# uri         __MALWARE_DROPBOX_JAR_URI   m;^https?://[^.]+\.dropbox\.com/(\w+)/(\w+)/(\w+)\.jar\?dl\=1;i
# meta        GB_MALWARE_DROPBOX_JAR_URI	( __MALWARE_DROPBOX_JAR_URI && (HTML_SHORT_LINK_IMG_1 || HTML_SHORT_LINK_IMG_2 || HTML_SHORT_LINK_IMG_3) )
# describe    GB_MALWARE_DROPBOX_JAR_URI Dropbox that forces user to download jar file

uri         GB_GOOGLE_OBFUR	/^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])+\&cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&url=https?:\/\/.{1,50}&usg=.{1,50}/
describe    GB_GOOGLE_OBFUR	Obfuscate url through Google redirect
score       GB_GOOGLE_OBFUR     0.75 # limit
tflags      GB_GOOGLE_OBFUR     publish

uri         GB_GOOGLE_OBFUS	/^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/
describe    GB_GOOGLE_OBFUS	Obfuscate url through Google search
score       GB_GOOGLE_OBFUS     0.75 # limit
#tflags      GB_GOOGLE_OBFUS     publish

header      __COPY_OF       Subject =~ /Copy of:|offers for you/
meta        GB_COPY_OF_SHORT   ( __URL_SHORTENER && __COPY_OF && __KAM_BODY_LENGTH_LT_1024 )
describe    GB_COPY_OF_SHORT   Url shortnener spam

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  meta      GB_FROMNAME_SPOOFED_EMAIL_IP  ( FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
  describe  GB_FROMNAME_SPOOFED_EMAIL_IP  From:name looks like a spoofed email from a spoofed ip
  score     GB_FROMNAME_SPOOFED_EMAIL_IP  0.50 # limit
  tflags    GB_FROMNAME_SPOOFED_EMAIL_IP  publish
endif

header     __HDR_RCVD_GOOGLE           X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
uri        __URI_IMG_GDRIVE            /^https:\/\/www\.google\.com\/drive\/static\/images\/drive\/logo-drive\.png/
uri        __URI_IMG_GPHOTO            /^https:\/\/www\.google\.com\/photos\/about\/static\/images\/logo_photos_64dp\.svg/

meta       __GDRIVE_IMG_NOT_RCVD_GOOG  __URI_IMG_GDRIVE && !__HDR_RCVD_GOOGLE
meta       __GPHOTO_IMG_NOT_RCVD_GOOG  __URI_IMG_GPHOTO && !__HDR_RCVD_GOOGLE
meta       GB_GOOG_IMG_NOT_RCVD_GOOG   ( __GDRIVE_IMG_NOT_RCVD_GOOG || __GPHOTO_IMG_NOT_RCVD_GOOG ) && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
describe   GB_GOOG_IMG_NOT_RCVD_GOOG   Google hosted image but message not from Google
score      GB_GOOG_IMG_NOT_RCVD_GOOG   2.500    # limit
# tflags     GB_GOOG_IMG_NOT_RCVD_GOOG   publish

header     __HDR_RCVD_LINKEDIN           X-Spam-Relays-External =~ /rdns=mail\S+\-\S+\.linkedin\.com\s/
uri        __URI_IMG_LINKEDIN            /^https:\/\/static\.licdn\.com\/scds\/common\/u\/images\/email\/artdeco\/illustrations\/56\/magnifying-glass\.png/

meta       __LINKED_IMG_NOT_RCVD_LINK    __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
meta       GB_LINKED_IMG_NOT_RCVD_LINK   __LINKED_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
describe   GB_LINKED_IMG_NOT_RCVD_LINK   Linkedin hosted image but message not from Linkedin
score      GB_LINKED_IMG_NOT_RCVD_LINK   2.500    # limit
tflags     GB_LINKED_IMG_NOT_RCVD_LINK   publish

uri        __SENDINBLUE_REDIR            m~://.{4,5}\.r\.a[a-z]?\.d\.sendibm[0-9]\.com/mk/([a-z]){2}/~
meta       SENDINBLUE_REDIR              __SENDINBLUE_REDIR && !MIME_HTML_MOSTLY && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION
describe   SENDINBLUE_REDIR              Redirect URI via Sendinblue
score      SENDINBLUE_REDIR              2.000    # limit
# tflags     SENDINBLUE_REDIR            publish

meta       __SENDINBLUE_REDIR_PHISH      __SENDINBLUE_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
meta       SENDINBLUE_REDIR_PHISH        __SENDINBLUE_REDIR_PHISH
describe   SENDINBLUE_REDIR_PHISH        Redirect URI via Sendinblue + phishing signs
score      SENDINBLUE_REDIR_PHISH        3.500    # limit
# tflags     SENDINBLUE_REDIR_PHISH        publish