From 54c714b2bf3bb95a632b95b3fbbbe75222d038a7 Mon Sep 17 00:00:00 2001 From: Stoiko Ivanov Date: Tue, 4 Jun 2024 14:33:16 +0200 Subject: [PATCH] update SpamAssassin signatures after installing the package with version 4.0.1 Signed-off-by: Stoiko Ivanov --- sa-updates/20_advance_fee.cf | 2 +- sa-updates/20_body_tests.cf | 2 +- sa-updates/20_compensate.cf | 2 +- sa-updates/20_dnsbl_tests.cf | 86 ++-- sa-updates/20_drugs.cf | 2 +- sa-updates/20_dynrdns.cf | 2 +- sa-updates/20_fake_helo_tests.cf | 2 +- sa-updates/20_head_tests.cf | 2 +- sa-updates/20_html_tests.cf | 2 +- sa-updates/20_meta_tests.cf | 2 +- sa-updates/20_net_tests.cf | 2 +- sa-updates/20_phrases.cf | 2 +- sa-updates/20_porn.cf | 2 +- sa-updates/20_uri_tests.cf | 2 +- sa-updates/23_bayes.cf | 2 +- sa-updates/30_text_de.cf | 9 - sa-updates/30_text_fr.cf | 8 - sa-updates/30_text_nl.cf | 9 - sa-updates/30_text_pl.cf | 7 - sa-updates/30_text_pt_br.cf | 9 - sa-updates/50_scores.cf | 12 +- sa-updates/60_welcomelist_auth.cf | 2 - sa-updates/72_active.cf | 589 ++++++++++++------------- sa-updates/72_scores.cf | 464 ++++++++++--------- sa-updates/73_sandbox_manual_scores.cf | 2 +- 25 files changed, 560 insertions(+), 665 deletions(-) diff --git a/sa-updates/20_advance_fee.cf b/sa-updates/20_advance_fee.cf index fb057fc..7267d0c 100644 --- a/sa-updates/20_advance_fee.cf +++ b/sa-updates/20_advance_fee.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 # predicate naming used to avoid renumbering # 1. assign new rules a random unique three letter sequence diff --git a/sa-updates/20_body_tests.cf b/sa-updates/20_body_tests.cf index 7cba37c..b972bce 100644 --- a/sa-updates/20_body_tests.cf +++ b/sa-updates/20_body_tests.cf @@ -30,7 +30,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ########################################################################### # GTUBE test - the generic test for UBE. diff --git a/sa-updates/20_compensate.cf b/sa-updates/20_compensate.cf index 1a9972e..261d3e1 100644 --- a/sa-updates/20_compensate.cf +++ b/sa-updates/20_compensate.cf @@ -24,7 +24,7 @@ ########################################################################### # Header compensation tests -require_version 4.000000 +require_version 4.000001 header __HAS_RCVD exists:Received priority __HAS_RCVD -2000 # Bug 8078 diff --git a/sa-updates/20_dnsbl_tests.cf b/sa-updates/20_dnsbl_tests.cf index 8907552..59359ee 100644 --- a/sa-updates/20_dnsbl_tests.cf +++ b/sa-updates/20_dnsbl_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ########################################################################### @@ -39,63 +39,6 @@ ifplugin Mail::SpamAssassin::Plugin::DNSEval # DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply. -# --------------------------------------------------------------------------- -# SORBS -# transfers: both axfr and ixfr available -# URL: http://www.dnsbl.sorbs.net/ -# pay-to-use: no -# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request - -header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.') -describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS -tflags __RCVD_IN_SORBS net -reuse __RCVD_IN_SORBS - -header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2') -describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server -tflags RCVD_IN_SORBS_HTTP net -reuse RCVD_IN_SORBS_HTTP - -header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3') -describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server -tflags RCVD_IN_SORBS_SOCKS net -reuse RCVD_IN_SORBS_SOCKS - -header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4') -describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server -tflags RCVD_IN_SORBS_MISC net -reuse RCVD_IN_SORBS_MISC - -header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5') -describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay -tflags RCVD_IN_SORBS_SMTP net -reuse RCVD_IN_SORBS_SMTP - -# delist: $50 fee -#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6') -#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source -#tflags RCVD_IN_SORBS_SPAM net -#reuse RCVD_IN_SORBS_SPAM RCVD_IN_SORBS_SPAM - -header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7') -describe RCVD_IN_SORBS_WEB SORBS: sender is an abusable web server -tflags RCVD_IN_SORBS_WEB net -reuse RCVD_IN_SORBS_WEB - -header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8') -describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested -tflags RCVD_IN_SORBS_BLOCK net -reuse RCVD_IN_SORBS_BLOCK - -header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9') -describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network -tflags RCVD_IN_SORBS_ZOMBIE net -reuse RCVD_IN_SORBS_ZOMBIE - -header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10') -describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address -tflags RCVD_IN_SORBS_DUL net -reuse RCVD_IN_SORBS_DUL # --------------------------------------------------------------------------- # Spamhaus ZEN includes SBL+CSS+XBL+PBL @@ -208,27 +151,48 @@ reuse RCVD_IN_IADB_VOUCHED # Certified: # https://www.validity.com/resource-center/fact-sheet-certification/ # (replaces RCVD_IN_BSP_TRUSTED, RCVD_IN_BSP_OTHER, RCVD_IN_SSC_TRUSTED_COI, RCVD_IN_RP_CERTIFIED) -header RCVD_IN_VALIDITY_CERTIFIED eval:check_rbl_txt('ssc-firsttrusted', 'sa-trusted.bondedsender.org.') +header RCVD_IN_VALIDITY_CERTIFIED eval:check_rbl('ssc-firsttrusted', 'sa-trusted.bondedsender.org.', '^127\.0\.0\.') describe RCVD_IN_VALIDITY_CERTIFIED Sender in Validity Certification - Contact certification@validity.com tflags RCVD_IN_VALIDITY_CERTIFIED net nice publish reuse RCVD_IN_VALIDITY_CERTIFIED RCVD_IN_RP_CERTIFIED +header RCVD_IN_VALIDITY_CERTIFIED_BLOCKED eval:check_rbl('ssc-firsttrusted', 'sa-trusted.bondedsender.org.', '127.255.255.255') +describe RCVD_IN_VALIDITY_CERTIFIED_BLOCKED ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. +tflags RCVD_IN_VALIDITY_CERTIFIED_BLOCKED net publish +reuse RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RCVD_IN_VALIDITY_CERTIFIED_BLOCKED + # Safe: # https://www.validity.com/resource-center/fact-sheet-certification/ # (replaces HABEAS_ACCREDITED_COI, HABEAS_ACCREDITED_SOI, HABEAS_CHECKED, RCVD_IN_RP_SAFE) -header RCVD_IN_VALIDITY_SAFE eval:check_rbl_txt('ssc-firsttrusted','sa-accredit.habeas.com.') +header RCVD_IN_VALIDITY_SAFE eval:check_rbl('ssc-firsttrusted', 'sa-accredit.habeas.com.', '^127\.0\.0\.') describe RCVD_IN_VALIDITY_SAFE Sender in Validity Safe - Contact certification@validity.com tflags RCVD_IN_VALIDITY_SAFE net nice publish reuse RCVD_IN_VALIDITY_SAFE RCVD_IN_RP_SAFE +header RCVD_IN_VALIDITY_SAFE_BLOCKED eval:check_rbl('ssc-firsttrusted', 'sa-accredit.habeas.com.', '127.255.255.255') +describe RCVD_IN_VALIDITY_SAFE_BLOCKED ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. +tflags RCVD_IN_VALIDITY_SAFE_BLOCKED net publish +reuse RCVD_IN_VALIDITY_SAFE_BLOCKED RCVD_IN_VALIDITY_SAFE_BLOCKED + # Validity RPBL (née Return Path Reputation Network Blacklist - RNBL): # https://www.senderscore.org/blocklistlookup/ # (replaces RCVD_IN_RP_RNBL) -header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.') +header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal', 'bl.score.senderscore.com.', '^127\.0\.0\.') describe RCVD_IN_VALIDITY_RPBL Relay in Validity RPBL, https://senderscore.org/blocklistlookup/ tflags RCVD_IN_VALIDITY_RPBL net publish reuse RCVD_IN_VALIDITY_RPBL RCVD_IN_RP_RNBL +header RCVD_IN_VALIDITY_RPBL_BLOCKED eval:check_rbl('rnbl-lastexternal', 'bl.score.senderscore.com.', '127.255.255.255') +describe RCVD_IN_VALIDITY_RPBL_BLOCKED ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. +tflags RCVD_IN_VALIDITY_RPBL_BLOCKED net publish +reuse RCVD_IN_VALIDITY_RPBL_BLOCKED RCVD_IN_VALIDITY_RPBL_BLOCKED + +if can(Mail::SpamAssassin::Conf::feature_dns_block_rule) +dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED sa-trusted.bondedsender.org +dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED sa-accredit.habeas.com +dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED bl.score.senderscore.com +endif + endif #These are old and useless - The zones are no longer supported by SpamHaus 2018-12-12 diff --git a/sa-updates/20_drugs.cf b/sa-updates/20_drugs.cf index a52237b..40c13a4 100644 --- a/sa-updates/20_drugs.cf +++ b/sa-updates/20_drugs.cf @@ -31,7 +31,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ########################################################################### # header rules diff --git a/sa-updates/20_dynrdns.cf b/sa-updates/20_dynrdns.cf index dddc96d..28e9cdd 100644 --- a/sa-updates/20_dynrdns.cf +++ b/sa-updates/20_dynrdns.cf @@ -25,7 +25,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 # --------------------------------------------------------------------------- diff --git a/sa-updates/20_fake_helo_tests.cf b/sa-updates/20_fake_helo_tests.cf index c2fdde8..9f9bfcf 100644 --- a/sa-updates/20_fake_helo_tests.cf +++ b/sa-updates/20_fake_helo_tests.cf @@ -25,7 +25,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 #--------------------------------------------------------------------------- # Handle hosts that look like HELO_DYNAMIC hosts diff --git a/sa-updates/20_head_tests.cf b/sa-updates/20_head_tests.cf index e648823..b6f52e8 100644 --- a/sa-updates/20_head_tests.cf +++ b/sa-updates/20_head_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ########################################################################### diff --git a/sa-updates/20_html_tests.cf b/sa-updates/20_html_tests.cf index f3503a9..2645db7 100644 --- a/sa-updates/20_html_tests.cf +++ b/sa-updates/20_html_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 # HTML parser tests # diff --git a/sa-updates/20_meta_tests.cf b/sa-updates/20_meta_tests.cf index 449392a..f18f117 100644 --- a/sa-updates/20_meta_tests.cf +++ b/sa-updates/20_meta_tests.cf @@ -29,7 +29,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 # some tests that will trigger FPs on ISO-2022-JP mails. diff --git a/sa-updates/20_net_tests.cf b/sa-updates/20_net_tests.cf index f8198f8..77bd512 100644 --- a/sa-updates/20_net_tests.cf +++ b/sa-updates/20_net_tests.cf @@ -30,7 +30,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 # bug 2220. nice results meta DIGEST_MULTIPLE RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1 diff --git a/sa-updates/20_phrases.cf b/sa-updates/20_phrases.cf index c54189e..35df0c1 100644 --- a/sa-updates/20_phrases.cf +++ b/sa-updates/20_phrases.cf @@ -27,7 +27,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ########################################################################### diff --git a/sa-updates/20_porn.cf b/sa-updates/20_porn.cf index 4989034..10e3467 100644 --- a/sa-updates/20_porn.cf +++ b/sa-updates/20_porn.cf @@ -27,7 +27,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ########################################################################### diff --git a/sa-updates/20_uri_tests.cf b/sa-updates/20_uri_tests.cf index c6afc96..1ed80be 100644 --- a/sa-updates/20_uri_tests.cf +++ b/sa-updates/20_uri_tests.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 # possible IDN spoofing attack: https://web.archive.org/web/20141006091906/https://www.shmoo.com/idn/homograph.txt # not expecting any hits on this (yet) diff --git a/sa-updates/23_bayes.cf b/sa-updates/23_bayes.cf index e0ed2e7..69f7c14 100644 --- a/sa-updates/23_bayes.cf +++ b/sa-updates/23_bayes.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ########################################################################### diff --git a/sa-updates/30_text_de.cf b/sa-updates/30_text_de.cf index 39e4a05..50ccee2 100644 --- a/sa-updates/30_text_de.cf +++ b/sa-updates/30_text_de.cf @@ -77,15 +77,6 @@ lang de describe EMAIL_ROT13 Eventuell ROT13-kodierte E-Mail-Adresse im Text lang de describe BLANK_LINES_80_90 Nachrichtentext besteht zu 80-90% aus Leerzeilen lang de describe LONGWORDS Eine Reihe von langen Wörtern hintereinander lang de describe ALL_TRUSTED Nachricht wurde nur über vertrauenswürdige Rechner weitergeleitet -lang de describe __RCVD_IN_SORBS SORBS: Senderechner in Liste von dnsbl.sorbs.net -lang de describe RCVD_IN_SORBS_HTTP SORBS: Senderechner als "open HTTP proxy" gemeldet -lang de describe RCVD_IN_SORBS_MISC SORBS: Senderechner als "open proxy" gemeldet -lang de describe RCVD_IN_SORBS_SMTP SORBS: Senderechner ist ein ungesicherter Mail-Server -lang de describe RCVD_IN_SORBS_SOCKS SORBS: Senderechner als "open SOCKS proxy" gemeldet -lang de describe RCVD_IN_SORBS_WEB SORBS: Senderechner ist ein ungesicherter WWW-Server -lang de describe RCVD_IN_SORBS_BLOCK SORBS: Senderechner verweigert Tests -lang de describe RCVD_IN_SORBS_ZOMBIE SORBS: Senderechner in Liste "entführter" Adressblöcke -lang de describe RCVD_IN_SORBS_DUL SORBS: Senderechner nur temporär mit Internet verbunden lang de describe RCVD_IN_SBL Transportiert via Rechner in SBL-Liste (https://www.spamhaus.org/sbl/) lang de describe RCVD_IN_XBL Transportiert via Rechner in XBL-Liste (https://www.spamhaus.org/xbl/) lang de describe RCVD_IN_BL_SPAMCOP_NET Transportiert via Rechner in Liste von www.spamcop.net diff --git a/sa-updates/30_text_fr.cf b/sa-updates/30_text_fr.cf index 840f8e0..39e8731 100644 --- a/sa-updates/30_text_fr.cf +++ b/sa-updates/30_text_fr.cf @@ -213,19 +213,11 @@ lang fr describe RATWARE_OE_MALFORMED En-t lang fr describe RCVD_AM_PM En-tête Received: falsifié (AM/PM) lang fr describe RCVD_FAKE_HELO_DOTCOM En-tête Received contient nom d'hôte falsifié dans le HELO lang fr describe RCVD_IN_BL_SPAMCOP_NET Relais listé dans http://spamcop.net/bl.shtml -lang fr describe RCVD_IN_SORBS_DUL Envoyé directement depuis une adresse IP dynamique lang fr describe RCVD_IN_MAPS_DUL Relais listé dans DUL, http://www.mail-abuse.org/dul/ lang fr describe RCVD_IN_MAPS_NML Relais listé dans NML, http://www.mail-abuse.org/nml/ lang fr describe RCVD_IN_MAPS_RBL Relais listé dans RBL, http://www.mail-abuse.org/rbl/ lang fr describe RCVD_IN_MAPS_RSS Relais listé dans RSS, http://www.mail-abuse.org/rss/ lang fr describe RCVD_IN_SBL Relais listé dans https://www.spamhaus.org/sbl/ -lang fr describe RCVD_IN_SORBS_BLOCK SORBS: Relais refusant d'être testé par SORBS -lang fr describe RCVD_IN_SORBS_HTTP SORBS: Envoyé par un proxy HTTP ouvert -lang fr describe RCVD_IN_SORBS_MISC SORBS: Envoyé par un proxy ouvert -lang fr describe RCVD_IN_SORBS_SMTP SORBS: Envoyé par un relais SMTP ouvert -lang fr describe RCVD_IN_SORBS_SOCKS SORBS: Envoyé par un proxy SOCKS ouvert -lang fr describe RCVD_IN_SORBS_WEB SORBS: Envoyé depuis un serveur web vulnérable -lang fr describe RCVD_IN_SORBS_ZOMBIE SORBS: Envoyé depuis un réseau IP piraté lang fr describe REFINANCE_NOW Offre de refinancement immobilier lang fr describe REFINANCE_YOUR_HOME Offre de refinancement immobilier lang fr describe SORTED_RECIPS La liste des destinataires est triée par ordre alphabétique diff --git a/sa-updates/30_text_nl.cf b/sa-updates/30_text_nl.cf index 882f015..8e0f616 100644 --- a/sa-updates/30_text_nl.cf +++ b/sa-updates/30_text_nl.cf @@ -64,15 +64,6 @@ lang nl describe MPART_ALT_DIFF HTML en tekst delen zijn versch lang nl describe CHARSET_FARAWAY Karakterset wijst op vreemde taal lang nl describe EMAIL_ROT13 Body bevat een ROT13-versleuteld emailadres lang nl describe BLANK_LINES_80_90 Bericht bestaat voor 80-90% uit witregels -lang nl describe __RCVD_IN_SORBS SORBS: verzender is gevonden in SORBS -lang nl describe RCVD_IN_SORBS_HTTP SORBS: verzender is een open HTTP proxy server -lang nl describe RCVD_IN_SORBS_MISC SORBS: verzender is een open proxy server -lang nl describe RCVD_IN_SORBS_SMTP SORBS: verzender is een open SMTP relay -lang nl describe RCVD_IN_SORBS_SOCKS SORBS: verzender is een open SOCKS proxy server -lang nl describe RCVD_IN_SORBS_WEB SORBS: verzender is een misbruikbare web server -lang nl describe RCVD_IN_SORBS_BLOCK SORBS: verzender weigert getest te worden -lang nl describe RCVD_IN_SORBS_ZOMBIE SORBS: verzender is een gekaapt netwerk -lang nl describe RCVD_IN_SORBS_DUL SORBS: bericht is direct verstuurd vanaf een dynamisch IP adres lang nl describe RCVD_IN_SBL Ontvangen via een relay die gevonden is in Spamhaus SBL lang nl describe RCVD_IN_XBL Ontvangen via een relay die gevonden is in Spamhaus XBL lang nl describe RCVD_IN_BL_SPAMCOP_NET Ontvangen via een relay die gevonden is in bl.spamcop.net diff --git a/sa-updates/30_text_pl.cf b/sa-updates/30_text_pl.cf index c249b4e..360f30b 100644 --- a/sa-updates/30_text_pl.cf +++ b/sa-updates/30_text_pl.cf @@ -204,13 +204,6 @@ lang pl describe RCVD_IN_MAPS_NML "open relay" wed lang pl describe RCVD_IN_MAPS_RBL "open relay" wed³ug RBL, http://www.mail-abuse.org/rbl/ lang pl describe RCVD_IN_MAPS_RSS "open relay" wed³ug RSS, http://www.mail-abuse.org/rss/ lang pl describe RCVD_IN_SBL Otrzymano przez relay listowany w Spamhaus Block List -lang pl describe RCVD_IN_SORBS_BLOCK SORBS: nadawca nie pozwala siê testowaæ -lang pl describe RCVD_IN_SORBS_HTTP SORBS: nadawca jest otwartym serwerem HTTP -lang pl describe RCVD_IN_SORBS_MISC SORBS: nadawca jest otwartym serwerem proxy -lang pl describe RCVD_IN_SORBS_SMTP SORBS: nadawca posiada otwarty serwer (Open Relay) -lang pl describe RCVD_IN_SORBS_SOCKS SORBS: nadawca jest otwartym serwerem SOCKS proxy -lang pl describe RCVD_IN_SORBS_WEB SORBS: nadawca posiada nadu¿ywany serwer WWW -lang pl describe RCVD_IN_SORBS_ZOMBIE SORBS: nadawca jest z sieci bez kontroli lang pl describe REFINANCE_NOW Refinansowanie domów lang pl describe REFINANCE_YOUR_HOME Refinansowanie domów lang pl describe SORTED_RECIPS Lista odbiorców posortowana wed³ug adresu diff --git a/sa-updates/30_text_pt_br.cf b/sa-updates/30_text_pt_br.cf index 3b8b358..a21a947 100644 --- a/sa-updates/30_text_pt_br.cf +++ b/sa-updates/30_text_pt_br.cf @@ -97,15 +97,6 @@ lang pt_BR describe ALL_TRUSTED Mensagem passou via SMTP apenas por hosts confi lang pt_BR describe NO_RELAYS Informação: mensagem não foi recebida via SMTP # 20_dnsbl_tests.cf -lang pt_BR describe __RCVD_IN_SORBS Recebida por um relay listado em SORBS -lang pt_BR describe RCVD_IN_SORBS_HTTP SORBS: remetente é um proxy HTTP aberto -lang pt_BR describe RCVD_IN_SORBS_SOCKS SORBS: remetente é um proxy SOCKS aberto -lang pt_BR describe RCVD_IN_SORBS_MISC SORBS: remetente é um proxy aberto -lang pt_BR describe RCVD_IN_SORBS_SMTP SORBS: remetente é um relay SMTP aberto -lang pt_BR describe RCVD_IN_SORBS_WEB SORBS: remetente é um servidor web explorável -lang pt_BR describe RCVD_IN_SORBS_BLOCK SORBS: remetente requer que não seja testado -lang pt_BR describe RCVD_IN_SORBS_ZOMBIE SORBS: remetente está em uma rede comprometida -lang pt_BR describe RCVD_IN_SORBS_DUL SORBS: mensagem enviada a partir de um IP dinâmico lang pt_BR describe __RCVD_IN_ZEN Recebida por um relay listado em Spamhaus Zen lang pt_BR describe RCVD_IN_SBL Recebida por um relay listado em Spamhaus SBL lang pt_BR describe RCVD_IN_XBL Recebida por um relay listado em Spamhaus XBL diff --git a/sa-updates/50_scores.cf b/sa-updates/50_scores.cf index 3f3cd3f..7301fe4 100644 --- a/sa-updates/50_scores.cf +++ b/sa-updates/50_scores.cf @@ -285,6 +285,7 @@ score RCVD_FORGED_WROTE2 0 # n=0 n=1 n=2 n=3 #score RCVD_IN_BRBL_LASTEXT 0 1.644 0 1.449 # n=0 n=2 score RCVD_IN_PSBL 0 2.700 0 2.700 # n=0 n=2 score RCVD_IN_VALIDITY_RPBL 0 1.284 0 1.310 # n=0 n=2 +score RCVD_IN_VALIDITY_RPBL_BLOCKED 0 0.001 0 0.001 score RCVD_MAIL_COM 0 # n=0 n=1 n=2 n=3 score RDNS_DYNAMIC 2.639 0.363 1.663 0.982 score RDNS_LOCALHOST 3.700 0.969 2.345 0.001 @@ -504,15 +505,6 @@ score RCVD_IN_IADB_UT_CPEAR 0 # n=0 n=1 n=2 n=3 score RCVD_IN_IADB_UT_CPR_30 0 # n=0 n=1 n=2 n=3 score RCVD_IN_IADB_UT_CPR_MAT 0 -0.095 0 -0.001 # n=0 n=1 n=2 score RCVD_IN_SBL 0 2.596 0 0.141 # n=0 n=2 -score RCVD_IN_SORBS_BLOCK 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2 -score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2 -score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3 -score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2 -#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5 -score RCVD_IN_SORBS_WEB 0 1.5 0 1.5 -score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3 score RCVD_IN_XBL 0 0.724 0 0.375 # n=0 n=2 score RCVD_IN_PBL 0 3.558 0 3.335 # n=0 n=2 score RCVD_IN_SBL_CSS 0 3.558 0 3.335 # n=0 n=2 @@ -528,7 +520,9 @@ score RCVD_IN_ZEN_BLOCKED 0 0.001 0 0.001 # CERTIFIED is a subset of SAFE, thus the score is cumulative. # -2 + -3 = -5 points for CERTIFIED score RCVD_IN_VALIDITY_CERTIFIED 0.0 -3.0 0.0 -3.0 +score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0 0.001 0 0.001 score RCVD_IN_VALIDITY_SAFE 0.0 -2.0 0.0 -2.0 +score RCVD_IN_VALIDITY_SAFE_BLOCKED 0 0.001 0 0.001 # DNSWL is a commercial service that requires payment for servers over 100K queries daily. # Unfortunately, they will return true answers for DNS servers they consider abusive so diff --git a/sa-updates/60_welcomelist_auth.cf b/sa-updates/60_welcomelist_auth.cf index fab31c7..2208f9e 100644 --- a/sa-updates/60_welcomelist_auth.cf +++ b/sa-updates/60_welcomelist_auth.cf @@ -402,7 +402,6 @@ def_welcomelist_auth *@*.nea.org def_welcomelist_auth *@*.bhg.com def_welcomelist_auth *@*.nest.com def_welcomelist_auth *@*.colehaan.com -def_welcomelist_auth *@*.microsoft.com def_welcomelist_auth *@*.vanheusen.com def_welcomelist_auth *@*.shoppbs.org def_welcomelist_auth *@*.roku.com @@ -1379,7 +1378,6 @@ def_whitelist_auth *@*.nea.org def_whitelist_auth *@*.bhg.com def_whitelist_auth *@*.nest.com def_whitelist_auth *@*.colehaan.com -def_whitelist_auth *@*.microsoft.com def_whitelist_auth *@*.vanheusen.com def_whitelist_auth *@*.shoppbs.org def_whitelist_auth *@*.roku.com diff --git a/sa-updates/72_active.cf b/sa-updates/72_active.cf index b3b48c2..e20c555 100644 --- a/sa-updates/72_active.cf +++ b/sa-updates/72_active.cf @@ -23,7 +23,7 @@ # ########################################################################### -require_version 4.000000 +require_version 4.000001 ##{ ACCT_PHISHING_MANY @@ -330,12 +330,6 @@ meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait ##} AXB_XMAILER_MIMEOLE_OL_024C2 -##{ AXB_X_FF_SEZ_S - -header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/ -describe AXB_X_FF_SEZ_S Forefront sez this is spam -##} AXB_X_FF_SEZ_S - ##{ BANKING_LAWS body BANKING_LAWS /banking laws/i @@ -382,6 +376,13 @@ describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over an tflags BIGNUM_EMAILS_MANY publish ##} BIGNUM_EMAILS_MANY +##{ BILLION_OVERLAP + +meta BILLION_OVERLAP (BILLION_DOLLARS + T_US_DOLLARS_3 >= 2) +#score BILLION_OVERLAP -1.0 +describe BILLION_OVERLAP Reducing score for overlap of similar rules +##} BILLION_OVERLAP + ##{ BITCOIN_BOMB meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 @@ -598,20 +599,6 @@ describe BITCOIN_YOUR_INFO BitCoin with your personal info tflags BITCOIN_YOUR_INFO publish ##} BITCOIN_YOUR_INFO -##{ BODY_SINGLE_URI - -meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML -describe BODY_SINGLE_URI Message body is only a URI -#score BODY_SINGLE_URI 2.500 # limit -##} BODY_SINGLE_URI - -##{ BODY_SINGLE_WORD - -meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP -describe BODY_SINGLE_WORD Message body is only one word (no spaces) -#score BODY_SINGLE_WORD 2.500 # limit -##} BODY_SINGLE_WORD - ##{ BODY_URI_ONLY meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV @@ -789,14 +776,6 @@ endif body CURR_PRICE /\bCurrent Price:/ ##} CURR_PRICE -##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval - -ifplugin Mail::SpamAssassin::Plugin::HeaderEval -header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') -describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date -endif -##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval - ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) @@ -813,6 +792,12 @@ body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s) describe DEAR_BENEFICIARY Dear Beneficiary: ##} DEAR_BENEFICIARY +##{ DEAR_NOBODY + +rawbody DEAR_NOBODY /^\s*Dear\b[^a-zA-Z]{1,70}\n/mi +describe DEAR_NOBODY Message contains Dear but with no name +##} DEAR_NOBODY + ##{ DEAR_WINNER body DEAR_WINNER /\bdear.{1,20}winner/i @@ -1102,6 +1087,15 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags +##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + +ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE + describe FILL_THIS_FORM_LOAN Answer loan question(s) +# score FILL_THIS_FORM_LOAN 2.0 +endif +##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags @@ -1530,12 +1524,6 @@ header FROM_UNBAL1 From:raw =~ / < [^>]* $/xm describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing ##} FROM_UNBAL1 -##{ FROM_UNBAL2 - -header FROM_UNBAL2 From:raw =~ /^ [^<]* > /xm -describe FROM_UNBAL2 From with unbalanced angle brackets, '<' missing -##} FROM_UNBAL2 - ##{ FROM_WSP_TRAIL header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm @@ -1561,11 +1549,6 @@ describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ ##} FSL_FAKE_HOTMAIL_RVCD -##{ FSL_HAS_TINYURL - -uri FSL_HAS_TINYURL /tinyurl\.com\// -##} FSL_HAS_TINYURL - ##{ FSL_HELO_BARE_IP_1 meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED @@ -2046,6 +2029,26 @@ describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - tflags HAS_X_OUTGOING_SPAM_STAT publish ##} HAS_X_OUTGOING_SPAM_STAT +##{ HDRS_LCASE + +describe HDRS_LCASE Odd capitalization of message header +#score HDRS_LCASE 0.10 # limit +##} HDRS_LCASE + +##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) + +if !plugin(Mail::SpamAssassin::Plugin::FreeMail) + meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO +endif +##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) + +##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail + +ifplugin Mail::SpamAssassin::Plugin::FreeMail + meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO +endif +##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail + ##{ HDRS_LCASE_IMGONLY meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN @@ -2116,11 +2119,6 @@ endif header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i ##} HELO_FRIEND -##{ HELO_LH_HOME - -header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i -##} HELO_LH_HOME - ##{ HELO_LH_LD header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i @@ -2131,13 +2129,6 @@ header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdoma header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i ##} HELO_LOCALHOST -##{ HELO_MISC_IP - -meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2)) -describe HELO_MISC_IP Looking for more Dynamic IP Relays -#score HELO_MISC_IP 0.25 -##} HELO_MISC_IP - ##{ HELO_NO_DOMAIN meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST @@ -2202,7 +2193,7 @@ endif ##{ HK_RANDOM_ENVFROM -header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi +header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_ENVFROM Envelope sender username looks random #score HK_RANDOM_ENVFROM 1 tflags HK_RANDOM_ENVFROM publish @@ -2210,7 +2201,7 @@ tflags HK_RANDOM_ENVFROM publish ##{ HK_RANDOM_FROM -header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi +header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_FROM From username looks random #score HK_RANDOM_FROM 1 tflags HK_RANDOM_FROM publish @@ -2218,7 +2209,7 @@ tflags HK_RANDOM_FROM publish ##{ HK_RANDOM_REPLYTO -header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi +header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi describe HK_RANDOM_REPLYTO Reply-To username looks random #score HK_RANDOM_REPLYTO 1 tflags HK_RANDOM_REPLYTO publish @@ -2238,6 +2229,12 @@ meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || tflags HK_SCAM publish ##} HK_SCAM +##{ HK_WIN + +meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) +#score HK_WIN 1 +##} HK_WIN + ##{ HOSTED_IMG_DIRECT_MX meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON @@ -2394,11 +2391,6 @@ body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') endif ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch -##{ IMG_DIRECT_TO_MX - -meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K -##} IMG_DIRECT_TO_MX - ##{ IMG_ONLY_FM_DOM_INFO meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO @@ -2509,13 +2501,6 @@ describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not fro tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish ##} LINKEDIN_IMG_NOT_RCVD_LNKN -##{ LIST_PARTIAL_SHORT_MSG - -meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS -describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message -#score LIST_PARTIAL_SHORT_MSG 2.500 # limit -##} LIST_PARTIAL_SHORT_MSG - ##{ LIST_PRTL_PUMPDUMP meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS @@ -2537,13 +2522,6 @@ tflags LIST_PRTL_SAME_USER publish uri LIVEFILESTORE m~livefilestore.com/~ ##} LIVEFILESTORE -##{ LONGLN_LOW_CONTRAST - -meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY -describe LONGLN_LOW_CONTRAST Excessively long line + hidden text -#score LONGLN_LOW_CONTRAST 2.500 # limit -##} LONGLN_LOW_CONTRAST - ##{ LONG_HEX_URI meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 @@ -2619,6 +2597,20 @@ meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ) meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) ##} LOTTERY_PH_004470 +##{ LOTTO_AGENT + +meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD +describe LOTTO_AGENT Claims Agent +#score LOTTO_AGENT 1.50 # limit +##} LOTTO_AGENT + +##{ LOTTO_DEPT + +meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT +describe LOTTO_DEPT Claims Department +#score LOTTO_DEPT 2.00 # limit +##} LOTTO_DEPT + ##{ LUCRATIVE meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED @@ -2776,6 +2768,11 @@ describe MIXED_CENTER_CASE Has center tag in mixed case tflags MIXED_CENTER_CASE publish ##} MIXED_CENTER_CASE +##{ MIXED_CTYPE_CASE + +header MIXED_CTYPE_CASE Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll]; +##} MIXED_CTYPE_CASE + ##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags if can(Mail::SpamAssassin::Conf::feature_bug6558_free) @@ -2854,6 +2851,13 @@ meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS describe MONEY_ATM_CARD Lots of money on an ATM card ##} MONEY_ATM_CARD +##{ MONEY_BARRISTER + +meta MONEY_BARRISTER __BARRISTER && LOTS_OF_MONEY +describe MONEY_BARRISTER Lots of money from a UK lawyer +#score MONEY_BARRISTER 1.000 # limit +##} MONEY_BARRISTER + ##{ MONEY_FORM meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP @@ -2990,13 +2994,6 @@ describe NICE_REPLY_A Looks like a legit reply (A) tflags NICE_REPLY_A nice ##} NICE_REPLY_A -##{ NORDNS_LOW_CONTRAST - -meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED -describe NORDNS_LOW_CONTRAST No rDNS + hidden text -#score NORDNS_LOW_CONTRAST 2.500 # limit -##} NORDNS_LOW_CONTRAST - ##{ NOT_SPAM body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i @@ -3115,49 +3112,13 @@ describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon #score PDS_DBL_URL_TNB_RUNON 2.0 ##} PDS_DBL_URL_TNB_RUNON -##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 -describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener -#score PDS_EMPTYSUBJ_URISHRT 1.5 # limit -endif -endif -##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 -describe PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener -#score PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit -endif -endif -##} PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - ##{ PDS_FRNOM_TODOM_DBL_URL -meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL +meta PDS_FRNOM_TODOM_DBL_URL T_PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL #score PDS_FRNOM_TODOM_DBL_URL 1.5 ##} PDS_FRNOM_TODOM_DBL_URL -##{ PDS_FRNOM_TODOM_NAKED_TO - -meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN -describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain -#score PDS_FRNOM_TODOM_NAKED_TO 1.5 -##} PDS_FRNOM_TODOM_NAKED_TO - -##{ PDS_FROM_NAME_TO_DOMAIN - -meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN -#score PDS_FROM_NAME_TO_DOMAIN 2.0 -describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain -##} PDS_FROM_NAME_TO_DOMAIN - ##{ PDS_HELO_SPF_FAIL meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE @@ -3173,13 +3134,6 @@ describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS #score PDS_HP_HELO_NORDNS 1.0 ##} PDS_HP_HELO_NORDNS -##{ PDS_NAKED_TO_NUMERO - -meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD -describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain -#score PDS_NAKED_TO_NUMERO 2.0 -##} PDS_NAKED_TO_NUMERO - ##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) @@ -3191,6 +3145,13 @@ endif endif ##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval +##{ PDS_PHPEXP_BOT + +meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + T_PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1) +describe PDS_PHPEXP_BOT PHP exploit bot sender +#score PDS_PHPEXP_BOT 1.5 +##} PDS_PHPEXP_BOT + ##{ PDS_PHP_EVAL meta PDS_PHP_EVAL __PDS_PHP_EVAL1 @@ -3198,24 +3159,6 @@ describe PDS_PHP_EVAL PHP header shows eval'd code #score PDS_PHP_EVAL 1.5 ##} PDS_PHP_EVAL -##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 -describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener -#score PDS_TINYSUBJ_URISHRT 1.5 # limit -endif -endif -##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE - -meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE -describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers -#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit -##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE - ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -3241,6 +3184,15 @@ describe PHISH_FBASEAPP Probable phishing via hosted web app tflags PHISH_FBASEAPP publish ##} PHISH_FBASEAPP +##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) + +if can(Mail::SpamAssassin::Conf::feature_bug6558_free) + meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF + describe PHOTO_EDITING_DIRECT Image editing service, direct to MX +# score PHOTO_EDITING_DIRECT 3.000 # limit +endif +##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) + ##{ PHP_NOVER_MUA describe PHP_NOVER_MUA Mail from PHP with no version number @@ -3432,13 +3384,6 @@ describe RCVD_DOTEDU_SHORT Via .edu MTA + short message tflags RCVD_DOTEDU_SHORT publish ##} RCVD_DOTEDU_SHORT -##{ RCVD_DOTEDU_SUSP - -meta RCVD_DOTEDU_SUSP __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF -describe RCVD_DOTEDU_SUSP Via .edu MTA + suspicious content -#score RCVD_DOTEDU_SUSP 2.000 # limit -##} RCVD_DOTEDU_SUSP - ##{ RCVD_DOTEDU_SUSP_URI meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI @@ -3763,7 +3708,7 @@ meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) ##{ REPTO_419_FRAUD -header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|mynewmission|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968|philiproger101))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:info)\@ousos-elearning\.com|(?:schaefflermariaelisabeth)\@outlook\.de|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:deputygov_kuben)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i +header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:jessica)\@cadencebankdept\.us|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)|sama_williams|warren_edward))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|m(?:hzitafrank0|ynewmission)|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@emteslastock\.com|(?:info)\@euro-pinnacle\.com|(?:(?:a(?:bogado\.antoniopaco|dvancedsegurosespana)|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|johnkofithomas|kateclough1|mriamchombo1968|philiproger101))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:dieterbe451)\@onmail\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:info)\@ousos-elearning\.com|(?:schaeffler(?:ariaelisabeth|mariaelisabeth))\@outlook\.de|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:support)\@piraeusegrecebnk\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:(?:deputygov_kuben|rcassim\.sarb))\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:olena\.shevchenko)\@shumejda\.co\.uk|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:(?:laprimitivaes|robert166003))\@zohomail\.eu)$/i describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD 3.000 tflags REPTO_419_FRAUD publish @@ -3795,7 +3740,7 @@ tflags REPTO_419_FRAUD_CNS publish ##{ REPTO_419_FRAUD_GM -header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|sdaughter))|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|tsyholden940)|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|ody2|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|u(?:liewatson975|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ntonjustin98|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|ndingredirections|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|p(?:agentrose|eelman1972)|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i +header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|12udubello|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|sdaughter))|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|phabankofgreecerepublic|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|tsyholden940)|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:pinolly|rtwrighttownhomesllc)|claimsa|e(?:da\.ogada77|licerez)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|u(?:nninghammrssharonloren|stomerservicelacaixa2))|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|h(?:lexpresscompany176|sdevice)|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick|rhamahassan22)|u(?:breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|d(?:mundventura689|runity)|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|rahwasam101|tme\.mehmed001)|b(?:589767|lott47)|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:es(?:\.connelly2|patrickconnolly(?:5050|4))|iscamendoza960)|k(?:j(?:ane984|ody2|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321)|ritagetrustbank1985)|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|orangedor|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:a(?:haskel19|thanhaskel377)|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|u(?:liewatson975|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt|zerfexi)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ntonjustin98|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee|tonyelumelu60)|cjames001|d517341|eric(?:franck|schmid4002)|georgeemera|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sar(?:ahbenjamin103|iamirahwulu)|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffi(?:c(?:e(?:\.012123|emaill0002|rricherd876|windowterms)|ialserviceuae)|zielllk)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|rabankheadofficelometogo1985|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|ndingredirections|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|o(?:lloke|usazgullaume)|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[789]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|p(?:a(?:cex\.inititative|gentrose)|eelman1972)|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|robins777|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:ba\.bankofaffican|derleyen52|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett(?:398|2))|b(?:271981|6159980)|c5000dle|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_GM 3.000 tflags REPTO_419_FRAUD_GM publish @@ -3811,7 +3756,7 @@ tflags REPTO_419_FRAUD_GM_LOOSE publish ##{ REPTO_419_FRAUD_HM -header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|m(?:oneygrampayfund|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i +header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|infos(?:43|8)|jacques\.bouchex|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|m(?:oneygrampayfund|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_HM 3.000 tflags REPTO_419_FRAUD_HM publish @@ -3819,7 +3764,7 @@ tflags REPTO_419_FRAUD_HM publish ##{ REPTO_419_FRAUD_OL -header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.olhaoschad|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i +header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:a(?:rrmarkphillip|sidris)|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.olhaoschad|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_OL 3.000 tflags REPTO_419_FRAUD_OL publish @@ -3843,7 +3788,7 @@ tflags REPTO_419_FRAUD_QQ publish ##{ REPTO_419_FRAUD_YH -header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:biorahkenneth8|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i +header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:biorahkenneth8|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|o(?:ftc2|pheap\.munny)|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YH 3.000 tflags REPTO_419_FRAUD_YH publish @@ -3873,13 +3818,6 @@ describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbo tflags REPTO_419_FRAUD_YN publish ##} REPTO_419_FRAUD_YN -##{ REPTO_INFONUMSCOM - -meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM -#score REPTO_INFONUMSCOM 3.000 # limit -tflags REPTO_INFONUMSCOM publish -##} REPTO_INFONUMSCOM - ##{ RISK_FREE meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH @@ -3897,11 +3835,14 @@ meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMI describe SCC_BODY_SINGLE_WORD Message body seems like one word ##} SCC_BODY_SINGLE_WORD -##{ SCC_BODY_URI_ONLY +##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta SCC_BODY_URI_ONLY T_SCC_BODY_TEXT_LINE < 2 && __HAS_ANY_URI && !__SMIME_MESSAGE && !T_SCC_IS_DMARC_REP -describe SCC_BODY_URI_ONLY Very short body with something maybe clickable -##} SCC_BODY_URI_ONLY +ifplugin Mail::SpamAssassin::Plugin::MIMEHeader +meta SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1 +describe SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header +tflags SCC_BOGUS_CTE_1 publish +endif +##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ##{ SCC_CANSPAM_1 @@ -3961,14 +3902,6 @@ rawbody SCC_SPECIAL_GUID /^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\ tflags SCC_SPECIAL_GUID publish multiple maxhits=15 ##} SCC_SPECIAL_GUID -##{ SENDGRID_REDIR - -meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS -describe SENDGRID_REDIR Redirect URI via Sendgrid -#score SENDGRID_REDIR 1.500 # limit -tflags SENDGRID_REDIR publish -##} SENDGRID_REDIR - ##{ SENDGRID_REDIR_PHISH meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH @@ -3997,6 +3930,11 @@ describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from tflags SHOPIFY_IMG_NOT_RCVD_SFY publish ##} SHOPIFY_IMG_NOT_RCVD_SFY +##{ SHORTENED_URL_SRC + +rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/ +##} SHORTENED_URL_SRC + ##{ SHORTENER_SHORT_IMG meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 @@ -4005,13 +3943,6 @@ describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener tflags SHORTENER_SHORT_IMG publish ##} SHORTENER_SHORT_IMG -##{ SHORTENER_SHORT_SUBJ - -meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO -describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject -#score SHORTENER_SHORT_SUBJ 3.000 # limit -##} SHORTENER_SHORT_SUBJ - ##{ SHORT_HELO_AND_INLINE_IMAGE meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) @@ -4074,7 +4005,7 @@ describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham ##{ SPAM_CWINDOWSNET -uri SPAM_CWINDOWSNET m;^https?://(?=[^/]+\.(?:blob|web)\.core\.windows\.net)(?:(?:aaaabbbbcdertfer(?:131|34)|b(?:9jwpncnsz2cg5bpbojgl|bbbccccddester61|dkbazmjnlvajmjjszdc|ulkma(?:ilmanager(?:im|snrperk|m)|nhegeteam))|calivokavoaka|d(?:fjmteeymhimuokqbwio|sfgdfgsdfg)|e(?:6tidwa3xtdxsxrv6fevh|fnzewdwwwxdormvkltxqj|riogsnkdqsdqsd32l|wialtlgncnagaebsuohhsz)|greatetchtoaitechnologyh|linkbulkmailpromanager|n(?:6w479nhk1tkyo6u1p844s|fnybcmyhaaphiglbzra)|o(?:ovgienjzlmmfkmwoyep|penbankstonecdn)|u(?:lqdjksdsdsd3sd|rqjlnefdqsdfik2k)|z(?:ahriiana59|c2mjw9btnqfgw6ps7ex)))\.(?:blob|web)\.core\.windows\.net/;i +uri SPAM_CWINDOWSNET m;^https?://(?=[^/]+\.(?:blob|web)\.core\.windows\.net)(?:(?:aaaa(?:aahadii5[89]|bbbbcdertfer(?:131|34))|b(?:9jwpncnsz2cg5bpbojgl|bbbccccddester61|c(?:kfomepldjxbehakdmem|nejjdolasiejdbcdhc)|dkbazmjnlvajmjjszdc|fnrikamdplejxxhd|ulkma(?:ilmanager(?:im|snrperk|m)|nhegeteam))|c(?:alivokavoaka|hfkeodlemajchebdhxdh|j(?:dejcpmalxokejcbdhsjd|flzpmidhwbcxhejdk)|n(?:djekdomalsijebqqhzs|fjelmsplekxjbshdje|rdnahxbhdjoalxkejd))|d(?:f(?:jmteeymhimuokqbwio|keoledjxbdheuakje)|hjepmalqkdbxheuajd|j(?:f(?:lepma(?:hxbdhasjdk|skdjxbhduejdkz)|oemapxkejxbdhed)|k(?:foepaljdhxvsgqhse|rolemalxjebehsyejd))|lrmeclforjbxheajsbdhe|sfgdfgsdfg)|e(?:6tidwa3xtdxsxrv6fevh|fnzewdwwwxdormvkltxqj|riogsnkdqsdqsd32l|wialtlgncnagaebsuohhsz)|f(?:j(?:flzpcmlrnxheilsdejdl|romlfjdhxbcgdyejhdh)|lropmedjxbexbdzhsd|mdplenxyejxbqgesk|pmrlcnruhwvxcsdrzt)|greatetchtoaitechnologyh|h(?:ckrpmzlcxrjzhxbejakdlem|djeialqmeporutncdbhqs)|jc(?:hdiepmaldiejxbhs|k(?:diemaoslejxbqhas|rmlzsxbhejalselma)|lrfpemdlxbehaksme|rkeldoeamdloruxbdhe)|kcleo(?:dmalejdbshekdje|maplejwbahqegsv)|l(?:djebxueomrplcnbsgxve|inkbulkmailpromanager)|mvkcjoigfks|n(?:6w479nhk1tkyo6u1p844s|ckfomeldncejdjsbdhjdxbd|fnybcmyhaaphiglbzra)|o(?:ovgienjzlmmfkmwoyep|penbankstonecdn)|relashwpakcbe2cjehsed|shdkrodmpcndjshedg|u(?:lqdjksdsdsd3sd|rqjlnefdqsdfik2k)|xbvomrplzncxhrbdgsd|z(?:ahriiana59|c2mjw9btnqfgw6ps7ex)))\.(?:blob|web)\.core\.windows\.net/;i describe SPAM_CWINDOWSNET Link to known hosted spam or phishing content #score SPAM_CWINDOWSNET 3.500 tflags SPAM_CWINDOWSNET publish @@ -4191,13 +4122,6 @@ meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters ##} SUBJECT_NEEDS_ENCODING -##{ SUBJ_ATTENTION - -meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED -describe SUBJ_ATTENTION ATTENTION in Subject -#score SUBJ_ATTENTION 0.500 # limit -##} SUBJ_ATTENTION - ##{ SUBJ_BRKN_WORDNUMS #score SUBJ_BRKN_WORDNUMS 1.500 # limit @@ -4218,6 +4142,12 @@ ifplugin Mail::SpamAssassin::Plugin::DKIM endif ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM +##{ SUBJ_UNNEEDED_HTML + +meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML +describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject: +##} SUBJ_UNNEEDED_HTML + ##{ SUSP_UTF8_WORD_FROM meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM @@ -4225,12 +4155,12 @@ describe SUSP_UTF8_WORD_FROM Word in From name using only suspicious U #score SUSP_UTF8_WORD_FROM 2.000 # limit ##} SUSP_UTF8_WORD_FROM -##{ SUSP_UTF8_WORD_MANY +##{ SUSP_UTF8_WORD_SUBJ -meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9 -describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters -#score SUSP_UTF8_WORD_MANY 3.000 # limit -##} SUSP_UTF8_WORD_MANY +meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ +describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters +#score SUSP_UTF8_WORD_SUBJ 2.000 # limit +##} SUSP_UTF8_WORD_SUBJ ##{ SYSADMIN @@ -4329,6 +4259,12 @@ meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFE describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link ##} TO_EQ_FM_DOM_HTML_IMG +##{ TO_EQ_FM_DOM_HTML_ONLY + +meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX +describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only +##} TO_EQ_FM_DOM_HTML_ONLY + ##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF @@ -4760,6 +4696,14 @@ describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: da endif ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval +##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval + +ifplugin Mail::SpamAssassin::Plugin::HeaderEval +header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') +describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date +endif +##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval + ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -4802,15 +4746,6 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE - describe T_FILL_THIS_FORM_LOAN Answer loan question(s) -# score T_FILL_THIS_FORM_LOAN 2.0 -endif -##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - ##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags @@ -4957,26 +4892,6 @@ endif endif ##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) -##{ T_HDRS_LCASE - -describe T_HDRS_LCASE Odd capitalization of message header -#score T_HDRS_LCASE 0.10 # limit -##} T_HDRS_LCASE - -##{ T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO -endif -##} T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -##{ T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO -endif -##} T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail @@ -5053,13 +4968,6 @@ body T_LFUZ_PWRMALE /

/i endif ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -##{ T_LOTTO_AGENT - -meta T_LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD -describe T_LOTTO_AGENT Claims Agent -#score T_LOTTO_AGENT 1.50 # limit -##} T_LOTTO_AGENT - ##{ T_LOTTO_AGENT_FM header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i @@ -5199,6 +5107,28 @@ endif endif ##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval +##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 +describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener +#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit +endif +endif +##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 +describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener +#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit +endif +endif +##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + ##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) @@ -5219,6 +5149,13 @@ endif endif ##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) +##{ T_PDS_FROM_NAME_TO_DOMAIN + +meta T_PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN +#score T_PDS_FROM_NAME_TO_DOMAIN 2.0 +describe T_PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain +##} T_PDS_FROM_NAME_TO_DOMAIN + ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags @@ -5303,6 +5240,17 @@ endif endif ##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) +##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 +describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener +#score T_PDS_TINYSUBJ_URISHRT 1.5 # limit +endif +endif +##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + ##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) @@ -5322,14 +5270,12 @@ endif endif ##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) +##{ T_PDS_X_PHP_WP_EXP -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF - describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX -# score T_PHOTO_EDITING_DIRECT 3.000 # limit -endif -##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) +meta T_PDS_X_PHP_WP_EXP (__PDS_X_PHP_WPCONTENT || __PDS_X_PHP_WPINCLUDES || __PDS_X_PHP_WPADMIN || __PDS_X_PHP_WPJS) +describe T_PDS_X_PHP_WP_EXP X-PHP-Script shows sent from a Wordpress PHP script where you would not expect one +#score T_PDS_X_PHP_WP_EXP 1.5 +##} T_PDS_X_PHP_WP_EXP ##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) @@ -5354,22 +5300,6 @@ meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPA tflags T_SCC_BODY_TEXT_LINE nice ##} T_SCC_BODY_TEXT_LINE -##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta T_SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1 -describe T_SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header -tflags T_SCC_BOGUS_CTE_1 publish -endif -##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ T_SCC_IS_DMARC_REP - -meta T_SCC_IS_DMARC_REP __SCC_DMARC_REP && __MIME_ATTACHMENT -describe T_SCC_IS_DMARC_REP Message looks like a DMARC report -tflags T_SCC_IS_DMARC_REP nice -##} T_SCC_IS_DMARC_REP - ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) @@ -5464,6 +5394,13 @@ body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers endif ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval +##{ T_US_DOLLARS_3 + +body T_US_DOLLARS_3 /(?:\$|usd).?\d{1,3}[,.]\d{3}[,.]\d{3}(?:[,.]\d\d)?/i +describe T_US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN) +#score T_US_DOLLARS_3 2.0 +##} T_US_DOLLARS_3 + ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -5603,6 +5540,14 @@ describe URI_AZURE_CLOUDAPP Link to hosted azure web application, pos tflags URI_AZURE_CLOUDAPP publish ##} URI_AZURE_CLOUDAPP +##{ URI_CLOUDFLAREIPFS + +meta URI_CLOUDFLAREIPFS __URI_CLOUDFLAREIPFS +describe URI_CLOUDFLAREIPFS References Interplanetary File System PtP content via CloudFlare, likely phishing +#score URI_CLOUDFLAREIPFS 2.500 # limit +tflags URI_CLOUDFLAREIPFS publish +##} URI_CLOUDFLAREIPFS + ##{ URI_DASHGOVEDU meta URI_DASHGOVEDU __URI_DASHGOVEDU @@ -5666,7 +5611,7 @@ tflags URI_GOOGLE_PROXY publish ##{ URI_GOOG_STO_SPAMMY -uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|iltrk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s____mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i +uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s____mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage #score URI_GOOG_STO_SPAMMY 3.000 tflags URI_GOOG_STO_SPAMMY publish @@ -5704,6 +5649,13 @@ describe URI_LONG_REPEAT Long identical host+domain tflags URI_LONG_REPEAT publish ##} URI_LONG_REPEAT +##{ URI_MALWARE_BH + +uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i +describe URI_MALWARE_BH Possible BlackHole malware links / phishing +#score URI_MALWARE_BH 1.0 # limit +##} URI_MALWARE_BH + ##{ URI_MALWARE_SCMS uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i @@ -5905,6 +5857,13 @@ describe XM_DIGITS_ONLY X-Mailer malformed tflags XM_DIGITS_ONLY publish ##} XM_DIGITS_ONLY +##{ XM_LIGHT_HEAVY + +meta XM_LIGHT_HEAVY __XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE +describe XM_LIGHT_HEAVY Special edition of a MUA +#score XM_LIGHT_HEAVY 2.500 # limit +##} XM_LIGHT_HEAVY + ##{ XM_PHPMAILER_FORGED meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED @@ -6804,7 +6763,7 @@ reuse T_SHORT_BODY_QUOTE reuse T_BODY_QUOTE_MALF_MSGID reuse SPOOFED_FREEMAIL_NO_RDNS reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN -reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE +reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT reuse T_PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT @@ -6836,13 +6795,10 @@ uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI -body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ -tflags __4BYTE_UTF8_WORD multiple maxhits=10 - -meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9 - header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ +header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ + uri __64_ANY_URI m;[/?]\w{64,}$;i body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i @@ -6937,7 +6893,7 @@ header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i -meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD +meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW @@ -6945,7 +6901,7 @@ meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __AD meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW -meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD +meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW @@ -6953,7 +6909,7 @@ meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __AD meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW -meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD +meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW @@ -6961,7 +6917,7 @@ meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __AD meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW -meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD +meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW @@ -7079,10 +7035,6 @@ meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) -meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) - -meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) - body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s body __BODY_TEXT_LINE /^\s*\S/ @@ -7641,11 +7593,11 @@ header __FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)( meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam -meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1) +meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1) -meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) +meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) -meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) +meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i @@ -7902,8 +7854,6 @@ header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i -header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} /i - header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i @@ -8160,8 +8110,6 @@ endif header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i -header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /i - header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/ header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ / @@ -8283,8 +8231,6 @@ endif rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s* 10 - meta __HTML_SINGLET_MANY __HTML_SINGLET > 20 ifplugin Mail::SpamAssassin::Plugin::HTMLEval @@ -8465,8 +8411,6 @@ meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDI meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID -meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL - meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR @@ -8480,12 +8424,10 @@ tflags __LOCK_MAILBOX multiple maxhits=2 full __LONGLINE /^[^\r\n]{998}/m -meta __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE - rawbody __LONG_INVIS_DIV /[^<\s]{1400}/i if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE + meta __LONG_STY_INVIS __STY_INVIS_2 && __LONGLINE endif if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) @@ -8729,11 +8671,11 @@ meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT -meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) +meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) -meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) +meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) -meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) +meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) ifplugin Mail::SpamAssassin::Plugin::FreeMail meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto @@ -8807,8 +8749,6 @@ body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i body __NIGERIA /\bnigeria\b/i -meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE - meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO tflags __NOT_A_PERSON nice @@ -9076,6 +9016,8 @@ endif header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i +header __PDS_PHP_EVAL2 X-PHP-Originating-Script =~ /runtime-created function/ + if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) meta __PDS_QP_1024 0 endif @@ -9164,6 +9106,16 @@ meta __PDS_URISHORTENER __URL_SHORTENER endif endif +header __PDS_X_PHP_WELLKNOWN X-PHP-Script =~ m;/\.well-known/; + +header __PDS_X_PHP_WPADMIN X-PHP-Script =~ m;/wp-admin/(?:css|themes|js|images|user|maint)/[\S]+\.php for;i + +header __PDS_X_PHP_WPCONTENT X-PHP-Script =~ m;/wp-content/(?:themes|uploads)/[\S]+\.php for;i + +header __PDS_X_PHP_WPINCLUDES X-PHP-Script =~ m;/wp-includes/(?:css|fonts|js|pomo|Text|theme-compat)/[\S]+\.php for;i + +header __PDS_X_PHP_WPJS X-PHP-Script =~ m;/js/[\S]+\.php for;i + meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i @@ -9293,8 +9245,6 @@ header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.ed meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) -meta __RCVD_DOTEDU_SUSP __RCVD_DOTEDU_EXT && ( MIME_QP_LONG_LINE || __TVD_SPACE_RATIO || __FROM_RUNON || __USING_VERP1 ) - meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i @@ -9329,14 +9279,12 @@ header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i -header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|tsyholden)|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavis(?:donation|foundation))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|lenasheve|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i +header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|tsyholden)|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:eda\.ogada|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavis(?:donation|foundation))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|hlexpresscompany|minique|ona(?:ldwilliam|tionhelpercare)|r(?:davidrhama|rhamahassan)|unsilva)|e(?:benezero|christina|dmundventura|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|rahwasam|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:es(?:\.connelly|patrickconnolly)|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs|ritagetrustbank)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:a(?:haskel|thanhaskel)|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell|tonyelumelu)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|ffice(?:emaill|rricherd)|hallkenneth|lenasheve|rabankheadofficelometogo|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|robins|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i -header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:biorahkenneth|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i +header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:biorahkenneth|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|oftc|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i -header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i - header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i if !((version >= 3.003000)) @@ -9368,8 +9316,6 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/ endif -body __SCC_DMARC_REP /(DMARC|aggregate) .{0,12}report/ - header __SCC_SUBJECT_HAS_NON_SPACE Subject =~ /\S/ body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i @@ -9379,16 +9325,12 @@ tflags __SENDER_BOT nice uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, -meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH - meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY -meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT - uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags @@ -9479,8 +9421,6 @@ meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i -header __SUBJ_ATTENTION Subject =~ /ATTENTION/ - meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ @@ -9505,6 +9445,9 @@ header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ header __SUBJ_SHORT Subject =~ /^.{0,8}$/ +header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i +tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3 + header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i @@ -9548,6 +9491,8 @@ meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE +meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY + if !plugin(Mail::SpamAssassin::Plugin::SPF) meta __TO_EQ_FM_DOM_SPF_FAIL 0 endif @@ -9839,6 +9784,8 @@ uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/, +uri __URI_CLOUDFLAREIPFS m,://cloudflare-ipfs\.com/ipfs/,i + uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i uri __URI_DATA /^data:(?!image\/)[a-z]/i @@ -9947,7 +9894,7 @@ uri __URI_PHP_REDIR m;/redirect\.php\?;i uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i -uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i +uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act(?!ion)|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i @@ -10053,6 +10000,8 @@ header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ header __XM_GNUS X-Mailer =~ /^Gnus v/ +header __XM_LIGHT_HEAVY X-Mailer =~ /\b(?:light|(?