#
#header         REPLYTO_MANY_AT Reply-To =~ /\@.+\@/
#describe       REPLYTO_MANY_AT More than one @ in Reply-To:
#
#header         SENDER_MANY_AT  Sender =~ /\@.+\@/
#describe       SENDER_MANY_AT  More than one @ in Sender:
#
#header         FROM_MANY_AT    From =~ /\@.+\@/
#describe       FROM_MANY_AT    More than one @ in From:
#

header         RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe       RDNS_LOCALHOST  Sender's public rDNS is "localhost"

#body           EU_SPAM_LAW     m,Directive 2000/31/EC of the European Parliament,i
#describe       EU_SPAM_LAW     Quoting "European Parliament" spam law

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   HTML_ATTACH    Content-Type =~ m,text/html;.+\.html?\b,i
  describe     HTML_ATTACH    HTML attachment to bypass scanning?

  mimeheader   OBFU_HTML_ATTACH    Content-Type =~ m,application/octet-stream;.+\.html?\b,i
  describe     OBFU_HTML_ATTACH    HTML attachment with non-text MIME type

  mimeheader   OBFU_TEXT_ATTACH    Content-Type =~ m,application/octet-stream;.+\.txt\b,i
  describe     OBFU_TEXT_ATTACH    Text attachment with non-text MIME type
  score        OBFU_TEXT_ATTACH    2.5
  tflags       OBFU_TEXT_ATTACH    publish

  mimeheader   OBFU_DOC_ATTACH     Content-Type =~ m,application/octet-stream;.+\.(?:doc|rtf)\b,i
  describe     OBFU_DOC_ATTACH     MS Document attachment with generic MIME type
  score        OBFU_DOC_ATTACH     0.25

  mimeheader   OBFU_PDF_ATTACH     Content-Type =~ m,application/octet-stream;.+\.pdf\b,i
  describe     OBFU_PDF_ATTACH     PDF attachment with generic MIME type
  score        OBFU_PDF_ATTACH     0.25

  meta         OBFU_ATTACH_MISSP   __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH)
  describe     OBFU_ATTACH_MISSP   Obfuscated attachment type and misspaced From
endif

# general case of spample observation
#header         MUA_ONE_WORD       X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe       MUA_ONE_WORD       Single word X-Mailer: not CamelCase

body           DEAR_EMAIL_USER          /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
describe       DEAR_EMAIL_USER          Dear Email User:
score          DEAR_EMAIL_USER          3.0


# from users list spamples 8/2009
uri            URI_NUMERIC_CCTLD     m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe       URI_NUMERIC_CCTLD     CCTLD URI with multiple numeric subdomains


# From should have whitespace between the comment and the address
# Better S/O, good enough for standalone rule
header         FROM_MISSPACED        From =~ /^\s*"[^"]*"</
describe       FROM_MISSPACED        From: missing whitespace

# Poorer S/O than FROM_MISSPACED but better performance in metas
header         __FROM_RUNON          From =~ /\S+<\w+/

#meta           FROM_MISSP_SPF_FAIL1  (__FROM_RUNON && !SPF_PASS)
#tflags         FROM_MISSP_SPF_FAIL1  net
meta           FROM_MISSP_SPF_FAIL  (__FROM_RUNON && SPF_FAIL)
tflags         FROM_MISSP_SPF_FAIL  net

meta           FROM_MISSP_EH_MATCH   (__FROM_RUNON && __ENV_AND_HDR_FROM_MATCH)
describe       FROM_MISSP_EH_MATCH   From misspaced, matches envelope

meta           FROM_MISSP_URI        (__FROM_RUNON && __HAS_ANY_URI)
describe       FROM_MISSP_URI        From misspaced, has URI

meta           FROM_MISSP_USER       (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe       FROM_MISSP_USER       From misspaced, from "User"

meta           FROM_MISSP_NO_TO      (__FROM_RUNON && MISSING_HEADERS)
describe       FROM_MISSP_NO_TO      From misspaced, To missing

meta           FROM_MISSP_TO_UNDISC  (__FROM_RUNON && __TO_UNDISCLOSED)
describe       FROM_MISSP_TO_UNDISC  From misspaced, To undisclosed

meta           FROM_MISSP_DKIM       (__FROM_RUNON && __DKIM_DEPENDABLE)
describe       FROM_MISSP_DKIM       From misspaced, DKIM dependable

meta           FROM_MISSP_REPLYTO    (__FROM_RUNON && __REPLYTO_EXISTS)
describe       FROM_MISSP_REPLYTO    From misspaced, has Reply-To

## To the same
#header         TO_MISSPACED          To =~ /^\s*"[^"]*"</
#describe       TO_MISSPACED          To: missing whitespace
#score          TO_MISSPACED          0.25

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         FROM_MISSP_FREEMAIL   __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  describe     FROM_MISSP_FREEMAIL   From misspaced + freemail provider
  score        FROM_MISSP_FREEMAIL   2.0
endif

meta           FROM_MISSP_MSFT       __FROM_RUNON && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
describe       FROM_MISSP_MSFT       From misspaced + supposed Microsoft tool
score          FROM_MISSP_MSFT       3.5

meta           FROM_MISSP_DYNIP      __FROM_RUNON && RDNS_DYNAMIC
describe       FROM_MISSP_DYNIP      From misspaced + dynamic rDNS
score          FROM_MISSP_DYNIP      2.0


# observed in spam 8/2009
header         __MUA_EQ_ORG_1        ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism
header         __MUA_EQ_ORG_2        ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism
meta           MAILER_EQ_ORG         __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2
describe       MAILER_EQ_ORG         X-Mailer: same as Organization:
tflags         MAILER_EQ_ORG         publish

# observed in UCE 9/2009
#header         __HDRS_LCASE          ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm
header         __HDRS_LCASE          ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm
tflags         __HDRS_LCASE          multiple
meta           HDRS_LCASE            __HDRS_LCASE > 1
describe       HDRS_LCASE            Odd capitalization of multiple message headers

# observed in UCE from India, 9/2009
header         MDN_BOTCHED           Disposition-notification-to =~ /<>/
describe       MDN_BOTCHED           Malformed return receipt header

# observed in spam 9/2009
header         HDRS_MISSP            ALL =~ /\n(?:Subject|From|To):\S/ism
describe       HDRS_MISSP            Misspaced headers
score          HDRS_MISSP            2.0

header         SPAMMY_MIME_BDRY_01  Content-Type =~ /boundary="\@\@BOUNDARY"/
describe       SPAMMY_MIME_BDRY_01  Spammy MIME boundary string
score          SPAMMY_MIME_BDRY_01  0.10

# testing
header         __TB_MIME_BDRY_NO_Z   Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
meta           TBIRD_SUSP_MIME_BDRY  __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe       TBIRD_SUSP_MIME_BDRY  Unlikely Thunderbird MIME boundary

# seen in a few HTML fraud spams
rawbody        RUNON_SHY          /(?:\&shy;){3}/i
describe       RUNON_SHY          Repeating soft hyphens
score          RUNON_SHY          0.1
tflags         RUNON_SHY          nopublish

# Seen all too often
header         LAZY_LISTWASHING   To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
describe       LAZY_LISTWASHING   Lazy spammer, painfully obvious bogus addresses
score          LAZY_LISTWASHING   0.25

# Little to work with
body           __PLS_REVIEW       /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
body           __DLND_ATTACH      /\bdownload\sthe\sattach(?:ed|ment)\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __DOC_ATTACH_MT    Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
  mimeheader   __DOC_ATTACH_FN1   Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
  mimeheader   __DOC_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
  meta         __DOC_ATTACH       (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
  mimeheader   __PDF_ATTACH_MT    Content-Type =~ m,\bapplication/pdf\b,i
  mimeheader   __PDF_ATTACH_FN1   Content-Type =~ /="[^"]+\.pdf"/i
  mimeheader   __PDF_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.pdf"/i
  meta         __PDF_ATTACH       (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         FREEMAIL_DOC_PDF     (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  describe     FREEMAIL_DOC_PDF     MS document or PDF attachment, from freemail

  meta         FREEMAIL_RVW_ATTCH   (__PLS_REVIEW || __DLND_ATTACH) && FREEMAIL_DOC_PDF
  describe     FREEMAIL_RVW_ATTCH   Please review attached document, from freemail
endif

body           END_FUTURE_EMAILS   /\bend future (?:email|alert)s?\b/i
describe       END_FUTURE_EMAILS   Pump-and-dump unsubscribe

body           AD_COMPLAINTS       /\bcomplaints about this ad+\b/i
describe       AD_COMPLAINTS       Complain about this spam

# observed in bank phishing 09/2009
rawbody        MISQ_HTML           /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/
describe       MISQ_HTML           Unbalanced quotes in HTML tag
tflags         MISQ_HTML           nopublish

# observed in bank phishing 09/2009
uri            WIKI_IMG            m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
describe       WIKI_IMG            Image from wikipedia

# observed in spam 09/2009
header         SUBJ_RE_CLNCLN      Subject =~ /^\s*RE::/
describe       SUBJ_RE_CLNCLN      Subject RE::

uri            MANY_SUBDOM         m;^https?://(?:[^\./]{1,30}\.){6};
describe       MANY_SUBDOM         Lots and lots of subdomain parts in a URI

# by request of Benny Pedersen <me@junc.org> on the users list 10/9/2009
meta           RFC_ABUSE_POST      (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST)
describe       RFC_ABUSE_POST      Both abuse and postmaster missing on sender domain
score          RFC_ABUSE_POST      0.01

body           CALL_SKYPE            /\bCall this phone number [\w\s]{0,30}with Skype\b/

# <SPAN> tags shouldn't appear in the midst of text
rawbody        __SPAN_BEG_TEXT     /[a-z]{2}<(?i:span)\s/
tflags         __SPAN_BEG_TEXT     multiple
rawbody        __SPAN_END_TEXT     /[^;>]<\/(?i:span)>[a-z]{3}/
tflags         __SPAN_END_TEXT     multiple
meta           MANY_SPAN_IN_TEXT   (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
describe       MANY_SPAN_IN_TEXT   Many <SPAN> tags embedded within text

uri            __FEEDPROXY_URI     m;http://feedproxy\.google\.com/;i
rawbody        __FEEDPROXY         m;http://feedproxy\.google\.com/;i
tflags         __FEEDPROXY         multiple
meta           MANY_GOOG_PROXY     __FEEDPROXY > 4
describe       MANY_GOOG_PROXY     Many Google feedproxy URIs

rawbody        TINY_FLOAT         /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i
describe       TINY_FLOAT         Has small-font floating HTML - text obfuscation?
score          TINY_FLOAT         2.00


# endless requests on the users list...
header         __TO_EQ_FROM_1       ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]+<)?\1[>,\s\n]/ism
header         __TO_EQ_FROM_2       ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]+<)?\1[>,\s\n]/ism
meta           __TO_EQ_FROM         (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe       __TO_EQ_FROM         To: same as From:

meta           TO_EQ_FM_HTML_ONLY   (__TO_EQ_FROM && MIME_HTML_ONLY)
describe       TO_EQ_FM_HTML_ONLY   To == From and HTML only

meta           TO_EQ_FM_DIRECT_MX   (__TO_EQ_FROM && __DOS_DIRECT_TO_MX)
describe       TO_EQ_FM_DIRECT_MX   To == From and direct-to-MX

meta           TO_EQ_FM_HTML_DIRECT  (__TO_EQ_FROM && MIME_HTML_ONLY && __DOS_DIRECT_TO_MX)
describe       TO_EQ_FM_HTML_DIRECT  To == From and HTML only, direct-to-MX


# Evaluate ReturnPath and blacklist collisions
meta           __RP_SAFE_BRBL             RCVD_IN_RP_SAFE && __RCVD_IN_BRBL
meta           __RP_CERTIFIED_BRBL        RCVD_IN_RP_CERTIFIED && __RCVD_IN_BRBL
tflags         __RP_SAFE_BRBL             net nopublish
tflags         __RP_CERTIFIED_BRBL        net nopublish
meta           __RP_SAFE_ZEN              RCVD_IN_RP_SAFE && __RCVD_IN_ZEN
meta           __RP_CERTIFIED_ZEN         RCVD_IN_RP_CERTIFIED && __RCVD_IN_ZEN
tflags         __RP_SAFE_ZEN              net nopublish
tflags         __RP_CERTIFIED_ZEN         net nopublish
meta           __RP_SAFE_SORBS            RCVD_IN_RP_SAFE && __RCVD_IN_SORBS
meta           __RP_CERTIFIED_SORBS       RCVD_IN_RP_CERTIFIED && __RCVD_IN_SORBS
tflags         __RP_SAFE_SORBS            net nopublish
tflags         __RP_CERTIFIED_SORBS       net nopublish
meta           __RP_SAFE_NJABL            RCVD_IN_RP_SAFE && __RCVD_IN_NJABL
meta           __RP_CERTIFIED_NJABL       RCVD_IN_RP_CERTIFIED && __RCVD_IN_NJABL
tflags         __RP_SAFE_NJABL            net nopublish
tflags         __RP_CERTIFIED_NJABL       net nopublish
meta           __RP_SAFE_XBL              RCVD_IN_RP_SAFE && RCVD_IN_XBL
meta           __RP_CERTIFIED_XBL         RCVD_IN_RP_CERTIFIED && RCVD_IN_XBL
tflags         __RP_SAFE_XBL              net nopublish
tflags         __RP_CERTIFIED_XBL         net nopublish
meta           __RP_SAFE_PSBL             RCVD_IN_RP_SAFE && RCVD_IN_PSBL
meta           __RP_CERTIFIED_PSBL        RCVD_IN_RP_CERTIFIED && RCVD_IN_PSBL
tflags         __RP_SAFE_PSBL             net nopublish
tflags         __RP_CERTIFIED_PSBL        net nopublish
meta           __RP_SAFE_ANBREP_L3        RCVD_IN_RP_SAFE && RCVD_IN_ANBREP_L3
meta           __RP_CERTIFIED_ANBREP_L3   RCVD_IN_RP_CERTIFIED && RCVD_IN_ANBREP_L3
tflags         __RP_SAFE_ANBREP_L3        net nopublish
tflags         __RP_CERTIFIED_ANBREP_L3   net nopublish

# a URI in the From comment text, to bypass URIBL checks
# simplistic URI format for now
header         FROM_URI       From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i

# observed in spam feb 2010
# Apparently-To per RFC2821 SHOULD NOT be used
header         __APPARENTLY_TO            Apparently-To =~ /<.*>/
tflags         __APPARENTLY_TO            multiple nopublish
meta           HAS_APPARENTLY_TO          __APPARENTLY_TO > 0
describe       HAS_APPARENTLY_TO          Has deprecated Apparently-To header
score          HAS_APPARENTLY_TO          0.50
tflags         HAS_APPARENTLY_TO          nopublish
meta           MANY_APPARENTLY_TO         __APPARENTLY_TO > 20
describe       MANY_APPARENTLY_TO         Has many Apparently-To headers
score          MANY_APPARENTLY_TO         2.00
tflags         MANY_APPARENTLY_TO         nopublish

# obfuscation of "opt out"
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           FUZZY_OPTOUT             /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i
  replace_rules  FUZZY_OPTOUT
  describe       FUZZY_OPTOUT             Obfuscated opt-out text
endif

# stock spam disclaimer obfuscation
# body           GAPPY_TRADING              /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body           GAPPY_SECURITIES           /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i
# body           GAPPY_RISK                 /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i
# body           GAPPY_SELLING              /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body           GAPPY_HUNDRED              /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i
# body           GAPPY_THOUSAND             /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i
# body           GAPPY_EXPENSES             /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i
# body           GAPPY_DOLLARS              /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i
# 
# describe       GAPPY_TRADING              Possible obfuscated stock disclaimer
# describe       GAPPY_SECURITIES           Possible obfuscated stock disclaimer
# describe       GAPPY_RISK                 Possible obfuscated stock disclaimer
# describe       GAPPY_SELLING              Possible obfuscated stock disclaimer
# describe       GAPPY_HUNDRED              Possible obfuscated stock disclaimer
# describe       GAPPY_THOUSAND             Possible obfuscated stock disclaimer
# describe       GAPPY_EXPENSES             Possible obfuscated stock disclaimer
# describe       GAPPY_DOLLARS              Possible obfuscated stock disclaimer


rawbody        STYLE_GIBBERISH          /<style[^>]{0,30}>(?:\s{0,80}[^\s:;<]){150}/im
#tflags         STYLE_GIBBERISH          nopublish

body           __SCRIPT_TAG_IN_BODY     /<script>/i
rawbody        __SCRIPT_GIBBERISH       /<script>[^;<]{100}/im
meta           SCRIPT_GIBBERISH         __SCRIPT_GIBBERISH && !__SCRIPT_TAG_IN_BODY 
#tflags         SCRIPT_GIBBERISH           nopublish

#rawbody        MANY_DIV_5                   /(?:<div[^>]{0,30}>\s{0,80}){5}/im
#tflags         MANY_DIV_5                    nopublish
#rawbody        MANY_DIV_6                   /(?:<div[^>]{0,30}>\s{0,80}){6}/im
#tflags         MANY_DIV_6                    nopublish
#rawbody        MANY_DIV_7                   /(?:<div[^>]{0,30}>\s{0,80}){7}/im
#tflags         MANY_DIV_7                    nopublish
#rawbody        MANY_DIV_8                   /(?:<div[^>]{0,30}>\s{0,80}){8}/im
#tflags         MANY_DIV_8                    nopublish
#rawbody        MANY_DIV_9                   /(?:<div[^>]{0,30}>\s{0,80}){9}/im
#tflags         MANY_DIV_9                    nopublish
#rawbody        MANY_DIV_10                   /(?:<div[^>]{0,30}>\s{0,80}){10}/im
#tflags         MANY_DIV_10                   nopublish

header         FROM_TRL_UNDR              From =~ /_\@/
tflags         FROM_TRL_UNDR              nopublish

body           LOTSA_EMAILS               /\b(?:thousand|million)\se-?mail(?:\saddresse)?s?\b/i
tflags         LOTSA_EMAILS               nopublish

body           NUM_EMAILS                 /\b\d[,\d]{3,}\s(?:(?!and|or)\w+\s)?e-?mail\saddress(?:es)?\b/i
tflags         NUM_EMAILS                 nopublish

#rawbody        __HTML_ELEM_OBFU           /[a-z\s]&\#[91]\d\d?[a-z]/
#tflags         __HTML_ELEM_OBFU           multiple nopublish
#meta           HTML_ELEM_OBFU_25          __HTML_ELEM_OBFU > 25
#tflags         HTML_ELEM_OBFU_25          nopublish
#meta           HTML_ELEM_OBFU_50          __HTML_ELEM_OBFU > 50
#tflags         HTML_ELEM_OBFU_50          nopublish
#meta           HTML_ELEM_OBFU_100         __HTML_ELEM_OBFU > 100
#tflags         HTML_ELEM_OBFU_100         nopublish
#meta           HTML_ELEM_OBFU_150         __HTML_ELEM_OBFU > 150
#tflags         HTML_ELEM_OBFU_150         nopublish

header         PPMC_FROM_1                From =~ /\bPayPa[IL](?:\.Com)?\b/
describe       PPMC_FROM_1                Paypal phishing sign

uri            URI_HIDDEN_2               m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..;
describe       URI_HIDDEN_2               URI contains a hidden file or directory



# Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
header          __NSL_ORIG_FROM_41        X-Originating-IP =~ /^(?:.+\[)?41\./
describe        __NSL_ORIG_FROM_41        Originates from 41.0.0.0/8

# Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
header          __NSL_RCVD_FROM_41        Received =~ /\[41\./
describe        __NSL_RCVD_FROM_41        Received from 41.0.0.0/8

# some metas with the above, maybe reduce FPs
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FROM_41_FREEMAIL         (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  describe     __FROM_41_FREEMAIL         Sent from Africa + freemail provider
endif

# More from Ned
header         NSL_RCVD_HELO_USER       Received =~ /helo[= ]user\)/i
describe       NSL_RCVD_HELO_USER       Received from HELO User

header         NSL_RCVD_FROM_USER       Received =~ /from User [\[\(]/
describe       NSL_RCVD_FROM_USER       Received from User


# observed in spam 3/11/2010
header          DATE_DOTS               Date =~ /\d\d\.\d\d\.\d\d/
describe        DATE_DOTS               Periods in date header

uri             IMAGESHACK_URI          /\.imageshack\.us\//i
describe        IMAGESHACK_URI          URI contains imageshack.us

uri             __BITLY_URI             /\/\/bit\.ly\//i
describe        __BITLY_URI             URI contains bit.ly

uri             URI_DOM_OBFU            /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i
describe        URI_DOM_OBFU            URI pretending to be different domain

uri             DQ_URI_DOM_IN_PATH      /:\/\/[\d\.]+\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe        DQ_URI_DOM_IN_PATH      DQ URI having a domain name in the path part

uri             LH_URI_DOM_IN_PATH      /:\/\/[^\/]{25,}\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe        LH_URI_DOM_IN_PATH      Long-host URI having a domain name in the path part

# observed in phish 4/10/10
uri             URI_1234                m,//1\.2\.3\.4/,

# requested by Benny Pedersen 17 Apr 2010
meta            __SPF_FULL_PASS         (SPF_PASS && SPF_HELO_PASS)

# Spam from ZA
header          CAN_SPAM_HDR            CAN-SPAM_Compliant =~ /./
header          RPT_SPAM_HDR            Report-SPAM =~ /./