# Ensure plugin-based rules used for FP avoidance exist
# even if the plugin is not loaded, or an older version is loaded
# __KAM_BODY_LENGTH_LT_128
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_128     __KAM_BODY_LENGTH_LT_128
  else
    meta      __LCL__KAM_BODY_LENGTH_LT_128     0
  endif
else
  meta      __LCL__KAM_BODY_LENGTH_LT_128     0
endif

# __KAM_BODY_LENGTH_LT_512
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_512     __KAM_BODY_LENGTH_LT_512
  else
    meta      __LCL__KAM_BODY_LENGTH_LT_512     0
  endif
else
  meta      __LCL__KAM_BODY_LENGTH_LT_512     0
endif

# __KAM_BODY_LENGTH_LT_1024
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_1024    __KAM_BODY_LENGTH_LT_1024
  else
    meta      __LCL__KAM_BODY_LENGTH_LT_1024    0
  endif
else
  meta      __LCL__KAM_BODY_LENGTH_LT_1024    0
endif

# __ENV_AND_HDR_FROM_MATCH
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
  meta      __LCL__ENV_AND_HDR_FROM_MATCH     __ENV_AND_HDR_FROM_MATCH
else
  meta      __LCL__ENV_AND_HDR_FROM_MATCH     0
endif

# __TVD_SPACE_RATIO
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  #
else
  meta      __TVD_SPACE_RATIO      0
endif



#
#header         REPLYTO_MANY_AT Reply-To =~ /\@.+\@/
#describe       REPLYTO_MANY_AT More than one @ in Reply-To:
#
#header         SENDER_MANY_AT  Sender =~ /\@.+\@/
#describe       SENDER_MANY_AT  More than one @ in Sender:
#
#header         FROM_MANY_AT    From =~ /\@.+\@/
#describe       FROM_MANY_AT    More than one @ in From:
#

header         RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe       RDNS_LOCALHOST  Sender's public rDNS is "localhost"

#body           EU_SPAM_LAW     m,Directive 2000/31/EC of the European Parliament,i
#describe       EU_SPAM_LAW     Quoting "European Parliament" spam law

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __HTML_ATTACH_01    Content-Type =~ m,\btext/html\b.+\.html?\b,i
  mimeheader   __HTML_ATTACH_02    Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
  meta         HTML_ATTACH         __HTML_ATTACH_01 || __HTML_ATTACH_02
  describe     HTML_ATTACH         HTML attachment to bypass scanning?

  mimeheader   OBFU_HTML_ATTACH    Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i
  describe     OBFU_HTML_ATTACH    HTML attachment with non-text MIME type

  mimeheader   OBFU_TEXT_ATTACH    Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
  describe     OBFU_TEXT_ATTACH    Text attachment with non-text MIME type
  #score        OBFU_TEXT_ATTACH    2.5
  tflags       OBFU_TEXT_ATTACH    publish

  mimeheader   OBFU_DOC_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
  describe     OBFU_DOC_ATTACH     MS Document attachment with generic MIME type
  #score        OBFU_DOC_ATTACH     0.25

  mimeheader   OBFU_PDF_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
  describe     OBFU_PDF_ATTACH     PDF attachment with generic MIME type
  #score        OBFU_PDF_ATTACH     0.25

  mimeheader   OBFU_JPG_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
  describe     OBFU_JPG_ATTACH     JPG attachment with generic MIME type
  #score        OBFU_JPG_ATTACH     1.50

  mimeheader   OBFU_GIF_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
  describe     OBFU_GIF_ATTACH     GIF attachment with generic MIME type
  #score        OBFU_GIF_ATTACH     1.50

  meta         OBFU_ATTACH_MISSP   __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH || OBFU_JPG_ATTACH || OBFU_GIF_ATTACH)
  describe     OBFU_ATTACH_MISSP   Obfuscated attachment type and misspaced From

#  mimeheader   ECMSNGR_MH          X-ecm-part-format =~ /./
#  describe     ECMSNGR_MH          eC-Messenger header

  mimeheader   __CTYPE_NULL        Content-Type =~ /^\s*;/
  meta         CTYPE_NULL          __CTYPE_NULL
  describe     CTYPE_NULL          Malformed Content-Type header

  mimeheader   __ZIP_ATTACH_NOFN   Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
  meta         OBFU_HTML_ATT_MALW  __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
  describe     OBFU_HTML_ATT_MALW  HTML attachment with incorrect MIME type - possible malware

  mimeheader   __PDF_ATTACH        Content-Type =~ m,\bapplication/pdf\b,i

  mimeheader   __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
  meta         DOC_ATTACH_NO_EXT   __ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT)
  describe     DOC_ATTACH_NO_EXT   Document attachment with suspicious name

  mimeheader   __ZIP_ATTACH_MT     Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
else
  meta         __HTML_ATTACH_01    0
  meta         __HTML_ATTACH_02    0
  meta         __CTYPE_NULL        0
  meta         __ZIP_ATTACH_NOFN   0
  meta         __PDF_ATTACH        0
  meta         __ATTACH_NAME_NO_EXT 0
  meta         __ZIP_ATTACH_MT     0
endif

# general case of spample observation
#header         MUA_ONE_WORD       X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe       MUA_ONE_WORD       Single word X-Mailer: not CamelCase

body           DEAR_EMAIL_USER          /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
describe       DEAR_EMAIL_USER          Dear Email User:
#score          DEAR_EMAIL_USER          3.0


# from users list spamples 8/2009
uri            URI_NUMERIC_CCTLD     m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe       URI_NUMERIC_CCTLD     CCTLD URI with multiple numeric subdomains

# various MUAs
header  __PHP_NOVER_MUA       X-Mailer =~ /^PHP$/
header  __PHPMAILER_MUA       X-Mailer =~ /^PHPMailer\b/

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
else
  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
describe  PHP_NOVER_MUA       Mail from PHP with no version number
score     PHP_NOVER_MUA       3.50	# limit
tflags    PHP_NOVER_MUA       publish


# From should have whitespace between the comment and the address
# Better S/O, good enough for standalone rule
header         __FROM_MISSPACED      From =~ /^\s*"[^"]*"</

# legit mailers known to misspace from
header         __MTLANDROID_MUA    X-Mailer =~ /\bMotorola android mail \d+\.\d/
header         __XEROXWORKCTR_MUA  X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
header         __AMADEUSMS_MUA     X-Mailer =~ /^Amadeus Messaging Server/
header         __FLASHMAIL_MUA     X-Mailer =~ /^NetEase Flash Mail \d/


# meta with some stuff to reduce FPs
meta           FROM_MISSPACED        __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe       FROM_MISSPACED        From: missing whitespace
score          FROM_MISSPACED        2.00

# Encrypted mail provider unable to properly format their headers (as of 07/2011)
header         __RCVD_ZIXMAIL        X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /

# Poorer S/O than FROM_MISSPACED but better performance in metas
header         __FROM_RUNON          From =~ /\S+<\w+/
header         __FROM_RUNON_UNCODED  From:raw =~ /\S+(?<!\?=)<\w+/

ifplugin Mail::SpamAssassin::Plugin::SPF
  #meta           FROM_MISSP_SPF_FAIL1  (__FROM_RUNON && !SPF_PASS)
  #tflags         FROM_MISSP_SPF_FAIL1  net
  meta           FROM_MISSP_SPF_FAIL  (__FROM_RUNON && SPF_FAIL)
  tflags         FROM_MISSP_SPF_FAIL  net
  score          FROM_MISSP_SPF_FAIL  2.00	# limit
endif

meta           __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
meta           FROM_MISSP_EH_MATCH   __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe       FROM_MISSP_EH_MATCH   From misspaced, matches envelope
score          FROM_MISSP_EH_MATCH   2.00	# max

# most hits > 10 points already
#meta           __FROM_MISSP_URI      __FROM_RUNON_UNCODED && __HAS_ANY_URI
#meta           FROM_MISSP_URI        __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__THREADED && !__TAG_EXISTS_META
#describe       FROM_MISSP_URI        From misspaced, has URI
#score          FROM_MISSP_URI        2.00	# max

meta           FROM_MISSP_USER       (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe       FROM_MISSP_USER       From misspaced, from "User"

# all hits > 10 points already
#meta           FROM_MISSP_NO_TO      (__FROM_RUNON && MISSING_HEADERS)
#describe       FROM_MISSP_NO_TO      From misspaced, To missing

meta           FROM_MISSP_TO_UNDISC  (__FROM_RUNON && __TO_UNDISCLOSED)
describe       FROM_MISSP_TO_UNDISC  From misspaced, To undisclosed

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta         __FROM_MISSP_DKIM     (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE)
  tflags       __FROM_MISSP_DKIM     net
  meta         FROM_MISSP_DKIM       __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
  describe     FROM_MISSP_DKIM       From misspaced, DKIM dependable
else
  meta         __FROM_MISSP_DKIM     0
endif

meta           __FROM_MISSP_REPLYTO  __FROM_RUNON && __REPLYTO_EXISTS
meta           FROM_MISSP_REPLYTO    __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY
describe       FROM_MISSP_REPLYTO    From misspaced, has Reply-To

## To the same
#header         TO_MISSPACED          To =~ /^\s*"[^"]*"</
#describe       TO_MISSPACED          To: missing whitespace
#score          TO_MISSPACED          0.25

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  meta         FROM_MISSP_FREEMAIL   __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
  describe     FROM_MISSP_FREEMAIL   From misspaced + freemail provider
  #score        FROM_MISSP_FREEMAIL   2.0
else
  meta         __FROM_MISSP_FREEMAIL 0
endif

meta           FROM_MISSP_MSFT       __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
describe       FROM_MISSP_MSFT       From misspaced + supposed Microsoft tool
#score          FROM_MISSP_MSFT       3.5

meta           FROM_MISSP_DYNIP      __FROM_RUNON && RDNS_DYNAMIC
describe       FROM_MISSP_DYNIP      From misspaced + dynamic rDNS
#score          FROM_MISSP_DYNIP      2.0


# observed in spam 8/2009
header         __MUA_EQ_ORG_1        ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism
header         __MUA_EQ_ORG_2        ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism
meta           MAILER_EQ_ORG         __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2
describe       MAILER_EQ_ORG         X-Mailer: same as Organization:
#tflags         MAILER_EQ_ORG         publish

header         __FROM_EQ_ORG_1       ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
header         __FROM_EQ_ORG_2       ALL =~ /\nOrganization: ([^\n]+)\n.*From: "?\1"?/ism
#meta           FROM_EQ_ORG           __FROM_EQ_ORG_1 || __FROM_EQ_ORG_2
#describe       FROM_EQ_ORG           From: same as Organization:
#tflags         FROM_EQ_ORG           publish


# observed in UCE 9/2009
#header         __HDRS_LCASE          ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm
header         __HDRS_LCASE          ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
tflags         __HDRS_LCASE          multiple maxhits=3

# __MSGID_APPLEMAIL is uppercase-only GUID message_id. This may be redundant.
header         __MSGID_GUID          Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
header         __MSGID_GUID_LOOSE    Message-ID =~ /^<?[0-9A-Z]{8}-(?:[0-9A-Z]{3,4}-){3}[0-9A-Z]{11,12}\@/
meta           __MSGID_GUID_FAKE     __MSGID_GUID_LOOSE && !__MSGID_GUID
# It would be nice if somebody could identify the MUA/MTA that generates this:
header         __MSGID_HEX_UID       Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
# It would be nice if somebody could identify the MUA/MTA that generates this:
header         __MSGID_HEXISH        Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/

# MUAs and MTAs known or suspected to do this
header         __UA_MSOMAC           User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
meta           __HDRS_LCASE_KNOWN    __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         HDRS_LCASE            __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
else
  meta         HDRS_LCASE            __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
describe       HDRS_LCASE            Odd capitalization of message header
score          HDRS_LCASE            0.10	# limit
meta           __MANY_HDRS_LCASE     __HDRS_LCASE > 1
meta           __TOOMANY_HDRS_LCASE  __HDRS_LCASE > 2
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         MANY_HDRS_LCASE       __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
else
  meta         MANY_HDRS_LCASE       __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
describe       MANY_HDRS_LCASE       Odd capitalization of multiple message headers
score          MANY_HDRS_LCASE       0.10	# limit

# Some metas that appear to perform well in masscheck
#meta           __HDRS_LCASE_1K       __HDRS_LCASE && __SINGLE_HEADER_1K
#meta           HDRS_LCASE_1K         __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE
#describe       HDRS_LCASE_1K         Odd capitalization of message headers + long header
#score          HDRS_LCASE_1K         0.50	# limit
meta           HDRS_LCASE_IMGONLY    __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
describe       HDRS_LCASE_IMGONLY    Odd capitalization of message headers + image-only HTML
score          HDRS_LCASE_IMGONLY    0.10	# limit




# observed in UCE from India, 9/2009
header         MDN_BOTCHED           Disposition-notification-to =~ /<>/
describe       MDN_BOTCHED           Malformed return receipt header

# observed in spam 9/2009
header         __HDRS_MISSP          ALL =~ /\n(?:Subject|From|To):\S/ism
meta           HDRS_MISSP            __HDRS_MISSP && !__TAG_EXISTS_HEAD && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH 
describe       HDRS_MISSP            Misspaced headers
score          HDRS_MISSP            2.000	# limit

header         SPAMMY_MIME_BDRY_01  Content-Type =~ /boundary="\@\@BOUNDARY"/
describe       SPAMMY_MIME_BDRY_01  Spammy MIME boundary string
#score          SPAMMY_MIME_BDRY_01  0.10

# testing
header         __TB_MIME_BDRY_NO_Z   Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
meta           TBIRD_SUSP_MIME_BDRY  __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe       TBIRD_SUSP_MIME_BDRY  Unlikely Thunderbird MIME boundary

# too dangerous even if it has a good S/O and hits >20% of spam in masschecks
#meta           TBIRD_SPOOF           __MUA_TBIRD && !__HAS_IN_REPLY_TO && !__HAS_X_REF  && !__THREADED  && !__VIA_ML && !__NOT_SPOOFED && !__HAS_SENDER && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__RP_MATCHES_RCVD && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL_MESSY && !__MIME_BASE64 && !__S25R_1
#describe       TBIRD_SPOOF           Claims Thunderbird mail client but looks suspicious
#score          TBIRD_SPOOF           2.00	# limit

# seen in a few HTML fraud spams
rawbody        RUNON_SHY          /(?:\&shy;){3}/i
describe       RUNON_SHY          Repeating soft hyphens
#score          RUNON_SHY          0.1
tflags         RUNON_SHY          nopublish

# Seen all too often
header         LAZY_LISTWASHING   To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
describe       LAZY_LISTWASHING   Lazy spammer, painfully obvious bogus addresses
#score          LAZY_LISTWASHING   0.25

# Little to work with
body           __PLS_REVIEW       /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
body           __DLND_ATTACH      /\bdownload\sthe\sattach(?:ed|ment)\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __DOC_ATTACH_MT    Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
  mimeheader   __DOC_ATTACH_FN1   Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
  mimeheader   __DOC_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
  meta         __DOC_ATTACH       (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
  mimeheader   __PDF_ATTACH_MT    Content-Type =~ m,\bapplication/pdf\b,i
  mimeheader   __PDF_ATTACH_FN1   Content-Type =~ /="[^"]+\.pdf"/i
  mimeheader   __PDF_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.pdf"/i
  meta         __PDF_ATTACH       (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)

  # observed in 419 spam
  mimeheader   CDISP_SZ_MANY      Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
  describe     CDISP_SZ_MANY      Suspicious MIME header
  score        CDISP_SZ_MANY      2.0  # limit
else
  meta         __DOC_ATTACH_MT    0
  meta         __DOC_ATTACH_FN1   0
  meta         __DOC_ATTACH_FN2   0
  meta         __DOC_ATTACH       0
  meta         __PDF_ATTACH_MT    0
  meta         __PDF_ATTACH_FN1   0
  meta         __PDF_ATTACH_FN2   0
  meta         __PDF_ATTACH       0
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FREEMAIL_DOC_PDF     (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  meta         FREEMAIL_DOC_PDF       __FREEMAIL_DOC_PDF
  describe     FREEMAIL_DOC_PDF       MS document or PDF attachment, from freemail

  meta         FREEMAIL_DOC_PDF_BCC   __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
  describe     FREEMAIL_DOC_PDF_BCC   MS document or PDF attachment, from freemail, all recipients hidden

  meta         FREEMAIL_RVW_ATTCH     (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
  describe     FREEMAIL_RVW_ATTCH     Please review attached document, from freemail
endif

meta           EMPTY_RVW_ATTCH      (__PLS_REVIEW || __DLND_ATTACH) && __EMPTY_BODY
describe       EMPTY_RVW_ATTCH      Please review attached document, empty message

body           __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta         END_FUTURE_EMAILS   __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
else
  meta         END_FUTURE_EMAILS   __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
endif
describe       END_FUTURE_EMAILS   Spammy unsubscribe
score          END_FUTURE_EMAILS   2.500	# limit


body           AD_COMPLAINTS       /\bcomplaints about this ad+\b/i
describe       AD_COMPLAINTS       Complain about this spam

# observed in bank phishing 09/2009
#rawbody        MISQ_HTML           /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/
#describe       MISQ_HTML           Unbalanced quotes in HTML tag
#tflags         MISQ_HTML           nopublish

# observed in bank phishing 09/2009
uri            WIKI_IMG            m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
describe       WIKI_IMG            Image from wikipedia

# observed in spam 09/2009
header         SUBJ_RE_CLNCLN      Subject =~ /^\s*RE::/
describe       SUBJ_RE_CLNCLN      Subject RE::

# observed in spam 02/2011
header         TO_SEM_SEM          To =~ /;;/
describe       TO_SEM_SEM          To has ";;"
tflags         TO_SEM_SEM          nopublish

uri            __MANY_SUBDOM       m;^https?://(?:[^\./]{1,30}\.){6};i
meta           MANY_SUBDOM         __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
describe       MANY_SUBDOM         Lots and lots of subdomain parts in a URI

# by request of Benny Pedersen <me@junc.org> on the users list 10/9/2009
#meta           RFC_ABUSE_POST      (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST)
#describe       RFC_ABUSE_POST      Both abuse and postmaster missing on sender domain
#score          RFC_ABUSE_POST      0.01
#tflags         RFC_ABUSE_POST      net

body           CALL_SKYPE            /\bCall this phone number [\w\s]{0,30}with Skype\b/

# <SPAN> tags shouldn't appear in the midst of text
rawbody        __SPAN_BEG_TEXT     /[a-z]{2}<(?i:span)\s/
tflags         __SPAN_BEG_TEXT     multiple maxhits=5
rawbody        __SPAN_END_TEXT     /[^;>]<\/(?i:span)>[a-z]{3}/
tflags         __SPAN_END_TEXT     multiple maxhits=5
meta           __MANY_SPAN_IN_TEXT   (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
meta           MANY_SPAN_IN_TEXT   __MANY_SPAN_IN_TEXT && !__VIA_ML
describe       MANY_SPAN_IN_TEXT   Many <SPAN> tags embedded within text
tflags         MANY_SPAN_IN_TEXT   publish
#score          MANY_SPAN_IN_TEXT   2.50

#uri            __FEEDPROXY_URI     m;http://feedproxy\.google\.com/;i
#rawbody        __FEEDPROXY         m;http://feedproxy\.google\.com/;i
#tflags         __FEEDPROXY         multiple maxhits=5
#meta           MANY_GOOG_PROXY     __FEEDPROXY > 4
#describe       MANY_GOOG_PROXY     Many Google feedproxy URIs

rawbody        TINY_FLOAT         /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i
describe       TINY_FLOAT         Has small-font floating HTML - text obfuscation?
#score          TINY_FLOAT         2.00


# endless requests on the users list...
header         __TO_EQ_FROM_1       ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
header         __TO_EQ_FROM_2       ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta           __TO_EQ_FROM         (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe       __TO_EQ_FROM         To: same as From:
#tflags         __TO_EQ_FROM         publish

# Suggested by Hans-Werner Friedemann on users list 09/30/2010
header         __SUBJ_HAS_FROM_1    ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism
meta           FROM_IN_TO_AND_SUBJ  (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
describe       FROM_IN_TO_AND_SUBJ  From address is in To and Subject
tflags         FROM_IN_TO_AND_SUBJ  publish

header         __SUBJ_HAS_TO_1      ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header         __SUBJ_HAS_TO_2      ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header         __SUBJ_HAS_TO_3      ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
meta           __TO_IN_SUBJ         (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
meta           TO_IN_SUBJ           __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe       TO_IN_SUBJ           To address is in Subject
tflags         TO_IN_SUBJ           publish
score          TO_IN_SUBJ           0.1

meta           __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
meta           TO_EQ_FM_HTML_ONLY   __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
describe       TO_EQ_FM_HTML_ONLY   To == From and HTML only
#tflags         TO_EQ_FM_HTML_ONLY   publish

meta           __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
meta           TO_EQ_FM_DIRECT_MX   __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH
describe       TO_EQ_FM_DIRECT_MX   To == From and direct-to-MX
#tflags         TO_EQ_FM_DIRECT_MX   publish

# Why __HUSH_HUSH hits ham on this in masscheck I don't know. Legit bank emails maybe?
meta           __TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY
meta           TO_EQ_FM_HTML_DIRECT  __TO_EQ_FM_HTML_DIRECT && !__HUSH_HUSH
describe       TO_EQ_FM_HTML_DIRECT  To == From and HTML only, direct-to-MX
#tflags         TO_EQ_FM_HTML_DIRECT  publish

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           __TO_EQ_FM_SPF_FAIL  __TO_EQ_FROM && SPF_FAIL
  tflags         __TO_EQ_FM_SPF_FAIL  net
  meta           TO_EQ_FM_SPF_FAIL    __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
  describe       TO_EQ_FM_SPF_FAIL    To == From and external SPF failed
  tflags         TO_EQ_FM_SPF_FAIL    net
else
  meta           __TO_EQ_FM_SPF_FAIL  0
endif

# Paul Stead on SA list 11/2014
# ++ not liked by perl 5.8.x
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  header     __PDS_TO_EQ_FROM_NAME_1  ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
  header     __PDS_TO_EQ_FROM_NAME_2  ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism

  meta       PDS_TO_EQ_FROM_NAME      (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2)
  describe   PDS_TO_EQ_FROM_NAME      From: name same as To: address

  header     __PDS_FROM_2_EMAILS      From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
  meta       PDS_FROM_2_EMAILS        __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD 
endif

uri     __PDS_LOC_WP_POMO       m;/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php).*;i


header         __FROM_ALL_NUMS      From:addr =~ /^\d+@/
header         __TO_ALL_NUMS        To:addr =~ /^\d+@/
meta           __FM_TO_ALL_NUMS     __FROM_ALL_NUMS && __TO_ALL_NUMS

header         __TO_EQ_FROM_DOM_1   ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
header         __TO_EQ_FROM_DOM_2   ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
meta           __TO_EQ_FROM_DOM     (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe       __TO_EQ_FROM_DOM     To: domain same as From: domain

meta           __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
meta           TO_EQ_FM_DOM_HTML_ONLY   __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
describe       TO_EQ_FM_DOM_HTML_ONLY   To domain == From domain and HTML only

meta           __TO_EQ_FM_DOM_HTML_IMG  __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
meta           TO_EQ_FM_DOM_HTML_IMG    __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
describe       TO_EQ_FM_DOM_HTML_IMG    To domain == From domain and HTML image link

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           __TO_EQ_FM_DOM_SPF_FAIL  __TO_EQ_FROM_DOM && SPF_FAIL
  tflags         __TO_EQ_FM_DOM_SPF_FAIL  net
  meta           TO_EQ_FM_DOM_SPF_FAIL    __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
  describe       TO_EQ_FM_DOM_SPF_FAIL    To domain == From domain and external SPF failed
  tflags         TO_EQ_FM_DOM_SPF_FAIL    net
else
  meta           __TO_EQ_FM_DOM_SPF_FAIL  0
endif


# Evaluate ReturnPath and blacklist collisions
meta           __RP_SAFE_BRBL             RCVD_IN_RP_SAFE && RCVD_IN_BRBL_LASTEXT
meta           __RP_CERTIFIED_BRBL        RCVD_IN_RP_CERTIFIED && RCVD_IN_BRBL_LASTEXT
tflags         __RP_SAFE_BRBL             net nopublish
tflags         __RP_CERTIFIED_BRBL        net nopublish
meta           __RP_SAFE_ZEN              RCVD_IN_RP_SAFE && __RCVD_IN_ZEN
meta           __RP_CERTIFIED_ZEN         RCVD_IN_RP_CERTIFIED && __RCVD_IN_ZEN
tflags         __RP_SAFE_ZEN              net nopublish
tflags         __RP_CERTIFIED_ZEN         net nopublish
meta           __RP_SAFE_SORBS            RCVD_IN_RP_SAFE && __RCVD_IN_SORBS
meta           __RP_CERTIFIED_SORBS       RCVD_IN_RP_CERTIFIED && __RCVD_IN_SORBS
tflags         __RP_SAFE_SORBS            net nopublish
tflags         __RP_CERTIFIED_SORBS       net nopublish
meta           __RP_SAFE_XBL              RCVD_IN_RP_SAFE && RCVD_IN_XBL
meta           __RP_CERTIFIED_XBL         RCVD_IN_RP_CERTIFIED && RCVD_IN_XBL
tflags         __RP_SAFE_XBL              net nopublish
tflags         __RP_CERTIFIED_XBL         net nopublish
meta           __RP_SAFE_PSBL             RCVD_IN_RP_SAFE && RCVD_IN_PSBL
meta           __RP_CERTIFIED_PSBL        RCVD_IN_RP_CERTIFIED && RCVD_IN_PSBL
tflags         __RP_SAFE_PSBL             net nopublish
tflags         __RP_CERTIFIED_PSBL        net nopublish
#meta           __RP_SAFE_ANBREP_L3        RCVD_IN_RP_SAFE && RCVD_IN_ANBREP_L3
#meta           __RP_CERTIFIED_ANBREP_L3   RCVD_IN_RP_CERTIFIED && RCVD_IN_ANBREP_L3
#tflags         __RP_SAFE_ANBREP_L3        net nopublish
#tflags         __RP_CERTIFIED_ANBREP_L3   net nopublish

# a URI in the From comment text, to bypass URIBL checks
# simplistic URI format for now
header         __FROM_URI_1               From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i
header         __FROM_URI_2               From =~ m;http://(?:[^.\s]+\.){1,3}(?:com|net|info|biz|org|\w\w)\b;i
meta           FROM_URI                   __FROM_URI_1 || __FROM_URI_2
describe       FROM_URI                   URI or www. in From

# observed in spam feb 2010
# Apparently-To per RFC2821 SHOULD NOT be used
header         __APPARENTLY_TO            Apparently-To =~ /<.*>/
tflags         __APPARENTLY_TO            multiple maxhits=21 nopublish
meta           HAS_APPARENTLY_TO          __APPARENTLY_TO > 0
describe       HAS_APPARENTLY_TO          Has deprecated Apparently-To header
#score          HAS_APPARENTLY_TO          0.50
tflags         HAS_APPARENTLY_TO          nopublish
meta           MANY_APPARENTLY_TO         __APPARENTLY_TO > 20
describe       MANY_APPARENTLY_TO         Has many Apparently-To headers
#score          MANY_APPARENTLY_TO         2.00
tflags         MANY_APPARENTLY_TO         nopublish

# obfuscation of "opt out"
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           FUZZY_OPTOUT             /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i
  replace_rules  FUZZY_OPTOUT
  describe       FUZZY_OPTOUT             Obfuscated opt-out text
endif

# stock spam disclaimer obfuscation
# body           GAPPY_TRADING              /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body           GAPPY_SECURITIES           /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i
# body           GAPPY_RISK                 /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i
# body           GAPPY_SELLING              /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body           GAPPY_HUNDRED              /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i
# body           GAPPY_THOUSAND             /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i
# body           GAPPY_EXPENSES             /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i
# body           GAPPY_DOLLARS              /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i
#
# describe       GAPPY_TRADING              Possible obfuscated stock disclaimer
# describe       GAPPY_SECURITIES           Possible obfuscated stock disclaimer
# describe       GAPPY_RISK                 Possible obfuscated stock disclaimer
# describe       GAPPY_SELLING              Possible obfuscated stock disclaimer
# describe       GAPPY_HUNDRED              Possible obfuscated stock disclaimer
# describe       GAPPY_THOUSAND             Possible obfuscated stock disclaimer
# describe       GAPPY_EXPENSES             Possible obfuscated stock disclaimer
# describe       GAPPY_DOLLARS              Possible obfuscated stock disclaimer

body           GAPPY_GENITALIA          /\bp(?!enis)(?!en is)[^a-z]?e[^a-z]?n[^a-z]?i[^a-z]?s(?:\b|_)/i
describe       GAPPY_GENITALIA          G.a.p.p.y male body parts

body           GAPPY_PILLS              /\bp(?!ills)[^a-z]?i[^a-z]?l[^a-z]?l[^a-z]?s(?:\b|_)/i
describe       GAPPY_PILLS              G.a.p.p.y pills

body           __STYLE_TAG_IN_BODY      /<style(?:[^>]{0,30})?>/i
body           __BODY_XHTML             /<x-html>/i
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  # possessive {0,4}+ requires perl 5.10 or better
  rawbody        __STYLE_GIBBERISH_1      /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>)(?:(?:\/\*(?:\s|[^*<]|\*(?!\/)|<(?!\/style>)){0,200}\*\/)|\#[^{<]{1,50}\{[^}<]{4,100}\})){0,4}+(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im
else
  # older perl, can't deal with style comments properly
  rawbody        __STYLE_GIBBERISH_1      /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im
endif
rawbody        __STYLE_GIBBERISH_2      /\.style\w{0,20}\s{1,10}\{[^:;]{200}/im
rawbody        __STYLE_GIBBERISH_3      /<style(?:\s[^>]{0,40})?>\s{0,80}(?:[\w:]{1,30}\s{0,10}\{[^}]{1,50}\}\s{0,80}){1,5}(?:[\w,.']{1,30}\s{1,10}){40}/im
meta           __STYLE_GIBBERISH        (__STYLE_GIBBERISH_1 || __STYLE_GIBBERISH_2 || __STYLE_GIBBERISH_3)
meta           STYLE_GIBBERISH          __STYLE_GIBBERISH && (__BODY_XHTML || !__STYLE_TAG_IN_BODY) && !__RCD_RDNS_MX_MESSY && !__HAS_THREAD_INDEX && !__ANY_OUTLOOK_MUA && !__MIME_QP && !ALL_TRUSTED
describe       STYLE_GIBBERISH          Nonsense in HTML <STYLE> tag
score          STYLE_GIBBERISH          3.50	# limit
tflags         STYLE_GIBBERISH          publish

body           __SCRIPT_TAG_IN_BODY     /<script>/i
rawbody        __SCRIPT_GIBBERISH       /<script>[^;<]{100}/im
meta           SCRIPT_GIBBERISH         __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
describe       SCRIPT_GIBBERISH         Nonsense in HTML <SCRIPT> tag

rawbody        __COMMENT_GIBBERISH      /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
meta           COMMENT_GIBBERISH        __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
describe       COMMENT_GIBBERISH        Nonsense in long HTML comment
score          COMMENT_GIBBERISH        1.50	# limit
tflags         COMMENT_GIBBERISH        publish

#rawbody        MANY_DIV_5                   /(?:<div[^>]{0,30}>\s{0,80}){5}/im
#tflags         MANY_DIV_5                    nopublish
#rawbody        MANY_DIV_6                   /(?:<div[^>]{0,30}>\s{0,80}){6}/im
#tflags         MANY_DIV_6                    nopublish
#rawbody        MANY_DIV_7                   /(?:<div[^>]{0,30}>\s{0,80}){7}/im
#tflags         MANY_DIV_7                    nopublish
#rawbody        MANY_DIV_8                   /(?:<div[^>]{0,30}>\s{0,80}){8}/im
#tflags         MANY_DIV_8                    nopublish
#rawbody        MANY_DIV_9                   /(?:<div[^>]{0,30}>\s{0,80}){9}/im
#tflags         MANY_DIV_9                    nopublish
#rawbody        MANY_DIV_10                   /(?:<div[^>]{0,30}>\s{0,80}){10}/im
#tflags         MANY_DIV_10                   nopublish

#header         FROM_TRL_UNDR              From =~ /_\@/
#tflags         FROM_TRL_UNDR              nopublish

#body           LOTSA_EMAILS               /\b(?:thousand|million)\se-?mail(?:\saddresse)?s?\b/i
#tflags         LOTSA_EMAILS               nopublish

body           __BIGNUM_EMAILS            /\b(?:thousand|million|\d[,\d]{4,})\s(?:(?!and|or|your)\w+\s)?(?:e-?mail\saddresses|leads|names)\b/i
meta           BIGNUM_EMAILS              __BIGNUM_EMAILS && !__SPOOFED_URL && !__BUGGED_IMG
describe       BIGNUM_EMAILS              Lots of email addresses/leads
score          BIGNUM_EMAILS              3.00		# limti
#tflags         BIGNUM_EMAILS              nopublish

#rawbody        __HTML_ELEM_OBFU           /[a-z\s]&\#[91]\d\d?[a-z]/
#tflags         __HTML_ELEM_OBFU           multiple nopublish
#meta           HTML_ELEM_OBFU_25          __HTML_ELEM_OBFU > 25
#tflags         HTML_ELEM_OBFU_25          nopublish
#meta           HTML_ELEM_OBFU_50          __HTML_ELEM_OBFU > 50
#tflags         HTML_ELEM_OBFU_50          nopublish
#meta           HTML_ELEM_OBFU_100         __HTML_ELEM_OBFU > 100
#tflags         HTML_ELEM_OBFU_100         nopublish
#meta           HTML_ELEM_OBFU_150         __HTML_ELEM_OBFU > 150
#tflags         HTML_ELEM_OBFU_150         nopublish

#header         PPMC_FROM_1                From =~ /\bPayPa[IL](?:\.Com)?\b/
#describe       PPMC_FROM_1                Paypal phishing sign

uri            URI_HIDDEN_2               m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..;
describe       URI_HIDDEN_2               URI contains a hidden file or directory



# Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
header          __NSL_ORIG_FROM_41        X-Originating-IP =~ /^(?:.+\[)?41\./
describe        __NSL_ORIG_FROM_41        Originates from 41.0.0.0/8

# Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
# consider using khop __RCVD_VIA_AFRINIC_E instead
#header          __NSL_RCVD_FROM_41        Received =~ /[([]41\./
header          __NSL_RCVD_FROM_41        X-Spam-Relays-External =~ / ip=41\./
describe        __NSL_RCVD_FROM_41        Received from 41.0.0.0/8

meta            __MONEY_FROM_41           __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
meta            MONEY_FROM_41             __MONEY_FROM_41
describe        MONEY_FROM_41             Lots of money from Africa
score           MONEY_FROM_41             2.00	# limit


# some metas with the above, maybe reduce FPs
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FROM_41_FREEMAIL         (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
  describe     __FROM_41_FREEMAIL         Sent from Africa + freemail provider

#  meta         __FROM_AFR_FREEMAIL       __RCVD_VIA_AFRINIC_E && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
#  describe     __FROM_AFR_FREEMAIL       Sent from Africa + freemail provider
else
  meta         __FROM_41_FREEMAIL         0
endif

# More from Ned
header         NSL_RCVD_HELO_USER       Received =~ /helo[= ]user\)/i
describe       NSL_RCVD_HELO_USER       Received from HELO User

header         NSL_RCVD_FROM_USER       Received =~ /from User [\[\(]/
describe       NSL_RCVD_FROM_USER       Received from User


# observed in spam 3/11/2010
header          DATE_DOTS               Date =~ /\d\d\.\d\d\.\d\d/
describe        DATE_DOTS               Periods in date header

uri             IMAGESHACK_URI          /\.imageshack\.us\//i
describe        IMAGESHACK_URI          URI contains imageshack.us

#uri             __DYNDNS_URI            /\.dyndns\.org(?:\/.*)?/i
#tflags          __DYNDNS_URI            multiple maxhits=2
#meta            DYNDNS_URIS             __DYNDNS_URI > 1
#describe        DYNDNS_URIS             Has multiple dyndns.org URIs


## Does not perform better than URL_SHORTENER family
## the ones that misses are already scoring 7+ points
#uri             __BITLY_URI             /\/\/bit\.ly\//i
#meta            BITLY_URI               __BITLY_URI && !__HDR_CASE_REVERSED && !__HAS_SENDER && !__HAS_CAMPAIGNID && !__DOS_HAS_LIST_UNSUB && !__HAS_ERRORS_TO && !__MAIL_LINK && !__MSGID_JAVAMAIL && !__ENV_AND_HDR_FROM_MATCH && !__THREADED && !__USING_VERP1 && !__IMG_VIA_BITLY && !__URL_SHORTENER 
#describe        BITLY_URI               URI contains bit.ly
#score           BITLY_URI               3.000	# limit
#tflags          BITLY_URI               publish
#
## HTML image sourced via URL shortening service:
## <IMG border=0 hspace=0 alt="" src="http://bit.ly/1OiuN0y" width=26 height=25>
#rawbody         __IMG_VIA_BITLY         m;<img\s[^>]+\ssrc\s*=\s*"?https?://(?:www\.)?bit\.ly/;i
#meta            IMG_VIA_BITLY           __IMG_VIA_BITLY && !SHORTENED_URL_SRC 
#describe        IMG_VIA_BITLY           HTML image via URL shortener - URIBL avoidance?
#score           IMG_VIA_BITLY           2.500	# limit

uri             __URI_OBFU_DOM          /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i
meta            URI_OBFU_DOM            __URI_OBFU_DOM && !__VIA_ML
describe        URI_OBFU_DOM            URI pretending to be different domain

uri             DQ_URI_DOM_IN_PATH      /:\/\/[\d\.]+\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe        DQ_URI_DOM_IN_PATH      DQ URI having a domain name in the path part

uri             LH_URI_DOM_IN_PATH      /:\/\/[^\/]{25,}\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe        LH_URI_DOM_IN_PATH      Long-host URI having a domain name in the path part

# observed in phish 4/10/10
uri             URI_1234                m,//1\.2\.3\.4/,

# requested by Benny Pedersen 17 Apr 2010, 10 Aug 2011
ifplugin Mail::SpamAssassin::Plugin::SPF
  meta            __SPF_FULL_PASS         (SPF_PASS && SPF_HELO_PASS)
  tflags          __SPF_FULL_PASS         net
  meta            __SPF_RANDOM_SENDER     (SPF_HELO_PASS && !SPF_PASS)
  tflags          __SPF_RANDOM_SENDER     net
else
  meta            __SPF_FULL_PASS         0
  meta            __SPF_RANDOM_SENDER     0
endif

# Spam from ZA
header          CAN_SPAM_HDR            CAN-SPAM_Compliant =~ /./
header          RPT_SPAM_HDR            Report-SPAM =~ /./


#header          LONG_FROM               From =~ /<[^<@]{40,}\w\@/


#if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
#  body            __MANY_RECORDS_1        /\s[A-Z][a-z]{1,30}s(?:\sDatabase)?[-:\s]{2,5}(?i:1\smillion\s|\d[\d,.]{1,8}[Kk]?\s(?i:thousand\s|million\s)?)(?i:total\s|full\sdata\s)?(?i:email|record)s/
#  tflags          __MANY_RECORDS_1        multiple maxhits=16
#  body            __MANY_RECORDS_2        /\W{1,4}\s(?:[a-z\/]{1,20}\s){0,4}(?:doctor|physician|provider|therapist|counselor|dentist|veterinarian|clinic|hospital|agent|chiropractor|psychologist|companie|supplier)s/i
#  tflags          __MANY_RECORDS_2        multiple maxhits=16
#  body            __MANY_RECORDS_3        /\W{1,4}\s(?:(?:[A-Z]{1,2}[a-z\/]{0,20}|and)\s){0,4}[A-Z][a-z]{1,20}s Database/
#  tflags          __MANY_RECORDS_3        multiple maxhits=16
#  #meta            BIG_LISTS               (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 5
#  meta            __MANY_BIG_LISTS        (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 15
#  meta            MANY_BIG_LISTS          __MANY_BIG_LISTS && !HTML_MESSAGE && !__CTYPE_MULTIPART_ANY && !__HS_SUBJ_RE_FW && !__HAS_THREAD_INDEX
#  describe        MANY_BIG_LISTS          Lots of mailing lists / databases available!
#endif


# Suggested by Gerard Z 2010-08-15
#uri         __GZ_PILL_SQUAT1       /\/[a-z]{3,8}\d{2}\.html/i
#uri         __GZ_PILL_SQUAT2       /\/[a-z]{3,8}\d{2}\.jpg/i
#meta        __GZ_PILL_SQUATTERS    __GZ_PILL_SQUAT1 && __GZ_PILL_SQUAT2
#meta        GZ_PILL_SQUATTERS      __GZ_PILL_SQUATTERS && !__DOS_RELAYED_EXT && !__FROM_ISO_2022_JP && !__RCD_RDNS_MX_MESSY
#describe    GZ_PILL_SQUATTERS      Found a link to rogue pill pusher content

# observed in multiple spam
header      TO_JOHNZY              TO =~ /johnzy_the_king\@hotmail\.com/i
describe    TO_JOHNZY              To a spammy recipent
#score       TO_JOHNZY              3.00

# Discussed on list and observed in spam 10/15/2010
header      TO_ONE_CHAR            To =~ /^\s*"<"\s*</
describe    TO_ONE_CHAR            Bogus TO name
# Check From: as well...
header      FROM_ONE_CHAR          From =~ /^\s*"[^"]"\s*</
describe    FROM_ONE_CHAR          Bogus FROM name

# __ version of khop rule for FP filtering
meta           __NAME_EMAIL_DIFF   __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL

# 12-letter domain names, suggested by Len Conrad on the users list
header         __RCVD_12LTRDOM     Received =~ /[(\s.][a-z]{12}\./
header         __RPATH_12LTRDOM    Return-Path =~ /\@[a-z]{12}\./
uri            __URI_12LTRDOM      m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i

header         __FROM_12LTRDOM_1   From =~ /\@(?!facebookmail)[a-z]{12}\./
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         FROM_12LTRDOM       __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
else
  meta         FROM_12LTRDOM       __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
endif
describe       FROM_12LTRDOM       From a 12-letter domain
#tflags         FROM_12LTRDOM       nopublish
score          FROM_12LTRDOM       0.10  	# limit

# promising masscheck results
meta           __MONEY_12LTRDOM    __FROM_12LTRDOM_1 && __LOTSA_MONEY_00
meta           MONEY_12LTRDOM      __MONEY_12LTRDOM
score          MONEY_12LTRDOM      0.10		# limit
describe       MONEY_12LTRDOM      Mentions lots of money and from a 12-letter domain

# spammer email addresses noted by D. German on users list 9/2010
body        DG_SPAMMER_EMAIL_B     /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
header      DG_SPAMMER_EMAIL_F     From =~ /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
describe    DG_SPAMMER_EMAIL_B     Recognized spammer email address in body
describe    DG_SPAMMER_EMAIL_F     Recognized spammer email address in From: header

# Spammers can't include the real name successfully...
body        __FORGED_FB_USERCP_01  /This message was intended for Want to control which emails you receive from Facebook\?/i

# Javascript obfuscation noted by J. Brennan on the Users list 09/2010
rawbody     OBFU_JVSCR_ESC         /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
describe    OBFU_JVSCR_ESC         Injects content using obfuscated javascript
#score       OBFU_JVSCR_ESC         2.75
tflags      OBFU_JVSCR_ESC         publish

# Starting to observe in spam
meta        __LIST_PARTIAL         __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
meta        LIST_PARTIAL           __LIST_PARTIAL && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_SENDER && !__HAS_ERRORS_TO 
describe    LIST_PARTIAL           Has incomplete List-* header set
score       LIST_PARTIAL           1.000   # limit

meta        __LIST_PRTL_SAME_USER  __LIST_PARTIAL && __TO_EQ_FROM_USR
meta        LIST_PRTL_SAME_USER    __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO 
describe    LIST_PRTL_SAME_USER    Incomplete List-* headers and from+to user the same
score       LIST_PRTL_SAME_USER    3.000   # limit
tflags      LIST_PRTL_SAME_USER    publish

meta        __LIST_PRTL_PUMPDUMP   __LIST_PARTIAL && __PD_CNT_1
meta        LIST_PRTL_PUMPDUMP     __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS 
describe    LIST_PRTL_PUMPDUMP     Incomplete List-* headers and stock pump-and-dump
score       LIST_PRTL_PUMPDUMP     2.000   # limit
tflags      LIST_PRTL_PUMPDUMP     publish



# in lots of phishing
uri         __UCOZ_URI             /\.ucoz\.org\//i
describe    __UCOZ_URI             URI contains ucoz.org

# Intrust Domains is a persistent domain registration spammer
# recent sign, will likely change
#body        __ARTHUR_SIMMONS       /Arthur Simmons/
#body        __INTRUST_DOMS         /In[Tt]rust Domains/
#meta        ARTHUR_INTRUST         __ARTHUR_SIMMONS && __INTRUST_DOMS
#score       ARTHUR_INTRUST         4.5
#describe    ARTHUR_INTRUST         Arthur Simmons - registrar spammer extraordinaire

#header      ART_NAMES_ORG          Received =~ /\bart\.names\.org\b/i
#score       ART_NAMES_ORG          4.0
#describe    ART_NAMES_ORG          Arthur Simmons - registrar spammer extraordinaire

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __PILL_PRICE_01        m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
  body        __PILL_PRICE_02        /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
  tflags      __PILL_PRICE_01        multiple maxhits=3
  tflags      __PILL_PRICE_02        multiple maxhits=3
  meta        ANY_PILL_PRICE         (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
  describe    ANY_PILL_PRICE         Prices for pills
  meta        MANY_PILL_PRICE        (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
  describe    MANY_PILL_PRICE        Prices for many pills
else
  meta        __PILL_PRICE_01        0
  meta        __PILL_PRICE_02        0
endif

# More from Ned Slider
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta        NSL_FREEMAIL_SUBJ      (FREEMAIL_FROM && MISSING_SUBJECT)
  describe    NSL_FREEMAIL_SUBJ      From freemail with missing subject
#  score       NSL_FREEMAIL_SUBJ      1.0
  tflags      NSL_FREEMAIL_SUBJ      nopublish

  meta        NSL_FREEMAIL_M1        (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS))
  describe    NSL_FREEMAIL_M1        From freemail, missing subject and uri or many recips
#  score       NSL_FREEMAIL_M1        1.0
  tflags      NSL_FREEMAIL_M1        nopublish

  meta        NSL_FREEMAIL_M2        (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS)
  describe    NSL_FREEMAIL_M2        From freemail with uri and many recips
#  score       NSL_FREEMAIL_M2        1.0
  tflags      NSL_FREEMAIL_M2        nopublish
endif

header      NSL_TO_ENDS_COMMA      To =~ /,$/
describe    NSL_TO_ENDS_COMMA      To: ends with a comma
#score       NSL_TO_ENDS_COMMA      0.001
tflags      NSL_TO_ENDS_COMMA      nopublish


body        CN_B2B_SPAMMER         /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
describe    CN_B2B_SPAMMER         Chinese company introducing itself
tflags      CN_B2B_SPAMMER         publish

body        CN_OPTOUT_EML          /\b(?:pasamenzi|arinayuma)\@sina\.com\b/i
describe    CN_OPTOUT_EML          Opt-out email address in CN B2B spams

# __ version of khopesh UPPERCASE_URI, for use in metas
uri         __UPPERCASE_URI        /^[^:A-Z]+[A-Z]/

# __ version of khopesh SINGLE_HEADER_1K, for use in metas
#header      __SINGLE_HEADER_1K     ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s

# __ version of mmartinec RP_MATCHES_RCVD, for use in metas
if version >= 3.003000
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
  header      __RP_MATCHES_RCVD      eval:check_mailfrom_matches_rcvd()
else
  meta        __RP_MATCHES_RCVD      0
endif
else
  meta        __RP_MATCHES_RCVD      0
endif

# for sale newsletters
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_OBO            /\bor best offer\b/i
  tflags      __FOR_SALE_OBO            multiple maxhits=6
  meta        __FOR_SALE_OBO_MANY       __FOR_SALE_OBO > 5

  body        __FOR_SALE_PRC_1K         /\bprice:? \$\d,?\d\d\d[.\s]/i
  tflags      __FOR_SALE_PRC_1K         multiple maxhits=11
  meta        __FOR_SALE_PRC_1K_MANY    __FOR_SALE_PRC_1K > 10

  body        __FOR_SALE_PRC_10K        /\bprice:? \$\d\d,\d\d\d/i
  tflags      __FOR_SALE_PRC_10K        multiple maxhits=11
  meta        __FOR_SALE_PRC_10K_MANY   __FOR_SALE_PRC_10K > 10

  body        __FOR_SALE_PRC_100K       /\bprice:? \$\d\d\d,\d\d\d/i
  tflags      __FOR_SALE_PRC_100K       multiple maxhits=11
  meta        __FOR_SALE_PRC_100K_MANY  __FOR_SALE_PRC_100K > 5

  meta        __FOR_SALE_PRC_MANY       (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20

  body        __FOR_SALE_LTP            /00\.? (?:less 10%|LTP)/i
  tflags      __FOR_SALE_LTP            multiple maxhits=11
  meta        __FOR_SALE_LTP_MANY       __FOR_SALE_LTP > 10

  body        __FOR_SALE_NET            /00\.? NET/i
  tflags      __FOR_SALE_NET            multiple maxhits=11
  meta        __FOR_SALE_NET_MANY       __FOR_SALE_NET > 10

  rawbody     __FOR_SALE_PRC_EOL        /\s\$\d{1,3},\d00(?:\.00)?$/m
  tflags      __FOR_SALE_PRC_EOL        multiple maxhits=11
  meta        __FOR_SALE_PRC_EOL_MANY   __FOR_SALE_PRC_EOL > 10
endif

uri         __URI_MAILTO              /^mailto:/i
tflags      __URI_MAILTO              multiple maxhits=16
meta        __URI_MAILTO_MANY         __URI_MAILTO > 15


header      REPLYTO_EMPTY          Reply-To =~ /<>/
describe    REPLYTO_EMPTY          Reply-To undeliverable

header      __TO_MANY              To =~ /(?:,[^,]{1,90}){10}/
header      __CC_MANY              Cc =~ /(?:,[^,]{1,90}){10}/

header      __TO_TOO_MANY          To =~ /(?:,[^,]{1,90}){30}/
header      __CC_TOO_MANY          Cc =~ /(?:,[^,]{1,90}){30}/

header      __TO_WAY_TOO_MANY      ToCc =~ /(?:,[^,]{1,90}){50}/

meta        FREEMAIL_MANY_TO       __TO_WAY_TOO_MANY && FREEMAIL_FROM
describe    FREEMAIL_MANY_TO       Freemail sender, 50+ exposed recipients
score       FREEMAIL_MANY_TO       2.000	# limit


body        __GAPPY_PHONE_NA       /1 ?- \d \d \d ?- \d \d \d ?- \d \d \d \d/
meta        GAPPY_PHONE_NA         __GAPPY_PHONE_NA
describe    GAPPY_PHONE_NA         Phone number with lots of spaces

full        __GAPPY_HTML_01        m;</?[a-z]{1,6}(?:\s[^>]{0,40})?>(?:\s|=09){0,80}(?:(?!\d)[\w'()\#,.:!]{1,15}(?:\s|=09){4,80}){7}\S;
full        __GAPPY_HTML_02        m;\S(?:(?:\s|=09){4,80}(?!\d)[\w'()\#,.:!]{1,15}){7}(?:\s|=09){0,5}</?[a-z]{1,6}/?>;
#full        __GAPPY_HTML_03        /^(?:=09){5,20}</m
#tflags      __GAPPY_HTML_03        multiple maxhits=11
#full        __GAPPY_HTML_04        /^(?:=0A){5,20}/m
#tflags      __GAPPY_HTML_04        multiple maxhits=11
#meta        __GAPPY_HTML           __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02 || (__GAPPY_HTML_03 > 10) || (__GAPPY_HTML_04 > 10))
meta        __GAPPY_HTML           __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02)
meta        GAPPY_HTML             __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe    GAPPY_HTML             HTML body with much useless whitespace

# Try to improve S/O per bug 6119
meta        TVD_SPACE_RATIO_MINFP  __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__TO_EQ_FROM_DOM && !__BOTH_INR_AND_REF && !__X_CRON_ENV && !__HAS_THREAD_INDEX && !__HDRS_LCASE_KNOWN && !__ISO_2022_JP_DELIM
#tflags      TVD_SPACE_RATIO_MINFP  nopublish
score       TVD_SPACE_RATIO_MINFP  2.750   # limit
describe    TVD_SPACE_RATIO_MINFP  Space ratio

# Only useful for English-language email
#meta        SUBJECT_UNNEEDED_ENCODING    (__SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) && !__RCD_RDNS_MAIL && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__THREADED && !__NONBOUNCE_READ_RECEIPT 
#describe    SUBJECT_UNNEEDED_ENCODING    Subject encoded but not non-ANSI?
#score       SUBJECT_UNNEEDED_ENCODING    1.000    # limit
#tflags      SUBJECT_UNNEEDED_ENCODING    publish

# Be sensitive to FP on legit japanese- and chinese-language mailing lists (09/2014)
meta        __TVD_SPACE_ENCODED    (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
meta        TVD_SPACE_ENCODED      __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
score       TVD_SPACE_ENCODED      2.500   # limit
describe    TVD_SPACE_ENCODED      Space ratio & encoded subject

meta        TVD_SPACE_ENC_FM_MIME  __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM
score       TVD_SPACE_ENC_FM_MIME  2.000   # limit
describe    TVD_SPACE_ENC_FM_MIME  Space ratio & encoded subject & MIME needed


# sample from users list:   Subject: Sta ffWork sFastToSen dTab le tsGood s
header      __SUBJ_BROKEN_WORD     Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
tflags      __SUBJ_BROKEN_WORD     multiple maxhits=2
meta        SUBJ_BROKEN_WORD       __SUBJ_BROKEN_WORD && !ALL_TRUSTED && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS && !__NOT_A_PERSON && !__LCL__ENV_AND_HDR_FROM_MATCH
describe    SUBJ_BROKEN_WORD       Subject contains odd word break
meta        SUBJ_BROKEN_WORDS      __SUBJ_BROKEN_WORD > 1 && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS
describe    SUBJ_BROKEN_WORDS      Subject contains multiple odd word breaks

# felicity TVD_SUBJ_NUM_OBFU as subrule
header      __TVD_SUBJ_NUM_OBFU    Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
meta        __SUBJ_BRKN_WORDNUMS   __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta      SUBJ_BRKN_WORDNUMS     __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
  describe  SUBJ_BRKN_WORDNUMS     Subject contains odd word breaks and numbers
endif

meta        TVD_SUBJ_NUM_OBFU_MINFP   __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO

# from spample on users list 7/20/2011
header      __XM_PHPMAILER_FORGED  X-Mailer =~ /PHPMailer\s.*version\D+$/
meta        XM_PHPMAILER_FORGED    __XM_PHPMAILER_FORGED
describe    XM_PHPMAILER_FORGED    Apparently forged header
tflags      XM_PHPMAILER_FORGED    publish

# from spample on users list 7/24/2011
header      __XM_EC_MESSENGER      X-Mailer =~ /\beC-Messenger\b/
#meta        XM_EC_MESSENGER        __XM_EC_MESSENGER
#describe    XM_EC_MESSENGER        eC-Messenger bulk mail service

header      __SUBJ_OBFU_PUNCT      Subject =~ /(?:(?!<[a-z][a-z])[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z])/i
tflags      __SUBJ_OBFU_PUNCT      multiple maxhits=4
meta        SUBJ_OBFU_PUNCT_FEW    __SUBJ_OBFU_PUNCT > 1 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH 
describe    SUBJ_OBFU_PUNCT_FEW    Possible punctuation-obfuscated Subject: header
score       SUBJ_OBFU_PUNCT_FEW    0.750
meta        SUBJ_OBFU_PUNCT_MANY   __SUBJ_OBFU_PUNCT > 2 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH 
describe    SUBJ_OBFU_PUNCT_MANY   Punctuation-obfuscated Subject: header
score       SUBJ_OBFU_PUNCT_MANY   1.750

#meta        SUBJ_MANGLED           __SUBJ_OBFU_PUNCT && __GAPPY_SUBJECT && !__RP_MATCHES_RCVD && !__HAS_X_MAILER && !__DOS_HAS_LIST_UNSUB 
#score       SUBJ_MANGLED           2.000    # limit

# A document was scanned and sentto you using a Hewlett-Packard HP Officejet
# A document was scanned and sent to you using a Hewlett-Packard HP Officejet
# Scan from Hewlet-Packard Officejet
# Scan from a HP Officejet
# Hewlett-Packard Officejet Location: machine location not set
# Xerox WorkCentre
# See http://isc.sans.edu/diary.html?storyid=11848#comment
body        __SCANNED              /\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)|Xerox\b)/i
meta        SCANNED_EXTERNAL       __SCANNED && !ALL_TRUSTED && !__XEROXWORKCTR_MUA
describe    SCANNED_EXTERNAL       "Scanned Document" email from external source - malware?
score       SCANNED_EXTERNAL       3.00		# limit

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
   # real estate / stock scam spams 11/2011
   # roughly similar to FS_LARGE_PERCENT2, better S/O?
   body        __LARGE_PERCENT_AFTER  /\d{3}% after/i
   tflags      __LARGE_PERCENT_AFTER  multiple maxhits=4
   meta        LARGE_PCT_AFTER_MANY   __LARGE_PERCENT_AFTER > 3
   describe    LARGE_PCT_AFTER_MANY   Many large percentages after...
else
   meta        __LARGE_PERCENT_AFTER  0
endif

# phish/malware 11/2011
body        __ACH_CANCELLED_01     /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body        __ACH_CANCELLED_02     /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
body        __ACH_CANCELLED_03     /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body        __ACH_CANCELLED_04     /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
	mimeheader   __EXE_ATTACH        Content-Type =~ /\.exe\b/i
	meta         __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
	meta         ACH_CANCELLED_EXE   __ACH_CANCELLED_EXE
	describe     ACH_CANCELLED_EXE   "ACH cancelled" probable malware
else
	meta         __EXE_ATTACH        0
endif

meta        __ACH_CANCELLED        (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && (__HAS_ANY_URI || LOTS_OF_MONEY)
meta        ACH_CANCELLED          __ACH_CANCELLED
describe    ACH_CANCELLED          "ACH cancelled" fraud / phish

# spams from users list query 03/2012
# Not useful as scored rules, may be useful meta'd with something else
uri         __URI_DBL_SUBDOM   m,^https?://(?!www\.amazon\.com)([^/]+)/.*https?://(?:[^.]+\.)?\1/,i
#meta        URI_DBL_SUBDOM     __URI_DBL_SUBDOM && !__RP_MATCHES_RCVD && !__FROM_LOWER && !__HAS_ERRORS_TO && !__TO_EQ_FROM_DOM
#score       URI_DBL_SUBDOM     1.00	# limit

uri         __URI_DBL_DOM      m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i

uri         __URI_DBL_INDIR    m,(?:=https?://(?!www\.amazon\.com).*?){2},i
meta        URI_DBL_INDIR      __URI_DBL_INDIR && !__URI_TRPL_INDIR
describe    URI_DBL_INDIR      A URI with two levels of indirection
uri         __URI_TRPL_INDIR   m,(?:=https?://(?!www\.amazon\.com).*?){3},i
meta        URI_TRPL_INDIR     __URI_TRPL_INDIR
describe    URI_TRPL_INDIR     A URI with at least three levels of indirection

# suggestion on users list 04/2012
header      SUBJ_ODD_CASE      ALL =~ /\n(?!(?:Subject:|SUBJECT:|subject:))(?i:subject:)/sm
describe    SUBJ_ODD_CASE      Oddly mixed-case Subject: header


# Somebody's resurrecting the dead 07/1012
body        BILL_1618          /\bUnder Bills?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i
describe    BILL_1618          Mentions proposed US law supposedly permitting spamming
body        NOT_SPAM           /\b(?:this mail cannot be considered Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)\b/i
describe    NOT_SPAM           I'm not spam! Really! I'm not, I'm not, I'm not!


# suggested by http://isc.sans.edu/diary.html?storyid=13921
uri         URI_MALWARE_BH     /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
describe    URI_MALWARE_BH     Possible BlackHole malware links / phishing
score       URI_MALWARE_BH     1.0	# limit

# suggested by https://isc.sans.edu/diary.html?storyid=13996
uri         __URI_DATA         /^data:[a-z]/i
meta        URI_DATA           __URI_DATA && !ALL_TRUSTED
describe    URI_DATA           "data:" URI - possible malware or phish
score       URI_DATA           1.0	# limit


header      __SUBJ_ATTENTION     Subject =~ /ATTENTION/
meta        SUBJ_ATTENTION       __SUBJ_ATTENTION && !ALL_TRUSTED
describe    SUBJ_ATTENTION       ATTENTION in Subject
score       SUBJ_ATTENTION       0.500	# limit

header      __IRS_FM_NAME        From:name =~ /internal\srevenue\sservice/i
header      __IRS_FM_DOM         From:addr =~ /\birs\.gov$/
header      __IRS_RCVD_DOM       X-Spam-Relays-External =~ / rdns=\S+\birs\.gov /
meta        __IRS_SPOOF          (__IRS_FM_NAME || __IRS_FM_DOM) && !__IRS_RCVD_DOM && __REPLYTO_EXISTS
meta        IRS_SPOOF            __IRS_SPOOF
describe    IRS_SPOOF            Claims to be IRS, but not from IRS domain
score       IRS_SPOOF            2.00	# limit


header      __FBI_FM_NAME        From:name =~ /federal\sbureau\sof\sinvestigation/i
header      __FBI_FM_DOM         From:addr =~ /\bfbi\.gov$/
header      __FBI_RCVD_DOM       X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
body        __FBI_BODY_SHOUT_1   /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
rawbody     __FBI_BODY_SHOUT_2   /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
meta        __FBI_SPOOF          (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __REPLYTO_EXISTS
meta        FBI_SPOOF            __FBI_SPOOF
describe    FBI_SPOOF            Claims to be FBI, but not from FBI domain
score       FBI_SPOOF            2.00	# limit
tflags      FBI_SPOOF            publish

meta        FBI_MONEY            __FBI_SPOOF && LOTS_OF_MONEY
describe    FBI_MONEY            The FBI wants to give you lots of money?
score       FBI_MONEY            2.00	# limit
tflags      FBI_MONEY            publish


header      __FROM_ASB_BANK      From:addr =~ /\basb\.co\.nz$/i
header      __FROM_AMEX          From =~ /american\s?express/i
header      __FROM_BANK_LOOSE    From =~ /ban(?:k|co)/i
header      __FROM_CHASE         From:addr =~ /chase(?:2?-?paymentech)\.com$/i
header      __FROM_CMNWLTH_BANK  From:addr =~ /\bcommonwealth\.com\.au$/i
header      __FROM_EBAY_LOOSE    From =~ /\be-?bay\b/i
header      __FROM_HSBC          From:addr =~ /\bhsbc\.co\.uk$/i
header      __FROM_LLOYDSTSB     From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i
header      __FROM_PAYPAL_LOOSE  From =~ /paypal/i
header      __FROM_WELLSFARGO    From:addr =~ /wellsfargo\.com$/i
header      __FROM_WESTERNUNION  From:addr =~ /westernunion\.com$/i

meta        __FROM_MISSP_PHISH   __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
meta        FROM_MISSP_PHISH     __FROM_MISSP_PHISH
describe    FROM_MISSP_PHISH     Malformed, claims to be from financial organization - possible phish
score       FROM_MISSP_PHISH     4.75	# limit

# another upload-a-document-for-public-access site
uri         __URI_YOUSENDIT      m,^https?://www\.yousendit\.com/directdownload,i

# see also DOS_GOOGLE_DOCS
uri         __URI_GOOGLE_DOC     m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i
uri         __URI_GOOGLE_DRV     m,^https?://googledrive\.com/,i

body        __WEBMAIL_ACCT       /\byour web ?mail account/i
body        __MAILBOX_FULL       /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
body        __CLEAN_MAILBOX      /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here)\b/i
body        __VALIDATE_MAILBOX   /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta)\b/i
body        __UPGR_MAILBOX       /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage)\b/i
body        __LOCK_MAILBOX       /\b(?:(?:deactivate|lock|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server))/i
body        __SYSADMIN           /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
body        __ATTN_MAIL_USER     /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
body        __MAIL_ACCT_ACCESS1  /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
body        __MAIL_ACCT_ACCESS2  /\blo+se ac+es+ to your (?:web|e-?)?mail (?:account|log-?in|box|address)\b/i

body        __MAILBOX_FULL_SE    /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
body        __VALIDATE_MBOX_SE   /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i

meta        __EMAIL_PHISH        (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 1)
meta        __EMAIL_PHISH_MANY   (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 3)

meta        UPGRADE_MAILBOX      __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP 
describe    UPGRADE_MAILBOX      Upgrade your mailbox! (phishing?)

body        __ACCESS_SUSPENDED   /\b?(:(?:access|account) has been (?:temporar(?:il)?y )(?:suspended|blocked|locked)|suspend (?:you from|your) access(?:ing)?)\b/i
body        __ACCESS_RESTORE     /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online))/i
body        __ACCESS_REVOKE      /(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)/i
body        __VERIFY_ACCOUNT     /(?:confirm|updated?|verify) (?:your|the) (?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)/i
body        __FAILED_LOGINS      /unsuc+es+ful log-?[io]n at+empts/i
body        __ACCOUNT_REACTIV    /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
body        __SECURITY_DEPT      /\bsecurity dep(?:artmen)?t\b/i
body        __ACCOUNT_ERROR      /your account (?:is|appears to be) (?:incorrect|missing|in error|invalid)/i
body        __ACCOUNT_DISRUPT    /ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)/i
body        __ACCOUNT_UPGRADE    /(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded)/i

meta        __ACCT_PHISH         (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 1 && !__ACCT_PHISH_MANY
meta        __ACCT_PHISH_MANY    (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 3
meta        ACCT_PHISHING        __ACCT_PHISH
describe    ACCT_PHISHING        Possible phishing for account information
score       ACCT_PHISHING        1.500  # limit
meta        ACCT_PHISHING_MANY   __ACCT_PHISH_MANY
describe    ACCT_PHISHING_MANY   Phishing for account information
score       ACCT_PHISHING_MANY   3.000  # limit

meta        PHISHING_FREEMAIL    (__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO
describe    PHISHING_FREEMAIL    Send your login credentials to some random freemail account


# Google Docs observed on LOTS of phishes 2012
meta        __GOOGLE_DOCS_PHISH_1  __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
meta        __GOOGLE_DOCS_PHISH_2  __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH)
meta        GOOGLE_DOCS_PHISH    (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe    GOOGLE_DOCS_PHISH    Possible phishing via a Google Docs form
score       GOOGLE_DOCS_PHISH    3.00	# limit
tflags      GOOGLE_DOCS_PHISH    publish

meta        GOOGLE_DOCS_PHISH_MANY  __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe    GOOGLE_DOCS_PHISH_MANY  Phishing via a Google Docs form
score       GOOGLE_DOCS_PHISH_MANY  4.00	# limit
tflags      GOOGLE_DOCS_PHISH_MANY  publish

meta        URI_GOOGLE_DOCS      __URI_GOOGLE_DOC && !__DKIM_EXISTS && !__TO_EQ_FROM_DOM && !__DOS_REF_TODAY && !__DOS_BODY_FRI && !__DOS_BODY_WED && !__freemail_safe_fwd && !__TO_EQ_FROM_DOM && !__HAS_ERRORS_TO
describe    URI_GOOGLE_DOCS      URI for Google Docs, common in phishing
score       URI_GOOGLE_DOCS      1.00	# limit

meta        __URI_PHISH    __HAS_ANY_URI && !__URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE
else
  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney
endif
describe    URI_PHISH            Phishing using web form
score       URI_PHISH            4.00   # limit
tflags      URI_PHISH            publish

meta        SYSADMIN             __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS 
describe    SYSADMIN             Supposedly from your IT department
score       SYSADMIN             3.500	# limit
tflags      SYSADMIN             publish

# suggested by MPerkel on the users list 11/10/2012
uri         __URI_PROTO_MC       /^(?!(?-i:(?:[Hh]ttps?|HTTPS?):))https?:/i
uri         __URI_WWW_MC         m,://(?!(?-i:www|WWW))www\.,i
uri         __URI_TLD_MC         /\.(?!(?-i:com|net|org|biz|info|COM|NET|ORG))(?:com|net|org|biz|info)\b/i
uri         __URI_GOOG_MC        /(?!(?-i:[Gg]oogle))google/i

rawbody     __HTML_FONT_TINY_01  /font-size:\s{0,5}[0-4]px;/i
meta        HTML_FONT_TINY       __HTML_FONT_TINY_01 && __TAG_EXISTS_BODY && !__DKIM_EXISTS && !__BUGGED_IMG && !__VIA_ML && !__RP_MATCHES_RCVD && !__THREADED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_JAVAMAIL && !__FROM_LOWER && !__HAS_THREAD_INDEX && !__FROM_LOWER 
describe    HTML_FONT_TINY       Font too small to read
score       HTML_FONT_TINY       1.500	# limit

body        __BODY_TEXT_LINE     /^\s*\S/
tflags      __BODY_TEXT_LINE     multiple maxhits=3
meta        __EMPTY_BODY         __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
# this hits 13% of masscheck corpus spam, 50% of that only scores 2 points
meta        BODY_EMPTY           __EMPTY_BODY && !__NUMBERS_IN_SUBJ && !__CTE && !__RP_MATCHES_RCVD && !__VIA_ML && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__FROM_LOWER && !__NOT_SPOOFED && !__MSGID_APPLEMAIL && !__RCD_RDNS_MAIL_MESSY && !NO_RELAYS && !__NOT_A_PERSON
describe    BODY_EMPTY           No body text in message
score       BODY_EMPTY           3.00	# limit


meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
meta        BODY_URI_ONLY        __BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENV 
describe    BODY_URI_ONLY        Message body is only a URI in one line of text or for an image
score       BODY_URI_ONLY        1.000   # limit
tflags      BODY_URI_ONLY        publish


body        __SINGLE_WORD_LINE  /^\s?\S{1,60}\s?$/
tflags      __SINGLE_WORD_LINE  multiple maxhits=2
header      __SINGLE_WORD_SUBJ  Subject =~ /^\s*\S{1,60}\s*$/
meta        __BODY_SINGLE_WORD    __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
meta        BODY_SINGLE_WORD    __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
describe    BODY_SINGLE_WORD    Message body is only one word (no spaces)
score       BODY_SINGLE_WORD    3.00	# limit

meta        BODY_SINGLE_URI     (__BODY_SINGLE_WORD && __HAS_ANY_URI) && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
describe    BODY_SINGLE_URI     Message body is only a URI
score       BODY_SINGLE_URI     3.00	# limit

#ifplugin Mail::SpamAssassin::Plugin::DKIM
#  # malformed DKIM signatures seen in the wild - see bug#6895
#  # see how well this performs
#  meta      __DKIM_MALFORMED	DKIM_SIGNED && !DKIM_VALID
#endif

#body        __YOUR_PHOTOS       /\byour photos (?:as p[rw]omised )?(?:here )?(?:- )?https?:/i
#meta        YOUR_PHOTOS         __YOUR_PHOTOS && !__HAS_ANY_EMAIL && !__HAS_REPLY_TO && !__DOS_HAS_LIST_UNSUB
#describe    YOUR_PHOTOS         "Your Photos" phishing or malware
#score       YOUR_PHOTOS         4.00	# limit

body        __UNSUBSCRIBE_ES   /\b(?:Para darte de baja y no recibir ning(?:=FA|[\xfa]|[\xc3][\xba])n|Si no desea que le enviemos publicidad|Si desea eliminar su correo [^\s@]{1,64}@[^\s@]{1,64} de nuestra lista|no recibir estos boletines a: [^\s@]{1,64}@[^\s@]{1,64} simplemente|Si no desea recibir m(?:=E1|[\xe1]|[\xc3][\xa1]|a)s notificaciones)\b/i
meta        UNSUBSCRIBE_ES     __UNSUBSCRIBE_ES
score       UNSUBSCRIBE_ES     2.500	# limit

body        __UNSUBSCRIBE_PT   /\bSe n(?:a|=E3|[\xe3]|[\xc3][\xa3])o desejar mais receber nossos e-?mails?\b/i
meta        UNSUBSCRIBE_PT     __UNSUBSCRIBE_PT
score       UNSUBSCRIBE_PT     2.500	# limit

body        __URI_DBL_PROTO    m,\b(?:https?:/+){2},i

uri         __URI_DOS_FILE     /^[A-Z]:\\/i

meta        __FORM_LOW_CONTRAST   (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
meta        FORM_LOW_CONTRAST     __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
describe    FORM_LOW_CONTRAST     Fill in a form with hidden text
score       FORM_LOW_CONTRAST     3.00	# Limit
tflags      FORM_LOW_CONTRAST     publish


# try to FP-reduce HTML_FONT_LOW_CONTRAST
meta        __HTML_FONT_LOW_CONTRAST_MINFP	HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__VIA_ML && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !__DKIM_EXISTS && !__SENDER_BOT 

# some no-ham combinations
meta        GAPPY_LOW_CONTRAST    HTML_FONT_LOW_CONTRAST && __GAPPY_SUBJECT 
describe    GAPPY_LOW_CONTRAST    Gappy subject + hidden text
score       GAPPY_LOW_CONTRAST    2.500   # limit

meta        URI_ONLY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __BODY_URI_ONLY 
score       URI_ONLY_LOW_CONTRAST 2.500   # limit

meta        SUBJ_OBFU_LOW_CNTRST  (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED 
describe    SUBJ_OBFU_LOW_CNTRST  Subject obfuscation + hidden text
score       SUBJ_OBFU_LOW_CNTRST  2.500   # limit

meta        URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT
describe    URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text
score       URI_DOTDOT_LOW_CNTRST 2.500   # limit

meta        STOCK_LOW_CONTRAST    (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG 
describe    STOCK_LOW_CONTRAST    Stocks + hidden text
score       STOCK_LOW_CONTRAST    2.500   # limit
tflags      STOCK_LOW_CONTRAST    publish

uri         __URI_DOM_DOTDOT      m,://[^/]+\.\.,

meta        FOUND_YOU          __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
score       FOUND_YOU          3.25	# limit
describe    FOUND_YOU          I found you...
tflags      FOUND_YOU          publish


#rawbody     __HTML_FONT_ONE_WORD_01   />\s{0,5}\S{1,15}\s{0,5}<\/font>/i
#tflags      __HTML_FONT_ONE_WORD_01   multiple maxhits=26
#meta        HTML_FONT_ONE_WORD_MANY   __HTML_FONT_ONE_WORD_01 > 25
#describe    HTML_FONT_ONE_WORD_MANY   Many one-word font changes
#score       HTML_FONT_ONE_WORD_MANY   0.50	# limit (initial)


#body        __ADMITS_CANSPAM  /\bThis is a CANSPAM ACT compliant advertising broadcast\b/i
#body        __ADMITS_CANSPAM  /\bThis is a CANSPAM ACT compliant\b/i
#meta        ADMITS_CANSPAM    __ADMITS_CANSPAM && !__VIA_ML
#describe    ADMITS_CANSPAM    Admits to being spam

body        __ADMITS_SPAM     /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:email[- ]+)?[a@]dvert[i1l]sement\b/i
meta        ADMITS_SPAM       __ADMITS_SPAM && !__TO___LOWER && !__MSOE_MID_WRONG_CASE && !__RP_MATCHES_RCVD 
describe    ADMITS_SPAM       Admits this is an ad

#body        __OBFU_ADVERT     /\badvert[1l]sement\b/i
#meta        OBFU_ADVERT       __OBFU_ADVERT
#describe    OBFU_ADVERT       Misspelled "advertisement"
#tflags      OBFU_ADVERT       publish


#body        __SEO_REGISTER    /\bsearch engine (?:registration|subscription|submission)\b/i
#tflags      __SEO_REGISTER    multiple maxhits=5
#meta        SEO_REGISTER      __SEO_REGISTER > 4
#score       SEO_REGISTER      2.50	# limit


#uri         REMOVE_YEAHNET    /imremove\@yeah\.net/i
#describe    REMOVE_YEAHNET    Opt-out address used by CN spammers


header      __FROM_LIC         From:name =~ /^Lic\./
header      __FROM_DOM_INFO    From:addr =~ /\.info$/i
meta        ES_LIC_FROM_INFO   __FROM_LIC && __FROM_DOM_INFO && __UNSUBSCRIBE_ES
describe    ES_LIC_FROM_INFO   Spanish-language spam from .info domain


header      __SMIME_MESSAGE    Content-Type =~ /application\/pkcs7-mime;/i


#uri         __JIMDO_PHISH      /(?:microsoft|outlook|access|helpdesk|upd?ates|newaccount)\w+\.jimdo\.com/i
body        __CLICK_HERE       /\bclick\shere\b/i

#meta        JIMDO_PHISH        __JIMDO_PHISH && __CLICK_HERE
#describe    JIMDO_PHISH        Apparent phishing via webform hosted at jimdo.com
#score       JIMDO_PHISH        3.00	# limit

body        __TRAVEL_PROFILE   /\btravel+er\sprofile\b/i
body        __TRAVEL_RESERV    /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
body        __TRAVEL_BUSINESS  /\bbusiness\stravel\b/i
body        __TRAVEL_AGENT     /\btravel\sagen(?:t|cy)\b/i
meta        __TRAVEL_MANY      (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2

uri         __URI_WPADMIN      m,/wp-admin/\w+/,i
meta        URI_WPADMIN        __URI_WPADMIN
describe    URI_WPADMIN        WordPress login/admin URI, possible phishing
tflags      URI_WPADMIN        publish

uri         __URI_WPCONTENT    m,/wp-content/.*\.(?:php|html?)\b,i
uri         __URI_WPCONTENT_L  m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
uri         __URI_WPINCLUDES   m,/wp-includes/.*\.(?:php|html?)\b,i
uri         __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
#uri         __URI_WP_WHITELIST m,/wp-content/plugins/civicrm/,i
meta        URI_WP_HACKED      (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED 
describe    URI_WP_HACKED      URI for compromised WordPress site, possible malware
score       URI_WP_HACKED      3.000   # limit
tflags      URI_WP_HACKED      publish

uri         __URI_WPDIRINDEX   m,/wp-(?:content|includes)/.*/$,i
meta        URI_WP_DIRINDEX    __URI_WPDIRINDEX
describe    URI_WP_DIRINDEX    URI for compromised WordPress site, possible malware
score       URI_WP_DIRINDEX    3.000   # limit
tflags      URI_WP_DIRINDEX    publish

# this has some overlap with URI_WP_HACKED
uri         __PS_TEST_LOC_WP   m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,64}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf).{4}$;i
meta        URI_WP_HACKED_2    (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__TO_EQ_FROM && !__THREADED 
describe    URI_WP_HACKED_2    URI for compromised WordPress site, possible malware
score       URI_WP_HACKED_2    2.000   # limit
tflags      URI_WP_HACKED_2    publish


# subrules migrated from 00_FVGT_File001.cf

header      __SUBJ_LOWER       ALL =~ /subject:\s\S{5}/
header      __FROM_LOWER       ALL =~ /from:\s\S{5}/
header      __TO___LOWER       ALL =~ /to:\s\S{5}/
header      __DATE_LOWER       ALL =~ /date:\s\S{5}/


# duplicates __XPRIO
#header      __FH_HAS_XPRIORITY exists:X-Priority
meta        __XPRIO_MINFP      __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__THREADED && !__RP_MATCHES_RCVD && !__LONGLINE && !__MAIL_LINK && !__RCD_RDNS_SMTP && !__PDF_ATTACH && !__USING_VERP1 && !__HAS_DOMAINKEY_SIG && !__LIST_PARTIAL 

ifplugin Mail::SpamAssassin::Plugin::DKIM
  ifplugin Mail::SpamAssassin::Plugin::SPF
    meta    XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS 
  else
    meta    XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE 
  endif
  tflags    XPRIO              net
  score     XPRIO              3.500	# limit
else
  meta      XPRIO              __XPRIO_MINFP
  score     XPRIO              2.000	# limit
endif
describe    XPRIO              Has X-Priority header
tflags      XPRIO              publish

# some no-ham combinations

meta        __XPRIO_SHORT_SUBJ __XPRIO && __SUBJ_SHORT 
meta        XPRIO_SHORT_SUBJ   __XPRIO_SHORT_SUBJ && !__HAS_ANY_URI && !__TO_NO_ARROWS_R && !__ENV_AND_HDR_FROM_MATCH && !__VISTA_MSGID 
describe    XPRIO_SHORT_SUBJ   Has X-Priority header + short subject
score       XPRIO_SHORT_SUBJ   2.500	# limit
tflags      XPRIO_SHORT_SUBJ   publish

meta        FROM_MISSP_XPRIO   __XPRIO && __FROM_MISSPACED 
describe    FROM_MISSP_XPRIO   Misspaced FROM + X-Priority
score       FROM_MISSP_XPRIO   2.500   # limit

meta        __STATIC_XPRIO_OLE   __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
meta        STATIC_XPRIO_OLE     __STATIC_XPRIO_OLE
describe    STATIC_XPRIO_OLE     Static RDNS + X-Priority + MIMEOLE
score       STATIC_XPRIO_OLE     4.500   # limit
tflags      STATIC_XPRIO_OLE     publish

# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta        XPRIO_RPATH_NULL   (__XPRIO && __BOUNCE_RPATH_NULL) && !__HAS_ERRORS_TO && !__VIA_ML && !ANY_BOUNCE_MESSAGE && !__HAS_ORGANIZATION && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED 
#score       XPRIO_RPATH_NULL   2.500   # limit
#
#meta        TO_EQ_FM_NN_RPATH_NULL   (__TO_EQ_FROM_USR_NN && __BOUNCE_RPATH_NULL) && !__TO_EQ_FROM_USR 
#score       TO_EQ_FM_NN_RPATH_NULL   2.000   # limit
#tflags      TO_EQ_FM_NN_RPATH_NULL   publish


header      __FS_SUBJ_RE       Subject =~ /^Re: /
header      __NUMBERS_IN_SUBJ  Subject =~ /\d{3}/

body        __CAN_HELP         /\bcan help\b/i
body        __FB_COST          /\bcost\b/i
body        __FB_NATIONAL      /national/i
body        __FB_NUM_PERCNT    /\d\s?\%/
body        __FB_S_STOCK       /\bstock/i
body        __FB_TOUR          /\btour/i
body        __SURVEY           /\bsurvey\b/i

body        __FB_S_PRICE       /pri{1,2}c[a-z]?e/i

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
	body        __FRT_PRICE        /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
	replace_rules                  __FRT_PRICE

	meta        __FM_MY_PRICE      (__FB_S_PRICE || __FRT_PRICE)
else
	meta        __FRT_PRICE        0
	meta        __FM_MY_PRICE      __FB_S_PRICE
endif

rawbody     __FR_SPACING_8     /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
rawbody     __FR_SPACING_9     /[a-z0-9]{6}\s{9}[a-z0-9]{5}/i
rawbody     __FR_SPACING_15    /[a-z0-9]{6}\s{15}[a-z0-9]{5}/i
rawbody     __FR_SPACING_17    /[a-z0-9]{6}\s{17}[a-z0-9]{5}/i
rawbody     __FR_SPACING_22    /[a-z0-9]{6}\s{22}[a-z0-9]{5}/i


# per users mailing list question from Joe Quinn
#body        __HEXHASHWORD_S    /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{18})[0-9a-f]{18}/
#tflags      __HEXHASHWORD_S    multiple maxhits=4
body        __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
tflags      __HEXHASHWORD_S2EU multiple maxhits=4
#body        __HEXHASHWORD_S2E  /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}[0-9a-f]{10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
#tflags      __HEXHASHWORD_S2E  multiple maxhits=4
#body        __HEXHASHWORD_S2   /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[0-9a-f]{10,64}\s[A-Z]?[a-z]{1,15}\b/
#tflags      __HEXHASHWORD_S2   multiple maxhits=4
#body        __HEXHASHWORD      /\s[A-Z]?[a-z]{1,15}\s[0-9a-f]{30}/
#tflags      __HEXHASHWORD      multiple maxhits=4
meta        __HEXHASH_2        __HEXHASHWORD_S2EU > 1
meta        __HEXHASH_3        __HEXHASHWORD_S2EU > 2
meta        __HEXHASH_4        __HEXHASHWORD_S2EU > 3
#meta        __HEXHASH_5        __HEXHASHWORD_S2EU > 4
meta        HEXHASH_WORD       (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__LCL__ENV_AND_HDR_FROM_MATCH && !__LYRIS_EZLM_REMAILER && !__THREADED && !__HDRS_LCASE && !__MSGID_HEXISH && !__RDNS_SHORT 
describe    HEXHASH_WORD       Multiple instances of word + hexadecimal hash
score       HEXHASH_WORD       3.000	# limit
tflags      HEXHASH_WORD       publish

#  from users list spample provided by Larry Starr
body        __UC_GIBB_OBFU     /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
tflags      __UC_GIBB_OBFU     multiple maxhits=2
#meta        __UC_GIBB_2        __UC_GIBB_OBFU > 1
#meta        __UC_GIBB_3        __UC_GIBB_OBFU > 2
#meta        __UC_GIBB_4        __UC_GIBB_OBFU > 3
#meta        __UC_GIBB_5        __UC_GIBB_OBFU > 4
#meta        __UC_GIBB_6        __UC_GIBB_OBFU > 5
#meta        __UC_GIBB_7        __UC_GIBB_OBFU > 6
meta        UC_GIBBERISH_OBFU  (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
describe    UC_GIBBERISH_OBFU  Multiple instances of "word VERYLONGGIBBERISH word"
score       UC_GIBBERISH_OBFU  3.000	# Limit
tflags      UC_GIBBERISH_OBFU  publish


#body        __B2B_HELP         /\bhelp(?:ing)? (?:businesses like yours|your business)\b/i
#body        __YOUR_BIZ         /\bbusiness(?:es) like yours|(?<!of )your b(?:usiness|rand)\b/i


# will be removed with immediate effect from any further mailing list
# wish to receive information from us in the future
# This-link http://www.nowyehue.com/bon/dds/ will end messages.
# stop receiving these emails
# Unsubscribe me from this list
# We are not promoting any kind of SPAM.
# recieve any kind promotional email form us
# To stop receiving these emails
# exclude yourself from further ad-messages
# removal options
# Stop PSA alert

#body        __UNSUB_PSA       /\bstop PSA alert\b/i

#body        __UNSUB_EXCL      /\bexclude yourself from further ad\b/i
#meta        UNSUB_EXCL        __UNSUB_EXCL
#score       UNSUB_EXCL        2.000	# limit

#body        __UNSUB_OPT       /\bremoval options?\b/i
#meta        UNSUB_OPT         __UNSUB_OPT
#score       UNSUB_OPT         2.000	# limit

header	    __NO_TRUSTED_RELAY	X-Spam-Relays-Trusted !~ /ip=/i

#body        CANT_SEE_AD       /\b(?:can(?:no|')?t|(?:aren'?t |not |un)able to) (?:view|read|see|scan|witness|consider|look at|participate in|take in|(?:make|check|scope) out|eye|scrutinize|watch|display|observe) (?:our|this|the) (?:commercial[-. ]|ad(?:v[-.]?ert[i1l]se-?ment)? |images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?images)\b/i
body        __CANT_SEE_AD_1   /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
body        __CANT_SEE_AD_2   /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
meta        CANT_SEE_AD       __CANT_SEE_AD_1 || __CANT_SEE_AD_2
describe    CANT_SEE_AD       You really want to see our spam.
score       CANT_SEE_AD       3.000	# limit
tflags      CANT_SEE_AD       publish

uri         __128_HEX_URI     m,/[0-9a-f]{128},
#tflags      __128_HEX_URI     multiple maxhits=2
#uri         __192_HEX_URI     m,/[0-9a-f]{192},
#uri         __256_HEX_URI     m,/[0-9a-f]{256},
#uri         __384_HEX_URI     m,/[0-9a-f]{384},
#meta        __128_HEX_URI_SGL __128_HEX_URI == 1
#meta        __128_HEX_URI_MLT __128_HEX_URI > 1
meta        LONG_HEX_URI      __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
describe    LONG_HEX_URI      Very long purely hexadecimal URI
score       LONG_HEX_URI      3.000	# limit
tflags      LONG_HEX_URI      publish

uri         __128_LC_URI        m;[/?][a-z]{128,}$;
uri         __128_LC_IMG        m;/[a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;
uri         __128_ALNUM_URI     m;[/?][0-9a-z]{128,}$;i
uri         __128_ALNUM_IMG     m;/[0-9a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;i
uri         __64_ANY_URI        m;[/?]\w{64,}$;i
uri         __64_ANY_IMG        m;/\w{64,}/\w+\.(?:png|gif|jpe?g)$;i
uri         __45_ALNUM_URI      m;[/?][0-9a-z]{45,}$;i
uri         __45_ALNUM_IMG      m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
meta        __128_LC_URI_IMG    __128_LC_URI && __128_LC_IMG
meta        __128_ALNUM_URI_O   __128_ALNUM_URI && !__128_LC_URI
meta        __128_ALNUM_IMG_O   __128_ALNUM_IMG && !__128_LC_IMG
meta        __128_ALNUM_URI_IMG __128_ALNUM_URI_O && __128_ALNUM_IMG_O
meta        __64_ANY_URI_O      __64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta        __64_ANY_IMG_O      __64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta        __64_ALNUM_URI_IMG  __64_ANY_URI_O && __64_ANY_IMG_O
meta        __45_ALNUM_URI_O    __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta        __45_ALNUM_IMG_O    __45_ALNUM_IMG && !__64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta        __45_ALNUM_URI_IMG  __45_ALNUM_URI_O && __45_ALNUM_IMG_O

meta        LONG_IMG_URI        __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO 
describe    LONG_IMG_URI        Image URI with very long path component - web bug?
score       LONG_IMG_URI        3.000	# limit
tflags      LONG_IMG_URI        publish


rawbody     __HTML_OFF_PAGE   /;(?:top|left):-\d{3,9}px;/i
meta        HTML_OFF_PAGE     __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe    HTML_OFF_PAGE     HTML element rendered well off the displayed page
score       HTML_OFF_PAGE     2.000	# limit
tflags      HTML_OFF_PAGE     publish


body        __PUMPDUMP_01     /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
body        __PUMPDUMP_02     /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
body        __PUMPDUMP_03     /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
body        __PUMPDUMP_04     /\bmake you (?:big bucks|hundreds|thousands)\b/i
body        __PUMPDUMP_05     /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
body        __PUMPDUMP_06     /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
body        __PUMPDUMP_07     /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
body        __PUMPDUMP_08     /\b?(:sto[ck]{2}|sotk) of the year/i
body        __PUMPDUMP_09     /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
body        __PUMPDUMP_10     /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
meta        __PD_CNT_1        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
meta        __PD_CNT_2        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
meta        __PD_CNT_3        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 2
meta        __PD_CNT_4        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 3
meta        __PD_CNT_5        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 4
meta        __PD_CNT_6        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 5
meta        __PD_CNT_7        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 6
meta        PUMPDUMP          (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
describe    PUMPDUMP          Pump-and-dump stock scam phrase
score       PUMPDUMP          1.000	# limit
tflags      PUMPDUMP          publish
meta        PUMPDUMP_MULTI    (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
describe    PUMPDUMP_MULTI    Pump-and-dump stock scam phrases
score       PUMPDUMP_MULTI    3.500	# limit
tflags      PUMPDUMP_MULTI    publish

body        __STOCK_TIP       /\bsto[ck]{2}\s?tip\b/i
meta        STOCK_TIP         __STOCK_TIP && !__DKIM_EXISTS 
describe    STOCK_TIP         Stock tips
score       STOCK_TIP         3.000	# limit
tflags      STOCK_TIP         publish

meta        PUMPDUMP_TIP      __PD_CNT_1 && __STOCK_TIP
describe    PUMPDUMP_TIP      Pump-and-dump stock tip
tflags      PUMPDUMP_TIP      publish


#body        DR_OZ_OBFU        /\bD(?:r\.|oc(?:tor)?) ?0z\b/i
#describe    DR_OZ_OBFU        Obfuscated Doctor Oz
#
#body        DOC_OZ            /\b(?:doc oz|Dr\.?Oz)\b/
#describe    DOC_OZ            Doctor Oz


body        __ADMAIL          /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
meta        ADMAIL            __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS 
describe    ADMAIL            "admail" and variants
tflags      ADMAIL            publish

body        ORS               /\bOn-?line Rate Saver\b/i
describe    ORS               "Online Rate Saver"


# subrule version of MMartinec CR_IN_SUBJ
header      __CR_IN_SUBJ      Subject:raw =~ /\015/


body        __THIS_AD         /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
meta        THIS_AD           __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD 
describe    THIS_AD           "This ad" and variants
tflags      THIS_AD           publish

body        AD_PREFS          /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
describe    AD_PREFS          Advertising preferences
tflags      AD_PREFS          publish

#body        OPT_OUT           /\bOpt-Out Here\b/i
#score       OPT_OUT           2.000

uri         URI_OPTOUT_USME   m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
describe    URI_OPTOUT_USME   Opt-out URI, unusual TLD
tflags      URI_OPTOUT_USME   publish

uri         URI_OPTOUT_3LD    m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
describe    URI_OPTOUT_3LD    Opt-out URI, suspicious hostname
score       URI_OPTOUT_3LD    2.000   # limit
tflags      URI_OPTOUT_3LD    publish

uri         __URI_TRY_USME    m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
meta        URI_TRY_USME      __URI_TRY_USME && !__DKIM_EXISTS 
describe    URI_TRY_USME      "Try it" URI, unusual TLD
tflags      URI_TRY_USME      publish

uri         URI_TRY_3LD       m,^https?://(?:try|start|get|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub)\w)[^.]*\.[^/]+\.(?:com|net)\b,i
describe    URI_TRY_3LD       "Try it" URI, suspicious hostname
score       URI_TRY_3LD       2.000   # limit
tflags      URI_TRY_3LD       publish



## REFINE THIS
#body        __INCOMING_FAX    /\bincoming fax\b/i
#body        __BANK            /\bbank\b/i
#body        __ACCT_STMT       /\bac(?:count|tivity) statement\b/i
#uri         __URI_DROPBOX     m,[/.]dropbox\.com\/,i
#meta        DROPBOX_MALW      (__INCOMING_FAX || (__BANK && __ACCT_STMT)) && __URI_DROPBOX && !ALL_TRUSTED 
#describe    DROPBOX_MALW      Spoofed FAX or bank statement with Dropbox link: PROBABLE MALWARE
#score       DROPBOX_MALW      10.00


ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_UNSUBSCRIBE   /<U>(?!nsubscribe)<N><S><U><B><S><C><R><I><B><E>/i
  replace_rules FUZZY_UNSUBSCRIBE
  describe      FUZZY_UNSUBSCRIBE   Obfuscated "unsubscribe"
  tflags        FUZZY_UNSUBSCRIBE   publish

  body          FUZZY_ANDROID       /<A>(?!ndroid)<N><D><R><O><I><D>/i
  replace_rules FUZZY_ANDROID
  describe      FUZZY_ANDROID       Obfuscated "android"
  tflags        FUZZY_ANDROID       publish

  body          FUZZY_PROMOTION     /<P>(?!romotion)<R><O><M><O><T><I><O><N>/i
  replace_rules FUZZY_PROMOTION
  describe      FUZZY_PROMOTION     Obfuscated "promotion"
  tflags        FUZZY_PROMOTION     publish

  body          FUZZY_PRIVACY       /<P>(?!rivacy)<R><I><V><A><C><Y>/i
  replace_rules FUZZY_PRIVACY
  describe      FUZZY_PRIVACY       Obfuscated "privacy"
  tflags        FUZZY_PRIVACY       publish

  body          FUZZY_BROWSER       /<B>(?!rowser)<R><O><W><S><E><R>/i
  replace_rules FUZZY_BROWSER
  describe      FUZZY_BROWSER       Obfuscated "browser"
  tflags        FUZZY_BROWSER       publish

  body          FUZZY_SAVINGS       /<S>(?!avings)<A><V><I><N><G><S>/i
  replace_rules FUZZY_SAVINGS
  describe      FUZZY_SAVINGS       Obfuscated "savings"
  tflags        FUZZY_SAVINGS       publish

  body          FUZZY_IMPORTANT     /<I>(?!mportant)<M><P><O><R><T><A><N><T>/i
  replace_rules FUZZY_IMPORTANT
  describe      FUZZY_IMPORTANT     Obfuscated "important"
  tflags        FUZZY_IMPORTANT     publish

  body          FUZZY_SECURITY      /<S>(?!ecurity)(?!eguridad)<E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
  replace_rules FUZZY_SECURITY
  describe      FUZZY_SECURITY      Obfuscated "security"
  tflags        FUZZY_SECURITY      publish

  body          __FUZZY_DR_OZ       /\bD(?!(?-i:(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
  replace_rules __FUZZY_DR_OZ
  meta          FUZZY_DR_OZ         __FUZZY_DR_OZ && !__VIA_ML && !__DKIM_EXISTS && !__RP_MATCHES_RCVD 
  describe      FUZZY_DR_OZ         Obfuscated Doctor Oz
  tflags        FUZZY_DR_OZ         publish

  body          FUZZY_CLICK_HERE    /<C>(?!lick(?:\s|&nbsp;)here)<WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
  replace_rules FUZZY_CLICK_HERE
  describe      FUZZY_CLICK_HERE    Obfuscated "click here"
  tflags        FUZZY_CLICK_HERE    publish

endif


#body          NUM_FREE         /\b\d+free/i
#describe      NUM_FREE         Number + free

# seen in spam (malware?) 07/2014
#header        __DATE_SPACEY    ALL =~ /\nDate:\s{8}/ism

#uri           __FSL_LINK_AWS_S3_WEB_LOOSE       m,^https?://(?:[^./]+\.)*s3[^./]+\.amazonaws\.com,i


uri            URI_DQ_UNSUB     m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
describe       URI_DQ_UNSUB     IP-address unsubscribe URI
tflags         URI_DQ_UNSUB     publish

uri            __URI_GOOGLE_PROXY     m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
meta           URI_GOOGLE_PROXY       __URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAIL 
describe       URI_GOOGLE_PROXY       Accessing a blacklisted URI or obscuring source of phish via Google proxy?
tflags         URI_GOOGLE_PROXY       publish


# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta           RPATH_NULL_CTCQ        __BOUNCE_RPATH_NULL && __CTYPE_CHARSET_QUOTED && !__VIA_ML && !__SUBJECT_ENCODED_QP && !ANY_BOUNCE_MESSAGE && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_STYLE && !__TAG_EXISTS_STYLE && !__HAS_THREAD_INDEX 
#score          RPATH_NULL_CTCQ        2.000   # limit

rawbody        __TENWORD_GIBBERISH    /^\s*(?:[a-z]+\s+){10}\.$/m
tflags         __TENWORD_GIBBERISH    multiple maxhits=21
meta           TW_GIBBERISH_MANY      __TENWORD_GIBBERISH > 20
describe       TW_GIBBERISH_MANY      Lots of gibberish text to spoof pattern matching filters
score          TW_GIBBERISH_MANY      2.000   # limit
tflags         TW_GIBBERISH_MANY      publish

#body           __OPTOUT_BRKT          /\[(?:unsub(?:scribe)|remove(?: me)|leave)\]/i
#tflags         __OPTOUT_BRKT          multiple maxhits=2
#meta           OPTOUT_BRKT_MANY       __OPTOUT_BRKT > 1
#describe       OPTOUT_BRKT_MANY       Repetitive opt-outs
#score          OPTOUT_BRKT_MANY       2.000   # limit


# Oh, the humanity! Is there no better way?
#full           __RECIP_IN_URL_DOM     m;^Received:[^:]{1,400}?\sfor\s<(\w+)\@.+?https?://\1\d*\.;ism
#describe       __RECIP_IN_URL_DOM     Recipient in body URL
#tflags         __RECIP_IN_URL_DOM     nopublish



# reported on users list 09/2014 jdebert <jdebert@garlic.com>
header      RCVD_DBL_DQ                Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe    RCVD_DBL_DQ                Malformatted message header
tflags      RCVD_DBL_DQ                publish

# reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
header    __RAND_HEADER                ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
tflags    __RAND_HEADER                multiple, maxhits=4
meta      RAND_HEADER_MANY             __RAND_HEADER > 3
describe  RAND_HEADER_MANY             Many random gibberish message headers
score     RAND_HEADER_MANY             3.500   # limit
tflags    RAND_HEADER_MANY             publish


#body      FR_SPAM_LAW                  /article 34 de la loi 78-17\b/i
#describe  FR_SPAM_LAW                  References French privacy law
#score     FR_SPAM_LAW                  1.000   # limit

body      __EDGER_HOOVER                /\bedger hoover\b/i
header    __FM_EDGER_HOOVER             From =~ /\bedger hoover\b/i

body      __MYSTERY_SHOPPER             /\bmystery shoppers?\b/i

header    __HAS_NO_RELAY                X-No-Relay =~ /./

header    __DUP_SUSP_HDR                ALL =~ /\n(X-No-Relay)\s*:[ 	][^\n]{1,100}\n\1\s*:[ 	]/ism
meta      DUP_SUSP_HDR                  __DUP_SUSP_HDR
describe  DUP_SUSP_HDR                  Duplicate suspicious message headers
score     DUP_SUSP_HDR                  2.500	# limit

# seen 10/2014: "https://www.google.com/url?q=https://copy.com/ApbFn2848pQm/ShippingInvoice_6974.PDF.scr?download=1&sa=D&sntz=1&usg=AFQjCNGhvWhljnujQlP85tA6YUsddfuJow"
uri       __GOOG_MALWARE_DNLD           m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
meta      GOOG_MALWARE_DNLD             __GOOG_MALWARE_DNLD
describe  GOOG_MALWARE_DNLD             File download via Google - Malware?
score     GOOG_MALWARE_DNLD             5.000   # limit
tflags    GOOG_MALWARE_DNLD             publish

uri       __GOOG_REDIR                  m;^https?://[^/]*\.google\.com/url\?;i

body      ONLINE_MKTG_CNSLT             /\bonline marketing consultant\b/i

body      SOLICIT_BIZ                   /\bbusiness solicitation messag/i

body      __SPELLED_OUT_NUM             /\b(?:(?:one|two|three|four|five|six|seven|eight|nine|zero)[\s_-]?){4,}/i
meta      SPELLED_OUT_NUMBER            __SPELLED_OUT_NUM && !__DKIM_EXISTS 
describe  SPELLED_OUT_NUMBER            Spelled out a number (one two three)
score     SPELLED_OUT_NUMBER            3.250   # limit

body      __NUM_SPCD_LTRS               /\d{4}\s(?:[a-z]\s){5}/i


header    __SUBJ_UNNEEDED_HTML          Subject =~ /%[0-9a-f][0-9a-f]/i
tflags    __SUBJ_UNNEEDED_HTML          multiple, maxhits=3
meta      __SUBJ_UNNEEDED_HTML_MANY     __SUBJ_UNNEEDED_HTML > 1
meta      SUBJ_UNNEEDED_HTML            __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML 
describe  SUBJ_UNNEEDED_HTML            Unneeded HTML formatting in Subject:

body      __HELP_YOU_SUCCEED            /\bhelp you succeed\b/i

body      __WANT_BIZ                    /\b(?:I|we) want your business\b/i

meta      TEQF_USR_MSGID_MALF           __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 
describe  TEQF_USR_MSGID_MALF           To and from user nearly same + malformed message ID
tflags    TEQF_USR_MSGID_MALF           publish

meta      TEQF_USR_MSGID_HEX            __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
describe  TEQF_USR_MSGID_HEX            To and from user nearly same + unusual message ID
tflags    TEQF_USR_MSGID_HEX            publish

meta      TEQF_USR_IMAGE                __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH 
describe  TEQF_USR_IMAGE                To and from user nearly same + image
tflags    TEQF_USR_IMAGE                publish

meta      TEQF_USR_POLITE               __TO_EQ_FROM_USR_NN && __FRAUD_IRT 
describe  TEQF_USR_POLITE               To and from user nearly same + polite greeting
score     TEQF_USR_POLITE               2.000	# limit

meta      __MSGID_HEX_MALF              __MSGID_NOFQDN2 && __MSGID_OK_HEX

meta      __URI_ONLY_MSGID_MALF         __BODY_URI_ONLY && __MSGID_NOFQDN2
meta      URI_ONLY_MSGID_MALF           __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO 
describe  URI_ONLY_MSGID_MALF           URI only + malformed message ID
tflags    URI_ONLY_MSGID_MALF           publish

# These may be a bit risky, the masscheck ham corpus may not
# reflect how often these are legit in Real Life...
meta      GOOG_REDIR_SHORT              __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 
describe  GOOG_REDIR_SHORT              Google redirect to obscure spamvertised website + short message
tflags    GOOG_REDIR_SHORT              publish

meta      GOOG_REDIR_NORDNS             __GOOG_REDIR && RDNS_NONE
describe  GOOG_REDIR_NORDNS             Google redirect to obscure spamvertised website + no rDNS

meta      GOOG_REDIR_HTML_ONLY          (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512
describe  GOOG_REDIR_HTML_ONLY          Google redirect to obscure spamvertised website + HTML only
score     GOOG_REDIR_HTML_ONLY          2.000	# limit



# low S/O, apparently lots of invisible ham...
rawbody   __STY_INVIS                   /\bstyle\s*=(?:3d)?\s*"\s*(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;|background\s*:)/i
tflags    __STY_INVIS                   multiple, maxhits=6
meta      __STY_INVIS_MANY              __STY_INVIS > 5
#meta      HTML_TEXT_INVISIBLE           __STY_INVIS_MANY
#describe  HTML_TEXT_INVISIBLE           Hidden text
#score     HTML_TEXT_INVISIBLE           2.000   # limit

# Adapted from SARE rules __SARE_HTML_SINGLET*
rawbody   __HTML_SINGLET                />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
tflags    __HTML_SINGLET                multiple, maxhits=21
meta      __HTML_SINGLET_MANY           __HTML_SINGLET > 20
#meta      HTML_SINGLET_MANY             __HTML_SINGLET_MANY
#describe  HTML_SINGLET_MANY             Many single-letter HTML format blocks
#score     HTML_SINGLET_MANY             1.000   # limit

meta      SINGLETS_LOW_CONTRAST         __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
describe  SINGLETS_LOW_CONTRAST         Single-letter formatted HTML + hidden text
tflags    SINGLETS_LOW_CONTRAST         publish

# per users list, 10-11 2014
uri       MALWARE_HACKED_URI            m;/(?:dropbox|googlebox|bank\w+|newgdoc)/(?:doc(?:ument)?|invoice|message|index)\.php$;
describe  MALWARE_HACKED_URI            Malware or phishing hosted-file URI at hacked webserver

uri       __HACKED_PHP_URI              m;/\w+/(?:doc(?:ument)?|invoice|message)\.php$;
meta      HACKED_PHP_URI                __HACKED_PHP_URI
describe  HACKED_PHP_URI                Possible phishing/malware URI
score     HACKED_PHP_URI                2.000     # limit

# very poor S/O - this appears a lot more in ham than in spam??
body      __PUNCT_ODD_SPACING           /[a-z]{3}\s+[.,][a-z]{3}/
tflags    __PUNCT_ODD_SPACING           multiple, maxhits=3
meta      __PUNCT_ODD_SPACING_MANY      __PUNCT_ODD_SPACING > 2

header    XMAILER_MANY                  ALL =~ /\nX-Mailer:(?:[^\n]+\n)+X-Mailer:/ism
describe  XMAILER_MANY                  Has multiple X-Mailer: headers

#body      __RAW_TOKEN                   /\#(?:(?:First|Last)Name|Email)\#/i
#tflags    __RAW_TOKEN                   multiple maxhits=3
#meta      RAW_TOKENS                    __RAW_TOKEN > 2
#describe  RAW_TOKENS                    Raw mail merge tokens in body

header    __REPTO_CHN_FREEM             Reply-To =~ /\@(?:sina|aliyun)\.com/i

meta      __SPOOFED_FREEM_REPTO         __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO

meta      SPOOFED_FREEM_REPTO_CHN       (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
describe  SPOOFED_FREEM_REPTO_CHN       Forged freemail sender with Chinese freemail reply-to
score     SPOOFED_FREEM_REPTO_CHN       3.500
tflags    SPOOFED_FREEM_REPTO_CHN       publish

meta      SPOOFED_FREEM_REPTO           __SPOOFED_FREEM_REPTO && !__THREADED
describe  SPOOFED_FREEM_REPTO           Forged freemail sender with freemail reply-to
score     SPOOFED_FREEM_REPTO           2.500
tflags    SPOOFED_FREEM_REPTO           publish


header    __VERY_LONG_REPTO             Reply-To =~ /[^<\s\@]{25,}\@/

meta      __VERY_LONG_REPTO_SHORT_MSG   __VERY_LONG_REPTO && __HTML_LENGTH_0000_1024
#meta      VERY_LONG_REPTO_SHORT_MSG     __VERY_LONG_REPTO_SHORT_MSG && !__VIA_ML && !__TO_EQ_FROM_DOM && !__THREAD_INDEX_GOOD 
#describe  VERY_LONG_REPTO_SHORT_MSG     Very long Reply-To username + short message
#score     VERY_LONG_REPTO_SHORT_MSG     3.500	# limit
#tflags    VERY_LONG_REPTO_SHORT_MSG     publish


ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta      __VERY_LONG_FREEM_REPTO       __VERY_LONG_REPTO && FREEMAIL_REPLYTO
  meta      VERY_LONG_FREEM_REPTO         __VERY_LONG_FREEM_REPTO
  describe  VERY_LONG_FREEM_REPTO         Very long freemail Reply-To username
  score     VERY_LONG_FREEM_REPTO         2.500	# limit
  tflags    VERY_LONG_FREEM_REPTO         publish
endif

#	for <steve.stewart@fastnet.co.uk>; Mon, 2 Nov 2015 14:27:08 GMT
#        (envelope-from fastnet.co.uk.12056010.steve.stewart@vmta27.topreasonstovisit.com)
# S/O low, seems to be common in legit mailing lists
# Maybe in meta with "not a mailing list" rules?
#header    __RECIP_IN_ENV_FM_01          Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+\2\.\d+\.\1\@/i
#header    __RECIP_IN_ENV_FM_02          Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+[^@]*\2[^@]*\@/i


uri        URI_MALWARE_CWALL            /\/abuse_report\.php\?(?!username=)[^&\s.]{1,100}\./i
describe   URI_MALWARE_CWALL            Potential CryptoWall malware URL


meta       LIST_PARTIAL_SHORT_MSG       __HTML_LENGTH_0000_1024 && __LIST_PARTIAL 
describe   LIST_PARTIAL_SHORT_MSG       Incomplete mailing list headers + short message
score      LIST_PARTIAL_SHORT_MSG       2.000	# limit

# duplicates __HAS_MSMAIL_PRI
#header      __FH_HAS_XMSMAIL   exists:X-MSMail-Priority

meta       __BOGUS_MSM_HDRS             __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
meta       BOGUS_MSM_HDRS               __BOGUS_MSM_HDRS
describe   BOGUS_MSM_HDRS               Apparently bogus Microsoft email headers
score      BOGUS_MSM_HDRS               3.250	# limit
tflags     BOGUS_MSM_HDRS               publish

#meta       __BOGUS_MSM_PRIO             __HAS_MSMAIL_PRI && __HDR_ORDER_FTSDMCXXXX
#meta       __BOGUS_MSM_PRIO_MINFP       __BOGUS_MSM_PRIO && !__BOGUS_MSM_HDRS && !__MSGID_NOFQDN2 && !__ANY_OUTLOOK_MUA && !__RCD_RDNS_MAIL_MESSY

meta       __MSM_PRIO_REPTO             __HAS_MSMAIL_PRI && __REPLYTO_EXISTS && __SUBJ_SHORT 
meta       MSM_PRIO_REPTO              __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH 
describe   MSM_PRIO_REPTO              MSMail priority header + Reply-to + short subject
score      MSM_PRIO_REPTO              2.500	# limit
tflags     MSM_PRIO_REPTO              publish

header     __XM_YAMAIL                 X-Mailer =~ /^Yamail/


# __GATED_THROUGH_RCVD_REMOVER includes messages with no Received headers *at all*.
# Don't consider those, only consider the ones where *some* Received headers may have been removed
meta        __RCVD_RMV_PARTIAL __GATED_THROUGH_RCVD_REMOVER && __HAS_RCVD

# Compare __GATED_THROUGH_RCVD_REMOVER and "via ezmlm"
header      __ML_EZMLM         Mailing-List =~ /\bezmlm\b/

## Apparent performance is an artifact of one damaged masscheck corpora 01/2016
#meta       __RCVD_RMV_URI_ONLY         __RCVD_RMV_PARTIAL && __BODY_URI_ONLY 
#meta       RCVD_RMV_URI_ONLY           __RCVD_RMV_URI_ONLY
#describe   RCVD_RMV_URI_ONLY           Headers removed + URI only
#score      RCVD_RMV_URI_ONLY           3.000	# limit
#tflags     RCVD_RMV_URI_ONLY           publish
#
#meta       __RCVD_RMV_XPRIO            __RCVD_RMV_PARTIAL && __XPRIO 
#meta       RCVD_RMV_XPRIO              __RCVD_RMV_XPRIO
#describe   RCVD_RMV_XPRIO              Headers removed + X-Priority
#score      RCVD_RMV_XPRIO              2.000	# limit
#tflags     RCVD_RMV_XPRIO              publish
#
#meta       RCVD_REMOVED                __RCVD_RMV_PARTIAL && !__BODY_URI_ONLY && !__XPRIO && !__DOS_HAS_LIST_ID && !__BOTH_INR_AND_REF 
#describe   RCVD_REMOVED                Headers removed
#score      RCVD_REMOVED                3.750	# limit
#tflags     RCVD_REMOVED                publish
#
## test some combos
#meta       __RCVD_RMV_BODY_SHORT       __RCVD_RMV_PARTIAL && __LCL__KAM_BODY_LENGTH_LT_128
#meta       __RCVD_RMV_FROM_TWO         __RCVD_RMV_PARTIAL && __PDS_FROM_2_EMAILS 
#meta       __RCVD_RMV_XMAIL            __RCVD_RMV_PARTIAL && __HAS_X_MAILER 
## Find spams not hitting already good-performing combos
#meta       __RCVD_RMV_TEST_01          __RCVD_RMV_PARTIAL && !__BODY_URI_ONLY && !__XPRIO && !__DOS_HAS_LIST_ID  && !__PDS_FROM_2_EMAILS
#meta       __RCVD_RMV_TEST_02          __RCVD_RMV_PARTIAL && !__BODY_URI_ONLY && !__XPRIO && !__DOS_HAS_LIST_ID 



# easy for spammers to forge a signed message and still have it displayed to the recipient?
#header  KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
header     __CT_ENCRYPTED              Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
meta       ENCRYPTED_MESSAGE           __CT_ENCRYPTED
describe   ENCRYPTED_MESSAGE           Message is encrypted, not likely to be spam
score      ENCRYPTED_MESSAGE           -1.000
tflags     ENCRYPTED_MESSAGE           nice,publish


#body       __PHONE_GIBBERISH_01        /(?:\b\d\d\d-\d\d\d-\d\d\d\d\s+[a-z][^\d\s:.]+\s+){15}/

header      __HAS_GMX_BULK             exists:X-Gmx-Bulk

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
  body       __HTML_TAG_BALANCE_CENTER     eval:html_tag_balance('center', '!= 0')
  meta       HTML_TAG_BALANCE_CENTER       __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY 
  describe   HTML_TAG_BALANCE_CENTER       Malformatted HTML
endif


# more random garbage message headers 01/2016
header     __HDR_CASE_REVERSED         ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
tflags     __HDR_CASE_REVERSED         multiple maxhits=4
meta       __HDR_CASE_REV_MANY         (__HDR_CASE_REVERSED > 3)

meta       HDR_CASE_REV_MANY           __HDR_CASE_REV_MANY
describe   HDR_CASE_REV_MANY           Multiple malformed (possibly random gibberish) message headers
score      HDR_CASE_REV_MANY           2.000	# limit

meta       HDR_CASE_REV_ENC            __HDR_CASE_REVERSED && (__FROM_ENCODED_B64 || __TVD_SPACE_ENCODED )
describe   HDR_CASE_REV_ENC            Malformed (possibly random gibberish) message header + suspicious encoding
score      HDR_CASE_REV_ENC            2.000	# limit



header     __HAS_CAMPAIGN              exists:X-Campaign 
header     __HAS_CAMPAIGNID            exists:X-Campaignid
header     __HAS_CID                   exists:X-CID
header     __HAS_XM_LID                exists:X-Mailer-LID
header     __HAS_XM_RECPTID            exists:X-Mailer-RecptId
header     __HAS_XM_SID                exists:X-Mailer-SID
header     __HAS_XM_SENTBY             exists:X-Mailer-Sent-By
header     __HAS_DOMAINKEY_SIG         exists:DomainKey-Signature
header     __HAS_PHP_SCRIPT            exists:X-PHP-Script
header     __HAS_PHP_ORIG_SCRIPT       exists:X-PHP-Originating-Script

header     __FROM_WORDY                From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
#header     __FROM_WORDY_3              From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/

meta       __FROM_WORDY_SONLY          __FROM_WORDY && (__KHOP_NO_FULL_NAME || __CTYPE_HTML || __TO_EQ_FROM_DOM_2 || __HTML_IMG_ONLY || FREEMAIL_FORGED_REPLYTO )
meta       FROM_WORDY                  (__FROM_WORDY_SONLY && !__HTML_LENGTH_0000_1024) && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_TNEF && !__USING_VERP1 && !__HDRS_LCASE_KNOWN 
describe   FROM_WORDY                  From address looks like a sentence
tflags     FROM_WORDY                  publish

meta       FROM_WORDY_SHORT            (__FROM_WORDY_SONLY && __HTML_LENGTH_0000_1024) && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_TNEF && !__USING_VERP1 
describe   FROM_WORDY_SHORT            From address looks like a sentence + short message
tflags     FROM_WORDY_SHORT            publish

meta       PHP_SCRIPT_MUA              __HAS_PHP_SCRIPT && __PHP_NOVER_MUA 
describe   PHP_SCRIPT_MUA              Sent by PHP script, no version number
score      PHP_SCRIPT_MUA              2.000	# limit
tflags     PHP_SCRIPT_MUA              publish

meta       __PHP_SCRIPT_MIMENEEDED     __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME 

meta       __PHP_ORIG_SCRIPT_SONLY     __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
meta       PHP_ORIG_SCRIPT             __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO 
describe   PHP_ORIG_SCRIPT             Sent by bot & other signs
score      PHP_ORIG_SCRIPT             4.000	# limit
tflags     PHP_ORIG_SCRIPT             publish

#header     __FROM_AUTHORITY_COMPANY    From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/
#meta       __PHP_MALWARE_ATTACH        __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT

meta       __XMSID                     __HAS_XM_SID && !__CTYPE_MULTIPART_MIXED 
meta       __XMSID_SONLY               __HAS_XM_SID && (INVALID_MSGID || __XPRIO || __HAS_X_MAILER)