# SpamAssassin rules file: tests.
#
# note: body tests are run with long lines, so be sure to limit the
# size of searches; use ".{0,30}" instead of ".*" to avoid huge
# search times.
###########################################################################
# Version requirement for this rules file.
require_version 2.40
# Collaborative checksum tests (Razor1, Razor2, DCC, Pyzor). Each is a "full"
# rule implemented by an eval function and tagged "net" with tflags.
# NOTE(review): "net" presumably marks tests that contact an external
# service, so a hit depends on that service being reachable and on what it
# returns -- confirm how these rules behave in local-only scanning.
full RAZOR_CHECK eval:check_razor1()
describe RAZOR_CHECK Listed in Razor1, see http://razor.sourceforge.net/
tflags RAZOR_CHECK net
full RAZOR2_CHECK eval:check_razor2()
describe RAZOR2_CHECK Listed in Razor2, see http://razor.sourceforge.net/
tflags RAZOR2_CHECK net
full DCC_CHECK eval:check_dcc()
describe DCC_CHECK Listed in DCC, see http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dcc.html
tflags DCC_CHECK net
full PYZOR_CHECK eval:check_pyzor()
describe PYZOR_CHECK Listed in Pyzor, see http://pyzor.sourceforge.net/
tflags PYZOR_CHECK net
###########################################################################
# Spam phrase scores are absolute numbers, not percentages.
#
# The Fibonacci sequence was used to reduce the dependence on the
# distribution and magnitude of scores and to avoid any sharp cut-offs.
# One rule per score band. Each passes a lower and an upper bound, as quoted
# strings, to check_for_spam_phrases(); the bounds run 00, 01, 02, 03, 05,
# 08, 13, 21, 34, 55.
# Adjacent bands share a boundary value (e.g. '01' ends the first band and
# starts the second). Which band a score exactly on a boundary falls into is
# decided inside the eval function, which is not visible in this file.
body SPAM_PHRASE_00_01 eval:check_for_spam_phrases('00', '01')
describe SPAM_PHRASE_00_01 Spam phrases score is 00 to 01 (low)
body SPAM_PHRASE_01_02 eval:check_for_spam_phrases('01', '02')
describe SPAM_PHRASE_01_02 Spam phrases score is 01 to 02 (low)
body SPAM_PHRASE_02_03 eval:check_for_spam_phrases('02', '03')
describe SPAM_PHRASE_02_03 Spam phrases score is 02 to 03 (medium)
body SPAM_PHRASE_03_05 eval:check_for_spam_phrases('03', '05')
describe SPAM_PHRASE_03_05 Spam phrases score is 03 to 05 (medium)
body SPAM_PHRASE_05_08 eval:check_for_spam_phrases('05', '08')
describe SPAM_PHRASE_05_08 Spam phrases score is 05 to 08 (medium)
body SPAM_PHRASE_08_13 eval:check_for_spam_phrases('08', '13')
describe SPAM_PHRASE_08_13 Spam phrases score is 08 to 13 (medium)
body SPAM_PHRASE_13_21 eval:check_for_spam_phrases('13', '21')
describe SPAM_PHRASE_13_21 Spam phrases score is 13 to 21 (high)
body SPAM_PHRASE_21_34 eval:check_for_spam_phrases('21', '34')
describe SPAM_PHRASE_21_34 Spam phrases score is 21 to 34 (high)
body SPAM_PHRASE_34_55 eval:check_for_spam_phrases('34', '55')
describe SPAM_PHRASE_34_55 Spam phrases score is 34 to 55 (high)
# Open-ended top band: the upper bound is the quoted string 'undef', not a
# number. NOTE(review): presumably the eval function treats this string as
# "no upper limit" -- confirm against check_for_spam_phrases().
body SPAM_PHRASE_55_XX eval:check_for_spam_phrases('55', 'undef')
describe SPAM_PHRASE_55_XX Spam phrases score 55 or higher (high)
###########################################################################
# List-removal wording. All five rules are case-insensitive body regexes and
# carry the same description, so a report line alone does not say which
# pattern fired; use the rule name for that.
# Every gap between keywords is a bounded quantifier ({1,15} or {0,40}),
# which keeps matching cost limited on long body lines.
body REMOVE_SUBJ /remove.{1,15}subject/i
describe REMOVE_SUBJ List removal information
# Requires a word character somewhere in the 41 characters before "subject".
body SUBJ_REMOVE /\w.{0,40}subject.{1,15}remove/i
describe SUBJ_REMOVE List removal information
body REPLY_REMOVE_SUBJECT /reply.{1,15}remove.{1,15}subject/i
describe REPLY_REMOVE_SUBJECT List removal information
# The word "remove" inside literal double quotes.
body REMOVE_IN_QUOTES /\"remove\"/i
describe REMOVE_IN_QUOTES List removal information
body DISCONTINUE /\"discontinue\".{1,15}no further notices/i
describe DISCONTINUE List removal information
###########################################################################
# HTML parser tests
# Share of the message made up of HTML tags, in three bands. Both bounds are
# passed to html_percentage() as quoted strings. The bands share boundary
# values ('70', '90'); how an exact boundary is assigned is decided inside
# the eval function, which is not visible in this file.
body HTML_50_70 eval:html_percentage('50','70')
describe HTML_50_70 Message is 50-70% HTML tags
body HTML_70_90 eval:html_percentage('70','90')
describe HTML_70_90 Message is 70-90% HTML tags
body HTML_90_100 eval:html_percentage('90','100')
describe HTML_90_100 Message is 90-100% HTML tags
# The remaining rules in this section each pass one named key to html_test().
# The detection logic for every key lives in the HTML parser code, so the
# "describe" text is the only statement of intent available here.
body TABLE_THICK_BORDER eval:html_test('thick_border')
describe TABLE_THICK_BORDER HTML table has thick border
# Active content. JAVASCRIPT_VERY_UNSAFE is described as auto-executing
# script, i.e. the case that needs no action from the reader.
body JAVASCRIPT eval:html_test('javascript')
describe JAVASCRIPT JavaScript code
body JAVASCRIPT_VERY_UNSAFE eval:html_test('javascript_very_unsafe')
describe JAVASCRIPT_VERY_UNSAFE Auto-executing JavaScript code
body HTML_WITH_BGCOLOR eval:html_test('bgcolor_nonwhite')
describe HTML_WITH_BGCOLOR HTML mail with non-white background
body BIG_FONT eval:html_test('big_font')
describe BIG_FONT FONT Size +2 and up or 3 and up
# Recipient tracking: an image reference carrying a per-recipient identifier.
body WEB_BUGS eval:html_test('web_bugs')
describe WEB_BUGS Image tag with an ID code to identify you
body HTML_COMMENT_8BITS eval:html_test('comment_8bit')
describe HTML_COMMENT_8BITS HTML comment has 3 consecutive 8-bit characters
body HTML_COMMENT_SAVED_URL eval:html_test('comment_saved_url')
describe HTML_COMMENT_SAVED_URL HTML message is a saved web page
# Font colour tests.
body HTML_FONT_COLOR_NOHASH eval:html_test('font_color_nohash')
describe HTML_FONT_COLOR_NOHASH HTML font color is missing hash (#) character
body HTML_FONT_COLOR_UNSAFE eval:html_test('font_color_unsafe')
describe HTML_FONT_COLOR_UNSAFE HTML font color not within safe 6x6x6 palette
body HTML_FONT_COLOR_NAME eval:html_test('font_color_name')
describe HTML_FONT_COLOR_NAME HTML font color has unusual name
# Hidden text: font colour equal to the background colour, so the text is in
# the message but not visible when rendered.
body HTML_FONT_INVISIBLE eval:html_test('font_invisible')
describe HTML_FONT_INVISIBLE HTML font color is same as background
body HTML_FONT_COLOR_GRAY eval:html_test('font_gray')
describe HTML_FONT_COLOR_GRAY HTML font color is gray
body HTML_FONT_COLOR_RED eval:html_test('font_red')
describe HTML_FONT_COLOR_RED HTML font color is red
body HTML_FONT_COLOR_YELLOW eval:html_test('font_yellow')
describe HTML_FONT_COLOR_YELLOW HTML font color is yellow
body HTML_FONT_COLOR_GREEN eval:html_test('font_green')
describe HTML_FONT_COLOR_GREEN HTML font color is green
body HTML_FONT_COLOR_CYAN eval:html_test('font_cyan')
describe HTML_FONT_COLOR_CYAN HTML font color is cyan
body HTML_FONT_COLOR_BLUE eval:html_test('font_blue')
describe HTML_FONT_COLOR_BLUE HTML font color is blue
body HTML_FONT_COLOR_MAGENTA eval:html_test('font_magenta')
describe HTML_FONT_COLOR_MAGENTA HTML font color is magenta
body HTML_FONT_COLOR_UNKNOWN eval:html_test('font_color_unknown')
describe HTML_FONT_COLOR_UNKNOWN HTML font color is unknown to us
# Font face tests.
body HTML_FONT_FACE_BAD eval:html_test('font_face_bad')
describe HTML_FONT_FACE_BAD HTML font face is not a word
body HTML_FONT_FACE_ODD eval:html_test('font_face_odd')
describe HTML_FONT_FACE_ODD HTML font face is not a commonly used face
body HTML_FONT_FACE_CAPS eval:html_test('font_face_caps')
describe HTML_FONT_FACE_CAPS HTML font face has excess capital characters
# Remote content pulled in when the message is rendered.
# many spammers seem to do this nowadays (and probably track
# their customers with it). (contrib: WW)
body RELAYING_FRAME eval:html_test('relaying_frame')
describe RELAYING_FRAME Frame wanted to load outside URL
body HTML_EMBEDS eval:html_test('embeds')
describe HTML_EMBEDS HTML with embedded plugin object
###########################################################################
# rawbody HTML tests
# Matches an HTML event-handler attribute name (onBlur, onClick,
# onMouseOver, ...) at a word boundary, then any run of whitespace, "=", "3",
# "d" or quote characters, then at least one non-space character.
# NOTE(review): the "3" and "d" in the character class presumably let the
# rule match the quoted-printable form "=3D" of "=" in undecoded text --
# confirm.
# The separator run uses "*", so no "=" is required: a plain word that starts
# with one of these names followed by more letters also matches. Check the
# false-positive rate before relying on this rule alone.
rawbody JAVASCRIPT_UNSAFE /\bon(?:Blur|Change|Focus|Error|Key(?:Press|Down|Up)|Mouse(?:Down|Up|Over|Move|Out)|Resize|Move|Scroll|Stop|Click)[\s=3d\"\']*\S+[\"\']?/i
describe JAVASCRIPT_UNSAFE Easily-executed JavaScript code
# Disabled rule, kept with its measurement line.
# 0.001 0.000 0.002 0.00 1.00 JAVASCRIPT_OBFUSCATING (low matches)
#rawbody JAVASCRIPT_OBFUSCATING /charCodeAt|fromCharCode/i
#describe JAVASCRIPT_OBFUSCATING An attempt to hide spam inside obfuscating Javascript code
# Fixed strings; both patterns are case-sensitive (no /i).
rawbody SPAM_FORM /CHANGE EMAIL ADDRESS IN ACTION OF FORM/
describe SPAM_FORM Form for changing email address
rawbody SPAM_FORM_RETURN /return validate_form/
describe SPAM_FORM_RETURN Form for checking email address
# A form action attribute whose value starts with four decimal numeric
# character references (&#NNN;) in a row, i.e. a target written as entities
# rather than readable characters.
rawbody SPAM_FORM_ACTION /action="\&\#\d+;\&\#\d+;\&\#\d+;\&\#\d+;/i
describe SPAM_FORM_ACTION Obfuscated action attribute in HTML form
# NOTE(review): the next two lines do not belong together. SPAM_FORM_INPUT
# has a pattern but no "describe", OBFUSCATING_COMMENT has a "describe" but
# no rule, and the pattern as written only requires a "]" followed by a
# character that is neither whitespace nor "<". It looks as if text between
# "<" and ">" was lost when this copy was produced. Restore both rules from
# the distributed rules file before using this copy.
rawbody SPAM_FORM_INPUT /][^\s<]/
describe OBFUSCATING_COMMENT HTML comments which obfuscate text
# A single tag that has an onMouseOver handler and assigns window.status,
# which replaces the link target shown in the browser status bar.
# NOTE(review): both "[^>]+" runs are unbounded. On a long line with many "<"
# and no ">" the match can backtrack heavily, and message content is chosen
# by the sender. The note at the top of this file asks for bounded searches
# in body tests; consider bounding these runs too, after measuring against
# real mail.
rawbody HIDE_WIN_STATUS /<[^>]+onMouseOver=[^>]+window\.status=/i
describe HIDE_WIN_STATUS Javascript to hide URLs in browser
# href value that starts with "www." (optionally quoted), so the link has no
# explicit scheme.
rawbody LINK_TO_NO_SCHEME /\s+href=['"]?www\./i
describe LINK_TO_NO_SCHEME Contains link without http:// prefix
rawbody HTML_WIN_OPEN /(?: