rawbody __HTML_UTF7 /]{0,200}\bcharset=.?utf-7\b/i
####
#### Basic stuff
####
uri URI_IN_URI_5 /(?::\/\/.*?){5}/
describe URI_IN_URI_5 Multiple URIs inside URI
uri URI_IN_URI_10 /(?::\/\/.*?){10}/
describe URI_IN_URI_10 Multiple URIs inside URI
uri URI_IN_URI_20 /(?::\/\/.*?){20}/
describe URI_IN_URI_20 Multiple URIs inside URI
body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
describe MILLION_HUNDRED Million "One to Nine" Hundred
tflags MILLION_HUNDRED publish
body HK_FIRST_NAME_TMPL /__FIRST_NAME__/
score HK_FIRST_NAME_TMPL 1
body HK_UNSUB_TMPL /__UNSUBSCRIBE_/
score HK_UNSUB_TMPL 1
#header HK_XOIP_4SINGLES X-Originating-IP =~ /^\[?\d\.\d\.\d\.\d\]?$/
#score HK_XOIP_3SINGLES 1
#header HK_XOIP_3SINGLES X-Originating-IP =~ /^\[?(?:\d\d+\.\d\.\d\.\d|\d\.\d\d+\.\d\.\d|\d\.\d\.\d\d+\.\d|\d\.\d\.\d\.\d\d+)\]?$/
#score HK_XOIP_3SINGLES 1
#header HK_XOIP_0FRONT X-Originating-IP =~ /(?:^\[?|\.)0[1-9]/
#score HK_XOIP_0FRONT 1
#header HK_XOIP_0 X-Originating-IP =~ /(?:^\[?|\.)0+(?:\.|\]?$)/
#score HK_XOIP_0 1
#header HK_EMPTY_DKIM_S DKIM-Signature =~ /[\s;]s=\s*;/
#score HK_EMPTY_DKIM_S 1
header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
score HK_RCVD_IP_MULTICAST 2
tflags HK_RCVD_IP_MULTICAST publish
header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
score HK_RANDOM_ENVFROM 1
tflags HK_RANDOM_ENVFROM publish
describe HK_RANDOM_FROM From username looks random
score HK_RANDOM_FROM 1
tflags HK_RANDOM_FROM publish
describe HK_RANDOM_REPLYTO Reply-To username looks random
score HK_RANDOM_REPLYTO 1
tflags HK_RANDOM_REPLYTO publish
#header HK_RANDOM_FROM_NAME From:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
#describe HK_RANDOM_FROM_NAME From name looks random
#header HK_RANDOM_REPLYTO_NAME Reply-To:name =~ /^(?!.*?(?:@|cnnbc|nlpbr)).*?(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
#describe HK_RANDOM_REPLYTO_NAME Reply-To name looks random
header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
score HK_NAME_DRUGS 2
#header HK_NAME_FREE From:name =~ /\b(?:get)?free(?!\.fr)\b/mi
#describe HK_NAME_FREE From name mentions free stuff
#score HK_NAME_FREE 0.5
#header HK_SUBJECT_SPACES Subject =~ /^(?!.{80}\#).*?\s{10}/
#describe HK_SUBJECT_SPACES Lots of spaces in Subject
#header HK_SUBJECT_SPACES_SC Subject =~ /\s{10}(?:[a-z]|\d{1,4})(?:\s|$)/i
#describe HK_SUBJECT_SPACES_SC Lots of spaces in Subject with some obfuscation
#body __hk_million /(?:(?:[0-9]{3}[ ,.]?){2,4}|[0-9] ?M\b|mill(?:(?:es?|ons?)(?: de\b)?|ion)).{0,18}(?:\$|[\xa3\xa4]|eur\b|usd\b|gbp\b|cfa\b|euro?s?\b|dollard?s?\b|pounds?\b|francs?\b)/i
#body __hk_million2 /(?:\$|[\xa3\xa4]|eur|usd?|gbp|cfa|euro?s?|dollard?s?|pounds?|francs?)(?: de\b)? mill(?:(?:es?|ons?)|ion)/
#body __hk_hthousand /hundred.{0,20}thousand.{0,20}(?:eur|usd|gbp|cfa|euro?s?|dollard?s?|pounds?|francs?)\b/i
body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
#meta HK_MUCHMONEY __hk_million || __hk_million2 || __hk_hthousand || __hk_bigmoney
#describe HK_MUCHMONEY Message refers to hundreds of thousands or millions
#score HK_MUCHMONEY 0.001
#body __hk_win_1 /\b(?:prize|lucky|dear|emerged(?: a)?) (?:winner|money)/i
body __hk_win_2 /\battn.{0,10}winner/i
body __hk_win_3 /\bhappily aa?nnounce/i
body __hk_win_4 /\bpleas(?:ure|ed) to inform/i
body __hk_win_5 /\b(?:notice the|your) winning/i
#body __hk_win_6 /\b(?:ha(?:s|ve)|you) w[io]n/i
body __hk_win_7 /\bcongratulations? to your/i
body __hk_win_8 /\bunexpected luck/i
body __hk_win_9 /\blucky (?:nl )number/i
body __hk_win_0 /\byour? e-?mail just w[oi]n/i
body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i
body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i
body __hk_win_c /\bune adresse e-?mail sur internet/i
body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i
#body __hk_win_e /\b(?:tic(?:ket)?|batch|\bbt|serial|\bsr|\brf|ref(?:erence)?)(?:\:| ?(?:number|no\b|nr))/i
#body __hk_win_f /\bnum.ro de (?:ticket|s.rie|r.f.rence|lot)/i
#body __hk_win_g /\bselected randomly/i
#body __hk_win_h /\brandomly selected/i
body __hk_win_i /\bfunds? transfer/i
body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i
#body __hk_win_k /\bclaim(?:s? officer| your| procedure)/i
body __hk_win_l /\b(?:make|file) (?:for )?your claim/i
body __hk_win_m /\br.clamation de votre prix/i
body __hk_win_n /\bcollect your prize/i
body __hk_win_o /\bclarification and procedure/i
meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
score HK_WIN 1
#body __HK_LOTTO_1 /\b(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department) ?lot(?:eri[ej]|t(?:ery|o))/i
body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
#body __HK_LOTTO_JACKPOT /\bmega jackpot\b/i
body __HK_LOTTO_STAATS /\bstaatsloteri/i
body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
#body __HK_LOTTO_AWARD /(?:cash prize|prize awards?|you have been awarded|award (?:notification|notice))/i
meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
score HK_LOTTO 1
#header HK_LOTTO_SUBJECT Subject =~ /\blot(?:eri[ej]|t(?:ery|o))\b/mi
#score HK_LOTTO_SUBJECT 1
#header HK_LOTTO_NAME From =~ /^[^@]*(?:lot(?:eri[ej]|t(?:ery|o))|award|winner)/mi
#score HK_LOTTO_NAME 1
#body __HK_SCAM_N1 /\b(?:widow|son|daughter|husband|wife|brother|sister) of (?:the )?(?:late|sacked|dead|passed)\b/i
body __HK_SCAM_N2 /\bnext of kin\b/i
body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i
#body __HK_SCAM_N4 /\b(?:e?mail me below|reply (?:me to )?this e?mail (?:at|to)?|send your reply (?:to|at))\b/i
body __HK_SCAM_N8 /\byour compensation\b/i
#body __HK_SCAM_N9 /\bseek for your indulgence\b/i
#body __HK_SCAM_N12 /\binsured with your email\b/i
#body __HK_SCAM_N13 /\b(?:business|important|discreet) transaction\b/i
#body __HK_SCAM_N14 /\bsum of amount\b/i
body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i
body __HK_SCAM_S1 /pay you the sum of/i
#body __HK_SCAM_S7 /(?:(?:investment|proposed|lucrative) (?:business|venture)|(?:business|venture) (?:enterprise|propos(?:al|ition)))/i
#body __HK_SCAM_S12 /fidelity investments international/i
body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i
body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i
#body __HK_SCAM_S3 /invest(?:ment (?:in your area|partner)|in your country|assist me in an investment)/i
#body __HK_SCAM_S4 /transfer (?:this|my|of )?funds?/i
#body __HK_SCAM_S22 /\bmining companies/i
#body __HK_SCAM_S23 /(?:\b(?:urgent alert|start trade|get it at monday)\b|\b(?:5-|five )day price:)/i
meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
score HK_SCAM 2
tflags HK_SCAM publish
body HK_GOLDDUST /\bgold ?dust\b/i
#body HK_PNIS /\bpenis\b/i
#score HK_PNIS 1
#body HK_PNISES /\bpenises\b/i
#score HK_PNISES 1
# From Mike Cappella
header __TAB_IN_FROM From:raw =~ /^\t/s
describe __TAB_IN_FROM From starts with a tab
meta TAB_IN_FROM __TAB_IN_FROM && !__ML_TURNS_SP_TO_TAB
describe TAB_IN_FROM From starts with a tab
score TAB_IN_FROM 0.5
####
#### FreeMail related
####
ifplugin Mail::SpamAssassin::Plugin::FreeMail
#REQUIRING VERSION 3.4 BECAUSE From:name works improperly prior to that version.
if (version >= 3.004000)
header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
score HK_NAME_MR_MRS 1.0
meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
score HK_NAME_FM_MR_MRS 1.5
header __HK_NAME_FROM From:name =~ /^FROM\b/mi
meta HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
score HK_NAME_FROM 1.0
meta HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
score HK_NAME_FM_FROM 1.5
endif
#header __HK_NAME_DR From:name =~ /^DR\b/mi
#meta HK_NAME_DR __HK_NAME_DR && !FREEMAIL_FROM
#score HK_NAME_DR 1.0
#meta HK_NAME_FM_DR __HK_NAME_DR && FREEMAIL_FROM
#score HK_NAME_FM_DR 1.5
endif
####
#### MIMEHeader
####
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
meta HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
score HK_CTE_RAW 2
tflags HK_CTE_RAW publish
mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
endif
####
#### Some fakename tests which rely in SPF & DKIM
####
#ifplugin Mail::SpamAssassin::Plugin::SPF
#ifplugin Mail::SpamAssassin::Plugin::DKIM
# check spf and dkim for all, false hits per bug 6417
#header __HK_NAME_MICROSOFT From:name =~ /(microsoft|\bmsn\b)/i
#header __HK_HELO_MICROSOFT X-Spam-Relays-External =~ / helo=\S+\.(?:microsoft(?:email)?|msn)\.com /
#meta HK_FAKENAME_MICROSOFT __HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT && !SPF_PASS && !DKIM_VALID_AU
#describe HK_FAKENAME_MICROSOFT From name mentions Microsoft, but not relayed from there
#header __HK_NAME_YAHOO From:name =~ /\byahoo\b/i
#header __HK_HELO_YAHOO X-Spam-Relays-External =~ / helo=[^ ]+\.yahoo\.com /
#meta HK_FAKENAME_YAHOO __HK_NAME_YAHOO && !__HK_HELO_YAHOO && !SPF_PASS && !DKIM_VALID_AU
#describe HK_FAKENAME_YAHOO From name mentions Yahoo, but not relayed from there
#header __HK_NAME_PAYPAL From:name =~ /\bpaypal\b/i
#header __HK_HELO_PAYPAL X-Spam-Relays-External =~ / helo=[^ ]+\.paypal\b/
#meta HK_FAKENAME_PAYPAL __HK_NAME_PAYPAL && !__HK_HELO_PAYPAL && !SPF_PASS && !DKIM_VALID_AU
#describe HK_FAKENAME_PAYPAL From name mentions PayPal, but not relayed from there
#header __HK_NAME_EBAY From:name =~ /\bebay\b/i
#header __HK_HELO_EBAY X-Spam-Relays-External =~ / helo=[^ ]+\.(?:ebay|emarsys)\b/
#meta HK_FAKENAME_EBAY __HK_NAME_EBAY && !__HK_HELO_EBAY && !SPF_PASS && !DKIM_VALID_AU
#describe HK_FAKENAME_EBAY From name mentions eBay, but not relayed from there
#endif
#endif