# These are oddities seen in Other People's Spam, i.e. I have no hits in my test corpora
# Mixed-case HTML tag detection. The sub-rules count img/anchor tags on non-quoted
# lines (lines whose first character is not ">"); the metas then compare one count
# against the "consistent case" count for the same tag.
# NOTE(review): this group looks incomplete as shown. __HAS_IMG_SRC_ONECASE gets tflags
# below but has no describe/rawbody here, and __HAS_HREF is used in a meta without a
# visible definition. Confirm against the upstream copy before relying on the metas.
describe __HAS_IMG_SRC Has an img tag on a non-quoted line
# NOTE(review): as written this pattern also requires two literal "]" characters before
# the tag and accepts only all-lowercase or all-uppercase "img src", which fits the
# _ONECASE name rather than this rule's name. Presumably text was lost or merged here.
rawbody __HAS_IMG_SRC /^[^>].*?].*?].*?<(img src|IMG SRC)=/m
# multiple + maxhits: count every hit in the message, capped at 100.
tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100
describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
# Matches only "a href" or "A HREF"; a spelling such as "A href" is not counted.
rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m
tflags __HAS_HREF_ONECASE multiple maxhits=100
describe __MIXED_IMG_CASE Has img tags with mixed-up cases in non-quoted lines
# True when __HAS_IMG_SRC has more hits than __HAS_IMG_SRC_ONECASE.
meta __MIXED_IMG_CASE __HAS_IMG_SRC - __HAS_IMG_SRC_ONECASE > 0
describe __MIXED_HREF_CASE Has anchor tags with mixed-up cases in non-quoted lines
# True when __HAS_HREF has more hits than __HAS_HREF_ONECASE.
meta __MIXED_HREF_CASE __HAS_HREF - __HAS_HREF_ONECASE > 0
describe __MIXED_TAG_CASE Has multiple mixed-case tags in non-quoted lines.
# Requires both the img and the anchor mixed-case metas to be true.
meta __MIXED_TAG_CASE __MIXED_IMG_CASE && __MIXED_HREF_CASE
# Matches a From header with three space-separated words of two or more word characters
# followed by " <" and the same three words joined by one character each.
# The "." separators are unescaped, so any single character matches there, not only a dot.
# The match is case-sensitive: the back-references must repeat the words exactly.
describe SCC_THREE_WORD_MONTY Are you POTUS or a mass murderer?
header SCC_THREE_WORD_MONTY From =~ /(\w{2,}) (\w{2,}) (\w{2,}) <\1.\2.\3/
# Fingerprint Majordomo lists
# NOTE(review): the pattern on the next line is cut off (there is no closing "/"), and
# SCC_MAJORDOMO receives tflags without a visible describe or rule definition. Restore
# both from the upstream copy; an unterminated pattern is not expected to pass
# `spamassassin --lint`.
header __SCC_MD_UNSUB List-Unsubscribe =~ /: 1
# "nice" marks SCC_MAJORDOMO as a ham indicator, i.e. a rule meant to lower the score.
tflags SCC_MAJORDOMO nice
# Tests the X-Mailer header against one exact, fully anchored string.
# NOTE(review): header rules normally see the header's value without its name, so the
# leading "X-Mailer: " inside the pattern would match only if the value itself repeats
# the header name. Confirm whether that doubled form is the intended fingerprint.
# The "." in "14.0" is unescaped and matches any single character.
describe SCC_ODD_MUA Unlikely MUA for a modern human
header SCC_ODD_MUA X-Mailer =~ /^X-Mailer: Microsoft Outlook 14.0$/
# Matches a body line that consists only of a GUID-shaped hex token in the layout
# 8-4-3-3-12, where the second 3-digit group must repeat the first one (back-reference \3).
# This is not the standard 8-4-4-4-12 GUID layout.
describe SCC_SPECIAL_GUID Unique in a similar way
rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m
# publish: request publication of this rule; multiple/maxhits: count up to 15 hits.
tflags SCC_SPECIAL_GUID publish multiple maxhits=15
# The explicit score below is commented out, so no fixed score is assigned in this file.
#score SCC_SPECIAL_GUID 0.3
# True when the X-Spam-Relays-External pseudo-header is empty, i.e. SpamAssassin
# classified none of the Received hops as external.
describe __NO_EXTERNALS No external relays
header __NO_EXTERNALS X-Spam-Relays-External =~ /^$/
describe ALL_INTERNAL Has only internal relays
# NO_RELAYS is not defined in this file. Excluding it keeps this rule from firing on
# messages that have no relay information at all.
meta ALL_INTERNAL __NO_EXTERNALS && !NO_RELAYS
# "nice" makes this a ham indicator. Which hops count as internal depends on the local
# trusted_networks / internal_networks settings, so an over-broad network list would
# let this score reduction apply to mail that did arrive from outside. Review those
# settings before giving the rule a meaningful negative score.
tflags ALL_INTERNAL nice
# Looks for one of three gTLD labels anywhere in the X-Beenthere header value.
# NOTE(review): the pattern is not anchored on the right and is case-sensitive. ".today"
# also matches inside a longer label such as ".todayfoo", and ".ONLINE" is missed.
# Consider a trailing boundary and /i if only real TLD matches are wanted.
describe SCC_NEWBIE_HASBEENS Abused gTLDs seen in spam from Google Apps.
header SCC_NEWBIE_HASBEENS X-Beenthere =~ /\.(today|online|monster)/
# Matches an "<object ...>" tag whose only content after the tag name is a single run of
# 65 to 80 word characters (optional spaces after "<" and before ">").
# NOTE(review): case-sensitive, so "<OBJECT ...>" is not matched. Confirm that is intended.
describe T_SCC_HTML_OBJOBJ Contains an object
rawbody T_SCC_HTML_OBJOBJ /< *object +\w{65,80} *>/
# Matches the literal sequence "54,55,56,58,53" anywhere in the X-Mailer-LID header.
# The pattern is unanchored, so longer values containing that sequence also hit.
describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware
header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/
# publish: request publication of this rule.
tflags SCC_ISEMM_LID_1 publish
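# TESTING a few domains that are in our "suspicious" list but are known to have some good senders
# Each rule matches a bracketed From address (<local@domain>) whose domain ends in the
# given TLD. Matching is case-insensitive (/i) because domain names are case-insensitive
# and the sender chooses the header's spelling; a case-sensitive pattern misses ".SPACE".
# NOTE(review): a From header that carries a bare address without <...> still does not
# match these patterns.
describe T_SCC_TLD_SPACE From domain in *.space
header T_SCC_TLD_SPACE From =~ /<[^ @]+@[^ @>]+\.space>/i
describe T_SCC_TLD_ONLINE From domain in *.online
header T_SCC_TLD_ONLINE From =~ /<[^ @]+@[^ @>]+\.online>/i
describe T_SCC_TLD_XYZ From domain in *.xyz
header T_SCC_TLD_XYZ From =~ /<[^ @]+@[^ @>]+\.xyz>/i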
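# URL-host rules. Each pattern is anchored to the start of the URI, stays inside the host
# part, escapes the dots, and requires the host to end right after the domain (optional
# port, then "/", "?", "#" or end of string). A look-alike host such as
# "res.cloudinary.com.example" (constructed example), or a path or query that merely
# contains the name, therefore does not count as a hit. /i is used because host names are
# case-insensitive. "#" is written as "\#" so the config parser does not treat it as the
# start of a comment.
describe T_SCC_URL_NOTIONSITE has a notion.site URL
# Any subdomain of notion.site.
uri T_SCC_URL_NOTIONSITE /^https?:\/\/[^\/?\#\s]*\.notion\.site(?::\d+)?(?:[\/?\#]|$)/i
# multiple + maxhits: count up to 5 matching URIs per message.
tflags T_SCC_URL_NOTIONSITE multiple maxhits=5
describe T_SCC_URL_CLOUDINARY Has Cloudinary backend(?) URL
# Exactly the host res.cloudinary.com.
uri T_SCC_URL_CLOUDINARY /^https?:\/\/res\.cloudinary\.com(?::\d+)?(?:[\/?\#]|$)/i
tflags T_SCC_URL_CLOUDINARY multiple maxhits=5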