# SpamAssassin rules file: meta tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Add meta tests which cover *both* headers and body here.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
###########################################################################

require_version @@VERSION@@

# some tests that will trigger FPs on ISO-2022-JP mails.

body __ISO_2022_JP_DELIM	/\e\$B/

body __THREE_DOLLARS		/\${3,}/
header __MANY_EXCLS             Subject =~ /![^!]+!/
header __PLING_PLING            Subject =~ /!!!/

body __UPPERCASE_25_50          eval:check_for_uppercase('25', '50')
body __UPPERCASE_50_75          eval:check_for_uppercase('50', '75')
body __UPPERCASE_75_100         eval:check_for_uppercase('75', '100')

meta CASHCASHCASH		(!__ISO_2022_JP_DELIM && __THREE_DOLLARS)
describe CASHCASHCASH		Contains at least 3 dollar signs in a row
meta MANY_EXCLAMATIONS          (!__ISO_2022_JP_DELIM && __MANY_EXCLS)
describe MANY_EXCLAMATIONS      Subject has many exclamations
meta UPPERCASE_25_50            (!__ISO_2022_JP_DELIM && __UPPERCASE_25_50)
describe UPPERCASE_25_50        message body is 25-50% uppercase
meta UPPERCASE_50_75            (!__ISO_2022_JP_DELIM && __UPPERCASE_50_75)
describe UPPERCASE_50_75        message body is 50-75% uppercase
meta UPPERCASE_75_100           (!__ISO_2022_JP_DELIM && __UPPERCASE_75_100)
describe UPPERCASE_75_100       message body is 75-100% uppercase
meta PLING_PLING                (!__ISO_2022_JP_DELIM && __PLING_PLING)
describe PLING_PLING            Subject has lots of exclamation marks

# Steve Linford via Charlie Watts: good test!
header __RCVD_BY_HOTMAIL	Received =~ / by hotmail\.com /
body __MIME_HTML_ONLY		eval:check_for_mime_html_only()
meta MIME_HTML_ONLY		(!__RCVD_BY_HOTMAIL && __MIME_HTML_ONLY)
describe MIME_HTML_ONLY		Message only has text/html MIME parts

##############################################################################

meta NIGERIAN_BODY	( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 ) > 1
describe NIGERIAN_BODY	Message body has multiple indications of Nigerian spam
body __NIGERIAN_BODY_1		/\b(?:financial|confiden(?:tial|ce)|safe|mutual|secret|success|risk-?free|details|business).{1,30}\btransaction\b/i
body __NIGERIAN_BODY_2		/\btransaction\b.{1,30}\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee)/i
body __NIGERIAN_BODY_3		/BASED ON INFORMATION GATHERED ABOUT YOU, WE BELIEVE\s*YOU WOULD BE IN A POSITION TO HELP US IN TRANSFER/i
body __NIGERIAN_BODY_5		/\bpoisoned (?:to death )?by his business associate/i
body __NIGERIAN_BODY_6		/\bIt is with trust and confidentiality\b/i
body __NIGERIAN_BODY_7		/\bU\.?S\.?(?:D\.?)?\s*(?:\$\s*)?(?:\d+,\d+,\d+|\d+\.\d+\.\d+|\d+(?:\.\d+)?\s*milli?on)/i
body __NIGERIAN_BODY_8		/\b(?:You may be sur?prised to receive this letter from me|this (?:letter|mail) (?:(?:may|will) come to you as|will be) a sur?prise)\b/i
body __NIGERIAN_BODY_9		/\bthe .{1,10} son of\b/i
body __NIGERIAN_BODY_10		/\burgent and(?: very)? (?:profitable|confidential) business (?:proposal|proposition)\b/i
body __NIGERIAN_BODY_11		/\bassistance to relocate\b/i
body __NIGERIAN_BODY_12		/\bto which will be transferred the sum\b/i
body __NIGERIAN_BODY_13		/\byour(?: private)? (?:tele)?phone (?:and|&) fax Numbers?\b/i
body __NIGERIAN_BODY_14		/\bthe importance of Secrecy\b/i
body __NIGERIAN_BODY_15		/\bmodalities\b/i
body __NIGERIAN_BODY_16		/\bI am a Private Investigator\b/i
body __NIGERIAN_BODY_17		/\bWRITING THIS LETTER TO SOLICIT\b/i
body __NIGERIAN_BODY_18		/\bSEVERAL ATTEMPTS HAVE BEEN MADE WITH OUT SUCCESS\b/i
body __NIGERIAN_BODY_19		/\bMY PROPOSAL IS ACCEPTABLE\b/i
body __NIGERIAN_BODY_20		/\d+%.{0,15}\)? (?:of (?:the total|this|the) (?:amount|sum|money)|for you|for my investment|for (?:us|me)|.{0,15}\bfor your expenses)\b/i
body __NIGERIAN_BODY_21		/\bforeign account\b/i
body __NIGERIAN_BODY_22		/\btrust (?:and|&) confidentiality\b/i
body __NIGERIAN_BODY_25		/\bvery beneficial to both of us\b/i
body __NIGERIAN_BODY_26		/\bmilli?on (?:.{1,25} thousand\s*)?(?:(?:united states|u\.?s\.?) dollars|(?i:U\.?S\.?D?))\b/i
body __NIGERIAN_BODY_27		/\bcorrespondent branch\b/i
body __NIGERIAN_BODY_28		/\btransaction is .{1,15} risk free.\b/i
body __NIGERIAN_BODY_29		/\b(?:percentage|rate) of this money\b/i
body __NIGERIAN_BODY_30		/\bfavou?rable response\b/i
body __NIGERIAN_BODY_31		/\btotal acceptance and commitment\b/i
body __NIGERIAN_BODY_32		/\blocate(?: .{1,20})? extended relative/i
body __NIGERIAN_BODY_33		/\bhonest cooperation\b/i
body __NIGERIAN_BODY_34		/\b(?:wife|son|brother|daughter) of the late\b/i
body __NIGERIAN_BODY_35		/\bintuitive confidence/i
body __NIGERIAN_BODY_36		/\battached to ticket number\b/i
body __NIGERIAN_BODY_37		/\ball funds will be returned\b/i
body __NIGERIAN_BODY_38		/\b(?:International\b.{1,15}\bLottery|lottery\b.{1,15}\binternational)\b/i
body __NIGERIAN_BODY_39		/\bYOUR FULL NAMES?,?(?:and|&)? FULL CONTACT ADDRESS\b/i
body __NIGERIAN_BODY_40		/\bsend .{1,30}\byour telefax Numbers?\b/i
body __NIGERIAN_BODY_41		/(?:government|bank) of nigeria/i
body __NIGERIAN_BODY_42		/nigerian? (?:national|government)/i

##############################################################################

header __IDENT_NOBODY		Received =~ /ident[:=]nobody\b/i
header __REGSITE_COM		Received =~ /\.registeredsite\.com\s/
header __X_BEENTHERE		exists:X-BeenThere
header __IDENT_NOBODY_LOCALHOST Received =~ /\bident[:=]nobody\@localhost\b/i
meta IDENT_NOBODY		(__IDENT_NOBODY && !__IDENT_NOBODY_LOCALHOST && !__REGSITE_COM && !((FORGOTTEN_PASSWORD + __X_BEENTHERE + KNOWN_MAILING_LIST) > 1))
describe IDENT_NOBODY		Received lines include an 'ident:nobody' string

header __SANE_MSGID		MESSAGEID =~ /^<[^<>\\ \t\n\r\x0b\x80-\xff]+\@[^<>\\ \t\n\r\x0b\x80-\xff]+>\s*$/m
header __HAS_MSGID		MESSAGEID =~ /\S/
header __MSGID_COMMENT		MESSAGEID =~ /\(.*\)/m
meta INVALID_MSGID		__HAS_MSGID && !(__SANE_MSGID || __MSGID_COMMENT)
describe INVALID_MSGID		Message-Id is not valid, according to RFC 2822

header __MOZILLA_MUA		X-Mailer =~ /\bMozilla\b/
header __MOZILLA_MSGID		MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
meta FORGED_MUA_MOZILLA		(__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
describe FORGED_MUA_MOZILLA	Forged mail pretending to be from Mozilla