proxmox-mirrors/proxmox-spamassassin
1
0
Fork 0
mirror of https://git.proxmox.com/git/proxmox-spamassassin synced 2025-04-28 14:08:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

update SpamAssassin signatures

Browse Source 
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This commit is contained in:
Stoiko Ivanov 2021-03-24 17:52:33 +01:00
parent e04a3a9b6c
commit b780ea8d4f
61 changed files with 23421 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
sa-updates.tgz
View File

Binary file not shown.

184
sa-updates/10_default_prefs.cf Normal file
View File

@ -0,0 +1,184 @@
# SpamAssassin basic config file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Default template. Try to keep it under 78 columns (inside the the dots below).
# ........................................................................
clear_report_template
if can(Mail::SpamAssassin::Conf::feature_yesno_takes_args)
report Spam detection software, running on the system "_HOSTNAME_",
report has_YESNO(, NOT)_ identified this incoming email as_YESNO( possible,)_ spam. The original
report message has been attached to this so you can view it or label
else
report Spam detection software, running on the system "_HOSTNAME_", has
report identified this incoming email as possible spam. The original message
report has been attached to this so you can view it (if it isn't spam) or label
endif
report similar future email. If you have any questions, see
report _CONTACTADDRESS_ for details.
report
report Content preview: _PREVIEW_
report
report Content analysis details: (_SCORE_ points, _REQD_ required)
report
report " pts rule name description"
report ---- ---------------------- --------------------------------------------------
report _SUMMARY_
# ........................................................................
# A 'contact address' users should contact for more info. (replaces
# _CONTACTADDRESS_ above if present)
report_contact the administrator of that system
###########################################################################
# Unsafe-for-viewing message report template.
#
# ......................................................................
clear_unsafe_report_template
unsafe_report The original message was not completely plain text, and may be unsafe to
unsafe_report open with some email clients; in particular, it may contain a virus,
unsafe_report or confirm that your address can receive spam. If you wish to view
unsafe_report it, it may be safer to save it to a file and open it with an editor.
# ......................................................................
###########################################################################
# Database configuration options.
#
# user_scores_dsn MUST be in the form:
# DBI:databasetype:databasename:hostname:port
# ex. DBI:mysql:spamassassin:localhost
#
# user_scores_sql_username is the authorized username to connect to DSN
# user_scores_sql_password is the password for the database username
#user_scores_dsn DBI:mysql:spamassassin:localhost
#user_scores_sql_username spam
#user_scores_sql_password spamfilter
##########################################################################
# Headers to be added to mail (can be overriden by users in
# ~/.spamassassin/user_prefs)
# Make sure the header stays entirely on one line here
clear_headers
#X-Spam-Checker-Version: SpamAssassin 2.60-cvs (1.188-2003-05-24-exp)
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
#X-Spam-Flag: YES
add_header spam Flag _YESNOCAPS_
#X-Spam-Level: *************
add_header all Level _STARS(*)_
#X-Spam-Status: Yes, score=14.0 required=5.0 tests=BAYES_99,CALL_FREE
# DATE_IN_PAST_12_24,DCC_CHECK,DRASTIC_REDUCED,FROM_HAS_MIXED_NUMS
# FROM_HAS_MIXED_NUMS3,HOME_EMPLOYMENT,INVALID_DATE,INVALID_MSGID
# LINES_OF_YELLING,MSGID_HAS_NO_AT,NO_REAL_NAME,ONCE_IN_LIFETIME
# UNDISC_RECIPS autolearn=spam version=2.60-cvs
add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_"
###########################################################################
# Default prefs values: users can override these in their
# ~/.spamassassin/user_prefs files.
# How many points before a mail is considered spam.
required_score 5
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language. This is an expensive
# classification, so it is is disabled in init.pre by default.
ifplugin Mail::SpamAssassin::Plugin::TextCat
ok_languages all
endif # Mail::SpamAssassin::Plugin::TextCat
# Mail which scores outside this range will be fed back into SpamAssassin's
# learning system automatically, to train the Bayesian scanner.
ifplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12.0
endif # Mail::SpamAssassin::Plugin::AutoLearnThreshold
# Set this to 0 to turn off auto-learning.
bayes_auto_learn 1
# report_safe controls the markup of spam. If you set it to 0, the message
# body of spam messages will not be modified
report_safe 1
# Headers to parse for originating IP address
if can(Mail::SpamAssassin::Conf::feature_originating_ip_headers)
clear_originating_ip_headers
originating_ip_headers X-Yahoo-Post-IP X-Originating-IP X-Apparently-From
originating_ip_headers X-SenderIP X-AOL-IP
originating_ip_headers X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp
endif
if can(Mail::SpamAssassin::Conf::feature_dns_local_ports_permit_avoid)
# leave out the more densely populated port number ranges
dns_local_ports_avoid 0-11000
# leave out some ephemeral ports, making them available to other programs
dns_local_ports_avoid 49152-49408
# avoid IANA assigned high port numbers
dns_local_ports_avoid 11000-11001 11106 11111-11112 11161-11165 11201 11208
dns_local_ports_avoid 11211 11319-11321 11367 11371 11600 11720 11751 11967
dns_local_ports_avoid 12000-12008 12012-12013 12109 12121 12168 12172 12300
dns_local_ports_avoid 12321-12322 12345 12753 13160 13216-13218 13223-13224
dns_local_ports_avoid 13720-13722 13724 13782-13783 13785-13786 13818-13822
dns_local_ports_avoid 13929 14000-14001 14033-14034 14141-14142 14145 14149
dns_local_ports_avoid 14154 14250 14414 14936-14937 15000 15345 15363 15555
dns_local_ports_avoid 15660 15740 16161 16309-16311 16360-16361 16367-16368
dns_local_ports_avoid 16384 16900 16950 16991-16995 17007 17185 17219 17235
dns_local_ports_avoid 17500 17729 17754-17756 18000 18181-18187 18241 18262
dns_local_ports_avoid 18463 18634-18635 18769 18881 18888 19000 19191 19194
dns_local_ports_avoid 19283 19315 19398 19410-19412 19539-19541 19999-20003
dns_local_ports_avoid 20005 20014 20034 20046 20049 20167 20202 20222 20480
dns_local_ports_avoid 20670 20999-21000 21554 21590 21800 21845-21849
dns_local_ports_avoid 22000-22005 22273 22305 22343 22347 22350 22555 22763
dns_local_ports_avoid 22800 22951 23000-23005 23272 23333 23400-23402
dns_local_ports_avoid 24000-24006 24242 24249 24321 24386 24465 24554
dns_local_ports_avoid 24676-24678 24680 24922 25000-25009 25793 25900-25903
dns_local_ports_avoid 26000 26133 26208 26260-26263 26486-26487 26489 27345
dns_local_ports_avoid 27442 27504 27782 27999-28000 28240 29167 30001-30002
dns_local_ports_avoid 30260 30999 31416 31457 31620 31765 31948-31949 32034
dns_local_ports_avoid 32249 32483 32635-32636 32767-32777 32801 32896 33123
dns_local_ports_avoid 33331 33434 33656 34249 34378-34379 34962-34964 34980
dns_local_ports_avoid 36001 36865 37475 37654 38201-38203 39681 40000
dns_local_ports_avoid 40841-40843 41111 41794-41795 42508-42510 43188-43190
dns_local_ports_avoid 43440-43441 44321-44322 44553 44818 45054 45678 45825
dns_local_ports_avoid 45966 46999-47000 47557 47624 47806 47808 48000-48003
dns_local_ports_avoid 48128-48129 48556 48619
endif
# Some common prefs settings can be set here, to take effect site-wide
# unless the user override them. See the user_prefs.template file for
# explanations.

89
sa-updates/10_hasbase.cf Normal file
View File

@ -0,0 +1,89 @@
# SpamAssassin rules file: Base __HAS_* rules for meta rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# PLEASE KEEP THIS TIDY
# According to Bug 6781
# Header rules
header __HAS_SENDER exists:Sender
header __HAS_FROM exists:From
header __HAS_TO exists:To
header __HAS_CC exists:CC
header __HAS_REPLY_TO exists:Reply-To
header __HAS_ORGANIZATION exists:Organization
# Webmail
# MUA & User Agents
header __HAS_UA exists:User-Agent
header __HAS_XMAIL exists:X-Mailer
# Other
header __HAS_DKIM_SIGHD exists:DKIM-Signature
header __HAS_TNEF exists:X-MS-TNEF-Correlator
header __HAS_ERRORS_TO exists:Errors-To
header __HAS_ORIGINALLY exists:X-Originally-To
header __HAS_LIST_ID exists:List-Id
header __HAS_X_BEEN_THERE exists:X-BeenThere
header __HAS_X_REF exists:References
header __HAS_IN_REPLY_TO exists:In-Reply-To
header __XPRIO exists:X-Priority
header __DISPONOT exists:Disposition-Notification-To
header __RRCPTO exists:Return-Receipt-To
header __OLDPEG exists:X-Confirm-Reading-To
header __AOL_IP exists:X-AOL-IP
# Rawbody rules
# Mimeheader rules
# should be encapsulated in if ... endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Put rules below
#
endif
# URI rules
uri __HAS_URI /./

96
sa-updates/20_advance_fee.cf Normal file
View File

@ -0,0 +1,96 @@
# SpamAssassin rules file: advance fee fraud rules (Nigerian 419 scams)
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
# predicate naming used to avoid renumbering
# 1. assign new rules a random unique three letter sequence
# 2. sort on rule definition, not rule name
header __FRAUD_VQE Subject =~ /^(?:Re:|\[.{1,10}\])?\s*(?:very )?urgent\s+(?:(?:and|&)\s+)?(?:confidential|assistance|business|attention|reply|response|help)\b/i
body __FRAUD_DBI /(?:\bdollars?\b|\busd(?:ollars)?(?:[0-9]|\b)|\bus\$|\$[0-9,.]{6,}|\$[0-9].{0,8}[mb]illion|\$[0-9.,]{2,10} ?m|\beuros?\b|u[.]?s[.]? [0-9.]+ m)/i
body __FRAUD_KJV /(?:claim|concerning) (?:the|this) money/i
body __FRAUD_IRJ /(?:finance|holding|securit(?:ies|y)) (?:company|firm|storage house)/i
body __FRAUD_NEB /(?:government|bank) of nigeria/i
body __FRAUD_XJR /(?:who was a|as a|an? honest|you being a|to any) foreigner/i
body __FRAUD_DPR /\b(?:(?:respond|reply) (?:urgently|immediately)|(?:urgent|immediate|earliest) (?:reply|response))\b/i
body __FRAUD_PTS /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|kill(?:ed|ing)\b[^.]{0,99}\b(?:war veterans|rebels?))\b/i
body __FRAUD_BEP /\b(?:bank of nigeria|central bank of|trust bank|apex bank|amalgamated bank)\b/i
body __FRAUD_TDP /\b(?:business partner(?:s|ship)?|silent partner(?:s|ship)?)\b/i
body __FRAUD_GAN /\b(?:charles taylor|serena|abacha|gu[eéè]i|sese[- ]?seko|kabila)\b/i
body __FRAUD_IRT /\b(?:compliments? of the|dear friend|dear sir|yours faithfully|season'?s greetings)\b/i
body __FRAUD_AON /\b(?:confidential|private|alternate|alternative) (?:(?:e-? *)?mail)\b/i
body __FRAUD_WNY /\b(?:disburse?(?:ment)?|incurr?(?:ed)?|remunerr?at(?:ed?|ion)|remm?itt?(?:ed|ance|ing)?)\b/i
body __FRAUD_IPK /\b(?:in|to|visit) your country\b/i
body __FRAUD_QXX /\b(?:my name is|i am) (?:mrs?|engr|barrister|dr|prince(?:ss)?)[. ]/i
body __FRAUD_IOU /\b(?:no risks?|risk-? *free|free of risks?|100% safe)\b/i
body __FRAUD_EZY /\b(?:of|the) late president\b/i
body __FRAUD_MLY /\b(?:reply|respond)\b[^.]{0,50}\b(?:to|through)\b[^.]{0,50}\@\b/i
body __FRAUD_ZFJ /\b(?:wife|son|brother|daughter) of the late\b/i
body __FRAUD_KDT /\bU\.?S\.?(?:D\.?)?\s*(?:\$\s*)?(?:\d+,\d+,\d+|\d+\.\d+\.\d+|\d+(?:\.\d+)?\s*milli?on)/i
body __FRAUD_ULK /\baffidavits?\b/i
body __FRAUD_BGP /\battached to ticket number\b/i
body __FRAUD_FBI /\bdisburs/i
body __FRAUD_JBU /\bforeign account\b/i
body __FRAUD_YWW /\bfurnish you with\b/i
body __FRAUD_JYG /\bgive\s+you .{0,15}(?:fund|money|total|sum|contact|percent)\b/i
body __FRAUD_XVW /\bhonest cooperation\b/i
body __FRAUD_UUY /\blegitimate business(?:es)?\b/i
body __FRAUD_SNT /\blocate(?: .{1,20})? extended relative/i
body __FRAUD_LTX /\bmilli?on (?:.{1,25} thousand\s*)?(?:(?:united states|u\.?s\.?) dollars|(?i:U\.?S\.?D?))\b/i
body __FRAUD_JNB /\boperat(?:e|ing)\b[^.]{0,99}\b(?:for(?:ei|ie)gn|off-? ?shore|over-? ?seas?) (?:bank )?accounts?\b/i
body __FRAUD_QFY /\bover-? *(?:invoiced?|cost(?:s|ing)?)\b/i
body __FRAUD_WDR /\bprivate lawyer\b/i
body __FRAUD_WFC /\bsecur(?:e|ing) (?:the )?(?:funds?|monies)\b/i
body __FRAUD_AUM /\bthe desk of\b/i
body __FRAUD_MCQ /\btransaction\b.{1,30}\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee)/i
body __FRAUD_ETX /\byour\b[^.]{0,99}\b(?:contact (?:details|information)|private (?:e?[- ]?mail|telephone|tel|phone|fax))\b/i
body __FRAUD_PVN /as the beneficiary/i
body __FRAUD_FVU /award notification/i
body __FRAUD_CKF /computer ballot system/i
body __FRAUD_FCW /fiduciary agent/i
body __FRAUD_MQO /foreign (?:business partner|customer)/i
body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i
body __FRAUD_GBW /god gives .{1,10}second chance/i
body __FRAUD_NRG /i am contacting you/i
body __FRAUD_RLX /lott(?:o|ery) (?:co,?ordinator|international)/i
body __FRAUD_AXF /magnanimity/i
body __FRAUD_THJ /modalit(?:y|ies)/i
body __FRAUD_YQV /nigerian? (?:national|government)/i
body __FRAUD_YJA /over-invoice/i
body __FRAUD_YPO /the total sum/i
body __FRAUD_UOQ /vital documents/i
#
# jhardin: temporarily disable to gauge and score ADVANCE_FEE_NEW rules in isolation
#
# meta ADVANCE_FEE_2 (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 2)
# meta ADVANCE_FEE_3 (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 3)
# meta ADVANCE_FEE_4 (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 4)
#
# describe ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
# describe ADVANCE_FEE_3 Appears to be advance fee fraud (Nigerian 419)
# describe ADVANCE_FEE_4 Appears to be advance fee fraud (Nigerian 419)

746
sa-updates/20_aux_tlds.cf Normal file
View File

@ -0,0 +1,746 @@
# SpamAssassin - Auxiliary TLD Definitions
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# This file replaces the SARE http://www.rulesemporium.com/rules/90_2tld.cf
# which will be deprecated as from 2010-05-01
# File updated 2014-09-17 to contain complete TLD lists, they are no longer
# hardcoded into SA codebase and Util/RegistrarBoundaries.pm is deprecated
# in favor of Mail::SpamAssassin::RegistryBoundaries.
# Let's clear the internal TLD list, we only want to read from this config
# file and ignore possible old hardcoded lists.
if can(Mail::SpamAssassin::Conf::feature_registryboundaries)
clear_util_rb
endif
#
# 1st level TLD list
#
# Basic list can be obtained with the following command:
# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | tail -n+2 | perl -ne 'print lc'
# Current list may include more or less.. TODO easier maintenance?
# util_rb_tld only accepts alpha (a-z) input before RegistryBoundaries was
# implemented in 3.4.1(?), put IDN TLDs with numeric, hyphen (0-9-) etc in
# this block
#
# For an up to date list of IDN TLDs that can be pasted into this block, run this command:
# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 'chomp; s/.*/util_rb_tld \L$_\n/'
# Since version 4.0 the util_rb_tld also accepts Unicode IDN labels (encoded as UTF-8), e.g.:
# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | idn -u | tr '\n' ' ' | fold -w 80 -s | perl -pe 'chomp; s/.*/util_rb_tld \L$_\n/'
if can(Mail::SpamAssassin::Conf::feature_registryboundaries)
util_rb_tld xn--11b4c3d xn--1ck2e1b xn--1qqw23a xn--2scrj9c xn--30rr7y xn--3bst00m
util_rb_tld xn--3ds443g xn--3e0b707e xn--3hcrj9c xn--3oq18vl8pn36a xn--3pxu8k xn--42c2d9a
util_rb_tld xn--45br5cyl xn--45brj9c xn--45q11c xn--4gbrim xn--54b7fta0cc xn--55qw42g
util_rb_tld xn--55qx5d xn--5su34j936bgsg xn--5tzm5g xn--6frz82g xn--6qq986b3xl xn--80adxhks
util_rb_tld xn--80ao21a xn--80aqecdr1a xn--80asehdb xn--80aswg xn--8y0a063a xn--90a3ac
util_rb_tld xn--90ae xn--90ais xn--9dbq2a xn--9et52u xn--9krt00a xn--b4w605ferd
util_rb_tld xn--bck1b9a5dre4c xn--c1avg xn--c2br7g xn--cck2b3b xn--cg4bki
util_rb_tld xn--clchc0ea0b2g2a9gcd xn--czr694b xn--czrs0t xn--czru2d xn--d1acj3b xn--d1alf
util_rb_tld xn--e1a4c xn--eckvdtc9d xn--efvy88h xn--estv75g xn--fct429k xn--fhbei
util_rb_tld xn--fiq228c5hs xn--fiq64b xn--fiqs8s xn--fiqz9s xn--fjq720a xn--flw351e
util_rb_tld xn--fpcrj9c3d xn--fzc2c9e2c xn--fzys8d69uvgm xn--g2xx48c xn--gckr3f0f
util_rb_tld xn--gecrj9c xn--gk3at1e xn--h2breg3eve xn--h2brj9c xn--h2brj9c8c xn--hxt814e
util_rb_tld xn--i1b6b1a6a2e xn--imr513n xn--io0a7i xn--j1aef xn--j1amh xn--j6w193g
util_rb_tld xn--jlq61u9w7b xn--jvr189m xn--kcrx77d1x4a xn--kprw13d xn--kpry57d xn--kpu716f
util_rb_tld xn--kput3i xn--l1acc xn--lgbbat1ad8j xn--mgb9awbf xn--mgba3a3ejt
util_rb_tld xn--mgba3a4f16a xn--mgba7c0bbn0a xn--mgbaakc7dvf xn--mgbaam7a8h xn--mgbab2bd
util_rb_tld xn--mgbai9azgqp6j xn--mgbayh7gpa xn--mgbb9fbpob xn--mgbbh1a xn--mgbbh1a71e
util_rb_tld xn--mgbc0a9azcg xn--mgbca7dzdo xn--mgberp4a5d4ar xn--mgbgu82a xn--mgbi4ecexp
util_rb_tld xn--mgbpl2fh xn--mgbt3dhd xn--mgbtx2b xn--mgbx4cd0ab xn--mix891f xn--mk1bu44c
util_rb_tld xn--mxtq1m xn--ngbc5azd xn--ngbe9e0a xn--ngbrx xn--node xn--nqv7f
util_rb_tld xn--nqv7fs00ema xn--nyqy26a xn--o3cw4h xn--ogbpf8fl xn--otu796d xn--p1acf
util_rb_tld xn--p1ai xn--pbt977c xn--pgbs0dh xn--pssy2u xn--q9jyb4c xn--qcka1pmc xn--qxam
util_rb_tld xn--rhqv96g xn--rovu88b xn--rvc1e0am3e xn--s9brj9c xn--ses554g xn--t60b56a
util_rb_tld xn--tckwe xn--tiq49xqyj xn--unup4y xn--vermgensberater-ctb
util_rb_tld xn--vermgensberatung-pwb xn--vhquv xn--vuq861b xn--w4r85el8fhu5dnra xn--w4rs40l
util_rb_tld xn--wgbh1c xn--wgbl6a xn--xhq521b xn--xkc2al3hye2a xn--xkc2dl3a5ee0h xn--y9a3aq
util_rb_tld xn--yfro4i67o xn--ygbi2ammx xn--zfr164b
endif
# Standard List
# For an up to date list of TLDs that can be pasted into this block, run this command:
# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | tail -n+2 | grep -vi '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 'chomp; s/.*/util_rb_tld \L$_\n/'
util_rb_tld aaa aarp abarth abb abbott abbvie abc able abogado abudhabi ac academy
util_rb_tld accenture accountant accountants aco actor ad adac ads adult ae aeg aero aetna
util_rb_tld af afamilycompany afl africa ag agakhan agency ai aig airbus airforce airtel
util_rb_tld akdn al alfaromeo alibaba alipay allfinanz allstate ally alsace alstom am
util_rb_tld amazon americanexpress americanfamily amex amfam amica amsterdam analytics
util_rb_tld android anquan anz ao aol apartments app apple aq aquarelle ar arab aramco
util_rb_tld archi army arpa art arte as asda asia associates at athleta attorney au auction
util_rb_tld audi audible audio auspost author auto autos avianca aw aws ax axa az azure ba
util_rb_tld baby baidu banamex bananarepublic band bank bar barcelona barclaycard barclays
util_rb_tld barefoot bargains baseball basketball bauhaus bayern bb bbc bbt bbva bcg bcn bd
util_rb_tld be beats beauty beer bentley berlin best bestbuy bet bf bg bh bharti bi bible
util_rb_tld bid bike bing bingo bio biz bj black blackfriday blockbuster blog bloomberg
util_rb_tld blue bm bms bmw bn bnpparibas bo boats boehringer bofa bom bond boo book
util_rb_tld booking bosch bostik boston bot boutique box br bradesco bridgestone broadway
util_rb_tld broker brother brussels bs bt budapest bugatti build builders business buy buzz
util_rb_tld bv bw by bz bzh ca cab cafe cal call calvinklein cam camera camp cancerresearch
util_rb_tld canon capetown capital capitalone car caravan cards care career careers cars
util_rb_tld casa case caseih cash casino cat catering catholic cba cbn cbre cbs cc cd ceb
util_rb_tld center ceo cern cf cfa cfd cg ch chanel channel charity chase chat cheap
util_rb_tld chintai christmas chrome church ci cipriani circle cisco citadel citi citic
util_rb_tld city cityeats ck cl claims cleaning click clinic clinique clothing cloud club
util_rb_tld clubmed cm cn co coach codes coffee college cologne com comcast commbank
util_rb_tld community company compare computer comsec condos construction consulting
util_rb_tld contact contractors cooking cookingchannel cool coop corsica country coupon
util_rb_tld coupons courses cpa cr credit creditcard creditunion cricket crown crs cruise
util_rb_tld cruises csc cu cuisinella cv cw cx cy cymru cyou cz dabur dad dance data date
util_rb_tld dating datsun day dclk dds de deal dealer deals degree delivery dell deloitte
util_rb_tld delta democrat dental dentist desi design dev dhl diamonds diet digital direct
util_rb_tld directory discount discover dish diy dj dk dm dnp do docs doctor dog domains
util_rb_tld dot download drive dtv dubai duck dunlop dupont durban dvag dvr dz earth eat ec
util_rb_tld eco edeka edu education ee eg email emerck energy engineer engineering
util_rb_tld enterprises epson equipment er ericsson erni es esq estate et etisalat eu
util_rb_tld eurovision eus events exchange expert exposed express extraspace fage fail
util_rb_tld fairwinds faith family fan fans farm farmers fashion fast fedex feedback
util_rb_tld ferrari ferrero fi fiat fidelity fido film final finance financial fire
util_rb_tld firestone firmdale fish fishing fit fitness fj fk flickr flights flir florist
util_rb_tld flowers fly fm fo foo food foodnetwork football ford forex forsale forum
util_rb_tld foundation fox fr free fresenius frl frogans frontdoor frontier ftr fujitsu
util_rb_tld fujixerox fun fund furniture futbol fyi ga gal gallery gallo gallup game games
util_rb_tld gap garden gay gb gbiz gd gdn ge gea gent genting george gf gg ggee gh gi gift
util_rb_tld gifts gives giving gl glade glass gle global globo gm gmail gmbh gmo gmx gn
util_rb_tld godaddy gold goldpoint golf goo goodyear goog google gop got gov gp gq gr
util_rb_tld grainger graphics gratis green gripe grocery group gs gt gu guardian gucci guge
util_rb_tld guide guitars guru gw gy hair hamburg hangout haus hbo hdfc hdfcbank health
util_rb_tld healthcare help helsinki here hermes hgtv hiphop hisamitsu hitachi hiv hk hkt
util_rb_tld hm hn hockey holdings holiday homedepot homegoods homes homesense honda horse
util_rb_tld hospital host hosting hot hoteles hotels hotmail house how hr hsbc ht hu hughes
util_rb_tld hyatt hyundai ibm icbc ice icu id ie ieee ifm ikano il im imamat imdb immo
util_rb_tld immobilien in inc industries infiniti info ing ink institute insurance insure
util_rb_tld int intel international intuit investments io ipiranga iq ir irish is ismaili
util_rb_tld ist istanbul it itau itv iveco jaguar java jcb jcp je jeep jetzt jewelry jio
util_rb_tld jll jm jmp jnj jo jobs joburg jot joy jp jpmorgan jprs juegos juniper kaufen
util_rb_tld kddi ke kerryhotels kerrylogistics kerryproperties kfh kg kh ki kia kim kinder
util_rb_tld kindle kitchen kiwi km kn koeln komatsu kosher kp kpmg kpn kr krd kred
util_rb_tld kuokgroup kw ky kyoto kz la lacaixa lamborghini lamer lancaster lancia land
util_rb_tld landrover lanxess lasalle lat latino latrobe law lawyer lb lc lds lease leclerc
util_rb_tld lefrak legal lego lexus lgbt li lidl life lifeinsurance lifestyle lighting like
util_rb_tld lilly limited limo lincoln linde link lipsy live living lixil lk llc llp loan
util_rb_tld loans locker locus loft lol london lotte lotto love lpl lplfinancial lr ls lt
util_rb_tld ltd ltda lu lundbeck lupin luxe luxury lv ly ma macys madrid maif maison makeup
util_rb_tld man management mango map market marketing markets marriott marshalls maserati
util_rb_tld mattel mba mc mckinsey md me med media meet melbourne meme memorial men menu
util_rb_tld merckmsd metlife mg mh miami microsoft mil mini mint mit mitsubishi mk ml mlb
util_rb_tld mls mm mma mn mo mobi mobile moda moe moi mom monash money monster mormon
util_rb_tld mortgage moscow moto motorcycles mov movie mp mq mr ms msd mt mtn mtr mu museum
util_rb_tld mutual mv mw mx my mz na nab nagoya name nationwide natura navy nba nc ne nec
util_rb_tld net netbank netflix network neustar new newholland news next nextdirect nexus
util_rb_tld nf nfl ng ngo nhk ni nico nike nikon ninja nissan nissay nl no nokia
util_rb_tld northwesternmutual norton now nowruz nowtv np nr nra nrw ntt nu nyc nz obi
util_rb_tld observer off office okinawa olayan olayangroup oldnavy ollo om omega one ong
util_rb_tld onl online onyourside ooo open oracle orange org organic origins osaka otsuka
util_rb_tld ott ovh pa page panasonic paris pars partners parts party passagens pay pccw pe
util_rb_tld pet pf pfizer pg ph pharmacy phd philips phone photo photography photos physio
util_rb_tld pics pictet pictures pid pin ping pink pioneer pizza pk pl place play
util_rb_tld playstation plumbing plus pm pn pnc pohl poker politie porn post pr pramerica
util_rb_tld praxi press prime pro prod productions prof progressive promo properties
util_rb_tld property protection pru prudential ps pt pub pw pwc py qa qpon quebec quest qvc
util_rb_tld racing radio raid re read realestate realtor realty recipes red redstone
util_rb_tld redumbrella rehab reise reisen reit reliance ren rent rentals repair report
util_rb_tld republican rest restaurant review reviews rexroth rich richardli ricoh
util_rb_tld rightathome ril rio rip rmit ro rocher rocks rodeo rogers room rs rsvp ru rugby
util_rb_tld ruhr run rw rwe ryukyu sa saarland safe safety sakura sale salon samsclub
util_rb_tld samsung sandvik sandvikcoromant sanofi sap sarl sas save saxo sb sbi sbs sc sca
util_rb_tld scb schaeffler schmidt scholarships school schule schwarz science scjohnson
util_rb_tld scot sd se search seat secure security seek select sener services ses seven sew
util_rb_tld sex sexy sfr sg sh shangrila sharp shaw shell shia shiksha shoes shop shopping
util_rb_tld shouji show showtime shriram si silk sina singles site sj sk ski skin sky skype
util_rb_tld sl sling sm smart smile sn sncf so soccer social softbank software sohu solar
util_rb_tld solutions song sony soy space sport spot spreadbetting sr srl ss st stada
util_rb_tld staples star statebank statefarm stc stcgroup stockholm storage store stream
util_rb_tld studio study style su sucks supplies supply support surf surgery suzuki sv
util_rb_tld swatch swiftcover swiss sx sy sydney symantec systems sz tab taipei talk taobao
util_rb_tld target tatamotors tatar tattoo tax taxi tc tci td tdk team tech technology tel
util_rb_tld temasek tennis teva tf tg th thd theater theatre tiaa tickets tienda tiffany
util_rb_tld tips tires tirol tj tjmaxx tjx tk tkmaxx tl tm tmall tn to today tokyo tools
util_rb_tld top toray toshiba total tours town toyota toys tr trade trading training travel
util_rb_tld travelchannel travelers travelersinsurance trust trv tt tube tui tunes tushu tv
util_rb_tld tvs tw tz ua ubank ubs ug uk unicom university uno uol ups us uy uz va
util_rb_tld vacations vana vanguard vc ve vegas ventures verisign versicherung vet vg vi
util_rb_tld viajes video vig viking villas vin vip virgin visa vision viva vivo vlaanderen
util_rb_tld vn vodka volkswagen volvo vote voting voto voyage vu vuelos wales walmart
util_rb_tld walter wang wanggou watch watches weather weatherchannel webcam weber website
util_rb_tld wed wedding weibo weir wf whoswho wien wiki williamhill win windows wine
util_rb_tld winners wme wolterskluwer woodside work works world wow ws wtc wtf xbox xerox
util_rb_tld xfinity xihuan xin xxx xyz yachts yahoo yamaxun yandex ye yodobashi yoga
util_rb_tld yokohama you youtube yt yun za zappos zara zero zip zm zone zuerich zw
#
# 2nd level TLD list
#
# http://www.neustar.us/policies/docs/rfc_1480.txt
# data originally from http://spamcheck.freeapp.net/two-level-tlds
# The freeapp.net site now says that information on the site is obsolete
# See discussion and sources in comments of bug 5677
# updated as per bug 5815
# cleanup in progress per bug 6795 (axb)
# Unsorted sources:
# .ua : https://hostmaster.ua
# .hu : http://www.domain.hu/domain/English/szabalyzat/sld.html
util_rb_2tld com.ac edu.ac gov.ac mil.ac net.ac org.ac
util_rb_2tld nom.ad
util_rb_2tld ac.ae co.ae com.ae gov.ae mil.ae name.ae net.ae org.ae pro.ae sch.ae
util_rb_2tld com.af edu.af gov.af net.af
util_rb_2tld co.ag com.ag net.ag nom.ag org.ag
util_rb_2tld com.ai edu.ai gov.ai net.ai off.ai org.ai
util_rb_2tld com.al edu.al gov.al net.al org.al
util_rb_2tld com.an edu.an net.an org.an
util_rb_2tld co.ao ed.ao gv.ao it.ao og.ao pb.ao
util_rb_2tld com.ar edu.ar gov.ar int.ar mil.ar net.ar org.ar
util_rb_2tld e164.arpa in-addr.arpa ip6.arpa iris.arpa uri.arpa urn.arpa
util_rb_2tld ac.at co.at gv.at or.at priv.at
util_rb_2tld act.au asn.au com.au conf.au csiro.au edu.au gov.au id.au info.au net.au nsw.au nt.au org.au otc.au oz.au qld.au sa.au tas.au telememo.au vic.au wa.au
util_rb_2tld com.aw
util_rb_2tld biz.az com.az edu.az gov.az info.az int.az mil.az name.az net.az org.az pp.az
util_rb_2tld co.ba com.ba edu.ba gov.ba mil.ba net.ba org.ba rs.ba unbi.ba unsa.ba
util_rb_2tld com.bb edu.bb gov.bb net.bb org.bb
util_rb_2tld ac.bd com.bd edu.bd gov.bd mil.bd net.bd org.bd
util_rb_2tld ac.be belgie.be dns.be fgov.be
util_rb_2tld gov.bf
util_rb_2tld biz.bh cc.bh com.bh edu.bh gov.bh info.bh net.bh org.bh
util_rb_2tld com.bm edu.bm gov.bm net.bm org.bm
util_rb_2tld com.bn edu.bn net.bn org.bn
util_rb_2tld com.bo edu.bo gob.bo gov.bo int.bo mil.bo net.bo org.bo tv.bo
util_rb_2tld adm.br adv.br agr.br am.br arq.br art.br ato.br bio.br bmd.br cim.br cng.br cnt.br com.br coop.br dpn.br eco.br ecn.br edu.br eng.br esp.br etc.br eti.br far.br fm.br fnd.br fot.br fst.br g12.br ggf.br gov.br imb.br ind.br inf.br jor.br lel.br mat.br med.br mil.br mus.br net.br nom.br not.br ntr.br odo.br org.br ppg.br pro.br psc.br psi.br qsl.br rec.br slg.br srv.br tmp.br trd.br tur.br tv.br vet.br zlg.br
util_rb_2tld com.bs net.bs org.bs
util_rb_2tld com.bt edu.bt gov.bt net.bt org.bt
util_rb_2tld co.bw org.bw
util_rb_2tld gov.by mil.by
util_rb_2tld com.bz net.bz org.bz
util_rb_2tld ab.ca bc.ca gc.ca mb.ca nb.ca nf.ca nl.ca ns.ca nt.ca nu.ca on.ca pe.ca qc.ca sk.ca yk.ca
util_rb_2tld co.ck edu.ck gov.ck net.ck org.ck
util_rb_2tld ac.cn ah.cn bj.cn com.cn cq.cn edu.cn fj.cn gd.cn gov.cn gs.cn gx.cn gz.cn ha.cn hb.cn he.cn hi.cn hk.cn hl.cn hn.cn jl.cn js.cn jx.cn ln.cn mo.cn net.cn nm.cn nx.cn org.cn qh.cn sc.cn sd.cn sh.cn sn.cn sx.cn tj.cn tw.cn xj.cn xz.cn yn.cn zj.cn
util_rb_2tld arts.co com.co edu.co firm.co gov.co info.co int.co mil.co net.co nom.co org.co rec.co web.co
util_rb_2tld co.cm com.cm net.cm
util_rb_2tld au.com br.com cn.com de.com eu.com gb.com hu.com no.com qc.com ru.com sa.com se.com uk.com us.com uy.com za.com
util_rb_2tld ac.cr co.cr ed.cr fi.cr go.cr or.cr sa.cr
util_rb_2tld com.cu edu.cu gov.cu inf.cu net.cu org.cu
util_rb_2tld gov.cx
util_rb_2tld ac.cy biz.cy com.cy ekloges.cy gov.cy ltd.cy name.cy net.cy org.cy parliament.cy press.cy pro.cy tm.cy
util_rb_2tld co.dk
util_rb_2tld com.dm edu.dm gov.dm net.dm org.dm
util_rb_2tld art.do com.do edu.do gob.do gov.do mil.do net.do org.do sld.do web.do
util_rb_2tld art.dz asso.dz com.dz edu.dz gov.dz net.dz org.dz pol.dz
util_rb_2tld com.ec edu.ec fin.ec gov.ec info.ec k12.ec med.ec mil.ec net.ec org.ec pro.ec gob.ec
util_rb_2tld co.ee com.ee edu.ee fie.ee med.ee org.ee pri.ee
util_rb_2tld com.eg edu.eg eun.eg gov.eg mil.eg net.eg org.eg sci.eg
util_rb_2tld com.er edu.er gov.er ind.er mil.er net.er org.er
util_rb_2tld com.es edu.es gob.es nom.es org.es
util_rb_2tld biz.et com.et edu.et gov.et info.et name.et net.et org.et
util_rb_2tld aland.fi
util_rb_2tld ac.fj biz.fj com.fj gov.fj id.fj info.fj mil.fj name.fj net.fj org.fj pro.fj school.fj
util_rb_2tld ac.fk co.fk com.fk gov.fk net.fk nom.fk org.fk
util_rb_2tld tm.fr asso.fr nom.fr prd.fr presse.fr com.fr gouv.fr
util_rb_2tld com.ge edu.ge gov.ge mil.ge net.ge org.ge pvt.ge
util_rb_2tld ac.gg alderney.gg co.gg gov.gg guernsey.gg ind.gg ltd.gg net.gg org.gg sark.gg sch.gg
util_rb_2tld com.gh edu.gh gov.gh mil.gh org.gh
util_rb_2tld com.gi edu.gi gov.gi ltd.gi mod.gi org.gi
util_rb_2tld ac.gn com.gn gov.gn net.gn org.gn
util_rb_2tld asso.gp com.gp edu.gp net.gp org.gp
util_rb_2tld com.gr edu.gr gov.gr net.gr org.gr
util_rb_2tld com.gt edu.gt gob.gt ind.gt mil.gt net.gt org.gt
util_rb_2tld com.gu edu.gu gov.gu mil.gu net.gu org.gu
util_rb_2tld com.hk edu.hk gov.hk idv.hk net.hk org.hk
util_rb_2tld com.hn edu.hn gob.hn mil.hn net.hn org.hn
util_rb_2tld com.hr from.hr iz.hr name.hr
util_rb_2tld adult.ht art.ht asso.ht com.ht coop.ht edu.ht firm.ht gouv.ht info.ht med.ht net.ht org.ht perso.ht pol.ht pro.ht rel.ht shop.ht
util_rb_2tld 2000.hu agrar.hu bolt.hu casino.hu city.hu co.hu erotica.hu erotika.hu film.hu forum.hu games.hu hotel.hu info.hu ingatlan.hu jogasz.hu konyvelo.hu lakas.hu media.hu news.hu org.hu priv.hu reklam.hu sex.hu shop.hu sport.hu suli.hu szex.hu tm.hu tozsde.hu utazas.hu video.hu
util_rb_2tld ac.id co.id go.id mil.id net.id or.id sch.id web.id
util_rb_2tld gov.ie
util_rb_2tld ac.il co.il gov.il idf.il k12.il muni.il net.il org.il
util_rb_2tld ac.im co.im com.im gov.im net.im nic.im org.im
util_rb_2tld ac.in co.in edu.in ernet.in firm.in gen.in gov.in ind.in mil.in net.in nic.in org.in res.in
util_rb_2tld com.io gov.io mil.io net.io org.io
util_rb_2tld gov.iq
util_rb_2tld ac.ir co.ir gov.ir id.ir net.ir org.ir sch.ir
util_rb_2tld edu.it gov.it
util_rb_2tld ac.je co.je gov.je ind.je jersey.je ltd.je net.je org.je sch.je
util_rb_2tld com.jm edu.jm gov.jm net.jm org.jm
util_rb_2tld com.jo edu.jo gov.jo mil.jo net.jo org.jo
util_rb_2tld ac.jp ad.jp aichi.jp akita.jp aomori.jp chiba.jp co.jp ed.jp ehime.jp fukui.jp fukuoka.jp fukushima.jp gifu.jp go.jp gov.jp gr.jp gunma.jp hiroshima.jp hokkaido.jp hyogo.jp ibaraki.jp ishikawa.jp iwate.jp kagawa.jp kagoshima.jp kanagawa.jp kanazawa.jp kawasaki.jp kitakyushu.jp kobe.jp kochi.jp kumamoto.jp kyoto.jp lg.jp matsuyama.jp mie.jp miyagi.jp miyazaki.jp nagano.jp nagasaki.jp nagoya.jp nara.jp ne.jp net.jp niigata.jp oita.jp okayama.jp okinawa.jp or.jp org.jp osaka.jp saga.jp saitama.jp sapporo.jp sendai.jp shiga.jp shimane.jp shizuoka.jp takamatsu.jp tochigi.jp tokushima.jp tokyo.jp tottori.jp toyama.jp utsunomiya.jp wakayama.jp yamagata.jp yamaguchi.jp yamanashi.jp yokohama.jp
util_rb_2tld ac.ke co.ke go.ke ne.ke new.ke or.ke sc.ke
util_rb_2tld com.kg edu.kg gov.kg mil.kg net.kg org.kg
util_rb_2tld com.kh edu.kh gov.kh mil.kh net.kh org.kh per.kh
util_rb_2tld ac.kr busan.kr chungbuk.kr chungnam.kr co.kr daegu.kr daejeon.kr es.kr gangwon.kr go.kr gwangju.kr gyeongbuk.kr gyeonggi.kr gyeongnam.kr hs.kr incheon.kr jeju.kr jeonbuk.kr jeonnam.kr kg.kr kyonggi.kr mil.kr ms.kr ne.kr or.kr pe.kr re.kr sc.kr seoul.kr ulsan.kr
util_rb_2tld com.kw edu.kw gov.kw mil.kw net.kw org.kw
util_rb_2tld com.ky edu.ky gov.ky net.ky org.ky
util_rb_2tld com.kz edu.kz gov.kz mil.kz net.kz org.kz
util_rb_2tld com.la net.la org.la
util_rb_2tld com.lb edu.lb gov.lb mil.lb net.lb org.lb
util_rb_2tld com.lc edu.lc gov.lc net.lc org.lc
util_rb_2tld assn.lk com.lk edu.lk gov.lk grp.lk hotel.lk int.lk ltd.lk net.lk ngo.lk org.lk sch.lk soc.lk web.lk
util_rb_2tld com.lr edu.lr gov.lr net.lr org.lr
util_rb_2tld co.ls org.ls
util_rb_2tld gov.lt mil.lt
util_rb_2tld asn.lv com.lv conf.lv edu.lv gov.lv id.lv mil.lv net.lv org.lv
util_rb_2tld biz.ly com.ly edu.ly gov.ly id.ly med.ly net.ly org.ly plc.ly sch.ly
util_rb_2tld ac.ma co.ma gov.ma net.ma org.ma press.ma
util_rb_2tld asso.mc tm.mc
util_rb_2tld ac.me co.me edu.me gov.me its.me net.me org.me priv.me
util_rb_2tld com.mg edu.mg gov.mg mil.mg nom.mg org.mg prd.mg tm.mg
util_rb_2tld army.mil navy.mil
util_rb_2tld com.mk org.mk
util_rb_2tld com.mm edu.mm gov.mm net.mm org.mm
util_rb_2tld edu.mn gov.mn org.mn
util_rb_2tld com.mo edu.mo gov.mo net.mo org.mo
util_rb_2tld music.mobi weather.mobi
util_rb_2tld co.mp edu.mp gov.mp net.mp org.mp
util_rb_2tld com.mt edu.mt gov.mt net.mt org.mt tm.mt uu.mt
util_rb_2tld co.mu com.mu
util_rb_2tld aero.mv biz.mv com.mv coop.mv edu.mv gov.mv info.mv int.mv mil.mv museum.mv name.mv net.mv org.mv pro.mv
util_rb_2tld ac.mw co.mw com.mw coop.mw edu.mw gov.mw int.mw museum.mw net.mw org.mw
util_rb_2tld com.mx edu.mx gob.mx net.mx org.mx
util_rb_2tld com.my edu.my gov.my mil.my name.my net.my org.my
util_rb_2tld co.mz net.mz org.mz ac.mz gov.mz edu.mz
util_rb_2tld alt.na com.na cul.na edu.na net.na org.na telecom.na unam.na
util_rb_2tld com.nc net.nc org.nc
util_rb_2tld de.net gb.net uk.net
util_rb_2tld ac.ng com.ng edu.ng gov.ng net.ng org.ng sch.ng
util_rb_2tld ac.ni biz.ni com.ni edu.ni gob.ni in.ni info.ni int.ni mil.ni net.ni nom.ni org.ni web.ni
util_rb_2tld fhs.no folkebibl.no fylkesbibl.no herad.no idrett.no kommune.no mil.no museum.no priv.no stat.no tel.no vgs.no
util_rb_2tld com.np edu.np gov.np mil.np net.np org.np
util_rb_2tld biz.nr co.nr com.nr edu.nr fax.nr gov.nr info.nr mob.nr mobil.nr mobile.nr net.nr org.nr tel.nr tlf.nr
util_rb_2tld ac.nz co.nz cri.nz geek.nz gen.nz govt.nz iwi.nz kiwi.nz maori.nz mil.nz net.nz org.nz parliament.nz school.nz
util_rb_2tld ac.om biz.om co.om com.om edu.om gov.om med.om mil.om mod.om museum.om net.om org.om pro.om sch.om
util_rb_2tld dk.org eu.org
util_rb_2tld abo.pa ac.pa com.pa edu.pa gob.pa ing.pa med.pa net.pa nom.pa org.pa sld.pa
util_rb_2tld com.pe edu.pe gob.pe mil.pe net.pe nom.pe org.pe
util_rb_2tld com.pf edu.pf org.pf
util_rb_2tld ac.pg com.pg net.pg
util_rb_2tld com.ph edu.ph gov.ph mil.ph net.ph ngo.ph org.ph
util_rb_2tld biz.pk com.pk edu.pk fam.pk gob.pk gok.pk gon.pk gop.pk gos.pk gov.pk net.pk org.pk web.pk
util_rb_2tld art.pl biz.pl com.pl edu.pl gov.pl info.pl mil.pl net.pl ngo.pl org.pl
util_rb_2tld biz.pr com.pr edu.pr gov.pr info.pr isla.pr name.pr net.pr org.pr pro.pr
util_rb_2tld cpa.pro law.pro med.pro
util_rb_2tld com.ps edu.ps gov.ps net.ps org.ps plo.ps sec.ps
util_rb_2tld com.pt edu.pt gov.pt int.pt net.pt nome.pt org.pt publ.pt
util_rb_2tld com.py edu.py gov.py net.py org.py
util_rb_2tld com.qa edu.qa gov.qa net.qa org.qa
util_rb_2tld asso.re com.re nom.re
util_rb_2tld arts.ro com.ro firm.ro info.ro nom.ro nt.ro org.ro rec.ro store.ro tm.ro www.ro
util_rb_2tld ac.rs co.rs edu.rs gov.rs in.rs org.rs
util_rb_2tld ac.ru com.ru edu.ru gov.ru int.ru mil.ru net.ru org.ru pp.ru
util_rb_2tld ac.rw co.rw com.rw edu.rw gouv.rw gov.rw int.rw mil.rw net.rw
util_rb_2tld com.sa edu.sa gov.sa med.sa net.sa org.sa pub.sa sch.sa
util_rb_2tld com.sb edu.sb gov.sb net.sb org.sb
util_rb_2tld com.sc edu.sc gov.sc net.sc org.sc
util_rb_2tld com.sd edu.sd gov.sd info.sd med.sd net.sd org.sd sch.sd tv.sd
util_rb_2tld ab.se ac.se bd.se brand.se c.se d.se e.se f.se fh.se fhsk.se fhv.se g.se h.se i.se k.se komforb.se kommunalforbund.se komvux.se lanarb.se lanbib.se m.se mil.se n.se naturbruksgymn.se o.se org.se parti.se pp.se press.se s.se sshn.se t.se tm.se u.se w.se x.se y.se z.se
util_rb_2tld com.sg edu.sg gov.sg idn.sg net.sg org.sg per.sg
util_rb_2tld com.sh edu.sh gov.sh mil.sh net.sh org.sh
util_rb_2tld edu.sk gov.sk mil.sk
util_rb_2tld co.st com.st consulado.st edu.st embaixada.st gov.st mil.st net.st org.st principe.st saotome.st store.st
util_rb_2tld com.sv edu.sv gob.sv org.sv red.sv
util_rb_2tld com.sy gov.sy net.sy org.sy
util_rb_2tld at.tf bg.tf ca.tf ch.tf cz.tf de.tf edu.tf eu.tf int.tf net.tf pl.tf ru.tf sg.tf us.tf
util_rb_2tld ac.th co.th go.th in.th mi.th net.th or.th
util_rb_2tld ac.tj biz.tj co.tj com.tj edu.tj go.tj gov.tj int.tj mil.tj name.tj net.tj org.tj web.tj
util_rb_2tld com.tn edunet.tn ens.tn fin.tn gov.tn ind.tn info.tn intl.tn nat.tn net.tn org.tn rnrt.tn rns.tn rnu.tn tourism.tn
util_rb_2tld gov.to
util_rb_2tld gov.tp
util_rb_2tld av.tr bbs.tr bel.tr biz.tr com.tr dr.tr edu.tr gen.tr gov.tr info.tr k12.tr mil.tr name.tr net.tr org.tr pol.tr tel.tr web.tr
util_rb_2tld aero.tt at.tt au.tt be.tt biz.tt ca.tt co.tt com.tt coop.tt de.tt dk.tt edu.tt es.tt eu.tt fr.tt gov.tt info.tt int.tt it.tt jobs.tt mobi.tt museum.tt name.tt net.tt nic.tt org.tt pro.tt se.tt travel.tt uk.tt us.tt
util_rb_2tld co.tv gov.tv
util_rb_2tld club.tw com.tw ebiz.tw edu.tw game.tw gov.tw idv.tw mil.tw net.tw org.tw
util_rb_2tld ac.tz co.tz go.tz ne.tz or.tz
util_rb_2tld cherkassy.ua chernigov.ua chernovtsy.ua ck.ua cn.ua co.ua com.ua crimea.ua cv.ua dn.ua dnepropetrovsk.ua donetsk.ua dp.ua edu.ua gov.ua if.ua in.ua ivano-frankivsk.ua kh.ua kharkov.ua kherson.ua khmelnitskiy.ua kiev.ua kirovograd.ua km.ua kr.ua ks.ua kv.ua lg.ua lugansk.ua lutsk.ua lviv.ua mk.ua net.ua nikolaev.ua od.ua odessa.ua org.ua pl.ua poltava.ua rovno.ua rv.ua sebastopol.ua sumy.ua te.ua ternopil.ua uzhgorod.ua vinnica.ua vn.ua zaporizhzhe.ua zhitomir.ua zp.ua zt.ua
util_rb_2tld ac.ug co.ug go.ug ne.ug or.ug sc.ug
util_rb_2tld ac.uk bl.uk british-library.uk co.uk edu.uk gov.uk icnet.uk jet.uk ltd.uk me.uk mod.uk national-library-scotland.uk net.uk nhs.uk nic.uk nls.uk org.uk parliament.uk plc.uk police.uk sch.uk
util_rb_2tld ak.us al.us ar.us az.us ca.us co.us ct.us dc.us de.us dni.us fed.us fl.us ga.us hi.us ia.us id.us il.us in.us isa.us kids.us ks.us ky.us la.us ma.us md.us me.us mi.us mn.us mo.us ms.us mt.us nc.us nd.us ne.us nh.us nj.us nm.us nsn.us nv.us ny.us oh.us ok.us or.us pa.us ri.us sc.us sd.us tn.us tx.us ut.us va.us vt.us wa.us wi.us wv.us wy.us
util_rb_2tld com.uy edu.uy gub.uy mil.uy net.uy org.uy
util_rb_2tld vatican.va
util_rb_2tld arts.ve bib.ve co.ve com.ve edu.ve firm.ve gov.ve info.ve int.ve mil.ve net.ve nom.ve org.ve rec.ve store.ve tec.ve web.ve
util_rb_2tld co.vi com.vi edu.vi gov.vi net.vi org.vi
util_rb_2tld ac.vn biz.vn com.vn edu.vn gov.vn health.vn info.vn int.vn name.vn net.vn org.vn pro.vn
util_rb_2tld ch.vu com.vu de.vu edu.vu fr.vu net.vu org.vu
util_rb_2tld com.ws edu.ws gov.ws net.ws org.ws
util_rb_2tld com.ye edu.ye gov.ye mil.ye net.ye org.ye
util_rb_2tld ac.za alt.za bourse.za city.za co.za edu.za gov.za law.za mil.za net.za ngo.za nom.za org.za school.za tm.za web.za
util_rb_2tld ac.zm co.zm com.zm edu.zm gov.zm org.zm sch.zm
util_rb_2tld ac.zw co.zw gov.zw org.zw
#
util_rb_2tld 110mb.com
util_rb_2tld 9k.com
util_rb_2tld addr.com
util_rb_2tld altervista.org
util_rb_2tld biz.tm
util_rb_2tld blogger.ca
util_rb_2tld blogger.cf
util_rb_2tld blogger.ch
util_rb_2tld blogspot.com
util_rb_2tld blogger.cv
util_rb_2tld blogger.jp
util_rb_2tld blogger.pl
util_rb_2tld blogger.re
util_rb_2tld blogger.se
util_rb_2tld blogspot.ca
util_rb_2tld blogspot.cv
util_rb_2tld blogspot.de
util_rb_2tld blogspot.fr
util_rb_2tld blogspot.in
util_rb_2tld blogspot.it
util_rb_2tld blogspot.jp
util_rb_2tld blogspot.mx
util_rb_2tld blogspot.pt
util_rb_2tld blogspot.re
util_rb_2tld blogspot.se
util_rb_2tld bravehost.com
util_rb_2tld bravejournal.com
util_rb_2tld by.ru
util_rb_2tld chat.ru
util_rb_2tld cjb.net
util_rb_2tld es.tl
util_rb_2tld extra.hu
util_rb_2tld freehostia.com
util_rb_2tld front.ru
util_rb_2tld geocities.com
util_rb_2tld getmyip.com
util_rb_2tld googlepages.com
util_rb_2tld helloweb.eu
util_rb_2tld host.sk
util_rb_2tld hotbox.ru
util_rb_2tld hotmail.ru
util_rb_2tld hu2.ru
util_rb_2tld hut2.ru
util_rb_2tld iblogger.org
util_rb_2tld ic.cz
util_rb_2tld id.ru
util_rb_2tld kwik.to
util_rb_2tld land.ru
util_rb_2tld mine.nu
util_rb_2tld mooo.com
util_rb_2tld narod.ru
util_rb_2tld netsolhost.com
util_rb_2tld na.by
util_rb_2tld newmail.ru
util_rb_2tld nextmail.ru
util_rb_2tld nightmail.ru
util_rb_2tld nm.ru
util_rb_2tld notlong.com
util_rb_2tld page.tl
util_rb_2tld pochta.ru
util_rb_2tld pochtamt.ru
util_rb_2tld pop3.ru
util_rb_2tld proboards.com
util_rb_2tld rbcmail.ru
util_rb_2tld rm.ru
util_rb_2tld smtp.ru
util_rb_2tld sol.ru
util_rb_2tld t35.com
util_rb_2tld tripod.com
util_rb_2tld uk.to
util_rb_2tld unblog.fr
util_rb_2tld us.to
util_rb_2tld web-soft.ru
util_rb_2tld wz.cz
util_rb_2tld zmail.ru
util_rb_2tld t35.net
util_rb_2tld t35.com
util_rb_2tld wordpress.com
util_rb_2tld jino-net.ru
util_rb_2tld 6a.org
util_rb_2tld xf.cz
util_rb_2tld fr.tc
util_rb_2tld googlegroups.com
util_rb_2tld 150m.com
util_rb_2tld bravepages.com
util_rb_2tld ucoz.ru
util_rb_2tld ucoz.com
util_rb_2tld ucoz.net
util_rb_2tld szm.com
util_rb_2tld geocities.jp
util_rb_2tld gmxhome.de
util_rb_2tld freeservercity.com
util_rb_2tld iquebec.com
util_rb_2tld mail2k.ru
util_rb_2tld mail.ru
util_rb_2tld ath.cx
util_rb_2tld go.ro
util_rb_2tld z8.ru
util_rb_2tld appspot.com
util_rb_2tld gigazu.net
util_rb_2tld weebly.com
util_rb_2tld ifrance.com
util_rb_2tld jimdo.com
util_rb_2tld kimsufi.com
util_rb_2tld mail333.su
util_rb_2tld pisem.su
util_rb_2tld mail15.su
util_rb_2tld prserv.net
util_rb_2tld angelfire.com
util_rb_2tld 163.to
util_rb_2tld home.pl
util_rb_2tld redirectme.net
util_rb_2tld interia.pl
util_rb_2tld co.kg
util_rb_2tld ning.com
util_rb_2tld xorg.pl
util_rb_2tld free.fr
util_rb_2tld we.bs
util_rb_2tld net.tc
util_rb_2tld isuisse.com
util_rb_2tld de.ki
util_rb_2tld funpic.de
util_rb_2tld interii.pl
util_rb_2tld selfip.com
#util_rb_2tld livejournal.com - Removed per bug 6662 4/7/15 - KAM
util_rb_2tld t3.to
util_rb_2tld fx.to
util_rb_2tld iespana.es
util_rb_2tld go.com
util_rb_2tld hostevo.com
util_rb_2tld iwebsource.com
util_rb_2tld one.pl
util_rb_2tld gratishost.com
util_rb_2tld netfirms.com
util_rb_2tld ibelgique.com
util_rb_2tld to.it
util_rb_2tld whsites.net
util_rb_2tld home.ro
util_rb_2tld 1blu.de
util_rb_2tld co.cc
util_rb_2tld cc.cc
util_rb_2tld webs.com
util_rb_2tld webcindario.com
util_rb_2tld idoo.com
util_rb_2tld selfip.net
util_rb_2tld ovh.net
util_rb_2tld sapo.pt
util_rb_2tld homeip.net
util_rb_2tld unlugar.com
util_rb_2tld nov.ru
util_rb_2tld republika.pl
util_rb_2tld blog.com
util_rb_2tld sosblog.com
util_rb_2tld servebbs.com
util_rb_2tld serveftp.com
util_rb_2tld gob.ve
util_rb_2tld xanga.com
util_rb_2tld com.vc
util_rb_2tld net.vc
util_rb_2tld org.vc
util_rb_2tld kickme.to
util_rb_2tld asso.ws
util_rb_2tld url.st
util_rb_2tld at.pn
util_rb_2tld au.pn
util_rb_2tld ca.pn
util_rb_2tld ch.pn
util_rb_2tld cn.pn
util_rb_2tld co.pn
util_rb_2tld corp.st
util_rb_2tld societe.st
util_rb_2tld de.pn
util_rb_2tld es.pn
util_rb_2tld eu.pn
util_rb_2tld euro.tm
util_rb_2tld fr.pn
util_rb_2tld gov.pn
util_rb_2tld government.pn
util_rb_2tld it.pn
util_rb_2tld jp.pn
util_rb_2tld perso.tc
util_rb_2tld site.tc
util_rb_2tld societe.st
util_rb_2tld url.st
util_rb_2tld blog.ru
util_rb_2tld eu.tc
util_rb_2tld us.tc
util_rb_2tld pro.tc
util_rb_2tld de.tc
util_rb_2tld at.tc
util_rb_2tld it.tc
util_rb_2tld es.tc
util_rb_2tld ru.tc
util_rb_2tld se.tc
util_rb_2tld dk.tc
util_rb_2tld be.tc
util_rb_2tld no.tc
util_rb_2tld int.tc
util_rb_2tld pl.tc
util_rb_2tld bg.tc
util_rb_2tld cz.tc
util_rb_2tld mx.tc
util_rb_2tld br.tc
util_rb_2tld hk.tc
util_rb_2tld kr.tc
util_rb_2tld th.tc
util_rb_2tld ph.tc
util_rb_2tld at.lv
util_rb_2tld de.lv
util_rb_2tld ch.lv
util_rb_2tld org.rw
util_rb_2tld myvnc.com
util_rb_2tld blog4ever.com
util_rb_2tld sytes.net
util_rb_2tld multiply.com
util_rb_2tld 80.hk
util_rb_2tld shutterfly.com
util_rb_2tld chez.com
util_rb_2tld ce.ms
util_rb_2tld zapto.org
util_rb_2tld cz.cc
util_rb_2tld fromru.su
util_rb_2tld krovatka.su
util_rb_2tld pochta.com
util_rb_2tld 5ballov.ru
util_rb_2tld usa.cc
util_rb_2tld jpn.com
util_rb_2tld yolasite.com
util_rb_2tld in.net
util_rb_2tld com.de
util_rb_2tld biz.ua
util_rb_2tld azurewebsites.net
util_rb_2tld azureedge.net
util_rb_2tld zohosites.com
util_rb_2tld wixsite.com
util_rb_2tld firebaseapp.com
util_rb_2tld web.app
#
util_rb_2tld neostrada.pl
util_rb_2tld vv.cc
util_rb_2tld co.be
util_rb_2tld uni.cc
util_rb_2tld shop.co
util_rb_2tld tumblr.com
util_rb_2tld fileave.com
util_rb_2tld de.tl
util_rb_2tld co.com
# Dyndns.com
util_rb_2tld dyndns-at-home.com
util_rb_2tld dyndns-at-work.com
util_rb_2tld dyndns-blog.com
util_rb_2tld dyndns-free.com
util_rb_2tld dyndns-home.com
util_rb_2tld dyndns-ip.com
util_rb_2tld dyndns-mail.com
util_rb_2tld dyndns-office.com
util_rb_2tld dyndns-pics.com
util_rb_2tld dyndns-remote.com
util_rb_2tld dyndns-server.com
util_rb_2tld dyndns-web.com
util_rb_2tld dyndns-wiki.com
util_rb_2tld dyndns-work.com
util_rb_2tld dyndns.biz
util_rb_2tld dyndns.info
util_rb_2tld dyndns.org
util_rb_2tld dyndns.tv
util_rb_2tld dyndns.dk
util_rb_2tld dyndns.ws
util_rb_2tld mydyndns.org
util_rb_2tld qip.ru
#
util_rb_2tld no-ip.biz
util_rb_2tld no-ip.ca
util_rb_2tld no-ip.com
util_rb_2tld no-ip.info
util_rb_2tld no-ip.net
util_rb_2tld no-ip.org
#
util_rb_2tld gotdns.ch
util_rb_2tld ddnsking.com
util_rb_2tld ddns.net
util_rb_2tld bounceme.net
util_rb_2tld hopto.org
util_rb_2tld serveblog.net
util_rb_2tld myftp.org
util_rb_2tld myftp.biz
#
# 3rd level TLD list (SA 3.3+)
#
# There was a bug before 3.4.1(?), only one 3TLD per line works!
#
if (version >= 3.003000)
util_rb_3tld demon.co.uk
util_rb_3tld esc.edu.ar
util_rb_3tld lkd.co.im
util_rb_3tld plc.co.im
util_rb_3tld ltd.co.im
#
util_rb_3tld bay.livefilestore.com
util_rb_3tld blu.livefilestore.com
util_rb_3tld groups.live.com
util_rb_3tld spaces.live.com
util_rb_3tld profile.live.com
util_rb_3tld web.aplus.net
util_rb_3tld cloud.prohosting.com
util_rb_3tld skydrive.live.com
util_rb_3tld docs.google.com
util_rb_3tld spaces.msn.com
util_rb_3tld blog.friendster.com
util_rb_3tld plc.co.im
util_rb_3tld ltd.co.im
util_rb_3tld sakura.ne.jp
util_rb_3tld web.officelive.com
util_rb_3tld com.sapo.pt
util_rb_3tld paginas.sapo.pt
util_rb_3tld no.sapo.pt
util_rb_3tld home.sapo.pt
util_rb_3tld do.sapo.pt
util_rb_3tld homepage.t-online.de
util_rb_3tld privat.t-online.de
util_rb_3tld web.fc2.com
util_rb_3tld co.uk.pn
util_rb_3tld com.au.pn
util_rb_3tld co.at.pn
util_rb_3tld co.at.lv
util_rb_3tld or.at.lv
util_rb_3tld co.at.tc
util_rb_3tld qld.edu.au
util_rb_3tld perso.neuf.fr
util_rb_3tld perso.sfr.fr
util_rb_3tld hop.clickbank.net
util_rb_3tld user.icpnet.pl
util_rb_3tld en.alibaba.com
#
util_rb_3tld blogspot.co.nz
util_rb_3tld blogspot.co.uk
util_rb_3tld blogspot.com.ar
util_rb_3tld blogspot.com.au
util_rb_3tld blogspot.com.br
util_rb_3tld blogspot.com.es
#
util_rb_3tld no-ip.co.uk
#
util_rb_3tld mobile.web.tr
endif

169
sa-updates/20_body_tests.cf Normal file
View File

@ -0,0 +1,169 @@
# SpamAssassin rules file: body tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
# Note: If you are adding a rule which looks for a phrase in the body
# (as most of them do), please add it to rules/20_phrases.cf instead.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
###########################################################################
# GTUBE test - the generic test for UBE.
body GTUBE /XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X/
describe GTUBE Generic Test for Unsolicited Bulk Email
tflags GTUBE userconf noautolearn
###########################################################################
# this seems to be the new fashion (as of Jul 5 2002). base64-encoded
# parts need to be stripped before this match
body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is
describe TRACKER_ID Incorporates a tracking ID number
body WEIRD_QUOTING /[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}/
describe WEIRD_QUOTING Weird repeated double-quotation marks
###########################################################################
# multipart/alternative has very good accuracy, other multipart types are
# similar to MIME_HTML_ONLY so they don't need a separate rule
header __CTYPE_MULTIPART_ALT Content-Type =~ /multipart\/alternative/i
meta MIME_HTML_ONLY_MULTI (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY)
describe MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
# note: __HIGHBITS is used in rules/20_html_tests.cf, HTML_CHARSET_FARAWAY
meta MIME_CHARSET_FARAWAY (__MIME_CHARSET_FARAWAY && __HIGHBITS)
describe MIME_CHARSET_FARAWAY MIME character set indicates foreign language
tflags MIME_CHARSET_FARAWAY userconf
###########################################################################
# duncf
body EMAIL_ROT13 /\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b/
describe EMAIL_ROT13 Body contains a ROT13-encoded email address
test EMAIL_ROT13 ok qhabs^ebtref(pbz
test EMAIL_ROT13 ok zxrggyre^riv-vap(pbz
test EMAIL_ROT13 fail duncf-nospam@rogers.com
# this could use more work
body __LONGWORDS_A /\b(?:[a-z]{8,}[\s\.]+){6}/
body __LONGWORDS_B /\b(?:[a-z]{6,}[\s\.]+){9}/
body __LONGWORDS_C /\b(?:[a-z]{5,}[\s\.]+){10}/
meta LONGWORDS (__LONGWORDS_A + __LONGWORDS_B + __LONGWORDS_C > 1)
describe LONGWORDS Long string of long words
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::BodyEval
# This rule uses a simple algorithm to determine if the text and html
# parts of an multipart/alternative message are different.
body MPART_ALT_DIFF eval:multipart_alternative_difference('99', '100')
describe MPART_ALT_DIFF HTML and text parts are different
body MPART_ALT_DIFF_COUNT eval:multipart_alternative_difference_count('3', '1')
describe MPART_ALT_DIFF_COUNT HTML and text parts are different
body BLANK_LINES_80_90 eval:check_blank_line_ratio('80','90','4')
describe BLANK_LINES_80_90 Message body has 80-90% blank lines
# it's the ratio of spaces to non-spaces in each paragraph. apparently
# messages where generally there are lots of spaces mean the message is spam.
# 8.532 10.6051 0.1897 0.982 0.75 0.01 T_VERTICAL_WORDS_TVD_1
# bug 6149: avoid common .jp false positives
header __SUBJECT_UTF8_B_ENCODED Subject:raw =~ /=\?UTF-?8\?B\?/i
body __TVD_SPACE_RATIO eval:tvd_vertical_words('0','10')
meta TVD_SPACE_RATIO (__TVD_SPACE_RATIO && !__ISO_2022_JP_DELIM && !__SUBJECT_UTF8_B_ENCODED && !__HIGHBITS)
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# 0.767 0.9097 0.0000 1.000 0.84 1.00 MULTIPART_ALT_NON_TEXT
body MULTIPART_ALT_NON_TEXT eval:check_ma_non_text()
body CHARSET_FARAWAY eval:check_for_faraway_charset()
describe CHARSET_FARAWAY Character set indicates a foreign language
tflags CHARSET_FARAWAY userconf
# these tests doesn't actually use rawbody since rawbody isn't raw enough;
# they must be written very carefully to avoid modifying the original content
# MIME Content-Transfer-Encoding control rules
rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64 Includes a base64 attachment
rawbody __MIME_QP eval:check_for_mime('mime_qp_count')
describe __MIME_QP Includes a quoted-printable attachment
# No longer used in MIMEEval
#rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
#describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding
rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT Message text disguised using base64 encoding
body MISSING_MIME_HB_SEP eval:check_msg_parse_flags('missing_mime_head_body_separator')
describe MISSING_MIME_HB_SEP Missing blank line between MIME header and body
body MIME_HTML_MOSTLY eval:check_mime_multipart_ratio('0.00','0.01')
describe MIME_HTML_MOSTLY Multipart message mostly text/html MIME
# Steve Linford via Charlie Watts: good test!
body MIME_HTML_ONLY eval:check_for_mime_html_only()
describe MIME_HTML_ONLY Message only has text/html MIME parts
rawbody MIME_QP_LONG_LINE eval:check_for_mime('mime_qp_long_line')
describe MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars
rawbody __MIME_CHARSET_FARAWAY eval:check_for_mime('mime_faraway_charset')
body MIME_BAD_ISO_CHARSET eval:check_for_mime('mime_bad_iso_charset')
describe MIME_BAD_ISO_CHARSET MIME character set is an unknown ISO charset
body MIMEPART_LIMIT_EXCEEDED eval:check_for_mime('mimepart_limit_exceeded')
describe MIMEPART_LIMIT_EXCEEDED Message has too many MIME parts
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::URIEval
body HTTPS_IP_MISMATCH eval:check_https_ip_mismatch()
describe HTTPS_IP_MISMATCH IP to HTTPS link found in HTML
body URI_TRUNCATED eval:check_uri_truncated()
describe URI_TRUNCATED Message contained a URI which was truncated
endif

47
sa-updates/20_compensate.cf Normal file
View File

@ -0,0 +1,47 @@
# SpamAssassin rules file: compensation for common false positives
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Header compensation tests
require_version 3.004005
header __HAS_RCVD exists:Received
meta NO_RECEIVED (!__HAS_RCVD)
tflags NO_RECEIVED nice userconf
describe NO_RECEIVED Informational: message has no Received headers
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::RelayEval
# The message was never sent via an untrustworthy host.
header ALL_TRUSTED eval:check_all_trusted()
describe ALL_TRUSTED Passed through trusted hosts only via SMTP
tflags ALL_TRUSTED nice userconf
header NO_RELAYS eval:check_no_relays()
tflags NO_RELAYS nice userconf
describe NO_RELAYS Informational: message was not relayed via SMTP
endif

248
sa-updates/20_dnsbl_tests.cf Normal file
View File

@ -0,0 +1,248 @@
# SpamAssassin rules file: DNS blacklist and whitelist tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::DNSEval
# See the Mail::SpamAssassin::Conf manual page for details of how to use
# check_rbl().
# ---------------------------------------------------------------------------
# Multizone / Multi meaning BLs first.
#
# Note that currently TXT queries cannot be used for these, since the
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
# ---------------------------------------------------------------------------
# SORBS
# transfers: both axfr and ixfr available
# URL: http://www.dnsbl.sorbs.net/
# pay-to-use: no
# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request
header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS net
reuse __RCVD_IN_SORBS
header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
tflags RCVD_IN_SORBS_HTTP net
reuse RCVD_IN_SORBS_HTTP
header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3')
describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
tflags RCVD_IN_SORBS_SOCKS net
reuse RCVD_IN_SORBS_SOCKS
header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4')
describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
tflags RCVD_IN_SORBS_MISC net
reuse RCVD_IN_SORBS_MISC
header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5')
describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
tflags RCVD_IN_SORBS_SMTP net
reuse RCVD_IN_SORBS_SMTP
# delist: $50 fee
#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
#tflags RCVD_IN_SORBS_SPAM net
#reuse RCVD_IN_SORBS_SPAM RCVD_IN_SORBS_SPAM
header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7')
describe RCVD_IN_SORBS_WEB SORBS: sender is an abusable web server
tflags RCVD_IN_SORBS_WEB net
reuse RCVD_IN_SORBS_WEB
header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8')
describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
tflags RCVD_IN_SORBS_BLOCK net
reuse RCVD_IN_SORBS_BLOCK
header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
tflags RCVD_IN_SORBS_ZOMBIE net
reuse RCVD_IN_SORBS_ZOMBIE
header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
tflags RCVD_IN_SORBS_DUL net
reuse RCVD_IN_SORBS_DUL
# ---------------------------------------------------------------------------
# Spamhaus ZEN includes SBL+CSS+XBL+PBL
# https://www.spamhaus.org/faq/section/DNSBL%20Usage#200
#
# Spamhaus XBL contains the Abuseat CBL data (cbl.abuseat.org)
header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
describe __RCVD_IN_ZEN Received via a relay in Spamhaus Zen
tflags __RCVD_IN_ZEN net
reuse __RCVD_IN_ZEN
# SBL is the Spamhaus Block List: https://www.spamhaus.org/sbl/
header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.2')
describe RCVD_IN_SBL Received via a relay in Spamhaus SBL
tflags RCVD_IN_SBL net
reuse RCVD_IN_SBL
# XBL is the Exploits Block List: https://www.spamhaus.org/xbl/
header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')
describe RCVD_IN_XBL Received via a relay in Spamhaus XBL
tflags RCVD_IN_XBL net
reuse RCVD_IN_XBL
# PBL is the Policy Block List: https://www.spamhaus.org/pbl/
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')
describe RCVD_IN_PBL Received via a relay in Spamhaus PBL
tflags RCVD_IN_PBL net
reuse RCVD_IN_PBL
# CSS is the Spamhaus CSS Component of the SBL List: https://www.spamhaus.org/css/
header RCVD_IN_SBL_CSS eval:check_rbl_sub('zen', '127.0.0.3')
describe RCVD_IN_SBL_CSS Received via a relay in Spamhaus SBL-CSS
tflags RCVD_IN_SBL_CSS net
reuse RCVD_IN_SBL_CSS
# New blocked checks 10/2019
header RCVD_IN_ZEN_BLOCKED_OPENDNS eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.254$')
describe RCVD_IN_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
tflags RCVD_IN_ZEN_BLOCKED_OPENDNS net
reuse RCVD_IN_ZEN_BLOCKED_OPENDNS
# New blocked checks 10/2019
header RCVD_IN_ZEN_BLOCKED eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.255\.255\.255$')
describe RCVD_IN_ZEN_BLOCKED ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
tflags RCVD_IN_ZEN_BLOCKED net
reuse RCVD_IN_ZEN_BLOCKED
if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule RCVD_IN_ZEN_BLOCKED_OPENDNS zen.spamhaus.org
dns_block_rule RCVD_IN_ZEN_BLOCKED zen.spamhaus.org
endif
# Now, single zone BLs follow:
# ---------------------------------------------------------------------------
# NOTE: donation tests, see README file for details
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET net
reuse RCVD_IN_BL_SPAMCOP_NET
# ---------------------------------------------------------------------------
# NOTE: commercial tests, see README file for details
header RCVD_IN_MAPS_RBL eval:check_rbl('rblplus', 'activationcode.r.mail-abuse.com.', '1')
describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html
tflags RCVD_IN_MAPS_RBL net
reuse RCVD_IN_MAPS_RBL
header RCVD_IN_MAPS_DUL eval:check_rbl('rblplus-lastexternal', 'activationcode.r.mail-abuse.com.', '2')
describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html
tflags RCVD_IN_MAPS_DUL net
reuse RCVD_IN_MAPS_DUL
header RCVD_IN_MAPS_RSS eval:check_rbl_sub('rblplus', '4')
describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html
tflags RCVD_IN_MAPS_RSS net
reuse RCVD_IN_MAPS_RSS
header RCVD_IN_MAPS_OPS eval:check_rbl_sub('rblplus', '8')
describe RCVD_IN_MAPS_OPS Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html
tflags RCVD_IN_MAPS_OPS net
reuse RCVD_IN_MAPS_OPS
# The NML isn't part of the RBL+ and I find any documentation for it - is it dead?
header RCVD_IN_MAPS_NML eval:check_rbl('nml', 'nonconfirm.mail-abuse.com.')
describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html
tflags RCVD_IN_MAPS_NML net
reuse RCVD_IN_MAPS_NML
# ---------------------------------------------------------------------------
# Section for DNS WL related lookups below.
# IADB support ...
header __RCVD_IN_IADB eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.')
tflags __RCVD_IN_IADB net nice
reuse __RCVD_IN_IADB
header RCVD_IN_IADB_VOUCHED eval:check_rbl_sub('iadb-firsttrusted', '127.0.1.255')
describe RCVD_IN_IADB_VOUCHED ISIPP IADB lists as vouched-for sender
tflags RCVD_IN_IADB_VOUCHED net nice
reuse RCVD_IN_IADB_VOUCHED
# ---------------------------------------------------------------------------
# Return Path Certified:
# https://www.returnpath.net/internetserviceprovider/certification/
# (replaces RCVD_IN_BSP_TRUSTED, RCVD_IN_BSP_OTHER, RCVD_IN_SSC_TRUSTED_COI)
header RCVD_IN_RP_CERTIFIED eval:check_rbl_txt('ssc-firsttrusted', 'sa-trusted.bondedsender.org.')
describe RCVD_IN_RP_CERTIFIED Sender in ReturnPath Certified - Contact cert-sa@returnpath.net
tflags RCVD_IN_RP_CERTIFIED net nice
reuse RCVD_IN_RP_CERTIFIED
# Return Path Safe:
# https://www.returnpath.net/internetserviceprovider/certification/
# (replaces HABEAS_ACCREDITED_COI, HABEAS_ACCREDITED_SOI, HABEAS_CHECKED)
header RCVD_IN_RP_SAFE eval:check_rbl_txt('ssc-firsttrusted','sa-accredit.habeas.com.')
describe RCVD_IN_RP_SAFE Sender in ReturnPath Safe - Contact safe-sa@returnpath.net
tflags RCVD_IN_RP_SAFE net nice
reuse RCVD_IN_RP_SAFE
# Return Path Reputation Network Blacklist (RNBL):
# https://senderscore.org/blacklistlookup/
header RCVD_IN_RP_RNBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.')
describe RCVD_IN_RP_RNBL Relay in RNBL, https://senderscore.org/blacklistlookup/
tflags RCVD_IN_RP_RNBL net
reuse RCVD_IN_RP_RNBL
endif
#These are old and useless - The zones are no longer supported by SpamHaus 2018-12-12
#ifplugin Mail::SpamAssassin::Plugin::AskDNS
#
#askdns DKIMDOMAIN_IN_DWL _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT /^([a-z]+ )*(transaction|list|all)( [a-z]+)*$/
#tflags DKIMDOMAIN_IN_DWL net nice
#describe DKIMDOMAIN_IN_DWL Signing domain listed in Spamhaus DWL
#reuse DKIMDOMAIN_IN_DWL
#
#askdns __DKIMDOMAIN_IN_DWL_ANY _DKIMDOMAIN_._vouch.dwl.spamhaus.org TXT
#tflags __DKIMDOMAIN_IN_DWL_ANY net nice
#describe __DKIMDOMAIN_IN_DWL_ANY Any TXT response received from a Spamhaus DWL
#reuse __DKIMDOMAIN_IN_DWL_ANY
#
#meta DKIMDOMAIN_IN_DWL_UNKNOWN __DKIMDOMAIN_IN_DWL_ANY && !DKIMDOMAIN_IN_DWL
#tflags DKIMDOMAIN_IN_DWL_UNKNOWN net nice
#describe DKIMDOMAIN_IN_DWL_UNKNOWN Unrecognized response from Spamhaus DWL
#
#endif

277
sa-updates/20_drugs.cf Normal file
View File

@ -0,0 +1,277 @@
# SpamAssassin rules file: drug tests
#
# This ruleset is intended to detect common "pill spam" however, it is not
# appropriate for all environments. It may not be appropriate for a medical or
# pharmaceutical environment. If in doubt, adjust the scores of all the rules
# to 0.01 and see if they fire off on your daily nonspam.
#
# Please don't modify this file as your changes will be overwritten with the
# next update. Use /etc/mail/spamassassin/local.cf instead. See 'perldoc
# Mail::SpamAssassin::Conf' for details.
#
# Note: body tests are run with long lines, so be sure to limit the size of
# searches; use /.{0,30}/ instead of /.*/ to avoid huge search times.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
###########################################################################
# header rules
# (only use sufficiently long drug name to make name unique)
header SUBJECT_DRUG_GAP_C Subject =~ /\bc(?!ialis(?:t|\xc3\xa9|\xe9))[\sc]{0,2}i[\si]{0,2}a[\sa]{0,2}l[\sl]{0,2}i[\si]{0,2}s{1,3}\b/i
describe SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis'
header SUBJECT_DRUG_GAP_L Subject =~ /l.{0,2}e.{0,2}v.{0,2}i.{0,2}t.{0,2}r.{0,2}a/i
describe SUBJECT_DRUG_GAP_L Subject contains a gappy version of 'levitra'
header SUBJECT_DRUG_GAP_S Subject =~ /\bs.{0,1}o.{0,1}m.{0,1}a\b/i
describe SUBJECT_DRUG_GAP_S Subject contains a gappy version of 'soma'
# Bug 5396 - Hits visa and random finnish words
#header SUBJECT_DRUG_GAP_VA Subject =~ /v.{0,2}a.{0,2}l.{0,2}i.{0,2}u.{0,2}m/i
#describe SUBJECT_DRUG_GAP_VA Subject contains a gappy version of 'valium'
header SUBJECT_DRUG_GAP_X Subject =~ /x.{0,2}a.{0,2}n.{0,2}a.{0,2}x/i
describe SUBJECT_DRUG_GAP_X Subject contains a gappy version of 'xanax'
###########################################################################
# body rules
body DRUG_DOSAGE m{[\d\.]+ *\$? *(?:[\\/]|per) *d.?o.?s.?e}i
describe DRUG_DOSAGE Talks about price per dose
# jm: keep this case-sensitive, otherwise it FP's
body DRUG_ED_CAPS /\b(?:CIALIS|LEVITRA|VIAGRA)/
describe DRUG_ED_CAPS Mentions an E.D. drug
body DRUG_ED_SILD /\bsildenafil\b/i
describe DRUG_ED_SILD Talks about an E.D. drug using its chemical name
body DRUG_ED_GENERIC /\bGeneric Viagra\b/
describe DRUG_ED_GENERIC Mentions Generic Viagra
body DRUG_ED_ONLINE /\bviagra .{0,25}(?:express|online|overnight)/i
describe DRUG_ED_ONLINE Fast Viagra Delivery
body ONLINE_PHARMACY /\bonline pharmacy|\b(?:drugs|medications) online/i
describe ONLINE_PHARMACY Online Pharmacy
# Updated bug 6448
body NO_PRESCRIPTION /N[o0].{1,10}P(?:er|re)scr[i1]pt[i1][o0]n.{1,10}(?:n[e3][e3]d[e3]d|requ[1i]re|n[e3]c[e3]ssary)/i
describe NO_PRESCRIPTION No prescription needed
# too easy
body VIA_GAP_GRA /\bvia.gra\b/i
describe VIA_GAP_GRA Attempts to disguise the word 'viagra'
########################################################################
# male sexual dysfunction drugs
#
# This section is undergoing improvements and I'm trying to track down a
# FP case that seems to mostly affect technical emails.
# However, all of the test cases so far fail to match when retested.
# note: The regex /v.i.a.g.r.a/ was intentionally not used
# due to potential false positive cases with PGP signatures
# and other base-64ish stuff.
# instead other patterns are used catch non alphanumeric gapping patterns
# note: \W = "non word character"
# Note: many of the drugs named in here are brand-names and are trademarked.
# All trademarks are property of the respective owners.
#current best char substitutions
# i - [i1!|l\xEC-\xEF]
# a - [a4\xE0-\xE6@]
# e - [e3\xE8-\xEB]
# o - [o0\xF2-\xF6]
# u - [u\xB5\xF9-\xFC]
# v - (?:\\\/|V)
# l - [l!|1]
#
# Also see 25_replace.cf
#
# If you're adding accented-character exclusions, include the HTML entity tags
# as well to cover the case where they appear in plain-text body parts.
#
#plain Viagra and Cialis (used in obfu detection)
body __DRUGS_ERECTILE_V /\bViagra\b/i
body __DRUGS_ERECTILE_C /\bCialis(?!\xc3\xa9|\xe9)\b/i
body __DRUGS_ERECTILE_L /\bLevitra\b/i
# obfu/plain and mis-spelled Viagra variants
body __DRUGS_ERECTILE1 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[ij1!|l\xEC\xED\xEE\xEF][_\W]{0,3}[a40\xE0-\xE6@][_\W]{0,3}[xyz]?[gj][_\W]{0,3}r[_\W]{0,3}[a40\xE0-\xE6@][_\W]{0,3}x?[_\W]{0,3}(?:\b|\s)/i
body __DRUGS_ERECTILE2 /\bV(?:agira|igara|iaggra|iaegra)\b/i
# cialis variants (spelling correct now)
# note: the rather strange pre-amble is to avoid FPs on french words containing high-ascii chars surrounding
# "cialis".
# try to avoid FPs on "specialist" and FR "spécialisé"
body __DRUGS_ERECTILE3 /(?:\A|[\s\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])[_\W]{0,3}(?!cialis(?:t|\xc3\xa9|\xe9|\&\#xe9\;|\&eacute\;)|c i a l i s (?:t|\xc3\xa9|\xe9|\&\#xe9\;|\&eacute\;))C[_\W]{0,3}[ij1!|l\xEC\xED\xEE\xEF][_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}l?[l!|1][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}s[_\W]{0,3}(?:\b|\s)/i
body __DRUGS_ERECTILE4 /\bC(?:alis|ilias|ilais)\b/i
# generic names
#sildenafil citrate
body __DRUGS_ERECTILE5 /\b_{0,3}s[_\W]?[i1!|l\xEC-\xEF][_\W]?l[_\W]?d[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?f[_\W]?[i1!|l\xEC-\xEF][_\W]?l c[_\W]?[i1!|l\xEC-\xEF][_\W]?t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?t[_\W]?[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i
#Levitra
body __DRUGS_ERECTILE6 /\b_{0,3}L[_\W]?[e3\xE8-\xEB][_\W]?(?:\\\/|V)[_\W]?[i1!|l\xEC-\xEF][_\W]?t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?(?:\b|\s)/i
#tadalafil
body __DRUGS_ERECTILE8 /\b_{0,3}T[_\W]?[a4\xE0-\xE6@][_\W]?d[_\W]?[a4\xE0-\xE6@][_\W]?l[_\W]?[a4\xE0-\xE6@][_\W]?f[_\W]?[i1!|l\xEC-\xEF][_\W]?l_{0,3}\b/i
# gapped/obfu viagra variants using funky html-style character codes
rawbody __DRUGS_ERECTILE10 /\b_{0,3}V[_\W]?(?:i|\&iuml\;)[_\W]?(?:a|\&agrave|\&aring)\;?[_\W]?g[_\W]?r[_\W]?(?:a|\&agrave|\&aring)\b/i
#apcalis - a generic of cialis
body __DRUGS_ERECTILE11 /(?:\b|\s)_{0,3}[a4\xE0-\xE6@][_\W]{0,3}p[_\W]{0,3}c[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l!|1][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}s_{0,3}\b/i
meta DRUGS_ERECTILE (__DRUGS_ERECTILE1 || __DRUGS_ERECTILE2 || __DRUGS_ERECTILE3 || __DRUGS_ERECTILE4 || __DRUGS_ERECTILE5 || __DRUGS_ERECTILE6 || __DRUGS_ERECTILE8 || __DRUGS_ERECTILE10 || __DRUGS_ERECTILE11 )
describe DRUGS_ERECTILE Refers to an erectile drug
meta DRUGS_ERECTILE_OBFU ( (__DRUGS_ERECTILE1 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE3 && !__DRUGS_ERECTILE_C) ||__DRUGS_ERECTILE2 || (__DRUGS_ERECTILE10 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE6 &&!__DRUGS_ERECTILE_L))
describe DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
#diet
body __DRUGS_DIET_PHEN /\bphentermine\b/i
#phentermine
body __DRUGS_DIET1 /(?:\b|\s)[_\W]{0,3}p[_\W]{0,3}h[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}n[_\W]{0,3}t[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}r[_\W]{0,3}m[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}n[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}(?:\b|\s)/i
#ionamin
body __DRUGS_DIET2 /(?:\b|\s)_{0,3}[i1!|l\xEC-\xEF][_\W]?o[_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?m[_\W]?[i1!|l\xEC-\xEF][_\W]?n_{0,3}\b/i
#bontril
body __DRUGS_DIET3 /\bbontril\b/i
#phendimetrazine
body __DRUGS_DIET4 /\bphendimetrazine\b/i
#diethylpropion, generic of Tenuate, uncommon in spam
body __DRUGS_DIET5 /\bdiethylpropion\b/i
#Meridia
body __DRUGS_DIET6 /(?:\b|\s)[_\W]{0,3}M[_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}r[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}d[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}(?:\b|\s)/i
#tenuate
body __DRUGS_DIET7 /\b_{0,3}t[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?u[_\W]?a[_\W]?t[_\W]?[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i
#didrex
body __DRUGS_DIET8 /\b_{0,3}d[_\W]?[i1!|l\xEC-\xEF][_\W]?d[_\W]?r[_\W][e3\xE8-\xEB[_\W]?xx?_{0,3}\b/i
#adipex
body __DRUGS_DIET9 /\b_{0,3}a[_\W]?d[_\W]?[i1!|l\xEC-\xEF][_\W]?p[_\W]?[e3\xE8-\xEB][_\W]?x_{0,3}\b/i
#xenical
body __DRUGS_DIET10 /\b_{0,3}x?x[_\W]?[e3\xE8-\xEB][_\W]?n[_\W]?[i1!|l\xEC-\xEF][_\W]?c[_\W]?[a4\xE0-\xE6@][_\W]?l_{0,3}\b/i
meta DRUGS_DIET (__DRUGS_DIET1 || __DRUGS_DIET2 || __DRUGS_DIET3 || __DRUGS_DIET4 ||__DRUGS_DIET5 ||__DRUGS_DIET6 ||__DRUGS_DIET7 ||__DRUGS_DIET8 || __DRUGS_DIET9 || __DRUGS_DIET10 )
describe DRUGS_DIET Refers to a diet drug
meta DRUGS_DIET_OBFU (__DRUGS_DIET1 && !__DRUGS_DIET_PHEN)
describe DRUGS_DIET_OBFU Obfuscated reference to a diet drug
# pain relief drugs
body __DRUGS_PAIN_VICO /vicodin/i
body __DRUGS_PAIN_VIOXX /vioxx/i
body __DRUGS_PAIN_FIO /fioricet/i
body __DRUGS_PAIN1 /\b_{0,3}h[_\W]?y[_\W]?d[_\W]?r[_\W]?[o0\xF2-\xF6][_\W]?c[_\W]?[o0\xF2-\xF6][_\W]?d[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?e_{0,3}\b/i
body __DRUGS_PAIN2 /\b_{0,3}c[o0\xF2-\xF6]deine_{0,3}\b/i
#ultram
body __DRUGS_PAIN3 /(?:\b|\s)[_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}l[_\W]{0,3}t[_\W]{0,3}r[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}m_{0,3}\b/i
#vicodin
body __DRUGS_PAIN4 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}c[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}d[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}ns?[_\W]{0,3}(?:\b|\s)/i
#tramadol
body __DRUGS_PAIN5 /\b_{0,3}t[_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?m[_\W]?[a4\xE0-\xE6@][_\W]?d[_\W]?[o0\xF2-\xF6][_\W]?[l!|1]_{0,3}\b/i
# ultracet, uncommon in spam.
body __DRUGS_PAIN6 /\b_{0,3}u[_\W]?l[_\W]?t[_\W]?r[_\W]?a[_\W]?c[_\W]?e[_\W]?t_{0,3}\b/i
#fioricet
body __DRUGS_PAIN7 /\b_{0,3}f[_\W]?[i1!|l\xEC-\xEF][_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[i1!|l\xEC-\xEF][_\W]?c[_\W]?[e3\xE8-\xEB][_\W]?[t7]_{0,3}\b/i
#celebrex
body __DRUGS_PAIN8 /\b_{0,3}c[_\W]?[e3\xE8-\xEB][_\W]?l[_\W]?[e3\xE8-\xEB][_\W]?b[_\W]?r[_\W]?[e3\xE8-\xEB][_\W]?x_{0,3}\b/i
#imitrex
body __DRUGS_PAIN9 /(?:\b|\s)_{0,3}[i1!|l\xEC-\xEF]m[i1!|l\xEC-\xEF]tr[e3\xE8-\xEB]x_{0,3}\b/i
#vioxx
body __DRUGS_PAIN10 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}x[_\W]{0,3}xx?_{0,3}\b/i
#zebutal, uncommon in spam.
body __DRUGS_PAIN11 /\bzebutal\b/i
#esgic plus, uncommon in spam.
body __DRUGS_PAIN12 /\besgic plus\b/i
#Darvon - a prescription narcotic
body __DRUGS_PAIN13 /\bD[_\W]?[a4\xE0-\xE6@][_\W]?r[_\W]?v[_\W]?[o0\xF2-\xF6][_\W]?n\b/i
body __DRUGS_PAIN14 /N[o0\xF2-\xF6]rc[o0\xF2-\xF6]/i
meta __DRUGS_PAIN (__DRUGS_PAIN1 || __DRUGS_PAIN2 || __DRUGS_PAIN3 || __DRUGS_PAIN4 ||__DRUGS_PAIN5 ||__DRUGS_PAIN6 ||__DRUGS_PAIN7 ||__DRUGS_PAIN8 || __DRUGS_PAIN9 || __DRUGS_PAIN10|| __DRUGS_PAIN11 || __DRUGS_PAIN12 || __DRUGS_PAIN13 ||__DRUGS_PAIN14)
#sleep aids
#ativan and lorazepam already under anxiety
#Ambien, brand of zolpidem tartrate
body __DRUGS_SLEEP1 /(?:\b|\s)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}m[_\W]{0,3}b[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}n[_\W]{0,3}(?:\b|\s)/i
#sonata, brand of zaleplon
body __DRUGS_SLEEP2 /(?:\b|\s)[_\W]{0,3}S[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}n[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}t[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}(?:\b|\s)/i
#Restoril, brand of temazepam, uncommon in spam
body __DRUGS_SLEEP3 /\b_{0,3}R[_\W]?[e3\xE8-\xEB][_\W]?s[_\W]?t[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?i[_\W]?l_{0,3}\b/i
#Halcion, brand of triazolam
body __DRUGS_SLEEP4 /\b_{0,3}H[_\W]?[a4\xE0-\xE6@][_\W]?l[_\W]?c[_\W]?i[_\W]?[o0\xF2-\xF6][_\W]?n_{0,3}\b/i
meta __DRUGS_SLEEP (__DRUGS_SLEEP1 || __DRUGS_SLEEP2 || __DRUGS_SLEEP3 ||__DRUGS_SLEEP4)
#muscle relaxants
#soma - removed due to Bug 7612
#body __DRUGS_MUSCLE1 /(?:\b|\s)[_\W]{0,3}s[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}m[_\W]{0,3}[a4\xE0-\xE3\xE5\xE6@][_\W]{0,3}(?:\b|\s)/i
#cyclobenzaprine
body __DRUGS_MUSCLE2 /\b_{0,3}cycl[o0\xF2-\xF6]b[e3\xE8-\xEB]nz[a4\xE0-\xE6@]pr[i1!|l\xEC-\xEF]n[e3\xE8-\xEB]_{0,3}(?:\b|\s)/i
#flexeril
body __DRUGS_MUSCLE3 /\b_{0,3}f[_\W]?l[_\W]?[e3\xE8-\xEB][_\W]?x[_\W]?[e3\xE8-\xEB][_\W]?r[_\W]?[i1!|l\xEC-\xEF]_{0,3}[_\W]?l_{0,3}\b/i
#zanaflex
body __DRUGS_MUSCLE4 /\b_{0,3}z[_\W]?a[_\W]?n[_\W]?a[_\W]?f[_\W]?l[_\W]?e[_\W]?x_{0,3}\b/i
#skelaxin
body __DRUGS_MUSCLE5 /\bskelaxin\b/i
meta DRUGS_MUSCLE (__DRUGS_MUSCLE2 || __DRUGS_MUSCLE3 || __DRUGS_MUSCLE4 ||__DRUGS_MUSCLE5 )
describe DRUGS_MUSCLE Refers to a muscle relaxant
#anti-anxiety
#these two rules are used to differentiate between obfu and non-obfu spellings
body __DRUGS_ANXIETY_XAN /xan[ae]x/i
body __DRUGS_ANXIETY_VAL /valium/i
#xanax - note: second a sometimes done as e.
body __DRUGS_ANXIETY1 /(?:\b|\s)[_\W]{0,3}x?x[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}n[_\W]{0,3}[ea4\xE1\xE2\xE3@][_\W]{0,3}xx?_{0,3}\b/i
#alprazolam
body __DRUGS_ANXIETY2 /\bAlprazolam\b/i
#valium
body __DRUGS_ANXIETY3 /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l|][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}m\b/i
#diazepam, generic of valium
body __DRUGS_ANXIETY4 /\b_{0,3}D[_\W]?[i1!|l\xEC-\xEF][_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[ea3\xE9\xEA\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i
#ativan
body __DRUGS_ANXIETY5 /(?:\b|\s)[a4\xE0-\xE6@][_\W]?t[_\W]?[i1!|l\xEC-\xEF][_\W]?v[_\W]?[a4\xE0-\xE6@][_\W]?n_{0,3}\b/i
#lorazepam - generic of ativan, uncommon in spam
body __DRUGS_ANXIETY6 /\b_{0,3}l[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[e3\xE8-\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i
#clonazepam, generic.
body __DRUGS_ANXIETY7 /\b_{0,3}c[_\W]?l[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?e[_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m\b/i
#klonopin, brand of clonazepam, uncommon in spam
body __DRUGS_ANXIETY8 /\bklonopin\b/i
#rivotril, brand of clonazepam, uncommon in spam
body __DRUGS_ANXIETY9 /\brivotril\b/i
meta DRUGS_ANXIETY (__DRUGS_ANXIETY1 || __DRUGS_ANXIETY2 || __DRUGS_ANXIETY3 || __DRUGS_ANXIETY4 ||__DRUGS_ANXIETY5 ||__DRUGS_ANXIETY6 ||__DRUGS_ANXIETY7 ||__DRUGS_ANXIETY8 || __DRUGS_ANXIETY9 )
describe DRUGS_ANXIETY Refers to an anxiety control drug
meta DRUGS_ANXIETY_OBFU ( (__DRUGS_ANXIETY1 &&! __DRUGS_ANXIETY_XAN) || (__DRUGS_ANXIETY3 && !__DRUGS_ANXIETY_VAL))
describe DRUGS_ANXIETY_OBFU Obfuscated reference to an anxiety control drug
body DRUGS_SMEAR1 /(?:Viagra|Valium|Xanax|Soma|Cialis){2}/i
describe DRUGS_SMEAR1 Two or more drugs crammed together into one word
#search for "weird" combinations that are unlikely to
#be prescribed together for a single event, thus unlikely to be
#mentioned in the same email, except an online pharmacy ad.
meta DRUGS_ANXIETY_EREC (DRUGS_ERECTILE && DRUGS_ANXIETY)
describe DRUGS_ANXIETY_EREC Refers to both an erectile and an anxiety drug
meta DRUGS_SLEEP_EREC (DRUGS_ERECTILE && __DRUGS_SLEEP)
describe DRUGS_SLEEP_EREC Refers to both an erectile and a sleep aid drug
# note: some 3 item combos are "normal" ie: a patient might legitimately
# be prescribed depression, anxiety and sleep aid drugs all at once.
# however, I know of no "normal" 4-item combinations.
meta DRUGS_MANYKINDS (DRUGS_ERECTILE + DRUGS_DIET + __DRUGS_PAIN + __DRUGS_SLEEP + DRUGS_MUSCLE + DRUGS_ANXIETY > 3)
describe DRUGS_MANYKINDS Refers to at least four kinds of drugs
########################################################################

213
sa-updates/20_dynrdns.cf Normal file
View File

@ -0,0 +1,213 @@
# SpamAssassin rules file: dynamic-ish rDNS tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# We should write a new ruletype for these, to save typing.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
# ---------------------------------------------------------------------------
# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
# See bug #5856, all references of "trusted" were changed to "external"
# All of the RDNS_DYNAMIC rules require that the last external relay
# did not use SMTP authentication. These rules should not be firing on
# friendlies!
header __LAST_UNTRUSTED_RELAY_NO_AUTH X-Spam-Relays-Untrusted =~ /^[^\]]+ auth= /
header __LAST_EXTERNAL_RELAY_NO_AUTH X-Spam-Relays-External =~ /^[^\]]+ auth= /
# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# c-66-176-16-108.se.client2.attbi.com [66.176.16.108]
# c-67-168-174-61.client.comcast.net [67.168.174.61]
# NNN-NNN-NNN-NNN.fibertel.com.ar
# NN.NN.NNN.NNN.ap.yournet.ne.jp
# NN.NNN.NN-NN.rev.gaoland.net
# vaise-1-82-67-44-166.fbx.proxad.net [82.67.44.166]
# lns-vlq-11-62-147-186-141.adsl.proxad.net [62.147.186.141]
# dsl-200-95-109-107.prod-infinitum.com.mx [200.95.109.107]
# port-212-202-77-203.reverse.qsc.de [212.202.77.203]
# pool-151-203-32-68.bos.east.verizon.net [151.203.32.68]
# c-67-164-133-216.client.comcast.net [67.164.133.216]
# 200-171-228-6.customer.telesp.net.br [200.171.228.6]
# modemcable090.28-201-24.mc.videotron.ca [24.201.28.90]
# 80-218-47-160.dclient.hispeed.ch [80.218.47.160]
# cdm-68-226-239-16.laft.cox-internet.com [68.226.239.16]
# d53-64-35-171.nap.wideopenwest.com [64.53.171.35]
# 74.67-201-80.adsl.skynet.be [80.201.67.74]
# 12-218-225-223.client.mchsi.com [12.218.225.223]
# pptp-81-30-186-139.ufanet.ru [81.30.186.139]
# (require an alpha first, as legit HELO'ing-as-IP-address is hit otherwise)
header __RDNS_DYNAMIC_IPADDR X-Spam-Relays-External =~ /^[^\]]+ rdns=(?![^\s\]]+[-.]static[-.])\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+\S*\.\S+\.\S/i
describe __RDNS_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# catv-506237d8.miskcatv.broadband.hu [80.98.55.216]
# node-c-8b22.a2000.nl
# cm89.omega139.maxonline.com.sg
# cm114.gamma208.maxonline.com.sg
header __RDNS_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d/i
describe __RDNS_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
# fia83-8.dsl.hccnet.nl [62.251.8.83]
# fia160-115-100.dsl.hccnet.nl [80.100.115.160]
header __RDNS_DYNAMIC_HCC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i
describe __RDNS_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)
# h0002a5d76857.ne.client2.attbi.com [65.96.12.59]
header __RDNS_DYNAMIC_ATTBI X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\d+\S+\.client2\.attbi\.com/i
describe __RDNS_DYNAMIC_ATTBI Relay HELO'd using suspicious hostname (ATTBI.com)
# CPE0004e2372711-CM000a73666706.cpe.net.cable.rogers.com
# CPE00e0184f0eba-CM014490118324.cpe.net.cable.rogers.com [24.43.109.140]
header __RDNS_DYNAMIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ rdns=CPE\d+\S+\.rogers\.com/i
describe __RDNS_DYNAMIC_ROGERS Relay HELO'd using suspicious hostname (Rogers)
# ca-morpark-cuda1-zone7-b-159.vnnyca.adelphia.net[67.23.129.159]
# tn-greenvillecuda1cable7a-36.atlaga.adelphia.net [68.171.113.36]
# ky-richmond2a-123.rhmdky.adelphia.net [68.71.36.123]
# ny-lackawannacadent4-chtwga3a-b-117.buf.adelphia.net [68.71.205.117]
# fl-edel-u2-c3c-233.pbc.adelphia.net [68.64.89.233]
header __RDNS_DYNAMIC_ADELPHIA X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]{2}-\S+-\d{1,3}\.[a-z]{3,8}\.adelphia\.net/i
describe __RDNS_DYNAMIC_ADELPHIA Relay HELO'd using suspicious hostname (Adelphia)
# pD9E4F89F.dip.t-dialin.net [217.228.248.159]
header __RDNS_DYNAMIC_DIALIN X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z][A-F0-9]+\.dip\./
describe __RDNS_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin)
# 0xd5aaf40b.dhcp.kabelnettet.dk
# 0x50a46949.virnxx11.adsl-dhcp.tele.dk
header __RDNS_DYNAMIC_HEXIP X-Spam-Relays-External =~ /^[^\]]+ rdns=0x[a-f0-9]{8}\./
describe __RDNS_DYNAMIC_HEXIP Relay HELO'd using suspicious hostname (Hex IP)
# 118.Red-80-35-201.pooles.rima-tde.net
header __RDNS_DYNAMIC_SPLIT_IP X-Spam-Relays-External =~ /^[^\]]+ rdns=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/
describe __RDNS_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
# YahooBB219173000034.bbtec.net [219.173.0.34]
header __RDNS_DYNAMIC_YAHOOBB X-Spam-Relays-External =~ /^[^\]]+ rdns=YahooBB/i
describe __RDNS_DYNAMIC_YAHOOBB Relay HELO'd using suspicious hostname (YahooBB)
# ool-18be1aaf.dyn.optonline.net [24.190.26.175]
header __RDNS_DYNAMIC_OOL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.dyn\.optonline\.net/
describe __RDNS_DYNAMIC_OOL Relay HELO'd using suspicious hostname (OptOnline)
# wiley-170-10231.roadrunner.nf.net [205.251.210.249]
header __RDNS_DYNAMIC_RR2 X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]+-\d{1,3}-\d{1,5}\.roadrunner/i
describe __RDNS_DYNAMIC_RR2 Relay HELO'd using suspicious hostname (RR 2)
# pcp04024417pcs.toresd01.pa.comcast.net [68.86.206.126]
# bgp542174bgs.ewndsr01.nj.comcast.net[68.38.144.91]
# Computer-udp135632uds.union01.nj.comcast.net [68.39.99.32]
header __RDNS_DYNAMIC_COMCAST X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z-]+\d+[a-z]{3}\.[a-z0-9]+\...\.comcast/i
describe __RDNS_DYNAMIC_COMCAST Relay HELO'd using suspicious hostname (Comcast)
# h234n2fls32o895.telia.com [217.208.73.234]
# h53n2fls32o828.telia.com
# h116n2fls32o1111.telia.com
# h29n1fls306o1003.telia.com
header __RDNS_DYNAMIC_TELIA X-Spam-Relays-External =~ /^[^\]]+ rdns=h\d+n\d+fls\S+\.telia\.com/i
describe __RDNS_DYNAMIC_TELIA Relay HELO'd using suspicious hostname (Telia)
# CM-vina5-168-207.cm.vtr.net [200.104.168.207]
# CM-anto1-98-153.cm.vtr.net [200.104.98.153]
header __RDNS_DYNAMIC_VTR X-Spam-Relays-External =~ /^[^\]]+ rdns=cm-[a-z]+\d+-\d+-\d+\.cm\.vtr/i
describe __RDNS_DYNAMIC_VTR Relay HELO'd using suspicious hostname (VTR)
# ec9z5l.cm.chello.no
header __RDNS_DYNAMIC_CHELLO_NO X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.cm\.chello\.no/i
describe __RDNS_DYNAMIC_CHELLO_NO Relay HELO'd using suspicious hostname (Chello.no)
# g225174.upc-g.chello.nl
# a151145.upc-a.chello.nl
# a96134.upc-a.chello.nl
header __RDNS_DYNAMIC_CHELLO_NL X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]\d+\.upc-[a-z]\.chello\.nl/i
describe __RDNS_DYNAMIC_CHELLO_NL Relay HELO'd using suspicious hostname (Chello.nl)
# MG001182.user.veloxzone.com.br
# ba199058073.user.veloxzone.com.br
header __RDNS_DYNAMIC_VELOX X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z]{2}\d+\.user\.veloxzone\./i
describe __RDNS_DYNAMIC_VELOX Relay HELO'd using suspicious hostname (Veloxzone)
# public4-seve6-5-cust173.lond.broadband.ntl.com
# spr1-bolt5-5-0-cust9.manc.broadband.ntl.com
# spc1-lewi4-6-0-cust190.lond.broadband.ntl.com
header __RDNS_DYNAMIC_NTL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\d+-\d+-cust\d+\.[a-z]{4,6}\.broadband\.ntl\.com/i
describe __RDNS_DYNAMIC_NTL Relay HELO'd using suspicious hostname (NTL)
# (I'm quite sure these may be a good spamsign in future)
# nwblwi-nrp3-l10-a671.nwblwi.tds.net
header __RDNS_DYNAMIC_TDS X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+-[a-z]\d+\.[a-z]{6}\.tds\.net/i
header __RDNS_DYNAMIC_VIRTUA X-Spam-Relays-External =~ /^[^\]]+ rdns=\d+\.cps\./i
# sp1-c700-131.spacelan.ne.jp
header __RDNS_DYNAMIC_SPACELAN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+-[a-z]\d+-\d+\./i
# rDNS host-type indicators, as per
# https://tools.ietf.org/id/draft-msullivan-dnsop-generic-naming-schemes-00.txt
header __RDNS_INDICATOR_DYN X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.]dyn(?:amic)?[\-\.]/i
# surprisingly large ham hitrate
header __RDNS_INDICATOR_TYPE X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:dial|modem|isdn|dov|\S?dsl|cable|wireless)[\-\.]/i
# this hits a little ham, not too much though
header __RDNS_INDICATOR_RES X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:res|resnet|client)[\-\.]/i
# these are non-standard, but common in the field; 100% spam correlation!
# (I think that's a fluke)
header __RDNS_INDICATOR_TYPE2 X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.](?:docsis|dhcp|cpe|catv)[\-\.]/i
# dsl.dynamic8510023760.ttnet.net.tr
header __RDNS_DYNAMIC_TTNET X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+[\-\.]dyn(?:amic)?\d/i
# c221106.ppp.asahi-net.or.jp
# i253064.ppp.asahi-net.or.jp
# u035201.ppp.asahi-net.or.jp
# w158034.ppp.asahi-net.or.jp
header __RDNS_DYNAMIC_ASAHI X-Spam-Relays-External =~ /^[^\]]+ rdns=[a-z][0-9]+\.ppp\.asahi-net\.or\.jp/i
# exceptions (bug 5397):
# exceptions: 66-220-155-151.mail-mail.facebook.com
# exceptions: o167-89-97-77.outbound-mail.sendgrid.net (bug 7592)
header __RDNS_STATIC X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:fix|static|fixip|dedicated|mail\-mail|outbound-mail)/i
# bug 5586:
header __CGATE_RCVD Received =~ /by \S+ \(CommuniGate Pro/
# bug 5926:
header __DOMINO_RCVD Received =~ /by \S+ \(Lotus Domino /
header __RDNS_NONE X-Spam-Relays-External =~ /^[^\]]+ rdns= /
###########################################################################
meta RDNS_DYNAMIC (__LAST_EXTERNAL_RELAY_NO_AUTH && !__RDNS_STATIC && (__RDNS_DYNAMIC_IPADDR || __RDNS_DYNAMIC_DHCP || __RDNS_DYNAMIC_HCC || __RDNS_DYNAMIC_ATTBI || __RDNS_DYNAMIC_ROGERS || __RDNS_DYNAMIC_ADELPHIA || __RDNS_DYNAMIC_DIALIN || __RDNS_DYNAMIC_HEXIP || __RDNS_DYNAMIC_SPLIT_IP || __RDNS_DYNAMIC_YAHOOBB || __RDNS_DYNAMIC_OOL || __RDNS_DYNAMIC_RR2 || __RDNS_DYNAMIC_COMCAST || __RDNS_DYNAMIC_TELIA || __RDNS_DYNAMIC_VTR || __RDNS_DYNAMIC_CHELLO_NO || __RDNS_DYNAMIC_CHELLO_NL || __RDNS_DYNAMIC_VELOX || __RDNS_DYNAMIC_NTL || __RDNS_DYNAMIC_TDS || __RDNS_DYNAMIC_VIRTUA || __RDNS_DYNAMIC_SPACELAN || __RDNS_INDICATOR_DYN || __RDNS_INDICATOR_RES || __RDNS_INDICATOR_TYPE2 || __RDNS_DYNAMIC_TTNET || __RDNS_DYNAMIC_ASAHI))
describe RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
meta RDNS_NONE (__RDNS_NONE && !__CGATE_RCVD && !__DOMINO_RCVD)
describe RDNS_NONE Delivered to internal network by a host with no rDNS

160
sa-updates/20_fake_helo_tests.cf Normal file
View File

@ -0,0 +1,160 @@
# SpamAssassin rules file: fake-HELO tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# We should write a new ruletype for these, to save typing.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
#---------------------------------------------------------------------------
# Handle hosts that look like HELO_DYNAMIC hosts
# cmr-208-124-139-194.cr.net.cable.rogers.com) [208.124.139.194]
# cmr-208-97-119-114.cr.net.cable.rogers.com) [208.97.119.114]
header __HELO_STATIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ helo=cmr-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\S+\.rogers\.com[^\]]+ auth= /i
# o167-89-97-77.outbound-mail.sendgrid.net (bug 7592)
header __HELO_STATIC_SENDGRID X-Spam-Relays-External =~ /^[^\]]+ helo=o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net\s[^\]]+ auth= /i
# 50-203-126-142-static.hfc.comcastbusiness.net
header __HELO_STATIC_COMCAST X-Spam-Relays-External =~ /^[^\]]+ helo=\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}-static\.hfc\.comcastbusiness\.net\s[^\]]+ auth= /i
describe HELO_STATIC_HOST Relay HELO'd using static hostname
meta HELO_STATIC_HOST (__HELO_STATIC_ROGERS || __HELO_STATIC_SENDGRID || __HELO_STATIC_COMCAST)
# ---------------------------------------------------------------------------
# Suresh says: these will never be used as HELOs from real mail.com relays.
# Just check the most recent handover; the connection to a internal host.
# This way a legit sender can send to their MSA using that HELO (quite a few
# MUAs will do that), but a spammer gets caught. (List of domains comes from
# the drop-down list on the Mail.com signup page.)
#header FAKE_HELO_MAIL_COM_DOM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:\S+\.|)(?:(?:mail|email|iname|cheerful|consultant|europe|mindless|myself|post|techie|usa|writeme|2die4|artlover|bikerider|catlover|cliffhanger|cutey|doglover|gardener|hot-shot|inorbit|loveable|mad\.scientist|playful|poetic|popstar|saintly|seductive|soon|whoever|winning|witty|yours|africamail|arcticmail|asia|australiamail|europe|japan|samerica|usa|berlin|dublin|london|madrid|moscowmail|munich|nycmail|paris|rome|sanfranmail|singapore|tokyo|accountant|adexec|allergist|alumnidirector|archaeologist|chemist|clerk|columnist|comic|consultant|counsellor|deliveryman|diplomats|doctor|dr|engineer|execs|financier|geologist|graphic-designer|insurer|journalist|lawyer|legislator|lobbyist|minister|optician|pediatrician|presidency|priest|publicist|realtyagent|registerednurses|repairman|representative|rescueteam|scientist|sociologist|teacher|techietechnologist|umpire)\.com|(?:programmer|earthling|hairdresser)\.net|musician\.org) /i
#describe FAKE_HELO_MAIL_COM_DOM Relay HELO'd with suspicious hostname (mail.com)
# ---------------------------------------------------------------------------
# Interesting new feature; spamware HELO'ing, from a dialup IP addr,
# using that IP's rDNS entry. We can catch this easily. There aren't
# many legit mailservers calling themselves
# 'dhcp024-210-034-053.columbus.rr.com'. ;)
#
# Note the '^[^\]]+ ' stanza: this ensures that we only match spamware
# connecting to a internal relay; if a mail came from a dynamic addr but
# was relayed through their smarthost, that's fine.
# See bug #5856, all references of trusted were changed to internal
# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# c-66-176-16-108.se.client2.attbi.com [66.176.16.108]
# c-67-168-174-61.client.comcast.net [67.168.174.61]
# NNN-NNN-NNN-NNN.fibertel.com.ar
# NN.NN.NNN.NNN.ap.yournet.ne.jp
# NN.NNN.NN-NN.rev.gaoland.net
# vaise-1-82-67-44-166.fbx.proxad.net [82.67.44.166]
# lns-vlq-11-62-147-186-141.adsl.proxad.net [62.147.186.141]
# dsl-200-95-109-107.prod-infinitum.com.mx [200.95.109.107]
# port-212-202-77-203.reverse.qsc.de [212.202.77.203]
# pool-151-203-32-68.bos.east.verizon.net [151.203.32.68]
# c-67-164-133-216.client.comcast.net [67.164.133.216]
# 200-171-228-6.customer.telesp.net.br [200.171.228.6]
# modemcable090.28-201-24.mc.videotron.ca [24.201.28.90]
# 80-218-47-160.dclient.hispeed.ch [80.218.47.160]
# cdm-68-226-239-16.laft.cox-internet.com [68.226.239.16]
# d53-64-35-171.nap.wideopenwest.com [64.53.171.35]
# 74.67-201-80.adsl.skynet.be [80.201.67.74]
# 12-218-225-223.client.mchsi.com [12.218.225.223]
# (require an alpha first, as legit HELO'ing-as-IP-address is hit otherwise)
header __HELO_DYNAMIC_IPADDR X-Spam-Relays-External =~ /^[^\]]+ helo=(?![^\s\]]+[-.]static[-.])[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+ auth= /i
meta HELO_DYNAMIC_IPADDR (__HELO_DYNAMIC_IPADDR && !HELO_STATIC_HOST)
describe HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
# dhcp024-210-034-053.columbus.rr.com [24.210.34.53]
# catv-506237d8.miskcatv.broadband.hu [80.98.55.216]
# node-c-8b22.a2000.nl
# cm89.omega139.maxonline.com.sg
# cm114.gamma208.maxonline.com.sg
header __HELO_DYNAMIC_DHCP X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:(?<!a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
meta HELO_DYNAMIC_DHCP (__HELO_DYNAMIC_DHCP && !HELO_STATIC_HOST)
describe HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
# fia83-8.dsl.hccnet.nl [62.251.8.83]
# fia160-115-100.dsl.hccnet.nl [80.100.115.160]
header __HELO_DYNAMIC_HCC X-Spam-Relays-External =~ /^[^\]]+ helo=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\.[^\]]+ auth= /i
meta HELO_DYNAMIC_HCC (__HELO_DYNAMIC_HCC && !HELO_STATIC_HOST)
describe HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)
# h0002a5d76857.ne.client2.attbi.com [65.96.12.59]
# CPE0004e2372711-CM000a73666706.cpe.net.cable.rogers.com
# CPE00e0184f0eba-CM014490118324.cpe.net.cable.rogers.com [24.43.109.140]
header HELO_DYNAMIC_ROGERS X-Spam-Relays-External =~ /^[^\]]+ helo=CPE\d+\S+\.rogers\.com[^\]]+ auth= /i
describe HELO_DYNAMIC_ROGERS Relay HELO'd using suspicious hostname (Rogers)
# pD9E4F89F.dip.t-dialin.net [217.228.248.159]
header HELO_DYNAMIC_DIALIN X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z][A-F0-9]+\.dip\./
describe HELO_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin)
# 0xd5aaf40b.dhcp.kabelnettet.dk
# 0x50a46949.virnxx11.adsl-dhcp.tele.dk
header HELO_DYNAMIC_HEXIP X-Spam-Relays-External =~ /^[^\]]+ helo=0x[a-f0-9]{8}\./
describe HELO_DYNAMIC_HEXIP Relay HELO'd using suspicious hostname (Hex IP)
# 118.Red-80-35-201.pooles.rima-tde.net
header HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/
describe HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
# YahooBB219173000034.bbtec.net [219.173.0.34]
# 10-35-124-91.pool.ukrtel.net [91.124.35.10]
# 89-215-186-91.2073241113.ddns-lan.rakovski.ekk.bg [217.18.240.147]
# 200.109.193-29.dyn.dsl.cantv.net [200.109.193.29]
# 113x35x70x11.ap113.ftth.ucom.ne.jp [113.35.70.11]
# 98x9x3p5siouq.kvknv3sv1quk.3ejp4xzv.com [213.250.20.156]
# 1.0/24.137.95.202.in-addr.arpa [202.95.137.1]
header __HELO_DYNAMIC_IPADDR2 X-Spam-Relays-External =~ /^[^\]]+ helo=(?![^\s\]]+[-.](?:static|mail|smtp|mx)\d*[-.])\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= /i
meta HELO_DYNAMIC_IPADDR2 (__HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP)
describe HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
# h234n2fls32o895.telia.com [217.208.73.234]
# h53n2fls32o828.telia.com
# h116n2fls32o1111.telia.com
# h29n1fls306o1003.telia.com
# CM-vina5-168-207.cm.vtr.net [200.104.168.207]
# CM-anto1-98-153.cm.vtr.net [200.104.98.153]
# ec9z5l.cm.chello.no
# g225174.upc-g.chello.nl
# a151145.upc-a.chello.nl
# a96134.upc-a.chello.nl
header HELO_DYNAMIC_CHELLO_NL X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z]\d+\.upc-[a-z]\.chello\.nl[^\]]+ auth= /i
describe HELO_DYNAMIC_CHELLO_NL Relay HELO'd using suspicious hostname (Chello.nl)
# cp160000-a.mill1.nb.home.nl
# cp341468-b.venra1.lb.home.nl
header HELO_DYNAMIC_HOME_NL X-Spam-Relays-External =~ /^[^\]]+ helo=[a-z]{2}\d+-\S\.\S+\d\.[a-z]{2}\.home\.nl[^]]+ auth= /i
describe HELO_DYNAMIC_HOME_NL Relay HELO'd using suspicious hostname (Home.nl)

65
sa-updates/20_freemail.cf Normal file
View File

@ -0,0 +1,65 @@
# SpamAssassin - FreeMail rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::FreeMail
body __freemail_safe_fwd /---\s?(?:(?:Forwarded|Original) message|Alkuper(?:\xe4|\xc3\xa4)inen viesti)/i
header __freemail_safe_rls X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.(?:tfbnw\.net|ebay\.com|tieto\.com) /
meta __freemail_safe __freemail_safe_fwd || __ML2 || __ML4 || __HAS_X_MAILING_LIST || __HAS_X_MAILMAN_VERSION || __freemail_safe_rls
header __freemail_replyto eval:check_freemail_replyto('replyto')
meta FREEMAIL_REPLYTO __freemail_replyto && !__freemail_safe
describe FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different freemails
score FREEMAIL_REPLYTO 2
header __freemail_reply eval:check_freemail_replyto('reply')
meta FREEMAIL_REPLY __freemail_reply && !__freemail_replyto && !__freemail_safe
describe FREEMAIL_REPLY From and body contain different freemails
score FREEMAIL_REPLY 0.5
header FREEMAIL_FROM eval:check_freemail_from()
describe FREEMAIL_FROM Sender email is commonly abused enduser mail provider
score FREEMAIL_FROM 0.001
header FREEMAIL_ENVFROM_END_DIGIT eval:check_freemail_header('EnvelopeFrom', '\d@')
describe FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit
score FREEMAIL_ENVFROM_END_DIGIT 0.1
header FREEMAIL_REPLYTO_END_DIGIT eval:check_freemail_header('Reply-To', '\d@')
describe FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
score FREEMAIL_REPLYTO_END_DIGIT 0.1
#header FREEMAIL_SUBJECT eval:check_freemail_header('Subject')
#describe FREEMAIL_SUBJECT Subject contains freemail
#score FREEMAIL_SUBJECT 0.001
# Idea from John Hardin
header __freemail_hdr_replyto eval:check_freemail_header('Reply-To')
meta FREEMAIL_FORGED_REPLYTO __freemail_hdr_replyto && !FREEMAIL_FROM && !__freemail_safe
describe FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
score FREEMAIL_FORGED_REPLYTO 0.1
endif

545
sa-updates/20_freemail_domains.cf Normal file
View File

@ -0,0 +1,545 @@
# SpamAssassin - FreeMail domains file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# List contains commonly abused end user mail providers
# "freemail" is solely used for label purposes.
# weed out domains that already exist given a FILE of one domain per line:
# perl -lane 'if (@F and shift(@F) eq "freemail_domains") {
# for (@F) { s/\./\\./g; s/\?/./g; s/\*/[^.]*/g; print }
# }' rules/*.cf |grep -wvf- FILE
# Updated 2016-08-18-axb
ifplugin Mail::SpamAssassin::Plugin::FreeMail
# Initial import from old FreeMail.pm / 090428
freemail_domains 020.co.uk 123.com 123box.net 123india.com 123mail.cl
freemail_domains 123mail.org 123qwe.co.uk 138mail.com 141.ro 150mail.com 150ml.com 16mail.com
freemail_domains 1963chevrolet.com 1963pontiac.com 1netdrive.com 1st-website.com 1stpd.net
freemail_domains 2-mail.com 20after4.com 21cn.com 24h.co.jp 24horas.com 271soundview.com
freemail_domains 2die4.com 2mydns.com 2net.us 3000.it 3ammagazine.com 3email.com 3xl.net
freemail_domains 444.net 4email.com 4email.net 4newyork.com 50mail.com 55mail.cc 5fm.za.com
freemail_domains 6210.hu 6sens.com 702mail.co.za 7110.hu 8848.net 8m.com 8m.net 8x.com.br 8u8.com 8u8.hk 8u8.tw
freemail_domains a-topmail.at about.com abv.bg acceso.or.cr access4less.net accessgcc.com
freemail_domains acmemail.net adiga.com adinet.com.uy
freemail_domains adres.nl advalvas.be aeiou.pt aeneasmail.com afrik.com
freemail_domains afropoets.com aggies.com ahaa.dk aichi.com aim.com airpost.net aiutamici.com
freemail_domains aklan.com aknet.kg alabama.usa.com alaska.usa.com alavatotal.com
freemail_domains albafind.com albawaba.com alburaq.net aldeax.com aldeax.com.ar alex4all.com aliyun.com
freemail_domains alexandria.cc algeria.com alice.it alinto.com allmail.net
freemail_domains alskens.dk altavista.se altbox.org alternativagratis.com alum.com
freemail_domains alunos.unipar.br alvilag.hu amenworld.com america.hm
freemail_domains americamail.com amnetsal.com amorous.com ananzi.co.za anet.ne.jp anfmail.com
freemail_domains angelfire.com animail.net aniverse.com anjungcafe.com
freemail_domains another.com antedoonsub.com antwerpen.com anunciador.net anytimenow.com
freemail_domains aol.* aol.co*.* aon.at apexmail.com apollo.lv approvers.net aprava.com
freemail_domains apropo.ro arcor.de argentina.com
freemail_domains arizona.usa.com arkansas.usa.com armmail.com army.com arnet.com.ar aroma.com
freemail_domains arrl.net aruba.it asheville.com asia-links.com
freemail_domains asiamail.com assala.com assamesemail.com asurfer.com
freemail_domains atl.lv atlas.cz atlas.sk atozasia.com atreillou.com att.net *.att.ne.jp au.ru aubenin.com
freemail_domains aus-city.com aussiemail.com.au avasmail.com.mv axarnet.com
freemail_domains ayna.com azet.sk babbalu.com badgers.com bakpaka.com bakpaka.net
freemail_domains balochistan.org baluch.com bama-fan.com bancora.net bankersmail.com
freemail_domains barlick.net beeebank.com beehive.org
freemail_domains been-there.com beirut.com belizehome.com belizemail.net
freemail_domains belizeweb.com bellsouth.net berlin.de bestmail.us bflomail.com
freemail_domains bgnmail.com bharatmail.com big-orange.com bigboss.cz bigfoot.com bigger.com
freemail_domains bigmailbox.com bigmir.net bigstring.com bip.net bigpond.com
freemail_domains bitwiser.com biz.by bizhosting.com black-sea.ro blackburnmail.com
freemail_domains blackglobalnetwork.net blink182.net blue.devils.com bluebottle.com
freemail_domains bluemail.ch blumail.org blvds.com bol.com.br bolando.com
freemail_domains bollywood2000.com bollywoodz.com bombka.dyn.pl bonbon.net boom.com
freemail_domains bootmail.com bostonoffice.com box.az boxbg.com boxemail.com brain.com.pk
freemail_domains brasilia.net bravanese.com brazilmail.com.br breathe.com
freemail_domains brestonline.com brfree.com.br brujula.net btcc.org
freemail_domains buffaloes.com bulgaria.com bulldogs.com bumerang.ro burntmail.com
freemail_domains butch-femme.net buzy.com buzzjakkerz.com c-box.cz c3.hu c4.com cadinfo.net
freemail_domains calcfacil.com.br calcware.org california.usa.com
freemail_domains callnetuk.com camaroclubsweden.com canada-11.com canada.com canal21.com
freemail_domains canoemail.com caramail.com cardblvd.com care-mail.com care2.com caress.com
freemail_domains carioca.net cashette.com casino.com casinomail.com cataloniamail.com
freemail_domains catalunyamail.com cataz.com catcha.com catholic.org caths.co.uk
freemail_domains caxess.net cbrmail.com cc.lv cemelli.com centoper.it centralpets.com
freemail_domains centrum.cz centrum.sk centurylink.net cercaziende.it cgac.es chaiyo.com chaiyomail.com
freemail_domains chance2mail.com channelonetv.com charter.net chattown.com checkitmail.at
freemail_domains chelny.com cheshiremail.com chil-e.com chillimail.com
freemail_domains china.com christianmail.org ciaoweb.it cine.com ciphercom.net
freemail_domains circlemail.com cititrustbank1.cjb.net citromail.hu citynetusa.com ciudad.com.ar
freemail_domains claramail.com classicmail.co.za cliffhanger.com clix.pt
freemail_domains close2you.net cluemail.com clujnapoca.ro collegeclub.com
freemail_domains colombia.com colorado.usa.com comcast.net comfortable.com
freemail_domains compaqnet.fr compuserve.com computer.net computermail.net
freemail_domains computhouse.com conevyt.org.mx connect4free.net connecticut.usa.com
freemail_domains coolgoose.com coolkiwi.com coollist.com coxinet.net
freemail_domains coolmail.com coolmail.net coolsend.com cooltoad.com cooperation.net
freemail_domains copacabana.com copticmail.com corporateattorneys.com corporation.net
freemail_domains correios.net.br correomagico.com cosmo.com cosmosurf.net cougars.com
freemail_domains count.com countrybass.com couple.com criticalpath.net
freemail_domains critterpost.com crosspaths.net crosswinds.net cryingmail.com cs.com
freemail_domains csucsposta.hu cumbriamail.com curio-city.com custmail.com
freemail_domains cwazy.co.uk cwazy.net cww.de cyberaccess.com.pk
freemail_domains cybergirls.dk cyberguys.dk cybernet.it cymail.net
freemail_domains dabsol.net dada.net dadanet.it dailypioneer.com damuc.org.br
freemail_domains dansegulvet.com darkhorsefan.net data54.com davegracey.com dayzers.com
freemail_domains daum.net dbmail.com dcemail.com dcsi.net deacons.com deadlymob.org deal-maker.com
freemail_domains dearriba.com degoo.com delajaonline.org delaware.usa.com delfi.lv
freemail_domains delhimail.com demon.deacons.com desertonline.com
freemail_domains desidrivers.com deskpilot.com despammed.com detik.com devils.com dexara.net
freemail_domains dhmail.net di-ve.com didamail.com digitaltrue.com
freemail_domains direccion.com director-general.com diri.com discardmail.com
freemail_domains discoverymail.net disinfo.net djmillenium.com dmailman.com
freemail_domains dnsmadeeasy.com do.net.ar dodgeit.com dogmail.co.uk
freemail_domains doityourself.com domaindiscover.com domainmanager.com doneasy.com
freemail_domains dontexist.org dores.com dostmail.com dot5hosting.com dotcom.fr
freemail_domains dotnow.com dott.it doubt.com dplanet.ch dragoncon.net dragonfans.com
freemail_domains dropzone.com dserver.org dubaiwebcity.com dublin.ie dustdevil.com
freemail_domains dynamitemail.com dyndns.org e-apollo.lv e-hkma.com
freemail_domains e-mail.cz e-mail.ph e-mailanywhere.com e-milio.com e-tapaal.com e-webtec.com earthalliance.com
freemail_domains earthling.net eastmail.com eastrolog.com easy-pages.com easy.com
freemail_domains easyinfomail.co.za easypeasy.com echina.com ecn.org ecplaza.net eircom.net
freemail_domains edsamail.com.ph educacao.te.pt edumail.co.za eeism.com ego.co.th ekolay.net
freemail_domains elforotv.com.ar elitemail.org elsitio.com eltimon.com elvis.com
freemail_domains email.com.br email.cz email.bg email.it email.lu email.lviv.ua email.nu
freemail_domains email.ro email.si email2me.com emailacc.com emailaccount.com
freemail_domains emailaddresses.com emailchoice.com emailcorner.net emailn.de emailengine.net
freemail_domains emailengine.org emailgaul.com emailgroups.net emailhut.net emailpinoy.com
freemail_domains emailplanet.com emailplus.org emailuser.net ematic.com embarqmail.com
freemail_domains embroideryforums.com eml.cc emoka.ro emptymail.com enel.net enelpunto.net
freemail_domains england.com enterate.com.ar entryweb.it entusiastisk.com
freemail_domains enusmail.com epatra.com epix.net epomail.com epost.de eprompter.com eqqu.com
freemail_domains eramail.co.za eresmas.com eriga.lv ertelecom.ru esde-s.org esfera.cl estadao.com.br
freemail_domains etllao.com euromail.net euroseek.com
freemail_domains euskalmail.com evafan.com everyday.com.kh everymail.net everyone.net
freemail_domains excite.* excite.co*.* execs2k.com executivemail.co.za
freemail_domains expn.com ezilon.com ezrs.com f-m.fm facilmail.com fadrasha.net fadrasha.org
freemail_domains faithhighway.com faithmail.com familymailbox.com familyroll.com
freemail_domains familysafeweb.net fan.com fan.net faroweb.com fast-email.com fast-mail.org
freemail_domains fastem.com fastemail.us fastemailer.com fastermail.com fastest.cc
freemail_domains fastimap.com fastmail.* fastmail.co*.* fastmailbox.net
freemail_domains fastmessaging.com fastwebmail.it fawz.net fea.st federalcontractors.com
freemail_domains fedxmail.com feelings.com female.ru fepg.net ffanet.com fiberia.com
freemail_domains filipinolinks.com financesource.com findmail.com
freemail_domains fiscal.net flashmail.com flipcode.com florida.usa.com floridagators.com
freemail_domains fmail.co.uk fmailbox.com fmgirl.com fmguy.com fnmail.com footballer.com foxmail.com
freemail_domains forfree.at forsythmissouri.org fortuncity.com forum.dk free.com.pe free.fr
freemail_domains free.net.nz freeaccess.nl freegates.be freeghana.com freehosting.nl
freemail_domains freei.co.th freeler.nl freemail.* freemail.*.* freemail.globalsite.com.br
freemail_domains freemuslim.net freenet.de freenet.kg freeola.net freepgs.com freesbee.fr
freemail_domains freeservers.com freestart.hu freesurf.ch freesurf.fr
freemail_domains freesurf.nl freeuk.com freeuk.net freeweb.it freewebemail.com freeyellow.com
freemail_domains frisurf.no frontiernet.net fsmail.net fsnet.co.uk ftml.net fuelie.org
freemail_domains fun-greetings-jokes.com fun.21cn.com fusemail.com fut.es gala.net
freemail_domains galmail.co.za gamebox.net gamecocks.com gawab.com gay.com
freemail_domains gaymailbox.com gaza.net gazeta.pl gci.net gdi.net geeklife.com gemari.or.id
freemail_domains genxemail.com geopia.com georgia.usa.com getmail.no
freemail_domains ggaweb.ch giga4u.de gjk.dk glay.org glendale.net globalfree.it globomail.com
freemail_domains globalpinoy.com globalsite.com.br globalum.com globetrotter.net gmail.com
freemail_domains gmx.* go-bama.com go-cavs.com go-chargers.com go-dawgs.com go-gators.com
freemail_domains go-hogs.com go-irish.com go-spartans.com go-tigers.com go.aggies.com
freemail_domains go.air-force.com go.badgers.com go.big-orange.com go.blue.devils.com
freemail_domains go.buffaloes.com go.bulldogs.com go.com go.cougars.com go.dores.com
freemail_domains go.gamecocks.com go.huskies.com go.longhorns.com go.mustangs.com
freemail_domains go.rebels.com go.ro go.ru go.terrapins.com go.wildcats.com go.wolverines.com
freemail_domains go.yellow-jackets.com go2net.com go4.it gofree.co.uk golfemail.com
freemail_domains goliadtexas.com gomail.com.ua gonowmail.com gonuts4free.com googlemail.com
freemail_domains goplay.com gorontalo.net gotmail.com gotomy.com govzone.com grad.com
freemail_domains graffiti.net gratisweb.com gtechnics.com
freemail_domains guate.net guessmail.com gwalla.com h-mail.us haberx.com hailmail.net
freemail_domains halejob.com hamptonroads.com handbag.com hanmail.net happemail.com
freemail_domains happycounsel.com hawaii.com hawaii.usa.com hayahaya.tg hedgeai.com
freemail_domains heesun.net heremail.com hetnet.nl highveldmail.co.za hildebrands.de
freemail_domains hingis.org hispavista.com hitmanrecords.com hockeyghiaccio.com
freemail_domains hockeymail.com holapuravida.com home.no.net home.ro home.se homelocator.com
freemail_domains homemail.co.za homenetmail.com homestead.com homosexual.net hongkong.com hong-kong-1.com
freemail_domains hopthu.com hosanna.net hot.ee hotbot.com hotbox.ru hotcoolmail.com hotdak.com
freemail_domains hotfire.net hotinbox.com hotmail.* hotmail.co*.*
freemail_domains hotpop.com hotvoice.com hour.com howling.com huhmail.com
freemail_domains humour.com hurra.de hush.ai hush.com hushmail.com huskies.com
freemail_domains hutchcity.com i-france.com i-p.com i12.com i2828.com ibatam.com ibest.com.br
freemail_domains ibizdns.com icafe.com ice.is icestorm.com icloud.com icq.com icqmail.com icrazy.com
freemail_domains id.ru idaho.usa.com idirect.com idncafe.com ieg.com.br iespalomeras.net
freemail_domains iespana.es ifrance.com ig.com.br ignazio.it illinois.usa.com ilse.net
freemail_domains ilse.nl imail.ru imailbox.com imap-mail.com imap.cc imapmail.org imel.org
freemail_domains in-box.net inbox.com inbox.ge inbox.lv inbox.net inbox.ru in.com
freemail_domains incamail.com indexa.fr india.com indiamail.com indiana.usa.com
freemail_domains indiatimes.com induquimica.org inet.com.ua infinito.it infoapex.com
freemail_domains infohq.com infomail.es infomart.or.jp infosat.net infovia.com.ar inicia.es
freemail_domains inmail.sk inmail24.com inoutbox.com
freemail_domains intelnet.net.gt intelnett.com interblod.com
freemail_domains interfree.it interia.pl interlap.com.ar intermail.hu internet-e-mail.com
freemail_domains internet-mail.org internet.lu internetegypt.com internetemails.net
freemail_domains internetmailing.net inwind.it iobox.com iobox.fi iol.it iol.pt iowa.usa.com
freemail_domains ip3.com ipermitmail.com iqemail.com iquebec.com iran.com irangate.net
freemail_domains iscool.net islandmama.com ismart.net isonews2.com isonfire.com isp9.net
freemail_domains ispey.com itelgua.com itloox.com itmom.com
freemail_domains ivenus.com iwan-fals.com iwon.com ixp.net japan.com jaydemail.com
freemail_domains jedrzejow.pl jetemail.net jingjo.net jippii.fi jmail.co.za jojomail.com
freemail_domains jovem.te.pt joymail.com jubii.dk jubiipost.dk jumpy.it
freemail_domains juno.com justemail.net justmailz.com k.ro kaazoo.com kabissa.org kaixo.com
freemail_domains kalluritimes.com kalpoint.com kansas.usa.com katamail.com kataweb.it
freemail_domains kayafmmail.co.za keko.com.ar kentucky.usa.com keptprivate.com
freemail_domains kimo.com kiwitown.com klik.it klikni.cz kmtn.ru koko.com kolozsvar.ro kombud.com
freemail_domains koreanmail.com kotaksuratku.info krunis.com kukamail.com
freemail_domains kuronowish.com kyokodate.com kyokofukada.net ladymail.cz lagoon.nc
freemail_domains lahaonline.com lamalla.net lancsmail.com land.ru laposte.net latinmail.com
freemail_domains lawyer.com lawyersmail.com lawyerzone.com lebanonatlas.com leehom.net
freemail_domains leonardo.it leonlai.net letsjam.com letterbox.org
freemail_domains letterboxes.org levele.com lexpress.net libero.it liberomail.com
freemail_domains libertysurf.net libre.net lightwines.org linkmaster.com linuxfreemail.com
freemail_domains lionsfan.com.au live.* livedoor.com llandudno.com
freemail_domains llangollen.com lmxmail.sk loggain.net loggain.nu lolnetwork.net
freemail_domains london.com longhorns.com look.com looksmart.co.uk looksmart.com
freemail_domains looksmart.com.au loteria.net lotonazo.com louisiana.usa.com louiskoo.com
freemail_domains loveable.com lovemail.com lovingjesus.com lpemail.com luckymail.com luso.pt
freemail_domains lusoweb.pt luukku.com lycos.* lycos.co*.* lycosmail.com mac.com
freemail_domains machinecandy.com macmail.com mad.scientist.com madcrazy.com
freemail_domains madonno.com madrid.com mag2.com magicmail.co.za magik-net.com mail-atlas.net
freemail_domains mail-awu.de mail-box.cz mail.by mail-center.com mail-central.com mail-jp.org
freemail_domains mail-online.dk mail-page.com mail-x-change.com mail.austria.com mail.az
freemail_domains mail.de mail.be mail.bg mail.bulgaria.com mail.co.za mail.dk mail.ee
freemail_domains mail.goo.ne.jp mail.gr mail.lawguru.com mail.md mail.mn mail.org mail.pf
freemail_domains mail.pt mail.ru mail.yahoo.co.jp mail15.com mail2*.com mail3000.com mail333.com
freemail_domains mail8.com mailandftp.com mailandnews.com mailas.com mailasia.com mailbg.com
freemail_domains mailblocks.com mailbolt.com mailbox.as mailbox.co.za mailbox.gr mailbox.hu
freemail_domains mailbox.sk mailc.net mailcan.com mailcircuit.com mailclub.fr mailclub.net
freemail_domains maildozy.com mailfly.com mailforce.net mailftp.com mailglobal.net
freemail_domains mailhaven.com mailinator.com mailingaddress.org mailingweb.com mailisent.com
freemail_domains mailite.com mailme.dk mailmight.com mailmij.nl mailnew.com mailops.com
freemail_domains mailpanda.com mailpersonal.com mailroom.com mailru.com mails.de mailsent.net
freemail_domains mailserver.dk mailservice.ms mailsnare.net mailsurf.com mailup.net
freemail_domains mailvault.com mailworks.org maine.usa.com majorana.martina-franca.ta.it
freemail_domains maktoob.com malayalamtelevision.net malayalapathram.com male.ru manager.de
freemail_domains manlymail.net mantrafreenet.com mantramail.com mantraonline.com
freemail_domains marihuana.ro marijuana.nl marketweighton.com maryland.usa.com
freemail_domains masrawy.com massachusetts.usa.com mauimail.com mbox.com.au mcrmail.com me.by me.com
freemail_domains medicinatv.com meetingmall.com megamail.pt menara.ma merseymail.com mesra.net
freemail_domains messagez.com metacrawler.com mexico.com miaoweb.net
freemail_domains michigan.usa.com micro2media.com miesto.sk mighty.co.za milacamn.net
freemail_domains milmail.com mindless.com mindviz.com minnesota.usa.com
freemail_domains mississippi.usa.com missouri.usa.com mixmail.com ml1.net ml2clan.com
freemail_domains mlanime.com mm.st mmail.com mobimail.mn mobsters.com mobstop.com
freemail_domains modemnet.net modomail.com moldova.com moldovacc.com monarchy.com
freemail_domains montana.usa.com montevideo.com.uy moomia.com moose-mail.com mosaicfx.com
freemail_domains motormania.com movemail.com mr.outblaze.com mrspender.com
freemail_domains ms*.hinet.net mscold.com msn.com msn.co.uk msnzone.cn mundo-r.com
freemail_domains muslimsonline.com mustangs.com mxs.de myblue.cc mycabin.com mycity.com mycommail.com
freemail_domains mycool.com mydomain.com myeweb.com myfastmail.com myfunnymail.com mygrande.net mykolab.com
freemail_domains mygamingconsoles.com myiris.com myjazzmail.com mymacmail.com mymail.dk
freemail_domains mymail.ph.inter.net mymail.ro mynet.com mynet.com.tr myotw.net myopera.com
freemail_domains myownemail.com mypersonalemail.com myplace.com myrealbox.com
freemail_domains myspace.com myt.mu myway.com mzgchaos.de n2.com n2business.com n2mail.com
freemail_domains n2software.com nabble.com name.com nameplanet.com nanamail.co.il
freemail_domains nanaseaikawa.com nandomail.com naseej.com nastything.com national-champs.com
freemail_domains nativeweb.net narod.ru nate.com naveganas.com naver.com nebraska.usa.com nemra1.com nenter.com
freemail_domains nerdshack.com nervhq.org net.hr net4b.pt net4jesus.com net4you.at
freemail_domains netbounce.com netcabo.pt netcape.net netcourrier.com netexecutive.com
freemail_domains netfirms.com netkushi.com netmongol.com netpiper.com netposta.net
freemail_domains netscape.com netscape.net netscapeonline.co.uk netsquare.com nettaxi.com
freemail_domains netti.fi networld.com netzero.com netzero.net neustreet.com nevada.usa.com
freemail_domains newhampshire.usa.com newjersey.usa.com newmail.com newmail.net
freemail_domains newmail.ok.com newmail.ru newmexico.usa.com newspaperemail.com newyork.com
freemail_domains newyork.usa.com newyorkcity.com nfmail.com nicegal.com nightimeuk.com
freemail_domains nightly.com nightmail.com nightmail.ru noavar.com noemail.com nonomail.com nokiamail.com
freemail_domains noolhar.com northcarolina.usa.com northdakota.usa.com
freemail_domains nospammail.net nowzer.com ny.com nyc.com nz11.com
freemail_domains nzoomail.com o2.pl oceanfree.net ocsnet.net oddpost.com odeon.pl
freemail_domains odmail.com offshorewebmail.com ofir.dk ohio.usa.com oicexchange.com ok.ru
freemail_domains oklahoma.usa.com ole.com oleco.net olympist.net omaninfo.com onatoo.com
freemail_domains ondikoi.com onebox.com onenet.com.ar onet.pl ongc.net oninet.pt online.ie
freemail_domains online.ru onlinewiz.com onobox.com open.by openbg.com openforyou.com
freemail_domains opentransfer.com operamail.com oplusnet.com orange.fr orangehome.co.uk orange.es orange.jo orange.pl
freemail_domains orbitel.bg orcon.net.nz oregon.usa.com oreka.com organizer.net orgio.net
freemail_domains orthodox.com osite.com.br oso.com ourbrisbane.com ournet.md
freemail_domains ourprofile.net ourwest.com outgun.com outlook.* ownmail.net oxfoot.com ozu.es
freemail_domains pacer.com paginasamarillas.com
freemail_domains pakistanmail.com pandawa.com pando.com pandora.be paris.com parsimail.com
freemail_domains parspage.com patmail.com pattayacitythailand.com pc4me.us pcpostal.com
freemail_domains penguinmaster.com pennsylvania.usa.com peoplepc.com peopleweb.com
freemail_domains personal.ro personales.com peru.com petml.com
freemail_domains phreaker.net pigeonportal.com pilu.com pimagop.com
freemail_domains pinoymail.com pipni.cz pisem.net planet-school.de planetaccess.com
freemail_domains planetout.com plasa.com playersodds.com playful.com pluno.com
freemail_domains plusmail.com.br pmail.net pnetmail.co.za pobox.ru pobox.sk pochtamt.ru pochta.ru
freemail_domains poczta.fm poetic.com pogowave.com polbox.com
freemail_domains pop3.ru pop.co.th popmail.com poppymail.com popsmail.com popstar.com portafree.com
freemail_domains portaldosalunos.com portugalmail.com portugalmail.pt post.cz
freemail_domains post.expart.ne.jp post.pl post.sk posta.ge postaccesslite.com postiloota.net
freemail_domains postinbox.com postino.ch postino.it postmaster.co.uk postpro.net praize.com
freemail_domains press.co.jp primposta.com printesamargareta.ro
freemail_domains private.21cn.com probemail.com profesional.com profession.freemail.com.br
freemail_domains proinbox.com promessage.com prontomail.com protonmail.com protonmail.ch
freemail_domains provincial.net publicaccounting.com punkass.com puppy.com.my
freemail_domains q.com qatar.io qlmail.com qq.com qrio.com qsl.net qudsmail.com queerplaces.com quepasa.com
freemail_domains quick.cz quickwebmail.com r-o-o-t.com r320.hu raakim.com rbcmail.ru racingseat.com
freemail_domains radicalz.com radiojobbank.com ragingbull.com
freemail_domains raisingadaughter.com rallye-webmail.com rambler.ru ranmamail.com ravearena.com
freemail_domains ravemail.co.za razormail.com real.ro realemail.net reallyfast.biz
freemail_domains reallyfast.info rebels.com recife.net recme.net
freemail_domains rediffmail.com rediffmailpro.com redseven.de redwhitearmy.com
freemail_domains relia.com
freemail_domains revenue.com rexian.com rhodeisland.usa.com
freemail_domains ritmes.net rn.com roanokemail.com rochester-mail.com rock.com rocketmail.com
freemail_domains rockfan.com rockinghamgateway.com rojname.com rol.ro
freemail_domains rollin.com rome.com romymichele.com royal.net rpharmacist.com rt.nl ru.ru
freemail_domains rushpost.com russiamail.com rxpost.net s-mail.com saabnet.com
freemail_domains sacbeemail.com sacmail.com safe-mail.net safe-mailbox.com
freemail_domains saigonnet.vn saint-mike.org
freemail_domains samilan.net sandiego.com sanook.com sanriotown.com
freemail_domains sapibon.com sapo.pt saturnfans.com sayhi.net sbcglobal.com scfn.net
freemail_domains schweiz.org sci.fi sciaga.pl
freemail_domains scrapbookscrapbook.com seapole.com search417.com seark.com sebil.com
freemail_domains secretservices.net secure-jlnet.com seductive.com sendmail.ru
freemail_domains sendme.cz sent.as sent.at sent.com serga.com.ar sermix.com server4free.de
freemail_domains serverwench.com sesmail.com sexmagnet.com seznam.cz shadango.com she.com
freemail_domains shuf.com siamlocalhost.com siamnow.net sify.com sinamail.com singapore.com
freemail_domains singmail.com singnet.com.sg siraj.org sirindia.com sirunet.com sister.com sina.com sina.cn sinanail.com
freemail_domains sistersbrothers.com sizzling.com slamdunkfan.com slickriffs.co.uk
freemail_domains slingshot.com slo.net slomusic.net smartemail.co.uk smtp.ru snail-mail.net
freemail_domains sndt.net sneakemail.com snoopymail.com snowboarding.com
freemail_domains so-simple.org socamail.com softhome.net sohu.com
freemail_domains sol.dk solidmail.com soon.com sos.lv soundvillage.org
freemail_domains southcarolina.usa.com southdakota.usa.com space.com spacetowns.com
freemail_domains spamex.com spartapiet.com speed-racer.com speedpost.net
freemail_domains speedymail.org spils.com spinfinder.com sportemail.com spray.net spray.no
freemail_domains spray.se spymac.com srbbs.com srilankan.net ssan.com ssl-mail.com stade.fr
freemail_domains stalag13.com stampmail.com starbuzz.com starline.ee starmail.com
freemail_domains starmail.org starmedia.com starspath.com start.com.au start.no stribmail.com
freemail_domains strompost.* student.com student.ednet.ns.ca studmail.com sudanmail.net
freemail_domains suisse.org sunbella.net sunmail1.com sunpoint.net sunrise.ch
freemail_domains sunumail.sn sunuweb.net suomi24.fi superdada.it supereva.com supereva.it
freemail_domains supermailbox.com superposta.com surf3.net surfassistant.com surfsupnet.net
freemail_domains surfy.net surimail.com surnet.cl sverige.nu svizzera.org
freemail_domains sweb.cz swift-mail.com swissinfo.org
freemail_domains swissmail.net switzerland.org syom.com syriamail.com t-mail.com t-net.net.ve
freemail_domains t2mail.com tabasheer.com talk21.com talkcity.com tangmonkey.com tatanova.com
freemail_domains taxcutadvice.com techemail.com technisamail.co.za
freemail_domains teenmail.co.uk teenmail.co.za tejary.com telebot.com telefonica.net
freemail_domains telegraf.by teleline.es telinco.net telkom.net telpage.net telstra.com telenet.be
freemail_domains telusplanet.net tempting.com tenchiclub.com tennessee.usa.com
freemail_domains terrapins.com texas.usa.com texascrossroads.com tfz.net thai.com
freemail_domains thaimail.com thaimail.net the-fastest.net the-quickest.com thegame.com
freemail_domains theinternetemail.com theoffice.net thepostmaster.net
freemail_domains theracetrack.com theserverbiz.com thewatercooler.com
freemail_domains thewebpros.co.uk thinkpost.net thirdage.com thundermail.com tim.it
freemail_domains timemail.com tin.it tinati.net tiscali.* tiscali.co*.* tiscalinet.it
freemail_domains tjohoo.se tkcity.com tlcfan.com tlen.pl tmicha.net todito.com todoperros.com
freemail_domains tokyo.com topchat.com topmail.com.ar topmail.dk topmail.co.ie topmail.co.in topmail.co.nz topmail.co.uk topmail.co.za
freemail_domains topsurf.com toquedequeda.com torba.com torchmail.com
freemail_domains totalmail.com totalsurf.com totonline.net tough.com toughguy.net trav.se
freemail_domains trevas.net tripod-mail.com triton.net trmailbox.com tsamail.co.za
freemail_domains turbonett.com turkey.com tvnet.lv twc.com typemail.com u2club.com uae.ac
freemail_domains ubbi.com ubbi.com.br uboot.com ugeek.com uk2.net uk2net.com ukr.net
freemail_domains ukrpost.net ukrpost.ua uku.co.uk ulimit.com ummah.org unbounded.com
freemail_domains unican.es unicum.de unimail.mn unitedemailsystems.com universal.pt
freemail_domains universia.cl universia.edu.ve universia.es universia.net.co universia.net.mx
freemail_domains universia.pr universia.pt universiabrasil.net unofree.it uol.com.ar
freemail_domains uol.com.br uole.com uolmail.com uomail.com uraniomail.com urbi.com.br
freemail_domains ureach.com usanetmail.com userbeam.com utah.usa.com
freemail_domains uyuyuy.com v-sexi.com v3mail.com vegetarisme.be velnet.com velocall.com
freemail_domains vercorreo.com verizonmail.com vermont.usa.com verticalheaven.com
freemail_domains veryfast.biz veryspeedy.net vfemail.net vietmedia.com vip.gr virgilio.it
freemail_domains virgin.net virginia.usa.com virtual-mail.com visitmail.com visto.com
freemail_domains vivelared.com vjtimail.com vnn.vn vsnl.com vsnl.net vodamail.co.za voila.fr volkermord.com vosforums.com vodafone.*
freemail_domains w.cn walla.com walla.co.il wallet.com wam.co.za wanex.ge wap.hu
freemail_domains wapda.com wapicode.com wappi.com warpmail.net washington.usa.com wassup.com
freemail_domains waterloo.com waumail.com wazmail.com wearab.net web-mail.com.ar web.de
freemail_domains web.nl web2mail.com webaddressbook.com webbworks.com webcity.ca webdream.com
freemail_domains webemaillist.com webindia123.com webinfo.fi webjump.com webl-3.br.inter.net
freemail_domains webmail.co.yu webmail.co.za webmails.com webmailv.com webpim.cc
freemail_domains webspawner.com webstation.com websurfer.co.za webtopmail.com webtribe.net
freemail_domains webtv.net weedmail.com weekonline.com weirdness.com westvirginia.usa.com
freemail_domains whale-mail.com whipmail.com who.net whoever.com wildcats.com wildmail.com
freemail_domains williams.net.ar winning.com winningteam.com winwinhosting.com
freemail_domains wisconsin.usa.com witelcom.com witty.com wolverines.com wooow.it
freemail_domains workmail.co.za worldcrossing.com worldemail.com worldmedic.com
freemail_domains worldonline.de wowmail.com wp.pl wprost.pl wrongmail.com
freemail_domains wtonetwork.com wurtele.net www.com www.consulcredit.it wyoming.usa.com
freemail_domains x-mail.net xasa.com xemail.* xfreehosting.com xmail.net xmsg.com xnmsn.cn xoom.com xtra.co.nz xuite.net
freemail_domains xpectmore.com xrea.com xsmail.com xzapmail.com y7mail.com yahala.co.il
freemail_domains yaho.com yahoo.* yahoo.co*.* yalla.com.lb
freemail_domains ya.com yeah.net ya.ru yahoomail.com
freemail_domains yam.com yamal.info yandex.* yapost.com yawmail.com yebox.com yehey.com
freemail_domains yellow-jackets.com yellowstone.net yenimail.com yepmail.net yifan.net
freemail_domains ymail.com yopmail.com your-mail.com yours.com yourwap.com yyhmail.com z11.com z6.com
freemail_domains zednet.co.uk zeeman.nl ziplip.com zipmail.com.br zipmax.com
freemail_domains zmail.pt zmail.ru zona-andina.net zonai.com zoneview.net zonnet.nl
freemail_domains zoho.com zoomshare.com zoznam.sk zubee.com zuvio.com zwallet.com zworg.com
freemail_domains zybermail.com zzn.com
# chinese numbers
freemail_domains 126.com 139.com 163.com 188.com 189.cn 263.net 9.cn
# Vips
freemail_domains vip.126.com vip.163.com vip.188.com
freemail_domains vip.sina.com vip.sohu.com vip.sohu.net vip.tom.com vip.qq.com vipsohu.net
# Bug 6903 - powered by VFEmail - 2013-02-19-AXB
freemail_domains clovermail.net mail-on.us chewiemail.com offcolormail.com powdermail.com tightmail.com toothandmail.com tushmail.com
freemail_domains openmail.cc expressmail.dk
# Bug 6903 - powered by 5x2 Online 2013-02-19-AXB
freemail_domains 4xn.de 5x2.de 5x2.me aufdrogen.de auf-steroide.de
freemail_domains besser-als-du.de brainsurfer.de chillaxer.de cyberkriminell.de
freemail_domains danneben.so freemailen.de freemailn.de ist-der-mann.de
freemail_domains ist-der-wahnsinn.de ist-echt.so istecht.so ist-genialer.de
freemail_domains ist-schlauer.de ist-supersexy.de kann.so mag-spam.net
freemail_domains mega-schlau.de muss.so nerd4life.de ohne-drogen-gehts.net
freemail_domains on-steroids.de scheint.so staatsterrorist.de super-gerissen.de
freemail_domains unendlich-schlau.de vip-client.de will-keinen-spam.de
freemail_domains zu-geil.de
# Bug 6903 - powered by Runbox - paid service, but offers 30 day free trial - 2013-02-19-AXB
freemail_domains runbox.*
freemail_domains rbox.me rbox.co
freemail_domains tunome.com
freemail_domains acatperson.com adogperson.com all4theskins.com
freemail_domains allsportsrock.com alwaysgrilling.com alwaysinthekitchen.com
freemail_domains alwayswatchingmovies.com alwayswatchingtv.com asylum.com
freemail_domains basketball-email.com beabookworm.com beagolfer.com beahealthnut.com
freemail_domains believeinliberty.com bestcoolcars.com bestjobcandidate.com besure2vote.com
freemail_domains bigtimecatperson.com bigtimedogperson.com bigtimereader.com
freemail_domains bigtimesportsfan.com blackvoices.com capsfanatic.com capshockeyfan.com
freemail_domains capsred.com car-nut.net cat-person.com catpeoplerule.com chat-with-me.com
freemail_domains cheatasrule.com crazy4baseball.com crazy4homeimprovement.com crazy4mail.com
freemail_domains crazyaboutfilms.net crazycarfan.com crazyforemail.com crazymoviefan.com
freemail_domains descriptivemail.com differentmail.com dog-person.com dogpeoplerule.com
freemail_domains easydoesit.com expertrenovator.com expressivemail.com fanaticos.com
freemail_domains fanofbooks.com fanofcomputers.com fanofcooking.com fanoftheweb.com
freemail_domains fieldmail.com fleetmail.com focusedonprofits.com focusedonreturns.com
freemail_domains futboladdict.com games.com getintobooks.com hail2theskins.com hitthepuck.com
freemail_domains i-dig-movies.com i-love-restaurants.com idigcomputers.com
freemail_domains idigelectronics.com idigvideos.com ilike2helpothers.com ilike2invest.com
freemail_domains ilike2workout.com ilikeelectronics.com ilikeworkingout.com
freemail_domains ilovehomeprojects.com iloveourteam.com iloveworkingout.com in2autos.net
freemail_domains interestedinthejob.com intomotors.com iwatchrealitytv.com lemondrop.com
freemail_domains love2exercise.com love2workout.com lovefantasysports.com lovetoexercise.com
freemail_domains luvfishing.com luvgolfing.com luvsoccer.com
freemail_domains mail4me.com majorgolfer.com majorshopaholic.com majortechie.com mcom.com
freemail_domains motor-nut.com moviefan.com mycapitalsmail.com mycatiscool.com
freemail_domains myfantasyteamrules.com myteamisbest.com netbusiness.com news-fanatic.com
freemail_domains newspaperfan.com onlinevideosrock.com realbookfan.com realhealthnut.com
freemail_domains realitytvaddict.net realitytvnut.com reallyintomusic.com realtravelfan.com
freemail_domains redskinscheer.com redskinsfamily.com redskinsfancentral.com redskinshog.com
freemail_domains redskinsrule.com redskinsspecialteams.com redskinsultimatefan.com
freemail_domains scoutmail.com skins4life.com stargate2.com stargateatlantis.com
freemail_domains stargatefanclub.com stargatesg1.com stargateu.com switched.com
freemail_domains t-online.de thegamefanatic.com total-techie.com totalfoodnut.com
freemail_domains totally-into-cooking.com totallyintobaseball.com totallyintobasketball.com
freemail_domains totallyintocooking.com totallyintofootball.com totallyintogolf.com
freemail_domains totallyintohockey.com totallyintomusic.com totallyintoreading.com
freemail_domains totallyintosports.com totallyintotravel.com totalmoviefan.com
freemail_domains travel2newplaces.com tvchannelsurfer.com ultimateredskinsfan.com
freemail_domains videogamesrock.com volunteeringisawesome.com wayintocomputers.com
freemail_domains whatmail.com when.com wild4music.com wildaboutelectronics.com
freemail_domains workingaroundthehouse.com workingonthehouse.com writesoon.com xmasmail.com
# irq.ir / 091030
freemail_domains arab.ir denmark.ir egypt.ir icq.ir ir.ae iraq.ir ire.ir ireland.ir irr.ir
freemail_domains jpg.ir ksa.ir kuwait.ir london.ir paltalk.ir spain.ir sweden.ir tokyo.ir
# scraped http://www.zemskov.net/free-email-domains.html 2013-10-18-khopesh
# bigmailbox.com
freemail_domains 111mail.com 123iran.com 37.com 420email.com 4degreez.com
freemail_domains 4-music-today.com actingbiz.com allhiphop.com anatomicrock.com
freemail_domains animeone.com asiancutes.com a-teens.net ausi.com autoindia.com
freemail_domains autopm.com barriolife.com b-boy.com beautifulboy.com bgay.com
freemail_domains bicycledata.com bicycling.com bigheavyworld.com bigmailbox.net
freemail_domains bikerheaven.net bikermail.com billssite.com
freemail_domains blackandchristian.com blackcity.net blackvault.com bmxtrix.com
freemail_domains boarderzone.com boatnerd.com bolbox.com bongmail.com bowl.com
freemail_domains butch-femme.org byke.com calle22.com cannabismail.com
freemail_domains catlovers.com certifiedbitches.com championboxing.com
freemail_domains chatway.com chillymail.com classprod.com classycouples.com
freemail_domains congiu.net coolshit.com corpusmail.com cyberunlimited.org
freemail_domains cycledata.com darkfear.com darkforces.com dirtythird.com
freemail_domains dopefiends.com draac.com drakmail.net dr-dre.com dreamstop.com
freemail_domains egypt.net emailfast.com envirocitizen.com escapeartist.com
freemail_domains ezsweeps.com famous.as farts.com feelingnaughty.com
freemail_domains firemyst.com freeonline.com fudge.com funkytimes.com
freemail_domains gamerssolution.com gazabo.net glittergrrrls.com goatrance.com
freemail_domains goddess.com gohip.com gospelcity.com gothicgirl.com
freemail_domains grapemail.net greatautos.org guy.com haitisurf.com
freemail_domains happyhippo.com hateinthebox.com houseofhorrors.com hugkiss.com
freemail_domains hullnumber.com idunno4recipes.com ihatenetscape.com
freemail_domains intimatefire.com irow.com jazzemail.com juanitabynum.com
freemail_domains kanoodle.com kickboxing.com kidrock.com kinkyemail.com
freemail_domains kool-things.com latinabarbie.com latinogreeks.com leesville.com
freemail_domains loveemail.com lowrider.com lucky7lotto.net madeniggaz.net
freemail_domains mailbomb.com marillion.net megarave.com mofa.com motley.com
freemail_domains music.com musician.net musicsites.com netbroadcaster.com
freemail_domains netfingers.com net-surf.com nocharge.com operationivy.com
freemail_domains paidoffers.net pcbee.com persian.com petrofind.com
freemail_domains phunkybitches.com pikaguam.com pinkcity.net pitbullmail.com
freemail_domains planetsmeg.com poop.com poormail.com potsmokersnet.com
freemail_domains primetap.com project420.com prolife.net puertoricowow.com
freemail_domains puppetweb.com rapstar.com rapworld.com rastamall.com ratedx.net
freemail_domains ravermail.com relapsecult.com remixer.com rockeros.com
freemail_domains romance106fm.com singalongcenter.com sketchyfriends.com
freemail_domains slayerized.com smartstocks.com soulja-beatz.org
freemail_domains specialoperations.com speedymail.net spells.com
freemail_domains streetracing.com subspacemail.com sugarray.com
freemail_domains superbikeclub.com superintendents.net surfguiden.com
freemail_domains sweetwishes.com tattoodesign.com teamster.net teenchatnow.com
freemail_domains the5thquarter.com theblackmarket.com tombstone.ws troamail.org
freemail_domains u2tours.com vitalogy.org whatisthis.com wrestlezone.com
# gawab.com
freemail_domains abha.cc agadir.cc ahsa.ws ajman.cc ajman.us ajman.ws albaha.cc
freemail_domains algerie.cc alriyadh.cc amman.cc aqaba.cc arar.ws aswan.cc
freemail_domains baalbeck.cc bahraini.cc banha.cc bizerte.cc blida.info
freemail_domains buraydah.cc cameroon.cc dhahran.cc dhofar.cc djibouti.cc
freemail_domains dominican.cc eritrea.cc falasteen.cc fujairah.cc fujairah.us
freemail_domains fujairah.ws gabes.cc gafsa.cc giza.cc guinea.cc hamra.cc
freemail_domains hasakah.com hebron.tv homs.cc ibra.cc irbid.ws ismailia.cc
freemail_domains jadida.cc jadida.org jerash.cc jizan.cc jouf.cc kairouan.cc
freemail_domains karak.cc khaimah.cc khartoum.cc khobar.cc kuwaiti.tv
freemail_domains kyrgyzstan.cc latakia.cc lebanese.cc lubnan.cc lubnan.ws
freemail_domains madinah.cc maghreb.cc manama.cc mansoura.tv marrakesh.cc
freemail_domains mascara.ws meknes.cc muscat.tv muscat.ws nabeul.cc nabeul.info
freemail_domains nablus.cc nador.cc najaf.cc omani.ws omdurman.cc oran.cc
freemail_domains oued.info oued.org oujda.biz oujda.cc pakistani.ws palmyra.cc
freemail_domains palmyra.ws portsaid.cc qassem.cc quds.cc rabat.cc rafah.cc
freemail_domains ramallah.cc safat.biz safat.info safat.us safat.ws salalah.cc
freemail_domains salmiya.biz sanaa.cc seeb.cc sfax.ws sharm.cc sinai.cc siria.cc
freemail_domains sousse.cc sudanese.cc suez.cc tabouk.cc tajikistan.cc
freemail_domains tangiers.cc tanta.cc tayef.cc tetouan.cc timor.cc tunisian.cc
freemail_domains urdun.cc yanbo.cc yemeni.cc yunus.cc zagazig.cc zambia.cc
# other
freemail_domains 5005.lv a.org.ua bmx.lv company.org.ua coolmail.ru dino.lv
freemail_domains eclub.lv e-mail.am fit.lv hacker.am human.lv iphon.biz
freemail_domains latchess.com loveis.lv lv-inter.net pookmail.com sexriga.lv
# Microsoft's new service 2013-10-18-khopesh
freemail_domains *.onmicrosoft.com
endif

60
sa-updates/20_freemail_mailcom_domains.cf Normal file
View File

@ -0,0 +1,60 @@
# SpamAssassin - Mail.com Freemail domains file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# List contains commonly abused end user mail providers
# "freemail" is solely used for label purposes.
# This dedicated list contains domains provided by mail.com
# Updated 2014-09-17-axb
ifplugin Mail::SpamAssassin::Plugin::FreeMail
freemail_domains accountant.com acdcfan.com activist.com adexec.com africamail.com aircraftmail.com allergist.com alumni.com alumnidirector.com angelic.com appraiser.net archaeologist.com arcticmail.com artlover.com asia-mail.com asia.com atheist.com auctioneer.net australiamail.com
freemail_domains bartender.net bellair.net berlin.com bikerider.com birdlover.com blader.com boardermail.com brazilmail.com brew-master.com brew-meister.com bsdmail.com
freemail_domains californiamail.com cash4u.com catlover.com cheerful.com chef.net chemist.com chinamail.com clerk.com clubmember.org collector.org columnist.com comic.com computer4u.com consultant.com contractor.net coolsite.net counsellor.com cutey.com cyber-wizard.com cyberdude.com cybergal.com cyberservices.com
freemail_domains dallasmail.com dbzmail.com deliveryman.com diplomats.com disciples.com discofan.com disposable.com doctor.com doglover.com doramail.com dr.com dublin.com dutchmail.com
freemail_domains elvisfan.com email.com engineer.com englandmail.com europe.com europemail.com execs.com
freemail_domains fastservice.com financier.com fireman.net
freemail_domains galaxyhit.com gardener.com geologist.com germanymail.com graduate.org graphic-designer.com greenmail.net groupmail.com
freemail_domains hackermail.com hairdresser.net hilarious.com hiphopfan.com homemail.com hot-shot.com housemail.com humanoid.net
freemail_domains iname.acom iname.com innocent.com inorbit.com instruction.com instructor.net insurer.com irelandmail.com israelmail.com italymail.com
freemail_domains job4u.com journalist.com
freemail_domains keromail.com kissfans.com kittymail.com koreamail.com
freemail_domains legislator.com linuxmail.org lobbyist.com lovecat.com
freemail_domains madonnafan.com mail-me.com mail.com marchmail.com metalfan.com mexicomail.com minister.com moscowmail.com munich.com musician.org muslim.com myself.com
freemail_domains net-shopping.com ninfan.com nonpartisan.com null.net nycmail.com
freemail_domains oath.com optician.com orthodontist.net
freemail_domains pacific-ocean.com pacificwest.com pediatrician.com petlover.com photographer.net physicist.net planetmail.com planetmail.net polandmail.com politician.com post.com presidency.com priest.com programmer.net protestant.com publicist.com
freemail_domains qualityservice.com
freemail_domains radiologist.net ravemail.com realtyagent.com reborn.com reggaefan.com registerednurses.com reincarnate.com religious.com repairman.com representative.com rescueteam.com rocketship.com
freemail_domains safrica.com saintly.com salesperson.net samerica.com sanfranmail.com scientist.com scotlandmail.com secretary.net snakebite.com socialworker.net sociologist.com solution4u.com songwriter.net spainmail.com surgical.net swedenmail.com swissmail.com
freemail_domains teachers.org tech-center.com techie.com technologist.com theplate.com therapist.net toke.com toothfairy.com torontomail.com tvstar.com
freemail_domains umpire.com usa.com uymail.com
freemail_domains webname.com worker.com workmail.com writeme.com
endif

601
sa-updates/20_head_tests.cf Normal file
View File

@ -0,0 +1,601 @@
# SpamAssassin rules file: header tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
###########################################################################
# partial messages; currently-theoretical attack
# unsurprisingly this hits 0/0 right now.
header FRAGMENTED_MESSAGE Content-Type =~ /\bmessage\/partial/i
describe FRAGMENTED_MESSAGE Partial message
tflags FRAGMENTED_MESSAGE userconf
###########################################################################
header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i
describe FROM_BLANK_NAME From: contains empty name
###########################################################################
# numeric address rules, these are written to avoid overlap with each other
header __FROM_ENDS_IN_NUMS From:addr =~ /\D\d{8,}\@/i
header FROM_STARTS_WITH_NUMS From:addr =~ /^\d{3,50}[^0-9\@]/
describe FROM_STARTS_WITH_NUMS From: starts with several numbers
# don't match US/Canada phone numbers: 10 digits optionally preceded by a "1"
header __FROM_ALL_NUMS From:addr =~ /^(?:\d{1,9}|[02-9]\d{10}|\d{12,})@/
###########################################################################
header FROM_OFFERS From:addr =~ /\@\S*offers(?![eo]n\b)/i
describe FROM_OFFERS From address is "at something-offers"
header FROM_NO_USER From =~ /(?:^\@|<\@| \@[^\)<]*$|<>)/ [if-unset: unset@unset.unset]
describe FROM_NO_USER From: has no local-part before @ sign
# also 100% valid
# bug 6149: avoid common .jp false positives
header __PLING_QUERY Subject =~ /\?.*!|!.*\?/
meta PLING_QUERY (__PLING_QUERY && !__ISO_2022_JP_DELIM)
describe PLING_QUERY Subject has exclamation mark and question mark
header MSGID_SPAM_CAPS Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
describe MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
header MSGID_SPAM_LETTERS Message-Id =~ /<[a-z]{5,}\@(\S+\.)+\S+>/
describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant)
# negative lookahead exempts this MUA from circa 1997-2000
# X-Mailer: Microsoft Outlook Express 4.71.1712.3
# Message-ID: <01bd45da$2649cdc0$LocalHost@andrew>
header __MSGID_DOLLARS_OK MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/
header __MSGID_DOLLARS_MAYBE MESSAGEID =~ /<\w{4,}\$\w{4,}\$(?!localhost)\w{4,}\@\S+>/i
meta MSGID_DOLLARS_RANDOM __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK
# bit of a ratware rule, but catches a bit more than just the one ratware
header __MSGID_RANDY Message-ID =~ /<[a-z\d][a-z\d\$-]{10,29}[a-z\d]\@[a-z\d][a-z\d.]{3,12}[a-z\d]>/
# heuristic to eliminate most good Message-ID formats
header __MSGID_OK_HEX Message-ID =~ /\b[a-f\d]{8}\b/
header __MSGID_OK_DIGITS Message-ID =~ /\d{10}/
header __MSGID_OK_HOST Message-ID =~ /\@(?:\D{2,}|(?:\d{1,3}\.){3}\d{1,3})>/
meta MSGID_RANDY (__MSGID_RANDY && !(__MSGID_OK_HEX || __MSGID_OK_DIGITS || __MSGID_OK_HOST))
describe MSGID_RANDY Message-Id has pattern used in spam
# bug 3395
header MSGID_YAHOO_CAPS Message-ID =~ /<[A-Z]+\@yahoo.com>/
describe MSGID_YAHOO_CAPS Message-ID has ALLCAPS@yahoo.com
###########################################################################
header __AT_AOL_MSGID MESSAGEID =~ /\@aol\.com\b/i
header __FROM_AOL_COM From =~ /\@aol\.com\b/i
meta FORGED_MSGID_AOL (__AT_AOL_MSGID && !__FROM_AOL_COM)
describe FORGED_MSGID_AOL Message-ID is forged, (aol.com)
header __AT_EXCITE_MSGID MESSAGEID =~ /\@excite\.com\b/i
header __MY_RCVD_EXCITE Received =~ /\.excite\.com\b/i
meta FORGED_MSGID_EXCITE (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)
describe FORGED_MSGID_EXCITE Message-ID is forged, (excite.com)
header __AT_HOTMAIL_MSGID MESSAGEID =~ /\@hotmail\.com\b/i
header __FROM_HOTMAIL_COM From =~ /\@hotmail\.com\b/i
meta FORGED_MSGID_HOTMAIL (__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))
describe FORGED_MSGID_HOTMAIL Message-ID is forged, (hotmail.com)
header __AT_MSN_MSGID MESSAGEID =~ /\@msn\.com\b/i
header __FROM_MSN_COM From =~ /\@msn\.com\b/i
meta FORGED_MSGID_MSN (__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))
describe FORGED_MSGID_MSN Message-ID is forged, (msn.com)
header __AT_YAHOO_MSGID MESSAGEID =~ /\@yahoo\.com\b/i
header __FROM_YAHOO_COM From =~ /\@yahoo\.com\b/i
meta FORGED_MSGID_YAHOO (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)
describe FORGED_MSGID_YAHOO Message-ID is forged, (yahoo.com)
###########################################################################
header __MSGID_BEFORE_RECEIVED ALL =~ /^Message-Id:.*?^Received:/msi
header __MSGID_BEFORE_OKAY Message-Id =~ /\@[a-z0-9.-]+\.(?:yahoo|wanadoo)(?:\.[a-z]{2,3}){1,2}>/
meta MSGID_FROM_MTA_HEADER (__MSGID_BEFORE_RECEIVED && !__MSGID_BEFORE_OKAY && !__FROM_HOTMAIL_COM)
describe MSGID_FROM_MTA_HEADER Message-Id was added by a relay
header MSGID_SHORT MESSAGEID =~ /^.{1,15}$|<.{0,4}\@/
describe MSGID_SHORT Message-ID is unusually short
#DEMOTED TO SANDBOX - 2012-03-21
#header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
#describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
###########################################################################
header DATE_SPAMWARE_Y2K Date =~ /^[A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} [0-6]\d \d\d:\d\d:\d\d [A-Z]{3}$/
describe DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting
# as noted on the dev@ list, ":60" is valid for seconds when there's a leap
# second (12/31/2005 for instance), so let's accept that as valid. ISO 8601
# apparently allows for it.
# there were a few whitespace issues in the original RE, and I wanted to avoid my
# two common, but yes invalid, date headers. specifically / \(GMT\)$/ and
# / 0000 GMT$/. dos has / "GMT"$/ - tvd
# 2.229 2.7267 0.0517 0.981 0.86 0.00 INVALID_DATE
# 2.263 2.7486 0.1368 0.953 0.78 0.00 INVALID_DATE_OLD
#
# WRT the tests, remember that ok and fail are reversed -- so valid dates
# should be "fail" and invalid dates should be "ok".
header INVALID_DATE Date !~ /^\s*(?:(?i:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s)?\s*(?:[12]\d|3[01]|0?[1-9])\s+(?i:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\s+(?:19[7-9]\d|2\d{3})\s+(?:[01]?\d|2[0-3])\:[0-5]\d(?::(?:[0-5]\d|60))?(?:\s+[AP]M)?(?:\s+(?:[+-][0-9]{4}|UT|[A-Z]{2,3}T|0000 GMT|"GMT"))?(?:\s*\(.*\))?\s*$/ [if-unset: Wed, 31 Jul 2002 16:41:57 +0200]
describe INVALID_DATE Invalid Date: header (not RFC 2822)
test INVALID_DATE fail Sat, 31 Dec 2005 23:59:60 -0500
test INVALID_DATE fail Wed, 31 Jul 2002 16:41:57 +0200
test INVALID_DATE fail Sat, 31 Dec 2005 23:00:00
test INVALID_DATE ok Sat, 31 Dec 2005 24:00:00 -0500
test INVALID_DATE ok Thurs, 31 Jul 2002 16:41:57 +0200
# allow +1300, NZ timezone
header INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}$/
describe INVALID_DATE_TZ_ABSURD Invalid Date: header (timezone does not exist)
header INVALID_TZ_CST ALL =~ /[+-]\d\d[30]0(?<!-0600|-0500|\+0800|\+0930|\+1030)\s+(?:\bCST\b|\(CST\))/
describe INVALID_TZ_CST Invalid date in header (wrong CST timezone)
header INVALID_TZ_EST ALL =~ /[+-]\d\d[30]0(?<!-0500|-0300|\+1000|\+1100)\s+(?:\bEST\b|\(EST\))/
describe INVALID_TZ_EST Invalid date in header (wrong EST timezone)
###########################################################################
# MIME encoding with spam characteristics
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
meta __SUBJECT_NEEDS_MIME __SUBJ_ILLEGAL_CHARS
endif
header __SUBJECT_ENCODED_QP Subject:raw =~ /=\?\S+\?Q\?/i
header __SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i
header __FROM_NEEDS_MIME From:name:raw =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __FROM_NEEDS_MIME2 From:name =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __FROM_ENCODED_QP From:raw =~ /=\?\S+\?Q\?/i
header __FROM_ENCODED_B64 From:raw =~ /=\?\S+\?B\?/i
meta FROM_EXCESS_BASE64 __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME2
describe FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
###########################################################################
# ADV tags in various languages
header ENGLISH_UCE_SUBJECT Subject =~ /^[^0-9a-z]*adv(?:ert)?\b/i
describe ENGLISH_UCE_SUBJECT Subject contains an English UCE tag
# alan premselaar <alien@12inch.com>, see SpamAssassin-talk list 2003-03
# quinlan: 2003-03-23 here are more generic Japanese iso-2022-jp codes
# ("not yet acceptance" or "email") + "announcement"
# FWIW, according to Peter Evans, this should be sufficient to catch the
# UCE tag and a common attempt at evasion (using the "sue" instead of
# "mi" Chinese character). 2006-10-12: updated by bug 4021.
header JAPANESE_UCE_SUBJECT Subject =~ /\e\$B.*(?:L\$>5Bz|EE;R%a!<%k)(?:8x|9-)9p/
describe JAPANESE_UCE_SUBJECT Subject contains a Japanese UCE tag
# check body for "shou nin daku kou koku" UCE tag (bug 4021)
body __JAPANESE_UCE_BODY /(?:L\$>5Bz|EE;R%a!<%k)(?:8x|9-)9p/
meta JAPANESE_UCE_BODY (__ISO_2022_JP_DELIM && __JAPANESE_UCE_BODY)
describe JAPANESE_UCE_BODY Body contains Japanese UCE tag
# quinlan: "advertisement" in Russian KOI8-R
# (no longer common, but worth noting in future)
#header RUSSIAN_UCE_SUBJECT Subject =~ /\xf0\xe5\xea\xeb\xe0\xec\xf3/
#describe RUSSIAN_UCE_SUBJECT Subject contains a Russian UCE tag
# Korean UCE Subject: lines are usually 8-bit, but are occasionally encoded
# with quoted-printable or base64.
#
# \xbc\xba\xc0\xce means "adult"
# \xb1\xa4\xb0\xed means "advertisement"
# \xc1\xa4\xba\xb8 means "information"
# \xc8\xab\xba\xb8 means "publicity"
#
# Each two byte sequence is one Korean letter; the spaces and periods are
# sometimes used to obscure the words. \xb1\xa4\xb0\xed is the most common
# tag and is sometimes very obscured so we look harder.
#
header KOREAN_UCE_SUBJECT Subject =~ /[({[<][. ]*(?-i:\xbc\xba[. ]*\xc0\xce[. ]*)?(?-i:\xb1\xa4(?:[. ]*|[\x00-\x7f]{0,3})\xb0\xed|\xc1\xa4[. ]*\xba\xb8|\xc8\xab[. ]*\xba\xb8)[. ]*[)}\]>]/
describe KOREAN_UCE_SUBJECT Subject: contains Korean unsolicited email tag
###########################################################################
# two reliable signatures
header __DOUBLE_IP_SPAM_1 Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with/
header __DOUBLE_IP_SPAM_2 Received =~ /from\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+by\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};/
# loose match
header __DOUBLE_IP_LOOSE Received =~ /(?:\b(?:from|by)\b.{1,4}\b\d{1,3}[._-]\d{1,3}[._-]\d{1,3}[._-]\d{1,3}(?<!127\.0\.0\.1)\b.{0,4}){2}/i
# spam signature
meta RCVD_DOUBLE_IP_SPAM (__DOUBLE_IP_SPAM_1 || __DOUBLE_IP_SPAM_2)
describe RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
# other matches
meta RCVD_DOUBLE_IP_LOOSE (__DOUBLE_IP_LOOSE && !RCVD_DOUBLE_IP_SPAM)
describe RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses
header FORGED_TELESP_RCVD Received =~ /\.(?!br).. \(\d+-\d+-\d+-\d+\.dsl\.telesp\.net\.br /
describe FORGED_TELESP_RCVD Contains forged hostname for a DSL IP in Brazil
# forgery meta-rules: more reliable than their inputs
meta CONFIRMED_FORGED (__FORGED_RCVD_TRAIL && (__FORGED_AOL_RCVD || __FORGED_HOTMAIL_RCVD || __FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || __FORGED_JUNO_RCVD || FORGED_GMAIL_RCVD))
describe CONFIRMED_FORGED Received headers are forged
meta MULTI_FORGED ((__FORGED_AOL_RCVD + __FORGED_HOTMAIL_RCVD + __FORGED_EUDORAMAIL_RCVD + FORGED_YAHOO_RCVD + __FORGED_JUNO_RCVD + FORGED_GMAIL_RCVD) > 1)
describe MULTI_FORGED Received headers indicate multiple forgeries
header NONEXISTENT_CHARSET Content-Type =~ /charset=.?DEFAULT/
describe NONEXISTENT_CHARSET Character set doesn't exist
header __HAS_MESSAGE_ID exists:Message-Id
meta MISSING_MID !__HAS_MESSAGE_ID
describe MISSING_MID Missing Message-Id: header
header __HAS_DATE exists:Date
meta MISSING_DATE !__HAS_DATE
describe MISSING_DATE Missing Date: header
header __HAS_SUBJECT exists:Subject
meta MISSING_SUBJECT !__HAS_SUBJECT
describe MISSING_SUBJECT Missing Subject: header
# bug 6353
header __HAS_FROM exists:From
meta MISSING_FROM !__HAS_FROM
describe MISSING_FROM Missing From: header
# bug 6149: avoid common .jp false positives
header __GAPPY_SUBJECT Subject =~ /\b(?:[a-z]([-_. =~\/:,*!\@\#\$\%\^&+;\"\'<>\\])\1{0,2}){4}/i
meta GAPPY_SUBJECT (__GAPPY_SUBJECT && !__ISO_2022_JP_DELIM)
describe GAPPY_SUBJECT Subject: contains G.a.p.p.y-T.e.x.t
### header existence tests (description is added automatically)
# X-Fix example: NTMail fixed non RFC822 compliant EMail message
#
# X-PMFLAGS is all caps
#
# Headers that seem to only be used by a single spamming software and
# are found together in the same message:
# 1. X-MailingID and X-ServerHost
# 2. X-Stormpost-To and X-List-Unsubscribe
#
# not spammish: X-EM-Registration, X-EM-Version, X-Antiabuse, X-List-Host,
# X-Message-Id
# bad FP rate: Comment, Date-warning
header PREVENT_NONDELIVERY exists:Prevent-NonDelivery-Report
describe PREVENT_NONDELIVERY Message has Prevent-NonDelivery-Report header
header X_IP exists:X-IP
describe X_IP Message has X-IP header
header __HAS_MIMEOLE exists:X-MimeOLE
header __HAS_MSMAIL_PRI exists:X-MSMail-Priority
header __HAS_SQUIRRELMAIL_IN_MAILER X-Mailer =~ /SquirrelMail\b/
# Ever growing Office version list without X-MimeOLE, bug 6346, 7122, 7463.
header __HAS_OFFICE1214_IN_MAILER X-Mailer =~ /^Microsoft (?:Office )?Outlook 1[2456]\.0/
# CGP MAPI module fingerprint, to protect from MISSING_MIMEOLE
header __HAS_CGP_MAPI_IN_MAILER X-Mailer =~ /CommuniGate Pro MAPI/
meta MISSING_MIMEOLE (__HAS_MSMAIL_PRI && !__HAS_MIMEOLE && !__HAS_SQUIRRELMAIL_IN_MAILER && !__HAS_OFFICE1214_IN_MAILER && !__HAS_CGP_MAPI_IN_MAILER && !__HDR_RCVD_TONLINEDE && !__MIME_BASE64 && !__DKIM_EXISTS)
describe MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
header __HAS_X_MAILER exists:X-Mailer
header __IS_EXCH X-MimeOLE =~ /Produced By Microsoft Exchange V/
header SUBJ_AS_SEEN Subject =~ /\bAs Seen/i
describe SUBJ_AS_SEEN Subject contains "As Seen"
header SUBJ_DOLLARS Subject =~ /^\$[0-9.,]+\b/
describe SUBJ_DOLLARS Subject starts with dollar amount
#DISABLING DUE TO POOR S/O 2012-09-27
#header SUBJ_YOUR_DEBT Subject =~ /Your (?:Bills|Debt|Credit)/i
#describe SUBJ_YOUR_DEBT Subject contains "Your Bills" or similar
header SUBJ_YOUR_FAMILY Subject =~ /Your Family/i
describe SUBJ_YOUR_FAMILY Subject contains "Your Family"
# the real services never HELO as 'foo.com', instead 'mail.foo.com' or
# something like that. Note: be careful when expanding this... legit dotcom
# HELOers include: hotmail.com, drizzle.com, lockergnome.com.
header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m
describe RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname
header SUBJECT_DIET Subject =~ /\bLose .*(?:pounds|lbs|weight)/i
describe SUBJECT_DIET Subject talks about losing pounds
# MIME boundary tests; spam tools use distinctive patterns.
header MIME_BOUND_DD_DIGITS Content-Type =~ /boundary=\"--\d+\"/
describe MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
header MIME_BOUND_DIGITS_15 Content-Type =~ /boundary=\"\d{15,}\"/
describe MIME_BOUND_DIGITS_15 Spam tool pattern in MIME boundary
header MIME_BOUND_MANY_HEX Content-Type =~ /boundary="[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}"/
describe MIME_BOUND_MANY_HEX Spam tool pattern in MIME boundary
# note: the first alternation is anchored for speed
header TO_MALFORMED To !~ /(?:^|[^\S"])(?:(?:\"[^\"]+\"|\S+)\@\S+\.\S+|^\s*.+:\s*;|^\s*\"[^\"]+\":\s*;|^\s*\([^\)]*\)\s*$|<\S+(?:\!\S+){1,}>|^\s*$)/ [if-unset: unset@unset.unset]
describe TO_MALFORMED To: has a malformed address
header __CD exists:Content-Disposition
header __CT exists:Content-Type
header __CTE exists:Content-Transfer-Encoding
header __MIME_VERSION exists:MIME-Version
header __CT_TEXT_PLAIN Content-Type =~ /^text\/plain\b/i
meta MIME_HEADER_CTYPE_ONLY (!__CD && !__CTE && __CT && !__MIME_VERSION && !__CT_TEXT_PLAIN)
describe MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
header WITH_LC_SMTP Received =~ /\swith\ssmtp;\s/
describe WITH_LC_SMTP Received line contains spam-sign (lowercase smtp)
header SUBJ_BUY Subject =~ /^buy/i
describe SUBJ_BUY Subject line starts with Buy or Buying
# seems to be ratware
header RCVD_AM_PM Received =~ /; [A-Z][a-z][a-z], \d{1,2} \d{4} \d{1,2}:\d\d:\d\d [AP]M [+-]\d{4}/
describe RCVD_AM_PM Received headers forged (AM/PM)
header __USER_AGENT_MSN X-Mailer =~ /^MSN Explorer /
# host no longer exists according to administrator
header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
# thanks to David Ritz for passing this on
header UNCLOSED_BRACKET ALL =~ /\[\d+\r?\n/s
describe UNCLOSED_BRACKET Headers contain an unclosed bracket
header FROM_DOMAIN_NOVOWEL From =~ /\@\S*[bcdfgjklmnpqrstvwxz]{7}/i
describe FROM_DOMAIN_NOVOWEL From: domain has series of non-vowel letters
tflags FROM_DOMAIN_NOVOWEL userconf # lock scores low
header FROM_LOCAL_NOVOWEL From =~ /[bcdfgjklmnpqrstvwxz]{7}\S*\@/i
describe FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
tflags FROM_LOCAL_NOVOWEL userconf # lock scores low
header FROM_LOCAL_HEX From =~ /[0-9a-f]{11}\S*\@/i
describe FROM_LOCAL_HEX From: localpart has long hexadecimal sequence
header FROM_LOCAL_DIGITS From =~ /\d{11}\S*\@/i
describe FROM_LOCAL_DIGITS From: localpart has long digit sequence
header __TOCC_EXISTS exists:ToCc
header X_PRIORITY_CC ALL =~ /^X-Priority:[^\n]{0,80}^Cc:/msi
describe X_PRIORITY_CC Cc: after X-Priority: (bulk email fingerprint)
# catch non-RFC2047 compliant messages
# Apple Mail has a bug where headers will have whitespace around the encoded
# text, so try to ignore that
header BAD_ENC_HEADER ALL:raw =~ /=\?[^?\s]+\?[^?\s]\?\s*[^?]+\s(?!\?=)/
describe BAD_ENC_HEADER Message has bad MIME encoding in the header
header __ML1 Precedence =~ m{\b(list|bulk)\b}i
header __ML2 exists:List-Id
header __ML3 exists:List-Post
header __ML4 exists:Mailing-List
header __ML5 Return-Path:addr =~ m{^([^\@]+-(request|bounces|admin|owner)|owner-[^\@]+)(\@|\z)}i
meta __VIA_ML __ML1 || __ML2 || __ML3 || __ML4 || __ML5
describe __VIA_ML Mail from a mailing list
# some clueless mailing lists (like zmailer with an RFC822TABS option on)
# are replacing a leading space by a TAB in header fields From, To,
# Cc, Date (Bug 6429)
header __ML_TURNS_SP_TO_TAB Received =~ /\(ORCPT <rfc822;/
describe __ML_TURNS_SP_TO_TAB A mailing list changing a space to a TAB
# must keep it in sync with https://www.iana.org/assignments/ipv4-address-space/
header RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )(?:(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\.|(?:\d+\.){0,3}(?!(?:2(?:[0-4]\d|5[0-5])|[01]?\d\d?)\b))/
describe RCVD_ILLEGAL_IP Received: contains illegal IP address
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header __FORGED_AOL_RCVD eval:check_for_fake_aol_relay_in_rcvd()
header CHARSET_FARAWAY_HEADER eval:check_for_faraway_charset_in_headers()
describe CHARSET_FARAWAY_HEADER A foreign language charset used in headers
tflags CHARSET_FARAWAY_HEADER userconf
###################################################################
# illegal characters that should be MIME encoded
# might want to exempt users using languages that don't use Latin
# alphabets, but do it in the eval
header __SUBJ_ILLEGAL_CHARS eval:check_illegal_chars('Subject','0.00','2')
meta SUBJ_ILLEGAL_CHARS (__SUBJ_ILLEGAL_CHARS && !__FROM_YAHOO_COM)
describe SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters
header FROM_ILLEGAL_CHARS eval:check_illegal_chars('From','0.20','2')
describe FROM_ILLEGAL_CHARS From: has too many raw illegal characters
header __HEAD_ILLEGAL_CHARS eval:check_illegal_chars('ALL','0.010','2')
meta HEAD_ILLEGAL_CHARS __HEAD_ILLEGAL_CHARS && !__SUBJ_ILLEGAL_CHARS && !FROM_ILLEGAL_CHARS
describe HEAD_ILLEGAL_CHARS Headers have too many raw illegal characters
###################################################################
# a forged Hotmail message; host HELO'd as hotmail.com, but it wasn't
header __FORGED_HOTMAIL_RCVD eval:check_for_forged_hotmail_received_headers()
# this, by comparison is more common: from was @hotmail.com, but it wasn't
header FORGED_HOTMAIL_RCVD2 eval:check_for_no_hotmail_received_headers()
describe FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
header __FORGED_EUDORAMAIL_RCVD eval:check_for_forged_eudoramail_received_headers()
header FORGED_YAHOO_RCVD eval:check_for_forged_yahoo_received_headers()
describe FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
if (version >= 3.004002)
header FORGED_GMAIL_RCVD eval:check_for_forged_gmail_received_headers()
describe FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers
endif
header __FORGED_JUNO_RCVD eval:check_for_forged_juno_received_headers()
header SORTED_RECIPS eval:sorted_recipients()
describe SORTED_RECIPS Recipient list is sorted by address
header SUSPICIOUS_RECIPS eval:similar_recipients('0.65','undef')
describe SUSPICIOUS_RECIPS Similar addresses in recipient list
# this is a quite common false positive, as it's legal to remove a To but leave
# a CC. so don't score it high.
header MISSING_HEADERS eval:check_for_missing_to_header()
describe MISSING_HEADERS Missing To: header
header DATE_IN_PAST_03_06 eval:check_for_shifted_date('-6', '-3')
describe DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
header DATE_IN_PAST_06_12 eval:check_for_shifted_date('-12', '-6')
describe DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
header DATE_IN_PAST_12_24 eval:check_for_shifted_date('-24', '-12')
describe DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
header DATE_IN_PAST_24_48 eval:check_for_shifted_date('-48', '-24')
describe DATE_IN_PAST_24_48 Date: is 24 to 48 hours before Received: date
header DATE_IN_PAST_96_XX eval:check_for_shifted_date('undef', '-96')
describe DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date
header DATE_IN_FUTURE_03_06 eval:check_for_shifted_date('3', '6')
describe DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
header DATE_IN_FUTURE_06_12 eval:check_for_shifted_date('6', '12')
describe DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
header DATE_IN_FUTURE_12_24 eval:check_for_shifted_date('12', '24')
describe DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
header DATE_IN_FUTURE_24_48 eval:check_for_shifted_date('24', '48')
describe DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after Received: date
header DATE_IN_FUTURE_48_96 eval:check_for_shifted_date('48', '96')
describe DATE_IN_FUTURE_48_96 Date: is 48 to 96 hours after Received: date
#header DATE_IN_FUTURE_96_XX eval:check_for_shifted_date('96', 'undef')
meta DATE_IN_FUTURE_96_XX (0)
describe DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date
header UNRESOLVED_TEMPLATE eval:check_unresolved_template()
describe UNRESOLVED_TEMPLATE Headers contain an unresolved template
header SUBJ_ALL_CAPS eval:subject_is_all_caps()
describe SUBJ_ALL_CAPS Subject is all capitals
header LOCALPART_IN_SUBJECT eval:check_for_to_in_subject('user')
describe LOCALPART_IN_SUBJECT Local part of To: address appears in Subject
header MSGID_OUTLOOK_INVALID eval:check_outlook_message_id()
describe MSGID_OUTLOOK_INVALID Message-Id is fake (in Outlook Express format)
header HEADER_COUNT_CTYPE eval:check_header_count_range('Content-Type','2','999')
describe HEADER_COUNT_CTYPE Multiple Content-Type headers found
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# this is also mostly-theoretical, so allow 0 hits
header HEAD_LONG eval:check_msg_parse_flags('truncated_header')
describe HEAD_LONG Message headers are very long
tflags HEAD_LONG userconf
header MISSING_HB_SEP eval:check_msg_parse_flags('missing_head_body_separator')
describe MISSING_HB_SEP Missing blank line between message header and body
tflags MISSING_HB_SEP userconf
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::RelayEval
header __UNPARSEABLE_RELAY_COUNT eval:check_relays_unparseable()
tflags __UNPARSEABLE_RELAY_COUNT userconf
meta UNPARSEABLE_RELAY (__UNPARSEABLE_RELAY_COUNT >= 1)
tflags UNPARSEABLE_RELAY userconf
describe UNPARSEABLE_RELAY Informational: message has unparseable relay lines
header RCVD_HELO_IP_MISMATCH eval:helo_ip_mismatch()
describe RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
# not used directly right now due to FPs; but CONFIRMED_FORGED turns it
# into a 1.0 S/O rule anyway, so that's not a problem ;)
# 2.626 3.6340 1.5251 0.704 0.34 1.44 FORGED_RCVD_TRAIL
# 0.956 3.3890 0.0000 1.000 0.98 4.30 CONFIRMED_FORGED
header __FORGED_RCVD_TRAIL eval:check_for_forged_received_trail()
header NO_RDNS_DOTCOM_HELO eval:check_for_no_rdns_dotcom_helo()
describe NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
endif
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header __ENV_AND_HDR_FROM_MATCH eval:check_for_matching_env_and_hdr_from()
endif

238
sa-updates/20_html_tests.cf Normal file
View File

@ -0,0 +1,238 @@
# SpamAssassin rules file: HTML tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
# HTML parser tests
#
# please sort these by eval type then name
meta HTML_SHORT_LINK_IMG_1 __HTML_LENGTH_0000_1024 && __HTML_LINK_IMAGE
meta HTML_SHORT_LINK_IMG_2 __HTML_LENGTH_1024_1536 && __HTML_LINK_IMAGE
meta HTML_SHORT_LINK_IMG_3 __HTML_LENGTH_1536_2048 && __HTML_LINK_IMAGE
describe HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
describe HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image
describe HTML_SHORT_LINK_IMG_3 HTML is very short with a linked image
meta HTML_SHORT_CENTER (__HTML_LENGTH_384 && __TAG_EXISTS_CENTER)
describe HTML_SHORT_CENTER HTML is very short with CENTER tag
meta HTML_TITLE_SUBJ_DIFF __HTML_TITLE_SUBJ_DIFF && !__MIME_ATTACHMENT
meta HTML_CHARSET_FARAWAY (__HTML_CHARSET_FARAWAY && __HIGHBITS)
describe HTML_CHARSET_FARAWAY A foreign language charset used in HTML markup
tflags HTML_CHARSET_FARAWAY userconf
meta HTML_MIME_NO_HTML_TAG MIME_HTML_ONLY && !__TAG_EXISTS_HTML
describe HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
meta HTML_MISSING_CTYPE (!__MIME_HTML && HTML_MESSAGE)
describe HTML_MISSING_CTYPE Message is HTML without HTML Content-Type
###########################################################################
# rawbody HTML tests
rawbody HIDE_WIN_STATUS /<[^>]{1,1000}onMouseOver=[^>]{1,1000}window\.status=/i
describe HIDE_WIN_STATUS Javascript to hide URLs in browser
rawbody __OBFUSCATING_COMMENT_A /\w(?:<![^>]*>)+\w/
rawbody __OBFUSCATING_COMMENT_B /[^\s>](?:<![^>]*>)+[^\s<]/
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
meta OBFUSCATING_COMMENT ((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIM
describe OBFUSCATING_COMMENT HTML comments which obfuscate text
endif
endif
# spams that are assembled from a Javascript array
# look for the XOR op
rawbody __JS_FROMCHARCODE /String\.fromCharCode\s*\(\s*\S+\s*\[\s*\S+\s*\]\s*\^/
rawbody __JS_DOCWRITE /document\.write/
meta JS_FROMCHARCODE (__JS_FROMCHARCODE && __JS_DOCWRITE)
describe JS_FROMCHARCODE Document is built from a Javascript charcode array
# a good possible rule that may resurface
# ! $ % ' ( ) , - . / : ; = ? @ _
#rawbody ENTITY_DEC_OTHER /\&\#0*(?:3[3679]|4[014567]|5[89]|6[134]|95)\;/
#describe ENTITY_DEC_OTHER HTML contains needlessly encoded punctuation
body __HIGHBITS /(?:[\x80-\xff].?){4}/
# note: __HIGHBITS is used by HTML_CHARSET_FARAWAY
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
# HTML control test, HTML spam rules should all have better S/O than this
body HTML_MESSAGE eval:html_test('html')
describe HTML_MESSAGE HTML included in message
# HTML comment tests
body HTML_COMMENT_SHORT eval:html_text_match('comment', '<!(?!-).{0,6}>')
describe HTML_COMMENT_SHORT HTML comment is very short
body HTML_COMMENT_SAVED_URL eval:html_text_match('comment', '<!-- saved from url=\(\d{4}\)')
describe HTML_COMMENT_SAVED_URL HTML message is a saved web page
body HTML_EMBEDS eval:html_test('embeds')
describe HTML_EMBEDS HTML with embedded plugin object
body HTML_EXTRA_CLOSE eval:html_range('closed_extra_ratio', '0.09', 'inf')
describe HTML_EXTRA_CLOSE HTML contains far too many close tags
body HTML_FONT_SIZE_LARGE eval:html_range('max_size', '5', '6')
describe HTML_FONT_SIZE_LARGE HTML font size is large
body HTML_FONT_SIZE_HUGE eval:html_range('max_size', '6', 'inf')
describe HTML_FONT_SIZE_HUGE HTML font size is huge
body HTML_FONT_LOW_CONTRAST eval:html_test('font_low_contrast')
describe HTML_FONT_LOW_CONTRAST HTML font color similar or identical to background
body HTML_FONT_FACE_BAD eval:html_test('font_face_bad')
describe HTML_FONT_FACE_BAD HTML font face is not a word
body HTML_FORMACTION_MAILTO eval:html_test('form_action_mailto')
describe HTML_FORMACTION_MAILTO HTML includes a form which sends mail
# HTML_IMAGE_ONLY - not much raw HTML with images (absolute)
body HTML_IMAGE_ONLY_04 eval:html_image_only('0000','0400')
body HTML_IMAGE_ONLY_08 eval:html_image_only('0400','0800')
body HTML_IMAGE_ONLY_12 eval:html_image_only('0800','1200')
body HTML_IMAGE_ONLY_16 eval:html_image_only('1200','1600')
body HTML_IMAGE_ONLY_20 eval:html_image_only('1600','2000')
body HTML_IMAGE_ONLY_24 eval:html_image_only('2000','2400')
body HTML_IMAGE_ONLY_28 eval:html_image_only('2400','2800')
body HTML_IMAGE_ONLY_32 eval:html_image_only('2800','3200')
describe HTML_IMAGE_ONLY_04 HTML: images with 0-400 bytes of words
describe HTML_IMAGE_ONLY_08 HTML: images with 400-800 bytes of words
describe HTML_IMAGE_ONLY_12 HTML: images with 800-1200 bytes of words
describe HTML_IMAGE_ONLY_16 HTML: images with 1200-1600 bytes of words
describe HTML_IMAGE_ONLY_20 HTML: images with 1600-2000 bytes of words
describe HTML_IMAGE_ONLY_24 HTML: images with 2000-2400 bytes of words
describe HTML_IMAGE_ONLY_28 HTML: images with 2400-2800 bytes of words
describe HTML_IMAGE_ONLY_32 HTML: images with 2800-3200 bytes of words
# HTML_IMAGE_RATIO - more image area than text (ratio)
body HTML_IMAGE_RATIO_02 eval:html_image_ratio('0.000','0.002')
body HTML_IMAGE_RATIO_04 eval:html_image_ratio('0.002','0.004')
body HTML_IMAGE_RATIO_06 eval:html_image_ratio('0.004','0.006')
body HTML_IMAGE_RATIO_08 eval:html_image_ratio('0.006','0.008')
describe HTML_IMAGE_RATIO_02 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_04 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_06 HTML has a low ratio of text to image area
describe HTML_IMAGE_RATIO_08 HTML has a low ratio of text to image area
# HTML obfuscation
body HTML_OBFUSCATE_05_10 eval:html_range('obfuscation_ratio','.05','.1')
body HTML_OBFUSCATE_10_20 eval:html_range('obfuscation_ratio','.1','.2')
body HTML_OBFUSCATE_20_30 eval:html_range('obfuscation_ratio','.2','.3')
body HTML_OBFUSCATE_30_40 eval:html_range('obfuscation_ratio','.3','.4')
body HTML_OBFUSCATE_50_60 eval:html_range('obfuscation_ratio','.5','.6')
body HTML_OBFUSCATE_70_80 eval:html_range('obfuscation_ratio','.7','.8')
body HTML_OBFUSCATE_90_100 eval:html_range('obfuscation_ratio','.9','1.0')
describe HTML_OBFUSCATE_05_10 Message is 5% to 10% HTML obfuscation
describe HTML_OBFUSCATE_10_20 Message is 10% to 20% HTML obfuscation
describe HTML_OBFUSCATE_20_30 Message is 20% to 30% HTML obfuscation
describe HTML_OBFUSCATE_30_40 Message is 30% to 40% HTML obfuscation
describe HTML_OBFUSCATE_50_60 Message is 50% to 60% HTML obfuscation
describe HTML_OBFUSCATE_70_80 Message is 70% to 80% HTML obfuscation
describe HTML_OBFUSCATE_90_100 Message is 90% to 100% HTML obfuscation
body HTML_TAG_BALANCE_BODY eval:html_tag_balance('body', '!= 0')
describe HTML_TAG_BALANCE_BODY HTML has unbalanced "body" tags
body HTML_TAG_BALANCE_HEAD eval:html_tag_balance('head', '!= 0')
describe HTML_TAG_BALANCE_HEAD HTML has unbalanced "head" tags
body HTML_TAG_EXIST_BGSOUND eval:html_tag_exists('bgsound')
describe HTML_TAG_EXIST_BGSOUND HTML has "bgsound" tag
# percentage of tags that are not legal elements in HTML
body HTML_BADTAG_40_50 eval:html_range('bad_tag_ratio','0.40','0.50')
body HTML_BADTAG_50_60 eval:html_range('bad_tag_ratio','0.50','0.60')
body HTML_BADTAG_60_70 eval:html_range('bad_tag_ratio','0.60','0.70')
body HTML_BADTAG_90_100 eval:html_range('bad_tag_ratio','0.90','1.00')
describe HTML_BADTAG_40_50 HTML message is 40% to 50% bad tags
describe HTML_BADTAG_50_60 HTML message is 50% to 60% bad tags
describe HTML_BADTAG_60_70 HTML message is 60% to 70% bad tags
describe HTML_BADTAG_90_100 HTML message is 90% to 100% bad tags
# percentage of unique non-elements in HTML
body HTML_NONELEMENT_30_40 eval:html_range('non_element_ratio','0.30','0.40')
body HTML_NONELEMENT_40_50 eval:html_range('non_element_ratio','0.40','0.50')
body HTML_NONELEMENT_60_70 eval:html_range('non_element_ratio','0.60','0.70')
body HTML_NONELEMENT_80_90 eval:html_range('non_element_ratio','0.80','0.90')
describe HTML_NONELEMENT_30_40 30% to 40% of HTML elements are non-standard
describe HTML_NONELEMENT_40_50 40% to 50% of HTML elements are non-standard
describe HTML_NONELEMENT_60_70 60% to 70% of HTML elements are non-standard
describe HTML_NONELEMENT_80_90 80% to 90% of HTML elements are non-standard
# short HTML messages with certain attributes
body __HTML_LINK_IMAGE eval:html_text_match('anchor', '<img>')
body __HTML_LENGTH_0000_1024 eval:html_range('length', '0', '1024')
body __HTML_LENGTH_1024_1536 eval:html_range('length', '1024', '1536')
body __HTML_LENGTH_1536_2048 eval:html_range('length', '1536', '2048')
body __HTML_LENGTH_512 eval:html_eval('length', '< 512')
body __COMMENT_EXISTS eval:html_text_match('comment', '<!.*?>')
body __HTML_LENGTH_384 eval:html_eval('length', '< 384')
body __TAG_EXISTS_CENTER eval:html_tag_exists('center')
body __HTML_TITLE_120 eval:html_text_match('title', '.{120}')
body __HTML_TITLE_SUBJ_DIFF eval:html_title_subject_ratio('3.5')
body __HTML_CHARSET_FARAWAY eval:html_charset_faraway()
body HTML_IFRAME_SRC eval:check_iframe_src()
describe HTML_IFRAME_SRC Message has HTML IFRAME tag with SRC URI
else
meta __COMMENT_EXISTS 0
meta __TAG_EXISTS_CENTER 0
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# __MIME_ATTACHMENT also used in 20_meta_tests.cf
body __MIME_ATTACHMENT eval:check_for_mime('mime_attachment')
endif

111
sa-updates/20_imageinfo.cf Normal file
View File

@ -0,0 +1,111 @@
# SpamAssassin rules file: Image information tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
## # you can match by image name
## body DC_IMAGE001_GIF eval:image_named('image001.gif')
## describe DC_IMAGE001_GIF Contains image named image001.gif
## # you can do exact image size matches
## body DC_GIF_264_127 eval:image_size_exact('gif','264','127')
## describe DC_GIF_264_127 Found 264x127 pixel gif, possible pillz
# you can do image to text, or image to html ratios
rawbody __DC_IMG_HTML_RATIO eval:image_to_text_ratio('all', '0.000', '0.015')
describe __DC_IMG_HTML_RATIO Low rawbody to pixel area ratio
body __DC_IMG_TEXT_RATIO eval:image_to_text_ratio('all', '0.000', '0.008')
describe __DC_IMG_TEXT_RATIO Low body to pixel area ratio
# body DC_GIF_TEXT_RATIO eval:image_to_text_ratio('gif',0.000, 0.008)
# describe DC_GIF_TEXT_RATIO Low body to GIF pixel area ratio
# rawbody DC_GIF_HTML_RATIO eval:image_to_text_ratio('gif',0.000, 0.008)
# describe DC_GIF_HTML_RATIO Low rawbody to GIF pixel area ratio
# using exact size match to identify things like screenshots
# body __SCREEN_640x480 eval:image_size_exact('all',800,600)
# body __SCREEN_800x600 eval:image_size_exact('all',800,600)
# body __SCREEN_1024x768 eval:image_size_exact('all',1024,768)
# body __SCREEN_1280x1024 eval:image_size_exact('all',1280,1024)
# meta DC_SCREENSHOT_JPG ( __SCREEN_640x480 || __SCREEN_800x600 || __SCREEN_1024x768 || __SCREEN_1280x1024 )
# describe DC_SCREENSHOT_JPG Contains image matching common screen resolution
# score DC_SCREENSHOT_JPG -0.01
# you can do minimum demension matches
# body DC_GIF_300 eval:image_size_range('gif',300,300)
# describe DC_GIF_300 Contains a 300x300 pixels gif or larger
# score DC_GIF_300 0.01
# you can do ranged demension matches
# body DC_JPEG_200_300 eval:image_size_range('gif', 200, 300, 250, 350)
# describe DC_JPEG_200_300 Contains jpeg 200-250 (high) x 300-350 (wide)
# score DC_JPEG_200_300 0.01
# you can count the number of images (all or by image type)
body __GIF_ATTACH_1 eval:image_count('gif','1','1')
body __GIF_ATTACH_2P eval:image_count('gif','2')
body __PNG_ATTACH_1 eval:image_count('png','1','1')
body __PNG_ATTACH_2P eval:image_count('png','2')
body __JPEG_ATTACH_1 eval:image_count('jpeg',1,1)
body __JPEG_ATTACH_2P eval:image_count('jpeg',2)
# you can determine pixel coverage (all or by image type)
body __GIF_AREA_180K eval:pixel_coverage('gif','180000','475000')
body __PNG_AREA_180K eval:pixel_coverage('png','180000','475000')
# body __JPEG_AREA_180K eval:pixel_coverage('jpeg',180000,475000)
# meta together something useful
meta DC_GIF_UNO_LARGO ( __GIF_ATTACH_1 && __GIF_AREA_180K )
describe DC_GIF_UNO_LARGO Message contains a single large gif image
meta __DC_GIF_MULTI_LARGO ( __GIF_ATTACH_2P && __GIF_AREA_180K )
describe __DC_GIF_MULTI_LARGO Message has 2+ inline gif covering lots of area
meta DC_PNG_UNO_LARGO ( __PNG_ATTACH_1 && __PNG_AREA_180K )
describe DC_PNG_UNO_LARGO Message contains a single large png image
meta __DC_PNG_MULTI_LARGO ( __PNG_ATTACH_2P && __PNG_AREA_180K )
describe __DC_PNG_MULTI_LARGO Message has 2+ png images covering lots of area
# meta DC_JPEG_UNO_LARGO ( __JPEG_ATTACH_1 && __JPEG_AREA_180K )
# describe DC_JPEG_UNO_LARGO Message hash single large jpeg image
# meta DC_JPEG_MULTI_LARGO ( __JPEG_ATTACH_2P && __JPEG_AREA_180K )
# describe DC_JPEG_MULTI_LARGO Message has 2+ jpeg images covering lots of area
meta DC_IMAGE_SPAM_TEXT ( !__HAS_URI && __DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO ))
describe DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text
# meta the stock rules together for HTML_IMAGE_ONLY_*
meta __HTML_IMG_ONLY ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 )
meta DC_IMAGE_SPAM_HTML (!__HAS_URI && ( __HTML_IMG_ONLY || __DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO ))
describe DC_IMAGE_SPAM_HTML Possible Image-only spam
endif

82
sa-updates/20_mailspike.cf Normal file
View File

@ -0,0 +1,82 @@
# MailSpike is included in SpamAssassin 3.4+
if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::DNSEval
## Spam sources
header __RCVD_IN_MSPIKE_B eval:check_rbl('mspikeb-lastexternal', 'bl.mailspike.net.')
tflags __RCVD_IN_MSPIKE_B net
reuse __RCVD_IN_MSPIKE_B
## Ham sources
header __RCVD_IN_MSPIKE_L eval:check_rbl('mspikeg-firsttrusted', 'wl.mailspike.net.')
tflags __RCVD_IN_MSPIKE_L net
reuse __RCVD_IN_MSPIKE_L
##### Reputation compensations
# Definitions - Bad senders
header __RCVD_IN_MSPIKE_Z eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.2')
describe __RCVD_IN_MSPIKE_Z Spam wave participant
tflags __RCVD_IN_MSPIKE_Z net
reuse __RCVD_IN_MSPIKE_Z
header RCVD_IN_MSPIKE_L5 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.10')
describe RCVD_IN_MSPIKE_L5 Very bad reputation (-5)
tflags RCVD_IN_MSPIKE_L5 net
reuse RCVD_IN_MSPIKE_L5
header RCVD_IN_MSPIKE_L4 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.11')
describe RCVD_IN_MSPIKE_L4 Bad reputation (-4)
tflags RCVD_IN_MSPIKE_L4 net
reuse RCVD_IN_MSPIKE_L4
header RCVD_IN_MSPIKE_L3 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.12')
describe RCVD_IN_MSPIKE_L3 Low reputation (-3)
tflags RCVD_IN_MSPIKE_L3 net
reuse RCVD_IN_MSPIKE_L3
header RCVD_IN_MSPIKE_L2 eval:check_rbl_sub('mspikeb-lastexternal', '127.0.0.13')
describe RCVD_IN_MSPIKE_L2 Suspicious reputation (-2)
tflags RCVD_IN_MSPIKE_L2 net
reuse RCVD_IN_MSPIKE_L2
# Definitions - Good senders
header RCVD_IN_MSPIKE_H5 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.20')
describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
tflags RCVD_IN_MSPIKE_H5 nice net
reuse RCVD_IN_MSPIKE_H5
header RCVD_IN_MSPIKE_H4 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.19')
describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
tflags RCVD_IN_MSPIKE_H4 nice net
reuse RCVD_IN_MSPIKE_H4
header RCVD_IN_MSPIKE_H3 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.18')
describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
tflags RCVD_IN_MSPIKE_H3 nice net
reuse RCVD_IN_MSPIKE_H3
header RCVD_IN_MSPIKE_H2 eval:check_rbl_sub('mspikeg-firsttrusted', '127.0.0.17')
describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
tflags RCVD_IN_MSPIKE_H2 nice net
reuse RCVD_IN_MSPIKE_H2
# *_L and *_Z may overlap each other, so account for that
meta __RCVD_IN_MSPIKE_LOW RCVD_IN_MSPIKE_L5 || RCVD_IN_MSPIKE_L4 || RCVD_IN_MSPIKE_L3
tflags __RCVD_IN_MSPIKE_LOW net
meta RCVD_IN_MSPIKE_ZBI __RCVD_IN_MSPIKE_Z && !__RCVD_IN_MSPIKE_LOW
tflags RCVD_IN_MSPIKE_ZBI net
## Meta rules for aggregating good and bad senders
# Bad
meta RCVD_IN_MSPIKE_BL RCVD_IN_MSPIKE_L5 || RCVD_IN_MSPIKE_L4 || RCVD_IN_MSPIKE_L3 || __RCVD_IN_MSPIKE_Z
describe RCVD_IN_MSPIKE_BL Mailspike blacklisted
tflags RCVD_IN_MSPIKE_BL net
# Good
meta RCVD_IN_MSPIKE_WL RCVD_IN_MSPIKE_H5 || RCVD_IN_MSPIKE_H4 || RCVD_IN_MSPIKE_H3
describe RCVD_IN_MSPIKE_WL Mailspike good senders
tflags RCVD_IN_MSPIKE_WL nice net
endif
endif

77
sa-updates/20_meta_tests.cf Normal file
View File

@ -0,0 +1,77 @@
# SpamAssassin rules file: meta tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Add meta tests which cover *both* headers and body here.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
# some tests that will trigger FPs on ISO-2022-JP mails.
body __ISO_2022_JP_DELIM /\e\$B/
meta UPPERCASE_50_75 (!__ISO_2022_JP_DELIM && __UPPERCASE_50_75)
describe UPPERCASE_50_75 message body is 50-75% uppercase
meta UPPERCASE_75_100 (!__ISO_2022_JP_DELIM && __UPPERCASE_75_100)
describe UPPERCASE_75_100 message body is 75-100% uppercase
header __SANE_MSGID MESSAGEID =~ /^<[^<>\\ \t\n\r\x0b\x80-\xff]+\@[^<>\\ \t\n\r\x0b\x80-\xff]+>\s*$/m
header __HAS_MSGID MESSAGEID =~ /\S/
header __MSGID_COMMENT MESSAGEID =~ /\(.*\)/m
meta INVALID_MSGID __HAS_MSGID && !(__SANE_MSGID || __MSGID_COMMENT)
describe INVALID_MSGID Message-Id is not valid, according to RFC 2822
#See Bug 7411
#header __MOZILLA_MUA X-Mailer =~ /\bMozilla\b/
header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i
header __MOZILLA_MSGID MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
describe FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla
header __PC_RND_HEADER ALL =~ /%RA?ND(?:OM)?(?:_|\b|[A-Z]{3})/i
rawbody __PC_RND_RAWBODY /%RA?ND(?:OM)?(?:_|\b|[A-Z]{3})/i
meta PERCENT_RANDOM (__PC_RND_HEADER || __PC_RND_RAWBODY)
describe PERCENT_RANDOM Message has a random macro in it
# __MIME_ATTACHMENT defined in 20_html_tests.cf
body __NONEMPTY_BODY /\S/
meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY
describe EMPTY_MESSAGE Message appears to have no textual parts and no Subject: text
meta NO_HEADERS_MESSAGE (MISSING_DATE && MISSING_HEADERS && NO_RECEIVED && NO_RELAYS && MISSING_MID)
describe NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 headers
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body __UPPERCASE_25_50 eval:check_for_uppercase('25', '50')
body __UPPERCASE_50_75 eval:check_for_uppercase('50', '75')
body __UPPERCASE_75_100 eval:check_for_uppercase('75', '100')
endif

49
sa-updates/20_net_tests.cf Normal file
View File

@ -0,0 +1,49 @@
# SpamAssassin rules file: network tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
# Note: If you are adding a rule which looks for a phrase in the body
# (as most of them do), please add it to rules/20_phrases.cf instead.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
# bug 2220. nice results
meta DIGEST_MULTIPLE RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1
describe DIGEST_MULTIPLE Message hits more than one network digest check
tflags DIGEST_MULTIPLE net
reuse DIGEST_MULTIPLE
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header NO_DNS_FOR_FROM eval:check_dns_sender()
describe NO_DNS_FOR_FROM Envelope sender has no MX or A DNS records
tflags NO_DNS_FOR_FROM net
reuse NO_DNS_FOR_FROM
endif

314
sa-updates/20_pdfinfo.cf Normal file
View File

@ -0,0 +1,314 @@
# SpamAssassin rules file: Pdfinfo rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# 2014-12-02 - axb
# Info and disabled rules kept for historical & documentation reasons
# Updated rules may be added
#
# Original File: pdfinfo.cf
# Original Version: 0.6
# Info: $Id: pdfinfo.cf 895 2007-07-27 10:31:08Z alexb $
# Created: 2007-06-25
# Modified: 2007-07-19
# Original / Defunct Site URL: http://www.rulesemporium.com/plugins.htm#PDFinfo
# Author: Dallas Engelken (aka GMD :-)
# Rules contributed by Alex Broens
# Requires: PDFInfo.pm plugin
# Description: This plugin/ruleset combination will help you alleviate the new
# PDF based stock spam which began to appear mid-June, 2007.
#
#
# Changes:
#
# 0.6 - added easypdf producer rule and more no body text metas
# - tags support added, see USING TAGS below.
# 0.5 - added fuzzy test 7
# 0.4 - added new fuzzy for encyprted pdf image spams.
# - added rule to check for encryption
# 0.3 - added rules based on the new pdf_match_details() function
# - added additional fuzzy md5 rules
# - disabled static md5 rules as they are no longer hitting.
# 0.2 - added static md5 to hit full page stock spam.
# 0.1 - initial ruleset.
#
############################################
# USING TAGS
############################################
# The follow tags can be defined in an add_header line
#
# _PDFCOUNT_ - total number of pdf mime parts in the email
# _PDFIMGCOUNT_ - total number of images found inside pdf mime parts
# _PDFVERSION_ - PDF Version, space seperated if there are > 1 pdf attachments
# _PDFNAME_ - Filenames as found in the mime headers of PDF parts
# _PDFPRODUCER_ - Producer/Application that created the PDF(s)
# _PDFAUTHOR_ - Author of the PDF
# _PDFCREATOR_ - Creator/Program that created the PDF(s)
# _PDFTITLE_ - Title of the PDF File, if available
# _PDFIMGDIM_ - If PDF Contains images, the dimensions of them will be put here
# _PDFIMGAREA_ - The total area of all combined images inside the PDF(s)
# _PDFMD5_ - MD5 checksum of PDF(s) - space seperated
# _PDFMD5FUZZY1_- Fuzzy1 MD5 checksum of PDF(s) - space seperated
# _PDFMD5FUZZY2_- Fuzzy2 MD5 checksum of PDF(s) - space seperated
#
# Example add_header lines
#
# add_header all PDF-Info pdf=_PDFCOUNT_, pdfimg=_PDFIMGCOUNT_, ver=_PDFVERSION_, name=_PDFNAME_
# add_header all PDF-Details producer=_PDFPRODUCER_, author=_PDFAUTHOR_, creator=_PDFCREATOR_, title=_PDFTITLE_
# add_header all PDF-ImageInfo dim=_PDFIMGDIM_, area=_PDFIMGAREA_
# add_header all PDF-Md5 md5=_PDFMD5_, fuzzy1=_PDFMD5FUZZY1_, fuzzy2=_PDFMD5FUZZY2_
#
############################################
# GENERIC RULE EXAMPLES SHOWING EVAL USAGE
############################################
# you can match by name
# body MY_TEST_PDF eval:pdf_named('mytest.pdf')
# or you can write a regex to match dynamic file names.
# body MY_TEST_PDF eval:pdf_name_regex('/^(?:my|your)test\.pdf$/')
# you can make it case insensitive by using modifiers
# body PDF_IMGXXXXX eval:pdf_name_regex('/^IMG\D+\.\.PDF$/i')
# you can do exact image size matches
# body PDF_DEMS_150_400 eval:pdf_image_size_exact(150,400)
# you can do image to text, or image to html ratios
# rawbody PDF_TO_HTML_RATIO eval:pdf_image_to_text_ratio(0.000, 0.015)
# body PDF_TO_TEXT_RATIO eval:pdf_image_to_text_ratio(0.000, 0.008)
# you can do minimum demension matches
# body PDF_SIZE_RANGE_1 eval:pdf_image_size_range(300,300)
# you can do ranged demension matches
# body PDF_SIZE_RANGE_2 eval:pdf_image_size_range(200, 300, 250, 350)
# you can count the number of pdf mime partts
# body PDF_MIME_COUNT_1 eval:pdf_count(1,1)
# body PDF_MIME_COUNT_2_PLUS eval:pdf_count(2)
# you can count the number of images inside the pdfs
# body PDF_IMG_COUNT_1 eval:pdf_image_count(1,1)
# body PDF_IMG_COUNT_2_PLUS eval:pdf_image_count(2)
# you can determine pixel coverage
# body PDF_AREA_SMALL eval:pdf_pixel_coverage(1,100000)
# match a md5 or fuzzy md5 signature of the pdf
# body PDF_BAD_MD5 eval:pdf_match_md5('C359F8F89B290DA99DC997ED50117CDF')
# body PDF_BAD_FUZZY eval:pdf_match_fuzzy_md5('7340821445D975EEF6F5BDE2EC257900')
# Now you can match against certain details if they are found in the PDF.
# A regex match is used on the value specified, so if you want to do an
# exact match, use anchors ^value$
#
# body GMD_AUTHOR_MOBILE eval:pdf_match_details('author','/^mobile$/')
# body GMD_PRODUCER_GPL eval:pdf_match_details('producer','/(?i)^gpl ghostscript/')
# body GMD_CREATOR_PSCRIPT5 eval:pdf_match_details('creator','/^PScript5/')
# body GMD_TITLE_WORD_DOC1 eval:pdf_match_details('title','/^Microsoft Word \- Document1$/)
# body GMD_CREATED_JULY07 eval:pdf_match_details('created','/^200707/')
# body GMD_MODIFIED_JULY07 eval:pdf_match_details('modified','/^200707/')
ifplugin Mail::SpamAssassin::Plugin::PDFInfo
#######################################
# DISABLED RULES, ENABLE IF YOU WANT
#######################################
# Small area
# Disabled - Hits Ham
# body GMD_PDF_SMALL_AREA eval:pdf_pixel_coverage(1,100000)
# describe GMD_PDF_SMALL_AREA PDF Area covers 150k pixels or less
# score GMD_PDF_SMALL_AREA 0.75
# counts GMD_PDF_SMALL_AREA 51s/15h of 10615 corpus (5652s/4963h AxB) 06/25/07
# NOTE - people do send pdf's without message bodies!
# Disabled - Hits Ham
# body GMD_PDF_NO_TXT eval:pdf_image_to_text_ratio(0.000, 0.005)
# describe GMD_PDF_NO_TXT Low rawbody to pixel area ratio
# score GMD_PDF_NO_TXT 0.01
# counts GMD_PDF_NO_TXT 64s/3h of 10615 corpus (5652s/4963h AxB) 06/25/07
####################################
# HERE ARE THE LIVE RULES
####################################
######################################################################################################
# pdf image dimensions
# thin horizontal, common stox.
body GMD_PDF_HORIZ eval:pdf_image_size_range(100, 450, 240, 800)
describe GMD_PDF_HORIZ Contains pdf 100-240 (high) x 450-800 (wide)
score GMD_PDF_HORIZ 0.25
# counts GMD_PDF_HORIZ 135s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_HORIZ 278s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07
# near square, and small. common stox.
body GMD_PDF_SQUARE eval:pdf_image_size_range(180, 180, 360, 360)
describe GMD_PDF_SQUARE Contains pdf 180-360 (high) x 180-360 (wide)
score GMD_PDF_SQUARE 0.50
# counts GMD_PDF_SQUARE 36s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_SQUARE 46s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07
# thin vertical, very tall. common stox.
body GMD_PDF_VERT eval:pdf_image_size_range(450, 100, 800, 240)
describe GMD_PDF_VERT Contains pdf 450-800 (high) x 100-240 (wide)
score GMD_PDF_VERT 0.90
# counts GMD_PDF_VERT 24s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_VERT 10s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
######################################################################################################
# static checksums
# all static md5 spam runs are complete as of 7/11
# if there are more, we'll add new rules.
# removed fuzzy rules dated 2007
# Get fuzzy info:
# cat msg.eml | spamassassin --debug pdfinfo 2>&1 | grep fuzzy 2>&1
# sample rules ONLY
# fuzzy checksum for bad stox
#body GMD_PDF_FUZZY1_T1 eval:pdf_match_fuzzy_md5('57EBC1FFB1A24CC14AE23E1E227C3484')
#describe GMD_PDF_FUZZY1_T1 Fuzzy MD5 Match 57EBC1FFB1A24CC14AE23E1E227C3484
#score GMD_PDF_FUZZY1_T1 0.001
# same as rule above using fuzzy md5 of pdf structure
#body GMD_PDF_FUZZY2_T1 eval:pdf_match_fuzzy_md5('653C8AA9FDFD03D382523488058360A2')
#describe GMD_PDF_FUZZY2_T1 Fuzzy MD5 Match 653C8AA9FDFD03D382523488058360A2
#score GMD_PDF_FUZZY2_T1 0.001
######################################################################################################
# pdf_match_details()
# from embedded link spam
#body GMD_AUTHOR_COLET eval:pdf_match_details('author','/^colet$/')
#describe GMD_AUTHOR_COLET PDF author was 'colet'
#score GMD_AUTHOR_COLET 4.50
# counts GMD_AUTHOR_COLET 1s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_AUTHOR_COLET 2s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# from full page pdf stock spammer.
#body GMD_AUTHOR_MOBILE eval:pdf_match_details('author','/^mobile$/')
#describe GMD_AUTHOR_MOBILE PDF author was 'mobile'
#score GMD_AUTHOR_MOBILE 2.75
# counts GMD_AUTHOR_MOBILE 2s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_AUTHOR_MOBILE 55s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# txt only stock spam
#body GMD_AUTHOR_OOO eval:pdf_match_details('author','/^openofficeuser$/')
#describe GMD_AUTHOR_OOO PDF author was 'openofficeuser'
#score GMD_AUTHOR_OOO 1.75
# counts GMD_AUTHOR_OOO 1s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_AUTHOR_OOO 118s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# txt only stock spam
#body GMD_AUTHOR_HPADMIN eval:pdf_match_details('author','/^HP_Administrator/')
#describe GMD_AUTHOR_HPADMIN PDF author was 'HP_Administrator'
#score GMD_AUTHOR_HPADMIN 0.25
# counts GMD_AUTHOR_HPADMIN 105s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_AUTHOR_HPADMIN 27s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# generic rule for software used to produce the pdf.
body GMD_PRODUCER_GPL eval:pdf_match_details('producer','/^(?:gnu|gpl) ghostscript/i')
describe GMD_PRODUCER_GPL PDF producer was GPL Ghostscript
score GMD_PRODUCER_GPL 0.25
# counts GMD_PRODUCER_GPL 227s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PRODUCER_GPL 85s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# generic rule for software used to produce the pdf.
body GMD_PRODUCER_POWERPDF eval:pdf_match_details('producer','/^PowerPdf 0\./')
describe GMD_PRODUCER_POWERPDF PDF producer was PowerPDF
score GMD_PRODUCER_POWERPDF 0.25
# counts GMD_PRODUCER_POWERPDF 0s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_PRODUCER_POWERPDF 0s/0h of 5641 corpus (4064s/1577h AxB-MANUAL) 07/11/07
# producer is bcl
body GMD_PRODUCER_EASYPDF eval:pdf_match_details('producer','/^BCL easyPDF/')
describe GMD_PRODUCER_EASYPDF PDF producer was BCL easyPDF
score GMD_PRODUCER_EASYPDF 0.25
# simple check for encryption used inside pdf.
# recommend meta with something else...
body GMD_PDF_ENCRYPTED eval:pdf_is_encrypted()
describe GMD_PDF_ENCRYPTED Attached PDF is encrypted
score GMD_PDF_ENCRYPTED 0.60
# counts GMD_PDF_ENCRYPTED 13s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07
# simple check for empty msg body when there is one or more pdf attachments present.
body GMD_PDF_EMPTY_BODY eval:pdf_is_empty_body()
describe GMD_PDF_EMPTY_BODY Attached PDF with empty message body
score GMD_PDF_EMPTY_BODY 0.25
# counts GMD_PDF_EMPTY_BODY 1638s/20h of 27034 corpus (24636s/2398h AxB-MANUAL) 07/19/07
######################################################################################################
# metas
#meta __GMD_PDF_CHECKSUM ( GMD_PDF_FUZZY1_T1 || GMD_PDF_FUZZY2_T1 || GMD_PDF_FUZZY2_T2 || GMD_PDF_FUZZY2_T3 || GMD_PDF_FUZZY2_T4 || GMD_PDF_FUZZY2_T5 || GMD_PDF_FUZZY2_T6 || GMD_PDF_FUZZY2_T7 ||GMD_PDF_FUZZY2_T9 || GMD_PDF_FUZZY2_T10 || GMD_PDF_FUZZY2_T11 || GMD_PDF_FUZZY2_T12 )
#meta __GMD_PDF_DETAIL ( GMD_AUTHOR_COLET || GMD_AUTHOR_MOBILE || GMD_AUTHOR_OOO || GMD_AUTHOR_HPADMIN || GMD_PRODUCER_GPL || GMD_PRODUCER_POWERPDF || GMD_PRODUCER_EASYPDF )
meta __GMD_PDF_DIMS ( GMD_PDF_VERT || GMD_PDF_HORIZ || GMD_PDF_SQUARE )
meta __GMD_PDF_PRODUCERS ( GMD_PRODUCER_GPL || GMD_PRODUCER_POWERPDF || GMD_PRODUCER_EASYPDF )
# rule hits ham by itself, so use just to meta.
body __GMD_PDF_NO_TXT eval:pdf_image_to_text_ratio(0.000, 0.005)
# meta checksum hit with image dimensions
#meta GMD_PDF_STOX_M1 ( __GMD_PDF_CHECKSUM && __GMD_PDF_DIMS)
#describe GMD_PDF_STOX_M1 PDF Stox spam
#score GMD_PDF_STOX_M1 3.25
# counts GMD_PDF_STOX_M1 159s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_STOX_M1 40s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# meta checksum hit to pdf details
#meta GMD_PDF_STOX_M2 ( __GMD_PDF_CHECKSUM && __GMD_PDF_DETAIL )
#describe GMD_PDF_STOX_M2 PDF Stox spam
#score GMD_PDF_STOX_M2 2.95
# counts GMD_PDF_STOX_M2 223s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_STOX_M2 29s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# meta dimensions and encryption
#meta GMD_PDF_STOX_M3 ( __GMD_PDF_DIMS && GMD_PDF_ENCRYPTED )
#describe GMD_PDF_STOX_M3 PDF Stox spam
#score GMD_PDF_STOX_M3 2.25
# counts GMD_PDF_STOX_M3 12s/0h of 34051 corpus (33259s/792h AxB2-TRAPS) 07/13/07
# meta checksum with no text
#meta GMD_PDF_STOX_M4 ( __GMD_PDF_CHECKSUM && (__GMD_PDF_NO_TXT || GMD_PDF_EMPTY_BODY))
#describe GMD_PDF_STOX_M4 PDF Stox spam
#score GMD_PDF_STOX_M4 2.95
# meta no body text along with automated pdf production.
#meta GMD_PDF_STOX_M5 ( __GMD_PDF_PRODUCERS && (__GMD_PDF_NO_TXT || GMD_PDF_EMPTY_BODY))
#describe GMD_PDF_STOX_M5 PDF Stox Spam
#score GMD_PDF_STOX_M5 1.00
endif

192
sa-updates/20_phrases.cf Normal file
View File

@ -0,0 +1,192 @@
# SpamAssassin rules file: phrase tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
###########################################################################
# new way to phrase unsubscribe link
body REMOVE_BEFORE_LINK m{(?:no thanks|not interested|unsubscribe here).{0,5}http://}i
describe REMOVE_BEFORE_LINK Removal phrase right before a link
###########################################################################
# CLICK rules
# note HTML_LINK_CLICK* rules in HTML parser section
body GUARANTEED_100_PERCENT /100% GUARANTEED/i
describe GUARANTEED_100_PERCENT One hundred percent guaranteed
body DEAR_FRIEND /^\s*Dear Friend\b/i
describe DEAR_FRIEND Dear Friend? That's not very dear!
body DEAR_SOMETHING /\bDear (?:IT\W|Internet|candidate|sirs?|madam|investor|travell?er|car shopper|web)\b/i
describe DEAR_SOMETHING Contains 'Dear (something)'
body BILLION_DOLLARS /[BM]ILLION DOLLAR/
describe BILLION_DOLLARS Talks about lots of money
body EXCUSE_4 /To Be Removed,? Please/i
describe EXCUSE_4 Claims you can be removed from the list
# strange pattern because otherwise it matches the std. majordomo line
# pls note the comment above. DO NOT just put "to" in the first group!
body EXCUSE_REMOVE /to be removed from.{0,20}(?:mailings|offers)/i
describe EXCUSE_REMOVE Talks about how to be removed from mailings
body STRONG_BUY /strong buy/i
describe STRONG_BUY Tells you about a strong buy
body STOCK_ALERT /\bstock alert/i
describe STOCK_ALERT Offers a alert about a stock
body NOT_ADVISOR /not a registered investment advisor/i
describe NOT_ADVISOR Not registered investment advisor
body PREST_NON_ACCREDITED /prestigi?ous\b.{0,20}\bnon-accredited\b.{0,20}\buniversities/i
describe PREST_NON_ACCREDITED 'Prestigious Non-Accredited Universities'
body BODY_ENHANCEMENT /\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b).{0,50}\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer))/i
describe BODY_ENHANCEMENT Information on growing body parts
body BODY_ENHANCEMENT2 /\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer)).{0,50}\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b|size)/i
describe BODY_ENHANCEMENT2 Information on getting larger body parts
body IMPOTENCE /\b(?:impotence (?:problem|cure|solution)|Premature Ejaculation|erectile dysfunction)/i
describe IMPOTENCE Impotence cure
#MOVED TO 20_rules_to_sandbox.cf - kmcgrail 2015-05-14
#body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
#describe NA_DOLLARS Talks about a million North American dollars
#
#body US_DOLLARS_3 /(?:\$|usd).?\d{1,3}[,.]\d{3}[,.]\d{3}(?:[,.]\d\d)?/i
#describe US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN)
#
#body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
#describe MILLION_USD Talks about millions of dollars
body __URG_BIZ /urgent.{0,16}(?:assistance|business|buy|confidential|notice|proposal|reply|request|response)/i
meta URG_BIZ __URG_BIZ
describe URG_BIZ Contains urgent matter
body MONEY_BACK /money back guarantee/i
describe MONEY_BACK Money back guarantee
body FREE_QUOTE_INSTANT /free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote/i
describe FREE_QUOTE_INSTANT Free express or no-obligation quote
body BAD_CREDIT /\b((?:bad|poor|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)|no credit (?:check|histor|need))/i
describe BAD_CREDIT Eliminate Bad Credit
body REFINANCE_YOUR_HOME /\brefinance your(?: current)? (?:home|house)\b/i
describe REFINANCE_YOUR_HOME Home refinancing
body REFINANCE_NOW /time to refinance|refinanc\w{1,3}\b.{0,16}\bnow\b/i
describe REFINANCE_NOW Home refinancing
body NO_MEDICAL /\bno medical exam/i
describe NO_MEDICAL No Medical Exams
# seems like we vastly reduce FPs on this one with a small change or two
body DIET_1 /\b(?:(?:without|no) (?:exercis(?:e(?! price)|ing)|dieting)|weight.?loss|(?:extra|lose|lost|losing).{0,10}(?:pounds|weight|inches|lbs)|burn.{1,10}fat)\b/i
describe DIET_1 Lose Weight Spam
body FIN_FREE /\bfinancial(?:ly)? (?:free|independen)/i
describe FIN_FREE Freedom of a financial nature
body FORWARD_LOOKING /\bcontains forward-looking statements\b/i
describe FORWARD_LOOKING Stock Disclaimer Statement
body ONE_TIME /\bone\W+time (?:charge|investment|offer|promotion)/i
describe ONE_TIME One Time Rip Off
body JOIN_MILLIONS /\bjoin (?:millions|thousands)\b/i
describe JOIN_MILLIONS Join Millions of Americans
body MARKETING_PARTNERS /\b(?:marketing|network) partner|\bpartner (?:web)?site/i
describe MARKETING_PARTNERS Claims you registered with a partner
body LOW_PRICE /\blow.{0,4} (?-i:P)rice/i
describe LOW_PRICE Lowest Price
body UNCLAIMED_MONEY /\bunclaimed\s(?:assets?|accounts?|mon(?:ey|ies)|balance|funds?|prizes?|rewards?|payments?|deposits?)\b/i
describe UNCLAIMED_MONEY People just leave money laying around
body OBSCURED_EMAIL /\w+\^\S+\(\w{2,4}\b/
describe OBSCURED_EMAIL Message seems to contain rot13ed address
body BANG_OPRAH /\boprah!/i
describe BANG_OPRAH Talks about Oprah with an exclamation!
#adding boundary checks: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6870
body ACT_NOW_CAPS /\bA(?i:ct) N(?i:ow)\b/
describe ACT_NOW_CAPS Talks about 'acting now' with capitals
body MORE_SEX /increased?.{0,9}(?:sex|stamina)/i
describe MORE_SEX Talks about a bigger drive for sex
# explicitly capped at 1.0 score because of FP potential
body BANG_GUAR /\bguaranteed?\!/i
describe BANG_GUAR Something is emphatically guaranteed
body __RUDE_HTML_1 /Get a capable html e-mailer/i
body __RUDE_HTML_2 /not support the display of HTML. Please view this message in a different/i
body __RUDE_HTML_3 /This message contains an HTML formatted message but your email client does/i
body __RUDE_HTML_4 /Your mailer do not support HTML messages. Switch to a better mailer/i
meta RUDE_HTML __RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4
describe RUDE_HTML Spammer message says you need an HTML mailer
body INVESTMENT_ADVICE /\binvestment advice/i
describe INVESTMENT_ADVICE Message mentions investment advice
body MALE_ENHANCE /male enhancement/i
describe MALE_ENHANCE Message talks about enhancing men
body PRICES_ARE_AFFORDABLE /\baffordable .{0,10}prices\b/i
describe PRICES_ARE_AFFORDABLE Message says that prices aren't too expensive
body REPLICA_WATCH /\breplica.{1,20}rolex/i
describe REPLICA_WATCH Message talks about a replica watch
body EM_ROLEX /[^\s\w.]rolex/i
describe EM_ROLEX Message puts emphasis on the watch manufacturer

45
sa-updates/20_porn.cf Normal file
View File

@ -0,0 +1,45 @@
# SpamAssassin rules file: porn tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
###########################################################################
body FREE_PORN /\bfree (?:porn|xxx|adult)/i
describe FREE_PORN Possible porn - Free Porn
body CUM_SHOT /\bcum[ -]?shots?\b/i
describe CUM_SHOT Possible porn - Cum Shot
# "live cam" is a very common nonspam phrase, removed
body LIVE_PORN /\blive .{0,9}(?:fuck(?:ing)?|sex|naked|girls?|virgins?|teens?|porno?)\b/i
describe LIVE_PORN Possible porn - Live Porn
header SUBJECT_SEXUAL Subject =~ /[s5][e3\xE8-\xEB]x[u\xB5\xF9-\xFC][a4\xE0-\xE6@][l!|1](?:[l!|1]y)?.{0,3}[e3\xE8-\xEB]xp[l!|1][i1!|l\xEC-\xEF]c[i1!|l\xEC-\xEF]t/i
describe SUBJECT_SEXUAL Subject indicates sexually-explicit content

328
sa-updates/20_ratware.cf Normal file
View File

@ -0,0 +1,328 @@
# SpamAssassin rules file: known spam mailers
#
# Sometimes these leave 'sent by mailername' fingerprints in the
# headers, which provide a nice way for us to catch them.
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
header RATWARE_EGROUPS X-Mailer =~ /eGroups Message Poster/
describe RATWARE_EGROUPS Bulk email fingerprint (eGroups) found
# Note that the tests which look at the "ALL" pseudoheader are slower than
# the specific header.
# 100% overlap with X-Stormpost-To: header, but seems wise to leave it in
header RATWARE_OE_MALFORMED X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/
describe RATWARE_OE_MALFORMED X-Mailer has malformed Outlook Express version
header RATWARE_MOZ_MALFORMED User-Agent =~ /Mozilla\/5\.0\d\d/
describe RATWARE_MOZ_MALFORMED Bulk email fingerprint (Mozilla malformed) found
header RATWARE_MPOP_WEBMAIL X-Mailer =~ /mPOP Web-Mail/i
describe RATWARE_MPOP_WEBMAIL Bulk email fingerprint (mPOP Web-Mail)
###########################################################################
# Now, detect forgeries of real MUAs
#
# NOTE: these rules should specify version numbers!
# first define situations where servers rewrite message id so we can't use message id to detect forgeries
header __HOTMAIL_BAYDAV_MSGID MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header __IPLANET_MESSAGING_SERVER Received =~ /iPlanet Messaging Server/
header __LYRIS_EZLM_REMAILER List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/
header __SYMPATICO_MSGID MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m
header __WACKY_SENDMAIL_VERSION Received =~ /\/CWT\/DCE\)/
header __GROUPSIO_MSGID MESSAGEID =~ /^<[[:xdigit:]]+\.[[:xdigit:]]+\@groups.io>$/m
header __HAS_XORIGMSGID X-Orig-Message-Id =~ /^<.+\@.+>$/m
meta __GROUPSIO_GATED __GROUPSIO_MSGID && __HAS_XORIGMSGID
meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID && __GROUPSIO_GATED)
## now on to the forgery rules
# AOL
header __AOL_MUA X-Mailer =~ /\bAOL\b/
# Internet Mail Service
header __IMS_MUA X-Mailer =~ /Internet Mail Service/
header __IMS_MSGID MESSAGEID =~ /^<[A-F\d]{36,40}\@\S+>$/m
meta FORGED_MUA_IMS (__IMS_MUA && !__IMS_MSGID && !__UNUSABLE_MSGID)
describe FORGED_MUA_IMS Forged mail pretending to be from IMS
# Message ID format introduced by Vista MAPI, maybe also Windows 2003 Server SP2
header __VISTA_MSGID MESSAGEID =~ /^<[A-F\d]{32}\@\S+>$/m
# Outlook Express 4, 5, and 6
header __OE_MUA X-Mailer =~ /\bOutlook Express [456]\./
header __OE_MSGID_1 MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
header __OE_MSGID_2 MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__UNUSABLE_MSGID)
# Outlook versions that usually use "dollar signs"
header __OUTLOOK_DOLLARS_MUA X-Mailer =~ /^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\./
header __OUTLOOK_DOLLARS_OTHER MESSAGEID =~ /^<\!\~\!/m
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
# use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60
# bug 7567: obviously fake Outlook X-Mailer
header __OUTLOOK_FAKE_MUA X-Mailer =~ /^Outlook$/
# bug 5496: avoid some FPs
header __FMO_EXCL_O3416 X-Mailer =~ /^Microsoft Outlook, Build 10.0.3416$/
header __FMO_EXCL_OE3790 X-Mailer =~ /^Microsoft Outlook Express 6.00.3790.3959$/
# bug 5910: __VISTA_MSGID also now used by Outlook Express from XP SP3
#
meta FORGED_MUA_OUTLOOK ((__FORGED_OE || __FORGED_OUTLOOK_DOLLARS || __OUTLOOK_FAKE_MUA) && !__FMO_EXCL_O3416 && !__FMO_EXCL_OE3790 && !__VISTA_MSGID)
describe FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
# Outlook IMO (Internet Mail Only)
header __OIMO_MUA X-Mailer =~ /Outlook IMO/
header __OIMO_MSGID MESSAGEID =~ /^<[A-P]{28}\.[-\w.]+\@\S+>$/m
meta FORGED_MUA_OIMO (__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID)
describe FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO
# Not Ratware...
header __HAS_X_LOOP exists:X-Loop
header __HAS_X_MAILING_LIST exists:X-Mailing-List
header __HAS_X_MAILMAN_VERSION exists:X-Mailman-Version
describe MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
# __ML2 and __HAS_LIST_ID are exactly equivalent, don't double-count
meta MAILING_LIST_MULTI __HAS_X_LOOP + __HAS_X_MAILING_LIST + __HAS_X_MAILMAN_VERSION + __HAS_LIST_ID + __HAS_X_BEEN_THERE +__DOS_HAS_LIST_UNSUB + __ML1 + __ML3 + __ML4 + __ML5 > 2
tflags MAILING_LIST_MULTI nice
# QUALCOMM Eudora
# Note: uses X_LOOP and X_MAILING_LIST as subrules
# X-Mailer: QUALCOMM Windows Eudora Version 5.0 (and 5.1)
# X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
# updated to fix bugs 2047, 2598, 2654
# NOTE: this is the *only* spammish Eudora MUA pattern that wasn't
# ignored using __OLD_EUDORA1 and __OLD_EUDORA2 under previous rules.
# v7 can't be tested, as it sometimes doesn't generate MID
header __EUDORA_MUA X-Mailer =~ /^QUALCOMM Windows Eudora (?:Pro |Light )?Version [3456]\./
header __EUDORA_MSGID MESSAGEID =~ /^<(?:\d\d?\.){3,5}\d{14}\.[a-f0-9]{8}\@\S+(?:\sport\s\d+)?>$/m
meta FORGED_MUA_EUDORA __EUDORA_MUA && !( __EUDORA_MSGID || __UNUSABLE_MSGID || MAILING_LIST_MULTI || MSGID_FROM_MTA_HEADER )
describe FORGED_MUA_EUDORA Forged mail pretending to be from Eudora
# From private mail with developers. Some top tips here!
header __THEBAT_MUA X-Mailer =~ /^The Bat!/
header __THEBAT_MUA_V1 X-Mailer =~ /^The Bat! \(v1\./
#header __THEBAT_MUA_V2 X-Mailer =~ /^The Bat! \(v2\./
#header __THEBAT_MUA_V3 X-Mailer =~ /^The Bat! \(v3\./
header __CTYPE_CHARSET_QUOTED Content-Type =~ /charset=\"/i
header __CTYPE_HAS_BOUNDARY Content-Type =~ /boundary/i
header __BAT_BOUNDARY Content-Type =~ /boundary=\"-{10}[A-F0-9]{4,}\"/
header __MAILMAN_21 X-Mailman-Version =~ /\d/
meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED && !__MAILMAN_21)
meta FORGED_MUA_THEBAT_BOUN (__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)
describe FORGED_MUA_THEBAT_CS Mail pretending to be from The Bat! (charset)
describe FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)
# bug 4649: bulk mail sent via Yahoo! often looks forged, even when it is not
header __YAHOO_BULK Received =~ /from \[\S+\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/
meta FORGED_OUTLOOK_HTML (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && MIME_HTML_ONLY)
describe FORGED_OUTLOOK_HTML Outlook can't send HTML message only
# bug 2525: FORGED_IMS_HTML fp'ing because new IMS *DOES* use text/html
# ctype. ARGH. This was noted in build 5.5.2656.59, so permit builds
# after that to get away with it.
header __IMS_HTML_BUILDS X-Mailer =~ /^Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/
header __IMS_HTML_RCVD Received =~ /\bby \S+ with Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/
meta FORGED_IMS_HTML (!__YAHOO_BULK && __IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD))
describe FORGED_IMS_HTML IMS can't send HTML message only
meta FORGED_THEBAT_HTML (__THEBAT_MUA_V1 && MIME_HTML_ONLY)
describe FORGED_THEBAT_HTML The Bat! can't send HTML message only
# bug 2513
header __REPTO_QUOTE Reply-To =~ /".*"\s*\</
meta REPTO_QUOTE_AOL __REPTO_QUOTE && __AOL_MUA
describe REPTO_QUOTE_AOL AOL doesn't do quoting like this
meta REPTO_QUOTE_IMS __REPTO_QUOTE && __IMS_MUA
describe REPTO_QUOTE_IMS IMS doesn't do quoting like this
meta REPTO_QUOTE_MSN __REPTO_QUOTE && (__FROM_MSN_COM || __AT_MSN_MSGID)
describe REPTO_QUOTE_MSN MSN doesn't do quoting like this
meta REPTO_QUOTE_QUALCOMM __REPTO_QUOTE && __ANY_QUALCOMM_MUA
describe REPTO_QUOTE_QUALCOMM Qualcomm/Eudora doesn't do quoting like this
meta REPTO_QUOTE_YAHOO __REPTO_QUOTE && (__FROM_YAHOO_COM || __AT_YAHOO_MSGID)
describe REPTO_QUOTE_YAHOO Yahoo! doesn't do quoting like this
# bug 1561
# stronger version of USER_AGENT_APPLEMAIL
# Apple Mail doesn't send text/html at all (unless it's an attachment)
# It'll send text/plain, or multipart/alternative with text/plain and
# text/enriched parts (boundary of "Apple-Mail-\d--\d+"). It can, however,
# send a multipart/mixed with a single text/html attachment, so don't use
# MIME_HTML_ONLY.
# perhaps limit CTYPE to "text/plain", "multipart/alternative" with
# "text/plain" and "text/enhanced", or "multipart/mixed"?
# bug 4223: expand for new Apple Mail version format
header __X_MAILER_APPLEMAIL X-Mailer =~ /^Apple Mail \(\d\.\d+(?:\.\d+)?\)$/
header __MSGID_APPLEMAIL Message-Id =~ /^<[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\@\S+>$/
header __MIME_VERSION_APPLEMAIL Mime-Version =~ /^1\.0 \(Apple Message framework v\d+(?:\.\d+)?\)$/
meta __USER_AGENT_APPLEMAIL !__CTYPE_HTML && __X_MAILER_APPLEMAIL && (__MSGID_APPLEMAIL || __MIME_VERSION_APPLEMAIL)
# 2003-02-23: quinlan
# some useful meta rule sub-elements
header __CTYPE_HTML Content-Type =~ /text\/html/i
header __ANY_IMS_MUA X-Mailer =~ /^Internet Mail Service\b/
header __ANY_OUTLOOK_MUA X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/
header __ANY_QUALCOMM_MUA X-Mailer =~ /\bQUALCOMM\b/
meta FORGED_QUALCOMM_TAGS (__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)
describe FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this format
meta FORGED_IMS_TAGS (!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_IMS_TAGS IMS mailers can't send HTML in this format
meta FORGED_OUTLOOK_TAGS (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
# Send-Safe ratware (idea from Alan Curry)
# random alphanumerics, separated into groups of 16 by dashes (the first
# and last group may be shorter), with a lowercase "l" and a number
# appended. The final number is the length of the whole string not
# including the dashes or the "l<number>". Why? I have no idea. It's
# not a tracking code - the spamware does not save it locally.
#
# jm: it's specifically to throw off MIME base64 encoding, to evade AOL's
# filters.
#
# http://groups.google.com/groups?selm=atp1ip0n22%40enews3.newsguy.com
rawbody RATWARE_HASH_DASH /[a-z\d]-[a-z\d]{16}-[a-z\d]{1,16}(?-i:l)\d/i
describe RATWARE_HASH_DASH Contains a hashbuster in Send-Safe format
########################################################################
# Most ratware uses message templates I would guess.
# Here's two popular ones...
########################################################################
# This ratware always uses a +0000 TZ in the Date header, and has a multiplicity
# of From: header formats. ("From" header samples from Steven Champeon
# <schampeo.hesketh.com> via the spamtools.lists.abuse.net and SPAM-L lists).
#
# "First Last" <firstlast_[a-z][a-z]@somedomain> 1
# "First Last" <firstlast[a-z][a-z]@somedomain> 1
# "First Last" <first.last[a-z][a-z]@somedomain> 1
# "First Last" <first_last[a-z][a-z]@somedomain> 1
# "First Last" <first_last_[a-z][a-z]@somedomain> 1
# "First Last" <flast_[a-z][a-z]@somedomain> 2
# "First Last" <flast[a-z][a-z]@somedomain> 2
# "First Last" <f.last_[a-z][a-z]@somedomain> 2
# "First Last" <f.last[a-z][a-z]@somedomain> 2
# "First Last" <f_last[a-z][a-z]@somedomain> 2
# "First Last" <last[a-z][a-z]@somedomain> 3
# "First M. Last" <firstlast_[a-z][a-z]@somedomain> 4
# "First M. Last" <firstlast[a-z][a-z]@somedomain> 4
# "First M. Last" <first.m.last[a-z][a-z]@somedomain> 5
# "First M. Last" <firstmlast[a-z][a-z]@somedomain> 5
# "First M. Last" <firstmlast_[a-z][a-z]@somedomain> 5
# "First M. Last" <fmlast_[a-z][a-z]@somedomain> 6
# "First M. Last" <mlast[a-z][a-z]@somedomain> 7
# "First M. Last" <m.last[a-z][a-z]@somedomain> 7
header __0_TZ_1 From =~ /^\"(\w)(\w+) (\w+)\" <\1\2[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_2 From =~ /^\"(\w)(\w+) (\w+)\" <\1[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_3 From =~ /^\"(\w)(\w+) (\w+)\" <\3_?[a-z][a-z]\@/i
header __0_TZ_4 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_5 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\3[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_6 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\3\4_?[a-z][a-z]\@/i
header __0_TZ_7 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\3[\._]?\4_?[a-z][a-z]\@/i
header __RATWARE_0_TZ_DATE Date =~ / \+0000$/
meta RATWARE_ZERO_TZ (__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7))
describe RATWARE_ZERO_TZ Bulk email fingerprint (+0000) found
header X_MESSAGE_INFO exists:X-Message-Info
describe X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found
# case-sensitive rule
# only significant rules with no FPs, hit recently, on 2+ corpuses
header HEADER_SPAM ALL =~ /^(Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m
describe HEADER_SPAM Bulk email fingerprint (header-based) found
header RATWARE_RCVD_PF Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s
describe RATWARE_RCVD_PF Bulk email fingerprint (Received PF) found
header RATWARE_RCVD_AT Received =~ / by \S+\@\S+ with Microsoft SMTPSVC/
describe RATWARE_RCVD_AT Bulk email fingerprint (Received @) found
header __RCVD_WITH_EXCHANGE Received =~ /with Microsoft Exchange Server/
meta RATWARE_OUTLOOK_NONAME __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE
describe RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found
header __MIMEOLE_MS X-MIMEOLE =~ /^Produced By Microsoft MimeOLE/
meta RATWARE_MS_HASH __MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE
describe RATWARE_MS_HASH Bulk email fingerprint (msgid ms hash) found
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header __GATED_THROUGH_RCVD_REMOVER eval:gated_through_received_hdr_remover()
header __RATWARE_NAME_ID eval:check_ratware_name_id()
meta RATWARE_NAME_ID __RATWARE_0_TZ_DATE && __RATWARE_NAME_ID
describe RATWARE_NAME_ID Bulk email fingerprint (msgid from) found
header RATWARE_EFROM eval:check_ratware_envelope_from()
describe RATWARE_EFROM Bulk email fingerprint (envfrom) found
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body __MIME_HTML eval:check_for_mime_html()
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __TAG_EXISTS_BODY eval:html_tag_exists('body')
body __TAG_EXISTS_HEAD eval:html_tag_exists('head')
body __TAG_EXISTS_HTML eval:html_tag_exists('html')
body __TAG_EXISTS_META eval:html_tag_exists('meta')
body __TAG_EXISTS_STYLE eval:html_tag_exists('style')
body __TAG_EXISTS_SCRIPT eval:html_tag_exists('script')
endif

123
sa-updates/20_uri_tests.cf Normal file
View File

@ -0,0 +1,123 @@
# SpamAssassin rules file: URI tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
# possible IDN spoofing attack: https://web.archive.org/web/20141006091906/https://www.shmoo.com/idn/homograph.txt
# not expecting any hits on this (yet)
uri HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
tflags HIGH_CODEPAGE_URI userconf
###########################################################################
# Redirector URI patterns
redirector_pattern /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
redirector_pattern /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
redirector_pattern /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
redirector_pattern /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
redirector_pattern /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
redirector_pattern m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&\#])'i
redirector_pattern m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
uri NUMERIC_HTTP_ADDR m{^https?://[\d.]+(?:[:/?\#]|$)}i
describe NUMERIC_HTTP_ADDR Uses a numeric IP address in URL
# Theo sez:
# Have gotten FPs off this, and whitespace can't be in the host, so...
# % Visit my homepage: http://i.like.foo.com %
# Also ignore some bad parses like http://foo.bar%20http://foo.bar
uri HTTP_ESCAPED_HOST /^https?\:\/\/[^\/\s\?\&\#\']*(?!%(?:20|3[cCeE])(?:https?:|mailto:))%[0-9a-fA-F][0-9a-fA-F]/
describe HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
# look for URI with escaped 0-9, A-Z, or a-z characters (all other safe
# characters have been well-tested, but are sometimes unnecessarily escaped
# in nonspam; requiring "http" or "https" also reduces false positives).
uri HTTP_EXCESSIVE_ESCAPES /^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])/i
describe HTTP_EXCESSIVE_ESCAPES Completely unnecessary %-escapes inside a URL
# bug 1801
uri IP_LINK_PLUS m{^https?://\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id=)}i
describe IP_LINK_PLUS Dotted-decimal IP address followed by CGI
# allow ports 80 and 443 which are http and https, respectively
# we don't want to hit http://www.cnn.com:USArticle1840@www.liquidshirts.com/
# though, which actually doesn't have a weird port in it.
uri WEIRD_PORT m{https?://[^/?\s]+?:\d+(?<!:80)(?<!:443)(?<!:8080)(?:/|\s|$)}
describe WEIRD_PORT Uses non-standard port number for HTTP
# Matt Cline
# Pretty good for most folks, except for jm: I have a really stupid
# e-commerce bunch obfuscating their URLs with this for some reason. screw 'em
# jm: hesitant to remove this outright; it should be good against phishers
#uri HTTP_ENTITIES_HOST m{https?://[^\s\">/]*\&\#[\da-f]+}i
#describe HTTP_ENTITIES_HOST URI obscured with character entities
uri YAHOO_RD_REDIR m{^https?\://rd\.yahoo\.com/(?:[0-9]{4}|partner\b|dir\b)}i
describe YAHOO_RD_REDIR Has Yahoo Redirect URI
uri YAHOO_DRS_REDIR m{^https?://drs\.yahoo\.com/}i
describe YAHOO_DRS_REDIR Has Yahoo Redirect URI
# "www" hidden as "%77%77%77", "ww%77", etc.
# note: *not* anchored to start of string, to catch use of redirectors
uri HTTP_77 /http:\/\/.{0,2}\%77/
describe HTTP_77 Contains an URL-encoded hostname (HTTP77)
# a.com.b.c
uri SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com|\w+\.psmtp\.com)(?:\w+\.){2}}i
describe SPOOF_COM2OTH URI contains ".com" in middle
# a.com.b.com
uri __SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com|\w+\.psmtp\.com)(?:\w+\.)+?com\b}i
meta SPOOF_COM2COM __SPOOF_COM2COM && !SPOOF_COM2OTH
describe SPOOF_COM2COM URI contains ".com" in middle and end
# a.net.b.com
uri SPOOF_NET2COM m{^https?://(?:\w+\.)+?(?:net|org)\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com)(?:\w+\.)+?com\b}i
describe SPOOF_NET2COM URI contains ".net" or ".org", then ".com"
uri URI_HEX m%^https?://[^/?&\#]*\b(?![0-9a-f]{0,12}[a-f]{3})[0-9a-f]{6,}\b%i
describe URI_HEX URI hostname has long hexadecimal sequence
uri URI_NOVOWEL m%^https?://[^/?&\#]*[bcdfgjklmnpqrstvwxz]{7}%i
describe URI_NOVOWEL URI hostname has long non-vowel sequence
tflags URI_NOVOWEL userconf # lock scores low
uri URI_UNSUBSCRIBE /\b(?:gone|opened|out)\.php/i
describe URI_UNSUBSCRIBE URI contains suspicious unsubscribe link
# bug 3896: URIs in various TLDs, other than 3rd level www
uri URI_NO_WWW_INFO_CGI /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i
describe URI_NO_WWW_INFO_CGI CGI in .info TLD other than third-level "www"
uri URI_NO_WWW_BIZ_CGI /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.biz\/(?=\S{15,})\S*\?/i
describe URI_NO_WWW_BIZ_CGI CGI in .biz TLD other than third-level "www"
###########################################################################
uri NORMAL_HTTP_TO_IP m{^https?://(?!1(?:0|27|69\.254|72\.(?:1[6-9]|2\d|3[01])|92\.168)\.)\d+\.\d+\.\d+\.\d+\b(?![.-])}i
describe NORMAL_HTTP_TO_IP URI host has a public dotted-decimal IPv4 address

338
sa-updates/20_vbounce.cf Normal file
View File

@ -0,0 +1,338 @@
# A virus-bounce ruleset, suitable for use by anyone receiving a lot of joe-job
# virus-blowback, or spam-blowback bounce messages.
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
#
# If you use this, set up procmail or your mail app to spot the
# "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move
# messages that match that to a 'vbounce' folder.
#
# You should also add 'welcomelist_bounce_relays' lines, describing the names of
# your own outgoing mail relays, like so:
#
# welcomelist_bounce_relays dogma.boxhost.net
#
# This is used to 'rescue' legitimate bounce messages that were generated in
# response to mail you really *did* send. If you don't do this, the
# "BOUNCE_MESSAGE" rule will not fire. See 'perldoc VBounce.pm' for more
# details.
#
# This ruleset is substantially based on
# https://www.timj.co.uk/linux/bogus-virus-warnings.cf ; the main difference is
# that I (jm) prefer to keep bounces and spam separate, so it now uses a single
# rule for each type of message, instead of having multiple individual rules
# with high scores. That way, you can spot the individual rule names, as
# described in the paragraph above. There's a couple of rules that were FPing,
# too, so I fixed or removed them; and there's been substantial additions, too.
#
###########################################################################
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::VBounce
body __MY_SERVERS_FOUND eval:check_welcomelist_bounce_relays()
endif
else
ifplugin Mail::SpamAssassin::Plugin::VBounce
body __MY_SERVERS_FOUND eval:check_whitelist_bounce_relays()
endif
endif
ifplugin Mail::SpamAssassin::Plugin::VBounce
body __HAVE_BOUNCE_RELAYS eval:have_any_bounce_relays()
# ---------------------------------------------------------------------------
# General bounce messages
header __BOUNCE_FROM_DAEMON From =~ /(?:^(?:mail\S+daemon|d[ae][ae]mon|majordomo|postmaster|automated-response|mailadmin|mailmaster|surfcontrol|You_Got_Spammed|SMTP.gateway)\@|scanner\S*\@|<>)/i
header __BOUNCE_RPATH_NULL Return-Path =~ /<>/
header __BOUNCE_READ_NOTIFICATION Subject =~ /^Read: /
header __BOUNCE_RPATH_MD Return-Path =~ /(?:mailer-(?:daemon|deamon)|quotaagent|pleaseforward|autoresponder|autoresponse-\S+|devnull\S*)\@/i
# can appear in non-bounce mails with __XM_VBULLETIN,
# or with X-Cron-Env headers, so exclude those cases
header __XM_VBULLETIN X-Mailer =~ /^vBulletin Mail/
header __X_CRON_ENV X-Cron-Env =~ /^</
header __AUTO_GEN_MS exists:X-MS-Embedded-Report
header __AUTO_GEN_AG exists:X-autogenerated
header __AUTO_GEN_CM exists:X-Choicemail-Registration-Request
header __AUTO_GEN_3 X-MailScanner =~ /generated/
header __AUTO_GEN_4 X-Mailer =~ /autoresponder/i
header __AUTO_GEN_XXSP X-XSP-Msgclass =~ /NOTIFICATION/
header __AUTO_GEN_PREC Precedence =~ /auto/
meta __BOUNCE_AUTO_GENERATED ((__AUTO_GEN_MS||__AUTO_GEN_3||__AUTO_GEN_4||__AUTO_GEN_AG||__AUTO_GEN_XXSP ||__AUTO_GEN_CM||__AUTO_GEN_PREC) && !__XM_VBULLETIN && !__X_CRON_ENV)
header __BOUNCE_Y_AUTOGEN Subject =~ /^Yahoo! Auto Response/
header __BOUNCE_SYMANTEC Subject =~ /^Returned mail.{0,5}(?:Error During Delivery|see transcript for details|)$/i
header __BOUNCE_X_ERR_STAT X-Error-Status =~ /User unknown/
header __BOUNCE_RETURNED Subject =~ /^Returned mail: (?:User unknown|unreachable recipients)/
header __BOUNCE_MAILDELFAIL Subject =~ /^Mail delivery failed: /
header __BOUNCE_MSGDELFAIL Subject =~ /^Message Delivery Failure/
body __BOUNCE_ESMTP /^This messages was created automatically by mail delivery software/
# JM: prev versions used "automaticly", that was a typo
body __BOUNCE_NEVER_SEE /\bThis is an autoresponder. I'll never see your message\b/i
body __BOUNCE_NONWORKING /\bYou have reached a non.?working address. Please check\b/i
header __BOUNCE_UNDELIVERABLE Subject =~ /^Undeliverable(?: -|:) /
header __BOUNCE_UNDELIVERABLE_ML Subject =~ /^Undeliver(?:able|ed) Mail\b/
header __BOUNCE_NOTDEL Subject =~ /^MESSAGE NOT DELIVERED: /
header __BOUNCE_ADDR_ERR Subject =~ /^e-mail addressing error \(/
header __BOUNCE_NO_VAL Subject =~ /^No valid recipient in /
header __BOUNCE_DATA_FORMAT Subject =~ /^Returned mail: Data format error$/
header __BOUNCE_COULD_NOT Subject =~ /^Mail could not be delivered$/
header __BOUNCE_UNDEL_MSG Subject =~ /^Undeliverable (?:Message|Mail)$/
header __BOUNCE_CTYPE Content-Type =~ /\bmultipart\/report\b/
header __BOUNCE_DEL_FAIL Subject =~ /^Delivery Failure Notification/
header __BOUNCE_STAT_FAIL Subject =~ /^Delivery Status Notification/
header __BOUNCE_NOTIF Subject =~ /^Notification d\'.tat de la distribution$/
header __BOUNCE_RET_MAIL Subject =~ /^Returned Mail$/
header __BOUNCE_DEL_FAIL Subject =~ /^DELIVERY FAILURE/i
header __BOUNCE_MAIL_DEL_FAIL Subject =~ /^Mail Delivery Failure$/
header __NONBOUNCE_READ_RECEIPT_CTYPE Content-Type =~ /\breport-type=disposition-notification\b/
# bug 6051, some bounces *do* use that ctype
header __YESBOUNCE_AUTO_REPLIED_REJ Auto-Submitted =~ /^auto-replied \(rejected\)/
meta __NONBOUNCE_READ_RECEIPT (__NONBOUNCE_READ_RECEIPT_CTYPE && !__YESBOUNCE_AUTO_REPLIED_REJ)
# Return-path: <delete@errmail.kagoya.net>
# 'Invalid e-mail address.'
header __BOUNCE_RPATH_ERRMAIL Return-Path =~ /delete\@errmail\./i
header __BOUNCE_AUTO_RESPOND Subject =~ /^(?:Automatically Generated Response from |Auto-Respond E-Mail from )/
header __BOUNCE_AUTO_RESPONSE Subject =~ /^automated response$/i
body __BOUNCE_ETRUST /^eTrust Secure Content Manager SMTPMAIL could not deliver the e-mail /
header __BOUNCE_INTERSCAN From =~ /\bInterscan MSS Notification\b/
body __BOUNCE_NO_RESEND /\bPlease do not resend your original message\./
header __BOUNCE_AUTO_REPLY Subject =~ /\b(automatic reply|AutoReply)\b/
meta BOUNCE_MESSAGE __HAVE_BOUNCE_RELAYS && !OOOBOUNCE_MESSAGE && !__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON || (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_STAT_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND || __BOUNCE_NOTIF || __BOUNCE_RET_MAIL || __BOUNCE_DEL_FAIL || __BOUNCE_MAIL_DEL_FAIL || __BOUNCE_AUTO_REPLY)
describe BOUNCE_MESSAGE MTA bounce message
# ---------------------------------------------------------------------------
# Out Of Office bounces
# Do not use subject/body rules without checking for autoreply headers also
header __AUTOREPLY_XAR X-Autoreply =~ /\byes/i
header __AUTOREPLY_PRE Precedence =~ /\bauto_reply/i
header __AUTOREPLY_XPR X-Precedence =~ /\bauto_reply/i
header __AUTOREPLY_ASU Auto-Submitted =~ /\bauto-(?:replied|generated)(?! \(rejected\))/i
meta __BOUNCE_OOO_ARHDR __AUTOREPLY_XAR || __AUTOREPLY_PRE || __AUTOREPLY_XPR || __AUTOREPLY_ASU
# Standalone subjects that are clearly out of office
header __BOUNCE_OOO_S1 Subject =~ /^R.ponse automatique d'absence du bureau/
header __BOUNCE_OOO_S2 Subject =~ / \(away from the office\)$/
header __BOUNCE_OOO_S3 Subject =~ /^Out Of Office\b/
meta __BOUNCE_OOO_SUBJECT __BOUNCE_OOO_S1 || __BOUNCE_OOO_S2 || __BOUNCE_OOO_S3
# Standalone body clauses that are clearly out of office
body __BOUNCE_OOO_B1 /\bI ?.m away until .{10,20} and am unable to read your message\b/
body __BOUNCE_OOO_B2 /\bI am currently out of the office\b/
meta __BOUNCE_OOO_BODY __BOUNCE_OOO_B1 || __BOUNCE_OOO_B2
# Combined subject+body checks
header __BOUNCE_OOO_CS1 Subject =~ /^Automa(?:tic reply|attinen vastaus|tisch antwoord):/
body __BOUNCE_OOO_CB1 /\bout of (?:the )?office\b/i
body __BOUNCE_OOO_CB2 /\bon (?:vacation|holiday)\b/i
body __BOUNCE_OOO_CB3 /\bolen lomalla\b/i
body __BOUNCE_OOO_CB4 /\breturn to (?:the )?office\b/i
meta __BOUNCE_OOO_SUBJBODY __BOUNCE_OOO_CS1 && (__BOUNCE_OOO_CB1 || __BOUNCE_OOO_CB2 || __BOUNCE_OOO_CB3 || __BOUNCE_OOO_CB4)
meta OOOBOUNCE_MESSAGE __BOUNCE_OOO_ARHDR && (__BOUNCE_OOO_SUBJECT || __BOUNCE_OOO_BODY || __BOUNCE_OOO_SUBJBODY)
describe OOOBOUNCE_MESSAGE Out Of Office bounce message
# ---------------------------------------------------------------------------
# Challenge/Response bounces
header __CRBOUNCE_UOL From =~ /\bAntiSpam UOL\b/
header __CRBOUNCE_VERIF Subject =~ /^(?:Your email requires verification verify:\S|Please Verify Your Email Address)/
header __CRBOUNCE_RP Return-Path =~ /<(?:spamblocker-challenge|spambush|apd\.sspam|spamhippo|devnull-quarantine)\@/i
header __CRBOUNCE_RP_2 Return-Path =~ /\@(?:spamstomp\.com|ipermitmail\.com)>$/i
header __CRBOUNCE_VANQ From =~ /<confirm-\S+\@spamguard\.vanquish\.com>/
header __CRBOUNCE_QURB Subject =~ /\[Qurb .\d+\]$/
uri __CRBOUNCE_0SPAM1 /^http:\/\/www\.0spam\.com\/v/
header __CRBOUNCE_0SPAM2 From:addr =~ /^verify\@0spam.com$/
meta __CRBOUNCE_0SPAM (__CRBOUNCE_0SPAM1 && __CRBOUNCE_0SPAM2)
header __CRBOUNCE_SPAMARREST exists:X-Spamarrest-noauth
# https://mailinblack.com , a French C/R system with no other reliable
# signatures. annoying!
header __CRBOUNCE_MIB Content-Type =~ /mUlTiPaRtBoUnDaRy_MailInBlack/
uri __CRBOUNCE_SI1 m,^http://si20.com/auth,
header __CRBOUNCE_SI2 From:addr =~ /^siweb\@si20\.com/
meta __CRBOUNCE_SI (__CRBOUNCE_SI1 && __CRBOUNCE_SI2)
# very frequent, using unrelated From lines; either spam or C/R, not yet
# sure which
header __CRBOUNCE_GETRESP Return-Path =~ /<bounce\S+\@\S+\.getresponse\.com>/
header __CRBOUNCE_TMDA Message-Id =~ /\@\S+\-tmda\-confirm>$/
header __CRBOUNCE_ASK X-AskVersion =~ /\d/
header __CRBOUNCE_SZ X-Spamazoid-MD =~ /\d/
header __CRBOUNCE_SPAMLION Spamlion =~ /\S/
# something called /cgi-bin/notaspammer does this!
header __CRBOUNCE_PREC_SPAM Precedence =~ /spam/
header __AUTO_GEN_XBT exists:X-Boxtrapper
header __AUTO_GEN_BBTL exists:X-Bluebottle-Request
meta __CRBOUNCE_HEADER (__AUTO_GEN_XBT || __AUTO_GEN_BBTL)
header __CRBOUNCE_EXI X-ExiSpam =~ /ExiSpam/
header __CRBOUNCE_UNVERIF Subject =~ /^Unverified email to /
header __CRBOUNCE_BLOCKED Subject =~ /^\*\*Message you sent blocked by our bulk email filter\*\*$/
meta __CHALLENGE_RESPONSE __CRBOUNCE_UOL || __CRBOUNCE_VERIF || __CRBOUNCE_RP || __CRBOUNCE_VANQ || __CRBOUNCE_HEADER || __CRBOUNCE_QURB || __CRBOUNCE_0SPAM || __CRBOUNCE_GETRESP || __CRBOUNCE_TMDA || __CRBOUNCE_ASK || __CRBOUNCE_EXI || __CRBOUNCE_PREC_SPAM || __CRBOUNCE_SZ || __CRBOUNCE_SPAMLION || __CRBOUNCE_MIB || __CRBOUNCE_SI || __CRBOUNCE_UNVERIF || __CRBOUNCE_RP_2 || __CRBOUNCE_BLOCKED || __CRBOUNCE_SPAMARREST
meta CHALLENGE_RESPONSE __MY_SERVERS_FOUND && __CHALLENGE_RESPONSE
describe CHALLENGE_RESPONSE Challenge-Response message for mail you sent
meta CRBOUNCE_MESSAGE !__MY_SERVERS_FOUND && __CHALLENGE_RESPONSE
describe CRBOUNCE_MESSAGE Challenge-Response bounce message
# ---------------------------------------------------------------------------
# "Virus found in your mail" bounces
# source: VirusBounceRules from the exit0 SA wiki
body __VBOUNCE_EXIM /a potentially executable attachment /
body __VBOUNCE_STRIP_ATTACH /\bhas stripped one or more attachments from the following message\b/
body __VBOUNCE_GUIN /message contains file attachments that are not permitted/
body __VBOUNCE_CISCO /^Found virus \S+ in file \S/m
body __VBOUNCE_SMTP /host \S+ said: 5\d\d\s+Error: Message content rejected/
body __VBOUNCE_AOL /TRANSACTION FAILED - Unrepairable Virus Detected. /
body __VBOUNCE_DUTCH /bevatte bijlage besmet welke besmet was met een virus/
body __VBOUNCE_MAILMARSHAL /Mail.?Marshal Rule: Inbound Messages : Block Dangerous Attachments/
header __VBOUNCE_MAILMARSHAL2 Subject =~ /^MailMarshal has detected possible spam in your message/
header __VBOUNCE_NAVFAIL Subject =~ /^Norton Anti.?Virus failed to scan an attachment in a message you sent/
header __VBOUNCE_REJECTED Subject =~ /^EMAIL REJECTED$/
header __VBOUNCE_PROBLEME Subject:raw =~ /^=?iso-8859-1?Q?Messagerie_.{1,100}_=3A_probl=E8me_de_s=E9curit=E9=2E?=/
header __VBOUNCE_NAV Subject =~ /^Norton Anti.?Virus detected and quarantined/
header __VBOUNCE_MELDING Subject =~ /^Virusmelding$/
body __VBOUNCE_VALERT /The mail message \S+ \S+ you sent to \S+ contains the virus/
body __VBOUNCE_REJ_FILT /Reason: Rejected by filter/
header __VBOUNCE_YOUSENT Subject =~ /^Warning - You sent a Virus Infected Email to /
body __VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or more virus/
header __VBOUNCE_SCREENSAVER Subject =~ /\b(?:Re: ?)Wicked screensaver\b/i
header __VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/
header __VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/
header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i
header __VBOUNCE_DETECTED Subject =~ /^Virus detected /i
header __VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i
header __VBOUNCE_VIOLATION Subject =~ /^Content violation/i
header __VBOUNCE_ALERT Subject =~ /^Virus Alert\b/i
header __VBOUNCE_NAV2 Subject =~ /^NAV detected a virus in a document /
body __VBOUNCE_NAV3 /^Reporting-MTA: Norton Anti.?Virus Gateway/
header __VBOUNCE_INTERSCAN2 Subject =~ /^InterScan MSS for SMTP has delivered a message/
header __VBOUNCE_INTERSCAN3 Subject =~ /^InterScan NT Alert/
header __VBOUNCE_ANTIGEN Subject =~ /^Antigen found\b/i
header __VBOUNCE_LUTHER From =~ /\blutherh\@stratcom.com\b/
header __VBOUNCE_AMAVISD Subject =~ /^VIRUS IN YOUR MAIL /i
body __VBOUNCE_AMAVISD2 /\bV I R U S\b/
header __VBOUNCE_GSHIELD Subject =~ /^McAfee GroupShield Alert/
# off: got an FP in a simple forward
# rawbody __VBOUNCE_SUBJ_IN_MAIL /^\s*Subject:\s*(Re: )*((my|your) )?(application|details)/i
# rawbody __VBOUNCE_SUBJ_IN_MAIL2 /^\s*Subject:\s*(Re: )*(Thank you!?|That movie|Wicked screensaver|Approved)/i
header __VBOUNCE_SCANMAIL Subject =~ /^Scan.?Mail Message: .{0,30} virus found /i
header __VBOUNCE_DOMINO1 Subject =~ /^Report to Sender/
body __VBOUNCE_DOMINO2 /^Incident Information:/
header __VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/
body __VBOUNCE_ATTACHMENT0 /(?:Attachment.{0,40}was Deleted|the infected attachment)/
# Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages.
body __VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i
header __VBOUNCE_SENDER Subject =~ /^Virus to sender/
body __VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i
header __VBOUNCE_MAILSWEEP3 From =~ /\bmailsweeper\b/i
# Bart says: This one could replace both MAILSWEEP2 and MAILSWEEP as far as I can tell.
# Perhaps it's too general?
body __VBOUNCE_CLICKBANK /\bvirus scanner deleted your message\b/i
header __VBOUNCE_FORBIDDEN Subject =~ /\bFile type Forbidden\b/
header __VBOUNCE_MMS Subject =~ /^MMS Notification/
# added by JoeyKelly
header __VBOUNCE_JMAIL Subject =~ /^Message Undeliverable: Possible Junk\/Spam Mail Identified$/
body __VBOUNCE_QUOTED_EXE /> TVqQAAMAAAAEAAAA/
# majordomo is really stupid about this stuff
header __MAJORDOMO_SUBJ Subject =~ /^Majordomo results: /
rawbody __MAJORDOMO_HELP_BODY /\*\*\*\* Help for [mM]ajordomo\@/
rawbody __MAJORDOMO_HELP_BODY2 /\*\*\*\* Command \'.{0,80}\' not recognized\b/
meta __VBOUNCE_MAJORDOMO_HELP (__MAJORDOMO_SUBJ && __MAJORDOMO_HELP_BODY && __MAJORDOMO_HELP_BODY2)
header __VBOUNCE_AV_RESULTS Subject =~ /AntiVirus scan results/
header __VBOUNCE_EMVD Subject =~ /^Warning: E-mail viruses detected/
header __VBOUNCE_UNDELIV Subject =~ /^Undeliverable mail, invalid characters in header/
header __VBOUNCE_BANNED_MAT Subject =~ /^Banned or potentially offensive material/
header __VBOUNCE_NAV_DETECT Subject =~ /^Norton AntiVirus detected and quarantined/
header __VBOUNCE_DEL_WARN Subject =~ /^Delivery (?:warning|error) report id=/
header __VBOUNCE_MIME_INFO Subject =~ /^The MIME information you requested/
header __VBOUNCE_EMAIL_REJ Subject =~ /^EMAIL REJECTED/
header __VBOUNCE_CONT_VIOL Subject =~ /^Content violation/
header __VBOUNCE_SYM_AVF Subject =~ /^Symantec AVF detected /
header __VBOUNCE_SYM_EMP Subject =~ /^Symantec E-Mail-Proxy /
header __VBOUNCE_VIR_FOUND Subject =~ /^Virus Found in message/
header __VBOUNCE_INFLEX Subject =~ /^Inflex scan report \[/
header __VBOUNCE_BITDEFENDER X-Mailer =~ /^BitDefender VShield/
header __VBOUNCE_INF_ATTACH Subject =~ /^\[Mail Delivery .{20,100} infected attachment *removed/
header __VBOUNCE_RAPPORT Subject =~ /^Spam rapport \/ Spam report \S+ -\s+\(\S+\)$/
header __VBOUNCE_GWAVA Subject =~ /^GWAVA Sender Notification \(RBL block\)$/
header __VBOUNCE_GWAVA2 Subject =~ /Blocked Message \(RBL block\)$/
header __VBOUNCE_EMANAGER Subject =~ /^\[MailServer Notification\]/
header __VBOUNCE_MSGLABS Return-Path =~ /alert\@notification\.messagelabs\.com/i
body __VBOUNCE_ATT_QUAR /\bThe attachment was quarantined\b/
body __VBOUNCE_SECURIQ /\bGROUP securiQ.Wall\b/
header __VBOUNCE_PT_BLOCKED Subject =~ /^\*\*\*\s*Mensagem Bloqueada/i
meta VBOUNCE_MESSAGE !__MY_SERVERS_FOUND && (__VBOUNCE_MSGLABS || __VBOUNCE_EXIM || __VBOUNCE_GUIN || __VBOUNCE_CISCO || __VBOUNCE_SMTP || __VBOUNCE_AOL || __VBOUNCE_DUTCH || __VBOUNCE_MAILMARSHAL || __VBOUNCE_MAILMARSHAL2 || __VBOUNCE_NAVFAIL || __VBOUNCE_REJECTED || __VBOUNCE_PROBLEME || __VBOUNCE_NAV || __VBOUNCE_MELDING || __VBOUNCE_VALERT || __VBOUNCE_REJ_FILT || __VBOUNCE_YOUSENT || __VBOUNCE_MAILSWEEP || __VBOUNCE_SCREENSAVER || __VBOUNCE_DISALLOWED || __VBOUNCE_FROMPT || __VBOUNCE_WARNING || __VBOUNCE_DETECTED || __VBOUNCE_INTERSCAN || __VBOUNCE_VIOLATION || __VBOUNCE_ALERT || __VBOUNCE_NAV2 || __VBOUNCE_NAV3 || __VBOUNCE_INTERSCAN2 || __VBOUNCE_INTERSCAN3 || __VBOUNCE_ANTIGEN || __VBOUNCE_LUTHER || __VBOUNCE_AMAVISD || __VBOUNCE_AMAVISD2 || __VBOUNCE_SCANMAIL || __VBOUNCE_DOMINO1 || __VBOUNCE_DOMINO2 || __VBOUNCE_RAV || __VBOUNCE_GSHIELD || __VBOUNCE_ATTACHMENT0 || __VBOUNCE_AVREPORT0 || __VBOUNCE_SENDER || __VBOUNCE_MAILSWEEP2 || __VBOUNCE_MAILSWEEP3 || __VBOUNCE_CLICKBANK || __VBOUNCE_FORBIDDEN || __VBOUNCE_MMS || __VBOUNCE_QUOTED_EXE || __VBOUNCE_MAJORDOMO_HELP || __VBOUNCE_AV_RESULTS || __VBOUNCE_EMVD || __VBOUNCE_UNDELIV || __VBOUNCE_BANNED_MAT || __VBOUNCE_NAV_DETECT || __VBOUNCE_DEL_WARN || __VBOUNCE_MIME_INFO || __VBOUNCE_EMAIL_REJ || __VBOUNCE_CONT_VIOL || __VBOUNCE_SYM_AVF || __VBOUNCE_SYM_EMP || __VBOUNCE_ATT_QUAR || __VBOUNCE_SECURIQ || __VBOUNCE_VIR_FOUND || __VBOUNCE_EMANAGER || __VBOUNCE_JMAIL || __VBOUNCE_GWAVA || __VBOUNCE_GWAVA2 || __VBOUNCE_PT_BLOCKED || __VBOUNCE_INFLEX || __VBOUNCE_INF_ATTACH || __VBOUNCE_STRIP_ATTACH || __VBOUNCE_BITDEFENDER)
describe VBOUNCE_MESSAGE Virus-scanner bounce message
# ---------------------------------------------------------------------------
# a catch-all type for all the above
meta ANY_BOUNCE_MESSAGE (CRBOUNCE_MESSAGE||BOUNCE_MESSAGE||VBOUNCE_MESSAGE||OOOBOUNCE_MESSAGE)
describe ANY_BOUNCE_MESSAGE Message is some kind of bounce message
endif

83
sa-updates/23_bayes.cf Normal file
View File

@ -0,0 +1,83 @@
# SpamAssassin basic config file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::Bayes
body BAYES_00 eval:check_bayes('0.00', '0.01')
body BAYES_05 eval:check_bayes('0.01', '0.05')
body BAYES_20 eval:check_bayes('0.05', '0.20')
body BAYES_40 eval:check_bayes('0.20', '0.40')
# note: tread carefully around 0.5... the Bayesian classifier
# will use that for anything it's unsure about, or if it's untrained.
body BAYES_50 eval:check_bayes('0.40', '0.60')
body BAYES_60 eval:check_bayes('0.60', '0.80')
body BAYES_80 eval:check_bayes('0.80', '0.95')
body BAYES_95 eval:check_bayes('0.95', '0.99')
body BAYES_99 eval:check_bayes('0.99', '1.00')
#Additional rule to add more of a score to BAYES_99 FOR 99.9% to 100%
body BAYES_999 eval:check_bayes('0.999', '1.00')
tflags BAYES_00 nice learn
tflags BAYES_05 nice learn
tflags BAYES_20 nice learn
tflags BAYES_40 nice learn
tflags BAYES_50 learn
tflags BAYES_60 learn
tflags BAYES_80 learn
tflags BAYES_95 learn
tflags BAYES_99 learn
tflags BAYES_999 learn
describe BAYES_00 Bayes spam probability is 0 to 1%
describe BAYES_05 Bayes spam probability is 1 to 5%
describe BAYES_20 Bayes spam probability is 5 to 20%
describe BAYES_40 Bayes spam probability is 20 to 40%
describe BAYES_50 Bayes spam probability is 40 to 60%
describe BAYES_60 Bayes spam probability is 60 to 80%
describe BAYES_80 Bayes spam probability is 80 to 95%
describe BAYES_95 Bayes spam probability is 95 to 99%
describe BAYES_99 Bayes spam probability is 99 to 100%
describe BAYES_999 Bayes spam probability is 99.9 to 100%
priority BAYES_00 -90
priority BAYES_05 -90
priority BAYES_20 -90
priority BAYES_40 -90
priority BAYES_50 -90
priority BAYES_60 -90
priority BAYES_80 -90
priority BAYES_95 -90
priority BAYES_99 -90
priority BAYES_99 -90
priority BAYES_999 -90
endif

36
sa-updates/25_accessdb.cf Normal file
View File

@ -0,0 +1,36 @@
# SpamAssassin rules file: accessdb tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::AccessDB
# this code uses an access database (sendmail, postfix, etc.)
# Since you need to actively create an accessdb to use it, the plugin
# and rule is considered userconf and is disabled by default.
header ACCESSDB eval:check_access_database('/etc/mail/access.db')
describe ACCESSDB Message would have been caught by accessdb
tflags ACCESSDB userconf
score ACCESSDB 0
endif

36
sa-updates/25_antivirus.cf Normal file
View File

@ -0,0 +1,36 @@
# SpamAssassin - anti-virus rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Requires the Mail::SpamAssassin::Plugin::AntiVirus plugin be loaded.
ifplugin Mail::SpamAssassin::Plugin::AntiVirus
body MICROSOFT_EXECUTABLE eval:check_microsoft_executable()
describe MICROSOFT_EXECUTABLE Message includes Microsoft executable program
body MIME_SUSPECT_NAME eval:check_suspect_name()
describe MIME_SUSPECT_NAME MIME filename does not match content
endif # Mail::SpamAssassin::Plugin::AntiVirus

45
sa-updates/25_asn.cf Normal file
View File

@ -0,0 +1,45 @@
# SpamAssassin - ASN rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Requires the Mail::SpamAssassin::Plugin::ASN plugin be loaded.
# This plugin queries asn.routeviews.org for ASN and route info and adds a
# header containing the data returned so that it can be used by the bayes
# tokenizer. See the plugin's POD docs for more info.
# Apply default ASN rules for pre-4.0 clients only.
# Usage changed in 4.0: there is also direct GeoDB/GeoIP support,
# users should configure manually as described in plugin documentation.
ifplugin Mail::SpamAssassin::Plugin::ASN
if can(Mail::SpamAssassin::Plugin::ASN::has_check_asn)
asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
add_header all ASN _ASN_ _ASNCIDR_
# IPv6 support (Bug 7211)
#if can(Mail::SpamAssassin::Plugin::ASN::has_asn_lookup_ipv6)
# asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
#endif
endif # has_check_asn
endif # Mail::SpamAssassin::Plugin::ASN

80
sa-updates/25_dcc.cf Normal file
View File

@ -0,0 +1,80 @@
# SpamAssassin rules file: dcc tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
##
## SpamAssassin 4.0.0 note:
## DCC rule priorities are automatically adjusted to -100 when dccifd in use
## (async lookup)
##
ifplugin Mail::SpamAssassin::Plugin::DCC
full DCC_CHECK eval:check_dcc()
describe DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
tflags DCC_CHECK net
priority DCC_CHECK 10
reuse DCC_CHECK
# to receive reputation data from DCC servers requires a commercial license
# Update 2019: reputation data is free starting from DCC 2.x version
full DCC_REPUT_00_12 eval:check_dcc_reputation_range(00,12)
describe DCC_REPUT_00_12 DCC reputation between 0 and 12 % (mostly ham)
tflags DCC_REPUT_00_12 nice net noautolearn
priority DCC_REPUT_00_12 10
reuse DCC_REPUT_00_12
full DCC_REPUT_13_19 eval:check_dcc_reputation_range(13,19)
describe DCC_REPUT_13_19 DCC reputation between 13 and 19 %
tflags DCC_REPUT_13_19 net nice
priority DCC_REPUT_13_19 10
reuse DCC_REPUT_13_19
full DCC_REPUT_70_89 eval:check_dcc_reputation_range(70,89)
describe DCC_REPUT_70_89 DCC reputation between 70 and 89 %
tflags DCC_REPUT_70_89 net
priority DCC_REPUT_70_89 10
reuse DCC_REPUT_70_89
full DCC_REPUT_90_94 eval:check_dcc_reputation_range(90,94)
describe DCC_REPUT_90_94 DCC reputation between 90 and 94 %
tflags DCC_REPUT_90_94 net
priority DCC_REPUT_90_94 10
reuse DCC_REPUT_90_94
full DCC_REPUT_95_98 eval:check_dcc_reputation_range(95,98)
describe DCC_REPUT_95_98 DCC reputation between 95 and 98 % (mostly spam)
tflags DCC_REPUT_95_98 net
priority DCC_REPUT_95_98 10
reuse DCC_REPUT_95_98
full DCC_REPUT_99_100 eval:check_dcc_reputation_range(99)
describe DCC_REPUT_99_100 DCC reputation between 99 % or higher (spam)
tflags DCC_REPUT_99_100 net
priority DCC_REPUT_99_100 10
reuse DCC_REPUT_99_100
endif

132
sa-updates/25_dkim.cf Normal file
View File

@ -0,0 +1,132 @@
# SpamAssassin - DKIM rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Requires the Mail::SpamAssassin::Plugin::DKIM plugin be loaded.
ifplugin Mail::SpamAssassin::Plugin::DKIM
# Note: DKIM_SIGNED, DKIM_VALID and DKIM_VALID_AU are mainly informational
# rules, and can serve as a basis for meta rules; it is not difficult for a
# sender to cause hits on them or to prevent them from firing, so their score
# should be kept low.
full DKIM_SIGNED eval:check_dkim_signed()
describe DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
tflags DKIM_SIGNED net
reuse DKIM_SIGNED
full DKIM_VALID eval:check_dkim_valid()
describe DKIM_VALID Message has at least one valid DKIM or DK signature
tflags DKIM_VALID net nice
reuse DKIM_VALID
meta DKIM_INVALID DKIM_SIGNED && !DKIM_VALID
describe DKIM_INVALID DKIM or DK signature exists, but is not valid
full DKIM_VALID_AU eval:check_dkim_valid_author_sig()
describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
tflags DKIM_VALID_AU net nice
reuse DKIM_VALID_AU
if (version >= 3.004002)
full DKIM_VALID_EF eval:check_dkim_valid_envelopefrom()
describe DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain
tflags DKIM_VALID_EF net nice
reuse DKIM_VALID_EF
endif
full __DKIM_DEPENDABLE eval:check_dkim_dependable()
describe __DKIM_DEPENDABLE A validation failure not attributable to truncation
reuse __DKIM_DEPENDABLE
header DKIM_ADSP_NXDOMAIN eval:check_dkim_adsp('N')
describe DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
tflags DKIM_ADSP_NXDOMAIN net
reuse DKIM_ADSP_NXDOMAIN
header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D')
describe DKIM_ADSP_DISCARD No valid author signature, domain signs all mail and suggests discarding the rest
tflags DKIM_ADSP_DISCARD net
reuse DKIM_ADSP_DISCARD
header DKIM_ADSP_ALL eval:check_dkim_adsp('A')
describe DKIM_ADSP_ALL No valid author signature, domain signs all mail
tflags DKIM_ADSP_ALL net
reuse DKIM_ADSP_ALL
header DKIM_ADSP_CUSTOM_LOW eval:check_dkim_adsp('1')
describe DKIM_ADSP_CUSTOM_LOW No valid author signature, adsp_override is CUSTOM_LOW
tflags DKIM_ADSP_CUSTOM_LOW net userconf
reuse DKIM_ADSP_CUSTOM_LOW
header DKIM_ADSP_CUSTOM_MED eval:check_dkim_adsp('2')
describe DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
tflags DKIM_ADSP_CUSTOM_MED net userconf
reuse DKIM_ADSP_CUSTOM_MED
header DKIM_ADSP_CUSTOM_HIGH eval:check_dkim_adsp('3')
describe DKIM_ADSP_CUSTOM_HIGH No valid author signature, adsp_override is CUSTOM_HIGH
tflags DKIM_ADSP_CUSTOM_HIGH net userconf
reuse DKIM_ADSP_CUSTOM_HIGH
full __RESIGNER1 eval:check_dkim_valid('linkedin.com')
tflags __RESIGNER1 net
reuse __RESIGNER1
full __RESIGNER2 eval:check_dkim_valid('googlegroups.com','yahoogroups.com','yahoogroups.de')
tflags __RESIGNER2 net
reuse __RESIGNER2
meta __VIA_RESIGNER __RESIGNER1 || __RESIGNER2
describe __VIA_RESIGNER Mail through a popular signing remailer
meta NML_ADSP_CUSTOM_LOW DKIM_ADSP_CUSTOM_LOW && !__VIA_ML && !__VIA_RESIGNER
describe NML_ADSP_CUSTOM_LOW ADSP custom_low hit, and not from a mailing list
meta NML_ADSP_CUSTOM_MED DKIM_ADSP_CUSTOM_MED && !__VIA_ML && !__VIA_RESIGNER
describe NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
meta NML_ADSP_CUSTOM_HIGH DKIM_ADSP_CUSTOM_HIGH && !__VIA_ML && !__VIA_RESIGNER
describe NML_ADSP_CUSTOM_HIGH ADSP custom_high hit, and not from a mailing list
#
# old, declared for compatibility with pre-3.3, should have scores 0
#
full DKIM_VERIFIED eval:check_dkim_valid()
tflags DKIM_VERIFIED net nice
reuse DKIM_VERIFIED
header DKIM_POLICY_TESTING eval:check_dkim_testing()
tflags DKIM_POLICY_TESTING net nice
reuse DKIM_POLICY_TESTING
header DKIM_POLICY_SIGNSOME eval:check_dkim_signsome()
tflags DKIM_POLICY_SIGNSOME net nice
reuse DKIM_POLICY_SIGNSOME
header DKIM_POLICY_SIGNALL eval:check_dkim_signall()
tflags DKIM_POLICY_SIGNALL net nice
reuse DKIM_POLICY_SIGNALL
endif # Mail::SpamAssassin::Plugin::DKIM

70
sa-updates/25_dnswl.cf Normal file
View File

@ -0,0 +1,70 @@
# SpamAssassin rules file: DNSWL tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::DNSEval
# 0.000 0.0000 0.0000 0.500 1.00 -8.00 T_RCVD_IN_DNSWL_HI
# 0.817 0.2509 3.5683 0.066 0.50 1.00 __RCVD_IN_DNSWL
# 0.059 0.0000 0.3481 0.000 0.50 -1.00 T_RCVD_IN_DNSWL_LOW
# 0.163 0.0000 0.9574 0.000 0.00 -4.00 T_RCVD_IN_DNSWL_MED
header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
tflags __RCVD_IN_DNSWL nice net
reuse __RCVD_IN_DNSWL
header RCVD_IN_DNSWL_NONE eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.0$')
describe RCVD_IN_DNSWL_NONE Sender listed at https://www.dnswl.org/, no trust
tflags RCVD_IN_DNSWL_NONE nice net
reuse RCVD_IN_DNSWL_NONE
header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.1$')
describe RCVD_IN_DNSWL_LOW Sender listed at https://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW nice net
reuse RCVD_IN_DNSWL_LOW
header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.2$')
describe RCVD_IN_DNSWL_MED Sender listed at https://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED nice net
reuse RCVD_IN_DNSWL_MED
header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.3$')
describe RCVD_IN_DNSWL_HI Sender listed at https://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI nice net
reuse RCVD_IN_DNSWL_HI
## score RCVD_IN_DNSWL_LOW -1
## score RCVD_IN_DNSWL_MED -4
## score RCVD_IN_DNSWL_HI -8
header RCVD_IN_DNSWL_BLOCKED eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.255$')
describe RCVD_IN_DNSWL_BLOCKED ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags RCVD_IN_DNSWL_BLOCKED net noautolearn
reuse RCVD_IN_DNSWL_BLOCKED
if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule RCVD_IN_DNSWL_BLOCKED list.dnswl.org
endif
endif

40
sa-updates/25_pyzor.cf Normal file
View File

@ -0,0 +1,40 @@
# SpamAssassin rules file: pyzor rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
##
## SpamAssassin 4.0.0 note:
## PYZOR rule priorities are automatically adjusted to -100 when pyzor_fork
## option is enabled (async lookup)
##
ifplugin Mail::SpamAssassin::Plugin::Pyzor
full PYZOR_CHECK eval:check_pyzor()
describe PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
tflags PYZOR_CHECK net
priority PYZOR_CHECK 30
reuse PYZOR_CHECK
endif

72
sa-updates/25_razor2.cf Normal file
View File

@ -0,0 +1,72 @@
# SpamAssassin rules file: razor2 tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
##
## SpamAssassin 4.0.0 note:
## RAZOR rule priorities are automatically adjusted to -100 when razor_fork
## option is enabled (async lookup)
##
ifplugin Mail::SpamAssassin::Plugin::Razor2
full RAZOR2_CHECK eval:check_razor2()
describe RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
tflags RAZOR2_CHECK net
priority RAZOR2_CHECK 20
reuse RAZOR2_CHECK
lang de describe RAZOR2_CHECK Gelistet im "Razor2"-System (http://razor.sf.net/)
lang nl describe RAZOR2_CHECK Gevonden in Razor2 (http://razor.sf.net/)
lang fr describe RAZOR2_CHECK Message listé par Razor2, voir http://razor.sourceforge.net
lang pl describe RAZOR2_CHECK Na licie Razor2 (http://razor.sf.net/)
# cf (confidence level) is how likely the message is spam. RAZOR2_CHECK
# returns true if cf>=min_cf (as defined by user/config). These return
# true depending on what cf value the message has. The algorithm goes:
# check the message via razor, then go through each mime part and check
# how razor scored it. If the part is contested (ie: it's been reported
# as both ham and spam) it's ignored. SA takes the highest non-contested
# part cf score and returns it for the range rules. ie: This is essentially
# Razor 2's logic_method 4.
#
# Note: Disabling RAZOR2_CHECK (score RAZOR2_CHECK 0) will also disable
# these checks.
#
# Note: The scores are set to 0 on these tests right now until they get
# better integrated with SA overall.
#
full RAZOR2_CF_RANGE_51_100 eval:check_razor2_range('','51','100')
tflags RAZOR2_CF_RANGE_51_100 net
priority RAZOR2_CF_RANGE_51_100 20
reuse RAZOR2_CF_RANGE_51_100
describe RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
lang de describe RAZOR2_CF_RANGE_51_100 Razor2 Spam-Bewertung liegt zwischen 51 und 100
lang fr describe RAZOR2_CF_RANGE_51_100 Razor2 donne un indice de confiance entre 51 et 100
lang nl describe RAZOR2_CF_RANGE_51_100 Razor2 geeft een zekerheid tussen 51 en 100
lang pl describe RAZOR2_CF_RANGE_51_100 Razor2 stwierdzi³ pewnoæ pomiêdzy 51 i 100
endif

210
sa-updates/25_replace.cf Normal file
View File

@ -0,0 +1,210 @@
# SpamAssassin - ReplaceTags configuration
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Requires the Mail::SpamAssassin::Plugin::ReplaceTags plugin be loaded.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_tag A (?:[aA\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe6]|[\xb6\xc1\xc4\xcb]|[\xc3][\x80\x81\x82\x83\x84\x85\xa0\xa1\xa2\xa3\xa4\xa5]|[\xc4][\x80\x81\x82\x83\x84\x85]|[\xce][\x86\x91\x94\x9b\xac\xb1]|[\xd0][\x90\xb0]|[\xd1][\xa6\xa7]|[\xd3][\x90\x91\x92\x93]|[\xe1](?:[\x8e][\xaa]|[\xb8][\x80\x81]|[\xba][\x9a\xa0-\xb7]|[\xbc][\x80-\x8f]|[\xbd][\xb0\xb1]|[\xbe][\x80-\x8f\xb0-\xbc])|[\xf0][\x9d](?:[\x90][\x80\x9a\xb4]|[\x91][\x8e\xa8]|[\x92][\x82\x9c\xb6]|[\x93][\x90\xaa]|[\x94][\xb8\x92]|[\x95][\x92]|[\x96][\xa0\xba]|[\x97][\x94\xae]|[\x98][\x88\xa2\xbc]|[\x99][\x96\xb0]|[\x9a][\x8a\xa8]|[\x9b][\x82\xa2\xbc]|[\x9c][\x9c\xb6]|[\x9d][\x96\xb0]|[\x9e][\x90\xaa]))
replace_tag B (?:[bB8\xc2\xe2]|[\xce][\x92\xb2]|[\xcf][\x90\xb8]|[\xc3][\x9f]|[\xc6][\x80\x81\x82\x83\x84\x85]|[\xce][\x92\xb2]|[\xcf][\x90]|[\xd0][\x91\x92\xac\xb1\xb2]|[\xd1][\x8a\x8c\xa2\xa3]|[\xd2][\x8c\x8d]|[\xe1](?:[\xb8][\x82-\x87]|[\xba][\x9e])|[\xf0][\x9d](?:[\x90][\x81\x9b\xb5]|[\x91][\x8f\xa9]|[\x92][\x83\x9d\xb7]|[\x93][\x91\xab]|[\x94][\x85\x9f\xb9]|[\x95][\x93\xad]|[\x96][\x87\xa1\xbb]|[\x97][\x95\xaf]|[\x98][\x89\xa3\xbd]|[\x99][\x97\xb1]|[\x9a][\x8b\xa9]|[\x9b][\x83\xa3\xbd]|[\x9c][\x9d\xb7]|[\x9d][\x97\xb1]|[\x9e][\x91\xab]))
replace_tag C (?:[cCk\xc7\xe7\xf2@]|[\xc3][\x87\xa7]|[\xc4][\x86\x87\x88\x89\x8a\x8b\x8c\x8d]|[\xc6][\x87\x88]|[\xcf][\x82\x9a\x9b\xb2\xb9\xbe]|[\xd0][\xa1]|[\xd1][\x81]|[\xd2][\x80\x81\xaa\xab]|[\xd5][\x87]|&\#(?:1(?:0(?:10|17|2[123]|57|89)|1(?:52|53|94|95)|99)|2(?:31|6[2-9])|39[12]|x(?:3(?:f2|f9|fe)|4(?:21|41|80|81|aa|ab)));|[\xe1](?:[\xb8][\x88\x89])|[\xf0][\x9d](?:[\x90][\x82\x9c\xb6]|[\x91][\x90\xaa]|[\x92][\x84\x9e\xb8]|[\x93][\x92\xac]|[\x94][\x86\xa0\xba]|[\x95][\x94\xae]|[\x96][\x88\xa2\xbc]|[\x97][\x96\xb0]|[\x98][\x8a\xa4\xbe]|[\x99][\x98\xb2]|[\x9a][\x8c]|[\x9b][\x93]|[\x9c][\x8d]|[\x9d][\x87]|[\x9e][\x81]))
replace_tag D (?:[dD\xd0]|[\xc3][\x90]|[\xc4][\x8e\x8f\x90\x91]|[\xc6][\x89\x8a]|[\xd4][\x80\x81]|[\xd5][\xaa]|[\xe1](?:[\xb8][\x8a-\x93])|[\xf0][\x9d](?:[\x90][\x83\x9d\xb7]|[\x91][\x91\xab]|[\x92][\x85\x9f\xb9]|[\x93][\x93\xad]|[\x94][\x87\xa1\xbb]|[\x95][\x95\xaf]|[\x96][\x89\xa3\xbd]|[\x97][\x97\xb1]|[\x98][\x8b\xa5\xbf]|[\x99][\x99\xb3]|[\x9a][\x8d]))
replace_tag E (?:[eE3\xb8\xc5\xd3\xdd\xe5\xee]|[\xc3][\x88\x89\x8a\x8b\xa8\xa9\xaa\xab]|[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]|[\xc8][\x84\x85\x86\x87\xa8\xa9]|[\xce][\x88\x95\xa3\xad\xb5\xbe]|[\xcf][\xb5]|[\xd0][\x80\x81\x84\x95\xb5]|[\xd1][\x90\x91\x94\xb3]|[\xd2][\xbc\xbd\xbe\xbf]|[\xd3][\x96\x97\xa9\xab]|[\xd4][\x90\x91]|[\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]|&\#(?:1(?:0(?:13|2[458]|45|77)|108|2(?:1[2-5]|3[89]|9[67]))|2(?:0[0-3]|3[2-5]|7[4-9]|8[0-3])|400|51[6-9]|5[58][23]|603|9(?:04|17|[34]1|4[19]));|[\xe1](?:[\xb8][\x94-\x9d]|[\xba][\xb8-\xbf]|[\xbb][\x80-\x87]|[\xbc][\x90-\x9d]|[\xbd][\xb2\xb3]|[\xbf][\x88\x89])|[\xf0][\x9d](?:[\x90][\x84\x9e\xb8]|[\x91][\x92\xac]|[\x92][\x86\xa0\xba]|[\x93][\x94\xae]|[\x94][\xa2\xbc]|[\x95][\x96]|[\x96][\x8a\xa4\xbe]|[\x97][\x98\xb2]|[\x98][\x8c\xa6]|[\x99][\x80\x9a\xb4]|[\x9a][\x8e\xac\xba]|[\x9b][\x86\x9c\xa6\xb4]|[\x9c][\x80\x96\xa0\xae\xba]|[\x9d][\x90\x9a\xa8\xb4]|[\x9e][\x8a\x94\xa2\xae]|[\x9f][\x84]))
replace_tag F (?:[fF]|[\xcf][\x9c\x9d]|[\xd2][\x92\x93]|[\xd3][\xba\xbb]|[\xd4][\xb2]|[\xd5][\xa2]|[\xe1](?:[\xb8][\x9e\x9f]|[\xba][\x9b\x9c\x9d])|[\xf0][\x9d](?:[\x90][\x85\x9f\xb9]|[\x91][\x93\xad]|[\x92][\x87\xa1\xbb]|[\x93][\x95\xaf]|[\x94][\xa3\xbd]|[\x95][\x97\xb1]|[\x96][\x8b\xa5\xbf]|[\x97][\x99\xb3]|[\x98][\x8d\xa7]|[\x99][\x81\x9b\xb5]|[\x9a][\x8f]|[\x9f][\x8a\x8b]))
replace_tag G (?:[gGk]|[\xc4][\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3]|[\xd2][\xa8\xa9]|[\xd4][\x8c\x8d]|[\xd6][\x81]|[\xf0][\x9d](?:[\x90][\x86\xa0\xba]|[\x91][\x94\xae]|[\x92][\x88\xa2\xbc]|[\x93][\x96\xb0]|[\x94][\xa4\xbe]|[\x95][\x98]|[\x96][\x8c\xa6]|[\x97][\x80\x9a\xb4]|[\x98][\x8e\xa8]|[\x99][\x82\x9c\xb6]|[\x9a][\x90]))
replace_tag H (?:[hH\xb9\xc7]|[\xc4][\xa4\xa5\xa6\xa7]|[\xce][\x89\x97]|[\xcf][\xa6]|[\xd0][\x8a\x8b\x9d\xbd]|[\xd1][\x92\x9b]|[\xd2][\x94\x95\xa2\xa3\xa4\xa5\xba\xbb]|[\xd3][\x87\x88\x89\x8a]|[\xd4][\xbb]|[\xd5][\xab\xb0]|&\#(?:2(?:22[3-6]|9[2-5])|54[23]|1(?:0(?:53|85)|18[6-9]|8(?:0(?:8[89]|9[0-5])|1(?:38[89]|340)))|919);|[\xe1](?:[\xb8][\xa2-\xab]|[\xba][\x96]|[\xbc][\xa8-\xaf]|[\xbe][\x98-\x9f]|[\xbf][\x8a-\x8c])|[\xf0][\x9d](?:[\x90][\x87\xa1\xbb]|[\x91][\x95\xaf]|[\x92][\x89\xa3\xbd]|[\x93][\x97\xb1]|[\x94][\xbf]|[\x95][\x99]|[\x96][\xa7]|[\x97][\x81\x9b\xb5]|[\x98][\x8f\xa9]|[\x99][\x83\x9d\xb7]|[\x9a][\x91\xae]|[\x9b][\xa8]|[\x9c][\xa2]|[\x9d][\x9c]|[\x9e][\x96]))
replace_tag I (?:[iIl|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef\xe9\xba\xc0\xc9\xda\xdf\xfa]|[\xc3][\x8c\x8d\x8e\x8f\xac\xad\xae\xaf]|[\xc4][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1]|[\xc7][\x8f\x90]|[\xce][\x8a\x90\x99\xaa\xaf\xb9]|[\xcf][\x8a]|[\xd0][\x86\x87]|[\xd1][\x96\x97]|[\xd3][\x80\x8f]|[\xd5][\xac]|&\#(?:1(?:03[01]|11[01]|216|231)|2(?:0[4-7]|16|3[6-9]|9[6-9])|3(?:0[0-5])|4(?:0[67]|6[34])|52[0-3]);|[\xe1](?:[\xb8][\xac-\xaf]|[\xbb][\x88-\x8b]|[\xbc][\xb0-\xbf]|[\xbd][\xb6\xb7]|[\xbf][\x90-\x9b])|[\xf0][\x9d](?:[\x90][\x88\xa2\xbc]|[\x91][\x96\xb0]|[\x92][\x8a\xa4\xbe]|[\x93][\x98\xb2]|[\x94][\xa6]|[\x95][\x80\x9a]|[\x96][\x8e\xa8]|[\x97][\x82\x9c\xb6]|[\x98][\x90\xaa]|[\x99][\x84\x9e\xb8]|[\x9a][\x92\xb0]|[\x9b][\xaa]|[\x9c][\xa4]|[\x9d][\x9e]|[\x9e][\x98]))
replace_tag J (?:[jJ]|[\xc4][\xb4\xb5]|[\xcf][\xb3]|[\xd0][\x88]|[\xd1][\x98]|[\xd5][\xb5]|[\xf0][\x9d](?:[\x90][\x89\xa3\xbd]|[\x91][\x97\xb1]|[\x92][\x8b\xa5\xbf]|[\x93][\x99\xb3]|[\x94][\xa7]|[\x95][\x81\x9b]|[\x96][\x8f\xa9]|[\x97][\x83\x9d\xb7]|[\x98][\x91\xab]|[\x99][\x85\x9f\xb9]|[\x9a][\x93]))
replace_tag K (?:[kK\xca\xea]|[\xc4][\xb6\xb7\xb8]|[\xc7][\xa8\xa9]|[\xce][\x9a\xba]|[\xd0][\x8c\x9a\xba]|[\xd1][\x9c]|[\xd2][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd3][\x83\x84]|[\xd4][\x9e\x9f]|&\#(?:31[0-2]|4[08][89]|9(?:22|54|75)|1(?:0(?:36|50|82)|1(?:16|7[89]|8[0-5])|219|220|31[01]));|[\xe1](?:[\xb8][\xb0-\xb5])|[\xf0][\x9d](?:[\x90][\x8a\xa4\xbe]|[\x91][\x98\xb2]|[\x92][\x8c\xa6]|[\x93][\x80\x9a\xb4]|[\x94][\xa8]|[\x95][\x82\x9c]|[\x96][\x90\xaa]|[\x97][\x84\x9e\xb8]|[\x98][\x92\xac]|[\x99][\x86\xa0\xba]|[\x9a][\x94\xb1]|[\x9b][\x8b\xab]|[\x9c][\x85\xa5\xbf]|[\x9d][\x9f\xb9]|[\x9e][\x99\xb3]))
replace_tag L (?:[ilL|!1\xa3]|[\xc4][\xb9\xba\xbb\xbc\xbd\xbe\xbf]|[\xc5][\x80\x81\x82]|[\xc8][\xbd]|[\xce][\x8a\x99\xaa\xaf\xb9]|[\xd3][\x80\x8f]|[\xd4][\xbc]|[\xd5][\xac]|[\xd6][\x82]|&\#(?:1340|3(?:1[3-9]|2[0-2])|573|671|x53c|76);|[\xe1](?:[\xb8][\xb6-\xbd]|[\xbc][\xb8-\xbf]|[\xbf][\x98-\x9b])|[\xf0][\x9d](?:[\x90][\x8b\xa5\xbf]|[\x91][\x99\xb3]|[\x92][\x8d\xa7]|[\x93][\x81\x9b\xb5]|[\x94][\xa9]|[\x95][\x83\x9d]|[\x96][\x91\xab]|[\x97][\x85\x9f\xb9]|[\x98][\x93\xad]|[\x99][\x87\xa1\xbb]|[\x9a][\x95]|[\x9d][\x9e]|[\x9e][\x98]|[\x9f][\x8f\x99\xad\xb7]))
replace_tag M (?:[mM\xcc]|rn|[\xc9][\xb1]|[\xce][\x9c]|[\xcf][\xba\xbb]|[\xd0][\x9c\xbc]|[\xd2][\xa7]|[\xd3][\x8d\x8e]|[\xe1](?:[\xb8][\xbe\xbf]|[\xb9][\x80-\x83])|[\xf0][\x9d](?:[\x90][\x8c\xa6]|[\x91][\x80\x9a\xb4]|[\x92][\x8e\xa8]|[\x93][\x82\x9c\xb6]|[\x94][\xaa]|[\x95][\x84\x9e]|[\x96][\x92\xac]|[\x97][\x86\xa0\xba]|[\x98][\x94\xae]|[\x99][\x88\xa2\xbc]|[\x9a][\x96\xb3]|[\x9b][\xad]|[\x9c][\xa7]|[\x9d][\xa1]|[\x9e][\x9b]))
replace_tag N (?:[nN\xcd\xd0\xd1\xde\xe7\xf0\xf1]|[\xc3][\x91\xb1]|[\xc5][\x83\x84\x85\x86\x87\x88\x89\x8a\x8b]|[\xc9][\xb2\xb3\xb4]|[\xce][\x9d\xae\xb7]|[\xcf][\x80]|[\xd0][\x98\x99\x9f\xb8\xb9\xbb\xbf]|[\xd1][\x9d]|[\xd2][\x8a\x8b]|[\xd3][\x86\xa2\xa3\xa4\xa5]|[\xd4][\xa5]|[\xd5][\x88\x8c\xa4\xa8\xb2\xb8\xbc]|[\xd6][\x80]|[\xe1](?:[\xb9][\x84-\x8b]|[\xbc][\xa0-\xa7]|[\xbd][\xb4\xb5]|[\xbe][\x90-\x97]|[\xbf][\x82-\x87])|[\xf0][\x9d](?:[\x90][\x8d\xa7]|[\x91][\x81\x9b\xb5]|[\x92][\x8f\xa9]|[\x93][\x83\x9d\xb7]|[\x94][\xab]|[\x95][\x85\x9f]|[\x96][\x93\xad]|[\x97][\x87\xa1\xbb]|[\x98][\x95\xaf]|[\x99][\x89\xa3\xbd]|[\x9a][\x97\xb4]|[\x9b][\x88\xae]|[\x9c][\x82\xa8\xbc]|[\x9d][\xa2\xb6]|[\x9e][\x9c\xb0]))
replace_tag O (?:[goO0u\xbc\xcf\xd2\xd3\xd4\xd5\xd6\xd8\xef\xf0\xf2\xf3\xf4\xf5\xf6\xf8\xfc]|[\xc3][\x92\x93\x94\x95\x96\x98\xb2\xb3\xb4\xb5\xb6\xb8]|[\xc5][\x8c\xbd\xbe\xbf\x90\x91]|[\xce][\x8c\x98\x9f\xbf]|[\xcf][\x8c\x98\x99]|[\xd0][\x9e\xae\xbe]|[\xd1][\xba\xbb]|[\xd3][\xa6\xa7\xa8\xaa]|[\xd4][\x9a]|[\xd5][\x95\xae]|[\xd6][\x85]|[\xd7][\xa1]|[\xe1](?:[\xb9][\x8c-\x93]|[\xbb][\x8c-\xa3]|[\xbd][\x80-\x8d\xb8\xb9]|[\xbf][\xb8\xb9])|[\xf0][\x9d](?:[\x90][\x8e\xa8]|[\x91][\x82\x9c\xb6]|[\x92][\x90\xaa]|[\x93][\x84\x9e\xb8]|[\x94][\xac]|[\x95][\x86\xa0]|[\x96][\x94\xae]|[\x97][\x88\xa2\xbc]|[\x98][\x96\xb0]|[\x99][\x8a\xa4\xbe]|[\x9a][\x98\xb6\xb9]|[\x9b][\x90\x94\xb0]|[\x9c][\x8a\x8e\xa3\xaa\xad\xbd]|[\x9d][\x84\x88\x9d\xa4\xa7\xbe]|[\x9e][\x82\x97\x9e\xa1\xb8\xbb]|[\x9f][\x8e\x98\xa2\xac]))
replace_tag P (?:[pP\xd1\xf1\xfe]|[\xce][\xa1]|[\xcf][\x81\xb7\xb8]|[\xd0][\xa0]|[\xd1][\x80]|[\xd2][\x8e\x8f]|[\xd4][\x97]|[\xd5][\xa9]|[\xd6][\x84]|[\xe1](?:[\xb9][\x94-\x97]|[\xbf][\xa4\xa5\xac])|[\xf0][\x9d](?:[\x90][\x8f\xa9]|[\x91][\x83\x9d\xb7]|[\x92][\x91]|[\x93][\x9f]|[\x95][\x87\xa1]|[\x96][\xaf]|[\x97][\x89\xa3\xbd]|[\x98][\x97\xb1]|[\x99][\x8b\xa5\xbf]|[\x9a][\x99\xb8]|[\x9b][\x92\xb2]|[\x9c][\x8c\xac]|[\x9d][\x86\xa6]|[\x9e][\x80\xa0\xba]))
replace_tag Q (?:[qQ]|[\xcf][\x98\xa4\xa5]|[\xd4][\x9a\x9b\xb3]|[\xd5][\xa3\xa6]|[\xf0][\x9d](?:[\x90][\x90\xaa]|[\x91][\x84\x9e\xb8]|[\x92][\x92]|[\x93][\x86\xba]|[\x94][\xae]|[\x95][\x88\xa2]|[\x96][\x96\xb0]|[\x97][\x8a\xa4\xbe]|[\x98][\x98\xb2]|[\x99][\x8c\xa6]|[\x9a][\x80\x9a]))
replace_tag R (?:[rR]|[\xc5][\x94\x95\x96\x97\x98\x99]|[\xc8][\x90\x91\x92\x93]|[\xd0][\x93\xaf]|[\xd1][\x8f\x93]|[\xd2][\x90\x91\x93]|[\xd3][\xb6\xb7]|[\xd4][\xb8\xbb]|[\xd5][\x90\x92]|[\xd6][\x80]|&\#(?:1(?:071|103)|34[0-5]|422|5(?:2[89]|3[01]|8[89])|6(?:3[67]|40));|[\xe1](?:[\xb9][\x98-\x9f])|[\xf0][\x9d](?:[\x90][\x91\xab]|[\x91][\x85\x9f\xb9]|[\x92][\x93\xad]|[\x93][\x87\xa1\xbb]|[\x94][\x95\xaf]|[\x95][\x89\xa3\xbd]|[\x96][\x97\xb1]|[\x97][\x8b\xa5\xbf]|[\x98][\x99\xb3]|[\x99][\x8d\xa7]|[\x9a][\x81\x9b]))
replace_tag S (?:[sSz\xa6\xa7]|[\xc5][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd0][\x85]|[\xd1][\x95]|[\xd5][\x8f]|[\xe1](?:[\xb9][\xa0-\xa9])|[\xf0][\x9d](?:[\x90][\x92\xac]|[\x91][\x86\xa0\xba]|[\x92][\x94]|[\x94][\xb0]|[\x95][\x8a\xa4]|[\x96][\xb2]|[\x97][\x8c\xa6]|[\x98][\x80\x9a\xb4]|[\x99][\x8e\xa8]|[\x9a][\x82\x9c]))
replace_tag T (?:[tT\xc3\xd4\xf4]|[\xc5][\xa2\xa3\xa4\xa5\xa6\xa7]|[\xcd][\xb2\xb3]|[\xce][\xa4]|[\xcf][\x84\xae\xaf]|[\xd0][\x93\xa2]|[\xd1][\x82]|[\xd2][\x90\xac\xad]|[\xd3][\xb6]|[\xd4][\xb5\xb7]|[\xd5][\x92\xa7]|[\xe1](?:[\xb9][\xaa-\xb1]|[\xba][\x97])|[\xf0][\x9d](?:[\x90][\x93\xad]|[\x91][\x87\xa1\xbb]|[\x92][\x95]|[\x93][\x89\xbd]|[\x94][\xb1]|[\x95][\x8b\xa5]|[\x96][\x99\xb3]|[\x97][\x8d\xa7]|[\x98][\x81\x9b\xb5]|[\x99][\x8f\xa9]|[\x9a][\x83\x9d\xbb]|[\x9b][\x95\xb5]|[\x9c][\x8f\xaf]|[\x9d][\x89\xa9]|[\x9e][\x83\xa3\xbd]))
replace_tag U (?:[uUv\xb5\xd9\xda\xdb\xdc\xe0\xec\xf5\xfc\xfb\xfa\xf9\xfd]|[\xc3][\x99\x9a\x9b\x9c\xb9\xba\xbb\xbc]|[\xc5][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3]|[\xcf][\x85\x8b\x8d]|[\xd0][\x8f\xa6]|[\xd1][\x86\x9f]|[\xd4][\xb1\xbf]|[\xd5][\x84\x8d\xb4\xb6\xbd\xbe]|[\xd6][\x87]|[\xe1](?:[\xb9][\xb2-\xbb]|[\xbb][\xa4-\xb1]|[\xbd][\x90-\x97\xba\xbb]|[\xbf][\xa0-\xa3\xa6\xa7])|[\xf0][\x9d](?:[\x90][\x94\xae]|[\x91][\x88\xa2\xbc]|[\x92][\x96\xb0]|[\x93][\x8a\xa4\xbe]|[\x94][\x98\xb2]|[\x95][\x8c\xa6]|[\x96][\x80\x9a\xb4]|[\x97][\x8e\xa8]|[\x98][\x82\x9c\xb6]|[\x99][\x90\xaa]|[\x9a][\x84\x9e]|[\x9b][\x8d\x96]|[\x9c][\x87\x90]|[\x9d][\x81\x8a\xbb]|[\x9e][\x84\xb5\xbe]))
replace_tag V (?:[vVu\xe3\xed]|\\\/|[\xce][\xbd]|[\xd1][\xb4\xb5\xb6\xb7]|[\xe1](?:[\xb9][\xbc-\xbf]|[\xbd][\x90-\x97\xba\xbb]|[\xbf][\xa0-\xa3\xa6\xa7])|[\xf0][\x9d](?:[\x90][\x95\xaf]|[\x91][\x89\xa3\xbd]|[\x92][\x97]|[\x93][\x8b\xa5\xbf]|[\x95][\x8d\xa7]|[\x96][\xb5]|[\x97][\x8f\xa9]|[\x98][\x83\x9d\xb7]|[\x99][\x91\xab]|[\x9a][\x85\x9f]|[\x9b][\x96]|[\x9c][\x88]|[\x9d][\x8a]))
replace_tag W (?:[wWv\xd8\xf8\xf9\xfe]|[\xc5][\xb4\xb5]|[\xc9][\xaf\xb0]|[\xce][\xa8]|[\xcf][\x86\x88\x89\x8e\x96\xa2\xa3]|[\xd0][\xa8\xa9]|[\xd1][\x88\x89\xa1\xb0\xb1\xbf]|[\xd4][\x9c\x9d]|[\xd5][\xa1\xba]|[\xe1](?:[\xba][\x80-\x89\x98]|[\xbd][\xa0-\xa7\xbc\xbd]|[\xbe][\xa0-\xa7]|[\xbf][\xb2-\xb7])|[\xf0][\x9d](?:[\x90][\x96\xb0]|[\x91][\x8a\xa4\xbe]|[\x92][\x98\xb2]|[\x93][\x8c\xa6]|[\x94][\x80\xb4]|[\x95][\x8e\xa8]|[\x96][\x9c\xb6]|[\x97][\x90\xaa]|[\x98][\x84\x9e\xb8]|[\x99][\x92\xac]|[\x9a][\x86\xa0\xbf]|[\x9b][\x97\x99\x9a\xa1\xb9]|[\x9c][\x91\x93\x94\x9b\xb3]|[\x9d][\x8b\x8d\x8e\x95\xad]|[\x9e][\x85\x87\x88\x8f\xa7\xbf]|[\x9f][\x81\x82\x89]))
replace_tag X (?:[xX\xd7\xf7]|><|[\xce][\xa7]|[\xcf][\x87\xa7\x97\xb0]|[\xd0][\x96\xa5\xb6]|[\xd1][\x85]|[\xd2][\x96\x97\xb2\xb3]|[\xd3][\x81\x82\x9c\x9d\xbc\xbd\xbe\xbf]|[\xe1](?:[\xba][\x8a-\x8d])|[\xf0][\x9d](?:[\x90][\x97\xb1]|[\x91][\x8b\xa5\xbf]|[\x92][\x99]|[\x93][\x8d]|[\x94][\x81\xb5]|[\x95][\x8f\xa9]|[\x96][\x83\x9d\xb7]|[\x97][\x91\xab]|[\x98][\x85\x9f\xb9]|[\x99][\x93\xad]|[\x9a][\x87\xa1\xbe]|[\x9b][\x98\x9e\xb8]|[\x9c][\x92\x98\xb2]|[\x9d][\x92\x9f]|[\x9e][\x86\x8c\xa6]|[\x9f][\x80\x86]))
replace_tag Y (?:[yY\xbe\xd5\xdb\xe3\xff\xfd\xa5j]|[\xc3][\x9d\xbd\xbf]|[\xc5][\xb6\xb7\xb8]|[\xce][\x8e\xa5\xab\xb3]|[\xcf][\x92\x93\x94]|[\xd0][\x8e\xa3]|[\xd1][\x83\x87\x9e]|[\xd2][\xae\xaf\xb0\xb1\xb6\xb7\xb8\xb9]|[\xd3][\x8b\x8c\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5]|[\xd4][\xbf]|[\xd5][\x8e\xaf\xbe]|[\xe1](?:[\xba][\x8e\x8f\x99]|[\xbb][\xb2-\xb9\xbe\xbf]|[\xbd][\x99-\x9f]|[\xbf][\xa8-\xab])|[\xf0][\x9d](?:[\x90][\x98\xb2]|[\x91][\x8c\xa6]|[\x92][\x80\x9a\xb4]|[\x93][\x8e\xa8]|[\x94][\x82]|[\x95][\x90\xaa]|[\x96][\xb8]|[\x97][\x92\xac]|[\x98][\x86\xa0\xba]|[\x99][\x94\xae]|[\x9a][\x88\xa2\xbc]|[\x9b][\x84\xb6\xbe]|[\x9c][\xb0\xb8]|[\x9d][\xaa\xb2]|[\x9e][\xa4\xac]))
replace_tag Z (?:[zZs\xc6]|[\xc5][\xb9\xba\xbb\xbc\xbd\xbe]|[\xce][\x96\xb6]|[\xe1](?:[\xba][\x90-\x95])|[\xf0][\x9d](?:[\x90][\x99\xb3]|[\x91][\x8d\xa7]|[\x92][\x81\x9b]|[\x95][\x91\xab]|[\x96][\xb9]|[\x97][\x93\xad]|[\x98][\x87\xa1\xbb]|[\x99][\x95\xaf]|[\x9a][\x89\xa3\xad]|[\x9b][\xa7]|[\x9c][\xa1]|[\x9d][\x9b]|[\x9e][\x95]))
replace_tag IMG (?:jpe?g|gif|png)
replace_tag SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
replace_tag WS (?:=?\s|[\xe2](?:[\x80][\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\xaf]|[\x81][\x9f])|&(?:\#(?:8(?:19[2-9]|20[0-5]|239|287)|160|xa0)|(?:e[nm]|nb|thin)sp);)
replace_tag CUR [\$\xa5\xa3\xa4\xa2]
replace_inter SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
replace_inter W1 \W?
replace_inter W2 \W{0,2}
replace_inter W3 \W{0,3}
replace_post P2 {1,2}
replace_post P3 {1,3}
###########################################################################
# fuzzy header tests
header SUBJECT_FUZZY_MEDS Subject =~ /(?:\b|_)(?!meds)<M><E><D><S>(?:\b|_)/i
describe SUBJECT_FUZZY_MEDS Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_MEDS
header __SUBJECT_FUZZY_VPILL Subject =~ /<inter W2><post P3>(?!viagra)<V><I><A><G><R><A>/i
replace_rules __SUBJECT_FUZZY_VPILL
meta SUBJECT_FUZZY_VPILL __SUBJECT_FUZZY_VPILL && !FUZZY_VPILL
describe SUBJECT_FUZZY_VPILL Attempt to obfuscate words in Subject:
header SUBJECT_FUZZY_CHEAP Subject =~ /<inter W2><post P3>\b(?!cheap)<C><H><E><A><P>(?:\b|<E>)/i
describe SUBJECT_FUZZY_CHEAP Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_CHEAP
header SUBJECT_FUZZY_PENIS Subject =~ /<inter W3><post P3>\b(?!pen\s?(?:ie?s|ny[ ']?s))<P><E><N><I><S>\b/i
describe SUBJECT_FUZZY_PENIS Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_PENIS
header SUBJECT_FUZZY_TION Subject =~ /<post P3>(?!tion)<T><I><O><N>/i
describe SUBJECT_FUZZY_TION Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_TION
###########################################################################
# fuzzy body tests
body FUZZY_AFFORDABLE /<inter W1><post P2>(?!affordable)<A><F><F><O><R><D><A><B><L><E>/i
describe FUZZY_AFFORDABLE Attempt to obfuscate words in spam
replace_rules FUZZY_AFFORDABLE
# Not performing 6/2019, too much cpu
#body FUZZY_AMBIEN /<inter W1><post P2>(?<!t)(?!ambien)(?!ombien)<A><M><B><I><E><N>/i
#describe FUZZY_AMBIEN Attempt to obfuscate words in spam
#replace_rules FUZZY_AMBIEN
body FUZZY_BILLION /(?!billion)<B><I><L><L><I><O><N>/i
describe FUZZY_BILLION Attempt to obfuscate words in spam
replace_rules FUZZY_BILLION
body FUZZY_CPILL /(?!ciali[sz])<C><I><A><L><I><S>/i
describe FUZZY_CPILL Attempt to obfuscate words in spam
replace_rules FUZZY_CPILL
body FUZZY_CREDIT /<inter W1>(?![ck]r(?:[e\xe9]|\xc3\xa9)dit)<C><R><E><D><I><T>/i
describe FUZZY_CREDIT Attempt to obfuscate words in spam
replace_rules FUZZY_CREDIT
# Not performing 6/2019, too much cpu
#body FUZZY_ERECT /<inter W2><post P3>(?!erection)<E><R><E><C><T><I><O><N>/i
#describe FUZZY_ERECT Attempt to obfuscate words in spam
#replace_rules FUZZY_ERECT
body FUZZY_GUARANTEE /<inter W1><post P2>(?!guarantee)<G><U><A><R><A><N><T><E><E>/i
describe FUZZY_GUARANTEE Attempt to obfuscate words in spam
replace_rules FUZZY_GUARANTEE
body FUZZY_MEDICATION /<inter W1><post P2>(?!medicati[eo])<M><E><D><I><C><A><T><I><O><N>/i
describe FUZZY_MEDICATION Attempt to obfuscate words in spam
replace_rules FUZZY_MEDICATION
body FUZZY_MILLION /(?!milli?[o\xf3\xd3]n)<M><I><L><L><I><O><N>/i
describe FUZZY_MILLION Attempt to obfuscate words in spam
replace_rules FUZZY_MILLION
body FUZZY_MONEY /(?!money)<M><O><N><E><Y>/i
describe FUZZY_MONEY Attempt to obfuscate words in spam
replace_rules FUZZY_MONEY
body FUZZY_MORTGAGE /<inter W1><post P2>(?!mortgage)<M><O><R><T><G><A><G><E>/i
describe FUZZY_MORTGAGE Attempt to obfuscate words in spam
replace_rules FUZZY_MORTGAGE
body FUZZY_OBLIGATION /<inter W1><post P2>(?!obligation)<O><B><L><I><G><A><T><I><O><N>/i
describe FUZZY_OBLIGATION Attempt to obfuscate words in spam
replace_rules FUZZY_OBLIGATION
body FUZZY_OFFERS /(?!offers)<O><F><F><E><R><S>/i
describe FUZZY_OFFERS Attempt to obfuscate words in spam
replace_rules FUZZY_OFFERS
body FUZZY_PHARMACY /<inter W2><post P2>(?!pharmacy)<P><H><A><R><M><A><C><Y>/i
describe FUZZY_PHARMACY Attempt to obfuscate words in spam
replace_rules FUZZY_PHARMACY
body FUZZY_PHENT /<inter W1><post P2>(?!phentermine)<P><H><E><N><T><E><R><M><I><N><E>/i
describe FUZZY_PHENT Attempt to obfuscate words in spam
replace_rules FUZZY_PHENT
body FUZZY_PRESCRIPT /<inter W2><post P2>(?!prescription)<P><R><E><S><C><R><I><P><T><I><O><N>/i
describe FUZZY_PRESCRIPT Attempt to obfuscate words in spam
replace_rules FUZZY_PRESCRIPT
# left S off of negative look-ahead on purpose
body FUZZY_PRICES /<inter W2><post P2>(?!price)<P><R><I><C><E><S>/i
describe FUZZY_PRICES Attempt to obfuscate words in spam
replace_rules FUZZY_PRICES
body FUZZY_REFINANCE /<inter W2><post P2>(?!refinance)<R><E><F><I><N><A><N><C><E>/i
describe FUZZY_REFINANCE Attempt to obfuscate words in spam
replace_rules FUZZY_REFINANCE
body FUZZY_REMOVE /(?!remove)<R><E><M><O><V><E>/i
describe FUZZY_REMOVE Attempt to obfuscate words in spam
replace_rules FUZZY_REMOVE
# Not performing 6/2019, too much cpu
#body FUZZY_ROLEX /(?!rolex)<R><O><L><E><X>/i
#describe FUZZY_ROLEX Attempt to obfuscate words in spam
#replace_rules FUZZY_ROLEX
body FUZZY_SOFTWARE /(?!software)<S><O><F><T><W><A><R><E>/i
describe FUZZY_SOFTWARE Attempt to obfuscate words in spam
replace_rules FUZZY_SOFTWARE
body FUZZY_THOUSANDS /(?!thousands)<T><H><O><U><S><A><N><D><S>/i
describe FUZZY_THOUSANDS Attempt to obfuscate words in spam
replace_rules FUZZY_THOUSANDS
body FUZZY_VLIUM /<inter W1><post P2>(?!valium|verifiquem|volturno|vollum)<V><A><L><I><U><M>/i
describe FUZZY_VLIUM Attempt to obfuscate words in spam
replace_rules FUZZY_VLIUM
body FUZZY_VIOXX /<inter W1><post P2>(?!vioxx)<V><I><O><X><X>/i
describe FUZZY_VIOXX Attempt to obfuscate words in spam
replace_rules FUZZY_VIOXX
body FUZZY_VPILL /(?!viagra)<V><I><A><G><R><A>/i
describe FUZZY_VPILL Attempt to obfuscate words in spam
replace_rules FUZZY_VPILL
body FUZZY_XPILL /<inter W3><post P2>(?!xanax)<X><A><N><A><X>/i
describe FUZZY_XPILL Attempt to obfuscate words in spam
replace_rules FUZZY_XPILL
endif # Mail::SpamAssassin::Plugin::ReplaceTags

124
sa-updates/25_spf.cf Normal file
View File

@ -0,0 +1,124 @@
# SpamAssassin - SPF rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Requires the Mail::SpamAssassin::Plugin::SPF plugin be loaded.
ifplugin Mail::SpamAssassin::Plugin::SPF
# SPF support:
# "pass" is nice
# "neutral" is somewhat bad
# "fail" is bad
# "softfail" is bad, but not as bad as "fail"
# "permerror" is very bad, and means the domain doesn't have a valid spf record
# These are more trustworthy results than the SPF_HELO rules.
# some are "userconf" so that scores are set by hand?
header SPF_PASS eval:check_for_spf_pass()
describe SPF_PASS SPF: sender matches SPF record
tflags SPF_PASS nice userconf net
reuse SPF_PASS
header SPF_NEUTRAL eval:check_for_spf_neutral()
describe SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
tflags SPF_NEUTRAL net
reuse SPF_NEUTRAL
header SPF_FAIL eval:check_for_spf_fail()
describe SPF_FAIL SPF: sender does not match SPF record (fail)
tflags SPF_FAIL net
reuse SPF_FAIL
header SPF_SOFTFAIL eval:check_for_spf_softfail()
describe SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
tflags SPF_SOFTFAIL net
reuse SPF_SOFTFAIL
# NOTE: SPF_HELO_PASS is not incredibly hard to fake, so shouldn't
# provide much in the way of points compared to SPF_PASS et al.
# However, a *failure* is still a very good spamsign.
header SPF_HELO_PASS eval:check_for_spf_helo_pass()
describe SPF_HELO_PASS SPF: HELO matches SPF record
tflags SPF_HELO_PASS nice userconf net
reuse SPF_HELO_PASS
header SPF_HELO_NEUTRAL eval:check_for_spf_helo_neutral()
describe SPF_HELO_NEUTRAL SPF: HELO does not match SPF record (neutral)
tflags SPF_HELO_NEUTRAL net
reuse SPF_HELO_NEUTRAL
header SPF_HELO_FAIL eval:check_for_spf_helo_fail()
describe SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
tflags SPF_HELO_FAIL net
reuse SPF_HELO_FAIL
header SPF_HELO_SOFTFAIL eval:check_for_spf_helo_softfail()
describe SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
tflags SPF_HELO_SOFTFAIL net
reuse SPF_HELO_SOFTFAIL
# Implementing the Sender Check for No SPF REcord defaulting to disabled so Admins can override
header SPF_NONE eval:check_for_spf_none()
describe SPF_NONE SPF: sender does not publish an SPF Record
tflags SPF_NONE net
reuse SPF_NONE
header SPF_HELO_NONE eval:check_for_spf_helo_none()
describe SPF_HELO_NONE SPF: HELO does not publish an SPF Record
tflags SPF_HELO_NONE net
reuse SPF_HELO_NONE
if can(Mail::SpamAssassin::Plugin::SPF::has_check_for_spf_errors)
header T_SPF_PERMERROR eval:check_for_spf_permerror()
describe T_SPF_PERMERROR SPF: test of record failed (permerror)
tflags T_SPF_PERMERROR net
reuse T_SPF_PERMERROR
header T_SPF_TEMPERROR eval:check_for_spf_temperror()
describe T_SPF_TEMPERROR SPF: test of record failed (temperror)
tflags T_SPF_TEMPERROR net
reuse T_SPF_TEMPERROR
header T_SPF_HELO_PERMERROR eval:check_for_spf_helo_permerror()
describe T_SPF_HELO_PERMERROR SPF: test of HELO record failed (permerror)
tflags T_SPF_HELO_PERMERROR net
reuse T_SPF_HELO_PERMERROR
header T_SPF_HELO_TEMPERROR eval:check_for_spf_helo_temperror()
describe T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
tflags T_SPF_HELO_TEMPERROR net
reuse T_SPF_HELO_TEMPERROR
endif
endif # Mail::SpamAssassin::Plugin::SPF

43
sa-updates/25_textcat.cf Normal file
View File

@ -0,0 +1,43 @@
# SpamAssassin rules file: language tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
# Note: If you are adding a rule which looks for a phrase in the body
# (as most of them do), please add it to rules/20_phrases.cf instead.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::TextCat
body UNWANTED_LANGUAGE_BODY eval:check_language()
describe UNWANTED_LANGUAGE_BODY Message written in an undesired language
tflags UNWANTED_LANGUAGE_BODY userconf
body BODY_8BITS eval:check_body_8bits()
describe BODY_8BITS Body includes 8 consecutive 8-bit characters
tflags BODY_8BITS userconf
endif

364
sa-updates/25_uribl.cf Normal file
View File

@ -0,0 +1,364 @@
# SpamAssassin - URIDNSBL rules
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded.
# Note that this plugin defines a new config setting, 'uridnsbl',
# which lists the zones to look up in advance. The rules will
# not hit unless each rule has a corresponding 'uridnsbl' line.
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
###########################################################################
## Spamhaus
uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
describe URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist
tflags URIBL_SBL net
reuse URIBL_SBL
uridnssub URIBL_CSS zen.spamhaus.org. A 127.0.0.3
body URIBL_CSS eval:check_uridnsbl('URIBL_CSS')
describe URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS blocklist
tflags URIBL_CSS net
reuse URIBL_CSS
# Only works correctly from 3.4.3, earlier versions basically run as URIBL_SBL duplicate
if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_uridnsbl_for_a)
uridnssub URIBL_SBL_A zen.spamhaus.org. A 127.0.0.2
body URIBL_SBL_A eval:check_uridnsbl('URIBL_SBL_A')
describe URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL blocklist
tflags URIBL_SBL_A net a
reuse URIBL_SBL_A
uridnssub URIBL_CSS_A zen.spamhaus.org. A 127.0.0.3
body URIBL_CSS_A eval:check_uridnsbl('URIBL_CSS_A')
describe URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS blocklist
tflags URIBL_CSS_A net a
reuse URIBL_CSS_A
endif
# New blocked checks 10/2019
uridnssub URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org. A 127.255.255.254
body URIBL_ZEN_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_ZEN_BLOCKED_OPENDNS')
describe URIBL_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
tflags URIBL_ZEN_BLOCKED_OPENDNS net
reuse URIBL_ZEN_BLOCKED_OPENDNS
# New blocked checks 10/2019
uridnssub URIBL_ZEN_BLOCKED zen.spamhaus.org. A 127.255.255.255
body URIBL_ZEN_BLOCKED eval:check_uridnsbl('URIBL_ZEN_BLOCKED')
describe URIBL_ZEN_BLOCKED ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
tflags URIBL_ZEN_BLOCKED net
reuse URIBL_ZEN_BLOCKED
if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule URIBL_ZEN_BLOCKED_OPENDNS zen.spamhaus.org
dns_block_rule URIBL_ZEN_BLOCKED zen.spamhaus.org
endif
# DBL, https://www.spamhaus.org/dbl/
# changes axb 05-17-2014: as per https://www.spamhaus.org/news/article/713/
# SH changes effective 06-01-2014
if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only)
urirhssub URIBL_DBL_SPAM dbl.spamhaus.org. A 127.0.1.2
body URIBL_DBL_SPAM eval:check_uridnsbl('URIBL_DBL_SPAM')
describe URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_SPAM net domains_only
reuse URIBL_DBL_SPAM
urirhssub URIBL_DBL_PHISH dbl.spamhaus.org. A 127.0.1.4
body URIBL_DBL_PHISH eval:check_uridnsbl('URIBL_DBL_PHISH')
describe URIBL_DBL_PHISH Contains a Phishing URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_PHISH net domains_only
reuse URIBL_DBL_PHISH
urirhssub URIBL_DBL_MALWARE dbl.spamhaus.org. A 127.0.1.5
body URIBL_DBL_MALWARE eval:check_uridnsbl('URIBL_DBL_MALWARE')
describe URIBL_DBL_MALWARE Contains a malware URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_MALWARE net domains_only
reuse URIBL_DBL_MALWARE
urirhssub URIBL_DBL_BOTNETCC dbl.spamhaus.org. A 127.0.1.6
body URIBL_DBL_BOTNETCC eval:check_uridnsbl('URIBL_DBL_BOTNETCC')
describe URIBL_DBL_BOTNETCC Contains a botned C&C URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_BOTNETCC net domains_only
reuse URIBL_DBL_BOTNETCC
urirhssub URIBL_DBL_ABUSE_SPAM dbl.spamhaus.org. A 127.0.1.102
body URIBL_DBL_ABUSE_SPAM eval:check_uridnsbl('URIBL_DBL_ABUSE_SPAM')
describe URIBL_DBL_ABUSE_SPAM Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_SPAM net domains_only
reuse URIBL_DBL_ABUSE_SPAM
urirhssub URIBL_DBL_ABUSE_REDIR dbl.spamhaus.org. A 127.0.1.103
body URIBL_DBL_ABUSE_REDIR eval:check_uridnsbl('URIBL_DBL_ABUSE_REDIR')
describe URIBL_DBL_ABUSE_REDIR Contains an abused redirector URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_REDIR net domains_only
reuse URIBL_DBL_ABUSE_REDIR
urirhssub URIBL_DBL_ABUSE_PHISH dbl.spamhaus.org. A 127.0.1.104
body URIBL_DBL_ABUSE_PHISH eval:check_uridnsbl('URIBL_DBL_ABUSE_PHISH')
describe URIBL_DBL_ABUSE_PHISH Contains an abused phishing URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_PHISH net domains_only
reuse URIBL_DBL_ABUSE_PHISH
urirhssub URIBL_DBL_ABUSE_MALW dbl.spamhaus.org. A 127.0.1.105
body URIBL_DBL_ABUSE_MALW eval:check_uridnsbl('URIBL_DBL_ABUSE_MALW')
describe URIBL_DBL_ABUSE_MALW Contains an abused malware URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_MALW net domains_only
reuse URIBL_DBL_ABUSE_MALW
urirhssub URIBL_DBL_ABUSE_BOTCC dbl.spamhaus.org. A 127.0.1.106
body URIBL_DBL_ABUSE_BOTCC eval:check_uridnsbl('URIBL_DBL_ABUSE_BOTCC')
describe URIBL_DBL_ABUSE_BOTCC Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist
tflags URIBL_DBL_ABUSE_BOTCC net domains_only
reuse URIBL_DBL_ABUSE_BOTCC
# this indicates that IP-address queries were sent to DBL, and should
# never appear; if it does, something is wrong with SpamAssassin
urirhssub URIBL_DBL_ERROR dbl.spamhaus.org. A 127.0.1.255
body URIBL_DBL_ERROR eval:check_uridnsbl('URIBL_DBL_ERROR')
describe URIBL_DBL_ERROR Error: queried the Spamhaus DBL blocklist for an IP
tflags URIBL_DBL_ERROR net domains_only
reuse URIBL_DBL_ERROR
# New blocked checks 10/2019
urirhssub URIBL_DBL_BLOCKED_OPENDNS dbl.spamhaus.org. A 127.255.255.254
body URIBL_DBL_BLOCKED_OPENDNS eval:check_uridnsbl('URIBL_DBL_BLOCKED_OPENDNS')
describe URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/
tflags URIBL_DBL_BLOCKED_OPENDNS net domains_only
reuse URIBL_DBL_BLOCKED_OPENDNS
# New blocked checks 10/2019
urirhssub URIBL_DBL_BLOCKED dbl.spamhaus.org. A 127.255.255.255
body URIBL_DBL_BLOCKED eval:check_uridnsbl('URIBL_DBL_BLOCKED')
describe URIBL_DBL_BLOCKED ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
tflags URIBL_DBL_BLOCKED net domains_only
reuse URIBL_DBL_BLOCKED
endif
###########################################################################
## SURBL
#MERGED INTO BIT 64 per bug 7279
#urirhssub URIBL_SC_SURBL multi.surbl.org. A 2
#body URIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL')
#describe URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
#tflags URIBL_SC_SURBL net
#reuse URIBL_SC_SURBL
urirhssub URIBL_WS_SURBL multi.surbl.org. A 4
body URIBL_WS_SURBL eval:check_uridnsbl('URIBL_WS_SURBL')
describe URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
tflags URIBL_WS_SURBL net
reuse URIBL_WS_SURBL
urirhssub URIBL_PH_SURBL multi.surbl.org. A 8
body URIBL_PH_SURBL eval:check_uridnsbl('URIBL_PH_SURBL')
describe URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist
tflags URIBL_PH_SURBL net
reuse URIBL_PH_SURBL
urirhssub URIBL_MW_SURBL multi.surbl.org. A 16
body URIBL_MW_SURBL eval:check_uridnsbl('URIBL_MW_SURBL')
describe URIBL_MW_SURBL Contains a URL listed in the MW SURBL blocklist
tflags URIBL_MW_SURBL net
reuse URIBL_MW_SURBL
urirhssub URIBL_CR_SURBL multi.surbl.org. A 128
body URIBL_CR_SURBL eval:check_uridnsbl('URIBL_CR_SURBL')
describe URIBL_CR_SURBL Contains an URL listed in the CR SURBL blocklist
tflags URIBL_CR_SURBL net
reuse URIBL_CR_SURBL
#MERGED INTO BIT 64 per bug 7279
#urirhssub URIBL_AB_SURBL multi.surbl.org. A 32
#body URIBL_AB_SURBL eval:check_uridnsbl('URIBL_AB_SURBL')
#describe URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
#tflags URIBL_AB_SURBL net
#reuse URIBL_AB_SURBL
#JP MOVED INTO ABUSE AS WELL AND BIT REUSED per bug 7279
urirhssub URIBL_ABUSE_SURBL multi.surbl.org. A 64
body URIBL_ABUSE_SURBL eval:check_uridnsbl('URIBL_ABUSE_SURBL')
describe URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL blocklist
tflags URIBL_ABUSE_SURBL net
reuse URIBL_ABUSE_SURBL
#SURBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you.
urirhssub SURBL_BLOCKED multi.surbl.org. A 1
body SURBL_BLOCKED eval:check_uridnsbl('SURBL_BLOCKED')
describe SURBL_BLOCKED ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags SURBL_BLOCKED net noautolearn
reuse SURBL_BLOCKED
if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule SURBL_BLOCKED multi.surbl.org
endif
###########################################################################
## URIBL
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
reuse URIBL_BLACK
urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
reuse URIBL_GREY
urirhssub URIBL_RED multi.uribl.com. A 8
body URIBL_RED eval:check_uridnsbl('URIBL_RED')
describe URIBL_RED Contains an URL listed in the URIBL redlist
tflags URIBL_RED net
reuse URIBL_RED
#URIBL BLOCK RULES - Bit 1 means your DNS has been blocked and this rule should be triggered to notify you.
urirhssub URIBL_BLOCKED multi.uribl.com. A 1
body URIBL_BLOCKED eval:check_uridnsbl('URIBL_BLOCKED')
describe URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags URIBL_BLOCKED net noautolearn
reuse URIBL_BLOCKED
if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
dns_block_rule URIBL_BLOCKED multi.uribl.com
endif
###########################################################################
## DOMAINS TO SKIP (KNOWN GOOD)
# Linting
uridnsbl_skip_domain taint.org
# Don't bother looking for example domains as per RFC 2606.
uridnsbl_skip_domain example.com example.net example.org
uridnsbl_skip_domain local.cf
# MUA CSS class definitions
uridnsbl_skip_domain div.tk p.tk li.tk no.tk
# (roughly) top 200 domains not blacklisted by SURBL
uridnsbl_skip_domain 126.com 163.com 2o7.net 4at1.com
uridnsbl_skip_domain 5iantlavalamp.com about.com adelphia.net adobe.com addthis.com
uridnsbl_skip_domain agora-inc.com agoramedia.com akamai.net
uridnsbl_skip_domain akamaitech.net amazon.com ancestry.com aol.com
uridnsbl_skip_domain apache.org apple.com arcamax.com astrology.com apple.news
uridnsbl_skip_domain atdmt.com att.net bbc.co.uk
uridnsbl_skip_domain bcentral.com bellsouth.net bfi0.com
uridnsbl_skip_domain bridgetrack.com cafe24.com charter.net
uridnsbl_skip_domain citibank.com citizensbank.com cjb.net
uridnsbl_skip_domain classmates.com clickbank.net cnet.com
uridnsbl_skip_domain cnn.com com.com com.ne.kr comcast.net
uridnsbl_skip_domain corporate-ir.net cox.net cs.com
uridnsbl_skip_domain custhelp.com daum.net dd.se debian.org
uridnsbl_skip_domain dell.com directtrack.com directnic.com domain.com
uridnsbl_skip_domain dsbl.org earthlink.net ebay.co.uk ebay.com
uridnsbl_skip_domain ebayimg.com ebaystatic.com edgesuite.net ediets.com
uridnsbl_skip_domain egroups.com emode.com excite.com f-secure.com
uridnsbl_skip_domain free.fr freebsd.org
uridnsbl_skip_domain gentoo.org geocities.com gmail.com gmx.net
uridnsbl_skip_domain go.com google.com googleadservices.com grisoft.com
uridnsbl_skip_domain hallmark.com hinet.net hotbar.com hotmail.com
uridnsbl_skip_domain hotpop.com hp.com ibm.com incredimail.com
uridnsbl_skip_domain investorplace.com ivillage.com joingevalia.com
uridnsbl_skip_domain juno.com kernel.org livejournal.com lycos.com
uridnsbl_skip_domain m7z.net mac.com macromedia.com
uridnsbl_skip_domain mail.com mail.ru mailscanner.info marketwatch.com
uridnsbl_skip_domain mcafee.com mchsi.com messagelabs.com
uridnsbl_skip_domain microsoft.com military.com mindspring.com mit.edu
uridnsbl_skip_domain monster.com msn.com nate.com
uridnsbl_skip_domain netflix.com netscape.com netscape.net netzero.net
uridnsbl_skip_domain norman.com nytimes.com optonline.net osdn.com
uridnsbl_skip_domain overstock.com pacbell.net pandasoftware.com
uridnsbl_skip_domain paypal.com peoplepc.com plaxo.com
uridnsbl_skip_domain prodigy.net radaruol.com.br
uridnsbl_skip_domain real.com redhat.com regions.com regionsnet.com
uridnsbl_skip_domain rogers.com rr.com sbcglobal.net sec.gov sf.net
uridnsbl_skip_domain shaw.ca shockwave.com smithbarney.com
uridnsbl_skip_domain sourceforge.net spamcop.net speedera.net sportsline.com
uridnsbl_skip_domain sun.com suntrust.com sympatico.ca t-online.de
uridnsbl_skip_domain tails.nl telus.net terra.com.br ticketmaster.com
uridnsbl_skip_domain tinyurl.com tiscali.co.uk tom.com
uridnsbl_skip_domain tone.co.nz tux.org uol.com.br
uridnsbl_skip_domain ups.com verizon.net w3.org usps.com
uridnsbl_skip_domain wamu.com wanadoo.fr washingtonpost.com weatherbug.com
uridnsbl_skip_domain web.de webshots.com webtv.net wsj.com
uridnsbl_skip_domain yahoo.ca yahoo.co.kr yahoo.co.uk
uridnsbl_skip_domain yahoo.com yahoo.com.br yahoogroups.com yimg.com
uridnsbl_skip_domain yopi.de yoursite.com zdnet.com
uridnsbl_skip_domain openxmlformats.org passport.com xmlsoap.org
uridnsbl_skip_domain abc.xyz avast.com schema.org
# wtogami's most frequent known good URIDNSBL lookups (1/1/2011)
uridnsbl_skip_domain alexa.com ask.com baidu.com bing.com craigslist.org
uridnsbl_skip_domain doubleclick.com ebay.de facebook.com flickr.com godaddy.com
uridnsbl_skip_domain google.co.in google.it mozilla.com myspace.com rediff.com
uridnsbl_skip_domain twitter.com wordpress.com yahoo.co.jp youtube.com
# axb's frequent known good URIDNSBL lookups
uridnsbl_skip_domain fedex.com
uridnsbl_skip_domain openoffice.org
uridnsbl_skip_domain vk.com
# pointless footer noise
uridnsbl_skip_domain security.cloud
uridnsbl_skip_domain yac.mx
# Microsoft on ns1.msedge.net
uridnsbl_skip_domain microsofttranslator.com office.com microsoftonline.com bing.com msedge.net
# Some frequent known good URIDNSBL lookups 3.10.2018 -hk
uridnsbl_skip_domain aka.ms akamaihd.net alibaba.com alicdn.com amazon.co.uk
uridnsbl_skip_domain amazon.de amazonaws.com amazonses.com bandcamp.com
uridnsbl_skip_domain booking.com cdninstagram.com cloudfront.net dhl.com
uridnsbl_skip_domain dhl.fi dna.fi domain.fi dpd.de dropbox.com ebay.fr
uridnsbl_skip_domain elisa.fi elisanet.fi emltrk.com fbcdn.net ficora.fi
uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com
uridnsbl_skip_domain google.de google.fi googleapis.com googleusercontent.com
uridnsbl_skip_domain gstatic.com hotels.com ikea.com images-amazon.com
uridnsbl_skip_domain inet.fi instagram.com kolumbus.fi licdn.com linkedin.com
uridnsbl_skip_domain media-amazon.com mtasv.net mzstatic.com nebula.fi
uridnsbl_skip_domain nic.fi onmicrosoft.com oracle.com paypalobjects.com
uridnsbl_skip_domain pinimg.com pinterest.com posti.com posti.fi pstmrk.it
uridnsbl_skip_domain skype.com soundcloud.com ssl-images-amazon.com
uridnsbl_skip_domain suomi24.fi t.co telia.com telia.fi tnt.com tori.fi
uridnsbl_skip_domain tripadvisor.com twimg.com youtu.be
# Some more frequent known good URIDNSBL lookups 10.4.2020 -hk
uridnsbl_skip_domain docs.google.com etuovi.com iki.fi nflxext.com nflximg.com
uridnsbl_skip_domain nflximg.net outlook.com postnord.com postnord.fi postnord.no
uridnsbl_skip_domain saunalahti.fi
endif # Mail::SpamAssassin::Plugin::URIDNSBL

384
sa-updates/30_text_de.cf Normal file
View File

@ -0,0 +1,384 @@
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# character set used in the following texts (no need for iso-8859-15)
lang de report_charset iso-8859-1
# ........................................................................
lang de clear_report_template
lang de report Software zur Erkennung von "Spam" auf dem Rechner
lang de report
lang de report " _HOSTNAME_"
lang de report
lang de report hat die eingegangene E-mail als mögliche "Spam"-Nachricht identifiziert.
lang de report Die ursprüngliche Nachricht wurde an diesen Bericht angehängt, so dass
lang de report Sie sie anschauen können (falls es doch eine legitime E-Mail ist) oder
lang de report ähnliche unerwünschte Nachrichten in Zukunft markieren können.
lang de report Bei Fragen zu diesem Vorgang wenden Sie sich bitte an
lang de report
lang de report " _CONTACTADDRESS_"
lang de report
lang de report Vorschau: _PREVIEW_
lang de report
lang de report Inhaltsanalyse im Detail: (_SCORE_ Punkte, _REQD_ benötigt)
lang de report
lang de report "Pkte Regelname Beschreibung"
lang de report ---- ---------------------- --------------------------------------------------
lang de report _SUMMARY_
# ........................................................................
# ........................................................................
lang de clear_unsafe_report_template
lang de unsafe_report Die ursprüngliche Nachricht enthielt nicht ausschließlich Klartext
lang de unsafe_report (plain text) und kann eventuell eine Gefahr für einige E-Mail-Programme
lang de unsafe_report darstellen (falls sie z.B. einen Computervirus enthält).
lang de unsafe_report Möchten Sie die Nachricht dennoch ansehen, ist es wahrscheinlich
lang de unsafe_report sicherer, sie zuerst in einer Datei zu speichern und diese Datei danach
lang de unsafe_report mit einem Texteditor zu öffnen.
# ........................................................................
lang de describe GTUBE Test zur Prüfung von Anti-Spam-Software
lang de describe DIGEST_MULTIPLE Mehrere Internettests (Razor, DCC, Pyzor, etc.) treffen zu
lang de describe TRACKER_ID Beinhaltet eine Identitätsnummer zur Nutzerbeobachtung
lang de describe WEIRD_QUOTING Seltsame Häufung von Anführungszeichen im Nachrichtentext
lang de describe __MIME_BASE64 Enthält Anhang in base64-Kodierung
lang de describe __MIME_QP Enthält Anhang in "quoted-printable"-Kodierung
#lang de describe MIME_BASE64_BLANKS Überflüssige Leerzeilen bei der base64-Kodierung
lang de describe MIME_BASE64_TEXT Text getarnt durch base64-Kodierung
lang de describe MIME_HTML_MOSTLY Mehrteilige MIME-Nachricht überwiegend in HTML
lang de describe MIME_HTML_ONLY MIME-Nachricht besteht nur aus HTML
lang de describe MIME_HTML_ONLY_MULTI Mehrteilige MIME-Nachricht besteht nur aus HTML
lang de describe MIME_QP_LONG_LINE "quoted-printable"-kodierte Zeile länger als 76 Zeichen
lang de describe MIME_CHARSET_FARAWAY MIME-Zeichensatz deutet auf fremde Sprache hin
lang de describe MPART_ALT_DIFF Nachrichtentext im Text- und HTML-Format unterscheiden sich
lang de describe CHARSET_FARAWAY Zeichensatz deutet auf fremde Sprache hin
lang de describe EMAIL_ROT13 Eventuell ROT13-kodierte E-Mail-Adresse im Text
lang de describe BLANK_LINES_80_90 Nachrichtentext besteht zu 80-90% aus Leerzeilen
lang de describe LONGWORDS Eine Reihe von langen Wörtern hintereinander
lang de describe ALL_TRUSTED Nachricht wurde nur über vertrauenswürdige Rechner weitergeleitet
lang de describe __RCVD_IN_SORBS SORBS: Senderechner in Liste von dnsbl.sorbs.net
lang de describe RCVD_IN_SORBS_HTTP SORBS: Senderechner als "open HTTP proxy" gemeldet
lang de describe RCVD_IN_SORBS_MISC SORBS: Senderechner als "open proxy" gemeldet
lang de describe RCVD_IN_SORBS_SMTP SORBS: Senderechner ist ein ungesicherter Mail-Server
lang de describe RCVD_IN_SORBS_SOCKS SORBS: Senderechner als "open SOCKS proxy" gemeldet
lang de describe RCVD_IN_SORBS_WEB SORBS: Senderechner ist ein ungesicherter WWW-Server
lang de describe RCVD_IN_SORBS_BLOCK SORBS: Senderechner verweigert Tests
lang de describe RCVD_IN_SORBS_ZOMBIE SORBS: Senderechner in Liste "entführter" Adressblöcke
lang de describe RCVD_IN_SORBS_DUL SORBS: Senderechner nur temporär mit Internet verbunden
lang de describe RCVD_IN_SBL Transportiert via Rechner in SBL-Liste (https://www.spamhaus.org/sbl/)
lang de describe RCVD_IN_XBL Transportiert via Rechner in XBL-Liste (https://www.spamhaus.org/xbl/)
lang de describe RCVD_IN_BL_SPAMCOP_NET Transportiert via Rechner in Liste von www.spamcop.net
lang de describe RCVD_IN_MAPS_RBL Transportiert via Rechner in Liste von http://www.mail-abuse.org/rbl/
lang de describe RCVD_IN_MAPS_DUL Transportiert via Rechner in Liste von http://www.mail-abuse.org/dul/
lang de describe RCVD_IN_MAPS_RSS Transportiert via Rechner in Liste von http://www.mail-abuse.org/rss/
lang de describe RCVD_IN_MAPS_NML Transportiert via Rechner in Liste von http://www.mail-abuse.org/nml/
lang de describe SUBJECT_DRUG_GAP_C Betreff enthält 'cialis' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_L Betreff enthält 'levitra' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_S Betreff enthält 'soma' mit L.ü.c.k.e.n
#lang de describe SUBJECT_DRUG_GAP_VA Betreff enthält 'valium' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_X Betreff enthält 'xanax' mit L.ü.c.k.e.n
lang de describe DRUG_DOSAGE Erwähnt den Preis einer Dosis
lang de describe DRUG_ED_CAPS Erwähnt Medikament gegen Erektionsstörung
lang de describe DRUG_ED_SILD Chemische Bezeichnung eines Medikaments gegen Erektionsstörungen
lang de describe DRUG_ED_GENERIC Viagra als billiges Nachahmerpräparat
lang de describe DRUG_ED_ONLINE Schnelle Lieferung von Viagra
lang de describe ONLINE_PHARMACY Internetapotheke
lang de describe VIA_GAP_GRA Versucht das Wort 'viagra' zu tarnen
lang de describe DRUGS_ERECTILE Erwähnt ein Medikament gegen Erektionsstörungen
lang de describe DRUGS_ERECTILE_OBFU Erwähnt (getarnt) Medikamente gegen Erektionsstörungen
lang de describe DRUGS_DIET Erwähnt Diätmedikament
lang de describe DRUGS_DIET_OBFU Erwähnt (getarnt) Diätmedikament
lang de describe DRUGS_MUSCLE Erwähnt Muskelentspannungsmittel
lang de describe DRUGS_ANXIETY Erwähnt Medikament gegen Angstneurosen
lang de describe DRUGS_ANXIETY_OBFU Erwähnt (getarnt) Medikament gegen Angstneurosen
lang de describe DRUGS_SMEAR1 Zwei oder mehr Medikamente in einem Wort
lang de describe DRUGS_ANXIETY_EREC Erwähnt Medikamente gegen Erektionsstörungen und Angstneurosen
lang de describe DRUGS_SLEEP_EREC Erwähnt Medikament gegen Erektionsstörungen und Schlafmittel
lang de describe DRUGS_MANYKINDS Erwähnt mindestens vier Arten von Medikamenten
#lang de describe FAKE_HELO_MAIL_COM_DOM HELO-Rechnername verdächtig (mail.com)
lang de describe HELO_DYNAMIC_IPADDR HELO-Rechnername verdächtig (IP-Adresse 1)
lang de describe HELO_DYNAMIC_DHCP HELO-Rechnername verdächtig (DHCP)
lang de describe HELO_DYNAMIC_HCC HELO-Rechnername verdächtig (HCC)
lang de describe HELO_DYNAMIC_ROGERS HELO-Rechnername verdächtig (Rogers)
lang de describe HELO_DYNAMIC_DIALIN HELO-Rechnername verdächtig (T-Dialin)
lang de describe HELO_DYNAMIC_HEXIP HELO-Rechnername verdächtig (Hexadezimale IP-Adresse)
lang de describe HELO_DYNAMIC_SPLIT_IP HELO-Rechnername verdächtig (getrennte IP-Adresse)
lang de describe HELO_DYNAMIC_IPADDR2 HELO-Rechnername verdächtig (IP-Adresse 2)
lang de describe HELO_DYNAMIC_CHELLO_NL HELO-Rechnername verdächtig (Chello.nl)
lang de describe HELO_DYNAMIC_HOME_NL HELO-Rechnername verdächtig (Home.nl)
lang de describe FROM_STARTS_WITH_NUMS Absenderadresse beginnt mit Ziffern im Benutzernamen
lang de describe FROM_OFFERS Absenderadresse enthält "@...offers"
lang de describe FROM_NO_USER Adressteil vor dem @-Zeichen fehlt im Absender
lang de describe PLING_QUERY Betreff enthält Ausrufe- und Fragezeichen
lang de describe SUBJ_ALL_CAPS Betreff enthält nur Großbuchstaben
lang de describe MSGID_SPAM_CAPS Kopfzeile "Message-ID" von Spam-Software erzeugt (Großbuchstaben)
lang de describe MSGID_SPAM_LETTERS Kopfzeile "Message-ID" von Spam-Software erzeugt (Buchstaben)
lang de describe MSGID_OUTLOOK_INVALID Gefälschte Kopfzeile "Message-ID" im Format von Outlook Express
lang de describe MSGID_RANDY Muster in Kopfzeile "Message-ID" typisch für Spam
lang de describe MSGID_YAHOO_CAPS Kopfzeile "Message-ID" enthält GROSSBUCHSTABEN@yahoo.com
lang de describe MSGID_FROM_MTA_HEADER Kopfzeile "Message-ID" von fremdem Senderechner hinzugefügt
lang de describe DATE_SPAMWARE_Y2K Datumskopfzeile hat ungewöhnliches Format
lang de describe INVALID_DATE Datumskopfzeile nicht standardkonform zu RFC 2822
lang de describe INVALID_DATE_TZ_ABSURD Ungültiges Datum, diese Zeitzone existiert nicht
lang de describe INVALID_TZ_CST Ungültiges Datum in Kopfzeile (falsche CST Zeitzone)
lang de describe INVALID_TZ_EST Ungültiges Datum in Kopfzeile (falsche EST Zeitzone)
lang de describe DATE_IN_PAST_03_06 Absendezeit 3 bis 6 Stunden vor Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_PAST_06_12 Absendezeit 6 bis 12 Stunden vor Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_PAST_12_24 Absendezeit 12 bis 24 Stunden vor Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_PAST_24_48 Absendezeit 24 bis 48 Stunden vor Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_PAST_96_XX Absendezeit mehr als 96 Stunden vor Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_FUTURE_03_06 Absendezeit 3 bis 6 Stunden nach Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_FUTURE_06_12 Absendezeit 6 bis 12 Stunden nach Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_FUTURE_12_24 Absendezeit 12 bis 24 Stunden nach Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_FUTURE_24_48 Absendezeit 24 bis 48 Stunden nach Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_FUTURE_48_96 Absendezeit 48 bis 96 Stunden nach Datum in "Received"-Kopfzeilen
lang de describe DATE_IN_FUTURE_96_XX Absendezeit mehr als 96 Stunden nach Datum in "Received"-Kopfzeilen
lang de describe UNRESOLVED_TEMPLATE Kopfzeilen enthalten nicht ersetzte Variablen
lang de describe SUBJ_ILLEGAL_CHARS Betreff enthält zu viele ungültige Zeichen
lang de describe FROM_ILLEGAL_CHARS Absendeadresse enthält zu viele ungültige Zeichen
lang de describe HEAD_ILLEGAL_CHARS Kopfzeilen enthalten zu viele ungültige Zeichen
lang de describe ENGLISH_UCE_SUBJECT Betreff enthält englische Werbungskennzeichnung
lang de describe JAPANESE_UCE_SUBJECT Betreff enthält japanische Werbungskennzeichnung
lang de describe KOREAN_UCE_SUBJECT Betreff enthält koreanische Werbungskennzeichnung
lang de describe NO_DNS_FOR_FROM Domain der Absendeadresse nicht im DNS registriert (kein MX/A Eintrag)
lang de describe RCVD_HELO_IP_MISMATCH HELO-Name und IP-Adresse in Kopfzeilen passen nicht
lang de describe RCVD_ILLEGAL_IP "Received"-Kopfzeilen enthalten ungültige IP-Adresse
lang de describe RCVD_DOUBLE_IP_SPAM Kennzeichen von Spam-Software (doppelte IP-Adresse)
lang de describe RCVD_DOUBLE_IP_LOOSE Empfänger/Sender in Kopfzeilen sehen aus wie IP-Adressen
lang de describe FORGED_TELESP_RCVD Gefälschte Rechnernamen eines brasilianischen DSL-Providers
lang de describe FORGED_HOTMAIL_RCVD2 Absendeadresse von hotmail.com, aber keine passende "Received"-Zeile
lang de describe FORGED_YAHOO_RCVD Gefälschte "Received"-Kopfzeile von yahoo.com gefunden
lang de describe CONFIRMED_FORGED Gefälschte "Received"-Kopfzeilen
lang de describe MULTI_FORGED Mehrfach gefälschte "Received"-Kopfzeilen
lang de describe NONEXISTENT_CHARSET Den angegebenen Zeichensatz gibt es nicht
lang de describe CHARSET_FARAWAY_HEADER Fremdsprachlicher Zeichensatz in Kopfzeilen benutzt
lang de describe MISSING_DATE Datumskopfzeile fehlt
lang de describe MISSING_HEADERS Empfängeradresse ("To") fehlt
lang de describe MISSING_SUBJECT Betreff ("Subject") fehlt
lang de describe SUSPICIOUS_RECIPS Empfängeradressen sind sich ähnlich
lang de describe SORTED_RECIPS Empfänger sind nach Adressen sortiert
lang de describe GAPPY_SUBJECT Betreff enthält Text mit "L.ü.c.k.e.n"
lang de describe MISSING_MIMEOLE Kopfzeile "X-MSMail-Priority" aber kein "X-MimeOLE"
lang de describe SUBJ_AS_SEEN Betreff enthält "as seen"
lang de describe SUBJ_DOLLARS Betreff beginnt mit einem Dollar-Betrag
#lang de describe SUBJ_YOUR_DEBT Betreff dreht sich um Rechnungen oder Kredite
lang de describe SUBJ_YOUR_FAMILY Betreff enthält "Your Family"
lang de describe RCVD_FAKE_HELO_DOTCOM "Received"-Kopfzeilen enthalten gefälschten HELO-Rechnernamen
lang de describe SUBJECT_DIET Betreff dreht sich um Gewichtsabnahme
lang de describe MIME_BOUND_DD_DIGITS Bestimmtes Muster von Spam-Software in MIME-Begrenzung
lang de describe MIME_BOUND_DIGITS_15 Bestimmtes Muster von Spam-Software in MIME-Begrenzung
lang de describe MIME_BOUND_MANY_HEX Bestimmtes Muster von Spam-Software in MIME-Begrenzung
lang de describe TO_MALFORMED Format der Zieladresse inkorrekt
lang de describe MIME_HEADER_CTYPE_ONLY Kopfzeile "Content-Type" ohne MIME-Kopfzeilen gefunden
lang de describe WITH_LC_SMTP Kopfzeilen mit "smtp" in Kleinschreibung
lang de describe SUBJ_BUY Betreff dreht sich ums Kaufen ("buy...")
lang de describe RCVD_AM_PM Gefälschte "Received"-Kopfzeilen (AM/PM Zeitangabe)
lang de describe HEADER_COUNT_CTYPE Kopfzeile "Content-Type" mehrfach vorhanden
lang de describe NO_RDNS_DOTCOM_HELO HELO-Identifikation als großer Provider, aber rDNS-Name inkorrekt
lang de describe FAKE_OUTBLAZE_RCVD "mr.outblaze.com" in "Received"-Kopfzeile ist gefälscht
lang de describe HTML_MESSAGE Nachricht enthält HTML
lang de describe HTML_COMMENT_SHORT HTML-Kommentar ist sehr kurz
lang de describe HTML_COMMENT_SAVED_URL Nachricht ist eine gespeicherte Webseite
lang de describe HTML_EMBEDS HTML-Nachricht mit eingebettetem WWW-Plugin
lang de describe HTML_FONT_SIZE_LARGE HTML-Schriftgröße ist sehr groß
lang de describe HTML_FONT_SIZE_HUGE HTML-Schriftgröße ist riesig
lang de describe HTML_FONT_LOW_CONTRAST HTML-Schriftfarbe ähnlich der Hintergrundfarbe
lang de describe HTML_FONT_FACE_BAD HTML-Schriftart inkorrekt angegeben
lang de describe HTML_FORMACTION_MAILTO HTML-Formular in Nachricht verschickt E-mail
lang de describe HTML_IMAGE_ONLY_04 Außer Bildern nur 0-400 Zeichen Text
lang de describe HTML_IMAGE_ONLY_08 Außer Bildern nur 400-800 Zeichen Text
lang de describe HTML_IMAGE_ONLY_12 Außer Bildern nur 800-1200 Zeichen Text
lang de describe HTML_IMAGE_ONLY_16 Außer Bildern nur 1200-1600 Zeichen Text
lang de describe HTML_IMAGE_ONLY_20 Außer Bildern nur 1600-2000 Zeichen Text
lang de describe HTML_IMAGE_ONLY_24 Außer Bildern nur 2000-2400 Zeichen Text
lang de describe HTML_IMAGE_RATIO_02 Verhältnis Bilderfläche zu Text ist klein
lang de describe HTML_IMAGE_RATIO_04 Verhältnis Bilderfläche zu Text ist klein
lang de describe HTML_IMAGE_RATIO_06 Verhältnis Bilderfläche zu Text ist klein
lang de describe HTML_IMAGE_RATIO_08 Verhältnis Bilderfläche zu Text ist klein
lang de describe HTML_OBFUSCATE_05_10 Nachrichtentext enthält 0-10% wirres HTML
lang de describe HTML_OBFUSCATE_10_20 Nachrichtentext enthält 10-20% wirres HTML
lang de describe HTML_OBFUSCATE_20_30 Nachrichtentext enthält 20-30% wirres HTML
lang de describe HTML_OBFUSCATE_30_40 Nachrichtentext enthält 30-40% wirres HTML
lang de describe HTML_OBFUSCATE_50_60 Nachrichtentext enthält 50-60% wirres HTML
lang de describe HTML_OBFUSCATE_70_80 Nachrichtentext enthält 70-80% wirres HTML
lang de describe HTML_OBFUSCATE_90_100 Nachrichtentext enthält 90-100% wirres HTML
lang de describe HTML_TAG_BALANCE_BODY Anzahl "body"-Tags nicht ausgeglichen
lang de describe HTML_TAG_BALANCE_HEAD Anzahl "head"-Tags nicht ausgeglichen
lang de describe HTML_BADTAG_40_50 Nachricht enthält 40-50% inkorrekte HTML-Syntax
lang de describe HTML_BADTAG_50_60 Nachricht enthält 50-60% inkorrekte HTML-Syntax
lang de describe HTML_BADTAG_60_70 Nachricht enthält 60-70% inkorrekte HTML-Syntax
lang de describe HTML_BADTAG_90_100 Nachricht enthält 90-100% inkorrekte HTML-Syntax
lang de describe HTML_NONELEMENT_30_40 30-40% der HTML-Elemente entsprechen nicht dem Standard
lang de describe HTML_NONELEMENT_40_50 40-50% der HTML-Elemente entsprechen nicht dem Standard
lang de describe HTML_NONELEMENT_60_70 60-70% der HTML-Elemente entsprechen nicht dem Standard
lang de describe HTML_NONELEMENT_80_90 80-90% der HTML-Elemente entsprechen nicht dem Standard
lang de describe HTML_SHORT_CENTER Wenig HTML mit "center"-Element
lang de describe HTML_CHARSET_FARAWAY Fremdsprachlicher Zeichensatz für HTML benutzt
lang de describe HTML_MIME_NO_HTML_TAG Nachricht besteht nur aus HTML, hat aber kein "html"-Element
lang de describe HTML_MISSING_CTYPE HTML-Nachricht ohne passende Kopfzeile "Content-Type"
lang de describe HIDE_WIN_STATUS JavaScript-Anweisungen verstecken Hyperlinks
lang de describe OBFUSCATING_COMMENT HTML-Kommentar versucht Text zu verschleiern
lang de describe JS_FROMCHARCODE Dokument wird aus JavaScript-Programm erzeugt
lang de describe UPPERCASE_50_75 Nachrichtentext besteht zu 50-75% aus Großbuchstaben
lang de describe UPPERCASE_75_100 Nachrichtentext besteht zu 75-100% aus Großbuchstaben
lang de describe INVALID_MSGID "Message-ID"-Zeile ist ungültig gemäß RFC-2822
lang de describe FORGED_MUA_MOZILLA Gefälschte E-Mail gibt vor vom Mailprogramm Mozilla zu kommen
lang de describe GUARANTEED_100_PERCENT Zu 100% garantiert...
lang de describe DEAR_FRIEND Anonyme Anrede ("dear friend")
lang de describe DEAR_SOMETHING Anonyme Anrede ("dear ...")
lang de describe BILLION_DOLLARS Erwähnt sehr große Geldbeträge
lang de describe EXCUSE_4 Behauptet, man könne sich von der Adressliste entfernen lassen
lang de describe EXCUSE_24 Angeblich haben möchten Sie diese Werbung bekommen
lang de describe EXCUSE_REMOVE Beschreibt, wie Sie diese Nachrichten wieder loswerden
lang de describe STRONG_BUY Erwähnt eine starke Kaufempfehlung (von Aktien?)
lang de describe STOCK_ALERT Bietet eine Benachrichtigung über Aktienwerte an
lang de describe NOT_ADVISOR Dreht sich um einen nicht registrierten Investmentberater
lang de describe PREST_NON_ACCREDITED Kaufen Sie Studienabschlüsse obskurer Universitäten
lang de describe BODY_ENHANCEMENT Informationen zur Penis-/Brustvergrößerung
lang de describe BODY_ENHANCEMENT2 Informationen zur Penis-/Brustvergrößerung
lang de describe IMPOTENCE Beseitigt Impotenz
#lang de describe NA_DOLLARS Handelt von einer Million Dollar aus den US oder Kanada
#lang de describe US_DOLLARS_3 Erwähnt Millonen von Dollar
#lang de describe MILLION_USD Erwähnt Millonen von Dollar
lang de describe URG_BIZ Dringende Geschäfte
lang de describe MONEY_BACK Mit Geld-zurück Garantie
lang de describe FREE_QUOTE_INSTANT Kostenlos ein schnelles Preisangebot, ohne Verpflichtung
lang de describe BAD_CREDIT Erwähnt geplatzte Kredite oder Kreditwürdigkeit
lang de describe REFINANCE_YOUR_HOME Dreht sich um Baufinanzierung
lang de describe REFINANCE_NOW Dreht sich um Baufinanzierung
lang de describe NO_MEDICAL Keine medizinischen Examen nötig
lang de describe DIET_1 Reduzieren Sie Ihr Gewicht
lang de describe FIN_FREE Finanzielle Unabhängigkeit
lang de describe FORWARD_LOOKING Enthält Formulierungen aus Aktienprospekten
lang de describe ONE_TIME Einmaliges Angebot/Gelegenheit
lang de describe JOIN_MILLIONS Machen Sie es Millionen von Amerikanern nach
lang de describe MARKETING_PARTNERS Angeblich haben Sie sich bei einem Partnerunternehmen registriert
lang de describe LOW_PRICE Niedrigste Preise
lang de describe UNCLAIMED_MONEY Geld oder Gewinne ohne Besitzer
lang de describe OBSCURED_EMAIL Eventuell ROT13-kodierte E-mail-Adresse im Text
lang de describe BANG_OPRAH Erwähnt Oprah (Winfrey), mit Ausrufezeichen
lang de describe ACT_NOW_CAPS Reagieren Sie jetzt (in Großbuchstaben)
lang de describe MORE_SEX Werden Sie sexuell aktiver
lang de describe BANG_GUAR Eine Garantie mit Ausrufezeichen
lang de describe FREE_PORN Eventuell Pornowerbung: Kostenlose Pornos
lang de describe CUM_SHOT Eventuell Pornowerbung: "cum shot"
lang de describe LIVE_PORN Eventuell Pornowerbung: Seien Sie live dabei
lang de describe SUBJECT_SEXUAL Betreff weist auf sexuellen Nachrichtentext hin
lang de describe RATWARE_EGROUPS Nachrichtenstruktur weist auf Spam-Software hin (eGroups)
lang de describe RATWARE_OE_MALFORMED Kopfzeilen enthalten gefälschte Hinweise auf Outlook Express
lang de describe RATWARE_MOZ_MALFORMED Kopfzeilen enthalten gefälschte Hinweise auf Mozilla
lang de describe FORGED_MUA_IMS E-Mail täuscht E-Mail-Software Exchange vor
lang de describe FORGED_MUA_OUTLOOK E-Mail täuscht E-Mail-Software Outlook vor
lang de describe FORGED_MUA_OIMO E-Mail täuscht E-Mail-Software Outlook vor
lang de describe FORGED_MUA_EUDORA E-Mail täuscht E-Mail-Software Eudora vor
lang de describe FORGED_MUA_THEBAT_CS E-Mail täuscht E-Mail-Software The Bat! vor
lang de describe FORGED_MUA_THEBAT_BOUN E-Mail täuscht E-Mail-Software The Bat! vor
lang de describe FORGED_OUTLOOK_HTML Outlook verschickt keine reinen HTML-Nachrichten
lang de describe FORGED_IMS_HTML Exchange verschickt keine reinen HTML-Nachrichten
lang de describe FORGED_THEBAT_HTML The Bat! v1 verschickt keine reinen HTML-Nachrichten
lang de describe FORGED_QUALCOMM_TAGS E-Mail-Programm von Qualcomm verwendet diese Art HTML nicht
lang de describe FORGED_IMS_TAGS Exchange verwendet diese Art HTML nicht
lang de describe FORGED_OUTLOOK_TAGS Outlook verwendet diese HTML-Markierung nicht
lang de describe RATWARE_HASH_DASH Enthält Abwehrmaßnahme gegen Anti-Spam-Software ("hashbuster")
lang de describe RATWARE_ZERO_TZ Seltsame Zeitzone (+0000)
lang de describe X_MESSAGE_INFO Kopfzeile "X-Message-Info"
lang de describe RATWARE_RCVD_PF Gefälschte "Received"-Kopfzeile von Postfix
lang de describe RATWARE_RCVD_AT "Received"-Kopfzeile mit @-Zeichen
lang de describe NUMERIC_HTTP_ADDR Benutzt eine einzige Zahl als IP-Adresse in einem Hyperlink
lang de describe HTTP_ESCAPED_HOST Benutzt %-Kodierung innerhalb des Hyperlinks
lang de describe HTTP_EXCESSIVE_ESCAPES Überflüssige %-Kodierung in Webadresse
lang de describe IP_LINK_PLUS IP-Adresse (a.b.c.d) gefolgt von CGI-Programm
lang de describe WEIRD_PORT Ungewöhnliche Portnummer in HTTP-Hyperlink
lang de describe YAHOO_RD_REDIR URL mit Umleitung über Yahoo
lang de describe YAHOO_DRS_REDIR URL mit Umleitung über Yahoo
lang de describe HTTP_77 Enthält URL mit kodiertem Rechnernamen
# 23_bayes.cf
ifplugin Mail::SpamAssassin::Plugin::Bayes
lang de describe BAYES_00 Spamwahrscheinlichkeit nach Bayes-Test: 0-1%
lang de describe BAYES_05 Spamwahrscheinlichkeit nach Bayes-Test: 1-5%
lang de describe BAYES_20 Spamwahrscheinlichkeit nach Bayes-Test: 5-20%
lang de describe BAYES_40 Spamwahrscheinlichkeit nach Bayes-Test: 20-40%
lang de describe BAYES_50 Spamwahrscheinlichkeit nach Bayes-Test: 40-60%
lang de describe BAYES_60 Spamwahrscheinlichkeit nach Bayes-Test: 60-80%
lang de describe BAYES_80 Spamwahrscheinlichkeit nach Bayes-Test: 80-95%
lang de describe BAYES_95 Spamwahrscheinlichkeit nach Bayes-Test: 95-99%
lang de describe BAYES_99 Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
lang de describe BAYES_999 Spamwahrscheinlichkeit nach Bayes-Test: 99.9-100%
endif
#
lang de describe USER_IN_BLACKLIST Absenderadresse steht in Ihrer persönlichen schwarzen Liste
lang de describe USER_IN_WHITELIST Absenderadresse steht in Ihrer persönlichen weißen Liste
lang de describe USER_IN_DEF_WHITELIST Absenderadresse steht in der allgemeinen weißen Liste
lang de describe USER_IN_BLACKLIST_TO Empfängeradresse steht in Ihrer persönlichen schwarzen Liste
lang de describe USER_IN_WELCOMELIST_TO Empfängeradresse steht in Ihrer persönlichen weißen Liste
lang de describe USER_IN_MORE_SPAM_TO Empfängeradresse soll fast alle (Spam-) Nachrichten erhalten
lang de describe USER_IN_ALL_SPAM_TO Empfängeradresse soll alle (Spam-) Nachrichten erhalten
ifplugin Mail::SpamAssassin::Plugin::SPF
lang de describe SPF_PASS SPF: Senderechner entspricht SPF-Datensatz
lang de describe SPF_FAIL SPF: Senderechner entspricht nicht SPF-Datensatz (fail)
lang de describe SPF_SOFTFAIL Senderechner entspricht nicht SPF-Datensatz (softfail)
lang de describe SPF_HELO_PASS SPF: HELO-Name entspricht dem SPF-Datensatz
lang de describe SPF_HELO_FAIL HELO-Name entspricht nicht SPF-Datensatz (fail)
lang de describe SPF_HELO_SOFTFAIL HELO-Name entspricht nicht SPF-Datensatz (softfail)
endif
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
lang de describe URIBL_SBL Enthält URL in SBL-Liste (https://www.spamhaus.org/sbl/)
#lang de describe URIBL_SC_SURBL Enthält URL in SC-Liste (www.surbl.org) - removed bug 7279
lang de describe URIBL_WS_SURBL Enthält URL in WS-Liste (www.surbl.org)
lang de describe URIBL_PH_SURBL Enthält URL in PH-Liste (www.surbl.org)
#lang de describe URIBL_OB_SURBL Enthält URL in OB-Liste (www.surbl.org) - REMOVED BUG 6853
#lang de describe URIBL_AB_SURBL Enthält URL in AB-Liste (www.surbl.org) - removed bug 7279
lang de describe URIBL_ABUSE_SURBL Enthält URL in ABUSE-Liste (www.surbl.org) - changed from JP to ABUSE bug 7279
endif
ifplugin Mail::SpamAssassin::Plugin::AWL
lang de describe AWL Absenderadresse in der automatischen weißen Liste
endif
ifplugin Mail::SpamAssassin::Plugin::AntiVirus
lang de describe MIME_SUSPECT_NAME MIME-Dateiname entspricht nicht dem MIME-Typ
endif
ifplugin Mail::SpamAssassin::Plugin::DCC
lang de describe DCC_CHECK Als Massen-E-Mail erkannt von DCC (dcc-servers.net)
endif
ifplugin Mail::SpamAssassin::Plugin::Pyzor
lang de describe PYZOR_CHECK Gelistet im Pyzor-System (https://pyzor.readthedocs.io/en/latest/)
endif
ifplugin Mail::SpamAssassin::Plugin::TextCat
lang de describe BODY_8BITS Nachrichtentext enthält Folge von 8 oder mehr 8-Bit-Zeichen
lang de describe UNWANTED_LANGUAGE_BODY Nachrichtentext in unerwünschter Sprache
endif
ifplugin Mail::SpamAssassin::Plugin::AccessDB
lang de describe ACCESSDB Nachricht wäre von access.db erkannt worden
endif
lang de describe NORMAL_HTTP_TO_IP Benutzt eine IP-Adresse (a.b.c.d) in einem Hyperlink

283
sa-updates/30_text_fr.cf Normal file
View File

@ -0,0 +1,283 @@
# SpamAssassin translations: Française
#
# Written by Michel Bouissou <michel@bouissou.net> for SpamAssassin 2.60
# Latest revision: 2003/11/14
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# ......................................................................
lang fr clear-report-template
lang fr report ------------------ Début de Rapport SpamAssassin ---------------------
lang fr report Ce message est probablement du SPAM (message non sollicité envoyé en
lang fr report masse, publicité, escroquerie...).
lang fr report
lang fr report Cette notice a été ajoutée par le système d'analyse "SpamAssassin" sur
lang fr report votre serveur de courrier "_HOSTNAME_", pour vous
lang fr report aider à identifier ce type de messages.
lang fr report
lang fr report Le système SpamAssassin ajoute un en-tête "X-Spam-Flag: YES" aux
lang fr report messages qu'il considère comme étant probablement du Spam.
lang fr report Vous pouvez si vous le souhaitez utiliser cette caractéristique
lang fr report pour régler un filtre dans votre logiciel de lecture de courrier,
lang fr report afin de détruire ou de classer à part ce type de message.
lang fr report
lang fr report Si ce robot a classifié incorrectement un message qui vous était
lang fr report destiné, ou pour toute question, veuillez contacter l'administrateur
lang fr report du système par e-mail à _CONTACTADDRESS_ .
lang fr report
lang fr report Voir https://spamassassin.apache.org/tag/ pour plus de détails (en anglais).
lang fr report
lang fr report Détails de l'analyse du message: (_SCORE_ points, _REQD_ requis)
lang fr report _SUMMARY_
lang fr report -------------------- Fin de Rapport SpamAssassin ---------------------
# ......................................................................
# Vous devriez changer "report_contact" dans le fichier 10_misc.cf.
# _CONTACTADDRESS_ est remplacée par ce texte.
# ......................................................................
# ......................................................................
lang fr clear-unsafe-report-template
lang fr unsafe-report Le message original n'étant pas au format text brut, il est peut-être
lang fr unsafe-report dangereux de l'ouvrir avec votre logiciel e-mail ; en particulier il
lang fr unsafe-report pourrait contenir un virus, ou confirmer à l'expéditeur que votre
lang fr unsafe-report adresse e-mail est active, et peut recevoir du spam. Si vous voulez
lang fr unsafe-report lire ce message, et n'êtes pas certain de la sécurité de votre logiciel
lang fr unsafe-report e-mail, il est plus prudent d'enregistrer ce message sur votre disque
lang fr unsafe-report dur, et de l'afficher ensuite avec un éditeur de texte.
# ......................................................................
#############
# 23_bayes.cf
ifplugin Mail::SpamAssassin::Plugin::Bayes
lang fr describe BAYES_00 L'algorithme Bayésien a évalué la probabilité de spam entre 0 et 1%
lang fr describe BAYES_05 L'algorithme Bayésien a évalué la probabilité de spam entre 1 et 5%
lang fr describe BAYES_20 L'algorithme Bayésien a évalué la probabilité de spam entre 5 et 20%
lang fr describe BAYES_40 L'algorithme Bayésien a évalué la probabilité de spam entre 20 et 40%
lang fr describe BAYES_50 L'algorithme Bayésien a évalué la probabilité de spam entre 40 et 60%
lang fr describe BAYES_60 L'algorithme Bayésien a évalué la probabilité de spam entre 60 et 80%
lang fr describe BAYES_80 L'algorithme Bayésien a évalué la probabilité de spam entre 80 et 95%
lang fr describe BAYES_95 L'algorithme Bayésien a évalué la probabilité de spam entre 95 et 99%
lang fr describe BAYES_99 L'algorithme Bayésien a évalué la probabilité de spam entre 99 et 100%
lang fr describe BAYES_999 L'algorithme Bayésien a évalué la probabilité de spam entre 99.9 et 100%
endif
lang fr describe ACT_NOW_CAPS Demande d'agir immédiatement (en majuscules)
lang fr describe BAD_CREDIT Contient "Eliminate Bad Credit"
lang fr describe BANG_GUAR Quelque chose est "garanti" de manière emphatique
lang fr describe BANG_OPRAH Parle d'Oprah avec point d'exclamation !
lang fr describe BILLION_DOLLARS Evoque des millions ou milliards de dollars
lang fr describe BLANK_LINES_80_90 Le corps du message a 80 à 90% de lignes vides
lang fr describe CHARSET_FARAWAY Message utilisant un jeu de caractères exotique
lang fr describe CHARSET_FARAWAY_HEADER En-tête utilisant un jeu de caractères exotique
lang fr describe CONFIRMED_FORGED Les en-têtes "Received:" ont été falsifiés
lang fr describe CUM_SHOT Pornographie probable, "gros plans d'éjaculations"
lang fr describe DATE_IN_PAST_03_06 Date: est 3 à 6 heures avant la date de l'en-tête Received:
lang fr describe DATE_IN_PAST_06_12 Date: est 6 à 12 heures avant la date de l'en-tête Received:
lang fr describe DATE_IN_PAST_12_24 Date: est 12 à 24 heures avant la date de l'en-tête Received:
lang fr describe DATE_IN_PAST_24_48 Date: est 24 à 48 heures avant la date de l'en-tête Received:
lang fr describe DATE_IN_PAST_96_XX Date: est plus de 96 heures avant la date de l'en-tête Received:
lang fr describe DATE_IN_FUTURE_03_06 Date: est 3 à 6 heures après la date de l'en-tête Received:
lang fr describe DATE_IN_FUTURE_06_12 Date: est 6 à 12 heures après la date de l'en-tête Received:
lang fr describe DATE_IN_FUTURE_12_24 Date: est 12 à 24 heures après la date de l'en-tête Received:
lang fr describe DATE_IN_FUTURE_24_48 Date: est 24 à 48 heures après la date de l'en-tête Received:
lang fr describe DATE_IN_FUTURE_48_96 Date: est 48 à 96 heures après la date de l'en-tête Received:
lang fr describe DATE_IN_FUTURE_96_XX Date: est plus de 96 heures après la date de l'en-tête Received:
lang fr describe MISSING_DATE En-tête "Date:" absent
lang fr describe DATE_SPAMWARE_Y2K L'en-tête date utilise un format Y2K inhabituel
lang fr describe DEAR_FRIEND Contient la formule "Dear friend"
lang fr describe DEAR_SOMETHING Le message contient "Dear... (quelqu'un)"
lang fr describe DIET_1 Spam proposant une perte de poids
lang fr describe EMAIL_ROT13 Corps contient une adresse mail encodée en ROT13
lang fr describe EXCUSE_REMOVE Explique comment être retiré des listes de mailing (soi-disant...)
lang fr describe EXCUSE_4 Prétend que vous pouvez vous faire supprimer de leur liste
lang fr describe EXCUSE_24 Prétend que vous avez demandé à recevoir cette publicité
lang fr describe FIN_FREE Parle de "liberté financière" (Financial Freedom)
lang fr describe FORGED_HOTMAIL_RCVD2 From hotmail.com, mais sans "Received:"
lang fr describe FORGED_IMS_HTML IMS n'envoie pas de messages en HTML seul
lang fr describe FORGED_IMS_TAGS IMS n'envoie pas de HTML dans ce format
lang fr describe FORGED_MUA_EUDORA Message falsifié prétendant provenir du logiciel Eudora
lang fr describe FORGED_MUA_IMS Message falsifié prétendant provenir du logiciel IMS
lang fr describe FORGED_MUA_MOZILLA Message falsifié prétendant provenir du logiciel Mozilla
lang fr describe FORGED_MUA_OIMO Message falsifié prétendant provenir du logiciel MS Outlook IMO
lang fr describe FORGED_MUA_OUTLOOK Message falsifié prétendant provenir du logiciel MS Outlook
lang fr describe FORGED_MUA_THEBAT_BOUN Mail prétendant provenir de The Bat! (boundary)
lang fr describe FORGED_MUA_THEBAT_CS Mail pretendant provenir de The Bat! (charset)
lang fr describe FORGED_OUTLOOK_HTML Outlook n'envoie pas de messages en HTML seul
lang fr describe FORGED_OUTLOOK_TAGS Outlook n'envoie pas de HTML sous ce format
lang fr describe FORGED_QUALCOMM_TAGS QUALCOMM mailers n'envoient pas de HTML sous ce format
lang fr describe FORGED_TELESP_RCVD Contient un nom de machine falsifié chez un F.A.I. brésilien
lang fr describe FORGED_THEBAT_HTML The Bat! n'envoie pas de messages en HTML seul
lang fr describe FORGED_YAHOO_RCVD Contient un en-tête falsifié Received: yahoo.com
lang fr describe FORWARD_LOOKING Contient un "Stock Disclaimer Statement" (bourse)
lang fr describe FREE_PORN Pornographie probable "Free porn"
lang fr describe FREE_QUOTE_INSTANT Contient formule type "Free express" ou "no obligation"
lang fr describe FROM_ILLEGAL_CHARS From: contient trop de caractères bruts invalides
lang fr describe FROM_NO_USER L'en-tête From: n'a pas de nom d'utilisateur avant le signe @
lang fr describe FROM_OFFERS L'adresse d'expéditeur est "at something-offers"
lang fr describe FROM_STARTS_WITH_NUMS L'en-tête From: commence par des chiffres
lang fr describe GAPPY_SUBJECT L'en-tête Subject: contient du "t e x t e e s p a c é"
lang fr describe GTUBE Test générique de courrier non sollicté en masse
lang fr describe GUARANTEED_100_PERCENT Contient "One hundred percent guaranteed" (100% garanti)
lang fr describe HEAD_ILLEGAL_CHARS En-tête contient trop de caractères bruts invalides
lang fr describe HEADER_COUNT_CTYPE Plusieurs en-têtes Content-Type
lang fr describe HIDE_WIN_STATUS Javascript destiné à camoufler une URL dans le navigateur
lang fr describe HTML_CHARSET_FARAWAY Jeu de caractères exotique utilisé pour le HTML
lang fr describe HTML_COMMENT_SAVED_URL Le message HTML est une page web sauvegardée
lang fr describe HTML_EMBEDS HTML: Inclusion d'objets
lang fr describe HTML_FONT_FACE_BAD Le nom de la police HTML n'est pas un mot
lang fr describe HTML_FONT_LOW_CONTRAST Police HTML de la même couleur que le fond
lang fr describe HTML_FORMACTION_MAILTO HTML inclut un formulaire d'envoi de mail
lang fr describe HTML_IMAGE_ONLY_04 HTML contient images avec 200 à 400 octets de texte
lang fr describe HTML_IMAGE_ONLY_08 HTML contient images avec 600 à 800 octets de texte
lang fr describe HTML_IMAGE_ONLY_12 HTML contient images avec 1000 à 1200 octets de texte
lang fr describe HTML_IMAGE_RATIO_02 HTML Faible ratio de texte par rapport aux images
lang fr describe HTML_IMAGE_RATIO_04 HTML Faible ratio de texte par rapport aux images
lang fr describe HTML_IMAGE_RATIO_06 HTML Faible ratio de texte par rapport aux images
lang fr describe HTML_IMAGE_RATIO_08 HTML Faible ratio de texte par rapport aux images
lang fr describe HTML_MESSAGE HTML inclus dans le message
lang fr describe HTML_MIME_NO_HTML_TAG Message en HTML seul, mais sans tags HTML
lang fr describe HTML_TAG_BALANCE_BODY Le tag de fermeture de "body" HTML est manquant
lang fr describe HTML_TAG_BALANCE_HEAD Le tag de fermeture de "head" HTML est manquant
lang fr describe HTTP_ESCAPED_HOST URI: Contient des %-escapes dans le nom de machine
lang fr describe HTTP_EXCESSIVE_ESCAPES URI: Contient des %-escapes nombreux et superflus
lang fr describe IMPOTENCE Prétend permettre de combattre l'impuissance
lang fr describe MORE_SEX Parle d'augmenter le désir sexuel
lang fr describe INVALID_DATE L'en-tête Date: est incorrect (il contient AM/PM)
lang fr describe INVALID_DATE_TZ_ABSURD L'en-tête Date: est incorrect (la zone de temps n'existe pas)
lang fr describe INVALID_MSGID Le Message-ID est invalide, selon la RFC-2822
lang fr describe IP_LINK_PLUS Adresse IP en décimal suivie d'un CGI
lang fr describe JAPANESE_UCE_SUBJECT Sujet contient une marque japonaise de spam
lang fr describe JOIN_MILLIONS Contient "Join Millions of Americans"
lang fr describe KOREAN_UCE_SUBJECT Le sujet contient des caractères coréens
lang fr describe LIVE_PORN Pornographie probable: porno en direct-live
lang fr describe SUBJECT_DIET Le sujet parle de perte de poids
lang fr describe LOW_PRICE Contient "Lowest Price" (le prix le plus bas)
lang fr describe MARKETING_PARTNERS Prétend que vous vous êtes enregistré auprès d'un "partenaire" quelconque
#lang fr describe MILLION_USD Phrase clé d'escroquerie nigérienne (millions of dollars)
lang fr describe __MIME_BASE64 Inclut un attachement en BASE64
#lang fr describe MIME_BASE64_BLANKS Ligne blanches surnuméraires dans l'encodage BASE64
lang fr describe MIME_BASE64_TEXT Texte du message camouflé par encodage en BASE64
lang fr describe MIME_BOUND_MANY_HEX Motif caractéristique d'outil de spam dans les délimiteurs MIME
lang fr describe MIME_CHARSET_FARAWAY Jeu de caractères MIME exotique
lang fr describe MIME_HEADER_CTYPE_ONLY En-tête "Content-Type" présent sans les en-têtes MIME requis
lang fr describe MIME_HTML_MOSTLY Message multipart principalement en MIME text/html
lang fr describe MIME_HTML_ONLY Le message possède uniquement des parties MIME text/html
lang fr describe MIME_HTML_ONLY_MULTI Message multipart uniquement en MIME text/html
lang fr describe __MIME_QP Contient en attachement en quoted-printable
lang fr describe MIME_QP_LONG_LINE Ligne quoted-printable de plus de 76 caractères
lang fr describe MISSING_HEADERS Le message ne comporte pas l'en-tête To:
lang fr describe MISSING_MIMEOLE Possède un en-tête X-MSMail-Priority, mais pas de X-MimeOLE
lang fr describe MONEY_BACK Vous garantit un "remboursement si insatisfait" (en anglais)
lang fr describe MSGID_FROM_MTA_HEADER Message-ID ajouté par un relais
lang fr describe MSGID_OUTLOOK_INVALID Message-ID falsifié (fortmat Outlook Express)
lang fr describe MULTI_FORGED les en-têtes "Received" montrent de nombreuses falsifications
#lang fr describe NA_DOLLARS Parle d'un million de dollars "nord-américains"
lang fr describe NONEXISTENT_CHARSET Message rédigé dans un jeu de caractères inexistant
lang fr describe NOT_ADVISOR Contient "Not registered investment advisor"
lang fr describe NO_DNS_FOR_FROM Adresse From: inconnue en DNS (pas d'enregistrement MX)
lang fr describe NO_MEDICAL Contient "No Medical Exams" (sans examen médical)
lang fr describe NO_RDNS_DOTCOM_HELO HELO de F.A.I. important, mais pas de rDNS
lang fr describe NUMERIC_HTTP_ADDR Utilise une adresse IP, sans points, dans une URL
lang fr describe OBFUSCATING_COMMENT Commentaires HTML inutiles destinés à camoufler le texte
lang fr describe OBSCURED_EMAIL Le message semble contenir une adresse mail camouflée par rot13
lang fr describe ONLINE_PHARMACY Produits pharmaceutiques en ligne
lang fr describe BODY_ENHANCEMENT Arnaque prétendant augmenter la taile de votre pénis
lang fr describe BODY_ENHANCEMENT2 Arnaque prétendant augmenter la taile de votre pénis
lang fr describe PLING_QUERY Le sujet a un point d'interrogation ET un point d'exclamation
lang fr describe PREST_NON_ACCREDITED Fait référence a une "prestigieuse université" non reconnue
lang fr describe RATWARE_EGROUPS Trace de logiciel de mailing en masse (eGroups) dans les en-têtes
lang fr describe RATWARE_HASH_DASH Contient un "hashbuster" au format Send-Safe
lang fr describe RATWARE_OE_MALFORMED En-tête X-Mailer indique No de version Outlook Express malformé
lang fr describe RCVD_AM_PM En-tête Received: falsifié (AM/PM)
lang fr describe RCVD_FAKE_HELO_DOTCOM En-tête Received contient nom d'hôte falsifié dans le HELO
lang fr describe RCVD_IN_BL_SPAMCOP_NET Relais listé dans http://spamcop.net/bl.shtml
lang fr describe RCVD_IN_SORBS_DUL Envoyé directement depuis une adresse IP dynamique
lang fr describe RCVD_IN_MAPS_DUL Relais listé dans DUL, http://www.mail-abuse.org/dul/
lang fr describe RCVD_IN_MAPS_NML Relais listé dans NML, http://www.mail-abuse.org/nml/
lang fr describe RCVD_IN_MAPS_RBL Relais listé dans RBL, http://www.mail-abuse.org/rbl/
lang fr describe RCVD_IN_MAPS_RSS Relais listé dans RSS, http://www.mail-abuse.org/rss/
lang fr describe RCVD_IN_SBL Relais listé dans https://www.spamhaus.org/sbl/
lang fr describe RCVD_IN_SORBS_BLOCK SORBS: Relais refusant d'être testé par SORBS
lang fr describe RCVD_IN_SORBS_HTTP SORBS: Envoyé par un proxy HTTP ouvert
lang fr describe RCVD_IN_SORBS_MISC SORBS: Envoyé par un proxy ouvert
lang fr describe RCVD_IN_SORBS_SMTP SORBS: Envoyé par un relais SMTP ouvert
lang fr describe RCVD_IN_SORBS_SOCKS SORBS: Envoyé par un proxy SOCKS ouvert
lang fr describe RCVD_IN_SORBS_WEB SORBS: Envoyé depuis un serveur web vulnérable
lang fr describe RCVD_IN_SORBS_ZOMBIE SORBS: Envoyé depuis un réseau IP piraté
lang fr describe REFINANCE_NOW Offre de refinancement immobilier
lang fr describe REFINANCE_YOUR_HOME Offre de refinancement immobilier
lang fr describe SORTED_RECIPS La liste des destinataires est triée par ordre alphabétique
lang fr describe STOCK_ALERT Contient la formule "stock alert"
lang fr describe STRONG_BUY Contient la formule "strong buy"
lang fr describe SUBJ_ALL_CAPS Le sujet est en majuscules
lang fr describe SUBJ_AS_SEEN Le sujet contient "As Seen" (généralement "vu à la télé"...)
lang fr describe SUBJ_BUY Le sujet commence par "Buy, Buying" (achetez, achat)
lang fr describe SUBJ_DOLLARS Le sujet commence par une somme en dollars
lang fr describe SUBJ_ILLEGAL_CHARS Subject: contient trop de caractères bruts invalides
#lang fr describe SUBJ_YOUR_DEBT Le sujet contient "Your Bills" (vos factures) ou similaire
lang fr describe SUBJ_YOUR_FAMILY Le sujet contient "Your Family" (votre famille)
lang fr describe SUSPICIOUS_RECIPS L'en-tête To: contient plus de dix fois le même nom de domaine
lang fr describe TO_MALFORMED L'en-tête To: contient une adresse mal formée
lang fr describe TRACKER_ID Contient un numéro permettant de vous identifier
lang fr describe UNCLAIMED_MONEY Argent non réclamé: Chacun sait que c'est courant ;-)
lang fr describe UPPERCASE_50_75 Message composé de 50 à 75% de majuscules
lang fr describe UPPERCASE_75_100 Message composé de 75 à 100% de majuscules
lang fr describe URG_BIZ Contient la formule "urgent business"
lang fr describe USER_IN_ALL_SPAM_TO Destinataire sur la liste "all_spam_to" (config SA locale)
lang fr describe USER_IN_BLACKLIST Expéditeur sur la liste noire (config SA locale)
lang fr describe USER_IN_BLACKLIST_TO Destinataire sur la liste "blacklist_to" (config SA locale)
lang fr describe USER_IN_DEF_WHITELIST Expéditeur dans la liste OK par défaut de SpamAssassin
lang fr describe USER_IN_MORE_SPAM_TO Destinataire sur la liste "more_spam_to" (config SA locale)
lang fr describe USER_IN_WHITELIST Expéditeur sur la liste blanche (OK) (config SA locale)
lang fr describe USER_IN_WELCOMELIST_TO Destinataire sur la liste blanche (config SA)
#lang fr describe US_DOLLARS_3 Escroq. nigérienne, version modifiée, phrase clé ($NN,NNN,NNN.NN)
lang fr describe DRUG_ED_ONLINE Vente de Viagra par correspondance
lang fr describe WEIRD_PORT Lien HTTP vers un numéro de port non standard
lang fr describe WEIRD_QUOTING Utilisation étrange de symboles de citations
lang fr describe WITH_LC_SMTP Une ligne Received: contient un signe de spam ("smtp" en minuscules)
ifplugin Mail::SpamAssassin::Plugin::AntiVirus
lang fr describe MIME_SUSPECT_NAME Le nom du fichier joint MIME semble suspect (virus ?)
endif
ifplugin Mail::SpamAssassin::Plugin::DCC
lang fr describe DCC_CHECK Message listé par DCC: http://www.www.dcc-servers.net/dcc/
endif
ifplugin Mail::SpamAssassin::Plugin::Pyzor
lang fr describe PYZOR_CHECK Message listé par Pyzor, voir https://pyzor.readthedocs.io/en/latest/
endif
ifplugin Mail::SpamAssassin::Plugin::TextCat
lang fr describe BODY_8BITS Contient plusieurs caractères 8-bits consécutifs
lang fr describe UNWANTED_LANGUAGE_BODY Message dans une langue non désirée (config locale)
endif
ifplugin Mail::SpamAssassin::Plugin::AccessDB
lang fr describe ACCESSDB Ce message aurait été bloqué par accessdb
endif
lang fr describe NORMAL_HTTP_TO_IP URI: Contient une adresse IP en notation décimale

35
sa-updates/30_text_it.cf Normal file
View File

@ -0,0 +1,35 @@
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# character set used in the following texts
#lang it report_charset iso-8859-1
# ........................................................................
#lang it clear_unsafe_report_template
#lang it unsafe_report Attenzione: il messaggio originale non testo puro, e potrebbe essere
#lang it unsafe_report pericoloso da aprire con alcuni programmi di posta. Ad esempio, potrebbe
#lang it unsafe_report contenere un virus, o confermare ad un mittente di spam che il messaggio
#lang it unsafe_report stato letto. Un modo sicuro per visualizzarne il testo (ma non le
#lang it unsafe_report immagini o gli allegati) salvarlo in un file e aprirlo con un editor.
# ........................................................................

275
sa-updates/30_text_nl.cf Normal file
View File

@ -0,0 +1,275 @@
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# contributed by Jesse Houwing, bug 3197
#
# ..............................................................................
lang nl report Spam detectie software op het systeem "_HOSTNAME_", heeft dit bericht
lang nl report als mogelijke spam aangemerkt. Het originele bericht is bijgevoegd als
lang nl report bijlage bij dit bericht zodat u het kunt bekijken (als het geen spam is)
lang nl report of soortgelijke toekomstige berichten blokkeren. Zie _CONTACTADDRESS_
lang nl report voor meer details
lang nl report
lang nl report Gedeelte van de inhoud: _PREVIEW_
lang nl report
lang nl report Analyse details: (_SCORE_ punten, _REQD_ vereist)
lang nl report
lang nl report " pnt regel naam omschrijving"
lang nl report ---- ---------------------- -------------------------------------------------
lang nl report _SUMMARY_
# ..............................................................................
# ........................................................................
lang nl unsafe_report Het originele bericht bestond niet geheel uit tekst en is mogelijk
lang nl unsafe_report onveilig om te openen im sommige emailprogramma's. Het bericht bevat
lang nl unsafe_report mogelijk een virus of code om te verifieren dat uw adres spam
lang nl unsafe_report berichten kan ontvangen. Het is veiliger om het bericht op te slaan
lang nl unsafe_report en het te bekijken in een tekstbewerkingsprogramma.
# ........................................................................
lang nl describe GTUBE Standaard test voor ongewenste bulk mail
lang nl describe TRACKER_ID Maakt gebruik van een nummer om het bericht te kunnen volgen
lang nl describe WEIRD_QUOTING Vreemde herhaalde dubbel aanhalingsteken
lang nl describe __MIME_BASE64 Bevat een base64 bijlage
lang nl describe __MIME_QP Bevat een quoted-printable bijlage
#lang nl describe MIME_BASE64_BLANKS Extra witregels in base64 codering
lang nl describe MIME_BASE64_TEXT Bericht verborgen door middel van base64 codering
lang nl describe MIME_HTML_MOSTLY Multipart bericht bestaat voornamelijk uit text/html MIME
lang nl describe MIME_HTML_ONLY Bericht bestaat enkel uit text/html MIME delen
lang nl describe MIME_HTML_ONLY_MULTI Bericht heeft enkel text/html MIME delen
lang nl describe MIME_QP_LONG_LINE Quoted-printable regel langer dan 76 karakters
lang nl describe MIME_CHARSET_FARAWAY MIME karakterset wijst op vreemde taal
lang nl describe MPART_ALT_DIFF HTML en tekst delen zijn verschillend
lang nl describe CHARSET_FARAWAY Karakterset wijst op vreemde taal
lang nl describe EMAIL_ROT13 Body bevat een ROT13-versleuteld emailadres
lang nl describe BLANK_LINES_80_90 Bericht bestaat voor 80-90% uit witregels
lang nl describe __RCVD_IN_SORBS SORBS: verzender is gevonden in SORBS
lang nl describe RCVD_IN_SORBS_HTTP SORBS: verzender is een open HTTP proxy server
lang nl describe RCVD_IN_SORBS_MISC SORBS: verzender is een open proxy server
lang nl describe RCVD_IN_SORBS_SMTP SORBS: verzender is een open SMTP relay
lang nl describe RCVD_IN_SORBS_SOCKS SORBS: verzender is een open SOCKS proxy server
lang nl describe RCVD_IN_SORBS_WEB SORBS: verzender is een misbruikbare web server
lang nl describe RCVD_IN_SORBS_BLOCK SORBS: verzender weigert getest te worden
lang nl describe RCVD_IN_SORBS_ZOMBIE SORBS: verzender is een gekaapt netwerk
lang nl describe RCVD_IN_SORBS_DUL SORBS: bericht is direct verstuurd vanaf een dynamisch IP adres
lang nl describe RCVD_IN_SBL Ontvangen via een relay die gevonden is in Spamhaus SBL
lang nl describe RCVD_IN_XBL Ontvangen via een relay die gevonden is in Spamhaus XBL
lang nl describe RCVD_IN_BL_SPAMCOP_NET Ontvangen via een relay die gevonden is in bl.spamcop.net
lang nl describe RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.org/rbl/
lang nl describe RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.org/dul/
lang nl describe RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.org/rss/
lang nl describe RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.org/nml/
lang nl describe FROM_STARTS_WITH_NUMS Van: begint met nummers
lang nl describe FROM_OFFERS Van: adres is van "at iets-aangeboden"
lang nl describe FROM_NO_USER Van: heeft geen lokaal deel voor het @-tje
lang nl describe PLING_QUERY Onderwerp heeft een uitroepteken en een vraagteken
lang nl describe SUBJ_ALL_CAPS Onderwerp bevat alleen hoofdletters
lang nl describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant)
lang nl describe MSGID_OUTLOOK_INVALID Message-Id is nep (in Outlook Express formaat)
lang nl describe MSGID_RANDY Message-Id bevat een patroon dat wordt gebruikt in SPAM
lang nl describe MSGID_FROM_MTA_HEADER Message-Id was door een relay toegevoegd
lang nl describe DATE_SPAMWARE_Y2K Datum heeft een vreemde Y2K opmaak
lang nl describe INVALID_DATE Ongeldige Date: header (niet RFC 2822)
lang nl describe INVALID_DATE_TZ_ABSURD Ongeldige Date: header (tijdzone bestaat niet)
lang nl describe DATE_IN_PAST_03_06 Date: is 3 tot 6 uur voor Received: datum
lang nl describe DATE_IN_PAST_06_12 Date: is 6 tot 12 uur voor Received: datum
lang nl describe DATE_IN_PAST_12_24 Date: is 12 tot 24 uur voor Received: datum
lang nl describe DATE_IN_PAST_24_48 Date: is 24 tot 48 uur voor Received: datum
lang nl describe DATE_IN_PAST_96_XX Date: is 96 of meer uur voor Received: datum
lang nl describe DATE_IN_FUTURE_03_06 Date: is 3 tot 6 uur na Received: datum
lang nl describe DATE_IN_FUTURE_06_12 Date: is 6 tot 12 uur na Received: datum
lang nl describe DATE_IN_FUTURE_12_24 Date: is 12 tot 24 uur na Received: datum
lang nl describe DATE_IN_FUTURE_24_48 Date: is 24 tot 48 uur na Received: datum
lang nl describe DATE_IN_FUTURE_48_96 Date: is 48 tot 96 uur na Received: datum
lang nl describe DATE_IN_FUTURE_96_XX Date: is 96 of meer uur na Received: datum
lang nl describe SUBJ_ILLEGAL_CHARS Onderwerp: bevat te veel 'raw' tekens
lang nl describe FROM_ILLEGAL_CHARS Van: bevat te veel 'raw' tekens
lang nl describe HEAD_ILLEGAL_CHARS Header: bevat te veel illegale tekens
lang nl describe JAPANESE_UCE_SUBJECT Onderwerp: bevat een Japanese UCE tag
lang nl describe KOREAN_UCE_SUBJECT Onderwerp: bevat een koreaanse ongewenste email tag
lang nl describe NO_DNS_FOR_FROM Domein in Van heeft geen MX of A DNS record
lang nl describe RCVD_DOUBLE_IP_SPAM Buld email vingerafdruk (dubbel IP) gevonden
lang nl describe RCVD_DOUBLE_IP_LOOSE Received: door en van lijken op IP adressen
lang nl describe FORGED_TELESP_RCVD Bevat een vervalde hostnaam voor een DSL IP in Brazilie
lang nl describe FORGED_HOTMAIL_RCVD2 hotmail.com 'Van' adres, maar geen 'Received:'
lang nl describe FORGED_YAHOO_RCVD 'Van' yahoo.com Komt niet overeen met 'Received' headers
lang nl describe CONFIRMED_FORGED Received headers zijn vervalst
lang nl describe MULTI_FORGED Received headers wijzen op meerdere vervalsingen
lang nl describe NONEXISTENT_CHARSET Karakterset bestaat niet
lang nl describe CHARSET_FARAWAY_HEADER Een buitenlandse taal wordt gebruikt in de headers
lang nl describe MISSING_HEADERS Ontbrekende Aan: header
lang nl describe SUSPICIOUS_RECIPS Vergelijkbare adressen in de ontvangerslijst
lang nl describe SORTED_RECIPS Ontvangerslijst is gesorteerd op alfabet
lang nl describe GAPPY_SUBJECT Onderwerp: bevat G.a.t.e.n.k.a.a.s
lang nl describe MISSING_MIMEOLE Bericht heeft een X-MSMail-Priority, maar geen X-MimeOLE
lang nl describe SUBJ_AS_SEEN Onderwerp bevat "As Seen"
lang nl describe SUBJ_DOLLARS Onderwerp begint met een bedrag in dollars
#lang nl describe SUBJ_YOUR_DEBT Onderwerp bevat "Your Bills" of iets dergelijks
lang nl describe SUBJ_YOUR_FAMILY Onderwerp bevat "Your Family"
lang nl describe RCVD_FAKE_HELO_DOTCOM Received bevat een vervalde HELO hostnaam
lang nl describe MIME_BOUND_DIGITS_15 Spam tool patroon in MIME grens
lang nl describe MIME_BOUND_MANY_HEX Spam tool patroon in MIME grens
lang nl describe TO_MALFORMED Aan: foutief opgesteld adres
lang nl describe MIME_HEADER_CTYPE_ONLY 'Content-Type' gevonden zonder de benodigde MIME headers
lang nl describe WITH_LC_SMTP Received regel bevat een spam merkteken (lowercase smtp)
lang nl describe SUBJ_BUY Onderwerp: begint met 'Buy(ing)'
lang nl describe RCVD_AM_PM Received headers vervalst (AM/PM)
lang nl describe HEADER_COUNT_CTYPE Meerdere Content-Type headers gevonden
lang nl describe NO_RDNS_DOTCOM_HELO Host HELO'd als een grote internet provider ISP, maar heeft geen rDNS
lang nl describe HTML_MESSAGE HTML opgenomen in het bericht
lang nl describe HTML_COMMENT_SAVED_URL HTML bericht is een opgeslagen webpagina
lang nl describe HTML_EMBEDS HTML met plugin
lang nl describe HTML_FONT_LOW_CONTRAST HTML tekstkleur lijkt er op de achtergrondkleur
lang nl describe HTML_FONT_FACE_BAD HTML lettertype naam is geen woord
lang nl describe HTML_FORMACTION_MAILTO HTML bevat een formulier dat email verstuurd
lang nl describe HTML_IMAGE_ONLY_04 HTML: plaatjes met 200-400 bytes aan woorden
lang nl describe HTML_IMAGE_ONLY_08 HTML: plaatjes met 600-800 bytes aan woorden
lang nl describe HTML_IMAGE_ONLY_12 HTML: plaatjes met 1000-1200 bytes aan woorden
lang nl describe HTML_IMAGE_RATIO_02 HTML heeft een lage verhouding tussen tekst en plaatjes
lang nl describe HTML_IMAGE_RATIO_04 HTML heeft een lage verhouding tussen tekst en plaatjes
lang nl describe HTML_IMAGE_RATIO_06 HTML heeft een lage verhouding tussen tekst en plaatjes
lang nl describe HTML_IMAGE_RATIO_08 HTML heeft een lage verhouding tussen tekst en plaatjes
lang nl describe HTML_OBFUSCATE_10_20 Bericht bevat 10% tot 20% HTML verdoezeling
lang nl describe HTML_OBFUSCATE_20_30 Bericht bevat 20% tot 30% HTML verdoezeling
lang nl describe HTML_OBFUSCATE_30_40 Bericht bevat 30% tot 40% HTML verdoezeling
lang nl describe HTML_OBFUSCATE_50_60 Bericht bevat 50% tot 60% HTML verdoezeling
lang nl describe HTML_OBFUSCATE_70_80 Bericht bevat 70% tot 80% HTML verdoezeling
lang nl describe HTML_OBFUSCATE_90_100 Bericht bevat 90% tot 100% HTML verdoezeling
lang nl describe HTML_TAG_BALANCE_BODY HTML bevat ongebalanceerde "body" tags
lang nl describe HTML_TAG_BALANCE_HEAD HTML bevat ongebalanceerde "head" tags
lang nl describe HTML_BADTAG_40_50 HTML bericht bevat 40% tot 50% foute tags
lang nl describe HTML_BADTAG_50_60 HTML bericht bevat 50% tot 60% foute tags
lang nl describe HTML_BADTAG_60_70 HTML bericht bevat 60% tot 70% foute tags
lang nl describe HTML_BADTAG_90_100 HTML bericht bevat 90% tot 100% foute tags
lang nl describe HTML_NONELEMENT_30_40 30% tot 40% van de HTML elementen zijn niet standaard
lang nl describe HTML_NONELEMENT_40_50 40% tot 50% van de HTML elementen zijn niet standaard
lang nl describe HTML_NONELEMENT_60_70 60% tot 70% van de HTML elementen zijn niet standaard
lang nl describe HTML_NONELEMENT_80_90 80% tot 90% van de HTML elementen zijn niet standaard
lang nl describe HTML_CHARSET_FARAWAY Een vreemde taal wordt gebruikt in de karakterset
lang nl describe HTML_MIME_NO_HTML_TAG HTML-only bericht, maar er is geen HTML tag
lang nl describe HIDE_WIN_STATUS Javascript om URLs te verbergen in het bericht
lang nl describe OBFUSCATING_COMMENT HTML commentaar om het bericht te verdoezelen
lang nl describe UPPERCASE_50_75 Bericht tekst bestaat voor 50-75% uit hoofdletters
lang nl describe UPPERCASE_75_100 Bericht tekst bestaat voor 75-100% uit hoofdletters
lang nl describe INVALID_MSGID Message-Id is ongeldig, volgens RFC 2822
lang nl describe FORGED_MUA_MOZILLA Vervalste mail die afkomstig zou zijn van Mozilla
lang nl describe GUARANTEED_100_PERCENT 100% gegarandeerd
lang nl describe DEAR_FRIEND Beste vriend, klinkt niet erg bekend...
lang nl describe DEAR_SOMETHING Bevat 'Dear (iets)'
lang nl describe BILLION_DOLLARS Spreekt van heeel veel geld
lang nl describe EXCUSE_4 Claimt dat je van de lijst verwijderd kan worden
lang nl describe EXCUSE_24 Claimt dat je om deze advertentie hebt gevraagd
lang nl describe EXCUSE_REMOVE Heeft het over hoe je verwijderd kan worden van de lijst
lang nl describe STRONG_BUY Vertelt je over een goede aankoop
lang nl describe STOCK_ALERT Biedt aan je aandelen in de gaten te houden
lang nl describe NOT_ADVISOR Geen geregistreerde beleggings adviseur
lang nl describe PREST_NON_ACCREDITED 'Prestigieuze "Non-Accredited" Universiteiten'
lang nl describe BODY_ENHANCEMENT Informatie over het vergroten van lichaamsdelen
lang nl describe BODY_ENHANCEMENT2 Informatie over het vergroten van lichaamsdelen
lang nl describe IMPOTENCE Medicijn voor impotentie
#lang nl describe NA_DOLLARS Praat over een miljoen Noord-Amerikaanse dollars
#lang nl describe US_DOLLARS_3 Vermeldt miljoenen $ ($NN,NNN,NNN.NN)
#lang nl describe MILLION_USD Heeft het over miljoenen dollars
lang nl describe MONEY_BACK Niet-goed-geld-terug garantie
lang nl describe FREE_QUOTE_INSTANT Gratis offerte
lang nl describe BAD_CREDIT Los al uw leningen op
lang nl describe REFINANCE_YOUR_HOME Hyphoteek oversluiten
lang nl describe REFINANCE_NOW Hyphoteek oversluiten
lang nl describe NO_MEDICAL Geen medische keuring
lang nl describe FORWARD_LOOKING Aandelen waarschuwing
lang nl describe ONE_TIME Eenmalige afzettingspraktijk
lang nl describe JOIN_MILLIONS Voeg je bij miljoenen Amerikanen
lang nl describe ONLINE_PHARMACY Online apotheek
lang nl describe MARKETING_PARTNERS Zegt dat je je bij een partner bedrijf hebt geregistreerd
lang nl describe LOW_PRICE Laagste prijzen
lang nl describe UNCLAIMED_MONEY Mensen laten het geld rondslingeren
lang nl describe OBSCURED_EMAIL Bevat een rot13ed adres
lang nl describe BANG_OPRAH Iets met Oprah!
lang nl describe ACT_NOW_CAPS Heeft het in hoofdletters over "nu in actie komen"
lang nl describe BANG_GUAR ...gegaranderd!
lang nl describe FREE_PORN Dikke kans op porno - Gratis Porno
lang nl describe CUM_SHOT Dikke kans op porno - Kwakjes
lang nl describe LIVE_PORN Dikke kans op porno - Rechtstreekse Porno uitzending
lang nl describe RATWARE_EGROUPS Bulk email kenmerk (eGroups) gevonden
lang nl describe RATWARE_OE_MALFORMED X-Mailer bevat misvormde Outlook Express versie
lang nl describe FORGED_MUA_IMS Vals mailtje, pretendeert afkomstig te zijn van IMS
lang nl describe FORGED_MUA_OUTLOOK Vals mailtje, pretendeert afkomstig te zijn van MS Outlook
lang nl describe FORGED_MUA_OIMO Vals mailtje, pretendeert afkomstig te zijn van MS Outlook IMO
lang nl describe FORGED_MUA_EUDORA Vals mailtje, pretendeert afkomstig te zijn van Eudora
lang nl describe FORGED_MUA_THEBAT_CS Mailtje dat pretendeert afkomstig te zijn van The Bat! (charset)
lang nl describe FORGED_MUA_THEBAT_BOUN Mailtje dat pretendeert afkomstig te zijn van The Bat! (boundary)
lang nl describe FORGED_OUTLOOK_HTML Outlook kan geen berichten met alleen HTML versturen
lang nl describe FORGED_IMS_HTML IMS kan geen berichten met alleen HTML versturen
lang nl describe FORGED_THEBAT_HTML The Bat! kan geen berichten met alleen HTML versturen
lang nl describe FORGED_QUALCOMM_TAGS QUALCOMM email programma's versturen geen HTML zoals deze
lang nl describe FORGED_IMS_TAGS IMS email programma's versturen geen HTML zoals deze
lang nl describe FORGED_OUTLOOK_TAGS Outlook verstuurt geen HTML zoals deze
lang nl describe RATWARE_HASH_DASH Bevat een hashbuster in Send-Safe opmaak
lang nl describe NUMERIC_HTTP_ADDR Gebruikt een numeriek IP adres in een URL
lang nl describe HTTP_ESCAPED_HOST Gebruikt %-escapes in de hostname van een URL
lang nl describe HTTP_EXCESSIVE_ESCAPES Volkomen overbodige %-escapes in een URL
lang nl describe IP_LINK_PLUS "Dotted-decimal" IP address gevolgd door CGI
lang nl describe WEIRD_PORT Gebruikt een afwijkend poort nummer voor HTTP
lang nl describe YAHOO_RD_REDIR Bevat een Yahoo Redirect URI
lang nl describe YAHOO_DRS_REDIR Bevat een Yahoo Redirect URI
# 23_bayes.cf
ifplugin Mail::SpamAssassin::Plugin::Bayes
lang nl describe BAYES_00 Bayesiaanse kans op spam is 0 tot 1%
lang nl describe BAYES_05 Bayesiaanse kans op spam is 1 tot 5%
lang nl describe BAYES_20 Bayesiaanse kans op spam is 5 tot 20%
lang nl describe BAYES_40 Bayesiaanse kans op spam is 20 tot 40%
lang nl describe BAYES_50 Bayesiaanse kans op spam is 40 tot 60%
lang nl describe BAYES_60 Bayesiaanse kans op spam is 60 tot 80%
lang nl describe BAYES_80 Bayesiaanse kans op spam is 80 tot 95%
lang nl describe BAYES_95 Bayesiaanse kans op spam is 95 tot 99%
lang nl describe BAYES_99 Bayesiaanse kans op spam is 99 tot 100%
lang nl describe BAYES_999 Bayesiaanse kans op spam is 99.9 tot 100%
endif
#
lang nl describe DRUG_DOSAGE Heeft het over een prijs per dosis
ifplugin Mail::SpamAssassin::Plugin::AntiVirus
lang nl describe MIME_SUSPECT_NAME MIME bestandsnaam komt niet overeen met inhoud
endif
ifplugin Mail::SpamAssassin::Plugin::DCC
lang nl describe DCC_CHECK Gevonden in DCC (https://www.dcc-servers.net/dcc/)
endif
ifplugin Mail::SpamAssassin::Plugin::Pyzor
lang nl describe PYZOR_CHECK Gevonden in Pyzor (https://pyzor.readthedocs.io/en/latest/)
endif
ifplugin Mail::SpamAssassin::Plugin::TextCat
lang nl describe BODY_8BITS Bericht bevat 8 aaneengesloten 8-bit karakters
lang nl describe UNWANTED_LANGUAGE_BODY Bericht is opgesteld in een ongewenste taal
endif
ifplugin Mail::SpamAssassin::Plugin::AccessDB
lang nl describe ACCESSDB Bericht zou gevangen zijn door accessdb
endif
lang nl describe NORMAL_HTTP_TO_IP Gebruikt een "dotted-decimal" IP adres in een URL

267
sa-updates/30_text_pl.cf Normal file
View File

@ -0,0 +1,267 @@
# SpamAssassin translations: Polish
# Charset: ISO-8859-2
#
# Polish translation based on work started by <radek at alter dot pl>
# rewrite for version 2.60: Jerzy Szczudłowski <jerzy at jedwab dot net dot pl >
# (v0.2)
#
# Proszę nie modyfikować tego pliku, gdyż wszelkie zmiany zostaną nadpisane
# podczas następnego uaktualnienia. Zamiast tego, proszę używać
# /etc/mail/spamassassin/local.cf. Szczegóły w 'perldoc Mail::SpamAssassin::Conf'
#
# Ten program jest darmowy; można go rozprowadzać i/lub modyfikować na
# warunkach Licencji Artystycznej lub Powszechnej Licencji Publicznej GNU
# publikowanej przez Free Software Foundation; zarówno w wersji 1 lub,
# którejkolwiek późniejszej. Szczegóły w pliku "License", znajdującym się w
# głównym katalogu ze źródłami SpamAssassina.
#
#
# Użycie:
# - ustaw w /etc/procmailrc (lub lokalnie w ~/.procmailrc) zmienną LANG=pl_PL
# - w konfiguracji SpamAssassina (globalnie local.cf, lokalnie user_prefs)
# dodaj opcję: report_charset iso-8859-2
#
###########################################################################
############## ........................................................................
lang pl clear_report_template
lang pl report ----------------- AUTOMATYCZNY raport antySPAMowy ----------------------
lang pl report Oprogramowanie do wykrywania spamu, działające na serwerze:
lang pl report *** "_HOSTNAME_" ***,
lang pl report zidentyfikowało ten email jako prawdopodobny spam. Oryginalna wiadomość
lang pl report została dołączona do tej, aby można było przejrzeć, zweryfikować lub
lang pl report zablokować na przyszłość. Jeżeli masz jakieś wątpliwości, to kieruj je pod
lang pl report adres _CONTACTADDRESS_
lang pl report
lang pl report Przegląd zawartości: _PREVIEW_
lang pl report
lang pl report Szczegóły analizy zawartości: (_HITS_ zaliczonych, _REQD_ wymaganych)
lang pl report
lang pl report "pkt nazwa reguły krótki opis"
lang pl report ---- ---------------------- -------------------------------------------
lang pl report _SUMMARY_
############## ........................................................................
###########################################################################
# szablon raportu wiadomości niebezpieczne-do-wglądu
#
##################### ......................................................................
lang pl clear_unsafe_report_template
lang pl unsafe_report Oryginalna wiadomość nie była w całości tekstowa, w związku z tym otwarcie
lang pl unsafe_report jej za pomocą niektórych programów pocztowych może nie być całkowicie
lang pl unsafe_report bezpieczne; w szczególności, przesyłka może zawierać wirusa lub kod
lang pl unsafe_report informujący spamera, że twój adres pocztowy jest prawidłowy i można na
lang pl unsafe_report niego przysyłać więcej spamu. Jeżeli chcesz przejrzeć, bezpieczniej
lang pl unsafe_report będzie zapisać najpierw na dysk, a następnie otworzyć edytorem tekstu.
##################### ......................................................................
# tłumaczenia reguł
lang pl describe ACT_NOW_CAPS Tekst 'ACTING NOW'
lang pl describe BAD_CREDIT Likwidacja problemów kredytowych
lang pl describe BANG_GUAR Dobitna gwarancja czegoś
lang pl describe BANG_OPRAH Treść: o Oprah z wykrzyknikiem!
# 23_bayes.cf
ifplugin Mail::SpamAssassin::Plugin::Bayes
lang pl describe BAYES_00 Bayesowskie prawdopodobieństwo spamu wynosi 0 do 1%
lang pl describe BAYES_05 Bayesowskie prawdopodobieństwo spamu wynosi 1 do 5%
lang pl describe BAYES_20 Bayesowskie prawdopodobieństwo spamu wynosi 5 do 20%
lang pl describe BAYES_40 Bayesowskie prawdopodobieństwo spamu wynosi 20 do 40%
lang pl describe BAYES_50 Bayesowskie prawdopodobieństwo spamu wynosi 40 do 60%
lang pl describe BAYES_60 Bayesowskie prawdopodobieństwo spamu wynosi 60 do 80%
lang pl describe BAYES_80 Bayesowskie prawdopodobieństwo spamu wynosi 80 do 95%
lang pl describe BAYES_95 Bayesowskie prawdopodobieństwo spamu wynosi 95 do 99%
lang pl describe BAYES_99 Bayesowskie prawdopodobieństwo spamu wynosi 99 do 100%
lang pl describe BAYES_999 Bayesowskie prawdopodobieństwo spamu wynosi 99.9 do 100%
endif
#
lang pl describe BILLION_DOLLARS Treść: o niesamowitej ilości pieniędzy
lang pl describe BLANK_LINES_80_90 Treść zawiera 80-90% pustych linii
lang pl describe CHARSET_FARAWAY_HEADER Obcojęzyczny zestaw znaków w nagłówkach
lang pl describe CHARSET_FARAWAY List zawiera typ znaków oznaczający język obcy
lang pl describe CONFIRMED_FORGED Nagłówki Received: sfałszowane
lang pl describe CUM_SHOT Prawdopodobnie porno - 'Wytrysk nasienia'
lang pl describe DATE_IN_FUTURE_03_06 Data: jest od 3 do 6 godzin po dacie z Received:
lang pl describe DATE_IN_FUTURE_06_12 Data: jest od 6 do 12 godzin po dacie z Received:
lang pl describe DATE_IN_FUTURE_12_24 Data: jest od 12 do 24 godzin po dacie z Received:
lang pl describe DATE_IN_FUTURE_24_48 Data: jest od 24 do 48 godzin po dacie z Received:
lang pl describe DATE_IN_FUTURE_48_96 Data: jest od 48 do 96 godzin po dacie z Received:
lang pl describe DATE_IN_FUTURE_96_XX Data: jest od 96 lub więcej godzin po dacie z Received:
lang pl describe DATE_IN_PAST_03_06 Data: jest od 3 do 6 godzin przed datą z Received:
lang pl describe DATE_IN_PAST_06_12 Data: jest od 6 do 12 godzin przed datą z Received:
lang pl describe DATE_IN_PAST_12_24 Data: jest od 12 do 24 godzin przed datą z Received:
lang pl describe DATE_IN_PAST_24_48 Data: jest od 24 do 48 godzin przed datą z Received:
lang pl describe DATE_IN_PAST_96_XX Data: jest od 96 lub więcej godzin przed datą z Received:
lang pl describe MISSING_DATE Brakuje nagłówka Data:
lang pl describe DATE_SPAMWARE_Y2K Nagłówek Data: używa podejrzanego formatowania Y2k
lang pl describe DEAR_FRIEND 'Drogi Przyjacielu' (ang.)
lang pl describe DEAR_SOMETHING Zawiera 'Drogi Ktośtam' (ang.)
lang pl describe EMAIL_ROT13 Treść zawiera adres email zakodowany ROT13
lang pl describe EXCUSE_24 Twierdzi, że chciałeś reklamę
lang pl describe EXCUSE_4 Twierdzi, że możesz być usunięty z listy
lang pl describe EXCUSE_REMOVE Pisze, jak można zostać usuniętym z listy
lang pl describe FIN_FREE Wolność finansowa
lang pl describe FORGED_HOTMAIL_RCVD2 Od: hotmail.com, lecz bez 'Received:'
lang pl describe FORGED_IMS_HTML IMS nie potrafi wysyłać wiadomości całkowicie w HTML
lang pl describe FORGED_IMS_TAGS Programy pocztowe IMS nie potrafią wysyłać HTMLa w tym formacie
lang pl describe FORGED_MUA_EUDORA Podrobiony mail udający przesyłkę z programu Eudora
lang pl describe FORGED_MUA_IMS Podrobiony mail udający przesyłkę z IMS
lang pl describe FORGED_MUA_MOZILLA Podrobiony mail udający przesyłkę z Mozilli
lang pl describe FORGED_MUA_OIMO Podrobiony mail udający przesyłkę z MS Outlook IMO
lang pl describe FORGED_MUA_OUTLOOK Podrobiony mail udający przesyłkę z MS Outlook
lang pl describe FORGED_MUA_THEBAT_BOUN Podrobiony mail udający przesyłkę z programu The Bat! (granica)
lang pl describe FORGED_MUA_THEBAT_CS Podrobiony mail udający przesyłkę z programu The Bat! (zestaw znaków)
lang pl describe FORGED_OUTLOOK_HTML Outlook nie potrafi wysyłać wiadomości całkowicie w HTML
lang pl describe FORGED_OUTLOOK_TAGS Outlook nie potrafi wysyłać wiadomości HTML w tym formacie
lang pl describe FORGED_QUALCOMM_TAGS Programy pocztowe QUALCOMM nie potrafią wysyłać HTMLa w tym formacie
lang pl describe FORGED_TELESP_RCVD Zawiera podrobioną nazwę hosta pod IP DSLa z Brazylii
lang pl describe FORGED_THEBAT_HTML The Bat! nie potrafi wysyłać wiadomości całkowicie w HTML
lang pl describe FORGED_YAHOO_RCVD Od: yahoo.com nie zgadza się z nagłówkami Received:
lang pl describe FORWARD_LOOKING Oświadczenie rezygnującego akcjonariusza
lang pl describe FREE_PORN Prawdopodobnie porno - darmowe porno
lang pl describe FREE_QUOTE_INSTANT Darmowe notowania (ekspresowe lub bez zobowiązań)
lang pl describe FROM_ILLEGAL_CHARS From: zawiera zbyt wiele niedozwolonych znaków
lang pl describe FROM_NO_USER Od: nie ma niczego przed znakiem @
lang pl describe FROM_OFFERS Od: adresu typu "@wspaniała-okazja"
lang pl describe FROM_STARTS_WITH_NUMS Od: zaczyna się cyframi
lang pl describe GAPPY_SUBJECT Temat: zawiera D.z.i.u.r.a.w.y-T.e.k.s.t
lang pl describe GTUBE Ogólny test na Niepożądane Przesyłki Email
lang pl describe GUARANTEED_100_PERCENT 100% gwarancji
lang pl describe HEADER_COUNT_CTYPE Znaleziono wielokrotne nagłówki Content-Type
lang pl describe HEAD_ILLEGAL_CHARS Nagłówek zawiera zbyt wiele niedozwolonych znaków
lang pl describe HIDE_WIN_STATUS Używa Javascriptu by ukryć URLe w przeglądarce
lang pl describe HTML_CHARSET_FARAWAY Obcy język używany w znacznikach HTML
lang pl describe HTML_COMMENT_SAVED_URL Wiadomość HTML jest stroną WWW
lang pl describe HTML_EMBEDS HTML z osadzonym obiektem typu wtyczka
lang pl describe HTML_FONT_FACE_BAD HTMLowy opis czcionki nie jest słowem
lang pl describe HTML_FONT_LOW_CONTRAST kolor czcionki w HTML jest podobny do tła
lang pl describe HTML_FORMACTION_MAILTO część HTML zawiera formularz, który wysyła pocztę
lang pl describe HTML_IMAGE_ONLY_04 HTML: grafika i 200-400 bajtów słów
lang pl describe HTML_IMAGE_ONLY_08 HTML: grafika i 600-800 bajtów słów
lang pl describe HTML_IMAGE_ONLY_12 HTML: grafika i 1000-1200 bajtów słów
lang pl describe HTML_IMAGE_RATIO_02 HTML posiada niski stosunek objętości tekstu do obrazu
lang pl describe HTML_IMAGE_RATIO_04 HTML posiada niski stosunek objętości tekstu do obrazu
lang pl describe HTML_IMAGE_RATIO_06 HTML posiada niski stosunek objętości tekstu do obrazu
lang pl describe HTML_IMAGE_RATIO_08 HTML posiada niski stosunek objętości tekstu do obrazu
lang pl describe HTML_MESSAGE Wiadomość zawiera kod HTML
lang pl describe HTML_MIME_NO_HTML_TAG Wiadomość całkowicie w HTML, lecz bez odpowiedniego oznaczenia
lang pl describe HTML_TAG_BALANCE_BODY HTML posiada niepozamykane znaczniki w "body"
lang pl describe HTML_TAG_BALANCE_HEAD HTML posiada niepozamykane znaczniki w "head"
lang pl describe HTTP_ESCAPED_HOST Używa % wewnątrz nazwy hosta w URL
lang pl describe HTTP_EXCESSIVE_ESCAPES Całkowicie zbędne % wewnątrz URL
lang pl describe IMPOTENCE Lekarstwo na impotencję
lang pl describe INVALID_DATE Nieprawidłowa data (RFC 2822)
lang pl describe INVALID_DATE_TZ_ABSURD Nieprawidłowa data (nieistniejąca strefa czasowa)
lang pl describe INVALID_MSGID Zgodnie z RFC 2822, Message-Id jest nieprawidłowe
lang pl describe IP_LINK_PLUS CGI poprzedzone kropkowo-dziesiętnym adresem IP
lang pl describe JAPANESE_UCE_SUBJECT Temat: zawiera japoński znacznik UCE
lang pl describe JOIN_MILLIONS Dołącz do Milionów Amerykan
lang pl describe KOREAN_UCE_SUBJECT Temat: zawiera koreański znacznik UCE
lang pl describe LIVE_PORN Prawdopodobnie porno - Porno na żywo
lang pl describe LOW_PRICE Najniższa cena
lang pl describe MARKETING_PARTNERS Twierdzi, że jesteś zarejestrowany jako partner
#lang pl describe MILLION_USD O milionach dolarów
#lang pl describe MIME_BASE64_BLANKS Dodatkowe puste linie kodowane w Base64
lang pl describe MIME_BASE64_TEXT Tekst wiadomości zakamuflowany przy użyciu kodowania Base64
lang pl describe __MIME_BASE64 Zawiera załącznik kodowany w Base64
lang pl describe MIME_BOUND_MANY_HEX Na granicy MIME widać ślad narzędzia spamerskiego
lang pl describe MIME_CHARSET_FARAWAY zestaw znaków MIME wskazuje na język obcy
lang pl describe MIME_HEADER_CTYPE_ONLY Znaleziono nagłówek 'Content-Type' lecz bez nagłówków MIME
lang pl describe MIME_HTML_MOSTLY Wiadomość wieloczęściowa, głownie tekst/html MIME
lang pl describe MIME_HTML_ONLY_MULTI Wiadomość wieloczęściowa posiada tylko części tekstowe/html MIME
lang pl describe MIME_HTML_ONLY Wiadomość posiada tylko części tekstowe/html MIME
lang pl describe MIME_QP_LONG_LINE Linia QP dłuższa niż 76 znaków
lang pl describe __MIME_QP Zawiera załącznik kodowany w Quoted-Printable
lang pl describe MISSING_HEADERS Brakuje jednego z nagłówków: Od, Dd lub Data
lang pl describe MISSING_MIMEOLE Wiadomość zawiera X-MSMail-Priority, lecz bez X-MimeOLE
lang pl describe MONEY_BACK Gwarancja zwrotu pieniędzy
lang pl describe MSGID_FROM_MTA_HEADER Message-Id został dodany przez relay
lang pl describe MSGID_OUTLOOK_INVALID Sfałszowany Message-Id (w formacie Outlook Express)
lang pl describe MULTI_FORGED Nagłówki Received: wykazują wielokrotne fałszowanie
#lang pl describe NA_DOLLARS O milionie Północno Amerykańskich dolarów
lang pl describe NO_DNS_FOR_FROM Domena w nagłówku Do: nie posiada wpisu w DNS (MX lub A)
lang pl describe NO_MEDICAL Bez badań medycznych
lang pl describe NONEXISTENT_CHARSET Nieznany zestaw znaków (język).
lang pl describe NO_RDNS_DOTCOM_HELO Odpowiedź HELO hosta pokazuje wielkiego ISP, lecz brakuje rDNS
lang pl describe NOT_ADVISOR Niezarejestrowany doradca inwestycyjny
lang pl describe NUMERIC_HTTP_ADDR Używa kropkowo-dziesiętnego adresu IP w URL
lang pl describe OBFUSCATING_COMMENT Komentarze HTML zaciemniają tekst
lang pl describe OBSCURED_EMAIL Wiadomość zdaje się zawierać zrotowany (rot13) adres
lang pl describe ONE_TIME Jednokrotna grabież
lang pl describe ONLINE_PHARMACY Apteka on-line
lang pl describe PLING_QUERY Temat zawiera wykrzyknik i pytajnik
lang pl describe PREST_NON_ACCREDITED 'Prestiżowe nieakredytowane uniwersytety'
lang pl describe RATWARE_EGROUPS Znaleziono oznaczenie przesyłki masowej (eGroups)
lang pl describe RATWARE_HASH_DASH Zawiera zabezpieczenia przeciwko detekcji spamu w formacie Send-Safe
lang pl describe RATWARE_OE_MALFORMED Nagłówek X-Mailer podaje złą wersję Outlook Express
lang pl describe RCVD_AM_PM Sfałszowane nagłówki Received (AM/PM)
lang pl describe RCVD_FAKE_HELO_DOTCOM Nagłówek Received zawiera sfałszowaną nazwę hosta HELO
lang pl describe RCVD_IN_BL_SPAMCOP_NET Odebrane od systemu klasy RELAY w/g: bl.spamcop.net
lang pl describe RCVD_IN_MAPS_DUL "open relay" według DUL, http://www.mail-abuse.org/dul/
lang pl describe RCVD_IN_MAPS_NML "open relay" według NML, http://www.mail-abuse.org/nml/
lang pl describe RCVD_IN_MAPS_RBL "open relay" według RBL, http://www.mail-abuse.org/rbl/
lang pl describe RCVD_IN_MAPS_RSS "open relay" według RSS, http://www.mail-abuse.org/rss/
lang pl describe RCVD_IN_SBL Otrzymano przez relay listowany w Spamhaus Block List
lang pl describe RCVD_IN_SORBS_BLOCK SORBS: nadawca nie pozwala się testować
lang pl describe RCVD_IN_SORBS_HTTP SORBS: nadawca jest otwartym serwerem HTTP
lang pl describe RCVD_IN_SORBS_MISC SORBS: nadawca jest otwartym serwerem proxy
lang pl describe RCVD_IN_SORBS_SMTP SORBS: nadawca posiada otwarty serwer (Open Relay)
lang pl describe RCVD_IN_SORBS_SOCKS SORBS: nadawca jest otwartym serwerem SOCKS proxy
lang pl describe RCVD_IN_SORBS_WEB SORBS: nadawca posiada nadużywany serwer WWW
lang pl describe RCVD_IN_SORBS_ZOMBIE SORBS: nadawca jest z sieci bez kontroli
lang pl describe REFINANCE_NOW Refinansowanie domów
lang pl describe REFINANCE_YOUR_HOME Refinansowanie domów
lang pl describe SORTED_RECIPS Lista odbiorców posortowana według adresu
lang pl describe STOCK_ALERT Oferuje powiadomienie o kursach akcji
lang pl describe STRONG_BUY Mówi o mocnym zakupie
lang pl describe SUBJ_ALL_CAPS Temat zawiera same duże litery
lang pl describe SUBJ_AS_SEEN Temat: zawiera "Jak pokazywano"
lang pl describe SUBJ_BUY Temat: zaczyna się od Kup/Kupowanie
lang pl describe SUBJ_DOLLARS Temat: zaczyna się od kwoty dolarów
lang pl describe SUBJ_ILLEGAL_CHARS Temat: zawiera zbyt wiele niedozwolonych znaków
#lang pl describe SUBJ_YOUR_DEBT Temat: zawiera "Twoje rachunki" lub podobnie
lang pl describe SUBJ_YOUR_FAMILY Temat: zawiera "Twoja rodzina"
lang pl describe SUSPICIOUS_RECIPS Do: zawiera samą domenę przynajmniej 10 razy.
lang pl describe TO_MALFORMED Do: zawiera uszkodzony adres
lang pl describe TRACKER_ID Zawiera numer identyfikacyjny
lang pl describe UNCLAIMED_MONEY (ludzie po prostu rozrzucają pieniądze dookoła)
lang pl describe UPPERCASE_50_75 Treść jest w 50-75% wielkimi literami
lang pl describe UPPERCASE_75_100 Treść jest w 75-100% wielkimi literami
lang pl describe URG_BIZ Pilna sprawa
#lang pl describe US_DOLLARS_3 Wspomina miliony $ ($NN,NNN,NNN.NN)
lang pl describe USER_IN_ALL_SPAM_TO Użytkownik jest wymieniony w 'all_spam_to'
lang pl describe USER_IN_BLACKLIST Od: zawiera adres z Twojej "czarnej listy"
lang pl describe USER_IN_BLACKLIST_TO Użytkownik jest wymieniony w 'blacklist_to'
lang pl describe USER_IN_DEF_WHITELIST Użytkownik jest wymieniony w domyślnej white-list (białej liście)
lang pl describe USER_IN_MORE_SPAM_TO Użytkownik jest wymieniony w 'more_spam_to'
lang pl describe USER_IN_WHITELIST Od: zawiera adres z white-list (białej listy)
lang pl describe USER_IN_WELCOMELIST_TO Użytkownik jest wymieniony w 'whitelist_to'
lang pl describe WEIRD_PORT Używa niestandardowego numeru portu dla HTTP
lang pl describe WEIRD_QUOTING Dziwne, powtarzające się znaki podwójnego cytowania
lang pl describe WITH_LC_SMTP Linia 'Received' zawiera spamerski podpis (smtp)
ifplugin Mail::SpamAssassin::Plugin::AntiVirus
lang pl describe MIME_SUSPECT_NAME Nazwa pliku MIME nie zgadza się z zawartością
endif
ifplugin Mail::SpamAssassin::Plugin::DCC
lang pl describe DCC_CHECK Na liście DCC (http://www.dcc-servers.net/dcc/)
endif
ifplugin Mail::SpamAssassin::Plugin::Pyzor
lang pl describe PYZOR_CHECK Na liście Pyzor (https://pyzor.readthedocs.io/en/latest/)
endif
ifplugin Mail::SpamAssassin::Plugin::TextCat
lang pl describe BODY_8BITS Treść zawiera 8 kolejnych 8mio bitowych znaków
lang pl describe UNWANTED_LANGUAGE_BODY Wiadomość napisana w niepożądanym języku
endif
ifplugin Mail::SpamAssassin::Plugin::AccessDB
lang pl describe ACCESSDB Wiadomość zostałaby przechwycona przez accessdb
endif
lang pl describe NORMAL_HTTP_TO_IP Używa kropkowo-dziesiętnego adresu IP w URL

613
sa-updates/30_text_pt_br.cf Normal file
View File

@ -0,0 +1,613 @@
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# character set
lang pt_BR report_charset iso-8859-1
# pt_BR translation by W3P Projetos Web (http://www.w3p.com.br/)
lang pt_BR clear_report_template
lang pt_BR report O filtro de spam do servidor "_HOSTNAME_" identificou este
lang pt_BR report e-mail como um spam. A mensagem original está anexa a este
lang pt_BR report este e-mail para que possa ser visualizada (caso não seja
lang pt_BR report um spam) ou para que emails futuros similares a este sejam
lang pt_BR report marcados como spam também. Caso tenha alguma dúvida, entre
lang pt_br report em contato no email _CONTACTADDRESS_ para mais detalhes.
lang pt_BR report
lang pt_BR report Visualização de um trecho: _PREVIEW_
lang pt_BR report
lang pt_BR report Detalhes da análise: (_SCORE_ pontos, mínimo de _REQD_)
lang pt_BR report
lang pt_BR report " pts regra descrição"
lang pt_BR report ---- ---------------------- --------------------------------------------------
lang pt_BR report _SUMMARY_
lang pt_BR clear_unsafe_report_template
lang pt_BR unsafe_report A mensagem original não estava em texto puro e pode ser inseguro abrí-la
lang pt_BR unsafe_report em alguns clientes de email; mais especificamente, ela pode conter um vírus
lang pt_BR unsafe_report ou confirmar que seu endereço de email pode receber spam.
lang pt_BR unsafe_report Se quiser visualizar a mensagem, pode ser mais seguro salvá-la em um arquivo
lang pt_BR unsafe_report e abrí-la com um editor.
lang pt_BR describe USER_IN_BLACKLIST Endereço do From: está na blacklist do usuário
lang pt_BR describe USER_IN_WHITELIST Endereço do From: está na whitelist do usuário
lang pt_BR describe USER_IN_DEF_WHITELIST Endereço do From: está na whitelist padrão
lang pt_BR describe USER_IN_BLACKLIST_TO Usuário está listado na 'blacklist_to'
lang pt_BR describe USER_IN_WELCOMELIST_TO Usuário está listado na 'whitelist_to'
lang pt_BR describe USER_IN_MORE_SPAM_TO Usuário está listado na 'more_spam_to'
lang pt_BR describe USER_IN_ALL_SPAM_TO Usuário está listado na 'all_spam_to'
ifplugin Mail::SpamAssassin::Plugin::AWL
lang pt_BR describe AWL Endereço do From: está na auto whitelist
endif
# 20_advance_fee.cf - These are removed and will break lint
#lang pt_BR describe ADVANCE_FEE_2 Aparenta ser fraude (Nigerian 419)
#lang pt_BR describe ADVANCE_FEE_3_NEW Aparenta ser fraude (Nigerian 419)
#lang pt_BR describe ADVANCE_FEE_4_NEW Aparenta ser fraude (Nigerian 419)
# 20_body_tests.cf
lang pt_BR describe GTUBE Generic Test for Unsolicited Bulk Email
lang pt_BR describe TRACKER_ID Mensagem contém um código rastramento
lang pt_BR describe WEIRD_QUOTING Possui caracteres "" estranhos
lang pt_BR describe MIME_HTML_ONLY_MULTI Mensagem diz ser multipart mas possui formato text/html
lang pt_BR describe MIME_CHARSET_FARAWAY MIME character set indica idioma estrangeiro
lang pt_BR describe EMAIL_ROT13 Mensagem contém um endereço de email codificado com ROT13
lang pt_BR describe LONGWORDS Contém trechos longos de palavras extensas
lang pt_BR describe MPART_ALT_DIFF Versão HTML e versão Texto da mensagem são diferentes
lang pt_BR describe MPART_ALT_DIFF_COUNT Versão HTML e versão Texto da mensagem são diferentes
lang pt_BR describe BLANK_LINES_80_90 Corpo da mensagem é composto por 80-90% de linhas em branco
lang pt_BR describe CHARSET_FARAWAY Character set indica um idioma estrangeiro
lang pt_BR describe __MIME_BASE64 Possui anexo no formato base64
lang pt_BR describe __MIME_QP Possui anexo no formato quoted-printable
#lang pt_BR describe MIME_BASE64_BLANKS Possui linhas vazias extras em codificação base64
lang pt_BR describe MIME_BASE64_TEXT Texto da mensagem está disfarçado usando codificação base64
lang pt_BR describe MISSING_MIME_HB_SEP Falta linha em branco entre MIME header e Body
lang pt_BR describe MIME_HTML_MOSTLY Mensagem multipart é composta em sua maioria por text/html
lang pt_BR describe MIME_HTML_ONLY Mensagem somente possui formato text/html
lang pt_BR describe MIME_QP_LONG_LINE Linha do tipo Quoted-printable maior que 76 caracteres
lang pt_BR describe MIME_BAD_ISO_CHARSET MIME character set é um charset ISO desconhecido
lang pt_BR describe HTTPS_IP_MISMATCH Link indica HTTPS, mas na verdade aponta para um IP
lang pt_BR describe URI_TRUNCATED Mensagem possui uma URI que foi truncada
# 20_compensate.cf
lang pt_BR describe NO_RECEIVED Informação: mensagem não possui cabeçalho Received:
lang pt_BR describe ALL_TRUSTED Mensagem passou via SMTP apenas por hosts confiáveis
lang pt_BR describe NO_RELAYS Informação: mensagem não foi recebida via SMTP
# 20_dnsbl_tests.cf
lang pt_BR describe __RCVD_IN_SORBS Recebida por um relay listado em SORBS
lang pt_BR describe RCVD_IN_SORBS_HTTP SORBS: remetente é um proxy HTTP aberto
lang pt_BR describe RCVD_IN_SORBS_SOCKS SORBS: remetente é um proxy SOCKS aberto
lang pt_BR describe RCVD_IN_SORBS_MISC SORBS: remetente é um proxy aberto
lang pt_BR describe RCVD_IN_SORBS_SMTP SORBS: remetente é um relay SMTP aberto
lang pt_BR describe RCVD_IN_SORBS_WEB SORBS: remetente é um servidor web explorável
lang pt_BR describe RCVD_IN_SORBS_BLOCK SORBS: remetente requer que não seja testado
lang pt_BR describe RCVD_IN_SORBS_ZOMBIE SORBS: remetente está em uma rede comprometida
lang pt_BR describe RCVD_IN_SORBS_DUL SORBS: mensagem enviada a partir de um IP dinâmico
lang pt_BR describe __RCVD_IN_ZEN Recebida por um relay listado em Spamhaus Zen
lang pt_BR describe RCVD_IN_SBL Recebida por um relay listado em Spamhaus SBL
lang pt_BR describe RCVD_IN_XBL Recebida por um relay listado em Spamhaus XBL
lang pt_BR describe RCVD_IN_PBL Recebida por um relay listado em Spamhaus PBL
lang pt_BR describe RCVD_IN_BL_SPAMCOP_NET Recebida por um relay listado em bl.spamcop.net
lang pt_BR describe RCVD_IN_MAPS_RBL Relay consta em RBL, http://www.mail-abuse.com/enduserinfo_rbl.html
lang pt_BR describe RCVD_IN_MAPS_DUL Relay consta em DUL, http://www.mail-abuse.com/enduserinfo_dul.html
lang pt_BR describe RCVD_IN_MAPS_RSS Relay consta em RSS, http://www.mail-abuse.com/enduserinfo_rss.html
lang pt_BR describe RCVD_IN_MAPS_OPS Relay consta em OPS, http://www.mail-abuse.com/enduserinfo_ops.html
lang pt_BR describe RCVD_IN_MAPS_NML Relay consta em NML, http://www.mail-abuse.com/enduserinfo_nml.html
lang pt_BR describe RCVD_IN_IADB_VOUCHED ISIPP IADB indica que o remetente é confiável (vouched-for sender)
# 20_drugs.cf
lang pt_BR describe SUBJECT_DRUG_GAP_C Assunto contém uma modificação da palavra 'cialis'
lang pt_BR describe SUBJECT_DRUG_GAP_L Assunto contém uma modificação da palavra 'levitra'
lang pt_BR describe SUBJECT_DRUG_GAP_S Assunto contém uma modificação da palavra 'soma'
#lang pt_BR describe SUBJECT_DRUG_GAP_VA Assunto contém uma modificação da palavra 'valium'
lang pt_BR describe SUBJECT_DRUG_GAP_X Assunto contém uma modificação da palavra 'xanax'
lang pt_BR describe DRUG_DOSAGE Mensagem é sobre preço por dose (price per dose)
lang pt_BR describe DRUG_ED_CAPS Menciona uma droga para disfunção erétil
lang pt_BR describe DRUG_ED_SILD Menciona o princípio ativo de uma droga para disfunção erétil
lang pt_BR describe DRUG_ED_GENERIC Menciona "Generic Viagra"
lang pt_BR describe DRUG_ED_ONLINE Contém "Fast Viagra Delivery"
lang pt_BR describe ONLINE_PHARMACY Contém "Online Pharmacy"
lang pt_BR describe NO_PRESCRIPTION Contém a frase "No prescription needed"
lang pt_BR describe VIA_GAP_GRA Tentativa de disfarçar a palavra 'viagra'
lang pt_BR describe DRUGS_ERECTILE Refere-se a uma droga para disfunção erétil
lang pt_BR describe DRUGS_ERECTILE_OBFU Referência ofuscada a uma droga para disfunção erétil
lang pt_BR describe DRUGS_DIET Refere-se a uma droga para dieta
lang pt_BR describe DRUGS_DIET_OBFU Referência ofuscada a uma droga para dieta
lang pt_BR describe DRUGS_MUSCLE Referência a um relaxante muscular
lang pt_BR describe DRUGS_ANXIETY Referência a uma droga para controle de ansiedade
lang pt_BR describe DRUGS_ANXIETY_OBFU Referência ofuscada a uma droga para controle de ansiedade
lang pt_BR describe DRUGS_SMEAR1 Duas ou mais drogas em uma palavra
lang pt_BR describe DRUGS_ANXIETY_EREC Refere-se a uma droga para disfunção erétil e outra para controle de ansiedade
lang pt_BR describe DRUGS_SLEEP_EREC Refere-se a uma droga para disfunção erétil e um calmante
lang pt_BR describe DRUGS_MANYKINDS Refere-se ao menos a quatro tipos de drogas diferentes
# 20_dynrdns.cf
lang pt_BR describe __RDNS_DYNAMIC_IPADDR Comando HELO enviado usando hostname suspeito (IP addr 1)
lang pt_BR describe __RDNS_DYNAMIC_DHCP Comando HELO enviado usando hostname suspeito (DHCP)
lang pt_BR describe __RDNS_DYNAMIC_HCC Comando HELO enviado usando hostname suspeito (HCC)
lang pt_BR describe __RDNS_DYNAMIC_ATTBI Comando HELO enviado usando hostname suspeito (ATTBI.com)
lang pt_BR describe __RDNS_DYNAMIC_ROGERS Comando HELO enviado usando hostname suspeito (Rogers)
lang pt_BR describe __RDNS_DYNAMIC_ADELPHIA Comando HELO enviado usando hostname suspeito (Adelphia)
lang pt_BR describe __RDNS_DYNAMIC_DIALIN Comando HELO enviado usando hostname suspeito (T-Dialin)
lang pt_BR describe __RDNS_DYNAMIC_HEXIP Comando HELO enviado usando hostname suspeito (Hex IP)
lang pt_BR describe __RDNS_DYNAMIC_SPLIT_IP Comando HELO enviado usando hostname suspeito (Split IP)
lang pt_BR describe __RDNS_DYNAMIC_YAHOOBB Comando HELO enviado usando hostname suspeito (YahooBB)
lang pt_BR describe __RDNS_DYNAMIC_OOL Comando HELO enviado usando hostname suspeito (OptOnline)
lang pt_BR describe __RDNS_DYNAMIC_RR2 Comando HELO enviado usando hostname suspeito (RR 2)
lang pt_BR describe __RDNS_DYNAMIC_COMCAST Comando HELO enviado usando hostname suspeito (Comcast)
lang pt_BR describe __RDNS_DYNAMIC_TELIA Comando HELO enviado usando hostname suspeito (Telia)
lang pt_BR describe __RDNS_DYNAMIC_VTR Comando HELO enviado usando hostname suspeito (VTR)
lang pt_BR describe __RDNS_DYNAMIC_CHELLO_NO Comando HELO enviado usando hostname suspeito (Chello.no)
lang pt_BR describe __RDNS_DYNAMIC_CHELLO_NL Comando HELO enviado usando hostname suspeito (Chello.nl)
lang pt_BR describe __RDNS_DYNAMIC_VELOX Comando HELO enviado usando hostname suspeito (Veloxzone)
lang pt_BR describe __RDNS_DYNAMIC_NTL Comando HELO enviado usando hostname suspeito (NTL)
lang pt_BR describe RDNS_DYNAMIC Entregue a uma rede interna por um host com rDNS que parece ser dinâmico
lang pt_BR describe RDNS_NONE Entregue a uma rede interna por um host sem rDNS
# 20_fake_helo_tests.cf
lang pt_BR describe HELO_STATIC_HOST Comando HELO enviado usando hostname estatico
#lang pt_BR describe FAKE_HELO_MAIL_COM_DOM Comando HELO enviado usando hostname suspeito (mail.com)
lang pt_BR describe HELO_DYNAMIC_IPADDR Comando HELO enviado usando hostname suspeito (IP addr 1)
lang pt_BR describe HELO_DYNAMIC_DHCP Comando HELO enviado usando hostname suspeito (DHCP)
lang pt_BR describe HELO_DYNAMIC_HCC Comando HELO enviado usando hostname suspeito (HCC)
lang pt_BR describe HELO_DYNAMIC_ROGERS Comando HELO enviado usando hostname suspeito (Rogers)
lang pt_BR describe HELO_DYNAMIC_DIALIN Comando HELO enviado usando hostname suspeito (T-Dialin)
lang pt_BR describe HELO_DYNAMIC_HEXIP Comando HELO enviado usando hostname suspeito (Hex IP)
lang pt_BR describe HELO_DYNAMIC_SPLIT_IP Comando HELO enviado usando hostname suspeito (Split IP)
lang pt_BR describe HELO_DYNAMIC_IPADDR2 Comando HELO enviado usando hostname suspeito (IP addr 2)
lang pt_BR describe HELO_DYNAMIC_CHELLO_NL Comando HELO enviado usando hostname suspeito (Chello.nl)
lang pt_BR describe HELO_DYNAMIC_HOME_NL Comando HELO enviado usando hostname suspeito (Home.nl)
# 20_freemail.cf
lang pt_BR describe FREEMAIL_REPLYTO Reply-To/From ou Reply-To/body usam diferentes emails gratuitos
lang pt_BR describe FREEMAIL_REPLY From e body contém diferentes emails gratuitos
lang pt_BR describe FREEMAIL_FROM Remetente utiliza um email gratuito
lang pt_BR describe FREEMAIL_ENVFROM_END_DIGIT Nome de usuário de email gratuito no Envelope-From termina em dígito
lang pt_BR describe FREEMAIL_REPLYTO_END_DIGIT Nome de usuário de email gratuito no Reply-To termina em dígito
lang pt_BR describe FREEMAIL_FORGED_REPLYTO Email gratuito usado no Reply-To, mas não no From:
# 20_head_tests.cf
lang pt_BR describe FRAGMENTED_MESSAGE Mensagem fragmentada
lang pt_BR describe FROM_BLANK_NAME From: contém um nome vazio
lang pt_BR describe FROM_STARTS_WITH_NUMS From: começa com muitos números
lang pt_BR describe FROM_OFFERS Endereço do From: contém "offers"
lang pt_BR describe FROM_NO_USER From: não tem nenhum nome de usuário antes do @
lang pt_BR describe PLING_QUERY Assunto contém exclamação e interrogação
lang pt_BR describe MSGID_SPAM_CAPS Message-Id conhecido como spam (caps variant)
lang pt_BR describe MSGID_SPAM_LETTERS Message-Id conhecido como spam (letters variant)
lang pt_BR describe MSGID_RANDY Message-Id tem padrão comum encontrado em spam
lang pt_BR describe MSGID_YAHOO_CAPS Message-ID possui MAIUSCULAS@yahoo.com
lang pt_BR describe FORGED_MSGID_AOL Message-ID é forjado (aol.com)
lang pt_BR describe FORGED_MSGID_EXCITE Message-ID é forjado (excite.com)
lang pt_BR describe FORGED_MSGID_HOTMAIL Message-ID é forjado (hotmail.com)
lang pt_BR describe FORGED_MSGID_MSN Message-ID é forjado (msn.com)
lang pt_BR describe FORGED_MSGID_YAHOO Message-ID é forjado (yahoo.com)
lang pt_BR describe MSGID_FROM_MTA_HEADER Message-Id foi adicionado por um relay
lang pt_BR describe MSGID_SHORT Message-ID é curto demais
lang pt_BR describe DATE_SPAMWARE_Y2K Data no cabeçalho usa formatação estranha
lang pt_BR describe INVALID_DATE Cabeçalho Date: é inválido (não segue a RFC 2822)
lang pt_BR describe INVALID_DATE_TZ_ABSURD Cabeçalho Date: é inválido (timezone não existe)
lang pt_BR describe INVALID_TZ_CST Data inválida no header (timezone CST incorreta)
lang pt_BR describe INVALID_TZ_EST Data inválida no header (timezone EST incorreta)
lang pt_BR describe FROM_EXCESS_BASE64 Endereço do From: está desnecessariamente codificado em base64
lang pt_BR describe ENGLISH_UCE_SUBJECT Assunto contém um texto comum de UCE (unsolicited commercial email) em inglês
lang pt_BR describe JAPANESE_UCE_SUBJECT Assunto contém um texto comum de UCE (unsolicited commercial email) em japonês
lang pt_BR describe JAPANESE_UCE_BODY Corpo da mensagem contém um texto comum de UCE (unsolicited commercial email) em japonês
lang pt_BR describe KOREAN_UCE_SUBJECT Assunto contém um texto comum de UCE (unsolicited commercial email) em coreano
lang pt_BR describe RCVD_DOUBLE_IP_SPAM Spam conhecido (double IP)
lang pt_BR describe RCVD_DOUBLE_IP_LOOSE "Received by" e "From" parecem ser endereços IP
lang pt_BR describe FORGED_TELESP_RCVD Contém um hostname forjado para um IP DSL do Brasil
lang pt_BR describe CONFIRMED_FORGED Cabeçalho Received é forjado
lang pt_BR describe MULTI_FORGED Cabeçalho Received contém várias entradas forjadas
lang pt_BR describe NONEXISTENT_CHARSET Codificação inexistente
lang pt_BR describe MISSING_MID Não possui header Message-Id
lang pt_BR describe MISSING_DATE Não possui header Date
lang pt_BR describe MISSING_SUBJECT Não possui header Subject
lang pt_BR describe GAPPY_SUBJECT Assunto contém T.e.x.t.o-E.s.t.r.a.n.h.o
lang pt_BR describe PREVENT_NONDELIVERY Mensagem possui cabeçaho Prevent-NonDelivery-Report
lang pt_BR describe X_IP Mensagem possui cabeçalho X-IP
lang pt_BR describe MISSING_MIMEOLE Mensagem possui X-MSMail-Priority mas não possui X-MimeOLE
lang pt_BR describe SUBJ_AS_SEEN Assunto contém "As Seen"
lang pt_BR describe SUBJ_DOLLARS Assunto começa com um valor em dólar
#lang pt_BR describe SUBJ_YOUR_DEBT Assunto contém "Your Bills" ou algo parecido
lang pt_BR describe SUBJ_YOUR_FAMILY Assunto contém "Your Family" ou algo parecido
lang pt_BR describe RCVD_FAKE_HELO_DOTCOM Cabeçalho Received contém um hostname de HELO falso
lang pt_BR describe SUBJECT_DIET Assunto fala sobre perda de peso
lang pt_BR describe MIME_BOUND_DD_DIGITS Padrão de spam conhecido em MIME boundary
lang pt_BR describe MIME_BOUND_DIGITS_15 Padrão de spam conhecido em MIME boundary
lang pt_BR describe MIME_BOUND_MANY_HEX Padrão de spam conhecido em MIME boundary
lang pt_BR describe FAKE_OUTBLAZE_RCVD Cabeçalho Received contém o hostname forjado 'mr.outblaze.com'
lang pt_BR describe TO_MALFORMED Cabeçalho To: possui um endereço malformado
lang pt_BR describe MIME_HEADER_CTYPE_ONLY 'Content-Type' encontrado mas não existe MIME headers necessários
lang pt_BR describe WITH_LC_SMTP Cabeçalho Received contém um indício de spam ("smtp" em caixa baixa)
lang pt_BR describe SUBJ_BUY Assunto começa com "Buy" ou "Buying"
lang pt_BR describe RCVD_AM_PM Cabeçalho Received forjado (AM/PM)
lang pt_BR describe UNCLOSED_BRACKET Cabeçalho contém um colchete aberto que não foi fechado
lang pt_BR describe FROM_DOMAIN_NOVOWEL Domínio do From: contém uma série de consoantes
lang pt_BR describe FROM_LOCAL_NOVOWEL Usuário do From: contém uma série de consoantes
lang pt_BR describe FROM_LOCAL_HEX Usuário do From: contém uma longa sequencia de hexadecimais
lang pt_BR describe FROM_LOCAL_DIGITS Usuário do From: contém uma longa sequencia de hexadecimais
lang pt_BR describe X_PRIORITY_CC Cabeçalho "Cc:" posicionado depois de "X-Priority:" (spam conhecido)
lang pt_BR describe BAD_ENC_HEADER Mensagem possui MIME encoding incorreto
lang pt_BR describe __VIA_ML Email de uma mailing list
lang pt_BR describe RCVD_ILLEGAL_IP Cabeçalho "Received:" contém endereço IP ilegal
lang pt_BR describe CHARSET_FARAWAY_HEADER Charset estrangeiro utilizado no header
lang pt_BR describe SUBJ_ILLEGAL_CHARS Assunto possui muitos caracteres ilegais
lang pt_BR describe FROM_ILLEGAL_CHARS "From:" possui muitos caracteres ilegais
lang pt_BR describe HEAD_ILLEGAL_CHARS Cabeçalho possui muitos caracteres ilegais
lang pt_BR describe FORGED_HOTMAIL_RCVD2 Endereço do From é do hotmail.com, mas não hotmail.com no 'Received:'
lang pt_BR describe FORGED_YAHOO_RCVD Endereço do From é do yahoo.com, mas não yahoo.com no 'Received:'
lang pt_BR describe SORTED_RECIPS Lista de destinatários está ordenada alfabeticamente
lang pt_BR describe SUSPICIOUS_RECIPS Lista de destinatários possui endereços semelhantes
lang pt_BR describe MISSING_HEADERS Não possui o cabeçalho To:
lang pt_BR describe DATE_IN_PAST_03_06 Date: é 3 a 6 horas antes da data do Received:
lang pt_BR describe DATE_IN_PAST_06_12 Date: é 6 a 12 horas antes da data Received:
lang pt_BR describe DATE_IN_PAST_12_24 Date: é 12 a 24 horas antes da data do Received:
lang pt_BR describe DATE_IN_PAST_24_48 Date: é 24 a 48 horas antes da data do Received:
lang pt_BR describe DATE_IN_PAST_96_XX Date: é 96 horas ou mais antes da data do Received:
lang pt_BR describe DATE_IN_FUTURE_03_06 Date: é 3 a 6 horas depois do Received:
lang pt_BR describe DATE_IN_FUTURE_06_12 Date: é 6 a 12 horas depois do Received:
lang pt_BR describe DATE_IN_FUTURE_12_24 Date: é 12 a 24 horas depois do Received:
lang pt_BR describe DATE_IN_FUTURE_24_48 Date: é 24 a 48 horas depois do Received:
lang pt_BR describe DATE_IN_FUTURE_48_96 Date: é 48 a 96 horas depois do Received:
lang pt_BR describe DATE_IN_FUTURE_96_XX Date: é 96 horas ou mais depois do Received:
lang pt_BR describe UNRESOLVED_TEMPLATE Cabeçalho contém um template não substituído
lang pt_BR describe SUBJ_ALL_CAPS Assunto é composto apenas por letras maiúsculas
lang pt_BR describe LOCALPART_IN_SUBJECT Destinatário do email aparece no assunto da mensagem
lang pt_BR describe MSGID_OUTLOOK_INVALID Message-Id é falso (no formato do Outlook Express)
lang pt_BR describe HEADER_COUNT_CTYPE Vários cabeçalhos Content-Type foram encontrados
lang pt_BR describe HEAD_LONG Cabeçalhos da mensagem são muito longos
lang pt_BR describe MISSING_HB_SEP Não uma linha separando o cabeçalho do corpo da mensagem
lang pt_BR describe UNPARSEABLE_RELAY Info: mensagem possui dados de relay que não puderam ser lidos
lang pt_BR describe RCVD_HELO_IP_MISMATCH HELO e IP no "Received:" não conferem
lang pt_BR describe NO_RDNS_DOTCOM_HELO Comando HELO enviado como um provedor confiável, mas não possui rDNS
# 20_html_tests.cf
lang pt_BR describe HTML_SHORT_LINK_IMG_1 O código HTML é muito pequeno, com uma imagem com link
lang pt_BR describe HTML_SHORT_LINK_IMG_2 O código HTML é muito pequeno, com uma imagem com link
lang pt_BR describe HTML_SHORT_LINK_IMG_3 O código HTML é muito pequeno, com uma imagem com link
lang pt_BR describe HTML_SHORT_CENTER O código HTML é muito curto e usa uma tag center.
lang pt_BR describe HTML_CHARSET_FARAWAY Um idioma estrangeiro foi declarado no charset do HTML
lang pt_BR describe HTML_MIME_NO_HTML_TAG A mensagem é em HTML, mas não uma tag HTML
lang pt_BR describe HTML_MISSING_CTYPE A mensagem é em HTML mas não tem a declaração HTML Content-Type
lang pt_BR describe HIDE_WIN_STATUS Uso de Javascript para ocultar as URLS no navegador
lang pt_BR describe OBFUSCATING_COMMENT HTML possui comentários com texto suspeito
lang pt_BR describe JS_FROMCHARCODE Documento construído a partir de um array em Javascript
lang pt_BR describe HTML_MESSAGE HTML incluso na mensagem
lang pt_BR describe HTML_COMMENT_SHORT O comentário no HTML é muito curto
lang pt_BR describe HTML_COMMENT_SAVED_URL O HTML da mensagem foi salvo de uma página da web
lang pt_BR describe HTML_EMBEDS O HTML possui um objeto plugin incorporado
lang pt_BR describe HTML_EXTRA_CLOSE HTML contém muitas tags fechadas (que não foram abertas)
lang pt_BR describe HTML_FONT_SIZE_LARGE O HTML contém fonte de tamanho grande
lang pt_BR describe HTML_FONT_SIZE_HUGE O HTML contém fonte de tamanho muito grande
lang pt_BR describe HTML_FONT_LOW_CONTRAST textos com cores similares à cor de fundo
lang pt_BR describe HTML_FONT_FACE_BAD font face não é uma expressão
lang pt_BR describe HTML_FORMACTION_MAILTO O HTML contém um formulário que envia email
lang pt_BR describe HTML_IMAGE_ONLY_04 HTML: Código HTML possui entre 0-400 caracteres
lang pt_BR describe HTML_IMAGE_ONLY_08 HTML: Código HTML possui entre 400-800 caracteres
lang pt_BR describe HTML_IMAGE_ONLY_12 HTML: Código HTML possui entre 800-1200 caracteres
lang pt_BR describe HTML_IMAGE_ONLY_16 HTML: Código HTML possui entre 1200-1600 caracteres
lang pt_BR describe HTML_IMAGE_ONLY_20 HTML: Código HTML possui entre 1600-2000 caracteres
lang pt_BR describe HTML_IMAGE_ONLY_24 HTML: Código HTML possui entre 2000-2400 caracteres
lang pt_BR describe HTML_IMAGE_ONLY_28 HTML: Código HTML possui entre 2400-2800 caracteres
lang pt_BR describe HTML_IMAGE_ONLY_32 HTML: Código HTML possui entre 2800-320000 caracteres
lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens
lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens
lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens
lang pt_BR describe HTML_IMAGE_RATIO_02 O HTML tem pouco texto em relação às imagens
lang pt_BR describe HTML_OBFUSCATE_05_10 HTML possui de 5% a 10% de tags vazias ou desnecessárias
lang pt_BR describe HTML_OBFUSCATE_10_20 HTML possui de 10% a 20% de tags vazias ou desnecessárias
lang pt_BR describe HTML_OBFUSCATE_20_30 HTML possui de 20% a 30% de tags vazias ou desnecessárias
lang pt_BR describe HTML_OBFUSCATE_30_40 HTML possui de 30% a 40% de tags vazias ou desnecessárias
lang pt_BR describe HTML_OBFUSCATE_50_60 HTML possui de 50% a 60% de tags vazias ou desnecessárias
lang pt_BR describe HTML_OBFUSCATE_70_80 HTML possui de 70% a 80% de tags vazias ou desnecessárias
lang pt_BR describe HTML_TAG_BALANCE_BODY HTML possui uma tag "body" que não foi aberta ou fechada
lang pt_BR describe HTML_TAG_BALANCE_HEAD HTML possui uma tag "head" que não foi aberta ou fechada
lang pt_BR describe HTML_TAG_EXIST_BGSOUND O HTML contém uma tag "bgsound"
lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 40% a 50% de tags inválidas
lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 50% a 60% de tags inválidas
lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 60% a 70% de tags inválidas
lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui de 90% a 100% de tags inválidas
lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 30% a 40% de elementos fora dos padrões
lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 40% a 50% de elementos fora dos padrões
lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 60% a 70% de elementos fora dos padrões
lang pt_BR describe HTML_NONELEMENT_30_40 O HTML usa de 80% a 90% de elementos fora dos padrões
lang pt_BR describe HTML_BADTAG_40_50 HTML da mensagem possui tah IFRAME com URL no src
# 20_imageinfo.cf
lang pt_BR describe __DC_IMG_HTML_RATIO Low rawbody to pixel area ratio
lang pt_BR describe __DC_IMG_TEXT_RATIO Low body to pixel area ratio
lang pt_BR describe DC_GIF_UNO_LARGO Message contains a single large inline gif
lang pt_BR describe __DC_GIF_MULTI_LARGO Message has 2+ inline gif covering lots of area
lang pt_BR describe DC_PNG_UNO_LARGO Message contains a single large inline gif
lang pt_BR describe __DC_PNG_MULTI_LARGO Message has 2+ inline png covering lots of area
lang pt_BR describe DC_IMAGE_SPAM_TEXT Possible Image-only spam with little text
lang pt_BR describe DC_IMAGE_SPAM_HTML Possible Image-only spam
# 20_meta_tests.cf
lang pt_BR describe UPPERCASE_50_75 Mensagem possui de 50% a 75% de textos em caixa alta.
lang pt_BR describe UPPERCASE_75_100 Mensagem possui de 75% a 100% de textos em caixa alta.
lang pt_BR describe INVALID_MSGID Message-ID inválido, de acordo com a RFC-2822
lang pt_BR describe FORGED_MUA_MOZILLA Email forjado, tentando se passar como da Mozilla
lang pt_BR describe PERCENT_RANDOM Mensagem contém uma macro randômica
lang pt_BR describe EMPTY_MESSAGE Mensagem parece não conter texto no conteúdo e no Assunto.
lang pt_BR describe NO_HEADERS_MESSAGE Mensagem parece não conter grande parte dos cabeçalhos RFC-822
# 20_net_tests.cf
lang pt_BR describe DIGEST_MULTIPLE Remetente está listado em mais de uma blacklist
lang pt_BR describe NO_DNS_FOR_FROM Remetente não possui registros MX ou A no DNS
# 20_phrases.cf
lang pt_BR describe REMOVE_BEFORE_LINK Frase indicando remoção de email de lista logo antes de um link
lang pt_BR describe GUARANTEED_100_PERCENT Contém "One hundred percent guaranteed"
lang pt_BR describe DEAR_FRIEND Contém "Dear Friend"
lang pt_BR describe DEAR_SOMETHING Contém 'Dear (alguma coisa)'
lang pt_BR describe BILLION_DOLLARS Fala sobre muito dinheiro
lang pt_BR describe EXCUSE_4 Afirma que você pode ser removido da lista se quiser
lang pt_BR describe EXCUSE_24 Afirma que você queria receber essa propaganda
lang pt_BR describe EXCUSE_REMOVE Informa como você pode ser removido da lista
lang pt_BR describe STRONG_BUY Contém "strong buy"
lang pt_BR describe STOCK_ALERT Contém um alerta sobre ações (stock)
lang pt_BR describe NOT_ADVISOR Contém "Not registered investment advisor"
lang pt_BR describe PREST_NON_ACCREDITED Contém "Prestigious Non-Accredited Universities"
lang pt_BR describe BODY_ENHANCEMENT Informação sobre como aumentar partes do corpo
lang pt_BR describe BODY_ENHANCEMENT2 Informação sobre como aumentar partes do corpo
lang pt_BR describe IMPOTENCE Fala sobre cura da impotência
#lang pt_BR describe NA_DOLLARS Fala sobre milhões de dólares norte americanos ou canadenses
#lang pt_BR describe US_DOLLARS_3 Contém $($NN,NNN,NNN.NN)
#lang pt_BR describe MILLION_USD Fala sobre milhões de dólares
lang pt_BR describe URG_BIZ Contém: "urgent matter"
lang pt_BR describe MONEY_BACK Contém: "Money back guarantee"
lang pt_BR describe FREE_QUOTE_INSTANT Contém: "Free express or no-obligation quote"
lang pt_BR describe BAD_CREDIT Contém: "Eliminate Bad Credit"
lang pt_BR describe REFINANCE_YOUR_HOME Contém: "Home refinancing"
lang pt_BR describe REFINANCE_NOW Contém: "Home refinancing"
lang pt_BR describe NO_MEDICAL Contém: "No Medical Exams"
lang pt_BR describe DIET_1 Spam de perda de peso
lang pt_BR describe FIN_FREE Contém: "Freedom of a financial nature"
lang pt_BR describe FORWARD_LOOKING Possui informações sobre o mercado de ações
lang pt_BR describe ONE_TIME Contém: "One Time (alguma coisa)"
lang pt_BR describe JOIN_MILLIONS Contém: "Join Millions of Americans"
lang pt_BR describe MARKETING_PARTNERS Afirma que você se cadastrou com um parceiro
lang pt_BR describe LOW_PRICE Contém: "Lowest Price"
lang pt_BR describe UNCLAIMED_MONEY Spam sobre dinheiro que pode ser seu
lang pt_BR describe OBSCURED_EMAIL Mensagem tenta esconder um endereço de email com codificação ROT13
lang pt_BR describe BANG_OPRAH Contém: "Oprah!"
lang pt_BR describe ACT_NOW_CAPS Contém: "Act Now"
lang pt_BR describe MORE_SEX Fala sobre um maior desejo por sexo
lang pt_BR describe BANG_GUAR Spam sobre "alguma coisa" garantida ("guaranteed!")
lang pt_BR describe RUDE_HTML Mensagem diz que seu cliente de email não suporta HTML
lang pt_BR describe INVESTMENT_ADVICE Mensagem possui "conselhos" sobre investimentos
lang pt_BR describe MALE_ENHANCE Mensagem fala sobre melhorar a masculinidade
lang pt_BR describe PRICES_ARE_AFFORDABLE Mensagem diz que os preços são baixos
lang pt_BR describe REPLICA_WATCH Mensagem fala sobre réplicas de relógio
lang pt_BR describe EM_ROLEX Mensagem põe ênfase no fabricante do relógio
# 20_porn.cf
lang pt_BR describe FREE_PORN Pornografia - mensagem contém "Free Porn"
lang pt_BR describe CUM_SHOT Pornografia - mensagem contém "Cum Shot"
lang pt_BR describe LIVE_PORN Pornografia - mensagem contém "Live Porn"
lang pt_BR describe SUBJECT_SEXUAL Assunto indica conteúdo sexualmente-explícito
# 20_ratware.cf
lang pt_BR describe RATWARE_EGROUPS Detectado como email em massa conhecido (eGroups)
lang pt_BR describe RATWARE_OE_MALFORMED X-Mailer mal-formado tentando indicar uma versão do Outlook Express
lang pt_BR describe RATWARE_MOZ_MALFORMED Detectado como email em massa conhecido (Mozilla malformed)
lang pt_BR describe RATWARE_MPOP_WEBMAIL Detectado como email em massa conhecido (mPOP Web-Mail)
lang pt_BR describe FORGED_MUA_IMS Email Email fingindo ser enviado pelo IMS
lang pt_BR describe FORGED_MUA_OUTLOOK Email fingindo ser enviado pelo MS Outlook
lang pt_BR describe FORGED_MUA_OIMO Email fingindo ser enviado pelo MS Outlook IMO
lang pt_BR describe FORGED_MUA_EUDORA Email fingindo ser enviado pelo Eudora
lang pt_BR describe FORGED_MUA_THEBAT_CS Email fingindo ser enviado pelo The Bat! (charset)
lang pt_BR describe FORGED_MUA_THEBAT_BOUN Email fingindo ser enviado pelo The Bat! (boundary)
lang pt_BR describe FORGED_OUTLOOK_HTML Outlook não consegue enviar mensagens apenas HTML
lang pt_BR describe FORGED_IMS_HTML IMS não consegue enviar mensagens apenas HTML
lang pt_BR describe FORGED_THEBAT_HTML The Bat! não consegue enviar mensagens apenas HTML
lang pt_BR describe REPTO_QUOTE_AOL AOL não usa o formato de citação usado no email
lang pt_BR describe REPTO_QUOTE_IMS IMS não usa o formato de citação usado no email
lang pt_BR describe REPTO_QUOTE_MSN MSN não usa o formato de citação usado no email
lang pt_BR describe REPTO_QUOTE_QUALCOMM Qualcomm/Eudora não usa o formato de citação usado no email
lang pt_BR describe REPTO_QUOTE_YAHOO Yahoo! não usa o formato de citação usado no email
lang pt_BR describe FORGED_QUALCOMM_TAGS QUALCOMM não consegue enviar emails HTML neste formato
lang pt_BR describe FORGED_IMS_TAGS IMS não consegue enviar emails HTML neste formato
lang pt_BR describe FORGED_OUTLOOK_TAGS Outlook não consegue enviar emails HTML neste formato
lang pt_BR describe RATWARE_HASH_DASH Contém hashbuster no formato Sender-Safe
lang pt_BR describe RATWARE_ZERO_TZ Detectado como email em massa conhecido (+0000)
lang pt_BR describe X_MESSAGE_INFO Detectado como email em massa conhecido (X-Message-Info)
lang pt_BR describe HEADER_SPAM Detectado como email em massa conhecido (header-based)
lang pt_BR describe RATWARE_RCVD_PF Detectado como email em massa conhecido (Received PF)
lang pt_BR describe RATWARE_RCVD_AT Detectado como email em massa conhecido (Received @)
lang pt_BR describe RATWARE_OUTLOOK_NONAME Detectado como email em massa conhecido (Outlook no name)
lang pt_BR describe RATWARE_MS_HASH Detectado como email em massa conhecido (msgid ms hash)
lang pt_BR describe RATWARE_NAME_ID Detectado como email em massa conhecido (msgid from)
lang pt_BR describe RATWARE_EFROM Detectado como email em massa conhecido (envfrom)
# 20_uri_tests.cf
lang pt_BR describe NUMERIC_HTTP_ADDR Utiliza um endereço em número IP na URL
lang pt_BR describe HTTP_ESCAPED_HOST Usa %-escapes no hostname de uma URL
lang pt_BR describe HTTP_EXCESSIVE_ESCAPES Usa %-escapes desnecessários dentro de uma URL
lang pt_BR describe WEIRD_PORT Usa um número de porta não padrão para o HTTP
lang pt_BR describe YAHOO_RD_REDIR Possui URI de Redirecionamento do Yahoo
lang pt_BR describe YAHOO_DRS_REDIR Possui URI de Redirecionamento do Yahoo
lang pt_BR describe SPOOF_COM2OTH URI contém ".com" no meio
lang pt_BR describe SPOOF_COM2COM URI contém ".com" no meio e no fim
lang pt_BR describe SPOOF_NET2COM URI contém ".net" ou ".org" e depois ".com"
lang pt_BR describe URI_HEX Hostname apresenta uma longa seqüência hexadecimal
lang pt_BR describe URI_NOVOWEL Hostname da URI contém uma longa seqüência sem vogal
lang pt_BR describe URI_UNSUBSCRIBE Contém link suspeito de opt-out
lang pt_BR describe IP_LINK_PLUS Endereço IP seguido de arquivo CGI
lang pt_BR describe NORMAL_HTTP_TO_IP Usa um endereço IP na URL
lang pt_BR describe URI_NO_WWW_INFO_CGI Domínio .info possui string suspeita ao invés de "www"
lang pt_BR describe URI_NO_WWW_BIZ_CGI Domínio .biz possui string suspeita ao invés de "www"
lang pt_BR describe HTTP_77 Contém uma URL codificada (URL-encoded) (HTTP77)
# 20_vbounce.cf
lang pt_BR describe BOUNCE_MESSAGE Mensagem de bounce do MTA
lang pt_BR describe CHALLENGE_RESPONSE Mensagem Tira-Teima de um email que você enviou
lang pt_BR describe CRBOUNCE_MESSAGE Bounce de mensagem Tira-Teima
lang pt_BR describe VBOUNCE_MESSAGE Bounce de mensagem de antivirus
lang pt_BR describe ANY_BOUNCE_MESSAGE Mensagem é um bounce de algum email
# 23_bayes.cf
ifplugin Mail::SpamAssassin::Plugin::Bayes
lang pt_BR describe BAYES_00 Probabilidade de ser spam entre 0 to 1%
lang pt_BR describe BAYES_05 Probabilidade de ser spam entre 1 to 5%
lang pt_BR describe BAYES_20 Probabilidade de ser spam entre 5 to 20%
lang pt_BR describe BAYES_40 Probabilidade de ser spam entre 20 to 40%
lang pt_BR describe BAYES_50 Probabilidade de ser spam entre 40 to 60%
lang pt_BR describe BAYES_60 Probabilidade de ser spam entre 60 to 80%
lang pt_BR describe BAYES_80 Probabilidade de ser spam entre 80 to 95%
lang pt_BR describe BAYES_95 Probabilidade de ser spam entre 95 to 99%
lang pt_BR describe BAYES_99 Probabilidade de ser spam entre 99 to 100%
lang pt_BR describe BAYES_999 Probabilidade de ser spam entre 99.9 to 100%
endif
#
# 25_accessdb.cf
ifplugin Mail::SpamAssassin::Plugin::AccessDB
lang pt_BR describe ACCESSDB Mensagem teria sido pega pela accessdb
endif
# 25_antivirus.c
ifplugin Mail::SpamAssassin::Plugin::AntiVirus
lang pt_BR describe MICROSOFT_EXECUTABLE Mensagem contém um programa executável Microsoft
lang pt_BR describe MIME_SUSPECT_NAME Extensão do arquivo não corresponde ao seu conteúdo
endif
# 25_dcc.cf
ifplugin Mail::SpamAssassin::Plugin::DCC
lang pt_BR describe DCC_CHECK Classificado como email em massa pelo DCC (dcc-servers.net)
lang pt_BR describe DCC_REPUT_00_12 Reputação no DCC entre 0 e 12 % (maioria não-spam)
lang pt_BR describe DCC_REPUT_70_89 Reputação no DCC entre 70 and 89 %
lang pt_BR describe DCC_REPUT_90_94 Reputação no DCC entre 90 and 94 %
lang pt_BR describe DCC_REPUT_95_98 Reputação no DCC entre 95 and 98 % (maioria de spam)
lang pt_BR describe DCC_REPUT_99_100 Reputação no DCC entre 99 % ou mais (definitamente spam)
endif
# 25_dkim.cf
lang pt_BR describe DKIM_SIGNED Mensagem possui uma assinatura DKIM ou DK não necessariamente válida
lang pt_BR describe DKIM_VALID Mensagem possui ao menos uma assinatura DKIM ou DK válida
lang pt_BR describe DKIM_VALID_AU Mensagem possui uma assinatura DKIM ou DK válida do domínio do autor da mensagem
lang pt_BR describe __DKIM_DEPENDABLE Falha na validação DKIM
lang pt_BR describe DKIM_ADSP_NXDOMAIN Nenhuma assinatura válida e o domínio não consta no DNS
lang pt_BR describe DKIM_ADSP_DISCARD Nenhuma assinatura válida do autor da mensagem e o domínio assina todos os emails e sugere descartar o resto
lang pt_BR describe DKIM_ADSP_ALL Nenhuma assinatura válida do autor da mensagem e o domínio assina todos os emails
lang pt_BR describe DKIM_ADSP_CUSTOM_LOW Nenhuma assinatura válida do autor da mensagem. adsp_override = CUSTOM_LOW
lang pt_BR describe DKIM_ADSP_CUSTOM_MED Nenhuma assinatura válida do autor da mensagem. adsp_override = CUSTOM_MED
lang pt_BR describe DKIM_ADSP_CUSTOM_HIGH Nenhuma assinatura válida do autor da mensagem. adsp_override = CUSTOM_HIGH
lang pt_BR describe __VIA_RESIGNER Email passou por um Mail through a popular signing remailer
lang pt_BR describe NML_ADSP_CUSTOM_LOW ADSP custom_low foi atingida, e não foi de uma mailing list
lang pt_BR describe NML_ADSP_CUSTOM_MED ADSP custom_med foi atingida, e não foi de uma mailing list
lang pt_BR describe NML_ADSP_CUSTOM_HIGH ADSP custom_high foi atingida, e não foi de uma mailing list
# 25_pyzor.cf
lang pt_BR describe PYZOR_CHECK Listado na Pyzor (https://pyzor.readthedocs.io/en/latest/)
# 25_razor2.cf
lang pt_BR describe RAZOR2_CHECK Listado na Razor2 (http://razor.sf.net/)
lang pt_BR describe RAZOR2_CF_RANGE_51_100 Nível de confiança na Razor2 acima de 50%
# 25_replace.cf
lang pt_BR describe SUBJECT_FUZZY_MEDS Tentativa de esconder palavras no Subject:
lang pt_BR describe SUBJECT_FUZZY_VPILL Tentativa de esconder palavras no Subject:
lang pt_BR describe SUBJECT_FUZZY_CHEAP Tentativa de esconder palavras no Subject:
lang pt_BR describe SUBJECT_FUZZY_PENIS Tentativa de esconder palavras no Subject:
lang pt_BR describe SUBJECT_FUZZY_TION Tentativa de esconder palavras no Subject:
lang pt_BR describe FUZZY_AFFORDABLE Tentativa de esconder palavras na mensagem
#lang pt_BR describe FUZZY_AMBIEN Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_BILLION Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_CPILL Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_CREDIT Tentativa de esconder palavras na mensagem
#lang pt_BR describe FUZZY_ERECT Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_GUARANTEE Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_MEDICATION Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_MILLION Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_MONEY Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_MORTGAGE Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_OBLIGATION Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_OFFERS Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_PHARMACY Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_PHENT Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_PRESCRIPT Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_PRICES Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_REFINANCE Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_REMOVE Tentativa de esconder palavras na mensagem
#lang pt_BR describe FUZZY_ROLEX Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_SOFTWARE Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_THOUSANDS Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_VLIUM Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_VIOXX Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_VPILL Tentativa de esconder palavras na mensagem
lang pt_BR describe FUZZY_XPILL Tentativa de esconder palavras na mensagem
# 25_spf.cf
lang pt_BR describe SPF_PASS SPF: Remetente é válido de acordo com registro SPF
lang pt_BR describe SPF_NEUTRAL SPF: Remetente não confere com registro SPF (neutral)
lang pt_BR describe SPF_FAIL SPF: Remetente não confere com registro SPF (fail)
lang pt_BR describe SPF_SOFTFAIL SPF: Remetente não confere com registro SPF (softfail)
lang pt_BR describe SPF_HELO_PASS SPF: HELO confere com registro SPF
lang pt_BR describe SPF_HELO_NEUTRAL SPF: HELO não confere com registro SPF (neutral)
lang pt_BR describe SPF_HELO_FAIL SPF: HELO não confere com registro SPF (fail)
lang pt_BR describe SPF_HELO_SOFTFAIL SPF: HELO não confere com registro SPF (softfail)
# 25_textcat.cf
ifplugin Mail::SpamAssassin::Plugin::TextCat
lang pt_BR describe UNWANTED_LANGUAGE_BODY Mensagem está escrita em um idioma indesejado
lang pt_BR describe BODY_8BITS Body contém 8 caracteres de 8-bit consecutivos
endif
# 25_uribl.cf
lang pt_BR describe URIBL_SBL Contém uma URL listada na blacklist SBL
lang pt_BR describe URIBL_DBL_SPAM Contém uma URL listada na blacklist DBL blocklist
lang pt_BR describe URIBL_DBL_ERROR Erro: Consultou a DBL por um IP
#lang pt_BR describe URIBL_SC_SURBL Contém uma URL listada na blacklist SC SURBL - removed bug 7279
lang pt_BR describe URIBL_WS_SURBL Contém uma URL listada na blacklist WS SURBL
lang pt_BR describe URIBL_PH_SURBL Contém uma URL listada na blacklist PH SURBL
#lang pt_BR describe URIBL_OB_SURBL Contém uma URL listada na blacklist OB SURBL - REMOVED BUG 6853
#lang pt_BR describe URIBL_AB_SURBL Contém uma URL listada na blacklist AB SURBL - removed bug 7279
#Changed from JP to ABUSE per bug 7279
lang pt_BR describe URIBL_ABUSE_SURBL Contém uma URL listada na blacklist ABUSE SURBL
lang pt_BR describe URIBL_BLACK Contém uma URL listada na blacklist URIBL
lang pt_BR describe URIBL_GREY Contém uma URL listada na greylist URIBL
lang pt_BR describe URIBL_RED Contém uma URL listada na redlist URIBL
# 60_shortcircuit.cf
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
lang pt_BR describe SHORTCIRCUIT Nem todas as regras foram executadas por causa de um problema em uma delas
endif
# 60_whitelist_dkim.cf
lang pt_BR describe USER_IN_DKIM_WHITELIST Endereço do From: está na whitelist de DKIM do usuário
lang pt_BR describe USER_IN_DEF_DKIM_WL Endereço do From: está na whitelist de DKIM padrão
# 60_whitelist_spf.cf
lang pt_BR describe USER_IN_SPF_WHITELIST Endereço do From: está na whitelist de SPF do usuário
lang pt_BR describe USER_IN_DEF_SPF_WL Endereço do From: está na whitelist de SPF padrão
lang pt_BR describe ENV_AND_HDR_SPF_MATCH Endereço do From: confere com Envelope From e está na whitelist de SPF
# 60_whitelist_subject.cf
lang pt_BR describe SUBJECT_IN_WHITELIST Assunto contém palavra que está na whitelist do usuário
lang pt_BR describe SUBJECT_IN_BLACKLIST Assunto contém palavra que está na blacklist do usuário

997
sa-updates/50_scores.cf Normal file
View File

@ -0,0 +1,997 @@
# SpamAssassin score file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Default scores. Note that if a test is named in the files, but a score is
# not assigned here, the default score will be set to 1.
# The following block of scores were generated using the mass-checking
# scripts, and a perceptron to determine the optimum scores which
# resulted in minimum false positives or negatives. The scores are
# weighted to produce roughly 1 false positive in 2500 non-spam messages
# using the default threshold of 5.0.
# Start of generated scores. <gen:mutable>
score ACT_NOW_CAPS 0.1
#score ADVANCE_FEE_2 2.314 2.294 1.198 1.053
#score ADVANCE_FEE_3 2.686 1.898 3.505 3.817
#score ADVANCE_FEE_4 0.001 0.001 0.001 0.271
score ALL_TRUSTED -1.000
score APOSTROPHE_FROM 0.148 0.786 0.651 0.545 # n=2
score BAD_CREDIT 0.1
score BANG_GUAR 1.0
score BANG_OPRAH 0 # n=0 n=1 n=2 n=3
score BANKING_LAWS 2.399 2.004 2.157 1.099 # n=2
score BILLION_DOLLARS 0.001 1.451 1.229 1.638
score BODY_ENHANCEMENT 0.927 1.611 0.974 0.001
score BODY_ENHANCEMENT2 0.1
score BUG6152_INVALID_DATE_TZ_ABSURD 0.1
score CONFIRMED_FORGED 0 # n=0 n=1 n=2 n=3
score CORRUPT_FROM_LINE_IN_HDRS 0 # n=0 n=1 n=2 n=3
score CTYPE_001C_A 0 # n=0 n=1 n=2 n=3
score CTYPE_001C_B 0.001 0.001 0.001 0.001 # n=1
score CUM_SHOT 0 # n=0 n=1 n=2 n=3
score CURR_PRICE 0.001 # n=0 n=1 n=2 n=3
score DATE_SPAMWARE_Y2K 0 # n=0 n=1 n=2 n=3
score DEAR_FRIEND 2.683 2.604 1.801 2.577
score DEAR_SOMETHING 1.999 1.731 1.787 1.973
score DEAR_WINNER 3.099 3.099 2.309 3.099 # n=2
score DIET_1 0.714 0.000 0.399 0.001
score DIGEST_MULTIPLE 0 0.001 0 0.293 # n=0 n=2
score DOS_ANAL_SPAM_MAILER 0 # n=0 n=1 n=2
score DOS_FIX_MY_URI 0 # n=0 n=1 n=2 n=3
score DOS_HIGH_BAT_TO_MX 0 # n=0 n=1 n=2
score DOS_LET_GO_JOB 0 # n=0 n=1 n=2 n=3
score DOS_OE_TO_MX 2.602 3.086 2.265 2.523
score DOS_OE_TO_MX_IMAGE 2.886 1.886 2.425 3.699
score DOS_OUTLOOK_TO_MX 2.636 1.449 1.737 2.845
score DOS_RCVD_IP_TWICE_C 2.599 2.060 3.292 0.096
score DOS_STOCK_BAT 0.001 # n=0 n=1 n=2 n=3
score DOS_STOCK_BAT2 0 # n=0 n=1 n=2 n=3
score DOS_URI_ASTERISK 0 # n=0 n=1 n=2 n=3
score DOS_YOUR_PLACE 0 # n=0 n=1 n=2 n=3
score DRUGS_ANXIETY 0.1
score DRUGS_ANXIETY_EREC 0 # n=0 n=1 n=2 n=3
score DRUGS_ANXIETY_OBFU 0 # n=0 n=1 n=2 n=3
score DRUGS_DIET 2.660 0.757 1.831 0.337
score DRUGS_DIET_OBFU 0 # n=0 n=1 n=2 n=3
score DRUGS_ERECTILE 1.778 2.221 1.299 1.994
score DRUGS_ERECTILE_OBFU 1.324 1.309 2.935 1.109
score DRUGS_HDIA 0 # n=0 n=1 n=2 n=3
score DRUGS_MANYKINDS 2.001 1.473 0.841 0.342
score DRUGS_MUSCLE 0.001 2.499 0.392 0.164
score DRUGS_SLEEP_EREC 0 # n=0 n=1 n=2 n=3
score DRUGS_SMEAR1 3.300 2.051 3.148 0.235 # n=0
score DRUGS_STOCK_MIMEOLE 2.699 1.681 2.478 1.321 # n=2
score DRUG_DOSAGE 0 # n=0 n=1 n=2 n=3
score DRUG_ED_CAPS 2.799 1.023 2.516 0.936
score DRUG_ED_GENERIC 0 # n=0 n=1 n=2 n=3
score DRUG_ED_ONLINE 0.696 1.152 1.221 0.608 # n=0
score DRUG_ED_SILD 0.001
score DYN_RDNS_AND_INLINE_IMAGE 1.345 1.344 1.434 1.168 # n=2
score DYN_RDNS_SHORT_HELO_HTML 0.001 0.001 0.000 0.001 # n=2
score DYN_RDNS_SHORT_HELO_IMAGE 1.825 2.516 2.285 1.013 # n=2
score EMAIL_ROT13 0 # n=0 n=1 n=2 n=3
score EMPTY_MESSAGE 2.195 2.344 1.552 2.320
score EM_ROLEX 0.595 1.309 2.068 0.618 # n=0
score ENGLISH_UCE_SUBJECT 0.953 1.542 2.569 2.899 # n=0
score EXCUSE_4 2.399 1.687 2.399 1.325
score EXCUSE_REMOVE 2.907 2.992 3.299 3.299
#score FAKE_HELO_MAIL_COM_DOM 1.887 0.152 1.370 2.136
score FAKE_OUTBLAZE_RCVD 0 # n=0 n=1 n=2 n=3
score FAKE_REPLY_C 0.688 0.001 2.553 1.486 # n=2
score FILL_THIS_FORM_FRAUD_PHISH 1.195 0.396 0.615 0.334
score FILL_THIS_FORM_LOAN 2.092 2.237 1.836 2.880
score FILL_THIS_FORM_LONG 3.800 3.476 2.300 3.404
score FIN_FREE 0.1
score FORGED_IMS_HTML 0 # n=0 n=1 n=2 n=3
score FORGED_IMS_TAGS 0 # n=0 n=1 n=2 n=3
score FORGED_MSGID_AOL 0 # n=0 n=1 n=2 n=3
score FORGED_MSGID_EXCITE 2.399 1.899 1.649 0.528 # n=0
score FORGED_MSGID_HOTMAIL 0 # n=0 n=1 n=2 n=3
score FORGED_MSGID_MSN 0 # n=0 n=1 n=2 n=3
score FORGED_MSGID_YAHOO 0.1
score FORGED_MUA_EUDORA 2.828 2.510 1.962 0.001
score FORGED_MUA_IMS 2.399 2.399 2.399 1.943
score FORGED_MUA_MOZILLA 2.399 1.596 2.399 2.309
score FORGED_MUA_OIMO 2.600 2.599 2.599 2.599
score FORGED_MUA_OUTLOOK 3.999 2.785 2.500 1.927
score FORGED_MUA_THEBAT_BOUN 3.046 3.220 3.207 3.399
score FORGED_MUA_THEBAT_CS 0 # n=0 n=1 n=2 n=3
score FORGED_OUTLOOK_HTML 0.001 0.001 0.001 0.021
score FORGED_OUTLOOK_TAGS 0.003 0.565 0.001 0.052
score FORGED_QUALCOMM_TAGS 0 # n=0 n=1 n=2 n=3
score FORGED_TELESP_RCVD 2.499 2.499 2.499 1.841 # n=0
score FORGED_THEBAT_HTML 0 # n=0 n=1 n=2 n=3
score FORWARD_LOOKING 0 # n=0 n=1 n=2 n=3
score FRAGMENTED_MESSAGE 0 # n=0 n=1 n=2
#FREEMAIL SCORES - Scores lowered per bug 6744
score FREEMAIL_FORGED_REPLYTO 1.199 2.503 1.204 2.095
score FREEMAIL_REPLY 1.0
score FREEMAIL_REPLYTO 1.0
score FREEMAIL_REPLYTO_END_DIGIT 0.25
score FREEMAIL_ENVFROM_END_DIGIT 0.25
score FREEMAIL_FROM 0.001
score FREE_PORN 0 # n=0 n=1 n=2 n=3
score FREE_QUOTE_INSTANT 2.700 2.699 2.699 1.297 # n=2
score FROM_BLANK_NAME 2.099 2.099 2.099 0.723
score FROM_DOMAIN_NOVOWEL 0.500
score FROM_EXCESS_BASE64 0.001
score FROM_LOCAL_DIGITS 0.001
score FROM_LOCAL_HEX 0.000 0.331 0.001 0.006
score FROM_LOCAL_NOVOWEL 0.500
score FROM_NO_USER 0.001 2.599 0.019 0.798
#score FROM_OFFERS 2.699 2.699 2.510 2.699 # defer to nightly GA rescorer per bug 6580
score FROM_STARTS_WITH_NUMS 2.801 0.553 1.201 0.738
score FSL_FAKE_HOTMAIL_RVCD 2.631 1.816 2.011 2.365
score FSL_HELO_BARE_IP_1 2.598 1.426 3.099 2.347
score FSL_HELO_DEVICE 0.1
score FSL_HELO_NON_FQDN_1 2.361 0.001 1.783 0.001
score FSL_HELO_SETUP 0 # n=0 n=1 n=2
score FSL_INTERIA_ABUSE 3.899 2.664 3.080 3.106
score GAPPY_SUBJECT 0.1
score GEO_QUERY_STRING 0 # n=0 n=1 n=2 n=3
score GUARANTEED_100_PERCENT 2.699 2.699 2.480 2.699
score HDR_ORDER_FTSDMCXX_001C 0 # n=0 n=1 n=2 n=3
score HDR_ORDER_FTSDMCXX_BAT 0 # n=0 n=1 n=2 n=3
score HEADER_SPAM 2.499 2.499 1.994 0.585
score HEAD_LONG 0 # n=0 n=1 n=2
score HELO_DYNAMIC_CHELLO_NL 2.412 1.918 2.019 2.428
score HELO_DYNAMIC_DHCP 2.602 0.841 1.537 0.206
score HELO_DYNAMIC_DIALIN 2.629 3.233 2.186 1.366
score HELO_DYNAMIC_HCC 4.299 2.514 2.931 2.762
score HELO_DYNAMIC_HEXIP 2.321 0.511 1.773 1.789
score HELO_DYNAMIC_HOME_NL 2.385 1.530 1.024 1.459
score HELO_DYNAMIC_IPADDR 2.633 3.243 3.680 1.951
score HELO_DYNAMIC_IPADDR2 2.815 3.888 3.728 3.607
score HELO_DYNAMIC_ROGERS 0 # n=0 n=1 n=2 n=3
score HELO_DYNAMIC_SPLIT_IP 3.031 2.893 4.225 3.482
score HELO_FRIEND 0 # n=0 n=1 n=2 n=3
score HELO_LH_HOME 0.001 2.023 0.537 1.736 # n=2
score HELO_LH_LD 0 # n=0 n=1 n=2 n=3
score HELO_LOCALHOST 2.639 3.603 2.915 3.828 # n=2
score HELO_OEM 2.899 2.899 1.234 0.270 # n=2
score HIDE_WIN_STATUS 0.001
score HIGH_CODEPAGE_URI 0 # n=0 n=1 n=2
# score HK_LOTTO 3.599 2.755 2.993 3.599 # Allow GA manage score
score HK_NAME_DRUGS 4.299 0.001 3.077 0.552
score HK_RANDOM_ENVFROM 2.638 0.626 1.798 0.001
score HTML_MIME_NO_HTML_TAG 0.001 0.635 0.001 0.377
score HTML_MISSING_CTYPE 0 # n=0 n=1 n=2 n=3
score HTML_SHORT_CENTER 3.799 3.421 2.611 0.743
score HTML_SHORT_LINK_IMG_1 2.215 0.139 0.480 0.001
score HTML_SHORT_LINK_IMG_2 1.419 0.259 0.603 0.001
score HTML_SHORT_LINK_IMG_3 0.691 0.328 0.001 0.148
score HTML_TITLE_SUBJ_DIFF 1.149 2.171 1.801 2.036
score HTTP_77 0 # n=0 n=1 n=2 n=3
score HTTP_ESCAPED_HOST 0.1
score HTTP_EXCESSIVE_ESCAPES 0.001
score IMPOTENCE 1.539 2.144 3.028 1.374
score INVALID_DATE 1.701 0.432 1.200 1.096
score INVALID_DATE_TZ_ABSURD 0.262 0.632 0.706 0.491
score INVALID_MSGID 2.602 1.167 1.328 0.568
score INVALID_TZ_CST 0 # n=0 n=1 n=2 n=3
score INVALID_TZ_EST 0 # n=0 n=1 n=2 n=3
score INVESTMENT_ADVICE 0.1
score IP_LINK_PLUS 0.001 0.001 0.246 0.012
score JAPANESE_UCE_BODY 0 # n=0 n=1 n=2 n=3
score JAPANESE_UCE_SUBJECT 0 # n=0 n=1 n=2 n=3
score JM_I_FEEL_LUCKY 0 # n=0 n=1 n=2
score JM_RCVD_QMAILV1 0 # n=0 n=1 n=2 n=3
score JM_TORA_XM 0 # n=0 n=1 n=2 n=3
score JOIN_MILLIONS 0.1
score JS_FROMCHARCODE 0 # n=0 n=1 n=2 n=3
score KB_DATE_CONTAINS_TAB 3.800 3.799 3.799 2.751
score KB_FAKED_THE_BAT 2.432 3.441 2.008 2.694
score KB_RATWARE_MSGID 4.099 2.987 2.108 1.700
score KB_RATWARE_OUTLOOK_MID 4.400 4.400 2.503 1.499
score KOREAN_UCE_SUBJECT 0 # n=0 n=1 n=2 n=3
score LIVEFILESTORE 0.1
score LIVE_PORN 0 # n=0 n=1 n=2 n=3
score LONGWORDS 2.199 1.844 1.819 2.035
score LONG_TERM_PRICE 0.001 # n=0 n=1 n=2 n=3
score LOOPHOLE_1 0 # n=0 n=1 n=2 n=3
score LOTTERY_1 0.001 1.488 1.630 0.087 # n=2
score LOTTERY_PH_004470 0.1
score LOW_PRICE 0.1
score L_SPAM_TOOL_13 0.539 0.485 0.494 1.333 # n=2
score MALE_ENHANCE 3.100 3.099 3.099 0.851
score MARKETING_PARTNERS 0.553 0.235 0.689 0.001
score MID_DEGREES 0 # n=0 n=1 n=2 n=3
#score MILLION_USD 3.799 2.477 3.221 3.247
score MIME_BOUND_DD_DIGITS 3.016 0.349 2.417 1.373
score MIME_BOUND_DIGITS_15 0.1
score MIME_BOUND_EQ_REL 0 # n=0 n=1 n=2 n=3
score MIME_BOUND_MANY_HEX 0 # n=0 n=1 n=2 n=3
score MIME_HEADER_CTYPE_ONLY 0.1
score MIME_HTML_ONLY_MULTI 0.000 0.001 0.001 0.001
score MIME_PHP_NO_TEXT 2.800 2.799 2.799 2.799
score MISSING_DATE 2.739 1.396 1.800 1.360 # n=0
score MISSING_HB_SEP 0 # n=0 n=1 n=2
score MISSING_MID 0.552 0.140 1.199 0.497 # n=1
score MISSING_MIMEOLE 0.392 1.843 0.571 1.899
score MISSING_SUBJECT 0.001 1.767 1.300 1.799
score MONEY_BACK 2.910 2.486 0.601 1.232
score MORE_SEX 2.799 2.765 2.568 1.413
score MSGID_DOLLARS_RANDOM 0 # n=0 n=1 n=2 n=3
score MSGID_FROM_MTA_HEADER 0.401 0.001 0.473 0.001
score MSGID_RANDY 2.196 2.599 2.599 2.599
score MSGID_SHORT 0.001 0.337 0.001 0.001
score MSGID_SPAM_CAPS 2.366 1.997 3.099 3.099
score MSGID_SPAM_LETTERS 0 # n=0 n=1 n=2 n=3
score MSGID_YAHOO_CAPS 0.797 1.413 2.278 1.411
score MSOE_MID_WRONG_CASE 0.993 3.373 0.960 2.584 # n=2
score MULTI_FORGED 0 # n=0 n=1 n=2 n=3
#score NA_DOLLARS 3.599
score NONEXISTENT_CHARSET 0 # n=0 n=1 n=2 n=3
score NORMAL_HTTP_TO_IP 0.159 0.001 0.795 0.001
score NOT_ADVISOR 0 # n=0 n=1 n=2 n=3
score NO_MEDICAL 2.199 1.254 2.199 1.773 # n=0
score NO_PRESCRIPTION 1.915 1.102 2.280 2.399
score NULL_IN_BODY 0.511 0.498 2.056 1.596 # n=2
score NUMERIC_HTTP_ADDR 0.000 0.001 0.001 1.242
score OBFUSCATING_COMMENT 0.000 0.000 0.001 0.723
score OBSCURED_EMAIL 0 # n=0 n=1 n=2 n=3
score ONE_TIME 1.840 1.175 1.830 0.714 # n=0
score ONLINE_PHARMACY 0.843 2.371 0.008 0.650
score PERCENT_RANDOM 2.999 2.837 2.983 1.838
score PLING_QUERY 0.1
score PREST_NON_ACCREDITED 0 # n=0 n=1 n=2 n=3
score PREVENT_NONDELIVERY 0 # n=0 n=1 n=2 n=3
score PRICES_ARE_AFFORDABLE 0.794 0.851 1.112 0.551
score RATWARE_EGROUPS 1.898 1.258 1.406 1.621
score RATWARE_HASH_DASH 0 # n=0 n=1 n=2 n=3
score RATWARE_MOZ_MALFORMED 0 # n=0 n=1 n=2 n=3
score RATWARE_MPOP_WEBMAIL 1.153 1.338 1.229 1.999 # n=0
score RATWARE_MS_HASH 2.036 3.692 0.454 2.148
score RATWARE_OE_MALFORMED 0 # n=0 n=1 n=2 n=3
score RATWARE_OUTLOOK_NONAME 2.964 0.033 2.685 2.950
score RATWARE_RCVD_AT 0 # n=0 n=1 n=2 n=3
score RATWARE_RCVD_PF 0 # n=0 n=1 n=2 n=3
score RATWARE_ZERO_TZ 2.392 2.535 0.265 1.781 # n=0
score RCVD_AM_PM 0 # n=0 n=1 n=2 n=3
score RCVD_BAD_ID 0 # n=0 n=1 n=2 n=3
score RCVD_DOUBLE_IP_LOOSE 1.150 0.960 1.042 1.012
score RCVD_DOUBLE_IP_SPAM 2.411 2.777 1.912 1.808
score RCVD_FAKE_HELO_DOTCOM 2.799 2.389 2.605 1.189
score RCVD_FORGED_WROTE 0 # n=0 n=1 n=2 n=3
score RCVD_FORGED_WROTE2 0 # n=0 n=1 n=2 n=3
#score RCVD_IN_BRBL_LASTEXT 0 1.644 0 1.449 # n=0 n=2
score RCVD_IN_PSBL 0 2.700 0 2.700 # n=0 n=2
score RCVD_IN_RP_RNBL 0 1.284 0 1.310 # n=0 n=2
score RCVD_MAIL_COM 0 # n=0 n=1 n=2 n=3
score RDNS_DYNAMIC 2.639 0.363 1.663 0.982
score RDNS_LOCALHOST 3.700 0.969 2.345 0.001
score RDNS_NONE 2.399 1.274 1.228 0.793
score REFINANCE_NOW 0 # n=0 n=1 n=2 n=3
score REFINANCE_YOUR_HOME 0 # n=0 n=1 n=2 n=3
score REMOVE_BEFORE_LINK 0.1
score REPLICA_WATCH 3.487 3.164 4.074 3.775
score REPLYTO_WITHOUT_TO_CC 2.399 1.946 0.607 1.552
score REPTO_QUOTE_AOL 0 # n=0 n=1 n=2 n=3
score REPTO_QUOTE_IMS 0 # n=0 n=1 n=2 n=3
score REPTO_QUOTE_MSN 0 # n=0 n=1 n=2 n=3
score REPTO_QUOTE_QUALCOMM 0 # n=0 n=1 n=2 n=3
score REPTO_QUOTE_YAHOO 0.001 0.490 0.001 0.646
score RUDE_HTML 0 # n=0 n=1 n=2 n=3
score SB_GIF_AND_NO_URIS 2.199 2.199 2.200 2.199 # n=2
score SHORT_HELO_AND_INLINE_IMAGE 0.1
score SHORT_TERM_PRICE 0.001 # n=0 n=1 n=2 n=3
score SPAMMY_XMAILER 2.650 0.862 1.993 2.491 # n=2
score SPOOF_COM2COM 0.001
score SPOOF_COM2OTH 0.001
score SPOOF_NET2COM 0 # n=0 n=1 n=2 n=3
score STOCK_ALERT 0 # n=0 n=1 n=2 n=3
score STOCK_IMG_CTYPE 0.001 0.005 0.001 0.001 # n=2
score STOCK_IMG_HDR_FROM 0.001 0.001 0.001 0.021 # n=2
score STOCK_IMG_HTML 0.000 0.028 0.000 0.005 # n=2
score STOCK_IMG_OUTLOOK 0.001 0.702 0.413 0.190 # n=2
score STOCK_PRICES 0 # n=0 n=1 n=2 n=3
score STOX_AND_PRICE 0 # n=0 n=1 n=2 n=3
score STOX_REPLY_TYPE 1.898 0.212 0.141 0.439 # n=1
score STOX_REPLY_TYPE_WITHOUT_QUOTES 3.099 1.860 1.629 1.757
score STRONG_BUY 0 # n=0 n=1 n=2 n=3
score SUBJECT_DIET 1.927 1.563 0.817 1.466
score SUBJECT_DRUG_GAP_C 2.108 0.989 1.348 2.140
score SUBJECT_DRUG_GAP_L 2.799 2.304 1.402 1.561
score SUBJECT_DRUG_GAP_S 0 # n=0 n=1 n=2 n=3
#score SUBJECT_DRUG_GAP_VA 0 # n=0 n=1 n=2 n=3
score SUBJECT_DRUG_GAP_X 0 # n=0 n=1 n=2 n=3
score SUBJECT_NEEDS_ENCODING 0.498 0.100 0.804 0.049 # n=2
score SUBJECT_SEXUAL 0 # n=0 n=1 n=2 n=3
score SUBJ_AS_SEEN 2.711 3.099 3.099 1.461 # n=0
score SUBJ_BUY 0.594 1.498 0.001 0.639
score SUBJ_DOLLARS 0.1
#score SUBJ_YOUR_DEBT 3.299 3.045 1.199 0.987
score SUBJ_YOUR_FAMILY 2.910 2.999 2.999 2.999
score TBIRD_SUSP_MIME_BDRY 2.400 2.400 2.399 2.399
score THEBAT_UNREG 2.599 1.843 2.324 1.524
score TO_MALFORMED 0.1
score TRACKER_ID 0.1
score TT_MSGID_TRUNC 0.748 0.023 1.434 1.448 # n=2
score TT_OBSCURED_VALIUM 0 # n=0 n=1 n=2 n=3
score TT_OBSCURED_VIAGRA 0 # n=0 n=1 n=2 n=3
score TVD_ACT_193 0 # n=0 n=1 n=2 n=3
score TVD_DEAR_HOMEOWNER 0 # n=0 n=1 n=2 n=3
score TVD_EB_PHISH 0 # n=0 n=1 n=2 n=3
score TVD_ENVFROM_APOST 0 # n=0 n=1 n=2 n=3
score TVD_FINGER_02 0.001
score TVD_FLOAT_GENERAL 0 # n=0 n=1 n=2 n=3
score TVD_INCREASE_SIZE 1.529 0.601 1.055 0.001 # n=1
score TVD_LINK_SAVE 0 # n=0 n=1 n=2 n=3
score TVD_PH_BODY_ACCOUNTS_PRE 0.001 #changed to 0.001 due to .211 S/O on 2015-05-01 but left due to Meta Use - #1.201 1.527 1.327 2.393 # n=1
score TVD_PH_REC 0.1
score TVD_PH_SEC 0.1
score TVD_PP_PHISH 0 # n=0 n=1 n=2 n=3
score TVD_QUAL_MEDS 2.697 2.397 2.799 2.483 # n=2
score TVD_RATWARE_CB 0 # n=0 n=1 n=2 n=3
score TVD_RATWARE_CB_2 0 # n=0 n=1 n=2 n=3
score TVD_RATWARE_MSGID_02 0 # n=0 n=1 n=2 n=3
#score TVD_RCVD_SPACE_BRACKET 0.001 0.001 0.001 0.001 # n=1
score TVD_SECTION 0 # n=0 n=1 n=2 n=3
score TVD_SILLY_URI_OBFU 0 # n=0 n=1 n=2 n=3
score TVD_SPACED_SUBJECT_WORD3 0 # n=0 n=1 n=2 n=3
score TVD_SUBJ_ACC_NUM 0.1
score TVD_SUBJ_FINGER_03 0 # n=0 n=1 n=2 n=3
score TVD_SUBJ_OWE 0 # n=0 n=1 n=2 n=3
score TVD_SUBJ_WIPE_DEBT 2.599 2.291 2.599 1.004 # n=2
score TVD_VISIT_PHARMA 1.957 1.196 0.417 1.406 # n=2
score TVD_VIS_HIDDEN 0 # n=0 n=1 n=2 n=3
score UNCLAIMED_MONEY 2.699 2.699 2.699 2.427
score UNCLOSED_BRACKET 2.699 1.329 1.425 1.496
score UPPERCASE_50_75 0.001 0.791 0.001 0.008
score UPPERCASE_75_100 1.480 1.189 0.001 0.001
score URG_BIZ 1.750 0.941 0.568 0.573
score URI_NOVOWEL 0.500
#score URI_NO_WWW_BIZ_CGI 2.399 2.399 2.400 2.399 # n=0
#score URI_NO_WWW_INFO_CGI 2.299 2.299 0.292 2.071
#score URI_OBFU_WWW 3.099 3.099 2.306 2.475
score URI_UNSUBSCRIBE 0 # n=0 n=1 n=2 n=3
#score US_DOLLARS_3 2.599 2.523 1.780 1.754
score VIA_GAP_GRA 0 # n=0 n=1 n=2 n=3
score WEIRD_PORT 0.001 0.001 0.097 0.001
score WEIRD_QUOTING 0.001 0.001 0.001 0.001
score WITH_LC_SMTP 0 # n=0 n=1 n=2 n=3
score X_IP 0.001 0.001 0.001 0.001
score X_MAILER_CME_6543_MSN 2.886 2.004 3.002 3.348
score X_MESSAGE_INFO 0 # n=0 n=1 n=2 n=3
score X_PRIORITY_CC 0 # n=0 n=1 n=2 n=3
score YAHOO_DRS_REDIR 0 # n=0 n=1 n=2 n=3
score YAHOO_RD_REDIR 0 # n=0 n=1 n=2 n=3
# End of generated scores. </gen:mutable>
# Bug 5700 - performing terribly 6/2019
#score URI_HEX 2.800 1.313 1.206 1.122
score URI_HEX 0.1
# Bug 6022, settle at informative score
score TVD_RCVD_IP 0.001
score TVD_RCVD_IP4 0.001
# Bug 6280, 5690, settle at informative score
score BAD_ENC_HEADER 0.001
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
score SHORTCIRCUIT 0
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::AccessDB
score ACCESSDB 0
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::BodyEval
# <gen:mutable>
score BLANK_LINES_80_90 0 # n=0 n=1 n=2 n=3
score MPART_ALT_DIFF 2.246 0.724 0.595 0.790
score MPART_ALT_DIFF_COUNT 2.799 1.483 1.199 1.112
score TVD_STOCK1 0 # n=0 n=1 n=2 n=3
# </gen:mutable>
score TVD_SPACE_RATIO 0.001
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
# <gen:mutable>
score HTML_COMMENT_SAVED_URL 0.198 0.357 0.899 1.391
score HTML_COMMENT_SHORT 0 # n=0 n=1 n=2 n=3
score HTML_EMBEDS 0.001
score HTML_EXTRA_CLOSE 0.001
score HTML_FONT_FACE_BAD 0.001
score HTML_FONT_LOW_CONTRAST 0.713 0.001 0.786 0.001
score HTML_FONT_SIZE_HUGE 0.001
score HTML_FONT_SIZE_LARGE 0.001
score HTML_FORMACTION_MAILTO 0 # n=0 n=1 n=2 n=3
score HTML_IFRAME_SRC 0 # n=0 n=1 n=2 n=3
score HTML_IMAGE_ONLY_04 1.680 0.342 1.799 1.172
score HTML_IMAGE_ONLY_08 0.585 1.781 1.845 1.651
score HTML_IMAGE_ONLY_12 1.381 1.629 1.400 2.059
score HTML_IMAGE_ONLY_16 1.969 1.048 1.199 1.092
score HTML_IMAGE_ONLY_20 2.109 0.700 1.300 1.546
score HTML_IMAGE_ONLY_24 2.799 1.282 1.328 1.618
score HTML_IMAGE_ONLY_28 2.799 0.726 1.512 1.404
score HTML_IMAGE_ONLY_32 2.196 0.001 1.172 0.001
score HTML_IMAGE_RATIO_02 0.001
score HTML_IMAGE_RATIO_04 0.001
score HTML_IMAGE_RATIO_06 0.001 0.001 0.001 0.001
score HTML_IMAGE_RATIO_08 0.001 0.001 0.001 0.001
score HTML_OBFUSCATE_05_10 0.601 0.001 0.718 0.260
score HTML_OBFUSCATE_10_20 0.174 1.162 0.588 0.093
score HTML_OBFUSCATE_20_30 2.499 2.441 1.449 1.999
score HTML_OBFUSCATE_30_40 0 # n=0 n=1 n=2 n=3
score HTML_OBFUSCATE_50_60 0 # n=0 n=1 n=2 n=3
score HTML_OBFUSCATE_70_80 0 # n=0 n=1 n=2 n=3
score HTML_OBFUSCATE_90_100 2.000 # n=0 n=1 n=2 n=3 - manually scored per list discussion
score HTML_BADTAG_40_50 0 # n=0 n=1 n=2 n=3
score HTML_BADTAG_50_60 0 # n=0 n=1 n=2 n=3
score HTML_BADTAG_60_70 0 # n=0 n=1 n=2 n=3
score HTML_BADTAG_90_100 0 # n=0 n=1 n=2 n=3
score HTML_NONELEMENT_30_40 0.000 0.001 0.308 0.001
score HTML_NONELEMENT_40_50 0 # n=0 n=1 n=2 n=3
score HTML_NONELEMENT_60_70 0 # n=0 n=1 n=2 n=3
score HTML_NONELEMENT_80_90 0 # n=0 n=1 n=2 n=3
score HTML_TAG_BALANCE_BODY 0.1
score HTML_TAG_BALANCE_HEAD 0.520 0.000 0.600 0.817
score HTML_TAG_EXIST_BGSOUND 0 # n=0 n=1 n=2 n=3
# </gen:mutable>
# HTML control test
score HTML_MESSAGE 0.001
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::DNSEval
# <gen:mutable>
score RCVD_IN_BL_SPAMCOP_NET 0 1.246 0 1.347 # n=0 n=2
score RCVD_IN_IADB_DK 0 -0.223 0 -0.095 # n=0 n=1 n=2
score RCVD_IN_IADB_DOPTIN_GT50 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_DOPTIN_LT50 0 -0.001 0 -0.001 # n=0 n=1 n=2
score RCVD_IN_IADB_EDDB 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_EPIA 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_GOODMAIL 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_LISTED 0 -0.380 0 -0.001 # n=0 n=2
score RCVD_IN_IADB_LOOSE 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_MI_CPEAR 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_MI_CPR_30 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_MI_CPR_MAT 0 -0.332 0 -0.000 # n=0 n=1 n=2
score RCVD_IN_IADB_NOCONTROL 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_OOO 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_OPTIN 0 -2.057 0 -1.470 # n=0 n=1 n=2
score RCVD_IN_IADB_OPTIN_GT50 0 -1.208 0 -0.007 # n=0 n=2
score RCVD_IN_IADB_OPTIN_LT50 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_OPTOUTONLY 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_RDNS 0 -0.167 0 -0.235 # n=0 n=1 n=2
score RCVD_IN_IADB_SENDERID 0 -0.001 0 -0.001 # n=0 n=2
score RCVD_IN_IADB_SPF 0 -0.001 0 -0.059 # n=0 n=2
score RCVD_IN_IADB_UNVERIFIED_1 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UNVERIFIED_2 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UT_CPEAR 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UT_CPR_30 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UT_CPR_MAT 0 -0.095 0 -0.001 # n=0 n=1 n=2
score RCVD_IN_SBL 0 2.596 0 0.141 # n=0 n=2
score RCVD_IN_SORBS_BLOCK 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
score RCVD_IN_SORBS_WEB 0 1.5 0 1.5
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
score RCVD_IN_XBL 0 0.724 0 0.375 # n=0 n=2
score RCVD_IN_PBL 0 3.558 0 3.335 # n=0 n=2
score RCVD_IN_SBL_CSS 0 3.558 0 3.335 # n=0 n=2
score NO_DNS_FOR_FROM 0 0.379 0 0.001 # n=0 n=2
# </gen:mutable>
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0 0.001 0 0.001
score RCVD_IN_ZEN_BLOCKED 0 0.001 0 0.001
# ReturnPath Certified
# https://www.returnpath.net/internetserviceprovider/certification/
# CERTIFIED is a subset of SAFE, thus the score is cumulative.
# -2 + -3 = -5 points for CERTIFIED
score RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0
score RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0
# DNSWL is a commercial service that requires payment for servers over 100K queries daily.
# Unfortunately, they will return true answers for DNS servers they consider abusive so
# SA Admins must enable these rules manually.
#
score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
score RCVD_IN_DNSWL_HI 0 -5 0 -5
score RCVD_IN_DNSWL_BLOCKED 0 0.001 0 0.001
# IADB
score RCVD_IN_IADB_VOUCHED 0 -2.2 0 -2.2
score RCVD_IN_IADB_DOPTIN 0 -4 0 -4
score RCVD_IN_IADB_ML_DOPTIN 0 -6 0 -6
# MAPS
# MAPS is a commercial service. If you pay for these, assign a score
# so they will be checked.
score RCVD_IN_MAPS_RBL 0
score RCVD_IN_MAPS_DUL 0
score RCVD_IN_MAPS_RSS 0
score RCVD_IN_MAPS_OPS 0
score RCVD_IN_MAPS_NML 0
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
# <gen:mutable>
score DATE_IN_FUTURE_03_06 3.399 2.426 2.997 3.027
score DATE_IN_FUTURE_06_12 2.899 0.001 2.222 1.947
score DATE_IN_FUTURE_12_24 2.603 2.489 3.199 3.199
score DATE_IN_FUTURE_24_48 2.598 1.248 0.001 2.048
score DATE_IN_FUTURE_48_96 2.384 0.813 1.078 2.181
#score DATE_IN_FUTURE_96_XX 2.614 3.028 2.851 3.087
score DATE_IN_FUTURE_96_XX 0
score DATE_IN_PAST_03_06 2.399 1.076 1.200 1.592
score DATE_IN_PAST_06_12 1.699 1.103 1.274 1.543
score DATE_IN_PAST_12_24 0.001 0.804 1.190 1.049
score DATE_IN_PAST_24_48 1.109 0.485 0.624 1.340
score DATE_IN_PAST_96_XX 2.600 2.070 1.233 3.405
score FORGED_HOTMAIL_RCVD2 0.001 1.187 0.698 0.874
score FORGED_YAHOO_RCVD 2.397 1.022 2.599 1.630
score FROM_ILLEGAL_CHARS 2.192 2.059 0.240 0.036
score HEADER_COUNT_CTYPE 0 # n=0 n=1 n=2 n=3
score HEADER_COUNT_SUBJECT 0 # n=0 n=1 n=2 n=3
score HEAD_ILLEGAL_CHARS 0 # n=0 n=1 n=2 n=3
score LOCALPART_IN_SUBJECT 0.001 0.730 1.199 1.107
score MISSING_HEADERS 0.915 1.207 1.204 1.021
score MSGID_OUTLOOK_INVALID 3.899
score RATWARE_EFROM 0.1
score RATWARE_NAME_ID 3.099 0.309 3.099 0.247 # n=0
score SORTED_RECIPS 1.801 2.474 1.791 2.499
score SUBJ_ALL_CAPS 0.5
score SUBJ_ILLEGAL_CHARS 0.620 1.105 0.448 1.518
score SUSPICIOUS_RECIPS 2.499 2.497 2.139 2.510
score UNRESOLVED_TEMPLATE 3.035 0.716 2.424 1.252
# </gen:mutable>
# ok_locales
score CHARSET_FARAWAY_HEADER 3.200
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
# <gen:mutable>
score DC_GIF_UNO_LARGO 0.001 1.323 0.053 2.176 # n=2
score DC_IMAGE_SPAM_HTML 0.1
score DC_IMAGE_SPAM_TEXT 0.1
score DC_PNG_UNO_LARGO 0.001 # n=0 n=1 n=2 n=3
# </gen:mutable>
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# <gen:mutable>
score BASE64_LENGTH_78_79 0.1
score BASE64_LENGTH_79_INF 1.379 2.019 0.583 1.502 # n=2
score MIME_BAD_ISO_CHARSET 0 # n=0 n=1 n=2 n=3
#score MIME_BASE64_BLANKS 0.001 0.001 0.001 0.001
score MIME_BASE64_TEXT 0.001 0.001 0.001 1.741
score MIME_HTML_MOSTLY 0.1
score MIME_HTML_ONLY 0.1
score MISSING_MIME_HB_SEP 0.001 0.001 0.001 0.001
score MULTIPART_ALT_NON_TEXT 0 # n=0 n=1 n=2 n=3
# </gen:mutable>
score MIME_QP_LONG_LINE 0.001
score MIMEPART_LIMIT_EXCEEDED 0.001
# ok_locales
score CHARSET_FARAWAY 3.200
# we dare you
# score HEAD_LONG 2.5
# score MISSING_HB_SEP 2.5
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::RelayEval
# <gen:mutable>
score NO_RDNS_DOTCOM_HELO 3.100 0.433 3.099 0.823
score RCVD_HELO_IP_MISMATCH 1.680 1.186 2.362 2.368
# score RCVD_ILLEGAL_IP 3.399
score RCVD_ILLEGAL_IP 1.3
score RCVD_NUMERIC_HELO 0.001 0.865 0.001 1.164
# </gen:mutable>
# Informational rules about Received header parsing
score NO_RELAYS -0.001
score UNPARSEABLE_RELAY 0.001
score HELO_STATIC_HOST -0.001
# immutable (due to tflags userconf), see bug 5544
# score ALL_TRUSTED -1.360 -1.440 -1.665 -1.800
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::URIEval
# <gen:mutable>
score HTTPS_IP_MISMATCH 0 # n=0 n=1 n=2 n=3
# </gen:mutable>
score URI_TRUNCATED 0.001
endif
###########################################################################
# Scores for tests that are scored manually or with isolated rescore runs.
# Most are net tests, userconf tests, tests occuring with very low frequency,
# or tests with many false positives.
# GTUBE - Generic Test for Unsolicited Bulk Email
score GTUBE 1000.000
# we dare you
# score FRAGMENTED_MESSAGE 2.5
# score HIGH_CODEPAGE_URI 2.5
# make the Bayes scores unmutable (as discussed in bug 4505)
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00 0 0 -1.5 -1.9
score BAYES_05 0 0 -0.3 -0.5
score BAYES_20 0 0 -0.001 -0.001
score BAYES_40 0 0 -0.001 -0.001
score BAYES_50 0 0 2.0 0.8
score BAYES_60 0 0 2.5 1.5
score BAYES_80 0 0 2.7 2.0
score BAYES_95 0 0 3.2 3.0
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 0.2 0.2
endif
# Informational rules about Received header parsing
score NO_RECEIVED -0.001
# Informational rule, URI parsing encountered an overlong URI
# Informational rule, typically means corrupt corpus/input
score NO_HEADERS_MESSAGE 0.001
# ok_locales
score HTML_CHARSET_FARAWAY 0.500
score MIME_CHARSET_FARAWAY 2.450
# rescore never changes the whitelist/blacklist scores
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
#score USER_IN_BLACKLIST 100.000 - Moved to 60_whitelist.cf
#score USER_IN_WHITELIST -100.000 - Moved to 60_whitelist.cf
#score USER_IN_DEF_WHITELIST -15.000 - Moved to 60_whitelist.cf
#score USER_IN_BLACKLIST_TO 10.000 - Moved to 60_whitelist.cf
score URI_HOST_IN_BLACKLIST 100.0
score URI_HOST_IN_WHITELIST -100.0
#Removed in bug 7256
#score HEADER_HOST_IN_BLACKLIST 100.0
#score HEADER_HOST_IN_WHITELIST -100.0
# not really false positives but the user wants spam!
#score USER_IN_WHITELIST_TO -6.000 - Moved to 60_whitelist.cf
score USER_IN_MORE_SPAM_TO -20.000
score USER_IN_ALL_SPAM_TO -100.000
endif
ifplugin Mail::SpamAssassin::Plugin::WhiteListSubject
score SUBJECT_IN_WHITELIST -100
score SUBJECT_IN_BLACKLIST 100
endif # Mail::SpamAssassin::Plugin::WhiteListSubject
ifplugin Mail::SpamAssassin::Plugin::SPF
score USER_IN_SPF_WHITELIST -100.000
score USER_IN_DEF_SPF_WL -7.500
score ENV_AND_HDR_SPF_MATCH -0.5
endif # Mail::SpamAssassin::Plugin::SPF
# DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DEF_DKIM_WL -7.500
score DKIM_SIGNED 0.1
score DKIM_VALID -0.1
score DKIM_INVALID 0.1
score DKIM_VALID_AU -0.1
if (version >= 3.004002)
score DKIM_VALID_EF -0.1
endif
score DKIM_VERIFIED 0
score DKIM_POLICY_SIGNALL 0
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0
score DKIM_ADSP_CUSTOM_LOW 0.001
score DKIM_ADSP_CUSTOM_MED 0.001
score DKIM_ADSP_CUSTOM_HIGH 0.001
score NML_ADSP_CUSTOM_LOW 0 0.7 0 0.7
score NML_ADSP_CUSTOM_MED 0 1.2 0 0.9
score NML_ADSP_CUSTOM_HIGH 0 2.6 0 2.5
# <gen:mutable>
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8
score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9
# </gen:mutable>
endif # Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::AskDNS
# <gen:mutable>
score DKIMDOMAIN_IN_DWL 0 -3.5 0 -3.5
score DKIMDOMAIN_IN_DWL_UNKNOWN 0 -0.01 0 -0.01
# </gen:mutable>
endif
# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
# otherwise. The penalties for an *incorrect* record, however, are large. ;)
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_NONE 0.001
score SPF_HELO_NONE 0.001
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
# <gen:mutable>
score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2
score SPF_HELO_FAIL 0 0.001 0 0.001 # n=0 n=2
score SPF_HELO_NEUTRAL 0 0.001 0 0.112 # n=0 n=2
score SPF_HELO_SOFTFAIL 0 0.896 0 0.732 # n=0 n=2
score SPF_NEUTRAL 0 0.652 0 0.779 # n=0 n=2
score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
# </gen:mutable>
endif # Mail::SpamAssassin::Plugin::SPF
# URIDNSBL
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
# <gen:mutable>
#score URIBL_AB_SURBL 0 4.499 0 4.499 # n=0 n=2 - removed bug 7279
#Changed below from JP to Abuse - bug 7279
score URIBL_ABUSE_SURBL 0 1.948 0 1.250 # n=0 n=2
score URIBL_PH_SURBL 0 0.001 0 0.610 # n=0 n=2
score URIBL_RHS_DOB 0 0.276 0 1.514 # n=0 n=2
score URIBL_SBL 0 0.644 0 1.623 # n=0 n=2
score URIBL_CSS 0 0.1 0 0.1
score URIBL_SBL_A 0 0.1 0 0.1
score URIBL_CSS_A 0 0.1 0 0.1
#score URIBL_SC_SURBL 0 0.001 0 0.568 # n=0 n=2 - removed bug 7279
score URIBL_WS_SURBL 0 1.659 0 1.608 # n=0 n=2
score URIBL_MW_SURBL 0 1.263 0 1.263
score URIBL_CR_SURBL 0 1.263 0 1.263
score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2
score URIBL_GREY 0 1.084 0 0.424 # n=0 n=2
score URIBL_DBL_SPAM 0 2.5 0 2.5
score URIBL_DBL_PHISH 0 2.5 0 2.5
score URIBL_DBL_MALWARE 0 2.5 0 2.5
score URIBL_DBL_BOTNETCC 0 2.5 0 2.5
score URIBL_DBL_ABUSE_SPAM 0 2.0 0 2.0
score URIBL_DBL_ABUSE_REDIR 0 0.001 0 0.001
score URIBL_DBL_ABUSE_PHISH 0 2.5 0 2.5
score URIBL_DBL_ABUSE_MALW 0 2.5 0 2.5
score URIBL_DBL_ABUSE_BOTCC 0 2.5 0 2.5
# </gen:mutable>
# score URIBL_GREY 0.25
score URIBL_RED 0 0.001 0 0.001
score URIBL_BLOCKED 0 0.001 0 0.001
score URIBL_DBL_ERROR 0 0.001 0 0.001
score URIBL_ZEN_BLOCKED_OPENDNS 0 0.001 0 0.001
score URIBL_ZEN_BLOCKED 0 0.001 0 0.001
score URIBL_DBL_BLOCKED_OPENDNS 0 0.001 0 0.001
score URIBL_DBL_BLOCKED 0 0.001 0 0.001
endif # Mail::SpamAssassin::Plugin::URIDNSBL
# ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# <gen:mutable>
score FUZZY_AFFORDABLE 0 # n=0 n=1 n=2 n=3
#score FUZZY_AMBIEN 0.1
score FUZZY_BILLION 0 # n=0 n=1 n=2 n=3
score FUZZY_CPILL 0.001 0.001 0.001 0.001
score FUZZY_CREDIT 1.699 1.413 0.601 1.678
#score FUZZY_ERECT 0.1
score FUZZY_GUARANTEE 0 # n=0 n=1 n=2 n=3
score FUZZY_MEDICATION 0 # n=0 n=1 n=2 n=3
score FUZZY_MERIDIA 0 # n=0 n=1 n=2 n=3
score FUZZY_MILLION 0.1
score FUZZY_MONEY 0 # n=0 n=1 n=2 n=3
score FUZZY_MORTGAGE 0 # n=0 n=1 n=2 n=3
score FUZZY_OBLIGATION 0 # n=0 n=1 n=2 n=3
score FUZZY_OFFERS 0 # n=0 n=1 n=2 n=3
score FUZZY_PHARMACY 2.960 3.299 1.967 1.353
score FUZZY_PHENT 2.799 1.647 1.540 2.662 # n=0
score FUZZY_PRESCRIPT 0 # n=0 n=1 n=2 n=3
score FUZZY_PRICES 1.821 0.720 2.210 2.311
score FUZZY_REFINANCE 0 # n=0 n=1 n=2 n=3
score FUZZY_REMOVE 0 # n=0 n=1 n=2 n=3
#score FUZZY_ROLEX 0.1
score FUZZY_SOFTWARE 0 # n=0 n=1 n=2 n=3
score FUZZY_THOUSANDS 0 # n=0 n=1 n=2 n=3
score FUZZY_VLIUM 0 # n=0 n=1 n=2 n=3
score FUZZY_VIOXX 0 # n=0 n=1 n=2 n=3
score FUZZY_VPILL 0.001 0.494 0.796 1.014
score FUZZY_XPILL 0.1
score SUBJECT_FUZZY_CHEAP 0.641 1.831 0.833 0.001 # n=0
score SUBJECT_FUZZY_MEDS 0 # n=0 n=1 n=2 n=3
score SUBJECT_FUZZY_PENIS 0 # n=0 n=1 n=2 n=3
score SUBJECT_FUZZY_TION 0 # n=0 n=1 n=2 n=3
score SUBJECT_FUZZY_VPILL 0 # n=0 n=1 n=2 n=3
score TVD_FUZZY_DEGREE 0 # n=0 n=1 n=2 n=3
score TVD_FUZZY_FINANCE 0 # n=0 n=1 n=2 n=3
score TVD_FUZZY_FIXED_RATE 0 # n=0 n=1 n=2 n=3
score TVD_FUZZY_MICROCAP 0 # n=0 n=1 n=2 n=3
score TVD_FUZZY_PHARMACEUTICAL 0 # n=0 n=1 n=2 n=3
score TVD_FUZZY_SYMBOL 0 # n=0 n=1 n=2 n=3
# </gen:mutable>
endif # Mail::SpamAssassin::Plugin::ReplaceTags
# DCC
ifplugin Mail::SpamAssassin::Plugin::DCC
score DCC_CHECK 0 1.1 0 1.1
score DCC_REPUT_00_12 0 -0.8 0 -0.4
score DCC_REPUT_13_19 0 -0.1 0 -0.1
score DCC_REPUT_70_89 0 0.1 0 0.1
score DCC_REPUT_90_94 0 0.4 0 0.6
score DCC_REPUT_95_98 0 0.7 0 1.0
score DCC_REPUT_99_100 0 1.2 0 1.4
endif # Mail::SpamAssassin::Plugin::DCC
# Pyzor
ifplugin Mail::SpamAssassin::Plugin::Pyzor
# <gen:mutable>
score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2
# </gen:mutable>
endif # Mail::SpamAssassin::Plugin::Pyzor
# Razor2
ifplugin Mail::SpamAssassin::Plugin::Razor2
# <gen:mutable>
score RAZOR2_CHECK 0 1.729 0 0.922 # n=0 n=2
score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2
# </gen:mutable>
endif # Mail::SpamAssassin::Plugin::Razor2
# TextCat
ifplugin Mail::SpamAssassin::Plugin::TextCat
score UNWANTED_LANGUAGE_BODY 2.800
score BODY_8BITS 1.500
endif # Mail::SpamAssassin::Plugin::TextCat
# AntiVirus
ifplugin Mail::SpamAssassin::Plugin::AntiVirus
score MICROSOFT_EXECUTABLE 0.1
score MIME_SUSPECT_NAME 0.1
endif # Mail::SpamAssassin::Plugin::AntiVirus
# VBounce - anti-bounce message ruleset. All of these are informational,
# and should not be scored as antispam rules; instead the user needs
# to detect messages that hit ANY_BOUNCE_MESSAGE, and filter them aside
# as spurious bounces.
#
ifplugin Mail::SpamAssassin::Plugin::VBounce
score BOUNCE_MESSAGE 0.1
score CRBOUNCE_MESSAGE 0.1
score VBOUNCE_MESSAGE 0.1
score OOOBOUNCE_MESSAGE 0.1
score ANY_BOUNCE_MESSAGE 0.1
endif # Mail::SpamAssassin::Plugin::VBounce
# another informational rule: this is for C/R responses to mail the user
# really did sent -- the opposite of CRBOUNCE_MESSAGE. some users might
# like to block all C/R bounces, or filter them separately.
#
score CHALLENGE_RESPONSE 0.1
# It's still quite common for non-spam senders to send mail from hosts with
# no rDNS, or "dynamic-looking" rDNS. Lock these down to low values;
# some sites can increase them as a matter of local policy, and they
# make great fodder for meta rules, too.
#
# score RDNS_NONE 0 1.1 0 0.7
# score RDNS_DYNAMIC 0 0.5 0 0.5
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# <gen:mutable>
score CTYPE_8SPACE_GIF 0 # n=0 n=1 n=2 n=3
# </gen:mutable>
endif
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
# <gen:mutable>
score HTTPS_HTTP_MISMATCH 0.1
# </gen:mutable>
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# <gen:mutable>
score PART_CID_STOCK 0.001 0.001 0.001 0.000 # n=2
# </gen:mutable>
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# <gen:mutable>
score PART_CID_STOCK_LESS 0.000 0.036 0.745 0.894 # n=2
# </gen:mutable>
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# <gen:mutable>
score TVD_FW_GRAPHIC_NAME_LONG 0.001 0.648 0.836 1.293 # n=2
# </gen:mutable>
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# <gen:mutable>
score TVD_FW_GRAPHIC_NAME_MID 0.600 0.001 0.389 0.095 # n=2
# </gen:mutable>
endif
# Bug 6155 c115
score KB_RATWARE_OUTLOOK_08 0
score KB_RATWARE_OUTLOOK_12 0
score KB_RATWARE_OUTLOOK_16 0
score KB_RATWARE_BOUNDARY 0
# MAILSPIKE RBL ENABLED FOR SA3.4 and above - BUG 6400
if (version >= 3.004000)
# FLOATING SCORES FOR GA - adjust after GA to make L3 - L5 linear
# Probably adjust up slightly to make up for the "reuse" imperfection
# <gen:mutable>
score RCVD_IN_MSPIKE_ZBI 2.7
score RCVD_IN_MSPIKE_L5 2.5
score RCVD_IN_MSPIKE_L4 1.7
score RCVD_IN_MSPIKE_L3 0.9
# </gen:mutable>
# FIXED SCORES
# TEMPORARILY LOWERED - adjust these higher after GA is done
# (pending discussion: Welcomelists need scores, but they shouldn't effect the scoring of spam detection rules.)
score RCVD_IN_MSPIKE_H3 -0.01
score RCVD_IN_MSPIKE_H4 -0.01
score RCVD_IN_MSPIKE_H5 -1.0
# FIXED SCORES - informational rules, useful only for statistical comparisons
score RCVD_IN_MSPIKE_BL 0.01
score RCVD_IN_MSPIKE_WL -0.01
endif

218
sa-updates/60_adsp_override_dkim.cf Normal file
View File

@ -0,0 +1,218 @@
# SpamAssassin rules file: default DKIM ADSP overrides
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
###########################################################################
# DKIM ADSP overrides
ifplugin Mail::SpamAssassin::Plugin::DKIM
# Later rules override previous, so to override any of the pre-sets here, just
# declare the domain as unknown, e.g.: 'adsp_override somedomain unknown' .
#
# 'discardable' is implied in absence of the second argument.
adsp_override ebay.com
adsp_override ebay.at
adsp_override ebay.be
adsp_override ebay.ca
adsp_override ebay.ch
adsp_override ebay.de
adsp_override ebay.ee
adsp_override ebay.es
adsp_override ebay.fr
adsp_override ebay.hu
adsp_override ebay.ie
adsp_override ebay.in
adsp_override ebay.it
adsp_override ebay.nl
adsp_override ebay.ph
adsp_override ebay.pl
adsp_override ebay.pt
adsp_override ebay.se
adsp_override ebay.co.kr
adsp_override ebay.co.uk
adsp_override ebay.com.au
adsp_override ebay.com.cn
adsp_override ebay.com.hk
adsp_override ebay.com.mx
adsp_override ebay.com.my
adsp_override ebay.com.sq
adsp_override paypal.com
adsp_override paypal.co.uk
adsp_override ealerts.bankofamerica.com
adsp_override alert.bankofamerica.com
adsp_override americangreetings.com
adsp_override yahoo.americangreetings.com
adsp_override msn.americangreetings.com
adsp_override egreetings.com
adsp_override bluemountain.com
adsp_override hallmark.com
adsp_override update.hallmark.com
adsp_override *.hallmark.com
adsp_override amazon.com all
adsp_override amazon.co.uk all
adsp_override amazon.de all
adsp_override amazon.fr all
adsp_override birthdayalarm.com all
adsp_override astrology.com all
adsp_override linkedin.com all
adsp_override *.linkedin.com all
adsp_override facebookmail.com all
adsp_override *.greenpeace.org all
adsp_override lists.sourceforge.net all
adsp_override lufthansa.com all
adsp_override *.lufthansa.com all
adsp_override *.delivery.net all
adsp_override youtube.com custom_high
adsp_override google.com custom_med
adsp_override gmail.com custom_med
adsp_override googlemail.com custom_med
adsp_override yahoo.com custom_med
adsp_override yahoo.com.ar custom_med
adsp_override yahoo.com.au custom_med
adsp_override yahoo.com.br custom_med
adsp_override yahoo.com.cn custom_med
adsp_override yahoo.com.hk custom_med
adsp_override yahoo.com.mx custom_med
adsp_override yahoo.com.my custom_med
adsp_override yahoo.com.ph custom_med
adsp_override yahoo.com.sg custom_med
adsp_override yahoo.com.tw custom_med
adsp_override yahoo.co.id custom_med
adsp_override yahoo.co.in custom_med
adsp_override yahoo.co.jp custom_med
adsp_override yahoo.co.nz custom_med
adsp_override yahoo.co.th custom_med
adsp_override yahoo.co.uk custom_med
adsp_override yahoo.ca custom_med
adsp_override yahoo.cn custom_med
adsp_override yahoo.de custom_med
adsp_override yahoo.dk custom_med
adsp_override yahoo.es custom_med
adsp_override yahoo.fr custom_med
adsp_override yahoo.gr custom_med
adsp_override yahoo.ie custom_med
adsp_override yahoo.it custom_med
adsp_override yahoo.no custom_med
adsp_override yahoo.pl custom_med
adsp_override yahoo.se custom_med
# Ignore linting, makes unnecessary lookups
adsp_override compiling.spamassassin.taint.org unknown
# To effectively disable ADSP network DNS lookups for all other domains:
# adsp_override * unknown
# Currently few domains publish their signing practices (draft-ietf-dkim-ssp,
# ADSP), partly because the ADSP draft/rfc is rather new, partly because they
# think hardly any recipient bothers to check it, and partly for fear that
# some recipients might lose mail due to problems in their signature validation
# procedures or mail mangling by mailers beyond their control.
#
# Nevertheless, recipients could benefit by knowing signing practices of a
# sending (author's) domain, for example to recognize forged mail claiming
# to be from certain domains which are popular targets for phishing, like
# financial institutions. Unfortunately, as signing practices are seldom
# published or are weak, it is hardly justifiable to look them up in DNS.
#
# To overcome this chicken-or-the-egg problem, the adsp_override mechanism
# allows recipients using SpamAssassin to override published or defaulted
# ADSP for certain domains. This makes it possible to manually specify a
# stronger (or weaker) signing practices than a signing domain is willing
# to publish (explicitly or by default), and also save on a DNS lookup.
#
# Note that ADSP (published or overridden) is only consulted for messages
# which do not contain a valid DKIM signature from the author's domain.
#
# According to ADSP draft, signing practices can be one of the following:
# unknown, all and discardable.
#
# unknown: Messages from this domain might or might not have an author
# signature. This is a default if a domain exists in DNS but no ADSP record
# is found.
#
# all: All messages from this domain are signed with an Author Signature.
#
# discardable: All messages from this domain are signed with an Author
# Signature. If a message arrives without a valid Author Signature, the
# domain encourages the recipient(s) to discard it.
#
# ADSP lookup can also determine that a domain is "out of scope", i.e., the
# domain does not exist (NXDOMAIN) in the DNS.
#
# To override domain's signing practices in a SpamAssassin configuration file,
# specify an adsp_override directive for each sending domain to be overridden.
#
# Its first argument is a domain name. Author's domain is matched against it,
# matching is case insensitive. This is not a regular expression or a file-glob
# style wildcard, but limited wildcarding is still available: if this argument
# starts by a "*." (or is a sole "*"), author's domain matches if it is a
# subdomain (to one or more levels) of the argument. Otherwise (with no
# leading asterisk) the match must be exact (not a subdomain).
#
# An optional second parameter is one of the following keywords
# (case-insensitive): nxdomain, unknown, all, discardable,
# custom_low, custom_med, custom_high.
#
# Absence of this second parameter implies discardable. If a domain is not
# listed by a adsp_override directive nor does it explicitly publish any
# ADSP record, then unknown is implied for valid domains, and nxdomain
# for domains not existing in DNS. (Note: domain validity may be unchecked
# with current versions of Mail::DKIM, so nxdomain may never turn up.)
#
# The strong setting discardable is useful for domains which are known
# to always sign their mail and to always send it directly to recipients
# (not to mailing lists), and are frequent targets of fishing attempts,
# such as financial institutions. The discardable is also appropriate
# for domains which are known never to send any mail.
#
# When a message does not contain a valid signature by the author's domain
# (the domain in a From header field), the signing practices pertaining
# to author's domain determine which of the following rules fire and
# contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD,
# DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more
# than one of these rules can fire. The last three can only result from a
# 'signing_practices' as given in a adsp_override directive (not from a
# DNS lookup), and can serve as a convenient means of providing a different
# score if scores assigned to DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not
# considered suitable for some domains.
#
# As a precaution against firing DKIM_ADSP_* rules when there is a known
# local reason for a signature verification failure, the domain's ADSP is
# considered unknown when DNS lookups are disabled or a DNS lookup encountered
# a temporary problem on fetching a public key from the author's domain.
# Similarly, ADSP is considered unknown when this plugin did its own signature
# verification (signatures were not passed to SA by a caller) and a metarule
# __TRUNCATED was triggered, indicating the caller intentionally passed a
# truncated message to SpamAssassin, which was a likely reason for a signature
# verification failure.
endif # Mail::SpamAssassin::Plugin::DKIM

31
sa-updates/60_awl.cf Normal file
View File

@ -0,0 +1,31 @@
# SpamAssassin rules file: auto-whitelist
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
ifplugin Mail::SpamAssassin::Plugin::AWL
header AWL eval:check_from_in_auto_whitelist()
describe AWL Adjusted score from AWL reputation of From: address
tflags AWL userconf noautolearn
priority AWL 1000
endif # Mail::SpamAssassin::Plugin::AWL

67
sa-updates/60_bayes_stopwords.cf Normal file
View File

@ -0,0 +1,67 @@
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_bayes_stopwords)
# Danish
bayes_stopword_dk (?^:(?:a(?:lle|nden)|bl(?:ev|iver?)|d(?:e(?:nne|res|tte)|isse)|e(?:fter|ller)|h(?:a(?:ns|v(?:de|e))|endes?|v(?:ad|is|or))|ikke|kunne|m(?:ange|eget|ine)|nog(?:et|le)|o(?:gs\xc3\xa5|ver)|s(?:elv|ine|k(?:al|ulle)|\xc3\xa5dan)|under|v(?:ille|\xc3\xa6ret?)))
# Dutch
bayes_stopword_nl (?^:(?:a(?:l(?:les|tijd)|ndere)|d(?:aar|eze|o(?:ch|en|or))|eens|ge(?:en|weest)|h(?:aar|e(?:bben|eft)|ier)|ie(?:mand|ts)|kunnen|m(?:aar|eer|ijn|oet)|n(?:aar|iets?)|o(?:mdat|nder|ver)|reeds|t(?:egen|o(?:ch|en))|v(?:eel|oor)|w(?:a(?:nt|ren)|e(?:rd|zen)|ord(?:en|t))|z(?:elf|i(?:ch|jn)|onder)))
# German
bayes_stopword_de (?:a(?:ber|l(?:le[mnrs]?|so)|nder(?:(?:e[mnrs]?|[mnrs]))?|uch)|bist|d(?:a(?:mit|nn|ss(?:elbe)?|zu)|e(?:in(?:e[mnrs]?)?|mselben|n(?:selben|n)|r(?:er|selben?)|sse(?:lben|n))|i(?:ch|es(?:e(?:(?:lben?|[mnrs]))?)?)|o(?:ch|rt)|urch)|e(?:in(?:e[mnrs]?|ig(?:e[mnrs]?)?|mal)|twas|u(?:ch|er|re[mnrs]?))|ge(?:gen|wesen)|h(?:a(?:ben?|tten?)|i(?:er|nter))|i(?:h(?:nen|re[mnrs]?)|ndem)|je(?:de[mnrs]?|ne[mnrs]?|tzt)|k(?:ann|ein(?:e[mnrs]?)?|\xc3\xb6nn(?:en|te))|m(?:a(?:chen|nche[mnrs]?)|ein(?:e[mnrs]?)?|ich|uss(?:te)?)|n(?:ach|ichts?|och)|o(?:der|hne)|s(?:e(?:hr|in(?:e[mnrs]?)?|lbst)|i(?:ch|nd)|o(?:l(?:che[mnrs]?|l(?:te)?)|n(?:dern|st)))|un(?:ser(?:e[mns]?)?|ter)|viel|w(?:ar(?:en|st)|e(?:i(?:ter|l)|lche[mnrs]?|nn|rden?)|i(?:eder|ll|r(?:st|d))|oll(?:en|te)|\xc3(?:\xa4hrend|\xbcrden?))|zw(?:ar|ischen)|\xc3\xbcber)
# English
bayes_stopword_en (?:a(?:ble|l(?:ready|l)|n[dy]|re)|b(?:ecause|oth)|c(?:an|ome)|e(?:ach|mail|ven)|f(?:ew|irst|or|rom)|give|h(?:a(?:ve|s)|ttp)|i(?:n(?:formation|to)|t\'s)|just|know|l(?:ike|o(?:ng|ok))|m(?:a(?:de|il(?:(?:ing|to))?|ke|ny)|o(?:re|st)|uch)|n(?:eed|o[tw]|umber)|o(?:ff|n(?:ly|e)|ut|wn)|p(?:eople|lace)|right|s(?:ame|ee|uch)|t(?:h(?:at|is|rough|e)|ime)|using|w(?:eb|h(?:ere|y)|ith(?:out)?|or(?:ld|k))|y(?:ears?|ou(?:(?:\'re|r))?))$
# bayes_stopword_en (?:a(?:bo(?:ut|ve)|fter|gain(?:st)?|ren(?:\'t)?)|b(?:e(?:cause|en|fore|ing|low|tween)|oth)|couldn(?:\'t)?|d(?:idn(?:\'t)?|o(?:es(?:n(?:\'t)?)?|ing|n\'t|wn)|uring)|each|f(?:rom|urther)|h(?:a(?:dn(?:\'t)?|sn(?:\'t)?|v(?:e(?:n(?:\'t)?)?|ing))|er(?:s(?:elf)?|e)|imself)|i(?:nto|sn\'t|t(?:\'s|self))|just|m(?:ightn(?:\'t)?|o(?:re|st)|ustn(?:\'t)?|yself)|needn(?:\'t)?|o(?:n(?:ce|ly)|ther|urs(?:elves)?|ver)|s(?:ame|h(?:an(?:\'t)?|e\'s|ould(?:(?:\'ve|n(?:\'t)?))?)|ome|uch)|th(?:a(?:t(?:\'ll)?|n)|e(?:irs?|m(?:selves)?|re|se|[ny])|is|ose|rough)|un(?:der|til)|very|w(?:asn(?:\'t)?|ere(?:n(?:\'t)?)?|h(?:at|e(?:re|n)|i(?:ch|le)|om)|i(?:ll|th)|o(?:n\'t|uldn(?:\'t)?))|you(?:\'(?:ll|re|ve|d)|r(?:s(?:el(?:ves|f))?)?))
# Spanish
bayes_stopword_es (?:a(?:lg(?:un(?:as|os)|o)|ntes?)|c(?:o(?:mo|ntra)|ua(?:ndo|l))|d(?:esde|onde|urante)|e(?:ll(?:as?|os)|ntre|r(?:a(?:is|[ns])|es)|s(?:as|os|t(?:a(?:(?:ba(?:(?:is|[ns]))?|d(?:(?:as?|os?))?|mos|ndo|r(?:(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?)))?|s))?|e(?:mos)?|o[sy]?|uv(?:i(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|mos|ste(?:is)?|\xc3\xa9(?:ramos|semos))|[eo])|\xc3(?:\xa1(?:(?:bamos|is|[ns]))?|\xa9(?:(?:is|[ns]))?))))|fu(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|i(?:mos|ste(?:is)?)|\xc3\xa9(?:ramos|semos))|h(?:a(?:b(?:i(?:d(?:as?|os?)|endo)|r(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?))|\xc3(?:\xa9is|\xada(?:(?:is|mos|[ns]))?))|sta|y(?:a(?:(?:mos|[ns]))?|\xc3\xa1is))|emos|ub(?:i(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|mos|ste(?:is)?|\xc3\xa9(?:ramos|semos))|[eo]))|m(?:uchos?|\xc3\xad(?:as|os))|n(?:ada|osotr(?:as|os)|uestr(?:as?|os?))|otr(?:as?|os?)|p(?:ara|ero|o(?:co|rque))|quien(?:es)?|s(?:e(?:a(?:mos|[ns])|ntid(?:(?:as?|os?))?|r(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?))|\xc3\xa1is)|i(?:ente|ntiendo)|o(?:bre|is|mos)|uy(?:as?|os?))|t(?:a(?:mbi\xc3\xa9n|nto)|en(?:dr(?:emos|\xc3(?:\xa1[ns]?|\xa9(?:is)?|\xada(?:(?:is|mos|[ns]))?))|e(?:mos|d)|g(?:a(?:(?:mos|[ns]))?|\xc3\xa1is|o)|i(?:d(?:as?|os?)|endo)|\xc3(?:\xa9is|\xada(?:(?:is|mos|[ns]))?))|iene[ns]?|odos?|u(?:v(?:i(?:e(?:r(?:a(?:(?:is|[ns]))?|on)|se(?:(?:is|[ns]))?)|mos|ste(?:is)?|\xc3\xa9(?:ramos|semos))|[eo])|y(?:as?|os?)))|unos|v(?:osotr(?:as|os)|uestr(?:as?|os?))|\xc3\xa9ramos)
# Finnish
bayes_stopword_fi (?^:(?:e(?:iv\xc3\xa4t|mme|tt(?:\xc3\xa4|e))|h(?:ei(?:d\xc3\xa4[nt]|hin|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|\xc3\xa4n(?:e(?:en|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|[nt])|t\xc3\xa4))|itse|jo(?:hon|i(?:den|hin|ksi|l(?:l[ae]|ta)|na|s(?:sa|ta)|ta)|k(?:si|a)|l(?:l[ae]|ta)|n(?:ka|a)|s(?:sa|ta)|t(?:ka|a))|k(?:anssa|e(?:i(?:den|hin|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n\xc3\xa4|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|ne(?:en|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:\xc3\xa4)?|s(?:s\xc3\xa4|t\xc3\xa4)|t)|t(?:k\xc3\xa4|\xc3\xa4))|oska|u(?:in|ka))|m(?:ei(?:d\xc3\xa4[nt]|hin|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|i(?:hin|k(?:si|\xc3\xa4)|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:k\xc3\xa4|u(?:l(?:l[ae]|ta)|s(?:sa|ta)|un|[ant])|\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t(?:k\xc3\xa4|\xc3\xa4))|u(?:kaan|tta))|n(?:ii(?:den|hin|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:\xc3\xa4)?|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|oi(?:den|hin|ksi|l(?:l[ae]|ta)|na?|s(?:sa|ta)|ta)|\xc3\xa4(?:i(?:den|hin|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n\xc3\xa4|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|m\xc3\xa4))|o(?:l(?:e(?:mme|t(?:te)?|n)|i(?:mme|si(?:(?:mme|t(?:te)?|vat|n))?|t(?:te)?|vat|n)|l(?:eet|ut|a))|vat)|poikki|s(?:ek\xc3\xa4|i(?:i(?:hen|n\xc3\xa4|t\xc3\xa4)|ksi|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|n(?:u(?:l(?:l[ae]|ta)|s(?:sa|ta)|un|[ant])|\xc3\xa4)|t\xc3\xa4))|t(?:all\xc3\xa4|ei(?:d\xc3\xa4[nt]|hin|l(?:l(?:\xc3\xa4|e)|t\xc3\xa4)|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4)|uo(?:hon|ksi|l(?:l[ae]|ta)|na?|s(?:sa|ta)|t\xc3\xa4)|\xc3\xa4(?:h\xc3\xa4n|ksi|l(?:le|t\xc3\xa4)|m\xc3\xa4n?|n\xc3\xa4|s(?:s\xc3\xa4|t\xc3\xa4)|t\xc3\xa4))|va(?:an|ikka)))
# French
bayes_stopword_fr (?:a(?:ie(?:nt|s)|ur(?:a(?:(?:i(?:(?:ent|[st]))?|s))?|ez|i(?:ez|ons)|on[st])|v(?:ai(?:ent|[st])|e[cz]|i(?:ez|ons)|ons)|y(?:ant(?:(?:es?|s))?|ez|ons))|dans|e(?:lle|u(?:es|rent|ss(?:e(?:(?:nt|s))?|i(?:ez|ons)))|\xc3\xbb(?:mes|tes))|f(?:u(?:rent|ss(?:e(?:(?:nt|s))?|i(?:ez|ons)))|\xc3\xbb(?:mes|tes))|leur|m(?:ais|\xc3\xaame)|no(?:tre|us)|pour|s(?:er(?:a(?:(?:i(?:(?:ent|[st]))?|s))?|ez|i(?:ez|ons)|on[st])|o(?:i(?:ent|[st])|mmes|nt|y(?:ez|ons))|uis)|vo(?:tre|us)|\xc3(?:\xa9t(?:a(?:i(?:ent|[st])|nt(?:(?:es?|s))?)|i(?:ez|ons)|\xc3\xa9(?:es?|s))|\xaates))
# Greek
bayes_stopword_gr (?^:(?:\xce(?:\xb1(?:\xce(?:\xbb\xce\xbb\xce\xb1|\xbd\xcf\x84\xce\xb9)|\xcf\x85\xcf\x84(?:\xce(?:\xb5\xcf\x83|\xbf(?:(?:\xce\xb9|\xcf(?:\x85\xcf\x83|\x83)))?|[\xb1\xb7])|\xcf\x89\xce\xbd)|\xe1\xbd\x90\xcf\x84(?:\xcf\x8c\xcf\x83|\xe1\xbd\xb8\xcf\x82))|\xb3\xce\xbf\xe1\xbf\xa6\xce\xbd|\xb4\xce\xb1(?:\xce\xaf\xcf\x83|\xe1\xbd\xb6\xcf\x82)|\xb5(?:\xce(?:\xb9(?:\xce(?:\xbc\xce\xb1(?:\xce\xb9|\xcf\x83\xcf\x84\xce\xb5)|\xbd\xce\xb1\xce\xb9)|\xcf\x83(?:\xce\xb1\xce\xb9|\xcf\x84\xce\xb5))|\xba\xce\xb5\xce\xb9\xce\xbd(?:\xce(?:\xb5\xcf\x83|\xbf(?:(?:\xce\xb9|\xcf(?:\x85\xcf\x83|\x83)))?|[\xb1\xb7])|\xcf\x89\xce\xbd))|\xe1\xbc(?:\xb0\xce\xbc(?:\xce\xaf|\xe1\xbd\xb6)|\xb4(?:\xce\xbc\xce\xb9|\xcf\x84\xce\xb5)))|\xb9\xcf\x83\xcf\x89\xcf\x83|\xba\xce\xb1(?:\xce\xaf\xcf\x84\xce\xbf\xce\xb9|\xcf\x84(?:\xce[\xac\xb1]|\xe1\xbd\xb0))|\xbc\xce(?:\xae\xcf\x84\xce\xb5|\xb5\xcf\x84(?:\xce[\xac\xb1]|\xe1\xbd\xb0))|\xbf(?:\xce\xbc\xcf\x89\xcf\x83|\xcf\x80\xcf\x89\xcf\x83|\xe1\xbd(?:\x90(?:\xce\xb4(?:\xce(?:\xb5(?:\xce\xaf\xcf\x83|\xe1\xbd\xb6\xcf\x82)|\xad)|\xe1\xbd\xb2(?:\xce\xbd)?)|\xcf\x87\xe1\xbd\xb6)|\x94\xcf\x84\xce\xb5|\x95\xcf\x84\xcf\x89(?:\xcf[\x82\x83])?|\x97\xcf\x84\xce\xbf\xcf[\x82\x83])))|\xcf(?:\x80(?:\xce(?:\xb1\xcf\x81(?:\xce[\xac\xb1]|\xe1\xbd\xb0)|\xb5\xcf\x81(?:\xce\xaf|\xe1\xbd\xb6)|\xbf(?:\xce\xb9(?:\xce(?:\xb5\xcf\x83|\xbf(?:(?:\xce\xb9|\xcf(?:\x85\xcf\x83|\x83)))?|\xb1)|\xcf\x89\xce\xbd)|\xcf\x84\xce\xb5))|\xcf\x81(?:\xce\xbf\xcf\x83|\xcf\x8c\xcf\x83|\xe1\xbd\xb8\xcf\x82))|\x83\xcf\x84\xce(?:\xb7\xce\xbd|\xbf\xce\xbd)|\x84(?:\xce(?:\xb1\xe1\xbf\x96\xcf\x82|\xb9\xce\xbd\xce\xb1|\xbf(?:\xce\xb9\xce\xbf\xe1\xbf\xa6\xcf\x84\xce\xbf\xcf[\x82\x83]|\xcf(?:\x84\xce\xb5|\x8d\xcf\x83)|\xe1(?:\xbd\xba\xcf\x82|\xbf\x96\xcf\x82)))|\xcf\x8c\xcf\x84\xce\xb5))|\xe1(?:\xbc(?:\x80\xce\xbb\xce\xbb(?:\xce\xac|\xe1\xbd\xb0|\xe2\x80\x99|\')|\x84\xce\xbb\xce\xbb\xce\xbf\xcf[\x82\x83]|\x90(?:\xce\xbc(?:\xcf\x8c\xcf\x83|\xe1\xbd\xb8\xcf\x82)|\xcf(?:\x80\xce\xb5\xe1\xbd\xb6|\x83\xcf\x84\xce\xb9))|\x91\xce\xb1\xcf\x85\xcf\x84\xce\xbf\xe1\xbf\xa6)|\xbd(?:\x85(?:\xce\xb8\xce\xb5\xce\xbd|\xcf(?:\x80\xce\xb5\xcf\x81|\x83\xcf\x84\xce\xb9\xcf[\x82\x83]))|\x91(?:\xce\xbc\xcf\x8c\xcf\x83|\xcf\x80(?:\xce\xad\xcf\x81|\xe1\xbd\xb2\xcf\x81))|\xa5\xcf\x83\xcf\x84\xce\xb5))))
# Hungarian
bayes_stopword_hu (?^:(?:a(?:bban|h(?:hoz|o(?:gy|l))|k(?:ik|kor)|latt|m(?:ely(?:(?:e(?:k(?:(?:ben|et))?|t)|nek))?|i(?:kor|t)|olyan|\xc3\xadg)|nnak|rr(?:\xc3\xb3l|a)|z(?:o(?:n(?:ban)?|k)|t\xc3\xa1n|ut\xc3\xa1n|zal|\xc3\xa9rt))|be(?:l\xc3\xbcl|nne)|c(?:ikk(?:ek(?:et)?)?|sak)|e(?:bben|ddig|g(?:y(?:e(?:tlen|s)|ik|re|\xc3\xa9b)|\xc3\xa9sz)|hhez|kkor|l(?:len|s\xc3\xb5|\xc3(?:\xa9g|\xb5(?:sz\xc3\xb6r|tt)))|milyen|nnek|rre|z(?:e[kn]|zel|\xc3\xa9rt))|fel\xc3\xa9|h(?:anem|iszen|ogy(?:an)?)|i(?:gen|l(?:l(?:etve|\.)|yen(?:kor)?)|s(?:m\xc3\xa9t|on))|jobban|k(?:e(?:ll(?:ett)?|res(?:s\xc3\xbcnk|zt\xc3\xbcl))|\xc3(?:\xadv\xc3\xbcl|\xb6z\xc3(?:\xb6tt|\xbcl)))|le(?:g(?:al\xc3\xa1bb|yen)|het(?:ett)?|nn[ei]|sz|tt)|m(?:a(?:g(?:\xc3\xa1t|a)|jd)|e(?:l(?:lett|y(?:ek)?)|rt)|i(?:kor|lyen|n(?:d(?:en(?:(?:ki|t))?|ig)|t(?:ha)?)|vel|\xc3\xa9rt)|ost|\xc3\xa1sik)|n(?:agy(?:o(?:bb|n))?|ek(?:em|i)|incs|\xc3\xa9(?:h(?:\xc3\xa1ny|a)|lk\xc3\xbcl))|olyan|pe(?:dig|rsze)|s(?:aj\xc3\xa1t|emmi|ok(?:at|kal)|z(?:e(?:mben|rint)|inte|\xc3\xa1m\xc3\xa1ra))|t(?:al\xc3\xa1n|e(?:h\xc3\xa1t|ljes)|ov\xc3\xa1bb(?:\xc3\xa1)?|\xc3\xb6bb)|u(?:gyanis|t(?:ols\xc3\xb3|\xc3\xa1na?))|v(?:a(?:gy(?:(?:is|ok))?|l(?:a(?:ki|mi(?:nt)?)|\xc3\xb3)|nnak)|ele|is(?:sza|zont)|ol(?:na|t(?:(?:a[km]|unk))?))|\xc3(?:\xa1ltal(?:\xc3\xa1ban)?|\xa9ppen|\xb5ket|\xb6ssze|\xbaj(?:abb|ra))))
# Italian
bayes_stopword_it (?:a(?:bbia(?:(?:mo|no|te))?|gli|ll[aeo]|nche|v(?:e(?:mmo|ndo|s(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|te|v(?:a(?:(?:mo|no|te))?|[io]))|r(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2])|ut[aeio]))|co(?:me|ntro)|d(?:a(?:gli?|ll[aeo]?)|e(?:gli?|ll[aeo]?)|ove)|e(?:bb(?:e(?:ro)?|i)|ra(?:no|va(?:mo|te))|ssendo)|f(?:a(?:c(?:ci(?:a(?:(?:mo|no|te))?|o)|e(?:mmo|ndo|s(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|v(?:a(?:(?:mo|no|te))?|[io])))|nno|r(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2]))|ec(?:e(?:ro)?|i)|os(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|u(?:mmo|rono))|hanno|loro|miei|n(?:e(?:gli?|ll[aeo]?)|ostr[aeio])|perch\xc3\xa9|qu(?:a(?:le|nt[aeio])|e(?:ll[aeio]|st[aeio]))|s(?:ar(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2])|i(?:a(?:mo|no|te)|ete)|ono|t(?:a(?:n(?:do|no)|r(?:a(?:nno|i)|e(?:bbe(?:ro)?|m(?:mo|o)|st[ei]|te|i)|\xc3[\xa0\xb2])|v(?:a(?:(?:mo|no|te))?|[io])|i)|e(?:mmo|s(?:s(?:e(?:ro)?|i(?:mo)?)|t[ei])|tt(?:e(?:ro)?|i))|ia(?:(?:mo|no|te))?)|u(?:gli?|ll[aeo]?|oi))|tu(?:oi|tt[io])|vostr[aeio])
# Norwegian
bayes_stopword_no (?^:(?:alle|b(?:are|egge|l(?:ei|i(?:tt|r))|\xc3\xa5de)|d(?:e(?:i(?:r(?:es|a)|m)|nne|res?|tte)|i(?:sse|tt)|ykk(?:ar)?)|e(?:itt|lle[rs]|tter)|fordi|h(?:a(?:dde|ns)|enn(?:ar|es?)|o(?:nom|ss(?:en)?)|v(?:e[mr]|i(?:lken?|s)|or(?:(?:dan|for))?))|i(?:kk(?:je|e)|n(?:g(?:en|i)|kje|ni))|k(?:or(?:leis|so)|unne|v(?:ar(?:helst)?|en|ifor))|m(?:ange|e(?:dan|get|llom)|i(?:ne|tt)|ykje)|no(?:en|k(?:o[nr]?|re|a))|o(?:gs\xc3\xa5|ver)|s(?:amme|elv|i(?:d(?:an|en)|ne|tt)|j\xc3\xb8l|k(?:al|ulle)|lik|om(?:me|t)|\xc3\xa5nn)|uten|v(?:arte?|er(?:te|e)|ille|or[est]|\xc3\xa6r[et])))
# Portuguese
bayes_stopword_pt (?^:(?:aqu(?:el(?:as?|es?)|ilo)|como|de(?:l(?:as?|es?)|pois)|e(?:l(?:as|es)|ntre|ram|s(?:s(?:as?|es?)|t(?:a(?:(?:mos|vam?|s))?|e(?:(?:ja(?:m(?:os)?)?|ve|s))?|iv(?:e(?:(?:mos|r(?:(?:am?|em|mos))?|ssem?))?|\xc3\xa9(?:ramos|ssemos))|ou|\xc3(?:\xa1(?:vamos)?|\xa3o))))|f(?:o(?:mos|r(?:am?|em|mos)|ssem?)|\xc3\xb4(?:ramos|ssemos))|h(?:a(?:ja(?:m(?:os)?)?|vemos)|ouv(?:e(?:(?:mos|r(?:(?:am?|e(?:m(?:os)?|i)|iam?|mos|\xc3(?:\xa3o|\xadamos|\xa1)))?|ssem?))?|\xc3\xa9(?:ramos|ssemos)))|is(?:so|to)|lhes|m(?:ais|e(?:smo|us)|inhas?|uito)|n(?:oss(?:as?|os?)|uma)|p(?:ara|el(?:as?|os?))|qu(?:a(?:ndo|l)|em)|s(?:e(?:ja(?:m(?:os)?)?|r(?:e(?:mos|i)|iam?|\xc3(?:\xa3o|\xadamos|\xa1))|us)|omos|uas)|t(?:amb\xc3\xa9m|e(?:mos|nh(?:a(?:m(?:os)?)?|o)|r(?:e(?:mos|i)|iam?|\xc3(?:\xa3o|\xadamos|\xa1))|us|ve)|i(?:nham?|v(?:e(?:(?:mos|r(?:(?:am?|em|mos))?|ssem?))?|\xc3\xa9(?:ramos|ssemos)))|uas|\xc3\xadnhamos)|voc\xc3\xaas?|\xc3\xa9ramos))
# Russian
bayes_stopword_ru (?^:(?:\xd0(?:\xb1(?:\xd0\xbe\xd0\xbb(?:\xd0\xb5\xd0\xb5|\xd1\x8c\xd1\x88\xd0\xb5)|\xd1(?:\x83\xd0\xb4(?:\xd0\xb5\xd1\x82|\xd1\x82\xd0\xbe)|\x8b(?:\xd0\xbb\xd0[\xb0\xb8\xbe]|\xd1\x82\xd1\x8c)))|\xb2(?:\xd0(?:\xb4\xd1\x80\xd1\x83\xd0\xb3|\xb5\xd0\xb4\xd1\x8c|\xbf\xd1\x80\xd0\xbe\xd1\x87\xd0\xb5\xd0\xbc)|\xd1\x81\xd0\xb5(?:\xd0\xb3\xd0(?:\xb4\xd0\xb0|\xbe)|\xd1\x85))|\xb4(?:\xd0\xb0\xd0\xb6\xd0\xb5|\xd1\x80\xd1\x83\xd0\xb3\xd0\xbe\xd0\xb9)|\xb5\xd1\x81(?:\xd0\xbb\xd0\xb8|\xd1\x82\xd1\x8c)|\xb7\xd0(?:\xb0\xd1\x87\xd0\xb5\xd0\xbc|\xb4\xd0\xb5\xd1\x81\xd1\x8c)|\xb8\xd0\xbd\xd0\xbe\xd0\xb3\xd0\xb4\xd0\xb0|\xba(?:\xd0(?:\xb0\xd0\xba\xd0(?:\xb0\xd1\x8f|\xbe\xd0\xb9)|\xbe\xd0(?:\xb3\xd0\xb4\xd0\xb0|\xbd\xd0\xb5\xd1\x87\xd0\xbd\xd0\xbe))|\xd1\x83\xd0\xb4\xd0\xb0)|\xbb\xd1\x83\xd1\x87\xd1\x88\xd0\xb5|\xbc\xd0(?:\xb5\xd0(?:\xb6\xd0\xb4\xd1\x83|\xbd\xd1\x8f)|\xbd\xd0\xbe\xd0\xb3\xd0\xbe|\xbe\xd0\xb6\xd0(?:\xb5\xd1\x82|\xbd\xd0\xbe))|\xbd\xd0(?:\xb0\xd0(?:\xb4\xd0\xbe|\xba\xd0\xbe\xd0\xbd\xd0\xb5\xd1\x86)|\xb5\xd0(?:\xb3\xd0\xbe|\xbb\xd1\x8c\xd0\xb7\xd1\x8f)|\xb8(?:\xd0(?:\xb1\xd1\x83\xd0\xb4\xd1\x8c|\xba\xd0\xbe\xd0\xb3\xd0\xb4\xd0\xb0)|\xd1\x87\xd0\xb5\xd0\xb3\xd0\xbe))|\xbe\xd0(?:\xb4\xd0\xb8\xd0\xbd|\xbf\xd1\x8f\xd1\x82\xd1\x8c)|\xbf\xd0(?:\xb5\xd1\x80\xd0\xb5\xd0\xb4|\xbe\xd1(?:\x81\xd0\xbb\xd0\xb5|\x82\xd0\xbe\xd0\xbc(?:\xd1\x83)?|\x87\xd1\x82\xd0\xb8)))|\xd1(?:\x80\xd0\xb0\xd0\xb7\xd0\xb2\xd0\xb5|\x81\xd0(?:\xb2\xd0\xbe\xd1\x8e|\xb5\xd0(?:\xb1(?:\xd0\xb5|\xd1\x8f)|\xb9\xd1\x87\xd0\xb0\xd1\x81)|\xbe\xd0\xb2\xd1\x81\xd0\xb5\xd0\xbc)|\x82\xd0(?:\xb0\xd0\xba\xd0\xbe\xd0\xb9|\xb5\xd0(?:\xb1\xd1\x8f|\xbf\xd0\xb5\xd1\x80\xd1\x8c)|\xbe\xd0(?:\xb3\xd0(?:\xb4\xd0\xb0|\xbe)|\xb6\xd0\xb5|\xbb\xd1\x8c\xd0\xba\xd0\xbe))|\x85\xd0\xbe\xd1(?:\x80\xd0\xbe\xd1\x88\xd0\xbe|\x82\xd1\x8c)|\x87(?:\xd0\xb5(?:\xd0\xb3\xd0\xbe|\xd1\x80\xd0\xb5\xd0\xb7)|\xd1(?:\x82\xd0\xbe\xd0\xb1(?:\xd1\x8b)?|\x83\xd1\x82\xd1\x8c))|\x8d\xd1\x82\xd0\xbe(?:\xd0(?:\xb3\xd0\xbe|[\xb9\xbc])|\xd1\x82))))
# Swedish
bayes_stopword_se (?^:(?:all[at]|bl(?:ev|i(?:vit|r))|d(?:e(?:nna|ras|ssa?|tta)|i(?:na|tt))|e(?:fter|ller)|fr\xc3\xa5n|h(?:a(?:de|ns)|ennes?|onom)|i(?:cke|n(?:gen|om|te))|kunde|m(?:ellan|i(?:na|tt)|ycket)|n\xc3\xa5g(?:o[nt]|ra)|s(?:amma|edan|i(?:na|tta)|j\xc3\xa4lv|kulle|\xc3\xa5dan[at]?)|till|u(?:nder|tan)|v(?:ar(?:f\xc3\xb6r|it|je|[ast])|ilk(?:as?|e[nt])|\xc3\xa5r[at])|\xc3\xb6ver))
# Turkish
bayes_stopword_tr (?^:(?:a(?:caba|sl\xc4\xb1nda)|b(?:az\xc4\xb1|elki|ir(?:ka\xc3\xa7|\xc5\x9fey|i))|d(?:aha|efa|iye)|e\xc4\x9fer|gibi|hepsi|i\xc3\xa7in|n(?:as\xc4\xb1l|e(?:den|r(?:de|e(?:de|ye)))|i(?:ye|\xc3\xa7in))|sanki|veya|yani|\xc3\xa7\xc3\xbcnk\xc3\xbc))
endif
endif

55
sa-updates/60_shortcircuit.cf Normal file
View File

@ -0,0 +1,55 @@
# SpamAssassin rules file: spam and ham shortcircuiting using priorities
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
# SpamAssassin tries hard not to launch DNS queries before priority -100.
# If you want to shortcircuit without launching unneeded queries, make sure
# such rule priority is below -100.
###########################################################################
priority USER_IN_WHITELIST -1000
priority USER_IN_DEF_WHITELIST -1000
priority USER_IN_ALL_SPAM_TO -1000
priority SUBJECT_IN_WHITELIST -1000
priority ALL_TRUSTED -950
priority SUBJECT_IN_BLACKLIST -900
priority USER_IN_BLACKLIST_TO -900
priority USER_IN_BLACKLIST -900
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
# override the default X-Spam-Status line from 10_basic.cf to
# include shortcircuit info. (TODO: do we need a better way
# to extend the default templates like this?)
add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_"
header SHORTCIRCUIT eval:check_shortcircuit()
describe SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
tflags SHORTCIRCUIT userconf noautolearn
endif # Mail::SpamAssassin::Plugin::Shortcircuit

31
sa-updates/60_txrep.cf Normal file
View File

@ -0,0 +1,31 @@
# SpamAssassin rules file: TxRep reputation system
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
ifplugin Mail::SpamAssassin::Plugin::TxRep
header TXREP eval:check_senders_reputation()
describe TXREP Score normalizing based on sender's reputation
tflags TXREP userconf noautolearn
priority TXREP 1000
endif # Mail::SpamAssassin::Plugin::TxRep

234
sa-updates/60_whitelist.cf Normal file
View File

@ -0,0 +1,234 @@
# SpamAssassin rules file: default welcomelists
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
###########################################################################
# Welcomelist rules
#
# Note that most of these get 'noautolearn'. They should not be
# considered when deciding whether to auto-learn a message, as a
# user slip-up could result in scribbling side-effects in the bayes
# db as a result -- which is hard to remedy.
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
#bz7826 renames blacklist to blocklist
header USER_IN_BLOCKLIST eval:check_from_in_blocklist()
describe USER_IN_BLOCKLIST From: address is in the user's block-list
tflags USER_IN_BLOCKLIST userconf nice noautolearn
score USER_IN_BLOCKLIST 100.0
ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST)
describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST
tflags USER_IN_BLACKLIST userconf nice noautolearn
score USER_IN_BLOCKLIST 0.01
score USER_IN_BLACKLIST 100.0
endif
endif
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_BLOCKLIST eval:check_from_in_blacklist()
describe USER_IN_BLOCKLIST From: address is in the user's block-list
tflags USER_IN_BLOCKLIST userconf nice noautolearn
score USER_IN_BLOCKLIST 0.01
meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST)
describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST
tflags USER_IN_BLACKLIST userconf nice noautolearn
score USER_IN_BLACKLIST 100.0
endif
endif
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
#bz7826 renames whitelist to welcomelist
header USER_IN_WELCOMELIST eval:check_from_in_welcomelist()
describe USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
tflags USER_IN_WELCOMELIST userconf nice noautolearn
score USER_IN_WELCOMELIST -100.0
ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
meta USER_IN_WHITELIST (USER_IN_WELCOMELIST)
describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
tflags USER_IN_WHITELIST userconf nice noautolearn
score USER_IN_WELCOMELIST -0.01
score USER_IN_WHITELIST -100.0
endif
endif
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_WELCOMELIST eval:check_from_in_whitelist()
describe USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
tflags USER_IN_WELCOMELIST userconf nice noautolearn
score USER_IN_WELCOMELIST -0.01
meta USER_IN_WHITELIST (USER_IN_WELCOMELIST)
describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
tflags USER_IN_WHITELIST userconf nice noautolearn
score USER_IN_WHITELIST -100.0
endif
endif
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
#bz7826 renames whitelist to welcomelist
header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_welcomelist()
describe USER_IN_DEF_WELCOMELIST From: address is in the default welcome-list
tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn
score USER_IN_DEF_WELCOMELIST -15.0
ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST)
describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
score USER_IN_DEF_WELCOMELIST -0.01
score USER_IN_DEF_WHITELIST -15.0
endif
endif
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_whitelist()
describe USER_IN_DEF_WELCOMELIST From: address is in the default welcome-list
tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn
score USER_IN_DEF_WELCOMELIST -0.01
meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST)
describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_DEF_WELCOMELIST
tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
score USER_IN_DEF_WHITELIST -15.0
endif
endif
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
#bz7826 renames blacklist to blocklist
header USER_IN_BLOCKLIST_TO eval:check_to_in_blocklist()
describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to'
tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn
score USER_IN_BLOCKLIST 10.0
ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO)
describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO
tflags USER_IN_BLACKLIST_TO userconf nice noautolearn
score USER_IN_BLOCKLIST_TO 0.01
score USER_IN_BLACKLIST_TO 10.0
endif
endif
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_BLOCKLIST_TO eval:check_to_in_blacklist()
describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to'
tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn
score USER_IN_BLOCKLIST_TO 0.01
meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO)
describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO
tflags USER_IN_BLACKLIST_TO userconf nice noautolearn
score USER_IN_BLACKLIST_TO 10.0
endif
endif
if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
#bz7826 renames whitelist to welcomelist
header USER_IN_WELCOMELIST_TO eval:check_to_in_welcomelist()
describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to'
tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn
score USER_IN_WELCOMELIST_TO -6.0
ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged
meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO)
describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO
tflags USER_IN_WHITELIST_TO userconf nice noautolearn
score USER_IN_WELCOMELIST_TO -0.01
score USER_IN_WHITELIST_TO -6.0
endif
endif
else
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_WELCOMELIST_TO eval:check_to_in_whitelist()
describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to'
tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn
score USER_IN_WELCOMELIST_TO -0.01
meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO)
describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO
tflags USER_IN_WHITELIST_TO userconf nice noautolearn
score USER_IN_WHITELIST_TO -6.0
endif
endif
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header USER_IN_MORE_SPAM_TO eval:check_to_in_more_spam()
describe USER_IN_MORE_SPAM_TO User is listed in 'more_spam_to'
tflags USER_IN_MORE_SPAM_TO userconf nice noautolearn
header USER_IN_ALL_SPAM_TO eval:check_to_in_all_spam()
describe USER_IN_ALL_SPAM_TO User is listed in 'all_spam_to'
tflags USER_IN_ALL_SPAM_TO userconf nice noautolearn
endif
if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
body URI_HOST_IN_BLACKLIST eval:check_uri_host_in_blacklist()
describe URI_HOST_IN_BLACKLIST Host or Domain is listed in the user's URI black-list
tflags URI_HOST_IN_BLACKLIST userconf noautolearn
body URI_HOST_IN_WHITELIST eval:check_uri_host_in_whitelist()
describe URI_HOST_IN_WHITELIST Host or Domain is listed in the user's URI white-list
tflags URI_HOST_IN_WHITELIST userconf nice noautolearn
# Bug 7256, using a header rule with an eval() function does not work the way
# this was intended.
# header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK')
# describe HEADER_HOST_IN_BLACKLIST Host or Domain in header is listed in the user's URI black-list
# tflags HEADER_HOST_IN_BLACKLIST userconf noautolearn
# header HEADER_HOST_IN_WHITELIST eval:check_uri_host_listed('WHITE')
# describe HEADER_HOST_IN_WHITELIST Host or Domain in header is listed in the user's URI white-list
# tflags HEADER_HOST_IN_WHITELIST userconf nice noautolearn
endif
endif
###########################################################################
# Default welcomelists. These should be addresses which send mail that is often
# tagged (incorrectly) as spam; it also helps that they be addresses of big
# companies with lots of lawyers, so if spammers impersonate them, they'll get
# into big trouble, so it doesn't provide a shortcut around SpamAssassin.
#
# Welcomelist and blocklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
#
# Please do not add unmoderated public mailing lists here. They are
# too easily abused by spammers.
# Should really not be used these days, use def_welcomelist_auth if possible.
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# def_welcomelist_from_rcvd *@foo.com foo.com
endif

2003
sa-updates/60_whitelist_auth.cf Normal file
View File

File diff suppressed because it is too large Load Diff

158
sa-updates/60_whitelist_dkim.cf Normal file
View File

@ -0,0 +1,158 @@
# SpamAssassin rules file: default DKIM whitelists
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
###########################################################################
# DKIM whitelist rules
ifplugin Mail::SpamAssassin::Plugin::DKIM
header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from()
describe USER_IN_DKIM_WHITELIST From: address is in the user's DKIM whitelist
tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf
reuse USER_IN_DKIM_WHITELIST
header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from()
describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
tflags USER_IN_DEF_DKIM_WL nice noautolearn net
reuse USER_IN_DEF_DKIM_WL
###########################################################################
# Default whitelists. These should be e-mail addresses of authors (i.e.
# addresses in the From header field) which send mail that is often
# tagged (incorrectly) as spam. DKIM whitelisting only applies to mail
# with a valid DKIM (or older DK) signature. An optional second parameter
# can specify a signing domain (the 'd' tag), if different from author's
# domain. Please see Mail::SpamAssassin::Plugin::DKIM man page for details.
#
# Whitelist and blacklist addresses are file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
def_whitelist_from_dkim *@*.ebay.com ebay.com
def_whitelist_from_dkim *@ebay.com
def_whitelist_from_dkim *@ebay.co.uk
def_whitelist_from_dkim *@*.ebay.co.uk
def_whitelist_from_dkim *@ebay.at
def_whitelist_from_dkim *@*.ebay.at
def_whitelist_from_dkim *@ebay.be
def_whitelist_from_dkim *@*.ebay.be
def_whitelist_from_dkim *@ebay.de
def_whitelist_from_dkim *@*.ebay.de
def_whitelist_from_dkim *@ebay.es
def_whitelist_from_dkim *@*.ebay.es
def_whitelist_from_dkim *@ebay.fr
def_whitelist_from_dkim *@*.ebay.fr
def_whitelist_from_dkim *@ebay.ie
def_whitelist_from_dkim *@*.ebay.ie
def_whitelist_from_dkim *@ebay.it
def_whitelist_from_dkim *@*.ebay.it
def_whitelist_from_dkim *@ebay.nl
def_whitelist_from_dkim *@*.ebay.nl
def_whitelist_from_dkim *@ebay.pt
def_whitelist_from_dkim *@*.ebay.pt
def_whitelist_from_dkim *@ebay.ca
def_whitelist_from_dkim *@*.ebay.ca
def_whitelist_from_dkim *@* paypal.com
def_whitelist_from_dkim *@paypal.com
def_whitelist_from_dkim *@*.paypal.com
def_whitelist_from_dkim *@paypal.co.uk
def_whitelist_from_dkim *@*.paypal.co.uk
def_whitelist_from_dkim *@paypal.at
def_whitelist_from_dkim *@*.paypal.at
def_whitelist_from_dkim *@paypal.be
def_whitelist_from_dkim *@*.paypal.be
def_whitelist_from_dkim *@paypal.de
def_whitelist_from_dkim *@*.paypal.de
def_whitelist_from_dkim *@paypal.es
def_whitelist_from_dkim *@*.paypal.es
def_whitelist_from_dkim *@paypal.fr
def_whitelist_from_dkim *@*.paypal.fr
def_whitelist_from_dkim *@paypal.ie
def_whitelist_from_dkim *@*.paypal.ie
def_whitelist_from_dkim *@paypal.it
def_whitelist_from_dkim *@*.paypal.it
def_whitelist_from_dkim *@paypal.nl
def_whitelist_from_dkim *@*.paypal.nl
def_whitelist_from_dkim *@paypal.pt
def_whitelist_from_dkim *@*.paypal.pt
def_whitelist_from_dkim *@paypal.ca
def_whitelist_from_dkim *@*.paypal.ca
def_whitelist_from_dkim *@cisco.com
def_whitelist_from_dkim *@lh.lufthansa.com
def_whitelist_from_dkim *@*.milesandmore.com
def_whitelist_from_dkim *@mail.hotels.com
def_whitelist_from_dkim *@email.hotels.com
def_whitelist_from_dkim *@alert.bankofamerica.com
def_whitelist_from_dkim *@ealerts.bankofamerica.com
def_whitelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com
def_whitelist_from_dkim *@cc.yahoo-inc.com
def_whitelist_from_dkim googlealerts-noreply@google.com
def_whitelist_from_dkim *@*.google.com
def_whitelist_from_dkim *@springer.delivery.net
def_whitelist_from_dkim *@sci.scientific-direct.net
def_whitelist_from_dkim *@strongmail.the-scientist.com
def_whitelist_from_dkim *@ealert.nature.com
def_whitelist_from_dkim *@gateways.nature.com
def_whitelist_from_dkim *@information.nature.com
def_whitelist_from_dkim *@newsdesk.world-nuclear-news.org
def_whitelist_from_dkim *@biocompare.com
def_whitelist_from_dkim *@dentalcompare.com
def_whitelist_from_dkim *@medcompare.com
def_whitelist_from_dkim *@itbusinessedge.com
def_whitelist_from_dkim *@nl.reuters.com
def_whitelist_from_dkim *@email.washingtonpost.com
def_whitelist_from_dkim *@washingtontimesmail.com
def_whitelist_from_dkim *@info-aaas.org
def_whitelist_from_dkim *@*.newsmax.com
def_whitelist_from_dkim *@zdnet.online.com
def_whitelist_from_dkim *@m-w.com
def_whitelist_from_dkim *@skype.net
def_whitelist_from_dkim *@*.skype.net
def_whitelist_from_dkim *@*.skype.net skype.net
def_whitelist_from_dkim *@*.skype.com
def_whitelist_from_dkim *@*.skype.com skype.com
#consider also:
# def_whitelist_from_dkim *@avaaz.org
# def_whitelist_from_dkim *@techrepublic.online.com
# def_whitelist_from_dkim ezines@arcamax.com
# def_whitelist_from_dkim *@yousendit.com
# def_whitelist_from_dkim *@meetup.com
# def_whitelist_from_dkim *@astrology.com
# def_whitelist_from_dkim *@google.com
# def_whitelist_from_dkim *@amazon.com
# def_whitelist_from_dkim *@amazon.co.uk
# def_whitelist_from_dkim *@amazon.de
# def_whitelist_from_dkim *@amazon.fr
def_whitelist_from_dkim *@imdb.com amazonses.com
def_whitelist_from_dkim *@dhl.com
def_whitelist_from_dkim *@tumblr.com
def_whitelist_from_dkim *@fisglobal.com
def_whitelist_from_dkim *@*.msgfocus.com
def_whitelist_from_dkim *@boredpanda.com mailersend.com
endif # Mail::SpamAssassin::Plugin::DKIM

87
sa-updates/60_whitelist_spf.cf Normal file
View File

@ -0,0 +1,87 @@
# SpamAssassin rules file: default SPF whitelists
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
###########################################################################
# SPF whitelist rules
ifplugin Mail::SpamAssassin::Plugin::SPF
header USER_IN_SPF_WHITELIST eval:check_for_spf_whitelist_from()
describe USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist
tflags USER_IN_SPF_WHITELIST userconf nice noautolearn net
reuse USER_IN_SPF_WHITELIST
header USER_IN_DEF_SPF_WL eval:check_for_def_spf_whitelist_from()
describe USER_IN_DEF_SPF_WL From: address is in the default SPF white-list
tflags USER_IN_DEF_SPF_WL userconf nice noautolearn net
reuse USER_IN_DEF_SPF_WL
meta ENV_AND_HDR_SPF_MATCH (USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH)
describe ENV_AND_HDR_SPF_MATCH Env and Hdr From used in default SPF WL Match
tflags ENV_AND_HDR_SPF_MATCH userconf nice noautolearn net
###########################################################################
# Default whitelists. These should be addresses which send mail that is often
# tagged (incorrectly) as spam; it also helps that they be addresses of big
# companies with lots of lawyers, so if spammers impersonate them, they'll get
# into big trouble, so it doesn't provide a shortcut around SpamAssassin.
#
# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
#
# Please do not add unmoderated public mailing lists here. They are
# too easily abused by spammers.
def_whitelist_from_spf *@nytimes.com
def_whitelist_from_spf *@amazon.com
def_whitelist_from_spf *@amazon.co.uk
def_whitelist_from_spf *@*.amazon.co.uk
def_whitelist_from_spf *@ora.com
def_whitelist_from_spf *@*.ora.com
def_whitelist_from_spf *@mypoints.com
def_whitelist_from_spf *@*.mypoints.com
def_whitelist_from_spf *@paypal.com
def_whitelist_from_spf *@ebay.com
def_whitelist_from_spf *@foolsubs.com
def_whitelist_from_spf *@match.com
# bugtraq: can contain malicious Javascript etc.
def_whitelist_from_spf *@securityfocus.com
def_whitelist_from_spf *@mediaunspun.imakenews.net
# sender of Cringley newsletter
def_whitelist_from_spf *@bdcimail.com
# Silicon.com newslettters - we see thousands of these
def_whitelist_from_spf *@silicon.com
# C|Net news.com newsletters
def_whitelist_from_spf *@newsletter.online.com
# bug 1348
def_whitelist_from_spf *@enews.buy.com
def_whitelist_from_spf *@palm.m0.net
def_whitelist_from_spf *@handspring.4at1.com
endif # Mail::SpamAssassin::Plugin::SPF

42
sa-updates/60_whitelist_subject.cf Normal file
View File

@ -0,0 +1,42 @@
# SpamAssassin rules file: default whitelist/blacklist subject
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
###########################################################################
# Whitelist/Blacklist rules
#
# Note that most of these get 'noautolearn'. They should not be
# considered when deciding whether to auto-learn a message, as a
# user slip-up could result in scribbling side-effects in the bayes
# db as a result -- which is hard to remedy.
ifplugin Mail::SpamAssassin::Plugin::WhiteListSubject
header SUBJECT_IN_WHITELIST eval:check_subject_in_whitelist()
describe SUBJECT_IN_WHITELIST Subject: contains string in the user's white-list
tflags SUBJECT_IN_WHITELIST userconf nice noautolearn
header SUBJECT_IN_BLACKLIST eval:check_subject_in_blacklist()
describe SUBJECT_IN_BLACKLIST Subject: contains string in the user's black-list
tflags SUBJECT_IN_BLACKLIST userconf noautolearn
endif # Mail::SpamAssassin::Plugin::WhiteListSubject

10327
sa-updates/72_active.cf Normal file
View File

File diff suppressed because one or more lines are too long

424
sa-updates/72_scores.cf Normal file
View File

@ -0,0 +1,424 @@
score ACCT_PHISHING_MANY 2.999 2.999 2.999 2.999
score AC_BR_BONANZA 0.001 0.001 0.001 0.001
score AC_DIV_BONANZA 0.001 0.001 0.001 0.001
score AC_FROM_MANY_DOTS 3.000 2.999 3.000 2.999
score AC_HTML_NONSENSE_TAGS 1.999 1.999 1.999 1.999
score AC_POST_EXTRAS 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS1 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS10 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS11 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS12 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS2 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS3 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS4 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS8 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS9 1.000 1.000 1.000 1.000
score ADMITS_SPAM 4.099 3.699 4.099 3.699
score ADVANCE_FEE_2_NEW_FORM 1.000 1.000 1.000 1.000
score ADVANCE_FEE_2_NEW_FRM_MNY 1.419 2.499 1.419 2.499
score ADVANCE_FEE_2_NEW_MONEY 0.675 0.001 0.675 0.001
score ADVANCE_FEE_3_NEW 2.848 0.586 2.848 0.586
score ADVANCE_FEE_3_NEW_FRM_MNY 0.001 1.606 0.001 1.606
score ADVANCE_FEE_3_NEW_MONEY 2.999 2.899 2.999 2.899
score ADVANCE_FEE_4_NEW 2.550 2.149 2.550 2.149
score ADVANCE_FEE_4_NEW_FRM_MNY 0.001 0.001 0.001 0.001
score ADVANCE_FEE_4_NEW_MONEY 1.690 0.431 1.690 0.431
score ADVANCE_FEE_5_NEW 2.801 2.999 2.801 2.999
score ADVANCE_FEE_5_NEW_FRM_MNY 0.001 0.001 0.001 0.001
score ADVANCE_FEE_5_NEW_MONEY 0.001 0.001 0.001 0.001
score AD_PREFS 0.250 0.250 0.250 0.250
score ALIBABA_IMG_NOT_RCVD_ALI 2.500 2.499 2.500 2.499
score AMAZON_IMG_NOT_RCVD_AMZN 2.499 1.780 2.499 1.780
score APP_DEVELOPMENT_FREEM 1.000 1.000 1.000 1.000
score APP_DEVELOPMENT_NORDNS 1.999 1.999 1.999 1.999
score AXB_XMAILER_MIMEOLE_OL_024C2 0.001 0.001 0.001 0.001
score AXB_XMAILER_MIMEOLE_OL_1ECD5 1.097 0.558 1.097 0.558
score BIGNUM_EMAILS_FREEM 0.001 0.001 0.001 0.001
score BIGNUM_EMAILS_MANY 2.999 2.999 2.999 2.999
score BITCOIN_BOMB 1.000 1.000 1.000 1.000
score BITCOIN_DEADLINE 0.001 0.001 0.001 0.001
score BITCOIN_EXTORT_01 0.001 0.714 0.001 0.714
score BITCOIN_EXTORT_02 1.000 1.000 1.000 1.000
score BITCOIN_IMGUR 3.499 3.499 3.499 3.499
score BITCOIN_MALF_HTML 3.499 3.499 3.499 3.499
score BITCOIN_MALWARE 2.021 0.001 2.021 0.001
score BITCOIN_OBFU_SUBJ 0.055 2.966 0.055 2.966
score BITCOIN_ONAN 2.599 2.999 2.599 2.999
score BITCOIN_PAY_ME 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_01 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_02 2.480 1.790 2.480 1.790
score BITCOIN_SPAM_03 1.000 1.911 1.000 1.911
score BITCOIN_SPAM_04 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_05 0.001 0.001 0.001 0.001
score BITCOIN_SPAM_06 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_07 3.499 3.499 3.499 3.499
score BITCOIN_SPAM_08 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_09 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_10 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_11 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_12 1.000 1.000 1.000 1.000
score BITCOIN_SPF_ONLYALL 0.001 1.000 0.001 1.000
score BITCOIN_XPRIO 0.309 0.867 0.309 0.867
score BITCOIN_YOUR_INFO 2.113 0.001 2.113 0.001
score BODY_EMPTY 1.999 0.986 1.999 0.986
score BODY_SINGLE_URI 2.499 0.001 2.499 0.001
score BODY_SINGLE_WORD 0.245 0.964 0.245 0.964
score BODY_URI_ONLY 2.608 1.905 2.608 1.905
score BOGUS_MIME_VERSION 3.500 3.499 3.500 3.499
score BOGUS_MSM_HDRS 1.000 1.000 1.000 1.000
score BOMB_FREEM 1.999 1.373 1.999 1.373
score BOMB_MONEY 1.855 2.142 1.855 2.142
score BTC_ORG 1.000 1.000 1.000 1.000
score BULK_RE_SUSP_NTLD 1.000 1.000 1.000 1.000
score CANT_SEE_AD 1.000 1.000 1.000 1.000
score CK_HELO_GENERIC 0.249 0.250 0.249 0.250
score COMMENT_GIBBERISH 1.000 1.000 1.000 1.000
score COMPENSATION 1.126 1.000 1.126 1.000
score CONTENT_AFTER_HTML 2.499 2.499 2.499 2.499
score CTE_8BIT_MISMATCH 0.999 0.999 0.999 0.999
score DAY_I_EARNED 1.000 1.000 1.000 1.000
score DEAR_BENEFICIARY 0.001 0.001 0.001 0.001
score DKIMWL_BL 0.001 2.999 0.001 2.999
score DKIMWL_BLOCKED 0.001 0.001 0.001 0.001
score DKIMWL_WL_HIGH 0.001 -0.001 0.001 -0.001
score DKIMWL_WL_MED 0.001 -0.001 0.001 -0.001
score DKIMWL_WL_MEDHI 0.001 -1.000 0.001 -1.000
score DOTGOV_IMAGE 1.000 1.000 1.000 1.000
score DSN_NO_MIMEVERSION 1.999 1.999 1.999 1.999
score DYNAMIC_IMGUR 3.106 3.999 3.106 3.999
score EBAY_IMG_NOT_RCVD_EBAY 2.320 2.999 2.320 2.999
score ENCRYPTED_MESSAGE -1.000 -1.000 -1.000 -1.000
score END_FUTURE_EMAILS 2.100 1.571 2.100 1.571
score ENVFROM_GOOG_TRIX 1.000 1.000 1.000 1.000
score FAKE_REPLY_A1 3.099 2.600 3.099 2.600
score FBI_MONEY 1.000 1.000 1.000 1.000
score FBI_SPOOF 1.000 1.000 1.000 1.000
score FILL_THIS_FORM 1.199 0.001 1.199 0.001
score FONT_INVIS_DIRECT 1.445 2.946 1.445 2.946
score FONT_INVIS_DOTGOV 1.000 1.000 1.000 1.000
score FONT_INVIS_HTML_NOHTML 1.759 1.631 1.759 1.631
score FONT_INVIS_LONG_LINE 1.000 1.000 1.000 1.000
score FONT_INVIS_MSGID 2.425 1.710 2.425 1.710
score FONT_INVIS_NORDNS 2.499 2.500 2.499 2.500
score FONT_INVIS_POSTEXTRAS 1.000 1.000 1.000 1.000
score FORM_FRAUD 0.999 0.999 0.999 0.999
score FORM_FRAUD_3 0.001 0.001 0.001 0.001
score FORM_FRAUD_5 0.001 0.001 0.001 0.001
score FORM_LOW_CONTRAST 1.000 1.000 1.000 1.000
score FOUND_YOU 2.991 3.249 2.991 3.249
score FREEMAIL_FORGED_FROMDOMAIN 0.249 0.249 0.249 0.249
score FREEM_FRNUM_UNICD_EMPTY 1.000 1.000 1.000 1.000
score FRNAME_IN_MSG_XPRIO_NO_SUB 1.000 1.000 1.000 1.000
score FROM_2_EMAILS_SHORT 2.999 2.999 2.999 2.999
score FROM_ADDR_WS 2.999 2.999 2.999 2.999
score FROM_BANK_NOAUTH 0.001 1.000 0.001 1.000
score FROM_FMBLA_NDBLOCKED 0.001 0.001 0.001 0.001
score FROM_FMBLA_NEWDOM 0.001 1.499 0.001 1.499
score FROM_FMBLA_NEWDOM14 0.001 1.000 0.001 1.000
score FROM_FMBLA_NEWDOM28 0.001 0.799 0.001 0.799
score FROM_GOV_DKIM_AU 0.001 -0.001 0.001 -0.001
score FROM_GOV_REPLYTO_FREEMAIL 0.001 1.000 0.001 1.000
score FROM_GOV_SPOOF 0.001 0.999 0.001 0.999
score FROM_IN_TO_AND_SUBJ 2.399 2.199 2.399 2.199
score FROM_MISSPACED 0.001 0.001 0.001 0.001
score FROM_MISSP_DYNIP 1.582 2.299 1.582 2.299
score FROM_MISSP_EH_MATCH 0.001 0.001 0.001 0.001
score FROM_MISSP_FREEMAIL 0.397 0.001 0.397 0.001
score FROM_MISSP_MSFT 0.001 0.001 0.001 0.001
score FROM_MISSP_REPLYTO 0.001 0.001 0.001 0.001
score FROM_MISSP_SPF_FAIL 0.001 0.001 0.001 0.001
score FROM_MISSP_TO_UNDISC 1.457 1.981 1.457 1.981
score FROM_MISSP_USER 0.001 0.001 0.001 0.001
score FROM_MULTI_NORDNS 0.348 0.971 0.348 0.971
score FROM_NEWDOM_BTC 0.001 1.000 0.001 1.000
score FROM_NTLD_LINKBAIT 1.000 0.418 1.000 0.418
score FROM_NTLD_REPLY_FREEMAIL 1.484 1.999 1.484 1.999
score FROM_NUMBERO_NEWDOMAIN 0.001 1.000 0.001 1.000
score FROM_NUMERIC_TLD 1.000 1.000 1.000 1.000
score FROM_PAYPAL_SPOOF 0.001 0.434 0.001 0.434
score FROM_SUSPICIOUS_NTLD 0.499 0.500 0.499 0.500
score FROM_SUSPICIOUS_NTLD_FP 1.999 0.001 1.999 0.001
score FROM_WEBSITE 2.599 2.399 2.599 2.399
score FROM_WSP_TRAIL 2.131 2.299 2.131 2.299
score FSL_BULK_SIG 0.001 0.001 0.001 0.001
score FSL_CTYPE_WIN1251 0.001 0.001 0.001 0.001
score FSL_NEW_HELO_USER 0.001 0.001 0.001 0.001
score FUZZY_AMAZON 2.699 2.599 2.699 2.599
score FUZZY_BITCOIN 2.399 0.092 2.399 0.092
score GAPPY_SALES_LEADS_FREEM 1.000 1.000 1.000 1.000
score GB_FAKE_RF_SHORT 1.999 1.999 1.999 1.999
score GB_FORGED_MUA_POSTFIX 1.000 1.000 1.000 1.000
score GB_FREEMAIL_DISPTO 0.499 0.001 0.499 0.001
score GB_FREEMAIL_DISPTO_NOTFREEM 0.500 0.499 0.500 0.499
score GB_GOOGLE_OBFUR 0.750 0.750 0.750 0.750
score GB_GOOGLE_OBFUS 0.749 0.391 0.749 0.391
score GOOGLE_DOCS_PHISH 1.000 1.000 1.000 1.000
score GOOGLE_DOCS_PHISH_MANY 1.000 1.000 1.000 1.000
score GOOGLE_DOC_SUSP 2.999 2.999 2.999 2.999
score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.000 1.000 1.000 1.000
score GOOG_MALWARE_DNLD 1.000 1.000 1.000 1.000
score GOOG_REDIR_NORDNS 2.601 2.211 2.601 2.211
score GOOG_STO_HTML_PHISH 2.391 2.999 2.391 2.999
score GOOG_STO_HTML_PHISH_MANY 3.695 1.000 3.695 1.000
score GOOG_STO_IMG_HTML 3.000 2.999 3.000 2.999
score GOOG_STO_IMG_NOHTML 2.499 2.499 2.499 2.499
score GOOG_STO_NOIMG_HTML 2.999 2.999 2.999 2.999
score HAS_X_NO_RELAY 1.000 1.000 1.000 1.000
score HAS_X_OUTGOING_SPAM_STAT 2.151 2.562 2.151 2.562
score HDRS_LCASE 0.100 0.099 0.100 0.099
score HDRS_LCASE_IMGONLY 0.100 0.099 0.100 0.099
score HDRS_MISSP 2.447 1.939 2.447 1.939
score HDR_ORDER_FTSDMCXX_DIRECT 1.999 0.073 1.999 0.073
score HDR_ORDER_FTSDMCXX_NORDNS 0.001 0.001 0.001 0.001
score HEADER_FROM_DIFFERENT_DOMAINS 0.250 0.249 0.250 0.249
score HELO_MISC_IP 0.080 0.174 0.080 0.174
score HELO_NO_DOMAIN 0.001 0.001 0.001 0.001
score HEXHASH_WORD 1.000 1.000 1.000 1.000
score HK_CTE_RAW 1.000 1.000 1.000 1.000
score HK_NAME_FM_MR_MRS 1.499 1.499 1.499 1.499
score HK_NAME_MR_MRS 0.999 0.999 0.999 0.999
score HK_RANDOM_FROM 0.999 0.999 0.999 0.999
score HK_RANDOM_REPLYTO 0.001 0.001 0.001 0.001
score HK_RCVD_IP_MULTICAST 1.000 1.000 1.000 1.000
score HK_SCAM 0.001 0.001 0.001 0.001
score HK_WIN 0.999 0.999 0.999 0.999
score HOSTED_IMG_DIRECT_MX 3.297 2.351 3.297 2.351
score HOSTED_IMG_DQ_UNSUB 1.000 1.000 1.000 1.000
score HOSTED_IMG_FREEM 3.499 3.437 3.499 3.437
score HOSTED_IMG_MULTI 1.552 1.755 1.552 1.755
score HOSTED_IMG_MULTI_PUB_01 1.200 2.196 1.200 2.196
score HTML_ENTITY_ASCII 2.999 2.948 2.999 2.948
score HTML_ENTITY_ASCII_TINY 1.000 1.000 1.000 1.000
score HTML_OFF_PAGE 2.999 2.999 2.999 2.999
score HTML_SHRT_CMNT_OBFU_MANY 0.849 1.220 0.849 1.220
score HTML_SINGLET_MANY 0.780 1.331 0.780 1.331
score HTML_TEXT_INVISIBLE_FONT 1.999 1.999 1.999 1.999
score HTML_TEXT_INVISIBLE_STYLE 1.830 1.424 1.830 1.424
score IMG_ONLY_FM_DOM_INFO 0.001 0.712 0.001 0.712
score JH_SPAMMY_HEADERS 3.499 3.499 3.499 3.499
score JH_SPAMMY_PATTERN01 2.864 0.047 2.864 0.047
score JH_SPAMMY_PATTERN02 1.000 1.000 1.000 1.000
score KHOP_FAKE_EBAY 0.299 0.135 0.299 0.135
score KHOP_HELO_FCRDNS 0.400 0.399 0.400 0.399
score LIST_PRTL_PUMPDUMP 1.000 1.000 1.000 1.000
score LIST_PRTL_SAME_USER 0.001 0.697 0.001 0.697
score LONG_HEX_URI 2.844 1.887 2.844 1.887
score LONG_IMG_URI 1.688 1.178 1.688 1.178
score LONG_INVISIBLE_TEXT 0.588 1.326 0.588 1.326
score LOTS_OF_MONEY 0.010 0.010 0.010 0.010
score LOTTO_AGENT 0.001 0.001 0.001 0.001
score LUCRATIVE 1.000 1.000 1.000 1.000
score MALFORMED_FREEMAIL 3.099 1.003 3.099 1.003
score MALF_HTML_B64 1.000 1.000 1.000 1.000
score MALWARE_NORDNS 0.001 1.263 0.001 1.263
score MALWARE_PASSWORD 1.000 1.000 1.000 1.000
score MANY_HDRS_LCASE 0.100 0.100 0.100 0.100
score MANY_SPAN_IN_TEXT 2.399 2.299 2.399 2.299
score MAY_BE_FORGED 2.529 2.600 2.529 2.600
score MILLION_HUNDRED 0.001 0.001 0.001 0.001
score MILLION_USD 0.001 0.001 0.001 0.001
score MIMEOLE_DIRECT_TO_MX 0.001 0.001 0.001 0.001
score MIME_NO_TEXT 1.000 1.000 1.000 1.000
score MIXED_AREA_CASE 0.727 0.910 0.727 0.910
score MIXED_CENTER_CASE 2.499 2.499 2.499 2.499
score MIXED_CTYPE_CASE 0.965 1.479 0.965 1.479
score MIXED_ES 2.399 2.299 2.399 2.299
score MIXED_FONT_CASE 2.499 2.499 2.499 2.499
score MIXED_HREF_CASE 1.999 1.999 1.999 1.999
score MIXED_IMG_CASE 2.999 2.583 2.999 2.583
score MONERO_DEADLINE 1.000 1.000 1.000 1.000
score MONERO_EXTORT_01 1.000 1.000 1.000 1.000
score MONERO_MALWARE 1.000 1.000 1.000 1.000
score MONERO_PAY_ME 1.000 1.000 1.000 1.000
score MONEY_ATM_CARD 0.001 0.001 0.001 0.001
score MONEY_FORM 0.001 0.001 0.001 0.001
score MONEY_FORM_SHORT 0.001 0.001 0.001 0.001
score MONEY_FRAUD_3 2.799 2.699 2.799 2.699
score MONEY_FRAUD_5 0.001 0.001 0.001 0.001
score MONEY_FRAUD_8 0.001 0.001 0.001 0.001
score MONEY_FREEMAIL_REPTO 2.993 1.640 2.993 1.640
score MONEY_FROM_41 1.999 1.999 1.999 1.999
score MONEY_FROM_MISSP 0.001 0.001 0.001 0.001
score MONEY_NOHTML 1.246 0.590 1.246 0.590
score MSGID_DOLLARS_URI_IMG 1.000 1.000 1.000 1.000
score MSGID_HDR_MALF 2.359 3.499 2.359 3.499
score MSGID_NOFQDN1 0.498 0.001 0.498 0.001
score MSMAIL_PRI_ABNORMAL 0.517 0.671 0.517 0.671
score MSM_PRIO_REPTO 1.000 1.000 1.000 1.000
score NAME_EMAIL_DIFF 2.002 0.632 2.002 0.632
score NA_DOLLARS 1.499 1.499 1.499 1.499
score NEWEGG_IMG_NOT_RCVD_NEGG 1.000 1.000 1.000 1.000
score NICE_REPLY_A -0.001 -0.001 -0.001 -0.001
score NORDNS_LOW_CONTRAST 1.784 2.301 1.784 2.301
score NO_FM_NAME_IP_HOSTN 0.001 0.001 0.001 0.001
score NSL_RCVD_FROM_USER 0.001 0.001 0.001 0.001
score NSL_RCVD_HELO_USER 0.001 0.001 0.001 0.001
score NUMBEREND_LINKBAIT 0.582 0.001 0.582 0.001
score OBFU_BITCOIN 0.001 0.001 0.001 0.001
score OBFU_UNSUB_UL 2.400 2.199 2.400 2.199
score ODD_FREEM_REPTO 2.999 2.670 2.999 2.670
score OFFER_ONLY_AMERICA 1.310 1.999 1.310 1.999
score ONLINE_MKTG_CNSLT 2.599 0.001 2.599 0.001
score ORDER_TODAY 2.499 0.429 2.499 0.429
score PDS_BAD_THREAD_QP_64 1.000 0.999 1.000 0.999
score PDS_BTC_ID 0.500 0.499 0.500 0.499
score PDS_BTC_MSGID 0.001 0.001 0.001 0.001
score PDS_DBL_URL_TNB_RUNON 0.900 0.554 0.900 0.554
score PDS_EMPTYSUBJ_URISHRT 0.302 0.001 0.302 0.001
score PDS_FRNOM_TODOM_DBL_URL 1.499 1.499 1.499 1.499
score PDS_FRNOM_TODOM_NAKED_TO 1.499 1.499 1.499 1.499
score PDS_FROM_2_EMAILS 1.635 2.648 1.635 2.648
score PDS_FROM_2_EMAILS_SHRTNER 0.396 1.499 0.396 1.499
score PDS_FROM_NAME_TO_DOMAIN 1.999 1.999 1.999 1.999
score PDS_HELO_SPF_FAIL 0.001 1.000 0.001 1.000
score PDS_NO_FULL_NAME_SPOOFED_URL 0.284 0.344 0.284 0.344
score PDS_OTHER_BAD_TLD 1.999 1.999 1.999 1.999
score PDS_SHORTFWD_URISHRT_QP 1.499 1.079 1.499 1.079
score PDS_SHORT_SPOOFED_URL 0.989 1.999 0.989 1.999
score PDS_TINYSUBJ_URISHRT 1.499 0.001 1.499 0.001
score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 1.999 1.999 1.999 1.999
score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 1.999 1.999 1.999 1.999
score PDS_TONAME_EQ_TOLOCAL_SHORT 2.000 1.999 2.000 1.999
score PDS_TONAME_EQ_TOLOCAL_VSHORT 0.999 1.000 0.999 1.000
score PDS_TO_EQ_FROM_NAME 3.199 2.385 3.199 2.385
score PDS_URISHRT_LOCALPART_SUBJ 0.999 0.790 0.999 0.790
score PHISH_AZURE_CLOUDAPP 3.500 3.500 3.500 3.500
score PHISH_FBASEAPP 0.965 1.000 0.965 1.000
score PHOTO_EDITING_DIRECT 2.999 1.290 2.999 1.290
score PHOTO_EDITING_FREEM 1.000 1.000 1.000 1.000
score PHP_NOVER_MUA 1.000 1.000 1.000 1.000
score PHP_ORIG_SCRIPT 0.001 0.001 0.001 0.001
score PHP_SCRIPT 2.499 2.500 2.499 2.500
score PHP_SCRIPT_MUA 1.000 1.000 1.000 1.000
score PP_MIME_FAKE_ASCII_TEXT 1.000 0.233 1.000 0.233
score PP_TOO_MUCH_UNICODE02 0.500 0.500 0.500 0.500
score PP_TOO_MUCH_UNICODE05 1.000 1.000 1.000 1.000
score PUMPDUMP 1.000 1.000 1.000 1.000
score PUMPDUMP_MULTI 1.000 1.000 1.000 1.000
score RAND_HEADER_LIST_SPOOF 2.999 2.999 2.999 2.999
score RAND_HEADER_MANY 1.000 1.000 1.000 1.000
score RAND_MKTG_HEADER 1.999 1.999 1.999 1.999
score RATWARE_NO_RDNS 2.136 1.961 2.136 1.961
score RCVD_DOTEDU_SHORT 1.000 1.000 1.000 1.000
score RCVD_DOTEDU_SUSP_URI 2.999 2.999 2.999 2.999
score RCVD_IN_MSPIKE_BL 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_H2 0.001 -0.001 0.001 -0.001
score RCVD_IN_MSPIKE_H3 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_H4 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_H5 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L2 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L3 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L4 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L5 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_WL 0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_ZBI 0.001 0.001 0.001 0.001
score RDNS_NUM_TLD_ATCHNX 1.000 1.000 1.000 1.000
score RDNS_NUM_TLD_XM 2.075 0.640 2.075 0.640
score READY_TO_SHIP 0.657 0.575 0.657 0.575
score REPTO_419_FRAUD 2.999 2.139 2.999 2.139
score REPTO_419_FRAUD_AOL 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_AOL_LOOSE 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_CNS 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_GM 2.999 2.999 2.999 2.999
score REPTO_419_FRAUD_GM_LOOSE 0.999 1.000 0.999 1.000
score REPTO_419_FRAUD_HM 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_OL 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_PM 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_QQ 2.999 2.999 2.999 2.999
score REPTO_419_FRAUD_YH 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YH_LOOSE 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YJ 0.001 0.001 0.001 0.001
score REPTO_419_FRAUD_YN 1.000 1.000 1.000 1.000
score RISK_FREE 3.199 3.100 3.199 3.100
score SENDGRID_REDIR 1.499 1.499 1.499 1.499
score SENDGRID_REDIR_PHISH 1.000 1.000 1.000 1.000
score SEO_SUSP_NTLD 1.199 1.000 1.199 1.000
score SERGIO_SUBJECT_VIAGRA01 3.398 4.099 3.398 4.099
score SHOPIFY_IMG_NOT_RCVD_SFY 2.499 2.500 2.499 2.500
score SHORTENER_SHORT_IMG 1.000 1.000 1.000 1.000
score SHORTENER_SHORT_SUBJ 2.999 2.706 2.999 2.706
score SHORT_IMG_SUSP_NTLD 0.001 0.001 0.001 0.001
score SHORT_SHORTNER 1.999 1.999 1.999 1.999
score SINGLETS_LOW_CONTRAST 0.001 0.001 0.001 0.001
score SPOOFED_FREEMAIL 0.001 1.564 0.001 1.564
score SPOOFED_FREEMAIL_NO_RDNS 1.500 0.332 1.500 0.332
score SPOOFED_FREEM_REPTO 0.001 2.433 0.001 2.433
score SPOOFED_FREEM_REPTO_CHN 0.001 1.000 0.001 1.000
score SPOOFED_FREEM_REPTO_RUS 0.001 1.000 0.001 1.000
score SPOOF_GMAIL_MID 1.499 0.001 1.499 0.001
score STATIC_XPRIO_OLE 0.001 0.001 0.001 0.001
score STOCK_LOW_CONTRAST 1.127 0.001 1.127 0.001
score STOCK_TIP 1.000 1.000 1.000 1.000
score SURBL_BLOCKED 0.001 0.001 0.001 0.001
score SYSADMIN 1.000 1.000 1.000 1.000
score THIS_AD 1.100 1.099 1.100 1.099
score THIS_IS_ADV_SUSP_NTLD 0.001 0.001 0.001 0.001
score TONLINE_FAKE_DKIM 1.000 1.000 1.000 1.000
score TONOM_EQ_TOLOC_SHRT_SHRTNER 1.499 1.499 1.499 1.499
score TO_EQ_FM_DIRECT_MX 0.001 0.001 0.001 0.001
score TO_EQ_FM_DOM_HTML_IMG 0.001 0.899 0.001 0.899
score TO_EQ_FM_DOM_HTML_ONLY 1.999 0.688 1.999 0.688
score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.001 0.001 0.001
score TO_EQ_FM_HTML_ONLY 1.299 1.299 1.299 1.299
score TO_EQ_FM_SPF_FAIL 0.001 0.001 0.001 0.001
score TO_IN_SUBJ 0.100 0.100 0.100 0.100
score TO_NAME_SUBJ_NO_RDNS 2.497 2.238 2.497 2.238
score TO_NO_BRKTS_FROM_MSSP 2.499 0.001 2.499 0.001
score TO_NO_BRKTS_HTML_IMG 1.999 1.999 1.999 1.999
score TO_NO_BRKTS_HTML_ONLY 1.999 1.999 1.999 1.999
score TO_NO_BRKTS_MSFT 0.001 0.001 0.001 0.001
score TO_NO_BRKTS_NORDNS_HTML 1.999 1.999 1.999 1.999
score TO_NO_BRKTS_PCNT 2.499 2.499 2.499 2.499
score TRANSFORM_LIFE 2.500 2.499 2.500 2.499
score TVD_IP_HEX 1.652 2.992 1.652 2.992
score TVD_IP_SING_HEX 0.082 1.325 0.082 1.325
score TVD_RCVD_SPACE_BRACKET 2.699 0.869 2.699 0.869
score TVD_SPACE_ENCODED 2.499 0.618 2.499 0.618
score TVD_SPACE_RATIO_MINFP 2.500 2.499 2.500 2.499
score TW_GIBBERISH_MANY 1.000 1.000 1.000 1.000
score UC_GIBBERISH_OBFU 1.000 1.000 1.000 1.000
score UNDISC_FREEM 3.099 2.999 3.099 2.999
score UNDISC_MONEY 3.299 3.199 3.299 3.199
score UNICODE_OBFU_ASC 1.000 1.000 1.000 1.000
score UNICODE_OBFU_ZW 1.000 1.000 1.000 1.000
score UPGRADE_MAILBOX 1.099 0.001 1.099 0.001
score URI_ADOBESPARK 1.000 1.000 1.000 1.000
score URI_AZURE_CLOUDAPP 1.000 1.000 1.000 1.000
score URI_DASHGOVEDU 1.000 1.000 1.000 1.000
score URI_DATA 1.000 1.000 1.000 1.000
score URI_DOTDOT_LOW_CNTRST 1.369 2.054 1.369 2.054
score URI_DOTEDU 1.316 1.074 1.316 1.074
score URI_DOTEDU_ENTITY 1.000 1.000 1.000 1.000
score URI_FIREBASEAPP 2.999 2.999 2.999 2.999
score URI_GOOGLE_PROXY 2.999 1.611 2.999 1.611
score URI_GOOG_STO_SPAMMY 1.434 0.001 1.434 0.001
score URI_HEX_IP 2.104 1.669 2.104 1.669
score URI_IMG_WP_REDIR 1.000 1.000 1.000 1.000
score URI_LONG_REPEAT 2.104 1.055 2.104 1.055
score URI_ONLY_MSGID_MALF 1.676 1.999 1.676 1.999
score URI_OPTOUT_3LD 1.000 1.000 1.000 1.000
score URI_PHISH 3.999 0.844 3.999 0.844
score URI_PHP_REDIR 3.499 3.499 3.499 3.499
score URI_TRY_3LD 1.936 1.999 1.936 1.999
score URI_WPADMIN 2.899 2.699 2.899 2.699
score URI_WP_DIRINDEX 2.300 2.299 2.300 2.299
score URI_WP_HACKED 3.499 3.499 3.499 3.499
score URI_WP_HACKED_2 2.499 2.499 2.499 2.499
score USB_DRIVES 1.000 1.000 1.000 1.000
score VFY_ACCT_NORDNS 2.500 2.904 2.500 2.904
score VPS_NO_NTLD 1.000 1.000 1.000 1.000
score WALMART_IMG_NOT_RCVD_WAL 1.000 1.000 1.000 1.000
score WANT_TO_ORDER 1.499 1.435 1.499 1.435
score WIKI_IMG 3.099 2.999 3.099 2.999
score WORD_INVIS 1.000 1.000 1.000 1.000
score WORD_INVIS_MANY 1.000 2.898 1.000 2.898
score XFER_LOTSA_MONEY 0.999 0.543 0.999 0.543
score XM_DIGITS_ONLY 2.202 2.411 2.202 2.411
score XM_LIGHT_HEAVY 0.001 0.101 0.001 0.101
score XM_RANDOM 2.551 2.999 2.551 2.999
score XM_RECPTID 3.000 1.994 3.000 1.994
score XPRIO 0.690 1.000 0.690 1.000
score XPRIO_SHORT_SUBJ 1.000 1.000 1.000 1.000
score XPRIO_URL_SHORTNER 0.999 0.741 0.999 0.741
score YOUR_DELIVERY_ADDRESS 1.499 0.001 1.499 0.001
score YOU_INHERIT 2.799 2.499 2.799 2.499

115
sa-updates/73_sandbox_manual_scores.cf Normal file
View File

@ -0,0 +1,115 @@
# SpamAssassin rules file
#
# Manual override of the automatically-generated scores
# for automatically-published sandbox rules
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version 3.004005
# jhardin
# things depend on these
# score as informative just for the hits header
score LOTS_OF_MONEY 0.001
score FILL_THIS_FORM 0.001
# jhardin
# reevolved Advance Fee rules
# scores are cumulative (i.e. 3 hits 2, 4 hits 3 and 2)
# Commented out if GA is scoring reasonably
#score ADVANCE_FEE_2_NEW_MONEY 0.50
#score ADVANCE_FEE_2_NEW_FORM 0.75
#score ADVANCE_FEE_3_NEW 0.50
#score ADVANCE_FEE_3_NEW_MONEY 1.00
#score ADVANCE_FEE_3_NEW_FORM 1.00
#score ADVANCE_FEE_4_NEW 1.00
#score ADVANCE_FEE_5_NEW 1.50
# jhardin
# metas using Advance Fee component rules
# Commented out if GA is scoring reasonably
#score FORM_FRAUD_3 0.50
#score FORM_FRAUD_5 0.50
#score MONEY_FRAUD_3 1.00
#score MONEY_FRAUD_5 0.50
#score MONEY_FRAUD_8 0.50
# jhardin
# GA scores this unreasonably high, and
# the fact that this is defined in an #ifplugin
# appears to be preventing score limiting from working
score FILL_THIS_FORM_LONG 2.00
# jhardin
# misc rules
# Commented out if GA is scoring reasonably
#score FROM_MISSP_MSFT 0.50
#score TO_NO_BRKTS_DYNIP 0.50
#score LOTTO_AGENT 0.50
# jhardin
# 1.000 S/O, hits only <= 6 points, but GA is not publishing it!
# perhaps because very few examples in spam corpus
# 12/24/12 GA likes it now
#score GOOGLE_DOCS_PHISH 3.00
# similar: .990 S/O, hits primarily spam <= 5 points
# 01/07/13 GA likes it now
#score EMAIL_URI_PHISH 2.50
# Reliable but not widespread (low corpus count, ahead of the curve?), boost the score
score PHISH_AZURE_CLOUDAPP 3.50
score URI_GOOG_STO_SPAMMY 3.50
# jhardin
# double-extension file attachments, low corpus count
score PHISH_ATTACH 3.50
score MALW_ATTACH 3.50
# hege
# FPs reported [bug 6417], GA assigning 3+ points
# reduce score until that's resolved
# score HK_FAKENAME_MICROSOFT 2.50
# RULE DISABLED IN 20_hk.cf
# jhardin for mmartinec
# Lots of hate; score as informative hammy, may override locally
score RP_MATCHES_RCVD -0.001
# until rule or rescoring issues sorted, hits 20%+ ham
# too problematic, disabled entirely
#score STYLE_GIBBERISH 0.1
# jhardin
# Limit some network scores until rule changes can be evaluated by weekly net masscheck
# Dangit, relative scores are broken - see bug#7721
#score FROM_IN_TO_AND_SUBJ (0) 0.001 (0) 0.001
#score OBFU_TEXT_ATTACH (0) 0.001 (0) 0.001
#score MIME_NO_TEXT (0) 0.001 (0) 0.001
#score AD_PREFS (0) 0.001 (0) 0.001
score AD_PREFS 0.250
#score URI_WP_HACKED_2 (0) 0.001 (0) 0.001
#score STYLE_GIBBERISH (0) 0.001 (0) 0.001
#score UC_GIBBERISH_OBFU (0) 0.001 (0) 0.001
#score LUCRATIVE (0) 0.001 (0) 0.001
#score HEXHASH_WORD (0) 0.001 (0) 0.001
#score FROM_WORDY (0) 0.001 (0) 0.001
#score AC_HTML_NONSENSE_TAGS (0) 0.001 (0) 0.001
#score LONG_HEX_URI (0) 0.001 (0) 0.001
#score FROM_PAYPAL_SPOOF (0) 0.001 (0) 0.001

BIN
sa-updates/languages Normal file
View File

Binary file not shown.

43
sa-updates/user_prefs.template Normal file
View File

@ -0,0 +1,43 @@
# SpamAssassin user preferences file. See 'perldoc Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
#*
#* Note: this file is not read by SpamAssassin until copied into the user
#* directory. At runtime, if a user has no preferences in their home directory
#* already, it will be copied for them, allowing them to perform personalised
#* customisation. If you want to make changes to the site-wide defaults,
#* create a file in /etc/spamassassin or /etc/mail/spamassassin instead.
###########################################################################
# How many points before a mail is considered spam.
# required_score 5
# Welcomelist and blocklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# welcomelist_from someone@somewhere.com
# welcomelist_to someone@mydomain.com
# Add your own customised scores for some tests below. The default scores are
# read from the installed spamassassin rules files, but you can override them
# here. To see the list of tests and their default scores, go to
# https://spamassassin.apache.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines. They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.
#
# score HTML_COMMENT_8BITS 0
# score UPPERCASE_25_50 0
# score UPPERCASE_50_75 0
# score UPPERCASE_75_100 0
# score OBSCURED_EMAIL 0
# Speakers of any language that uses non-English, accented characters may wish
# to uncomment the following lines. They turn off rules that fire on
# misformatted messages generated by common mail apps in contravention of the
# email RFCs.
# score SUBJ_ILLEGAL_CHARS 0