# Rules that have tested OK in mass-checks
# and can be considered for promotion.

# DISABLED - VERY, VERY PRONE TO FPs
#body     FSL_MY_NAME_IS        /\bmy name is\b/i
#describe FSL_MY_NAME_IS        My name is ...

header   __FSL_HAS_LIST_UNSUB  exists:List-Unsubscribe
meta     FSL_BULK_SIG          ((DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB)
describe FSL_BULK_SIG          Bulk signature with no Unsubscribe

uri      FSL_LINK_AWS_S3_WEB    /http:\/\/[^. ]+\.s3-website-[^. ]+\.amazonaws\.com/i
describe FSL_LINK_AWS_S3_WEB    Contains a link to Amazon S3 website

meta     FSL_LINK_AWS_S3_WEB_FM (FREEMAIL_FROM && FSL_LINK_AWS_S3_WEB)
describe FSL_LINK_AWS_S3_WEB_FM Contains a link to Amazon S3 website and from a Freemail address

header   FSL_PHP_EXPLOIT_41    X-PHP-Script =~ / 41\.\d+\.\d+\.\d+\b/
describe FSL_PHP_EXPLOIT_41    PHP Script being run by someone in Africa