#
#header		REPLYTO_MANY_AT	Reply-To =~ /\@.+\@/
#describe	REPLYTO_MANY_AT	More than one @ in Reply-To:
#
#header		SENDER_MANY_AT	Sender =~ /\@.+\@/
#describe	SENDER_MANY_AT	More than one @ in Sender:
#
#header		FROM_MANY_AT	From =~ /\@.+\@/
#describe	FROM_MANY_AT	More than one @ in From:
#

header         RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe       RDNS_LOCALHOST  Sender's public rDNS is "localhost"

#body		EU_SPAM_LAW	m,Directive 2000/31/EC of the European Parliament,i
#describe	EU_SPAM_LAW	Quoting "European Parliament" spam law

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   HTML_ATTACH    Content-Type =~ m,text/html;.+\.html?\b,i
  describe     HTML_ATTACH    HTML attachment to bypass scanning?

  mimeheader   OBFU_TEXT_ATTACH    Content-Type =~ m,application/octet-stream;.+\.txt\b,i
  describe     OBFU_TEXT_ATTACH    Text attachment with non-text MIME type
endif

# general case of spample observation
#header         MUA_ONE_WORD       X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe       MUA_ONE_WORD       Single word X-Mailer: not CamelCase

body           DEAR_BENEFICIARY		/^\s?(?:Dear\s|At+(?:ention|n):\s?)Beneficiary\b/i
describe       DEAR_BENEFICIARY		Dear Beneficiary:

body           DEAR_EMAIL_USER		/^\s?(?:Dear\s|Attention:\s?)(?:E|Web)-?mail\sUser\b/i
describe       DEAR_EMAIL_USER		Dear Email User:
score          DEAR_EMAIL_USER		3.0


# from users list spamples 8/2009
uri            URI_NUMERIC_CCTLD     m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe       URI_NUMERIC_CCTLD     CCTLD URI with multiple numeric subdomains


# From should have whitespace between the comment and the address
header         __FROM_MISSPACED      From =~ /^\s*"[^"]*"</
describe       __FROM_MISSPACED      From: missing whitespace

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         FROM_MISSP_FREEMAIL   __FROM_MISSPACED && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  describe     FROM_MISSP_FREEMAIL   From misspaced + freemail provider
endif

meta           FROM_MISSP_MSFT       __FROM_MISSPACED && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
describe       FROM_MISSP_MSFT       From misspaced + supposed Microsoft tool

meta           FROM_MISSP_DYNIP      __FROM_MISSPACED && RDNS_DYNAMIC
describe       FROM_MISSP_DYNIP      From misspaced + dynamic rDNS


# observed in spam 8/2009
header         __MUA_EQ_ORG_1        ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism
header         __MUA_EQ_ORG_2        ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism
meta           MAILER_EQ_ORG         __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2
describe       MAILER_EQ_ORG         X-Mailer: same as Organization:

# observed in UCE 9/2009
header         __HDRS_LCASE          ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to):/sm
tflags         __HDRS_LCASE          multiple
meta           HDRS_LCASE            __HDRS_LCASE > 2
describe       HDRS_LCASE            Odd capitalization of multiple message headers

# observed in spam 9/2009
header         HDRS_MISSP            ALL =~ /\n(?:Subject|From):\S/ism
describe       HDRS_MISSP            Misspaced headers

header         SPAMMY_MIME_BDRY_01  Content-Type =~ /boundary="\@\@BOUNDARY"/
describe       SPAMMY_MIME_BDRY_01  Spammy MIME boundary string
score          SPAMMY_MIME_BDRY_01  0.10

# testing
header         __TB_MIME_BDRY_NO_Z   Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
meta           TBIRD_SUSP_MIME_BDRY  __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe       TBIRD_SUSP_MIME_BDRY  Unlikely Thunderbird MIME boundary

# seen in a few HTML fraud spams
rawbody        RUNON_SHY          /(?:\&shy;){3}/i
describe       RUNON_SHY          Repeating soft hyphens
score          RUNON_SHY          0.1

# Seen all too often
header         LAZY_LISTWASHING   To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
describe       LAZY_LISTWASHING   Lazy spammer, painfully obvious bogus addresses
score          LAZY_LISTWASHING   0.25

# Little to work with
body           __PLS_REVIEW       /\b(?:please|kindly)\sreview(\s\w+)?\sattach(?:ed|ment)\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __DOC_ATTACH_MT    Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
  mimeheader   __DOC_ATTACH_FN1   Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
  mimeheader   __DOC_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
  meta         __DOC_ATTACH       (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
  mimeheader   __PDF_ATTACH_MT    Content-Type =~ m,\bapplication/pdf\b,i
  mimeheader   __PDF_ATTACH_FN1   Content-Type =~ /="[^"]+\.pdf"/i
  mimeheader   __PDF_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.pdf"/i
  meta         __PDF_ATTACH       (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         RVW_ATTCH_FREEMAIL   __PLS_REVIEW && (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
  describe     RVW_ATTCH_FREEMAIL   Please review attachment, from freemail
  score        RVW_ATTCH_FREEMAIL   1.0
endif