#testrules
header   __FSL_RELAY_GOOGLE	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com /i
header   __FSL_ENVFROM_GOOGLE	X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@g(?:mail|oogle)\.com /i
meta     FSL_NOT_FROM_GOOGLE	__FSL_ENVFROM_GOOGLE && !__FSL_RELAY_GOOGLE
score    FSL_NOT_FROM_GOOGLE	2.0
describe FSL_NOT_FROM_GOOGLE    Envelope-From GMail or Google but not originated from Google systems

header   __FSL_RELAY_YAHOO      X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.yahoo(?:dns)?\.co(?:m|\.jp) /i
header   __FSL_ENVFROM_YAHOO    X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@yahoo(?:groups)?\./i
header   __FSL_ENVFROM_YMAIL    X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@ymail\.com /i
header   __FSL_ENVFROM_ROCKET   X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@rocketmail\.com /i
meta     FSL_NOT_FROM_YAHOO     ((__FSL_ENVFROM_YAHOO || __FSL_ENVFROM_YMAIL || __FSL_ENVFROM_ROCKET) && !__FSL_RELAY_YAHOO)
score    FSL_NOT_FROM_YAHOO     2.0
describe FSL_NOT_FROM_YAHOO     Envelope-From Yahoo or Yahoo Groups but not originated from Yahoo systems

header   __FSL_RELAY_HOTMAIL    X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.hotmail\.com /i
header   __FSL_ENVFROM_HOTMAIL  X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@hotmail\./i
header   __FSL_ENVFROM_LIVE     X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@live\./i
meta     FSL_NOT_FROM_HOTMAIL   (__FSL_ENVFROM_HOTMAIL || __FSL_ENVFROM_LIVE) && !__FSL_RELAY_HOTMAIL
score    FSL_NOT_FROM_HOTMAIL   2.0
describe FSL_NOT_FROM_HOTMAIL   Envelope-From Hotmail/Live but not originated from Hotmail systems

header   __FSL_RELAY_AOL        X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.aol\.com/i
header   __FSL_ENVFROM_AOL      X-Spam-Relays-External =~ /^[^\]]+ envfrom=[^\@ ]+\@aol\./i
meta     FSL_NOT_FROM_AOL       __FSL_ENVFROM_AOL && !__FSL_RELAY_AOL
score    FSL_NOT_FROM_AOL       2.0
describe FSL_NOT_FROM_AOL       Envelope-From AOL but not originated from AOL systems

header   FSL_UNDISCLOSED_RCPTS  To =~ /\bundisclosed[- ]recipients\b/i
score    FSL_UNDISCLOSED_RCPTS  0.01
describe FSL_UNDISCLOSED_RCPTS  To undisclosed recipients

header   FSL_ABUSED_WEB_1       exists:X-AntiAbuse
score    FSL_ABUSED_WEB_1       0.01
describe FSL_ABUSED_WEB_1       Has X-AntiAbuse header

header   FSL_ABUSED_WEB_2       exists:X-PHP-Script
score    FSL_ABUSED_WEB_2       0.01
describe FSL_ABUSED_WEB_2       Has X-PHP-Script header

header   FSL_ABUSED_WEB_3       exists:X-PHP-Originating-Script
score    FSL_ABUSED_WEB_3       0.01
describe FSL_ABUSED_WEB_3       Has X-PHP-Originating-Script header

meta     FSL_UNDISCLOSED_BULK  (FSL_UNDISCLOSED_RCPTS && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK))
describe FSL_UNDISCLOSED_BULK  Undisclosed recipients and bulk signature
score    FSL_UNDISCLOSED_BULK  3.0

# Received: from hwyhsxwaxz (amandacallow@113.162.65.176 with login) by
header   __FSL_YAHOO_AUTH1      Received =~ /from [a-z]{10} \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /
# Received: from localhost (rhinotrick@46.185.178.15 with login) by
header   __FSL_YAHOO_AUTH2      Received =~ /from localhost \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
header   __FSL_YAHOO_AUTH3      Received =~ /from user \([^\@ ]+\@\d+\.\d+\.\d+\.\d+ with (?:plain|login)\) /i
meta     FSL_YAHOO_AUTH_SIG     (__FSL_RELAY_YAHOO && (__FSL_YAHOO_AUTH1 || __FSL_YAHOO_AUTH2 || __FSL_YAHOO_AUTH3))
describe FSL_YAHOO_AUTH_SIG     Yahoo SMTP AUTH observed patterns
score    FSL_YAHOO_AUTH_SIG     5.0

ifplugin Mail::SpamAssassin::Plugin::FreeMail
# Test potential error in base rules
header   __smf_freemail_hdr_replyto  eval:check_freemail_header('Reply-To:addr')
meta     SMF_FM_FORGED_REPLYTO  __smf_freemail_hdr_replyto && !FREEMAIL_FROM && !__freemail_safe
describe SMF_FM_FORGED_REPLYTO  Freemail in Reply-To, but not From
tflags	 SMF_FM_FORGED_REPLYTO  nopublish
#score    SMF_FM_FORGED_REPLYTO  0.1
endif

# Theory: most glue adds their own Received headers be SpamAssassin
# sees the message, so NO_RECEIVED will never fire when run in that
# way.  So lets see if a single Untrusted/External is an indicator.
header   __FSL_COUNT_TRUST      X-Spam-Relays-Trusted =~ /\[[^\]]+\]/
tflags   __FSL_COUNT_TRUST	multiple
meta     FSL_RCVD_TR_1          (__FSL_COUNT_TRUST == 1)
score    FSL_RCVD_TR_1		0.01
meta     FSL_RCVD_TR_2          (__FSL_COUNT_TRUST == 2)
score    FSL_RCVD_TR_2		0.01
meta     FSL_RCVD_TR_3          (__FSL_COUNT_TRUST == 3)
score    FSL_RCVD_TR_3		0.01
meta     FSL_RCVD_TR_4          (__FSL_COUNT_TRUST == 4)
score    FSL_RCVD_TR_4		0.01
meta     FSL_RCVD_TR_5          (__FSL_COUNT_TRUST == 5)
score    FSL_RCVD_TR_5		0.01
meta     FSL_RCVD_TR_GT_5       (__FSL_COUNT_TRUST > 5)

header   __FSL_COUNT_UNTRUST	X-Spam-Relays-Untrusted =~ /\[[^\]]+\]/
tflags   __FSL_COUNT_UNTRUST	multiple
meta     FSL_RCVD_UT_1          (__FSL_COUNT_UNTRUST == 1)
score    FSL_RCVD_UT_1		0.01
meta     FSL_RCVD_UT_2          (__FSL_COUNT_UNTRUST == 2)
score    FSL_RCVD_UT_2		0.01
meta     FSL_RCVD_UT_3          (__FSL_COUNT_UNTRUST == 3)
score    FSL_RCVD_UT_3		0.01
meta     FSL_RCVD_UT_4          (__FSL_COUNT_UNTRUST == 4)
score    FSL_RCVD_UT_4		0.01
meta     FSL_RCVD_UT_5          (__FSL_COUNT_UNTRUST == 5)
score    FSL_RCVD_UT_5		0.01
meta     FSL_RCVD_UT_GT_5       (__FSL_COUNT_UNTRUST > 5)
score    FSL_RCVD_UT_GT_5	0.01

header   __FSL_COUNT_EXTERN	X-Spam-Relays-External =~ /\[[^\]]+\]/
tflags   __FSL_COUNT_EXTERN	multiple
meta     FSL_RCVD_EX_0		(__FSL_COUNT_EXTERN == 0)
score    FSL_RCVD_EX_0		0.01
meta     FSL_RCVD_EX_1          (__FSL_COUNT_EXTERN == 1)
score    FSL_RCVD_EX_1		0.01
meta     FSL_RCVD_EX_2          (__FSL_COUNT_EXTERN == 2)
score    FSL_RCVD_EX_2		0.01
meta     FSL_RCVD_EX_3          (__FSL_COUNT_EXTERN == 3)
score    FSL_RCVD_EX_3		0.01
meta     FSL_RCVD_EX_4          (__FSL_COUNT_EXTERN == 4)
score    FSL_RCVD_EX_4		0.01
meta     FSL_RCVD_EX_5          (__FSL_COUNT_EXTERN == 5)
score    FSL_RCVD_EX_5		0.01
meta     FSL_RCVD_EX_GT_5       (__FSL_COUNT_EXTERN > 5)

meta     FSL_NO_RCVD_1          (__FSL_COUNT_TRUST > 0 && __FSL_COUNT_UNTRUST == 0)
score    FSL_NO_RCVD_1		0.01

rawbody  __FSL_HTML_BLOCKS      /<((?:div|span))[^>]+>.{1,10}?<\/\1[^>]*>.{0,20}?<\1/si
tflags   __FSL_HTML_BLOCKS      multiple

meta     FSL_HTML_BLOCK_LOTS_1  (__FSL_HTML_BLOCKS > __FSL_BODY_TEXT_LINE)
describe FSL_HTML_BLOCK_LOTS_1  More <div> or <span> blocks than lines
score    FSL_HTML_BLOCK_LOTS_1  0.01

meta     FSL_HTML_BLOCK_LOTS_2  (__FSL_HTML_BLOCKS > (__FSL_BODY_TEXT_LINE * 2))
describe FSL_HTML_BLOCK_LOTS_2  More <div> or <span> blocks than twice the amount of lines
score    FSL_HTML_BLOCK_LOTS_2  0.01

meta     FSL_HTML_BLOCK_LOTS_3  (__FSL_HTML_BLOCKS > (__FSL_BODY_TEXT_LINE * 4))
describe FSL_HTML_BLOCK_LOTS_3  More <div> or <span> blocks than 4x the amount of lines
score    FSL_HTML_BLOCK_LOTS_3  0.01

rawbody  __FSL_HTML_ENTITIES    /\&(?!(?:nbsp|cent|pound|yen|copy|reg|\#1[678][0-9];|\#x[AB][0-9A-F];))(?:\#(?:x[a-f0-9]+|\d{3,4})|[a-zA-Z]+)\;/si
tflags   __FSL_HTML_ENTITIES    multiple

meta     FSL_HTML_ENT_LOTS_1    (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 2))
describe FSL_HTML_ENT_LOTS_1    Lots of HTML entities x2
score    FSL_HTML_ENT_LOTS_1    0.01

meta     FSL_HTML_ENT_LOTS_2    (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 8))
describe FSL_HTML_ENT_LOTS_2    Lots of HTML entities x8
score    FSL_HTML_ENT_LOTS_2    0.01

meta     FSL_HTML_ENT_LOTS_3    (__FSL_HTML_ENTITIES > (__FSL_BODY_TEXT_LINE * 24))
describe FSL_HTML_ENT_LOTS_3    Lots of HTML entities x24
score    FSL_HTML_ENT_LOTS_3    0.01