# Please don't modify this file as your changes will be overwritten with
# the next update.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
###########################################################################
# 2007/07/10
# 0.269 0.3293 0.0000 1.000 0.76 0.00 TVD_PDF_FINGER01

# --- TVD_PDF_FINGER01: PDF-attachment spam fingerprint ---------------------
# Fires on a multipart/mixed message that has a text/plain part and a PDF part
# (application/pdf, or application/octet-stream whose Content-Type mentions
# ".pdf"), while the raw body contains no run of four non-whitespace
# characters, i.e. there is effectively no body text.
# NOTE(review): the meta rules below sit outside the ifplugin block that
# defines the __TVD_MIME_ATT_* subrules. If MIMEHeader is not loaded they
# reference undefined subrules; check with `spamassassin --lint`.
# NOTE(review): no score line for this rule is visible here; an unscored rule
# presumably takes SpamAssassin's default score. Confirm where it is scored.
rawbody __TVD_BODY /\S{4}/
header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF
meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY
describe TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
endif # Mail::SpamAssassin::Plugin::MIMEHeader

# 2007/09/20
# --- CARD_DIRECT_WWW_ADDRESS: greeting-card lure phrase --------------------
# Matches a fixed, case-sensitive body phrase and is suppressed when the
# second phrase (__LEGIT_MARLO_CARD) is also present. No describe line is
# visible for this rule.
meta CARD_DIRECT_WWW_ADDRESS (__CARD_DIRECT_WWW_ADDRESS && !__LEGIT_MARLO_CARD)
body __CARD_DIRECT_WWW_ADDRESS /card's direct www address below while you are connected to the Internet/
body __LEGIT_MARLO_CARD /At our Card Pick Up site, enter BOTH the Directory/
score CARD_DIRECT_WWW_ADDRESS 1.577

# X-mailer value must be exactly: one uppercase letter, six lowercase letters,
# "e", a space, then a version of the form D.DD.
header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
score DOS_ANAL_SPAM_MAILER 2.0

# --- Direct-to-MX delivery with Outlook / Outlook Express headers ----------
# __DOS_DIRECT_TO_MX is true when X-Spam-Relays-External holds exactly one
# bracketed entry, none of the List-ID / List-Unsubscribe / Mailing-List
# headers exist, and ALL-EXTERNAL does not contain two consecutive Received
# headers.
# NOTE(review): these subrules depend on where SpamAssassin draws the
# internal/external relay boundary, so trusted_networks / internal_networks
# must describe the site's own relays correctly or the rules will misfire.
meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
header __DOS_HAS_LIST_ID exists:List-ID
header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
header __DOS_HAS_MAILING_LIST exists:Mailing-List
header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
# __OE_MUA and __ANY_OUTLOOK_MUA are not defined in this section; they are
# expected to come from another rules file.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Any MIME part whose Content-Type contains image/gif, image/jpeg or image/png.
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
score DOS_OE_TO_MX_IMAGE 3.0
meta DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
score DOS_OUTLOOK_TO_MX_IMAGE 1.059
endif # Mail::SpamAssassin::Plugin::MIMEHeader
# The non-image variants exclude their *_IMAGE counterparts, so a message is
# scored by one rule of each pair, not both.
meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
describe DOS_OE_TO_MX Delivered direct to MX with OE headers
score DOS_OE_TO_MX 2.75
meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OUTLOOK_TO_MX_IMAGE
describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
score DOS_OUTLOOK_TO_MX 1.0

# --- Obfuscated-word body rules --------------------------------------------
# The lookahead rejects the plain spelling "casino" (in any case, because of
# /i), so only substituted spellings such as "ca$ino" or "Ca5in0" match. The
# pattern has no word boundaries and therefore also matches inside longer
# strings.
body FB_CASINO /(?!casino)Ca[\$s5][i1\|]n[o0]/i
describe FB_CASINO Phrase: ca$ino
score FB_CASINO 1.075
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# NOTE(review): as written, this pattern consumes no characters. It matches at
# any word boundary that is not immediately followed by "before", which is
# true of almost every message body, and it carries a 2.381 score. The
# describe text says the rule relies on ReplaceTags, so the replace-tag
# placeholders inside the regex (and the matching replace_rules line) were
# presumably lost from this copy. Restore them from the upstream rule before
# deploying; do not use this line as shown.
body FRT_BEFORE /\b(?!before)\b/i
describe FRT_BEFORE ReplaceTags: Before
score FRT_BEFORE 2.381
endif # Mail::SpamAssassin::Plugin::ReplaceTags

# --- LOTTERY_PH_004470: lottery wording plus a +44 70 phone prefix ---------
# The number subrule accepts "+", "00" or "011", then 44, an optional 0, then
# 70, with up to three non-word characters between the groups. The wording
# subrule has no word boundaries, so "winner" or "lottery" also match as
# substrings.
meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
body __AFF_LOTTERY /(?:lottery|winner)/i
score LOTTERY_PH_004470 2.015

# --- Message-Id fingerprints -----------------------------------------------
# Both HS_BOBAX_MID_* patterns are anchored at the start only. The describe
# lines show the expected shape with digits replaced by 0 and letters by A.
##{ HS_BOBAX_MID_1
header HS_BOBAX_MID_1 Message-Id =~ /^<\d{4}D\d{3}\.\d{6}\.\d{5}\@[A-Z]{4}>/
describe HS_BOBAX_MID_1 Bobax? Message-Id: <0000D000.000000.00000@AAAA>
##} HS_BOBAX_MID_1
##{ HS_BOBAX_MID_2
header HS_BOBAX_MID_2 Message-Id =~ /^<\dIX\d{3}EJXVWDA\d{3}\@[a-z\-]+\.[a-z]+>/
describe HS_BOBAX_MID_2 Bobax? Message-Id: <0IX000EJXVWDA000@example.com>
##} HS_BOBAX_MID_2
# Fully anchored: 12-13 hex characters, two "$" + 8-hex groups, "@", and an
# alphanumeric host, with no surrounding angle brackets.
##{ HS_OUTLOOK_MID_NOBRK
header HS_OUTLOOK_MID_NOBRK Message-ID =~ /^[a-f0-9]{12,13}(?:\$[a-f0-9]{8}){2}\@[A-Za-z0-9]+$/
describe HS_OUTLOOK_MID_NOBRK Outlook-esque message ID with no brackets.
##} HS_OUTLOOK_MID_NOBRK

# --- JM_REACTOR_MAILER: four header subrules must all match ----------------
# Date ends in " +0000", Message-ID starts with "<000" and has a dot-less
# lowercase/digit host, and X-Mailer / X-MimeOLE carry the exact version
# strings below.
# NOTE(review): the dots in the two version patterns are unescaped, so each
# "." matches any character, which is slightly looser than a literal match.
# The two build numbers differ (3138 vs 3198); presumably that mismatch is
# part of the signature. Confirm against upstream.
##{ JM_REACTOR_MAILER
meta JM_REACTOR_MAILER (__JM_REACTOR_MID && __JM_REACTOR_DATE && __JM_REACTOR_XM2900 && __JM_REACTOR_XMOLE)
describe JM_REACTOR_MAILER Header patterns indicative of "Reactor Mailer" ratware
##} JM_REACTOR_MAILER
header __JM_REACTOR_DATE Date =~ / \+0000$/
header __JM_REACTOR_MID Message-ID =~ /^<000\S+\@[a-z0-9]+>$/
header __JM_REACTOR_XM2900 X-Mailer =~ /^Microsoft Outlook Express 6.00.2900.3138$/
header __JM_REACTOR_XMOLE X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2900.3198$/