### khop-blessed.cf     v 2010032819
###
### Spamassassin rules written by Adam Katz <antispamATkhopiscom>
### http://khopesh.com/Anti-spam
### khopesh on irc://irc.freenode.net/#spamassassin
###
### sa-update --gpgkey E8B493D6 --channel khop-blessed.sa.khopesh.com
#
## SVN version; minor tweaks, removed scores and redundant sandbox rules.
#
#header  __BSD_REPORT       Subject =~ /.(?:ail|ecurit|eekl|onthl)y run output$/
#meta    KHOP_BSD_REPORT    __BSD_REPORT && ALL_TRUSTED
#describe KHOP_BSD_REPORT    Regular run output from a BSD system
#tflags  KHOP_BSD_REPORT    nice noautolearn nopublish
##score  KHOP_BSD_REPORT    -8  # 20050822
#
#header  __LOGWATCH_REPORT      Subject =~ /^Log[Ww]atch for /
#meta    KHOP_LOGWATCH_REPORT   __LOGWATCH_REPORT && ALL_TRUSTED
#describe KHOP_LOGWATCH_REPORT   System report from LogWatch
#tflags  KHOP_LOGWATCH_REPORT   nice noautolearn nopublish
##score  KHOP_LOGWATCH_REPORT   -8      # 20050822
#
#
#### ENCRYPTION
#
#header  KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
#describe KHOP_ENCRYPTED_CONTENT        Message is encrypted
#tflags  KHOP_ENCRYPTED_CONTENT nice noautolearn nopublish
##score  KHOP_ENCRYPTED_CONTENT -7.5    # 20070227
## Note, encrypted pgp/mime data will trigger EMPTY_MESSAGE
#
## 2007/02/27 - Syntax taken from the OpenPGP standard, RFC 2440 section 6.2
#if ! plugin (Mail::SpamAssassin::Plugin::OpenPGP)
#  # moved from rawbody to body 20091021
#  body     __KHOP_PGP_I1       /-----BEGIN PGP (?:SIGNATURE|MESSAGE|PUBLIC|PRIVATE)(?:, PART [0-9]{1,4}\/[0-9]{1,4}| KEY BLOCK)?-----/
#  tflags   __KHOP_PGP_I1       nice
#  body     __KHOP_PGP_I2       /-----END PGP/
#  tflags   __KHOP_PGP_I2       nice
#  meta     __PGP_INLINE        ( __KHOP_PGP_I1 && __KHOP_PGP_I2 )
#  tflags   __PGP_INLINE        nice noautolearn
#  meta     KHOP_PGP_INLINE     __PGP_INLINE
#  describe KHOP_PGP_INLINE     BODY: Contains PGP data
#  tflags   KHOP_PGP_INLINE     nice noautolearn nopublish
#  #score    KHOP_PGP_INLINE    -2 -2 -3 -3
#
#  # 2005/12/14 - worthwhile even though we're not verifying the sig
#  header   __PGP_SIGNED        Content-Type =~ /multipart\/signed;.*\/pgp-signature/s
#  tflags   __PGP_SIGNED        nice noautolearn
#  meta     KHOP_PGP_SIGNED     __PGP_SIGNED
#  describe KHOP_PGP_SIGNED     Message seems to contain PGP signature
#  tflags   KHOP_PGP_SIGNED     nice noautolearn nopublish
#  #score    KHOP_PGP_SIGNED    -2 -2 -3 -3
#endif
#
## 2007/02/27 mimic KHOP_PGP_SIGNED for s/mime
#header __SMIME_SIGNED  Content-Type =~ /multipart\/signed;.*\/x-pkcs7-signatu/s
#meta    KHOP_SMIME_SIGNED      __SMIME_SIGNED
#describe KHOP_SMIME_SIGNED     Message seems to contain S/MIME signature
#tflags  KHOP_SMIME_SIGNED      nice noautolearn nopublish
#score   KHOP_SMIME_SIGNED      -2 -2 -3 -3
#
## MASSCHECK DETAIL from  20091028-r830464-n
##   SPAM%     HAM%      S/O    RANK    NAME
##  97.5085  71.0054    0.579   0.49    __MISSING_THREAD
##  99.9395  61.6540    0.618   0.49    __MISSING_REF
##  99.7691  59.9134    0.625   0.49    __MISSING_REPLY
##   4.0280   8.7871    0.314   0.21    __INR_AND_NO_REF
##
#
## 20091016 after much testing, has yet to hit a SINGLE spam (hits ~38% of ham)
meta    __THREADED     (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
tflags  __THREADED     nice

#meta    KHOP_THREADED  __THREADED

## Note that this does NOT verify legitimacy of referenced MSGIDs.
#describe KHOP_THREADED Message references or replies to another message
#tflags  KHOP_THREADED  nice nopublish
##score  KHOP_THREADED  -0.5 -0.5 -1.5 -1.5 # EASILY abused -- keep minimal
#
#