# uri __MALWARE_DROPBOX_JAR_URI m;^https?://[^.]+\.dropbox\.com/(\w+)/(\w+)/(\w+)\.jar\?dl\=1;i # meta GB_MALWARE_DROPBOX_JAR_URI ( __MALWARE_DROPBOX_JAR_URI && (HTML_SHORT_LINK_IMG_1 || HTML_SHORT_LINK_IMG_2 || HTML_SHORT_LINK_IMG_3) ) # describe GB_MALWARE_DROPBOX_JAR_URI Dropbox that forces user to download jar file uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])+\&cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&url=https?:\/\/.{1,50}&usg=.{1,50}/ describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect score GB_GOOGLE_OBFUR 0.75 # limit tflags GB_GOOGLE_OBFUR publish uri GB_GOOGLE_OBFUS /^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/ describe GB_GOOGLE_OBFUS Obfuscate url through Google search score GB_GOOGLE_OBFUS 0.75 # limit #tflags GB_GOOGLE_OBFUS publish header __COPY_OF Subject =~ /Copy of:|offers for you/ meta GB_COPY_OF_SHORT ( __URL_SHORTENER && __COPY_OF && __KAM_BODY_LENGTH_LT_1024 ) describe GB_COPY_OF_SHORT Url shortnener spam ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof meta GB_FROMNAME_SPOOFED_EMAIL_IP ( FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) describe GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip score GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit tflags GB_FROMNAME_SPOOFED_EMAIL_IP publish endif header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ /rdns=mail-\S+\.google\.com\s/ uri __URI_IMG_GDRIVE /^https:\/\/www\.google\.com\/drive\/static\/images\/drive\/logo-drive\.png/ uri __URI_IMG_GPHOTO /^https:\/\/www\.google\.com\/photos\/about\/static\/images\/logo_photos_64dp\.svg/ meta __GDRIVE_IMG_NOT_RCVD_GOOG __URI_IMG_GDRIVE && !__HDR_RCVD_GOOGLE meta __GPHOTO_IMG_NOT_RCVD_GOOG __URI_IMG_GPHOTO && !__HDR_RCVD_GOOGLE meta GB_GOOG_IMG_NOT_RCVD_GOOG ( __GDRIVE_IMG_NOT_RCVD_GOOG || __GPHOTO_IMG_NOT_RCVD_GOOG ) && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP describe GB_GOOG_IMG_NOT_RCVD_GOOG Google hosted image but message not from Google score GB_GOOG_IMG_NOT_RCVD_GOOG 2.500 # limit # tflags GB_GOOG_IMG_NOT_RCVD_GOOG publish header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /rdns=mail\S+\-\S+\.linkedin\.com\s/ uri __URI_IMG_LINKEDIN /^https:\/\/static\.licdn\.com\/scds\/common\/u\/images\/email\/artdeco\/illustrations\/56\/magnifying-glass\.png/ meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN meta GB_LINKED_IMG_NOT_RCVD_LINK __LINKED_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP describe GB_LINKED_IMG_NOT_RCVD_LINK Linkedin hosted image but message not from Linkedin score GB_LINKED_IMG_NOT_RCVD_LINK 2.500 # limit tflags GB_LINKED_IMG_NOT_RCVD_LINK publish # header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /rdns=mx\S+\.slc\.paypal\.com\s/ # uri __URI_IMG_PAYPAL /^https:\/\/www\.paypalobjects\.com\/en_US\/i\/logo\/logo_emailheader_113wx46h\.gif/ # meta __PAYPAL_IMG_NOT_RCVD_LINK __URI_IMG_PAYPAL && !__HDR_RCVD_PAYPAL # meta GB_PAYPAL_IMG_NOT_RCVD_LINK __PAYPAL_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP # describe GB_PAYPAL_IMG_NOT_RCVD_LINK Paypal hosted image but message not from Paypal # score GB_PAYPAL_IMG_NOT_RCVD_LINK 2.500 # limit header __HDR_RCVD_UNICREDIT X-Spam-Relays-External =~ /rdns=mx\d+\.unicredit\.eu\s/ uri __URI_IMG_UNICREDIT /^https:\/\/www\.unicreditgroup\.eu\/etc\/designs\/unicreditgroupn\/img\/static\/logoHiRes\.png/ meta __UNICR_IMG_NOT_RCVD_LINK __URI_IMG_UNICREDIT && !__HDR_RCVD_UNICREDIT meta GB_UNICR_IMG_NOT_RCVD_LINK __UNICR_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP describe GB_UNICR_IMG_NOT_RCVD_LINK Unicredit Bank hosted image but message not from Unicredit # score GB_UNICR_IMG_NOT_RCVD_LINK 2.500 # limit header __FROM_NAME_WETRANSFER From:name =~ /WeTransfer/i meta GB_WETRANSFER_HTM ( HTML_ATTACH && __FROM_NAME_WETRANSFER ) describe GB_WETRANSFER_HTM WeTransfer html attachment score GB_WETRANSFER_HTM 2.0 # limit