# SpamAssassin rules file: compensation for common false positives
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
###########################################################################
# Header compensation tests

require_version @@VERSION@@

# support for Habeas sender-warranted email: http://www.habeas.com/
header HABEAS_SWE               eval:message_is_habeas_swe()
describe HABEAS_SWE             Uses the Habeas warrant mark (http://www.habeas.com/)
tflags HABEAS_SWE               nice

header GENUINE_EBAY_RCVD        eval:check_for_from_domain_in_received_headers('ebay.com', 'true')
describe GENUINE_EBAY_RCVD      Message from eBay
tflags GENUINE_EBAY_RCVD	nice

header   APPROVED_BY            exists:Approved-By
describe APPROVED_BY            Has an Approved-By moderated list header
tflags APPROVED_BY		nice

header   EXCHANGE_SERVER        X-Mailer =~ /Internet Mail Service \([\d\.]+\)/
describe EXCHANGE_SERVER        Came via Internet Mail Service plugin
tflags EXCHANGE_SERVER		nice

# This is a Bugzilla bug status report e-mail and probably OK
header BUGZILLA_BUG             eval:message_from_bugzilla()
describe BUGZILLA_BUG           Looks like a Bugzilla bug
tflags BUGZILLA_BUG		nice

header DEBIAN_BTS_BUG           eval:message_from_debian_bts()
describe DEBIAN_BTS_BUG         Looks like a Debian BTS bug
tflags DEBIAN_BTS_BUG		nice

# give a negative score to Majordomo results.
header   MAJORDOMO              Subject =~ /Majordomo (?:request )?results/
describe MAJORDOMO              From Majordomo
tflags MAJORDOMO		nice

header REFERENCES		References =~ /^(<(?:[a-zA-Z0-9.!\#\$%&'*\+\/=?\^_{}|~-]+|\".+\")\@(?:[a-zA-Z0-9.-]+|\[\d{1,3}(?:\.\d{1,3}){3}\])>\s*)+$/
describe REFERENCES		Has a valid-looking References header
tflags REFERENCES               nice

# these headers have very low correlation with spam
header CRON_ENV                 exists:X-Cron-Env
header IN_REP_TO                exists:In-Reply-To
header USER_AGENT               exists:User-Agent
header X_AUTH_WARNING           exists:X-Authentication-Warning
header X_MAILING_LIST           exists:X-Mailing-List
header X_LOOP                   exists:X-Loop
header X_ACCEPT_LANG            exists:X-Accept-Language
header RESENT_TO                exists:Resent-To
tflags CRON_ENV                 nice
tflags IN_REP_TO                nice
tflags USER_AGENT               nice
tflags X_AUTH_WARNING           nice
tflags X_MAILING_LIST           nice
tflags X_LOOP                   nice
tflags X_ACCEPT_LANG            nice
tflags RESENT_TO                nice

header PGP_SIGNATURE_2          Content-Type =~ /protocol=.?application\/pgp-signature.?;/i
describe PGP_SIGNATURE_2        Contains a PGP-signed message (signature attached)
tflags PGP_SIGNATURE_2		nice

# came from a known mailing list system -- but one which does *not* have built-in
# (or working!) spam filtering.
header   KNOWN_MAILING_LIST     eval:detect_mailing_list()
describe KNOWN_MAILING_LIST     Email came from some known mailing list software
tflags KNOWN_MAILING_LIST	nice

# from Theo Van Dinter, see http://www.hughes-family.org/bugzilla/show_bug.cgi?id=591
body MSN_GROUPS                 eval:check_for_msn_groups_headers()
describe MSN_GROUPS             Came from MSN Communities
tflags MSN_GROUPS               nice

header NMS_CGI_NOT_BUGGY        X-Mailer =~ /^NMS FormMail\.pl.*v\d/
describe NMS_CGI_NOT_BUGGY      Not Matt's Scripts formmail.pl
tflags NMS_CGI_NOT_BUGGY	nice

# some non-spam rules from http://www.darkmere.gen.nz/2002/0628.html
header Q_FOR_SELLER             Subject =~ /Question.*(?:for|to|from eBay).*(?:seller|Member)/
describe Q_FOR_SELLER           Subject is an eBay question
tflags Q_FOR_SELLER		nice

header SUBJECT_IS_LIST          Subject =~ /\blist\b/i
describe SUBJECT_IS_LIST        Subject contains newsletter header (list)
tflags SUBJECT_IS_LIST		nice

header SUBJECT_IS_IN_REVIEW     Subject =~ /\bin review\b/i
describe SUBJECT_IS_IN_REVIEW   Subject contains newsletter header (in review)
tflags SUBJECT_IS_IN_REVIEW	nice

header FROM_EGROUPS             X-eGroups-Return =~ /^sentto-.*\@returns\.groups\.yahoo\.com$/
describe FROM_EGROUPS           Appears to be from yahoo groups
tflags FROM_EGROUPS		nice

# compensate for common false pos on above rule: Yahoo! webmail
header YAHOO_MSGID_ADDED        ALL =~ /Message-Id: <\S+\.mail\.yahoo\.com>\nReceived: .*by \S+mail\.yahoo\.com via HTTP;/s
describe YAHOO_MSGID_ADDED      'Message-Id' was added by yahoo.com, that's OK
tflags YAHOO_MSGID_ADDED        nice

###########################################################################
# Body compensation tests
###########################################################################

body HOTMAIL_FOOTER1             /Send and receive Hotmail on your mobile device\b/
describe HOTMAIL_FOOTER1        Common footer for Hotmail
tflags HOTMAIL_FOOTER1		nice

body HOTMAIL_FOOTER2            /Get your FREE download of MSN Explorer at\b/
describe HOTMAIL_FOOTER2        Common footer for Hotmail
tflags HOTMAIL_FOOTER2		nice

body HOTMAIL_FOOTER3            /Get Your Private, Free E-mail from MSN Hotmail at http:\/\/www\.hotmail\.com\./
describe HOTMAIL_FOOTER3        Common footer for Hotmail
tflags HOTMAIL_FOOTER3		nice

body HOTMAIL_FOOTER5            /Chat with friends online, try MSN Messenger\b/
describe HOTMAIL_FOOTER5        Common footer for Hotmail
tflags HOTMAIL_FOOTER5		nice

body MSN_FOOTER1                /MSN Photos is the easiest way to share and print your photos\b/
describe MSN_FOOTER1            Common footer for MSN
tflags MSN_FOOTER1		nice


body GROUPS_YAHOO_1             /^Your use of Yahoo! Groups is subject to http:\/\/\Qdocs.yahoo.com\E\/info\/terms\//
describe GROUPS_YAHOO_1         Yahoo! Groups message
tflags GROUPS_YAHOO_1		nice

# signature tests
full SIGNATURE_SHORT_DENSE	eval:check_signature('1', '7', '0')
describe SIGNATURE_SHORT_DENSE	Short signature present (no empty lines)
tflags SIGNATURE_SHORT_DENSE	nice

full SIGNATURE_SHORT_SPARSE	eval:check_signature('1', '7', '1')
describe SIGNATURE_SHORT_SPARSE	Short signature present (empty lines)
tflags SIGNATURE_SHORT_SPARSE	nice

full SIGNATURE_LONG_DENSE	eval:check_signature('8', '15', '0')
describe SIGNATURE_LONG_DENSE	Long signature present (no empty lines)
tflags SIGNATURE_LONG_DENSE	nice

full SIGNATURE_LONG_SPARSE	eval:check_signature('8', '15', '1')
describe SIGNATURE_LONG_SPARSE	Long signature present (empty lines)
tflags SIGNATURE_LONG_SPARSE	nice

rawbody EGP_HTML_BANNER         /^<!-- \S+begin egp html banner/
describe EGP_HTML_BANNER        non-spam Yahoo! Groups banner found
tflags EGP_HTML_BANNER		nice

body MAILMAN_CONFIRM            /^We have received a request from \S+ for subscription of your email address, \S+, to the \S+ mailing list\./
describe MAILMAN_CONFIRM        A MailMan confirm-your-address message
tflags MAILMAN_CONFIRM		nice

rawbody PGP_SIGNATURE           /-----BEGIN PGP SIGNATURE-----/
describe PGP_SIGNATURE          Contains a PGP-signed message
tflags PGP_SIGNATURE		nice

rawbody PATCH_UNIFIED_DIFF	/^\@\@ [-+0-9]+,[0-9]+ [-+0-9]+,[0-9]+ \@\@$/
describe PATCH_UNIFIED_DIFF	Contains what looks like a patch from diff -u
tflags PATCH_UNIFIED_DIFF	nice

rawbody PATCH_CONTEXT_DIFF	/^\*{3} \S+\s+.{10,}\b\d{2}:\d{2}:\d{2}\s/
describe PATCH_CONTEXT_DIFF	Contains what looks like a patch from diff -c
tflags PATCH_CONTEXT_DIFF	nice

body DISCLAIMER_LEGALESE        /This e?-?mail.{1,20}confidential.{1,20}legally privileged/i
describe DISCLAIMER_LEGALESE    Contains what looks like an 'E-Mail Disclaimer'
tflags DISCLAIMER_LEGALESE	nice

# The regexp begins with "(?:\"|--- )?" because, in addition to
# possibly begining with a double quote, it might also begin with
# "--- ", which is used by the Yahoo! groups web form when
# doing attribution.
#
# The regexp ends with "\s*(?:$|>)" rather than "$" because, by
# the time the "body" tests are done, this:
#
#   foo@bar.com writes:
#   > blah blah blah
#
# becomes
#
#   foo@bar.com writes: > blah blah blah
#
body EMAIL_ATTRIBUTION         /^(?:\"|--- )?\w.{4,80} (?:wrote|writes):\s*(?:$|>)/
describe EMAIL_ATTRIBUTION	Contains what looks like an email attribution
tflags EMAIL_ATTRIBUTION	nice



rawbody QUOTED_EMAIL_TEXT	/^>+ +.{60,72}$/
describe QUOTED_EMAIL_TEXT	Contains what looks like a quoted email text
tflags QUOTED_EMAIL_TEXT	nice

# matt@nightrealms.com (Matthew Cline)



# spamassassin@davidgreenaway.com (David Greenaway)
body     FORGOTTEN_PASSWORD     /[fF]org[oe]t.{0,25}[pP]assword/
describe FORGOTTEN_PASSWORD     Contains a password retrieval system
tflags   FORGOTTEN_PASSWORD     nice

body     REG_THANKS             /\bThank you for registering\b/i
describe REG_THANKS             Something about registration
tflags   REG_THANKS             nice

###########################################################################
# meta compensation tests
###########################################################################

header __EVITE_CTYPE		Content-Type =~ /(?:multipart\/alternative|text\/(?:plain|html));/
header __EVITE_RCVD		Received =~ /(?:evite|citysearch)\.com/
uri __EVITE_URI			/\.(?:evite|citysearch)\.com\/.*iid=[A-Z]{20}/
meta EVITE			((__EVITE_RCVD && __EVITE_URI) || (__EVITE_CTYPE && (__EVITE_RCVD || __EVITE_URI)))
describe EVITE			Message looks like an Evite
tflags EVITE			nice

meta REPLY_WITH_QUOTES		((IN_REP_TO + REFERENCES + EMAIL_ATTRIBUTION + QUOTED_EMAIL_TEXT) > 2)
describe REPLY_WITH_QUOTES	Reply with quoted text
tflags REPLY_WITH_QUOTES	nice

###########################################################################

# Till now no spammer told me where he's working at :o)
#   -- Malte
# freqs:  2.273    0.383    3.416    0.10    1.00  NOSPAM_INC
header NOSPAM_INC             exists:Organization
describe NOSPAM_INC           Where are you working at?
tflags NOSPAM_INC             nice

body HOTMAIL_FOOTER4            /Join the world's largest e-mail service with MSN Hotmail\./
describe HOTMAIL_FOOTER4        Common footer for Hotmail
tflags HOTMAIL_FOOTER4          nice

header MAILER_DAEMON            From =~ /^(?:Mail Delivery \w+ )?<?mailer.?daemon\@\S+>?(?: \(Mail Delivery \w+\))?$/i
describe MAILER_DAEMON          From the Mailer-Daemon
tflags MAILER_DAEMON            nice

#   0.149    0.221    0.105    0.68   -1.00  FAILURE_NOTICE_1
header   FAILURE_NOTICE_1       Subject =~ /^(?:failure notice|returned mail:|Delivery Status Notification|Undeliverable:)/i
describe FAILURE_NOTICE_1       Mailer daemon failure notice (1)
tflags   FAILURE_NOTICE_1       nice

#   0.534    0.593    0.499    0.54   -1.00  FWD_MSG
header FWD_MSG                  Subject =~ /Fwd:\s/
describe FWD_MSG                Forwarded email
tflags FWD_MSG                  nice
test FWD_MSG ok Subject: Fwd: Dracula
test FWD_MSG ok Subject: [landho] Fwd: tell rod
test FWD_MSG fail Subject: Fwd:Pure Opt-In for half the price
test FWD_MSG fail Subject: Re: RE: FWD: search results        .       .       .