# 419 Spam
header  __FSL_HELO_USER_1   X-Spam-Relays-External =~ / helo=user /i
# KAM 3/14/2014 - BUG 6693 - Terminate with ( or [
header  __FSL_HELO_USER_2   Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
# KAM 3/14/2014 - BUG 6693 - Terminated with ) and added EHLO OR HELO matching
header  __FSL_HELO_USER_3   Received =~ /(?:eh|he)lo(?:=|\s)User\)/i
meta    FSL_NEW_HELO_USER   (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
describe  FSL_NEW_HELO_USER Spam's using Helo and User
score   FSL_NEW_HELO_USER   2.0
tflags  FSL_NEW_HELO_USER   publish

# axb 2012-09-27 Disabled to avoid overlap with autogenerated rules
# 419 Spam
# header   FSL_XM_419   X-Mailer =~ /\s+6\.00\.2600\.0000$/
# describe FSL_XM_419   Old OE version in X-Mailer only seen in 419 spam
# score    FSL_XM_419   2.0

# 419 Spam
header   FSL_CTYPE_WIN1251   Content-Type =~ /charset="Windows-1251"/
describe FSL_CTYPE_WIN1251   Content-Type only seen in 419 spam
# score    FSL_CTYPE_WIN1251   2.0

# 419 Spam
header   FSL_MID_419   MESSAGE-ID =~ /\@User>$/
describe FSL_MID_419   Spam signature in Message-ID
# score    FSL_MID_419   2.0

# https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7028
# simplistic rule overlaps with FROM_MISSP_REPLYTO - FP Potential (axb - 04-31-2014)
#meta     FSL_MISSP_REPLYTO   (__FROM_MISSPACED && __HAS_REPLY_TO)
# describe FSL_MISSP_REPLYTO   Mis-spaced from and Reply-to
# score    FSL_MISSP_REPLYTO   2.0

# http://groups.yahoo.com/group/oftajscns/message
uri      FSL_YHG_ABUSE   /groups\.yahoo\.com\/group\/\S+\/message/
describe FSL_YHG_ABUSE   URI pointing to a message in an abused Yahoo Group
# score          FSL_YHG_ABUSE   2.0

# Bot spew
rawbody  FSL_BOTSPAM_1   /^[^\n]+\nhttp:\/\/[^\n]+\.ru\/\n$/s
describe FSL_BOTSPAM_1   Two-line spam with URI pointing to .ru domain
# score    FSL_BOTSPAM_1   2.0

# Mainsleaze
body     FSL_THIS_IS_ADV  /This is an advertisement\./
describe FSL_THIS_IS_ADV  This is an advertisement
# score    FSL_THIS_IS_ADV  3.0

# Bot spew
#rawbody  FSL_BOTSPAM_2   /alt="Click here to show image"/
# score    FSL_BOTSPAM_2   0.01

#rawbody  FSL_BOTSPAM_3   /<img alt="\*\*\* Click here \*\*\*"/
# score    FSL_BOTSPAM_3   0.01

# Fake Amazon order e-mails
#rawbody  FSL_BOTSPAM_4   /Sorry for taking your time\.\./
# score    FSL_BOTSPAM_4   0.01

#uri      FSL_RU_URL      /[^\/]+\.ru(?:$|\/|\?)/i
#tflags   FSL_RU_URL      nopublish
# score    FSL_RU_URL      0.01

# SpamEatingMonkey lists
# SEM-BACKSCATTER
#header RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
#tflags RCVD_IN_SEMBACKSCATTER net
#describe RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
#score RCVD_IN_SEMBACKSCATTER 0.5

# SEM-BLACK
#header RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
#tflags RCVD_IN_SEMBLACK net
#describe RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK
#score RCVD_IN_SEMBLACK 0.5

# SEM-URI
#urirhssub SEM_URI uribl.spameatingmonkey.net. A 2
#body SEM_URI eval:check_uridnsbl('SEM_URI')
#describe SEM_URI Contains a URI listed by SEM-URI
#tflags SEM_URI net
#score SEM_URI 0.5

# SEM-URIRED
#urirhssub SEM_URIRED urired.spameatingmonkey.net. A 2
#body SEM_URIRED eval:check_uridnsbl('SEM_URIRED')
#describe SEM_URIRED Contains a URI listed by SEM-URIRED
#tflags SEM_URIRED net
#score SEM_URIRED 0.5

# SEM-FRESH
#urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
#body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
#describe SEM_FRESH Contains a domain registered less than 5 days ago
#tflags SEM_FRESH net
#score SEM_FRESH 0.5

#urirhssub SEM_FRESH_10 fresh10.spameatingmonkey.net. A 2
#body SEM_FRESH_10 eval:check_uridnsbl('SEM_FRESH_10')
#describe SEM_FRESH_10 Contains a domain registered less than 10 days ago
#tflags SEM_FRESH_10 net
#score SEM_FRESH_10 0.5

#urirhssub SEM_FRESH_15 fresh15.spameatingmonkey.net. A 2
#body SEM_FRESH_15 eval:check_uridnsbl('SEM_FRESH_15')
#describe SEM_FRESH_15 Contains a domain registered less than 15 days ago
#tflags SEM_FRESH_15 net
#score SEM_FRESH_15 0.5