# SpamAssassin rules file: compensation for common false positives
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
###########################################################################

# Header compensation tests
#
# Note: HTML compensation tests are in 20_body_tests.cf
#
# Every rule in this section is marked "tflags ... nice", i.e. it is meant to
# carry a negative score and offset false positives. No "score" lines appear
# in this file, so the weights are set elsewhere.
# NOTE(review): most of these tests read headers that the sending side writes.
# A hit is a weak hint of legitimacy, not proof of origin, so the matching
# scores are best kept small.

require_version @@VERSION@@

# support for Habeas sender-warranted email: http://www.habeas.com/
# The check itself is the eval function message_is_habeas_swe(), which is
# defined outside this file.
header HABEAS_SWE eval:message_is_habeas_swe()
describe HABEAS_SWE Uses the Habeas warrant mark (http://www.habeas.com/)
tflags HABEAS_SWE nice

# Calls an eval function with the domain 'ebay.com' and a second argument
# 'true'; the meaning of the second argument is not visible here.
# NOTE(review): presumably ties the From domain to the Received chain -- confirm
# against the eval function before relying on it as an authenticity check.
header GENUINE_EBAY_RCVD eval:check_for_from_domain_in_received_headers('ebay.com', 'true')
describe GENUINE_EBAY_RCVD Message from eBay
tflags GENUINE_EBAY_RCVD nice

# "exists:" only tests that the header is present; its value is not inspected.
header APPROVED_BY exists:Approved-By
describe APPROVED_BY Has an Approved-By moderated list header
tflags APPROVED_BY nice

# Matches an X-Mailer value containing "Internet Mail Service (<digits/dots>)".
header EXCHANGE_SERVER X-Mailer =~ /Internet Mail Service \([\d\.]+\)/
describe EXCHANGE_SERVER Came via Internet Mail Service plugin
tflags EXCHANGE_SERVER nice

# This is a Bugzilla bug status report e-mail and probably OK
header BUGZILLA_BUG eval:message_from_bugzilla()
describe BUGZILLA_BUG Looks like a Bugzilla bug
tflags BUGZILLA_BUG nice

# Same idea for Debian bug-tracking-system mail; the logic lives in the eval
# function message_from_debian_bts(), defined outside this file.
header DEBIAN_BTS_BUG eval:message_from_debian_bts()
describe DEBIAN_BTS_BUG Looks like a Debian BTS bug
tflags DEBIAN_BTS_BUG nice

# give a negative score to Majordomo results.
# Subject contains "Majordomo results" or "Majordomo request results"
# (the pattern is unanchored and case-sensitive).
header MAJORDOMO Subject =~ /Majordomo (?:request )?results/
describe MAJORDOMO From Majordomo
tflags MAJORDOMO nice

# The whole References value must be one or more <local@domain> message-ids,
# where the domain may also be a bracketed dotted-quad. This is a syntax check
# only; it does not show that the referenced messages exist.
header REFERENCES References =~ /^(<(?:[a-zA-Z0-9.!\#\$%&'*\+\/=?\^_{}|~-]+|\".+\")\@(?:[a-zA-Z0-9.-]+|\[\d{1,3}(?:\.\d{1,3}){3}\])>\s*)+$/
describe REFERENCES Has a valid-looking References header
tflags REFERENCES nice

# User-Agent isn't usually found with spam, but ignore it if we already account with a compensate rule
# USER_AGENT fires only when the header exists and none of the listed
# USER_AGENT_* rules hit; those rules are defined outside this file.
header __USER_AGENT exists:User-Agent
meta USER_AGENT ( __USER_AGENT && !USER_AGENT_PINE && !USER_AGENT_MUTT && !USER_AGENT_MOZILLA_UA && !USER_AGENT_MOZILLA_XM && !USER_AGENT_MACOE && !USER_AGENT_ENTOURAGE && !USER_AGENT_KMAIL && !USER_AGENT_IMP && !USER_AGENT_TONLINE && !USER_AGENT_APPLEMAIL && !USER_AGENT_GNUS_UA && !USER_AGENT_GNUS_XM && !USER_AGENT_VM && !USER_AGENT_MSN && !USER_AGENT_FORTE && !USER_AGENT_XIMIAN )
describe USER_AGENT Has a User-Agent header
tflags USER_AGENT nice

# these headers have very low correlation with spam
# All seven are presence-only ("exists:") tests; header values are not examined.
# NOTE(review): the correlation is an observation about the corpus of the time.
# Each header can be added by any sender, so re-measure before trusting it.
header CRON_ENV exists:X-Cron-Env
header IN_REP_TO exists:In-Reply-To
header X_AUTH_WARNING exists:X-Authentication-Warning
header X_MAILING_LIST exists:X-Mailing-List
header X_LOOP exists:X-Loop
header X_ACCEPT_LANG exists:X-Accept-Language
header RESENT_TO exists:Resent-To

describe CRON_ENV Has a X-Cron-Env header
describe IN_REP_TO Has a In-Reply-To header
describe X_AUTH_WARNING Has a X-Authentication-Warning header
describe X_MAILING_LIST Has a X-Mailing-List header
describe X_LOOP Has a X-Loop header
describe X_ACCEPT_LANG Has a X-Accept-Language header
describe RESENT_TO Has a Resent-To header

tflags CRON_ENV nice
tflags IN_REP_TO nice
tflags X_AUTH_WARNING nice
tflags X_MAILING_LIST nice
tflags X_LOOP nice
tflags X_ACCEPT_LANG nice
tflags RESENT_TO nice

# came from a known mailing list system -- but one which does *not* have built-in
# (or working!) spam filtering.
# Detection is delegated to the eval function detect_mailing_list(), which is
# defined outside this file.
header KNOWN_MAILING_LIST eval:detect_mailing_list()
describe KNOWN_MAILING_LIST Email came from some known mailing list software
tflags KNOWN_MAILING_LIST nice

# from Theo Van Dinter, see http://www.hughes-family.org/bugzilla/show_bug.cgi?id=591
body MSN_GROUPS eval:check_for_msn_groups_headers()
describe MSN_GROUPS Came from MSN Communities
tflags MSN_GROUPS nice

# X-Mailer starts with "NMS FormMail.pl" and later contains "v<digit>".
header NMS_CGI_NOT_BUGGY X-Mailer =~ /^NMS FormMail\.pl.*v\d/
describe NMS_CGI_NOT_BUGGY Not Matt's Scripts formmail.pl
tflags NMS_CGI_NOT_BUGGY nice

# some non-spam rules from http://www.darkmere.gen.nz/2002/0628.html
header Q_FOR_SELLER Subject =~ /Question.*(?:for|to|from eBay).*(?:seller|Member)/
describe Q_FOR_SELLER Subject is an eBay question
tflags Q_FOR_SELLER nice

# Case-insensitive match on the words "in review" anywhere in the Subject.
header SUBJECT_IS_IN_REVIEW Subject =~ /\bin review\b/i
describe SUBJECT_IS_IN_REVIEW Subject contains newsletter header (in review)
tflags SUBJECT_IS_IN_REVIEW nice

# The whole X-eGroups-Return value must be sentto-...@returns.groups.yahoo.com.
header FROM_EGROUPS X-eGroups-Return =~ /^sentto-.*\@returns\.groups\.yahoo\.com$/
describe FROM_EGROUPS Appears to be from yahoo groups
tflags FROM_EGROUPS nice

# compensate for common false pos on above rule: Yahoo! webmail
# Matched against the complete header block ("ALL"): a Message-Id ending in
# .mail.yahoo.com followed directly by a Received line "... via HTTP;".
header YAHOO_MSGID_ADDED ALL =~ /Message-Id: <\S+\.mail\.yahoo\.com>\nReceived: .*by \S+mail\.yahoo\.com via HTTP;/s
describe YAHOO_MSGID_ADDED 'Message-Id' was added by yahoo.com, that's OK
tflags YAHOO_MSGID_ADDED nice

###########################################################################
# Body compensation tests
###########################################################################
#
# The footer rules below match fixed provider tag-lines in the message text.
# NOTE(review): a footer is plain text that any sender can include, so these
# hits say nothing about where the message actually came from.

body HOTMAIL_FOOTER1 /Send and receive Hotmail on your mobile device\b/
describe HOTMAIL_FOOTER1 Common footer for Hotmail
tflags HOTMAIL_FOOTER1 nice

body HOTMAIL_FOOTER2 /Get your FREE download of MSN Explorer at\b/
describe HOTMAIL_FOOTER2 Common footer for Hotmail
tflags HOTMAIL_FOOTER2 nice

body HOTMAIL_FOOTER3 /Get Your Private, Free E-mail from MSN Hotmail at http:\/\/www\.hotmail\.com\./
describe HOTMAIL_FOOTER3 Common footer for Hotmail
tflags HOTMAIL_FOOTER3 nice

body HOTMAIL_FOOTER5 /Chat with friends online, try MSN Messenger\b/
describe HOTMAIL_FOOTER5 Common footer for Hotmail
tflags HOTMAIL_FOOTER5 nice

body MSN_FOOTER1 /MSN Photos is the easiest way to share and print your photos\b/
describe MSN_FOOTER1 Common footer for MSN
tflags MSN_FOOTER1 nice

# \Q...\E quotes the host name so its dots are matched literally.
body GROUPS_YAHOO_1 /^Your use of Yahoo! Groups is subject to http:\/\/\Qdocs.yahoo.com\E\/info\/terms\//
describe GROUPS_YAHOO_1 Yahoo! Groups message
tflags GROUPS_YAHOO_1 nice

# signature tests
# All four call check_signature() with three string arguments. Going by the
# descriptions, the first two look like a minimum and maximum line count and
# the third selects "no empty lines" ('0') or "empty lines" ('1').
# TODO confirm against the eval function, which is not defined in this file.
full SIGNATURE_SHORT_DENSE eval:check_signature('1', '7', '0')
describe SIGNATURE_SHORT_DENSE Short signature present (no empty lines)
tflags SIGNATURE_SHORT_DENSE nice

full SIGNATURE_SHORT_SPARSE eval:check_signature('1', '7', '1')
describe SIGNATURE_SHORT_SPARSE Short signature present (empty lines)
tflags SIGNATURE_SHORT_SPARSE nice

full SIGNATURE_LONG_DENSE eval:check_signature('8', '15', '0')
describe SIGNATURE_LONG_DENSE Long signature present (no empty lines)
tflags SIGNATURE_LONG_DENSE nice

full SIGNATURE_LONG_SPARSE eval:check_signature('8', '15', '1')
describe SIGNATURE_LONG_SPARSE Long signature present (empty lines)
tflags SIGNATURE_LONG_SPARSE nice

# Opening sentence of a Mailman subscription confirmation.
body MAILMAN_CONFIRM /^We have received a request from \S+ for subscription of your email address, \S+, to the \S+ mailing list\./
describe MAILMAN_CONFIRM A MailMan confirm-your-address message
tflags MAILMAN_CONFIRM nice

# PGP_SIGNATURE needs all three sub-rules: the BEGIN armor line, at least one
# line of exactly 64 base64 characters, and the END armor line. The sub-rules
# are independent, so their relative order in the body is not checked.
# NOTE(review): this is pattern matching on the armor text only; nothing here
# verifies the signature. A hit means "formatted like signed mail", not
# "cryptographically authentic".
rawbody __PGP_BEGIN /^-----BEGIN PGP SIGNATURE-----$/
rawbody __PGP_MIDDLE /^[0-9A-Za-z+\/]{64}$/
rawbody __PGP_END /^-----END PGP SIGNATURE-----$/
meta PGP_SIGNATURE (__PGP_BEGIN && __PGP_MIDDLE && __PGP_END)
describe PGP_SIGNATURE Contains a PGP-signed message
tflags PGP_SIGNATURE nice

# Content-Type declares protocol=application/pgp-signature (PGP/MIME layout).
# The same caveat applies: the declared type is checked, not the signature.
header PGP_SIGNATURE_2 Content-Type =~ /protocol=.?application\/pgp-signature.?;/i
describe PGP_SIGNATURE_2 Contains a PGP-signed message (signature attached)
tflags PGP_SIGNATURE_2 nice

# SMIME_SIGNATURE needs a multipart/signed Content-Type header with a protocol
# parameter and a part headed "Content-Type: application/x-pkcs7-signature;".
# The structure is checked; the signature is not validated.
header __SMIME_SIGNED_HDR Content-Type =~ /multipart\/signed;.*protocol=/i
full __SMIME_SIGNED_BODY /\nContent-Type: application\/x-pkcs7-signature;/
meta SMIME_SIGNATURE (__SMIME_SIGNED_HDR && __SMIME_SIGNED_BODY)
describe SMIME_SIGNATURE Contains an S/MIME-signed message
tflags SMIME_SIGNATURE nice

# A complete unified-diff hunk header line: "@@ -a,b +c,d @@".
rawbody PATCH_UNIFIED_DIFF /^\@\@ [-+0-9]+,[0-9]+ [-+0-9]+,[0-9]+ \@\@$/
describe PATCH_UNIFIED_DIFF Contains what looks like a patch from diff -u
tflags PATCH_UNIFIED_DIFF nice

# A context-diff file header: "*** <name> <10+ characters> hh:mm:ss ".
rawbody PATCH_CONTEXT_DIFF /^\*{3} \S+\s+.{10,}\b\d{2}:\d{2}:\d{2}\s/
describe PATCH_CONTEXT_DIFF Contains what looks like a patch from diff -c
tflags PATCH_CONTEXT_DIFF nice

# "This e-mail ... confidential ... legally privileged", with 1 to 20
# characters allowed in each gap; case-insensitive.
body DISCLAIMER_LEGALESE /This e?-?mail.{1,20}confidential.{1,20}legally privileged/i
describe DISCLAIMER_LEGALESE Contains what looks like an 'E-Mail Disclaimer'
tflags DISCLAIMER_LEGALESE nice

# The regexp begins with "(?:\"|--- )?" because, in addition to
# possibly beginning with a double quote, it might also begin with
# "--- ", which is used by the Yahoo! groups web form when
# doing attribution.
#
# The regexp ends with "\s*(?:$|>)" rather than "$" because, by
# the time the "body" tests are done, this:
#
# foo@bar.com writes:
# > blah blah blah
#
# becomes
#
# foo@bar.com writes: > blah blah blah
#
body EMAIL_ATTRIBUTION /^(?:\"|--- )?\w.{4,80} (?:wrote|writes):\s*(?:$|>)/
describe EMAIL_ATTRIBUTION Contains what looks like an email attribution
tflags EMAIL_ATTRIBUTION nice

# A raw line of one or more ">" marks, whitespace, then 60 to 72 characters.
rawbody QUOTED_EMAIL_TEXT /^>+\s+.{60,72}$/
describe QUOTED_EMAIL_TEXT Contains what looks like a quoted email text
tflags QUOTED_EMAIL_TEXT nice

# Text starting with "> > " (two quote levels).
body QUOTE_TWICE_1 /^> >\s/
describe QUOTE_TWICE_1 Contains twice quoted reply
tflags QUOTE_TWICE_1 nice

# spamassassin@davidgreenaway.com (David Greenaway)
# "forgot"/"forget" followed within 25 characters by "password".
# NOTE(review): password-reset wording also appears in credential-phishing
# mail, so a compensating score based on this body text alone deserves a
# second look.
body FORGOTTEN_PASSWORD /[fF]org[oe]t.{0,25}[pP]assword/
describe FORGOTTEN_PASSWORD Contains a password retrieval system
tflags FORGOTTEN_PASSWORD nice

body REG_THANKS /\bThank you for registering\b/i
describe REG_THANKS Something about registration
tflags REG_THANKS nice

###########################################################################
# meta compensation tests
###########################################################################

# EVITE fires when the Received and URI sub-rules both hit, or when the
# Content-Type sub-rule hits together with either of them. The URI sub-rule
# requires an "iid=" parameter of 20 uppercase letters.
header __EVITE_CTYPE Content-Type =~ /(?:multipart\/alternative|text\/(?:plain|html));/
header __EVITE_RCVD Received =~ /\b(?:evite|evt\S*\.citysearch)\.com/
uri __EVITE_URI /\bevite(?:\.citysearch)?\.com\/.*iid=[A-Z]{20}/
meta EVITE ((__EVITE_RCVD && __EVITE_URI) || (__EVITE_CTYPE && (__EVITE_RCVD || __EVITE_URI)))
describe EVITE Message looks like an Evite
tflags EVITE nice

# Sums the results of four rules defined in this file and fires when the total
# exceeds 2, so no single reply indicator is enough on its own.
meta REPLY_WITH_QUOTES ((IN_REP_TO + REFERENCES + EMAIL_ATTRIBUTION + QUOTED_EMAIL_TEXT) > 2)
describe REPLY_WITH_QUOTES Reply with quoted text
tflags REPLY_WITH_QUOTES nice

###########################################################################

# Till now no spammer told me where he's working at :o)
# -- Malte
# freqs: 2.273 0.383 3.416 0.10 1.00 HAS_ORGANIZATION
# Presence-only test on the Organization header.
header HAS_ORGANIZATION exists:Organization
describe HAS_ORGANIZATION Where are you working at?
tflags HAS_ORGANIZATION nice

body HOTMAIL_FOOTER4 /Join the world's largest e-mail service with MSN Hotmail\./
describe HOTMAIL_FOOTER4 Common footer for Hotmail
tflags HOTMAIL_FOOTER4 nice

# NOTE(review): as written, both groups in this pattern are optional and
# nothing is required between them, so it matches an empty From value and
# never requires a mailer-daemon address. An angle-bracketed address part may
# have been lost when this copy was produced. Compare with the upstream rules
# file before using it.
header MAILER_DAEMON From =~ /^(?:Mail Delivery \w+ )??(?: \(Mail Delivery \w+\))?$/i
describe MAILER_DAEMON From the Mailer-Daemon
tflags MAILER_DAEMON nice

# Subject begins with one of four bounce phrases (case-insensitive).
header FAILURE_NOTICE_1 Subject =~ /^(?:failure notice|returned mail:|Delivery Status Notification|Undeliverable:)/i
describe FAILURE_NOTICE_1 Mailer daemon failure notice (1)
tflags FAILURE_NOTICE_1 nice

# Body contains one of four bounce phrases (case-insensitive).
body FAILURE_NOTICE_2 /\b(?:Delivery to the following recipients failed|This Message was undeliverable|The following addresses had permanent fatal errors|did not reach the following recipient)\b/i
describe FAILURE_NOTICE_2 Mailer daemon failure notice (2)
tflags FAILURE_NOTICE_2 nice

# Case-sensitive "Fwd:" followed by whitespace. The "test" lines record the
# expected outcome for sample subjects: "ok" must match, "fail" must not
# ("Fwd:Pure" has no whitespace; "FWD:" is upper case).
header FWD_MSG Subject =~ /Fwd:\s/
describe FWD_MSG Forwarded email
tflags FWD_MSG nice
test FWD_MSG ok Subject: Fwd: Dracula
test FWD_MSG ok Subject: [landho] Fwd: tell rod
test FWD_MSG fail Subject: Fwd:Pure Opt-In for half the price
test FWD_MSG fail Subject: Re: RE: FWD: search results . . .
# ORIGINAL_MESSAGE needs both sub-rules: an X-Mailer naming one of four
# clients, and a raw body line of the form "-----Original Message-----" with
# 5 to 8 dashes on each side.
header __ORIG_MESSAGE_AGENT X-Mailer =~ /\b(?:Microsoft Outlook|Internet Mail Service|Mozilla|AOL)\b/
rawbody __ORIG_MESSAGE_LINE /^-{5,8} ?Original Message ?-{5,8}$/
meta ORIGINAL_MESSAGE (__ORIG_MESSAGE_AGENT && __ORIG_MESSAGE_LINE)
describe ORIGINAL_MESSAGE Looks like a reply to a message
tflags ORIGINAL_MESSAGE nice

# 3.351 0.0060 4.5117 0.001 0.97 -1.00 T_MSGID_GOOD_EXCHANGE
# The whole Message-Id must be "<", exactly 28 uppercase letters, a dot, then
# non-space text containing "@", then ">".
# NOTE(review): this checks the shape of a sender-supplied header only; it does
# not show that an Exchange server generated it.
header MSGID_GOOD_EXCHANGE Message-Id =~ /^<[A-Z]{28}\.\S+\@\S+>$/
describe MSGID_GOOD_EXCHANGE Message-Id indicates the message was sent from MS Exchange
tflags MSGID_GOOD_EXCHANGE nice

# mailman list reminder mails are getting tagged in 2.41, adding a rule to check for these
# MAILMAN_REMINDER needs both sub-rules: a From address starting with
# "mailman-owner@" (any domain) and the reminder phrase in the Subject.
# NOTE(review): the "@" in the first pattern is unescaped, unlike the "\@" used
# in the other patterns in this file -- confirm it is read as a literal.
header __FROM_MAILMAN_OWNER From:addr =~ /^mailman-owner@/
header __SUBJECT_MAILMAN_REMIND Subject =~ /\bmailing list memberships reminder\b/
meta MAILMAN_REMINDER (__FROM_MAILMAN_OWNER && __SUBJECT_MAILMAN_REMIND)
describe MAILMAN_REMINDER Mail headers indicate a mailman membership reminder
tflags MAILMAN_REMINDER nice