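#testrules
#
# Local SpamAssassin rules. Sub-rules whose names start with "__" carry no
# score of their own and only feed the meta rules that combine them.

# ---------------------------------------------------------------------------
# Envelope sender claims a large freemail provider, but the handing-over relay
# does not reverse-resolve into that provider's domain.
#
# X-Spam-Relays-External is the pseudo-header SpamAssassin builds from the
# Received chain. /^[^\]]+ .../ confines each match to the first relay entry
# (everything before the first "]"), so these rules are only as reliable as
# the trusted_networks / internal_networks configuration that decides which
# relay comes first.
# NOTE(review): rdns= is matched as text; nothing in this file shows that the
# name is forward-confirmed - verify what the receiving MTA records.
# NOTE(review): provider host naming changes over time; check each rdns
# pattern against current legitimate mail before relying on the 2.0 scores.
# ---------------------------------------------------------------------------

header   __FSL_RELAY_GOOGLE    X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com /i
header   __FSL_ENVFROM_GOOGLE  X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@g(?:mail|oogle)\.com /i
meta     FSL_NOT_FROM_GOOGLE   __FSL_ENVFROM_GOOGLE && !__FSL_RELAY_GOOGLE
score    FSL_NOT_FROM_GOOGLE   2.0
describe FSL_NOT_FROM_GOOGLE   Envelope-From GMail or Google but not originated from Google systems

header   __FSL_RELAY_YAHOO     X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.yahoo(?:dns)?\.co(?:m|\.jp) /i
# The yahoo pattern stops at the dot after the name, so any TLD is accepted.
header   __FSL_ENVFROM_YAHOO   X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@yahoo(?:groups)?\./i
header   __FSL_ENVFROM_YMAIL   X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@ymail\.com /i
header   __FSL_ENVFROM_ROCKET  X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@rocketmail\.com /i
meta     FSL_NOT_FROM_YAHOO    ((__FSL_ENVFROM_YAHOO || __FSL_ENVFROM_YMAIL || __FSL_ENVFROM_ROCKET) && !__FSL_RELAY_YAHOO)
score    FSL_NOT_FROM_YAHOO    2.0
describe FSL_NOT_FROM_YAHOO    Envelope-From Yahoo or Yahoo Groups but not originated from Yahoo systems

header   __FSL_RELAY_HOTMAIL   X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /i
header   __FSL_ENVFROM_HOTMAIL X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@hotmail\./i
header   __FSL_ENVFROM_LIVE    X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@live\./i
meta     FSL_NOT_FROM_HOTMAIL  (__FSL_ENVFROM_HOTMAIL || __FSL_ENVFROM_LIVE) && !__FSL_RELAY_HOTMAIL
score    FSL_NOT_FROM_HOTMAIL  2.0
describe FSL_NOT_FROM_HOTMAIL  Envelope-From Hotmail/Live but not originated from Hotmail systems

# The trailing space after "\.com" anchors the end of the rdns value, as the
# other relay patterns do. Without it a host name that merely contains
# ".aol.com" as a prefix of a longer name would count as an AOL relay and
# suppress FSL_NOT_FROM_AOL.
header   __FSL_RELAY_AOL       X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.aol\.com /i
header   __FSL_ENVFROM_AOL     X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@aol\./i
meta     FSL_NOT_FROM_AOL      __FSL_ENVFROM_AOL && !__FSL_RELAY_AOL
score    FSL_NOT_FROM_AOL      2.0
describe FSL_NOT_FROM_AOL      Envelope-From AOL but not originated from AOL systems

# ---------------------------------------------------------------------------
# Simple header and body indicators
# ---------------------------------------------------------------------------

# Scored at 0.01 so it shows in reports; it is combined with bulk checks in
# FSL_UNDISCLOSED_BULK below.
header   FSL_UNDISCLOSED_RCPTS To =~ /\bundisclosed[- ]recipients\b/i
score    FSL_UNDISCLOSED_RCPTS 0.01
describe FSL_UNDISCLOSED_RCPTS To undisclosed recipients

# Domain names are case-insensitive, so match ".INFO" as well.
header   FSL_FROM_INFO_DOM     From:addr =~ /\.info$/i
score    FSL_FROM_INFO_DOM     1.0
describe FSL_FROM_INFO_DOM     From address is in .info

body     FSL_ADV               /\bThis(?:\s*is an)? advert(?:isement)?\b/i
score    FSL_ADV               1.0
describe FSL_ADV               This is an advertisement

# Deliberately case-sensitive: only the shouted, upper-case form is matched.
# The original pattern ended in "\b?"; an optional word boundary constrains
# nothing, so it is dropped here without changing what matches.
body     FSL_OPEN_ATTACH       /\b(?:OPEN|VIEW|READ|SEE|YOUR|ARE)\s*(?:THE\s*)?ATTACH(?:ED|MENT)/
score    FSL_OPEN_ATTACH       2.0
describe FSL_OPEN_ATTACH       DEMANDS that you open the attachment!

# Same pattern applied to the Content-Disposition MIME header; needs the
# MIMEHeader plugin.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader FSL_OPEN_ATTACH_MH  Content-Disposition =~ /\b(?:OPEN|VIEW|READ|SEE|YOUR|ARE)\s*(?:THE\s*)?ATTACH(?:ED|MENT)/
score    FSL_OPEN_ATTACH_MH    2.0
describe FSL_OPEN_ATTACH_MH    Filename demands that you open the attachment!
endif

# ---------------------------------------------------------------------------
# Credential phishing for mailbox accounts: fires when at least three of the
# six indicators below are present.
# ---------------------------------------------------------------------------

body     __FSL_PHISH_UN        /\buser\s*name\s*:/i
body     __FSL_PHISH_PW        /\bpass\s*word\s*:/i
body     __FSL_PHISH_DE        /\bdeactivat(?:ed?|ion)\b/i
body     __FSL_PHISH_MB        /\b(?:this|your|you're) (?:e|e-)?mailbox (?:has|is)\b/i
body     __FSL_PHISH_RV        /\bre-?validat(?:ed?|ion)\b/i
header   __FSL_PHISH_ADMIN     From:name =~ /admin(?:istrator)?\b/i
meta     FSL_PHISH_EMAIL       (__FSL_PHISH_UN + __FSL_PHISH_PW + __FSL_PHISH_DE + __FSL_PHISH_MB + __FSL_PHISH_RV + __FSL_PHISH_ADMIN) >= 3
score    FSL_PHISH_EMAIL       1.0
describe FSL_PHISH_EMAIL       Likely phishing for e-mail account details

# ---------------------------------------------------------------------------
# Headers that web hosting stacks and PHP mail() add. Informational scores
# only, so the hits are visible when triaging mail sent through web scripts.
# ---------------------------------------------------------------------------

header   FSL_ABUSED_WEB_1      exists:X-AntiAbuse
score    FSL_ABUSED_WEB_1      0.01
describe FSL_ABUSED_WEB_1      Has X-AntiAbuse header

header   FSL_ABUSED_WEB_2      exists:X-PHP-Script
score    FSL_ABUSED_WEB_2      0.01
describe FSL_ABUSED_WEB_2      Has X-PHP-Script header

header   FSL_ABUSED_WEB_3      exists:X-PHP-Originating-Script
score    FSL_ABUSED_WEB_3      0.01
describe FSL_ABUSED_WEB_3      Has X-PHP-Originating-Script header

# ---------------------------------------------------------------------------
# Unsolicited offers
#
# FREEMAIL_FROM, DCC_CHECK, RAZOR2_CHECK and PYZOR_CHECK are not defined in
# this file; they come from the FreeMail, DCC, Razor2 and Pyzor plugins. The
# meta rules that reference them cannot fire unless those plugins are loaded.
# ---------------------------------------------------------------------------

# Fixed: the original had "supply(?:ing)" nested inside the "provid(...)"
# group, so it could only match the non-word "providsupplying" and never
# "supply" or "supplying". It is now a top-level alternative.
body     FSL_SUPPLY            /\b(?:i|we|company)\s*(?:can|is|am|are)?\s*(?:sell(?:ing)?|offer(?:ing)?|provid(?:es?|ing)|supply(?:ing)?)\b/i
describe FSL_SUPPLY            Something can be supplied
score    FSL_SUPPLY            1.0

meta     FSL_SUPPLY_FM         (FREEMAIL_FROM && FSL_SUPPLY)
describe FSL_SUPPLY_FM         Something can be supplied and from Freemail account
score    FSL_SUPPLY_FM         1.0

header   __FSL_SUBJ_SEO_1      Subject =~ /\bSEO\b/i
header   __FSL_SUBJ_SEO_2      Subject =~ /\bsearch engine optimi[sz]ation\b/i
meta     FSL_SUBJ_SEO          (__FSL_SUBJ_SEO_1 || __FSL_SUBJ_SEO_2)
describe FSL_SUBJ_SEO          Search engine optimisation
score    FSL_SUBJ_SEO          1.0

# The body acronym test is case-sensitive, unlike the Subject one above.
body     __FSL_BODY_SEO_1      /\bSEO\b/
body     __FSL_BODY_SEO_2      /\bsearch engine optimi[sz]ation\b/i
meta     FSL_BODY_SEO          (__FSL_BODY_SEO_1 || __FSL_BODY_SEO_2)
describe FSL_BODY_SEO          Search engine optimisation
score    FSL_BODY_SEO          1.0

# Adds 5.0 on top of the 1.0 scores of the SEO rules it depends on.
meta     FSL_FREEMAIL_SEO      (FREEMAIL_FROM && (FSL_SUBJ_SEO || FSL_BODY_SEO))
describe FSL_FREEMAIL_SEO      Freemail account offering SEO
score    FSL_FREEMAIL_SEO      5.0

# ---------------------------------------------------------------------------
# Bulk-signature combinations
# ---------------------------------------------------------------------------

meta     FSL_UNDISCLOSED_BULK  (FSL_UNDISCLOSED_RCPTS && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK))
describe FSL_UNDISCLOSED_BULK  Undisclosed recipients and bulk signature
score    FSL_UNDISCLOSED_BULK  3.0

header   __FSL_TO_COMMON_ROLE  To:addr =~ /^((?:post|web|domain)master|info|sales|(?:tech)?support|(?:sys)?admin(?:istrator)?|abuse|noc|root|security|compliance|registrar)@/i
meta     FSL_TO_ROLE_BULK      (__FSL_TO_COMMON_ROLE && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK))
describe FSL_TO_ROLE_BULK      Bulk signature and to a role account
score    FSL_TO_ROLE_BULK      1.0

# ---------------------------------------------------------------------------
# Authenticated-submission Received patterns seen on mail relayed by Yahoo.
# The sample headers are the observations the patterns were written from.
# At 5.0 this rule decides the verdict under the default threshold, so
# re-check it against current legitimate Yahoo mail.
# ---------------------------------------------------------------------------

# Received: from hwyhsxwaxz (amandacallow@113.162.65.176 with login) by
# Case-sensitive: the HELO must be exactly ten lower-case letters.
header   __FSL_YAHOO_AUTH1     Received =~ /from [a-z]{10} \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /
# Received: from localhost (rhinotrick@46.185.178.15 with login) by
header   __FSL_YAHOO_AUTH2     Received =~ /from localhost \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
header   __FSL_YAHOO_AUTH3     Received =~ /from user \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
meta     FSL_YAHOO_AUTH_SIG    (__FSL_RELAY_YAHOO && (__FSL_YAHOO_AUTH1 || __FSL_YAHOO_AUTH2 || __FSL_YAHOO_AUTH3))
describe FSL_YAHOO_AUTH_SIG    Yahoo SMTP AUTH observed patterns
score    FSL_YAHOO_AUTH_SIG    5.0

# Query-string layout of an unsubscribe link used by one bulk-mail tool.
uri      FSL_UNSUB_RATWARE     /unsubscribe\.php\?M=[0-9]+&C=[^& ]+&L=[0-9]+&N=[0-9]+/
describe FSL_UNSUB_RATWARE     Unsubscribe ratware signature
score    FSL_UNSUB_RATWARE     3.0

# ---------------------------------------------------------------------------
# Advance-fee fraud indicators
# ---------------------------------------------------------------------------

# Self-introduction at the start of a body paragraph ("I am <name> ... from
# <place>,"); the negative lookahead skips a few common benign continuations.
body     FSL_I_AM              /^I(?:'m| am)(?! a | by | pretty | very | excited | seeking )\s*[a-zA-Z.-]+(?:\s*\S+){1,3}(?:\s*from\s*\S+[,.]|[,.])/
describe FSL_I_AM              I am ...
score    FSL_I_AM              0.1

# Based on John Hardin's MONEY_FROM_41
# NOTE(review): the leading group is optional, so nothing anchors the "41."
# octet; an address such as 141.x.x.x also matches, and ALL covers every
# header, not only Received. Consider a left boundary before tightening scores.
header   __FSL_IPV4_41         ALL =~ /(?:\(|\s+)?\[?41\.(?:[0-9]{1,3}\.){2}[0-9]{1,3}\]?/
body     __FSL_URGENT_ASSIST   /your urgent assist/i
body     __FSL_MAIL_HAS        /your mail has/i
header   __FSL_SUBJECT_EMAIL   Subject =~ /\b[^\@ ]+\@[^\@ ]+\b/
body     __FSL_ATM_CARD        /\bATM [Cc][Aa][Rr][Dd]\b/
# NOTE(review): LOTS_OF_MONEY and FSL_MY_NAME_IS are not defined in the part
# of the file shown here - confirm both exist, or this meta loses those terms.
meta     FSL_FRAUD_FROM_41     (__FSL_IPV4_41 && (LOTS_OF_MONEY || FSL_MY_NAME_IS || FSL_I_AM || __FSL_URGENT_ASSIST || __FSL_MAIL_HAS || __FSL_SUBJECT_EMAIL || __FSL_ATM_CARD))
score    FSL_FRAUD_FROM_41     1.0

# ---------------------------------------------------------------------------
# Raw-body (undecoded HTML) checks
# ---------------------------------------------------------------------------

# Inline CSS that hides content from the reader.
rawbody  FSL_CSS_NO_DISPLAY    /display:[^:]+\bnone\b/i
# The next rule runs past the end of the visible text and is left as found.
rawbody FSL_HTML_COMMENT /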