# SpamAssassin rules file: CVS rules under test
#
# This file is a placeholder for rules "under probation", ie. checked into
# CVS for testing. It should not be distributed; if the rules have good
# stats after a mass-check or two, then fold them into the distributed
# rules files.
#
# I suggest adding a prefix to rules in this file, "T_" -- this
# helps identify probationary rules in test output.
#
# See the file "License" in the top level of the SpamAssassin distribution
# for usage terms.
#
###########################################################################

# NOTE(review): in this copy every directive below is preceded by '#', so
# none of the rules is active as shown. Only the two T_MSGID_SPAMSIGN lines
# are explicitly marked as held back ("for activation after 2.50 release");
# confirm against the upstream file whether the other '# ' prefixes are
# intentional before relying on any of these rules.

# for activation after 2.50 release:
#header T_MSGID_SPAMSIGN_99X9XX99 MESSAGEID =~ /^<\d\d\d\d\d\d[a-z]\d[a-z][a-z]\d\d\$[a-z][a-z][a-z]\d\d\d\d\d\$\d\d\d\d\d\d\d\d\@/
#describe T_MSGID_SPAMSIGN_99X9XX99 Message-Id generated by spam tool (99x9xx99 variant)

# header T_RCVD_6_CAPS_ESMTP_ID Received =~ /^from \[\d+\.\d+\.\d+\.\d+\] by\s+\S+\s+with\s+ESMTP\s+id\s+[A-Z]{6};/
# describe T_RCVD_6_CAPS_ESMTP_ID Received header forged by spam tool (6-caps ESMTP ID variant)

# NOTE(review): the year field here is two digits ([0-6]\d) and the zone is
# exactly three capitals; the pattern is anchored at both ends.
# header T_DATE_SPAMWARE_Y2K Date =~ /^[A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} [0-6]\d \d\d:\d\d:\d\d [A-Z]{3}$/
# describe T_DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting

# NOTE(review): the two ":raw" sub-rules look for the =?charset?B? and
# =?charset?Q? encoded-word markers in the undecoded Subject, while
# __SUBJ_HAS_NON_ASCII tests the Subject without ":raw". The metas fire when
# an encoded-word is present but no byte in the listed ranges is found.
# Some legitimate mailers may encode plain-ASCII subjects as well, so the
# false-positive rate needs checking in mass-check before promotion.
# header __SUBJ_BASE64 Subject:raw =~ /=\?[^\?]+\?B\?/
# header __SUBJ_QP Subject:raw =~ /=\?[^\?]+\?Q\?/
# header __SUBJ_HAS_NON_ASCII Subject =~ /[\x00-\x06\x0e-\x1f\x80-\xff]/
# meta T_UNNECESSARY_SUBJ_B64_ENCODING (__SUBJ_BASE64 && !__SUBJ_HAS_NON_ASCII)
# meta T_UNNECESSARY_SUBJ_QP_ENCODING (__SUBJ_QP && !__SUBJ_HAS_NON_ASCII)
# describe T_UNNECESSARY_SUBJ_B64_ENCODING Subject encoded to hide from filters (B64)
# describe T_UNNECESSARY_SUBJ_QP_ENCODING Subject encoded to hide from filters (QP)

# A new spamware creates invalid Date stamps, using printf ("%d:%d:%d").
# Catch it here (assuming one of the above doesn't catch it anyway).
# NOTE(review): the meta fires when a space-delimited h:m:s field with 1-2
# digits per part is present but no fully zero-padded HH:MM:SS field is.
# The FoxMail and EarthLink exemptions key on X-Mailer, which is supplied by
# the sender, so they reduce false positives but are not an authenticity
# signal.
# header __POSS_INVALID_DATE_TIME Date =~ / \d{1,2}:\d{1,2}:\d{1,2} /
# header __DATE_TIME_VALID Date =~ / \d\d:\d\d:\d\d /
# header __XM_FOXMAIL X-Mailer =~ /FoxMail/
# header __XM_EARTHLINK X-Mailer =~ /EarthLink MailBox \d\.\d/
# meta T_INVALID_DATE_HMS (__POSS_INVALID_DATE_TIME && !__DATE_TIME_VALID && !__XM_FOXMAIL && !__XM_EARTHLINK)
# describe T_INVALID_DATE_HMS Date header does not use valid HH:MM:SS formatting

# possible replacement for INVALID_DATE.
# NOTE(review): the group opened at "(?:[12][901]?[0-9]{2}" is never closed,
# so the parentheses in this pattern are unbalanced and it would not compile
# as written. Presumably "(?:[12][901])?[0-9]{2}" (optional century, then a
# two-digit year) was intended -- confirm before enabling.
# NOTE(review): "[if-unset: ...]" supplies a well-formed Date value for
# messages that have no Date header, so the "!~" test does not fire merely
# because the header is missing.
# NOTE(review): __XM_FOXMAIL and __XM_EARTHLINK repeat the definitions
# given for T_INVALID_DATE_HMS above; one copy is enough.
# header __INVALID_DATE Date !~ /^\s*(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), )?[0-3 ]?[0-9] (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) (?:[12][901]?[0-9]{2} [0-2][0-9](?:\:[0-5][0-9]){1,2} (?:[+-][0-9]{4}|UT|[A-Z]{2,3}T)(?:\s+\(.*\))?\s*$/ [if-unset: Wed, 31 Jul 2002 16:41:57 +0200]
# header __XM_FOXMAIL X-Mailer =~ /FoxMail/
# header __XM_EARTHLINK X-Mailer =~ /EarthLink MailBox \d\.\d/
# meta T_INVALID_DATE_2 (__INVALID_DATE && !__XM_FOXMAIL && !__XM_EARTHLINK)
# describe T_INVALID_DATE_2 Invalid Date: header (not RFC 2822)

# Weird. Can only assume this is caused by PEBKAC on the sending side...
# NOTE(review): this line is declared "header", but its right-hand side is a
# boolean expression over other rule names -- the form the "meta" lines in
# this file use. It looks like it should be a "meta" rule; confirm.
# header T_SEZ_HTML_BUT_NOT (MIME_HTML_ONLY && !HTML_MESSAGE)
# describe T_SEZ_HTML_BUT_NOT Claims to be HTML, but is actually plain text

# Jul 3 2002 jm: modified PENIS_ENLARGE patterns: removed "add", replaced with "inches",
# because that seems to be another typical word in the pattern.
# Feb 11 2003 jm: removed "PP" from pattern, since "pp. 234-237" is std usage
# in academic circles. I don't think the hit-rate will be affected. ;)
# bug: http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1471
# NOTE(review): the two rules are mirror images (verb ... noun, and
# noun ... verb). The gap between the alternations is bounded by .{0,50},
# which keeps the amount of text each match attempt can span small.
# body T_PENIS_ENLARGE /\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b).{0,50}\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast)/i
# describe T_PENIS_ENLARGE Information on getting a larger penis or breasts
# body T_PENIS_ENLARGE2 /\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast).{0,50}\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b)/i
# describe T_PENIS_ENLARGE2 Information on getting a larger penis or breasts (2)

# Feb 18 2003 jm: another Nigerian scam
# body T_NIGERIAN_SCAM_VIRTUE /by virtue of its nature as being utterly confidential/i
# describe T_NIGERIAN_SCAM_VIRTUE Contains Nigerian scam text (virtue of its nature)

# Feb 18 2003 jm: try another combo. I'm not sure __NIGERIAN_HONESTY is req'd.
# NOTE(review): each meta sums the same six sub-rules and compares the count
# with a threshold, so the thresholds nest: a message that reaches GOVT_6
# also hits GOVT_5, GOVT_4 and GOVT_3. Any scores given to these rules
# therefore add up; take that into account when scoring.
# NOTE(review): no "describe" lines are visible for the T_NIGERIAN_BODY_GOVT_*
# rules in this copy.
# body __NIGERIAN_CODE_CONDUCT /\bcode of conduct\b/i
# body __NIGERIAN_CIV_SERVICE /\bcivil service\b/i
# body __NIGERIAN_TOP_SECRET /\btop secret\b/i
# body __NIGERIAN_STRICT_CONF /\b(?:strictest confidence|utmost secrecy)\b/i
# body __NIGERIAN_HONESTY /\btransparent honesty\b/i
# body __NIGERIAN_DISBURSE /\bdisburs/i
# meta T_NIGERIAN_BODY_GOVT_6 ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_HONESTY + __NIGERIAN_TOP_SECRET + __NIGERIAN_STRICT_CONF + __NIGERIAN_DISBURSE) >= 6)
# meta T_NIGERIAN_BODY_GOVT_5 ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_HONESTY + __NIGERIAN_TOP_SECRET + __NIGERIAN_STRICT_CONF + __NIGERIAN_DISBURSE) >= 5)
# meta T_NIGERIAN_BODY_GOVT_4 ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_HONESTY + __NIGERIAN_TOP_SECRET + __NIGERIAN_STRICT_CONF + __NIGERIAN_DISBURSE) >= 4)
# meta T_NIGERIAN_BODY_GOVT_3 ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_HONESTY + __NIGERIAN_TOP_SECRET + __NIGERIAN_STRICT_CONF + __NIGERIAN_DISBURSE) >= 3)