####
#### Basic stuff
####

header T_BUG6353_1 From:addr !~ /\@.+\.[a-z]+$/i [if-unset: foo@bar.com]
header T_BUG6353_2 From:addr !~ /\.[a-z]+$/i [if-unset: foo@bar.com]
header T_BUG6353_3 From:addr !~ /\@.+?\.[a-z]/i [if-unset: foo@bar.com]
header T_BUG6353_4 From:addr !~ /\@[^@]+\.(?:[a-z]{2,}|xn--[a-z0-9]+(?:-[a-z0-9]*)?)$/i
header T_BUG6353_5 From:addr !~ /\@[^@]+\.(?:[a-z]{2,}|xn--[a-z0-9]+(?:-[a-z0-9]*)?)$/i [if-unset: foo@bar.com]
header T_BUG6353_6 From:addr !~ /\@[^@]+\.(?:[a-z0-9-]+)$/i
header T_BUG6353_7 From:addr !~ /\@[^@]+\.(?:[a-z0-9-]+)$/i [if-unset: foo@bar.com]
header T_MISSING_FROM From =~ /^UNSET$/ [if-unset: UNSET]

# cheers to spam-l
header		RCVD_HAS_FROM_USER	Received =~ /\bfrom\sUser\b/im
header		RCVD_HAS_HELO_USER	Received =~ /\bHELO[\s=]User\b/im

header		HK_RANDOM_ENVFROM	EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{20})[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_ENVFROM	Envelope sender username looks random
header		HK_RANDOM_FROM		From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{26}|.*?@.{0,20}\bcmp-info\.com$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_FROM		From username looks random
header		HK_RANDOM_FROM_NAME	From:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_FROM_NAME	From name looks random
header		HK_RANDOM_REPLYTO	Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr|-mailer@)|[^@]{26}|.*?@.{0,20}\b(?:cmpgnr|cnn)\.com$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_REPLYTO	Reply-To username looks random
header		HK_RANDOM_REPLYTO_NAME	Reply-To:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_REPLYTO_NAME	Reply-To name looks random

header		HK_NAME_DRUGS		From:name =~ /(viagra|cialis)/mi
describe	HK_NAME_DRUGS		From name contains drugs

header		HK_NAME_FREE		From:name =~ /\b(?:get)?free(?!\.fr)\b/mi
describe	HK_NAME_FREE		From name mentions free stuff

header		HK_SUBJECT_SPACES	Subject =~ /^(?!.{80}\#).*?\s{10}/
describe	HK_SUBJECT_SPACES	Lots of spaces in Subject

header		HK_SUBJECT_SPACES_SC	Subject =~ /\s{10}(?:[a-z]|\d{1,4})(?:\s|$)/i
describe	HK_SUBJECT_SPACES_SC	Lots of spaces in Subject with some obfuscation

header		__HK_NAME_MICROSOFT	From:name =~ /(microsoft|\bmsn\b)/i
header		__HK_HELO_MICROSOFT	X-Spam-Relays-External =~ / helo=\S+\.(?:microsoft(?:email)?|msn)\.com /
# false hits per bug 6417
ifplugin Mail::SpamAssassin::Plugin::SPF
  meta		HK_FAKENAME_MICROSOFT	__HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT && !SPF_PASS
  describe	HK_FAKENAME_MICROSOFT	From name mentions Microsoft, but not relayed from there
endif

header		__HK_NAME_YAHOO		From:name =~ /\byahoo\b/i
header		__HK_HELO_YAHOO		X-Spam-Relays-External =~ / helo=[^ ]+\.yahoo\.com /
meta		HK_FAKENAME_YAHOO	__HK_NAME_YAHOO && !__HK_HELO_YAHOO
describe	HK_FAKENAME_YAHOO	From name mentions Yahoo, but not relayed from there

header		__HK_NAME_PAYPAL	From:name =~ /\bpaypal\b/i
header		__HK_HELO_PAYPAL	X-Spam-Relays-External =~ / helo=[^ ]+\.paypal\b/
meta		HK_FAKENAME_PAYPAL	__HK_NAME_PAYPAL && !__HK_HELO_PAYPAL
describe	HK_FAKENAME_PAYPAL	From name mentions PayPal, but not relayed from there

header		__HK_NAME_EBAY		From:name =~ /\bebay\b/i
header		__HK_HELO_EBAY		X-Spam-Relays-External =~ / helo=[^ ]+\.(?:ebay|emarsys)\b/
meta		HK_FAKENAME_EBAY	__HK_NAME_EBAY && !__HK_HELO_EBAY
describe	HK_FAKENAME_EBAY	From name mentions eBay, but not relayed from there

body		__hk_million		/(?:(?:[0-9]{3}[ ,.]?){2,4}|[0-9] ?M\b|mill(?:(?:es?|ons?)(?: de\b)?|ion)).{0,18}(?:\$|[\xa3\xa4]|eur\b|usd\b|gbp\b|cfa\b|euro?s?\b|dollard?s?\b|pounds?\b|francs?\b)/i
body		__hk_million2		/(?:\$|[\xa3\xa4]|eur|usd?|gbp|cfa|euro?s?|dollard?s?|pounds?|francs?)(?: de\b)? mill(?:(?:es?|ons?)|ion)/
body		__hk_hthousand		/hundred.{0,20}thousand.{0,20}(?:eur|usd|gbp|cfa|euro?s?|dollard?s?|pounds?|francs?)\b/i
body		__hk_bigmoney		/(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
meta		HK_MUCHMONEY		__hk_million || __hk_million2 || __hk_hthousand || __hk_bigmoney
describe	HK_MUCHMONEY		Message refers to hundreds of thousands or millions
score		HK_MUCHMONEY		0.001

body		__hk_win_1		/\b(?:prize|lucky|dear|emerged(?: a)?) (?:winner|money)/i
body		__hk_win_2		/\battn.{0,10}winner/i
body		__hk_win_3		/\bhappily aa?nnounce/i
body		__hk_win_4		/\bpleas(?:ure|ed) to inform/i
body		__hk_win_5		/\b(?:notice the|your) winning/i
body		__hk_win_6		/\b(?:ha(?:s|ve)|you) w[io]n/i
body		__hk_win_7		/\bcongratulations? to your/i
body		__hk_win_8		/\bunexpected luck/i
body		__hk_win_9		/\blucky (?:nl )number/i
body		__hk_win_0		/\byour? e-?mail just w[oi]n/i
body		__hk_win_a		/\bwinning (?:e-?mail|numbers|information)/i
body		__hk_win_b		/\byour e-?mail (?:address )?(?:has )?w[io]n/i
body		__hk_win_c		/\bune adresse e-?mail sur internet/i
body		__hk_win_d		/\bcategory (?:\S{0,5} )?winner of our/i
body		__hk_win_e		/\b(?:tic(?:ket)?|batch|\bbt|serial|\bsr|\brf|ref(?:erence)?)(?:\:| ?(?:number|no\b|nr))/i
body		__hk_win_f		/\bnum.ro de (?:ticket|s.rie|r.f.rence|lot)/i
body		__hk_win_g		/\bselected randomly/i
body		__hk_win_h		/\brandomly selected/i
body		__hk_win_i		/\bfunds? transfer/i
body		__hk_win_j		/\b(?:winning|ready for|sum) pay ?out/i
body		__hk_win_k		/\bclaim(?:s? officer| your| procedure)/i
body		__hk_win_l		/\b(?:make|file) (?:for )?your claim/i
body		__hk_win_m		/\br.clamation de votre prix/i
body		__hk_win_n		/\bcollect your prize/i
body		__hk_win_o		/\bclarification and procedure/i
meta		HK_WIN			__hk_win_1 || __hk_win_2 || __hk_win_3 || __hk_win_4 || __hk_win_5 || __hk_win_6 || __hk_win_7 || __hk_win_8 || __hk_win_9 || __hk_win_0 || __hk_win_a || __hk_win_b || __hk_win_c || __hk_win_d || __hk_win_e || __hk_win_f || __hk_win_g || __hk_win_h || __hk_win_i || __hk_win_j || __hk_win_k || __hk_win_l || __hk_win_m || __hk_win_n || __hk_win_o

body		__HK_LOTTO_1		/\b(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department) ?lot(?:eri[ej]|t(?:ery|o))/i
body		__HK_LOTTO_2		/\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
body		__HK_LOTTO_JACKPOT	/\bmega jackpot\b/i
body		__HK_LOTTO_STAATS	/\bstaatsloteri/i
body		__HK_LOTTO_BALLOT	/\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
body		__HK_LOTTO_AWARD	/(?:cash prize|prize awards?|you have been awarded|award (?:notification|notice))/i
meta		HK_LOTTO		__HK_LOTTO_1 || __HK_LOTTO_2 || __HK_LOTTO_JACKPOT || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT

header		HK_LOTTO_SUBJECT	Subject =~ /\blot(?:eri[ej]|t(?:ery|o))\b/mi
header		HK_LOTTO_NAME		From =~ /^[^@]*(?:lot(?:eri[ej]|t(?:ery|o))|award|winner)/mi

body		HK_SCAM_N1		/\b(?:widow|son|daughter|husband|wife|brother|sister) of (?:the )?(?:late|sacked|dead|passed)\b/i
body		HK_SCAM_N2		/\bnext of kin\b/i
body		HK_SCAM_N3		/\bdirect telephone numbers?\b/i
body		HK_SCAM_N4		/\b(?:e?mail me below|reply (?:me to )?this e?mail (?:at|to)?|send your reply (?:to|at))\b/i
body		HK_SCAM_N8		/\byour compensation\b/i
body		HK_SCAM_N9		/\bseek for your indulgence\b/i
body		HK_SCAM_N12		/\binsured with your email\b/i
body		HK_SCAM_N13		/\b(?:business|important|discreet) transaction\b/i
body		HK_SCAM_N14		/\bsum of amount\b/i
body		HK_SCAM_N15		/\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
body		HK_SCAM_N16		/\b(?:arrangement secret|secret arrangement)\b/i
	
body		HK_SCAM_S15		/(?:discovered a dormant account|can you be my partner)/i
body		HK_SCAM_S7		/(?:(?:investment|proposed|lucrative) (?:business|venture)|(?:business|venture) (?:enterprise|propos(?:al|ition)))/i
body		HK_SCAM_S12		/fidelity investments international/i
body		HK_SCAM_S25		/\bbank (?:in|of) ghana/i

body		HK_SCAM_S1		/pay you the sum of/i
body		HK_SCAM_S3		/invest(?:ment (?:in your area|partner)|in your country|assist me in an investment)/i
body		HK_SCAM_S4		/transfer (?:this|my|of )?funds?/i
body		HK_SCAM_S22		/\bmining companies/i
body		HK_SCAM_S23		/(?:\b(?:urgent alert|start trade|get it at monday)\b|\b(?:5-|five )day price:)/i

body		HK_GOLDDUST		/\bgold ?dust\b/i

body		HK_PNIS			/\bpenis\b/i
body		HK_PNISES		/\bpenises\b/i

# From Mike Cappella
header		TAB_IN_FROM		From:raw =~ /^\t/s
describe	TAB_IN_FROM		From starts with a tab


####
#### FreeMail related
####

ifplugin Mail::SpamAssassin::Plugin::FreeMail

header		__HK_NAME_MR_MRS	From:name =~ /^M(?:RS?|ISS)\b/mi
header		__HK_NAME_DR		From:name =~ /^DR\b/mi
header		__HK_NAME_FROM		From:name =~ /^FROM\b/mi
meta		HK_NAME_MR_MRS		__HK_NAME_MR_MRS && !FREEMAIL_FROM
meta		HK_NAME_FM_MR_MRS	__HK_NAME_MR_MRS && FREEMAIL_FROM
meta		HK_NAME_DR		__HK_NAME_DR && !FREEMAIL_FROM
meta		HK_NAME_FM_DR		__HK_NAME_DR && FREEMAIL_FROM
meta		HK_NAME_FROM		__HK_NAME_FROM && !FREEMAIL_FROM
meta		HK_NAME_FM_FROM		__HK_NAME_FROM && FREEMAIL_FROM

endif


####
#### MIMEHeader
####

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

mimeheader	__HK_SPAMMY_CTFN	Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
mimeheader	__HK_SPAMMY_CDFN	Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
meta		HK_SPAMMY_FILENAME	__HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN

endif