diff --git a/sa-updates/20_advance_fee.cf b/sa-updates/20_advance_fee.cf index 5d83f97..fb057fc 100644 --- a/sa-updates/20_advance_fee.cf +++ b/sa-updates/20_advance_fee.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 # predicate naming used to avoid renumbering # 1. assign new rules a random unique three letter sequence diff --git a/sa-updates/20_body_tests.cf b/sa-updates/20_body_tests.cf index 700bd42..7cba37c 100644 --- a/sa-updates/20_body_tests.cf +++ b/sa-updates/20_body_tests.cf @@ -30,7 +30,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 ########################################################################### # GTUBE test - the generic test for UBE. diff --git a/sa-updates/20_compensate.cf b/sa-updates/20_compensate.cf index 83ba608..1a9972e 100644 --- a/sa-updates/20_compensate.cf +++ b/sa-updates/20_compensate.cf @@ -24,9 +24,10 @@ ########################################################################### # Header compensation tests -require_version 3.004006 +require_version 4.000000 header __HAS_RCVD exists:Received +priority __HAS_RCVD -2000 # Bug 8078 meta NO_RECEIVED (!__HAS_RCVD) tflags NO_RECEIVED nice userconf describe NO_RECEIVED Informational: message has no Received headers diff --git a/sa-updates/20_dnsbl_tests.cf b/sa-updates/20_dnsbl_tests.cf index 5d615f2..8907552 100644 --- a/sa-updates/20_dnsbl_tests.cf +++ b/sa-updates/20_dnsbl_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 ########################################################################### diff --git a/sa-updates/20_drugs.cf b/sa-updates/20_drugs.cf index 124695f..a52237b 100644 --- a/sa-updates/20_drugs.cf +++ b/sa-updates/20_drugs.cf @@ -31,7 +31,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 ########################################################################### # header rules diff --git a/sa-updates/20_dynrdns.cf b/sa-updates/20_dynrdns.cf index 98d783b..dddc96d 100644 --- a/sa-updates/20_dynrdns.cf +++ b/sa-updates/20_dynrdns.cf @@ -25,7 +25,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 # --------------------------------------------------------------------------- diff --git a/sa-updates/20_fake_helo_tests.cf b/sa-updates/20_fake_helo_tests.cf index e18a829..21b732c 100644 --- a/sa-updates/20_fake_helo_tests.cf +++ b/sa-updates/20_fake_helo_tests.cf @@ -25,7 +25,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 #--------------------------------------------------------------------------- # Handle hosts that look like HELO_DYNAMIC hosts diff --git a/sa-updates/20_head_tests.cf b/sa-updates/20_head_tests.cf index 5d9f71b..060c8b5 100644 --- a/sa-updates/20_head_tests.cf +++ b/sa-updates/20_head_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 ########################################################################### @@ -264,19 +264,23 @@ header NONEXISTENT_CHARSET Content-Type =~ /charset=.?DEFAULT/ describe NONEXISTENT_CHARSET Character set doesn't exist header __HAS_MESSAGE_ID exists:Message-Id +priority __HAS_MESSAGE_ID -2000 # Bug 8078 meta MISSING_MID !__HAS_MESSAGE_ID describe MISSING_MID Missing Message-Id: header header __HAS_DATE exists:Date +priority __HAS_DATE -2000 # Bug 8078 meta MISSING_DATE !__HAS_DATE describe MISSING_DATE Missing Date: header header __HAS_SUBJECT exists:Subject +priority __HAS_SUBJECT -2000 # Bug 8078 meta MISSING_SUBJECT !__HAS_SUBJECT describe MISSING_SUBJECT Missing Subject: header # bug 6353 header __HAS_FROM exists:From +priority __HAS_FROM -2000 # Bug 8078 meta MISSING_FROM !__HAS_FROM describe MISSING_FROM Missing From: header diff --git a/sa-updates/20_html_tests.cf b/sa-updates/20_html_tests.cf index 0745e7d..f3503a9 100644 --- a/sa-updates/20_html_tests.cf +++ b/sa-updates/20_html_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 # HTML parser tests # @@ -234,5 +234,6 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEEval # __MIME_ATTACHMENT also used in 20_meta_tests.cf body __MIME_ATTACHMENT eval:check_for_mime('mime_attachment') +priority __MIME_ATTACHMENT -2000 # Bug 8078 endif diff --git a/sa-updates/20_meta_tests.cf b/sa-updates/20_meta_tests.cf index aad82fe..449392a 100644 --- a/sa-updates/20_meta_tests.cf +++ b/sa-updates/20_meta_tests.cf @@ -29,7 +29,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 # some tests that will trigger FPs on ISO-2022-JP mails. @@ -60,8 +60,10 @@ describe PERCENT_RANDOM Message has a random macro in it # __MIME_ATTACHMENT defined in 20_html_tests.cf body __NONEMPTY_BODY /\S/ +tflags __NONEMPTY_BODY nosubject +priority __NONEMPTY_BODY -2000 # Bug 8078 meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY -describe EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text +describe EMPTY_MESSAGE Message appears to have no textual parts meta NO_HEADERS_MESSAGE (MISSING_DATE && MISSING_HEADERS && NO_RECEIVED && NO_RELAYS && MISSING_MID) describe NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 headers diff --git a/sa-updates/20_net_tests.cf b/sa-updates/20_net_tests.cf index 3f2da4c..f8198f8 100644 --- a/sa-updates/20_net_tests.cf +++ b/sa-updates/20_net_tests.cf @@ -30,7 +30,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 # bug 2220. nice results meta DIGEST_MULTIPLE RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1 diff --git a/sa-updates/20_phrases.cf b/sa-updates/20_phrases.cf index 4601c33..cd439c3 100644 --- a/sa-updates/20_phrases.cf +++ b/sa-updates/20_phrases.cf @@ -27,7 +27,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 ########################################################################### diff --git a/sa-updates/20_porn.cf b/sa-updates/20_porn.cf index 487ce3e..4989034 100644 --- a/sa-updates/20_porn.cf +++ b/sa-updates/20_porn.cf @@ -27,7 +27,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 ########################################################################### diff --git a/sa-updates/20_uri_tests.cf b/sa-updates/20_uri_tests.cf index 11bb24b..c6afc96 100644 --- a/sa-updates/20_uri_tests.cf +++ b/sa-updates/20_uri_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 # possible IDN spoofing attack: https://web.archive.org/web/20141006091906/https://www.shmoo.com/idn/homograph.txt # not expecting any hits on this (yet) diff --git a/sa-updates/23_bayes.cf b/sa-updates/23_bayes.cf index 274f424..e0ed2e7 100644 --- a/sa-updates/23_bayes.cf +++ b/sa-updates/23_bayes.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 ########################################################################### diff --git a/sa-updates/25_dkim.cf b/sa-updates/25_dkim.cf index 8cb9831..2067427 100644 --- a/sa-updates/25_dkim.cf +++ b/sa-updates/25_dkim.cf @@ -117,7 +117,7 @@ if can(Mail::SpamAssassin::Plugin::DKIM::has_arc) full ARC_VALID eval:check_arc_valid() describe ARC_VALID Message has a valid ARC signature - tflags ARC_VALID net + tflags ARC_VALID net nice reuse ARC_VALID meta ARC_INVALID ARC_SIGNED && !ARC_VALID diff --git a/sa-updates/25_uribl.cf b/sa-updates/25_uribl.cf index f575ed9..55133a3 100644 --- a/sa-updates/25_uribl.cf +++ b/sa-updates/25_uribl.cf @@ -174,11 +174,12 @@ endif #tflags URIBL_SC_SURBL net notrim #reuse URIBL_SC_SURBL -urirhssub URIBL_WS_SURBL multi.surbl.org. A 4 -body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL') -describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist -tflags URIBL_WS_SURBL net notrim -reuse URIBL_WS_SURBL +#REMOVED per bug 8093 +#urirhssub URIBL_WS_SURBL multi.surbl.org. A 4 +#body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL') +#describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist +#tflags URIBL_WS_SURBL net notrim +#reuse URIBL_WS_SURBL urirhssub URIBL_PH_SURBL multi.surbl.org. A 8 body URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL') @@ -308,7 +309,7 @@ uridnsbl_skip_domain real.com redhat.com regions.com regionsnet.com uridnsbl_skip_domain rogers.com rr.com sbcglobal.net sec.gov sf.net uridnsbl_skip_domain shaw.ca shockwave.com smithbarney.com uridnsbl_skip_domain sourceforge.net spamcop.net speedera.net sportsline.com -uridnsbl_skip_domain sun.com suntrust.com sympatico.ca t-online.de +uridnsbl_skip_domain sun.com suntrust.com t-online.de uridnsbl_skip_domain tails.nl telus.net terra.com.br ticketmaster.com uridnsbl_skip_domain tinyurl.com tiscali.co.uk tom.com uridnsbl_skip_domain tone.co.nz tux.org uol.com.br @@ -346,7 +347,7 @@ uridnsbl_skip_domain amazon.de amazonses.com bandcamp.com uridnsbl_skip_domain booking.com cdninstagram.com dhl.com uridnsbl_skip_domain dhl.fi dna.fi domain.fi dpd.de dropbox.com ebay.fr uridnsbl_skip_domain elisa.fi elisanet.fi emltrk.com fbcdn.net ficora.fi -uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com +uridnsbl_skip_domain gappssmtp.com github.com google-analytics.com uridnsbl_skip_domain google.de google.fi googleusercontent.com uridnsbl_skip_domain gstatic.com hotels.com ikea.com images-amazon.com uridnsbl_skip_domain inet.fi instagram.com kolumbus.fi licdn.com linkedin.com diff --git a/sa-updates/25_url_shortener.cf b/sa-updates/25_url_shortener.cf index b5ddffd..4327a85 100644 --- a/sa-updates/25_url_shortener.cf +++ b/sa-updates/25_url_shortener.cf @@ -54,6 +54,7 @@ score URL_SHORTENER_DISABLED 2 # # generic list of likely active services - cleaned up 25.05.2022 +url_shortener .app.link url_shortener .ftn.app url_shortener .page.link url_shortener .short.gy @@ -113,6 +114,7 @@ url_shortener lnk.sk url_shortener lnkd.in url_shortener lnkiy.in url_shortener lru.jp +url_shortener lukora.cz url_shortener mrte.ch url_shortener n9.cl url_shortener ndurl.com @@ -125,6 +127,7 @@ url_shortener rb.gy url_shortener redir.ec url_shortener rotf.lol url_shortener s.apache.org +url_shortener s.free.fr url_shortener s.id url_shortener shar.es url_shortener shorl.com @@ -295,7 +298,7 @@ if !can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url_redir) ## perl -pe 'while (<>) {/^\s*url_shortener\s+(\S+)/ or next;$s=quotemeta($1);$s=~s/^\\./\\w+\\./;push @a,$s} print "uri __URL_SHORTENER m,^https?://(?:".join("|",@a).")/,i\n"' < 25_url_shortener.cf ## -uri __URL_SHORTENER m,^https?://(?:\w+\.ftn\.app|\w+\.page\.link|\w+\.short\.gy|\w+\.shortz\.me|0rz\.tw|4sq\.com|4url\.cc|afly\.co|ai6\.net|amzn\.com|amzn\.to|b\.link|b23\.ru|binged\.it|bit\.do|bit\.ly|bitly\.com|bizj\.us|chilp\.it|conta\.cc|crks\.me|cutt\.ly|cutwin\.biz|dai\.ly|db\.tt|disq\.us|dlvr\.it|doi\.org|doiop\.com|eepurl\.com|fb\.me|fire\.to|firsturl\.de|firsturl\.net|flic\.kr|gdurl\.com|go\.ly|goo\.gl|goolnk\.com|gplinks\.in|guest\.link|hellotxt\.com|hop\.kz|hotshorturl\.com|hub\.am|huff\.to|hurl\.it|hyperurl\.co|inx\.lv|is\.gd|it2\.in|j\.mp|kore\.us|kurl\.no|l\.bestsellers\.to|lnk\.sk|lnkd\.in|lnkiy\.in|lru\.jp|mrte\.ch|n9\.cl|ndurl\.com|onion\.com|ouo\.io|ow\.ly|owl\.li|pduda\.mobi|rb\.gy|redir\.ec|rotf\.lol|s\.apache\.org|s\.id|shar\.es|shorl\.com|shortn\.me|shorturl\.at|simurl\.net|slidesha\.re|smarturl\.it|smfu\.in|snip\.ly|snkr\.me|stpmvt\.com|t\.co|t\.ly|tcrn\.ch|tgr\.ph|tiny\.cc|tiny\.one|tiny\.pl|tinylink\.in|tinyurl\.com|to\.ly|trib\.al|twixar\.me|u\.nu|u\.to|url\.ie|urlcut\.com|urlday\.cc|urls\.im|urlz\.at|urlzs\.com|utfg\.sk|wow\.link|wp\.me|x\.co|x\.hypem\.com|xurl\.es|yhoo\.it|youtu\.be|z23\.ru|zurl\.ws|www\.shrunken\.com|0\.gp|2\.gp|2\.ly|3\.ly|4\.gp|4\.ly|5\.gp|6\.gp|6\.ly|7\.ly|8\.ly|9\.ly|g\.asia|p\.asia|ur3\.us|alturl\.com|\w+\.1sta\.com|\w+\.24ex\.com|\w+\.2fear\.com|\w+\.2fortune\.com|\w+\.2freedom\.com|\w+\.2hell\.com|\w+\.2savvy\.com|\w+\.2truth\.com|\w+\.2tunes\.com|\w+\.2ya\.com|\w+\.alturl\.com|\w+\.antiblog\.com|\w+\.bigbig\.com|\w+\.dealtap\.com|\w+\.ebored\.com|\w+\.echoz\.com|\w+\.filetap\.com|\w+\.funurl\.com|\w+\.headplug\.com|\w+\.hereweb\.com|\w+\.hitart\.com|\w+\.mirrorz\.com|\w+\.mp3update\.com|\w+\.shorturl\.com|\w+\.spyw\.com|\w+\.vze\.com|\w+\.arecool\.net|\w+\.iscool\.net|\w+\.isfun\.net|\w+\.tux\.nu|kisa\.link|www\.kisa\.link|bul\.tc|cy\.tc|fn\.tc|ftp\.tc|gr\.tc|hbr\.tc|heg\.tc|ins\.tc|ko\.tc|kod\.tc|lol\.tc|m2\.tc|ml\.tc|mmo\.tc|oy\.tc|pc\.tc|pubg\.tc|pvp\.tc|sro\.tc|tek\.link|tw\.tc|grabify\.link|catsnthing\.com|catsnthings\.fun|cheapcinema\.club|dateing\.club|fortnight\.space|fortnitechat\.site|freegiftcards\.co|gaming\-at\-my\.best|gamingfun\.me|headshot\.monster|imageshare\.best|joinmy\.site|leancoding\.co|locations\.quest|lovebird\.guru|myprivate\.pics|noodshare\.pics|partpicker\.shop|progaming\.monster|screenshare\.pics|screenshot\.best|shhh\.lol|shrekis\.life|sportshub\.bar|stopify\.co|trulove\.guru|yourmy\.monster)/,i +uri __URL_SHORTENER m,^https?://(?:\w+\.app\.link|\w+\.ftn\.app|\w+\.page\.link|\w+\.short\.gy|\w+\.shortz\.me|0rz\.tw|4sq\.com|4url\.cc|afly\.co|ai6\.net|amzn\.com|amzn\.to|b\.link|b23\.ru|binged\.it|bit\.do|bit\.ly|bitly\.com|bizj\.us|chilp\.it|conta\.cc|crks\.me|cutt\.ly|cutwin\.biz|dai\.ly|db\.tt|disq\.us|dlvr\.it|doi\.org|doiop\.com|eepurl\.com|fb\.me|fire\.to|firsturl\.de|firsturl\.net|flic\.kr|gdurl\.com|go\.ly|goo\.gl|goolnk\.com|gplinks\.in|guest\.link|hellotxt\.com|hop\.kz|hotshorturl\.com|hub\.am|huff\.to|hurl\.it|hyperurl\.co|inx\.lv|is\.gd|it2\.in|j\.mp|kore\.us|kurl\.no|l\.bestsellers\.to|lnk\.sk|lnkd\.in|lnkiy\.in|lru\.jp|lukora\.cz|mrte\.ch|n9\.cl|ndurl\.com|onion\.com|ouo\.io|ow\.ly|owl\.li|pduda\.mobi|rb\.gy|redir\.ec|rotf\.lol|s\.apache\.org|s\.free\.fr|s\.id|shar\.es|shorl\.com|shortn\.me|shorturl\.at|simurl\.net|slidesha\.re|smarturl\.it|smfu\.in|snip\.ly|snkr\.me|stpmvt\.com|t\.co|t\.ly|tcrn\.ch|tgr\.ph|tiny\.cc|tiny\.one|tiny\.pl|tinylink\.in|tinyurl\.com|to\.ly|trib\.al|twixar\.me|u\.nu|u\.to|url\.ie|urlcut\.com|urlday\.cc|urls\.im|urlz\.at|urlzs\.com|utfg\.sk|wow\.link|wp\.me|x\.co|x\.hypem\.com|xurl\.es|yhoo\.it|youtu\.be|z23\.ru|zurl\.ws|www\.shrunken\.com|0\.gp|2\.gp|2\.ly|3\.ly|4\.gp|4\.ly|5\.gp|6\.gp|6\.ly|7\.ly|8\.ly|9\.ly|g\.asia|p\.asia|ur3\.us|alturl\.com|\w+\.1sta\.com|\w+\.24ex\.com|\w+\.2fear\.com|\w+\.2fortune\.com|\w+\.2freedom\.com|\w+\.2hell\.com|\w+\.2savvy\.com|\w+\.2truth\.com|\w+\.2tunes\.com|\w+\.2ya\.com|\w+\.alturl\.com|\w+\.antiblog\.com|\w+\.bigbig\.com|\w+\.dealtap\.com|\w+\.ebored\.com|\w+\.echoz\.com|\w+\.filetap\.com|\w+\.funurl\.com|\w+\.headplug\.com|\w+\.hereweb\.com|\w+\.hitart\.com|\w+\.mirrorz\.com|\w+\.mp3update\.com|\w+\.shorturl\.com|\w+\.spyw\.com|\w+\.vze\.com|\w+\.arecool\.net|\w+\.iscool\.net|\w+\.isfun\.net|\w+\.tux\.nu|kisa\.link|www\.kisa\.link|bul\.tc|cy\.tc|fn\.tc|ftp\.tc|gr\.tc|hbr\.tc|heg\.tc|ins\.tc|ko\.tc|kod\.tc|lol\.tc|m2\.tc|ml\.tc|mmo\.tc|oy\.tc|pc\.tc|pubg\.tc|pvp\.tc|sro\.tc|tek\.link|tw\.tc|grabify\.link|catsnthing\.com|catsnthings\.fun|cheapcinema\.club|dateing\.club|fortnight\.space|fortnitechat\.site|freegiftcards\.co|gaming\-at\-my\.best|gamingfun\.me|headshot\.monster|imageshare\.best|joinmy\.site|leancoding\.co|locations\.quest|lovebird\.guru|myprivate\.pics|noodshare\.pics|partpicker\.shop|progaming\.monster|screenshare\.pics|screenshot\.best|shhh\.lol|shrekis\.life|sportshub\.bar|stopify\.co|trulove\.guru|yourmy\.monster)/,i endif diff --git a/sa-updates/30_text_de.cf b/sa-updates/30_text_de.cf index c14b3e3..39e4a05 100644 --- a/sa-updates/30_text_de.cf +++ b/sa-updates/30_text_de.cf @@ -348,7 +348,7 @@ endif ifplugin Mail::SpamAssassin::Plugin::URIDNSBL lang de describe URIBL_SBL Enthält URL in SBL-Liste (https://www.spamhaus.org/sbl/) #lang de describe URIBL_SC_SURBL Enthält URL in SC-Liste (www.surbl.org) - removed bug 7279 -lang de describe URIBL_WS_SURBL Enthält URL in WS-Liste (www.surbl.org) +#lang de describe URIBL_WS_SURBL Enthält URL in WS-Liste (www.surbl.org) lang de describe URIBL_PH_SURBL Enthält URL in PH-Liste (www.surbl.org) #lang de describe URIBL_OB_SURBL Enthält URL in OB-Liste (www.surbl.org) - REMOVED BUG 6853 #lang de describe URIBL_AB_SURBL Enthält URL in AB-Liste (www.surbl.org) - removed bug 7279 diff --git a/sa-updates/30_text_pt_br.cf b/sa-updates/30_text_pt_br.cf index 182d75c..3b8b358 100644 --- a/sa-updates/30_text_pt_br.cf +++ b/sa-updates/30_text_pt_br.cf @@ -353,7 +353,7 @@ lang pt_BR describe UPPERCASE_75_100 Mensagem possui de 75% a 100% de textos em lang pt_BR describe INVALID_MSGID Message-ID inválido, de acordo com a RFC-2822 lang pt_BR describe FORGED_MUA_MOZILLA Email forjado, tentando se passar como da Mozilla lang pt_BR describe PERCENT_RANDOM Mensagem contém uma macro randômica -lang pt_BR describe EMPTY_MESSAGE Mensagem parece não conter texto no conteúdo e no Assunto. +lang pt_BR describe EMPTY_MESSAGE Mensagem parece não conter texto no conteúdo. lang pt_BR describe NO_HEADERS_MESSAGE Mensagem parece não conter grande parte dos cabeçalhos RFC-822 # 20_net_tests.cf @@ -583,7 +583,7 @@ lang pt_BR describe URIBL_SBL Cont lang pt_BR describe URIBL_DBL_SPAM Contém uma URL listada na blocklist DBL blocklist lang pt_BR describe URIBL_DBL_ERROR Erro: Consultou a DBL por um IP #lang pt_BR describe URIBL_SC_SURBL Contém uma URL listada na blocklist SC SURBL - removed bug 7279 -lang pt_BR describe URIBL_WS_SURBL Contém uma URL listada na blocklist WS SURBL +#lang pt_BR describe URIBL_WS_SURBL Contém uma URL listada na blocklist WS SURBL lang pt_BR describe URIBL_PH_SURBL Contém uma URL listada na blocklist PH SURBL #lang pt_BR describe URIBL_OB_SURBL Contém uma URL listada na blocklist OB SURBL - REMOVED BUG 6853 #lang pt_BR describe URIBL_AB_SURBL Contém uma URL listada na blocklist AB SURBL - removed bug 7279 diff --git a/sa-updates/50_scores.cf b/sa-updates/50_scores.cf index 8df7bdd..3f3cd3f 100644 --- a/sa-updates/50_scores.cf +++ b/sa-updates/50_scores.cf @@ -814,7 +814,7 @@ score URIBL_CSS 0 0.1 0 0.1 score URIBL_SBL_A 0 0.1 0 0.1 score URIBL_CSS_A 0 0.1 0 0.1 #score URIBL_SC_SURBL 0 0.001 0 0.568 # n=0 n=2 - removed bug 7279 -score URIBL_WS_SURBL 0 1.659 0 1.608 # n=0 n=2 +#score URIBL_WS_SURBL 0 1.659 0 1.608 # n=0 n=2 - Removed bug 8093 score URIBL_MW_SURBL 0 1.263 0 1.263 score URIBL_CR_SURBL 0 1.263 0 1.263 score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2 diff --git a/sa-updates/60_welcomelist.cf b/sa-updates/60_welcomelist.cf index 9e59156..08dd083 100644 --- a/sa-updates/60_welcomelist.cf +++ b/sa-updates/60_welcomelist.cf @@ -35,7 +35,7 @@ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) header USER_IN_BLOCKLIST eval:check_from_in_blocklist() describe USER_IN_BLOCKLIST From: user is listed in the block-list - tflags USER_IN_BLOCKLIST userconf nice noautolearn + tflags USER_IN_BLOCKLIST userconf noautolearn score USER_IN_BLOCKLIST 100 # Backwards compatibility @@ -43,7 +43,7 @@ if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST - tflags USER_IN_BLACKLIST userconf nice noautolearn + tflags USER_IN_BLACKLIST userconf noautolearn score USER_IN_BLACKLIST 100 score USER_IN_BLOCKLIST 0.01 endif @@ -51,12 +51,12 @@ endif if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) header USER_IN_BLOCKLIST eval:check_from_in_blacklist() describe USER_IN_BLOCKLIST From: user is listed in the block-list - tflags USER_IN_BLOCKLIST userconf nice noautolearn + tflags USER_IN_BLOCKLIST userconf noautolearn score USER_IN_BLOCKLIST 0.01 meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST - tflags USER_IN_BLACKLIST userconf nice noautolearn + tflags USER_IN_BLACKLIST userconf noautolearn score USER_IN_BLACKLIST 100 endif @@ -115,13 +115,13 @@ endif if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) header USER_IN_BLOCKLIST_TO eval:check_to_in_blocklist() describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' - tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn + tflags USER_IN_BLOCKLIST_TO userconf noautolearn score USER_IN_BLOCKLIST_TO 10 if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO - tflags USER_IN_BLACKLIST_TO userconf nice noautolearn + tflags USER_IN_BLACKLIST_TO userconf noautolearn score USER_IN_BLACKLIST_TO 10 score USER_IN_BLOCKLIST_TO 0.01 endif @@ -129,12 +129,12 @@ endif if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) header USER_IN_BLOCKLIST_TO eval:check_to_in_blacklist() describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' - tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn + tflags USER_IN_BLOCKLIST_TO userconf noautolearn score USER_IN_BLOCKLIST_TO 0.01 meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO - tflags USER_IN_BLACKLIST_TO userconf nice noautolearn + tflags USER_IN_BLACKLIST_TO userconf noautolearn score USER_IN_BLACKLIST_TO 10 endif @@ -166,11 +166,11 @@ endif header USER_IN_MORE_SPAM_TO eval:check_to_in_more_spam() describe USER_IN_MORE_SPAM_TO User is listed in 'more_spam_to' -tflags USER_IN_MORE_SPAM_TO userconf nice noautolearn +tflags USER_IN_MORE_SPAM_TO userconf noautolearn header USER_IN_ALL_SPAM_TO eval:check_to_in_all_spam() describe USER_IN_ALL_SPAM_TO User is listed in 'all_spam_to' -tflags USER_IN_ALL_SPAM_TO userconf nice noautolearn +tflags USER_IN_ALL_SPAM_TO userconf noautolearn if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blocklist() diff --git a/sa-updates/72_active.cf b/sa-updates/72_active.cf index 7bfb621..a3fa4a7 100644 --- a/sa-updates/72_active.cf +++ b/sa-updates/72_active.cf @@ -23,7 +23,14 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 + +##{ ACCT_PHISHING_MANY + +meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY +describe ACCT_PHISHING_MANY Phishing for account information +#score ACCT_PHISHING_MANY 3.000 # limit +##} ACCT_PHISHING_MANY ##{ AC_BR_BONANZA @@ -351,13 +358,6 @@ describe BASE64_LENGTH_79_INF base64 encoded email part uses line length great endif ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval -##{ BAT_BDRY_TO_MALF - -meta BAT_BDRY_TO_MALF __BAT_BOUNDARY && __TO_NO_ARROWS_R -describe BAT_BDRY_TO_MALF Bat boundary + misformatted To: address -#score BAT_BDRY_TO_MALF 2.500 # limit -##} BAT_BDRY_TO_MALF - ##{ BEBEE_IMG_NOT_RCVD_BB meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB @@ -591,6 +591,13 @@ describe BITCOIN_YOUR_INFO BitCoin with your personal info tflags BITCOIN_YOUR_INFO publish ##} BITCOIN_YOUR_INFO +##{ BODY_SINGLE_URI + +meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML +describe BODY_SINGLE_URI Message body is only a URI +#score BODY_SINGLE_URI 2.500 # limit +##} BODY_SINGLE_URI + ##{ BODY_URI_ONLY meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV @@ -693,26 +700,6 @@ describe COMMENT_GIBBERISH Nonsense in long HTML comment tflags COMMENT_GIBBERISH publish ##} COMMENT_GIBBERISH -##{ COMPENSATION - -describe COMPENSATION "Compensation" -#score COMPENSATION 1.50 # limit -##} COMPENSATION - -##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -if !plugin(Mail::SpamAssassin::Plugin::DKIM) - meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD -endif -##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) - -##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM - -ifplugin Mail::SpamAssassin::Plugin::DKIM - meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE -endif -##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM - ##{ CONTENT_AFTER_HTML meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 ) @@ -768,14 +755,6 @@ endif body CURR_PRICE /\bCurrent Price:/ ##} CURR_PRICE -##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval -header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') -describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date -endif -##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval - ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) @@ -1225,13 +1204,6 @@ describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish ##} FRNAME_IN_MSG_XPRIO_NO_SUB -##{ FROM_2_EMAILS_SHORT - -meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) -describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails -#score FROM_2_EMAILS_SHORT 3.0 # limit -##} FROM_2_EMAILS_SHORT - ##{ FROM_ADDR_WS meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL @@ -1350,12 +1322,6 @@ describe FROM_MISSPACED From: missing whitespace #score FROM_MISSPACED 2.00 ##} FROM_MISSPACED -##{ FROM_MISSP_DYNIP - -meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC -describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS -##} FROM_MISSP_DYNIP - ##{ FROM_MISSP_EH_MATCH meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA @@ -1399,14 +1365,6 @@ meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) describe FROM_MISSP_USER From misspaced, from "User" ##} FROM_MISSP_USER -##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS - describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS -endif -##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS if (version >= 3.004001) @@ -1491,6 +1449,12 @@ endif endif ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval +##{ FROM_UNBAL1 + +header FROM_UNBAL1 From:raw =~ / < [^>]* $/xm +describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing +##} FROM_UNBAL1 + ##{ FSL_BULK_SIG meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 @@ -1510,6 +1474,11 @@ describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ ##} FSL_FAKE_HOTMAIL_RVCD +##{ FSL_HAS_TINYURL + +uri FSL_HAS_TINYURL /tinyurl\.com\// +##} FSL_HAS_TINYURL + ##{ FSL_HELO_BARE_IP_1 meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED @@ -1915,6 +1884,13 @@ describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing tflags GOOG_REDIR_DOCUSIGN publish ##} GOOG_REDIR_DOCUSIGN +##{ GOOG_REDIR_HTML_ONLY + +meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512 +describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only +#score GOOG_REDIR_HTML_ONLY 2.000 # limit +##} GOOG_REDIR_HTML_ONLY + ##{ GOOG_REDIR_NORDNS meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE @@ -2092,6 +2068,13 @@ header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdoma header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i ##} HELO_LOCALHOST +##{ HELO_MISC_IP + +meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2)) +describe HELO_MISC_IP Looking for more Dynamic IP Relays +#score HELO_MISC_IP 0.25 +##} HELO_MISC_IP + ##{ HELO_NO_DOMAIN meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST @@ -2182,6 +2165,12 @@ meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || tflags HK_SCAM publish ##} HK_SCAM +##{ HK_WIN + +meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) +#score HK_WIN 1 +##} HK_WIN + ##{ HOSTED_IMG_DIRECT_MX meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS @@ -2519,6 +2508,13 @@ describe LOTTO_AGENT Claims Agent #score LOTTO_AGENT 1.50 # limit ##} LOTTO_AGENT +##{ LOTTO_DEPT + +meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT +describe LOTTO_DEPT Claims Department +#score LOTTO_DEPT 2.00 # limit +##} LOTTO_DEPT + ##{ LUCRATIVE meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED @@ -2532,12 +2528,6 @@ tflags LUCRATIVE publish header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ ##} L_SPAM_TOOL_13 -##{ MALFORMED_FREEMAIL - -meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM -describe MALFORMED_FREEMAIL Bad headers on message from free email service -##} MALFORMED_FREEMAIL - ##{ MALF_HTML_B64 meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG @@ -2728,6 +2718,13 @@ meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS describe MONEY_ATM_CARD Lots of money on an ATM card ##} MONEY_ATM_CARD +##{ MONEY_BARRISTER + +meta MONEY_BARRISTER __BARRISTER && LOTS_OF_MONEY +describe MONEY_BARRISTER Lots of money from a UK lawyer +#score MONEY_BARRISTER 1.000 # limit +##} MONEY_BARRISTER + ##{ MONEY_FORM meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP @@ -2772,13 +2769,6 @@ ifplugin Mail::SpamAssassin::Plugin::FreeMail endif ##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail -##{ MONEY_FROM_41 - -meta MONEY_FROM_41 __MONEY_FROM_41 -describe MONEY_FROM_41 Lots of money from Africa -#score MONEY_FROM_41 2.00 # limit -##} MONEY_FROM_41 - ##{ MONEY_FROM_MISSP meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP @@ -2829,12 +2819,6 @@ tflags MSM_PRIO_REPTO publish meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) ##} MSOE_MID_WRONG_CASE -##{ NAME_EMAIL_DIFF - -meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL -describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address -##} NAME_EMAIL_DIFF - ##{ NA_DOLLARS body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i @@ -2864,6 +2848,13 @@ describe NICE_REPLY_A Looks like a legit reply (A) tflags NICE_REPLY_A nice ##} NICE_REPLY_A +##{ NORDNS_LOW_CONTRAST + +meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED +describe NORDNS_LOW_CONTRAST No rDNS + hidden text +#score NORDNS_LOW_CONTRAST 2.500 # limit +##} NORDNS_LOW_CONTRAST + ##{ NOT_SPAM body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i @@ -3000,14 +2991,27 @@ describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon #score PDS_DBL_URL_TNB_RUNON 2.0 ##} PDS_DBL_URL_TNB_RUNON -##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) +##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS - describe PDS_FROM_2_EMAILS From header has multiple different addresses -# score PDS_FROM_2_EMAILS 3.500 # limit +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 +describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener +#score PDS_EMPTYSUBJ_URISHRT 1.5 # limit endif -##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) +endif +##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +##{ PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY +describe PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener +#score PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit +endif +endif +##} PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ PDS_HELO_SPF_FAIL @@ -3035,16 +3039,12 @@ endif endif ##} PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval +##{ PDS_PHP_EVAL -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') -#score PDS_OTHER_BAD_TLD 2.0 -describe PDS_OTHER_BAD_TLD Untrustworthy TLDs -endif -endif -##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval +meta PDS_PHP_EVAL __PDS_PHP_EVAL1 +describe PDS_PHP_EVAL PHP header shows eval'd code +#score PDS_PHP_EVAL 1.5 +##} PDS_PHP_EVAL ##{ PDS_RDNS_DYNAMIC_FP @@ -3082,6 +3082,13 @@ describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TO #score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit ##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE +##{ PDS_TONAME_EQ_TOLOCAL_VSHORT + +meta PDS_TONAME_EQ_TOLOCAL_VSHORT __KAM_BODY_LENGTH_LT_128 && __PDS_TONAME_EQ_TOLOCAL +describe PDS_TONAME_EQ_TOLOCAL_VSHORT Very short body and From looks like 2 different emails +#score PDS_TONAME_EQ_TOLOCAL_VSHORT 1.0 # limit +##} PDS_TONAME_EQ_TOLOCAL_VSHORT + ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -3136,6 +3143,13 @@ describe PHP_ORIG_SCRIPT Sent by bot & other signs tflags PHP_ORIG_SCRIPT publish ##} PHP_ORIG_SCRIPT +##{ PHP_ORIG_SCRIPT_EVAL + +meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL +describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source +#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit +##} PHP_ORIG_SCRIPT_EVAL + ##{ PHP_SCRIPT meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT @@ -3166,6 +3180,12 @@ describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed tflags POSSIBLE_EBAY_PHISH_02 publish ##} POSSIBLE_EBAY_PHISH_02 +##{ POSSIBLE_GMAIL_PHISHER + +meta POSSIBLE_GMAIL_PHISHER (__FROM_ADDR_GMAIL && __NAME_EMAIL_DIFF) +describe POSSIBLE_GMAIL_PHISHER Apparent phishing email sent from a gmail account +##} POSSIBLE_GMAIL_PHISHER + ##{ POSSIBLE_PAYPAL_PHISH_01 meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF) @@ -3590,12 +3610,6 @@ describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious h tflags RDNS_NUM_TLD_XM publish ##} RDNS_NUM_TLD_XM -##{ READY_TO_SHIP - -body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i -#score READY_TO_SHIP 1.250 # limit -##} READY_TO_SHIP - ##{ REPLYTO_WITHOUT_TO_CC meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) @@ -3603,7 +3617,7 @@ meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) ##{ REPTO_419_FRAUD -header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|mingmui0012|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:charitylisajohnrobinson700)\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i +header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:20156488)\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|mingmui0012|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD 3.000 tflags REPTO_419_FRAUD publish @@ -3635,7 +3649,7 @@ tflags REPTO_419_FRAUD_CNS publish ##{ REPTO_419_FRAUD_GM -header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|ullahmundani019)|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976algaddafi|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|gold8080|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|sephacevedo024|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran630|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|maureens847|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|ussiaworldcuppromo)|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|ephentam1(?:47|6))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|ousefzongo5722)|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i +header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|ullahmundani019)|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran630|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|ma(?:ureens847|yaoliver31)|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|ephentam1(?:47|6))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_GM 3.000 tflags REPTO_419_FRAUD_GM publish @@ -3659,7 +3673,7 @@ tflags REPTO_419_FRAUD_HM publish ##{ REPTO_419_FRAUD_OL -header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|kaujong|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|richardwahlfreegrant|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i +header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_OL 3.000 tflags REPTO_419_FRAUD_OL publish @@ -3740,12 +3754,6 @@ tflags SCC_BOGUS_CTE_1 publish endif ##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -##{ SCC_CANSPAM_2 - -describe SCC_CANSPAM_2 Interesting compliance language -body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/ -##} SCC_CANSPAM_2 - ##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -3763,14 +3771,6 @@ tflags SCC_ISEMM_LID_1 publish #score SCC_ISEMM_LID_1 3.5 ##} SCC_ISEMM_LID_1 -##{ SCC_ISEMM_LID_1A - -describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware -header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/ -tflags SCC_ISEMM_LID_1A publish -#score SCC_ISEMM_LID_1A 3.5 -##} SCC_ISEMM_LID_1A - ##{ SCC_ISEMM_LID_1B describe SCC_ISEMM_LID_1B Genericized spammer fingerprint @@ -3814,12 +3814,6 @@ endif endif ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval -##{ SERGIO_SUBJECT_VIAGRA01 - -header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i -describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject -##} SERGIO_SUBJECT_VIAGRA01 - ##{ SHOPIFY_IMG_NOT_RCVD_SFY meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK @@ -3828,6 +3822,11 @@ describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from tflags SHOPIFY_IMG_NOT_RCVD_SFY publish ##} SHOPIFY_IMG_NOT_RCVD_SFY +##{ SHORTENED_URL_SRC + +rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/ +##} SHORTENED_URL_SRC + ##{ SHORTENER_SHORT_IMG meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 @@ -3971,6 +3970,11 @@ tflags STOCK_TIP publish meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE ##} STOX_AND_PRICE +##{ STOX_BOUND_090909_B + +header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s +##} STOX_BOUND_090909_B + ##{ STOX_REPLY_TYPE header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ @@ -3987,13 +3991,6 @@ meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters ##} SUBJECT_NEEDS_ENCODING -##{ SUBJ_ATTENTION - -meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED -describe SUBJ_ATTENTION ATTENTION in Subject -#score SUBJ_ATTENTION 0.500 # limit -##} SUBJ_ATTENTION - ##{ SUBJ_BRKN_WORDNUMS #score SUBJ_BRKN_WORDNUMS 1.500 # limit @@ -4014,12 +4011,6 @@ ifplugin Mail::SpamAssassin::Plugin::DKIM endif ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM -##{ SUBJ_UNNEEDED_HTML - -meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML -describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject: -##} SUBJ_UNNEEDED_HTML - ##{ SUSP_UTF8_WORD_SUBJ meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ @@ -4110,6 +4101,17 @@ describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM tflags TONLINE_FAKE_DKIM publish ##} TONLINE_FAKE_DKIM +##{ TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 +describe TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local +#score TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit +endif +endif +##} TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + ##{ TO_EQ_FM_DIRECT_MX meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED @@ -4339,6 +4341,11 @@ body TVD_LINK_SAVE /\blink to save\b/i describe TVD_LINK_SAVE Spam with the text "link to save" ##} TVD_LINK_SAVE +##{ TVD_PH_7 + +body TVD_PH_7 /\baccount .{0,20}suspen/i +##} TVD_PH_7 + ##{ TVD_PH_BODY_ACCOUNTS_PRE meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE @@ -4421,20 +4428,6 @@ header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace ##} TVD_SPACED_SUBJECT_WORD3 -##{ TVD_SPACE_ENCODED - -meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM -#score TVD_SPACE_ENCODED 2.500 # limit -describe TVD_SPACE_ENCODED Space ratio & encoded subject -##} TVD_SPACE_ENCODED - -##{ TVD_SPACE_RATIO_MINFP - -meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL -#score TVD_SPACE_RATIO_MINFP 2.500 # limit -describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) -##} TVD_SPACE_RATIO_MINFP - ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval ifplugin Mail::SpamAssassin::Plugin::BodyEval @@ -4449,6 +4442,11 @@ header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference ##} TVD_SUBJ_ACC_NUM +##{ TVD_SUBJ_APPR_LOAN + +header TVD_SUBJ_APPR_LOAN Subject =~ /approved? .{0,20}loan/i +##} TVD_SUBJ_APPR_LOAN + ##{ TVD_SUBJ_FINGER_03 header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ @@ -4517,6 +4515,26 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader endif ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader +##{ T_COMPENSATION + +describe T_COMPENSATION "Compensation" +#score T_COMPENSATION 1.50 # limit +##} T_COMPENSATION + +##{ T_COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) + +if !plugin(Mail::SpamAssassin::Plugin::DKIM) + meta T_COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD +endif +##} T_COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) + +##{ T_COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM + +ifplugin Mail::SpamAssassin::Plugin::DKIM + meta T_COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE +endif +##} T_COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM + ##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -4533,6 +4551,14 @@ describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: da endif ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval +##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval + +ifplugin Mail::SpamAssassin::Plugin::HeaderEval +header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') +describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date +endif +##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval + ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -4645,6 +4671,14 @@ tflags T_FROMNAME_SPOOFED_EMAIL publish endif ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof +##{ T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + +if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + meta T_FROM_MULTI_NORDNS __FROM_MULTI_NORDNS + describe T_FROM_MULTI_NORDNS Multiple From addresses + no rDNS +endif +##} T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) @@ -4933,17 +4967,6 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 -describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener -#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit -endif -endif -##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - ##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval @@ -4955,16 +4978,14 @@ endif endif ##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) +##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY -describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener -#score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit +if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + meta T_PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS + describe T_PDS_FROM_2_EMAILS From header has multiple different addresses +# score T_PDS_FROM_2_EMAILS 3.500 # limit endif -endif -##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) +##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags @@ -4984,6 +5005,17 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags +##{ T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval + +if (version >= 3.004002) +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +header T_PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') +#score T_PDS_OTHER_BAD_TLD 2.0 +describe T_PDS_OTHER_BAD_TLD Untrustworthy TLDs +endif +endif +##} T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval + ##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) @@ -5121,17 +5153,6 @@ endif endif ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 -describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local -#score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit -endif -endif -##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags @@ -5385,12 +5406,6 @@ describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent tflags URI_MALWARE_SCMS publish ##} URI_MALWARE_SCMS -##{ URI_OBFU_DOM - -meta URI_OBFU_DOM __URI_OBFU_DOM && !__VIA_ML -describe URI_OBFU_DOM URI pretending to be different domain -##} URI_OBFU_DOM - ##{ URI_ONLY_MSGID_MALF meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW @@ -5578,6 +5593,13 @@ describe XM_RANDOM X-Mailer apparently random tflags XM_RANDOM publish ##} XM_RANDOM +##{ XM_RECPTID + +meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX +describe XM_RECPTID Has spammy message header +#score XM_RECPTID 3.000 # limit +##} XM_RECPTID + ##{ XPRIO describe XPRIO Has X-Priority header @@ -5649,6 +5671,24 @@ describe YOU_INHERIT Discussing your inheritance ##{ bayes_ignore_header_sandbox +bayes_ignore_header ARC-Authentication-Results +bayes_ignore_header ARC-Message-Signature +bayes_ignore_header ARC-Seal +bayes_ignore_header Authentication-Results +bayes_ignore_header Auto-Submitted +bayes_ignore_header Autocrypt +bayes_ignore_header CTCH-SenderID-TotalSpam +bayes_ignore_header IronPort-SDR +bayes_ignore_header List-Archive +bayes_ignore_header List-Help +bayes_ignore_header List-Id +bayes_ignore_header List-Post +bayes_ignore_header List-Subscribe +bayes_ignore_header List-Unsubscribe +bayes_ignore_header Mailing-List +bayes_ignore_header Precedence +bayes_ignore_header Received-SPF +bayes_ignore_header suggested_attachment_session_id bayes_ignore_header X-ACL-Warn bayes_ignore_header X-Alimail-AntiSpam bayes_ignore_header X-Amavis-Modified @@ -5668,6 +5708,7 @@ bayes_ignore_header X-ASG-Orig-Subj bayes_ignore_header X-ASG-Recipient-Whitelist bayes_ignore_header X-ASG-Tag bayes_ignore_header X-Assp-Version +bayes_ignore_header X-Attachment-Id bayes_ignore_header X-Authority-Analysis bayes_ignore_header X-Authvirus bayes_ignore_header X-Auto-Response-Suppress @@ -5696,6 +5737,7 @@ bayes_ignore_header X-Barracuda-URL bayes_ignore_header X-Barracuda-Virus-Alert bayes_ignore_header X-Bayes-Prob bayes_ignore_header X-Bayesian-Result +bayes_ignore_header X-BeenThere bayes_ignore_header X-BitDefender-Spam bayes_ignore_header X-BitDefender-SpamStamp bayes_ignore_header X-BL @@ -5708,6 +5750,7 @@ bayes_ignore_header X-CanIt-Geo bayes_ignore_header X-Canit-Stats-ID bayes_ignore_header X-CanItPRO-Stream bayes_ignore_header X-Clapf-spamicity +bayes_ignore_header X-ClientProxiedBy bayes_ignore_header X-Cloud-Security bayes_ignore_header X-CM-Score bayes_ignore_header X-CMAE-Analysis @@ -5716,6 +5759,7 @@ bayes_ignore_header X-CMAE-Score bayes_ignore_header X-CMAE-Verdict bayes_ignore_header X-CNFS-Analysis bayes_ignore_header X-Company +bayes_ignore_header X-Complaints-To bayes_ignore_header X-Coremail-Antispam bayes_ignore_header X-CRM114-CacheID bayes_ignore_header X-CRM114-Status @@ -5731,6 +5775,7 @@ bayes_ignore_header X-CTCH-SenderID-TotalSuspected bayes_ignore_header X-CTCH-SenderID-TotalVirus bayes_ignore_header X-CTCH-Spam bayes_ignore_header X-CTCH-VOD +bayes_ignore_header X-Delivered-To bayes_ignore_header X-Drweb-SpamState bayes_ignore_header X-DSPAM-Confidence bayes_ignore_header X-DSPAM-Factors @@ -5746,20 +5791,25 @@ bayes_ignore_header X-Enigmail-Version bayes_ignore_header X-EsetId bayes_ignore_header X-EsetResult bayes_ignore_header X-Exchange-Antispam-Report +bayes_ignore_header X-Exchange-Antispam-Report-CFA-Test bayes_ignore_header X-ExtloopSabreCommercials1 bayes_ignore_header X-EYOU-SPAMVALUE bayes_ignore_header X-FB-OUTBOUND-SPAM bayes_ignore_header X-FEAS-SBL bayes_ignore_header X-FILTER-SCORE bayes_ignore_header X-Forefront-Antispam-Report +bayes_ignore_header X-Forefront-Antispam-Report-Untrusted bayes_ignore_header X-Forefront-PRVS +bayes_ignore_header X-Freemail-From bayes_ignore_header X-Fuglu-Spamstatus bayes_ignore_header X-Fuglu-Suspect bayes_ignore_header X-getmail-filter-classifier bayes_ignore_header X-GFIME-MASPAM +bayes_ignore_header X-Gm-Message-State bayes_ignore_header X-Gmane-NNTP-Posting-Host bayes_ignore_header X-GMX-Antispam bayes_ignore_header X-GMX-Antivirus +bayes_ignore_header X-Google-DKIM-Signature bayes_ignore_header X-He-Spam bayes_ignore_header X-hMailServer-Spam bayes_ignore_header X-IAS @@ -5784,6 +5834,7 @@ bayes_ignore_header X-Ironport-SENDER bayes_ignore_header X-Ironport-SUBJECT bayes_ignore_header X-Junk-Score bayes_ignore_header X-Junkmail +bayes_ignore_header X-Klms-Anti bayes_ignore_header X-KLMS-AntiPhishing bayes_ignore_header X-Klms-Antispam bayes_ignore_header X-KLMS-AntiSpam-Info @@ -5801,15 +5852,42 @@ bayes_ignore_header X-KLMS-Rule-ID bayes_ignore_header X-KMail-EncryptionState bayes_ignore_header X-KMail-MDN-Sent bayes_ignore_header X-KMail-SignatureState +bayes_ignore_header X-Kse-Anti +bayes_ignore_header X-Loom-IP bayes_ignore_header X-MailCleaner-SpamChec bayes_ignore_header X-MailCleaner-SpamCheck bayes_ignore_header X-MailFoundry +bayes_ignore_header X-Mailman-Version +bayes_ignore_header X-MDAV-Processed bayes_ignore_header X-MDMailLookup-Result bayes_ignore_header X-ME-Bayesian bayes_ignore_header X-ME-Content bayes_ignore_header X-MessageFilter -bayes_ignore_header X-Microsoft-Antispam +bayes_ignore_header x-microsoft-antispam +bayes_ignore_header X-Microsoft-Antispam-Message-Info +bayes_ignore_header X-Microsoft-Antispam-Message-Info-Original +bayes_ignore_header X-Microsoft-Antispam-Untrusted +bayes_ignore_header X-Microsoft-Exchange-Diagnostics bayes_ignore_header X-Mlf-Version +bayes_ignore_header X-Mozilla-Keys +bayes_ignore_header X-Mozilla-Status +bayes_ignore_header X-Mozilla-Status2 +bayes_ignore_header x-ms-exchange-antispam-messagedata +bayes_ignore_header x-ms-exchange-antispam-messagedata-0 +bayes_ignore_header X-MS-Exchange-CrossTenant-AuthAs +bayes_ignore_header X-MS-Exchange-CrossTenant-AuthSource +bayes_ignore_header X-MS-Exchange-CrossTenant-FromEntityHeader +bayes_ignore_header x-ms-exchange-crosstenant-id +bayes_ignore_header x-ms-exchange-crosstenant-network-message-id +bayes_ignore_header X-MS-Exchange-CrossTenant-OriginalArrivalTime +bayes_ignore_header x-ms-exchange-crosstenant-rms-persistedconsumerorg +bayes_ignore_header X-MS-Exchange-CrossTenant-userprincipalname +bayes_ignore_header x-ms-exchange-slblob-mailprops +bayes_ignore_header X-MS-Exchange-Transport-CrossTenantHeadersStamped +bayes_ignore_header x-ms-office365-filtering-correlation-id +bayes_ignore_header X-MS-TrafficTypeDiagnostic +bayes_ignore_header X-MSFBL +bayes_ignore_header X-MSMail-Priority bayes_ignore_header X-MXScan-AntiSpam bayes_ignore_header X-MXScan-AntiVirus bayes_ignore_header X-MXScan-Country-Sequence @@ -5822,6 +5900,8 @@ bayes_ignore_header X-NAI-Spam-Rules bayes_ignore_header X-NAI-Spam-Score bayes_ignore_header X-NAI-Spam-Threshold bayes_ignore_header X-NetStation-Status +bayes_ignore_header X-No-Relay +bayes_ignore_header X-OriginatorOrg bayes_ignore_header X-OVH-SPAMCAUSE bayes_ignore_header X-OVH-SPAMCAUSE: bayes_ignore_header X-OVH-SPAMSCORE @@ -5838,6 +5918,7 @@ bayes_ignore_header X-Probable-Spam bayes_ignore_header X-PROLinux-SpamCheck bayes_ignore_header X-Proofpoint-Spam-Reason bayes_ignore_header X-Proofpoint-Virus-Version +bayes_ignore_header X-Provags-ID bayes_ignore_header x-purgate-eavas: clean bayes_ignore_header x-purgate-id bayes_ignore_header x-purgate-size @@ -5845,10 +5926,14 @@ bayes_ignore_header x-purgate-type bayes_ignore_header X-Qmail-Scanner-Diagnostics bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status bayes_ignore_header X-Quarantine-ID +bayes_ignore_header X-Received bayes_ignore_header X-RSpam-Report bayes_ignore_header X-SA-Do-Not-Run bayes_ignore_header X-SA-Exim-Version bayes_ignore_header X-Scanned-by +bayes_ignore_header X-ServerMaster-MailScanner +bayes_ignore_header X-SG-EID +bayes_ignore_header X-SG-ID bayes_ignore_header X-SmarterMail-CustomSpamHeader bayes_ignore_header X-Spam bayes_ignore_header X-Spam-Action @@ -5916,7 +6001,8 @@ bayes_ignore_header X-WatchGuard-Spam-ID bayes_ignore_header X-WatchGuard-Spam-Score bayes_ignore_header X-Whitelist-Domain bayes_ignore_header X-WUM-CCI -bayes_ignore_header X_CMAE_Category##} bayes_ignore_header_sandbox +bayes_ignore_header X_CMAE_Category +##} bayes_ignore_header_sandbox ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox @@ -5980,10 +6066,8 @@ enlist_addrlist (SUSP_NTLD) *@*.top enlist_addrlist (SUSP_NTLD) *@*.fun enlist_addrlist (SUSP_NTLD) *@*.life enlist_addrlist (SUSP_NTLD) *@*.review -enlist_addrlist (SUSP_NTLD) *@*.xyz enlist_addrlist (SUSP_NTLD) *@*.bid enlist_addrlist (SUSP_NTLD) *@*.stream -enlist_addrlist (SUSP_NTLD) *@*.site enlist_addrlist (SUSP_NTLD) *@*.gdn enlist_addrlist (SUSP_NTLD) *@*.click enlist_addrlist (SUSP_NTLD) *@*.world @@ -6002,10 +6086,8 @@ enlist_uri_host (SUSP_URI_NTLD) top enlist_uri_host (SUSP_URI_NTLD) fun enlist_uri_host (SUSP_URI_NTLD) life enlist_uri_host (SUSP_URI_NTLD) review -enlist_uri_host (SUSP_URI_NTLD) xyz enlist_uri_host (SUSP_URI_NTLD) bid enlist_uri_host (SUSP_URI_NTLD) stream -enlist_uri_host (SUSP_URI_NTLD) site enlist_uri_host (SUSP_URI_NTLD) gdn enlist_uri_host (SUSP_URI_NTLD) click enlist_uri_host (SUSP_URI_NTLD) world @@ -6386,7 +6468,7 @@ reuse T_PDS_DOUBLE_URL reuse T_PDS_DBL_URL_LINKBAIT reuse PDS_DBL_URL_TNB_RUNON reuse T_PDS_DBL_URL_ILLEGAL_CHARS -reuse FROM_2_EMAILS_SHORT +reuse T_FROM_2_EMAILS_SHORT reuse T_SHORT_BODY_QUOTE reuse T_BODY_QUOTE_MALF_MSGID reuse SPOOFED_FREEMAIL_NO_RDNS @@ -6394,7 +6476,7 @@ reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE -reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT +reuse PDS_TONAME_EQ_TOLOCAL_VSHORT reuse T_PDS_LITECOIN_ID reuse PDS_BTC_ID reuse PDS_BTC_MSGID @@ -6659,6 +6741,10 @@ meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) +meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) + +meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) + body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s body __BODY_TEXT_LINE /^\s*\S/ @@ -6966,6 +7052,8 @@ meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i +header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/ + header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/ meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR ) @@ -7335,6 +7423,8 @@ header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD') endif endif +header __FROM_ADDR_GMAIL From:addr =~ /\@gmail\.com>?$/i + header __FROM_ADDR_WS From:addr =~ /\s/ header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i @@ -7444,6 +7534,8 @@ header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i +header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} /i + header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i @@ -7686,6 +7778,8 @@ endif header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i +header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /i + header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/ header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ / @@ -8246,8 +8340,6 @@ ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto endif -meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY - body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE @@ -8322,6 +8414,8 @@ body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i body __NIGERIA /\bnigeria\b/i +meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE + meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO tflags __NOT_A_PERSON nice @@ -8587,6 +8681,8 @@ body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United Stat endif endif +header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i + if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_1024 0 endif @@ -8706,6 +8802,8 @@ header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/ header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ +header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i + meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) @@ -8832,9 +8930,11 @@ header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') endif endif +header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i + header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i -header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug))|office1office|radka|shwestwood|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|risterlordruben|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavisdonation)|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:jane|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|iidp|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|mfdeputyoff|n(?:fo\.annedouglas|gridrolle)|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|sephacevedo|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|urhinck|viswan(?:czyk(?:(?:foundation|k))?)?)|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ss\.yasmineibrahim)|k(?:ent|untjoro)|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|evelynbrown|fatimaamiraqureshi|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|ousefzongo)|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i +header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug))|office1office|radka|shwestwood|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|risterlordruben|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavisdonation)|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:jane|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|iidp|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|mfdeputyoff|n(?:fo\.annedouglas|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|seph(?:acevedo|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|urhinck|viswan(?:czyk(?:(?:foundation|k))?)?)|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ss\.yasmineibrahim)|k(?:ent|untjoro)|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:ureens|yaoliver)|r(?:obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|en(?:jaminb|nicholas)|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i @@ -8967,8 +9067,6 @@ meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i -header __SUBJ_ATTENTION Subject =~ /ATTENTION/ - meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ @@ -8993,9 +9091,6 @@ header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ header __SUBJ_SHORT Subject =~ /^.{0,8}$/ -header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i -tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3 - header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i @@ -9237,8 +9332,6 @@ header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure| meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST -meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) - if !plugin(Mail::SpamAssassin::Plugin::BodyEval) meta __TVD_SPACE_RATIO 0 endif @@ -9422,8 +9515,6 @@ tflags __URI_MAILTO multiple maxhits=16 uri __URI_MONERO /buy-monero/i -uri __URI_OBFU_DOM /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i - meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) @@ -9518,8 +9609,6 @@ ifplugin Mail::SpamAssassin::Plugin::FreeMail header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/ endif -header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/ - header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/ header __XM_BALSA X-Mailer =~ /^Balsa \d/ @@ -9664,6 +9753,42 @@ endif body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i +body __hk_win_0 /\byour? e-?mail just w[oi]n/i + +body __hk_win_2 /\battn.{0,10}winner/i + +body __hk_win_3 /\bhappily aa?nnounce/i + +body __hk_win_4 /\bpleas(?:ure|ed) to inform/i + +body __hk_win_5 /\b(?:notice the|your) winning/i + +body __hk_win_7 /\bcongratulations? to your/i + +body __hk_win_8 /\bunexpected luck/i + +body __hk_win_9 /\blucky (?:nl )number/i + +body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i + +body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i + +body __hk_win_c /\bune adresse e-?mail sur internet/i + +body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i + +body __hk_win_i /\bfunds? transfer/i + +body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i + +body __hk_win_l /\b(?:make|file) (?:for )?your claim/i + +body __hk_win_m /\br.clamation de votre prix/i + +body __hk_win_n /\bcollect your prize/i + +body __hk_win_o /\bclarification and procedure/i + ifplugin Mail::SpamAssassin::Plugin::FreeMail header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') endif diff --git a/sa-updates/72_scores.cf b/sa-updates/72_scores.cf index a288713..1ac8901 100644 --- a/sa-updates/72_scores.cf +++ b/sa-updates/72_scores.cf @@ -1,7 +1,8 @@ +score ACCT_PHISHING_MANY 1.000 1.000 1.000 1.000 score AC_BR_BONANZA 0.001 0.001 0.001 0.001 score AC_DIV_BONANZA 0.001 0.001 0.001 0.001 -score AC_FROM_MANY_DOTS 2.999 2.999 2.999 2.999 -score AC_HTML_NONSENSE_TAGS 2.000 1.999 2.000 1.999 +score AC_FROM_MANY_DOTS 2.999 1.544 2.999 1.544 +score AC_HTML_NONSENSE_TAGS 1.999 1.999 1.999 1.999 score AC_POST_EXTRAS 1.000 1.000 1.000 1.000 score AC_SPAMMY_URI_PATTERNS1 1.000 1.000 1.000 1.000 score AC_SPAMMY_URI_PATTERNS10 1.000 1.000 1.000 1.000 @@ -12,272 +13,270 @@ score AC_SPAMMY_URI_PATTERNS3 1.000 1.000 1.000 1.000 score AC_SPAMMY_URI_PATTERNS4 1.000 1.000 1.000 1.000 score AC_SPAMMY_URI_PATTERNS8 1.000 1.000 1.000 1.000 score AC_SPAMMY_URI_PATTERNS9 1.000 1.000 1.000 1.000 -score ADMITS_SPAM 3.200 3.113 3.200 3.113 score ADULT_DATING_COMPANY 10.000 10.000 10.000 10.000 score ADVANCE_FEE_2_NEW_FORM 1.000 1.000 1.000 1.000 score ADVANCE_FEE_2_NEW_FRM_MNY 1.000 1.000 1.000 1.000 -score ADVANCE_FEE_2_NEW_MONEY 1.999 1.999 1.999 1.999 -score ADVANCE_FEE_3_NEW 2.039 3.448 2.039 3.448 -score ADVANCE_FEE_3_NEW_MONEY 0.342 2.523 0.342 2.523 -score ADVANCE_FEE_4_NEW 2.400 2.192 2.400 2.192 -score ADVANCE_FEE_4_NEW_MONEY 1.643 1.642 1.643 1.642 -score ADVANCE_FEE_5_NEW_FRM_MNY 0.001 0.001 0.001 0.001 -score ADVANCE_FEE_5_NEW_MONEY 0.001 0.001 0.001 0.001 -score AD_PREFS 0.499 0.001 0.499 0.001 +score ADVANCE_FEE_2_NEW_MONEY 2.000 1.999 2.000 1.999 +score ADVANCE_FEE_3_NEW 3.499 3.499 3.499 3.499 +score ADVANCE_FEE_3_NEW_MONEY 2.399 2.399 2.399 2.399 +score ADVANCE_FEE_4_NEW 2.199 2.199 2.199 2.199 +score ADVANCE_FEE_4_NEW_FRM_MNY 0.001 0.001 0.001 0.001 +score ADVANCE_FEE_4_NEW_MONEY 2.485 2.499 2.485 2.499 +score ADVANCE_FEE_5_NEW 2.199 0.821 2.199 0.821 +score ADVANCE_FEE_5_NEW_FRM_MNY 1.592 2.202 1.592 2.202 +score ADVANCE_FEE_5_NEW_MONEY 2.136 0.001 2.136 0.001 +score AD_PREFS 0.366 0.097 0.366 0.097 score ALIBABA_IMG_NOT_RCVD_ALI 1.000 1.000 1.000 1.000 -score AMAZON_IMG_NOT_RCVD_AMZN 0.001 0.001 0.001 0.001 +score AMAZON_IMG_NOT_RCVD_AMZN 0.001 1.845 0.001 1.845 score APP_DEVELOPMENT_FREEM 1.000 1.000 1.000 1.000 score APP_DEVELOPMENT_NORDNS 1.000 1.000 1.000 1.000 -score ARC_SIGNED 0.001 0.001 0.001 0.001 -score ARC_VALID 0.001 0.001 0.001 0.001 score AXB_XMAILER_MIMEOLE_OL_024C2 0.001 0.001 0.001 0.001 -score AXB_X_FF_SEZ_S 3.099 3.100 3.099 3.100 -score BAT_BDRY_TO_MALF 2.499 1.637 2.499 1.637 +score AXB_X_FF_SEZ_S 2.700 1.196 2.700 1.196 score BEBEE_IMG_NOT_RCVD_BB 1.000 1.000 1.000 1.000 -score BIGNUM_EMAILS_FREEM 1.336 0.017 1.336 0.017 -score BIGNUM_EMAILS_MANY 2.743 1.670 2.743 1.670 +score BIGNUM_EMAILS_FREEM 1.000 0.384 1.000 0.384 +score BIGNUM_EMAILS_MANY 1.000 1.000 1.000 1.000 score BITCOIN_BOMB 1.000 1.000 1.000 1.000 -score BITCOIN_DEADLINE 1.753 1.000 1.753 1.000 -score BITCOIN_EXTORT_01 2.102 2.692 2.102 2.692 +score BITCOIN_DEADLINE 1.500 1.449 1.500 1.449 +score BITCOIN_EXTORT_01 4.500 0.941 4.500 0.941 score BITCOIN_EXTORT_02 1.000 1.000 1.000 1.000 score BITCOIN_IMGUR 1.000 1.000 1.000 1.000 -score BITCOIN_MALF_HTML 2.095 0.142 2.095 0.142 -score BITCOIN_MALWARE 1.043 0.001 1.043 0.001 +score BITCOIN_MALF_HTML 3.499 3.084 3.499 3.084 +score BITCOIN_MALWARE 2.094 2.501 2.094 2.501 score BITCOIN_OBFU_SUBJ 1.000 1.000 1.000 1.000 -score BITCOIN_ONAN 2.011 2.867 2.011 2.867 +score BITCOIN_ONAN 1.000 1.000 1.000 1.000 score BITCOIN_PAY_ME 1.000 1.000 1.000 1.000 score BITCOIN_SPAM_01 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_02 2.189 1.279 2.189 1.279 -score BITCOIN_SPAM_03 2.225 0.919 2.225 0.919 -score BITCOIN_SPAM_04 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_05 0.001 2.027 0.001 2.027 +score BITCOIN_SPAM_02 0.001 0.001 0.001 0.001 +score BITCOIN_SPAM_03 1.000 2.499 1.000 2.499 +score BITCOIN_SPAM_04 1.000 0.184 1.000 0.184 +score BITCOIN_SPAM_05 0.001 2.475 0.001 2.475 score BITCOIN_SPAM_06 1.000 1.000 1.000 1.000 score BITCOIN_SPAM_07 1.000 1.000 1.000 1.000 score BITCOIN_SPAM_08 1.000 1.000 1.000 1.000 -score BITCOIN_SPAM_09 1.499 1.499 1.499 1.499 +score BITCOIN_SPAM_09 1.000 1.092 1.000 1.092 score BITCOIN_SPAM_10 1.000 1.000 1.000 1.000 score BITCOIN_SPAM_11 1.000 1.000 1.000 1.000 score BITCOIN_SPAM_12 1.000 1.000 1.000 1.000 score BITCOIN_SPF_ONLYALL 0.001 1.000 0.001 1.000 -score BITCOIN_XPRIO 1.051 0.001 1.051 0.001 -score BITCOIN_YOUR_INFO 1.268 0.708 1.268 0.708 -score BODY_URI_ONLY 2.499 1.958 2.499 1.958 +score BITCOIN_XPRIO 0.234 0.001 0.234 0.001 +score BITCOIN_YOUR_INFO 3.000 1.481 3.000 1.481 +score BODY_SINGLE_URI 1.004 0.302 1.004 0.302 +score BODY_URI_ONLY 1.154 1.654 1.154 1.654 score BOGUS_MIME_VERSION 1.000 1.000 1.000 1.000 -score BOGUS_MSM_HDRS 1.126 0.001 1.126 0.001 +score BOGUS_MSM_HDRS 1.000 1.000 1.000 1.000 score BOMB_FREEM 1.000 1.000 1.000 1.000 score BOMB_MONEY 1.000 1.000 1.000 1.000 score BTC_ORG 1.000 1.000 1.000 1.000 -score BULK_RE_SUSP_NTLD 0.999 1.000 0.999 1.000 +score BULK_RE_SUSP_NTLD 1.000 1.000 1.000 1.000 score CANT_SEE_AD 1.000 1.000 1.000 1.000 score CK_HELO_GENERIC 0.249 0.001 0.249 0.001 score COMMENT_GIBBERISH 1.000 1.000 1.000 1.000 -score COMPENSATION 1.000 1.000 1.000 1.000 score CONTENT_AFTER_HTML 1.000 1.000 1.000 1.000 score CONTENT_AFTER_HTML_WEAK 1.000 1.000 1.000 1.000 -score CTE_8BIT_MISMATCH 0.999 0.001 0.999 0.001 -score DATE_IN_FUTURE_Q_PLUS 2.700 2.700 2.700 2.700 +score CTE_8BIT_MISMATCH 0.999 0.163 0.999 0.163 score DAY_I_EARNED 1.000 1.000 1.000 1.000 -score DEAR_BENEFICIARY 1.641 2.148 1.641 2.148 -score DKIMWL_BL 0.001 1.000 0.001 1.000 +score DEAR_BENEFICIARY 0.699 0.001 0.699 0.001 +score DKIMWL_BL 0.001 1.295 0.001 1.295 score DKIMWL_BLOCKED 0.001 0.001 0.001 0.001 score DKIMWL_WL_HIGH 0.001 -0.001 0.001 -0.001 score DKIMWL_WL_MED 0.001 -0.001 0.001 -0.001 -score DKIMWL_WL_MEDHI 0.001 -0.001 0.001 -0.001 +score DKIMWL_WL_MEDHI 0.001 -0.263 0.001 -0.263 score DOTGOV_IMAGE 1.000 1.000 1.000 1.000 -score DX_TEXT_03 1.200 1.299 1.200 1.299 score DYNAMIC_IMGUR 1.000 1.000 1.000 1.000 score EBAY_IMG_NOT_RCVD_EBAY 1.000 1.000 1.000 1.000 score ENCRYPTED_MESSAGE -1.000 -0.999 -1.000 -0.999 -score END_FUTURE_EMAILS 2.499 1.000 2.499 1.000 +score END_FUTURE_EMAILS 2.499 2.499 2.499 2.499 score ENVFROM_GOOG_TRIX 1.000 1.000 1.000 1.000 -score FACEBOOK_IMG_NOT_RCVD_FB 1.000 1.000 1.000 1.000 -score FBI_MONEY 0.227 0.911 0.227 0.911 -score FBI_SPOOF 1.573 0.887 1.573 0.887 -score FILL_THIS_FORM 0.952 1.000 0.952 1.000 +score FACEBOOK_IMG_NOT_RCVD_FB 1.000 1.551 1.000 1.551 +score FBI_MONEY 1.000 1.000 1.000 1.000 +score FBI_SPOOF 1.000 1.000 1.000 1.000 +score FILL_THIS_FORM 0.899 1.223 0.899 1.223 score FONT_INVIS_DIRECT 0.001 0.001 0.001 0.001 score FONT_INVIS_DOTGOV 1.000 1.000 1.000 1.000 score FONT_INVIS_HTML_NOHTML 1.000 1.000 1.000 1.000 -score FONT_INVIS_LONG_LINE 2.999 2.999 2.999 2.999 -score FONT_INVIS_MSGID 1.942 2.195 1.942 2.195 -score FONT_INVIS_NORDNS 0.001 1.894 0.001 1.894 -score FONT_INVIS_POSTEXTRAS 1.174 2.900 1.174 2.900 -score FORM_FRAUD 0.999 0.999 0.999 0.999 -score FORM_FRAUD_3 2.399 0.001 2.399 0.001 -score FORM_FRAUD_5 0.001 1.742 0.001 1.742 +score FONT_INVIS_LONG_LINE 1.286 0.726 1.286 0.726 +score FONT_INVIS_MSGID 1.155 1.438 1.155 1.438 +score FONT_INVIS_NORDNS 1.000 1.000 1.000 1.000 +score FONT_INVIS_POSTEXTRAS 0.002 1.896 0.002 1.896 +score FORGED_SPF_HELO 0.001 0.001 0.001 0.001 +score FORM_FRAUD 0.999 1.000 0.999 1.000 +score FORM_FRAUD_5 0.001 0.001 0.001 0.001 score FOUND_YOU 1.000 1.000 1.000 1.000 -score FREEMAIL_FORGED_FROMDOMAIN 0.250 0.001 0.250 0.001 +score FREEMAIL_FORGED_FROMDOMAIN 0.250 0.250 0.250 0.250 score FREEM_FRNUM_UNICD_EMPTY 1.000 1.000 1.000 1.000 score FRNAME_IN_MSG_XPRIO_NO_SUB 1.000 1.000 1.000 1.000 -score FROM_2_EMAILS_SHORT 0.001 0.921 0.001 0.921 -score FROM_ADDR_WS 3.000 2.999 3.000 2.999 +score FROM_ADDR_WS 2.999 2.349 2.999 2.349 score FROM_BANK_NOAUTH 0.001 1.000 0.001 1.000 score FROM_FMBLA_NDBLOCKED 0.001 0.001 0.001 0.001 -score FROM_FMBLA_NEWDOM 0.001 1.499 0.001 1.499 -score FROM_FMBLA_NEWDOM14 0.001 0.999 0.001 0.999 -score FROM_FMBLA_NEWDOM28 0.001 0.001 0.001 0.001 -score FROM_GOV_DKIM_AU 0.001 -0.001 0.001 -0.001 +score FROM_FMBLA_NEWDOM 0.001 1.000 0.001 1.000 +score FROM_FMBLA_NEWDOM14 0.001 1.000 0.001 1.000 +score FROM_FMBLA_NEWDOM28 0.001 0.799 0.001 0.799 +score FROM_GOV_DKIM_AU 0.001 -0.766 0.001 -0.766 score FROM_GOV_REPLYTO_FREEMAIL 0.001 1.000 0.001 1.000 score FROM_GOV_SPOOF 0.001 1.000 0.001 1.000 -score FROM_MISSPACED 1.999 1.999 1.999 1.999 -score FROM_MISSP_DYNIP 1.928 0.042 1.928 0.042 -score FROM_MISSP_EH_MATCH 1.999 1.201 1.999 1.201 -score FROM_MISSP_FREEMAIL 0.001 1.149 0.001 1.149 -score FROM_MISSP_MSFT 0.001 0.001 0.001 0.001 -score FROM_MISSP_REPLYTO 2.199 0.001 2.199 0.001 +score FROM_MISSPACED 1.999 1.601 1.999 1.601 +score FROM_MISSP_EH_MATCH 2.000 1.399 2.000 1.399 +score FROM_MISSP_FREEMAIL 2.699 0.001 2.699 0.001 +score FROM_MISSP_MSFT 0.601 0.001 0.601 0.001 +score FROM_MISSP_REPLYTO 1.199 0.901 1.199 0.901 score FROM_MISSP_SPF_FAIL 0.001 0.001 0.001 0.001 score FROM_MISSP_USER 0.001 0.001 0.001 0.001 -score FROM_MULTI_NORDNS 1.332 1.895 1.332 1.895 score FROM_NEWDOM_BTC 0.001 1.000 0.001 1.000 score FROM_NTLD_LINKBAIT 1.000 1.000 1.000 1.000 -score FROM_NTLD_REPLY_FREEMAIL 1.512 1.000 1.512 1.000 +score FROM_NTLD_REPLY_FREEMAIL 1.000 1.000 1.000 1.000 score FROM_NUMBERO_NEWDOMAIN 0.001 1.000 0.001 1.000 -score FROM_PAYPAL_SPOOF 0.001 1.599 0.001 1.599 -score FROM_SUSPICIOUS_NTLD 0.500 0.001 0.500 0.001 -score FROM_SUSPICIOUS_NTLD_FP 1.999 0.694 1.999 0.694 -score FSL_BULK_SIG 0.001 0.001 0.001 0.001 +score FROM_PAYPAL_SPOOF 0.001 1.451 0.001 1.451 +score FROM_SUSPICIOUS_NTLD 0.499 0.499 0.499 0.499 +score FROM_SUSPICIOUS_NTLD_FP 1.999 1.999 1.999 1.999 +score FROM_UNBAL1 2.299 2.299 2.299 2.299 +score FSL_BULK_SIG 0.001 0.815 0.001 0.815 score FSL_CTYPE_WIN1251 0.001 0.001 0.001 0.001 +score FSL_HAS_TINYURL 2.799 2.699 2.799 2.699 score FSL_NEW_HELO_USER 0.001 0.001 0.001 0.001 -score FUZZY_AMAZON 0.001 0.001 0.001 0.001 -score FUZZY_BITCOIN 0.001 0.001 0.001 0.001 -score FUZZY_IMPORTANT 2.700 1.190 2.700 1.190 -score FUZZY_PORN 1.836 0.001 1.836 0.001 -score FUZZY_SECURITY 2.399 2.299 2.399 2.299 -score FUZZY_WALLET 1.799 0.001 1.799 0.001 +score FUZZY_IMPORTANT 3.799 0.633 3.799 0.633 +score FUZZY_WALLET 1.799 0.078 1.799 0.078 score GAPPY_SALES_LEADS_FREEM 1.000 1.000 1.000 1.000 -score GB_BITCOIN_CP 2.645 2.999 2.645 2.999 -score GB_BITCOIN_NH 1.994 0.001 1.994 0.001 -score GB_CUSTOM_HTM_URI 0.350 0.036 0.350 0.036 -score GB_FAKE_RF_SHORT 1.292 0.820 1.292 0.820 +score GB_BITCOIN_CP 2.977 0.598 2.977 0.598 +score GB_BITCOIN_NH 1.000 1.980 1.000 1.980 +score GB_CUSTOM_HTM_URI 1.499 0.001 1.499 0.001 +score GB_FAKE_RF_SHORT 1.000 1.000 1.000 1.000 score GB_FORGED_MUA_POSTFIX 1.000 1.000 1.000 1.000 -score GB_FREEMAIL_DISPTO 0.499 0.166 0.499 0.166 +score GB_FREEMAIL_DISPTO 0.001 0.001 0.001 0.001 score GB_FREEMAIL_DISPTO_NOTFREEM 0.500 0.500 0.500 0.500 score GB_GOOGLE_OBFUR 0.750 0.750 0.750 0.750 -score GB_HASHBL_BTC 0.001 0.562 0.001 0.562 +score GB_HASHBL_BTC 0.001 0.504 0.001 0.504 score GB_STORAGE_GOOGLE_EMAIL 1.000 1.000 1.000 1.000 -score GB_URI_FLEEK_STO_HTM 0.999 0.999 0.999 0.999 +score GB_URI_FLEEK_STO_HTM 1.000 1.000 1.000 1.000 score GOOGLE_DOCS_PHISH 1.000 1.000 1.000 1.000 score GOOGLE_DOCS_PHISH_MANY 1.000 1.000 1.000 1.000 score GOOGLE_DOC_SUSP 1.000 1.000 1.000 1.000 score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.000 1.000 1.000 1.000 score GOOG_MALWARE_DNLD 1.000 1.000 1.000 1.000 -score GOOG_REDIR_NORDNS 2.502 2.899 2.502 2.899 +score GOOG_REDIR_HTML_ONLY 1.999 1.999 1.999 1.999 +score GOOG_REDIR_NORDNS 2.600 2.900 2.600 2.900 score GOOG_STO_EMAIL_PHISH 1.000 1.000 1.000 1.000 score GOOG_STO_HTML_PHISH 1.000 1.000 1.000 1.000 score GOOG_STO_HTML_PHISH_MANY 1.000 1.000 1.000 1.000 score GOOG_STO_IMG_HTML 1.000 1.000 1.000 1.000 -score GOOG_STO_IMG_NOHTML 2.500 2.499 2.500 2.499 -score GOOG_STO_NOIMG_HTML 2.706 2.893 2.706 2.893 +score GOOG_STO_IMG_NOHTML 1.000 2.500 1.000 2.500 +score GOOG_STO_NOIMG_HTML 3.000 2.949 3.000 2.949 score HAS_X_NO_RELAY 1.000 1.000 1.000 1.000 -score HAS_X_OUTGOING_SPAM_STAT 0.502 0.207 0.502 0.207 -score HDRS_LCASE 0.100 0.001 0.100 0.001 -score HDRS_LCASE_IMGONLY 0.099 0.099 0.099 0.099 -score HDRS_MISSP 2.499 2.499 2.499 2.499 -score HDR_ORDER_FTSDMCXX_DIRECT 0.001 0.001 0.001 0.001 -score HDR_ORDER_FTSDMCXX_NORDNS 0.349 0.001 0.349 0.001 +score HAS_X_OUTGOING_SPAM_STAT 0.502 0.001 0.502 0.001 +score HDRS_LCASE 0.001 0.100 0.001 0.100 +score HDRS_LCASE_IMGONLY 0.100 0.099 0.100 0.099 +score HDRS_MISSP 2.499 0.718 2.499 0.718 +score HDR_ORDER_FTSDMCXX_DIRECT 0.865 0.001 0.865 0.001 +score HDR_ORDER_FTSDMCXX_NORDNS 0.001 0.001 0.001 0.001 score HEADER_FROM_DIFFERENT_DOMAINS 0.250 0.250 0.250 0.250 +score HELO_MISC_IP 0.250 0.001 0.250 0.001 score HELO_NO_DOMAIN 0.001 0.001 0.001 0.001 -score HEXHASH_WORD 1.000 1.000 1.000 1.000 +score HEXHASH_WORD 1.000 1.973 1.000 1.973 score HK_CTE_RAW 1.000 1.000 1.000 1.000 -score HK_LOTTO 0.999 0.242 0.999 0.242 +score HK_LOTTO 1.000 0.120 1.000 0.120 score HK_NAME_MR_MRS 0.999 0.999 0.999 0.999 -score HK_RANDOM_ENVFROM 1.000 0.001 1.000 0.001 -score HK_RANDOM_FROM 0.999 1.000 0.999 1.000 +score HK_RANDOM_ENVFROM 0.387 0.999 0.387 0.999 +score HK_RANDOM_FROM 1.000 1.000 1.000 1.000 score HK_RANDOM_REPLYTO 0.999 1.000 0.999 1.000 score HK_RCVD_IP_MULTICAST 1.000 1.000 1.000 1.000 score HK_SCAM 1.999 1.999 1.999 1.999 -score HOSTED_IMG_DIRECT_MX 0.001 0.001 0.001 0.001 +score HK_WIN 1.000 1.000 1.000 1.000 +score HOSTED_IMG_DIRECT_MX 0.001 2.707 0.001 2.707 score HOSTED_IMG_DQ_UNSUB 1.000 1.000 1.000 1.000 -score HOSTED_IMG_FREEM 3.499 2.673 3.499 2.673 +score HOSTED_IMG_FREEM 1.000 1.000 1.000 1.000 score HOSTED_IMG_MULTI 1.000 1.000 1.000 1.000 -score HOSTED_IMG_MULTI_PUB_01 2.999 0.001 2.999 0.001 -score HTML_ENTITY_ASCII 1.000 2.999 1.000 2.999 +score HOSTED_IMG_MULTI_PUB_01 1.000 2.999 1.000 2.999 +score HTML_ENTITY_ASCII 2.999 2.999 2.999 2.999 score HTML_ENTITY_ASCII_TINY 1.000 1.000 1.000 1.000 -score HTML_FONT_TINY_NORDNS 1.999 1.824 1.999 1.824 -score HTML_OFF_PAGE 2.601 2.996 2.601 2.996 +score HTML_FONT_TINY_NORDNS 1.850 1.823 1.850 1.823 +score HTML_OFF_PAGE 1.932 1.000 1.932 1.000 score HTML_SHRT_CMNT_OBFU_MANY 1.000 1.000 1.000 1.000 -score HTML_SINGLET_MANY 2.499 1.000 2.499 1.000 -score HTML_TAG_BALANCE_CENTER 1.940 3.099 1.940 3.099 -score HTML_TEXT_INVISIBLE_FONT 1.999 0.258 1.999 0.258 -score HTML_TEXT_INVISIBLE_STYLE 1.275 0.892 1.275 0.892 +score HTML_SINGLET_MANY 2.499 2.455 2.499 2.455 +score HTML_TAG_BALANCE_CENTER 2.899 2.799 2.899 2.799 +score HTML_TEXT_INVISIBLE_FONT 1.402 1.111 1.402 1.111 +score HTML_TEXT_INVISIBLE_STYLE 2.050 1.207 2.050 1.207 score IMG_ONLY_FM_DOM_INFO 1.000 1.000 1.000 1.000 -score JH_SPAMMY_HEADERS 3.499 3.500 3.499 3.500 +score JH_SPAMMY_HEADERS 3.499 3.499 3.499 3.499 score JH_SPAMMY_PATTERN01 1.000 1.000 1.000 1.000 score JH_SPAMMY_PATTERN02 1.000 1.000 1.000 1.000 -score KHOP_FAKE_EBAY 0.001 0.001 0.001 0.001 -score KHOP_HELO_FCRDNS 0.399 0.001 0.399 0.001 +score KHOP_HELO_FCRDNS 0.399 0.399 0.399 0.399 score LINKEDIN_IMG_NOT_RCVD_LNKN 1.000 1.000 1.000 1.000 score LIST_PRTL_PUMPDUMP 1.000 1.000 1.000 1.000 score LIST_PRTL_SAME_USER 1.000 1.000 1.000 1.000 -score LONG_HEX_URI 2.999 1.614 2.999 1.614 -score LONG_IMG_URI 2.802 0.001 2.802 0.001 -score LONG_INVISIBLE_TEXT 2.990 2.999 2.990 2.999 +score LONG_HEX_URI 2.999 2.870 2.999 2.870 +score LONG_IMG_URI 0.568 2.472 0.568 2.472 +score LONG_INVISIBLE_TEXT 2.999 2.999 2.999 2.999 score LOTS_OF_MONEY 0.010 0.010 0.010 0.010 -score LOTTO_AGENT 1.499 1.499 1.499 1.499 +score LOTTO_AGENT 1.000 1.011 1.000 1.011 +score LOTTO_DEPT 0.001 0.001 0.001 0.001 score LUCRATIVE 1.000 1.000 1.000 1.000 -score MALFORMED_FREEMAIL 2.899 2.999 2.899 2.999 score MALF_HTML_B64 1.000 1.000 1.000 1.000 -score MALWARE_NORDNS 0.001 0.126 0.001 0.126 -score MALWARE_PASSWORD 1.000 1.000 1.000 1.000 -score MAY_BE_FORGED 1.699 0.001 1.699 0.001 -score MILLION_HUNDRED 0.241 1.309 0.241 1.309 -score MILLION_USD 0.548 0.449 0.548 0.449 +score MALWARE_NORDNS 0.937 2.591 0.937 2.591 +score MALWARE_PASSWORD 2.970 3.499 2.970 3.499 +score MALW_ATTACH 2.199 2.299 2.199 2.299 +score MANY_SPAN_IN_TEXT 2.499 2.399 2.499 2.399 +score MILLION_HUNDRED 0.595 1.738 0.595 1.738 +score MILLION_USD 1.212 0.994 1.212 0.994 score MIMEOLE_DIRECT_TO_MX 0.001 0.001 0.001 0.001 score MIME_NO_TEXT 1.000 1.000 1.000 1.000 score MIXED_AREA_CASE 1.000 1.000 1.000 1.000 -score MIXED_CENTER_CASE 1.000 1.000 1.000 1.000 -score MIXED_ES 2.699 2.599 2.699 2.599 +score MIXED_CENTER_CASE 1.000 1.596 1.000 1.596 +score MIXED_ES 1.799 1.999 1.799 1.999 score MIXED_FONT_CASE 1.000 1.000 1.000 1.000 -score MIXED_HREF_CASE 1.000 1.000 1.000 1.000 -score MIXED_IMG_CASE 2.999 1.509 2.999 1.509 +score MIXED_HREF_CASE 1.000 0.487 1.000 0.487 +score MIXED_IMG_CASE 1.000 2.274 1.000 2.274 score MONERO_DEADLINE 1.000 1.000 1.000 1.000 score MONERO_EXTORT_01 1.000 1.000 1.000 1.000 score MONERO_MALWARE 1.000 1.000 1.000 1.000 score MONERO_PAY_ME 1.000 1.000 1.000 1.000 -score MONEY_ATM_CARD 1.799 2.899 1.799 2.899 +score MONEY_ATM_CARD 0.001 0.001 0.001 0.001 +score MONEY_BARRISTER 0.001 0.480 0.001 0.480 score MONEY_FORM 0.001 0.001 0.001 0.001 -score MONEY_FORM_SHORT 2.499 2.499 2.499 2.499 -score MONEY_FRAUD_3 2.472 2.599 2.472 2.599 -score MONEY_FRAUD_5 0.001 0.001 0.001 0.001 -score MONEY_FRAUD_8 0.039 0.001 0.039 0.001 -score MONEY_FREEMAIL_REPTO 3.000 2.379 3.000 2.379 -score MONEY_FROM_41 1.999 0.840 1.999 0.840 -score MONEY_FROM_MISSP 0.001 0.001 0.001 0.001 +score MONEY_FORM_SHORT 2.499 1.078 2.499 1.078 +score MONEY_FRAUD_3 2.573 1.185 2.573 1.185 +score MONEY_FRAUD_5 2.503 1.406 2.503 1.406 +score MONEY_FRAUD_8 1.240 2.037 1.240 2.037 +score MONEY_FREEMAIL_REPTO 2.999 1.109 2.999 1.109 +score MONEY_FROM_MISSP 1.322 0.001 1.322 0.001 score MSGID_DOLLARS_URI_IMG 1.000 1.000 1.000 1.000 score MSGID_HDR_MALF 1.000 1.000 1.000 1.000 -score MSMAIL_PRI_ABNORMAL 1.499 0.912 1.499 0.912 +score MSMAIL_PRI_ABNORMAL 0.209 1.067 0.209 1.067 score MSM_PRIO_REPTO 1.000 1.000 1.000 1.000 -score NAME_EMAIL_DIFF 1.729 0.001 1.729 0.001 -score NA_DOLLARS 1.281 1.499 1.281 1.499 +score NA_DOLLARS 1.499 1.499 1.499 1.499 score NEWEGG_IMG_NOT_RCVD_NEGG 1.000 1.000 1.000 1.000 score NEW_PRODUCTS 1.000 1.000 1.000 1.000 -score NICE_REPLY_A -0.001 -0.257 -0.001 -0.257 +score NICE_REPLY_A -0.001 -0.001 -0.001 -0.001 +score NORDNS_LOW_CONTRAST 0.001 1.152 0.001 1.152 score NO_FM_NAME_IP_HOSTN 0.001 0.001 0.001 0.001 score NSL_RCVD_FROM_USER 0.001 0.001 0.001 0.001 -score NSL_RCVD_HELO_USER 0.001 0.001 0.001 0.001 -score NUMBERONLY_BITCOIN_EXP 0.001 1.228 0.001 1.228 -score OBFU_BITCOIN 0.001 0.001 0.001 0.001 -score OBFU_TEXT_ATTACH 0.569 1.444 0.569 1.444 -score ODD_FREEM_REPTO 3.000 2.532 3.000 2.532 -score PDS_BAD_THREAD_QP_64 0.001 0.180 0.001 0.180 -score PDS_BTC_ID 0.500 0.318 0.500 0.318 +score NSL_RCVD_HELO_USER 0.001 2.259 0.001 2.259 +score NUMBERONLY_BITCOIN_EXP 1.999 1.999 1.999 1.999 +score OBFU_BITCOIN 1.000 1.000 1.000 1.000 +score OBFU_TEXT_ATTACH 0.046 0.898 0.046 0.898 +score ODD_FREEM_REPTO 2.999 2.557 2.999 2.557 +score PDS_BAD_THREAD_QP_64 0.001 0.001 0.001 0.001 +score PDS_BTC_ID 0.499 0.292 0.499 0.292 score PDS_BTC_MSGID 0.001 0.001 0.001 0.001 -score PDS_BTC_NTLD 0.515 0.554 0.515 0.554 +score PDS_BTC_NTLD 0.789 0.027 0.789 0.027 score PDS_DBL_URL_TNB_RUNON 1.999 1.000 1.999 1.000 -score PDS_FROM_2_EMAILS 1.268 1.923 1.268 1.923 -score PDS_HELO_SPF_FAIL 0.001 1.000 0.001 1.000 -score PDS_NAKED_TO_NUMERO 1.999 1.999 1.999 1.999 -score PDS_NO_FULL_NAME_SPOOFED_URL 0.750 0.750 0.750 0.750 -score PDS_OTHER_BAD_TLD 1.999 1.999 1.999 1.999 -score PDS_RDNS_DYNAMIC_FP 0.001 0.001 0.001 0.001 +score PDS_EMPTYSUBJ_URISHRT 1.477 1.419 1.477 1.419 +score PDS_FROM_2_EMAILS_SHRTNER 0.605 1.445 0.605 1.445 +score PDS_HELO_SPF_FAIL 0.001 1.999 0.001 1.999 +score PDS_NAKED_TO_NUMERO 1.996 1.149 1.996 1.149 +score PDS_NO_FULL_NAME_SPOOFED_URL 0.749 0.749 0.749 0.749 +score PDS_PHP_EVAL 1.000 1.499 1.000 1.499 +score PDS_RDNS_DYNAMIC_FP 0.001 0.010 0.001 0.010 score PDS_SHORT_SPOOFED_URL 1.999 1.999 1.999 1.999 -score PDS_TINYSUBJ_URISHRT 1.000 1.000 1.000 1.000 +score PDS_TINYSUBJ_URISHRT 1.499 1.356 1.499 1.356 score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 1.000 1.000 1.000 1.000 +score PDS_TONAME_EQ_TOLOCAL_VSHORT 0.999 0.999 0.999 0.999 score PHISH_AZURE_CLOUDAPP 3.500 3.500 3.500 3.500 score PHISH_FBASEAPP 1.000 1.000 1.000 1.000 score PHP_NOVER_MUA 1.000 1.000 1.000 1.000 -score PHP_ORIG_SCRIPT 2.499 2.491 2.499 2.491 -score PHP_SCRIPT 2.499 2.352 2.499 2.352 +score PHP_ORIG_SCRIPT 2.347 1.351 2.347 1.351 +score PHP_ORIG_SCRIPT_EVAL 1.000 2.999 1.000 2.999 +score PHP_SCRIPT 2.499 2.398 2.499 2.398 score PHP_SCRIPT_MUA 1.000 1.000 1.000 1.000 +score POSSIBLE_GMAIL_PHISHER 1.382 0.694 1.382 0.694 score PP_MIME_FAKE_ASCII_TEXT 0.999 0.001 0.999 0.001 score PP_TOO_MUCH_UNICODE02 0.500 0.500 0.500 0.500 score PP_TOO_MUCH_UNICODE05 1.000 1.000 1.000 1.000 @@ -286,23 +285,12 @@ score PUMPDUMP_MULTI 1.000 1.000 1.000 1.000 score RAND_HEADER_LIST_SPOOF 1.000 1.000 1.000 1.000 score RAND_HEADER_MANY 1.000 1.000 1.000 1.000 score RAND_MKTG_HEADER 1.999 1.999 1.999 1.999 -score RATWARE_NO_RDNS 0.001 0.001 0.001 0.001 +score RATWARE_NO_RDNS 0.001 1.897 0.001 1.897 score RCVD_DOTEDU_SHORT 1.000 1.000 1.000 1.000 score RCVD_DOTEDU_SUSP_URI 1.000 1.000 1.000 1.000 -score RCVD_IN_MSPIKE_BL 0.001 0.001 0.001 0.001 score RCVD_IN_MSPIKE_H2 0.001 -0.001 0.001 -0.001 -score RCVD_IN_MSPIKE_H3 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_H4 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_H5 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L2 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L3 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L4 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_L5 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_WL 0.001 0.001 0.001 0.001 -score RCVD_IN_MSPIKE_ZBI 0.001 0.001 0.001 0.001 score RDNS_NUM_TLD_ATCHNX 1.000 1.000 1.000 1.000 score RDNS_NUM_TLD_XM 1.000 1.000 1.000 1.000 -score READY_TO_SHIP 1.000 1.000 1.000 1.000 score REPTO_419_FRAUD 1.000 1.000 1.000 1.000 score REPTO_419_FRAUD_AOL 1.000 1.000 1.000 1.000 score REPTO_419_FRAUD_AOL_LOOSE 1.000 1.000 1.000 1.000 @@ -318,91 +306,86 @@ score REPTO_419_FRAUD_YH_LOOSE 1.000 1.000 1.000 1.000 score REPTO_419_FRAUD_YJ 1.000 1.000 1.000 1.000 score REPTO_419_FRAUD_YN 1.000 1.000 1.000 1.000 score REPTO_INFONUMSCOM 1.000 1.000 1.000 1.000 -score RISK_FREE 0.001 0.001 0.001 0.001 -score SCC_CANSPAM_2 2.700 0.631 2.700 0.631 score SCC_ISEMM_LID_1 1.000 1.000 1.000 1.000 -score SCC_ISEMM_LID_1A 3.301 3.499 3.301 3.499 score SCC_ISEMM_LID_1B 1.499 1.499 1.499 1.499 -score SENDGRID_REDIR 1.499 1.062 1.499 1.062 +score SENDGRID_REDIR 1.499 1.068 1.499 1.068 score SENDGRID_REDIR_PHISH 1.000 1.000 1.000 1.000 score SEO_SUSP_NTLD 1.000 1.000 1.000 1.000 -score SERGIO_SUBJECT_VIAGRA01 3.135 1.313 3.135 1.313 -score SHOPIFY_IMG_NOT_RCVD_SFY 2.038 2.499 2.038 2.499 -score SHORTENER_SHORT_IMG 1.045 1.296 1.045 1.296 +score SHOPIFY_IMG_NOT_RCVD_SFY 2.499 2.298 2.499 2.298 +score SHORTENER_SHORT_IMG 1.000 1.000 1.000 1.000 score SHORT_IMG_SUSP_NTLD 1.000 1.000 1.000 1.000 -score SHORT_SHORTNER 1.999 1.999 1.999 1.999 +score SHORT_SHORTNER 1.999 1.108 1.999 1.108 score SPOOFED_FREEMAIL 0.001 0.001 0.001 0.001 score SPOOFED_FREEMAIL_NO_RDNS 0.001 0.001 0.001 0.001 -score SPOOFED_FREEM_REPTO 0.001 0.502 0.001 0.502 -score SPOOFED_FREEM_REPTO_CHN 0.001 1.000 0.001 1.000 +score SPOOFED_FREEM_REPTO 0.001 2.499 0.001 2.499 +score SPOOFED_FREEM_REPTO_CHN 0.001 1.215 0.001 1.215 score SPOOFED_FREEM_REPTO_RUS 0.001 1.000 0.001 1.000 score SPOOF_GMAIL_MID 1.499 0.001 1.499 0.001 -score STATIC_XPRIO_OLE 0.001 0.001 0.001 0.001 +score STATIC_XPRIO_OLE 0.001 1.865 0.001 1.865 score STOCK_TIP 1.000 1.000 1.000 1.000 -score SUBJ_ATTENTION 0.499 0.499 0.499 0.499 +score STOX_BOUND_090909_B 1.674 0.001 1.674 0.001 score SUBJ_BRKN_WORDNUMS 1.000 1.000 1.000 1.000 -score SURBL_BLOCKED 0.001 0.001 0.001 0.001 -score SUSP_UTF8_WORD_SUBJ 2.000 0.367 2.000 0.367 +score SUSP_UTF8_WORD_SUBJ 2.000 1.999 2.000 1.999 score SYSADMIN 1.000 1.000 1.000 1.000 score TAGSTAT_IMG_NOT_RCVD_TGST 1.000 1.000 1.000 1.000 score TARINGANET_IMG_NOT_RCVD_TN 1.000 1.000 1.000 1.000 -score THIS_AD 1.899 1.799 1.899 1.799 +score THIS_AD 2.400 1.262 2.400 1.262 score THIS_IS_ADV_SUSP_NTLD 1.000 1.000 1.000 1.000 score TONLINE_FAKE_DKIM 1.000 1.000 1.000 1.000 +score TONOM_EQ_TOLOC_SHRT_SHRTNER 0.001 0.001 0.001 0.001 score TO_EQ_FM_DIRECT_MX 1.000 1.000 1.000 1.000 score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.001 0.001 0.001 score TO_EQ_FM_SPF_FAIL 0.001 0.001 0.001 0.001 score TO_IN_SUBJ 0.100 0.100 0.100 0.100 -score TO_NAME_SUBJ_NO_RDNS 1.000 1.000 1.000 1.000 +score TO_NAME_SUBJ_NO_RDNS 2.605 0.950 2.605 0.950 score TO_NO_BRKTS_FROM_MSSP 2.499 2.499 2.499 2.499 score TO_NO_BRKTS_HTML_IMG 1.999 1.999 1.999 1.999 -score TO_NO_BRKTS_HTML_ONLY 1.999 1.999 1.999 1.999 -score TO_NO_BRKTS_MSFT 0.001 0.001 0.001 0.001 -score TO_NO_BRKTS_NORDNS_HTML 2.000 1.999 2.000 1.999 +score TO_NO_BRKTS_HTML_ONLY 2.000 1.999 2.000 1.999 +score TO_NO_BRKTS_MSFT 0.001 0.546 0.001 0.546 +score TO_NO_BRKTS_NORDNS_HTML 1.999 1.370 1.999 1.370 score TO_NO_BRKTS_PCNT 2.499 2.500 2.499 2.500 -score TVD_RCVD_SPACE_BRACKET 0.126 0.557 0.126 0.557 -score TVD_SPACE_ENCODED 2.046 0.001 2.046 0.001 -score TVD_SPACE_RATIO_MINFP 0.796 0.001 0.796 0.001 +score TVD_PH_7 2.199 2.299 2.199 2.299 +score TVD_SUBJ_APPR_LOAN 0.001 2.200 0.001 2.200 score TW_GIBBERISH_MANY 1.000 1.000 1.000 1.000 score UC_GIBBERISH_OBFU 1.000 1.000 1.000 1.000 -score UNDISC_FREEM 2.899 2.799 2.899 2.799 -score UNDISC_MONEY 3.299 3.200 3.299 3.200 -score UNICODE_OBFU_ASC 2.499 2.499 2.499 2.499 +score UNDISC_FREEM 2.999 2.899 2.999 2.899 +score UNDISC_MONEY 2.748 1.979 2.748 1.979 +score UNICODE_OBFU_ASC 1.000 2.499 1.000 2.499 score UNICODE_OBFU_ZW 1.000 1.000 1.000 1.000 score UNSUB_GOOG_FORM 1.000 1.000 1.000 1.000 score URI_ADOBESPARK 1.000 1.000 1.000 1.000 score URI_AZURE_CLOUDAPP 1.000 1.000 1.000 1.000 score URI_DASHGOVEDU 1.000 1.000 1.000 1.000 score URI_DATA 1.000 1.000 1.000 1.000 -score URI_DOTEDU 1.999 1.265 1.999 1.265 +score URI_DOTEDU 1.000 1.678 1.000 1.678 score URI_DOTEDU_ENTITY 1.000 1.000 1.000 1.000 score URI_FIREBASEAPP 1.000 1.000 1.000 1.000 -score URI_GOOGLE_PROXY 2.199 2.199 2.199 2.199 +score URI_GOOGLE_PROXY 1.799 1.599 1.799 1.599 score URI_GOOG_STO_SPAMMY 3.000 3.000 3.000 3.000 score URI_HEX_IP 1.000 1.000 1.000 1.000 score URI_IMG_WP_REDIR 1.000 1.000 1.000 1.000 score URI_LONG_REPEAT 1.000 1.000 1.000 1.000 -score URI_OBFU_DOM 2.499 2.500 2.499 2.500 -score URI_ONLY_MSGID_MALF 0.001 1.000 0.001 1.000 -score URI_OPTOUT_3LD 1.000 1.000 1.000 1.000 -score URI_PHISH 3.999 3.699 3.999 3.699 +score URI_ONLY_MSGID_MALF 1.000 1.000 1.000 1.000 +score URI_OPTOUT_3LD 1.000 2.000 1.000 2.000 +score URI_PHISH 3.999 3.627 3.999 3.627 score URI_PHP_REDIR 1.000 1.000 1.000 1.000 -score URI_TRY_3LD 1.948 0.378 1.948 0.378 +score URI_TRY_3LD 1.999 1.667 1.999 1.667 score URI_TRY_USME 1.000 1.000 1.000 1.000 -score URI_WPADMIN 1.686 2.199 1.686 2.199 +score URI_WPADMIN 0.001 2.299 0.001 2.299 score URI_WP_DIRINDEX 1.000 1.000 1.000 1.000 -score URI_WP_HACKED 1.686 3.499 1.686 3.499 +score URI_WP_HACKED 3.500 3.499 3.500 3.499 score URI_WP_HACKED_2 2.499 2.499 2.499 2.499 score USB_DRIVES 1.000 1.000 1.000 1.000 -score VFY_ACCT_NORDNS 2.528 1.970 2.528 1.970 +score VFY_ACCT_NORDNS 2.622 2.999 2.622 2.999 score VPS_NO_NTLD 1.000 1.000 1.000 1.000 score WALMART_IMG_NOT_RCVD_WAL 1.000 1.000 1.000 1.000 -score WORD_INVIS 0.544 0.001 0.544 0.001 -score WORD_INVIS_MANY 2.999 2.999 2.999 2.999 -score XFER_LOTSA_MONEY 0.999 0.001 0.999 0.001 +score WORD_INVIS 1.576 0.504 1.576 0.504 +score WORD_INVIS_MANY 3.000 2.999 3.000 2.999 +score XFER_LOTSA_MONEY 0.541 0.498 0.541 0.498 score XM_DIGITS_ONLY 1.000 1.000 1.000 1.000 -score XM_RANDOM 1.799 0.001 1.799 0.001 -score XPRIO 1.104 0.001 1.104 0.001 -score XPRIO_SHORT_SUBJ 1.170 2.499 1.170 2.499 -score XPRIO_URL_SHORTNER 0.999 0.999 0.999 0.999 -score YOU_INHERIT 1.606 2.237 1.606 2.237 +score XM_RANDOM 1.352 2.302 1.352 2.302 +score XM_RECPTID 2.999 1.602 2.999 1.602 +score XPRIO 0.397 0.001 0.397 0.001 +score XPRIO_SHORT_SUBJ 1.000 1.000 1.000 1.000 +score XPRIO_URL_SHORTNER 0.523 0.999 0.523 0.999 +score YOU_INHERIT 0.926 1.345 0.926 1.345 diff --git a/sa-updates/73_sandbox_manual_scores.cf b/sa-updates/73_sandbox_manual_scores.cf index 5bc7527..d8ed347 100644 --- a/sa-updates/73_sandbox_manual_scores.cf +++ b/sa-updates/73_sandbox_manual_scores.cf @@ -22,7 +22,7 @@ # ########################################################################### -require_version 3.004006 +require_version 4.000000 # jhardin # things depend on these