From dfdd1e08195d8fe7ba146cd43991f5c923c2b733 Mon Sep 17 00:00:00 2001 From: Stoiko Ivanov Date: Mon, 28 Nov 2022 13:49:06 +0100 Subject: [PATCH] update SpamAssassin signatures Signed-off-by: Stoiko Ivanov --- sa-updates/20_aux_tlds.cf | 269 ++- sa-updates/20_dnsbl_tests.cf | 2 +- sa-updates/20_freemail_domains.cf | 2 +- sa-updates/20_mailspike.cf | 2 +- sa-updates/20_pdfinfo.cf | 1 + sa-updates/20_vbounce.cf | 22 +- sa-updates/25_dcc.cf | 2 +- sa-updates/25_dkim.cf | 15 + .../{60_whitelist_subject.cf => 25_dmarc.cf} | 52 +- sa-updates/25_pyzor.cf | 2 +- sa-updates/25_razor2.cf | 2 +- sa-updates/25_uribl.cf | 6 +- sa-updates/25_url_shortener.cf | 301 +++ sa-updates/30_text_de.cf | 8 +- sa-updates/30_text_fr.cf | 8 +- sa-updates/30_text_pl.cf | 10 +- sa-updates/30_text_pt_br.cf | 50 +- sa-updates/50_scores.cf | 48 +- sa-updates/60_awl.cf | 8 +- sa-updates/60_shortcircuit.cf | 18 +- sa-updates/60_welcomelist.cf | 263 +++ ...itelist_auth.cf => 60_welcomelist_auth.cf} | 22 +- ...itelist_dkim.cf => 60_welcomelist_dkim.cf} | 108 +- sa-updates/60_welcomelist_spf.cf | 170 ++ sa-updates/60_welcomelist_subject.cf | 87 + sa-updates/60_whitelist.cf | 286 --- sa-updates/60_whitelist_spf.cf | 87 - sa-updates/72_active.cf | 1818 +++++------------ sa-updates/72_scores.cf | 474 +++-- sa-updates/languages | Bin 107916 -> 133600 bytes 30 files changed, 1886 insertions(+), 2257 deletions(-) rename sa-updates/{60_whitelist_subject.cf => 25_dmarc.cf} (52%) create mode 100644 sa-updates/25_url_shortener.cf create mode 100644 sa-updates/60_welcomelist.cf rename sa-updates/{60_whitelist_auth.cf => 60_welcomelist_auth.cf} (99%) rename sa-updates/{60_whitelist_dkim.cf => 60_welcomelist_dkim.cf} (81%) create mode 100644 sa-updates/60_welcomelist_spf.cf create mode 100644 sa-updates/60_welcomelist_subject.cf delete mode 100644 sa-updates/60_whitelist.cf delete mode 100644 sa-updates/60_whitelist_spf.cf diff --git a/sa-updates/20_aux_tlds.cf b/sa-updates/20_aux_tlds.cf index 551bb61..e433910 100644 --- a/sa-updates/20_aux_tlds.cf +++ b/sa-updates/20_aux_tlds.cf @@ -51,149 +51,148 @@ endif # this block # # For an up to date list of IDN TLDs that can be pasted into this block, run this command: -# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 'chomp; s/.*/util_rb_tld \L$_\n/' +# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' # Since version 4.0 the util_rb_tld also accepts Unicode IDN labels (encoded as UTF-8), e.g.: -# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | idn -u | tr '\n' ' ' | fold -w 80 -s | perl -pe 'chomp; s/.*/util_rb_tld \L$_\n/' +# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | idn -u | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' if can(Mail::SpamAssassin::Conf::feature_registryboundaries) -util_rb_tld xn--11b4c3d xn--1ck2e1b xn--1qqw23a xn--2scrj9c xn--30rr7y xn--3bst00m -util_rb_tld xn--3ds443g xn--3e0b707e xn--3hcrj9c xn--3oq18vl8pn36a xn--3pxu8k xn--42c2d9a -util_rb_tld xn--45br5cyl xn--45brj9c xn--45q11c xn--4gbrim xn--54b7fta0cc xn--55qw42g -util_rb_tld xn--55qx5d xn--5su34j936bgsg xn--5tzm5g xn--6frz82g xn--6qq986b3xl xn--80adxhks -util_rb_tld xn--80ao21a xn--80aqecdr1a xn--80asehdb xn--80aswg xn--8y0a063a xn--90a3ac -util_rb_tld xn--90ae xn--90ais xn--9dbq2a xn--9et52u xn--9krt00a xn--b4w605ferd -util_rb_tld xn--bck1b9a5dre4c xn--c1avg xn--c2br7g xn--cck2b3b xn--cg4bki -util_rb_tld xn--clchc0ea0b2g2a9gcd xn--czr694b xn--czrs0t xn--czru2d xn--d1acj3b xn--d1alf -util_rb_tld xn--e1a4c xn--eckvdtc9d xn--efvy88h xn--estv75g xn--fct429k xn--fhbei -util_rb_tld xn--fiq228c5hs xn--fiq64b xn--fiqs8s xn--fiqz9s xn--fjq720a xn--flw351e -util_rb_tld xn--fpcrj9c3d xn--fzc2c9e2c xn--fzys8d69uvgm xn--g2xx48c xn--gckr3f0f -util_rb_tld xn--gecrj9c xn--gk3at1e xn--h2breg3eve xn--h2brj9c xn--h2brj9c8c xn--hxt814e -util_rb_tld xn--i1b6b1a6a2e xn--imr513n xn--io0a7i xn--j1aef xn--j1amh xn--j6w193g -util_rb_tld xn--jlq61u9w7b xn--jvr189m xn--kcrx77d1x4a xn--kprw13d xn--kpry57d xn--kpu716f -util_rb_tld xn--kput3i xn--l1acc xn--lgbbat1ad8j xn--mgb9awbf xn--mgba3a3ejt -util_rb_tld xn--mgba3a4f16a xn--mgba7c0bbn0a xn--mgbaakc7dvf xn--mgbaam7a8h xn--mgbab2bd -util_rb_tld xn--mgbai9azgqp6j xn--mgbayh7gpa xn--mgbb9fbpob xn--mgbbh1a xn--mgbbh1a71e -util_rb_tld xn--mgbc0a9azcg xn--mgbca7dzdo xn--mgberp4a5d4ar xn--mgbgu82a xn--mgbi4ecexp -util_rb_tld xn--mgbpl2fh xn--mgbt3dhd xn--mgbtx2b xn--mgbx4cd0ab xn--mix891f xn--mk1bu44c -util_rb_tld xn--mxtq1m xn--ngbc5azd xn--ngbe9e0a xn--ngbrx xn--node xn--nqv7f -util_rb_tld xn--nqv7fs00ema xn--nyqy26a xn--o3cw4h xn--ogbpf8fl xn--otu796d xn--p1acf -util_rb_tld xn--p1ai xn--pbt977c xn--pgbs0dh xn--pssy2u xn--q9jyb4c xn--qcka1pmc xn--qxam -util_rb_tld xn--rhqv96g xn--rovu88b xn--rvc1e0am3e xn--s9brj9c xn--ses554g xn--t60b56a -util_rb_tld xn--tckwe xn--tiq49xqyj xn--unup4y xn--vermgensberater-ctb -util_rb_tld xn--vermgensberatung-pwb xn--vhquv xn--vuq861b xn--w4r85el8fhu5dnra xn--w4rs40l -util_rb_tld xn--wgbh1c xn--wgbl6a xn--xhq521b xn--xkc2al3hye2a xn--xkc2dl3a5ee0h xn--y9a3aq +# Updated 2022-10-18 +util_rb_tld xn--11b4c3d xn--1ck2e1b xn--1qqw23a xn--2scrj9c xn--30rr7y xn--3bst00m +util_rb_tld xn--3ds443g xn--3e0b707e xn--3hcrj9c xn--3pxu8k xn--42c2d9a xn--45br5cyl +util_rb_tld xn--45brj9c xn--45q11c xn--4dbrk0ce xn--4gbrim xn--54b7fta0cc xn--55qw42g +util_rb_tld xn--55qx5d xn--5su34j936bgsg xn--5tzm5g xn--6frz82g xn--6qq986b3xl xn--80adxhks +util_rb_tld xn--80ao21a xn--80aqecdr1a xn--80asehdb xn--80aswg xn--8y0a063a xn--90a3ac +util_rb_tld xn--90ae xn--90ais xn--9dbq2a xn--9et52u xn--9krt00a xn--b4w605ferd +util_rb_tld xn--bck1b9a5dre4c xn--c1avg xn--c2br7g xn--cck2b3b xn--cckwcxetd xn--cg4bki +util_rb_tld xn--clchc0ea0b2g2a9gcd xn--czr694b xn--czrs0t xn--czru2d xn--d1acj3b xn--d1alf +util_rb_tld xn--e1a4c xn--eckvdtc9d xn--efvy88h xn--fct429k xn--fhbei xn--fiq228c5hs +util_rb_tld xn--fiq64b xn--fiqs8s xn--fiqz9s xn--fjq720a xn--flw351e xn--fpcrj9c3d +util_rb_tld xn--fzc2c9e2c xn--fzys8d69uvgm xn--g2xx48c xn--gckr3f0f xn--gecrj9c xn--gk3at1e +util_rb_tld xn--h2breg3eve xn--h2brj9c xn--h2brj9c8c xn--hxt814e xn--i1b6b1a6a2e +util_rb_tld xn--imr513n xn--io0a7i xn--j1aef xn--j1amh xn--j6w193g xn--jlq480n2rg +util_rb_tld xn--jlq61u9w7b xn--jvr189m xn--kcrx77d1x4a xn--kprw13d xn--kpry57d xn--kput3i +util_rb_tld xn--l1acc xn--lgbbat1ad8j xn--mgb9awbf xn--mgba3a3ejt xn--mgba3a4f16a +util_rb_tld xn--mgba7c0bbn0a xn--mgbaakc7dvf xn--mgbaam7a8h xn--mgbab2bd xn--mgbah1a3hjkrd +util_rb_tld xn--mgbai9azgqp6j xn--mgbayh7gpa xn--mgbbh1a xn--mgbbh1a71e xn--mgbc0a9azcg +util_rb_tld xn--mgbca7dzdo xn--mgbcpq6gpa1a xn--mgberp4a5d4ar xn--mgbgu82a xn--mgbi4ecexp +util_rb_tld xn--mgbpl2fh xn--mgbt3dhd xn--mgbtx2b xn--mgbx4cd0ab xn--mix891f xn--mk1bu44c +util_rb_tld xn--mxtq1m xn--ngbc5azd xn--ngbe9e0a xn--ngbrx xn--node xn--nqv7f +util_rb_tld xn--nqv7fs00ema xn--nyqy26a xn--o3cw4h xn--ogbpf8fl xn--otu796d xn--p1acf +util_rb_tld xn--p1ai xn--pgbs0dh xn--pssy2u xn--q7ce6a xn--q9jyb4c xn--qcka1pmc xn--qxa6a +util_rb_tld xn--qxam xn--rhqv96g xn--rovu88b xn--rvc1e0am3e xn--s9brj9c xn--ses554g +util_rb_tld xn--t60b56a xn--tckwe xn--tiq49xqyj xn--unup4y xn--vermgensberater-ctb +util_rb_tld xn--vermgensberatung-pwb xn--vhquv xn--vuq861b xn--w4r85el8fhu5dnra xn--w4rs40l +util_rb_tld xn--wgbh1c xn--wgbl6a xn--xhq521b xn--xkc2al3hye2a xn--xkc2dl3a5ee0h xn--y9a3aq util_rb_tld xn--yfro4i67o xn--ygbi2ammx xn--zfr164b endif # Standard List # For an up to date list of TLDs that can be pasted into this block, run this command: -# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | tail -n+2 | grep -vi '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 'chomp; s/.*/util_rb_tld \L$_\n/' +# wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | tail -n+2 | grep -vi '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' -util_rb_tld aaa aarp abarth abb abbott abbvie abc able abogado abudhabi ac academy -util_rb_tld accenture accountant accountants aco actor ad adac ads adult ae aeg aero aetna -util_rb_tld af afamilycompany afl africa ag agakhan agency ai aig airbus airforce airtel -util_rb_tld akdn al alfaromeo alibaba alipay allfinanz allstate ally alsace alstom am -util_rb_tld amazon americanexpress americanfamily amex amfam amica amsterdam analytics -util_rb_tld android anquan anz ao aol apartments app apple aq aquarelle ar arab aramco -util_rb_tld archi army arpa art arte as asda asia associates at athleta attorney au auction -util_rb_tld audi audible audio auspost author auto autos avianca aw aws ax axa az azure ba -util_rb_tld baby baidu banamex bananarepublic band bank bar barcelona barclaycard barclays -util_rb_tld barefoot bargains baseball basketball bauhaus bayern bb bbc bbt bbva bcg bcn bd -util_rb_tld be beats beauty beer bentley berlin best bestbuy bet bf bg bh bharti bi bible -util_rb_tld bid bike bing bingo bio biz bj black blackfriday blockbuster blog bloomberg -util_rb_tld blue bm bms bmw bn bnpparibas bo boats boehringer bofa bom bond boo book -util_rb_tld booking bosch bostik boston bot boutique box br bradesco bridgestone broadway -util_rb_tld broker brother brussels bs bt budapest bugatti build builders business buy buzz -util_rb_tld bv bw by bz bzh ca cab cafe cal call calvinklein cam camera camp cancerresearch -util_rb_tld canon capetown capital capitalone car caravan cards care career careers cars -util_rb_tld casa case caseih cash casino cat catering catholic cba cbn cbre cbs cc cd ceb -util_rb_tld center ceo cern cf cfa cfd cg ch chanel channel charity chase chat cheap -util_rb_tld chintai christmas chrome church ci cipriani circle cisco citadel citi citic -util_rb_tld city cityeats ck cl claims cleaning click clinic clinique clothing cloud club -util_rb_tld clubmed cm cn co coach codes coffee college cologne com comcast commbank -util_rb_tld community company compare computer comsec condos construction consulting -util_rb_tld contact contractors cooking cookingchannel cool coop corsica country coupon -util_rb_tld coupons courses cpa cr credit creditcard creditunion cricket crown crs cruise -util_rb_tld cruises csc cu cuisinella cv cw cx cy cymru cyou cz dabur dad dance data date -util_rb_tld dating datsun day dclk dds de deal dealer deals degree delivery dell deloitte -util_rb_tld delta democrat dental dentist desi design dev dhl diamonds diet digital direct -util_rb_tld directory discount discover dish diy dj dk dm dnp do docs doctor dog domains -util_rb_tld dot download drive dtv dubai duck dunlop dupont durban dvag dvr dz earth eat ec -util_rb_tld eco edeka edu education ee eg email emerck energy engineer engineering -util_rb_tld enterprises epson equipment er ericsson erni es esq estate et etisalat eu -util_rb_tld eurovision eus events exchange expert exposed express extraspace fage fail -util_rb_tld fairwinds faith family fan fans farm farmers fashion fast fedex feedback -util_rb_tld ferrari ferrero fi fiat fidelity fido film final finance financial fire -util_rb_tld firestone firmdale fish fishing fit fitness fj fk flickr flights flir florist -util_rb_tld flowers fly fm fo foo food foodnetwork football ford forex forsale forum -util_rb_tld foundation fox fr free fresenius frl frogans frontdoor frontier ftr fujitsu -util_rb_tld fujixerox fun fund furniture futbol fyi ga gal gallery gallo gallup game games -util_rb_tld gap garden gay gb gbiz gd gdn ge gea gent genting george gf gg ggee gh gi gift -util_rb_tld gifts gives giving gl glade glass gle global globo gm gmail gmbh gmo gmx gn -util_rb_tld godaddy gold goldpoint golf goo goodyear goog google gop got gov gp gq gr -util_rb_tld grainger graphics gratis green gripe grocery group gs gt gu guardian gucci guge -util_rb_tld guide guitars guru gw gy hair hamburg hangout haus hbo hdfc hdfcbank health -util_rb_tld healthcare help helsinki here hermes hgtv hiphop hisamitsu hitachi hiv hk hkt -util_rb_tld hm hn hockey holdings holiday homedepot homegoods homes homesense honda horse -util_rb_tld hospital host hosting hot hoteles hotels hotmail house how hr hsbc ht hu hughes -util_rb_tld hyatt hyundai ibm icbc ice icu id ie ieee ifm ikano il im imamat imdb immo -util_rb_tld immobilien in inc industries infiniti info ing ink institute insurance insure -util_rb_tld int intel international intuit investments io ipiranga iq ir irish is ismaili -util_rb_tld ist istanbul it itau itv iveco jaguar java jcb jcp je jeep jetzt jewelry jio -util_rb_tld jll jm jmp jnj jo jobs joburg jot joy jp jpmorgan jprs juegos juniper kaufen -util_rb_tld kddi ke kerryhotels kerrylogistics kerryproperties kfh kg kh ki kia kim kinder -util_rb_tld kindle kitchen kiwi km kn koeln komatsu kosher kp kpmg kpn kr krd kred -util_rb_tld kuokgroup kw ky kyoto kz la lacaixa lamborghini lamer lancaster lancia land -util_rb_tld landrover lanxess lasalle lat latino latrobe law lawyer lb lc lds lease leclerc -util_rb_tld lefrak legal lego lexus lgbt li lidl life lifeinsurance lifestyle lighting like -util_rb_tld lilly limited limo lincoln linde link lipsy live living lixil lk llc llp loan -util_rb_tld loans locker locus loft lol london lotte lotto love lpl lplfinancial lr ls lt -util_rb_tld ltd ltda lu lundbeck lupin luxe luxury lv ly ma macys madrid maif maison makeup -util_rb_tld man management mango map market marketing markets marriott marshalls maserati -util_rb_tld mattel mba mc mckinsey md me med media meet melbourne meme memorial men menu -util_rb_tld merckmsd metlife mg mh miami microsoft mil mini mint mit mitsubishi mk ml mlb -util_rb_tld mls mm mma mn mo mobi mobile moda moe moi mom monash money monster mormon -util_rb_tld mortgage moscow moto motorcycles mov movie mp mq mr ms msd mt mtn mtr mu museum -util_rb_tld mutual mv mw mx my mz na nab nagoya name nationwide natura navy nba nc ne nec -util_rb_tld net netbank netflix network neustar new newholland news next nextdirect nexus -util_rb_tld nf nfl ng ngo nhk ni nico nike nikon ninja nissan nissay nl no nokia -util_rb_tld northwesternmutual norton now nowruz nowtv np nr nra nrw ntt nu nyc nz obi -util_rb_tld observer off office okinawa olayan olayangroup oldnavy ollo om omega one ong -util_rb_tld onl online onyourside ooo open oracle orange org organic origins osaka otsuka -util_rb_tld ott ovh pa page panasonic paris pars partners parts party passagens pay pccw pe -util_rb_tld pet pf pfizer pg ph pharmacy phd philips phone photo photography photos physio -util_rb_tld pics pictet pictures pid pin ping pink pioneer pizza pk pl place play -util_rb_tld playstation plumbing plus pm pn pnc pohl poker politie porn post pr pramerica -util_rb_tld praxi press prime pro prod productions prof progressive promo properties -util_rb_tld property protection pru prudential ps pt pub pw pwc py qa qpon quebec quest qvc -util_rb_tld racing radio raid re read realestate realtor realty recipes red redstone -util_rb_tld redumbrella rehab reise reisen reit reliance ren rent rentals repair report -util_rb_tld republican rest restaurant review reviews rexroth rich richardli ricoh -util_rb_tld rightathome ril rio rip rmit ro rocher rocks rodeo rogers room rs rsvp ru rugby -util_rb_tld ruhr run rw rwe ryukyu sa saarland safe safety sakura sale salon samsclub -util_rb_tld samsung sandvik sandvikcoromant sanofi sap sarl sas save saxo sb sbi sbs sc sca -util_rb_tld scb schaeffler schmidt scholarships school schule schwarz science scjohnson -util_rb_tld scot sd se search seat secure security seek select sener services ses seven sew -util_rb_tld sex sexy sfr sg sh shangrila sharp shaw shell shia shiksha shoes shop shopping -util_rb_tld shouji show showtime shriram si silk sina singles site sj sk ski skin sky skype -util_rb_tld sl sling sm smart smile sn sncf so soccer social softbank software sohu solar -util_rb_tld solutions song sony soy space sport spot spreadbetting sr srl ss st stada -util_rb_tld staples star statebank statefarm stc stcgroup stockholm storage store stream -util_rb_tld studio study style su sucks supplies supply support surf surgery suzuki sv -util_rb_tld swatch swiftcover swiss sx sy sydney symantec systems sz tab taipei talk taobao -util_rb_tld target tatamotors tatar tattoo tax taxi tc tci td tdk team tech technology tel -util_rb_tld temasek tennis teva tf tg th thd theater theatre tiaa tickets tienda tiffany -util_rb_tld tips tires tirol tj tjmaxx tjx tk tkmaxx tl tm tmall tn to today tokyo tools -util_rb_tld top toray toshiba total tours town toyota toys tr trade trading training travel -util_rb_tld travelchannel travelers travelersinsurance trust trv tt tube tui tunes tushu tv -util_rb_tld tvs tw tz ua ubank ubs ug uk unicom university uno uol ups us uy uz va -util_rb_tld vacations vana vanguard vc ve vegas ventures verisign versicherung vet vg vi -util_rb_tld viajes video vig viking villas vin vip virgin visa vision viva vivo vlaanderen -util_rb_tld vn vodka volkswagen volvo vote voting voto voyage vu vuelos wales walmart -util_rb_tld walter wang wanggou watch watches weather weatherchannel webcam weber website -util_rb_tld wed wedding weibo weir wf whoswho wien wiki williamhill win windows wine -util_rb_tld winners wme wolterskluwer woodside work works world wow ws wtc wtf xbox xerox -util_rb_tld xfinity xihuan xin xxx xyz yachts yahoo yamaxun yandex ye yodobashi yoga +# Updated 2022-10-18 +util_rb_tld aaa aarp abarth abb abbott abbvie abc able abogado abudhabi ac academy +util_rb_tld accenture accountant accountants aco actor ad adac ads adult ae aeg aero aetna +util_rb_tld af afl africa ag agakhan agency ai aig airbus airforce airtel akdn al alfaromeo +util_rb_tld alibaba alipay allfinanz allstate ally alsace alstom am amazon americanexpress +util_rb_tld americanfamily amex amfam amica amsterdam analytics android anquan anz ao aol +util_rb_tld apartments app apple aq aquarelle ar arab aramco archi army arpa art arte as +util_rb_tld asda asia associates at athleta attorney au auction audi audible audio auspost +util_rb_tld author auto autos avianca aw aws ax axa az azure ba baby baidu banamex +util_rb_tld bananarepublic band bank bar barcelona barclaycard barclays barefoot bargains +util_rb_tld baseball basketball bauhaus bayern bb bbc bbt bbva bcg bcn bd be beats beauty +util_rb_tld beer bentley berlin best bestbuy bet bf bg bh bharti bi bible bid bike bing +util_rb_tld bingo bio biz bj black blackfriday blockbuster blog bloomberg blue bm bms bmw +util_rb_tld bn bnpparibas bo boats boehringer bofa bom bond boo book booking bosch bostik +util_rb_tld boston bot boutique box br bradesco bridgestone broadway broker brother +util_rb_tld brussels bs bt build builders business buy buzz bv bw by bz bzh ca cab cafe cal +util_rb_tld call calvinklein cam camera camp canon capetown capital capitalone car caravan +util_rb_tld cards care career careers cars casa case cash casino cat catering catholic cba +util_rb_tld cbn cbre cbs cc cd center ceo cern cf cfa cfd cg ch chanel channel charity +util_rb_tld chase chat cheap chintai christmas chrome church ci cipriani circle cisco +util_rb_tld citadel citi citic city cityeats ck cl claims cleaning click clinic clinique +util_rb_tld clothing cloud club clubmed cm cn co coach codes coffee college cologne com +util_rb_tld comcast commbank community company compare computer comsec condos construction +util_rb_tld consulting contact contractors cooking cookingchannel cool coop corsica country +util_rb_tld coupon coupons courses cpa cr credit creditcard creditunion cricket crown crs +util_rb_tld cruise cruises cu cuisinella cv cw cx cy cymru cyou cz dabur dad dance data +util_rb_tld date dating datsun day dclk dds de deal dealer deals degree delivery dell +util_rb_tld deloitte delta democrat dental dentist desi design dev dhl diamonds diet +util_rb_tld digital direct directory discount discover dish diy dj dk dm dnp do docs doctor +util_rb_tld dog domains dot download drive dtv dubai dunlop dupont durban dvag dvr dz earth +util_rb_tld eat ec eco edeka edu education ee eg email emerck energy engineer engineering +util_rb_tld enterprises epson equipment er ericsson erni es esq estate et etisalat eu +util_rb_tld eurovision eus events exchange expert exposed express extraspace fage fail +util_rb_tld fairwinds faith family fan fans farm farmers fashion fast fedex feedback +util_rb_tld ferrari ferrero fi fiat fidelity fido film final finance financial fire +util_rb_tld firestone firmdale fish fishing fit fitness fj fk flickr flights flir florist +util_rb_tld flowers fly fm fo foo food foodnetwork football ford forex forsale forum +util_rb_tld foundation fox fr free fresenius frl frogans frontdoor frontier ftr fujitsu fun +util_rb_tld fund furniture futbol fyi ga gal gallery gallo gallup game games gap garden gay +util_rb_tld gb gbiz gd gdn ge gea gent genting george gf gg ggee gh gi gift gifts gives +util_rb_tld giving gl glass gle global globo gm gmail gmbh gmo gmx gn godaddy gold +util_rb_tld goldpoint golf goo goodyear goog google gop got gov gp gq gr grainger graphics +util_rb_tld gratis green gripe grocery group gs gt gu guardian gucci guge guide guitars +util_rb_tld guru gw gy hair hamburg hangout haus hbo hdfc hdfcbank health healthcare help +util_rb_tld helsinki here hermes hgtv hiphop hisamitsu hitachi hiv hk hkt hm hn hockey +util_rb_tld holdings holiday homedepot homegoods homes homesense honda horse hospital host +util_rb_tld hosting hot hoteles hotels hotmail house how hr hsbc ht hu hughes hyatt hyundai +util_rb_tld ibm icbc ice icu id ie ieee ifm ikano il im imamat imdb immo immobilien in inc +util_rb_tld industries infiniti info ing ink institute insurance insure int international +util_rb_tld intuit investments io ipiranga iq ir irish is ismaili ist istanbul it itau itv +util_rb_tld jaguar java jcb je jeep jetzt jewelry jio jll jm jmp jnj jo jobs joburg jot joy +util_rb_tld jp jpmorgan jprs juegos juniper kaufen kddi ke kerryhotels kerrylogistics +util_rb_tld kerryproperties kfh kg kh ki kia kids kim kinder kindle kitchen kiwi km kn +util_rb_tld koeln komatsu kosher kp kpmg kpn kr krd kred kuokgroup kw ky kyoto kz la +util_rb_tld lacaixa lamborghini lamer lancaster lancia land landrover lanxess lasalle lat +util_rb_tld latino latrobe law lawyer lb lc lds lease leclerc lefrak legal lego lexus lgbt +util_rb_tld li lidl life lifeinsurance lifestyle lighting like lilly limited limo lincoln +util_rb_tld linde link lipsy live living lk llc llp loan loans locker locus loft lol london +util_rb_tld lotte lotto love lpl lplfinancial lr ls lt ltd ltda lu lundbeck luxe luxury lv +util_rb_tld ly ma macys madrid maif maison makeup man management mango map market marketing +util_rb_tld markets marriott marshalls maserati mattel mba mc mckinsey md me med media meet +util_rb_tld melbourne meme memorial men menu merckmsd mg mh miami microsoft mil mini mint +util_rb_tld mit mitsubishi mk ml mlb mls mm mma mn mo mobi mobile moda moe moi mom monash +util_rb_tld money monster mormon mortgage moscow moto motorcycles mov movie mp mq mr ms msd +util_rb_tld mt mtn mtr mu museum music mutual mv mw mx my mz na nab nagoya name natura navy +util_rb_tld nba nc ne nec net netbank netflix network neustar new news next nextdirect +util_rb_tld nexus nf nfl ng ngo nhk ni nico nike nikon ninja nissan nissay nl no nokia +util_rb_tld northwesternmutual norton now nowruz nowtv np nr nra nrw ntt nu nyc nz obi +util_rb_tld observer office okinawa olayan olayangroup oldnavy ollo om omega one ong onl +util_rb_tld online ooo open oracle orange org organic origins osaka otsuka ott ovh pa page +util_rb_tld panasonic paris pars partners parts party passagens pay pccw pe pet pf pfizer +util_rb_tld pg ph pharmacy phd philips phone photo photography photos physio pics pictet +util_rb_tld pictures pid pin ping pink pioneer pizza pk pl place play playstation plumbing +util_rb_tld plus pm pn pnc pohl poker politie porn post pr pramerica praxi press prime pro +util_rb_tld prod productions prof progressive promo properties property protection pru +util_rb_tld prudential ps pt pub pw pwc py qa qpon quebec quest racing radio re read +util_rb_tld realestate realtor realty recipes red redstone redumbrella rehab reise reisen +util_rb_tld reit reliance ren rent rentals repair report republican rest restaurant review +util_rb_tld reviews rexroth rich richardli ricoh ril rio rip ro rocher rocks rodeo rogers +util_rb_tld room rs rsvp ru rugby ruhr run rw rwe ryukyu sa saarland safe safety sakura +util_rb_tld sale salon samsclub samsung sandvik sandvikcoromant sanofi sap sarl sas save +util_rb_tld saxo sb sbi sbs sc sca scb schaeffler schmidt scholarships school schule +util_rb_tld schwarz science scot sd se search seat secure security seek select sener +util_rb_tld services ses seven sew sex sexy sfr sg sh shangrila sharp shaw shell shia +util_rb_tld shiksha shoes shop shopping shouji show showtime si silk sina singles site sj +util_rb_tld sk ski skin sky skype sl sling sm smart smile sn sncf so soccer social softbank +util_rb_tld software sohu solar solutions song sony soy spa space sport spot sr srl ss st +util_rb_tld stada staples star statebank statefarm stc stcgroup stockholm storage store +util_rb_tld stream studio study style su sucks supplies supply support surf surgery suzuki +util_rb_tld sv swatch swiss sx sy sydney systems sz tab taipei talk taobao target +util_rb_tld tatamotors tatar tattoo tax taxi tc tci td tdk team tech technology tel temasek +util_rb_tld tennis teva tf tg th thd theater theatre tiaa tickets tienda tiffany tips tires +util_rb_tld tirol tj tjmaxx tjx tk tkmaxx tl tm tmall tn to today tokyo tools top toray +util_rb_tld toshiba total tours town toyota toys tr trade trading training travel +util_rb_tld travelchannel travelers travelersinsurance trust trv tt tube tui tunes tushu tv +util_rb_tld tvs tw tz ua ubank ubs ug uk unicom university uno uol ups us uy uz va +util_rb_tld vacations vana vanguard vc ve vegas ventures verisign versicherung vet vg vi +util_rb_tld viajes video vig viking villas vin vip virgin visa vision viva vivo vlaanderen +util_rb_tld vn vodka volkswagen volvo vote voting voto voyage vu vuelos wales walmart +util_rb_tld walter wang wanggou watch watches weather weatherchannel webcam weber website +util_rb_tld wed wedding weibo weir wf whoswho wien wiki williamhill win windows wine +util_rb_tld winners wme wolterskluwer woodside work works world wow ws wtc wtf xbox xerox +util_rb_tld xfinity xihuan xin xxx xyz yachts yahoo yamaxun yandex ye yodobashi yoga util_rb_tld yokohama you youtube yt yun za zappos zara zero zip zm zone zuerich zw # @@ -450,7 +449,7 @@ util_rb_2tld nextmail.ru util_rb_2tld nightmail.ru util_rb_2tld nm.ru util_rb_2tld notlong.com -util_rb_2tld page.tl +util_rb_2tld page.tl page.link util_rb_2tld pochta.ru util_rb_2tld pochtamt.ru util_rb_2tld pop3.ru diff --git a/sa-updates/20_dnsbl_tests.cf b/sa-updates/20_dnsbl_tests.cf index d905124..5d615f2 100644 --- a/sa-updates/20_dnsbl_tests.cf +++ b/sa-updates/20_dnsbl_tests.cf @@ -1,4 +1,4 @@ -# SpamAssassin rules file: DNS blacklist and whitelist tests +# SpamAssassin rules file: DNS blocklist and welcomelist tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. diff --git a/sa-updates/20_freemail_domains.cf b/sa-updates/20_freemail_domains.cf index 2b15b1c..c2cd98e 100644 --- a/sa-updates/20_freemail_domains.cf +++ b/sa-updates/20_freemail_domains.cf @@ -49,7 +49,7 @@ freemail_domains adres.nl advalvas.be aeiou.pt aeneasmail.com afrik.com freemail_domains afropoets.com aggies.com ahaa.dk aichi.com aim.com airpost.net aiutamici.com freemail_domains aklan.com aknet.kg alabama.usa.com alaska.usa.com alavatotal.com freemail_domains albafind.com albawaba.com alburaq.net aldeax.com aldeax.com.ar alex4all.com aliyun.com -freemail_domains alexandria.cc algeria.com alice.it alinto.com allmail.net +freemail_domains alexandria.cc algeria.com alice.it allmail.net freemail_domains alskens.dk altavista.se altbox.org alternativagratis.com alum.com freemail_domains alunos.unipar.br alvilag.hu amenworld.com america.hm freemail_domains americamail.com amnetsal.com amorous.com ananzi.co.za anet.ne.jp anfmail.com diff --git a/sa-updates/20_mailspike.cf b/sa-updates/20_mailspike.cf index 3af7ff5..ae942d2 100644 --- a/sa-updates/20_mailspike.cf +++ b/sa-updates/20_mailspike.cf @@ -70,7 +70,7 @@ tflags RCVD_IN_MSPIKE_ZBI net ## Meta rules for aggregating good and bad senders # Bad meta RCVD_IN_MSPIKE_BL RCVD_IN_MSPIKE_L5 || RCVD_IN_MSPIKE_L4 || RCVD_IN_MSPIKE_L3 || __RCVD_IN_MSPIKE_Z -describe RCVD_IN_MSPIKE_BL Mailspike blacklisted +describe RCVD_IN_MSPIKE_BL Mailspike blocklisted tflags RCVD_IN_MSPIKE_BL net # Good diff --git a/sa-updates/20_pdfinfo.cf b/sa-updates/20_pdfinfo.cf index d6963a2..52f469b 100644 --- a/sa-updates/20_pdfinfo.cf +++ b/sa-updates/20_pdfinfo.cf @@ -270,6 +270,7 @@ body GMD_PDF_EMPTY_BODY eval:pdf_is_empty_body() describe GMD_PDF_EMPTY_BODY Attached PDF with empty message body score GMD_PDF_EMPTY_BODY 0.25 # counts GMD_PDF_EMPTY_BODY 1638s/20h of 27034 corpus (24636s/2398h AxB-MANUAL) 07/19/07 +priority GMD_PDF_EMPTY_BODY 2000 # workaround for Bug 8070 ###################################################################################################### # metas diff --git a/sa-updates/20_vbounce.cf b/sa-updates/20_vbounce.cf index 3c877a7..3a1a39c 100644 --- a/sa-updates/20_vbounce.cf +++ b/sa-updates/20_vbounce.cf @@ -48,18 +48,16 @@ # ########################################################################### -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::VBounce - body __MY_SERVERS_FOUND eval:check_welcomelist_bounce_relays() - endif -else - ifplugin Mail::SpamAssassin::Plugin::VBounce - body __MY_SERVERS_FOUND eval:check_whitelist_bounce_relays() - endif -endif - ifplugin Mail::SpamAssassin::Plugin::VBounce + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + body __MY_SERVERS_FOUND eval:check_welcomelist_bounce_relays() +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + body __MY_SERVERS_FOUND eval:check_whitelist_bounce_relays() +endif + body __HAVE_BOUNCE_RELAYS eval:have_any_bounce_relays() # --------------------------------------------------------------------------- @@ -335,4 +333,6 @@ describe VBOUNCE_MESSAGE Virus-scanner bounce message meta ANY_BOUNCE_MESSAGE (CRBOUNCE_MESSAGE||BOUNCE_MESSAGE||VBOUNCE_MESSAGE||OOOBOUNCE_MESSAGE) describe ANY_BOUNCE_MESSAGE Message is some kind of bounce message -endif + +endif # Mail::SpamAssassin::Plugin::VBounce + diff --git a/sa-updates/25_dcc.cf b/sa-updates/25_dcc.cf index a95dd22..d698e84 100644 --- a/sa-updates/25_dcc.cf +++ b/sa-updates/25_dcc.cf @@ -33,7 +33,7 @@ ifplugin Mail::SpamAssassin::Plugin::DCC full DCC_CHECK eval:check_dcc() describe DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) -tflags DCC_CHECK net +tflags DCC_CHECK net autolearn_body priority DCC_CHECK 10 reuse DCC_CHECK diff --git a/sa-updates/25_dkim.cf b/sa-updates/25_dkim.cf index 5c19243..8cb9831 100644 --- a/sa-updates/25_dkim.cf +++ b/sa-updates/25_dkim.cf @@ -109,6 +109,21 @@ describe NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list meta NML_ADSP_CUSTOM_HIGH DKIM_ADSP_CUSTOM_HIGH && !__VIA_ML && !__VIA_RESIGNER describe NML_ADSP_CUSTOM_HIGH ADSP custom_high hit, and not from a mailing list +if can(Mail::SpamAssassin::Plugin::DKIM::has_arc) + full ARC_SIGNED eval:check_arc_signed() + describe ARC_SIGNED Message has a ARC signature + tflags ARC_SIGNED net + reuse ARC_SIGNED + + full ARC_VALID eval:check_arc_valid() + describe ARC_VALID Message has a valid ARC signature + tflags ARC_VALID net + reuse ARC_VALID + + meta ARC_INVALID ARC_SIGNED && !ARC_VALID + describe ARC_INVALID ARC signature exists, but is not valid +endif + # # old, declared for compatibility with pre-3.3, should have scores 0 # diff --git a/sa-updates/60_whitelist_subject.cf b/sa-updates/25_dmarc.cf similarity index 52% rename from sa-updates/60_whitelist_subject.cf rename to sa-updates/25_dmarc.cf index 970c808..48afd49 100644 --- a/sa-updates/60_whitelist_subject.cf +++ b/sa-updates/25_dmarc.cf @@ -1,4 +1,4 @@ -# SpamAssassin rules file: default whitelist/blacklist subject +# SpamAssassin - DMARC rules # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. @@ -20,23 +20,43 @@ # See the License for the specific language governing permissions and # limitations under the License. # - -########################################################################### -# Whitelist/Blacklist rules # -# Note that most of these get 'noautolearn'. They should not be -# considered when deciding whether to auto-learn a message, as a -# user slip-up could result in scribbling side-effects in the bayes -# db as a result -- which is hard to remedy. +########################################################################### -ifplugin Mail::SpamAssassin::Plugin::WhiteListSubject +# Requires the Mail::SpamAssassin::Plugin::DMARC plugin be loaded. -header SUBJECT_IN_WHITELIST eval:check_subject_in_whitelist() -describe SUBJECT_IN_WHITELIST Subject: contains string in the user's white-list -tflags SUBJECT_IN_WHITELIST userconf nice noautolearn +# Backwards compatible name (was renamed to DMARC in trunk before 4.0.0) +ifplugin Mail::SpamAssassin::Plugin::Dmarc -header SUBJECT_IN_BLACKLIST eval:check_subject_in_blacklist() -describe SUBJECT_IN_BLACKLIST Subject: contains string in the user's black-list -tflags SUBJECT_IN_BLACKLIST userconf noautolearn +header DMARC_PASS eval:check_dmarc_pass() +describe DMARC_PASS DMARC pass policy +priority DMARC_PASS 500 +tflags DMARC_PASS net nice +reuse DMARC_PASS + +header DMARC_REJECT eval:check_dmarc_reject() +describe DMARC_REJECT DMARC reject policy +priority DMARC_REJECT 500 +tflags DMARC_REJECT net +reuse DMARC_REJECT + +header DMARC_QUAR eval:check_dmarc_quarantine() +describe DMARC_QUAR DMARC quarantine policy +priority DMARC_QUAR 500 +tflags DMARC_QUAR net +reuse DMARC_QUAR + +header DMARC_NONE eval:check_dmarc_none() +describe DMARC_NONE DMARC none policy +priority DMARC_NONE 500 +tflags DMARC_NONE net +reuse DMARC_NONE + +header DMARC_MISSING eval:check_dmarc_missing() +describe DMARC_MISSING Missing DMARC policy +priority DMARC_MISSING 500 +tflags DMARC_MISSING net +reuse DMARC_MISSING + +endif -endif # Mail::SpamAssassin::Plugin::WhiteListSubject diff --git a/sa-updates/25_pyzor.cf b/sa-updates/25_pyzor.cf index 12495ec..990312a 100644 --- a/sa-updates/25_pyzor.cf +++ b/sa-updates/25_pyzor.cf @@ -33,7 +33,7 @@ ifplugin Mail::SpamAssassin::Plugin::Pyzor full PYZOR_CHECK eval:check_pyzor() describe PYZOR_CHECK Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) -tflags PYZOR_CHECK net +tflags PYZOR_CHECK net autolearn_body priority PYZOR_CHECK 30 reuse PYZOR_CHECK diff --git a/sa-updates/25_razor2.cf b/sa-updates/25_razor2.cf index 0626b73..a32bbea 100644 --- a/sa-updates/25_razor2.cf +++ b/sa-updates/25_razor2.cf @@ -33,7 +33,7 @@ ifplugin Mail::SpamAssassin::Plugin::Razor2 full RAZOR2_CHECK eval:check_razor2() describe RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) -tflags RAZOR2_CHECK net +tflags RAZOR2_CHECK net autolearn_body priority RAZOR2_CHECK 20 reuse RAZOR2_CHECK diff --git a/sa-updates/25_uribl.cf b/sa-updates/25_uribl.cf index c61abe8..f575ed9 100644 --- a/sa-updates/25_uribl.cf +++ b/sa-updates/25_uribl.cf @@ -342,12 +342,12 @@ uridnsbl_skip_domain microsofttranslator.com office.com microsoftonline.com bing # Some frequent known good URIDNSBL lookups 3.10.2018 -hk uridnsbl_skip_domain aka.ms akamaihd.net alibaba.com alicdn.com amazon.co.uk -uridnsbl_skip_domain amazon.de amazonaws.com amazonses.com bandcamp.com -uridnsbl_skip_domain booking.com cdninstagram.com cloudfront.net dhl.com +uridnsbl_skip_domain amazon.de amazonses.com bandcamp.com +uridnsbl_skip_domain booking.com cdninstagram.com dhl.com uridnsbl_skip_domain dhl.fi dna.fi domain.fi dpd.de dropbox.com ebay.fr uridnsbl_skip_domain elisa.fi elisanet.fi emltrk.com fbcdn.net ficora.fi uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com -uridnsbl_skip_domain google.de google.fi googleapis.com googleusercontent.com +uridnsbl_skip_domain google.de google.fi googleusercontent.com uridnsbl_skip_domain gstatic.com hotels.com ikea.com images-amazon.com uridnsbl_skip_domain inet.fi instagram.com kolumbus.fi licdn.com linkedin.com uridnsbl_skip_domain media-amazon.com mtasv.net mzstatic.com nebula.fi diff --git a/sa-updates/25_url_shortener.cf b/sa-updates/25_url_shortener.cf new file mode 100644 index 0000000..b5ddffd --- /dev/null +++ b/sa-updates/25_url_shortener.cf @@ -0,0 +1,301 @@ +# SpamAssassin - URL shortener rules +# +# Please don't modify this file as your changes will be overwritten with +# the next update. Use /etc/mail/spamassassin/local.cf instead. +# See 'perldoc Mail::SpamAssassin::Conf' for details. +# +# <@LICENSE> +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# +########################################################################### + +### +### Note that this file contains two separate lists, url_shortener and a +### backup regex generated from it. Both must updated and kept in sync. +### +### __URL_SHORTENER will always by set by either the plugin or regex +### + +# SpamAssassin 4.0 version required +if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url_redir) + +body __URL_SHORTENER eval:short_url() + +body URL_SHORTENER_CHAINED eval:short_url_chained() +describe URL_SHORTENER_CHAINED Message contains shortened URL chained to other shorteners +tflags URL_SHORTENER_CHAINED net +score URL_SHORTENER_CHAINED 0.01 + +uri URL_SHORTENER_DISABLED m,^https://(?:bitly\.com/a/blocked|tinyurl\.com/app/nospam), +describe URL_SHORTENER_DISABLED Message contains shortened URL that has been disabled due to abuse +tflags URL_SHORTENER_DISABLED net +score URL_SHORTENER_DISABLED 2 + +# +# Please only add entries that you manually verified as actual working +# redirectors that can have abusable custom URLs. Adding non-abusable +# services only generates unnecessary HTTP requests. +# +# After any changes, also update __URL_SHORTENER regex at end of file. +# + +# generic list of likely active services - cleaned up 25.05.2022 +url_shortener .ftn.app +url_shortener .page.link +url_shortener .short.gy +url_shortener .shortz.me +url_shortener 0rz.tw +url_shortener 4sq.com +url_shortener 4url.cc +url_shortener afly.co +url_shortener ai6.net +url_shortener amzn.com +url_shortener amzn.to +url_shortener b.link +url_shortener b23.ru +url_shortener binged.it +url_shortener bit.do +url_shortener bit.ly +url_shortener bitly.com +url_shortener bizj.us +url_shortener chilp.it +url_shortener conta.cc +url_shortener crks.me +url_shortener cutt.ly +url_shortener cutwin.biz +url_shortener dai.ly +url_shortener db.tt +url_shortener disq.us +url_shortener dlvr.it +url_shortener doi.org +url_shortener doiop.com +url_shortener eepurl.com +url_shortener fb.me +url_shortener fire.to +url_shortener firsturl.de +url_shortener firsturl.net +url_shortener flic.kr +url_shortener gdurl.com +url_shortener go.ly +url_shortener goo.gl +url_shortener goolnk.com +url_shortener gplinks.in +url_shortener guest.link +url_shortener hellotxt.com +url_shortener hop.kz +url_shortener hotshorturl.com +url_shortener hub.am +url_shortener huff.to +url_shortener hurl.it +url_shortener hyperurl.co +url_shortener inx.lv +url_shortener is.gd +url_shortener it2.in +url_shortener j.mp +url_shortener kore.us +url_shortener kurl.no +url_shortener l.bestsellers.to +url_shortener lnk.sk +url_shortener lnkd.in +url_shortener lnkiy.in +url_shortener lru.jp +url_shortener mrte.ch +url_shortener n9.cl +url_shortener ndurl.com +url_shortener onion.com +url_shortener ouo.io +url_shortener ow.ly +url_shortener owl.li +url_shortener pduda.mobi +url_shortener rb.gy +url_shortener redir.ec +url_shortener rotf.lol +url_shortener s.apache.org +url_shortener s.id +url_shortener shar.es +url_shortener shorl.com +url_shortener shortn.me +url_shortener shorturl.at +url_shortener simurl.net +url_shortener slidesha.re +url_shortener smarturl.it +url_shortener smfu.in +url_shortener snip.ly +url_shortener snkr.me +url_shortener stpmvt.com +url_shortener t.co +url_shortener t.ly +url_shortener tcrn.ch +url_shortener tgr.ph +url_shortener tiny.cc +url_shortener tiny.one +url_shortener tiny.pl +url_shortener tinylink.in +url_shortener tinyurl.com +url_shortener to.ly +url_shortener trib.al +url_shortener twixar.me +url_shortener u.nu +url_shortener u.to +url_shortener url.ie +url_shortener urlcut.com +url_shortener urlday.cc +url_shortener urls.im +url_shortener urlz.at +url_shortener urlzs.com +url_shortener utfg.sk +url_shortener wow.link +url_shortener wp.me +url_shortener x.co +url_shortener x.hypem.com +url_shortener xurl.es +url_shortener yhoo.it +url_shortener youtu.be +url_shortener z23.ru +url_shortener zurl.ws + +# www.shrunken.com - list validated 25.05.2022 +url_shortener www.shrunken.com +url_shortener 0.gp +url_shortener 2.gp +url_shortener 2.ly +url_shortener 3.ly +url_shortener 4.gp +url_shortener 4.ly +url_shortener 5.gp +url_shortener 6.gp +url_shortener 6.ly +url_shortener 7.ly +url_shortener 8.ly +url_shortener 9.ly +url_shortener g.asia +url_shortener p.asia +url_shortener ur3.us + +# shorturl.com - list validated 25.05.2022 +url_shortener alturl.com +url_shortener .1sta.com +url_shortener .24ex.com +url_shortener .2fear.com +url_shortener .2fortune.com +url_shortener .2freedom.com +url_shortener .2hell.com +url_shortener .2savvy.com +url_shortener .2truth.com +url_shortener .2tunes.com +url_shortener .2ya.com +url_shortener .alturl.com +url_shortener .antiblog.com +url_shortener .bigbig.com +url_shortener .dealtap.com +url_shortener .ebored.com +url_shortener .echoz.com +url_shortener .filetap.com +url_shortener .funurl.com +url_shortener .headplug.com +url_shortener .hereweb.com +url_shortener .hitart.com +url_shortener .mirrorz.com +url_shortener .mp3update.com +url_shortener .shorturl.com +url_shortener .spyw.com +url_shortener .vze.com + +# iscool.net - list validated 25.05.2022 +url_shortener .arecool.net +url_shortener .iscool.net +url_shortener .isfun.net +url_shortener .tux.nu + +# kisa.link - list validated 25.05.2022 +url_shortener kisa.link +url_shortener www.kisa.link +url_shortener bul.tc +url_shortener cy.tc +url_shortener fn.tc +url_shortener ftp.tc +url_shortener gr.tc +url_shortener hbr.tc +url_shortener heg.tc +url_shortener ins.tc +url_shortener ko.tc +url_shortener kod.tc +url_shortener lol.tc +url_shortener m2.tc +url_shortener ml.tc +url_shortener mmo.tc +url_shortener oy.tc +url_shortener pc.tc +url_shortener pubg.tc +url_shortener pvp.tc +url_shortener sro.tc +url_shortener tek.link +url_shortener tw.tc + +# grabify.link - list validated 25.05.2022 +url_shortener grabify.link +url_shortener catsnthing.com +url_shortener catsnthings.fun +url_shortener cheapcinema.club +url_shortener dateing.club +url_shortener fortnight.space +url_shortener fortnitechat.site +url_shortener freegiftcards.co +url_shortener gaming-at-my.best +url_shortener gamingfun.me +url_shortener headshot.monster +url_shortener imageshare.best +url_shortener joinmy.site +url_shortener leancoding.co +url_shortener locations.quest +url_shortener lovebird.guru +url_shortener myprivate.pics +url_shortener noodshare.pics +url_shortener partpicker.shop +url_shortener progaming.monster +url_shortener screenshare.pics +url_shortener screenshot.best +url_shortener shhh.lol +url_shortener shrekis.life +url_shortener sportshub.bar +url_shortener stopify.co +url_shortener trulove.guru +url_shortener yourmy.monster + +# GET method required for some services, keep the same services in url_shortener also +if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_get) +url_shortener_get bit.ly +endif + +endif # has_short_url_redir + + +### +### Use a regex if DecodeShortURLs plugin is not loaded +### + +if !can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url_redir) + +## Generate __URL_SHORTENER with this command, to keep it in sync with url_shortener list: +## +## perl -pe 'while (<>) {/^\s*url_shortener\s+(\S+)/ or next;$s=quotemeta($1);$s=~s/^\\./\\w+\\./;push @a,$s} print "uri __URL_SHORTENER m,^https?://(?:".join("|",@a).")/,i\n"' < 25_url_shortener.cf +## + +uri __URL_SHORTENER m,^https?://(?:\w+\.ftn\.app|\w+\.page\.link|\w+\.short\.gy|\w+\.shortz\.me|0rz\.tw|4sq\.com|4url\.cc|afly\.co|ai6\.net|amzn\.com|amzn\.to|b\.link|b23\.ru|binged\.it|bit\.do|bit\.ly|bitly\.com|bizj\.us|chilp\.it|conta\.cc|crks\.me|cutt\.ly|cutwin\.biz|dai\.ly|db\.tt|disq\.us|dlvr\.it|doi\.org|doiop\.com|eepurl\.com|fb\.me|fire\.to|firsturl\.de|firsturl\.net|flic\.kr|gdurl\.com|go\.ly|goo\.gl|goolnk\.com|gplinks\.in|guest\.link|hellotxt\.com|hop\.kz|hotshorturl\.com|hub\.am|huff\.to|hurl\.it|hyperurl\.co|inx\.lv|is\.gd|it2\.in|j\.mp|kore\.us|kurl\.no|l\.bestsellers\.to|lnk\.sk|lnkd\.in|lnkiy\.in|lru\.jp|mrte\.ch|n9\.cl|ndurl\.com|onion\.com|ouo\.io|ow\.ly|owl\.li|pduda\.mobi|rb\.gy|redir\.ec|rotf\.lol|s\.apache\.org|s\.id|shar\.es|shorl\.com|shortn\.me|shorturl\.at|simurl\.net|slidesha\.re|smarturl\.it|smfu\.in|snip\.ly|snkr\.me|stpmvt\.com|t\.co|t\.ly|tcrn\.ch|tgr\.ph|tiny\.cc|tiny\.one|tiny\.pl|tinylink\.in|tinyurl\.com|to\.ly|trib\.al|twixar\.me|u\.nu|u\.to|url\.ie|urlcut\.com|urlday\.cc|urls\.im|urlz\.at|urlzs\.com|utfg\.sk|wow\.link|wp\.me|x\.co|x\.hypem\.com|xurl\.es|yhoo\.it|youtu\.be|z23\.ru|zurl\.ws|www\.shrunken\.com|0\.gp|2\.gp|2\.ly|3\.ly|4\.gp|4\.ly|5\.gp|6\.gp|6\.ly|7\.ly|8\.ly|9\.ly|g\.asia|p\.asia|ur3\.us|alturl\.com|\w+\.1sta\.com|\w+\.24ex\.com|\w+\.2fear\.com|\w+\.2fortune\.com|\w+\.2freedom\.com|\w+\.2hell\.com|\w+\.2savvy\.com|\w+\.2truth\.com|\w+\.2tunes\.com|\w+\.2ya\.com|\w+\.alturl\.com|\w+\.antiblog\.com|\w+\.bigbig\.com|\w+\.dealtap\.com|\w+\.ebored\.com|\w+\.echoz\.com|\w+\.filetap\.com|\w+\.funurl\.com|\w+\.headplug\.com|\w+\.hereweb\.com|\w+\.hitart\.com|\w+\.mirrorz\.com|\w+\.mp3update\.com|\w+\.shorturl\.com|\w+\.spyw\.com|\w+\.vze\.com|\w+\.arecool\.net|\w+\.iscool\.net|\w+\.isfun\.net|\w+\.tux\.nu|kisa\.link|www\.kisa\.link|bul\.tc|cy\.tc|fn\.tc|ftp\.tc|gr\.tc|hbr\.tc|heg\.tc|ins\.tc|ko\.tc|kod\.tc|lol\.tc|m2\.tc|ml\.tc|mmo\.tc|oy\.tc|pc\.tc|pubg\.tc|pvp\.tc|sro\.tc|tek\.link|tw\.tc|grabify\.link|catsnthing\.com|catsnthings\.fun|cheapcinema\.club|dateing\.club|fortnight\.space|fortnitechat\.site|freegiftcards\.co|gaming\-at\-my\.best|gamingfun\.me|headshot\.monster|imageshare\.best|joinmy\.site|leancoding\.co|locations\.quest|lovebird\.guru|myprivate\.pics|noodshare\.pics|partpicker\.shop|progaming\.monster|screenshare\.pics|screenshot\.best|shhh\.lol|shrekis\.life|sportshub\.bar|stopify\.co|trulove\.guru|yourmy\.monster)/,i + +endif + diff --git a/sa-updates/30_text_de.cf b/sa-updates/30_text_de.cf index 7025146..c14b3e3 100644 --- a/sa-updates/30_text_de.cf +++ b/sa-updates/30_text_de.cf @@ -328,10 +328,10 @@ lang de describe BAYES_99 Spamwahrscheinlichkeit nach Bayes-Test: 99-100% lang de describe BAYES_999 Spamwahrscheinlichkeit nach Bayes-Test: 99.9-100% endif # -lang de describe USER_IN_BLACKLIST Absenderadresse steht in Ihrer persönlichen schwarzen Liste -lang de describe USER_IN_WHITELIST Absenderadresse steht in Ihrer persönlichen weißen Liste -lang de describe USER_IN_DEF_WHITELIST Absenderadresse steht in der allgemeinen weißen Liste -lang de describe USER_IN_BLACKLIST_TO Empfängeradresse steht in Ihrer persönlichen schwarzen Liste +lang de describe USER_IN_BLOCKLIST Absenderadresse steht in Ihrer persönlichen schwarzen Liste +lang de describe USER_IN_WELCOMELIST Absenderadresse steht in Ihrer persönlichen weißen Liste +lang de describe USER_IN_DEF_WELCOMELIST Absenderadresse steht in der allgemeinen weißen Liste +lang de describe USER_IN_BLOCKLIST_TO Empfängeradresse steht in Ihrer persönlichen schwarzen Liste lang de describe USER_IN_WELCOMELIST_TO Empfängeradresse steht in Ihrer persönlichen weißen Liste lang de describe USER_IN_MORE_SPAM_TO Empfängeradresse soll fast alle (Spam-) Nachrichten erhalten lang de describe USER_IN_ALL_SPAM_TO Empfängeradresse soll alle (Spam-) Nachrichten erhalten diff --git a/sa-updates/30_text_fr.cf b/sa-updates/30_text_fr.cf index a511300..840f8e0 100644 --- a/sa-updates/30_text_fr.cf +++ b/sa-updates/30_text_fr.cf @@ -246,11 +246,11 @@ lang fr describe UPPERCASE_50_75 Message compos lang fr describe UPPERCASE_75_100 Message composé de 75 à 100% de majuscules lang fr describe URG_BIZ Contient la formule "urgent business" lang fr describe USER_IN_ALL_SPAM_TO Destinataire sur la liste "all_spam_to" (config SA locale) -lang fr describe USER_IN_BLACKLIST Expéditeur sur la liste noire (config SA locale) -lang fr describe USER_IN_BLACKLIST_TO Destinataire sur la liste "blacklist_to" (config SA locale) -lang fr describe USER_IN_DEF_WHITELIST Expéditeur dans la liste OK par défaut de SpamAssassin +lang fr describe USER_IN_BLOCKLIST Expéditeur sur la liste noire (config SA locale) +lang fr describe USER_IN_BLOCKLIST_TO Destinataire sur la liste "blocklist_to" (config SA locale) +lang fr describe USER_IN_DEF_WELCOMELIST Expéditeur dans la liste OK par défaut de SpamAssassin lang fr describe USER_IN_MORE_SPAM_TO Destinataire sur la liste "more_spam_to" (config SA locale) -lang fr describe USER_IN_WHITELIST Expéditeur sur la liste blanche (OK) (config SA locale) +lang fr describe USER_IN_WELCOMELIST Expéditeur sur la liste blanche (OK) (config SA locale) lang fr describe USER_IN_WELCOMELIST_TO Destinataire sur la liste blanche (config SA) #lang fr describe US_DOLLARS_3 Escroq. nigérienne, version modifiée, phrase clé ($NN,NNN,NNN.NN) lang fr describe DRUG_ED_ONLINE Vente de Viagra par correspondance diff --git a/sa-updates/30_text_pl.cf b/sa-updates/30_text_pl.cf index 37712dc..c249b4e 100644 --- a/sa-updates/30_text_pl.cf +++ b/sa-updates/30_text_pl.cf @@ -232,12 +232,12 @@ lang pl describe UPPERCASE_75_100 Tre lang pl describe URG_BIZ Pilna sprawa #lang pl describe US_DOLLARS_3 Wspomina miliony $ ($NN,NNN,NNN.NN) lang pl describe USER_IN_ALL_SPAM_TO U¿ytkownik jest wymieniony w 'all_spam_to' -lang pl describe USER_IN_BLACKLIST Od: zawiera adres z Twojej "czarnej listy" -lang pl describe USER_IN_BLACKLIST_TO U¿ytkownik jest wymieniony w 'blacklist_to' -lang pl describe USER_IN_DEF_WHITELIST U¿ytkownik jest wymieniony w domy¶lnej white-list (bia³ej li¶cie) +lang pl describe USER_IN_BLOCKLIST Od: zawiera adres z Twojej "czarnej listy" +lang pl describe USER_IN_BLOCKLIST_TO U¿ytkownik jest wymieniony w 'blocklist_to' +lang pl describe USER_IN_DEF_WELCOMELIST U¿ytkownik jest wymieniony w domy¶lnej welcome-list (bia³ej li¶cie) lang pl describe USER_IN_MORE_SPAM_TO U¿ytkownik jest wymieniony w 'more_spam_to' -lang pl describe USER_IN_WHITELIST Od: zawiera adres z white-list (bia³ej listy) -lang pl describe USER_IN_WELCOMELIST_TO U¿ytkownik jest wymieniony w 'whitelist_to' +lang pl describe USER_IN_WELCOMELIST Od: zawiera adres z welcome-list (bia³ej listy) +lang pl describe USER_IN_WELCOMELIST_TO U¿ytkownik jest wymieniony w 'welcomelist_to' lang pl describe WEIRD_PORT U¿ywa niestandardowego numeru portu dla HTTP lang pl describe WEIRD_QUOTING Dziwne, powtarzaj±ce siê znaki podwójnego cytowania lang pl describe WITH_LC_SMTP Linia 'Received' zawiera spamerski podpis (smtp) diff --git a/sa-updates/30_text_pt_br.cf b/sa-updates/30_text_pt_br.cf index 1e6f859..182d75c 100644 --- a/sa-updates/30_text_pt_br.cf +++ b/sa-updates/30_text_pt_br.cf @@ -50,16 +50,16 @@ lang pt_BR unsafe_report ou confirmar que seu endere lang pt_BR unsafe_report Se quiser visualizar a mensagem, pode ser mais seguro salvá-la em um arquivo lang pt_BR unsafe_report e abrí-la com um editor. -lang pt_BR describe USER_IN_BLACKLIST Endereço do From: está na blacklist do usuário -lang pt_BR describe USER_IN_WHITELIST Endereço do From: está na whitelist do usuário -lang pt_BR describe USER_IN_DEF_WHITELIST Endereço do From: está na whitelist padrão -lang pt_BR describe USER_IN_BLACKLIST_TO Usuário está listado na 'blacklist_to' -lang pt_BR describe USER_IN_WELCOMELIST_TO Usuário está listado na 'whitelist_to' +lang pt_BR describe USER_IN_BLOCKLIST Endereço do From: está na blocklist do usuário +lang pt_BR describe USER_IN_WELCOMELIST Endereço do From: está na welcomelist do usuário +lang pt_BR describe USER_IN_DEF_WELCOMELIST Endereço do From: está na welcomelist padrão +lang pt_BR describe USER_IN_BLOCKLIST_TO Usuário está listado na 'blocklist_to' +lang pt_BR describe USER_IN_WELCOMELIST_TO Usuário está listado na 'welcomelist_to' lang pt_BR describe USER_IN_MORE_SPAM_TO Usuário está listado na 'more_spam_to' lang pt_BR describe USER_IN_ALL_SPAM_TO Usuário está listado na 'all_spam_to' ifplugin Mail::SpamAssassin::Plugin::AWL -lang pt_BR describe AWL Endereço do From: está na auto whitelist +lang pt_BR describe AWL Endereço do From: está na auto welcomelist endif # 20_advance_fee.cf - These are removed and will break lint @@ -357,7 +357,7 @@ lang pt_BR describe EMPTY_MESSAGE Mensagem parece n lang pt_BR describe NO_HEADERS_MESSAGE Mensagem parece não conter grande parte dos cabeçalhos RFC-822 # 20_net_tests.cf -lang pt_BR describe DIGEST_MULTIPLE Remetente está listado em mais de uma blacklist +lang pt_BR describe DIGEST_MULTIPLE Remetente está listado em mais de uma blocklist lang pt_BR describe NO_DNS_FOR_FROM Remetente não possui registros MX ou A no DNS # 20_phrases.cf @@ -579,17 +579,17 @@ lang pt_BR describe BODY_8BITS Body cont endif # 25_uribl.cf -lang pt_BR describe URIBL_SBL Contém uma URL listada na blacklist SBL -lang pt_BR describe URIBL_DBL_SPAM Contém uma URL listada na blacklist DBL blocklist +lang pt_BR describe URIBL_SBL Contém uma URL listada na blocklist SBL +lang pt_BR describe URIBL_DBL_SPAM Contém uma URL listada na blocklist DBL blocklist lang pt_BR describe URIBL_DBL_ERROR Erro: Consultou a DBL por um IP -#lang pt_BR describe URIBL_SC_SURBL Contém uma URL listada na blacklist SC SURBL - removed bug 7279 -lang pt_BR describe URIBL_WS_SURBL Contém uma URL listada na blacklist WS SURBL -lang pt_BR describe URIBL_PH_SURBL Contém uma URL listada na blacklist PH SURBL -#lang pt_BR describe URIBL_OB_SURBL Contém uma URL listada na blacklist OB SURBL - REMOVED BUG 6853 -#lang pt_BR describe URIBL_AB_SURBL Contém uma URL listada na blacklist AB SURBL - removed bug 7279 +#lang pt_BR describe URIBL_SC_SURBL Contém uma URL listada na blocklist SC SURBL - removed bug 7279 +lang pt_BR describe URIBL_WS_SURBL Contém uma URL listada na blocklist WS SURBL +lang pt_BR describe URIBL_PH_SURBL Contém uma URL listada na blocklist PH SURBL +#lang pt_BR describe URIBL_OB_SURBL Contém uma URL listada na blocklist OB SURBL - REMOVED BUG 6853 +#lang pt_BR describe URIBL_AB_SURBL Contém uma URL listada na blocklist AB SURBL - removed bug 7279 #Changed from JP to ABUSE per bug 7279 -lang pt_BR describe URIBL_ABUSE_SURBL Contém uma URL listada na blacklist ABUSE SURBL -lang pt_BR describe URIBL_BLACK Contém uma URL listada na blacklist URIBL +lang pt_BR describe URIBL_ABUSE_SURBL Contém uma URL listada na blocklist ABUSE SURBL +lang pt_BR describe URIBL_BLACK Contém uma URL listada na blocklist URIBL lang pt_BR describe URIBL_GREY Contém uma URL listada na greylist URIBL lang pt_BR describe URIBL_RED Contém uma URL listada na redlist URIBL @@ -598,16 +598,12 @@ ifplugin Mail::SpamAssassin::Plugin::Shortcircuit lang pt_BR describe SHORTCIRCUIT Nem todas as regras foram executadas por causa de um problema em uma delas endif -# 60_whitelist_dkim.cf -lang pt_BR describe USER_IN_DKIM_WHITELIST Endereço do From: está na whitelist de DKIM do usuário -lang pt_BR describe USER_IN_DEF_DKIM_WL Endereço do From: está na whitelist de DKIM padrão +# 60_welcomelist_dkim.cf +lang pt_BR describe USER_IN_DKIM_WELCOMELIST Endereço do From: está na welcomelist de DKIM do usuário +lang pt_BR describe USER_IN_DEF_DKIM_WL Endereço do From: está na welcomelist de DKIM padrão -# 60_whitelist_spf.cf -lang pt_BR describe USER_IN_SPF_WHITELIST Endereço do From: está na whitelist de SPF do usuário -lang pt_BR describe USER_IN_DEF_SPF_WL Endereço do From: está na whitelist de SPF padrão -lang pt_BR describe ENV_AND_HDR_SPF_MATCH Endereço do From: confere com Envelope From e está na whitelist de SPF - -# 60_whitelist_subject.cf -lang pt_BR describe SUBJECT_IN_WHITELIST Assunto contém palavra que está na whitelist do usuário -lang pt_BR describe SUBJECT_IN_BLACKLIST Assunto contém palavra que está na blacklist do usuário +# 60_welcomelist_spf.cf +lang pt_BR describe USER_IN_SPF_WELCOMELIST Endereço do From: está na welcomelist de SPF do usuário +lang pt_BR describe USER_IN_DEF_SPF_WL Endereço do From: está na welcomelist de SPF padrão +lang pt_BR describe ENV_AND_HDR_SPF_MATCH Endereço do From: confere com Envelope From e está na welcomelist de SPF diff --git a/sa-updates/50_scores.cf b/sa-updates/50_scores.cf index 5667af5..8df7bdd 100644 --- a/sa-updates/50_scores.cf +++ b/sa-updates/50_scores.cf @@ -702,38 +702,35 @@ score NO_HEADERS_MESSAGE 0.001 score HTML_CHARSET_FARAWAY 0.500 score MIME_CHARSET_FARAWAY 2.450 -# rescore never changes the whitelist/blacklist scores +# rescore never changes the welcomelist/blocklist scores ifplugin Mail::SpamAssassin::Plugin::WLBLEval -#score USER_IN_BLACKLIST 100.000 - Moved to 60_whitelist.cf -#score USER_IN_WHITELIST -100.000 - Moved to 60_whitelist.cf -#score USER_IN_DEF_WHITELIST -15.000 - Moved to 60_whitelist.cf -#score USER_IN_BLACKLIST_TO 10.000 - Moved to 60_whitelist.cf -#score URI_HOST_IN_BLACKLIST 100.0 - Moved to 60_whitelist.cf -#score URI_HOST_IN_WHITELIST -100.0 - Moved to 60_whitelist.cf +#score USER_IN_BLOCKLIST 100.000 - Moved to 60_welcomelist.cf +#score USER_IN_WELCOMELIST -100.000 - Moved to 60_welcomelist.cf +#score USER_IN_DEF_WELCOMELIST -15.000 - Moved to 60_welcomelist.cf +#score USER_IN_BLOCKLIST_TO 10.000 - Moved to 60_welcomelist.cf +#score URI_HOST_IN_BLOCKLIST 100.0 - Moved to 60_welcomelist.cf +#score URI_HOST_IN_WELCOMELIST -100.0 - Moved to 60_welcomelist.cf #Removed in bug 7256 -#score HEADER_HOST_IN_BLACKLIST 100.0 -#score HEADER_HOST_IN_WHITELIST -100.0 +#score HEADER_HOST_IN_BLOCKLIST 100.0 +#score HEADER_HOST_IN_WELCOMELIST -100.0 # not really false positives but the user wants spam! -#score USER_IN_WHITELIST_TO -6.000 - Moved to 60_whitelist.cf +#score USER_IN_WELCOMELIST_TO -6.000 - Moved to 60_welcomelist.cf score USER_IN_MORE_SPAM_TO -20.000 score USER_IN_ALL_SPAM_TO -100.000 endif -ifplugin Mail::SpamAssassin::Plugin::WhiteListSubject -score SUBJECT_IN_WHITELIST -100 -score SUBJECT_IN_BLACKLIST 100 -endif # Mail::SpamAssassin::Plugin::WhiteListSubject - ifplugin Mail::SpamAssassin::Plugin::SPF -score USER_IN_SPF_WHITELIST -100.000 +score USER_IN_SPF_WELCOMELIST -100 # overridden in 60_welcomelist_spf.cf +score USER_IN_SPF_WHITELIST -100 # overridden in 60_welcomelist_spf.cf score USER_IN_DEF_SPF_WL -7.500 score ENV_AND_HDR_SPF_MATCH -0.5 endif # Mail::SpamAssassin::Plugin::SPF # DKIM ifplugin Mail::SpamAssassin::Plugin::DKIM -#score USER_IN_DKIM_WHITELIST -100.000 - Moved to 60_whitelist_dkim.cf +score USER_IN_DKIM_WELCOMELIST -100 # overridden in 60_welcomelist_dkim.cf +score USER_IN_DKIM_WHITELIST -100 # overridden in 60_welcomelist_dkim.cf score USER_IN_DEF_DKIM_WL -7.500 score DKIM_SIGNED 0.1 score DKIM_VALID -0.1 @@ -744,6 +741,12 @@ if (version >= 3.004002) score DKIM_VALID_EF -0.1 endif +if can(Mail::SpamAssassin::Plugin::DKIM::has_arc) + score ARC_SIGNED 0.001 + score ARC_VALID -0.1 + score ARC_INVALID 0.1 +endif + score DKIM_VERIFIED 0 score DKIM_POLICY_SIGNALL 0 score DKIM_POLICY_SIGNSOME 0 @@ -787,6 +790,17 @@ score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2 # endif # Mail::SpamAssassin::Plugin::SPF +# DMARC +ifplugin Mail::SpamAssassin::Plugin::DMARC +score DMARC_PASS -0.001 +# +score DMARC_REJECT 0.001 1.797 0.001 1.797 # n=0 n=2 +score DMARC_QUAR 0.001 1.198 0.001 1.198 # n=0 n=2 +score DMARC_NONE 0.001 0.898 0.001 0.898 # n=0 n=2 +# +score DMARC_MISSING 0.001 +endif # Mail::SpamAssassin::Plugin::DMARC + # URIDNSBL ifplugin Mail::SpamAssassin::Plugin::URIDNSBL # diff --git a/sa-updates/60_awl.cf b/sa-updates/60_awl.cf index 6b86007..6e74e0d 100644 --- a/sa-updates/60_awl.cf +++ b/sa-updates/60_awl.cf @@ -1,4 +1,4 @@ -# SpamAssassin rules file: auto-whitelist +# SpamAssassin rules file: auto-welcomelist # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. @@ -23,7 +23,13 @@ ifplugin Mail::SpamAssassin::Plugin::AWL +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) +header AWL eval:check_from_in_auto_welcomelist() +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) header AWL eval:check_from_in_auto_whitelist() +endif + describe AWL Adjusted score from AWL reputation of From: address tflags AWL userconf noautolearn priority AWL 1000 diff --git a/sa-updates/60_shortcircuit.cf b/sa-updates/60_shortcircuit.cf index fb855a8..bb3e076 100644 --- a/sa-updates/60_shortcircuit.cf +++ b/sa-updates/60_shortcircuit.cf @@ -27,16 +27,18 @@ ########################################################################### -priority USER_IN_WHITELIST -1000 -priority USER_IN_DEF_WHITELIST -1000 -priority USER_IN_ALL_SPAM_TO -1000 -priority SUBJECT_IN_WHITELIST -1000 +priority USER_IN_WELCOMELIST -1000 +priority USER_IN_WHITELIST -1000 +priority USER_IN_DEF_WELCOMELIST -1000 +priority USER_IN_DEF_WHITELIST -1000 +priority USER_IN_ALL_SPAM_TO -1000 -priority ALL_TRUSTED -950 +priority ALL_TRUSTED -950 -priority SUBJECT_IN_BLACKLIST -900 -priority USER_IN_BLACKLIST_TO -900 -priority USER_IN_BLACKLIST -900 +priority USER_IN_BLOCKLIST_TO -900 +priority USER_IN_BLOCKLIST -900 +priority USER_IN_BLACKLIST_TO -900 +priority USER_IN_BLACKLIST -900 ########################################################################### diff --git a/sa-updates/60_welcomelist.cf b/sa-updates/60_welcomelist.cf new file mode 100644 index 0000000..9e59156 --- /dev/null +++ b/sa-updates/60_welcomelist.cf @@ -0,0 +1,263 @@ +# SpamAssassin rules file: default welcomelists +# +# Please don't modify this file as your changes will be overwritten with +# the next update. Use /etc/mail/spamassassin/local.cf instead. +# See 'perldoc Mail::SpamAssassin::Conf' for details. +# +# <@LICENSE> +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval + +########################################################################### +# Welcomelist rules +# +# Note that most of these get 'noautolearn'. They should not be +# considered when deciding whether to auto-learn a message, as a +# user slip-up could result in scribbling side-effects in the bayes +# db as a result -- which is hard to remedy. + +# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_BLOCKLIST eval:check_from_in_blocklist() + describe USER_IN_BLOCKLIST From: user is listed in the block-list + tflags USER_IN_BLOCKLIST userconf nice noautolearn + score USER_IN_BLOCKLIST 100 + + # Backwards compatibility + # To disable set "enable_compat welcomelist_blocklist" in init.pre + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) + describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST + tflags USER_IN_BLACKLIST userconf nice noautolearn + score USER_IN_BLACKLIST 100 + score USER_IN_BLOCKLIST 0.01 + endif +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_BLOCKLIST eval:check_from_in_blacklist() + describe USER_IN_BLOCKLIST From: user is listed in the block-list + tflags USER_IN_BLOCKLIST userconf nice noautolearn + score USER_IN_BLOCKLIST 0.01 + + meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) + describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST + tflags USER_IN_BLACKLIST userconf nice noautolearn + score USER_IN_BLACKLIST 100 +endif + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_WELCOMELIST eval:check_from_in_welcomelist() + describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from' + tflags USER_IN_WELCOMELIST userconf nice noautolearn + score USER_IN_WELCOMELIST -100 + + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta USER_IN_WHITELIST (USER_IN_WELCOMELIST) + describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST + tflags USER_IN_WHITELIST userconf nice noautolearn + score USER_IN_WHITELIST -100 + score USER_IN_WELCOMELIST -0.01 + endif +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_WELCOMELIST eval:check_from_in_whitelist() + describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from' + tflags USER_IN_WELCOMELIST userconf nice noautolearn + score USER_IN_WELCOMELIST -0.01 + + meta USER_IN_WHITELIST (USER_IN_WELCOMELIST) + describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST + tflags USER_IN_WHITELIST userconf nice noautolearn + score USER_IN_WHITELIST -100 +endif + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_welcomelist() + describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list + tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn + score USER_IN_DEF_WELCOMELIST -15 + + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST) + describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST + tflags USER_IN_DEF_WHITELIST userconf nice noautolearn + score USER_IN_DEF_WHITELIST -15 + score USER_IN_DEF_WELCOMELIST -0.01 + endif +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_whitelist() + describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list + tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn + score USER_IN_DEF_WELCOMELIST -0.01 + + meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST) + describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_DEF_WELCOMELIST + tflags USER_IN_DEF_WHITELIST userconf nice noautolearn + score USER_IN_DEF_WHITELIST -15 +endif + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_BLOCKLIST_TO eval:check_to_in_blocklist() + describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' + tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn + score USER_IN_BLOCKLIST_TO 10 + + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) + describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO + tflags USER_IN_BLACKLIST_TO userconf nice noautolearn + score USER_IN_BLACKLIST_TO 10 + score USER_IN_BLOCKLIST_TO 0.01 + endif +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_BLOCKLIST_TO eval:check_to_in_blacklist() + describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' + tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn + score USER_IN_BLOCKLIST_TO 0.01 + + meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) + describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO + tflags USER_IN_BLACKLIST_TO userconf nice noautolearn + score USER_IN_BLACKLIST_TO 10 +endif + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_WELCOMELIST_TO eval:check_to_in_welcomelist() + describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to' + tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn + score USER_IN_WELCOMELIST_TO -6 + + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO) + describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO + tflags USER_IN_WHITELIST_TO userconf nice noautolearn + score USER_IN_WHITELIST_TO -6 + score USER_IN_WELCOMELIST_TO -0.01 + endif +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_WELCOMELIST_TO eval:check_to_in_whitelist() + describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to' + tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn + score USER_IN_WELCOMELIST_TO -0.01 + + meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO) + describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO + tflags USER_IN_WHITELIST_TO userconf nice noautolearn + score USER_IN_WHITELIST_TO -6 +endif + +header USER_IN_MORE_SPAM_TO eval:check_to_in_more_spam() +describe USER_IN_MORE_SPAM_TO User is listed in 'more_spam_to' +tflags USER_IN_MORE_SPAM_TO userconf nice noautolearn + +header USER_IN_ALL_SPAM_TO eval:check_to_in_all_spam() +describe USER_IN_ALL_SPAM_TO User is listed in 'all_spam_to' +tflags USER_IN_ALL_SPAM_TO userconf nice noautolearn + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blocklist() + describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list + tflags URI_HOST_IN_BLOCKLIST userconf noautolearn + score URI_HOST_IN_BLOCKLIST 100 + + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST) + describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST + tflags URI_HOST_IN_BLACKLIST userconf noautolearn + score URI_HOST_IN_BLACKLIST 100 + score URI_HOST_IN_BLOCKLIST 0.01 + endif +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + if (version >= 3.004000) + body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blacklist() + describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list + tflags URI_HOST_IN_BLOCKLIST userconf noautolearn + score URI_HOST_IN_BLOCKLIST 0.01 + + meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST) + describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST + tflags URI_HOST_IN_BLACKLIST userconf noautolearn + score URI_HOST_IN_BLACKLIST 100 + endif +endif + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_welcomelist() + describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list + tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn + score URI_HOST_IN_WELCOMELIST -100 + + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST) + describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST + tflags URI_HOST_IN_WHITELIST userconf nice noautolearn + score URI_HOST_IN_WHITELIST -100 + score URI_HOST_IN_WELCOMELIST -0.01 + endif +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + if (version >= 3.004000) + body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_whitelist() + describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list + tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn + score URI_HOST_IN_WELCOMELIST -0.01 + + meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST) + describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST + tflags URI_HOST_IN_WHITELIST userconf nice noautolearn + score URI_HOST_IN_WHITELIST -100 + endif +endif + + # Bug 7256, using a header rule with an eval() function does not work the way + # this was intended. + + # header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLOCK') + # describe HEADER_HOST_IN_BLACKLIST Host or Domain in header is listed in the user's URI black-list + # tflags HEADER_HOST_IN_BLACKLIST userconf noautolearn + + # header HEADER_HOST_IN_WHITELIST eval:check_uri_host_listed('WELCOME') + # describe HEADER_HOST_IN_WHITELIST Host or Domain in header is listed in the user's URI white-list + # tflags HEADER_HOST_IN_WHITELIST userconf nice noautolearn + +########################################################################### +# Default welcomelists. These should be addresses which send mail that is often +# tagged (incorrectly) as spam; it also helps that they be addresses of big +# companies with lots of lawyers, so if spammers impersonate them, they'll get +# into big trouble, so it doesn't provide a shortcut around SpamAssassin. +# +# Welcomelist and blocklist addresses are now file-glob-style patterns, so +# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. +# +# Please do not add unmoderated public mailing lists here. They are +# too easily abused by spammers. + +# Should really not be used these days, use def_welcomelist_auth if possible. + + # def_welcomelist_from_rcvd *@foo.com foo.com + +# +# +# + +endif # ifplugin Mail::SpamAssassin::Plugin::WLBLEval + diff --git a/sa-updates/60_whitelist_auth.cf b/sa-updates/60_welcomelist_auth.cf similarity index 99% rename from sa-updates/60_whitelist_auth.cf rename to sa-updates/60_welcomelist_auth.cf index bd9f3d6..1fed9e7 100644 --- a/sa-updates/60_whitelist_auth.cf +++ b/sa-updates/60_welcomelist_auth.cf @@ -24,8 +24,6 @@ ########################################################################### # SPF and DKIM whitelist rules -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ########################################################################### # These should be primarily envelope-from addresses which send mail that is # often tagged (incorrectly) as spam or high-profile domains that are common @@ -42,6 +40,9 @@ if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) # SA. Change the def_welcomelist_auth entry and search "older" and change # the previous config entries in unison. +# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + def_welcomelist_auth *@apache.org def_welcomelist_auth *@*.apache.org @@ -120,6 +121,7 @@ def_welcomelist_auth *@*.docusign.com # authentic emails # def_welcomelist_auth *@*.indeed.com +def_welcomelist_auth *@*.wellframe.com def_welcomelist_auth *@*.hyatt.com def_welcomelist_auth *@*.sears.com def_welcomelist_auth *@*.jcpenney.com @@ -433,7 +435,6 @@ def_welcomelist_auth *@logmein.com def_welcomelist_auth *@lastpass.com def_welcomelist_auth *@*.seabourn.com def_welcomelist_auth *@*.execucar.com -def_welcomelist_auth *@*.intuit.com def_welcomelist_auth *@*.build.com def_welcomelist_auth *@*.trulia.com def_welcomelist_auth *@*.rentalcars.com @@ -496,7 +497,6 @@ def_welcomelist_auth *@*.aarp.org def_welcomelist_auth *@*.aeropostale.com def_welcomelist_auth *@*.zappos.com def_welcomelist_auth *@*.redhat.com -def_welcomelist_auth *@*.freshdesk.com def_welcomelist_auth *@*.planningcenteronline.com def_welcomelist_auth *@*.ihg.com def_welcomelist_auth *@*.opendns.com @@ -796,7 +796,6 @@ def_welcomelist_auth *@*.endcitizensunited.org def_welcomelist_auth *@*.redditgifts.com def_welcomelist_auth *@*.tdworld.com def_welcomelist_auth *@*.thenorthface.com -def_welcomelist_auth *@*.bark.com def_welcomelist_auth *@*.center.io def_welcomelist_auth *@*.movethisworld.com def_welcomelist_auth *@*.pgsurveying.com @@ -1014,9 +1013,14 @@ def_welcomelist_auth *@*.testingmom.com def_welcomelist_auth *@*.ceramicartsnetwork.org def_welcomelist_auth *@*.verintefm.com -else +endif # if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) -#For older versions of SA, these old entries remain for SA before version 4.0 + +# +# For older versions of SA, these old entries remain for SA before version 4.0 +# + +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) def_whitelist_auth *@apache.org def_whitelist_auth *@*.apache.org @@ -1409,7 +1413,6 @@ def_whitelist_auth *@logmein.com def_whitelist_auth *@lastpass.com def_whitelist_auth *@*.seabourn.com def_whitelist_auth *@*.execucar.com -def_whitelist_auth *@*.intuit.com def_whitelist_auth *@*.build.com def_whitelist_auth *@*.trulia.com def_whitelist_auth *@*.rentalcars.com @@ -1472,7 +1475,6 @@ def_whitelist_auth *@*.aarp.org def_whitelist_auth *@*.aeropostale.com def_whitelist_auth *@*.zappos.com def_whitelist_auth *@*.redhat.com -def_whitelist_auth *@*.freshdesk.com def_whitelist_auth *@*.planningcenteronline.com def_whitelist_auth *@*.ihg.com def_whitelist_auth *@*.opendns.com @@ -1990,5 +1992,5 @@ def_whitelist_auth *@*.testingmom.com def_whitelist_auth *@*.ceramicartsnetwork.org def_whitelist_auth *@*.verintefm.com -endif # if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) +endif # if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) diff --git a/sa-updates/60_whitelist_dkim.cf b/sa-updates/60_welcomelist_dkim.cf similarity index 81% rename from sa-updates/60_whitelist_dkim.cf rename to sa-updates/60_welcomelist_dkim.cf index 8e4e067..2f3d024 100644 --- a/sa-updates/60_whitelist_dkim.cf +++ b/sa-updates/60_welcomelist_dkim.cf @@ -21,60 +21,59 @@ # limitations under the License. # +ifplugin Mail::SpamAssassin::Plugin::DKIM + ########################################################################### # DKIM whitelist rules -#For those wondering why there's not just an ifplugin in front of all of this, there's a big involving it -#in nested if statements -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::DKIM - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_welcomelist_from() - describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist - tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf - score USER_IN_DKIM_WELCOMELIST -100.000 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta USER_IN_DKIM_WHITELIST (USER_IN_DKIM_WELCOMELIST) - describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST - tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf - score USER_IN_DKIM_WELCOMELIST -0.01 - score USER_IN_DKIM_WHITELIST -100.000 - endif - endif - - #might be a way to only have one instance of the below block, unsure if it's even necessary - reuse USER_IN_DKIM_WHITELSIT +# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_welcomelist_from() + describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist + tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf + score USER_IN_DKIM_WELCOMELIST -100 reuse USER_IN_DKIM_WELCOMELIST -else - ifplugin Mail::SpamAssassin::Plugin::DKIM - header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_whitelist_from() - describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist - tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf - score USER_IN_DKIM_WELCOMELIST -0.01 - + # Backwards compatibility + # To disable set "enable_compat welcomelist_blocklist" in init.pre + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) meta USER_IN_DKIM_WHITELIST (USER_IN_DKIM_WELCOMELIST) - describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST - tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf - score USER_IN_DKIM_WHITELIST -100.000 + describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST + tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf + score USER_IN_DKIM_WHITELIST -100 + reuse USER_IN_DKIM_WHITELIST + score USER_IN_DKIM_WELCOMELIST -0.01 endif - - reuse USER_IN_DKIM_WHITELSIT +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_DKIM_WELCOMELIST eval:check_for_dkim_whitelist_from() + describe USER_IN_DKIM_WELCOMELIST From: address is in the user's DKIM welcomelist + tflags USER_IN_DKIM_WELCOMELIST nice noautolearn net userconf + score USER_IN_DKIM_WELCOMELIST -100 reuse USER_IN_DKIM_WELCOMELIST + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta USER_IN_DKIM_WHITELIST (USER_IN_DKIM_WELCOMELIST) + describe USER_IN_DKIM_WHITELIST DEPRECATED: See USER_IN_DKIM_WELCOMELIST + tflags USER_IN_DKIM_WHITELIST nice noautolearn net userconf + score USER_IN_DKIM_WHITELIST -100 + reuse USER_IN_DKIM_WHITELIST + score USER_IN_DKIM_WELCOMELIST -0.01 + endif endif - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) -ifplugin Mail::SpamAssassin::Plugin::DKIM - -# The backwards compatibility for this rule will be after the else statement below -header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_welcomelist_from() -describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list -tflags USER_IN_DEF_DKIM_WL nice noautolearn net -reuse USER_IN_DEF_DKIM_WL - +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_welcomelist_from() + describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list + tflags USER_IN_DEF_DKIM_WL nice noautolearn net + reuse USER_IN_DEF_DKIM_WL +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from() + describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list + tflags USER_IN_DEF_DKIM_WL nice noautolearn net + reuse USER_IN_DEF_DKIM_WL +endif ########################################################################### # Default welcomelists. These should be e-mail addresses of authors (i.e. @@ -87,6 +86,8 @@ reuse USER_IN_DEF_DKIM_WL # Whitelist and blacklist addresses are file-glob-style patterns, so # "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + def_welcomelist_from_dkim *@*.ebay.com ebay.com def_welcomelist_from_dkim *@ebay.com def_welcomelist_from_dkim *@ebay.co.uk @@ -195,22 +196,14 @@ def_welcomelist_from_dkim *@fisglobal.com def_welcomelist_from_dkim *@*.msgfocus.com def_welcomelist_from_dkim *@boredpanda.com mailersend.com -endif # Mail::SpamAssassin::Plugin::DKIM - - +endif # if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) # # For older versions of SA, these old entries remain for SA before version 4.0 # -else -ifplugin Mail::SpamAssassin::Plugin::DKIM - -header USER_IN_DEF_DKIM_WL eval:check_for_def_dkim_whitelist_from() -describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM welcome-list -tflags USER_IN_DEF_DKIM_WL nice noautolearn net -reuse USER_IN_DEF_DKIM_WL +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) def_whitelist_from_dkim *@*.ebay.com ebay.com def_whitelist_from_dkim *@ebay.com @@ -320,6 +313,11 @@ def_whitelist_from_dkim *@fisglobal.com def_whitelist_from_dkim *@*.msgfocus.com def_whitelist_from_dkim *@boredpanda.com mailersend.com -endif # Mail::SpamAssassin::Plugin::DKIM -endif # if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) +endif # if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + +# +# +# + +endif # Mail::SpamAssassin::Plugin::DKIM diff --git a/sa-updates/60_welcomelist_spf.cf b/sa-updates/60_welcomelist_spf.cf new file mode 100644 index 0000000..b814455 --- /dev/null +++ b/sa-updates/60_welcomelist_spf.cf @@ -0,0 +1,170 @@ +# SpamAssassin rules file: default SPF welcomelists +# +# Please don't modify this file as your changes will be overwritten with +# the next update. Use /etc/mail/spamassassin/local.cf instead. +# See 'perldoc Mail::SpamAssassin::Conf' for details. +# +# <@LICENSE> +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +ifplugin Mail::SpamAssassin::Plugin::SPF + +########################################################################### +# SPF welcomelist rules + +# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_SPF_WELCOMELIST eval:check_for_spf_welcomelist_from() + describe USER_IN_SPF_WELCOMELIST From: address is in the user's SPF welcomelist + tflags USER_IN_SPF_WELCOMELIST userconf nice noautolearn net + score USER_IN_SPF_WELCOMELIST -100 + reuse USER_IN_SPF_WELCOMELIST + + # Backwards compatibility + # To disable set "enable_compat welcomelist_blocklist" in init.pre + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta USER_IN_SPF_WHITELIST (USER_IN_SPF_WELCOMELIST) + describe USER_IN_SPF_WHITELIST DEPRECATED: See USER_IN_SPF_WELCOMELIST + tflags USER_IN_SPF_WHITELIST userconf nice noautolearn net + score USER_IN_SPF_WHITELIST -100 + reuse USER_IN_SPF_WHITELIST + score USER_IN_SPF_WELCOMELIST -0.01 + endif + + header USER_IN_DEF_SPF_WL eval:check_for_def_spf_welcomelist_from() + describe USER_IN_DEF_SPF_WL From: address is in the default SPF welcome-list + tflags USER_IN_DEF_SPF_WL userconf nice noautolearn net + reuse USER_IN_DEF_SPF_WL +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + header USER_IN_SPF_WELCOMELIST eval:check_for_spf_whitelist_from() + describe USER_IN_SPF_WELCOMELIST From: address is in the user's SPF welcomelist + tflags USER_IN_SPF_WELCOMELIST userconf nice noautolearn net + score USER_IN_SPF_WELCOMELIST -0.01 + reuse USER_IN_SPF_WELCOMELIST + + meta USER_IN_SPF_WHITELIST (USER_IN_SPF_WELCOMELIST) + describe USER_IN_SPF_WHITELIST DEPRECATED: See USER_IN_SPF_WELCOMELIST + tflags USER_IN_SPF_WHITELIST userconf nice noautolearn net + score USER_IN_SPF_WHITELIST -100 + reuse USER_IN_SPF_WHITELIST + + header USER_IN_DEF_SPF_WL eval:check_for_def_spf_whitelist_from() + describe USER_IN_DEF_SPF_WL From: address is in the default SPF welcome-list + tflags USER_IN_DEF_SPF_WL userconf nice noautolearn net + reuse USER_IN_DEF_SPF_WL +endif + +meta ENV_AND_HDR_SPF_MATCH (USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH) +describe ENV_AND_HDR_SPF_MATCH Env and Hdr From used in default SPF WL Match +tflags ENV_AND_HDR_SPF_MATCH userconf nice noautolearn net + +########################################################################### +# Default welcomelists. These should be addresses which send mail that is often +# tagged (incorrectly) as spam; it also helps that they be addresses of big +# companies with lots of lawyers, so if spammers impersonate them, they'll get +# into big trouble, so it doesn't provide a shortcut around SpamAssassin. +# +# Whitelist and blacklist addresses are now file-glob-style patterns, so +# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. +# +# Please do not add unmoderated public mailing lists here. They are +# too easily abused by spammers. + +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + +def_welcomelist_from_spf *@nytimes.com +def_welcomelist_from_spf *@amazon.com +def_welcomelist_from_spf *@amazon.co.uk +def_welcomelist_from_spf *@*.amazon.co.uk +def_welcomelist_from_spf *@ora.com +def_welcomelist_from_spf *@*.ora.com +def_welcomelist_from_spf *@mypoints.com +def_welcomelist_from_spf *@*.mypoints.com +def_welcomelist_from_spf *@paypal.com +def_welcomelist_from_spf *@ebay.com +def_welcomelist_from_spf *@foolsubs.com +def_welcomelist_from_spf *@match.com + +# bugtraq: can contain malicious Javascript etc. +def_welcomelist_from_spf *@securityfocus.com + +def_welcomelist_from_spf *@mediaunspun.imakenews.net + +# sender of Cringley newsletter +def_welcomelist_from_spf *@bdcimail.com + +# Silicon.com newslettters - we see thousands of these +def_welcomelist_from_spf *@silicon.com + +# C|Net news.com newsletters +def_welcomelist_from_spf *@newsletter.online.com + +# bug 1348 +def_welcomelist_from_spf *@enews.buy.com +def_welcomelist_from_spf *@palm.m0.net +def_welcomelist_from_spf *@handspring.4at1.com + +endif + + +### +### For <4.0 compatibility +### + +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) + +def_whitelist_from_spf *@nytimes.com +def_whitelist_from_spf *@amazon.com +def_whitelist_from_spf *@amazon.co.uk +def_whitelist_from_spf *@*.amazon.co.uk +def_whitelist_from_spf *@ora.com +def_whitelist_from_spf *@*.ora.com +def_whitelist_from_spf *@mypoints.com +def_whitelist_from_spf *@*.mypoints.com +def_whitelist_from_spf *@paypal.com +def_whitelist_from_spf *@ebay.com +def_whitelist_from_spf *@foolsubs.com +def_whitelist_from_spf *@match.com + +# bugtraq: can contain malicious Javascript etc. +def_whitelist_from_spf *@securityfocus.com + +def_whitelist_from_spf *@mediaunspun.imakenews.net + +# sender of Cringley newsletter +def_whitelist_from_spf *@bdcimail.com + +# Silicon.com newslettters - we see thousands of these +def_whitelist_from_spf *@silicon.com + +# C|Net news.com newsletters +def_whitelist_from_spf *@newsletter.online.com + +# bug 1348 +def_whitelist_from_spf *@enews.buy.com +def_whitelist_from_spf *@palm.m0.net +def_whitelist_from_spf *@handspring.4at1.com + +endif + +### +### +### + +endif # Mail::SpamAssassin::Plugin::SPF + diff --git a/sa-updates/60_welcomelist_subject.cf b/sa-updates/60_welcomelist_subject.cf new file mode 100644 index 0000000..072e4a4 --- /dev/null +++ b/sa-updates/60_welcomelist_subject.cf @@ -0,0 +1,87 @@ +# SpamAssassin rules file: default welcomelist/blocklist subject +# +# Please don't modify this file as your changes will be overwritten with +# the next update. Use /etc/mail/spamassassin/local.cf instead. +# See 'perldoc Mail::SpamAssassin::Conf' for details. +# +# <@LICENSE> +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +########################################################################### +# Welcomelist/Blocklist rules +# +# Note that most of these get 'noautolearn'. They should not be +# considered when deciding whether to auto-learn a message, as a +# user slip-up could result in scribbling side-effects in the bayes +# db as a result -- which is hard to remedy. + +# 4.0 / Bug 7826 renames whitelist to welcomelist and blacklist to blocklist +# Module was renamed WhiteListSubject -> WelcomeListSubject +ifplugin Mail::SpamAssassin::Plugin::WelcomeListSubject + header SUBJECT_IN_WELCOMELIST eval:check_subject_in_welcomelist() + describe SUBJECT_IN_WELCOMELIST Subject: contains string in the user's welcome-list + tflags SUBJECT_IN_WELCOMELIST userconf nice noautolearn + score SUBJECT_IN_WELCOMELIST -100 + + # Backwards compatibility + # To disable set "enable_compat welcomelist_blocklist" in init.pre + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta SUBJECT_IN_WHITELIST (SUBJECT_IN_WELCOMELIST) + describe SUBJECT_IN_WHITELIST DEPRECATED: See SUBJECT_IN_WELCOMELIST + tflags SUBJECT_IN_WHITELIST userconf nice noautolearn + score SUBJECT_IN_WHITELIST -100 + score SUBJECT_IN_WELCOMELIST -0.01 + endif + + header SUBJECT_IN_BLOCKLIST eval:check_subject_in_blocklist() + describe SUBJECT_IN_BLOCKLIST Subject: contains string in the user's block-list + tflags SUBJECT_IN_BLOCKLIST userconf noautolearn + score SUBJECT_IN_BLOCKLIST 100 + + if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist) + meta SUBJECT_IN_BLACKLIST (SUBJECT_IN_BLOCKLIST) + describe SUBJECT_IN_BLACKLIST DEPRECATED: See SUBJECT_IN_BLOCKLIST + tflags SUBJECT_IN_BLACKLIST userconf noautolearn + score SUBJECT_IN_BLACKLIST 100 + score SUBJECT_IN_BLOCKLIST 0.01 + endif +endif + +if !plugin(Mail::SpamAssassin::Plugin::WelcomeListSubject) +ifplugin Mail::SpamAssassin::Plugin::WhiteListSubject + header SUBJECT_IN_WELCOMELIST eval:check_subject_in_whitelist() + describe SUBJECT_IN_WELCOMELIST Subject: contains string in the user's welcome-list + tflags SUBJECT_IN_WELCOMELIST userconf nice noautolearn + score SUBJECT_IN_WELCOMELIST -0.01 + + meta SUBJECT_IN_WHITELIST (SUBJECT_IN_WELCOMELIST) + describe SUBJECT_IN_WHITELIST DEPRECATED: See SUBJECT_IN_WELCOMELIST + tflags SUBJECT_IN_WHITELIST userconf nice noautolearn + score SUBJECT_IN_WHITELIST -100 + + header SUBJECT_IN_BLOCKLIST eval:check_subject_in_blacklist() + describe SUBJECT_IN_BLOCKLIST Subject: contains string in the user's block-list + tflags SUBJECT_IN_BLOCKLIST userconf noautolearn + score SUBJECT_IN_BLOCKLIST 0.01 + + meta SUBJECT_IN_BLACKLIST (SUBJECT_IN_BLOCKLIST) + describe SUBJECT_IN_BLACKLIST DEPRECATED: See SUBJECT_IN_BLOCKLIST + tflags SUBJECT_IN_BLACKLIST userconf noautolearn + score SUBJECT_IN_BLACKLIST 100 +endif +endif + diff --git a/sa-updates/60_whitelist.cf b/sa-updates/60_whitelist.cf deleted file mode 100644 index 46268ac..0000000 --- a/sa-updates/60_whitelist.cf +++ /dev/null @@ -1,286 +0,0 @@ -# SpamAssassin rules file: default welcomelists -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use /etc/mail/spamassassin/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -########################################################################### -# Welcomelist rules -# -# Note that most of these get 'noautolearn'. They should not be -# considered when deciding whether to auto-learn a message, as a -# user slip-up could result in scribbling side-effects in the bayes -# db as a result -- which is hard to remedy. - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - header USER_IN_BLOCKLIST eval:check_from_in_blocklist() - describe USER_IN_BLOCKLIST From: user is listed in the block-list - tflags USER_IN_BLOCKLIST userconf nice noautolearn - score USER_IN_BLOCKLIST 100.0 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) - describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST - tflags USER_IN_BLACKLIST userconf nice noautolearn - score USER_IN_BLOCKLIST 0.01 - score USER_IN_BLACKLIST 100.0 - endif - endif -else - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - header USER_IN_BLOCKLIST eval:check_from_in_blacklist() - describe USER_IN_BLOCKLIST From: user is listed in the block-list - tflags USER_IN_BLOCKLIST userconf nice noautolearn - score USER_IN_BLOCKLIST 0.01 - - meta USER_IN_BLACKLIST (USER_IN_BLOCKLIST) - describe USER_IN_BLACKLIST DEPRECATED: See USER_IN_BLOCKLIST - tflags USER_IN_BLACKLIST userconf nice noautolearn - score USER_IN_BLACKLIST 100.0 - endif -endif - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - header USER_IN_WELCOMELIST eval:check_from_in_welcomelist() - describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from' - tflags USER_IN_WELCOMELIST userconf nice noautolearn - score USER_IN_WELCOMELIST -100.0 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta USER_IN_WHITELIST (USER_IN_WELCOMELIST) - describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST - tflags USER_IN_WHITELIST userconf nice noautolearn - score USER_IN_WELCOMELIST -0.01 - score USER_IN_WHITELIST -100.0 - endif - endif -else - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - header USER_IN_WELCOMELIST eval:check_from_in_whitelist() - describe USER_IN_WELCOMELIST User is listed in 'welcomelist_from' - tflags USER_IN_WELCOMELIST userconf nice noautolearn - score USER_IN_WELCOMELIST -0.01 - - meta USER_IN_WHITELIST (USER_IN_WELCOMELIST) - describe USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST - tflags USER_IN_WHITELIST userconf nice noautolearn - score USER_IN_WHITELIST -100.0 - endif -endif - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_welcomelist() - describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list - tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn - score USER_IN_DEF_WELCOMELIST -15.0 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST) - describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST - tflags USER_IN_DEF_WHITELIST userconf nice noautolearn - score USER_IN_DEF_WELCOMELIST -0.01 - score USER_IN_DEF_WHITELIST -15.0 - endif - endif -else - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - header USER_IN_DEF_WELCOMELIST eval:check_from_in_default_whitelist() - describe USER_IN_DEF_WELCOMELIST From: user is listed in the default welcome-list - tflags USER_IN_DEF_WELCOMELIST userconf nice noautolearn - score USER_IN_DEF_WELCOMELIST -0.01 - - meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST) - describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_DEF_WELCOMELIST - tflags USER_IN_DEF_WHITELIST userconf nice noautolearn - score USER_IN_DEF_WHITELIST -15.0 - endif -endif - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - header USER_IN_BLOCKLIST_TO eval:check_to_in_blocklist() - describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' - tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn - score USER_IN_BLOCKLIST 10.0 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) - describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO - tflags USER_IN_BLACKLIST_TO userconf nice noautolearn - score USER_IN_BLOCKLIST_TO 0.01 - score USER_IN_BLACKLIST_TO 10.0 - endif - endif -else - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - header USER_IN_BLOCKLIST_TO eval:check_to_in_blacklist() - describe USER_IN_BLOCKLIST_TO User is listed in 'blocklist_to' - tflags USER_IN_BLOCKLIST_TO userconf nice noautolearn - score USER_IN_BLOCKLIST_TO 0.01 - - meta USER_IN_BLACKLIST_TO (USER_IN_BLOCKLIST_TO) - describe USER_IN_BLACKLIST_TO DEPRECATED: See USER_IN_BLOCKLIST_TO - tflags USER_IN_BLACKLIST_TO userconf nice noautolearn - score USER_IN_BLACKLIST_TO 10.0 - endif -endif - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - header USER_IN_WELCOMELIST_TO eval:check_to_in_welcomelist() - describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to' - tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn - score USER_IN_WELCOMELIST_TO -6.0 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO) - describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO - tflags USER_IN_WHITELIST_TO userconf nice noautolearn - score USER_IN_WELCOMELIST_TO -0.01 - score USER_IN_WHITELIST_TO -6.0 - endif - endif -else - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - header USER_IN_WELCOMELIST_TO eval:check_to_in_whitelist() - describe USER_IN_WELCOMELIST_TO User is listed in 'welcomelist_to' - tflags USER_IN_WELCOMELIST_TO userconf nice noautolearn - score USER_IN_WELCOMELIST_TO -0.01 - - meta USER_IN_WHITELIST_TO (USER_IN_WELCOMELIST_TO) - describe USER_IN_WHITELIST_TO DEPRECATED: See USER_IN_WELCOMELIST_TO - tflags USER_IN_WHITELIST_TO userconf nice noautolearn - score USER_IN_WHITELIST_TO -6.0 - endif -endif - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval - header USER_IN_MORE_SPAM_TO eval:check_to_in_more_spam() - describe USER_IN_MORE_SPAM_TO User is listed in 'more_spam_to' - tflags USER_IN_MORE_SPAM_TO userconf nice noautolearn - - header USER_IN_ALL_SPAM_TO eval:check_to_in_all_spam() - describe USER_IN_ALL_SPAM_TO User is listed in 'all_spam_to' - tflags USER_IN_ALL_SPAM_TO userconf nice noautolearn -endif - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blocklist() - describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list - tflags URI_HOST_IN_BLOCKLIST userconf noautolearn - score URI_HOST_IN_BLOCKLIST 100.0 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST) - describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST - tflags URI_HOST_IN_BLACKLIST userconf noautolearn - score URI_HOST_IN_BLOCKLIST -0.01 - score URI_HOST_IN_BLACKLIST 100.0 - endif - endif -else - if (version >= 3.004000) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - body URI_HOST_IN_BLOCKLIST eval:check_uri_host_in_blacklist() - describe URI_HOST_IN_BLOCKLIST Host or Domain is listed in the user's URI block-list - tflags URI_HOST_IN_BLOCKLIST userconf noautolearn - score URI_HOST_IN_BLOCKLIST -0.01 - - meta URI_HOST_IN_BLACKLIST (URI_HOST_IN_BLOCKLIST) - describe URI_HOST_IN_BLACKLIST DEPRECATED: See URI_HOST_IN_BLOCKLIST - tflags URI_HOST_IN_BLACKLIST userconf noautolearn - score URI_HOST_IN_BLACKLIST 100.0 - endif - endif -endif - -if can(Mail::SpamAssassin::Conf::feature_blocklist_welcomelist) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - #bz7826 renames whitelist to welcomelist and blacklist to blocklist - body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_welcomelist() - describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list - tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn - score URI_HOST_IN_WELCOMELIST -100.0 - - ifplugin Mail::SpamAssassin::Plugin::RaciallyCharged - meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST) - describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST - tflags URI_HOST_IN_WHITELIST userconf nice noautolearn - score URI_HOST_IN_WELCOMELIST -0.01 - score URI_HOST_IN_WHITELIST -100.0 - endif - endif -else - if (version >= 3.004000) - ifplugin Mail::SpamAssassin::Plugin::WLBLEval - body URI_HOST_IN_WELCOMELIST eval:check_uri_host_in_whitelist() - describe URI_HOST_IN_WELCOMELIST Host or Domain is listed in the user's URI welcome-list - tflags URI_HOST_IN_WELCOMELIST userconf nice noautolearn - score URI_HOST_IN_WELCOMELIST -0.01 - - meta URI_HOST_IN_WHITELIST (URI_HOST_IN_WELCOMELIST) - describe URI_HOST_IN_WHITELIST DEPRECATED: See URI_HOST_IN_WELCOMELIST - tflags URI_HOST_IN_WHITELIST userconf nice noautolearn - score URI_HOST_IN_WHITELIST -100.0 - endif - endif -endif - - # Bug 7256, using a header rule with an eval() function does not work the way - # this was intended. - - # header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK') - # describe HEADER_HOST_IN_BLACKLIST Host or Domain in header is listed in the user's URI black-list - # tflags HEADER_HOST_IN_BLACKLIST userconf noautolearn - - # header HEADER_HOST_IN_WHITELIST eval:check_uri_host_listed('WHITE') - # describe HEADER_HOST_IN_WHITELIST Host or Domain in header is listed in the user's URI white-list - # tflags HEADER_HOST_IN_WHITELIST userconf nice noautolearn - -########################################################################### -# Default welcomelists. These should be addresses which send mail that is often -# tagged (incorrectly) as spam; it also helps that they be addresses of big -# companies with lots of lawyers, so if spammers impersonate them, they'll get -# into big trouble, so it doesn't provide a shortcut around SpamAssassin. -# -# Welcomelist and blocklist addresses are now file-glob-style patterns, so -# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. -# -# Please do not add unmoderated public mailing lists here. They are -# too easily abused by spammers. - -# Should really not be used these days, use def_welcomelist_auth if possible. - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval - - # def_welcomelist_from_rcvd *@foo.com foo.com - -endif diff --git a/sa-updates/60_whitelist_spf.cf b/sa-updates/60_whitelist_spf.cf deleted file mode 100644 index d845f46..0000000 --- a/sa-updates/60_whitelist_spf.cf +++ /dev/null @@ -1,87 +0,0 @@ -# SpamAssassin rules file: default SPF whitelists -# -# Please don't modify this file as your changes will be overwritten with -# the next update. Use /etc/mail/spamassassin/local.cf instead. -# See 'perldoc Mail::SpamAssassin::Conf' for details. -# -# <@LICENSE> -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -########################################################################### -# SPF whitelist rules - -ifplugin Mail::SpamAssassin::Plugin::SPF - -header USER_IN_SPF_WHITELIST eval:check_for_spf_whitelist_from() -describe USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist -tflags USER_IN_SPF_WHITELIST userconf nice noautolearn net -reuse USER_IN_SPF_WHITELIST - -header USER_IN_DEF_SPF_WL eval:check_for_def_spf_whitelist_from() -describe USER_IN_DEF_SPF_WL From: address is in the default SPF white-list -tflags USER_IN_DEF_SPF_WL userconf nice noautolearn net -reuse USER_IN_DEF_SPF_WL - -meta ENV_AND_HDR_SPF_MATCH (USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH) -describe ENV_AND_HDR_SPF_MATCH Env and Hdr From used in default SPF WL Match -tflags ENV_AND_HDR_SPF_MATCH userconf nice noautolearn net - -########################################################################### -# Default whitelists. These should be addresses which send mail that is often -# tagged (incorrectly) as spam; it also helps that they be addresses of big -# companies with lots of lawyers, so if spammers impersonate them, they'll get -# into big trouble, so it doesn't provide a shortcut around SpamAssassin. -# -# Whitelist and blacklist addresses are now file-glob-style patterns, so -# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work. -# -# Please do not add unmoderated public mailing lists here. They are -# too easily abused by spammers. - -def_whitelist_from_spf *@nytimes.com -def_whitelist_from_spf *@amazon.com -def_whitelist_from_spf *@amazon.co.uk -def_whitelist_from_spf *@*.amazon.co.uk -def_whitelist_from_spf *@ora.com -def_whitelist_from_spf *@*.ora.com -def_whitelist_from_spf *@mypoints.com -def_whitelist_from_spf *@*.mypoints.com -def_whitelist_from_spf *@paypal.com -def_whitelist_from_spf *@ebay.com -def_whitelist_from_spf *@foolsubs.com -def_whitelist_from_spf *@match.com - -# bugtraq: can contain malicious Javascript etc. -def_whitelist_from_spf *@securityfocus.com - -def_whitelist_from_spf *@mediaunspun.imakenews.net - -# sender of Cringley newsletter -def_whitelist_from_spf *@bdcimail.com - -# Silicon.com newslettters - we see thousands of these -def_whitelist_from_spf *@silicon.com - -# C|Net news.com newsletters -def_whitelist_from_spf *@newsletter.online.com - -# bug 1348 -def_whitelist_from_spf *@enews.buy.com -def_whitelist_from_spf *@palm.m0.net -def_whitelist_from_spf *@handspring.4at1.com - -endif # Mail::SpamAssassin::Plugin::SPF diff --git a/sa-updates/72_active.cf b/sa-updates/72_active.cf index 550fbc1..7bfb621 100644 --- a/sa-updates/72_active.cf +++ b/sa-updates/72_active.cf @@ -25,13 +25,6 @@ require_version 3.004006 -##{ ACCT_PHISHING_MANY - -meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY -describe ACCT_PHISHING_MANY Phishing for account information -#score ACCT_PHISHING_MANY 3.000 # limit -##} ACCT_PHISHING_MANY - ##{ AC_BR_BONANZA rawbody AC_BR_BONANZA /(?:
\s*){30}/i @@ -298,14 +291,6 @@ describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from tflags AMAZON_IMG_NOT_RCVD_AMZN publish ##} AMAZON_IMG_NOT_RCVD_AMZN -##{ ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON - describe ANY_PILL_PRICE Prices for pills -endif -##} ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - ##{ APOSTROPHE_FROM header APOSTROPHE_FROM From:addr =~ /'/ @@ -338,16 +323,11 @@ meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait ##} AXB_XMAILER_MIMEOLE_OL_024C2 -##{ AXB_XMAILER_MIMEOLE_OL_1ECD5 +##{ AXB_X_FF_SEZ_S -meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5) -describe AXB_XMAILER_MIMEOLE_OL_1ECD5 Yet another X header trait##} AXB_XMAILER_MIMEOLE_OL_1ECD5 - -##{ AXB_XM_FORGED_OL2600 - -meta AXB_XM_FORGED_OL2600 (__AXB_XM_OL_2600 && !__AXB_MO_OL_2600 ) -describe AXB_XM_FORGED_OL2600 Forged OE v. 6.2600 -##} AXB_XM_FORGED_OL2600 +header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/ +describe AXB_X_FF_SEZ_S Forefront sez this is spam +##} AXB_X_FF_SEZ_S ##{ BANKING_LAWS @@ -371,6 +351,13 @@ describe BASE64_LENGTH_79_INF base64 encoded email part uses line length great endif ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval +##{ BAT_BDRY_TO_MALF + +meta BAT_BDRY_TO_MALF __BAT_BOUNDARY && __TO_NO_ARROWS_R +describe BAT_BDRY_TO_MALF Bat boundary + misformatted To: address +#score BAT_BDRY_TO_MALF 2.500 # limit +##} BAT_BDRY_TO_MALF + ##{ BEBEE_IMG_NOT_RCVD_BB meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB @@ -604,20 +591,6 @@ describe BITCOIN_YOUR_INFO BitCoin with your personal info tflags BITCOIN_YOUR_INFO publish ##} BITCOIN_YOUR_INFO -##{ BODY_SINGLE_URI - -meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML -describe BODY_SINGLE_URI Message body is only a URI -#score BODY_SINGLE_URI 2.500 # limit -##} BODY_SINGLE_URI - -##{ BODY_SINGLE_WORD - -meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP -describe BODY_SINGLE_WORD Message body is only one word (no spaces) -#score BODY_SINGLE_WORD 2.500 # limit -##} BODY_SINGLE_WORD - ##{ BODY_URI_ONLY meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV @@ -742,12 +715,20 @@ endif ##{ CONTENT_AFTER_HTML -meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !__RCD_RDNS_MTA_MESSY && !__URI_DOTGOV -describe CONTENT_AFTER_HTML More content after HTML close tag +meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 ) +describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs #score CONTENT_AFTER_HTML 2.500 # limit tflags CONTENT_AFTER_HTML publish ##} CONTENT_AFTER_HTML +##{ CONTENT_AFTER_HTML_WEAK + +meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV +describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag +#score CONTENT_AFTER_HTML_WEAK 1.500 # limit +tflags CONTENT_AFTER_HTML_WEAK publish +##} CONTENT_AFTER_HTML_WEAK + ##{ CORRUPT_FROM_LINE_IN_HDRS meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) @@ -782,19 +763,19 @@ describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) endif ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -##{ CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - meta CTYPE_NULL __CTYPE_NULL - describe CTYPE_NULL Malformed Content-Type header -endif -##} CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - ##{ CURR_PRICE body CURR_PRICE /\bCurrent Price:/ ##} CURR_PRICE +##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval + +ifplugin Mail::SpamAssassin::Plugin::HeaderEval +header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') +describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date +endif +##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval + ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) @@ -1207,14 +1188,6 @@ describe FOUND_YOU I found you... tflags FOUND_YOU publish ##} FOUND_YOU -##{ FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED - describe FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden -endif -##} FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail - ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail @@ -1404,13 +1377,6 @@ meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIM describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool ##} FROM_MISSP_MSFT -##{ FROM_MISSP_PHISH - -meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB -describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish -#score FROM_MISSP_PHISH 3.500 # limit -##} FROM_MISSP_PHISH - ##{ FROM_MISSP_REPLYTO meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB @@ -1427,12 +1393,6 @@ ifplugin Mail::SpamAssassin::Plugin::SPF endif ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF -##{ FROM_MISSP_TO_UNDISC - -meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) -describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed -##} FROM_MISSP_TO_UNDISC - ##{ FROM_MISSP_USER meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) @@ -1495,13 +1455,6 @@ endif endif ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS -##{ FROM_NUMERIC_TLD - -header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/ -describe FROM_NUMERIC_TLD From: address has numeric TLD -#score FROM_NUMERIC_TLD 3.000 # limit -##} FROM_NUMERIC_TLD - ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) @@ -1538,12 +1491,6 @@ endif endif ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval -##{ FROM_WSP_TRAIL - -header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm -describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field -##} FROM_WSP_TRAIL - ##{ FSL_BULK_SIG meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 @@ -1573,11 +1520,6 @@ meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i ##} FSL_HELO_DEVICE -##{ FSL_HELO_FAKE - -header FSL_HELO_FAKE X-Spam-Relays-External =~ /\bhelo=(?:yandex.ru|(?:hotmail|gmail|google|yahoo|msn|microsoft)\.com)\b/i -##} FSL_HELO_FAKE - ##{ FSL_HELO_NON_FQDN_1 header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i @@ -1805,13 +1747,6 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -##{ GAPPY_LOW_CONTRAST - -meta GAPPY_LOW_CONTRAST __GAPPY_LOW_CONTRAST && !__HAS_LIST_ID -describe GAPPY_LOW_CONTRAST Gappy subject + hidden text -#score GAPPY_LOW_CONTRAST 2.500 # limit -##} GAPPY_LOW_CONTRAST - ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) @@ -1822,9 +1757,35 @@ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) endif ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) +##{ GB_BITCOIN_CP + +meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE ) +describe GB_BITCOIN_CP Localized Bitcoin scam +#score GB_BITCOIN_CP 3.0 # limit +##} GB_BITCOIN_CP + +##{ GB_BITCOIN_NH + +meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) ) +describe GB_BITCOIN_NH Localized Bitcoin scam +#score GB_BITCOIN_NH 3.0 # limit +##} GB_BITCOIN_NH + +##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) + +if (version >= 4.000000) +if can(Mail::SpamAssassin::Conf::feature_capture_rules) + meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI ) + describe GB_CUSTOM_HTM_URI Custom html uri +# score GB_CUSTOM_HTM_URI 1.500 # limit + tflags GB_CUSTOM_HTM_URI publish +endif +endif +##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) + ##{ GB_FAKE_RF_SHORT -meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER ) +meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER ) describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener #score GB_FAKE_RF_SHORT 2.000 # limit tflags GB_FAKE_RF_SHORT publish @@ -1866,12 +1827,37 @@ describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect tflags GB_GOOGLE_OBFUR publish ##} GB_GOOGLE_OBFUR -##{ GB_GOOG_IMG_NOT_RCVD_GOOG +##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL -meta GB_GOOG_IMG_NOT_RCVD_GOOG ( __GDRIVE_IMG_NOT_RCVD_GOOG || __GPHOTO_IMG_NOT_RCVD_GOOG ) && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP -describe GB_GOOG_IMG_NOT_RCVD_GOOG Google hosted image but message not from Google -#score GB_GOOG_IMG_NOT_RCVD_GOOG 2.500 # limit -##} GB_GOOG_IMG_NOT_RCVD_GOOG +if (version >= 3.004003) + ifplugin Mail::SpamAssassin::Plugin::HashBL + body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL + +##{ GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) + +if (version >= 4.000000) +if can(Mail::SpamAssassin::Conf::feature_capture_rules) + uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i + describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse +# score GB_STORAGE_GOOGLE_EMAIL 2.000 # limit + tflags GB_STORAGE_GOOGLE_EMAIL publish +endif +endif +##} GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) + +##{ GB_URI_FLEEK_STO_HTM + +uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i +describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud +#score GB_URI_FLEEK_STO_HTM 1.000 # limit +tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5 +##} GB_URI_FLEEK_STO_HTM ##{ GEO_QUERY_STRING @@ -2196,19 +2182,6 @@ meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || tflags HK_SCAM publish ##} HK_SCAM -##{ HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN -endif -##} HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - -##{ HK_WIN - -meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) -#score HK_WIN 1 -##} HK_WIN - ##{ HOSTED_IMG_DIRECT_MX meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS @@ -2464,13 +2437,6 @@ tflags LIST_PRTL_SAME_USER publish uri LIVEFILESTORE m~livefilestore.com/~ ##} LIVEFILESTORE -##{ LONGLN_LOW_CONTRAST - -meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY -describe LONGLN_LOW_CONTRAST Excessively long line + hidden text -#score LONGLN_LOW_CONTRAST 2.500 # limit -##} LONGLN_LOW_CONTRAST - ##{ LONG_HEX_URI meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 @@ -2553,13 +2519,6 @@ describe LOTTO_AGENT Claims Agent #score LOTTO_AGENT 1.50 # limit ##} LOTTO_AGENT -##{ LOTTO_DEPT - -meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT -describe LOTTO_DEPT Claims Department -#score LOTTO_DEPT 2.00 # limit -##} LOTTO_DEPT - ##{ LUCRATIVE meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED @@ -2573,6 +2532,12 @@ tflags LUCRATIVE publish header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ ##} L_SPAM_TOOL_13 +##{ MALFORMED_FREEMAIL + +meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM +describe MALFORMED_FREEMAIL Bad headers on message from free email service +##} MALFORMED_FREEMAIL + ##{ MALF_HTML_B64 meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG @@ -2606,26 +2571,6 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader endif ##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -##{ MANY_HDRS_LCASE - -describe MANY_HDRS_LCASE Odd capitalization of multiple message headers -#score MANY_HDRS_LCASE 0.10 # limit -##} MANY_HDRS_LCASE - -##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE -endif -##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE -endif -##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - ##{ MANY_SPAN_IN_TEXT meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML @@ -2651,6 +2596,13 @@ describe MILLION_HUNDRED Million "One to Nine" Hundred tflags MILLION_HUNDRED publish ##} MILLION_HUNDRED +##{ MILLION_USD + +body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i +describe MILLION_USD Talks about millions of dollars +#score MILLION_USD 2 +##} MILLION_USD + ##{ MIMEOLE_DIRECT_TO_MX meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS @@ -2770,6 +2722,12 @@ describe MONERO_PAY_ME Pay me via Monero cryptocurrency tflags MONERO_PAY_ME publish ##} MONERO_PAY_ME +##{ MONEY_ATM_CARD + +meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE +describe MONEY_ATM_CARD Lots of money on an ATM card +##} MONEY_ATM_CARD + ##{ MONEY_FORM meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP @@ -2851,12 +2809,6 @@ describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters #score MSGID_MULTIPLE_AT 0.001 ##} MSGID_MULTIPLE_AT -##{ MSGID_NOFQDN1 - -meta MSGID_NOFQDN1 __MSGID_NOFQDN1 -describe MSGID_NOFQDN1 Message-ID with no domain name -##} MSGID_NOFQDN1 - ##{ MSMAIL_PRI_ABNORMAL meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH @@ -2877,6 +2829,12 @@ tflags MSM_PRIO_REPTO publish meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) ##} MSOE_MID_WRONG_CASE +##{ NAME_EMAIL_DIFF + +meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL +describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address +##} NAME_EMAIL_DIFF + ##{ NA_DOLLARS body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i @@ -2906,13 +2864,6 @@ describe NICE_REPLY_A Looks like a legit reply (A) tflags NICE_REPLY_A nice ##} NICE_REPLY_A -##{ NORDNS_LOW_CONTRAST - -meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED -describe NORDNS_LOW_CONTRAST No rDNS + hidden text -#score NORDNS_LOW_CONTRAST 2.500 # limit -##} NORDNS_LOW_CONTRAST - ##{ NOT_SPAM body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i @@ -2946,6 +2897,13 @@ full NULL_IN_BODY /\x00/ describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message ##} NULL_IN_BODY +##{ NUMBERONLY_BITCOIN_EXP + +meta NUMBERONLY_BITCOIN_EXP __NUMBERONLY_TLD && __BITCOIN_ID && __NAKED_TO +describe NUMBERONLY_BITCOIN_EXP Domain ends in a large number and very short body with link +#score NUMBERONLY_BITCOIN_EXP 2.0 # limit +##} NUMBERONLY_BITCOIN_EXP + ##{ OBFU_BITCOIN meta OBFU_BITCOIN __OBFU_BITCOIN @@ -2987,17 +2945,6 @@ ifplugin Mail::SpamAssassin::Plugin::FreeMail endif ##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail -##{ OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA -describe OFFER_ONLY_AMERICA Offer only available to US -#score OFFER_ONLY_AMERICA 2.0 # limit -endif -endif -##} OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - ##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -3014,6 +2961,13 @@ describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more endif ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader +##{ PDS_BAD_THREAD_QP_64 + +meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD +describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP +#score PDS_BAD_THREAD_QP_64 1.0 +##} PDS_BAD_THREAD_QP_64 + ##{ PDS_BTC_ID meta PDS_BTC_ID __PDS_BTC_ID @@ -3046,26 +3000,14 @@ describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon #score PDS_DBL_URL_TNB_RUNON 2.0 ##} PDS_DBL_URL_TNB_RUNON -##{ PDS_FRNOM_TODOM_DBL_URL +##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) -meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL -describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL -#score PDS_FRNOM_TODOM_DBL_URL 1.5 -##} PDS_FRNOM_TODOM_DBL_URL - -##{ PDS_FRNOM_TODOM_NAKED_TO - -meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN -describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain -#score PDS_FRNOM_TODOM_NAKED_TO 1.5 -##} PDS_FRNOM_TODOM_NAKED_TO - -##{ PDS_FROM_NAME_TO_DOMAIN - -meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN -#score PDS_FROM_NAME_TO_DOMAIN 2.0 -describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain -##} PDS_FROM_NAME_TO_DOMAIN +if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS + describe PDS_FROM_2_EMAILS From header has multiple different addresses +# score PDS_FROM_2_EMAILS 3.500 # limit +endif +##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ PDS_HELO_SPF_FAIL @@ -3075,12 +3017,23 @@ describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF tflags PDS_HELO_SPF_FAIL net ##} PDS_HELO_SPF_FAIL -##{ PDS_HP_HELO_NORDNS +##{ PDS_NAKED_TO_NUMERO -meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE -describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS -#score PDS_HP_HELO_NORDNS 1.0 -##} PDS_HP_HELO_NORDNS +meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD +describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain +#score PDS_NAKED_TO_NUMERO 2.0 +##} PDS_NAKED_TO_NUMERO + +##{ PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) +describe PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME +#score PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit +endif +endif +##} PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval @@ -3093,20 +3046,6 @@ endif endif ##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval -##{ PDS_PHPEXP_BOT - -meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + T_PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1) -describe PDS_PHPEXP_BOT PHP exploit bot sender -#score PDS_PHPEXP_BOT 1.5 -##} PDS_PHPEXP_BOT - -##{ PDS_PHP_EVAL - -meta PDS_PHP_EVAL __PDS_PHP_EVAL1 -describe PDS_PHP_EVAL PHP header shows eval'd code -#score PDS_PHP_EVAL 1.5 -##} PDS_PHP_EVAL - ##{ PDS_RDNS_DYNAMIC_FP meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA @@ -3114,11 +3053,22 @@ meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps ##} PDS_RDNS_DYNAMIC_FP +##{ PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) +describe PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP) +#score PDS_SHORT_SPOOFED_URL 2.0 +endif +endif +##} PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + ##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_MSG_1024 +meta PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener #score PDS_TINYSUBJ_URISHRT 1.5 # limit endif @@ -3132,21 +3082,6 @@ describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TO #score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit ##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE -##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE - -meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE -describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers -#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit -##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE - -##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER - describe PDS_TO_EQ_FROM_NAME From: name same as To: address -endif -##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -3172,24 +3107,6 @@ describe PHISH_FBASEAPP Probable phishing via hosted web app tflags PHISH_FBASEAPP publish ##} PHISH_FBASEAPP -##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF - describe PHOTO_EDITING_DIRECT Image editing service, direct to MX -# score PHOTO_EDITING_DIRECT 3.000 # limit -endif -##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -##{ PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - -if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) - describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto -# score PHOTO_EDITING_FREEM 3.750 # limit -endif -##} PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - ##{ PHP_NOVER_MUA describe PHP_NOVER_MUA Mail from PHP with no version number @@ -3219,13 +3136,6 @@ describe PHP_ORIG_SCRIPT Sent by bot & other signs tflags PHP_ORIG_SCRIPT publish ##} PHP_ORIG_SCRIPT -##{ PHP_ORIG_SCRIPT_EVAL - -meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL -describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source -#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit -##} PHP_ORIG_SCRIPT_EVAL - ##{ PHP_SCRIPT meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT @@ -3242,11 +3152,6 @@ describe PHP_SCRIPT_MUA Sent by PHP script, no version number tflags PHP_SCRIPT_MUA publish ##} PHP_SCRIPT_MUA -##{ POSSIBLE_AMAZON_PHISH_02 - -meta POSSIBLE_AMAZON_PHISH_02 (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO) -##} POSSIBLE_AMAZON_PHISH_02 - ##{ POSSIBLE_APPLE_PHISH_02 meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE) @@ -3685,11 +3590,11 @@ describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious h tflags RDNS_NUM_TLD_XM publish ##} RDNS_NUM_TLD_XM -##{ REPLYTO_EMPTY +##{ READY_TO_SHIP -header REPLYTO_EMPTY Reply-To =~ /<>/ -describe REPLYTO_EMPTY Reply-To undeliverable -##} REPLYTO_EMPTY +body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i +#score READY_TO_SHIP 1.250 # limit +##} READY_TO_SHIP ##{ REPLYTO_WITHOUT_TO_CC @@ -3698,7 +3603,7 @@ meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) ##{ REPTO_419_FRAUD -header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:m\.johnson10012)\@googlemail\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:hre187390|re(?:em\.alhashimi|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:benaffleck1977)\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i +header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|mingmui0012|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:charitylisajohnrobinson700)\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD 3.000 tflags REPTO_419_FRAUD publish @@ -3706,7 +3611,7 @@ tflags REPTO_419_FRAUD publish ##{ REPTO_419_FRAUD_AOL -header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:aanidleewy|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i +header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_AOL 3.000 tflags REPTO_419_FRAUD_AOL publish @@ -3722,7 +3627,7 @@ tflags REPTO_419_FRAUD_AOL_LOOSE publish ##{ REPTO_419_FRAUD_CNS -header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|t(?:eo\.westin|he\.trustees1|rustees202000)))\@consultant\.com$/i +header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|t(?:eo\.westin|he\.trustees1|rustees202000)|westernuniopayment\.agent0018))\@consultant\.com$/i describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_CNS 3.000 tflags REPTO_419_FRAUD_CNS publish @@ -3730,7 +3635,7 @@ tflags REPTO_419_FRAUD_CNS publish ##{ REPTO_419_FRAUD_GM -header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|a(?:b(?:d97412345|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976algaddafi|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|w1614860|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj))|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel35508109|nydan24532)|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|kj(?:ane984|wangg)))|eelottosweepstake51)|spero80|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|rethbull112016)|bill4880|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:rryebert101|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:enadamsidaho|pdesk47321))|gold8080|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mfgrantinter|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|ulmusau)|64240|asminternationalpk|dessk\.dfwairportonline|fdrserve)|gridrolle2)|smailtarkan533)|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:fferydean1960|nniannjhsonn)|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|sephacevedo024|yce00011)|rawlings007|s4fernado|w6935997)|k(?:a(?:malnizar000|rabo\.ramala39|t(?:ebaronbarr|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|wrencefoundation30)|blackshirepm|erynne(?:0west99|west2289)|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|nelink008)|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|n(?:duesq58|fran630|uelfranco(?:727|foundation0))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26)|kroth456|tinamayer903|yfranson56)|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|kh(?:\.fridman|ai(?:\.fridman261|lfridm32))|ss(?:\.melisa\.mehmett|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus)|nmalarge|ohamedabdul1717|r(?:\.(?:justinmaxwell09|lusee)|cjames001|d517341|ericfranck|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|frankjackson91))|ichard(?:lustig4u|w(?:ahl511|illis815))|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|ussiaworldcuppromo)|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|tireneb2)|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|imlkheng5|op(?:adam3|hiajesse41)|peelman1972|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:ay(?:ebsouami0|lorcathy362)|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|i(?:elandherzog\.sw\.herad16|ll(?:clark2618|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|ousefzongo5722)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i +header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|ullahmundani019)|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976algaddafi|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|gold8080|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|sephacevedo024|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran630|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|maureens847|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|ussiaworldcuppromo)|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|ephentam1(?:47|6))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|ousefzongo5722)|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_GM 3.000 tflags REPTO_419_FRAUD_GM publish @@ -3746,7 +3651,7 @@ tflags REPTO_419_FRAUD_GM_LOOSE publish ##{ REPTO_419_FRAUD_HM -header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|choi21|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|smicheleallison2003)|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|s(?:ajda\.andleeb|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i +header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:hoi21|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_HM 3.000 tflags REPTO_419_FRAUD_HM publish @@ -3754,7 +3659,7 @@ tflags REPTO_419_FRAUD_HM publish ##{ REPTO_419_FRAUD_OL -header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:brahamwilliamsonrpsltduk|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|kaujong|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|richardwahlfreegrant|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i +header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|kaujong|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|richardwahlfreegrant|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_OL 3.000 tflags REPTO_419_FRAUD_OL publish @@ -3762,7 +3667,7 @@ tflags REPTO_419_FRAUD_OL publish ##{ REPTO_419_FRAUD_PM -header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i +header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_PM 3.000 tflags REPTO_419_FRAUD_PM publish @@ -3778,7 +3683,7 @@ tflags REPTO_419_FRAUD_QQ publish ##{ REPTO_419_FRAUD_YH -header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|victorobaji))|ericalbert24|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|orrainewirengee|y_cheapiseth(?:11|2019))|m(?:a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|willclark0010|xianglongdai60|zhaodonghk))\@yahoo\.com$/i +header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YH 3.000 tflags REPTO_419_FRAUD_YH publish @@ -3802,12 +3707,19 @@ tflags REPTO_419_FRAUD_YJ publish ##{ REPTO_419_FRAUD_YN -header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|clemlau|dejongpeter|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i +header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YN 3.000 tflags REPTO_419_FRAUD_YN publish ##} REPTO_419_FRAUD_YN +##{ REPTO_INFONUMSCOM + +meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM +#score REPTO_INFONUMSCOM 3.000 # limit +tflags REPTO_INFONUMSCOM publish +##} REPTO_INFONUMSCOM + ##{ RISK_FREE meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH @@ -3819,11 +3731,60 @@ describe RISK_FREE No risk! meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) ##} SB_GIF_AND_NO_URIS -##{ SCRIPT_GIBBERISH +##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META -describe SCRIPT_GIBBERISH Nonsense in HTML