# experiments based on masscheck results

meta	 MALFORMED_FREEMAIL	(MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
describe MALFORMED_FREEMAIL	Bad headers on message from free email service
#score	 MALFORMED_FREEMAIL	0.1

header	 FROM_WEBSITE	From:raw =~ m'\b(?:f|ht)tps?://[^\s"</\@]{3,60}\.\w\w'i
describe FROM_WEBSITE	Sender name appears to be a link

header	 FROM_2_EMAILS	From =~ /([^\@]{2,}\@[^\@]{2,60}\.\w\w).*(?!\1)[^\@]{2,}\@[^\@]/
describe FROM_2_EMAILS	Sender claims to have a different email

# Fix for __FROM_ALL_NUMS, which has a y2k bug in it.  Now it's a y2.1k bug.
header __FROM_ALL_NUMS_FIX  From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)\d+\@/
header __FROM_ALL_HEX	    From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/

header	 KHOP_BIG_TO_CC      ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,25},){10}/
describe KHOP_BIG_TO_CC      Sent to 10+ recipients instaed of Bcc or a list

# see also 70_sare_spoof.cf's __EBAY_ADDRESS:
# header __EBAY_ADDRESS     From:addr =~ /[\@\.]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
header	 __EBAY_ADDRESS 	From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i
meta	 KHOP_FAKE_EBAY 	__EBAY_ADDRESS && !__NOT_SPOOFED
describe KHOP_FAKE_EBAY 	Sender falsely claims to be from eBay
# 0.0684/0.0210 spam/ham, 0.765 s/o @ 20091204, though ruleqa ignores dkim
# 0.0017/0.0185 spam/ham, 0.092 s/o @ 20100203
# 0.0049/0.1999 spam/ham, 0.281 s/o @ 20100424 net.
# 0.0095/0.0246 spam/ham, 0.278 s/o @ 20100517

# masscheck doesn't cover ifplugin lines.  It takes the first hit anyway.
#if ! plugin (Mail::SpamAssassin::Plugin::URIDetail)
#  rawbody    KHOP_FOREIGN_CLICK	m{\bhref=[^>]{9,199}>[^<]{0,80}(?:<(?!/a\b)[^>]{0,299}>[^<]{0,80}){0,9}[^<]{0,80}\b(?:cli(?:quez\W|ck\Wa)ici\b|cli(?:cca\W|c\Wa|que\Wa)qu[^<.,a ]|klie?k(?:\Whi?er|ni(?:j|nite)\Wtu[tk]aj)\b)}si
#else
  # uri_detail doesn't support m{foo}i notation
#  uri_detail KHOP_FOREIGN_CLICK	text =~ /\b(?:cli(?:quez\W|ck\Wa)ici\b|cli(?:cca\W|c\Wa|que\Wa)qu[^<.,a ]|klie?k(?:\Whi?er|ni(?:j|nite)\Wtu[tk]aj)\b)/i
#endif
# includes fr, es, it, pt, nl, da, ca, sl, af, and probably others
#describe KHOP_FOREIGN_CLICK	Click here link in non-English Latin text
#score	 KHOP_FOREIGN_CLICK	0.01	# 20090526 see also SARE_UN7
#tflags	 KHOP_FOREIGN_CLICK	nopublish  # re-do ifplugin to publish
# 20100319.  0.8 -> 0.3, re-enabled in masscheck w/out ifplugin, output pending
# 0.0097/0.0100 spam/ham, 0.493 s/o @ 20100330  0.3 -> 0.1
# 0.0176/0.0116 spam/ham, 0.603 s/o @ 20100417 net.  0.1 -> 0.01
# 0.0175/0.0120 spam/ham, 0.594 s/o @ 20100425 net.  fired from khop-general.

# uri_detail lacks support for carrying matches across consecutive regexps
#uri_detail SPOOFED_URL	raw =~ /^https?:..(.{6,50})/ text =~ /\bhttps?:..(?!$1).{5}/
# reduced to 30 chars (35 w/ http:) for URL wrapping, e.g. LeadLander wraps @35
rawbody  __SPOOFED_URL	m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
# even with scrubbing, probably can't handle 'legit' tracking redirectors
meta	 SPOOFED_URL	__SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
describe SPOOFED_URL	Has a link whose text is a different URL

uri	 __SHORT_URL	/^http:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
# list from http://techcrunch.com/2010/01/06/bit-ly-market-share/ containing
# anything that ranked 0.1% or more of twitter's traffic that day, plus anything
# bold below that threshold.
# 20130113 JHardin: split into __subrule + scored rule to fix dependencies broken by non-promotion
uri	 __URL_SHORTENER	/^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}\/?/
meta	 URL_SHORTENER	__URL_SHORTENER
describe URL_SHORTENER	Has a shortened URL (can hide a blacklisted link)
tflags	 URL_SHORTENER	nopublish
#uri	 SHORT_URL	/^http:\/\/(!?(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/)[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
meta	 SHORT_URL	__SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED
describe SHORT_URL	Has a short URL without a shortening service

rawbody	 SHORTENED_URL_SRC	/<[^>]{1,99}\ssrc=\W?http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}/
rawbody	 SHORTENED_URL_HREF	/<[^>]{1,99}\shref=\W?http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}/
score	SHORTENED_URL_HREF	1.0

# I don't think this ever fires
uri	 URI_HIDDEN	m'.{7}\/\.\.?/?\w'
describe URI_HIDDEN	Contains a hidden directory
#score	 URI_HIDDEN	0.7 # 20090515 13:29 by Adam Katz (me) on sa-users list


# no subdomain; sent by example.com rather than server.example.com
header __RDNS_NO_SUBDOM	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /

header __RDNS_IS_WWW	X-Spam-Relays-External =~ /^[^\]]+ rdns=www\./
header __RELAY_THRU_WWW	Received =~ /from (?:[^ \@]+\@)?www\./
header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i
meta	 KHOP_FROM_WWW	(__RDNS_IS_WWW || __RELAY_THRU_WWW) && ! (__FROM_WEB_DAEMON || __MSGID_JAVAMAIL)

# a REALLY simple test...
header __RDNS_LONG	X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/
header __RDNS_SHORT	X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /


# Rough nonplugin regexs from John Rudd's Botnet plugin (v0.8, 2007-08-05).
# http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar
# I've purposefully removed anything alrady in RDNS_DYNAMIC
# NOTE: this is GPLv2, which is incompatible with the Apache License.
# My *brief* read is that Apache->GPLv2 is taboo but GPLv2->Apache is fine.
# I wrote the next four rules from his base words, so these are fine.
header __BOTNET_CLIENT1 X-Spam-Relays-External =~ /^[\]]+ rdns=\S*\b(?:ddns|dial-?(?:in|up)|dyn(?:amic)?ip|resident(?:ial)?|bredband)[^a-z]/i
header __BOTNET_CLIENT2 X-Spam-Relays-External =~ /^[\]]+ rdns=\S*(?:\b(?:pool|user)[^a-z]|[-.]ip[-.])/i
header __BOTNET_SERVER	X-Spam-Relays-External =~ /^[\]]+ rdns=\S*\b(?:e?mail(?:out)?|mta|mx(?:pool)?|relay|smtp|exch(?:ange)?)[^a-z]/i
meta BOTNET_NOPLUGIN	!__BOTNET_SERVER && (__BOTNET_CLIENT1||__BOTNET_CLIENT2)

# shawcable.net uses customer hostnames that don't match other botnet patterns
describe BOTNET_SHAWCABLE	Shawcable.net customer address
meta	 BOTNET_SHAWCABLE	(__BOTNET_SHAWCABLE && __BOTNET_NOTRUST)
header	 __BOTNET_SHAWCABLE	X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=s[0-9a-f]*\...\.shawcable\.net\b/i
#score	 BOTNET_SHAWCABLE	5.0
tflags	 BOTNET_SHAWCABLE	nopublish # confirm license with author first

# ocn.ne.jp uses customer hostnames that don't match other botnet patterns
describe BOTNET_OCNNEJP		Ocn.ne.jp customer address
meta	 BOTNET_OCNNEJP		(__BOTNET_OCNNEJP && __BOTNET_NOTRUST)
header	 __BOTNET_OCNNEJP	X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=p\d{4}-ip\S*\.ocn\.ne\.jp\b/i
#score	 BOTNET_OCNNEJP		5.0
tflags	 BOTNET_OCNNEJP	nopublish # confirm license with author first

# If the message was authenticated or hit a trusted host, then we want to
# exempt these 'non-module' rules.
describe __BOTNET_NOTRUST	Message has no trusted relays
header	 __BOTNET_NOTRUST	X-Spam-Relays-Trusted !~ /ip=/i
tflags	 __BOTNET_NOTRUST	nopublish # confirm license with author first


# Note: unfair regarding RFC 2821, see http://en.wikipedia.org/wiki/FCrDNS#Uses
header __HELO_NOT_RDNS	X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!\1)\S/
meta	 KHOP_HELO_FCRDNS	__HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
describe KHOP_HELO_FCRDNS	Relay HELO differs from its IP's reverse DNS
score	 KHOP_HELO_FCRDNS	0.4 # 20090603
# 33.9858/7.3415 spam/ham, 0.822 s/o @ 20100203
# 40.5025/2.1738 spam/ham, 0.949 s/o @ 20100417 net
# 44.5263/5.6620 spam/ham, 0.887 s/o @ 20100514.  Added rdns_short 5/17.
# 38.8872/2.9614 spam/ham, 0.929 s/o @ 20110812 @302k spam

# inspired by SPF HELO portion of http://www.chaosreigns.com/mtx/#comparisons
meta	 FORGED_SPF_HELO	__HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
# nice theory, expecting poor practice, maybe 0.0453/0.1227 s/h @ 0.270 s/o

# This *really* needs properly defined trusted networks.
header	 __HELO_AS_VICTIM 	X-Spam-Relays-External =~ /^[^\]]+ helo=(\S+) [^\]]*\bby=\1 /
meta	 KHOP_HELO_AS_VICTIM	__HELO_AS_VICTIM && !__BOTNET_NOTRUST
tflags   KHOP_HELO_AS_VICTIM    nopublish # confirm license with author first for __BOTNET_NOTRUST

meta     HELO_NO_DOMAIN	__HELO_NO_DOMAIN && !HELO_LOCALHOST
describe HELO_NO_DOMAIN	Relay reports its domain incorrectly
#score	 HELO_NO_DOMAIN	2.375 0.327 1.497 0.884
# scores derived from 90% of RDNS_DYNAMIC's sa3.3 proposal (attachment 4565)
# because they have such similar definitions, numbers, and merits

header __NAME_IS_EMAIL	From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
header __NAME_EQ_EMAIL	From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i
meta	 NAME_EMAIL_DIFF	__NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
describe NAME_EMAIL_DIFF	Sender NAME is an unrelated email address
#score	 NAME_EMAIL_DIFF	0.375 # tot=0.5, low for noreply@dom  20090811

header	 ADV_SUBJ	Subject =~ /\[ ?(?:ADV|A D V) ?\]/i
describe ADV_SUBJ	Marked by sender as an advertisement
#score	 ADV_SUBJ 1.5 # 20090304


header __MSGID_JAVAMAIL	Message-ID =~ /\.JavaMail\./
tflags __MSGID_JAVAMAIL	nice

header __TAB_IN_SUBJ	Subject =~ /\t/
# "i owe u 4 something b4 tomorrow" hits this four times:
header __SUBJ_INFORMAL	Subject =~ /(?:^| )(?:[iuU4]|[Bb]4)(?: |$)/
header __SUBJ_ALL_LOWER	Subject =~ /^[a-z -]$/

# these two ignore leading things like "Re:" and "[foo list]"
header __SUBJ_4LOWER	Subject =~ /^(?:[a-zA-Z]{2,4}: +)?(?:\[[ \w]+\] +)?(?:.*[a-z]){4}/
header __SUBJ_2UPPER	Subject =~ /^(?:[a-zA-Z]{2,4}: +)?(?:\[[ \w]+\] +)?(?:.*[A-Z]){2}/
header __SUBJ_SHORT	Subject =~ /^.{0,8}$/
header __SUBJ_IMPORTANT	Subject =~ /\b(?:[Ii]mportant|IMPORTANT)\b/

# attempts to fix SUBJ_ALL_CAPS, which has an S/O of 0.563 yet is published
meta	 SUBJ_ALL_CAPS2	SUBJ_ALL_CAPS && __SUBJ_4LOWER && __SUBJ_2UPPER && !__SUBJ_SHORT
meta	 SUBJ_ALL_CAPS3	SUBJ_ALL_CAPS && __SUBJ_4LOWER && __SUBJ_2UPPER && !(__SUBJ_SHORT||__SUBJ_IMPORTANT)

header	 __HOTMAIL_HELO	Received =~ /from ([A-Z]{3})\d[^.]+ [^\n]+ by \1\d+-[^\n ]+\.\1\d+\.hotmail\.com with Microsoft/i
tflags	 __HOTMAIL_HELO 	nice
# 1 & 2 are in 20_head_tests.cf ... this one doesn't use eval rules
meta	 FORGED_HOTMAIL_RCVD3	__HOST_HOTMAIL && (!__HOTMAIL_HELO || __DOS_SINGLE_EXT_RELAY)

# A blend of sidney's UPPERCASE_HTTP and jhardin's URI_UC for bug 6408
# This one avoids Http: which I think is the biggest problem.
uri	 UPPERCASE_URI	/^[^:A-Z]+[A-Z]/
describe UPPERCASE_URI	Link protocol has unexpected mixed case


# doesn't match enough, has a higher S/O than __GREYLISTING, therefore useless.
# header	 __GREYLISTED	ALL =~ /(?:^|\n)X-(?:Scam-Grey|Greylist(?:ing)?):\s+delay(?:ed)? (?:for )?\d+(?: ?s(?:ec(?:ond)?s?)?|:\d\d)/im

# meta KHOP_GREYED __GREYLISTED && (RDNS_NONE||RDNS_DYNAMIC||__HELO_NO_DOMAIN)
# describe KHOP_GREYED	Greylisted and sent from dynamically-named relay
# score	 KHOP_GREYED	0.1


# This is useless while __DKIM_EXISTS continues to perform so well.
# This is useless while ruleqa continues to lack DKIM support.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta	   DKIM_INVALID	__DKIM_EXISTS && !DKIM_VALID
  describe DKIM_INVALID	DKIM-Signature header exists but is not valid
  # masscheck ignores ifplugins and thus always has DKIM_INVALID==__DKIM_EXISTS
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
  # probably all over the place, indicating only a MS document is attached,
  # which might hit only ham and virii
  full	__BASE64_MDAW	/^(?:MDAw){12}/

  meta	__REMOTE_IMAGE	(__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
  meta	REMOTE_IMAGE	__REMOTE_IMAGE
  describe REMOTE_IMAGE	Message contains an external image

endif # }

# rawbody  __BUGGED_IMG	m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i

# inspired by retired SA 2.x HTML_WEB_BUGS rule's eval:html_test('web_bugs')
# rawbody  __WEB_BUGS	m{<[^>]{4,100}\ssrc=[^>]{8,200}\.(?:pl|cgi|php\d?|asp|jsp|cfm|py|\?[^>]{4})\b}i

# Idea from Michael Scheidell of SECNAP on SpamAssassin Users List 2010-05-08
# http://old.nabble.com/yahoo-X-YMail-OSG-tp28496110p28496110.html
#header	 LONG_HEADER_LINE_80	ALL:raw =~ /^(?-xis:(?=(?!X-Spam|X-MailScan|Received).{80,159}$))/m
#header	 LONG_HEADER_LINE_160	ALL:raw =~ /^(?-xis:(?=(?!X-Spam|X-MailScan|Received).{160,239}$))/m
#header	 LONG_HEADER_LINE_240	ALL:raw =~ /^(?-xis:(?=(?!X-Spam|X-MailScan|Received).{240,319}$))/m
#header	 LONG_HEADER_LINE_320	ALL:raw =~ /^(?-xis:(?=(?!X-Spam|X-MailScan|Received).{320,399}$))/m
#header	 LONG_HEADER_LINE_400	ALL:raw =~ /^(?-xis:(?=(?!X-Spam|X-MailScan|Received).{400,499}$))/m
#header	 LONG_HEADER_LINE_500	ALL:raw =~ /^(?-xis:(?=(?!X-Spam|X-MailScan|Received).{500}))/m
#describe LONG_HEADER_LINE_80	A header line contains 80-159 characters
#describe LONG_HEADER_LINE_160	A header line contains 160-239 characters
#describe LONG_HEADER_LINE_240	A header line contains 240-319 characters
#describe LONG_HEADER_LINE_320	A header line contains 320-399 characters
#describe LONG_HEADER_LINE_400	A header line contains 400-499 characters
#describe LONG_HEADER_LINE_500	A header line contains 500+ characters

#header   __SINGLE_HEADER_1K	ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan|D\w{3,8}-Signature)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s
#meta     SINGLE_HEADER_1K	__SINGLE_HEADER_1K && !__VIA_ML && !__THREADED

#header   SINGLE_HEADER_2K	ALL:raw =~ /(?-xim:(?=(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){2048,3071}.(?:\n\S|$)))/s
#header   SINGLE_HEADER_3K	ALL:raw =~ /(?-xim:(?=(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){3072,4095}.(?:\n\S|$)))/s
#header   SINGLE_HEADER_4K	ALL:raw =~ /(?-xim:(?=(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){4096,5119}.(?:\n\S|$)))/s
#header   SINGLE_HEADER_5K	ALL:raw =~ /(?-xim:(?=(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){5120}))/s
#describe SINGLE_HEADER_1K	A single header contains 1K-2K characters
#describe SINGLE_HEADER_2K	A single header contains 2K-3K characters
#describe SINGLE_HEADER_3K	A single header contains 3K-4K characters
#describe SINGLE_HEADER_4K	A single header contains 4K-5K characters
#describe SINGLE_HEADER_5K	A single header contains 5K+ characters

#header	 BIG_HEADERS_2K 	ALL:raw =~ /^(?=.{2048,3071}$)/s
#header	 BIG_HEADERS_3K 	ALL:raw =~ /^(?=.{3072,4095}$)/s
#header	 BIG_HEADERS_4K 	ALL:raw =~ /^(?=.{4096,5119}$)/s
#header	 BIG_HEADERS_5K 	ALL:raw =~ /^(?=.{5120})/s
#describe BIG_HEADERS_2K 	Headers contain 2K-3K characters total
#describe BIG_HEADERS_3K 	Headers contain 3K-4K characters total
#describe BIG_HEADERS_4K 	Headers contain 4K-5K characters total
#describe BIG_HEADERS_5K 	Headers contain 5K+ characters total

#header	 MS_XYMOSG_1K	X-YMail-OSG =~ /^(?=.{1024,2047}$)/s
#header	 MS_XYMOSG_2K	X-YMail-OSG =~ /^(?=.{2048,3071}$)/s
#header	 MS_XYMOSG_3K	X-YMail-OSG =~ /^(?=.{3072,4095}$)/s
#header	 MS_XYMOSG_4K	X-YMail-OSG =~ /^(?=.{4096,5119}$)/s
#header	 MS_XYMOSG_5K	X-YMail-OSG =~ /^(?=.{4096})/s

# from mailing list, subject "Tonns of russian DOT info spam" 2011-02-21
#header __LISTID_DEBIAN	List-Id =~ /\.lists\.debian\.org>/
#body   __RAJONAA_INFO	m' rajonaa: http://www\.[\w-]{0,50}\.info !$'
#meta	 DEB_RAJONAA	__LISTID_DEBIAN && __RAJONAA_INFO
#describe DEB_RAJONAA	Latvian text with .info URI on Debian List
#score	 DEB_RAJONAA	3.0

# Requested on sa-users list
# See http://old.nabble.com/username-in-from-address-tp31213779p31213779.html
# See also __TO_EQ_FROM_DOM
header	 __TO_EQ_FROM_USR_1	ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
header	 __TO_EQ_FROM_USR_2	ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
meta	 __TO_EQ_FROM_USR	(__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
describe __TO_EQ_FROM_USR	To: username same as From: username

header	 __TO_EQ_FROM_USR_NN_1	ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
header	 __TO_EQ_FROM_USR_NN_2	ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
meta	 __TO_EQ_FROM_USR_NN	(__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
describe __TO_EQ_FROM_USR_NN	To: username same as From: username sans trailing nums

# JHardin:
# __TO_EQ_FROM_USR_NN recent S/O is 0.992 on a large corpus
# with most hits at <= 5 points
# let's see if we can get those low-scored spams some more points
# FP observation: __TO_EQ_FROM_USR overlaps ~99% of _USER_NN ham hits and no spam;
#   this suggests the primary spam indicator is having *different* suffixes
# Many of the rest are fairly reliable ham indicators
# suggested scored FP avoidance rule:
meta	 __TO_EQ_FROM_USR_NN_MINFP	__TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED


header	 __SUBJ_NOT_SHORT	Subject =~ /^.{16}/
header	 __SUBJ_HAS_WORDS	Subject =~ /(?:^|\s)[^\W0-9_]{3,15}(?:\s|$)/
meta	 SUBJ_LACKS_WORDS	__SUBJ_NOT_SHORT && !__SUBJ_HAS_WORDS && !__SUBJECT_ENCODED_B64
describe SUBJ_LACKS_WORDS	Subject is not short yet lacks words