelist_auth *@*.bestwesternrewards.com -def_whitelist_auth *@*.email-weightwatchers.com -def_whitelist_auth *@*.email-allstate.com -def_whitelist_auth *@*.dove.com -def_whitelist_auth *@*.teamusa.org -def_whitelist_auth *@*.mylife.com -def_whitelist_auth *@*.cbssports.com -def_whitelist_auth *@*.fingerhut.com -def_whitelist_auth *@*.fossil.com -def_whitelist_auth *@*.adt.com -def_whitelist_auth *@*.23andme.com -def_whitelist_auth *@*.fashionnova.com -def_whitelist_auth *@*.myfitnesspal.com -def_whitelist_auth *@*.zayconfoods.com -def_whitelist_auth *@*.housershoes.com -def_whitelist_auth *@*.prepsportswear.com -def_whitelist_auth *@*.freebiesfrenzy.com -def_whitelist_auth *@*.minted.com -def_whitelist_auth *@*.kickstarter.com -def_whitelist_auth *@*.bluebellwholesale.com -def_whitelist_auth tickets@amtrak.com -def_whitelist_auth *@*.tyndale.com -def_whitelist_auth reservations@druryhotels.com -def_whitelist_auth *@*.autopartswarehouse.com -def_whitelist_auth *@*.levi.com -def_whitelist_auth *@*.echosign.com -def_whitelist_auth *@*.carparts.com -def_whitelist_auth *@*.jared.com -def_whitelist_auth *@*.superjeweler.com -def_whitelist_auth *@*.ticketnetwork.com -def_whitelist_auth *@*.kay.com -def_whitelist_auth *@*.grainger.com -def_whitelist_auth *@*.fivebelow.com -def_whitelist_auth *@*.destinationxl.com -def_whitelist_auth *@*.perfectdeliver.com -def_whitelist_auth *@*.buffalowildwings.com -def_whitelist_auth *@*.macaronikid.com -def_whitelist_auth *@*.marshallsonline.com -def_whitelist_auth *@*.nordstromrack.com -def_whitelist_auth *@*.kyliecosmetics.com -def_whitelist_auth *@*.midwestsports.com -def_whitelist_auth *@*.deluxe.com -def_whitelist_auth *@*.fidelity.com -def_whitelist_auth *@ticketmaster.com -def_whitelist_auth *@mozillafoundation.org -def_whitelist_auth *@*.uhc.com -def_whitelist_auth *@*.sprint.com -def_whitelist_auth *@*.rxhealthalerts.com -def_whitelist_auth *@*.eventtracker.com -def_whitelist_auth *@*.horoscope.com -def_whitelist_auth *@*.email-lifetouch.com -def_whitelist_auth *@*.evine.com -def_whitelist_auth *@*.donorschoose.org -def_whitelist_auth noreply@adt.com -def_whitelist_auth *@tmomail.net -def_whitelist_auth donotreply@dhl.com -def_whitelist_auth *@travelodge.co.uk -def_whitelist_auth bounce@ryanairemail.com -def_whitelist_auth *@*.tpr.gov.uk -def_whitelist_auth homedepotreceipt@homedepot.com -def_whitelist_auth *@*.lifewaystores.com -def_whitelist_auth *@*.paypalcredit.com -def_whitelist_auth *@paypal-customerfeedback.com -def_whitelist_auth no-reply@flyfrontier.com -def_whitelist_auth *@*.canon.com -def_whitelist_auth *@*.techtrnds.com -def_whitelist_auth *@*.realsimple.com -def_whitelist_auth *@espnmail.com -def_whitelist_auth *@*.nickjr.com -def_whitelist_auth *@*.eschoolnews.com -def_whitelist_auth *@*.motosnap.com -def_whitelist_auth *@*.gsnutsandmags.com -def_whitelist_auth *@*.shutterfly.com -def_whitelist_auth *@*.edgenuity.com -def_whitelist_auth *@*.goodreads.com -def_whitelist_auth *@*.shrm.org -def_whitelist_auth *@*.mtshrm.org -def_whitelist_auth *@*.gynzy.com -def_whitelist_auth *@*.actionnetwork.org -def_whitelist_auth *@*.teacherfindr.com -def_whitelist_auth *@*.tladoonline.com -def_whitelist_auth *@*.aaa.com -def_whitelist_auth *@*.woot.com -def_whitelist_auth *@*.nsba.org -def_whitelist_auth *@*.teamapp.com -def_whitelist_auth *@*.act.org -def_whitelist_auth *@*.vetsandfamily.com -def_whitelist_auth *@*.jeansforvets.org -def_whitelist_auth *@*.welcomehomevet.org -def_whitelist_auth *@*.readingeggs.com -def_whitelist_auth *@*.myschoolcast.com -def_whitelist_auth *@*.takethemameal.com -def_whitelist_auth *@*.shape.com -def_whitelist_auth *@*.videoblocks.com -def_whitelist_auth *@*.wifeteachermommy.com -def_whitelist_auth *@*.darice.com -def_whitelist_auth *@*.everfi.net -def_whitelist_auth *@godvinemail.com -def_whitelist_auth *@*.doheny.com -def_whitelist_auth *@*.nyansa.com -def_whitelist_auth *@*.submittable.com -def_whitelist_auth *@*.slideshare.net -def_whitelist_auth *@*.ocm.com -def_whitelist_auth *@*.dji.com -def_whitelist_auth *@*.zyngamail.com -def_whitelist_auth *@*.costasunglasses.com -def_whitelist_auth *@*.baseballexpress.com -def_whitelist_auth *@dishemail.com -def_whitelist_auth *@*.promgirl.com -def_whitelist_auth *@*.ed.gov -def_whitelist_auth *@*.carecredit.com -def_whitelist_auth *@*.trello.com -def_whitelist_auth *@*.shopify.com -def_whitelist_auth *@*.iclasspro.com -def_whitelist_auth *@mail-fellowesbrands.com -def_whitelist_auth *@*.planetfitness.com -def_whitelist_auth *@*.shoppinkblush.com -def_whitelist_auth *@*.webmdprofessional.com -def_whitelist_auth *@*.omadahealth.com -def_whitelist_auth *@*.vividseats.com -def_whitelist_auth *@*.avis.com -def_whitelist_auth *@*.square.com -def_whitelist_auth *@*.ruthschris-email.com -def_whitelist_auth *@*.zearn.org -def_whitelist_auth *@*.careerbuilder.com -def_whitelist_auth *@*.kelloggs.com -def_whitelist_auth *@*.wunderground.com -def_whitelist_auth *@*.silpada.com -def_whitelist_auth *@*.toofaced.com -def_whitelist_auth *@*.sonicwall.com -def_whitelist_auth *@*.bebe.com -def_whitelist_auth *@*.discoveryeducation.com -def_whitelist_auth *@*.alison.com -def_whitelist_auth *@*.livestream.com -def_whitelist_auth *@*.rockauto.com -def_whitelist_auth *@*.elfcosmetics.com -def_whitelist_auth *@*.cars.com -def_whitelist_auth *@*.puritan.com -def_whitelist_auth *@*.cheddars.com -def_whitelist_auth *@*.schoolmessenger.com -def_whitelist_auth *@*.pinchme.com -def_whitelist_auth *@*.clarksusa.com -def_whitelist_auth *@*.smore.com -def_whitelist_auth *@*.softball.com -def_whitelist_auth *@*.commonsense-email.org -def_whitelist_auth *@*.onekingslane.com -def_whitelist_auth *@*.elfcosmetics.com -def_whitelist_auth *@*.aclj.org -def_whitelist_auth *@*.darice.com -def_whitelist_auth *@*.shopify.com -def_whitelist_auth *@*.doheny.com -def_whitelist_auth *@*.improvementscatalog-email.com -def_whitelist_auth *@*.promgirl.com -def_whitelist_auth *@*.webmdprofessional.com -def_whitelist_auth *@*.thrivecausemetics.com -def_whitelist_auth *@*.toofaced.com -def_whitelist_auth *@*.evanmoor-alerts.com -def_whitelist_auth *@*.livestream.com -def_whitelist_auth *@*.customerville.com -def_whitelist_auth *@*.lmscheckout.com -def_whitelist_auth *@*.shop-explorers.com -def_whitelist_auth *@*.helpavet.co -def_whitelist_auth *@*.aidtroops.com -def_whitelist_auth *@*.denindays.org -def_whitelist_auth *@*.helpourvets.us -def_whitelist_auth *@*.denim-day.com -def_whitelist_auth *@*.eldarion.com -def_whitelist_auth *@*.wunderground.com -def_whitelist_auth *@*.kelloggs.com -def_whitelist_auth *@*.portfolium.com -def_whitelist_auth *@*.iclasspro.com -def_whitelist_auth *@*.socrative.com -def_whitelist_auth *@*.vnnsports.net -def_whitelist_auth *@*.americauncensored.com -def_whitelist_auth *@*.email-allstate.com -def_whitelist_auth *@*.omadahealth.com -def_whitelist_auth *@*.rei.com -def_whitelist_auth *@*.research.net -def_whitelist_auth *@*.allinlearning.com -def_whitelist_auth *@*.energage.com -def_whitelist_auth *@*.aasa.org -def_whitelist_auth *@*.constructionclaims.com -def_whitelist_auth *@*.nsba.org -def_whitelist_auth *@*.jeansdays.com -def_whitelist_auth *@*.servicemansupport.org -def_whitelist_auth *@*.learningally.org -def_whitelist_auth *@*.quill.org -def_whitelist_auth *@*.funrewardsforyou.com -def_whitelist_auth *@*.digicert.com -def_whitelist_auth *@*.venmo.com -def_whitelist_auth *@*.bestbuddies.org -def_whitelist_auth *@*.ashleydsg.com -def_whitelist_auth *@*.homechef.com -def_whitelist_auth *@*.morningconsult.com -def_whitelist_auth *@*.stewardship.com -def_whitelist_auth *@*.salsalabs.org -def_whitelist_auth *@*.shop-backinthesaddle.com -def_whitelist_auth *@*.bounceexchange.com -def_whitelist_auth *@*.tobi.com -def_whitelist_auth *@*.makermedia.com -def_whitelist_auth *@*.adoptapet.com -def_whitelist_auth *@*.wested.org -def_whitelist_auth *@*.sfsdata.com -def_whitelist_auth *@*.sonicdrivein.com -def_whitelist_auth *@*.justflyemail.com -def_whitelist_auth *@*.sling.com -def_whitelist_auth *@*.zagg.com -def_whitelist_auth *@*.turnoutpac.org -def_whitelist_auth *@*.whirlpool.com -def_whitelist_auth *@*.legendsoflearning.com -def_whitelist_auth *@*.gallup.com -def_whitelist_auth *@*.ereflect.com -def_whitelist_auth *@*.asumag.com -def_whitelist_auth *@*.commonblackcollegeapp.com -def_whitelist_auth *@*.broadridge.com -def_whitelist_auth *@*.greenrope.com -def_whitelist_auth *@*.trackwrestling.com -def_whitelist_auth *@*.blackboard.com -def_whitelist_auth *@*.govdeals.com -def_whitelist_auth *@*.shipstation.com -def_whitelist_auth *@*.nyansa.com -def_whitelist_auth *@*.sciencepubs.org -def_whitelist_auth *@*.betabrand.com -def_whitelist_auth *@*.hhs.gov -def_whitelist_auth *@*.discover.com -def_whitelist_auth *@*.bebe.com -def_whitelist_auth *@*.homeadvisor.com -def_whitelist_auth *@*.handsonaswegrow.com -def_whitelist_auth *@*.in.gov -def_whitelist_auth *@*.oldchicago.com -def_whitelist_auth *@*.globalfitnesschallenge.com -def_whitelist_auth *@*.virtualvocations.com -def_whitelist_auth *@*.aopa.org -def_whitelist_auth *@*.mail-zr.com -def_whitelist_auth *@*.trovit.com -def_whitelist_auth *@*.hscloudsuite.com -def_whitelist_auth *@*.rothys.com -def_whitelist_auth *@*.sgml3.com -def_whitelist_auth *@*.fox13memphis.com -def_whitelist_auth *@*.sprouts.com -def_whitelist_auth *@*.ruthschris-email.com -def_whitelist_auth *@*.softball.com -def_whitelist_auth *@*.yankeecandle.com -def_whitelist_auth *@*.candidcolorhosting.com -def_whitelist_auth *@*.endcitizensunited.org -def_whitelist_auth *@*.redditgifts.com -def_whitelist_auth *@*.tdworld.com -def_whitelist_auth *@*.thenorthface.com -def_whitelist_auth *@*.bark.com -def_whitelist_auth *@*.center.io -def_whitelist_auth *@*.movethisworld.com -def_whitelist_auth *@*.pgsurveying.com -def_whitelist_auth *@*.mealtrain.com -def_whitelist_auth *@*.acemsd1.com -def_whitelist_auth *@*.jobhat.com -def_whitelist_auth *@*.earthfare.com -def_whitelist_auth *@*.nassp.org -def_whitelist_auth *@*.rasa.io -def_whitelist_auth *@*.surveydirectlive.com -def_whitelist_auth *@*.frontgate-email.com -def_whitelist_auth *@*.job-tree.com -def_whitelist_auth *@*.slideshare.net -def_whitelist_auth *@*.cambridge.org -def_whitelist_auth *@*.everytown.org -def_whitelist_auth *@*.bitesquad.com -def_whitelist_auth *@*.fit2fat2fit.com -def_whitelist_auth *@*.nationsend18.com -def_whitelist_auth *@*.livingwelldaily.com -def_whitelist_auth *@*.robotevents.com -def_whitelist_auth *@*.livetext.com -def_whitelist_auth *@*.lightreading.com -def_whitelist_auth *@*.uscourts.gov -def_whitelist_auth *@*.fabfitfun.com -def_whitelist_auth *@*.edlistservs.org -def_whitelist_auth *@*.csid.com -def_whitelist_auth *@*.spiceworks.com -def_whitelist_auth *@*.dctemail.com -def_whitelist_auth *@*.thetileapp.com -def_whitelist_auth *@*.wendys.com -def_whitelist_auth *@*.ylginc.com -def_whitelist_auth *@*.servicenow.com -def_whitelist_auth *@*.charmsmusic.com -def_whitelist_auth *@*.opendns.com -def_whitelist_auth *@*.gracegentry.com -def_whitelist_auth *@*.digitalsports.com -def_whitelist_auth *@*.dailymemphian.com -def_whitelist_auth *@*.hobsonsradius.com -def_whitelist_auth *@*.diversifiedemail.com -def_whitelist_auth *@*.harlemglobetrotters.com -def_whitelist_auth *@*.nationsend12.com -def_whitelist_auth *@*.sf-notifications.com -def_whitelist_auth *@*.noredink.com -def_whitelist_auth *@*.amtrak.com -def_whitelist_auth *@*.homegoods.com -def_whitelist_auth *@*.bigteams.com -def_whitelist_auth *@*.stansberryresearch.com -def_whitelist_auth *@*.fafsa.gov -def_whitelist_auth *@*.solarwinds.com -def_whitelist_auth *@*.petsgeek.com -def_whitelist_auth *@*.consumerservicesdirect.com -def_whitelist_auth *@*.carfax.com -def_whitelist_auth *@*.ismg-campaigns.com -def_whitelist_auth *@*.passports.com -def_whitelist_auth *@*.dailykos.com -def_whitelist_auth *@*.loftoutlet.com -def_whitelist_auth *@*.brit.co -def_whitelist_auth *@*.cappex.com -def_whitelist_auth *@*.neopost.com -def_whitelist_auth *@*.adidas.com -def_whitelist_auth *@*.verizonenterprise.com -def_whitelist_auth *@*.zohodesk.com -def_whitelist_auth *@*.renzullilearning.com -def_whitelist_auth *@*.lumoslearning.com -def_whitelist_auth *@*.sesamereminders.com -def_whitelist_auth *@*.ninewest.com -def_whitelist_auth *@*.agorafinancial.com -def_whitelist_auth *@*.collegenet.com -def_whitelist_auth *@*.greenrope.net -def_whitelist_auth *@*.skyzone.com -def_whitelist_auth *@*.adlmail.org -def_whitelist_auth *@*.clarksusa.com -def_whitelist_auth *@*.granicus.com -def_whitelist_auth *@*.theblaze.com -def_whitelist_auth *@*.lormanonlinecourses.com -def_whitelist_auth *@*.chatbooks.com -def_whitelist_auth *@*.tangocard.com -def_whitelist_auth *@*.signup.com -def_whitelist_auth *@*.aisleahead.com -def_whitelist_auth *@*.pinkcoconutboutique.com -def_whitelist_auth *@*.hallmark.com -def_whitelist_auth *@*.emailpackers.com -def_whitelist_auth *@*.windows.com -def_whitelist_auth *@*.hartvillegroup.com -def_whitelist_auth *@*.getresponse-mail.com -def_whitelist_auth *@*.scholarships.com -def_whitelist_auth *@*.wifeteachermommy.com -def_whitelist_auth *@*.cheddars.com -def_whitelist_auth *@*.berrylook.com -def_whitelist_auth *@*.westernunion.com -def_whitelist_auth *@*.aerialschoolimages.com -def_whitelist_auth *@*.bitglass.com -def_whitelist_auth *@*.purefitnessinnovations.com -def_whitelist_auth *@*.coach.com -def_whitelist_auth *@*.rockauto.com -def_whitelist_auth *@*.americanbookcompany.com -def_whitelist_auth *@*.rockbottomgolf.com -def_whitelist_auth *@*.doordash.com -def_whitelist_auth *@*.cainc.com -def_whitelist_auth *@*.email-nationwide.com -def_whitelist_auth *@*.honorsociety.org -def_whitelist_auth *@*.dailysale.com -def_whitelist_auth *@*.emsmtp.us -def_whitelist_auth *@*.calm.com -def_whitelist_auth *@*.snapsurveys.com -def_whitelist_auth *@*.dropbox-mktg.com -def_whitelist_auth *@*.striderite.com -def_whitelist_auth *@*.stackcommerce.com -def_whitelist_auth *@*.norton.com -def_whitelist_auth *@*.aeds.com -def_whitelist_auth *@*.dia.co -def_whitelist_auth *@*.blackfriday.com -def_whitelist_auth *@*.olay.com -def_whitelist_auth confirmation@aircanada.ca -def_whitelist_auth no-reply@enterprise.com -def_whitelist_auth *@*.hubspotstarter.net -def_whitelist_auth *@*.serverchamber.com -def_whitelist_auth *@*.msbrooksclass.com -def_whitelist_auth *@*.hickoryfarms.com -def_whitelist_auth *@*.evesaddiction.com -def_whitelist_auth *@*.sowntogrow.com -def_whitelist_auth *@*.shopthemint.com -def_whitelist_auth *@*.charlotterusse.com -def_whitelist_auth *@*.moviepass.com -def_whitelist_auth *@*.revrocket.us -def_whitelist_auth *@*.nintendo.com -def_whitelist_auth *@*.btr.com -def_whitelist_auth *@*.gothamsteelstore.com -def_whitelist_auth *@*.naturalizer.com -def_whitelist_auth *@*.jerrysartarama.com -def_whitelist_auth *@*.iconicgroup.com -def_whitelist_auth *@*.spanx.com -def_whitelist_auth *@*.haggar.com -def_whitelist_auth *@*.change.org -def_whitelist_auth *@*.headspace.com -def_whitelist_auth *@*.firstsouth.com -def_whitelist_auth *@*.instacart.com -def_whitelist_auth *@*.kodakmoments.com -def_whitelist_auth *@*.penzeys.com -def_whitelist_auth *@*.rescueme.org -def_whitelist_auth *@*.icr.org -def_whitelist_auth *@*.joinhandshake.com -def_whitelist_auth *@*.colourpop.com -def_whitelist_auth *@*.actsend.com -def_whitelist_auth *@*.audubon.org -def_whitelist_auth *@*.noom.com -def_whitelist_auth *@*.conexionamericas.org -def_whitelist_auth *@*.hollywoodfeed.com -def_whitelist_auth *@*.cio.com -def_whitelist_auth *@*.55mulberry.com -def_whitelist_auth *@*.knowatom.com -def_whitelist_auth *@*.maxsamples.com -def_whitelist_auth *@*.thekeyrewards.com -def_whitelist_auth *@*.rakuten.com -def_whitelist_auth *@*.tastycookerymailings.com -def_whitelist_auth *@*.myenotice.com -def_whitelist_auth *@*.sportclips.com -def_whitelist_auth *@*.senzajobalerts.com -def_whitelist_auth *@*.genghisgrill.com -def_whitelist_auth *@*.fider.io -def_whitelist_auth *@*.mchdata.com -def_whitelist_auth *@*.fivestarlinemen.com -def_whitelist_auth *@*.dunhamssports-email.com -def_whitelist_auth *@*.vitals.com -def_whitelist_auth *@*.thrivistlms.com -def_whitelist_auth *@*.build.com -def_whitelist_auth *@*.vacationmyrtlebeach.com -def_whitelist_auth *@*.kidreports.com -def_whitelist_auth *@*.jobframe.net -def_whitelist_auth *@*.aegpresents.com -def_whitelist_auth *@*.shmoop.com -def_whitelist_auth *@*.brahminusa.com -def_whitelist_auth *@*.stamats.com -def_whitelist_auth *@*.wufoo.com -def_whitelist_auth *@*.pre-kpages.com -def_whitelist_auth *@*.listen360.com -def_whitelist_auth *@*.silversingles.com -def_whitelist_auth *@*.ruralking.com -def_whitelist_auth *@*.yourhobbylobby.com -def_whitelist_auth *@*.educationworld.com -def_whitelist_auth *@*.theeducatorsnetwork.com -def_whitelist_auth *@*.csoonline.com -def_whitelist_auth *@*.youscience.com -def_whitelist_auth *@*.konnectnow.com -def_whitelist_auth *@*.esa.org -def_whitelist_auth *@*.modcloth.com -def_whitelist_auth *@*.harborfreight.com -def_whitelist_auth *@*.eshakti.com -def_whitelist_auth *@*.fda.gov -def_whitelist_auth *@*.shermanstravel.com -def_whitelist_auth *@*.naturalhealthresponse.com -def_whitelist_auth *@*.epicgames.com -def_whitelist_auth *@*.paisleygraceboutique.com -def_whitelist_auth *@*.dhccare.com -def_whitelist_auth *@*.spectrumemails.com -def_whitelist_auth *@*.worldatwork.org -def_whitelist_auth *@*.usatestprep.com -def_whitelist_auth *@*.twinkl.com -def_whitelist_auth *@*.opticsplanet.com -def_whitelist_auth *@*.troxmail.com -def_whitelist_auth *@*.carolina.com -def_whitelist_auth *@*.teamviewer.com -def_whitelist_auth *@*.bodybuilding.com -def_whitelist_auth *@*.adobespark.com -def_whitelist_auth *@*.entercom.com -def_whitelist_auth *@*.hbonow.com -def_whitelist_auth *@*.grandinroad-email.com -def_whitelist_auth *@*.livongo.com -def_whitelist_auth *@*.daxkoengage.com -def_whitelist_auth *@*.lemonlimeadventures.com -def_whitelist_auth *@*.lumosity.com -def_whitelist_auth *@*.ihop-communications.com -def_whitelist_auth *@*.dailysteals.com -def_whitelist_auth *@*.testingmom.com -def_whitelist_auth *@*.ceramicartsnetwork.org -def_whitelist_auth *@*.verintefm.com - -endif # if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - diff --git a/resources/spamassassin/60_welcomelist_dkim.cf b/resources/spamassassin/60_welcomelist_dkim.cf deleted file mode 100644 index 54ce0aa4..00000000 --- a/resources/spamassassin/60_welcomelist_dkim.cf +++ /dev/null @@ -1,323 +0,0 @@ -# SpamAssassin rules file: default DKIM whitelists -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -ifplugin Mail::SpamAssassin::Plugin::DKIM - -########################################################################### -# DKIM whitelist rules - -# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_welcomelist_from() - describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist - tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf - score USER_IN_DKIM_WELCOMELIST -100 - reuse USER_IN_DKIM_WELCOMELIST - - # Backwards compatibility - # To disable set "enable_compat welcomelist_blocklist" in init.pre - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_DKIM_WHITELIST (USER_IN_DKIM_WELCOMELIST) - describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST - tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf - score USER_IN_DKIM_WHITELIST -100 - reuse USER_IN_DKIM_WHITELIST - score USER_IN_DKIM_WELCOMELIST -0.01 - endif -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_whitelist_from() - describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist - tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf - score USER_IN_DKIM_WELCOMELIST -100 - reuse USER_IN_DKIM_WELCOMELIST - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_DKIM_WHITELIST (USER_IN_DKIM_WELCOMELIST) - describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST - tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf - score USER_IN_DKIM_WHITELIST -100 - reuse USER_IN_DKIM_WHITELIST - score USER_IN_DKIM_WELCOMELIST -0.01 - endif -endif - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_welcomelist_from() - describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list - tflags USER_IN_DEF_DKIM_WL nice noautolearn net - reuse USER_IN_DEF_DKIM_WL -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from() - describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list - tflags USER_IN_DEF_DKIM_WL nice noautolearn net - reuse USER_IN_DEF_DKIM_WL -endif - -########################################################################### -# Default welcomelists. These should be e-mail addresses of authors (i.e. -# addresses in the From header field) which send mail that is often -# tagged (incorrectly) as spam. DKIM welcomelisting only applies to mail -# with a valid DKIM (or older DK) signature. An optional second parameter -# can specify a signing domain (the 'd' tag), if different from author's -# domain. Please see Mail::SpamAssassin::Plugin::DKIM man page for details. -# -# Whitelist and blacklist addresses are file-glob-style patterns, so -# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - -def_welcomelist_from_dkim *@*.ebay.com ebay.com -def_welcomelist_from_dkim *@ebay.com -def_welcomelist_from_dkim *@ebay.co.uk -def_welcomelist_from_dkim *@*.ebay.co.uk -def_welcomelist_from_dkim *@ebay.at -def_welcomelist_from_dkim *@*.ebay.at -def_welcomelist_from_dkim *@ebay.be -def_welcomelist_from_dkim *@*.ebay.be -def_welcomelist_from_dkim *@ebay.de -def_welcomelist_from_dkim *@*.ebay.de -def_welcomelist_from_dkim *@ebay.es -def_welcomelist_from_dkim *@*.ebay.es -def_welcomelist_from_dkim *@ebay.fr -def_welcomelist_from_dkim *@*.ebay.fr -def_welcomelist_from_dkim *@ebay.ie -def_welcomelist_from_dkim *@*.ebay.ie -def_welcomelist_from_dkim *@ebay.it -def_welcomelist_from_dkim *@*.ebay.it -def_welcomelist_from_dkim *@ebay.nl -def_welcomelist_from_dkim *@*.ebay.nl -def_welcomelist_from_dkim *@ebay.pt -def_welcomelist_from_dkim *@*.ebay.pt -def_welcomelist_from_dkim *@ebay.ca -def_welcomelist_from_dkim *@*.ebay.ca - -def_welcomelist_from_dkim *@* paypal.com -def_welcomelist_from_dkim *@paypal.com -def_welcomelist_from_dkim *@*.paypal.com -def_welcomelist_from_dkim *@paypal.co.uk -def_welcomelist_from_dkim *@*.paypal.co.uk -def_welcomelist_from_dkim *@paypal.at -def_welcomelist_from_dkim *@*.paypal.at -def_welcomelist_from_dkim *@paypal.be -def_welcomelist_from_dkim *@*.paypal.be -def_welcomelist_from_dkim *@paypal.de -def_welcomelist_from_dkim *@*.paypal.de -def_welcomelist_from_dkim *@paypal.es -def_welcomelist_from_dkim *@*.paypal.es -def_welcomelist_from_dkim *@paypal.fr -def_welcomelist_from_dkim *@*.paypal.fr -def_welcomelist_from_dkim *@paypal.ie -def_welcomelist_from_dkim *@*.paypal.ie -def_welcomelist_from_dkim *@paypal.it -def_welcomelist_from_dkim *@*.paypal.it -def_welcomelist_from_dkim *@paypal.nl -def_welcomelist_from_dkim *@*.paypal.nl -def_welcomelist_from_dkim *@paypal.pt -def_welcomelist_from_dkim *@*.paypal.pt -def_welcomelist_from_dkim *@paypal.ca -def_welcomelist_from_dkim *@*.paypal.ca - -def_welcomelist_from_dkim *@cisco.com -def_welcomelist_from_dkim *@lh.lufthansa.com -def_welcomelist_from_dkim *@*.milesandmore.com -def_welcomelist_from_dkim *@mail.hotels.com -def_welcomelist_from_dkim *@email.hotels.com -def_welcomelist_from_dkim *@alert.bankofamerica.com -def_welcomelist_from_dkim *@ealerts.bankofamerica.com -def_welcomelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com -def_welcomelist_from_dkim *@cc.yahoo-inc.com -def_welcomelist_from_dkim googlealerts-noreply@google.com -def_welcomelist_from_dkim *@*.google.com - -def_welcomelist_from_dkim *@springer.delivery.net -def_welcomelist_from_dkim *@sci.scientific-direct.net -def_welcomelist_from_dkim *@strongmail.the-scientist.com -def_welcomelist_from_dkim *@ealert.nature.com -def_welcomelist_from_dkim *@gateways.nature.com -def_welcomelist_from_dkim *@information.nature.com -def_welcomelist_from_dkim *@newsdesk.world-nuclear-news.org -def_welcomelist_from_dkim *@biocompare.com -def_welcomelist_from_dkim *@dentalcompare.com -def_welcomelist_from_dkim *@medcompare.com -def_welcomelist_from_dkim *@itbusinessedge.com -def_welcomelist_from_dkim *@nl.reuters.com -def_welcomelist_from_dkim *@email.washingtonpost.com -def_welcomelist_from_dkim *@washingtontimesmail.com -def_welcomelist_from_dkim *@info-aaas.org -def_welcomelist_from_dkim *@*.newsmax.com -def_welcomelist_from_dkim *@zdnet.online.com -def_welcomelist_from_dkim *@m-w.com - -def_welcomelist_from_dkim *@skype.net -def_welcomelist_from_dkim *@*.skype.net -def_welcomelist_from_dkim *@*.skype.net skype.net -def_welcomelist_from_dkim *@*.skype.com -def_welcomelist_from_dkim *@*.skype.com skype.com - -#consider also: -# def_welcomelist_from_dkim *@avaaz.org -# def_welcomelist_from_dkim *@techrepublic.online.com -# def_welcomelist_from_dkim ezines@arcamax.com -# def_welcomelist_from_dkim *@yousendit.com -# def_welcomelist_from_dkim *@meetup.com -# def_welcomelist_from_dkim *@astrology.com -# def_welcomelist_from_dkim *@google.com -# def_welcomelist_from_dkim *@amazon.com -# def_welcomelist_from_dkim *@amazon.co.uk -# def_welcomelist_from_dkim *@amazon.de -# def_welcomelist_from_dkim *@amazon.fr - -def_welcomelist_from_dkim *@imdb.com amazonses.com -def_welcomelist_from_dkim *@dhl.com -def_welcomelist_from_dkim *@tumblr.com -def_welcomelist_from_dkim *@fisglobal.com -def_welcomelist_from_dkim *@*.msgfocus.com -def_welcomelist_from_dkim *@boredpanda.com mailersend.com - -endif # if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - - -# -# For older versions of SA, these old entries remain for SA before version 4.0 -# - -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - -def_whitelist_from_dkim *@*.ebay.com ebay.com -def_whitelist_from_dkim *@ebay.com -def_whitelist_from_dkim *@ebay.co.uk -def_whitelist_from_dkim *@*.ebay.co.uk -def_whitelist_from_dkim *@ebay.at -def_whitelist_from_dkim *@*.ebay.at -def_whitelist_from_dkim *@ebay.be -def_whitelist_from_dkim *@*.ebay.be -def_whitelist_from_dkim *@ebay.de -def_whitelist_from_dkim *@*.ebay.de -def_whitelist_from_dkim *@ebay.es -def_whitelist_from_dkim *@*.ebay.es -def_whitelist_from_dkim *@ebay.fr -def_whitelist_from_dkim *@*.ebay.fr -def_whitelist_from_dkim *@ebay.ie -def_whitelist_from_dkim *@*.ebay.ie -def_whitelist_from_dkim *@ebay.it -def_whitelist_from_dkim *@*.ebay.it -def_whitelist_from_dkim *@ebay.nl -def_whitelist_from_dkim *@*.ebay.nl -def_whitelist_from_dkim *@ebay.pt -def_whitelist_from_dkim *@*.ebay.pt -def_whitelist_from_dkim *@ebay.ca -def_whitelist_from_dkim *@*.ebay.ca - -def_whitelist_from_dkim *@* paypal.com -def_whitelist_from_dkim *@paypal.com -def_whitelist_from_dkim *@*.paypal.com -def_whitelist_from_dkim *@paypal.co.uk -def_whitelist_from_dkim *@*.paypal.co.uk -def_whitelist_from_dkim *@paypal.at -def_whitelist_from_dkim *@*.paypal.at -def_whitelist_from_dkim *@paypal.be -def_whitelist_from_dkim *@*.paypal.be -def_whitelist_from_dkim *@paypal.de -def_whitelist_from_dkim *@*.paypal.de -def_whitelist_from_dkim *@paypal.es -def_whitelist_from_dkim *@*.paypal.es -def_whitelist_from_dkim *@paypal.fr -def_whitelist_from_dkim *@*.paypal.fr -def_whitelist_from_dkim *@paypal.ie -def_whitelist_from_dkim *@*.paypal.ie -def_whitelist_from_dkim *@paypal.it -def_whitelist_from_dkim *@*.paypal.it -def_whitelist_from_dkim *@paypal.nl -def_whitelist_from_dkim *@*.paypal.nl -def_whitelist_from_dkim *@paypal.pt -def_whitelist_from_dkim *@*.paypal.pt -def_whitelist_from_dkim *@paypal.ca -def_whitelist_from_dkim *@*.paypal.ca - -def_whitelist_from_dkim *@cisco.com -def_whitelist_from_dkim *@lh.lufthansa.com -def_whitelist_from_dkim *@*.milesandmore.com -def_whitelist_from_dkim *@mail.hotels.com -def_whitelist_from_dkim *@email.hotels.com -def_whitelist_from_dkim *@alert.bankofamerica.com -def_whitelist_from_dkim *@ealerts.bankofamerica.com -def_whitelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com -def_whitelist_from_dkim *@cc.yahoo-inc.com -def_whitelist_from_dkim googlealerts-noreply@google.com -def_whitelist_from_dkim *@*.google.com - -def_whitelist_from_dkim *@springer.delivery.net -def_whitelist_from_dkim *@sci.scientific-direct.net -def_whitelist_from_dkim *@strongmail.the-scientist.com -def_whitelist_from_dkim *@ealert.nature.com -def_whitelist_from_dkim *@gateways.nature.com -def_whitelist_from_dkim *@information.nature.com -def_whitelist_from_dkim *@newsdesk.world-nuclear-news.org -def_whitelist_from_dkim *@biocompare.com -def_whitelist_from_dkim *@dentalcompare.com -def_whitelist_from_dkim *@medcompare.com -def_whitelist_from_dkim *@itbusinessedge.com -def_whitelist_from_dkim *@nl.reuters.com -def_whitelist_from_dkim *@email.washingtonpost.com -def_whitelist_from_dkim *@washingtontimesmail.com -def_whitelist_from_dkim *@info-aaas.org -def_whitelist_from_dkim *@*.newsmax.com -def_whitelist_from_dkim *@zdnet.online.com -def_whitelist_from_dkim *@m-w.com - -def_whitelist_from_dkim *@skype.net -def_whitelist_from_dkim *@*.skype.net -def_whitelist_from_dkim *@*.skype.net skype.net -def_whitelist_from_dkim *@*.skype.com -def_whitelist_from_dkim *@*.skype.com skype.com - -#consider also: -# def_whitelist_from_dkim *@avaaz.org -# def_whitelist_from_dkim *@techrepublic.online.com -# def_whitelist_from_dkim ezines@arcamax.com -# def_whitelist_from_dkim *@yousendit.com -# def_whitelist_from_dkim *@meetup.com -# def_whitelist_from_dkim *@astrology.com -# def_whitelist_from_dkim *@google.com -# def_whitelist_from_dkim *@amazon.com -# def_whitelist_from_dkim *@amazon.co.uk -# def_whitelist_from_dkim *@amazon.de -# def_whitelist_from_dkim *@amazon.fr - -def_whitelist_from_dkim *@imdb.com amazonses.com -def_whitelist_from_dkim *@dhl.com -def_whitelist_from_dkim *@tumblr.com -def_whitelist_from_dkim *@fisglobal.com -def_whitelist_from_dkim *@*.msgfocus.com -def_whitelist_from_dkim *@boredpanda.com mailersend.com - -endif # if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - -# -# -# - -endif # Mail::SpamAssassin::Plugin::DKIM - diff --git a/resources/spamassassin/60_welcomelist_spf.cf b/resources/spamassassin/60_welcomelist_spf.cf deleted file mode 100644 index 423b5e5e..00000000 --- a/resources/spamassassin/60_welcomelist_spf.cf +++ /dev/null @@ -1,170 +0,0 @@ -# SpamAssassin rules file: default SPF welcomelists -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -ifplugin Mail::SpamAssassin::Plugin::SPF - -########################################################################### -# SPF welcomelist rules - -# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_SPF_WELCOMELIST eval:check_for_spf_welcomelist_from() - describe USER_IN_SPF_WELCOMELIST From: address is in the user's SPF welcomelist - tflags USER_IN_SPF_WELCOMELIST userconf nice noautolearn net - score USER_IN_SPF_WELCOMELIST -100 - reuse USER_IN_SPF_WELCOMELIST - - # Backwards compatibility - # To disable set "enable_compat welcomelist_blocklist" in init.pre - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta USER_IN_SPF_WHITELIST (USER_IN_SPF_WELCOMELIST) - describe USER_IN_SPF_WHITELIST DEPRECATED: See USER_IN_SPF_WELCOMELIST - tflags USER_IN_SPF_WHITELIST userconf nice noautolearn net - score USER_IN_SPF_WHITELIST -100 - reuse USER_IN_SPF_WHITELIST - score USER_IN_SPF_WELCOMELIST -0.01 - endif - - header USER_IN_DEF_SPF_WL eval:check_for_def_spf_welcomelist_from() - describe USER_IN_DEF_SPF_WL From: address is in the default SPF welcome-list - tflags USER_IN_DEF_SPF_WL userconf nice noautolearn net - reuse USER_IN_DEF_SPF_WL -endif -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - header USER_IN_SPF_WELCOMELIST eval:check_for_spf_whitelist_from() - describe USER_IN_SPF_WELCOMELIST From: address is in the user's SPF welcomelist - tflags USER_IN_SPF_WELCOMELIST userconf nice noautolearn net - score USER_IN_SPF_WELCOMELIST -0.01 - reuse USER_IN_SPF_WELCOMELIST - - meta USER_IN_SPF_WHITELIST (USER_IN_SPF_WELCOMELIST) - describe USER_IN_SPF_WHITELIST DEPRECATED: See USER_IN_SPF_WELCOMELIST - tflags USER_IN_SPF_WHITELIST userconf nice noautolearn net - score USER_IN_SPF_WHITELIST -100 - reuse USER_IN_SPF_WHITELIST - - header USER_IN_DEF_SPF_WL eval:check_for_def_spf_whitelist_from() - describe USER_IN_DEF_SPF_WL From: address is in the default SPF welcome-list - tflags USER_IN_DEF_SPF_WL userconf nice noautolearn net - reuse USER_IN_DEF_SPF_WL -endif - -meta ENV_AND_HDR_SPF_MATCH (USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH) -describe ENV_AND_HDR_SPF_MATCH Env and Hdr From used in default SPF WL Match -tflags ENV_AND_HDR_SPF_MATCH userconf nice noautolearn net - -########################################################################### -# Default welcomelists. These should be addresses which send mail that is often -# tagged (incorrectly) as spam; it also helps that they be addresses of big -# companies with lots of lawyers, so if spammers impersonate them, they'll get -# into big trouble, so it doesn't provide a shortcut around SpamAssassin. -# -# Whitelist and blacklist addresses are now file-glob-style patterns, so -# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. -# -# Please do not add unmoderated public mailing lists here. They are -# too easily abused by spammers. - -if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - -def_welcomelist_from_spf *@nytimes.com -def_welcomelist_from_spf *@amazon.com -def_welcomelist_from_spf *@amazon.co.uk -def_welcomelist_from_spf *@*.amazon.co.uk -def_welcomelist_from_spf *@ora.com -def_welcomelist_from_spf *@*.ora.com -def_welcomelist_from_spf *@mypoints.com -def_welcomelist_from_spf *@*.mypoints.com -def_welcomelist_from_spf *@paypal.com -def_welcomelist_from_spf *@ebay.com -def_welcomelist_from_spf *@foolsubs.com -def_welcomelist_from_spf *@match.com - -# bugtraq: can contain malicious Javascript etc. -def_welcomelist_from_spf *@securityfocus.com - -def_welcomelist_from_spf *@mediaunspun.imakenews.net - -# sender of Cringley newsletter -def_welcomelist_from_spf *@bdcimail.com - -# Silicon.com newslettters - we see thousands of these -def_welcomelist_from_spf *@silicon.com - -# C|Net news.com newsletters -def_welcomelist_from_spf *@newsletter.online.com - -# bug 1348 -def_welcomelist_from_spf *@enews.buy.com -def_welcomelist_from_spf *@palm.m0.net -def_welcomelist_from_spf *@handspring.4at1.com - -endif - - -### -### For <4.0 compatibility -### - -if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) - -def_whitelist_from_spf *@nytimes.com -def_whitelist_from_spf *@amazon.com -def_whitelist_from_spf *@amazon.co.uk -def_whitelist_from_spf *@*.amazon.co.uk -def_whitelist_from_spf *@ora.com -def_whitelist_from_spf *@*.ora.com -def_whitelist_from_spf *@mypoints.com -def_whitelist_from_spf *@*.mypoints.com -def_whitelist_from_spf *@paypal.com -def_whitelist_from_spf *@ebay.com -def_whitelist_from_spf *@foolsubs.com -def_whitelist_from_spf *@match.com - -# bugtraq: can contain malicious Javascript etc. -def_whitelist_from_spf *@securityfocus.com - -def_whitelist_from_spf *@mediaunspun.imakenews.net - -# sender of Cringley newsletter -def_whitelist_from_spf *@bdcimail.com - -# Silicon.com newslettters - we see thousands of these -def_whitelist_from_spf *@silicon.com - -# C|Net news.com newsletters -def_whitelist_from_spf *@newsletter.online.com - -# bug 1348 -def_whitelist_from_spf *@enews.buy.com -def_whitelist_from_spf *@palm.m0.net -def_whitelist_from_spf *@handspring.4at1.com - -endif - -### -### -### - -endif # Mail::SpamAssassin::Plugin::SPF - diff --git a/resources/spamassassin/60_welcomelist_subject.cf b/resources/spamassassin/60_welcomelist_subject.cf deleted file mode 100644 index 9b329ae2..00000000 --- a/resources/spamassassin/60_welcomelist_subject.cf +++ /dev/null @@ -1,87 +0,0 @@ -# SpamAssassin rules file: default welcomelist/blocklist subject -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> - -########################################################################### -# Welcomelist/Blocklist rules -# -# Note that most of these get 'noautolearn'. They should not be -# considered when deciding whether to auto-learn a message, as a -# user slip-up could result in scribbling side-effects in the bayes -# db as a result -- which is hard to remedy. - -# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist -# Module was renamed WhiteListSubject -> WelcomeListSubject -ifplugin Mail::SpamAssassin::Plugin::WelcomeListSubject - header SUBJECT_IN_WELCOMELIST eval:check_subject_in_welcomelist() - describe SUBJECT_IN_WELCOMELIST Subject: contains string in the user's welcome-list - tflags SUBJECT_IN_WELCOMELIST userconf nice noautolearn - score SUBJECT_IN_WELCOMELIST -100 - - # Backwards compatibility - # To disable set "enable_compat welcomelist_blocklist" in init.pre - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta SUBJECT_IN_WHITELIST (SUBJECT_IN_WELCOMELIST) - describe SUBJECT_IN_WHITELIST DEPRECATED: See SUBJECT_IN_WELCOMELIST - tflags SUBJECT_IN_WHITELIST userconf nice noautolearn - score SUBJECT_IN_WHITELIST -100 - score SUBJECT_IN_WELCOMELIST -0.01 - endif - - header SUBJECT_IN_BLOCKLIST eval:check_subject_in_blocklist() - describe SUBJECT_IN_BLOCKLIST Subject: contains string in the user's block-list - tflags SUBJECT_IN_BLOCKLIST userconf noautolearn - score SUBJECT_IN_BLOCKLIST 100 - - if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) - meta SUBJECT_IN_BLACKLIST (SUBJECT_IN_BLOCKLIST) - describe SUBJECT_IN_BLACKLIST DEPRECATED: See SUBJECT_IN_BLOCKLIST - tflags SUBJECT_IN_BLACKLIST userconf noautolearn - score SUBJECT_IN_BLACKLIST 100 - score SUBJECT_IN_BLOCKLIST 0.01 - endif -endif - -if !plugin(Mail::SpamAssassin::Plugin::WelcomeListSubject) -ifplugin Mail::SpamAssassin::Plugin::WhiteListSubject - header SUBJECT_IN_WELCOMELIST eval:check_subject_in_whitelist() - describe SUBJECT_IN_WELCOMELIST Subject: contains string in the user's welcome-list - tflags SUBJECT_IN_WELCOMELIST userconf nice noautolearn - score SUBJECT_IN_WELCOMELIST -0.01 - - meta SUBJECT_IN_WHITELIST (SUBJECT_IN_WELCOMELIST) - describe SUBJECT_IN_WHITELIST DEPRECATED: See SUBJECT_IN_WELCOMELIST - tflags SUBJECT_IN_WHITELIST userconf nice noautolearn - score SUBJECT_IN_WHITELIST -100 - - header SUBJECT_IN_BLOCKLIST eval:check_subject_in_blacklist() - describe SUBJECT_IN_BLOCKLIST Subject: contains string in the user's block-list - tflags SUBJECT_IN_BLOCKLIST userconf noautolearn - score SUBJECT_IN_BLOCKLIST 0.01 - - meta SUBJECT_IN_BLACKLIST (SUBJECT_IN_BLOCKLIST) - describe SUBJECT_IN_BLACKLIST DEPRECATED: See SUBJECT_IN_BLOCKLIST - tflags SUBJECT_IN_BLACKLIST userconf noautolearn - score SUBJECT_IN_BLACKLIST 100 -endif -endif - diff --git a/resources/spamassassin/72_active.cf b/resources/spamassassin/72_active.cf deleted file mode 100644 index ea93c248..00000000 --- a/resources/spamassassin/72_active.cf +++ /dev/null @@ -1,9710 +0,0 @@ -# SpamAssassin rules file -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -##{ AC_BR_BONANZA - -rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i -describe AC_BR_BONANZA Too many newlines in a row... spammy template -#score AC_BR_BONANZA 0.001 -tflags AC_BR_BONANZA publish -##} AC_BR_BONANZA - -##{ AC_DIV_BONANZA - -rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i -describe AC_DIV_BONANZA Too many divs in a row... spammy template -#score AC_DIV_BONANZA 0.001 -tflags AC_DIV_BONANZA publish -##} AC_DIV_BONANZA - -##{ AC_FROM_MANY_DOTS - -meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP -#score AC_FROM_MANY_DOTS 3.000 # limit -describe AC_FROM_MANY_DOTS Multiple periods in From user name -tflags AC_FROM_MANY_DOTS publish -##} AC_FROM_MANY_DOTS - -##{ AC_HTML_NONSENSE_TAGS - -rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/ -describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam -#score AC_HTML_NONSENSE_TAGS 2.0 -tflags AC_HTML_NONSENSE_TAGS publish -##} AC_HTML_NONSENSE_TAGS - -##{ AC_POST_EXTRAS - -meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID -describe AC_POST_EXTRAS Suspicious URL -#score AC_POST_EXTRAS 2.500 # limit -tflags AC_POST_EXTRAS publish -##} AC_POST_EXTRAS - -##{ AC_SPAMMY_URI_PATTERNS1 - -meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI) -describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS1 4.0 -tflags AC_SPAMMY_URI_PATTERNS1 publish -##} AC_SPAMMY_URI_PATTERNS1 - -##{ AC_SPAMMY_URI_PATTERNS10 - -meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI -describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS10 4.0 -tflags AC_SPAMMY_URI_PATTERNS10 publish -##} AC_SPAMMY_URI_PATTERNS10 - -##{ AC_SPAMMY_URI_PATTERNS11 - -meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI -describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS11 4.0 -tflags AC_SPAMMY_URI_PATTERNS11 publish -##} AC_SPAMMY_URI_PATTERNS11 - -##{ AC_SPAMMY_URI_PATTERNS12 - -meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI) -describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS12 4.0 -tflags AC_SPAMMY_URI_PATTERNS12 publish -##} AC_SPAMMY_URI_PATTERNS12 - -##{ AC_SPAMMY_URI_PATTERNS2 - -meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI) -describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS2 4.0 -tflags AC_SPAMMY_URI_PATTERNS2 publish -##} AC_SPAMMY_URI_PATTERNS2 - -##{ AC_SPAMMY_URI_PATTERNS3 - -meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI) -describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS3 4.0 -tflags AC_SPAMMY_URI_PATTERNS3 publish -##} AC_SPAMMY_URI_PATTERNS3 - -##{ AC_SPAMMY_URI_PATTERNS4 - -meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI -describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS4 4.0 -tflags AC_SPAMMY_URI_PATTERNS4 publish -##} AC_SPAMMY_URI_PATTERNS4 - -##{ AC_SPAMMY_URI_PATTERNS8 - -meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI -describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS8 4.0 -tflags AC_SPAMMY_URI_PATTERNS8 publish -##} AC_SPAMMY_URI_PATTERNS8 - -##{ AC_SPAMMY_URI_PATTERNS9 - -meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI)) -describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template -#score AC_SPAMMY_URI_PATTERNS9 4.0 -tflags AC_SPAMMY_URI_PATTERNS9 publish -##} AC_SPAMMY_URI_PATTERNS9 - -##{ ADMAIL - -meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS -describe ADMAIL "admail" and variants -tflags ADMAIL publish -##} ADMAIL - -##{ ADMITS_SPAM - -meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB -describe ADMITS_SPAM Admits this is an ad -tflags ADMITS_SPAM publish -##} ADMITS_SPAM - -##{ ADULT_DATING_COMPANY - -meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO -#score ADULT_DATING_COMPANY 10.000 # limit -tflags ADULT_DATING_COMPANY publish -##} ADULT_DATING_COMPANY - -##{ ADVANCE_FEE_2_NEW_FORM - -meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP -describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form -#score ADVANCE_FEE_2_NEW_FORM 2.000 # limit -tflags ADVANCE_FEE_2_NEW_FORM publish -##} ADVANCE_FEE_2_NEW_FORM - -##{ ADVANCE_FEE_2_NEW_FRM_MNY - -meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP -describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money -#score ADVANCE_FEE_2_NEW_FRM_MNY 2.500 -tflags ADVANCE_FEE_2_NEW_FRM_MNY publish -##} ADVANCE_FEE_2_NEW_FRM_MNY - -##{ ADVANCE_FEE_2_NEW_MONEY - -meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG -describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money -#score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit -tflags ADVANCE_FEE_2_NEW_MONEY publish -##} ADVANCE_FEE_2_NEW_MONEY - -##{ ADVANCE_FEE_3_NEW - -meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG -describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419) -#score ADVANCE_FEE_3_NEW 3.5 # limit -tflags ADVANCE_FEE_3_NEW publish -##} ADVANCE_FEE_3_NEW - -##{ ADVANCE_FEE_3_NEW_FORM - -meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP -describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form -tflags ADVANCE_FEE_3_NEW_FORM publish -##} ADVANCE_FEE_3_NEW_FORM - -##{ ADVANCE_FEE_3_NEW_FRM_MNY - -meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP -describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money -tflags ADVANCE_FEE_3_NEW_FRM_MNY publish -##} ADVANCE_FEE_3_NEW_FRM_MNY - -##{ ADVANCE_FEE_3_NEW_MONEY - -meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG -describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money -tflags ADVANCE_FEE_3_NEW_MONEY publish -##} ADVANCE_FEE_3_NEW_MONEY - -##{ ADVANCE_FEE_4_NEW - -meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG -describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419) -tflags ADVANCE_FEE_4_NEW publish -##} ADVANCE_FEE_4_NEW - -##{ ADVANCE_FEE_4_NEW_FORM - -meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) -describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form -tflags ADVANCE_FEE_4_NEW_FORM publish -##} ADVANCE_FEE_4_NEW_FORM - -##{ ADVANCE_FEE_4_NEW_FRM_MNY - -meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) -describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money -tflags ADVANCE_FEE_4_NEW_FRM_MNY publish -##} ADVANCE_FEE_4_NEW_FRM_MNY - -##{ ADVANCE_FEE_4_NEW_MONEY - -meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG -describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money -tflags ADVANCE_FEE_4_NEW_MONEY publish -##} ADVANCE_FEE_4_NEW_MONEY - -##{ ADVANCE_FEE_5_NEW - -meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG -describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419) -tflags ADVANCE_FEE_5_NEW publish -##} ADVANCE_FEE_5_NEW - -##{ ADVANCE_FEE_5_NEW_FORM - -meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM -describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form -tflags ADVANCE_FEE_5_NEW_FORM publish -##} ADVANCE_FEE_5_NEW_FORM - -##{ ADVANCE_FEE_5_NEW_FRM_MNY - -meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY -describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money -tflags ADVANCE_FEE_5_NEW_FRM_MNY publish -##} ADVANCE_FEE_5_NEW_FRM_MNY - -##{ ADVANCE_FEE_5_NEW_MONEY - -meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG -describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money -tflags ADVANCE_FEE_5_NEW_MONEY publish -##} ADVANCE_FEE_5_NEW_MONEY - -##{ AD_PREFS - -body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i -describe AD_PREFS Advertising preferences -#score AD_PREFS 0.500 # limit -tflags AD_PREFS publish -##} AD_PREFS - -##{ ALIBABA_IMG_NOT_RCVD_ALI - -meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE -#score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit -describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba -tflags ALIBABA_IMG_NOT_RCVD_ALI publish -##} ALIBABA_IMG_NOT_RCVD_ALI - -##{ AMAZON_IMG_NOT_RCVD_AMZN - -meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO -#score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit -describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon -tflags AMAZON_IMG_NOT_RCVD_AMZN publish -##} AMAZON_IMG_NOT_RCVD_AMZN - -##{ APOSTROPHE_FROM - -header APOSTROPHE_FROM From:addr =~ /'/ -describe APOSTROPHE_FROM From address contains an apostrophe -##} APOSTROPHE_FROM - -##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) - describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto -# score APP_DEVELOPMENT_FREEM 3.500 # limit - tflags APP_DEVELOPMENT_FREEM publish -endif -##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE - describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS -# score APP_DEVELOPMENT_NORDNS 2.000 # limit - tflags APP_DEVELOPMENT_NORDNS publish -endif -##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ AXB_XMAILER_MIMEOLE_OL_024C2 - -meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) -describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait -##} AXB_XMAILER_MIMEOLE_OL_024C2 - -##{ AXB_X_FF_SEZ_S - -header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/ -describe AXB_X_FF_SEZ_S Forefront sez this is spam -##} AXB_X_FF_SEZ_S - -##{ BANKING_LAWS - -body BANKING_LAWS /banking laws/i -describe BANKING_LAWS Talks about banking laws -##} BANKING_LAWS - -##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval -body BASE64_LENGTH_78_79 eval:check_base64_length('78','79') -endif -##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval -describe BASE64_LENGTH_79_INF base64 encoded email part uses line length of 78 or 79 characters -body BASE64_LENGTH_79_INF eval:check_base64_length('79') -describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters -endif -##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -##{ BAT_BDRY_TO_MALF - -meta BAT_BDRY_TO_MALF __BAT_BOUNDARY && __TO_NO_ARROWS_R -describe BAT_BDRY_TO_MALF Bat boundary + misformatted To: address -#score BAT_BDRY_TO_MALF 2.500 # limit -##} BAT_BDRY_TO_MALF - -##{ BEBEE_IMG_NOT_RCVD_BB - -meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB -#score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit -describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee -tflags BEBEE_IMG_NOT_RCVD_BB publish -##} BEBEE_IMG_NOT_RCVD_BB - -##{ BIGNUM_EMAILS_FREEM - -meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM -describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account -#score BIGNUM_EMAILS_FREEM 3.00 # limit -tflags BIGNUM_EMAILS_FREEM publish -##} BIGNUM_EMAILS_FREEM - -##{ BIGNUM_EMAILS_MANY - -meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER -describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over -#score BIGNUM_EMAILS_MANY 3.00 # limit -tflags BIGNUM_EMAILS_MANY publish -##} BIGNUM_EMAILS_MANY - -##{ BITCOIN_BOMB - -meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 -describe BITCOIN_BOMB BitCoin + bomb -#score BITCOIN_BOMB 3.000 # limit -tflags BITCOIN_BOMB publish -##} BITCOIN_BOMB - -##{ BITCOIN_DEADLINE - -meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 -describe BITCOIN_DEADLINE BitCoin with a deadline -#score BITCOIN_DEADLINE 3.000 # limit -tflags BITCOIN_DEADLINE publish -##} BITCOIN_DEADLINE - -##{ BITCOIN_EXTORT_01 - -meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA ) -describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin -#score BITCOIN_EXTORT_01 5.000 # limit -tflags BITCOIN_EXTORT_01 publish -##} BITCOIN_EXTORT_01 - -##{ BITCOIN_EXTORT_02 - -meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY -describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin -#score BITCOIN_EXTORT_02 5.000 # limit -tflags BITCOIN_EXTORT_02 publish -##} BITCOIN_EXTORT_02 - -##{ BITCOIN_IMGUR - -meta BITCOIN_IMGUR __BITCOIN_IMGUR -describe BITCOIN_IMGUR Bitcoin + hosted image -#score BITCOIN_IMGUR 3.500 # limit -tflags BITCOIN_IMGUR publish -##} BITCOIN_IMGUR - -##{ BITCOIN_MALF_HTML - -meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID) -describe BITCOIN_MALF_HTML Bitcoin + malformed HTML -#score BITCOIN_MALF_HTML 3.500 # limit -##} BITCOIN_MALF_HTML - -##{ BITCOIN_MALWARE - -meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED -describe BITCOIN_MALWARE BitCoin + malware bragging -#score BITCOIN_MALWARE 3.500 # limit -tflags BITCOIN_MALWARE publish -##} BITCOIN_MALWARE - -##{ BITCOIN_OBFU_SUBJ - -meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI -describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject -#score BITCOIN_OBFU_SUBJ 3.500 # limit -tflags BITCOIN_OBFU_SUBJ publish -##} BITCOIN_OBFU_SUBJ - -##{ BITCOIN_ONAN - -meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01 -describe BITCOIN_ONAN BitCoin + [censored] -#score BITCOIN_ONAN 3.000 # limit -tflags BITCOIN_ONAN publish -##} BITCOIN_ONAN - -##{ BITCOIN_PAY_ME - -meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 -describe BITCOIN_PAY_ME Pay me via BitCoin -#score BITCOIN_PAY_ME 3.000 # limit -tflags BITCOIN_PAY_ME publish -##} BITCOIN_PAY_ME - -##{ BITCOIN_SPAM_01 - -meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG -describe BITCOIN_SPAM_01 BitCoin spam pattern 01 -#score BITCOIN_SPAM_01 2.500 # limit -tflags BITCOIN_SPAM_01 publish -##} BITCOIN_SPAM_01 - -##{ BITCOIN_SPAM_02 - -meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID -describe BITCOIN_SPAM_02 BitCoin spam pattern 02 -#score BITCOIN_SPAM_02 2.500 # limit -tflags BITCOIN_SPAM_02 publish -##} BITCOIN_SPAM_02 - -##{ BITCOIN_SPAM_03 - -meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ -describe BITCOIN_SPAM_03 BitCoin spam pattern 03 -#score BITCOIN_SPAM_03 2.500 # limit -tflags BITCOIN_SPAM_03 publish -##} BITCOIN_SPAM_03 - -##{ BITCOIN_SPAM_04 - -meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto -describe BITCOIN_SPAM_04 BitCoin spam pattern 04 -#score BITCOIN_SPAM_04 1.500 # limit -tflags BITCOIN_SPAM_04 publish -##} BITCOIN_SPAM_04 - -##{ BITCOIN_SPAM_05 - -meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO -describe BITCOIN_SPAM_05 BitCoin spam pattern 05 -#score BITCOIN_SPAM_05 2.500 # limit -tflags BITCOIN_SPAM_05 net publish -##} BITCOIN_SPAM_05 - -##{ BITCOIN_SPAM_06 - -meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET -describe BITCOIN_SPAM_06 BitCoin spam pattern 06 -#score BITCOIN_SPAM_06 1.500 # limit -tflags BITCOIN_SPAM_06 publish -##} BITCOIN_SPAM_06 - -##{ BITCOIN_SPAM_07 - -meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS -describe BITCOIN_SPAM_07 BitCoin spam pattern 07 -#score BITCOIN_SPAM_07 3.500 # limit -tflags BITCOIN_SPAM_07 publish -##} BITCOIN_SPAM_07 - -##{ BITCOIN_SPAM_08 - -meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ -describe BITCOIN_SPAM_08 BitCoin spam pattern 08 -#score BITCOIN_SPAM_08 2.500 # limit -tflags BITCOIN_SPAM_08 publish -##} BITCOIN_SPAM_08 - -##{ BITCOIN_SPAM_09 - -meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) -describe BITCOIN_SPAM_09 BitCoin spam pattern 09 -#score BITCOIN_SPAM_09 1.500 # limit -tflags BITCOIN_SPAM_09 publish -##} BITCOIN_SPAM_09 - -##{ BITCOIN_SPAM_10 - -meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) -describe BITCOIN_SPAM_10 BitCoin spam pattern 10 -#score BITCOIN_SPAM_10 2.500 # limit -tflags BITCOIN_SPAM_10 publish -##} BITCOIN_SPAM_10 - -##{ BITCOIN_SPAM_11 - -meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU -describe BITCOIN_SPAM_11 BitCoin spam pattern 11 -#score BITCOIN_SPAM_11 2.500 # limit -tflags BITCOIN_SPAM_11 publish -##} BITCOIN_SPAM_11 - -##{ BITCOIN_SPAM_12 - -meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY -describe BITCOIN_SPAM_12 BitCoin spam pattern 12 -#score BITCOIN_SPAM_12 2.500 # limit -tflags BITCOIN_SPAM_12 publish -##} BITCOIN_SPAM_12 - -##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID -tflags BITCOIN_SPF_ONLYALL net publish -describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF -#score BITCOIN_SPF_ONLYALL 2.0 # limit -endif -endif -##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ BITCOIN_WFH_01 - -meta BITCOIN_WFH_01 __BITCOIN_WFH_01 -describe BITCOIN_WFH_01 Work-from-Home + bitcoin -tflags BITCOIN_WFH_01 publish -##} BITCOIN_WFH_01 - -##{ BITCOIN_XPRIO - -meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY -describe BITCOIN_XPRIO Bitcoin + priority -#score BITCOIN_XPRIO 2.500 # limit -##} BITCOIN_XPRIO - -##{ BITCOIN_YOUR_INFO - -meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01 -describe BITCOIN_YOUR_INFO BitCoin with your personal info -#score BITCOIN_YOUR_INFO 3.000 # limit -tflags BITCOIN_YOUR_INFO publish -##} BITCOIN_YOUR_INFO - -##{ BODY_URI_ONLY - -meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV -describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image -#score BODY_URI_ONLY 3.000 # limit -tflags BODY_URI_ONLY publish -##} BODY_URI_ONLY - -##{ BOGUS_MIME_VERSION - -meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER -#score BOGUS_MIME_VERSION 3.500 # limit -describe BOGUS_MIME_VERSION Mime version header is bogus -tflags BOGUS_MIME_VERSION publish -##} BOGUS_MIME_VERSION - -##{ BOGUS_MSM_HDRS - -meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS -describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers -#score BOGUS_MSM_HDRS 3.000 # limit -tflags BOGUS_MSM_HDRS publish -##} BOGUS_MSM_HDRS - -##{ BOMB_FREEM - -meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto -describe BOMB_FREEM Bomb + freemail -#score BOMB_FREEM 2.000 # limit -tflags BOMB_FREEM publish -##} BOMB_FREEM - -##{ BOMB_MONEY - -meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) -describe BOMB_MONEY Bomb + money: bomb threat? -#score BOMB_MONEY 2.500 # limit -tflags BOMB_MONEY publish -##} BOMB_MONEY - -##{ BTC_ORG - -describe BTC_ORG Bitcoin wallet ID + unusual header -#score BTC_ORG 2.500 # limit -##} BTC_ORG - -##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST -endif -##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::DKIM - meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED -endif -##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM - -##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD -tflags BULK_RE_SUSP_NTLD publish -describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD -#score BULK_RE_SUSP_NTLD 1.0 # limit -endif -endif -##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ CANT_SEE_AD - -meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB -describe CANT_SEE_AD You really want to see our spam. -#score CANT_SEE_AD 2.500 # limit -tflags CANT_SEE_AD publish -##} CANT_SEE_AD - -##{ CK_HELO_GENERIC - -header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i -describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR -#score CK_HELO_GENERIC 0.25 -##} CK_HELO_GENERIC - -##{ CN_B2B_SPAMMER - -body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i -describe CN_B2B_SPAMMER Chinese company introducing itself -tflags CN_B2B_SPAMMER publish -##} CN_B2B_SPAMMER - -##{ COMMENT_GIBBERISH - -meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT -describe COMMENT_GIBBERISH Nonsense in long HTML comment -#score COMMENT_GIBBERISH 1.50 # limit -tflags COMMENT_GIBBERISH publish -##} COMMENT_GIBBERISH - -##{ COMPENSATION - -describe COMPENSATION "Compensation" -#score COMPENSATION 1.50 # limit -##} COMPENSATION - -##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD -endif -##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::DKIM - meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE -endif -##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM - -##{ CONTENT_AFTER_HTML - -meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 ) -describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs -#score CONTENT_AFTER_HTML 2.500 # limit -tflags CONTENT_AFTER_HTML publish -##} CONTENT_AFTER_HTML - -##{ CONTENT_AFTER_HTML_WEAK - -meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV -describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag -#score CONTENT_AFTER_HTML_WEAK 1.500 # limit -tflags CONTENT_AFTER_HTML_WEAK publish -##} CONTENT_AFTER_HTML_WEAK - -##{ CORRUPT_FROM_LINE_IN_HDRS - -meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) -describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers -tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish -#score CORRUPT_FROM_LINE_IN_HDRS 0.001 -##} CORRUPT_FROM_LINE_IN_HDRS - -##{ CTE_8BIT_MISMATCH - -meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS) -describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees -#score CTE_8BIT_MISMATCH 1 -tflags CTE_8BIT_MISMATCH publish -##} CTE_8BIT_MISMATCH - -##{ CTYPE_001C_A - -meta CTYPE_001C_A (0) # obsolete -##} CTYPE_001C_A - -##{ CTYPE_001C_B - -header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ -##} CTYPE_001C_B - -##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s -describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) -endif -##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ CURR_PRICE - -body CURR_PRICE /\bCurrent Price:/ -##} CURR_PRICE - -##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval -header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') -describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date -endif -##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta DAY_I_EARNED __DAY_I_EARNED >= 3 -# score DAY_I_EARNED 3.000 # limit - describe DAY_I_EARNED Work-at-home spam - tflags DAY_I_EARNED publish -endif -##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ DEAR_BENEFICIARY - -body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i -describe DEAR_BENEFICIARY Dear Beneficiary: -##} DEAR_BENEFICIARY - -##{ DEAR_WINNER - -body DEAR_WINNER /\bdear.{1,20}winner/i -describe DEAR_WINNER Spam with generic salutation of "dear winner" -##} DEAR_WINNER - -##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta DKIMWL_BL __DKIMWL_WL_BL -tflags DKIMWL_BL net publish -describe DKIMWL_BL DKIMwl.org - Blocked sender -#score DKIMWL_BL 3.0 # limit -endif -##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta DKIMWL_BLOCKED __DKIMWL_BLOCKED -tflags DKIMWL_BLOCKED net publish -describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. -#score DKIMWL_BLOCKED 0.001 # limit -endif -##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) -tflags DKIMWL_WL_HIGH net nice publish -describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender -#score DKIMWL_WL_HIGH -3.0 # limit -endif -##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) -tflags DKIMWL_WL_MED net nice publish -describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender -#score DKIMWL_WL_MED -0.5 # limit -endif -##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) -tflags DKIMWL_WL_MEDHI net nice publish -describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender -#score DKIMWL_WL_MEDHI -1.0 # limit -endif -##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ DOS_ANAL_SPAM_MAILER - -header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ -describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam -tflags DOS_ANAL_SPAM_MAILER publish -##} DOS_ANAL_SPAM_MAILER - -##{ DOS_DEREK_AUG08 - -meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) -##} DOS_DEREK_AUG08 - -##{ DOS_FIX_MY_URI - -meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK -describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam -##} DOS_FIX_MY_URI - -##{ DOS_HIGH_BAT_TO_MX - -meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA -describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits -##} DOS_HIGH_BAT_TO_MX - -##{ DOS_LET_GO_JOB - -meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME -describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! -##} DOS_LET_GO_JOB - -##{ DOS_OE_TO_MX - -meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE -describe DOS_OE_TO_MX Delivered direct to MX with OE headers -##} DOS_OE_TO_MX - -##{ DOS_OE_TO_MX_IMAGE - -meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH -describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image -##} DOS_OE_TO_MX_IMAGE - -##{ DOS_OUTLOOK_TO_MX - -meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE -describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers -##} DOS_OUTLOOK_TO_MX - -##{ DOS_RCVD_IP_TWICE_C - -header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/ -describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) -##} DOS_RCVD_IP_TWICE_C - -##{ DOS_STOCK_BAT - -meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) -describe DOS_STOCK_BAT Probable pump and dump stock spam -##} DOS_STOCK_BAT - -##{ DOS_STOCK_BAT2 - -meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) -##} DOS_STOCK_BAT2 - -##{ DOS_URI_ASTERISK - -uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} -describe DOS_URI_ASTERISK Found an asterisk in a URI -##} DOS_URI_ASTERISK - -##{ DOS_YOUR_PLACE - -meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) -describe DOS_YOUR_PLACE Russian dating spam -##} DOS_YOUR_PLACE - -##{ DOTGOV_IMAGE - -meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS -describe DOTGOV_IMAGE .gov URI + hosted image -#score DOTGOV_IMAGE 3.000 # limit -tflags DOTGOV_IMAGE publish -##} DOTGOV_IMAGE - -##{ DRUGS_HDIA - -header DRUGS_HDIA Subject =~ /\bhoodia\b/i -describe DRUGS_HDIA Subject mentions "hoodia" -##} DRUGS_HDIA - -##{ DX_TEXT_02 - -body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i -describe DX_TEXT_02 "change your message stat" -tflags DX_TEXT_02 publish -##} DX_TEXT_02 - -##{ DX_TEXT_03 - -body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ -describe DX_TEXT_03 "XXX Media Group" -tflags DX_TEXT_03 publish -##} DX_TEXT_03 - -##{ DYNAMIC_IMGUR - -meta DYNAMIC_IMGUR __DYNAMIC_IMGUR -describe DYNAMIC_IMGUR dynamic IP + hosted image -#score DYNAMIC_IMGUR 4.000 # limit -tflags DYNAMIC_IMGUR publish -##} DYNAMIC_IMGUR - -##{ DYN_RDNS_AND_INLINE_IMAGE - -meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) -describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS -##} DYN_RDNS_AND_INLINE_IMAGE - -##{ DYN_RDNS_SHORT_HELO_HTML - -meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) -describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML -##} DYN_RDNS_SHORT_HELO_HTML - -##{ DYN_RDNS_SHORT_HELO_IMAGE - -meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) -describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image -##} DYN_RDNS_SHORT_HELO_IMAGE - -##{ EBAY_IMG_NOT_RCVD_EBAY - -meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS -#score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit -describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay -tflags EBAY_IMG_NOT_RCVD_EBAY publish -##} EBAY_IMG_NOT_RCVD_EBAY - -##{ EMRCP - -body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i -describe EMRCP "Excess Maximum Return Capital Profit" scam -tflags EMRCP publish -##} EMRCP - -##{ ENCRYPTED_MESSAGE - -meta ENCRYPTED_MESSAGE __CT_ENCRYPTED -describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam -#score ENCRYPTED_MESSAGE -1.000 -tflags ENCRYPTED_MESSAGE nice publish -##} ENCRYPTED_MESSAGE - -##{ END_FUTURE_EMAILS - -describe END_FUTURE_EMAILS Spammy unsubscribe -#score END_FUTURE_EMAILS 2.500 # limit -##} END_FUTURE_EMAILS - -##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER -endif -##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::DKIM - meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED -endif -##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM - -##{ ENVFROM_GOOG_TRIX - -meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY -describe ENVFROM_GOOG_TRIX From suspicious Google subdomain -#score ENVFROM_GOOG_TRIX 3.000 # limit -tflags ENVFROM_GOOG_TRIX publish -##} ENVFROM_GOOG_TRIX - -##{ EXCUSE_24 - -body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i -describe EXCUSE_24 Claims you wanted this ad -##} EXCUSE_24 - -##{ FACEBOOK_IMG_NOT_RCVD_FB - -meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP -#score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit -describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook -tflags FACEBOOK_IMG_NOT_RCVD_FB publish -##} FACEBOOK_IMG_NOT_RCVD_FB - -##{ FAKE_REPLY_C - -meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) -##} FAKE_REPLY_C - -##{ FBI_MONEY - -meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY -describe FBI_MONEY The FBI wants to give you lots of money? -#score FBI_MONEY 2.00 # limit -tflags FBI_MONEY publish -##} FBI_MONEY - -##{ FBI_SPOOF - -meta FBI_SPOOF __FBI_SPOOF -describe FBI_SPOOF Claims to be FBI, but not from FBI domain -#score FBI_SPOOF 2.00 # limit -tflags FBI_SPOOF publish -##} FBI_SPOOF - -##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML - describe FILL_THIS_FORM Fill in a form with personal information - tflags FILL_THIS_FORM publish -endif -##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY - describe FILL_THIS_FORM_LONG Fill in a form with personal information -# score FILL_THIS_FORM_LONG 2.00 # limit -endif -##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX - describe FONT_INVIS_DIRECT Invisible text + direct-to-MX -# score FONT_INVIS_DIRECT 3.500 # limit - tflags FONT_INVIS_DIRECT publish -endif -##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID - describe FONT_INVIS_DOTGOV Invisible text + .gov URI -# score FONT_INVIS_DOTGOV 3.500 # limit - tflags FONT_INVIS_DOTGOV publish -endif -##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG - describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML -# score FONT_INVIS_HTML_NOHTML 3.000 # limit - tflags FONT_INVIS_HTML_NOHTML publish -endif -##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET - describe FONT_INVIS_LONG_LINE Invisible text + long lines -# score FONT_INVIS_LONG_LINE 3.000 # limit - tflags FONT_INVIS_LONG_LINE publish -endif -##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA - describe FONT_INVIS_MSGID Invisible text + suspicious message ID -# score FONT_INVIS_MSGID 2.500 # limit - tflags FONT_INVIS_MSGID publish -endif -##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER - describe FONT_INVIS_NORDNS Invisible text + no rDNS -# score FONT_INVIS_NORDNS 2.500 # limit - tflags FONT_INVIS_NORDNS publish -endif -##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS - describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI -# score FONT_INVIS_POSTEXTRAS 3.500 # limit - tflags FONT_INVIS_POSTEXTRAS publish -endif -##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ FORGED_SPF_HELO - -meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS -##} FORGED_SPF_HELO - -##{ FORM_FRAUD - -meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK -describe FORM_FRAUD Fill a form and a fraud phrase -#score FORM_FRAUD 1.000 # limit -tflags FORM_FRAUD publish -##} FORM_FRAUD - -##{ FORM_FRAUD_3 - -meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED -describe FORM_FRAUD_3 Fill a form and several fraud phrases -tflags FORM_FRAUD_3 publish -##} FORM_FRAUD_3 - -##{ FORM_FRAUD_5 - -meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE -describe FORM_FRAUD_5 Fill a form and many fraud phrases -tflags FORM_FRAUD_5 publish -##} FORM_FRAUD_5 - -##{ FOUND_YOU - -meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO -#score FOUND_YOU 3.25 # limit -describe FOUND_YOU I found you... -tflags FOUND_YOU publish -##} FOUND_YOU - -##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - ifplugin Mail::SpamAssassin::Plugin::HeaderEval - if (version >= 3.004000) - meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS - describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different -# score FREEMAIL_FORGED_FROMDOMAIN 0.25 - tflags FREEMAIL_FORGED_FROMDOMAIN publish -endif -endif -endif -##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) - -##{ FREEMAIL_WFH_01 - -meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 -describe FREEMAIL_WFH_01 Work-from-Home + freemail -tflags FREEMAIL_WFH_01 publish -##} FREEMAIL_WFH_01 - -##{ FREEM_FRNUM_UNICD_EMPTY - -meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY -describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body -#score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit -tflags FREEM_FRNUM_UNICD_EMPTY publish -##} FREEM_FRNUM_UNICD_EMPTY - -##{ FRNAME_IN_MSG_XPRIO_NO_SUB - -meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED -describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject -#score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit -tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish -##} FRNAME_IN_MSG_XPRIO_NO_SUB - -##{ FROM_2_EMAILS_SHORT - -meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) -describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails -#score FROM_2_EMAILS_SHORT 3.0 # limit -##} FROM_2_EMAILS_SHORT - -##{ FROM_ADDR_WS - -meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL -describe FROM_ADDR_WS Malformed From address -#score FROM_ADDR_WS 3.000 # limit -tflags FROM_ADDR_WS publish -##} FROM_ADDR_WS - -##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) -tflags FROM_BANK_NOAUTH publish net -describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM -#score FROM_BANK_NOAUTH 1.0 # limit -endif -endif -##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED -describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. -tflags FROM_FMBLA_NDBLOCKED net publish -#score FROM_FMBLA_NDBLOCKED 0.001 # limit -endif -endif -##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM -describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days -tflags FROM_FMBLA_NEWDOM net -#score FROM_FMBLA_NEWDOM 1.5 # limit -endif -endif -##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 -describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days -tflags FROM_FMBLA_NEWDOM14 publish net -#score FROM_FMBLA_NEWDOM14 1.0 # limit -endif -endif -##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 -describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days -tflags FROM_FMBLA_NEWDOM28 net publish -#score FROM_FMBLA_NEWDOM28 0.8 # limit -endif -endif -##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV -tflags FROM_GOV_DKIM_AU net nice publish -describe FROM_GOV_DKIM_AU From Government address and DKIM signed -#score FROM_GOV_DKIM_AU -1.0 # limit -endif -endif -##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU -tflags FROM_GOV_REPLYTO_FREEMAIL net publish -describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL -#score FROM_GOV_REPLYTO_FREEMAIL 2.0 -endif -endif -##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED) -tflags FROM_GOV_SPOOF net publish -describe FROM_GOV_SPOOF From Government domain but matches SPOOFED -#score FROM_GOV_SPOOF 1.0 # limit -endif -endif -##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_IN_TO_AND_SUBJ - -meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID -describe FROM_IN_TO_AND_SUBJ From address is in To and Subject -tflags FROM_IN_TO_AND_SUBJ publish -##} FROM_IN_TO_AND_SUBJ - -##{ FROM_MISSPACED - -meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA -describe FROM_MISSPACED From: missing whitespace -#score FROM_MISSPACED 2.00 -##} FROM_MISSPACED - -##{ FROM_MISSP_DYNIP - -meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC -describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS -##} FROM_MISSP_DYNIP - -##{ FROM_MISSP_EH_MATCH - -meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA -describe FROM_MISSP_EH_MATCH From misspaced, matches envelope -#score FROM_MISSP_EH_MATCH 2.00 # max -##} FROM_MISSP_EH_MATCH - -##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA - describe FROM_MISSP_FREEMAIL From misspaced + freemail provider -endif -##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ FROM_MISSP_MSFT - -meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) -describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool -##} FROM_MISSP_MSFT - -##{ FROM_MISSP_REPLYTO - -meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB -describe FROM_MISSP_REPLYTO From misspaced, has Reply-To -#score FROM_MISSP_REPLYTO 2.500 # limit -##} FROM_MISSP_REPLYTO - -##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF - -ifplugin Mail::SpamAssassin::Plugin::SPF - meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) - tflags FROM_MISSP_SPF_FAIL net -# score FROM_MISSP_SPF_FAIL 2.00 # limit -endif -##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF - -##{ FROM_MISSP_USER - -meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) -describe FROM_MISSP_USER From misspaced, from "User" -##} FROM_MISSP_USER - -##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS - describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS -endif -##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN -describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID -#score FROM_NEWDOM_BTC 2.0 # limit -tflags FROM_NEWDOM_BTC net -endif -endif -##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY -tflags FROM_NTLD_LINKBAIT publish -describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI -#score FROM_NTLD_LINKBAIT 2.0 # limit -endif -endif -##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD -tflags FROM_NTLD_REPLY_FREEMAIL publish -describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL -#score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit -endif -endif -##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN -describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain -#score FROM_NUMBERO_NEWDOMAIN 2.0 # limit -tflags FROM_NUMBERO_NEWDOMAIN net publish -endif -endif -##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS - -##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) -tflags FROM_PAYPAL_SPOOF publish net -describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED -#score FROM_PAYPAL_SPOOF 1.6 # limit -endif -endif -##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD -tflags FROM_SUSPICIOUS_NTLD publish -describe FROM_SUSPICIOUS_NTLD From abused NTLD -#score FROM_SUSPICIOUS_NTLD 0.5 # limit -endif -endif -##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST -tflags FROM_SUSPICIOUS_NTLD_FP publish -describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD -#score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit -endif -endif -##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ FROM_WSP_TRAIL - -header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm -describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field -##} FROM_WSP_TRAIL - -##{ FSL_BULK_SIG - -meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 -describe FSL_BULK_SIG Bulk signature with no Unsubscribe -#score FSL_BULK_SIG 2.500 # limit -tflags FSL_BULK_SIG net publish -##} FSL_BULK_SIG - -##{ FSL_CTYPE_WIN1251 - -header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/ -describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam -##} FSL_CTYPE_WIN1251 - -##{ FSL_FAKE_HOTMAIL_RVCD - -header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ -##} FSL_FAKE_HOTMAIL_RVCD - -##{ FSL_HELO_BARE_IP_1 - -meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED -##} FSL_HELO_BARE_IP_1 - -##{ FSL_HELO_DEVICE - -header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i -##} FSL_HELO_DEVICE - -##{ FSL_HELO_NON_FQDN_1 - -header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i -##} FSL_HELO_NON_FQDN_1 - -##{ FSL_HELO_SETUP - -header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i -##} FSL_HELO_SETUP - -##{ FSL_INTERIA_ABUSE - -uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/ -##} FSL_INTERIA_ABUSE - -##{ FSL_NEW_HELO_USER - -meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3) -describe FSL_NEW_HELO_USER Spam's using Helo and User -#score FSL_NEW_HELO_USER 2.0 -tflags FSL_NEW_HELO_USER publish -##} FSL_NEW_HELO_USER - -##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i - describe FUZZY_AMAZON Obfuscated "amazon" - tflags FUZZY_AMAZON publish -endif -##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i - describe FUZZY_ANDROID Obfuscated "android" - tflags FUZZY_ANDROID publish -endif -##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i - describe FUZZY_APPLE Obfuscated "apple" - tflags FUZZY_APPLE publish -endif -##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i - describe FUZZY_BITCOIN Obfuscated "Bitcoin" - tflags FUZZY_BITCOIN publish -endif -##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i - describe FUZZY_BROWSER Obfuscated "browser" - tflags FUZZY_BROWSER publish -endif -##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET - describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" - tflags FUZZY_BTC_WALLET publish -endif -##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s| )here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i - describe FUZZY_CLICK_HERE Obfuscated "click here" - tflags FUZZY_CLICK_HERE publish -endif -##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML - describe FUZZY_DR_OZ Obfuscated Doctor Oz - tflags FUZZY_DR_OZ publish -endif -##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i - describe FUZZY_FACEBOOK Obfuscated "facebook" - tflags FUZZY_FACEBOOK publish -endif -##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i - describe FUZZY_IMPORTANT Obfuscated "important" - tflags FUZZY_IMPORTANT publish -endif -##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i -describe FUZZY_MERIDIA Obfuscation of the word "meridia" -endif -##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i - describe FUZZY_MICROSOFT Obfuscated "microsoft" - tflags FUZZY_MICROSOFT publish -endif -##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_MONERO - -meta FUZZY_MONERO __FUZZY_MONERO -describe FUZZY_MONERO Obfuscated "Monero" -tflags FUZZY_MONERO publish -##} FUZZY_MONERO - -##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i - describe FUZZY_NORTON Obfuscated "norton" - tflags FUZZY_NORTON publish -endif -##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i - describe FUZZY_OVERSTOCK Obfuscated "overstock" - tflags FUZZY_OVERSTOCK publish -endif -##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i - describe FUZZY_PAYPAL Obfuscated "paypal" - tflags FUZZY_PAYPAL publish -endif -##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT ) - describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic" - tflags FUZZY_PORN publish -endif -##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i - describe FUZZY_PRIVACY Obfuscated "privacy" - tflags FUZZY_PRIVACY publish -endif -##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i - describe FUZZY_PROMOTION Obfuscated "promotion" - tflags FUZZY_PROMOTION publish -endif -##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i - describe FUZZY_SAVINGS Obfuscated "savings" - tflags FUZZY_SAVINGS publish -endif -##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i - describe FUZZY_SECURITY Obfuscated "security" - tflags FUZZY_SECURITY publish -endif -##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i - describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" - tflags FUZZY_UNSUBSCRIBE publish -endif -##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i - describe FUZZY_WALLET Obfuscated "Wallet" - tflags FUZZY_WALLET publish -endif -##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) - describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto -# score GAPPY_SALES_LEADS_FREEM 3.500 # limit - tflags GAPPY_SALES_LEADS_FREEM publish -endif -##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ GB_BITCOIN_CP - -meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE ) -describe GB_BITCOIN_CP Localized Bitcoin scam -#score GB_BITCOIN_CP 3.0 # limit -##} GB_BITCOIN_CP - -##{ GB_BITCOIN_NH - -meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) ) -describe GB_BITCOIN_NH Localized Bitcoin scam -#score GB_BITCOIN_NH 3.0 # limit -##} GB_BITCOIN_NH - -##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) - -if (version >= 4.000000) -if can(Mail::SpamAssassin::Conf::feature_capture_rules) - meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI ) - describe GB_CUSTOM_HTM_URI Custom html uri -# score GB_CUSTOM_HTM_URI 1.500 # limit - tflags GB_CUSTOM_HTM_URI publish -endif -endif -##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) - -##{ GB_FAKE_RF_SHORT - -meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER ) -describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener -#score GB_FAKE_RF_SHORT 2.000 # limit -tflags GB_FAKE_RF_SHORT publish -##} GB_FAKE_RF_SHORT - -##{ GB_FORGED_MUA_POSTFIX - -meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 ) -describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers -tflags GB_FORGED_MUA_POSTFIX publish -#score GB_FORGED_MUA_POSTFIX 2.0 # limit -##} GB_FORGED_MUA_POSTFIX - -##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe ) - describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails -# score GB_FREEMAIL_DISPTO 0.50 # limit - tflags GB_FREEMAIL_DISPTO publish -endif -##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM ) - describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail -# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit - tflags GB_FREEMAIL_DISPTO_NOTFREEM publish -endif -##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ GB_GOOGLE_OBFUR - -uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/ -describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect -#score GB_GOOGLE_OBFUR 0.75 # limit -tflags GB_GOOGLE_OBFUR publish -##} GB_GOOGLE_OBFUR - -##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL - -if (version >= 3.004003) - ifplugin Mail::SpamAssassin::Plugin::HashBL - body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b') - tflags GB_HASHBL_BTC net publish - describe GB_HASHBL_BTC Message contains BTC address found on BTCBL -# score GB_HASHBL_BTC 5.0 # limit -endif -endif -##} GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL - -##{ GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) - -if (version >= 4.000000) -if can(Mail::SpamAssassin::Conf::feature_capture_rules) - uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i - describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse -# score GB_STORAGE_GOOGLE_EMAIL 2.000 # limit - tflags GB_STORAGE_GOOGLE_EMAIL publish -endif -endif -##} GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) - -##{ GB_URI_FLEEK_STO_HTM - -uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i -describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud -#score GB_URI_FLEEK_STO_HTM 1.000 # limit -tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5 -##} GB_URI_FLEEK_STO_HTM - -##{ GEO_QUERY_STRING - -uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i -##} GEO_QUERY_STRING - -##{ GOOGLE_DOCS_PHISH - -meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) -describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form -#score GOOGLE_DOCS_PHISH 3.00 # limit -tflags GOOGLE_DOCS_PHISH publish -##} GOOGLE_DOCS_PHISH - -##{ GOOGLE_DOCS_PHISH_MANY - -meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) -describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form -#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit -tflags GOOGLE_DOCS_PHISH_MANY publish -##} GOOGLE_DOCS_PHISH_MANY - -##{ GOOGLE_DOC_SUSP - -meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG -describe GOOGLE_DOC_SUSP Suspicious use of Google Docs -#score GOOGLE_DOC_SUSP 3.000 # limit -tflags GOOGLE_DOC_SUSP publish -##} GOOGLE_DOC_SUSP - -##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD -tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish -describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD -#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit -endif -endif -##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ GOOG_MALWARE_DNLD - -meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD -describe GOOG_MALWARE_DNLD File download via Google - Malware? -#score GOOG_MALWARE_DNLD 5.000 # limit -tflags GOOG_MALWARE_DNLD publish -##} GOOG_MALWARE_DNLD - -##{ GOOG_REDIR_DOCUSIGN - -uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i -describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing -tflags GOOG_REDIR_DOCUSIGN publish -##} GOOG_REDIR_DOCUSIGN - -##{ GOOG_REDIR_HTML_ONLY - -meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512 -describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only -#score GOOG_REDIR_HTML_ONLY 2.000 # limit -##} GOOG_REDIR_HTML_ONLY - -##{ GOOG_REDIR_NORDNS - -meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE -describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS -##} GOOG_REDIR_NORDNS - -##{ GOOG_REDIR_SHORT - -meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 -describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message -tflags GOOG_REDIR_SHORT publish -##} GOOG_REDIR_SHORT - -##{ GOOG_STO_EMAIL_PHISH - -meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT) -describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address -#score GOOG_STO_EMAIL_PHISH 3.00 # limit -tflags GOOG_STO_EMAIL_PHISH publish -##} GOOG_STO_EMAIL_PHISH - -##{ GOOG_STO_HTML_PHISH - -meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH -describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL -#score GOOG_STO_HTML_PHISH 3.00 # limit -tflags GOOG_STO_HTML_PHISH publish -##} GOOG_STO_HTML_PHISH - -##{ GOOG_STO_HTML_PHISH_MANY - -meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) -describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL -#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit -tflags GOOG_STO_HTML_PHISH_MANY publish -##} GOOG_STO_HTML_PHISH_MANY - -##{ GOOG_STO_IMG_HTML - -meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY -describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL -#score GOOG_STO_IMG_HTML 3.000 # limit -tflags GOOG_STO_IMG_HTML publish -##} GOOG_STO_IMG_HTML - -##{ GOOG_STO_IMG_NOHTML - -meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY -describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL -#score GOOG_STO_IMG_NOHTML 2.500 # limit -tflags GOOG_STO_IMG_NOHTML publish -##} GOOG_STO_IMG_NOHTML - -##{ GOOG_STO_NOIMG_HTML - -meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY -describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL -#score GOOG_STO_NOIMG_HTML 3.000 # limit -tflags GOOG_STO_NOIMG_HTML publish -##} GOOG_STO_NOIMG_HTML - -##{ HAS_X_NO_RELAY - -meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 -describe HAS_X_NO_RELAY Has spammy header -#score HAS_X_NO_RELAY 2.500 # limit -tflags HAS_X_NO_RELAY publish -##} HAS_X_NO_RELAY - -##{ HAS_X_OUTGOING_SPAM_STAT - -meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO -describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results? -#score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit -tflags HAS_X_OUTGOING_SPAM_STAT publish -##} HAS_X_OUTGOING_SPAM_STAT - -##{ HDRS_LCASE_IMGONLY - -meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN -describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML -#score HDRS_LCASE_IMGONLY 0.10 # limit -##} HDRS_LCASE_IMGONLY - -##{ HDRS_MISSP - -meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY) -describe HDRS_MISSP Misspaced headers -#score HDRS_MISSP 2.500 # limit -tflags HDRS_MISSP publish -##} HDRS_MISSP - -##{ HDR_ORDER_FTSDMCXX_001C - -meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C) -describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant) -##} HDR_ORDER_FTSDMCXX_001C - -##{ HDR_ORDER_FTSDMCXX_BAT - -meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY) -describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant) -##} HDR_ORDER_FTSDMCXX_BAT - -##{ HDR_ORDER_FTSDMCXX_DIRECT - -meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML -describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX -#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit -tflags HDR_ORDER_FTSDMCXX_DIRECT publish -##} HDR_ORDER_FTSDMCXX_DIRECT - -##{ HDR_ORDER_FTSDMCXX_NORDNS - -meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED -describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS -#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit -tflags HDR_ORDER_FTSDMCXX_NORDNS publish -##} HDR_ORDER_FTSDMCXX_NORDNS - -##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval -header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999') -describe HEADER_COUNT_SUBJECT Multiple Subject headers found -endif -##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - ifplugin Mail::SpamAssassin::Plugin::HeaderEval - if (version >= 3.004000) - header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains() - describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different -# score HEADER_FROM_DIFFERENT_DOMAINS 0.25 - tflags HEADER_FROM_DIFFERENT_DOMAINS publish -endif -endif -endif -##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) - -##{ HELO_FRIEND - -header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i -##} HELO_FRIEND - -##{ HELO_LH_LD - -header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i -##} HELO_LH_LD - -##{ HELO_LOCALHOST - -header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i -##} HELO_LOCALHOST - -##{ HELO_NO_DOMAIN - -meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST -describe HELO_NO_DOMAIN Relay reports its domain incorrectly -tflags HELO_NO_DOMAIN publish -##} HELO_NO_DOMAIN - -##{ HELO_OEM - -header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i -##} HELO_OEM - -##{ HEXHASH_WORD - -meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER -describe HEXHASH_WORD Multiple instances of word + hexadecimal hash -#score HEXHASH_WORD 3.000 # limit -tflags HEXHASH_WORD publish -##} HEXHASH_WORD - -##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/ -#score HK_CTE_RAW 2 -tflags HK_CTE_RAW publish -endif -##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ HK_LOTTO - -meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT -#score HK_LOTTO 1 -##} HK_LOTTO - -##{ HK_NAME_DRUGS - -header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi -describe HK_NAME_DRUGS From name contains drugs -#score HK_NAME_DRUGS 2 -##} HK_NAME_DRUGS - -##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -if (version >= 3.004000) - meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM -# score HK_NAME_MR_MRS 1.0 -endif -endif -##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -##{ HK_RANDOM_ENVFROM - -header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi -describe HK_RANDOM_ENVFROM Envelope sender username looks random -#score HK_RANDOM_ENVFROM 1 -tflags HK_RANDOM_ENVFROM publish -##} HK_RANDOM_ENVFROM - -##{ HK_RANDOM_FROM - -header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi -describe HK_RANDOM_FROM From username looks random -#score HK_RANDOM_FROM 1 -tflags HK_RANDOM_FROM publish -##} HK_RANDOM_FROM - -##{ HK_RANDOM_REPLYTO - -header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi -describe HK_RANDOM_REPLYTO Reply-To username looks random -#score HK_RANDOM_REPLYTO 1 -tflags HK_RANDOM_REPLYTO publish -##} HK_RANDOM_REPLYTO - -##{ HK_RCVD_IP_MULTICAST - -header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./ -#score HK_RCVD_IP_MULTICAST 2 -tflags HK_RCVD_IP_MULTICAST publish -##} HK_RCVD_IP_MULTICAST - -##{ HK_SCAM - -meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25 -#score HK_SCAM 2 -tflags HK_SCAM publish -##} HK_SCAM - -##{ HOSTED_IMG_DIRECT_MX - -meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS -#score HOSTED_IMG_DIRECT_MX 3.500 # limit -describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx -tflags HOSTED_IMG_DIRECT_MX publish -##} HOSTED_IMG_DIRECT_MX - -##{ HOSTED_IMG_DQ_UNSUB - -meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB -#score HOSTED_IMG_DQ_UNSUB 3.500 # limit -describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link -tflags HOSTED_IMG_DQ_UNSUB publish -##} HOSTED_IMG_DQ_UNSUB - -##{ HOSTED_IMG_FREEM - -meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED -#score HOSTED_IMG_FREEM 3.500 # limit -describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to -tflags HOSTED_IMG_FREEM publish -##} HOSTED_IMG_FREEM - -##{ HOSTED_IMG_MULTI - -meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS -#score HOSTED_IMG_MULTI 3.000 # limit -describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected -tflags HOSTED_IMG_MULTI publish -##} HOSTED_IMG_MULTI - -##{ HOSTED_IMG_MULTI_PUB_01 - -meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO -describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site -#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit -tflags HOSTED_IMG_MULTI_PUB_01 publish -##} HOSTED_IMG_MULTI_PUB_01 - -##{ HTML_ENTITY_ASCII - -meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP -describe HTML_ENTITY_ASCII Obfuscated ASCII -#score HTML_ENTITY_ASCII 3.000 # limit -tflags HTML_ENTITY_ASCII publish -##} HTML_ENTITY_ASCII - -##{ HTML_ENTITY_ASCII_TINY - -meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO -describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts -#score HTML_ENTITY_ASCII_TINY 3.000 # limit -tflags HTML_ENTITY_ASCII_TINY publish -##} HTML_ENTITY_ASCII_TINY - -##{ HTML_FONT_TINY_NORDNS - -meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID -describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS -#score HTML_FONT_TINY_NORDNS 2.000 # limit -##} HTML_FONT_TINY_NORDNS - -##{ HTML_OFF_PAGE - -meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS -describe HTML_OFF_PAGE HTML element rendered well off the displayed page -#score HTML_OFF_PAGE 3.000 # limit -tflags HTML_OFF_PAGE publish -##} HTML_OFF_PAGE - -##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY - describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments -# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit - tflags HTML_SHRT_CMNT_OBFU_MANY publish -endif -##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ HTML_SINGLET_MANY - -meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP -describe HTML_SINGLET_MANY Many single-letter HTML format blocks -#score HTML_SINGLET_MANY 2.500 # limit -tflags HTML_SINGLET_MANY publish -##} HTML_SINGLET_MANY - -##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval - meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY - describe HTML_TAG_BALANCE_CENTER Malformatted HTML -endif -##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval - -##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID - describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation? -# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit - tflags HTML_TEXT_INVISIBLE_FONT publish -endif -##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX - describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs -# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit - tflags HTML_TEXT_INVISIBLE_STYLE publish -endif -##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch - -ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch -body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') -endif -##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch - -##{ IMG_ONLY_FM_DOM_INFO - -meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO -describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain -#score IMG_ONLY_FM_DOM_INFO 2.500 # limit -tflags IMG_ONLY_FM_DOM_INFO publish -##} IMG_ONLY_FM_DOM_INFO - -##{ JH_SPAMMY_HEADERS - -meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN -describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam -#score JH_SPAMMY_HEADERS 3.500 # limit -tflags JH_SPAMMY_HEADERS publish -##} JH_SPAMMY_HEADERS - -##{ JH_SPAMMY_PATTERN01 - -rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism -describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign -#score JH_SPAMMY_PATTERN01 3.000 # limit -tflags JH_SPAMMY_PATTERN01 publish -##} JH_SPAMMY_PATTERN01 - -##{ JH_SPAMMY_PATTERN02 - -rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism -describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign -#score JH_SPAMMY_PATTERN02 3.000 # limit -tflags JH_SPAMMY_PATTERN02 publish -##} JH_SPAMMY_PATTERN02 - -##{ JM_I_FEEL_LUCKY - -uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/ -tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign -##} JM_I_FEEL_LUCKY - -##{ JM_RCVD_QMAILV1 - -header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/ -##} JM_RCVD_QMAILV1 - -##{ JM_TORA_XM - -meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO) -##} JM_TORA_XM - -##{ KB_DATE_CONTAINS_TAB - -meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB -#score KB_DATE_CONTAINS_TAB 0.5 -##} KB_DATE_CONTAINS_TAB - -##{ KB_FAKED_THE_BAT - -meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB) -##} KB_FAKED_THE_BAT - -##{ KB_RATWARE_BOUNDARY - -meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B -##} KB_RATWARE_BOUNDARY - -##{ KB_RATWARE_MSGID - -meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA) -##} KB_RATWARE_MSGID - -##{ KB_RATWARE_OUTLOOK_08 - -header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # " -##} KB_RATWARE_OUTLOOK_08 - -##{ KB_RATWARE_OUTLOOK_12 - -header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " -##} KB_RATWARE_OUTLOOK_12 - -##{ KB_RATWARE_OUTLOOK_16 - -header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " -##} KB_RATWARE_OUTLOOK_16 - -##{ KB_RATWARE_OUTLOOK_MID - -header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi -##} KB_RATWARE_OUTLOOK_MID - -##{ KHOP_HELO_FCRDNS - -meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT) -describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS -#score KHOP_HELO_FCRDNS 0.4 # 20090603 -##} KHOP_HELO_FCRDNS - -##{ KHOP_JS_OBFUSCATION - -meta KHOP_JS_OBFUSCATION __TR_JS_EXTRA_UNESCAPE || __TR_JS_EXTRA_CONCAT || __TR_JS_CONCATINATED_HTTP -describe KHOP_JS_OBFUSCATION Script: unnecessarily complex string composition -##} KHOP_JS_OBFUSCATION - -##{ LINKEDIN_IMG_NOT_RCVD_LNKN - -meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT -#score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit -describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin -tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish -##} LINKEDIN_IMG_NOT_RCVD_LNKN - -##{ LIST_PRTL_PUMPDUMP - -meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS -describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump -#score LIST_PRTL_PUMPDUMP 2.000 # limit -tflags LIST_PRTL_PUMPDUMP publish -##} LIST_PRTL_PUMPDUMP - -##{ LIST_PRTL_SAME_USER - -meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO -describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same -#score LIST_PRTL_SAME_USER 3.000 # limit -tflags LIST_PRTL_SAME_USER publish -##} LIST_PRTL_SAME_USER - -##{ LIVEFILESTORE - -uri LIVEFILESTORE m~livefilestore.com/~ -##} LIVEFILESTORE - -##{ LONGLN_LOW_CONTRAST - -meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY -describe LONGLN_LOW_CONTRAST Excessively long line + hidden text -#score LONGLN_LOW_CONTRAST 2.500 # limit -##} LONGLN_LOW_CONTRAST - -##{ LONG_HEX_URI - -meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 -describe LONG_HEX_URI Very long purely hexadecimal URI -#score LONG_HEX_URI 3.000 # limit -tflags LONG_HEX_URI publish -##} LONG_HEX_URI - -##{ LONG_IMG_URI - -meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO -describe LONG_IMG_URI Image URI with very long path component - web bug? -#score LONG_IMG_URI 3.000 # limit -tflags LONG_IMG_URI publish -##} LONG_IMG_URI - -##{ LONG_INVISIBLE_TEXT - -describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison? -#score LONG_INVISIBLE_TEXT 3.000 # limit -tflags LONG_INVISIBLE_TEXT publish -##} LONG_INVISIBLE_TEXT - -##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) - -if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) - meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV -endif -##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) - -##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 ) -endif -##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ LONG_TERM_PRICE - -body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i -##} LONG_TERM_PRICE - -##{ LOOPHOLE_1 - -body LOOPHOLE_1 /loop-?hole in the banking/i -describe LOOPHOLE_1 A loop hole in the banking laws? -##} LOOPHOLE_1 - -##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta LOTS_OF_MONEY 0 -endif -##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - -##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY - describe LOTS_OF_MONEY Huge... sums of money -# score LOTS_OF_MONEY 0.01 - tflags LOTS_OF_MONEY publish -endif -##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ LOTTERY_1 - -meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ) -##} LOTTERY_1 - -##{ LOTTERY_PH_004470 - -meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) -##} LOTTERY_PH_004470 - -##{ LOTTO_AGENT - -meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD -describe LOTTO_AGENT Claims Agent -#score LOTTO_AGENT 1.50 # limit -##} LOTTO_AGENT - -##{ LOTTO_DEPT - -meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT -describe LOTTO_DEPT Claims Department -#score LOTTO_DEPT 2.00 # limit -##} LOTTO_DEPT - -##{ LUCRATIVE - -meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED -describe LUCRATIVE Make lots of money! -#score LUCRATIVE 2.00 # limit -tflags LUCRATIVE publish -##} LUCRATIVE - -##{ L_SPAM_TOOL_13 - -header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ -##} L_SPAM_TOOL_13 - -##{ MALF_HTML_B64 - -meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG -describe MALF_HTML_B64 Malformatted base64-encoded HTML content -#score MALF_HTML_B64 3.500 # limit -tflags MALF_HTML_B64 publish -##} MALF_HTML_B64 - -##{ MALWARE_NORDNS - -meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 -describe MALWARE_NORDNS Malware bragging + no rDNS -#score MALWARE_NORDNS 3.500 # limit -tflags MALWARE_NORDNS publish -##} MALWARE_NORDNS - -##{ MALWARE_PASSWORD - -meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 -describe MALWARE_PASSWORD Malware bragging + "password" -#score MALWARE_PASSWORD 3.500 # limit -tflags MALWARE_PASSWORD publish -##} MALWARE_PASSWORD - -##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX - describe MALW_ATTACH Attachment filename suspicious, probable malware exploit - tflags MALW_ATTACH publish -endif -##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ MANY_SPAN_IN_TEXT - -meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML -describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text -tflags MANY_SPAN_IN_TEXT publish -##} MANY_SPAN_IN_TEXT - -##{ MAY_BE_FORGED - -meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML -describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP -##} MAY_BE_FORGED - -##{ MID_DEGREES - -header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/ -##} MID_DEGREES - -##{ MILLION_HUNDRED - -body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i -describe MILLION_HUNDRED Million "One to Nine" Hundred -tflags MILLION_HUNDRED publish -##} MILLION_HUNDRED - -##{ MILLION_USD - -body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i -describe MILLION_USD Talks about millions of dollars -#score MILLION_USD 2 -##} MILLION_USD - -##{ MIMEOLE_DIRECT_TO_MX - -meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS -describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX -#score MIMEOLE_DIRECT_TO_MX 2.000 # limit -tflags MIMEOLE_DIRECT_TO_MX publish -##} MIMEOLE_DIRECT_TO_MX - -##{ MIME_BOUND_EQ_REL - -header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s -##} MIME_BOUND_EQ_REL - -##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128 -# score MIME_NO_TEXT 2.00 # limit - describe MIME_NO_TEXT No (properly identified) text body parts - tflags MIME_NO_TEXT publish -endif -##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA) - describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP -endif -##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ MIXED_AREA_CASE - -meta MIXED_AREA_CASE __MIXED_AREA_CASE -describe MIXED_AREA_CASE Has area tag in mixed case -#score MIXED_AREA_CASE 2.500 # limit -tflags MIXED_AREA_CASE publish -##} MIXED_AREA_CASE - -##{ MIXED_CENTER_CASE - -meta MIXED_CENTER_CASE __MIXED_CENTER_CASE -describe MIXED_CENTER_CASE Has center tag in mixed case -#score MIXED_CENTER_CASE 2.500 # limit -tflags MIXED_CENTER_CASE publish -##} MIXED_CENTER_CASE - -##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) ) - describe MIXED_ES Too many es are not es - tflags MIXED_ES publish -# lang pl score MIXED_ES 0.01 -# lang cz score MIXED_ES 0.01 -# lang sk score MIXED_ES 0.01 -# lang hr score MIXED_ES 0.01 -# lang el score MIXED_ES 0.01 -endif -endif -##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ MIXED_FONT_CASE - -meta MIXED_FONT_CASE __MIXED_FONT_CASE -describe MIXED_FONT_CASE Has font tag in mixed case -#score MIXED_FONT_CASE 2.500 # limit -tflags MIXED_FONT_CASE publish -##} MIXED_FONT_CASE - -##{ MIXED_HREF_CASE - -meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH -describe MIXED_HREF_CASE Has href in mixed case -#score MIXED_HREF_CASE 2.000 # limit -tflags MIXED_HREF_CASE publish -##} MIXED_HREF_CASE - -##{ MIXED_IMG_CASE - -meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL -describe MIXED_IMG_CASE Has img tag in mixed case -#score MIXED_IMG_CASE 3.000 # limit -tflags MIXED_IMG_CASE publish -##} MIXED_IMG_CASE - -##{ MONERO_DEADLINE - -meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01 -describe MONERO_DEADLINE Monero cryptocurrency with a deadline -#score MONERO_DEADLINE 3.000 # limit -tflags MONERO_DEADLINE publish -##} MONERO_DEADLINE - -##{ MONERO_EXTORT_01 - -meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY -describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency -#score MONERO_EXTORT_01 5.000 # limit -tflags MONERO_EXTORT_01 publish -##} MONERO_EXTORT_01 - -##{ MONERO_MALWARE - -meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01 -describe MONERO_MALWARE Monero cryptocurrency + malware bragging -#score MONERO_MALWARE 3.500 # limit -tflags MONERO_MALWARE publish -##} MONERO_MALWARE - -##{ MONERO_PAY_ME - -meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01 -describe MONERO_PAY_ME Pay me via Monero cryptocurrency -#score MONERO_PAY_ME 3.000 # limit -tflags MONERO_PAY_ME publish -##} MONERO_PAY_ME - -##{ MONEY_ATM_CARD - -meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE -describe MONEY_ATM_CARD Lots of money on an ATM card -##} MONEY_ATM_CARD - -##{ MONEY_FORM - -meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP -describe MONEY_FORM Lots of money if you fill out a form -##} MONEY_FORM - -##{ MONEY_FORM_SHORT - -meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD -describe MONEY_FORM_SHORT Lots of money if you fill out a short form -#score MONEY_FORM_SHORT 2.500 # limit -##} MONEY_FORM_SHORT - -##{ MONEY_FRAUD_3 - -meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE -describe MONEY_FRAUD_3 Lots of money and several fraud phrases -tflags MONEY_FRAUD_3 publish -##} MONEY_FRAUD_3 - -##{ MONEY_FRAUD_5 - -meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE -describe MONEY_FRAUD_5 Lots of money and many fraud phrases -tflags MONEY_FRAUD_5 publish -##} MONEY_FRAUD_5 - -##{ MONEY_FRAUD_8 - -meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG -describe MONEY_FRAUD_8 Lots of money and very many fraud phrases -tflags MONEY_FRAUD_8 publish -##} MONEY_FRAUD_8 - -##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID - describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email? -# score MONEY_FREEMAIL_REPTO 3.000 # limit - tflags MONEY_FREEMAIL_REPTO publish -endif -##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ MONEY_FROM_41 - -meta MONEY_FROM_41 __MONEY_FROM_41 -describe MONEY_FROM_41 Lots of money from Africa -#score MONEY_FROM_41 2.00 # limit -##} MONEY_FROM_41 - -##{ MONEY_FROM_MISSP - -meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP -describe MONEY_FROM_MISSP Lots of money and misspaced From -#score MONEY_FROM_MISSP 2.000 # limit -##} MONEY_FROM_MISSP - -##{ MSGID_DOLLARS_URI_IMG - -meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW -describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image -#score MSGID_DOLLARS_URI_IMG 3.000 # limit -tflags MSGID_DOLLARS_URI_IMG publish -##} MSGID_DOLLARS_URI_IMG - -##{ MSGID_HDR_MALF - -meta MSGID_HDR_MALF __HAS_MESSAGEID -describe MSGID_HDR_MALF Has invalid message ID header -#score MSGID_HDR_MALF 3.500 # limit -tflags MSGID_HDR_MALF publish -##} MSGID_HDR_MALF - -##{ MSGID_MULTIPLE_AT - -header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/ -describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters -#score MSGID_MULTIPLE_AT 0.001 -##} MSGID_MULTIPLE_AT - -##{ MSMAIL_PRI_ABNORMAL - -meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH -describe MSMAIL_PRI_ABNORMAL Email priority often abused -#score MSMAIL_PRI_ABNORMAL 1.500 # limit -##} MSMAIL_PRI_ABNORMAL - -##{ MSM_PRIO_REPTO - -meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH -describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject -#score MSM_PRIO_REPTO 2.500 # limit -tflags MSM_PRIO_REPTO publish -##} MSM_PRIO_REPTO - -##{ MSOE_MID_WRONG_CASE - -meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) -##} MSOE_MID_WRONG_CASE - -##{ NAME_EMAIL_DIFF - -meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL -describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address -##} NAME_EMAIL_DIFF - -##{ NA_DOLLARS - -body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i -describe NA_DOLLARS Talks about a million North American dollars -#score NA_DOLLARS 1.5 -##} NA_DOLLARS - -##{ NEWEGG_IMG_NOT_RCVD_NEGG - -meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG -#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit -describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg -tflags NEWEGG_IMG_NOT_RCVD_NEGG publish -##} NEWEGG_IMG_NOT_RCVD_NEGG - -##{ NEW_PRODUCTS - -meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY -#score NEW_PRODUCTS 1.250 # limit -tflags NEW_PRODUCTS publish -##} NEW_PRODUCTS - -##{ NICE_REPLY_A - -meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF) -describe NICE_REPLY_A Looks like a legit reply (A) -tflags NICE_REPLY_A nice -##} NICE_REPLY_A - -##{ NORDNS_LOW_CONTRAST - -meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED -describe NORDNS_LOW_CONTRAST No rDNS + hidden text -#score NORDNS_LOW_CONTRAST 2.500 # limit -##} NORDNS_LOW_CONTRAST - -##{ NOT_SPAM - -body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i -describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not! -tflags NOT_SPAM publish -##} NOT_SPAM - -##{ NO_FM_NAME_IP_HOSTN - -meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT -describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address -#score NO_FM_NAME_IP_HOSTN 2.500 # limit -tflags NO_FM_NAME_IP_HOSTN publish -##} NO_FM_NAME_IP_HOSTN - -##{ NSL_RCVD_FROM_USER - -header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/ -describe NSL_RCVD_FROM_USER Received from User -##} NSL_RCVD_FROM_USER - -##{ NSL_RCVD_HELO_USER - -header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i -describe NSL_RCVD_HELO_USER Received from HELO User -##} NSL_RCVD_HELO_USER - -##{ NULL_IN_BODY - -full NULL_IN_BODY /\x00/ -describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message -##} NULL_IN_BODY - -##{ NUMBERONLY_BITCOIN_EXP - -meta NUMBERONLY_BITCOIN_EXP __NUMBERONLY_TLD && __BITCOIN_ID && __NAKED_TO -describe NUMBERONLY_BITCOIN_EXP Domain ends in a large number and very short body with link -#score NUMBERONLY_BITCOIN_EXP 2.0 # limit -##} NUMBERONLY_BITCOIN_EXP - -##{ OBFU_BITCOIN - -meta OBFU_BITCOIN __OBFU_BITCOIN -describe OBFU_BITCOIN Obfuscated BitCoin references -#score OBFU_BITCOIN 3.000 # limit -tflags OBFU_BITCOIN publish -##} OBFU_BITCOIN - -##{ OBFU_JVSCR_ESC - -rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i -describe OBFU_JVSCR_ESC Injects content using obfuscated javascript -tflags OBFU_JVSCR_ESC publish -##} OBFU_JVSCR_ESC - -##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i - describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type - tflags OBFU_TEXT_ATTACH publish -endif -##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ OBFU_UNSUB_UL - -meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI -describe OBFU_UNSUB_UL Obfuscated unsubscribe text -tflags OBFU_UNSUB_UL publish -##} OBFU_UNSUB_UL - -##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta ODD_FREEM_REPTO __freemail_mailreplyto - describe ODD_FREEM_REPTO Has unusual reply-to header -# score ODD_FREEM_REPTO 3.000 # limit - tflags ODD_FREEM_REPTO publish -endif -##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F) -describe PART_CID_STOCK Has a spammy image attachment (by Content-ID) -endif -##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS) -describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific) -endif -##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ PDS_BAD_THREAD_QP_64 - -meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD -describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP -#score PDS_BAD_THREAD_QP_64 1.0 -##} PDS_BAD_THREAD_QP_64 - -##{ PDS_BTC_ID - -meta PDS_BTC_ID __PDS_BTC_ID -describe PDS_BTC_ID FP reduced Bitcoin ID -#score PDS_BTC_ID 0.5 -##} PDS_BTC_ID - -##{ PDS_BTC_MSGID - -meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2 -describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2 -#score PDS_BTC_MSGID 1.0 -##} PDS_BTC_MSGID - -##{ PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) -describe PDS_BTC_NTLD Bitcoin suspect NTLD -#score PDS_BTC_NTLD 2.0 # limit -endif -endif -##} PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ PDS_DBL_URL_TNB_RUNON - -meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL -describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon -#score PDS_DBL_URL_TNB_RUNON 2.0 -##} PDS_DBL_URL_TNB_RUNON - -##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS - describe PDS_FROM_2_EMAILS From header has multiple different addresses -# score PDS_FROM_2_EMAILS 3.500 # limit -endif -##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -##{ PDS_HELO_SPF_FAIL - -meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE -describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF -#score PDS_HELO_SPF_FAIL 2.0 -tflags PDS_HELO_SPF_FAIL net -##} PDS_HELO_SPF_FAIL - -##{ PDS_NAKED_TO_NUMERO - -meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD -describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain -#score PDS_NAKED_TO_NUMERO 2.0 -##} PDS_NAKED_TO_NUMERO - -##{ PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) -describe PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME -#score PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit -endif -endif -##} PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ PDS_RDNS_DYNAMIC_FP - -meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA -#score PDS_RDNS_DYNAMIC_FP 0.01 -describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps -##} PDS_RDNS_DYNAMIC_FP - -##{ PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) -describe PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP) -#score PDS_SHORT_SPOOFED_URL 2.0 -endif -endif -##} PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 -describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener -#score PDS_TINYSUBJ_URISHRT 1.5 # limit -endif -endif -##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE - -meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL -describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL -#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit -##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE - -##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER - describe PHISH_ATTACH Attachment filename suspicious, probable phishing - tflags PHISH_ATTACH publish -endif -##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ PHISH_AZURE_CLOUDAPP - -uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i -describe PHISH_AZURE_CLOUDAPP Link to known phishing web application -#score PHISH_AZURE_CLOUDAPP 3.500 -tflags PHISH_AZURE_CLOUDAPP publish -##} PHISH_AZURE_CLOUDAPP - -##{ PHISH_FBASEAPP - -meta PHISH_FBASEAPP __PHISH_FBASE_01 -describe PHISH_FBASEAPP Probable phishing via hosted web app -#score PHISH_FBASEAPP 3.000 # limit -tflags PHISH_FBASEAPP publish -##} PHISH_FBASEAPP - -##{ PHP_NOVER_MUA - -describe PHP_NOVER_MUA Mail from PHP with no version number -#score PHP_NOVER_MUA 3.000 # limit -tflags PHP_NOVER_MUA publish -##} PHP_NOVER_MUA - -##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH -endif -##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::DKIM - meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH -endif -##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM - -##{ PHP_ORIG_SCRIPT - -meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER -describe PHP_ORIG_SCRIPT Sent by bot & other signs -#score PHP_ORIG_SCRIPT 2.500 # limit -tflags PHP_ORIG_SCRIPT publish -##} PHP_ORIG_SCRIPT - -##{ PHP_SCRIPT - -meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT -describe PHP_SCRIPT Sent by PHP script -#score PHP_SCRIPT 2.500 # limit -tflags PHP_SCRIPT publish -##} PHP_SCRIPT - -##{ PHP_SCRIPT_MUA - -meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA -describe PHP_SCRIPT_MUA Sent by PHP script, no version number -#score PHP_SCRIPT_MUA 2.000 # limit -tflags PHP_SCRIPT_MUA publish -##} PHP_SCRIPT_MUA - -##{ POSSIBLE_APPLE_PHISH_02 - -meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE) -describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA -tflags POSSIBLE_APPLE_PHISH_02 publish -##} POSSIBLE_APPLE_PHISH_02 - -##{ POSSIBLE_EBAY_PHISH_02 - -meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY) -describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA -tflags POSSIBLE_EBAY_PHISH_02 publish -##} POSSIBLE_EBAY_PHISH_02 - -##{ POSSIBLE_PAYPAL_PHISH_01 - -meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF) -describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address -tflags POSSIBLE_PAYPAL_PHISH_01 publish -##} POSSIBLE_PAYPAL_PHISH_01 - -##{ POSSIBLE_PAYPAL_PHISH_02 - -meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL) -describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA -tflags POSSIBLE_PAYPAL_PHISH_02 publish -##} POSSIBLE_PAYPAL_PHISH_02 - -##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) - body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal() - describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't -# score PP_MIME_FAKE_ASCII_TEXT 1.0 - tflags PP_MIME_FAKE_ASCII_TEXT publish -endif -endif -##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) - -##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) - body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02) - describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes -# score PP_TOO_MUCH_UNICODE02 0.5 - tflags PP_TOO_MUCH_UNICODE02 publish -endif -endif -##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) - -##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) - body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05) - describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes -# score PP_TOO_MUCH_UNICODE05 1.0 - tflags PP_TOO_MUCH_UNICODE05 publish -endif -endif -##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) - -##{ PUMPDUMP - -meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI -describe PUMPDUMP Pump-and-dump stock scam phrase -#score PUMPDUMP 1.000 # limit -tflags PUMPDUMP publish -##} PUMPDUMP - -##{ PUMPDUMP_MULTI - -meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 -describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases -#score PUMPDUMP_MULTI 3.500 # limit -tflags PUMPDUMP_MULTI publish -##} PUMPDUMP_MULTI - -##{ PUMPDUMP_TIP - -meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP -describe PUMPDUMP_TIP Pump-and-dump stock tip -tflags PUMPDUMP_TIP publish -##} PUMPDUMP_TIP - -##{ RAND_HEADER_LIST_SPOOF - -meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL -describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list -#score RAND_HEADER_LIST_SPOOF 3.000 # limit -tflags RAND_HEADER_LIST_SPOOF publish -##} RAND_HEADER_LIST_SPOOF - -##{ RAND_HEADER_MANY - -meta RAND_HEADER_MANY __RAND_HEADER_2 -describe RAND_HEADER_MANY Multiple random gibberish message headers -#score RAND_HEADER_MANY 3.000 # limit -tflags RAND_HEADER_MANY publish -##} RAND_HEADER_MANY - -##{ RAND_MKTG_HEADER - -meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST -describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s) -#score RAND_MKTG_HEADER 2.000 # limit -tflags RAND_MKTG_HEADER publish -##} RAND_MKTG_HEADER - -##{ RATWARE_NO_RDNS - -meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF -describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS -#score RATWARE_NO_RDNS 3.000 # limit -##} RATWARE_NO_RDNS - -##{ RCVD_BAD_ID - -header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/ -describe RCVD_BAD_ID Received header contains id field with bad characters -##} RCVD_BAD_ID - -##{ RCVD_DBL_DQ - -header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/ -describe RCVD_DBL_DQ Malformatted message header -tflags RCVD_DBL_DQ publish -##} RCVD_DBL_DQ - -##{ RCVD_DOTEDU_SHORT - -meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID -describe RCVD_DOTEDU_SHORT Via .edu MTA + short message -#score RCVD_DOTEDU_SHORT 1.500 # limit -tflags RCVD_DOTEDU_SHORT publish -##} RCVD_DOTEDU_SHORT - -##{ RCVD_DOTEDU_SUSP_URI - -meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI -describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI -#score RCVD_DOTEDU_SUSP_URI 3.000 # limit -tflags RCVD_DOTEDU_SUSP_URI publish -##} RCVD_DOTEDU_SUSP_URI - -##{ RCVD_FORGED_WROTE - -header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/ -describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam) -##} RCVD_FORGED_WROTE - -##{ RCVD_FORGED_WROTE2 - -header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s -##} RCVD_FORGED_WROTE2 - -##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3') -describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record -tflags RCVD_IN_IADB_DK net nice -endif -##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10') -describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in -tflags RCVD_IN_IADB_DOPTIN net nice -endif -##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9') -describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time -tflags RCVD_IN_IADB_DOPTIN_GT50 net nice -endif -##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8') -describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time -tflags RCVD_IN_IADB_DOPTIN_LT50 net nice -endif -##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1') -describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database -tflags RCVD_IN_IADB_EDDB net nice -endif -##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2') -describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance -tflags RCVD_IN_IADB_EPIA net nice -endif -##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103') -describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail -tflags RCVD_IN_IADB_GOODMAIL net nice -endif -##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$') -describe RCVD_IN_IADB_LISTED Participates in the IADB system -tflags RCVD_IN_IADB_LISTED net nice -endif -##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4') -describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in -tflags RCVD_IN_IADB_LOOSE net nice -endif -##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10') -describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law -tflags RCVD_IN_IADB_MI_CPEAR net nice -endif -##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10') -describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days -tflags RCVD_IN_IADB_MI_CPR_30 net nice -endif -##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10') -describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR -tflags RCVD_IN_IADB_MI_CPR_MAT net nice -endif -##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100') -describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in -tflags RCVD_IN_IADB_ML_DOPTIN net nice -endif -##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0') -describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place -tflags RCVD_IN_IADB_NOCONTROL net nice -endif -##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200') -describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only -tflags RCVD_IN_IADB_OOO net nice -endif -##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7') -describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in -tflags RCVD_IN_IADB_OPTIN net nice -endif -##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6') -describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time -tflags RCVD_IN_IADB_OPTIN_GT50 net nice -endif -##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5') -describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time -tflags RCVD_IN_IADB_OPTIN_LT50 net nice -endif -##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1') -describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only -tflags RCVD_IN_IADB_OPTOUTONLY net nice -endif -##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4') -describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record -tflags RCVD_IN_IADB_RDNS net nice -endif -##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2') -describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record -tflags RCVD_IN_IADB_SENDERID net nice -endif -##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1') -describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record -tflags RCVD_IN_IADB_SPF net nice -endif -##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2') -describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups -tflags RCVD_IN_IADB_UNVERIFIED_1 net nice -endif -##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3') -describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out -tflags RCVD_IN_IADB_UNVERIFIED_2 net nice -endif -##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10') -describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law -tflags RCVD_IN_IADB_UT_CPEAR net nice -endif -##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10') -describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days -tflags RCVD_IN_IADB_UT_CPR_30 net nice -endif -##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10') -describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR -tflags RCVD_IN_IADB_UT_CPR_MAT net nice -endif -##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval - -##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { - -ifplugin Mail::SpamAssassin::Plugin::DNSEval # { -header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.') -describe RCVD_IN_PSBL Received via a relay in PSBL -tflags RCVD_IN_PSBL net -endif -##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { - -##{ RCVD_MAIL_COM - -header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is -describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com) -##} RCVD_MAIL_COM - -##{ RDNS_LOCALHOST - -header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i -describe RDNS_LOCALHOST Sender's public rDNS is "localhost" -##} RDNS_LOCALHOST - -##{ RDNS_NUM_TLD_ATCHNX - -meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT -describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment -#score RDNS_NUM_TLD_ATCHNX 3.000 # limit -tflags RDNS_NUM_TLD_ATCHNX publish -##} RDNS_NUM_TLD_ATCHNX - -##{ RDNS_NUM_TLD_XM - -meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY) -describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers -#score RDNS_NUM_TLD_XM 3.000 # limit -tflags RDNS_NUM_TLD_XM publish -##} RDNS_NUM_TLD_XM - -##{ READY_TO_SHIP - -body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i -#score READY_TO_SHIP 1.250 # limit -##} READY_TO_SHIP - -##{ REPLYTO_WITHOUT_TO_CC - -meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) -##} REPLYTO_WITHOUT_TO_CC - -##{ REPTO_419_FRAUD - -header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|mingmui0012|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:charitylisajohnrobinson700)\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i -describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD 3.000 -tflags REPTO_419_FRAUD publish -##} REPTO_419_FRAUD - -##{ REPTO_419_FRAUD_AOL - -header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i -describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_AOL 3.000 -tflags REPTO_419_FRAUD_AOL publish -##} REPTO_419_FRAUD_AOL - -##{ REPTO_419_FRAUD_AOL_LOOSE - -meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL -describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_AOL_LOOSE 1.000 -tflags REPTO_419_FRAUD_AOL_LOOSE publish -##} REPTO_419_FRAUD_AOL_LOOSE - -##{ REPTO_419_FRAUD_CNS - -header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|t(?:eo\.westin|he\.trustees1|rustees202000)|westernuniopayment\.agent0018))\@consultant\.com$/i -describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_CNS 3.000 -tflags REPTO_419_FRAUD_CNS publish -##} REPTO_419_FRAUD_CNS - -##{ REPTO_419_FRAUD_GM - -header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|ullahmundani019)|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976algaddafi|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|gold8080|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|sephacevedo024|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran630|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|maureens847|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|ussiaworldcuppromo)|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|ephentam1(?:47|6))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|ousefzongo5722)|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i -describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_GM 3.000 -tflags REPTO_419_FRAUD_GM publish -##} REPTO_419_FRAUD_GM - -##{ REPTO_419_FRAUD_GM_LOOSE - -meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM -describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_GM_LOOSE 1.000 -tflags REPTO_419_FRAUD_GM_LOOSE publish -##} REPTO_419_FRAUD_GM_LOOSE - -##{ REPTO_419_FRAUD_HM - -header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:hoi21|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i -describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_HM 3.000 -tflags REPTO_419_FRAUD_HM publish -##} REPTO_419_FRAUD_HM - -##{ REPTO_419_FRAUD_OL - -header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|kaujong|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|richardwahlfreegrant|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i -describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_OL 3.000 -tflags REPTO_419_FRAUD_OL publish -##} REPTO_419_FRAUD_OL - -##{ REPTO_419_FRAUD_PM - -header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i -describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_PM 3.000 -tflags REPTO_419_FRAUD_PM publish -##} REPTO_419_FRAUD_PM - -##{ REPTO_419_FRAUD_QQ - -header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1731419584|2(?:032508290|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|l\.valiant|peterwong20177|qatarfoundation01|wang_cjianlin))\@qq\.com$/i -describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_QQ 3.000 -tflags REPTO_419_FRAUD_QQ publish -##} REPTO_419_FRAUD_QQ - -##{ REPTO_419_FRAUD_YH - -header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i -describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_YH 3.000 -tflags REPTO_419_FRAUD_YH publish -##} REPTO_419_FRAUD_YH - -##{ REPTO_419_FRAUD_YH_LOOSE - -meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH -describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_YH_LOOSE 1.000 -tflags REPTO_419_FRAUD_YH_LOOSE publish -##} REPTO_419_FRAUD_YH_LOOSE - -##{ REPTO_419_FRAUD_YJ - -header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i -describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_YJ 3.000 -tflags REPTO_419_FRAUD_YJ publish -##} REPTO_419_FRAUD_YJ - -##{ REPTO_419_FRAUD_YN - -header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i -describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox -#score REPTO_419_FRAUD_YN 3.000 -tflags REPTO_419_FRAUD_YN publish -##} REPTO_419_FRAUD_YN - -##{ REPTO_INFONUMSCOM - -meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM -#score REPTO_INFONUMSCOM 3.000 # limit -tflags REPTO_INFONUMSCOM publish -##} REPTO_INFONUMSCOM - -##{ SB_GIF_AND_NO_URIS - -meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) -##} SB_GIF_AND_NO_URIS - -##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1 -describe SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header -tflags SCC_BOGUS_CTE_1 publish -endif -##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ SCC_CANSPAM_1 - -describe SCC_CANSPAM_1 Interesting compliance language -body SCC_CANSPAM_1 /The advertiser does not manage your subscription/ -##} SCC_CANSPAM_1 - -##{ SCC_CANSPAM_2 - -describe SCC_CANSPAM_2 Interesting compliance language -body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/ -##} SCC_CANSPAM_2 - -##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -describe SCC_CTMPP Uncommon Content-Type -meta SCC_CTMPP __SCC_CTMPP -tflags SCC_CTMPP publish -endif -##} SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ SCC_ISEMM_LID_1 - -describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware -header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/ -tflags SCC_ISEMM_LID_1 publish -#score SCC_ISEMM_LID_1 3.5 -##} SCC_ISEMM_LID_1 - -##{ SCC_ISEMM_LID_1A - -describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware -header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/ -tflags SCC_ISEMM_LID_1A publish -#score SCC_ISEMM_LID_1A 3.5 -##} SCC_ISEMM_LID_1A - -##{ SCC_ISEMM_LID_1B - -describe SCC_ISEMM_LID_1B Genericized spammer fingerprint -header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/ -tflags SCC_ISEMM_LID_1B publish -#score SCC_ISEMM_LID_1B 1.5 -##} SCC_ISEMM_LID_1B - -##{ SCC_SPECIAL_GUID - -describe SCC_SPECIAL_GUID Unique in a similar way -rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m -tflags SCC_SPECIAL_GUID publish multiple maxhits=15 -##} SCC_SPECIAL_GUID - -##{ SENDGRID_REDIR - -meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS -describe SENDGRID_REDIR Redirect URI via Sendgrid -#score SENDGRID_REDIR 1.500 # limit -tflags SENDGRID_REDIR publish -##} SENDGRID_REDIR - -##{ SENDGRID_REDIR_PHISH - -meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH -describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs -#score SENDGRID_REDIR_PHISH 3.500 # limit -tflags SENDGRID_REDIR_PHISH publish -##} SENDGRID_REDIR_PHISH - -##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1) -tflags SEO_SUSP_NTLD publish -describe SEO_SUSP_NTLD SEO offer from suspicious TLD -#score SEO_SUSP_NTLD 1.2 # limit -endif -endif -##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ SERGIO_SUBJECT_VIAGRA01 - -header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i -describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject -##} SERGIO_SUBJECT_VIAGRA01 - -##{ SHOPIFY_IMG_NOT_RCVD_SFY - -meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK -#score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit -describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify -tflags SHOPIFY_IMG_NOT_RCVD_SFY publish -##} SHOPIFY_IMG_NOT_RCVD_SFY - -##{ SHORTENER_SHORT_IMG - -meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 -describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener -#score SHORTENER_SHORT_IMG 2.500 # limit -tflags SHORTENER_SHORT_IMG publish -##} SHORTENER_SHORT_IMG - -##{ SHORT_HELO_AND_INLINE_IMAGE - -meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) -describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image -##} SHORT_HELO_AND_INLINE_IMAGE - -##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD -tflags SHORT_IMG_SUSP_NTLD publish -describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD -#score SHORT_IMG_SUSP_NTLD 1.5 # limit -endif -endif -##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE -describe SHORT_SHORTNER Short body with little more than a link to a shortener -#score SHORT_SHORTNER 2.0 # limit -endif -endif -##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ SHORT_TERM_PRICE - -body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i -##} SHORT_TERM_PRICE - -##{ SPAMMY_XMAILER - -meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) -describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham -##} SPAMMY_XMAILER - -##{ SPOOFED_FREEMAIL - -meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE -#score SPOOFED_FREEMAIL 2.000 # limit -tflags SPOOFED_FREEMAIL net -##} SPOOFED_FREEMAIL - -##{ SPOOFED_FREEMAIL_NO_RDNS - -meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE -describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS -#score SPOOFED_FREEMAIL_NO_RDNS 1.5 -##} SPOOFED_FREEMAIL_NO_RDNS - -##{ SPOOFED_FREEM_REPTO - -meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX -describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to -#score SPOOFED_FREEM_REPTO 2.500 -tflags SPOOFED_FREEM_REPTO net publish -##} SPOOFED_FREEM_REPTO - -##{ SPOOFED_FREEM_REPTO_CHN - -meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM -describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to -#score SPOOFED_FREEM_REPTO_CHN 3.500 -tflags SPOOFED_FREEM_REPTO_CHN net publish -##} SPOOFED_FREEM_REPTO_CHN - -##{ SPOOFED_FREEM_REPTO_RUS - -meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM -describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to -#score SPOOFED_FREEM_REPTO_RUS 3.500 -tflags SPOOFED_FREEM_REPTO_RUS net publish -##} SPOOFED_FREEM_REPTO_RUS - -##{ SPOOF_GMAIL_MID - -meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID -#score SPOOF_GMAIL_MID 1.5 -describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be... -##} SPOOF_GMAIL_MID - -##{ STATIC_XPRIO_OLE - -meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE -describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE -#score STATIC_XPRIO_OLE 2.000 # limit -tflags STATIC_XPRIO_OLE publish -##} STATIC_XPRIO_OLE - -##{ STOCK_IMG_CTYPE - -meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY) -describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header -##} STOCK_IMG_CTYPE - -##{ STOCK_IMG_HDR_FROM - -meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY) -describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line -##} STOCK_IMG_HDR_FROM - -##{ STOCK_IMG_HTML - -meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY) -describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML -##} STOCK_IMG_HTML - -##{ STOCK_IMG_OUTLOOK - -meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048) -describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features -##} STOCK_IMG_OUTLOOK - -##{ STOCK_PRICES - -meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE) -##} STOCK_PRICES - -##{ STOCK_TIP - -meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS -describe STOCK_TIP Stock tips -#score STOCK_TIP 3.000 # limit -tflags STOCK_TIP publish -##} STOCK_TIP - -##{ STOX_AND_PRICE - -meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE -##} STOX_AND_PRICE - -##{ STOX_BOUND_090909_B - -header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s -##} STOX_BOUND_090909_B - -##{ STOX_REPLY_TYPE - -header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ -##} STOX_REPLY_TYPE - -##{ STOX_REPLY_TYPE_WITHOUT_QUOTES - -meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE)) -##} STOX_REPLY_TYPE_WITHOUT_QUOTES - -##{ SUBJECT_NEEDS_ENCODING - -meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME -describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters -##} SUBJECT_NEEDS_ENCODING - -##{ SUBJ_ATTENTION - -meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED -describe SUBJ_ATTENTION ATTENTION in Subject -#score SUBJ_ATTENTION 0.500 # limit -##} SUBJ_ATTENTION - -##{ SUBJ_BRKN_WORDNUMS - -#score SUBJ_BRKN_WORDNUMS 1.500 # limit -describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers -##} SUBJ_BRKN_WORDNUMS - -##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS -endif -##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::DKIM - meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER -endif -##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM - -##{ SUSP_UTF8_WORD_SUBJ - -meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ -describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters -#score SUSP_UTF8_WORD_SUBJ 2.000 # limit -##} SUSP_UTF8_WORD_SUBJ - -##{ SYSADMIN - -meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS -describe SYSADMIN Supposedly from your IT department -#score SYSADMIN 3.500 # limit -tflags SYSADMIN publish -##} SYSADMIN - -##{ TAGSTAT_IMG_NOT_RCVD_TGST - -meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST -#score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit -describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat -tflags TAGSTAT_IMG_NOT_RCVD_TGST publish -##} TAGSTAT_IMG_NOT_RCVD_TGST - -##{ TARINGANET_IMG_NOT_RCVD_TN - -meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN -#score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit -describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net -tflags TARINGANET_IMG_NOT_RCVD_TN publish -##} TARINGANET_IMG_NOT_RCVD_TN - -##{ TBIRD_SUSP_MIME_BDRY - -meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z -describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary -##} TBIRD_SUSP_MIME_BDRY - -##{ TEQF_USR_IMAGE - -meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH -describe TEQF_USR_IMAGE To and from user nearly same + image -tflags TEQF_USR_IMAGE publish -##} TEQF_USR_IMAGE - -##{ TEQF_USR_MSGID_HEX - -meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2 -describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID -tflags TEQF_USR_MSGID_HEX publish -##} TEQF_USR_MSGID_HEX - -##{ TEQF_USR_MSGID_MALF - -meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 -describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID -tflags TEQF_USR_MSGID_MALF publish -##} TEQF_USR_MSGID_MALF - -##{ THEBAT_UNREG - -header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/ -##} THEBAT_UNREG - -##{ THIS_AD - -meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD -describe THIS_AD "This ad" and variants -tflags THIS_AD publish -##} THIS_AD - -##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM -tflags THIS_IS_ADV_SUSP_NTLD publish -describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD -#score THIS_IS_ADV_SUSP_NTLD 1.5 # limit -endif -endif -##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ TONLINE_FAKE_DKIM - -meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS -describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM -#score TONLINE_FAKE_DKIM 3.000 # limit -tflags TONLINE_FAKE_DKIM publish -##} TONLINE_FAKE_DKIM - -##{ TO_EQ_FM_DIRECT_MX - -meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED -describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX -#score TO_EQ_FM_DIRECT_MX 2.500 # limit -tflags TO_EQ_FM_DIRECT_MX publish -##} TO_EQ_FM_DIRECT_MX - -##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF - -ifplugin Mail::SpamAssassin::Plugin::SPF - meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED - describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed - tflags TO_EQ_FM_DOM_SPF_FAIL net -endif -##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF - -##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF - -ifplugin Mail::SpamAssassin::Plugin::SPF - meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED - describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed - tflags TO_EQ_FM_SPF_FAIL net -endif -##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF - -##{ TO_IN_SUBJ - -meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW -describe TO_IN_SUBJ To address is in Subject -tflags TO_IN_SUBJ publish -#score TO_IN_SUBJ 0.1 -##} TO_IN_SUBJ - -##{ TO_NAME_SUBJ_NO_RDNS - -meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE -describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS -#score TO_NAME_SUBJ_NO_RDNS 3.000 # limit -tflags TO_NAME_SUBJ_NO_RDNS publish -##} TO_NAME_SUBJ_NO_RDNS - -##{ TO_NO_BRKTS_FROM_MSSP - -meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER -#score TO_NO_BRKTS_FROM_MSSP 2.50 # max -describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems -##} TO_NO_BRKTS_FROM_MSSP - -##{ TO_NO_BRKTS_HTML_IMG - -meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE -describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image -#score TO_NO_BRKTS_HTML_IMG 2.000 # limit -tflags TO_NO_BRKTS_HTML_IMG publish -##} TO_NO_BRKTS_HTML_IMG - -##{ TO_NO_BRKTS_HTML_ONLY - -meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH -#score TO_NO_BRKTS_HTML_ONLY 2.00 # limit -describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only -tflags TO_NO_BRKTS_HTML_ONLY publish -##} TO_NO_BRKTS_HTML_ONLY - -##{ TO_NO_BRKTS_MSFT - -meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD -describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool -#score TO_NO_BRKTS_MSFT 2.50 # limit -##} TO_NO_BRKTS_MSFT - -##{ TO_NO_BRKTS_NORDNS_HTML - -meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS -#score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit -describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only -tflags TO_NO_BRKTS_NORDNS_HTML publish -##} TO_NO_BRKTS_NORDNS_HTML - -##{ TO_NO_BRKTS_PCNT - -meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED -describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage -#score TO_NO_BRKTS_PCNT 2.50 # limit -tflags TO_NO_BRKTS_PCNT publish -##} TO_NO_BRKTS_PCNT - -##{ TO_TOO_MANY_WFH_01 - -meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01 -describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients -tflags TO_TOO_MANY_WFH_01 publish -##} TO_TOO_MANY_WFH_01 - -##{ TT_MSGID_TRUNC - -header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/ -describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits -##} TT_MSGID_TRUNC - -##{ TT_OBSCURED_VALIUM - -meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM -describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject -##} TT_OBSCURED_VALIUM - -##{ TT_OBSCURED_VIAGRA - -meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA -describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject -##} TT_OBSCURED_VIAGRA - -##{ TVD_ACT_193 - -body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i -describe TVD_ACT_193 Message refers to an act passed in the 1930s -##} TVD_ACT_193 - -##{ TVD_APPROVED - -body TVD_APPROVED /you.{1,2}re .{0,20}approved/i -describe TVD_APPROVED Body states that the recipient has been approved -##} TVD_APPROVED - -##{ TVD_DEAR_HOMEOWNER - -body TVD_DEAR_HOMEOWNER /^dear homeowner/i -describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner" -##} TVD_DEAR_HOMEOWNER - -##{ TVD_EB_PHISH - -meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP -##} TVD_EB_PHISH - -##{ TVD_ENVFROM_APOST - -header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/ -describe TVD_ENVFROM_APOST Envelope From contains single-quote -##} TVD_ENVFROM_APOST - -##{ TVD_FINGER_02 - -header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i -##} TVD_FINGER_02 - -##{ TVD_FLOAT_GENERAL - -rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i -describe TVD_FLOAT_GENERAL Message uses CSS float style -##} TVD_FLOAT_GENERAL - -##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body TVD_FUZZY_DEGREE /<inter W1><post P2>\b(?!degree)<D><E><G><R><E><E>\b/i -describe TVD_FUZZY_DEGREE Obfuscation of the word "degree" -endif -##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i -describe TVD_FUZZY_FINANCE Obfuscation of the word "finance" -endif -##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i -describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate" -endif -##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i -describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap" -endif -##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i -describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical" -endif -##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i -describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol" -endif -##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/ -describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name -endif -##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/ -describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name -endif -##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ TVD_INCREASE_SIZE - -body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i -describe TVD_INCREASE_SIZE Advertising for penis enlargement -##} TVD_INCREASE_SIZE - -##{ TVD_LINK_SAVE - -body TVD_LINK_SAVE /\blink to save\b/i -describe TVD_LINK_SAVE Spam with the text "link to save" -##} TVD_LINK_SAVE - -##{ TVD_PH_BODY_ACCOUNTS_PRE - -meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE -describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification" -##} TVD_PH_BODY_ACCOUNTS_PRE - -##{ TVD_PH_BODY_META - -meta TVD_PH_BODY_META __TVD_PH_BODY_META -##} TVD_PH_BODY_META - -##{ TVD_PH_REC - -body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i -describe TVD_PH_REC Message includes a phrase commonly used in phishing mails -##} TVD_PH_REC - -##{ TVD_PH_SEC - -body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i -describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails -##} TVD_PH_SEC - -##{ TVD_PP_PHISH - -meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP -##} TVD_PP_PHISH - -##{ TVD_QUAL_MEDS - -body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i -describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication" -##} TVD_QUAL_MEDS - -##{ TVD_RATWARE_CB - -header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i -describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware -##} TVD_RATWARE_CB - -##{ TVD_RATWARE_CB_2 - -header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ -describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware -##} TVD_RATWARE_CB_2 - -##{ TVD_RATWARE_MSGID_02 - -header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/ -describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case -##} TVD_RATWARE_MSGID_02 - -##{ TVD_RCVD_IP - -header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ -describe TVD_RCVD_IP Message was received from an IP address -##} TVD_RCVD_IP - -##{ TVD_RCVD_IP4 - -header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/ -describe TVD_RCVD_IP4 Message was received from an IPv4 address -##} TVD_RCVD_IP4 - -##{ TVD_RCVD_SPACE_BRACKET - -header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i -##} TVD_RCVD_SPACE_BRACKET - -##{ TVD_SECTION - -body TVD_SECTION /\bSection (?:27A|21B)/i -describe TVD_SECTION References to specific legal codes -##} TVD_SECTION - -##{ TVD_SILLY_URI_OBFU - -body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i -describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule -##} TVD_SILLY_URI_OBFU - -##{ TVD_SPACED_SUBJECT_WORD3 - -header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/ -describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace -##} TVD_SPACED_SUBJECT_WORD3 - -##{ TVD_SPACE_ENCODED - -meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM -#score TVD_SPACE_ENCODED 2.500 # limit -describe TVD_SPACE_ENCODED Space ratio & encoded subject -##} TVD_SPACE_ENCODED - -##{ TVD_SPACE_RATIO_MINFP - -meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL -#score TVD_SPACE_RATIO_MINFP 2.500 # limit -describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) -##} TVD_SPACE_RATIO_MINFP - -##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval - -ifplugin Mail::SpamAssassin::Plugin::BodyEval -body TVD_STOCK1 eval:check_stock_info('2') -describe TVD_STOCK1 Spam related to stock trading -endif -##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval - -##{ TVD_SUBJ_ACC_NUM - -header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ -describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference -##} TVD_SUBJ_ACC_NUM - -##{ TVD_SUBJ_FINGER_03 - -header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ -describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" -##} TVD_SUBJ_FINGER_03 - -##{ TVD_SUBJ_OWE - -header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i -describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt -##} TVD_SUBJ_OWE - -##{ TVD_SUBJ_WIPE_DEBT - -header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i -describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt -##} TVD_SUBJ_WIPE_DEBT - -##{ TVD_VISIT_PHARMA - -body TVD_VISIT_PHARMA /Online Ph.rmacy/i -describe TVD_VISIT_PHARMA Body mentions online pharmacy -##} TVD_VISIT_PHARMA - -##{ TVD_VIS_HIDDEN - -rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i -describe TVD_VIS_HIDDEN Invisible textarea HTML tags -##} TVD_VIS_HIDDEN - -##{ TW_GIBBERISH_MANY - -meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 -describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters -#score TW_GIBBERISH_MANY 2.000 # limit -tflags TW_GIBBERISH_MANY publish -##} TW_GIBBERISH_MANY - -##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE - describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware -endif -##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON - describe T_ANY_PILL_PRICE Prices for pills -endif -##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ - describe T_CDISP_SZ_MANY Suspicious MIME header -# score T_CDISP_SZ_MANY 2.0 # limit -endif -##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_CTYPE_NULL __CTYPE_NULL - describe T_CTYPE_NULL Malformed Content-Type header -endif -##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval -header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920') -describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date -endif -##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) - describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name -endif -##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_DOS_OUTLOOK_TO_MX_IMAGE - -meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH -describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image -##} T_DOS_OUTLOOK_TO_MX_IMAGE - -##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/ - describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus -# score T_DOS_ZIP_HARDCORE 2.5 -endif -##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE -describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER -#score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit -endif -endif -##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO - describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) -endif -##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE - describe T_FILL_THIS_FORM_LOAN Answer loan question(s) -# score T_FILL_THIS_FORM_LOAN 2.0 -endif -##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL - describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information -# score T_FILL_THIS_FORM_SHORT 1.00 # limit -endif -##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo - -ifplugin Mail::SpamAssassin::Plugin::ImageInfo - meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K - describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam -endif -##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo - -##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF - describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail -endif -##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED - describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden -endif -##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF - describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail -endif -##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof -meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO -describe T_FROMNAME_EQUALS_TO From:name matches To: -#score T_FROMNAME_EQUALS_TO 1.0 -tflags T_FROMNAME_EQUALS_TO publish -endif -##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof -meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) -describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email -#score T_FROMNAME_SPOOFED_EMAIL 0.3 -tflags T_FROMNAME_SPOOFED_EMAIL publish -endif -##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY - describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image -endif -##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i - describe T_FUZZY_OPTOUT Obfuscated opt-out text -endif -##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i -endif -##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM - describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo" -endif -##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO ) - describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains -# score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit - tflags T_GB_FREEM_FROM_NOT_REPLY publish -endif -endif -##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) - describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip -# score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit - tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish -endif -##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - -##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM ) - describe T_GB_WEBFORM Webform with url shortener -# score T_GB_WEBFORM 1.500 # limit -endif -##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ T_HDRS_LCASE - -describe T_HDRS_LCASE Odd capitalization of message header -#score T_HDRS_LCASE 0.10 # limit -##} T_HDRS_LCASE - -##{ T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO -endif -##} T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -##{ T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO -endif -##} T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -if (version >= 3.004000) - meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM -# score T_HK_NAME_FM_FROM 1.5 -endif -endif -##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -if (version >= 3.004000) - meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM -# score T_HK_NAME_FM_MR_MRS 1.5 -endif -endif -##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -if (version >= 3.004000) - meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM -# score T_HK_NAME_FROM 1.0 -endif -endif -##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN -endif -##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 - describe T_HTML_ATTACH HTML attachment to bypass scanning? -endif -##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT - describe T_ISO_ATTACH ISO attachment - possible malware delivery -# score T_ISO_ATTACH 3.000 # limit -endif -##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval -meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID -describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML -#score T_KAM_HTML_FONT_INVALID 0.1 -endif -##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval - -##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 - describe T_LARGE_PCT_AFTER_MANY Many large percentages after... -endif -##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i -endif -##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_LOTTO_AGENT_FM - -header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i -describe T_LOTTO_AGENT_FM Claims Agent -##} T_LOTTO_AGENT_FM - -##{ T_LOTTO_AGENT_RPLY - -meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG -describe T_LOTTO_AGENT_RPLY Claims Agent -##} T_LOTTO_AGENT_RPLY - -##{ T_LOTTO_URI - -uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i -describe T_LOTTO_URI Claims Department URL -##} T_LOTTO_URI - -##{ T_MANY_HDRS_LCASE - -describe T_MANY_HDRS_LCASE Odd capitalization of multiple message headers -#score T_MANY_HDRS_LCASE 0.10 # limit -##} T_MANY_HDRS_LCASE - -##{ T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE -endif -##} T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -##{ T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE -endif -##} T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - -##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 - describe T_MANY_PILL_PRICE Prices for many pills -endif -##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_MIME_MALF if (version >= 3.004000) - -if (version >= 3.004000) - meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED - describe T_MIME_MALF Malformed MIME: headers in body -# score T_MIME_MALF 2.00 # limit -endif -##} T_MIME_MALF if (version >= 3.004000) - -##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY) - describe T_MONEY_PERCENT X% of a lot of money for you -endif -##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH) - describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From -endif -##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i - describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type -endif -##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i - describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type -endif -##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i - describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type -endif -##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 - describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware -endif -##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i - describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type -endif -##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i - describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type -endif -##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA -describe T_OFFER_ONLY_AMERICA Offer only available to US -#score T_OFFER_ONLY_AMERICA 2.0 # limit -endif -endif -##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) - describe T_PDS_BTC_AHACKER Bitcoin Hacker -# score T_PDS_BTC_AHACKER 3.0 # limit -endif -##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) - describe T_PDS_BTC_HACKER Bitcoin Hacker -# score T_PDS_BTC_HACKER 2.0 # limit -endif -##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 -describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener -#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit -endif -endif -##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 -describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener -#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit -endif -endif -##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY -describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener -#score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit -endif -endif -##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) - describe T_PDS_LTC_AHACKER Litecoin Hacker -# score T_PDS_LTC_AHACKER 3.0 # limit -endif -##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) - describe T_PDS_LTC_HACKER Litecoin Hacker -# score T_PDS_LTC_HACKER 2.0 # limit -endif -##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header T_PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') -#score T_PDS_OTHER_BAD_TLD 2.0 -describe T_PDS_OTHER_BAD_TLD Untrustworthy TLDs -endif -endif -##} T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO') -#score T_PDS_PRO_TLD 1.0 -describe T_PDS_PRO_TLD .pro TLD -endif -endif -##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 -describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener -#score T_PDS_SHORTFWD_URISHRT 1.5 # limit -endif -endif -##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512 -describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener -#score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit -endif -endif -##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP -describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener -#score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit -endif -endif -##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta T_PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER - describe T_PDS_TO_EQ_FROM_NAME From: name same as To: address -endif -##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024 -describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject -#score T_PDS_URISHRT_LOCALPART_SUBJ 1.0 -endif -endif -##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF - describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX -# score T_PHOTO_EDITING_DIRECT 3.000 # limit -endif -##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) - describe T_PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto -# score T_PHOTO_EDITING_FREEM 3.750 # limit -endif -##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { - meta T_REMOTE_IMAGE __REMOTE_IMAGE - describe T_REMOTE_IMAGE Message contains an external image -endif -##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { - -##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR -describe T_SENT_TO_EMAIL_ADDR Email was sent to email address -#score T_SENT_TO_EMAIL_ADDR 2.0 # limit -endif -endif -##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ T_SHARE_50_50 - -meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY -describe T_SHARE_50_50 Share the money 50/50 -##} T_SHARE_50_50 - -##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK - describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX -# score T_STY_INVIS_DIRECT 2.500 # limit -endif -##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD -describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money -#score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit -endif -endif -##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT -describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local -#score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit -endif -endif -##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 -describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local -#score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit -endif -endif -##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i -endif -##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i -endif -##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/ -endif -##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval -body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists') -endif -##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval -body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers') -endif -##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval - -##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH) - describe T_WON_MONEY_ATTACH You won lots of money! See attachment. -endif -##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH) - describe T_WON_NBDY_ATTACH You won lots of money! See attachment. -endif -##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID - describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion -# score T_ZW_OBFU_BITCOIN 2.500 # limit -endif -##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto - describe T_ZW_OBFU_FREEM Obfuscated text + freemail -# score T_ZW_OBFU_FREEM 2.000 # limit -endif -##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ - describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject -# score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit -endif -##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ UC_GIBBERISH_OBFU - -meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED -describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" -#score UC_GIBBERISH_OBFU 3.000 # Limit -tflags UC_GIBBERISH_OBFU publish -##} UC_GIBBERISH_OBFU - -##{ UNDISC_FREEM - -meta UNDISC_FREEM __UNDISC_FREEM -describe UNDISC_FREEM Undisclosed recipients + freemail reply-to -tflags UNDISC_FREEM publish -##} UNDISC_FREEM - -##{ UNDISC_MONEY - -meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH -describe UNDISC_MONEY Undisclosed recipients + money/fraud signs -tflags UNDISC_MONEY publish -##} UNDISC_MONEY - -##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 - describe UNICODE_OBFU_ASC Obfuscating text with unicode -# score UNICODE_OBFU_ASC 2.500 # limit - tflags UNICODE_OBFU_ASC publish -endif -##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS - describe UNICODE_OBFU_ZW Obfuscating text with hidden characters -# score UNICODE_OBFU_ZW 3.500 # limit - tflags UNICODE_OBFU_ZW publish -endif -##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ UNSUB_GOOG_FORM - -meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM -describe UNSUB_GOOG_FORM Unsubscribe via Google Docs form -#score UNSUB_GOOG_FORM 2.500 # limit -tflags UNSUB_GOOG_FORM publish -##} UNSUB_GOOG_FORM - -##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL - -ifplugin Mail::SpamAssassin::Plugin::URIDNSBL -urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2 -body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB') -describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) -tflags URIBL_RHS_DOB net -endif -##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL - -##{ URI_ADOBESPARK - -meta URI_ADOBESPARK __URI_ADOBESPARK -#score URI_ADOBESPARK 3.500 # limit -tflags URI_ADOBESPARK publish -##} URI_ADOBESPARK - -##{ URI_AZURE_CLOUDAPP - -meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE -describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing -#score URI_AZURE_CLOUDAPP 3.000 # limit -tflags URI_AZURE_CLOUDAPP publish -##} URI_AZURE_CLOUDAPP - -##{ URI_DASHGOVEDU - -meta URI_DASHGOVEDU __URI_DASHGOVEDU -describe URI_DASHGOVEDU Suspicious domain name -#score URI_DASHGOVEDU 3.500 # limit -tflags URI_DASHGOVEDU publish -##} URI_DASHGOVEDU - -##{ URI_DATA - -meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB -describe URI_DATA "data:" URI - possible malware or phish -#score URI_DATA 3.250 # limit -tflags URI_DATA publish -##} URI_DATA - -##{ URI_DOTEDU - -meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK -describe URI_DOTEDU Has .edu URI -#score URI_DOTEDU 2.000 # limit -tflags URI_DOTEDU publish -##} URI_DOTEDU - -##{ URI_DOTEDU_ENTITY - -meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO -describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content -#score URI_DOTEDU_ENTITY 3.000 # limit -tflags URI_DOTEDU_ENTITY publish -##} URI_DOTEDU_ENTITY - -##{ URI_DOTTY_HEX - -meta URI_DOTTY_HEX __URI_DOTTY_HEX -describe URI_DOTTY_HEX Suspicious URI format -tflags URI_DOTTY_HEX publish -##} URI_DOTTY_HEX - -##{ URI_DQ_UNSUB - -meta URI_DQ_UNSUB __URI_DQ_UNSUB -describe URI_DQ_UNSUB IP-address unsubscribe URI -tflags URI_DQ_UNSUB publish -##} URI_DQ_UNSUB - -##{ URI_FIREBASEAPP - -meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP -describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing -#score URI_FIREBASEAPP 3.000 # limit -tflags URI_FIREBASEAPP publish -##} URI_FIREBASEAPP - -##{ URI_GOOGLE_PROXY - -meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID -describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? -tflags URI_GOOGLE_PROXY publish -##} URI_GOOGLE_PROXY - -##{ URI_GOOG_STO_SPAMMY - -uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|430bc3a2d98b15a0c58bf8df8f938d|5(?:a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4ome1owne1r|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|olio29034))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i -describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage -#score URI_GOOG_STO_SPAMMY 3.000 -tflags URI_GOOG_STO_SPAMMY publish -##} URI_GOOG_STO_SPAMMY - -##{ URI_HEX_IP - -meta URI_HEX_IP __URI_HEX_IP -#score URI_HEX_IP 2.500 # limit -describe URI_HEX_IP URI with hex-encoded IP-address host -tflags URI_HEX_IP publish -##} URI_HEX_IP - -##{ URI_IMG_WP_REDIR - -meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR -#score URI_IMG_WP_REDIR 3.000 # limit -describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy -tflags URI_IMG_WP_REDIR publish -##} URI_IMG_WP_REDIR - -##{ URI_LONG_REPEAT - -meta URI_LONG_REPEAT __URI_LONG_REPEAT -describe URI_LONG_REPEAT Long identical host+domain -#score URI_LONG_REPEAT 2.500 # limit -tflags URI_LONG_REPEAT publish -##} URI_LONG_REPEAT - -##{ URI_MALWARE_SCMS - -uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i -describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file) -tflags URI_MALWARE_SCMS publish -##} URI_MALWARE_SCMS - -##{ URI_OBFU_DOM - -meta URI_OBFU_DOM __URI_OBFU_DOM && !__VIA_ML -describe URI_OBFU_DOM URI pretending to be different domain -##} URI_OBFU_DOM - -##{ URI_ONLY_MSGID_MALF - - meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW - tflags URI_ONLY_MSGID_MALF net - meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO -describe URI_ONLY_MSGID_MALF URI only + malformed message ID -#score URI_ONLY_MSGID_MALF 2.000 # limit -tflags URI_ONLY_MSGID_MALF publish -##} URI_ONLY_MSGID_MALF - -##{ URI_OPTOUT_3LD - -uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i -describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname -#score URI_OPTOUT_3LD 2.000 # limit -tflags URI_OPTOUT_3LD publish -##} URI_OPTOUT_3LD - -##{ URI_OPTOUT_USME - -uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i -describe URI_OPTOUT_USME Opt-out URI, unusual TLD -tflags URI_OPTOUT_USME publish -##} URI_OPTOUT_USME - -##{ URI_PHISH - -describe URI_PHISH Phishing using web form -#score URI_PHISH 4.00 # limit -tflags URI_PHISH publish -##} URI_PHISH - -##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT -endif -##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - -##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT -endif -##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ URI_PHP_REDIR - -meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA -#score URI_PHP_REDIR 3.500 # limit -describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) -tflags URI_PHP_REDIR publish -##} URI_PHP_REDIR - -##{ URI_TRY_3LD - -meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE -describe URI_TRY_3LD "Try it" URI, suspicious hostname -#score URI_TRY_3LD 2.000 # limit -tflags URI_TRY_3LD publish -##} URI_TRY_3LD - -##{ URI_TRY_USME - -meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS -describe URI_TRY_USME "Try it" URI, unusual TLD -#score URI_TRY_USME 2.000 # limit -tflags URI_TRY_USME publish -##} URI_TRY_USME - -##{ URI_WPADMIN - -meta URI_WPADMIN __URI_WPADMIN -describe URI_WPADMIN WordPress login/admin URI, possible phishing -tflags URI_WPADMIN publish -##} URI_WPADMIN - -##{ URI_WP_DIRINDEX - -meta URI_WP_DIRINDEX __URI_WPDIRINDEX -describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware -#score URI_WP_DIRINDEX 3.500 # limit -tflags URI_WP_DIRINDEX publish -##} URI_WP_DIRINDEX - -##{ URI_WP_HACKED - -meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED -describe URI_WP_HACKED URI for compromised WordPress site, possible malware -#score URI_WP_HACKED 3.500 # limit -tflags URI_WP_HACKED publish -##} URI_WP_HACKED - -##{ URI_WP_HACKED_2 - -meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 -describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware -#score URI_WP_HACKED_2 2.500 # limit -tflags URI_WP_HACKED_2 publish -##} URI_WP_HACKED_2 - -##{ USB_DRIVES - -meta USB_DRIVES __SUBJ_USB_DRIVES -describe USB_DRIVES Trying to sell custom USB flash drives -#score USB_DRIVES 2.000 # limit -tflags USB_DRIVES publish -##} USB_DRIVES - -##{ VFY_ACCT_NORDNS - -meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY -describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing -#score VFY_ACCT_NORDNS 3.000 # limit -tflags VFY_ACCT_NORDNS publish -##} VFY_ACCT_NORDNS - -##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD -tflags VPS_NO_NTLD publish -describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD -#score VPS_NO_NTLD 1.0 # limit -endif -endif -##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -##{ WALMART_IMG_NOT_RCVD_WAL - -meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS -#score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit -describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart -tflags WALMART_IMG_NOT_RCVD_WAL publish -##} WALMART_IMG_NOT_RCVD_WAL - -##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY - describe WORD_INVIS A hidden word -# score WORD_INVIS 3.000 # limit - tflags WORD_INVIS publish -endif -##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta WORD_INVIS_MANY __WORD_INVIS_2 - describe WORD_INVIS_MANY Multiple individual hidden words -# score WORD_INVIS_MANY 3.000 # limit - tflags WORD_INVIS_MANY publish -endif -##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ XFER_LOTSA_MONEY - -meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO -describe XFER_LOTSA_MONEY Transfer a lot of money -#score XFER_LOTSA_MONEY 1.000 # limit -##} XFER_LOTSA_MONEY - -##{ XM_DIGITS_ONLY - -meta XM_DIGITS_ONLY __XM_DIGITS_ONLY -describe XM_DIGITS_ONLY X-Mailer malformed -#score XM_DIGITS_ONLY 3.000 # limit -tflags XM_DIGITS_ONLY publish -##} XM_DIGITS_ONLY - -##{ XM_PHPMAILER_FORGED - -meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED -describe XM_PHPMAILER_FORGED Apparently forged header -tflags XM_PHPMAILER_FORGED publish -##} XM_PHPMAILER_FORGED - -##{ XM_RANDOM - -meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG -describe XM_RANDOM X-Mailer apparently random -#score XM_RANDOM 2.500 # limit -tflags XM_RANDOM publish -##} XM_RANDOM - -##{ XPRIO - -describe XPRIO Has X-Priority header -#score XPRIO 2.250 # limit -tflags XPRIO publish -##} XPRIO - -##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - meta XPRIO __XPRIO_MINFP -endif -##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::DKIM - tflags XPRIO net -endif -##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM - -##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) - -ifplugin Mail::SpamAssassin::Plugin::DKIM -if !plugin(Mail::SpamAssassin::Plugin::SPF) - meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE -endif -endif -##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) - -##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF - -ifplugin Mail::SpamAssassin::Plugin::DKIM - ifplugin Mail::SpamAssassin::Plugin::SPF - meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS -endif -endif -##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF - -##{ XPRIO_SHORT_SUBJ - -meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF -describe XPRIO_SHORT_SUBJ Has X Priority header + short subject -#score XPRIO_SHORT_SUBJ 2.500 # limit -tflags XPRIO_SHORT_SUBJ publish -##} XPRIO_SHORT_SUBJ - -##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER -describe XPRIO_URL_SHORTNER X-Priority header and short URL -#score XPRIO_URL_SHORTNER 1.0 # limit -endif -endif -##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ X_MAILER_CME_6543_MSN - -header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ -##} X_MAILER_CME_6543_MSN - -##{ YOUR_DELIVERY_ADDRESS - -body YOUR_DELIVERY_ADDRESS /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we need to know|let us know|(?:send|provide|tell|inform)(?: us)?(?: of)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific |exact )?(?:(?:delivery |shipping |mailing |shipment |receiving )?(?:address|location)(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))|(?:provide|give) us (?:with |details of )(?:the |your )?address,? (?:and )?we will contact (?:the )?(?:warehouse|logistics|storage(?: facility))|your (?:mailing|shipping) address to (?:arrange|set ?up) (?:shipment|delivery) (?:(?:for|to) you|of th)/i -#score YOUR_DELIVERY_ADDRESS 1.250 # limit -##} YOUR_DELIVERY_ADDRESS - -##{ YOU_INHERIT - -meta YOU_INHERIT __YOU_INHERIT -describe YOU_INHERIT Discussing your inheritance -##} YOU_INHERIT - -##{ bayes_ignore_header_sandbox - -bayes_ignore_header X-ACL-Warn -bayes_ignore_header X-Alimail-AntiSpam -bayes_ignore_header X-Amavis-Modified -bayes_ignore_header X-Anti-Spam -bayes_ignore_header X-Anti-Virus -bayes_ignore_header X-Anti-Virus-Version -bayes_ignore_header X-AntiAbuse -bayes_ignore_header X-Antispam -bayes_ignore_header X-Antivirus -bayes_ignore_header X-Antivirus-Code -bayes_ignore_header X-Antivirus-Status -bayes_ignore_header X-Antivirus-Version -bayes_ignore_header x-aol-global-disposition -bayes_ignore_header X-ASF-Spam-Status -bayes_ignore_header X-ASG-Debug-ID -bayes_ignore_header X-ASG-Orig-Subj -bayes_ignore_header X-ASG-Recipient-Whitelist -bayes_ignore_header X-ASG-Tag -bayes_ignore_header X-Assp-Version -bayes_ignore_header X-Authority-Analysis -bayes_ignore_header X-Authvirus -bayes_ignore_header X-Auto-Response-Suppress -bayes_ignore_header X-AV-Do-Run -bayes_ignore_header X-AV-Status -bayes_ignore_header x-avast-antispam -bayes_ignore_header X-Backend -bayes_ignore_header X-Barracuda-Apparent-Source-IP -bayes_ignore_header X-Barracuda-Bayes -bayes_ignore_header X-Barracuda-BBL-IP -bayes_ignore_header X-Barracuda-BRTS-Status -bayes_ignore_header X-Barracuda-BRTS-URL-Found -bayes_ignore_header X-Barracuda-Connect -bayes_ignore_header X-Barracuda-Encrypted -bayes_ignore_header X-Barracuda-Envelope-From -bayes_ignore_header X-Barracuda-Fingerprint-Found -bayes_ignore_header X-Barracuda-Orig-Rcpt -bayes_ignore_header X-Barracuda-RBL-IP -bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder -bayes_ignore_header X-Barracuda-Spam-Report -bayes_ignore_header X-Barracuda-Spam-Score -bayes_ignore_header X-Barracuda-Spam-Status -bayes_ignore_header X-Barracuda-Start-Time -bayes_ignore_header X-Barracuda-UID -bayes_ignore_header X-Barracuda-URL -bayes_ignore_header X-Barracuda-Virus-Alert -bayes_ignore_header X-Bayes-Prob -bayes_ignore_header X-Bayesian-Result -bayes_ignore_header X-BitDefender-Spam -bayes_ignore_header X-BitDefender-SpamStamp -bayes_ignore_header X-BL -bayes_ignore_header X-Bogosity -bayes_ignore_header X-Boxtrapper -bayes_ignore_header X-Brightmail-Tracker -bayes_ignore_header X-BTI-AntiSpam -bayes_ignore_header X-Bugzilla-Version -bayes_ignore_header X-CanIt-Geo -bayes_ignore_header X-Canit-Stats-ID -bayes_ignore_header X-CanItPRO-Stream -bayes_ignore_header X-Clapf-spamicity -bayes_ignore_header X-Cloud-Security -bayes_ignore_header X-CM-Score -bayes_ignore_header X-CMAE-Analysis -bayes_ignore_header X-CMAE-Match -bayes_ignore_header X-CMAE-Score -bayes_ignore_header X-CMAE-Verdict -bayes_ignore_header X-CNFS-Analysis -bayes_ignore_header X-Company -bayes_ignore_header X-Coremail-Antispam -bayes_ignore_header X-CRM114-CacheID -bayes_ignore_header X-CRM114-Status -bayes_ignore_header X-CRM114-Version -bayes_ignore_header X-CT-Spam -bayes_ignore_header X-CTCH-SenderID -bayes_ignore_header X-CTCH-SenderID-TotalBulk -bayes_ignore_header X-CTCH-SenderID-TotalConfirmed -bayes_ignore_header X-CTCH-SenderID-TotalMessages -bayes_ignore_header X-CTCH-SenderID-TotalRecipients -bayes_ignore_header X-CTCH-SenderID-TotalSpam -bayes_ignore_header X-CTCH-SenderID-TotalSuspected -bayes_ignore_header X-CTCH-SenderID-TotalVirus -bayes_ignore_header X-CTCH-Spam -bayes_ignore_header X-CTCH-VOD -bayes_ignore_header X-Drweb-SpamState -bayes_ignore_header X-DSPAM-Confidence -bayes_ignore_header X-DSPAM-Factors -bayes_ignore_header X-DSPAM-Improbability -bayes_ignore_header X-DSPAM-Probability -bayes_ignore_header X-DSPAM-Processed -bayes_ignore_header X-DSPAM-Result -bayes_ignore_header X-DSPAM-Signature -bayes_ignore_header x-eavas -bayes_ignore_header x-eavas-action -bayes_ignore_header x-eavas-eavasid -bayes_ignore_header X-Enigmail-Version -bayes_ignore_header X-EsetId -bayes_ignore_header X-EsetResult -bayes_ignore_header X-Exchange-Antispam-Report -bayes_ignore_header X-ExtloopSabreCommercials1 -bayes_ignore_header X-EYOU-SPAMVALUE -bayes_ignore_header X-FB-OUTBOUND-SPAM -bayes_ignore_header X-FEAS-SBL -bayes_ignore_header X-FILTER-SCORE -bayes_ignore_header X-Forefront-Antispam-Report -bayes_ignore_header X-Forefront-PRVS -bayes_ignore_header X-Fuglu-Spamstatus -bayes_ignore_header X-Fuglu-Suspect -bayes_ignore_header X-getmail-filter-classifier -bayes_ignore_header X-GFIME-MASPAM -bayes_ignore_header X-Gmane-NNTP-Posting-Host -bayes_ignore_header X-GMX-Antispam -bayes_ignore_header X-GMX-Antivirus -bayes_ignore_header X-He-Spam -bayes_ignore_header X-hMailServer-Spam -bayes_ignore_header X-IAS -bayes_ignore_header X-iGspam-global -bayes_ignore_header X-Injected-Via-Gmane -bayes_ignore_header X-Interia-Antivirus -bayes_ignore_header X-IP-Spam-Verdict -bayes_ignore_header X-Ironport -bayes_ignore_header X-IronPort-Anti-Spam-Filtered -bayes_ignore_header X-IronPort-Anti-Spam-Result -bayes_ignore_header X-IronPort-AV -bayes_ignore_header X-Ironport-HAT -bayes_ignore_header X-Ironport-HOSTNAME -bayes_ignore_header X-Ironport-LNR -bayes_ignore_header X-Ironport-MessageFilter -bayes_ignore_header X-Ironport-MFP -bayes_ignore_header X-Ironport-MID -bayes_ignore_header X-IronPort-Outgoing-Antispam -bayes_ignore_header X-Ironport-RIF -bayes_ignore_header X-Ironport-SBRS -bayes_ignore_header X-Ironport-SENDER -bayes_ignore_header X-Ironport-SUBJECT -bayes_ignore_header X-Junk-Score -bayes_ignore_header X-Junkmail -bayes_ignore_header X-KLMS-AntiPhishing -bayes_ignore_header X-Klms-Antispam -bayes_ignore_header X-KLMS-AntiSpam-Info -bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info -bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles -bayes_ignore_header X-KLMS-AntiSpam-Method -bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps -bayes_ignore_header X-KLMS-AntiSpam-Rate -bayes_ignore_header X-KLMS-AntiSpam-Status -bayes_ignore_header X-KLMS-AntiSpam-Version -bayes_ignore_header X-KLMS-AntiVirus -bayes_ignore_header X-KLMS-AntiVirus-Status -bayes_ignore_header X-KLMS-Message-Action -bayes_ignore_header X-KLMS-Rule-ID -bayes_ignore_header X-KMail-EncryptionState -bayes_ignore_header X-KMail-MDN-Sent -bayes_ignore_header X-KMail-SignatureState -bayes_ignore_header X-MailCleaner-SpamChec -bayes_ignore_header X-MailCleaner-SpamCheck -bayes_ignore_header X-MailFoundry -bayes_ignore_header X-MDMailLookup-Result -bayes_ignore_header X-ME-Bayesian -bayes_ignore_header X-ME-Content -bayes_ignore_header X-MessageFilter -bayes_ignore_header X-Microsoft-Antispam -bayes_ignore_header X-Mlf-Version -bayes_ignore_header X-MXScan-AntiSpam -bayes_ignore_header X-MXScan-AntiVirus -bayes_ignore_header X-MXScan-Country-Sequence -bayes_ignore_header X-MXScan-License -bayes_ignore_header X-MXScan-Msgid -bayes_ignore_header X-MXScan-ProcessingTime -bayes_ignore_header X-MXScan-Scan -bayes_ignore_header X-NAI-Spam-Flag -bayes_ignore_header X-NAI-Spam-Rules -bayes_ignore_header X-NAI-Spam-Score -bayes_ignore_header X-NAI-Spam-Threshold -bayes_ignore_header X-NetStation-Status -bayes_ignore_header X-OVH-SPAMCAUSE -bayes_ignore_header X-OVH-SPAMCAUSE: -bayes_ignore_header X-OVH-SPAMSCORE -bayes_ignore_header X-OVH-SPAMSTATE -bayes_ignore_header X-PerlMx-Spam -bayes_ignore_header X-PerlMx-Virus-Scanned -bayes_ignore_header X-PFSI-Info -bayes_ignore_header X-PMX-Spam -bayes_ignore_header X-PMX-Version -bayes_ignore_header X-Policy-Service -bayes_ignore_header X-policyd-weight -bayes_ignore_header X-PreRBLs -bayes_ignore_header X-Probable-Spam -bayes_ignore_header X-PROLinux-SpamCheck -bayes_ignore_header X-Proofpoint-Spam-Reason -bayes_ignore_header X-Proofpoint-Virus-Version -bayes_ignore_header x-purgate-eavas: clean -bayes_ignore_header x-purgate-id -bayes_ignore_header x-purgate-size -bayes_ignore_header x-purgate-type -bayes_ignore_header X-Qmail-Scanner-Diagnostics -bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status -bayes_ignore_header X-Quarantine-ID -bayes_ignore_header X-RSpam-Report -bayes_ignore_header X-SA-Do-Not-Run -bayes_ignore_header X-SA-Exim-Version -bayes_ignore_header X-Scanned-by -bayes_ignore_header X-SmarterMail-CustomSpamHeader -bayes_ignore_header X-Spam -bayes_ignore_header X-Spam-Action -bayes_ignore_header X-SPAM-AISP -bayes_ignore_header X-Spam-Check-By -bayes_ignore_header X-Spam-Checker-Version -bayes_ignore_header X-Spam-CMAE-Analysis -bayes_ignore_header X-Spam-CMAESCORE -bayes_ignore_header X-Spam-CTCH-RefID -bayes_ignore_header X-Spam-Flag -bayes_ignore_header X-Spam-Level -bayes_ignore_header X-Spam-Processed -bayes_ignore_header X-Spam-Report -bayes_ignore_header X-Spam-Scanned -bayes_ignore_header X-Spam-Score -bayes_ignore_header X-Spam-Score-Int -bayes_ignore_header X-Spam-SmartLearn -bayes_ignore_header X-Spam-Status -bayes_ignore_header X-Spam-Threshold -bayes_ignore_header X-Spam_bar -bayes_ignore_header X-Spambayes-Classification -bayes_ignore_header X-SpamExperts-Domain -bayes_ignore_header X-SpamExperts-Outgoing-Class -bayes_ignore_header X-SpamExperts-Outgoing-Evidence -bayes_ignore_header X-SpamExperts-Username -bayes_ignore_header X-Spamfilter-host -bayes_ignore_header X-Spamina-Bogosity -bayes_ignore_header X-Spamina-Spam-Report -bayes_ignore_header X-Spamina-Spam-Score -bayes_ignore_header X-SpamInfo -bayes_ignore_header X-Spamsave -bayes_ignore_header X-SpamTest-Group-ID -bayes_ignore_header X-SpamTest-Info -bayes_ignore_header X-SpamTest-Method -bayes_ignore_header X-SpamTest-Rate -bayes_ignore_header X-SpamTest-SPF -bayes_ignore_header X-SpamTest-Status -bayes_ignore_header X-SpamTest-Status-Extended -bayes_ignore_header X-SPF-Scan-By -bayes_ignore_header X-STA-Metric -bayes_ignore_header X-STA-NotSpam -bayes_ignore_header X-STA-Spam -bayes_ignore_header X-StarScan-Version -bayes_ignore_header X-SurGATE-Result -bayes_ignore_header X-SWITCHham-Score -bayes_ignore_header X-UI-Filterresults -bayes_ignore_header X-UI-Loop -bayes_ignore_header X-UI-Out-Filterresults -bayes_ignore_header X-Univie-Spam-Checker-Version -bayes_ignore_header X-Univie-Virus-Scan -bayes_ignore_header X-Virus -bayes_ignore_header X-Virus-Checker-Version -bayes_ignore_header X-Virus-Scanned -bayes_ignore_header X-Virus-Scanner-Result -bayes_ignore_header X-Virus-Scanner-Version -bayes_ignore_header X-Virus-Status -bayes_ignore_header X-VirusChecked -bayes_ignore_header X-VR-SCORE -bayes_ignore_header X-VR-SPAMCAUSE -bayes_ignore_header X-VR-STATUS -bayes_ignore_header X-WatchGuard-Mail-Client-IP -bayes_ignore_header X-WatchGuard-Mail-From -bayes_ignore_header X-WatchGuard-Mail-Recipients -bayes_ignore_header X-WatchGuard-Spam-ID -bayes_ignore_header X-WatchGuard-Spam-Score -bayes_ignore_header X-Whitelist-Domain -bayes_ignore_header X-WUM-CCI -bayes_ignore_header X_CMAE_Category##} bayes_ignore_header_sandbox - -##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ -askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/ -askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/ -askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/ -reuse FROM_FMBLA_NEWDOM -reuse FROM_FMBLA_NEWDOM14 -reuse FROM_FMBLA_NEWDOM28 -reuse FROM_FMBLA_NDBLOCKED -reuse __PDS_NEWDOMAIN -reuse FROM_NUMBERO_NEWDOMAIN -reuse FROM_NEWDOM_BTC -askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ -reuse BITCOIN_SPF_ONLYALL -endif -endif -##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox - -##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it -enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk -enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk -reuse __FROM_ADDRLIST_PAYPAL -reuse FROM_PAYPAL_SPOOF -enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk -enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk -enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk -enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com -enlist_addrlist (BANKS) *@citibank.com -enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk -enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com -enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk -enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk -enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com -enlist_addrlist (BANKS) *@mbna.com -enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk -enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk -enlist_addrlist (BANKS) *@santander.com *@santander.co.uk -enlist_addrlist (BANKS) *@standardbank.co.za -enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com -reuse __FROM_ADDRLIST_BANKS -reuse FROM_BANK_NOAUTH -enlist_addrlist (GOV) *@*.gov -enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk -reuse __FROM_ADDRLIST_GOV -reuse FROM_GOV_SPOOF -reuse FROM_GOV_DKIM_AU -reuse FROM_GOV_REPLYTO_FREEMAIL -enlist_addrlist (SUSP_NTLD) *@*.icu -enlist_addrlist (SUSP_NTLD) *@*.online -enlist_addrlist (SUSP_NTLD) *@*.work -enlist_addrlist (SUSP_NTLD) *@*.date -enlist_addrlist (SUSP_NTLD) *@*.top -enlist_addrlist (SUSP_NTLD) *@*.fun -enlist_addrlist (SUSP_NTLD) *@*.life -enlist_addrlist (SUSP_NTLD) *@*.review -enlist_addrlist (SUSP_NTLD) *@*.xyz -enlist_addrlist (SUSP_NTLD) *@*.bid -enlist_addrlist (SUSP_NTLD) *@*.stream -enlist_addrlist (SUSP_NTLD) *@*.site -enlist_addrlist (SUSP_NTLD) *@*.gdn -enlist_addrlist (SUSP_NTLD) *@*.click -enlist_addrlist (SUSP_NTLD) *@*.world -enlist_addrlist (SUSP_NTLD) *@*.fit -enlist_addrlist (SUSP_NTLD) *@*.ooo -enlist_addrlist (SUSP_NTLD) *@*.faith -enlist_addrlist (SUSP_NTLD) *@*.buzz -enlist_addrlist (SUSP_NTLD) *@*.trade -enlist_addrlist (SUSP_NTLD) *@*.cyou -enlist_addrlist (SUSP_NTLD) *@*.vip -enlist_uri_host (SUSP_URI_NTLD) icu -enlist_uri_host (SUSP_URI_NTLD) online -enlist_uri_host (SUSP_URI_NTLD) work -enlist_uri_host (SUSP_URI_NTLD) date -enlist_uri_host (SUSP_URI_NTLD) top -enlist_uri_host (SUSP_URI_NTLD) fun -enlist_uri_host (SUSP_URI_NTLD) life -enlist_uri_host (SUSP_URI_NTLD) review -enlist_uri_host (SUSP_URI_NTLD) xyz -enlist_uri_host (SUSP_URI_NTLD) bid -enlist_uri_host (SUSP_URI_NTLD) stream -enlist_uri_host (SUSP_URI_NTLD) site -enlist_uri_host (SUSP_URI_NTLD) gdn -enlist_uri_host (SUSP_URI_NTLD) click -enlist_uri_host (SUSP_URI_NTLD) world -enlist_uri_host (SUSP_URI_NTLD) fit -enlist_uri_host (SUSP_URI_NTLD) ooo -enlist_uri_host (SUSP_URI_NTLD) faith -enlist_uri_host (SUSP_URI_NTLD) buzz -enlist_uri_host (SUSP_URI_NTLD) trade -enlist_uri_host (SUSP_URI_NTLD) cyou -enlist_uri_host (SUSP_URI_NTLD) vip -enlist_uri_host (SUSP_URI_NTLD_PRO) pro -reuse __FROM_ADDRLIST_SUSPNTLD -reuse __REPLYTO_ADDRLIST_SUSPNTLD -reuse FROM_SUSPICIOUS_NTLD -reuse GOOGLE_DRIVE_REPLY_BAD_NTLD -reuse VPS_NO_NTLD -endif -endif -##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox - -##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox - -if (version >= 3.004003) - ifplugin Mail::SpamAssassin::Plugin::HashBL - priority GB_HASHBL_BTC -100 - reuse GB_HASHBL_BTC -endif -endif -##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox - -##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab]) - replace_rules __E_LIKE_LETTER -endif -endif -##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox - -##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/ -reuse __DKIMWL_FREEMAIL -askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/ -reuse __DKIMWL_BULKMAIL -askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/ -reuse __DKIMWL_WL_HI -askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/ -reuse __DKIMWL_WL_MEDHI -askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/ -reuse __DKIMWL_WL_MED -askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/ -reuse __DKIMWL_WL_BL -askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/ -reuse __DKIMWL_BLOCKED -reuse DKIMWL_WL_HIGH -reuse DKIMWL_WL_MEDHI -reuse DKIMWL_WL_MED -reuse DKIMWL_BL -reuse DKIMWL_BLOCKED -askdns __HELO_DNS _LASTEXTERNALHELO_ A /./ -endif -##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox - -##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox - -ifplugin Mail::SpamAssassin::Plugin::DNSEval # { -reuse RCVD_IN_PSBL -endif -##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox - -##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox - -ifplugin Mail::SpamAssassin::Plugin::DNSEval -reuse RCVD_IN_IADB_LISTED -reuse RCVD_IN_IADB_EDDB -reuse RCVD_IN_IADB_EPIA -reuse RCVD_IN_IADB_SPF -reuse RCVD_IN_IADB_SENDERID -reuse RCVD_IN_IADB_DK -reuse RCVD_IN_IADB_RDNS -reuse RCVD_IN_IADB_GOODMAIL -reuse RCVD_IN_IADB_NOCONTROL -reuse RCVD_IN_IADB_OPTOUTONLY -reuse RCVD_IN_IADB_UNVERIFIED_1 -reuse RCVD_IN_IADB_UNVERIFIED_2 -reuse RCVD_IN_IADB_LOOSE -reuse RCVD_IN_IADB_OPTIN_LT50 -reuse RCVD_IN_IADB_OPTIN_GT50 -reuse RCVD_IN_IADB_OPTIN -reuse RCVD_IN_IADB_DOPTIN_LT50 -reuse RCVD_IN_IADB_DOPTIN_GT50 -reuse RCVD_IN_IADB_DOPTIN -reuse RCVD_IN_IADB_ML_DOPTIN -reuse RCVD_IN_IADB_OOO -reuse RCVD_IN_IADB_MI_CPEAR -reuse RCVD_IN_IADB_UT_CPEAR -reuse RCVD_IN_IADB_MI_CPR_30 -reuse RCVD_IN_IADB_UT_CPR_30 -reuse RCVD_IN_IADB_MI_CPR_MAT -reuse RCVD_IN_IADB_UT_CPR_MAT -endif -##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox - -##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox - -ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof -fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de -fns_ignore_headers List-Id -fns_check 1 -reuse __PLUGIN_FROMNAME_SPOOF -reuse __PLUGIN_FROMNAME_EQUALS_TO -endif -##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox - -##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -replace_rules T_FUZZY_SPRM -replace_rules FUZZY_MERIDIA -replace_rules TVD_FUZZY_PHARMACEUTICAL -replace_rules TVD_FUZZY_SYMBOL -replace_rules T_TVD_FUZZY_SECURITIES -replace_rules TVD_FUZZY_FINANCE -replace_rules TVD_FUZZY_FIXED_RATE -replace_rules TVD_FUZZY_MICROCAP -replace_rules T_TVD_FUZZY_SECTOR -replace_rules TVD_FUZZY_DEGREE - replace_rules __COPY_PASTE_EN - replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?) - replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} - replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) - replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) - replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? - replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) - replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) - replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? - replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? - replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? - replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} - replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} - replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) - replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} - replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? - replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) - replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? - replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> - replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) - replace_rules __FILL_THIS_FORM_LONG1 - replace_rules __FILL_THIS_FORM_LONG2 - replace_rules __FILL_THIS_FORM_PARTIAL - replace_rules __FILL_THIS_FORM_PARTIAL_RAW - replace_rules __FILL_THIS_FORM_SHORT1 - replace_rules __FILL_THIS_FORM_SHORT2 - replace_rules __FILL_THIS_FORM_LOAN1 - replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 - replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?) - replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b - replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s) - replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$)) - replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04 - replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent) - replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS - replace_rules T_FUZZY_OPTOUT - replace_rules __FRT_PRICE - replace_rules FUZZY_UNSUBSCRIBE - replace_rules FUZZY_ANDROID - replace_rules FUZZY_PROMOTION - replace_rules FUZZY_PRIVACY - replace_rules FUZZY_BROWSER - replace_rules FUZZY_SAVINGS - replace_rules FUZZY_IMPORTANT - replace_rules FUZZY_SECURITY - replace_rules __FUZZY_DR_OZ - replace_rules FUZZY_CLICK_HERE - replace_rules FUZZY_BITCOIN - replace_rules __BITCOIN - replace_rules FUZZY_WALLET - replace_rules __FUZZY_MONERO - replace_rules __FUZZY_WELLSFARGO_BODY - replace_rules __FUZZY_WELLSFARGO_FROM - replace_rules __FUZZY_PORN - replace_rules FUZZY_AMAZON - replace_rules FUZZY_APPLE - replace_rules FUZZY_MICROSOFT - replace_rules FUZZY_FACEBOOK - replace_rules FUZZY_PAYPAL - replace_rules FUZZY_NORTON - replace_rules FUZZY_OVERSTOCK - replace_rules __MY_VICTIM - replace_rules __MY_MALWARE - replace_rules __PAY_ME - replace_rules __YOUR_PASSWORD - replace_rules __YOUR_WEBCAM - replace_rules __YOUR_ONAN - replace_rules __YOUR_PERSONAL - replace_rules __HOURS_DEADLINE - replace_rules __EXPLOSIVE_DEVICE -replace_rules T_LFUZ_PWRMALE - replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE - reuse T_PDS_BTC_AHACKER - reuse T_PDS_BTC_HACKER - reuse T_PDS_LTC_AHACKER - reuse T_PDS_LTC_HACKER -endif -##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox - -##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox - -ifplugin Mail::SpamAssassin::Plugin::URIDNSBL -reuse URIBL_RHS_DOB -endif -##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox - -##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com -enlist_uri_host (PDS_CASHSHORTENER) caat.site -enlist_uri_host (PDS_CASHSHORTENER) triabicia.com -enlist_uri_host (PDS_CASHSHORTENER) 2xs.io -enlist_uri_host (PDS_CASHSHORTENER) ocest.site -enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz -enlist_uri_host (PDS_CASHSHORTENER) waar.site -enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net -enlist_uri_host (PDS_CASHSHORTENER) cowner.net -enlist_uri_host (PDS_CASHSHORTENER) adfoc.us -enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz -enlist_uri_host (PDS_CASHSHORTENER) gurl.pw -enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu -enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz -enlist_uri_host (PDS_CASHSHORTENER) libittarc.com -enlist_uri_host (PDS_CASHSHORTENER) pc.cd -enlist_uri_host (PDS_CASHSHORTENER) fc.lc -enlist_uri_host (PDS_CASHSHORTENER) dares.xyz -enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com -enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz -enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz -enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz -enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz -enlist_uri_host (PDS_CASHSHORTENER) 7r6.com -enlist_uri_host (PDS_CASHSHORTENER) mitly.us -enlist_uri_host (PDS_CASHSHORTENER) kutpay.com -enlist_uri_host (PDS_CASHSHORTENER) gsurl.me -enlist_uri_host (PDS_CASHSHORTENER) gurl.ly -enlist_uri_host (PDS_CASHSHORTENER) gsurl.in -enlist_uri_host (PDS_CASHSHORTENER) acitoate.com -enlist_uri_host (PDS_CASHSHORTENER) aclabink.com -enlist_uri_host (PDS_CASHSHORTENER) activeation.com -enlist_uri_host (PDS_CASHSHORTENER) activeterium.com -enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com -enlist_uri_host (PDS_CASHSHORTENER) adflymail.com -enlist_uri_host (PDS_CASHSHORTENER) adult.xyz -enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com -enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com -enlist_uri_host (PDS_CASHSHORTENER) ay.gy -enlist_uri_host (PDS_CASHSHORTENER) battleate.com -enlist_uri_host (PDS_CASHSHORTENER) biastonu.com -enlist_uri_host (PDS_CASHSHORTENER) bitigee.com -enlist_uri_host (PDS_CASHSHORTENER) briskrange.com -enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com -enlist_uri_host (PDS_CASHSHORTENER) casualient.com -enlist_uri_host (PDS_CASHSHORTENER) clesolea.com -enlist_uri_host (PDS_CASHSHORTENER) code404.biz -enlist_uri_host (PDS_CASHSHORTENER) coginator.com -enlist_uri_host (PDS_CASHSHORTENER) cogismith.com -enlist_uri_host (PDS_CASHSHORTENER) covelign.com -enlist_uri_host (PDS_CASHSHORTENER) crefranek.com -enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com -enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com -enlist_uri_host (PDS_CASHSHORTENER) deciomm.com -enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com -enlist_uri_host (PDS_CASHSHORTENER) east-jones.com -enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com -enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com -enlist_uri_host (PDS_CASHSHORTENER) endroudo.com -enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com -enlist_uri_host (PDS_CASHSHORTENER) fainbory.com -enlist_uri_host (PDS_CASHSHORTENER) fasttory.com -enlist_uri_host (PDS_CASHSHORTENER) fawright.com -enlist_uri_host (PDS_CASHSHORTENER) flyserve.co -enlist_uri_host (PDS_CASHSHORTENER) greponozy.com -enlist_uri_host (PDS_CASHSHORTENER) homoluath.com -enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com -enlist_uri_host (PDS_CASHSHORTENER) infopade.com -enlist_uri_host (PDS_CASHSHORTENER) j.gs -enlist_uri_host (PDS_CASHSHORTENER) kaitect.com -enlist_uri_host (PDS_CASHSHORTENER) kializer.com -enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com -enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com -enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com -enlist_uri_host (PDS_CASHSHORTENER) legeerook.com -enlist_uri_host (PDS_CASHSHORTENER) libittarc.com -enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com -enlist_uri_host (PDS_CASHSHORTENER) locinealy.com -enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com -enlist_uri_host (PDS_CASHSHORTENER) metastead.com -enlist_uri_host (PDS_CASHSHORTENER) mmoity.com -enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com -enlist_uri_host (PDS_CASHSHORTENER) neswery.com -enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com -enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com -enlist_uri_host (PDS_CASHSHORTENER) optitopt.com -enlist_uri_host (PDS_CASHSHORTENER) picocurl.com -enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com -enlist_uri_host (PDS_CASHSHORTENER) preofery.com -enlist_uri_host (PDS_CASHSHORTENER) prereheus.com -enlist_uri_host (PDS_CASHSHORTENER) q.gs -enlist_uri_host (PDS_CASHSHORTENER) quainator.com -enlist_uri_host (PDS_CASHSHORTENER) quamiller.com -enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid -enlist_uri_host (PDS_CASHSHORTENER) raboninco.com -enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com -enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com -enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com -enlist_uri_host (PDS_CASHSHORTENER) scapognel.com -enlist_uri_host (PDS_CASHSHORTENER) simizer.com -enlist_uri_host (PDS_CASHSHORTENER) skamaker.com -enlist_uri_host (PDS_CASHSHORTENER) skamason.com -enlist_uri_host (PDS_CASHSHORTENER) sluppend.com -enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com -enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com -enlist_uri_host (PDS_CASHSHORTENER) swarife.com -enlist_uri_host (PDS_CASHSHORTENER) swiftation.com -enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com -enlist_uri_host (PDS_CASHSHORTENER) techigo.com -enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid -enlist_uri_host (PDS_CASHSHORTENER) tinyical.com -enlist_uri_host (PDS_CASHSHORTENER) tonancos.com -enlist_uri_host (PDS_CASHSHORTENER) triabicia.com -enlist_uri_host (PDS_CASHSHORTENER) turboagram.com -enlist_uri_host (PDS_CASHSHORTENER) twineer.com -enlist_uri_host (PDS_CASHSHORTENER) twiriock.com -enlist_uri_host (PDS_CASHSHORTENER) userlab66.com -enlist_uri_host (PDS_CASHSHORTENER) vaugette.com -enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com -enlist_uri_host (PDS_CASHSHORTENER) velociterium.com -enlist_uri_host (PDS_CASHSHORTENER) viahold.com -enlist_uri_host (PDS_CASHSHORTENER) vializer.com -enlist_uri_host (PDS_CASHSHORTENER) viwright.com -enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com -enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com -enlist_uri_host (PDS_CASHSHORTENER) x19.biz -enlist_uri_host (PDS_CASHSHORTENER) x19network.com -enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com -enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com -enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com -enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com -enlist_uri_host (PDS_CASHSHORTENER) yoineer.com -enlist_uri_host (PDS_CASHSHORTENER) yoitect.com -enlist_uri_host (PDS_CASHSHORTENER) zipansion.com -enlist_uri_host (PDS_CASHSHORTENER) zipteria.com -enlist_uri_host (PDS_CASHSHORTENER) zipvale.com -reuse T_PDS_SHORTFWD_URISHRT -endif -endif -##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox - -##{ redirector_pattern_sandbox - -redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i -redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i -redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i -redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i -redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i -redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i -redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i -redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i -##} redirector_pattern_sandbox - -##{ reuse_sandbox - -reuse T_PDS_HIDDEN_UK_BUSINESSLOAN -reuse T_PDS_DOUBLE_URL -reuse T_PDS_DBL_URL_LINKBAIT -reuse PDS_DBL_URL_TNB_RUNON -reuse T_PDS_DBL_URL_ILLEGAL_CHARS -reuse FROM_2_EMAILS_SHORT -reuse T_SHORT_BODY_QUOTE -reuse T_BODY_QUOTE_MALF_MSGID -reuse SPOOFED_FREEMAIL_NO_RDNS -reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN -reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE -reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT -reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE -reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT -reuse T_PDS_LITECOIN_ID -reuse PDS_BTC_ID -reuse PDS_BTC_MSGID -reuse __PDS_GOOGLE_DRIVE_SHARE_1 -reuse __PDS_GOOGLE_DRIVE_SHARE_2 -reuse __PDS_GOOGLE_DRIVE_SHARE_3 -reuse __PDS_GOOGLE_DRIVE_SHARE -reuse T_GOOGLE_DRIVE_DEAR_SOMETHING -reuse __PDS_GOOGLE_DRIVE_FILE -reuse __SHORT_BODY_G_DRIVE -reuse __SHORT_BODY_G_DRIVE_DYN -reuse T_SHORT_BODY_G_DRIVE_DYN -reuse T_FROM_NAME_EQ_TO_G_DRIVE -##} reuse_sandbox - - -uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i - -uri __128_HEX_URI m,/[0-9a-f]{128}, - -uri __128_LC_URI m;[/?][a-z]{128,}$; - -uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i - -uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i - -meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI - -header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ - -uri __64_ANY_URI m;[/?]\w{64,}$;i - -body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i - -body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i - -body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i -tflags __ACCESS_SUSPENDED multiple maxhits=2 - -body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i -tflags __ACCOUNT_DISRUPT multiple maxhits=2 - -body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i - -body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i - -body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i - -body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i - -meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY - -meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3 - -body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i - -body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i - -body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i - -body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH -endif - -uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\// - -uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// - -uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ - -header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ - -meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO - -rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i - -uri __AC_LAND_URI /\/land\// - -uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/ - -uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ - -uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ - -uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/ - -uri __AC_OUTI_URI /\/outi\b/ - -uri __AC_OUTL_URI /\/outl\b/ - -uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\// - -uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\// - -uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i - -uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i - -meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS) - -uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/ - -uri __AC_REPORT_URI /\/report\// - -uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\// - -rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i - -uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/ - -uri __AC_UNSUB_URI /\/unsub\// - -body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i - -body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i - -body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i - -header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i - -header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i - -meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD - -meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW - -meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW - -meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW - -meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD - -meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW - -meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW - -meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW - -meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD - -meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW - -meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW - -meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW - -meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD - -meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW - -meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW - -meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW - -body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ - -body __AFF_LOTTERY /(?:lottery|winner)/i - -meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION) - -body __AFR_UNION /\bafrican\sunion\b/i - -body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i - -meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA - -header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ - -meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO - -body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __ANY_TEXT_ATTACH 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i - tflags __APP_DEVELOPMENT multiple maxhits=6 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 -endif - -body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __ATTACH_NAME_NO_EXT 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i -endif - -body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i - -body __AUTO_ACCIDENT /auto(?:mobile)? accident/i - -header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/ - -header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/ - -body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i - -body __BANK_DRAFT /\bbank\sdraft/i - -body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i - -meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE - -body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i - -body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i - -body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i -tflags __BIGNUM_EMAILS multiple maxhits=5 - -meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2 - -meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i -endif - -body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/ - -meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN - -meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT - -meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF - -meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL - -meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM - -meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 - -meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) - -body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s - -body __BODY_TEXT_LINE /^\s*\S/ -tflags __BODY_TEXT_LINE multiple maxhits=3 - -meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ - tflags __BOGUS_MIME_HDR multiple maxhits=8 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 -endif - -header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/ - -meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX - -body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i - -meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7) - -body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i - -body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i -endif - -body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i - -rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i - -body __BURKINA_FASO /\bburkina\s?faso\b/i - -body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i - -body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i - -body __CAN_HELP /\bcan help\b/i - -body __CASHPRZ /cash prize of/ - -body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i - -body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i -tflags __CLEAN_MAILBOX multiple maxhits=2 - -rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im - -body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i - -body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i - -body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i - -rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i - -body __COPY_PASTE_DE /Kopieren Sie es und f(?:\xfc|\xc3\xbc)gen Sie es ein|Kopieren \& Einf(?:\xfc|\xc3\xbc)gen/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i -endif - -body __COPY_PASTE_ES /copiarlo y pegarlo/i - -body __COPY_PASTE_FR /le copier (et le|\+) coller/i - -body __COPY_PASTE_IT /copia(r?)lo (e|\&) incolla(r?)lo/i - -body __COPY_PASTE_NL /kopieer en plak het/i - -body __COPY_PASTE_SE /kopiera den och klistra in/i - -body __COURIER /\bcourier\s(?:company|service)\b/i - -header __CR_IN_SUBJ Subject:raw =~ /\015/ - -header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i - -header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __CTYPE_NULL 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/ -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s -endif - -header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i -endif - -header __DATE_LOWER ALL =~ /date:\s\S{5}/ - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i - tflags __DAY_I_EARNED multiple maxhits=4 -endif - -body __DBLCLAIM /avoid double claiming/ - -body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i - -body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i - -body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i - -body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i - -body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i - -body __DIED_IN /\bdied\sin\b/i - -body __DIPLOMATIC /\bdiplomatic\b/i - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __DKIMWL_BLOCKED net -endif - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __DKIMWL_BULKMAIL net -endif - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __DKIMWL_FREEMAIL net -endif - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __DKIMWL_WL_BL net -endif - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __DKIMWL_WL_HI net -endif - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __DKIMWL_WL_MED net -endif - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __DKIMWL_WL_MEDHI net -endif - -header __DKIM_EXISTS exists:DKIM-Signature -tflags __DKIM_EXISTS nice - -body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __DOC_ATTACH 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2) -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __DOC_ATTACH_FN1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __DOC_ATTACH_FN2 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __DOC_ATTACH_MT 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i -endif - -body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i - -body __DOS_BODY_FRI /\bfri(?:day)?\b/i - -body __DOS_BODY_MON /\bmon(?:day)?\b/i - -body __DOS_BODY_SAT /\bsat(?:day)?\b/i - -body __DOS_BODY_STOCK /\bstock\b/i - -body __DOS_BODY_SUN /\bsun(?:day)?\b/i - -body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i - -body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/ - -body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i - -body __DOS_BODY_WED /\bwed(?:nesday)?\b/i - -body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/ - -body __DOS_CORRESPOND_EMAIL /correspond with me using my email/ - -meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT - -meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED - -body __DOS_DROP_ME_A_LINE /Drop me a line at/ - -body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/ - -body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i - -uri __DOS_HAS_ANY_URI /^\w+:\/\// - -header __DOS_HAS_LIST_ID exists:List-ID - -header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe - -header __DOS_HAS_MAILING_LIST exists:Mailing-List - -body __DOS_HI /^Hi,$/ - -body __DOS_I_AM_25 /I a.?m 25/ - -body __DOS_I_DRIVE_A /I drive a/ - -body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/ - -body __DOS_LINK /\blink\b/ - -body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/ - -header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/ - -header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/ - -body __DOS_MY_OLD_JOB /my old job/ - -body __DOS_PERSONAL_EMAIL /personal email at/ - -header __DOS_RCVD_FRI Received =~ / Fri, / - -header __DOS_RCVD_MON Received =~ / Mon, / - -header __DOS_RCVD_SAT Received =~ / Sat, / - -header __DOS_RCVD_SUN Received =~ / Sun, / - -header __DOS_RCVD_THU Received =~ / Thu, / - -header __DOS_RCVD_TUE Received =~ / Tue, / - -header __DOS_RCVD_WED Received =~ / Wed, / - -meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE) - -meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON) - -meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN) - -header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s - -header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/ - -body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i - -body __DOS_STRONG_CF /\bstrong cash flow/i - -body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/ - -body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/ - -meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE - -meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR - -body __EARLY_DEMISE /\buntimely\sdeath\b/i - -meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY - -meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY - -meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3) - -meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE - -body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i - -header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/ - -meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR ) - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __EXE_ATTACH 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i -endif - -meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3 - -body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __E_LIKE_LETTER /<lcase_e>/ - tflags __E_LIKE_LETTER multiple maxhits=320 -endif -endif - -meta __FACEBOOK_IMG_NOT_RCVD_FB __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK - -body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i - -body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/ - -rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m - -header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/ - -header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i - -header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov / - -meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO - -body __FB_COST /\bcost\b/i - -body __FB_NUM_PERCNT /\d\s?\%/ - -body __FB_S_PRICE /pri{1,2}c[a-z]?e/i - -body __FB_S_STOCK /\bstock/i - -body __FB_TOUR /\btour/i - -body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i - -body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4) -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_FRAUD_PHISH 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH) -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_FRAUD_PHISH1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_LOAN 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1 -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_LOAN1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_LONG 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2 -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_LONG1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_LONG2 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_PARTIAL 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im - tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5 -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_PARTIAL_RAW 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im - tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5 -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_SHORT 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2) -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_SHORT1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FILL_THIS_FORM_SHORT2 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i -endif - -header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/ - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FM_MY_PRICE __FB_S_PRICE -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE) -endif - -meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i - tflags __FONT_INVIS multiple maxhits=11 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_10 __FONT_INVIS > 10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_2 __FONT_INVIS > 2 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_5 __FONT_INVIS > 5 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_MANY __FONT_INVIS_2 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET -endif - -header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/ - -header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/ - -header __FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/ - -meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D -describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam - -meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1) - -meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) - -meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i - tflags __FOR_SALE_LTP multiple maxhits=11 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __FOR_SALE_NET /00\.? NET/i - tflags __FOR_SALE_NET multiple maxhits=11 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __FOR_SALE_OBO /\bor best offer\b/i - tflags __FOR_SALE_OBO multiple maxhits=6 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i - tflags __FOR_SALE_PRC_100K multiple maxhits=11 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i - tflags __FOR_SALE_PRC_10K multiple maxhits=11 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i - tflags __FOR_SALE_PRC_1K multiple maxhits=11 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m - tflags __FOR_SALE_PRC_EOL multiple maxhits=11 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20 -endif - -body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i - -body __FRAUD /\b(?:de)?fraud/i - -body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i - -body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i - -body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To') -endif - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) -endif - -meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01 - -meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta __FROM_41_FREEMAIL 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED - describe __FROM_41_FREEMAIL Sent from Africa + freemail provider -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS') -endif -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV') -endif -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL') -endif -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD') -endif -endif - -header __FROM_ADDR_WS From:addr =~ /\s/ - -header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i - -header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/ - -header __FROM_ALL_NUMS From:addr =~ /^\d+@/ - -header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i - -meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN - -header __FROM_DOM_INFO From:addr =~ /\.info$/i - -header __FROM_EBAY From:addr =~ /\@ebay\.com$/i - -header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof - header __FROM_EQ_REPLY eval:check_fromname_equals_replyto() -endif -endif - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __FROM_FMBLA_NDBLOCKED net -endif -endif - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __FROM_FMBLA_NEWDOM net -endif -endif - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __FROM_FMBLA_NEWDOM14 net -endif -endif - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __FROM_FMBLA_NEWDOM28 net -endif -endif - -header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/ -tflags __FROM_FULL_NAME nice - -header __FROM_INFO From =~ /(?<![^\w.-])info\@/i - -header __FROM_LOWER ALL =~ /from:\s\S{5}/ - -header __FROM_MISSPACED From =~ /^\s*"[^"]*"</ - -meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta __FROM_MISSP_FREEMAIL 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO) -endif - -meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE -endif - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY) -endif - -header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i - -header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i - -full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm - -header __FROM_NAME_PAYPALCOM From:name =~ /\bpaypal\.com\b/i - -header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i - -header __FROM_RUNON From =~ /\S+<\w+/ - -header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/ - -header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i - -header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/ - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FRT_PRICE 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FRT_PRICE /<inter SP><post P2>\b(?!price)<P><R><X><C><E>\b/i -endif - -rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i - -header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe - -header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i - -header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i - -header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i - -header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i - -header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i - -header __FS_SUBJ_RE Subject =~ /^Re: / - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __FUZZY_MONERO 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i - tflags __GAPPY_SALES_LEADS multiple maxhits=3 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2 -endif - -meta __GB_BITCOIN_CP_DE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_DE ) -describe __GB_BITCOIN_CP_DE German Bitcoin scam - -meta __GB_BITCOIN_CP_EN ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_EN ) -describe __GB_BITCOIN_CP_EN English Bitcoin scam - -meta __GB_BITCOIN_CP_ES ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_ES ) -describe __GB_BITCOIN_CP_ES Spanish Bitcoin scam - -meta __GB_BITCOIN_CP_FR ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_FR ) -describe __GB_BITCOIN_CP_FR French Bitcoin scam - -meta __GB_BITCOIN_CP_IT ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_IT ) -describe __GB_BITCOIN_CP_IT Italian Bitcoin scam - -meta __GB_BITCOIN_CP_NL ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_NL ) -describe __GB_BITCOIN_CP_NL Dutch Bitcoin scam - -meta __GB_BITCOIN_CP_SE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_SE ) -describe __GB_BITCOIN_CP_SE Swedish Bitcoin scam - -if (version >= 4.000000) -if can(Mail::SpamAssassin::Conf::feature_capture_rules) - uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)(?:\#|\?&e=)%{GB_TO_ADDR};i -endif -endif - -if (version >= 4.000000) -if can(Mail::SpamAssassin::Conf::feature_capture_rules) - uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i -endif -endif - -if (version >= 4.000000) -if can(Mail::SpamAssassin::Conf::feature_capture_rules) - uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:email=|wapp\#)%{GB_TO_ADDR};i -endif -endif - -if (version >= 4.000000) -if can(Mail::SpamAssassin::Conf::feature_capture_rules) - uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i -endif -endif - -header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i - -if (version >= 4.000000) -if can(Mail::SpamAssassin::Conf::feature_capture_rules) - header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/ -endif -endif - -body __GHANA /\bghana\b/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i -endif - -body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i - -meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) - -meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY - -meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED - -uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i - -uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i - -meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY - -meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML - -meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML - -meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML - -body __HAS_ANY_EMAIL /\w@\S+\.\w/ - -uri __HAS_ANY_URI /^\w+:\/\// - -header __HAS_CAMPAIGNID exists:X-Campaignid - -header __HAS_CID exists:X-CID - -header __HAS_COMPLAINT_TO exists:Complaint-To - -header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature - -describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line -rawbody __HAS_HREF /^[^>].*?<a href=/im -tflags __HAS_HREF multiple maxhits=100 - -describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case -rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m -tflags __HAS_HREF_ONECASE multiple maxhits=100 - -describe __HAS_IMG_SRC Has an img tag on a non-quoted line -rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im -tflags __HAS_IMG_SRC multiple maxhits=100 - -rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im - -describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case -rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m -tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100 - -header __HAS_LIST_OPEN exists:List-Open - -header __HAS_LOGID exists:logid - -header __HAS_MESSAGEID exists:MessageID - -header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script - -header __HAS_PHP_SCRIPT exists:X-PHP-Script - -header __HAS_THREAD_INDEX exists:Thread-Index - -header __HAS_TRACKING_CODE exists:Tracking-Code - -body __HAS_WON_01 /\bque ha ganado\b/i - -header __HAS_XM_LID exists:X-Mailer-LID - -header __HAS_XM_RECPTID exists:X-Mailer-RecptId - -header __HAS_XM_SENTBY exists:X-Mailer-Sent-By - -header __HAS_XM_SID exists:X-Mailer-SID - -header __HAS_X_EBSERVER exists:X-EBSERVER - -header __HAS_X_LETTER exists:X-Letter - -header __HAS_X_NO_RELAY exists:X-No-Relay - -header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status - -header __HAS_X_SENDER exists:X-Sender - -header __HAS_X_SOURCE_DIR exists:X-Source-Dir - -header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm -tflags __HDRS_LCASE multiple maxhits=3 - -meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH - -header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism - -header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m -tflags __HDR_CASE_REVERSED multiple maxhits=4 - -header __HDR_ENVFROM_SHOPIFY X-Spam-Relays-External =~ /\shelo=\S+\.mailer\.shopify\.com\s(?:[^\]\s]+\s)*envfrom=\S+\.shopifyemail\.com\s/ - -header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s - -header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/ - -header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/ - -header __HDR_RCVD_AMAZON_HELO X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/ - -header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/ - -header __HDR_RCVD_BEBEE X-Spam-Relays-External =~ /\srdns=\S+\.bebee\.com\s/ - -header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/ - -header __HDR_RCVD_FACEBOOK X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/ - -header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/ - -header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/ - -header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/ - -header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/ - -header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/ - -header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/ - -header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/ - -header __HDR_RCVD_TARINGANET X-Spam-Relays-External =~ /\srdns=\S+\.taringa\.net\s/ - -header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/ - -header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/ - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __HELO_DNS net -endif - -header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i - -header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/ - -header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ / - -body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/ -tflags __HEXHASHWORD_S2EU multiple maxhits=4 - -body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i - -body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i - -body __HK_LOTTO_STAATS /\bstaatsloteri/i - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -if (version >= 3.004000) - header __HK_NAME_FROM From:name =~ /^FROM\b/mi -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -if (version >= 3.004000) - header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi -endif -endif - -body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i - -body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i - -body __HK_SCAM_N2 /\bnext of kin\b/i - -body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i - -body __HK_SCAM_N8 /\byour compensation\b/i - -body __HK_SCAM_S1 /pay you the sum of/i - -body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i - -body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi -endif - -meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && __URI_HOSTED_IMG - -meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && __URI_HOSTED_IMG - -meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG - -meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE) > 1 - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i -endif - -rawbody __HS_QUOTE /^> / - -header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/ - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __HTML_ATTACH_01 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.s?html?\b,i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __HTML_ATTACH_02 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.s?html?\b,i -endif - -rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i - -meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML - -meta __HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) - -rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i - -rawbody __HTML_FONT_TINY_02 /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i - -meta __HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE - -rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/ - tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE -endif - -rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i -tflags __HTML_SINGLET multiple maxhits=21 - -meta __HTML_SINGLET_10 __HTML_SINGLET > 10 - -meta __HTML_SINGLET_MANY __HTML_SINGLET > 20 - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval - body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') -endif - -body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i - -uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i -tflags __IMGUR_IMG multiple maxhits=4 - -meta __IMGUR_IMG_2 __IMGUR_IMG == 2 - -meta __IMGUR_IMG_3 __IMGUR_IMG == 3 - -if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) - meta __IMG_LE_300K 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ImageInfo - body __IMG_LE_300K eval:pixel_coverage('all',62500,300000) -endif - -body __INHERIT_PMT /\binheritance\spayment\s/i - -body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i - -body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i - -body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i - -header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __ISO_ATTACH 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __ISO_ATTACH_MT 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i -endif - -body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i - -body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i - -body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i - -body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i - -header __JM_REACTOR_DATE Date =~ / \+0000$/ - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) - body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024') - describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes. -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) - body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128') - describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes. -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) - body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256') - describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes. -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) - body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512') - describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes. -endif -endif - -if !plugin(Mail::SpamAssassin::Plugin::HTMLEval) -meta __KAM_HTML_FONT_INVALID 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval -body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color') -endif - -body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is - -header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/ - -header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/ - -meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME) - -if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) - meta __LARGE_PERCENT_AFTER 0 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __LARGE_PERCENT_AFTER /\d{3}% after/i - tflags __LARGE_PERCENT_AFTER multiple maxhits=4 -endif - -if !plugin(Mail::SpamAssassin::Plugin::HeaderEval) - meta __LCL__ENV_AND_HDR_FROM_MATCH 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval - meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH -endif - -if !plugin(Mail::SpamAssassin::Plugin::BodyEval) - meta __LCL__KAM_BODY_LENGTH_LT_1024 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval -if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) - meta __LCL__KAM_BODY_LENGTH_LT_1024 0 -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) - meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 -endif -endif - -if !plugin(Mail::SpamAssassin::Plugin::BodyEval) - meta __LCL__KAM_BODY_LENGTH_LT_128 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval -if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) - meta __LCL__KAM_BODY_LENGTH_LT_128 0 -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) - meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 -endif -endif - -if !plugin(Mail::SpamAssassin::Plugin::BodyEval) - meta __LCL__KAM_BODY_LENGTH_LT_512 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval -if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) - meta __LCL__KAM_BODY_LENGTH_LT_512 0 -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::BodyEval - if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) - meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 -endif -endif - -meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN - -meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID - -meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 - -meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR - -body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/ - -uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i - -body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i -tflags __LOCK_MAILBOX multiple maxhits=2 - -full __LONGLINE /^[^\r\n]{998}/m - -meta __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE - -rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __LOTSA_MONEY_00 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/ -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __LOTSA_MONEY_01 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/ -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __LOTSA_MONEY_02 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/ -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __LOTSA_MONEY_03 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/ -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __LOTSA_MONEY_04 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __LOTSA_MONEY_05 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i -endif - -meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2 - -body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i - -body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i - -uri __LOTTO_ADMITS_3 /lott+ery/i - -meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02 - -body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i - -body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i - -header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __LOTTO_ATTACH_1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __LOTTO_ATTACH_2 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i -endif - -body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i - -body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i - -body __LOTTO_VERIFY /\bpromo\sverification/i - -body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i - -body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __LOWER_E /e/ - tflags __LOWER_E multiple maxhits=230 -endif -endif - -body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i - -body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i - -header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n){1,40}^(?:Subject|Date): /ism - -rawbody __L_BODY_8BITS /[\x80-\xff]/ - -header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/ - -header __L_CTE_8BIT Content-Transfer-Encoding =~ /^8bit$/ - -body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i - -body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i - -header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ - -body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i - -body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i - -uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i -tflags __MAIL_LINK nice - -body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i - -header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/ - -meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE - -meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02 -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __MALW_ATTACH_01_01 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __MALW_ATTACH_01_02 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __MALW_ATTACH_02_01 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __MALW_ATTACH_02_02 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i -endif - -meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 - -meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) - -header __MAY_BE_FORGED Received =~ /\(may be forged\)/ - -header __MID_START_001C Message-ID =~ /^<000001c/ - -body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i - -header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/ - -meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX - -header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/ - -if !((version >= 3.004000)) - meta __MIME_CTYPE_IN_BODY 0 -endif - -if (version >= 3.004000) - body __MIME_CTYPE_IN_BODY /^Content-Type:\s/ -endif - -if !((version >= 3.004000)) - meta __MIME_MALF 0 -endif - -if (version >= 3.004000) - meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __MIME_NO_TEXT 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH) -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - rawbody __MIME_QPC eval:check_for_mime('mime_qp_count') -endif - -header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] - -header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] - -rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/ - -rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/ - -rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/ - -rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/ - -rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/ - -header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ - -meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) - -body __MONERO_CURNCY /Monero \(XMR\)/ - -body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ - -meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD - -meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM - -meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT - -meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) - -meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) - -meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto -endif - -meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY - -body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i - -meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE - -header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i - -header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ - -header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ - -header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./ -tflags __MSGID_JAVAMAIL nice - -header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/ -tflags __MSGID_LIST nice - -header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m - -meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL - -header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i - -header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i - -meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT - -header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: / - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i -endif - -header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ - -header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/ - -body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i -endif - -header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/ - -meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL - -header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i - -header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/ - -body __NEVER_HEAR_EN /(never hear me again|destroy all your secrets|not bother you again|leave you alone)/i - -body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i - -meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG - -body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i - -body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i - -body __NIGERIA /\bnigeria\b/i - -meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE - -meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO -tflags __NOT_A_PERSON nice - -body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i - -body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i - -tflags __NOT_SPOOFED nice - -if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) -if !plugin(Mail::SpamAssassin::Plugin::SPF) - meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF -endif -endif - -if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) - ifplugin Mail::SpamAssassin::Plugin::SPF - meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF -endif -endif - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) -if !plugin(Mail::SpamAssassin::Plugin::SPF) - meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF. -endif -endif - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - ifplugin Mail::SpamAssassin::Plugin::SPF - meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF -endif -endif - -meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS) - -header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ -describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 - -header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ -describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 - -header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i - -header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) -endif - -body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/ - -if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) - meta __ONE_IMG 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ImageInfo - body __ONE_IMG eval:image_count('all',1,1) -endif - -header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./ - -body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/ -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/ -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/ -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __PART_STOCK_CL Content-Location =~ /./ -endif - -body __PASSIVE_INCOME /\bpassive income\b/i - -body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i - -body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i - -body __PASSWORD_UPGRADE /\bpassword upgrade\b/i - -body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i -endif - -body __PAY_YOU /\bpay\syou\b/ - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __PCT_FOR_YOU 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50 -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __PCT_FOR_YOU_1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __PCT_FOR_YOU_2 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __PCT_FOR_YOU_3 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - meta __PCT_OF_PMTS 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __PDF_ATTACH 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __PDF_ATTACH_FN1 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __PDF_ATTACH_FN2 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __PDF_ATTACH_MT 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - header __PDS_BTC_ANON From:name =~ /\bAnon/ -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE ) -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i -endif - -meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i -endif - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER') -endif -endif - -uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$; - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i -endif -endif - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i -endif - -header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i - -header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism - -header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/ - -meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2) - -header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/ - -header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/ - -header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/ - -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS) -tflags __PDS_HP_HELO_NODNS net -endif - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval -meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024 -endif - -ifplugin Mail::SpamAssassin::Plugin::HTMLEval -meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048 -endif - -meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) - -meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024) - -meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512) - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28) -tflags __PDS_NEWDOMAIN net -endif -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i -endif -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) - meta __PDS_QP_1024 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024) -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) - meta __PDS_QP_128 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128) -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) - meta __PDS_QP_512 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512) -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) - meta __PDS_QP_64 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEEval - meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64) -endif - -header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i -endif -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i -endif -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED -endif -endif - -if (version >= 3.004001) -ifplugin Mail::SpamAssassin::Plugin::AskDNS -tflags __PDS_SPF_ONLYALL net -endif -endif - -meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE - -header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/ - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism -endif - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism -endif - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024 -endif -endif - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta __PDS_URISHORTENER __URL_SHORTENER -endif -endif - -meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 - -body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i - -body __PERFECT_BINARY /\bperfect binary option\b/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i -endif - -meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i - tflags __PHOTO_RETOUCHING multiple maxhits=5 -endif - -header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ - -meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2 - -header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./ - -header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/ - -header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ - -meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) - -if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) - meta __PILL_PRICE_01 0 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i - tflags __PILL_PRICE_01 multiple maxhits=3 -endif - -if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) - meta __PILL_PRICE_02 0 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i - tflags __PILL_PRICE_02 multiple maxhits=3 -endif - -body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i - -ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof -header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() -endif - -ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof -header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() -endif - -uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i - -body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i - -body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i - -body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i - -body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i - -body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i - -body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i - -body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i - -body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i - -body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i - -body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i - -body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i - -header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism -tflags __RAND_HEADER multiple maxhits=4 - -meta __RAND_HEADER_2 __RAND_HEADER > 1 - -header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism - -header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # " - -header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # " - -header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i -tflags __RCD_RDNS_MAIL nice - -header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i -tflags __RCD_RDNS_MAIL_MESSY nice - -header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i -tflags __RCD_RDNS_MTA nice - -header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i -tflags __RCD_RDNS_MTA_MESSY nice - -header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i -tflags __RCD_RDNS_MX nice - -header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ -tflags __RCD_RDNS_MX_MESSY nice - -header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i -tflags __RCD_RDNS_OB nice - -header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i -tflags __RCD_RDNS_SMTP nice - -header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ -tflags __RCD_RDNS_SMTP_MESSY nice - -header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i - -meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) - -meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) - -header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i - -header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / - -header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/ - -header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ / - -header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ - -header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} / - -body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i - -header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./ - -body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { - meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH) -endif - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') -endif -endif - -header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i - -header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug))|office1office|radka|shwestwood|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|risterlordruben|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavisdonation)|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:jane|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|iidp|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|mfdeputyoff|n(?:fo\.annedouglas|gridrolle)|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|sephacevedo|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|urhinck|viswan(?:czyk(?:(?:foundation|k))?)?)|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ss\.yasmineibrahim)|k(?:ent|untjoro)|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|ousefzongo)|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i - -header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|en(?:jaminb|nicholas)|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i - -header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i - -header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i - -header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i - -if !((version >= 3.003000)) - meta __RP_MATCHES_RCVD 0 -endif - -if (version >= 3.003000) -if !plugin(Mail::SpamAssassin::Plugin::WLBLEval) - meta __RP_MATCHES_RCVD 0 -endif -endif - -if (version >= 3.003000) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval - header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() -endif -endif - -body __SCAM /\bscam(?:m?e[dr])?s?\b/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/ -endif - -body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i - -header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i -tflags __SENDER_BOT nice - -uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, - -meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH - -meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) - -body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i - -meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY - -uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ - -body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ -tflags __SINGLE_WORD_LINE multiple maxhits=2 - -header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ - -header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i - -rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ -tflags __SPAN_BEG_TEXT multiple maxhits=5 - -rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ -tflags __SPAN_END_TEXT multiple maxhits=5 - -if !plugin(Mail::SpamAssassin::Plugin::SPF) - meta __SPF_FULL_PASS 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::SPF - meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) - tflags __SPF_FULL_PASS net -endif - -if !plugin(Mail::SpamAssassin::Plugin::SPF) - meta __SPF_RANDOM_SENDER 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::SPF - meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) - tflags __SPF_RANDOM_SENDER net -endif - -meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM -tflags __SPOOFED_FREEMAIL net - -meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO -tflags __SPOOFED_FREEM_REPTO net - -rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i - -meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE - -body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i - -body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i - tflags __STY_INVIS multiple maxhits=6 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __STY_INVIS_1 __STY_INVIS == 1 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __STY_INVIS_2 __STY_INVIS > 1 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __STY_INVIS_3 __STY_INVIS > 2 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __STY_INVIS_MANY __STY_INVIS > 5 -endif - -header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ - -meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY - -header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i - -header __SUBJ_ATTENTION Subject =~ /ATTENTION/ - -meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU - -header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ -tflags __SUBJ_BROKEN_WORD multiple maxhits=2 - -meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN - -header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism - -header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism - -header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism - -header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism - -header __SUBJ_NOT_SHORT Subject =~ /^.{16}/ - -header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i -tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 - -header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ - -header __SUBJ_SHORT Subject =~ /^.{0,8}$/ - -header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ - -body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i -tflags __SUBSCRIPTION_INFO nice - -body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i - -body __SURVEY /\bsurvey\b/i - -body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i - -body __SUSPICION_LOGIN /\bsuspicion login\b/i - -body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i - -meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT - -meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET - -header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ - -rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m -tflags __TENWORD_GIBBERISH multiple maxhits=21 - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i -endif - -body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i - -body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i - -meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) -tflags __THREADED nice - -header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$, - -header __TO_ALL_NUMS To:addr =~ /^\d+@/ - -meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX - -if !plugin(Mail::SpamAssassin::Plugin::SPF) - meta __TO_EQ_FM_DOM_SPF_FAIL 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::SPF - meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL - tflags __TO_EQ_FM_DOM_SPF_FAIL net -endif - -if !plugin(Mail::SpamAssassin::Plugin::SPF) - meta __TO_EQ_FM_SPF_FAIL 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::SPF - meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL - tflags __TO_EQ_FM_SPF_FAIL net -endif - -meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) -describe __TO_EQ_FROM To: same as From: - -header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism - -header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism - -meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) -describe __TO_EQ_FROM_DOM To: domain same as From: domain - -header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism - -header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism - -meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) -describe __TO_EQ_FROM_USR To: username same as From: username - -header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism - -header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism - -meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) -describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums - -header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism - -header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism - -meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED - -meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) - -header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/ - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta __TO_NO_BRKTS_FREEMAIL 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO) -endif - -meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON - -meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG - -meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY - -meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) - -meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE - -meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT - -meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01 - -header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i - -header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ - -body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i - -body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i - -header __TO___LOWER ALL =~ /to:\s\S{5}/ - -body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i - -body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i - -body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i - -body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i - -meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 - -body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i - -body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i - -body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i - -body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i - -body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i - -rawbody __TR_JS_CONCATINATED_HTTP m@\b(?!http:/)h["'+]{0,3}(?:t["'+]{0,3}){2}p['"+]{0,3}:['"+]{0,3}/@ -describe __TR_JS_CONCATINATED_HTTP Contains concatenated URI like "htt"+"p://..." - -rawbody __TR_JS_EXTRA_CONCAT /[+=(]\s{0,9}["'][a-z0-9.]{1,32}["'] ?\+ ?["'][a-z0-9]{1,32}["']/i -describe __TR_JS_EXTRA_CONCAT JavaScript: Unnecessary string concatenation - -rawbody __TR_JS_EXTRA_UNESCAPE /[+=(]\s{0,9}unescape\s{0,9}\(\s{0,9}["']%(?i:6[1-9A-F]|7[0-9A])/ -describe __TR_JS_EXTRA_UNESCAPE JavaScript: Unnecessary URI escaping - -header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i - -header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i - -header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/ - -header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/ - -header __TT_VALIUM Subject =~ /VALIUM/i - -header __TT_VIAGRA Subject =~ /VIAGRA/i - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/ -endif - -body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i - -body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i - -body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i - -body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i - -body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i - -body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i - -body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i - -body __TVD_PH_BODY_08 /\bmultiple password failures/i - -body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i - -body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i - -meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08 - -header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i - -header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i - -header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i - -header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i - -header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i - -header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i - -header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i - -header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i - -header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i - -header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i - -header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i - -header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i - -header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i - -header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i - -header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i - -header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i - -header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i - -header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i - -header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i - -header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i - -meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST - -meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) - -if !plugin(Mail::SpamAssassin::Plugin::BodyEval) - meta __TVD_SPACE_RATIO 0 -endif - -header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i - -meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512) - -header __UA_GNUS User-Agent =~ /^Gnus/ - -header __UA_KMAIL User-Agent =~ /^KMail/ - -header __UA_KNODE User-Agent =~ /^KNode/ - -header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/ - -header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/ - -header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ - -header __UA_MUTT User-Agent =~ /^Mutt/ - -header __UA_OPERA7 User-Agent =~ /^Opera7/ - -header __UA_PAN User-Agent =~ /^Pan/ - -header __UA_XNEWS User-Agent =~ /^Xnews/ - -body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/ -tflags __UC_GIBB_OBFU multiple maxhits=2 - -body __UN /\bunited\snations?\b/i - -meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto - -meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i - tflags __UNICODE_OBFU_ASC multiple maxhits=10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i - tflags __UNICODE_OBFU_ZW multiple maxhits=10 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 -endif - -body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i -tflags __UNSUB_EMAIL nice - -body __UNSUB_GOOG_FORM m,Unsub?sc?ribe\s<?https?://docs\.google\.com/forms/,i - -uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i -tflags __UNSUB_LINK nice - -body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i - -uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ - -uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i - -uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i - -uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/, - -uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i - -uri __URI_DATA /^data:(?!image\/)[a-z]/i - -uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i - -uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i - -meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW - -uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i - -uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/ - -uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i - -uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/, - -uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i - -uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i - -uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i - -uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i - -uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i -tflags __URI_GOOG_STO_HTML multiple maxhits=5 - -uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i -tflags __URI_GOOG_STO_IMG multiple maxhits=5 - -uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i - -meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE ) - -uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i - -uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i - -uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i - -uri __URI_IMG_BEBEE m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i - -uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i - -uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_FACEBOOK m;://([^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i - -uri __URI_IMG_GTRACING m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_IMGBOX_THUMB m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i -uri __URI_IMG_JOOMCDN m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i - -uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i - -uri __URI_IMG_POSTIMGCC m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i - -uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i - -uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_TARINGANET m;://media\.taringa\.net/knn/;i - -uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i - -uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i - -uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i - -uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i - -uri __URI_IMG_WIXMP m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i - -uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i - -uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i - -uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i - -uri __URI_MAILTO /^mailto:/i -tflags __URI_MAILTO multiple maxhits=16 - -uri __URI_MONERO /buy-monero/i - -uri __URI_OBFU_DOM /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i - -meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 - -meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) - -uri __URI_PHP_REDIR m;/redirect\.php\?;i - -uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i - -uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage\.)[^/.]+\.)+(?:com|net)\b,i - -uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i - -uri __URI_WEBAPP m,://[^./]+\.web\.app/, - -uri __URI_WPADMIN m,/wp-admin/\w+/,i - -uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i - -uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i - -uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i - -uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$); - -uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$); - -header __USING_VERP1 Return-Path =~ /[+-].*=/ - -header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i -tflags __VACATION nice - -body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i -tflags __VALIDATE_MAILBOX multiple maxhits=2 - -body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i - -body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i -tflags __VERIFY_ACCOUNT multiple maxhits=2 - -meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i -endif -endif - -meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART - -body __WEBMAIL_ACCT /\byour web ?mail account/i - -body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i - -meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2 - -body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i - -body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i - -body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i - -body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i - tflags __WORD_INVIS multiple maxhits=6 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __WORD_INVIS_2 __WORD_INVIS > 1 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __WORD_INVIS_5 __WORD_INVIS > 5 -endif - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID -endif - -header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ - -meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY - -meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/ -endif - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/ -endif - -header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/ - -header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/ - -header __XM_BALSA X-Mailer =~ /^Balsa \d/ - -header __XM_CALYPSO X-Mailer =~ /^Calypso/ - -header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/ - -header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/ - -header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ - -header __XM_GNUS X-Mailer =~ /^Gnus v/ - -header __XM_MHE X-Mailer =~ /^mh-e \d/ - -header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/ - -header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/ - -header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/ - -header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ - -header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/ - -header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/ - -header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/ - -header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/ - -header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/ - -header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/ - -header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ - -header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i - -header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/ - -header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/ - -header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/ - -header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/ - -header __XM_VERY_LONG X-Mailer =~ /.{50}/ - -header __XM_VM X-Mailer =~ /^VM \d/ - -header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/ - -header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/ - -meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER - -meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i -endif - -body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i - -body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i - -body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i -endif - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i -endif - -body __YOUR_PERM /\byour\spermission\b/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i -endif - -body __YOUR_PROFIT /\byour?\sprofit/i - -if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) - body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i -endif - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i -endif - -body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i - -body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i - -meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY)) - -body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i - -body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i - -body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i - -body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i - -body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __ZIP_ATTACH_MT 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i -endif - -if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) - meta __ZIP_ATTACH_NOFN 0 -endif - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i -endif - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To') -endif - -body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') -endif diff --git a/resources/spamassassin/72_scores.cf b/resources/spamassassin/72_scores.cf deleted file mode 100644 index 600b25a7..00000000 --- a/resources/spamassassin/72_scores.cf +++ /dev/null @@ -1,407 +0,0 @@ -score AC_BR_BONANZA 0.001 0.001 0.001 0.001 -score AC_DIV_BONANZA 0.001 0.001 0.001 0.001 -score AC_FROM_MANY_DOTS 2.999 2.999 2.999 2.999 -score AC_HTML_NONSENSE_TAGS 1.999 1.999 1.999 1.999 -score AC_POST_EXTRAS 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS1 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS10 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS11 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS12 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS2 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS3 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS4 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS8 1.000 1.000 1.000 1.000 -score AC_SPAMMY_URI_PATTERNS9 1.000 1.000 1.000 1.000 -score ADMITS_SPAM 3.299 0.001 3.299 0.001 -score ADULT_DATING_COMPANY 10.000 10.000 10.000 10.000 -score ADVANCE_FEE_2_NEW_FORM 1.000 1.000 1.000 1.000 -score ADVANCE_FEE_2_NEW_FRM_MNY 1.000 1.000 1.000 1.000 -score ADVANCE_FEE_2_NEW_MONEY 1.999 1.999 1.999 1.999 -score ADVANCE_FEE_3_NEW 2.350 2.776 2.350 2.776 -score ADVANCE_FEE_3_NEW_MONEY 0.488 2.599 0.488 2.599 -score ADVANCE_FEE_4_NEW 2.499 2.399 2.499 2.399 -score ADVANCE_FEE_4_NEW_MONEY 2.126 0.001 2.126 0.001 -score ADVANCE_FEE_5_NEW_FRM_MNY 0.841 2.499 0.841 2.499 -score ADVANCE_FEE_5_NEW_MONEY 0.001 0.001 0.001 0.001 -score AD_PREFS 0.499 0.001 0.499 0.001 -score ALIBABA_IMG_NOT_RCVD_ALI 1.000 1.000 1.000 1.000 -score AMAZON_IMG_NOT_RCVD_AMZN 0.001 0.001 0.001 0.001 -score APP_DEVELOPMENT_FREEM 1.000 1.000 1.000 1.000 -score APP_DEVELOPMENT_NORDNS 1.000 1.000 1.000 1.000 -score ARC_SIGNED 0.001 0.001 0.001 0.001 -score ARC_VALID 0.001 0.001 0.001 0.001 -score AXB_XMAILER_MIMEOLE_OL_024C2 0.001 0.001 0.001 0.001 -score AXB_X_FF_SEZ_S 2.499 2.699 2.499 2.699 -score BAT_BDRY_TO_MALF 2.499 2.499 2.499 2.499 -score BEBEE_IMG_NOT_RCVD_BB 1.000 1.000 1.000 1.000 -score BIGNUM_EMAILS_FREEM 0.001 0.001 0.001 0.001 -score BIGNUM_EMAILS_MANY 2.999 2.999 2.999 2.999 -score BITCOIN_BOMB 1.000 1.000 1.000 1.000 -score BITCOIN_DEADLINE 2.999 2.278 2.999 2.278 -score BITCOIN_EXTORT_01 2.102 1.793 2.102 1.793 -score BITCOIN_EXTORT_02 1.000 1.000 1.000 1.000 -score BITCOIN_IMGUR 1.000 1.000 1.000 1.000 -score BITCOIN_MALF_HTML 2.834 0.776 2.834 0.776 -score BITCOIN_MALWARE 1.670 0.001 1.670 0.001 -score BITCOIN_OBFU_SUBJ 1.000 1.000 1.000 1.000 -score BITCOIN_ONAN 1.146 2.042 1.146 2.042 -score BITCOIN_PAY_ME 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_01 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_02 1.436 0.696 1.436 0.696 -score BITCOIN_SPAM_03 2.499 2.500 2.499 2.500 -score BITCOIN_SPAM_04 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_05 0.001 1.565 0.001 1.565 -score BITCOIN_SPAM_06 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_07 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_08 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_09 1.499 1.499 1.499 1.499 -score BITCOIN_SPAM_10 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_11 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_12 1.000 1.000 1.000 1.000 -score BITCOIN_SPF_ONLYALL 0.001 1.000 0.001 1.000 -score BITCOIN_XPRIO 0.510 0.001 0.510 0.001 -score BITCOIN_YOUR_INFO 1.395 1.916 1.395 1.916 -score BODY_URI_ONLY 1.153 0.484 1.153 0.484 -score BOGUS_MIME_VERSION 1.000 1.000 1.000 1.000 -score BOGUS_MSM_HDRS 1.000 1.000 1.000 1.000 -score BOMB_FREEM 1.000 1.000 1.000 1.000 -score BOMB_MONEY 1.000 1.000 1.000 1.000 -score BTC_ORG 1.000 1.000 1.000 1.000 -score BULK_RE_SUSP_NTLD 0.920 1.000 0.920 1.000 -score CANT_SEE_AD 1.000 1.000 1.000 1.000 -score CK_HELO_GENERIC 0.250 0.249 0.250 0.249 -score COMMENT_GIBBERISH 1.000 1.000 1.000 1.000 -score COMPENSATION 1.000 0.001 1.000 0.001 -score CONTENT_AFTER_HTML 1.000 1.000 1.000 1.000 -score CONTENT_AFTER_HTML_WEAK 1.000 1.000 1.000 1.000 -score CTE_8BIT_MISMATCH 0.999 0.001 0.999 0.001 -score DATE_IN_FUTURE_Q_PLUS 2.699 2.699 2.699 2.699 -score DAY_I_EARNED 1.000 1.000 1.000 1.000 -score DEAR_BENEFICIARY 1.865 1.387 1.865 1.387 -score DKIMWL_BL 0.001 1.000 0.001 1.000 -score DKIMWL_BLOCKED 0.001 0.001 0.001 0.001 -score DKIMWL_WL_HIGH 0.001 -0.001 0.001 -0.001 -score DKIMWL_WL_MED 0.001 -0.001 0.001 -0.001 -score DKIMWL_WL_MEDHI 0.001 -0.214 0.001 -0.214 -score DOTGOV_IMAGE 1.000 1.000 1.000 1.000 -score DX_TEXT_03 1.699 1.799 1.699 1.799 -score DYNAMIC_IMGUR 1.000 1.000 1.000 1.000 -score EBAY_IMG_NOT_RCVD_EBAY 1.000 1.000 1.000 1.000 -score ENCRYPTED_MESSAGE -1.000 -0.999 -1.000 -0.999 -score END_FUTURE_EMAILS 2.500 2.499 2.500 2.499 -score ENVFROM_GOOG_TRIX 1.000 1.000 1.000 1.000 -score FACEBOOK_IMG_NOT_RCVD_FB 1.000 1.000 1.000 1.000 -score FBI_MONEY 1.000 0.001 1.000 0.001 -score FBI_SPOOF 1.000 1.109 1.000 1.109 -score FILL_THIS_FORM 0.799 0.699 0.799 0.699 -score FONT_INVIS_DIRECT 0.001 0.001 0.001 0.001 -score FONT_INVIS_DOTGOV 1.000 1.000 1.000 1.000 -score FONT_INVIS_HTML_NOHTML 1.000 1.000 1.000 1.000 -score FONT_INVIS_LONG_LINE 2.999 3.000 2.999 3.000 -score FONT_INVIS_MSGID 1.762 1.942 1.762 1.942 -score FONT_INVIS_NORDNS 0.001 1.614 0.001 1.614 -score FONT_INVIS_POSTEXTRAS 0.155 1.389 0.155 1.389 -score FORM_FRAUD 0.001 1.000 0.001 1.000 -score FORM_FRAUD_3 2.399 0.001 2.399 0.001 -score FORM_FRAUD_5 0.889 0.001 0.889 0.001 -score FOUND_YOU 1.000 1.000 1.000 1.000 -score FREEMAIL_FORGED_FROMDOMAIN 0.249 0.001 0.249 0.001 -score FREEM_FRNUM_UNICD_EMPTY 1.000 1.000 1.000 1.000 -score FRNAME_IN_MSG_XPRIO_NO_SUB 1.000 1.000 1.000 1.000 -score FROM_2_EMAILS_SHORT 0.001 1.306 0.001 1.306 -score FROM_ADDR_WS 1.000 2.999 1.000 2.999 -score FROM_BANK_NOAUTH 0.001 1.000 0.001 1.000 -score FROM_FMBLA_NDBLOCKED 0.001 0.001 0.001 0.001 -score FROM_FMBLA_NEWDOM 0.001 1.500 0.001 1.500 -score FROM_FMBLA_NEWDOM14 0.001 1.000 0.001 1.000 -score FROM_FMBLA_NEWDOM28 0.001 0.799 0.001 0.799 -score FROM_GOV_DKIM_AU 0.001 -0.001 0.001 -0.001 -score FROM_GOV_REPLYTO_FREEMAIL 0.001 1.000 0.001 1.000 -score FROM_GOV_SPOOF 0.001 1.000 0.001 1.000 -score FROM_MISSPACED 2.000 1.999 2.000 1.999 -score FROM_MISSP_EH_MATCH 1.999 1.595 1.999 1.595 -score FROM_MISSP_FREEMAIL 0.001 1.017 0.001 1.017 -score FROM_MISSP_MSFT 0.001 0.001 0.001 0.001 -score FROM_MISSP_REPLYTO 2.198 0.001 2.198 0.001 -score FROM_MISSP_SPF_FAIL 0.001 0.185 0.001 0.185 -score FROM_MISSP_USER 0.001 0.001 0.001 0.001 -score FROM_MULTI_NORDNS 1.786 1.002 1.786 1.002 -score FROM_NEWDOM_BTC 0.001 1.000 0.001 1.000 -score FROM_NTLD_LINKBAIT 1.000 1.000 1.000 1.000 -score FROM_NTLD_REPLY_FREEMAIL 1.000 1.000 1.000 1.000 -score FROM_NUMBERO_NEWDOMAIN 0.001 1.000 0.001 1.000 -score FROM_PAYPAL_SPOOF 0.001 1.599 0.001 1.599 -score FROM_SUSPICIOUS_NTLD 0.499 0.499 0.499 0.499 -score FROM_SUSPICIOUS_NTLD_FP 1.999 1.999 1.999 1.999 -score FSL_BULK_SIG 0.001 0.001 0.001 0.001 -score FSL_CTYPE_WIN1251 0.001 0.001 0.001 0.001 -score FSL_NEW_HELO_USER 0.001 0.001 0.001 0.001 -score FUZZY_AMAZON 0.001 0.001 0.001 0.001 -score FUZZY_BITCOIN 0.001 0.001 0.001 0.001 -score FUZZY_PORN 0.269 0.001 0.269 0.001 -score FUZZY_WALLET 1.799 0.001 1.799 0.001 -score GAPPY_SALES_LEADS_FREEM 1.000 1.000 1.000 1.000 -score GB_BITCOIN_CP 1.004 2.910 1.004 2.910 -score GB_BITCOIN_NH 0.965 0.737 0.965 0.737 -score GB_CUSTOM_HTM_URI 1.499 0.490 1.499 0.490 -score GB_FAKE_RF_SHORT 1.061 1.460 1.061 1.460 -score GB_FORGED_MUA_POSTFIX 1.000 1.000 1.000 1.000 -score GB_FREEMAIL_DISPTO 0.499 0.500 0.499 0.500 -score GB_FREEMAIL_DISPTO_NOTFREEM 0.500 0.500 0.500 0.500 -score GB_GOOGLE_OBFUR 0.750 0.750 0.750 0.750 -score GB_HASHBL_BTC 0.001 0.001 0.001 0.001 -score GB_STORAGE_GOOGLE_EMAIL 1.000 1.000 1.000 1.000 -score GB_URI_FLEEK_STO_HTM 0.999 0.999 0.999 0.999 -score GOOGLE_DOCS_PHISH 1.000 1.000 1.000 1.000 -score GOOGLE_DOCS_PHISH_MANY 1.000 1.000 1.000 1.000 -score GOOGLE_DOC_SUSP 1.000 1.000 1.000 1.000 -score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.000 1.000 1.000 1.000 -score GOOG_MALWARE_DNLD 1.000 1.000 1.000 1.000 -score GOOG_REDIR_HTML_ONLY 2.000 1.999 2.000 1.999 -score GOOG_REDIR_NORDNS 2.499 2.549 2.499 2.549 -score GOOG_STO_EMAIL_PHISH 1.000 1.000 1.000 1.000 -score GOOG_STO_HTML_PHISH 1.000 1.000 1.000 1.000 -score GOOG_STO_HTML_PHISH_MANY 1.000 1.000 1.000 1.000 -score GOOG_STO_IMG_HTML 1.000 1.000 1.000 1.000 -score GOOG_STO_IMG_NOHTML 2.499 2.499 2.499 2.499 -score GOOG_STO_NOIMG_HTML 2.999 2.891 2.999 2.891 -score HAS_X_NO_RELAY 1.000 1.000 1.000 1.000 -score HAS_X_OUTGOING_SPAM_STAT 0.503 0.728 0.503 0.728 -score HDRS_LCASE_IMGONLY 0.099 0.100 0.099 0.100 -score HDRS_MISSP 2.500 2.499 2.500 2.499 -score HDR_ORDER_FTSDMCXX_DIRECT 0.001 0.001 0.001 0.001 -score HDR_ORDER_FTSDMCXX_NORDNS 0.001 0.001 0.001 0.001 -score HEADER_FROM_DIFFERENT_DOMAINS 0.250 0.249 0.250 0.249 -score HELO_NO_DOMAIN 0.001 0.001 0.001 0.001 -score HEXHASH_WORD 1.000 1.000 1.000 1.000 -score HK_CTE_RAW 1.000 1.000 1.000 1.000 -score HK_LOTTO 0.626 0.001 0.626 0.001 -score HK_NAME_MR_MRS 1.000 0.999 1.000 0.999 -score HK_RANDOM_ENVFROM 0.999 0.999 0.999 0.999 -score HK_RANDOM_FROM 0.999 0.999 0.999 0.999 -score HK_RANDOM_REPLYTO 0.999 0.999 0.999 0.999 -score HK_RCVD_IP_MULTICAST 1.000 1.000 1.000 1.000 -score HK_SCAM 1.999 1.999 1.999 1.999 -score HOSTED_IMG_DIRECT_MX 0.001 0.289 0.001 0.289 -score HOSTED_IMG_DQ_UNSUB 1.000 1.000 1.000 1.000 -score HOSTED_IMG_FREEM 3.499 3.464 3.499 3.464 -score HOSTED_IMG_MULTI 1.000 1.000 1.000 1.000 -score HOSTED_IMG_MULTI_PUB_01 2.999 2.999 2.999 2.999 -score HTML_ENTITY_ASCII 2.999 2.999 2.999 2.999 -score HTML_ENTITY_ASCII_TINY 1.000 1.000 1.000 1.000 -score HTML_FONT_TINY_NORDNS 1.886 1.085 1.886 1.085 -score HTML_OFF_PAGE 2.601 0.977 2.601 0.977 -score HTML_SHRT_CMNT_OBFU_MANY 1.000 1.000 1.000 1.000 -score HTML_SINGLET_MANY 2.499 1.000 2.499 1.000 -score HTML_TAG_BALANCE_CENTER 2.599 2.816 2.599 2.816 -score HTML_TEXT_INVISIBLE_FONT 1.924 0.609 1.924 0.609 -score HTML_TEXT_INVISIBLE_STYLE 0.472 1.312 0.472 1.312 -score IMG_ONLY_FM_DOM_INFO 1.000 1.000 1.000 1.000 -score JH_SPAMMY_HEADERS 3.499 3.499 3.499 3.499 -score JH_SPAMMY_PATTERN01 1.000 1.000 1.000 1.000 -score JH_SPAMMY_PATTERN02 1.000 1.000 1.000 1.000 -score KHOP_HELO_FCRDNS 0.399 0.001 0.399 0.001 -score KHOP_JS_OBFUSCATION 3.099 0.001 3.099 0.001 -score LINKEDIN_IMG_NOT_RCVD_LNKN 1.000 1.000 1.000 1.000 -score LIST_PRTL_PUMPDUMP 1.000 1.000 1.000 1.000 -score LIST_PRTL_SAME_USER 1.000 1.000 1.000 1.000 -score LONGLN_LOW_CONTRAST 0.123 1.329 0.123 1.329 -score LONG_HEX_URI 2.679 1.617 2.679 1.617 -score LONG_IMG_URI 2.599 0.001 2.599 0.001 -score LONG_INVISIBLE_TEXT 2.999 2.364 2.999 2.364 -score LOTS_OF_MONEY 0.010 0.009 0.010 0.009 -score LOTTO_AGENT 1.000 1.499 1.000 1.499 -score LOTTO_DEPT 0.754 1.096 0.754 1.096 -score LUCRATIVE 1.000 1.000 1.000 1.000 -score MALF_HTML_B64 1.000 1.000 1.000 1.000 -score MALWARE_NORDNS 0.001 0.616 0.001 0.616 -score MALWARE_PASSWORD 1.000 1.000 1.000 1.000 -score MAY_BE_FORGED 1.599 0.001 1.599 0.001 -score MILLION_HUNDRED 0.440 0.391 0.440 0.391 -score MILLION_USD 1.307 0.194 1.307 0.194 -score MIMEOLE_DIRECT_TO_MX 0.001 0.001 0.001 0.001 -score MIME_NO_TEXT 1.000 1.000 1.000 1.000 -score MIXED_AREA_CASE 1.000 1.000 1.000 1.000 -score MIXED_CENTER_CASE 1.000 1.000 1.000 1.000 -score MIXED_ES 2.199 2.399 2.199 2.399 -score MIXED_FONT_CASE 1.000 1.000 1.000 1.000 -score MIXED_HREF_CASE 1.000 1.000 1.000 1.000 -score MIXED_IMG_CASE 1.957 2.999 1.957 2.999 -score MONERO_DEADLINE 1.000 1.000 1.000 1.000 -score MONERO_EXTORT_01 1.000 1.000 1.000 1.000 -score MONERO_MALWARE 1.000 1.000 1.000 1.000 -score MONERO_PAY_ME 1.000 1.000 1.000 1.000 -score MONEY_ATM_CARD 0.560 1.599 0.560 1.599 -score MONEY_FORM 0.001 0.001 0.001 0.001 -score MONEY_FORM_SHORT 2.499 0.001 2.499 0.001 -score MONEY_FRAUD_3 2.499 2.499 2.499 2.499 -score MONEY_FRAUD_5 0.001 0.001 0.001 0.001 -score MONEY_FRAUD_8 0.001 0.001 0.001 0.001 -score MONEY_FREEMAIL_REPTO 2.999 1.155 2.999 1.155 -score MONEY_FROM_41 1.000 1.000 1.000 1.000 -score MONEY_FROM_MISSP 0.001 0.001 0.001 0.001 -score MSGID_DOLLARS_URI_IMG 1.000 1.000 1.000 1.000 -score MSGID_HDR_MALF 1.000 1.000 1.000 1.000 -score MSMAIL_PRI_ABNORMAL 1.499 1.499 1.499 1.499 -score MSM_PRIO_REPTO 1.000 1.000 1.000 1.000 -score NAME_EMAIL_DIFF 1.727 0.001 1.727 0.001 -score NA_DOLLARS 1.499 1.499 1.499 1.499 -score NEWEGG_IMG_NOT_RCVD_NEGG 1.000 1.000 1.000 1.000 -score NEW_PRODUCTS 1.000 1.000 1.000 1.000 -score NICE_REPLY_A -0.438 -0.001 -0.438 -0.001 -score NORDNS_LOW_CONTRAST 0.001 0.770 0.001 0.770 -score NO_FM_NAME_IP_HOSTN 0.001 0.001 0.001 0.001 -score NSL_RCVD_FROM_USER 0.001 0.001 0.001 0.001 -score NSL_RCVD_HELO_USER 0.001 0.001 0.001 0.001 -score NUMBERONLY_BITCOIN_EXP 1.735 1.787 1.735 1.787 -score OBFU_BITCOIN 0.001 0.001 0.001 0.001 -score OBFU_TEXT_ATTACH 1.499 1.444 1.499 1.444 -score ODD_FREEM_REPTO 2.999 1.845 2.999 1.845 -score PDS_BAD_THREAD_QP_64 0.999 0.999 0.999 0.999 -score PDS_BTC_ID 0.499 0.499 0.499 0.499 -score PDS_BTC_MSGID 0.302 0.001 0.302 0.001 -score PDS_BTC_NTLD 1.000 1.000 1.000 1.000 -score PDS_DBL_URL_TNB_RUNON 1.999 1.000 1.999 1.000 -score PDS_FROM_2_EMAILS 0.714 2.460 0.714 2.460 -score PDS_HELO_SPF_FAIL 0.001 1.000 0.001 1.000 -score PDS_NAKED_TO_NUMERO 1.999 2.000 1.999 2.000 -score PDS_NO_FULL_NAME_SPOOFED_URL 0.750 0.750 0.750 0.750 -score PDS_RDNS_DYNAMIC_FP 0.001 0.001 0.001 0.001 -score PDS_SHORT_SPOOFED_URL 1.999 1.999 1.999 1.999 -score PDS_TINYSUBJ_URISHRT 1.000 1.000 1.000 1.000 -score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 1.000 1.000 1.000 1.000 -score PHISH_AZURE_CLOUDAPP 3.500 3.500 3.500 3.500 -score PHISH_FBASEAPP 1.000 1.000 1.000 1.000 -score PHP_NOVER_MUA 1.000 1.000 1.000 1.000 -score PHP_ORIG_SCRIPT 2.001 2.036 2.001 2.036 -score PHP_SCRIPT 2.499 2.499 2.499 2.499 -score PHP_SCRIPT_MUA 1.000 1.000 1.000 1.000 -score PP_MIME_FAKE_ASCII_TEXT 0.999 0.001 0.999 0.001 -score PP_TOO_MUCH_UNICODE02 0.500 0.500 0.500 0.500 -score PP_TOO_MUCH_UNICODE05 1.000 1.000 1.000 1.000 -score PUMPDUMP 1.000 1.000 1.000 1.000 -score PUMPDUMP_MULTI 1.000 1.000 1.000 1.000 -score RAND_HEADER_LIST_SPOOF 1.000 1.000 1.000 1.000 -score RAND_HEADER_MANY 1.000 1.000 1.000 1.000 -score RAND_MKTG_HEADER 1.999 1.999 1.999 1.999 -score RATWARE_NO_RDNS 1.864 0.001 1.864 0.001 -score RCVD_DOTEDU_SHORT 1.000 1.000 1.000 1.000 -score RCVD_DOTEDU_SUSP_URI 1.000 1.000 1.000 1.000 -score RCVD_IN_MSPIKE_BL 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_H2 0.001 -0.001 0.001 -0.001 -score RCVD_IN_MSPIKE_H3 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_H4 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_H5 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L2 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L3 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L4 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L5 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_WL 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_ZBI 0.001 0.001 0.001 0.001 -score RDNS_NUM_TLD_ATCHNX 1.000 1.000 1.000 1.000 -score RDNS_NUM_TLD_XM 2.681 2.999 2.681 2.999 -score READY_TO_SHIP 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_AOL 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_AOL_LOOSE 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_CNS 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_GM 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_GM_LOOSE 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_HM 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_OL 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_PM 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_QQ 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_YH 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_YH_LOOSE 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_YJ 1.000 1.000 1.000 1.000 -score REPTO_419_FRAUD_YN 1.000 1.000 1.000 1.000 -score REPTO_INFONUMSCOM 1.000 1.000 1.000 1.000 -score SCC_CANSPAM_1 2.300 0.001 2.300 0.001 -score SCC_CANSPAM_2 2.299 2.599 2.299 2.599 -score SCC_ISEMM_LID_1 1.000 1.000 1.000 1.000 -score SCC_ISEMM_LID_1A 1.000 1.000 1.000 1.000 -score SCC_ISEMM_LID_1B 1.499 1.499 1.499 1.499 -score SENDGRID_REDIR 1.499 1.068 1.499 1.068 -score SENDGRID_REDIR_PHISH 1.000 1.000 1.000 1.000 -score SEO_SUSP_NTLD 1.000 1.000 1.000 1.000 -score SERGIO_SUBJECT_VIAGRA01 2.699 2.656 2.699 2.656 -score SHOPIFY_IMG_NOT_RCVD_SFY 2.499 2.499 2.499 2.499 -score SHORTENER_SHORT_IMG 0.001 1.002 0.001 1.002 -score SHORT_IMG_SUSP_NTLD 1.000 1.000 1.000 1.000 -score SHORT_SHORTNER 1.999 1.999 1.999 1.999 -score SPOOFED_FREEMAIL 0.001 0.001 0.001 0.001 -score SPOOFED_FREEMAIL_NO_RDNS 0.001 0.001 0.001 0.001 -score SPOOFED_FREEM_REPTO 0.001 0.001 0.001 0.001 -score SPOOFED_FREEM_REPTO_CHN 0.001 1.000 0.001 1.000 -score SPOOFED_FREEM_REPTO_RUS 0.001 1.000 0.001 1.000 -score SPOOF_GMAIL_MID 1.499 0.001 1.499 0.001 -score STATIC_XPRIO_OLE 0.001 0.001 0.001 0.001 -score STOCK_TIP 1.000 1.000 1.000 1.000 -score STOX_BOUND_090909_B 0.001 0.001 0.001 0.001 -score SUBJ_ATTENTION 0.128 0.500 0.128 0.500 -score SUBJ_BRKN_WORDNUMS 1.000 1.000 1.000 1.000 -score SURBL_BLOCKED 0.001 0.001 0.001 0.001 -score SUSP_UTF8_WORD_SUBJ 1.999 1.970 1.999 1.970 -score SYSADMIN 1.000 1.000 1.000 1.000 -score TAGSTAT_IMG_NOT_RCVD_TGST 1.000 1.000 1.000 1.000 -score TARINGANET_IMG_NOT_RCVD_TN 1.000 1.000 1.000 1.000 -score THIS_AD 2.099 1.815 2.099 1.815 -score THIS_IS_ADV_SUSP_NTLD 1.000 1.000 1.000 1.000 -score TONLINE_FAKE_DKIM 1.000 1.000 1.000 1.000 -score TO_EQ_FM_DIRECT_MX 1.000 1.000 1.000 1.000 -score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.001 0.001 0.001 -score TO_EQ_FM_SPF_FAIL 0.001 0.001 0.001 0.001 -score TO_IN_SUBJ 0.100 0.100 0.100 0.100 -score TO_NAME_SUBJ_NO_RDNS 0.338 1.000 0.338 1.000 -score TO_NO_BRKTS_FROM_MSSP 2.499 2.499 2.499 2.499 -score TO_NO_BRKTS_HTML_IMG 1.999 1.999 1.999 1.999 -score TO_NO_BRKTS_HTML_ONLY 1.999 1.999 1.999 1.999 -score TO_NO_BRKTS_MSFT 0.001 0.001 0.001 0.001 -score TO_NO_BRKTS_NORDNS_HTML 1.999 1.597 1.999 1.597 -score TO_NO_BRKTS_PCNT 2.500 2.499 2.500 2.499 -score TVD_PH_BODY_META 2.099 2.299 2.099 2.299 -score TVD_RCVD_SPACE_BRACKET 2.554 1.427 2.554 1.427 -score TVD_SPACE_ENCODED 1.821 0.001 1.821 0.001 -score TVD_SPACE_RATIO_MINFP 0.238 0.001 0.238 0.001 -score TW_GIBBERISH_MANY 1.000 1.000 1.000 1.000 -score UC_GIBBERISH_OBFU 1.000 1.000 1.000 1.000 -score UNDISC_FREEM 2.699 2.700 2.699 2.700 -score UNDISC_MONEY 2.899 3.099 2.899 3.099 -score UNICODE_OBFU_ASC 2.499 2.499 2.499 2.499 -score UNICODE_OBFU_ZW 1.000 1.000 1.000 1.000 -score UNSUB_GOOG_FORM 1.000 1.000 1.000 1.000 -score URI_ADOBESPARK 1.000 1.000 1.000 1.000 -score URI_AZURE_CLOUDAPP 1.000 1.000 1.000 1.000 -score URI_DASHGOVEDU 1.000 1.000 1.000 1.000 -score URI_DATA 1.000 1.000 1.000 1.000 -score URI_DOTEDU 1.999 1.278 1.999 1.278 -score URI_DOTEDU_ENTITY 1.000 1.000 1.000 1.000 -score URI_FIREBASEAPP 1.000 1.000 1.000 1.000 -score URI_GOOGLE_PROXY 1.999 1.999 1.999 1.999 -score URI_GOOG_STO_SPAMMY 3.000 3.000 3.000 3.000 -score URI_HEX_IP 1.000 1.000 1.000 1.000 -score URI_IMG_WP_REDIR 1.000 1.000 1.000 1.000 -score URI_LONG_REPEAT 1.000 1.000 1.000 1.000 -score URI_ONLY_MSGID_MALF 0.001 1.000 0.001 1.000 -score URI_OPTOUT_3LD 1.000 1.000 1.000 1.000 -score URI_PHISH 3.999 3.695 3.999 3.695 -score URI_PHP_REDIR 1.000 1.000 1.000 1.000 -score URI_TRY_3LD 1.950 0.956 1.950 0.956 -score URI_TRY_USME 1.000 1.000 1.000 1.000 -score URI_WPADMIN 1.685 2.099 1.685 2.099 -score URI_WP_DIRINDEX 1.000 1.000 1.000 1.000 -score URI_WP_HACKED 1.685 3.499 1.685 3.499 -score URI_WP_HACKED_2 2.499 2.499 2.499 2.499 -score USB_DRIVES 1.000 1.000 1.000 1.000 -score VFY_ACCT_NORDNS 2.633 2.551 2.633 2.551 -score VPS_NO_NTLD 1.000 1.000 1.000 1.000 -score WALMART_IMG_NOT_RCVD_WAL 1.000 1.000 1.000 1.000 -score WORD_INVIS 0.972 0.001 0.972 0.001 -score WORD_INVIS_MANY 2.999 2.999 2.999 2.999 -score XFER_LOTSA_MONEY 0.999 0.999 0.999 0.999 -score XM_DIGITS_ONLY 1.000 1.000 1.000 1.000 -score XM_RANDOM 1.665 0.256 1.665 0.256 -score XPRIO 0.617 0.001 0.617 0.001 -score XPRIO_SHORT_SUBJ 1.133 2.172 1.133 2.172 -score XPRIO_URL_SHORTNER 0.429 0.613 0.429 0.613 -score YOUR_DELIVERY_ADDRESS 1.000 1.000 1.000 1.000 diff --git a/resources/spamassassin/73_sandbox_manual_scores.cf b/resources/spamassassin/73_sandbox_manual_scores.cf deleted file mode 100644 index f424c605..00000000 --- a/resources/spamassassin/73_sandbox_manual_scores.cf +++ /dev/null @@ -1,121 +0,0 @@ -# SpamAssassin rules file -# -# Manual override of the automatically-generated scores -# for automatically-published sandbox rules -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -require_version @@VERSION@@ - -# jhardin -# things depend on these -# score as informative just for the hits header -score LOTS_OF_MONEY 0.001 -score FILL_THIS_FORM 0.001 - -# jhardin -# reevolved Advance Fee rules -# scores are cumulative (i.e. 3 hits 2, 4 hits 3 and 2) -# Commented out if GA is scoring reasonably -#score ADVANCE_FEE_2_NEW_MONEY 0.50 -#score ADVANCE_FEE_2_NEW_FORM 0.75 -#score ADVANCE_FEE_3_NEW 0.50 -#score ADVANCE_FEE_3_NEW_MONEY 1.00 -#score ADVANCE_FEE_3_NEW_FORM 1.00 -#score ADVANCE_FEE_4_NEW 1.00 -#score ADVANCE_FEE_5_NEW 1.50 -score ADVANCE_FEE_5_NEW_MONEY 3.00 - -# jhardin -# metas using Advance Fee component rules -# Commented out if GA is scoring reasonably -#score FORM_FRAUD_3 0.50 -#score FORM_FRAUD_5 0.50 -#score MONEY_FRAUD_3 1.00 -#score MONEY_FRAUD_5 0.50 -#score MONEY_FRAUD_8 0.50 - -# jhardin -# GA scores this unreasonably high, and -# the fact that this is defined in an #ifplugin -# appears to be preventing score limiting from working -score FILL_THIS_FORM_LONG 2.00 - -# jhardin -# misc rules -# Commented out if GA is scoring reasonably -#score FROM_MISSP_MSFT 0.50 -#score TO_NO_BRKTS_DYNIP 0.50 -#score LOTTO_AGENT 0.50 - -# jhardin -# 1.000 S/O, hits only <= 6 points, but GA is not publishing it! -# perhaps because very few examples in spam corpus -# 12/24/12 GA likes it now -#score GOOGLE_DOCS_PHISH 3.00 -# similar: .990 S/O, hits primarily spam <= 5 points -# 01/07/13 GA likes it now -#score EMAIL_URI_PHISH 2.50 -# Reliable but not widespread (low corpus count, ahead of the curve?), boost the score -score PHISH_AZURE_CLOUDAPP 3.50 -score URI_GOOG_STO_SPAMMY 3.50 - -# jhardin -# double-extension file attachments, low corpus count -score PHISH_ATTACH 3.50 -score MALW_ATTACH 3.50 - -# hege -# FPs reported [bug 6417], GA assigning 3+ points -# reduce score until that's resolved -# score HK_FAKENAME_MICROSOFT 2.50 -# RULE DISABLED IN 20_hk.cf - -# jhardin for mmartinec -# Lots of hate; score as informative hammy, may override locally -score RP_MATCHES_RCVD -0.001 - -# until rule or rescoring issues sorted, hits 20%+ ham -# too problematic, disabled entirely -#score STYLE_GIBBERISH 0.1 - -# jhardin -# Limit some network scores until rule changes can be evaluated by weekly net masscheck -# Dangit, relative scores are broken - see bug#7721 -#score FROM_IN_TO_AND_SUBJ (0) 0.001 (0) 0.001 -#score OBFU_TEXT_ATTACH (0) 0.001 (0) 0.001 -#score MIME_NO_TEXT (0) 0.001 (0) 0.001 -#score AD_PREFS (0) 0.001 (0) 0.001 -score AD_PREFS 0.250 -#score URI_WP_HACKED_2 (0) 0.001 (0) 0.001 -#score STYLE_GIBBERISH (0) 0.001 (0) 0.001 -#score UC_GIBBERISH_OBFU (0) 0.001 (0) 0.001 -#score LUCRATIVE (0) 0.001 (0) 0.001 -#score HEXHASH_WORD (0) 0.001 (0) 0.001 -#score FROM_WORDY (0) 0.001 (0) 0.001 -#score AC_HTML_NONSENSE_TAGS (0) 0.001 (0) 0.001 -#score LONG_HEX_URI (0) 0.001 (0) 0.001 -#score FROM_PAYPAL_SPOOF (0) 0.001 (0) 0.001 - - -# jhardin -# Don't joe-job a SA dev's wife -score ADULT_DATING_COMPANY 20.000 - diff --git a/resources/spamassassin/Mail-SpamAssassin-rules-4.0.0.r1905950.tgz b/resources/spamassassin/Mail-SpamAssassin-rules-4.0.0.r1905950.tgz Binary files differdeleted file mode 100644 index 69e2e642..00000000 --- a/resources/spamassassin/Mail-SpamAssassin-rules-4.0.0.r1905950.tgz +++ /dev/null diff --git a/resources/spamassassin/STATISTICS-set0-72_scores.cf.txt b/resources/spamassassin/STATISTICS-set0-72_scores.cf.txt deleted file mode 100644 index 4ee2b542..00000000 --- a/resources/spamassassin/STATISTICS-set0-72_scores.cf.txt +++ /dev/null @@ -1,40 +0,0 @@ -##### WITH NEW RULES AND SCORES ##### - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 295376 69.870% (99.568% of non-spam corpus) -# Correctly spam: 90325 21.366% (71.634% of spam corpus) -# False positives: 1282 0.303% (0.432% of nonspam, 19065 weighted) -# False negatives: 35767 8.461% (28.366% of spam, 50278 weighted) -# Average score for spam: 8.9 nonspam: 0.7 -# Average for false-pos: 7.0 false-neg: 1.4 -# TOTAL: 422750 100.00% - -Reading scores from "tmprules"... -Reading per-message hit stat logs and scores... - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 36853 99.58% -# Correctly spam: 11338 71.64% -# False positives: 155 0.42% -# False negatives: 4489 28.36% -# TCR(l=50): 1.293161 SpamRecall: 71.637% SpamPrec: 98.651% - -##### WITHOUT NEW RULES AND SCORES ##### -Reading scores from "../rules-base"... -Reading per-message hit stat logs and scores... - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 289677 97.65% -# Correctly spam: 73447 58.25% -# False positives: 6981 2.35% -# False negatives: 52645 41.75% -# TCR(l=50): 0.313900 SpamRecall: 58.249% SpamPrec: 91.320% -Reading scores from "../rules-base"... -Reading per-message hit stat logs and scores... - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 36132 97.63% -# Correctly spam: 9229 58.31% -# False positives: 876 2.37% -# False negatives: 6598 41.69% -# TCR(l=50): 0.314040 SpamRecall: 58.312% SpamPrec: 91.331% diff --git a/resources/spamassassin/STATISTICS-set1-72_scores.cf.txt b/resources/spamassassin/STATISTICS-set1-72_scores.cf.txt deleted file mode 100644 index 3ae102a6..00000000 --- a/resources/spamassassin/STATISTICS-set1-72_scores.cf.txt +++ /dev/null @@ -1,40 +0,0 @@ -##### WITH NEW RULES AND SCORES ##### - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 297244 68.072% (99.304% of non-spam corpus) -# Correctly spam: 102975 23.582% (74.980% of spam corpus) -# False positives: 2082 0.477% (0.696% of nonspam, 82501 weighted) -# False negatives: 34362 7.869% (25.020% of spam, 59356 weighted) -# Average score for spam: 13.0 nonspam: -0.0 -# Average for false-pos: 8.6 false-neg: 1.7 -# TOTAL: 436663 100.00% - -Reading scores from "tmprules"... -Reading per-message hit stat logs and scores... - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 37058 99.18% -# Correctly spam: 13021 75.69% -# False positives: 307 0.82% -# False negatives: 4182 24.31% -# TCR(l=50): 0.880760 SpamRecall: 75.690% SpamPrec: 97.697% - -##### WITHOUT NEW RULES AND SCORES ##### -Reading scores from "../rules-base"... -Reading per-message hit stat logs and scores... - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 297291 99.32% -# Correctly spam: 88670 64.56% -# False positives: 2035 0.68% -# False negatives: 48667 35.44% -# TCR(l=50): 0.913042 SpamRecall: 64.564% SpamPrec: 97.756% -Reading scores from "../rules-base"... -Reading per-message hit stat logs and scores... - -# SUMMARY for threshold 5.0: -# Correctly non-spam: 37082 99.24% -# Correctly spam: 11166 64.91% -# False positives: 283 0.76% -# False negatives: 6037 35.09% -# TCR(l=50): 0.852182 SpamRecall: 64.907% SpamPrec: 97.528% diff --git a/resources/spamassassin/STATISTICS-set2-72_scores.cf.txt b/resources/spamassassin/STATISTICS-set2-72_scores.cf.txt deleted file mode 100644 index e69de29b..00000000 --- a/resources/spamassassin/STATISTICS-set2-72_scores.cf.txt +++ /dev/null diff --git a/resources/spamassassin/STATISTICS-set3-72_scores.cf.txt b/resources/spamassassin/STATISTICS-set3-72_scores.cf.txt deleted file mode 100644 index e69de29b..00000000 --- a/resources/spamassassin/STATISTICS-set3-72_scores.cf.txt +++ /dev/null diff --git a/resources/spamassassin/languages b/resources/spamassassin/languages Binary files differdeleted file mode 100644 index b3c4a952..00000000 --- a/resources/spamassassin/languages +++ /dev/null diff --git a/resources/spamassassin/local.cf b/resources/spamassassin/local.cf deleted file mode 100644 index fb1d1111..00000000 --- a/resources/spamassassin/local.cf +++ /dev/null @@ -1,112 +0,0 @@ -# This is the right place to customize your installation of SpamAssassin. -# -# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be -# tweaked. -# -# Only a small subset of options are listed below -# -########################################################################### - -# A 'contact address' users should contact for more info. (replaces -# _CONTACTADDRESS_ in the report template) -# report_contact youremailaddress@domain.tld - - -# Add *****SPAM***** to the Subject header of spam e-mails -# -# rewrite_header Subject *****SPAM***** - - -# Save spam messages as a message/rfc822 MIME attachment instead of -# modifying the original message (0: off, 2: use text/plain instead) -# -# report_safe 1 - - -# Set which networks or hosts are considered 'trusted' by your mail -# server (i.e. not spammers) -# -# trusted_networks 212.17.35. - - -# Set file-locking method (flock is not safe over NFS, but is faster) -# -# lock_method flock - - -# Set the threshold at which a message is considered spam (default: 5.0) -# -# required_score 5.0 - - -# Use Bayesian classifier (default: 1) -# -# use_bayes 1 - - -# Bayesian classifier auto-learning (default: 1) -# -# bayes_auto_learn 1 - - -# Set headers which may provide inappropriate cues to the Bayesian -# classifier -# -# bayes_ignore_header X-Bogosity -# bayes_ignore_header X-Spam-Flag -# bayes_ignore_header X-Spam-Status - - -# Whether to decode non- UTF-8 and non-ASCII textual parts and recode -# them to UTF-8 before the text is given over to rules processing. -# -# normalize_charset 1 - -# Textual body scan limit (default: 50000) -# -# Amount of data per email text/* mimepart, that will be run through body -# rules. This enables safer and faster scanning of large messages, -# perhaps having very large textual attachments. There should be no need -# to change this well tested default. -# -# body_part_scan_size 50000 - -# Textual rawbody data scan limit (default: 500000) -# -# Amount of data per email text/* mimepart, that will be run through -# rawbody rules. -# -# rawbody_part_scan_size 500000 - -# Some shortcircuiting, if the plugin is enabled -# -ifplugin Mail::SpamAssassin::Plugin::Shortcircuit -# -# default: strongly-welcomelisted mails are *really* welcomelisted now, if -# the shortcircuiting plugin is active, causing early exit to save CPU -# load. Uncomment to turn this on -# -# SpamAssassin tries hard not to launch DNS queries before priority -100. -# If you want to shortcircuit without launching unneeded queries, make -# sure such rule priority is below -100. These examples are already: -# -# shortcircuit USER_IN_WELCOMELIST on -# shortcircuit USER_IN_DEF_WELCOMELIST on -# shortcircuit USER_IN_ALL_SPAM_TO on - -# the opposite; blocklisted mails can also save CPU -# -# shortcircuit USER_IN_BLOCKLIST on -# shortcircuit USER_IN_BLOCKLIST_TO on - -# if you have taken the time to correctly specify your "trusted_networks", -# this is another good way to save CPU -# -# shortcircuit ALL_TRUSTED on - -# and a well-trained bayes DB can save running rules, too -# -# shortcircuit BAYES_99 spam -# shortcircuit BAYES_00 ham - -endif # Mail::SpamAssassin::Plugin::Shortcircuit diff --git a/resources/spamassassin/regression_tests.cf b/resources/spamassassin/regression_tests.cf deleted file mode 100644 index 872aaafe..00000000 --- a/resources/spamassassin/regression_tests.cf +++ /dev/null @@ -1,62 +0,0 @@ -# SpamAssassin rules file: regression tests -# -# This file contains tests performed on `make test`. It should not be -# distributed. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# </@LICENSE> -# -########################################################################### - -test DEAR_SOMETHING ok Dear IT professional, -test DEAR_SOMETHING ok Dear Internet Investor: -test DEAR_FRIEND ok Dear friend, -test DEAR_FRIEND fail Dear Mr. Ithacus, - -test FROM_STARTS_WITH_NUMS ok 12345678matt@sergeant.org -test FROM_STARTS_WITH_NUMS fail matt@sergeant.org -test FORGED_YAHOO_RCVD fail by mf1.lng.yahoo.com (8.11.1/8.11.1) id g3SDfPH19426 -test NUMERIC_HTTP_ADDR ok http://123456789/foo/bar - -test US_DOLLARS_3 fail $-$NFbMF$K!"A49q$+$iLd$$9g$o$;$,;&E~$7$F$$$^$9!# -test US_DOLLARS_3 ok OF US$75,000,000.00 ( SEVENTYFIVE -test US_DOLLARS_3 ok DOLLAR(USD$30,000,000,00.) -test US_DOLLARS_3 ok ($21,500,000.) -test US_DOLLARS_3 ok ($ 152,000.000.00) - -# note: have to use "." instead of "#", as it's the comment char - -test TRACKER_ID ok 2174Hzdm0-105YUqT8863DiDg0-616mqbE4931HEBc0-732qBHd6314l52 -test TRACKER_ID ok ofsknxxdqgtgqvsoiytkivajvtj -test TRACKER_ID fail <!-- ADMINISTRIVIA --> -test TRACKER_ID fail Donau-Dampfschifffahrts-Kapitaen - -test __OBFUSCATING_COMMENT_A ok This is a te<!--foo-->st -test __OBFUSCATING_COMMENT_A fail Not a <!-- problem --> here -test __OBFUSCATING_COMMENT_A fail or<!--problem--> here -test __OBFUSCATING_COMMENT_A fail This <tag><!-- neither --></tag> I hope - -test HIDE_WIN_STATUS ok <a href=foo onMouseOver="window.status='bar';> -test HIDE_WIN_STATUS fail attributes like href=foo onMouseOver="window.status='bar'" -test HIDE_WIN_STATUS fail attributes like href=foo onMouseOver="flashiness" - -test BAD_CREDIT ok no credit checks -test BAD_CREDIT ok reestablish credit -test BAD_CREDIT ok establish good credit -test BAD_CREDIT ok repair your credit -test BAD_CREDIT fail NOTICE: Your credit card company may place the words "San Antonio" - diff --git a/resources/spamassassin/sa-update-pubkey.txt b/resources/spamassassin/sa-update-pubkey.txt deleted file mode 100644 index b0190f39..00000000 --- a/resources/spamassassin/sa-update-pubkey.txt +++ /dev/null @@ -1,80 +0,0 @@ -This is the GPG key that updates are signed with (currently, -as of Wed Dec 21 19:31:38 PST 2005. Please contact <dev /at/ -spamassassin.apache.org> with any questions. - - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.2 (SunOS) - -mQILBEOnbDQBEADBfda+hU8cGXD/2WYrIHsZ5CmvC2eCYKgQ87W706tzwmxoZWQS -JfnRpkZnBqS5WDhXhNBOhk9CgF5/e9yHnDQCusNYfRstKd+t0XTFvq30/tacrJNe -67zgq+DtWqIK9C7akfElc+2M5NkX6mF4cjaMXZoW17ltPy0XSSeirf584nvK3pXf -oEFLYQ/0AUV9EBpo9+i2DkMUd8d5tz7A6O5foB3ijYPzIcVtVJ1eyCg6gO1I4cIA -YbIZCH0WIVx5MQjydfKyCR4D7VFPpZgwcZ1PmyZSsy3lrigGVvYEoUS2fWTt2jUO -pB3wg5pgzuu9hN5CpChZGvq65t4PGtAeShnBkddIH4l+iDC6sAc6W06KidSaUCW1 -BKvNMa39lyEkO4bfLblZRjoZbj7Tjq3wQV/PLpPyKDa8ZZ88GfWaeRDUNRgZG6Qq -e6UKlFGfrw2RXOImUje7Sjy/eG4Ud/BOeGkV913yWBm9CHsPNtaVDK+iQI6vkAWS -3QkiPjBkXGTZFHsUx9/i3k5Iga6d4Gq2cBIVBur3sDxjKuuSazLwA9OAybpzQe2s -PvTzbGc/f1P7plT++HBFlBHwFtl/v68Q8pkbMWlEc5M9nYJ6yXHATHZzFfThxBwt -OYfF25XGaclUMkOMX++RiRkmjaEaT7Whv5aPbeb3+H3v6Omjvnebge24lQAGKbQ/ -dXBkYXRlcy5zcGFtYXNzYXNzaW4ub3JnIFNpZ25pbmcgS2V5IDxyZWxlYXNlQHNw -YW1hc3Nhc3Npbi5vcmc+iQI2BBMBAgAgBQJDp2w0AhsDBgsJCAcDAgQVAggDBBYC -AwECHgECF4AACgkQQFamGlJE7EVkfg//ZjBQ6UXDizX9UPsEmogWXIqbBsyP5DJH -uToaFa6OzCbOJqcYnXNfOjovYdDOTje+x3ZEkwbx+y6MSfhmDuHPDPqBU7hXenxx -oRktC68mJasKo0wXym2YfyWFnhSZMlXXFQ9We48zNGcVRckzaxLzM67BFJuRUfOM -EV6Lf3HxMvoUK3/Xzq9YPEq2sqFO1Eu+qPC3nq726Tj/aYBBFHgHmbjDrZTaQNyV -fHvEjDzPcDRjlJI+vZw1UEuXG+BKATPpiT7U7I1OGLDa2ExDIxh0+eJnsmA3YyHG -VweE7nDN2GmkXMVfa5vXHH49Ae9Ee8jIIRipfgMgZWnkZ0XYDvLj2ueH0Ixu4o9R -D2zJIwqzRh1sytG+1YOfHrOMUCplImJaY/ARgOM324ZdBvhkgIi1XvT7Sy/ZmGWd -DKFo+GjX0r2cujR8Pd4i7VlKsF9wRypk+n/aupXiaz5GY44EIVbnweyS5IlCNrwn -4UtqcB9/9uk1tmUNIcC5xjbq5ud/Y+iMIqCKCH0C9WUwSNSdsg+K+9xoZuvlaXY0 -JeXWNcDdq+tMir+x+/o0U4ENVYBkSFesnotmHwN6jZj4lSMRmvcFHPBljXqLqzM+ -y5wZxnCo1N7T+erZaI7BUrpJYm8JxcJ2VCWV0JFoO1Ec//B6XYB0pckbRuSTX/Zw -pKEkNqOdmjm5AgsEQ6dsigEQAKvdggbwqJgfDbRE2Lcy2gsn4j7haqu3IVBbyUDn -kGuuDuEtSeoRjCZXEb5DaKibIpEy5vzvRGvCFFkrBs4KXk/uamkgCpGnQZFnoz/S -rNZ8U7+e1pecEePpIkhQyafUKox9+p43UVoq4UybdPRDvE9SmQ1qaNUhyQY2FP9S -WT1a63u5GA73aH4puGO0BuZ9R3MNaDYZe/MOlRRjmlAsbY4oqWOudlNVaZ71EV3O -FFmOH4pnpxdO0X0l6sF6nvqvO5/gdZ3dI5iqrJjUneVgVOmPkREq7tQ5qHS/2pny -rDrH8NZCDNT5TXciBxBrt53bxxL/V/HWaolmtJi8gK82uXt8YlmT6zuEsofufDmu -P/HMDZ+BhGI+ggNzY2AVwERTRD6ecHDOI3iIuCP4Ck26YNHRCLyocL3CSlIpjQPu -tb3qfdAcqKLJ/fVyLtGkXr24crel6IeJY7/AGjYBrfh47DWnK7Xds8bAqJ8VCjOc -/q1usFTHgGkYocvtv0gmcjbu8YypzuG8HxOg9Yk9qRLQgg1fNhzXE2lqEPyMlBfj -eLmMNRvKP70fH8CK8adinPIegaRrS6gZ/iIdv8+YV+1rlEt28qzzGJxnmzUEmW6X -Xj44u91umg9WOsLxTOCQWdjGHonytHqj/xIsf45N2JIGLhU0lF04hYfEo5p65AyM -PpYhAAYpiQIfBBgBAgAJBQJDp2yKAhsCAAoJEEBWphpSROxFungP/iWKe7o8szOz -VmXkj89xDVFZ69nthVKkbgSYIZYQC+QLF8P1MWRnNWO/8TY+XsaCT3SrqxDFQ/R/ -9mlAPGUM1ySVihOPmP/DPiOlWLCsc0mb6OzYF2olcOR33s05MqvJlqXSmIrdB+hI -KkC7G5byZ+XZwPXVj4XlxIEOzs18+0YJqy0IPZPXTiMet4k2KyWyWkJpJYUCb19G -R6QC8hZQD97EYTbkbr5Ss26jjY/9AqLofW5F1/98pLDo+ron7pI2k8Ymn5DngEsa -XoGsQuyvPfTAjS4p9q/XwExJcX3gvQesdw18mpoSaGAOgDISolBPRqpHpy7v7vuw -3UMnsefKOX3F0Rossevw+c2/JCulnGmJDlgz6nHSR6FhHsbrDKF8oBeYPfGW/Kjw -NvzB1i9yubAMrsTQVu1Q8e5LsnL/MNYKb6oEJbBywdeHxBkehGWFXVdSoFvVSih/ -VNqX9f7jlybpLZW/n8cQ2r1ax19v7FleO/xSGvkYm7B1+4BW0mjy6A5dta5+e5WG -D5R06Uya3/xRAPGdmV6t4Mw8fFsuyCvs+vC73PR3+eS1UvCYsDpcQD8KpVBnsHaA -duWRKKhjuFL0vdOWAr25tFOTKAj5Ywas47PBukO0isov2WBCA1rVqOr6FUvdP76y -mqHv/0E6/vnTLxFoNsu4Ce42nAQ/A/jRiQQ+BBgBAgAJAhsCBQJHhbheAinBXSAE -GQECAAYFAkOnbIoACgkQbFU5eCT0NM68MQ/8DvYqxRm3vP0Gwnr+63kzET8S+6vf -gxOghnU+eMlqUeUu/ajqnVDMzoAIRDw9QgQc9ZZoklOSJQwOuloAbdpL4TwQ2XfJ -MLU60JkZWnEOXJwClb0qG1GqtcBPbMEUPfZcQfphdRL3jpWZlaexFiJRSD+A0riw -7q3NZKPDt4FrF7F3GY9krFy+P0nRt5f462DeDhCYZgguBQH+oGtjc5Hx+kOVWDsS -txo5xkt4/0DG50ZklPkTlCohmJwRLACy+NswdQ9q83eWAhzKOPgkal7xF6a+LyE+ -ytVYy2EgEU74r2gVw5iizy92FDj//Z2QAUyf/c4BMuAhvfwVIHd8n2DPHvpMP15L -6fwoymh0OjzmhwK94Z2u1YqNC1CK27/hfB6okQ/Tct7/Ik61dBjtiYdUC9tTA5Ze -W8X5ouSmttS1QFixx+Z4hiXV7Qj12lgVKuJohjrVshfcbVzTHljjAo3YkOZIHIoA -IJTUMRNzTIx9k4hrPVbxbVQhKjKTwFNtBuxvmptGTcLEIv9THpqlq8jkcStJ2Zrd -hhofPCWRT/Kzo+WE+Kgefv88T5Li7Ku12U/UpiK85+6nRspXj3rnkfDOUbLZjGM+ -1NET0xQTPuyxN6CXF7MMxfGCpszCudYxMANDQqNXu9brcPN/+EIxGRjqin4E7q+h -kYUaY7Ki8mXtJ8cJEEBWphpSROxFktcQALWQv996bFq1iFcGuQ0ITxNDlOWCsses -bgEM5zR10DH+6s2bXEO8xyDHQJtrvdCPetRDosnuOToBMnGMXTYVytnWzwwAzwq1 -YM+bGAeTHaIX+2UmxwFyX4GMOdqsNB+xDZ8pmRKjamJSgUQt6e18YpZlg1Y4QkxS -Vptq7OZBjiKeLUhLhGJ6GWgEIedLcoCtFzKCfz3zwn0Oxl+1EnVu8yqN+quWTf8P -7EZn+0ztqZY059BrcK2jmOyXvtOZBcAHXCUknh/uPHwAJV2WFWSNid2kNiLOrV+J -3eLTs5sF9wNhxWRhl6/10cwTzjy0Onv5cJh2tjdwksigMRMwz4c839zXORni/tnY -+IY22kNTKu84gB8rBuqUq8MQXNdS3bbROwwNUzpC0D1C1z1fBvyXDL1EwJdz70Wc -2m/Sw6tIid5g98+XMW+Ibt43Jk2XbK71JLhbVbePbAcHVh/UXEtnjhRfX7oyWlwS -a+lkKMiJd/6CQ6bvYsgklE7uEzTpRskpkkOcCk1O+8jfl+DsDwKrvVaNu8tpx45k -TtV4JDA6iEHKakD/zZdVTR79W2CFqBvRfRikc5INOl1OfMQ4ODmjkMl3yI9wrHwS -SQQxdq2XsS7xbU9HDFBEguQDu0rfzILZ9DuKIVHyr/CsRoJ5joj+JvKaUQC81ywQ -aB8EKy5bg4U6 -=IbYW ------END PGP PUBLIC KEY BLOCK----- diff --git a/resources/spamassassin/user_prefs.template b/resources/spamassassin/user_prefs.template deleted file mode 100644 index 74ed3b4f..00000000 --- a/resources/spamassassin/user_prefs.template +++ /dev/null @@ -1,43 +0,0 @@ -# SpamAssassin user preferences file. See 'perldoc Mail::SpamAssassin::Conf' -# for details of what can be tweaked. -#* -#* Note: this file is not read by SpamAssassin until copied into the user -#* directory. At runtime, if a user has no preferences in their home directory -#* already, it will be copied for them, allowing them to perform personalised -#* customisation. If you want to make changes to the site-wide defaults, -#* create a file in /etc/spamassassin or /etc/mail/spamassassin instead. -########################################################################### - -# How many points before a mail is considered spam. -# required_score 5 - -# Welcomelist and blocklist addresses are now file-glob-style patterns, so -# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. -# welcomelist_from someone@somewhere.com -# welcomelist_to someone@mydomain.com - -# Add your own customised scores for some tests below. The default scores are -# read from the installed spamassassin rules files, but you can override them -# here. To see the list of tests and their default scores, go to -# https://spamassassin.apache.org/tests.html . -# -# score SYMBOLIC_TEST_NAME n.nn - -# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost -# definitely want to uncomment the following lines. They will switch off some -# rules that detect 8-bit characters, which commonly trigger on mails using CJK -# character sets, or that assume a western-style charset is in use. -# -# score HTML_COMMENT_8BITS 0 -# score UPPERCASE_25_50 0 -# score UPPERCASE_50_75 0 -# score UPPERCASE_75_100 0 -# score OBSCURED_EMAIL 0 - -# Speakers of any language that uses non-English, accented characters may wish -# to uncomment the following lines. They turn off rules that fire on -# misformatted messages generated by common mail apps in contravention of the -# email RFCs. - -# score SUBJ_ILLEGAL_CHARS 0 - diff --git a/tests/resources/smtp/antispam/headers.test b/tests/resources/smtp/antispam/headers.test new file mode 100644 index 00000000..fa1eea47 --- /dev/null +++ b/tests/resources/smtp/antispam/headers.test @@ -0,0 +1,58 @@ +expect HAS_X_PRIO_ONE + +X-Priority: 1 +From: test@test.com +To: test@test.com + +Test +<!-- NEXT TEST --> +expect MULTIPLE_UNIQUE_HEADERS HAS_X_PRIO_TWO + +X-Mailer: my mailer 1 +X-Priority: 2 +From: test@test.com +From: test@test.com +To: test@test.com + +Test +<!-- NEXT TEST --> +expect XM_CASE HAS_LIST_UNSUB HAS_XOIP HAS_ORG_HEADER PRECEDENCE_BULK MULTIPLE_UNIQUE_HEADERS + +X-mailer: my mailer 1 +X-Originating-IP: 127.0.0.1 +List-Unsubscribe: <unsub@list.org> +Precedence: bulk +Organization: my org +Subject: first subject +Subject: second subject + +Test +<!-- NEXT TEST --> +expect KLMS_SPAM UNITEDINTERNET_SPAM SPAM_FLAG XM_UA_NO_VERSION + +X-Mailer: my mailer +X-KLMS-AntiSpam-Status: spam +X-Spam: Yes +X-UI-Filterresults: JUNK +Subject: test + +Test +<!-- NEXT TEST --> +expect X_PHP_EVAL HAS_X_POS HAS_X_SOURCE HAS_X_PHP_SCRIPT PHP_XPS_PATTERN HIDDEN_SOURCE_OBJ HAS_X_GMSV HAS_X_ANTIABUSE HAS_X_AS HAS_XAW + +X-PHP-Script: sendmail.php +X-PHP-Originating-Script: eval() +X-Source-Args: ../script +X-Authenticated-Sender: sender: test@test.org +X-Get-Message-Sender-Via: authenticated_id: 123 +X-AntiAbuse: 1 +X-Authentication-Warning: 1 +Subject: test + +Test +<!-- NEXT TEST --> +expect HEADER_EMPTY_DELIMITER + +Subject:test + +Test diff --git a/tests/resources/smtp/antispam/html.test b/tests/resources/smtp/antispam/html.test index 03f3ff1b..616f4ab6 100644 --- a/tests/resources/smtp/antispam/html.test +++ b/tests/resources/smtp/antispam/html.test @@ -74,7 +74,7 @@ Content-Transfer-Encoding: 8bit <head></head> <body> <p>some text</p> -<a href="https://8.8.8.8/phisherino.php">https://mydomain.com</a> +<a href="https://8.8.8.8/phisherino.php">https://8.8.8.8</a> </body> --=====================_714967308==_.ALT-- @@ -237,3 +237,99 @@ Content-Transfer-Encoding: 8bit </html> --=====================_714967308==_.ALT-- +<!-- NEXT TEST --> +expect HTML_META_REFRESH_URL MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head> +<meta http-equiv="refresh" content="5; url=https://example.com/"> +</head> +<body> +<p>some text</p> +</body> +<!-- NEXT TEST --> +expect MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head> +<meta http-equiv="refresh" content="5"> +</head> +<body> +<p>some text</p> +</body> +<!-- NEXT TEST --> +expect HAS_DATA_URI DATA_URI_OBFU MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head> +<meta http-equiv="refresh" content="5"> +</head> +<body> +<p>some text</p> +<a href="data:text/plain;base64,SGVsbG8sIHdvcmxkIQ==">Click me for a hello message</a> +</body> +<!-- NEXT TEST --> +expect HAS_DATA_URI MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head> +<meta http-equiv="refresh" content="5"> +</head> +<body> +<p>some text</p> +<img src="data:image/png;base64,iVBORw0KGg...." alt="Red dot" /> +<a href="data:other">Click me for a hello message</a> +</body> +<!-- NEXT TEST --> +expect PHISHING MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head></head><body><p>some text</p> +<a href="https://domain1.com/query">https://domain2.com/otherquery</a> +</body> +<!-- NEXT TEST --> +expect MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head></head><body><p>some text</p> +<a href="https://domain1.co.uk/query">https://subdomain.domain1.co.uk/otherquery</a> +</body> +<!-- NEXT TEST --> +expect PHISHING MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head></head><body><p>some text</p> +<a href="https://domain1.com/query">domain2.com/otherquery</a> +</body> +<!-- NEXT TEST --> +expect MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head></head><body><p>some text</p> +<a href="https://domain1.co.uk/query">subdomain.domain1.co.uk/otherquery</a> +</body> +<!-- NEXT TEST --> +expect MIME_HTML_ONLY + +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 8bit + +<head></head><body><p>some text</p> +<a href="https://domain1.co.uk/query">normal text</a> +</body> diff --git a/tests/resources/smtp/antispam/mime.test b/tests/resources/smtp/antispam/mime.test new file mode 100644 index 00000000..22a8ebee --- /dev/null +++ b/tests/resources/smtp/antispam/mime.test @@ -0,0 +1,354 @@ +expect MISSING_MIME_VERSION + +Content-Type: text/plain; charset="us-ascii" + +Test +<!-- NEXT TEST --> +expect MV_CASE + +Content-Type: text/plain; charset="us-ascii" +Mime-Version: 1.0 + +Test +<!-- NEXT TEST --> +expect CTE_CASE CT_EXTRA_SEMI + +Content-Type: text/plain; charset="us-ascii"; +Content-Transfer-Encoding: 7Bit +MIME-Version: 1.0 + +Test +<!-- NEXT TEST --> +expect BROKEN_CONTENT_TYPE + +Content-Type: ; tag=1 +Content-Transfer-Encoding: 7bit +MIME-Version: 1.0 + +Test +<!-- NEXT TEST --> +expect MIME_HEADER_CTYPE_ONLY MISSING_MIME_VERSION + +Content-Type: text/html; charset="us-ascii" + +Test +<!-- NEXT TEST --> +expect R_BAD_CTE_7BIT + +Content-Type: text/plain +Content-Transfer-Encoding: 7bit +MIME-Version: 1.0 + +TéstÃng +<!-- NEXT TEST --> +expect R_MISSING_CHARSET + +Content-Type: text/plain +Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 + +Test +<!-- NEXT TEST --> +expect MIME_BASE64_TEXT_BOGUS MIME_BASE64_TEXT + +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: base64 +MIME-Version: 1.0 + +aGVsbG8gd29ybGQK + +<!-- NEXT TEST --> +expect MIME_BASE64_TEXT + +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: base64 +MIME-Version: 1.0 + +aMOpbGzDsyB3w7NybGQK + +<!-- NEXT TEST --> +expect + +MIME-Version: 1.0 +Content-Type: multipart/alternative; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor +incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud +exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. +Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore +eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in +culpa qui officia deserunt mollit anim id est laborum. + +--boundary +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 7bit + +<html> +<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor +incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud +exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.</p> +<p>Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore +eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in +culpa qui officia deserunt mollit anim id est laborum.</p> +</html> + +--boundary-- +<!-- NEXT TEST --> +expect MIME_MA_MISSING_TEXT + +MIME-Version: 1.0 +Content-Type: multipart/alternative; + boundary="boundary" + +--boundary +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 7bit + +<html> +<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor +incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud +exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.</p> +<p>Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore +eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in +culpa qui officia deserunt mollit anim id est laborum.</p> +</html> + +--boundary-- +<!-- NEXT TEST --> +expect MIME_MA_MISSING_HTML + +MIME-Version: 1.0 +Content-Type: multipart/alternative; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor +incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud +exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. +Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore +eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in +culpa qui officia deserunt mollit anim id est laborum. + +--boundary-- +<!-- NEXT TEST --> +expect R_PARTS_DIFFER + +MIME-Version: 1.0 +Content-Type: multipart/alternative; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +Lorem ipsum dolor sit amet, Rcnsectetur Radipiscing elit, Rsed do Reiusmod tempor +incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud +exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. +Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore +eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in +culpa qui officia deserunt mollit anim id est laborum. + +--boundary +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 7bit + +<html> +<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor +incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud +exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.</p> +<p>Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore +eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in +culpa qui officia deserunt mollit anim id est laborum.</p> +</html> +--boundary-- +<!-- NEXT TEST --> +expect URI_COUNT_ODD + +MIME-Version: 1.0 +Content-Type: multipart/alternative; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +Find me at http://www.example.com or http://www.example.org + +--boundary +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 7bit + +<html> +<p>Find me at http://www.example.com or</p> +</html> +--boundary-- +<!-- NEXT TEST --> +expect + +MIME-Version: 1.0 +Content-Type: multipart/alternative; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +Find me at http://www.example.com or http://www.example.org + +--boundary +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 7bit + +<html> +<p>Find me at http://www.example.com or http://example.org</p> +</html> +--boundary-- +<!-- NEXT TEST --> +expect CTYPE_MIXED_BOGUS + +MIME-Version: 1.0 +Content-Type: multipart/mixed; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: text/html; charset="utf-8" +Content-Transfer-Encoding: 7bit + +<html> +<p>this is a test</p> +</html> +--boundary-- +<!-- NEXT TEST --> +expect + +MIME-Version: 1.0 +Content-Type: multipart/mixed; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +another test + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +last test + +--boundary-- +<!-- NEXT TEST --> +expect HAS_ATTACHMENT + +MIME-Version: 1.0 +Content-Type: multipart/mixed; + boundary="boundary" + +--boundary +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: application/octet-stream +Content-Disposition: attachment +Content-Transfer-Encoding: 7bit + +<html> +<p>this is a test</p> +</html> +--boundary-- +<!-- NEXT TEST --> +expect CTYPE_MISSING_DISPOSITION HAS_ATTACHMENT + +Content-Type: application/octet-stream +MIME-Version: 1.0 + +Test +<!-- NEXT TEST --> +expect ENCRYPTED_PGP ENCRYPTED_SMIME SIGNED_PGP SIGNED_SMIME HAS_ATTACHMENT + +MIME-Version: 1.0 +Content-Type: multipart/encrypted; + boundary="boundary" + +--boundary +Content-Type: application/pkcs7-mime +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: application/pkcs7-signature +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: application/pgp-encrypted +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: application/pgp-signature +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: application/octet-stream +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary-- +<!-- NEXT TEST --> +expect CTYPE_MISSING_DISPOSITION HAS_ATTACHMENT + +Content-Type: application/octet-stream +MIME-Version: 1.0 + +Test +<!-- NEXT TEST --> +expect BOGUS_ENCRYPTED_AND_TEXT ENCRYPTED_SMIME + +MIME-Version: 1.0 +Content-Type: multipart/encrypted; + boundary="boundary" + +--boundary +Content-Type: application/pkcs7-mime +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary +Content-Type: text/html +Content-Transfer-Encoding: 7bit + +this is a test + +--boundary-- diff --git a/tests/resources/smtp/antispam/recipient.test b/tests/resources/smtp/antispam/recipient.test index c65e80ec..c610e251 100644 --- a/tests/resources/smtp/antispam/recipient.test +++ b/tests/resources/smtp/antispam/recipient.test @@ -124,3 +124,68 @@ Cc: user@gmail.com Bcc: some@guerrillamail.com Test +<!-- NEXT TEST --> +envelope_from test@test.com +expect SORTED_RECIPS RCPT_COUNT_SEVEN TO_DN_NONE + +To: a@domain.com, b@domain.com, c@domain.com, d@domain.com +Cc: e@domain.com, f@domain.com, g@domain.com + +Test +<!-- NEXT TEST --> +envelope_from test@test.com +expect RCPT_COUNT_SEVEN TO_DN_NONE + +To: tom@domain.com, mark@domain.com, bill@domain.com, peter@domain.com +Cc: jane@domain.com, mary@domain.com, lucy@domain.com + +Test +<!-- NEXT TEST --> +envelope_from test@test.com +expect SUSPICIOUS_RECIPS RCPT_COUNT_SEVEN TO_DN_NONE + +To: tim@domain.com, tom@domain.com, tum@domain.com, tem@domain.com +Cc: tam@domain.com, tron@domain.com, tym@domain.com + +Test +<!-- NEXT TEST --> +envelope_from info@notalist.org +envelope_to info@notalist.org +expect INFO_TO_INFO_LU RCPT_COUNT_ONE TO_MATCH_ENVRCPT_ALL TO_DN_NONE + +From: info@notalist.org +To: info@notalist.org +List-Unsubscribe: <info@notalist.org> + +Test +<!-- NEXT TEST --> +envelope_from info@notalist.org +envelope_to info@notalist.org +expect RCPT_COUNT_ONE TO_MATCH_ENVRCPT_ALL TO_DN_NONE + +From: info@notalist.org +To: info@notalist.org + +Test +<!-- NEXT TEST --> +envelope_from hello@test.org +envelope_to user@test.org +envelope_to test@test.org +expect TO_WRAPPED_IN_SPACES RCPT_COUNT_TWO TO_MATCH_ENVRCPT_ALL TO_DN_NONE + +From: hello@test.org +To: < user@test.org > +Cc: test@test.org + +Test +<!-- NEXT TEST --> +envelope_from hello@test.org +envelope_to user@test.org +envelope_to test@test.org +expect TO_WRAPPED_IN_SPACES RCPT_COUNT_TWO TO_MATCH_ENVRCPT_ALL TO_DN_SOME + +From: hello@test.org +To: user@test.org +Cc: "Test" <test@test.org > + +Test diff --git a/tests/resources/smtp/antispam/url.test b/tests/resources/smtp/antispam/url.test new file mode 100644 index 00000000..56a5d39e --- /dev/null +++ b/tests/resources/smtp/antispam/url.test @@ -0,0 +1,81 @@ +expect HFILTER_URL_ONLY + +Subject: test + +https://url.org +<!-- NEXT TEST --> +expect + +Subject: test + +my site is https://url.org +<!-- NEXT TEST --> +expect R_SUSPICIOUS_URL + +Subject: test + +my site is https://192.168.1.1 +<!-- NEXT TEST --> +expect CONFUSABLE_URL + +Subject: test + +my site is https://xn--youtue-tg7b.com +<!-- NEXT TEST --> +expect R_MIXED_CHARSET_URL CONFUSABLE_URL + +Subject: test + +my site is https://www.xn--80ak6aa92e.com/ +<!-- NEXT TEST --> +expect R_SUSPICIOUS_URL + +Subject: test + +login to your account at https://bánk.com/ +<!-- NEXT TEST --> +expect URL_REDIRECTOR_NESTED REDIRECTOR_URL + +Subject: nested redirect + +login to https://redirect.com/?https://redirect.org/?https://redirect.net/?https://redirect.io/?https://redirect.me/?https://redirect.com +<!-- NEXT TEST --> +expect REDIRECTOR_URL CONFUSABLE_URL + +Subject: redirect to confusable + +login to https://www.redirect.com/?https://xn--twiter-507b.com +<!-- NEXT TEST --> +expect HAS_ONION_URI + +Subject: url in title darkweb.onion/login + +test +<!-- NEXT TEST --> +expect HAS_IPFS_GATEWAY_URL HAS_WP_URI URI_HIDDEN_PATH + +Subject: html test + +<link href="site.com/ipfs/Qm123"> +<a href="https://web.org/../../login.php"><img src="http://site.org/wp-static/img.png"></a> + +<!-- NEXT TEST --> +expect HAS_GUC_PROXY_URI HAS_GOOGLE_FIREBASE_URL HAS_GOOGLE_REDIR + +Subject: mixed urls googleusercontent.com/proxy/url + +<a href="https://firebasestorage.googleapis.com/content">google.com/url?otherurl.org</a> + +<!-- NEXT TEST --> +expect WP_COMPROMISED HAS_WP_URI + +Subject: plain test + +http://url.com/Well-known/../assetlinks.json +http://wp.com/WP-content/content.pdf +<!-- NEXT TEST --> +expect REDIRECTOR_URL + +Subject: test + +go to my site https://tinyurl.com/4fbkcb6m diff --git a/tests/resources/smtp/lists/redirectors.txt b/tests/resources/smtp/lists/redirectors.txt new file mode 100644 index 00000000..0d31b158 --- /dev/null +++ b/tests/resources/smtp/lists/redirectors.txt @@ -0,0 +1,8 @@ +bit.ly +redirect.io +redirect.me +redirect.org +redirect.com +redirect.net +t.ly +tinyurl.com diff --git a/tests/src/smtp/inbound/antispam.rs b/tests/src/smtp/inbound/antispam.rs index 0a144803..f0218cad 100644 --- a/tests/src/smtp/inbound/antispam.rs +++ b/tests/src/smtp/inbound/antispam.rs @@ -1,4 +1,11 @@ -use std::{collections::HashMap, fs, path::PathBuf, sync::Arc}; +use std::{ + borrow::Cow, + collections::HashMap, + fs, + path::PathBuf, + sync::Arc, + time::{Duration, Instant}, +}; use crate::smtp::session::TestSession; use ahash::AHashMap; @@ -10,7 +17,7 @@ use smtp::{ core::{Session, SessionAddress, SMTP}, inbound::AuthResult, scripts::{ - functions::html::{get_attribute, html_img_area, html_to_tokens}, + functions::html::{get_attribute, html_attr_tokens, html_img_area, html_to_tokens}, ScriptResult, }, }; @@ -57,13 +64,18 @@ type = "glob" comment = '#' values = ["file://%LIST_PATH%/disposable-domains.txt"] +[directory."spam".lookup."redirectors"] +type = "glob" +comment = '#' +values = ["file://%LIST_PATH%/redirectors.txt"] + [resolver] public-suffix = "file://%LIST_PATH%/public-suffix.dat" [sieve.scripts] "#; -#[tokio::test] +#[tokio::test(flavor = "multi_thread")] async fn antispam() { /*tracing::subscriber::set_global_default( tracing_subscriber::FmtSubscriber::builder() @@ -83,6 +95,9 @@ async fn antispam() { "from", "replyto", "recipient", + "mime", + "headers", + "url", ]; let mut core = SMTP::test(); let qr = core.init_test_queue("smtp_antispam_test"); @@ -120,6 +135,19 @@ async fn antispam() { core.sieve = config.parse_sieve(&mut ctx).unwrap(); let config = &mut core.session.config; config.rcpt.relay = IfBlock::new(true); + + // Add mock DNS entries + core.resolvers.dns.ipv4_add( + "bank.com", + vec!["127.0.0.1".parse().unwrap()], + Instant::now() + Duration::from_secs(100), + ); + core.resolvers.dns.ipv4_add( + "apple.com", + vec!["127.0.0.1".parse().unwrap()], + Instant::now() + Duration::from_secs(100), + ); + let core = Arc::new(core); // Run tests @@ -404,6 +432,69 @@ fn html_tokens() { assert_eq!(html_to_tokens(input), expected, "Failed for '{:?}'", input); } + for (input, expected) in [ + ( + concat!( + "<a href=\"a\">text</a>", + "<a href =\"b\">text</a>", + "<a href= \"c\">text</a>", + "<a href = \"d\">text</a>", + "< a href = \"e\" >text</a>", + "<a hrefer = \"ignore\" >text</a>", + "< anchor href = \"x\">text</a>", + ), + vec![ + Variable::String("a".to_string()), + Variable::String("b".to_string()), + Variable::String("c".to_string()), + Variable::String("d".to_string()), + Variable::String("e".to_string()), + ], + ), + ( + concat!( + "<a href=a>text</a>", + "<a href =b>text</a>", + "<a href= c>text</a>", + "<a href = d>text</a>", + "< a href = e >text</a>", + "<a hrefer = ignore>text</a>", + "<anchor href=x>text</a>", + ), + vec![ + Variable::String("a".to_string()), + Variable::String("b".to_string()), + Variable::String("c".to_string()), + Variable::String("d".to_string()), + Variable::String("e".to_string()), + ], + ), + ( + concat!( + "<!-- <a href=a>text</a>", + "<a href =b>text</a>", + "<a href= c>--text</a>-->", + "<a href = \"hello world\">text</a>", + "< a href = test ignore>text</a>", + "< a href = fudge href ignore>text</a>", + "<a href=foobar> a href = \"unknown\" </a>", + ), + vec![ + Variable::String("hello world".to_string()), + Variable::String("test".to_string()), + Variable::String("fudge".to_string()), + Variable::String("foobar".to_string()), + ], + ), + ] { + assert_eq!( + html_attr_tokens(input, "a", vec![Cow::from("href")]), + expected, + "Failed for '{:?}'", + input + ); + } + for (tag, attr_name, expected) in [ ("<img width=200 height=400", "width", "200"), ("<img width=200 height=400", "height", "400"), |