# uri         __MALWARE_DROPBOX_JAR_URI   m;^https?://[^.]+\.dropbox\.com/(\w+)/(\w+)/(\w+)\.jar\?dl\=1;i
# meta        GB_MALWARE_DROPBOX_JAR_URI	( __MALWARE_DROPBOX_JAR_URI && (HTML_SHORT_LINK_IMG_1 || HTML_SHORT_LINK_IMG_2 || HTML_SHORT_LINK_IMG_3) )
# describe    GB_MALWARE_DROPBOX_JAR_URI Dropbox that forces user to download jar file

uri         GB_GOOGLE_OBFU	/^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])+\&cad=rja\&uact=([0-9]+)\&ved=(.*)\&url=https?:\/\/(.*)&usg=(.*)/
describe    GB_GOOGLE_OBFU	Obfuscate url through Google redirect
score       GB_GOOGLE_OBFU      0.75 # limit
tflags      GB_GOOGLE_OBFU      publish

header      __COPY_OF       Subject =~ /Copy of:|offers for you/
meta        GB_COPY_OF_SHORT   ( __URL_SHORTENER && __COPY_OF && __KAM_BODY_LENGTH_LT_1024 )
describe    GB_COPY_OF_SHORT   Url shortnener spam

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  meta      GB_FROMNAME_SPOOFED_EMAIL_IP  ( FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
  describe  GB_FROMNAME_SPOOFED_EMAIL_IP  From:name looks like a spoofed email from a spoofed ip
endif

header     __HDR_RCVD_GOOGLE           X-Spam-Relays-External =~ /rdns=mail-\S+\.google\.com\s/
uri        __URI_IMG_GDRIVE            /^https:\/\/www\.google\.com\/drive\/static\/images\/drive\/logo-drive\.png/
uri        __URI_IMG_GPHOTO            /^https:\/\/www\.google\.com\/photos\/about\/static\/images\/logo_photos_64dp\.svg/

meta       __GDRIVE_IMG_NOT_RCVD_GOOG  __URI_IMG_GDRIVE && !__HDR_RCVD_GOOGLE
meta       __GPHOTO_IMG_NOT_RCVD_GOOG  __URI_IMG_GPHOTO && !__HDR_RCVD_GOOGLE
meta       GB_GOOG_IMG_NOT_RCVD_GOOG   ( __GDRIVE_IMG_NOT_RCVD_GOOG || __GPHOTO_IMG_NOT_RCVD_GOOG ) && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
describe   GB_GOOG_IMG_NOT_RCVD_GOOG   Google hosted image but message not from Google
score      GB_GOOG_IMG_NOT_RCVD_GOOG   2.500    # limit
# tflags     GB_GOOG_IMG_NOT_RCVD_GOOG   publish

header     __HDR_RCVD_LINKEDIN           X-Spam-Relays-External =~ /rdns=mail\S+\-\S+\.linkedin\.com\s/
uri        __URI_IMG_LINKEDIN            /^https:\/\/static\.licdn\.com\/scds\/common\/u\/images\/email\/artdeco\/illustrations\/56\/magnifying-glass\.png/

meta       __LINKED_IMG_NOT_RCVD_LINK    __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
meta       GB_LINKED_IMG_NOT_RCVD_LINK   __LINKED_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
describe   GB_LINKED_IMG_NOT_RCVD_LINK   Linkedin hosted image but message not from Linkedin
score      GB_LINKED_IMG_NOT_RCVD_LINK   2.500    # limit
tflags     GB_LINKED_IMG_NOT_RCVD_LINK   publish

# header     __HDR_RCVD_PAYPAL		 X-Spam-Relays-External =~ /rdns=mx\S+\.slc\.paypal\.com\s/
# uri        __URI_IMG_PAYPAL		 /^https:\/\/www\.paypalobjects\.com\/en_US\/i\/logo\/logo_emailheader_113wx46h\.gif/
# meta       __PAYPAL_IMG_NOT_RCVD_LINK    __URI_IMG_PAYPAL && !__HDR_RCVD_PAYPAL
# meta       GB_PAYPAL_IMG_NOT_RCVD_LINK   __PAYPAL_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
# describe   GB_PAYPAL_IMG_NOT_RCVD_LINK   Paypal hosted image but message not from Paypal
# score      GB_PAYPAL_IMG_NOT_RCVD_LINK   2.500    # limit

# header     GB_PHP_BADVERSION		 X-Mailer =~ /PHP\/' \. phpversion\(\);/
# describe   GB_PHP_BADVERSION		 Impossible Php version
# score      GB_PHP_BADVERSION		 1.000	 # limit