#
###########################################################################
-require_version 4.000000
+require_version 4.000001
# predicate naming used to avoid renumbering
# 1. assign new rules a random unique three letter sequence
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
###########################################################################
# GTUBE test - the generic test for UBE.
###########################################################################
# Header compensation tests
-require_version 4.000000
+require_version 4.000001
header __HAS_RCVD exists:Received
priority __HAS_RCVD -2000 # Bug 8078
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
###########################################################################
# DNSBLs do not return the A type (127.0.0.x) as part of the TXT reply.
-# ---------------------------------------------------------------------------
-# SORBS
-# transfers: both axfr and ixfr available
-# URL: http://www.dnsbl.sorbs.net/
-# pay-to-use: no
-# delist: $50 fee for RCVD_IN_SORBS_SPAM, others have free retest on request
-
-header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
-describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
-tflags __RCVD_IN_SORBS net
-reuse __RCVD_IN_SORBS
-
-header RCVD_IN_SORBS_HTTP eval:check_rbl_sub('sorbs', '127.0.0.2')
-describe RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
-tflags RCVD_IN_SORBS_HTTP net
-reuse RCVD_IN_SORBS_HTTP
-
-header RCVD_IN_SORBS_SOCKS eval:check_rbl_sub('sorbs', '127.0.0.3')
-describe RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
-tflags RCVD_IN_SORBS_SOCKS net
-reuse RCVD_IN_SORBS_SOCKS
-
-header RCVD_IN_SORBS_MISC eval:check_rbl_sub('sorbs', '127.0.0.4')
-describe RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
-tflags RCVD_IN_SORBS_MISC net
-reuse RCVD_IN_SORBS_MISC
-
-header RCVD_IN_SORBS_SMTP eval:check_rbl_sub('sorbs', '127.0.0.5')
-describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
-tflags RCVD_IN_SORBS_SMTP net
-reuse RCVD_IN_SORBS_SMTP
-
-# delist: $50 fee
-#header RCVD_IN_SORBS_SPAM eval:check_rbl_sub('sorbs', '127.0.0.6')
-#describe RCVD_IN_SORBS_SPAM SORBS: sender is a spam source
-#tflags RCVD_IN_SORBS_SPAM net
-#reuse RCVD_IN_SORBS_SPAM RCVD_IN_SORBS_SPAM
-
-header RCVD_IN_SORBS_WEB eval:check_rbl_sub('sorbs', '127.0.0.7')
-describe RCVD_IN_SORBS_WEB SORBS: sender is an abusable web server
-tflags RCVD_IN_SORBS_WEB net
-reuse RCVD_IN_SORBS_WEB
-
-header RCVD_IN_SORBS_BLOCK eval:check_rbl_sub('sorbs', '127.0.0.8')
-describe RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
-tflags RCVD_IN_SORBS_BLOCK net
-reuse RCVD_IN_SORBS_BLOCK
-
-header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
-describe RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
-tflags RCVD_IN_SORBS_ZOMBIE net
-reuse RCVD_IN_SORBS_ZOMBIE
-
-header RCVD_IN_SORBS_DUL eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
-describe RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address
-tflags RCVD_IN_SORBS_DUL net
-reuse RCVD_IN_SORBS_DUL
# ---------------------------------------------------------------------------
# Spamhaus ZEN includes SBL+CSS+XBL+PBL
# Certified:
# https://www.validity.com/resource-center/fact-sheet-certification/
# (replaces RCVD_IN_BSP_TRUSTED, RCVD_IN_BSP_OTHER, RCVD_IN_SSC_TRUSTED_COI, RCVD_IN_RP_CERTIFIED)
-header RCVD_IN_VALIDITY_CERTIFIED eval:check_rbl_txt('ssc-firsttrusted', 'sa-trusted.bondedsender.org.')
+header RCVD_IN_VALIDITY_CERTIFIED eval:check_rbl('ssc-firsttrusted', 'sa-trusted.bondedsender.org.', '^127\.0\.0\.')
describe RCVD_IN_VALIDITY_CERTIFIED Sender in Validity Certification - Contact certification@validity.com
tflags RCVD_IN_VALIDITY_CERTIFIED net nice publish
reuse RCVD_IN_VALIDITY_CERTIFIED RCVD_IN_RP_CERTIFIED
+header RCVD_IN_VALIDITY_CERTIFIED_BLOCKED eval:check_rbl('ssc-firsttrusted', 'sa-trusted.bondedsender.org.', '127.255.255.255')
+describe RCVD_IN_VALIDITY_CERTIFIED_BLOCKED ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
+tflags RCVD_IN_VALIDITY_CERTIFIED_BLOCKED net publish
+reuse RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RCVD_IN_VALIDITY_CERTIFIED_BLOCKED
+
# Safe:
# https://www.validity.com/resource-center/fact-sheet-certification/
# (replaces HABEAS_ACCREDITED_COI, HABEAS_ACCREDITED_SOI, HABEAS_CHECKED, RCVD_IN_RP_SAFE)
-header RCVD_IN_VALIDITY_SAFE eval:check_rbl_txt('ssc-firsttrusted','sa-accredit.habeas.com.')
+header RCVD_IN_VALIDITY_SAFE eval:check_rbl('ssc-firsttrusted', 'sa-accredit.habeas.com.', '^127\.0\.0\.')
describe RCVD_IN_VALIDITY_SAFE Sender in Validity Safe - Contact certification@validity.com
tflags RCVD_IN_VALIDITY_SAFE net nice publish
reuse RCVD_IN_VALIDITY_SAFE RCVD_IN_RP_SAFE
+header RCVD_IN_VALIDITY_SAFE_BLOCKED eval:check_rbl('ssc-firsttrusted', 'sa-accredit.habeas.com.', '127.255.255.255')
+describe RCVD_IN_VALIDITY_SAFE_BLOCKED ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
+tflags RCVD_IN_VALIDITY_SAFE_BLOCKED net publish
+reuse RCVD_IN_VALIDITY_SAFE_BLOCKED RCVD_IN_VALIDITY_SAFE_BLOCKED
+
# Validity RPBL (née Return Path Reputation Network Blacklist - RNBL):
# https://www.senderscore.org/blocklistlookup/
# (replaces RCVD_IN_RP_RNBL)
-header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.')
+header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal', 'bl.score.senderscore.com.', '^127\.0\.0\.')
describe RCVD_IN_VALIDITY_RPBL Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
tflags RCVD_IN_VALIDITY_RPBL net publish
reuse RCVD_IN_VALIDITY_RPBL RCVD_IN_RP_RNBL
+header RCVD_IN_VALIDITY_RPBL_BLOCKED eval:check_rbl('rnbl-lastexternal', 'bl.score.senderscore.com.', '127.255.255.255')
+describe RCVD_IN_VALIDITY_RPBL_BLOCKED ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information.
+tflags RCVD_IN_VALIDITY_RPBL_BLOCKED net publish
+reuse RCVD_IN_VALIDITY_RPBL_BLOCKED RCVD_IN_VALIDITY_RPBL_BLOCKED
+
+if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
+dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED sa-trusted.bondedsender.org
+dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED sa-accredit.habeas.com
+dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED bl.score.senderscore.com
+endif
+
endif
#These are old and useless - The zones are no longer supported by SpamHaus 2018-12-12
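Review bot: The three `'^127\.0\.0\.'` subtests and the `*_BLOCKED` rules on `127.255.255.255` arrive without a comment saying why, and the reason is security-relevant: `RCVD_IN_VALIDITY_CERTIFIED` and `RCVD_IN_VALIDITY_SAFE` are `nice` rules with negative scores, so a hit on any answer other than a real listing would lower a message's score. A comment above the first changed `header` line would keep a later edit from dropping the subtest, for example `# Only 127.0.0.x is a listing; 127.255.255.255 means the query was blocked and must never hit the nice rules.` The meaning of 127.255.255.255 is inferred from the `describe` text in this hunk, so confirm it against the linked Validity article. Separately, `reuse RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RCVD_IN_VALIDITY_CERTIFIED_BLOCKED` (and the SAFE and RPBL equivalents) lists the rule as its own old name, which looks redundant; `reuse RCVD_IN_VALIDITY_CERTIFIED_BLOCKED` alone reads cleaner.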
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
###########################################################################
# header rules
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
# ---------------------------------------------------------------------------
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
#---------------------------------------------------------------------------
# Handle hosts that look like HELO_DYNAMIC hosts
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
###########################################################################
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
# HTML parser tests
#
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
# some tests that will trigger FPs on ISO-2022-JP mails.
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
# bug 2220. nice results
meta DIGEST_MULTIPLE RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
###########################################################################
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
###########################################################################
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
# possible IDN spoofing attack: https://web.archive.org/web/20141006091906/https://www.shmoo.com/idn/homograph.txt
# not expecting any hits on this (yet)
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
###########################################################################
lang de describe BLANK_LINES_80_90 Nachrichtentext besteht zu 80-90% aus Leerzeilen
lang de describe LONGWORDS Eine Reihe von langen Wörtern hintereinander
lang de describe ALL_TRUSTED Nachricht wurde nur über vertrauenswürdige Rechner weitergeleitet
-lang de describe __RCVD_IN_SORBS SORBS: Senderechner in Liste von dnsbl.sorbs.net
-lang de describe RCVD_IN_SORBS_HTTP SORBS: Senderechner als "open HTTP proxy" gemeldet
-lang de describe RCVD_IN_SORBS_MISC SORBS: Senderechner als "open proxy" gemeldet
-lang de describe RCVD_IN_SORBS_SMTP SORBS: Senderechner ist ein ungesicherter Mail-Server
-lang de describe RCVD_IN_SORBS_SOCKS SORBS: Senderechner als "open SOCKS proxy" gemeldet
-lang de describe RCVD_IN_SORBS_WEB SORBS: Senderechner ist ein ungesicherter WWW-Server
-lang de describe RCVD_IN_SORBS_BLOCK SORBS: Senderechner verweigert Tests
-lang de describe RCVD_IN_SORBS_ZOMBIE SORBS: Senderechner in Liste "entführter" Adressblöcke
-lang de describe RCVD_IN_SORBS_DUL SORBS: Senderechner nur temporär mit Internet verbunden
lang de describe RCVD_IN_SBL Transportiert via Rechner in SBL-Liste (https://www.spamhaus.org/sbl/)
lang de describe RCVD_IN_XBL Transportiert via Rechner in XBL-Liste (https://www.spamhaus.org/xbl/)
lang de describe RCVD_IN_BL_SPAMCOP_NET Transportiert via Rechner in Liste von www.spamcop.net
lang fr describe RCVD_AM_PM En-tête Received: falsifié (AM/PM)
lang fr describe RCVD_FAKE_HELO_DOTCOM En-tête Received contient nom d'hôte falsifié dans le HELO
lang fr describe RCVD_IN_BL_SPAMCOP_NET Relais listé dans http://spamcop.net/bl.shtml
-lang fr describe RCVD_IN_SORBS_DUL Envoyé directement depuis une adresse IP dynamique
lang fr describe RCVD_IN_MAPS_DUL Relais listé dans DUL, http://www.mail-abuse.org/dul/
lang fr describe RCVD_IN_MAPS_NML Relais listé dans NML, http://www.mail-abuse.org/nml/
lang fr describe RCVD_IN_MAPS_RBL Relais listé dans RBL, http://www.mail-abuse.org/rbl/
lang fr describe RCVD_IN_MAPS_RSS Relais listé dans RSS, http://www.mail-abuse.org/rss/
lang fr describe RCVD_IN_SBL Relais listé dans https://www.spamhaus.org/sbl/
-lang fr describe RCVD_IN_SORBS_BLOCK SORBS: Relais refusant d'être testé par SORBS
-lang fr describe RCVD_IN_SORBS_HTTP SORBS: Envoyé par un proxy HTTP ouvert
-lang fr describe RCVD_IN_SORBS_MISC SORBS: Envoyé par un proxy ouvert
-lang fr describe RCVD_IN_SORBS_SMTP SORBS: Envoyé par un relais SMTP ouvert
-lang fr describe RCVD_IN_SORBS_SOCKS SORBS: Envoyé par un proxy SOCKS ouvert
-lang fr describe RCVD_IN_SORBS_WEB SORBS: Envoyé depuis un serveur web vulnérable
-lang fr describe RCVD_IN_SORBS_ZOMBIE SORBS: Envoyé depuis un réseau IP piraté
lang fr describe REFINANCE_NOW Offre de refinancement immobilier
lang fr describe REFINANCE_YOUR_HOME Offre de refinancement immobilier
lang fr describe SORTED_RECIPS La liste des destinataires est triée par ordre alphabétique
lang nl describe CHARSET_FARAWAY Karakterset wijst op vreemde taal
lang nl describe EMAIL_ROT13 Body bevat een ROT13-versleuteld emailadres
lang nl describe BLANK_LINES_80_90 Bericht bestaat voor 80-90% uit witregels
-lang nl describe __RCVD_IN_SORBS SORBS: verzender is gevonden in SORBS
-lang nl describe RCVD_IN_SORBS_HTTP SORBS: verzender is een open HTTP proxy server
-lang nl describe RCVD_IN_SORBS_MISC SORBS: verzender is een open proxy server
-lang nl describe RCVD_IN_SORBS_SMTP SORBS: verzender is een open SMTP relay
-lang nl describe RCVD_IN_SORBS_SOCKS SORBS: verzender is een open SOCKS proxy server
-lang nl describe RCVD_IN_SORBS_WEB SORBS: verzender is een misbruikbare web server
-lang nl describe RCVD_IN_SORBS_BLOCK SORBS: verzender weigert getest te worden
-lang nl describe RCVD_IN_SORBS_ZOMBIE SORBS: verzender is een gekaapt netwerk
-lang nl describe RCVD_IN_SORBS_DUL SORBS: bericht is direct verstuurd vanaf een dynamisch IP adres
lang nl describe RCVD_IN_SBL Ontvangen via een relay die gevonden is in Spamhaus SBL
lang nl describe RCVD_IN_XBL Ontvangen via een relay die gevonden is in Spamhaus XBL
lang nl describe RCVD_IN_BL_SPAMCOP_NET Ontvangen via een relay die gevonden is in bl.spamcop.net
lang pl describe RCVD_IN_MAPS_RBL "open relay" wed³ug RBL, http://www.mail-abuse.org/rbl/
lang pl describe RCVD_IN_MAPS_RSS "open relay" wed³ug RSS, http://www.mail-abuse.org/rss/
lang pl describe RCVD_IN_SBL Otrzymano przez relay listowany w Spamhaus Block List
-lang pl describe RCVD_IN_SORBS_BLOCK SORBS: nadawca nie pozwala siê testowaæ
-lang pl describe RCVD_IN_SORBS_HTTP SORBS: nadawca jest otwartym serwerem HTTP
-lang pl describe RCVD_IN_SORBS_MISC SORBS: nadawca jest otwartym serwerem proxy
-lang pl describe RCVD_IN_SORBS_SMTP SORBS: nadawca posiada otwarty serwer (Open Relay)
-lang pl describe RCVD_IN_SORBS_SOCKS SORBS: nadawca jest otwartym serwerem SOCKS proxy
-lang pl describe RCVD_IN_SORBS_WEB SORBS: nadawca posiada nadu¿ywany serwer WWW
-lang pl describe RCVD_IN_SORBS_ZOMBIE SORBS: nadawca jest z sieci bez kontroli
lang pl describe REFINANCE_NOW Refinansowanie domów
lang pl describe REFINANCE_YOUR_HOME Refinansowanie domów
lang pl describe SORTED_RECIPS Lista odbiorców posortowana wed³ug adresu
lang pt_BR describe NO_RELAYS Informação: mensagem não foi recebida via SMTP
# 20_dnsbl_tests.cf
-lang pt_BR describe __RCVD_IN_SORBS Recebida por um relay listado em SORBS
-lang pt_BR describe RCVD_IN_SORBS_HTTP SORBS: remetente é um proxy HTTP aberto
-lang pt_BR describe RCVD_IN_SORBS_SOCKS SORBS: remetente é um proxy SOCKS aberto
-lang pt_BR describe RCVD_IN_SORBS_MISC SORBS: remetente é um proxy aberto
-lang pt_BR describe RCVD_IN_SORBS_SMTP SORBS: remetente é um relay SMTP aberto
-lang pt_BR describe RCVD_IN_SORBS_WEB SORBS: remetente é um servidor web explorável
-lang pt_BR describe RCVD_IN_SORBS_BLOCK SORBS: remetente requer que não seja testado
-lang pt_BR describe RCVD_IN_SORBS_ZOMBIE SORBS: remetente está em uma rede comprometida
-lang pt_BR describe RCVD_IN_SORBS_DUL SORBS: mensagem enviada a partir de um IP dinâmico
lang pt_BR describe __RCVD_IN_ZEN Recebida por um relay listado em Spamhaus Zen
lang pt_BR describe RCVD_IN_SBL Recebida por um relay listado em Spamhaus SBL
lang pt_BR describe RCVD_IN_XBL Recebida por um relay listado em Spamhaus XBL
#score RCVD_IN_BRBL_LASTEXT 0 1.644 0 1.449 # n=0 n=2
score RCVD_IN_PSBL 0 2.700 0 2.700 # n=0 n=2
score RCVD_IN_VALIDITY_RPBL 0 1.284 0 1.310 # n=0 n=2
+score RCVD_IN_VALIDITY_RPBL_BLOCKED 0 0.001 0 0.001
score RCVD_MAIL_COM 0 # n=0 n=1 n=2 n=3
score RDNS_DYNAMIC 2.639 0.363 1.663 0.982
score RDNS_LOCALHOST 3.700 0.969 2.345 0.001
score RCVD_IN_IADB_UT_CPR_30 0 # n=0 n=1 n=2 n=3
score RCVD_IN_IADB_UT_CPR_MAT 0 -0.095 0 -0.001 # n=0 n=1 n=2
score RCVD_IN_SBL 0 2.596 0 0.141 # n=0 n=2
-score RCVD_IN_SORBS_BLOCK 0 # n=0 n=1 n=2 n=3
-score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
-score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
-score RCVD_IN_SORBS_MISC 0 # n=0 n=1 n=2 n=3
-score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
-score RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 # n=0 n=2
-#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
-score RCVD_IN_SORBS_WEB 0 1.5 0 1.5
-score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
score RCVD_IN_XBL 0 0.724 0 0.375 # n=0 n=2
score RCVD_IN_PBL 0 3.558 0 3.335 # n=0 n=2
score RCVD_IN_SBL_CSS 0 3.558 0 3.335 # n=0 n=2
# CERTIFIED is a subset of SAFE, thus the score is cumulative.
# -2 + -3 = -5 points for CERTIFIED
score RCVD_IN_VALIDITY_CERTIFIED 0.0 -3.0 0.0 -3.0
+score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0 0.001 0 0.001
score RCVD_IN_VALIDITY_SAFE 0.0 -2.0 0.0 -2.0
+score RCVD_IN_VALIDITY_SAFE_BLOCKED 0 0.001 0 0.001
# DNSWL is a commercial service that requires payment for servers over 100K queries daily.
# Unfortunately, they will return true answers for DNS servers they consider abusive so
def_welcomelist_auth *@*.bhg.com
def_welcomelist_auth *@*.nest.com
def_welcomelist_auth *@*.colehaan.com
-def_welcomelist_auth *@*.microsoft.com
def_welcomelist_auth *@*.vanheusen.com
def_welcomelist_auth *@*.shoppbs.org
def_welcomelist_auth *@*.roku.com
def_whitelist_auth *@*.bhg.com
def_whitelist_auth *@*.nest.com
def_whitelist_auth *@*.colehaan.com
-def_whitelist_auth *@*.microsoft.com
def_whitelist_auth *@*.vanheusen.com
def_whitelist_auth *@*.shoppbs.org
def_whitelist_auth *@*.roku.com
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
##{ ACCT_PHISHING_MANY
describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
##} AXB_XMAILER_MIMEOLE_OL_024C2
-##{ AXB_X_FF_SEZ_S
-
-header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/
-describe AXB_X_FF_SEZ_S Forefront sez this is spam
-##} AXB_X_FF_SEZ_S
-
##{ BANKING_LAWS
body BANKING_LAWS /banking laws/i
tflags BIGNUM_EMAILS_MANY publish
##} BIGNUM_EMAILS_MANY
+##{ BILLION_OVERLAP
+
+meta BILLION_OVERLAP (BILLION_DOLLARS + T_US_DOLLARS_3 >= 2)
+#score BILLION_OVERLAP -1.0
+describe BILLION_OVERLAP Reducing score for overlap of similar rules
+##} BILLION_OVERLAP
+
##{ BITCOIN_BOMB
meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
tflags BITCOIN_YOUR_INFO publish
##} BITCOIN_YOUR_INFO
-##{ BODY_SINGLE_URI
-
-meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML
-describe BODY_SINGLE_URI Message body is only a URI
-#score BODY_SINGLE_URI 2.500 # limit
-##} BODY_SINGLE_URI
-
-##{ BODY_SINGLE_WORD
-
-meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
-describe BODY_SINGLE_WORD Message body is only one word (no spaces)
-#score BODY_SINGLE_WORD 2.500 # limit
-##} BODY_SINGLE_WORD
-
##{ BODY_URI_ONLY
meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
body CURR_PRICE /\bCurrent Price:/
##} CURR_PRICE
-##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
-
-ifplugin Mail::SpamAssassin::Plugin::HeaderEval
-header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
-describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
-endif
-##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
-
##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
describe DEAR_BENEFICIARY Dear Beneficiary:
##} DEAR_BENEFICIARY
+##{ DEAR_NOBODY
+
+rawbody DEAR_NOBODY /^\s*Dear\b[^a-zA-Z]{1,70}\n/mi
+describe DEAR_NOBODY Message contains Dear but with no name
+##} DEAR_NOBODY
+
##{ DEAR_WINNER
body DEAR_WINNER /\bdear.{1,20}winner/i
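Review bot: `[^a-zA-Z]{1,70}` in `DEAR_NOBODY` accepts every byte that is not an ASCII letter, so a greeting whose name is written entirely in a non-Latin script (Cyrillic, Greek, CJK) would be treated as having no name. If rawbody is matched as UTF-8 octets, which this hunk does not show, excluding high bytes narrows the rule to the intended case: `rawbody DEAR_NOBODY /^\s*Dear\b[^a-zA-Z\x80-\xff]{1,70}\n/mi`. A one-line comment above the rule stating that assumption would help whoever sets the score later.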
endif
##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
+ describe FILL_THIS_FORM_LOAN Answer loan question(s)
+# score FILL_THIS_FORM_LOAN 2.0
+endif
+##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing
##} FROM_UNBAL1
-##{ FROM_UNBAL2
-
-header FROM_UNBAL2 From:raw =~ /^ [^<]* > /xm
-describe FROM_UNBAL2 From with unbalanced angle brackets, '<' missing
-##} FROM_UNBAL2
-
##{ FROM_WSP_TRAIL
header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm
header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
##} FSL_FAKE_HOTMAIL_RVCD
-##{ FSL_HAS_TINYURL
-
-uri FSL_HAS_TINYURL /tinyurl\.com\//
-##} FSL_HAS_TINYURL
-
##{ FSL_HELO_BARE_IP_1
meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
tflags HAS_X_OUTGOING_SPAM_STAT publish
##} HAS_X_OUTGOING_SPAM_STAT
+##{ HDRS_LCASE
+
+describe HDRS_LCASE Odd capitalization of message header
+#score HDRS_LCASE 0.10 # limit
+##} HDRS_LCASE
+
+##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
+
+if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
+ meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
+endif
+##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
+
+##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
+endif
+##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
##{ HDRS_LCASE_IMGONLY
meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND
-##{ HELO_LH_HOME
-
-header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
-##} HELO_LH_HOME
-
##{ HELO_LH_LD
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST
-##{ HELO_MISC_IP
-
-meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2))
-describe HELO_MISC_IP Looking for more Dynamic IP Relays
-#score HELO_MISC_IP 0.25
-##} HELO_MISC_IP
-
##{ HELO_NO_DOMAIN
meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
##{ HK_RANDOM_ENVFROM
-header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
+header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
#score HK_RANDOM_ENVFROM 1
tflags HK_RANDOM_ENVFROM publish
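Review bot: `mc(?:b|g)r` in the exemption lookahead is a one-character alternation and reads more directly as a character class, `mc[bg]r`; the same applies to `HK_RANDOM_FROM` and `HK_RANDOM_REPLYTO` in the next two hunks. The three rules repeat one long pattern with only the header differing, so every new exemption has to be made three times in step. A comment above `HK_RANDOM_ENVFROM` such as `# keep this pattern identical in HK_RANDOM_ENVFROM, HK_RANDOM_FROM and HK_RANDOM_REPLYTO` would make that requirement explicit.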
##{ HK_RANDOM_FROM
-header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
+header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_FROM From username looks random
#score HK_RANDOM_FROM 1
tflags HK_RANDOM_FROM publish
##{ HK_RANDOM_REPLYTO
-header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
+header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_REPLYTO Reply-To username looks random
#score HK_RANDOM_REPLYTO 1
tflags HK_RANDOM_REPLYTO publish
tflags HK_SCAM publish
##} HK_SCAM
+##{ HK_WIN
+
+meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
+#score HK_WIN 1
+##} HK_WIN
+
##{ HOSTED_IMG_DIRECT_MX
meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON
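Review bot: `HK_WIN` is added without a `describe` line, and nothing in the hunk says what the eighteen `__hk_win_*` subrules look for or why two hits is the threshold, so an administrator reading a report has only the rule name to go on. Please add a `describe HK_WIN ...` line written by someone who knows the subrules, plus a one-line comment on the `>= 2` threshold. `MIXED_CTYPE_CASE` further down has the same gap; judging from its pattern, `describe MIXED_CTYPE_CASE Content-Type text/html written in mixed case` would fit.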
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
-##{ IMG_DIRECT_TO_MX
-
-meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K
-##} IMG_DIRECT_TO_MX
-
##{ IMG_ONLY_FM_DOM_INFO
meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish
##} LINKEDIN_IMG_NOT_RCVD_LNKN
-##{ LIST_PARTIAL_SHORT_MSG
-
-meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS
-describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message
-#score LIST_PARTIAL_SHORT_MSG 2.500 # limit
-##} LIST_PARTIAL_SHORT_MSG
-
##{ LIST_PRTL_PUMPDUMP
meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
uri LIVEFILESTORE m~livefilestore.com/~
##} LIVEFILESTORE
-##{ LONGLN_LOW_CONTRAST
-
-meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY
-describe LONGLN_LOW_CONTRAST Excessively long line + hidden text
-#score LONGLN_LOW_CONTRAST 2.500 # limit
-##} LONGLN_LOW_CONTRAST
-
##{ LONG_HEX_URI
meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
##} LOTTERY_PH_004470
+##{ LOTTO_AGENT
+
+meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD
+describe LOTTO_AGENT Claims Agent
+#score LOTTO_AGENT 1.50 # limit
+##} LOTTO_AGENT
+
+##{ LOTTO_DEPT
+
+meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT
+describe LOTTO_DEPT Claims Department
+#score LOTTO_DEPT 2.00 # limit
+##} LOTTO_DEPT
+
##{ LUCRATIVE
meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
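Review bot: `LOTTO_AGENT` is switched off by `!__DKIM_EXISTS`, and if that subrule only tests that a DKIM-Signature header is present (its definition is not in this hunk), the exemption rests on a header the sender supplies rather than on a verified signature. Where the DKIM plugin is loaded, a verified result is the safer condition to exempt on; otherwise a comment should record the trade-off, for example `# __DKIM_EXISTS is presence only, not verification; kept to limit FPs on signed bulk mail`. The other exemptions in `LOTTO_AGENT` and `LOTTO_DEPT` are also undocumented, so a short comment naming the false positives they were added for would make the lists reviewable.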
tflags MIXED_CENTER_CASE publish
##} MIXED_CENTER_CASE
+##{ MIXED_CTYPE_CASE
+
+header MIXED_CTYPE_CASE Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll];
+##} MIXED_CTYPE_CASE
+
##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
describe MONEY_ATM_CARD Lots of money on an ATM card
##} MONEY_ATM_CARD
+##{ MONEY_BARRISTER
+
+meta MONEY_BARRISTER __BARRISTER && LOTS_OF_MONEY
+describe MONEY_BARRISTER Lots of money from a UK lawyer
+#score MONEY_BARRISTER 1.000 # limit
+##} MONEY_BARRISTER
+
##{ MONEY_FORM
meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
tflags NICE_REPLY_A nice
##} NICE_REPLY_A
-##{ NORDNS_LOW_CONTRAST
-
-meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED
-describe NORDNS_LOW_CONTRAST No rDNS + hidden text
-#score NORDNS_LOW_CONTRAST 2.500 # limit
-##} NORDNS_LOW_CONTRAST
-
##{ NOT_SPAM
body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
#score PDS_DBL_URL_TNB_RUNON 2.0
##} PDS_DBL_URL_TNB_RUNON
-##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
-describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
-#score PDS_EMPTYSUBJ_URISHRT 1.5 # limit
-endif
-endif
-##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-##{ PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
-describe PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
-#score PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
-endif
-endif
-##} PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
##{ PDS_FRNOM_TODOM_DBL_URL
-meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
+meta PDS_FRNOM_TODOM_DBL_URL T_PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
#score PDS_FRNOM_TODOM_DBL_URL 1.5
##} PDS_FRNOM_TODOM_DBL_URL
-##{ PDS_FRNOM_TODOM_NAKED_TO
-
-meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN
-describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
-#score PDS_FRNOM_TODOM_NAKED_TO 1.5
-##} PDS_FRNOM_TODOM_NAKED_TO
-
-##{ PDS_FROM_NAME_TO_DOMAIN
-
-meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
-#score PDS_FROM_NAME_TO_DOMAIN 2.0
-describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
-##} PDS_FROM_NAME_TO_DOMAIN
-
##{ PDS_HELO_SPF_FAIL
meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
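Review bot: `PDS_FRNOM_TODOM_DBL_URL` now depends on `T_PDS_FROM_NAME_TO_DOMAIN`, a name that changes whenever that rule moves between testing and published status, which is presumably what forced this edit. The definition removed in the same hunk shows the rule was only a wrapper (`meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN`), so referring to the subrule directly would be stable, assuming `__PDS_FROM_NAME_TO_DOMAIN` is still defined: `meta PDS_FRNOM_TODOM_DBL_URL __PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL`. The new `PDS_PHPEXP_BOT` further down has the same kind of dependency through `T_PDS_X_PHP_WP_EXP`.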
#score PDS_HP_HELO_NORDNS 1.0
##} PDS_HP_HELO_NORDNS
-##{ PDS_NAKED_TO_NUMERO
-
-meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD
-describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain
-#score PDS_NAKED_TO_NUMERO 2.0
-##} PDS_NAKED_TO_NUMERO
-
##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
endif
##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+##{ PDS_PHPEXP_BOT
+
+meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + T_PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1)
+describe PDS_PHPEXP_BOT PHP exploit bot sender
+#score PDS_PHPEXP_BOT 1.5
+##} PDS_PHPEXP_BOT
+
##{ PDS_PHP_EVAL
meta PDS_PHP_EVAL __PDS_PHP_EVAL1
#score PDS_PHP_EVAL 1.5
##} PDS_PHP_EVAL
-##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
-describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener
-#score PDS_TINYSUBJ_URISHRT 1.5 # limit
-endif
-endif
-##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
-
-meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE
-describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers
-#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit
-##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
-
##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
tflags PHISH_FBASEAPP publish
##} PHISH_FBASEAPP
+##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
+if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+ meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
+ describe PHOTO_EDITING_DIRECT Image editing service, direct to MX
+# score PHOTO_EDITING_DIRECT 3.000 # limit
+endif
+##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
##{ PHP_NOVER_MUA
describe PHP_NOVER_MUA Mail from PHP with no version number
tflags RCVD_DOTEDU_SHORT publish
##} RCVD_DOTEDU_SHORT
-##{ RCVD_DOTEDU_SUSP
-
-meta RCVD_DOTEDU_SUSP __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF
-describe RCVD_DOTEDU_SUSP Via .edu MTA + suspicious content
-#score RCVD_DOTEDU_SUSP 2.000 # limit
-##} RCVD_DOTEDU_SUSP
-
##{ RCVD_DOTEDU_SUSP_URI
meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
##{ REPTO_419_FRAUD
-header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nf
o90000)|joseramonjr1|mynewmission|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)
\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968|philiproger101))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:info)\@officepch\.com|(?:lin
dsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:info)\@ousos-elearning\.com|(?:schaefflermariaelisabeth)\@outlook\.de|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:deputygov_kuben)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.whea
t-farmers\.website|(?:info)\@un-grant\.info|(?:(?:david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
+header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:jessica)\@cadencebankdept\.us|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)|sama_williams|warren_edward))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatrou
tman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|m(?:hzitafrank0|ynewmission)|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@emteslastock\.com|(?:info)\@euro-pinnacle\.com|(?:(?:a(?:bogado\.antoniopaco|dvancedsegurosespana)|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:chr
istgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|johnkofithomas|kateclough1|mriamchombo1968|philiproger101))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoi
tdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:dieterbe451)\@onmail\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:info)\@ousos-elearning\.com|(?:schaeffler(?:ariaelisabeth|mariaelisabeth))\@outlook\.de|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:support)\@piraeusegrecebnk\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:(?:deputygov_kuben|rcassim\.sarb))\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:olena\.shevchenko)\@shumejda\.co\.uk|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgr
oup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:(?:laprimitivaes|robert166003))\@zohomail\.eu)$/i
describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD 3.000
tflags REPTO_419_FRAUD publish
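Review bot: The alternative `(?:johnkwanghooi101)\@yahoo\.c` in the new `REPTO_419_FRAUD` pattern is closed by the trailing `$`, so it can only match a Reply-To whose domain is literally `yahoo.c`. It is carried over unchanged from the removed line and looks like a truncated entry. If the intended domain was `yahoo.com`, the leading negative lookahead already excludes that domain from this rule, so the address would belong in whichever rule covers it. The pattern appears to be machine-built, so the correction would go in the source address list rather than in this line.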
##{ REPTO_419_FRAUD_GM
-header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|sdaughter))|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|tsyholden940)|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(
?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|ody2|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g
00gleclaim|marviswanczyk360|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|u(?:liewatson975|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52
|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ntonjustin98|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|ndingredirections|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78
|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|p(?:agentrose|eelman1972)|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs
888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
+header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|12udubello|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|sdaughter))|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|phabankofgreecerepublic|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|tsyholden940)|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:pinolly|rtwrighttownhomesllc)|claimsa|e(?:da\.ogada77|licerez)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|u
(?:nninghammrssharonloren|stomerservicelacaixa2))|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|h(?:lexpresscompany176|sdevice)|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick|rhamahassan22)|u(?:breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|d(?:mundventura689|runity)|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|rahwasam101|tme\.mehmed001)|b(?:589767|lott47)|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:es(?:\.connelly2|patrickconnolly(?:5050|4))|iscamendoza960)|k(?:j(?:ane984|ody2|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321)|ritagetrustbank1985)|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn51
8|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|orangedor|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:a(?:haskel19|thanhaskel377)|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|u(?:liewatson975|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation
0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt|zerfexi)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ntonjustin98|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee|tonyelumelu60)|cjames001|d517341|eric(?:franck|schmid4002)|georgeemera|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sar(?:ahbenjamin103|iamirahwulu)|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffi(?:c(?:e(?:\.012123|emaill0002|rricherd876|windowterms)|ialserviceuae)|zielllk)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|rabankheadofficelometogo1985|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018
))|b(?:ph202lay2|rookk0)|e(?:130304|ndingredirections|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|o(?:lloke|usazgullaume)|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[789]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|p(?:a(?:cex\.inititative|gentrose)|eelman1972)|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|robins777|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:ba\.bankofaffican|derleyen52|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linag
reen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett(?:398|2))|b(?:271981|6159980)|c5000dle|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##{ REPTO_419_FRAUD_HM
-header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|m(?:oneygrampayfund|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
+header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|infos(?:43|8)|jacques\.bouchex|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|m(?:oneygrampayfund|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##{ REPTO_419_FRAUD_OL
-header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.olhaoschad|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
+header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:a(?:rrmarkphillip|sidris)|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.olhaoschad|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##{ REPTO_419_FRAUD_YH
-header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:biorahkenneth8|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
+header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:biorahkenneth8|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|o(?:ftc2|pheap\.munny)|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
tflags REPTO_419_FRAUD_YN publish
##} REPTO_419_FRAUD_YN
-##{ REPTO_INFONUMSCOM
-
-meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM
-#score REPTO_INFONUMSCOM 3.000 # limit
-tflags REPTO_INFONUMSCOM publish
-##} REPTO_INFONUMSCOM
-
##{ RISK_FREE
meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
describe SCC_BODY_SINGLE_WORD Message body seems like one word
##} SCC_BODY_SINGLE_WORD
-##{ SCC_BODY_URI_ONLY
+##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-meta SCC_BODY_URI_ONLY T_SCC_BODY_TEXT_LINE < 2 && __HAS_ANY_URI && !__SMIME_MESSAGE && !T_SCC_IS_DMARC_REP
-describe SCC_BODY_URI_ONLY Very short body with something maybe clickable
-##} SCC_BODY_URI_ONLY
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+meta SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1
+describe SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header
+tflags SCC_BOGUS_CTE_1 publish
+endif
+##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ SCC_CANSPAM_1
tflags SCC_SPECIAL_GUID publish multiple maxhits=15
##} SCC_SPECIAL_GUID
-##{ SENDGRID_REDIR
-
-meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
-describe SENDGRID_REDIR Redirect URI via Sendgrid
-#score SENDGRID_REDIR 1.500 # limit
-tflags SENDGRID_REDIR publish
-##} SENDGRID_REDIR
-
##{ SENDGRID_REDIR_PHISH
meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
##} SHOPIFY_IMG_NOT_RCVD_SFY
+##{ SHORTENED_URL_SRC
+
+rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/
+##} SHORTENED_URL_SRC
+
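Review bot: The `rawbody SHORTENED_URL_SRC` pattern has no `/i` flag, so it is case-sensitive even though HTML attribute names, URL schemes and hostnames are not; markup written as `SRC=` or with a mixed-case host falls outside the rule. Ending the pattern with `\/[^\/]{3}/i` would bring that into scope. The rule is also added without a `describe` line, unlike the other rules added in this diff; something like `describe SHORTENED_URL_SRC HTML element src= points at a URL shortener` would give the report readable text. The alternation also includes general content hosts (`tumblr\.com`, `digg\.com`, `justin\.tv`), which presumably raises the false-positive risk for embedded images and is worth checking against ham before a score is assigned.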
##{ SHORTENER_SHORT_IMG
meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
tflags SHORTENER_SHORT_IMG publish
##} SHORTENER_SHORT_IMG
-##{ SHORTENER_SHORT_SUBJ
-
-meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO
-describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject
-#score SHORTENER_SHORT_SUBJ 3.000 # limit
-##} SHORTENER_SHORT_SUBJ
-
##{ SHORT_HELO_AND_INLINE_IMAGE
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
##{ SPAM_CWINDOWSNET
-uri SPAM_CWINDOWSNET m;^https?://(?=[^/]+\.(?:blob|web)\.core\.windows\.net)(?:(?:aaaabbbbcdertfer(?:131|34)|b(?:9jwpncnsz2cg5bpbojgl|bbbccccddester61|dkbazmjnlvajmjjszdc|ulkma(?:ilmanager(?:im|snrperk|m)|nhegeteam))|calivokavoaka|d(?:fjmteeymhimuokqbwio|sfgdfgsdfg)|e(?:6tidwa3xtdxsxrv6fevh|fnzewdwwwxdormvkltxqj|riogsnkdqsdqsd32l|wialtlgncnagaebsuohhsz)|greatetchtoaitechnologyh|linkbulkmailpromanager|n(?:6w479nhk1tkyo6u1p844s|fnybcmyhaaphiglbzra)|o(?:ovgienjzlmmfkmwoyep|penbankstonecdn)|u(?:lqdjksdsdsd3sd|rqjlnefdqsdfik2k)|z(?:ahriiana59|c2mjw9btnqfgw6ps7ex)))\.(?:blob|web)\.core\.windows\.net/;i
+uri SPAM_CWINDOWSNET m;^https?://(?=[^/]+\.(?:blob|web)\.core\.windows\.net)(?:(?:aaaa(?:aahadii5[89]|bbbbcdertfer(?:131|34))|b(?:9jwpncnsz2cg5bpbojgl|bbbccccddester61|c(?:kfomepldjxbehakdmem|nejjdolasiejdbcdhc)|dkbazmjnlvajmjjszdc|fnrikamdplejxxhd|ulkma(?:ilmanager(?:im|snrperk|m)|nhegeteam))|c(?:alivokavoaka|hfkeodlemajchebdhxdh|j(?:dejcpmalxokejcbdhsjd|flzpmidhwbcxhejdk)|n(?:djekdomalsijebqqhzs|fjelmsplekxjbshdje|rdnahxbhdjoalxkejd))|d(?:f(?:jmteeymhimuokqbwio|keoledjxbdheuakje)|hjepmalqkdbxheuajd|j(?:f(?:lepma(?:hxbdhasjdk|skdjxbhduejdkz)|oemapxkejxbdhed)|k(?:foepaljdhxvsgqhse|rolemalxjebehsyejd))|lrmeclforjbxheajsbdhe|sfgdfgsdfg)|e(?:6tidwa3xtdxsxrv6fevh|fnzewdwwwxdormvkltxqj|riogsnkdqsdqsd32l|wialtlgncnagaebsuohhsz)|f(?:j(?:flzpcmlrnxheilsdejdl|romlfjdhxbcgdyejhdh)|lropmedjxbexbdzhsd|mdplenxyejxbqgesk|pmrlcnruhwvxcsdrzt)|greatetchtoaitechnologyh|h(?:ckrpmzlcxrjzhxbejakdlem|djeialqmeporutncdbhqs)|jc(?:hdiepmaldiejxbhs|k(?:diemaoslejxbqhas|rmlzsxbhejalselma)|lrfpemdlxbehaksme|rkeldoeamdloruxbdhe)|kcleo(?:dmalejdbshekdje|maplejwbahqegsv)|l(?:djebxueomrplcnbsgxve|inkbulkmailpromanager)|mvkcjoigfks|n(?:6w479nhk1tkyo6u1p844s|ckfomeldncejdjsbdhjdxbd|fnybcmyhaaphiglbzra)|o(?:ovgienjzlmmfkmwoyep|penbankstonecdn)|relashwpakcbe2cjehsed|shdkrodmpcndjshedg|u(?:lqdjksdsdsd3sd|rqjlnefdqsdfik2k)|xbvomrplzncxhrbdgsd|z(?:ahriiana59|c2mjw9btnqfgw6ps7ex)))\.(?:blob|web)\.core\.windows\.net/;i
describe SPAM_CWINDOWSNET Link to known hosted spam or phishing content
#score SPAM_CWINDOWSNET 3.500
tflags SPAM_CWINDOWSNET publish
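Review bot: The tail of the `SPAM_CWINDOWSNET` pattern, `\.(?:blob|web)\.core\.windows\.net/`, requires the listed account name to sit directly before `.blob.` or `.web.`, while the lookahead `(?=[^/]+\.(?:blob|web)\.core\.windows\.net)` accepts any labels in between. As far as I know, Azure static-website hosts carry a zone label between the account name and `web` (the `<account>.zNN.web.core.windows.net` form), so the `web` branch may never match for the names added here; this should be confirmed against the samples that fed the list. If that is the case, allowing an optional label, e.g. `(?:\.z\d+)?\.(?:blob|web)\.core\.windows\.net/`, would make the rule cover both endpoint forms.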
describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters
##} SUBJECT_NEEDS_ENCODING
-##{ SUBJ_ATTENTION
-
-meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED
-describe SUBJ_ATTENTION ATTENTION in Subject
-#score SUBJ_ATTENTION 0.500 # limit
-##} SUBJ_ATTENTION
-
##{ SUBJ_BRKN_WORDNUMS
#score SUBJ_BRKN_WORDNUMS 1.500 # limit
endif
##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
+##{ SUBJ_UNNEEDED_HTML
+
+meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
+describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
+##} SUBJ_UNNEEDED_HTML
+
##{ SUSP_UTF8_WORD_FROM
meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM
#score SUSP_UTF8_WORD_FROM 2.000 # limit
##} SUSP_UTF8_WORD_FROM
-##{ SUSP_UTF8_WORD_MANY
+##{ SUSP_UTF8_WORD_SUBJ
-meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9
-describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters
-#score SUSP_UTF8_WORD_MANY 3.000 # limit
-##} SUSP_UTF8_WORD_MANY
+meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
+describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
+#score SUSP_UTF8_WORD_SUBJ 2.000 # limit
+##} SUSP_UTF8_WORD_SUBJ
##{ SYSADMIN
describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
##} TO_EQ_FM_DOM_HTML_IMG
+##{ TO_EQ_FM_DOM_HTML_ONLY
+
+meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
+describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
+##} TO_EQ_FM_DOM_HTML_ONLY
+
##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
endif
##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
+##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
+
+ifplugin Mail::SpamAssassin::Plugin::HeaderEval
+header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
+describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
+endif
+##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
+
##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
endif
##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-
-ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
- meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
- describe T_FILL_THIS_FORM_LOAN Answer loan question(s)
-# score T_FILL_THIS_FORM_LOAN 2.0
-endif
-##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-
##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
endif
##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
-##{ T_HDRS_LCASE
-
-describe T_HDRS_LCASE Odd capitalization of message header
-#score T_HDRS_LCASE 0.10 # limit
-##} T_HDRS_LCASE
-
-##{ T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
-
-if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
- meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
-endif
-##} T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
-
-##{ T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
-
-ifplugin Mail::SpamAssassin::Plugin::FreeMail
- meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
-endif
-##} T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
-
##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
endif
##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-##{ T_LOTTO_AGENT
-
-meta T_LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD
-describe T_LOTTO_AGENT Claims Agent
-#score T_LOTTO_AGENT 1.50 # limit
-##} T_LOTTO_AGENT
-
##{ T_LOTTO_AGENT_FM
header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
endif
##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
+describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
+#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit
+endif
+endif
+##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
+describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
+#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
+endif
+endif
+##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
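Review bot: `T_PDS_FREEMAIL_REPLYTO_URISHRT` depends on `__freemail_hdr_replyto`, which is presumably defined only when the FreeMail plugin is loaded, yet the block is guarded only by `ifplugin Mail::SpamAssassin::Plugin::WLBLEval` and the version test. The removed `T_HDRS_LCASE` variants in this same diff show the convention of a separate `ifplugin Mail::SpamAssassin::Plugin::FreeMail` guard for rules that use `__freemail_*` sub-rules. I would add that guard around the `meta` line, so that a site without FreeMail does not load a meta rule with an undefined dependency that can never fire. The other two `T_PDS_*_URISHRT` rules added in this diff do not reference a freemail sub-rule and need no change.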
##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
endif
##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+##{ T_PDS_FROM_NAME_TO_DOMAIN
+
+meta T_PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
+#score T_PDS_FROM_NAME_TO_DOMAIN 2.0
+describe T_PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
+##} T_PDS_FROM_NAME_TO_DOMAIN
+
##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
endif
##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
+describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener
+#score T_PDS_TINYSUBJ_URISHRT 1.5 # limit
+endif
+endif
+##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
endif
##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+##{ T_PDS_X_PHP_WP_EXP
-if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
- meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
- describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX
-# score T_PHOTO_EDITING_DIRECT 3.000 # limit
-endif
-##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+meta T_PDS_X_PHP_WP_EXP (__PDS_X_PHP_WPCONTENT || __PDS_X_PHP_WPINCLUDES || __PDS_X_PHP_WPADMIN || __PDS_X_PHP_WPJS)
+describe T_PDS_X_PHP_WP_EXP X-PHP-Script shows sent from a Wordpress PHP script where you would not expect one
+#score T_PDS_X_PHP_WP_EXP 1.5
+##} T_PDS_X_PHP_WP_EXP
##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
tflags T_SCC_BODY_TEXT_LINE nice
##} T_SCC_BODY_TEXT_LINE
-##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-
-ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-meta T_SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1
-describe T_SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header
-tflags T_SCC_BOGUS_CTE_1 publish
-endif
-##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-
-##{ T_SCC_IS_DMARC_REP
-
-meta T_SCC_IS_DMARC_REP __SCC_DMARC_REP && __MIME_ATTACHMENT
-describe T_SCC_IS_DMARC_REP Message looks like a DMARC report
-tflags T_SCC_IS_DMARC_REP nice
-##} T_SCC_IS_DMARC_REP
-
##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
endif
##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
+##{ T_US_DOLLARS_3
+
+body T_US_DOLLARS_3 /(?:\$|usd).?\d{1,3}[,.]\d{3}[,.]\d{3}(?:[,.]\d\d)?/i
+describe T_US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN)
+#score T_US_DOLLARS_3 2.0
+##} T_US_DOLLARS_3
+
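Review bot: The `T_US_DOLLARS_3` body pattern is open at both ends: `usd` has no leading `\b`, and nothing stops the match after the third digit group. It therefore also hits amounts with a fourth group (billions) and longer separator-delimited digit runs, which the description "Mentions millions of $" does not say. If only seven-to-nine-digit amounts are meant, `\busd` and a trailing `(?![,.]?\d)` would pin it down; if larger amounts are intended too, the `describe` text should say so. The `.?` between the currency marker and the digits accepts any character; if only optional whitespace is meant, `\s?` is the tighter form.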
##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
tflags URI_AZURE_CLOUDAPP publish
##} URI_AZURE_CLOUDAPP
+##{ URI_CLOUDFLAREIPFS
+
+meta URI_CLOUDFLAREIPFS __URI_CLOUDFLAREIPFS
+describe URI_CLOUDFLAREIPFS References Interplanetary File System PtP content via CloudFlare, likely phishing
+#score URI_CLOUDFLAREIPFS 2.500 # limit
+tflags URI_CLOUDFLAREIPFS publish
+##} URI_CLOUDFLAREIPFS
+
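Review bot: The `describe` text for `URI_CLOUDFLAREIPFS` uses "PtP", which is presumably meant as "P2P" (peer-to-peer), and spells the vendor "CloudFlare". This string is shown to recipients in the spam report, so I would write `describe URI_CLOUDFLAREIPFS References IPFS (peer-to-peer) content via Cloudflare, likely phishing`.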
##{ URI_DASHGOVEDU
meta URI_DASHGOVEDU __URI_DASHGOVEDU
##{ URI_GOOG_STO_SPAMMY
-uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|n
ta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r
(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|iltrk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s____mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy
777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
+uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|n
ta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r
(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s____mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|
leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
#score URI_GOOG_STO_SPAMMY 3.000
tflags URI_GOOG_STO_SPAMMY publish
tflags URI_LONG_REPEAT publish
##} URI_LONG_REPEAT
+##{ URI_MALWARE_BH
+
+uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
+describe URI_MALWARE_BH Possible BlackHole malware links / phishing
+#score URI_MALWARE_BH 1.0 # limit
+##} URI_MALWARE_BH
+
##{ URI_MALWARE_SCMS
uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
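Review bot: The new `URI_MALWARE_BH` pattern is unanchored and matches more than its description suggests. `\.\w{2,4}\/` matches any dot-suffixed token anywhere in the URI, not just the end of the hostname, and `index\.html` has no trailing boundary, so ordinary site paths with an eight-character directory will also hit. `[\d\w]` is redundant because `\w` already covers digits. Consider tying the match to the authority part and the end of the path, e.g. `m;^https?://[^/?#]+\.\w{2,4}/\w{8}/index\.html(?:[?#]|$);i`, and checking the false-positive rate against a ham corpus before the commented `1.0` score limit is relied on.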
tflags XM_DIGITS_ONLY publish
##} XM_DIGITS_ONLY
+##{ XM_LIGHT_HEAVY
+
+meta XM_LIGHT_HEAVY __XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE
+describe XM_LIGHT_HEAVY Special edition of a MUA
+#score XM_LIGHT_HEAVY 2.500 # limit
+##} XM_LIGHT_HEAVY
+
##{ XM_PHPMAILER_FORGED
meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
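Review bot: The `describe` text added for `XM_LIGHT_HEAVY`, "Special edition of a MUA", does not tell someone reading a spam report which header fired or why the rule is suppressed when `__HAS_X_BEEN_THERE` is set. `__XM_LIGHT_HEAVY` is defined outside this hunk, so the exact wording has to be checked against it. Presumably it is an X-Mailer test, in which case something like `describe XM_LIGHT_HEAVY X-Mailer claims a Light/Heavy MUA edition (non-list mail)` would be easier to act on. A one-line `#` comment above the `meta` giving the reason for the `!__HAS_X_BEEN_THERE` exclusion would also help the next person tuning the 2.500 limit.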
reuse T_BODY_QUOTE_MALF_MSGID
reuse SPOOFED_FREEMAIL_NO_RDNS
reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
-reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
+reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT
reuse T_PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT
meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
-body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
-tflags __4BYTE_UTF8_WORD multiple maxhits=10
-
-meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9
-
header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
+header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
+
uri __64_ANY_URI m;[/?]\w{64,}$;i
body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i
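Review bot: In the added `__4BYTE_UTF8_WORD_SUBJ` rule the `{3,10}` upper bound has no effect. The pattern is unanchored and the header rule carries no `multiple` flag, so any Subject with three or more consecutive `\xf0\x9d[\x90-\x9f][\x80-\xbf]` sequences matches, exactly as `{3}` would. The bound only affected hit counting on the removed body rule, which used `tflags __4BYTE_UTF8_WORD multiple maxhits=10`. Writing `/(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3}/` states the actual condition; the unchanged `__4BYTE_UTF8_WORD_FROM` line has the same form. The hunk also removes `__4BYTE_UTF8_WORD` and `__4BYTE_UTF8_WORD_9`, so it is worth grepping for metas outside this hunk that still reference them, since such a term would no longer contribute to the result.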
-meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
+meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
-meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
+meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
-meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
+meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
-meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
+meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
-meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI)
-
-meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
-
body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
body __BODY_TEXT_LINE /^\s*\S/
meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
-meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)
+meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)
-meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
+meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
-meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
+meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
-header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} /i
-
header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
-header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /i
-
header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/
header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
tflags __HTML_SINGLET multiple maxhits=21
-meta __HTML_SINGLET_10 __HTML_SINGLET > 10
-
meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
-meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL
-
meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
full __LONGLINE /^[^\r\n]{998}/m
-meta __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE
-
rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
- meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE
+ meta __LONG_STY_INVIS __STY_INVIS_2 && __LONGLINE
endif
if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
-meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
+meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
-meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
+meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
-meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)
+meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto
body __NIGERIA /\bnigeria\b/i
-meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE
-
meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
tflags __NOT_A_PERSON nice
header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i
+header __PDS_PHP_EVAL2 X-PHP-Originating-Script =~ /runtime-created function/
+
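Review bot: `__PDS_PHP_EVAL2` is matched case-sensitively, while the neighbouring `__PDS_PHP_EVAL1` test on the same X-PHP-Originating-Script header uses `/i`. If the difference is not deliberate, `/runtime-created function/i` would keep the pair parallel. Neither subrule carries a comment, so a line such as `# script name reported for dynamically generated PHP code rather than a file on disk` above the pair would tell the next maintainer why these strings matter; that reading is inferred from the patterns and should be confirmed.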
if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
meta __PDS_QP_1024 0
endif
endif
endif
+header __PDS_X_PHP_WELLKNOWN X-PHP-Script =~ m;/\.well-known/;
+
+header __PDS_X_PHP_WPADMIN X-PHP-Script =~ m;/wp-admin/(?:css|themes|js|images|user|maint)/[\S]+\.php for;i
+
+header __PDS_X_PHP_WPCONTENT X-PHP-Script =~ m;/wp-content/(?:themes|uploads)/[\S]+\.php for;i
+
+header __PDS_X_PHP_WPINCLUDES X-PHP-Script =~ m;/wp-includes/(?:css|fonts|js|pomo|Text|theme-compat)/[\S]+\.php for;i
+
+header __PDS_X_PHP_WPJS X-PHP-Script =~ m;/js/[\S]+\.php for;i
+
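Review bot: `__PDS_X_PHP_WPJS` is not tied to a WordPress directory despite its name: `m;/js/[\S]+\.php for;i` matches any script path containing `/js/`. It therefore also fires on every header that already hits the `js` alternative of `__PDS_X_PHP_WPADMIN` or `__PDS_X_PHP_WPINCLUDES`. If a meta later adds these subrules together, the same header is counted twice, so either document the overlap (`# generic: any PHP script under a /js/ directory; overlaps the wp-admin and wp-includes js cases`) or exclude those prefixes. `[\S]+` is the same as `\S+` in all four patterns. `__PDS_X_PHP_WELLKNOWN` is the only one of the five without `/i` and without the `\.php for` tail, which is worth a comment if intended.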
meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i
meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
-meta __RCVD_DOTEDU_SUSP __RCVD_DOTEDU_EXT && ( MIME_QP_LONG_LINE || __TVD_SPACE_RATIO || __FROM_RUNON || __USING_VERP1 )
-
meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i
header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i
-header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|tsyholden)|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavis(?:donation|foundation))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|
vierlesme)|efferydean|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|lenasheve|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.r
ev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
+header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|tsyholden)|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:eda\.ogada|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavis(?:donation|foundation))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|hlexpresscompany|minique|ona(?:ldwilliam|tionhelpercare)|r(?:davidrhama|rhamahassan)|unsilva)|e(?:benezero|christina|dmundventura|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|rahwasam|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:es(?:\.connelly|patrickconnolly)|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs|ritagetrustbank)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff
|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:a(?:haskel|thanhaskel)|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell|tonyelumelu)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|ffice(?:emaill|rricherd)|hallkenneth|lenasheve|rabankheadofficelometogo|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback
|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|robins|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
-header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:biorahkenneth|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i
+header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:biorahkenneth|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|oftc|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i
header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
-header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i
-
header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i
if !((version >= 3.003000))
mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/
endif
-body __SCC_DMARC_REP /(DMARC|aggregate) .{0,12}report/
-
header __SCC_SUBJECT_HAS_NON_SPACE Subject =~ /\S/
body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
-meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
-
meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY
-meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT
-
uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
-header __SUBJ_ATTENTION Subject =~ /ATTENTION/
-
meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
header __SUBJ_SHORT Subject =~ /^.{0,8}$/
+header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
+tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3
+
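Review bot: `__SUBJ_UNNEEDED_HTML` matches percent-encoded octets (`%` followed by two hex digits), not HTML, so the name will mislead anyone reading a meta that uses it. A comment such as `# URL-style percent-encoding in the Subject, counted up to 3 times` would make the intent explicit. The pattern has no boundary after the second hex digit, so a literal percent sign directly followed by a word that starts with two hex letters also counts (constructed example: `100%cashback`). Whether that matters depends on the threshold the consuming meta applies, which is not visible here.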
header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
+meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
+
if !plugin(Mail::SpamAssassin::Plugin::SPF)
meta __TO_EQ_FM_DOM_SPF_FAIL 0
endif
uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
+uri __URI_CLOUDFLAREIPFS m,://cloudflare-ipfs\.com/ipfs/,i
+
uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
uri __URI_DATA /^data:(?!image\/)[a-z]/i
uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i
-uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i
+uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act(?!ion)|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i
uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
header __XM_GNUS X-Mailer =~ /^Gnus v/
+header __XM_LIGHT_HEAVY X-Mailer =~ /\b(?:light|(?<!::)lite|standard|business|pro(?:fessional)?|educational|personal)\b/i
+
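Review bot: The `(?<!::)` lookbehind in front of `lite` in `__XM_LIGHT_HEAVY` is unexplained. It presumably exists to skip Perl-module style mailer names that end in `::Lite`, and a short comment saying so (`# (?<!::) keeps module-style names ending in ::Lite from matching`) would stop someone removing it as noise. The other alternatives (`standard`, `business`, `pro`, `personal`) are common words in legitimate X-Mailer strings. It is also worth noting in the comment that this subrule only signals an edition word and is meant to be combined with other evidence.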
header __XM_MHE X-Mailer =~ /^mh-e \d/
header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
+body __hk_win_0 /\byour? e-?mail just w[oi]n/i
+
+body __hk_win_2 /\battn.{0,10}winner/i
+
+body __hk_win_3 /\bhappily aa?nnounce/i
+
+body __hk_win_4 /\bpleas(?:ure|ed) to inform/i
+
+body __hk_win_5 /\b(?:notice the|your) winning/i
+
+body __hk_win_7 /\bcongratulations? to your/i
+
+body __hk_win_8 /\bunexpected luck/i
+
+body __hk_win_9 /\blucky (?:nl )number/i
+
+body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i
+
+body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i
+
+body __hk_win_c /\bune adresse e-?mail sur internet/i
+
+body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i
+
+body __hk_win_i /\bfunds? transfer/i
+
+body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i
+
+body __hk_win_l /\b(?:make|file) (?:for )?your claim/i
+
+body __hk_win_m /\br.clamation de votre prix/i
+
+body __hk_win_n /\bcollect your prize/i
+
+body __hk_win_o /\bclarification and procedure/i
+
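Review bot: `__hk_win_9` is added as `/\blucky (?:nl )number/i`, and the non-capturing group has no quantifier, so the sub-rule fires only on the literal phrase "lucky nl number" and never on plain "lucky number". The neighbouring sub-rules write their optional words with a trailing `?` (`(?:address )?` in `__hk_win_b`, `(?:\S{0,5} )?` in `__hk_win_d`), which suggests the quantifier was dropped here. If "nl " is meant to be optional, the line should read `body __hk_win_9 /\blucky (?:nl )?number/i`. If the literal phrase is intended, drop the redundant group and add a comment saying so. The meta rule that combines the `__hk_win_*` sub-rules is not in this hunk, so the effect on the final lottery-scam score cannot be checked from here.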
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
endif
-score ACCT_PHISHING_MANY 2.561 2.999 2.561 2.999
+score ACCT_PHISHING_MANY 2.999 2.999 2.999 2.999
score AC_BR_BONANZA 0.001 0.001 0.001 0.001
score AC_DIV_BONANZA 0.001 0.001 0.001 0.001
-score AC_FROM_MANY_DOTS 2.499 2.499 2.499 2.499
+score AC_FROM_MANY_DOTS 0.717 2.499 0.717 2.499
score AC_HTML_NONSENSE_TAGS 1.999 1.999 1.999 1.999
-score AC_POST_EXTRAS 0.001 1.417 0.001 1.417
+score AC_POST_EXTRAS 0.001 0.429 0.001 0.429
score AC_SPAMMY_URI_PATTERNS1 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS10 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS11 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS2 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS3 1.000 1.000 1.000 1.000
score AC_SPAMMY_URI_PATTERNS4 1.000 1.000 1.000 1.000
-score AC_SPAMMY_URI_PATTERNS8 1.000 1.000 1.000 1.000
+score AC_SPAMMY_URI_PATTERNS8 1.000 3.999 1.000 3.999
score AC_SPAMMY_URI_PATTERNS9 1.000 1.000 1.000 1.000
-score ADMITS_SPAM 3.199 3.099 3.199 3.099
+score ADMITS_SPAM 2.096 0.184 2.096 0.184
score ADULT_DATING_COMPANY 10.000 10.000 10.000 10.000
score ADVANCE_FEE_2_NEW_FORM 1.000 1.000 1.000 1.000
-score ADVANCE_FEE_2_NEW_FRM_MNY 1.000 2.063 1.000 2.063
-score ADVANCE_FEE_2_NEW_MONEY 1.999 1.999 1.999 1.999
-score ADVANCE_FEE_3_NEW 3.499 3.266 3.499 3.266
+score ADVANCE_FEE_2_NEW_FRM_MNY 1.623 1.083 1.623 1.083
+score ADVANCE_FEE_2_NEW_MONEY 2.000 1.999 2.000 1.999
+score ADVANCE_FEE_3_NEW 3.043 2.527 3.043 2.527
+score ADVANCE_FEE_3_NEW_FRM_MNY 1.013 0.085 1.013 0.085
score ADVANCE_FEE_3_NEW_MONEY 0.001 0.001 0.001 0.001
-score ADVANCE_FEE_4_NEW 0.803 0.001 0.803 0.001
-score ADVANCE_FEE_4_NEW_FRM_MNY 0.674 1.242 0.674 1.242
+score ADVANCE_FEE_4_NEW 0.001 0.001 0.001 0.001
+score ADVANCE_FEE_4_NEW_FRM_MNY 0.001 0.001 0.001 0.001
score ADVANCE_FEE_4_NEW_MONEY 0.001 0.001 0.001 0.001
+score ADVANCE_FEE_5_NEW 2.399 1.823 2.399 1.823
score ADVANCE_FEE_5_NEW_FRM_MNY 0.001 0.001 0.001 0.001
-score ADVANCE_FEE_5_NEW_MONEY 0.001 0.662 0.001 0.662
-score AD_PREFS 0.001 0.001 0.001 0.001
+score ADVANCE_FEE_5_NEW_MONEY 0.001 0.001 0.001 0.001
+score AD_PREFS 0.250 0.499 0.250 0.499
score ALIBABA_IMG_NOT_RCVD_ALI 1.000 1.000 1.000 1.000
score AMAZON_IMG_NOT_RCVD_AMZN 2.499 2.499 2.499 2.499
score APP_DEVELOPMENT_FREEM 1.000 1.000 1.000 1.000
-score APP_DEVELOPMENT_NORDNS 1.000 1.000 1.000 1.000
+score APP_DEVELOPMENT_NORDNS 0.365 1.999 0.365 1.999
score ARC_SIGNED 0.001 0.001 0.001 0.001
score ARC_VALID 0.001 0.001 0.001 0.001
score AXB_XMAILER_MIMEOLE_OL_024C2 0.001 0.001 0.001 0.001
-score AXB_X_FF_SEZ_S 3.499 3.399 3.499 3.399
score BEBEE_IMG_NOT_RCVD_BB 1.000 1.000 1.000 1.000
-score BIGNUM_EMAILS_FREEM 1.000 1.000 1.000 1.000
+score BIGNUM_EMAILS_FREEM 0.001 0.001 0.001 0.001
score BIGNUM_EMAILS_MANY 1.000 1.000 1.000 1.000
+score BILLION_OVERLAP -0.999 -0.317 -0.999 -0.317
score BITCOIN_BOMB 1.000 1.000 1.000 1.000
-score BITCOIN_DEADLINE 1.586 2.999 1.586 2.999
-score BITCOIN_EXTORT_01 2.103 0.001 2.103 0.001
+score BITCOIN_DEADLINE 1.401 2.602 1.401 2.602
+score BITCOIN_EXTORT_01 2.104 1.734 2.104 1.734
score BITCOIN_EXTORT_02 1.000 1.000 1.000 1.000
score BITCOIN_IMGUR 1.000 1.000 1.000 1.000
-score BITCOIN_MALWARE 3.406 0.986 3.406 0.986
+score BITCOIN_MALWARE 0.001 0.001 0.001 0.001
score BITCOIN_OBFU_SUBJ 1.000 1.000 1.000 1.000
-score BITCOIN_ONAN 1.642 1.116 1.642 1.116
+score BITCOIN_ONAN 1.873 0.218 1.873 0.218
score BITCOIN_PAY_ME 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_01 1.000 1.000 1.000 1.000
-score BITCOIN_SPAM_02 2.499 2.321 2.499 2.321
-score BITCOIN_SPAM_03 2.499 1.683 2.499 1.683
+score BITCOIN_SPAM_02 1.551 2.499 1.551 2.499
+score BITCOIN_SPAM_03 2.499 2.499 2.499 2.499
score BITCOIN_SPAM_04 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_05 0.001 1.000 0.001 1.000
score BITCOIN_SPAM_06 1.000 1.000 1.000 1.000
-score BITCOIN_SPAM_07 2.903 0.001 2.903 0.001
+score BITCOIN_SPAM_07 0.602 0.001 0.602 0.001
score BITCOIN_SPAM_08 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_09 1.499 1.499 1.499 1.499
score BITCOIN_SPAM_10 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_11 1.000 1.000 1.000 1.000
score BITCOIN_SPAM_12 1.000 1.000 1.000 1.000
score BITCOIN_SPF_ONLYALL 0.001 1.000 0.001 1.000
-score BITCOIN_TOEQFM 1.597 1.539 1.597 1.539
-score BITCOIN_VISTA 0.001 3.016 0.001 3.016
-score BITCOIN_XPRIO 2.499 2.499 2.499 2.499
-score BITCOIN_YOUR_INFO 1.000 1.000 1.000 1.000
-score BODY_SINGLE_URI 1.680 0.547 1.680 0.547
-score BODY_SINGLE_WORD 0.784 0.001 0.784 0.001
-score BODY_URI_ONLY 0.178 0.001 0.178 0.001
-score BOGUS_MIME_VERSION 3.499 2.706 3.499 2.706
-score BOGUS_MSM_HDRS 2.355 2.528 2.355 2.528
+score BITCOIN_TOEQFM 3.499 2.863 3.499 2.863
+score BITCOIN_VISTA 0.001 0.001 0.001 0.001
+score BITCOIN_XPRIO 0.001 0.001 0.001 0.001
+score BITCOIN_YOUR_INFO 0.618 0.001 0.618 0.001
+score BODY_URI_ONLY 0.001 0.001 0.001 0.001
+score BOGUS_MIME_VERSION 3.499 3.499 3.499 3.499
+score BOGUS_MSM_HDRS 2.197 0.161 2.197 0.161
score BOMB_FREEM 1.000 1.000 1.000 1.000
score BOMB_MONEY 1.000 1.000 1.000 1.000
score BTC_ORG 1.000 1.000 1.000 1.000
score BULK_RE_SUSP_NTLD 1.000 1.000 1.000 1.000
score CANT_SEE_AD 1.000 1.000 1.000 1.000
-score CK_HELO_GENERIC 0.249 0.249 0.249 0.249
+score CK_HELO_GENERIC 0.250 0.249 0.250 0.249
score COMMENT_GIBBERISH 1.000 1.000 1.000 1.000
-score COMPENSATION 1.499 0.538 1.499 0.538
-score CONTENT_AFTER_HTML 1.000 1.000 1.000 1.000
-score CONTENT_AFTER_HTML_WEAK 1.000 1.000 1.000 1.000
-score CTE_8BIT_MISMATCH 0.999 0.001 0.999 0.001
-score DATE_IN_FUTURE_Q_PLUS 2.760 2.006 2.760 2.006
+score COMPENSATION 1.342 0.068 1.342 0.068
+score CONTENT_AFTER_HTML 2.499 2.499 2.499 2.499
+score CONTENT_AFTER_HTML_WEAK 1.499 1.500 1.499 1.500
+score CTE_8BIT_MISMATCH 0.999 0.260 0.999 0.260
score DAY_I_EARNED 1.000 1.000 1.000 1.000
-score DEAR_BENEFICIARY 3.099 2.446 3.099 2.446
+score DEAR_BENEFICIARY 3.399 2.451 3.399 2.451
+score DEAR_NOBODY 2.999 2.559 2.999 2.559
score DKIMWL_BL 0.001 1.000 0.001 1.000
score DKIMWL_BLOCKED 0.001 0.001 0.001 0.001
-score DKIMWL_WL_HIGH 0.001 -0.014 0.001 -0.014
+score DKIMWL_WL_HIGH 0.001 -0.141 0.001 -0.141
score DKIMWL_WL_MED 0.001 -0.001 0.001 -0.001
score DKIMWL_WL_MEDHI 0.001 -0.001 0.001 -0.001
score DOTGOV_IMAGE 1.000 1.000 1.000 1.000
-score DSN_NO_MIMEVERSION 1.999 1.999 1.999 1.999
-score DYNAMIC_IMGUR 1.000 1.000 1.000 1.000
+score DSN_NO_MIMEVERSION 2.000 1.999 2.000 1.999
+score DYNAMIC_IMGUR 2.324 1.244 2.324 1.244
score EBAY_IMG_NOT_RCVD_EBAY 1.000 1.000 1.000 1.000
score ENCRYPTED_MESSAGE -0.999 -0.999 -0.999 -0.999
score END_FUTURE_EMAILS 2.499 2.499 2.499 2.499
score ENVFROM_GOOG_TRIX 1.000 1.000 1.000 1.000
score FACEBOOK_IMG_NOT_RCVD_FB 1.999 1.999 1.999 1.999
-score FBI_MONEY 1.000 1.000 1.000 1.000
-score FBI_SPOOF 1.000 1.000 1.000 1.000
-score FILL_THIS_FORM 0.798 0.801 0.798 0.801
-score FONT_INVIS_DIRECT 0.001 0.001 0.001 0.001
+score FBI_MONEY 1.999 1.999 1.999 1.999
+score FBI_SPOOF 0.378 0.385 0.378 0.385
+score FILL_THIS_FORM 0.001 0.001 0.001 0.001
+score FONT_INVIS_DIRECT 1.363 0.214 1.363 0.214
score FONT_INVIS_DOTGOV 1.000 1.000 1.000 1.000
-score FONT_INVIS_HTML_NOHTML 2.487 1.018 2.487 1.018
-score FONT_INVIS_LONG_LINE 2.162 2.999 2.162 2.999
+score FONT_INVIS_HTML_NOHTML 2.999 2.481 2.999 2.481
+score FONT_INVIS_LONG_LINE 1.944 2.999 1.944 2.999
score FONT_INVIS_MSGID 2.499 2.499 2.499 2.499
-score FONT_INVIS_NORDNS 0.001 0.710 0.001 0.710
-score FONT_INVIS_POSTEXTRAS 2.590 0.872 2.590 0.872
+score FONT_INVIS_NORDNS 0.001 0.672 0.001 0.672
+score FONT_INVIS_POSTEXTRAS 2.646 2.967 2.646 2.967
score FORM_FRAUD 0.999 0.999 0.999 0.999
-score FORM_FRAUD_3 2.253 1.199 2.253 1.199
-score FORM_FRAUD_5 2.453 1.619 2.453 1.619
-score FOUND_YOU 1.000 1.000 1.000 1.000
-score FREEMAIL_FORGED_FROMDOMAIN 0.001 0.001 0.001 0.001
+score FORM_FRAUD_3 2.799 2.699 2.799 2.699
+score FORM_FRAUD_5 0.001 0.001 0.001 0.001
+score FOUND_YOU 1.416 3.055 1.416 3.055
+score FREEMAIL_FORGED_FROMDOMAIN 0.250 0.001 0.250 0.001
score FREEM_FRNUM_UNICD_EMPTY 1.000 1.000 1.000 1.000
score FRNAME_IN_MSG_XPRIO_NO_SUB 1.000 1.000 1.000 1.000
-score FROM_ADDR_WS 1.050 0.001 1.050 0.001
+score FROM_ADDR_WS 2.999 1.548 2.999 1.548
score FROM_BANK_NOAUTH 0.001 1.000 0.001 1.000
score FROM_FMBLA_NDBLOCKED 0.001 0.001 0.001 0.001
-score FROM_FMBLA_NEWDOM 0.001 1.352 0.001 1.352
+score FROM_FMBLA_NEWDOM 0.001 1.499 0.001 1.499
score FROM_FMBLA_NEWDOM14 0.001 0.999 0.001 0.999
score FROM_FMBLA_NEWDOM28 0.001 0.799 0.001 0.799
-score FROM_GOV_DKIM_AU 0.001 -0.156 0.001 -0.156
+score FROM_GOV_DKIM_AU 0.001 -0.469 0.001 -0.469
score FROM_GOV_REPLYTO_FREEMAIL 0.001 1.000 0.001 1.000
-score FROM_GOV_SPOOF 0.001 1.000 0.001 1.000
-score FROM_IN_TO_AND_SUBJ 1.799 1.799 1.799 1.799
-score FROM_MISSPACED 1.999 1.149 1.999 1.149
-score FROM_MISSP_DYNIP 1.661 0.533 1.661 0.533
-score FROM_MISSP_EH_MATCH 1.999 2.000 1.999 2.000
-score FROM_MISSP_FREEMAIL 2.304 2.401 2.304 2.401
-score FROM_MISSP_MSFT 0.892 0.001 0.892 0.001
-score FROM_MISSP_PHISH 2.782 3.002 2.782 3.002
-score FROM_MISSP_REPLYTO 2.500 0.858 2.500 0.858
-score FROM_MISSP_SPF_FAIL 0.001 1.779 0.001 1.779
-score FROM_MISSP_TO_UNDISC 3.203 2.332 3.203 2.332
+score FROM_GOV_SPOOF 0.001 0.999 0.001 0.999
+score FROM_IN_TO_AND_SUBJ 1.899 1.799 1.899 1.799
+score FROM_MISSPACED 0.201 0.001 0.201 0.001
+score FROM_MISSP_DYNIP 0.001 0.792 0.001 0.792
+score FROM_MISSP_EH_MATCH 0.001 0.001 0.001 0.001
+score FROM_MISSP_FREEMAIL 2.252 3.199 2.252 3.199
+score FROM_MISSP_MSFT 0.001 0.001 0.001 0.001
+score FROM_MISSP_PHISH 3.499 3.499 3.499 3.499
+score FROM_MISSP_REPLYTO 1.111 0.001 1.111 0.001
+score FROM_MISSP_SPF_FAIL 0.001 1.312 0.001 1.312
+score FROM_MISSP_TO_UNDISC 2.146 1.256 2.146 1.256
score FROM_MISSP_USER 0.001 0.001 0.001 0.001
-score FROM_MISSP_XPRIO 2.500 2.499 2.500 2.499
+score FROM_MISSP_XPRIO 0.001 0.001 0.001 0.001
score FROM_NEWDOM_BTC 0.001 1.000 0.001 1.000
-score FROM_NTLD_LINKBAIT 1.000 1.000 1.000 1.000
-score FROM_NTLD_REPLY_FREEMAIL 1.663 1.000 1.663 1.000
+score FROM_NTLD_LINKBAIT 0.800 0.610 0.800 0.610
+score FROM_NTLD_REPLY_FREEMAIL 0.001 0.001 0.001 0.001
score FROM_NUMBERO_NEWDOMAIN 0.001 1.000 0.001 1.000
-score FROM_PAYPAL_SPOOF 0.001 0.001 0.001 0.001
+score FROM_PAYPAL_SPOOF 0.001 1.599 0.001 1.599
score FROM_SUSPICIOUS_NTLD 0.499 0.499 0.499 0.499
-score FROM_SUSPICIOUS_NTLD_FP 1.999 1.999 1.999 1.999
-score FROM_UNBAL1 2.266 2.020 2.266 2.020
-score FROM_WSP_TRAIL 2.699 2.699 2.699 2.699
-score FSL_BULK_SIG 0.001 0.714 0.001 0.714
+score FROM_SUSPICIOUS_NTLD_FP 1.999 0.409 1.999 0.409
+score FROM_UNBAL1 2.499 2.399 2.499 2.399
+score FROM_WSP_TRAIL 2.699 2.599 2.699 2.599
+score FSL_BULK_SIG 0.001 0.001 0.001 0.001
score FSL_CTYPE_WIN1251 0.001 0.001 0.001 0.001
-score FSL_HAS_TINYURL 2.799 2.699 2.799 2.699
score FSL_NEW_HELO_USER 0.001 0.001 0.001 0.001
-score FUZZY_AMAZON 2.599 2.499 2.599 2.499
-score FUZZY_IMPORTANT 2.399 1.996 2.399 1.996
-score FUZZY_PRIVACY 2.699 2.699 2.699 2.699
-score FUZZY_SECURITY 2.599 2.499 2.599 2.499
-score FUZZY_WALLET 1.787 0.001 1.787 0.001
+score FUZZY_AMAZON 1.729 0.688 1.729 0.688
+score FUZZY_CLICK_HERE 3.500 3.399 3.500 3.399
+score FUZZY_IMPORTANT 2.699 2.699 2.699 2.699
+score FUZZY_WALLET 1.016 0.001 1.016 0.001
score GAPPY_SALES_LEADS_FREEM 1.000 1.000 1.000 1.000
-score GB_BITCOIN_CP 3.000 2.999 3.000 2.999
-score GB_CUSTOM_HTM_URI 1.499 0.001 1.499 0.001
-score GB_FAKE_RF_SHORT 1.939 1.999 1.939 1.999
+score GB_BITCOIN_CP 2.036 1.851 2.036 1.851
+score GB_CUSTOM_HTM_URI 1.037 0.001 1.037 0.001
+score GB_FAKE_RF_SHORT 1.228 1.593 1.228 1.593
score GB_FORGED_MUA_POSTFIX 1.000 1.000 1.000 1.000
score GB_FREEMAIL_DISPTO 0.001 0.001 0.001 0.001
-score GB_FREEMAIL_DISPTO_NOTFREEM 0.500 0.500 0.500 0.500
+score GB_FREEMAIL_DISPTO_NOTFREEM 0.499 0.499 0.499 0.499
score GB_GOOGLE_OBFUR 0.750 0.750 0.750 0.750
-score GB_HASHBL_BTC 0.001 4.852 0.001 4.852
+score GB_HASHBL_BTC 0.001 0.360 0.001 0.360
score GOOGLE_DOCS_PHISH 1.000 1.000 1.000 1.000
score GOOGLE_DOCS_PHISH_MANY 1.000 1.000 1.000 1.000
score GOOGLE_DOC_SUSP 1.000 1.000 1.000 1.000
score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.000 1.000 1.000 1.000
-score GOOG_MALWARE_DNLD 3.889 3.186 3.889 3.186
-score GOOG_REDIR_HTML_ONLY 1.999 1.999 1.999 1.999
-score GOOG_REDIR_NORDNS 2.498 0.899 2.498 0.899
+score GOOG_MALWARE_DNLD 3.613 1.000 3.613 1.000
+score GOOG_REDIR_HTML_ONLY 2.000 1.999 2.000 1.999
+score GOOG_REDIR_NORDNS 0.501 0.012 0.501 0.012
score GOOG_STO_EMAIL_PHISH 1.000 1.000 1.000 1.000
score GOOG_STO_HTML_PHISH 1.000 1.000 1.000 1.000
score GOOG_STO_HTML_PHISH_MANY 1.000 1.000 1.000 1.000
-score GOOG_STO_IMG_HTML 2.501 2.523 2.501 2.523
-score GOOG_STO_IMG_NOHTML 1.000 1.000 1.000 1.000
-score GOOG_STO_NOIMG_HTML 2.496 1.524 2.496 1.524
+score GOOG_STO_IMG_HTML 2.000 2.225 2.000 2.225
+score GOOG_STO_IMG_NOHTML 1.937 2.499 1.937 2.499
+score GOOG_STO_NOIMG_HTML 2.999 2.999 2.999 2.999
score HAS_X_NO_RELAY 1.000 1.000 1.000 1.000
-score HAS_X_OUTGOING_SPAM_STAT 1.000 1.000 1.000 1.000
-score HDRS_LCASE_IMGONLY 0.099 0.099 0.099 0.099
-score HDRS_MISSP 2.500 2.499 2.500 2.499
-score HDR_ORDER_FTSDMCXX_DIRECT 1.999 1.787 1.999 1.787
-score HDR_ORDER_FTSDMCXX_NORDNS 3.499 1.931 3.499 1.931
-score HEADER_FROM_DIFFERENT_DOMAINS 0.249 0.250 0.249 0.250
-score HELO_MISC_IP 0.250 0.249 0.250 0.249
-score HELO_NO_DOMAIN 0.001 0.443 0.001 0.443
-score HEXHASH_WORD 1.000 1.000 1.000 1.000
+score HAS_X_OUTGOING_SPAM_STAT 1.000 0.044 1.000 0.044
+score HDRS_LCASE 0.100 0.001 0.100 0.001
+score HDRS_LCASE_IMGONLY 0.036 0.100 0.036 0.100
+score HDRS_MISSP 2.149 2.249 2.149 2.249
+score HDR_ORDER_FTSDMCXX_DIRECT 1.999 0.001 1.999 0.001
+score HDR_ORDER_FTSDMCXX_NORDNS 2.609 3.499 2.609 3.499
+score HEADER_FROM_DIFFERENT_DOMAINS 0.250 0.249 0.250 0.249
+score HELO_NO_DOMAIN 0.001 0.001 0.001 0.001
+score HEXHASH_WORD 2.343 2.996 2.343 2.996
score HK_CTE_RAW 1.000 1.000 1.000 1.000
-score HK_LOTTO 0.999 0.999 0.999 0.999
-score HK_NAME_FM_MR_MRS 1.299 0.402 1.299 0.402
-score HK_NAME_MR_MRS 0.999 0.999 0.999 0.999
-score HK_RANDOM_ENVFROM 0.999 0.674 0.999 0.674
-score HK_RANDOM_FROM 0.999 1.000 0.999 1.000
-score HK_RANDOM_REPLYTO 0.999 0.999 0.999 0.999
-score HK_RCVD_IP_MULTICAST 1.000 1.000 1.000 1.000
-score HK_SCAM 1.999 1.999 1.999 1.999
-score HOSTED_IMG_DIRECT_MX 3.499 3.220 3.499 3.220
+score HK_LOTTO 0.001 0.036 0.001 0.036
+score HK_NAME_FM_MR_MRS 0.913 0.001 0.913 0.001
+score HK_NAME_MR_MRS 1.000 0.999 1.000 0.999
+score HK_RANDOM_ENVFROM 0.001 0.001 0.001 0.001
+score HK_RANDOM_FROM 0.997 0.001 0.997 0.001
+score HK_RANDOM_REPLYTO 1.000 0.999 1.000 0.999
+score HK_RCVD_IP_MULTICAST 1.000 0.001 1.000 0.001
+score HK_SCAM 2.000 0.097 2.000 0.097
+score HK_WIN 0.001 0.001 0.001 0.001
+score HOSTED_IMG_DIRECT_MX 0.001 0.001 0.001 0.001
score HOSTED_IMG_DQ_UNSUB 1.000 1.000 1.000 1.000
score HOSTED_IMG_FREEM 0.001 0.001 0.001 0.001
score HOSTED_IMG_MULTI 1.000 1.000 1.000 1.000
score HOSTED_IMG_MULTI_PUB_01 2.999 2.999 2.999 2.999
-score HREF_EMPTY_NORDNS 0.004 0.522 0.004 0.522
+score HREF_EMPTY_NORDNS 0.194 0.001 0.194 0.001
score HREF_EMPTY_PHPMAIL 1.000 1.000 1.000 1.000
score HREF_EMPTY_XANTIABUSE 1.000 1.000 1.000 1.000
score HREF_EMPTY_XAUTHED 1.000 1.000 1.000 1.000
-score HTML_BADATTR 1.000 1.000 1.000 1.000
+score HTML_BADATTR 0.999 0.999 0.999 0.999
score HTML_ENTITY_ASCII 2.999 2.999 2.999 2.999
score HTML_ENTITY_ASCII_TINY 1.000 1.000 1.000 1.000
-score HTML_FONT_TINY_NORDNS 1.999 1.818 1.999 1.818
-score HTML_OFF_PAGE 2.999 2.999 2.999 2.999
+score HTML_FONT_TINY_NORDNS 1.574 0.001 1.574 0.001
+score HTML_OFF_PAGE 1.000 1.000 1.000 1.000
score HTML_SHRT_CMNT_OBFU_MANY 1.000 1.000 1.000 1.000
-score HTML_SINGLET_MANY 2.499 2.499 2.499 2.499
-score HTML_TEXT_INVISIBLE_FONT 1.343 1.148 1.343 1.148
-score HTML_TEXT_INVISIBLE_STYLE 1.130 0.858 1.130 0.858
-score IMG_DIRECT_TO_MX 0.521 0.040 0.521 0.040
-score IMG_ONLY_FM_DOM_INFO 1.000 1.000 1.000 1.000
+score HTML_SINGLET_MANY 1.861 1.306 1.861 1.306
+score HTML_TEXT_INVISIBLE_FONT 0.186 0.001 0.186 0.001
+score HTML_TEXT_INVISIBLE_STYLE 0.920 2.726 0.920 2.726
+score IMG_ONLY_FM_DOM_INFO 2.499 1.779 2.499 1.779
score JH_SPAMMY_HEADERS 3.499 3.499 3.499 3.499
score JH_SPAMMY_PATTERN01 1.000 1.000 1.000 1.000
score JH_SPAMMY_PATTERN02 1.000 1.000 1.000 1.000
score KHOP_FAKE_EBAY 0.001 0.001 0.001 0.001
-score KHOP_HELO_FCRDNS 0.399 0.259 0.399 0.259
+score KHOP_HELO_FCRDNS 0.400 0.399 0.400 0.399
score LINKEDIN_IMG_NOT_RCVD_LNKN 1.000 1.000 1.000 1.000
-score LIST_PARTIAL_SHORT_MSG 2.370 1.001 2.370 1.001
score LIST_PRTL_PUMPDUMP 1.000 1.000 1.000 1.000
score LIST_PRTL_SAME_USER 1.000 1.000 1.000 1.000
-score LONGLN_LOW_CONTRAST 2.124 0.001 2.124 0.001
-score LONG_HEX_URI 3.000 2.158 3.000 2.158
-score LONG_IMG_URI 1.944 0.443 1.944 0.443
-score LONG_INVISIBLE_TEXT 2.154 2.098 2.154 2.098
-score LOTS_OF_MONEY 0.010 0.010 0.010 0.010
+score LONG_HEX_URI 2.999 1.615 2.999 1.615
+score LONG_IMG_URI 1.685 2.365 1.685 2.365
+score LONG_INVISIBLE_TEXT 1.683 1.350 1.683 1.350
+score LOTS_OF_MONEY 0.010 0.001 0.010 0.001
+score LOTTO_AGENT 0.001 0.132 0.001 0.132
+score LOTTO_DEPT 1.162 0.001 1.162 0.001
score LUCRATIVE 1.000 1.000 1.000 1.000
-score MALFORMED_FREEMAIL 2.268 1.248 2.268 1.248
+score MALFORMED_FREEMAIL 3.026 2.693 3.026 2.693
score MALF_HTML_B64 1.000 1.000 1.000 1.000
-score MALWARE_NORDNS 0.839 1.471 0.839 1.471
+score MALWARE_NORDNS 0.001 0.001 0.001 0.001
score MALWARE_PASSWORD 1.000 1.000 1.000 1.000
-score MANY_HDRS_LCASE 0.100 0.001 0.100 0.001
-score MANY_SUBDOM 3.199 3.100 3.199 3.100
-score MAY_BE_FORGED 2.099 0.001 2.099 0.001
+score MALW_ATTACH 2.299 2.199 2.299 2.199
+score MANY_HDRS_LCASE 0.100 0.100 0.100 0.100
+score MANY_SPAN_IN_TEXT 2.199 1.756 2.199 1.756
+score MANY_SUBDOM 3.000 2.999 3.000 2.999
+score MAY_BE_FORGED 1.426 1.539 1.426 1.539
score MILLION_HUNDRED 0.001 0.001 0.001 0.001
-score MILLION_USD 1.736 0.435 1.736 0.435
-score MIMEOLE_DIRECT_TO_MX 1.999 1.126 1.999 1.126
-score MIME_NO_TEXT 1.000 1.000 1.000 1.000
+score MILLION_USD 0.001 0.001 0.001 0.001
+score MIMEOLE_DIRECT_TO_MX 1.999 0.001 1.999 0.001
+score MIME_NO_TEXT 1.999 1.832 1.999 1.832
score MIXED_AREA_CASE 1.000 1.000 1.000 1.000
-score MIXED_CENTER_CASE 2.499 2.238 2.499 2.238
-score MIXED_ES 2.199 2.199 2.199 2.199
-score MIXED_FONT_CASE 1.194 0.739 1.194 0.739
-score MIXED_HREF_CASE 1.999 1.999 1.999 1.999
+score MIXED_CENTER_CASE 1.000 2.208 1.000 2.208
+score MIXED_CTYPE_CASE 1.852 2.154 1.852 2.154
+score MIXED_ES 2.599 2.499 2.599 2.499
+score MIXED_FONT_CASE 1.000 1.000 1.000 1.000
+score MIXED_HREF_CASE 1.939 1.999 1.939 1.999
score MIXED_IMG_CASE 1.000 1.000 1.000 1.000
score MONERO_DEADLINE 1.000 1.000 1.000 1.000
score MONERO_EXTORT_01 1.000 1.000 1.000 1.000
score MONERO_MALWARE 1.000 1.000 1.000 1.000
score MONERO_PAY_ME 1.000 1.000 1.000 1.000
-score MONEY_ATM_CARD 0.219 0.330 0.219 0.330
+score MONEY_ATM_CARD 0.001 3.099 0.001 3.099
+score MONEY_BARRISTER 0.999 0.999 0.999 0.999
score MONEY_FORM 0.001 0.001 0.001 0.001
-score MONEY_FORM_SHORT 1.272 1.787 1.272 1.787
-score MONEY_FRAUD_3 0.953 0.262 0.953 0.262
+score MONEY_FORM_SHORT 1.548 1.613 1.548 1.613
+score MONEY_FRAUD_3 2.999 2.799 2.999 2.799
score MONEY_FRAUD_5 0.001 0.001 0.001 0.001
-score MONEY_FRAUD_8 3.099 2.999 3.099 2.999
-score MONEY_FREEMAIL_REPTO 2.999 1.084 2.999 1.084
+score MONEY_FRAUD_8 0.001 0.001 0.001 0.001
+score MONEY_FREEMAIL_REPTO 2.489 0.598 2.489 0.598
score MONEY_FROM_41 1.999 1.999 1.999 1.999
score MONEY_FROM_MISSP 0.001 0.001 0.001 0.001
-score MONEY_NOHTML 2.499 2.499 2.499 2.499
+score MONEY_NOHTML 2.499 2.298 2.499 2.298
score MSGID_DOLLARS_URI_IMG 1.000 1.000 1.000 1.000
-score MSGID_HDR_MALF 2.395 2.997 2.395 2.997
-score MSGID_NOFQDN1 0.001 1.935 0.001 1.935
-score MSM_PRIO_REPTO 1.000 1.000 1.000 1.000
-score NA_DOLLARS 1.499 0.001 1.499 0.001
+score MSGID_HDR_MALF 1.000 1.000 1.000 1.000
+score MSGID_NOFQDN1 1.748 2.999 1.748 2.999
+score MSM_PRIO_REPTO 2.500 2.499 2.500 2.499
+score NA_DOLLARS 1.499 0.277 1.499 0.277
score NEWEGG_IMG_NOT_RCVD_NEGG 1.000 1.000 1.000 1.000
score NEW_PRODUCTS 1.000 1.000 1.000 1.000
-score NICE_REPLY_A -1.545 -1.553 -1.545 -1.553
-score NORDNS_LOW_CONTRAST 0.001 0.953 0.001 0.953
+score NICE_REPLY_A -2.836 -3.565 -2.836 -3.565
score NO_FM_NAME_IP_HOSTN 0.001 0.001 0.001 0.001
score NSL_RCVD_FROM_USER 0.001 0.001 0.001 0.001
-score NSL_RCVD_HELO_USER 0.001 0.107 0.001 0.107
+score NSL_RCVD_HELO_USER 0.001 0.001 0.001 0.001
score OBFU_BITCOIN 1.000 1.000 1.000 1.000
-score OBFU_TEXT_ATTACH 1.499 1.599 1.499 1.599
-score ODD_FREEM_REPTO 1.000 1.000 1.000 1.000
-score PDS_BAD_THREAD_QP_64 0.999 0.001 0.999 0.001
-score PDS_BTC_ID 0.499 0.499 0.499 0.499
-score PDS_BTC_MSGID 0.001 0.674 0.001 0.674
-score PDS_DBL_URL_TNB_RUNON 1.999 2.000 1.999 2.000
-score PDS_EMPTYSUBJ_URISHRT 0.736 1.499 0.736 1.499
-score PDS_FREEMAIL_REPLYTO_URISHRT 1.499 0.891 1.499 0.891
-score PDS_FRNOM_TODOM_DBL_URL 0.001 0.001 0.001 0.001
-score PDS_FRNOM_TODOM_NAKED_TO 1.499 0.291 1.499 0.291
-score PDS_FROM_NAME_TO_DOMAIN 2.000 1.130 2.000 1.130
+score OBFU_JVSCR_ESC 0.007 0.001 0.007 0.001
+score ODD_FREEM_REPTO 2.999 1.396 2.999 1.396
+score PDS_BAD_THREAD_QP_64 0.999 0.999 0.999 0.999
+score PDS_BTC_ID 0.499 0.500 0.499 0.500
+score PDS_BTC_MSGID 0.001 0.537 0.001 0.537
+score PDS_DBL_URL_TNB_RUNON 0.403 0.001 0.403 0.001
+score PDS_FRNOM_TODOM_DBL_URL 0.001 1.271 0.001 1.271
score PDS_HELO_SPF_FAIL 0.001 1.999 0.001 1.999
-score PDS_HP_HELO_NORDNS 0.498 0.001 0.498 0.001
-score PDS_NAKED_TO_NUMERO 1.000 1.000 1.000 1.000
+score PDS_HP_HELO_NORDNS 0.669 0.001 0.669 0.001
score PDS_OTHER_BAD_TLD 1.999 1.999 1.999 1.999
-score PDS_PHP_EVAL 1.500 1.499 1.500 1.499
-score PDS_TINYSUBJ_URISHRT 0.001 1.499 0.001 1.499
-score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 1.999 1.999 1.999 1.999
+score PDS_PHPEXP_BOT 1.499 1.242 1.499 1.242
+score PDS_PHP_EVAL 1.499 1.499 1.499 1.499
score PHISH_AZURE_CLOUDAPP 3.500 3.500 3.500 3.500
score PHISH_FBASEAPP 1.000 1.000 1.000 1.000
+score PHOTO_EDITING_DIRECT 1.360 1.815 1.360 1.815
score PHP_NOVER_MUA 1.000 1.000 1.000 1.000
-score PHP_ORIG_SCRIPT 1.000 1.000 1.000 1.000
-score PHP_ORIG_SCRIPT_EVAL 3.000 2.999 3.000 2.999
+score PHP_ORIG_SCRIPT 1.399 2.130 1.399 2.130
+score PHP_ORIG_SCRIPT_EVAL 2.999 2.999 2.999 2.999
score PHP_SCRIPT 2.499 2.499 2.499 2.499
score PHP_SCRIPT_MUA 1.000 1.000 1.000 1.000
score PP_MIME_FAKE_ASCII_TEXT 0.999 0.001 0.999 0.001
score PUMPDUMP_MULTI 1.000 1.000 1.000 1.000
score RAND_HEADER_LIST_SPOOF 1.000 1.000 1.000 1.000
score RAND_HEADER_MANY 1.000 1.000 1.000 1.000
-score RAND_MKTG_HEADER 2.000 1.969 2.000 1.969
-score RATWARE_NO_RDNS 2.682 1.148 2.682 1.148
+score RAND_MKTG_HEADER 1.999 1.999 1.999 1.999
+score RATWARE_NO_RDNS 0.837 0.069 0.837 0.069
score RCVD_DOTEDU_SHORT 1.000 1.000 1.000 1.000
-score RCVD_DOTEDU_SUSP 0.331 0.914 0.331 0.914
score RCVD_DOTEDU_SUSP_URI 1.000 1.000 1.000 1.000
score RCVD_IN_IADB_COURT 0.001 -0.001 0.001 -0.001
score RCVD_IN_IADB_LEG_MAND 0.001 -0.001 0.001 -0.001
score RCVD_IN_MSPIKE_ZBI 0.001 0.001 0.001 0.001
score RDNS_NUM_TLD_ATCHNX 1.000 1.000 1.000 1.000
score RDNS_NUM_TLD_XM 1.000 1.000 1.000 1.000
-score REPTO_419_FRAUD 1.000 1.000 1.000 1.000
+score REPTO_419_FRAUD 2.999 2.999 2.999 2.999
score REPTO_419_FRAUD_AOL 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_AOL_LOOSE 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_CNS 1.000 1.000 1.000 1.000
-score REPTO_419_FRAUD_GM 2.999 2.794 2.999 2.794
+score REPTO_419_FRAUD_GM 2.999 2.505 2.999 2.505
score REPTO_419_FRAUD_GM_LOOSE 0.999 0.999 0.999 0.999
score REPTO_419_FRAUD_HM 1.000 1.000 1.000 1.000
-score REPTO_419_FRAUD_OL 1.000 1.000 1.000 1.000
+score REPTO_419_FRAUD_OL 2.670 2.119 2.670 2.119
score REPTO_419_FRAUD_PM 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_QQ 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YH 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YH_LOOSE 1.000 1.000 1.000 1.000
-score REPTO_419_FRAUD_YJ 1.000 1.639 1.000 1.639
+score REPTO_419_FRAUD_YJ 1.000 1.000 1.000 1.000
score REPTO_419_FRAUD_YN 1.000 1.000 1.000 1.000
-score REPTO_INFONUMSCOM 1.000 1.000 1.000 1.000
-score RISK_FREE 0.001 0.354 0.001 0.354
-score SCC_BODY_SINGLE_WORD 0.001 0.001 0.001 0.001
-score SCC_BODY_URI_ONLY 1.940 2.699 1.940 2.699
-score SCC_CANSPAM_1 1.941 0.202 1.941 0.202
-score SCC_CANSPAM_2 3.799 3.599 3.799 3.599
-score SCC_CTMPP 2.210 1.756 2.210 1.756
+score RISK_FREE 2.299 0.001 2.299 0.001
+score SCC_BODY_SINGLE_WORD 1.629 0.166 1.629 0.166
+score SCC_BOGUS_CTE_1 0.001 0.001 0.001 0.001
+score SCC_CANSPAM_1 2.199 0.001 2.199 0.001
+score SCC_CANSPAM_2 2.000 3.522 2.000 3.522
score SCC_ISEMM_LID_1 1.000 1.000 1.000 1.000
score SCC_ISEMM_LID_1A 1.000 1.000 1.000 1.000
score SCC_ISEMM_LID_1B 1.499 1.499 1.499 1.499
-score SCC_SPAMMER_ADDR_2 2.243 2.803 2.243 2.803
-score SENDGRID_REDIR 1.500 1.500 1.500 1.500
+score SCC_SPAMMER_ADDR_2 0.302 0.001 0.302 0.001
+score SENDGRID_REDIR 0.001 0.001 0.001 0.001
score SENDGRID_REDIR_PHISH 1.000 1.000 1.000 1.000
score SEO_SUSP_NTLD 1.000 1.000 1.000 1.000
score SHOPIFY_IMG_NOT_RCVD_SFY 2.499 2.499 2.499 2.499
-score SHORTENER_SHORT_IMG 0.001 0.739 0.001 0.739
-score SHORTENER_SHORT_SUBJ 0.238 0.001 0.238 0.001
-score SHORT_IMG_SUSP_NTLD 1.000 1.000 1.000 1.000
-score SHORT_SHORTNER 1.999 0.001 1.999 0.001
+score SHORTENER_SHORT_IMG 0.001 2.051 0.001 2.051
+score SHORT_IMG_SUSP_NTLD 1.093 1.483 1.093 1.483
+score SHORT_SHORTNER 0.867 0.001 0.867 0.001
score SHY_OBFU_EXPIRE 1.000 1.000 1.000 1.000
score SHY_OBFU_PASSWORD 1.000 1.000 1.000 1.000
-score SPAM_CWINDOWSNET 0.349 0.685 0.349 0.685
-score SPOOFED_FREEMAIL 0.001 1.795 0.001 1.795
-score SPOOFED_FREEMAIL_NO_RDNS 1.155 0.001 1.155 0.001
-score SPOOFED_FREEM_REPTO 0.001 2.075 0.001 2.075
+score SPAM_CWINDOWSNET 1.118 2.112 1.118 2.112
+score SPOOFED_FREEMAIL 0.001 0.746 0.001 0.746
+score SPOOFED_FREEMAIL_NO_RDNS 0.432 0.001 0.432 0.001
+score SPOOFED_FREEM_REPTO 0.001 2.499 0.001 2.499
score SPOOFED_FREEM_REPTO_CHN 0.001 1.000 0.001 1.000
score SPOOFED_FREEM_REPTO_RUS 0.001 1.000 0.001 1.000
-score SPOOF_GMAIL_MID 1.499 0.998 1.499 0.998
-score STATIC_XPRIO_OLE 1.995 0.764 1.995 0.764
+score SPOOF_GMAIL_MID 1.499 1.338 1.499 1.338
+score STATIC_XPRIO_OLE 0.001 0.754 0.001 0.754
score STOCK_TIP 1.000 1.000 1.000 1.000
-score SUBJ_ATTENTION 0.499 0.499 0.499 0.499
score SUBJ_BRKN_WORDNUMS 1.000 1.000 1.000 1.000
score SURBL_BLOCKED 0.001 0.001 0.001 0.001
score SUSP_UTF8_WORD_FROM 1.999 1.999 1.999 1.999
-score SUSP_UTF8_WORD_MANY 2.999 2.999 2.999 2.999
+score SUSP_UTF8_WORD_SUBJ 1.999 1.999 1.999 1.999
score SYSADMIN 1.000 1.000 1.000 1.000
score TAGSTAT_IMG_NOT_RCVD_TGST 1.000 1.000 1.000 1.000
score TARINGANET_IMG_NOT_RCVD_TN 1.000 1.000 1.000 1.000
-score THIS_AD 2.299 2.155 2.299 2.155
-score THIS_IS_ADV_SUSP_NTLD 1.226 1.499 1.226 1.499
+score THIS_AD 1.299 1.366 1.299 1.366
+score THIS_IS_ADV_SUSP_NTLD 1.000 1.000 1.000 1.000
score TONLINE_FAKE_DKIM 1.000 1.000 1.000 1.000
score TO_EQ_FM_DIRECT_MX 0.001 0.001 0.001 0.001
-score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.690 0.001 0.690
-score TO_EQ_FM_HTML_ONLY 0.001 0.001 0.001 0.001
-score TO_EQ_FM_SPF_FAIL 0.001 0.213 0.001 0.213
-score TO_IN_SUBJ 0.100 0.099 0.100 0.099
-score TO_NAME_SUBJ_NO_RDNS 2.915 1.801 2.915 1.801
-score TO_NO_BRKTS_FROM_MSSP 2.500 2.499 2.500 2.499
-score TO_NO_BRKTS_HTML_IMG 1.902 1.799 1.902 1.799
-score TO_NO_BRKTS_HTML_ONLY 1.999 1.999 1.999 1.999
-score TO_NO_BRKTS_MSFT 1.006 2.129 1.006 2.129
-score TO_NO_BRKTS_NORDNS_HTML 1.999 1.626 1.999 1.626
-score TO_NO_BRKTS_PCNT 2.500 2.499 2.500 2.499
-score TVD_SPACE_ENCODED 2.499 1.260 2.499 1.260
-score TVD_SPACE_RATIO_MINFP 2.352 0.001 2.352 0.001
+score TO_EQ_FM_DOM_HTML_IMG 2.499 2.091 2.499 2.091
+score TO_EQ_FM_DOM_HTML_ONLY 0.001 1.312 0.001 1.312
+score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.001 0.001 0.001
+score TO_EQ_FM_HTML_ONLY 0.001 0.312 0.001 0.312
+score TO_EQ_FM_SPF_FAIL 0.001 1.054 0.001 1.054
+score TO_IN_SUBJ 0.099 0.100 0.099 0.100
+score TO_NAME_SUBJ_NO_RDNS 2.786 2.999 2.786 2.999
+score TO_NO_BRKTS_FROM_MSSP 2.499 1.319 2.499 1.319
+score TO_NO_BRKTS_HTML_IMG 1.999 1.999 1.999 1.999
+score TO_NO_BRKTS_HTML_ONLY 1.999 2.000 1.999 2.000
+score TO_NO_BRKTS_MSFT 0.001 0.001 0.001 0.001
+score TO_NO_BRKTS_NORDNS_HTML 1.787 1.134 1.787 1.134
+score TO_NO_BRKTS_PCNT 2.499 2.400 2.499 2.400
+score TVD_RCVD_SPACE_BRACKET 2.535 2.599 2.535 2.599
+score TVD_SPACE_ENCODED 1.364 0.001 1.364 0.001
+score TVD_SPACE_RATIO_MINFP 1.239 0.001 1.239 0.001
score TW_GIBBERISH_MANY 1.000 1.000 1.000 1.000
score UC_GIBBERISH_OBFU 1.000 1.000 1.000 1.000
-score UNDISC_FREEM 2.699 2.599 2.699 2.599
-score UNDISC_MONEY 2.999 2.900 2.999 2.900
+score UNDISC_FREEM 2.699 2.208 2.699 2.208
+score UNDISC_MONEY 2.091 0.812 2.091 0.812
score UNICODE_OBFU_ASC 2.499 2.499 2.499 2.499
score UNICODE_OBFU_ZW 1.000 1.000 1.000 1.000
score UNICODE_OBFU_ZW_MANY 0.001 0.001 0.001 0.001
score UNSUB_GOOG_FORM 1.000 1.000 1.000 1.000
score URI_ADOBESPARK 1.000 1.000 1.000 1.000
-score URI_AZURE_CLOUDAPP 2.999 2.999 2.999 2.999
+score URI_AZURE_CLOUDAPP 1.000 1.000 1.000 1.000
+score URI_CLOUDFLAREIPFS 2.499 2.500 2.499 2.500
score URI_DASHGOVEDU 1.000 1.000 1.000 1.000
score URI_DATA 1.000 1.000 1.000 1.000
-score URI_DOTEDU 1.999 1.999 1.999 1.999
+score URI_DOTEDU 1.999 1.000 1.999 1.000
score URI_DOTEDU_ENTITY 1.000 1.000 1.000 1.000
-score URI_DQ_UNSUB 2.399 2.240 2.399 2.240
score URI_FIREBASEAPP 1.000 1.000 1.000 1.000
-score URI_GOOGLE_PROXY 2.199 2.199 2.199 2.199
-score URI_GOOG_STO_SPAMMY 3.000 2.999 3.000 2.999
+score URI_GOOGLE_PROXY 2.299 2.115 2.299 2.115
+score URI_GOOG_STO_SPAMMY 2.999 2.999 2.999 2.999
score URI_HEX_IP 1.000 1.000 1.000 1.000
-score URI_IMG_CWINDOWSNET 3.129 1.911 3.129 1.911
+score URI_IMG_CWINDOWSNET 0.001 0.001 0.001 0.001
score URI_IMG_WP_REDIR 1.000 1.000 1.000 1.000
score URI_LONG_REPEAT 1.000 1.000 1.000 1.000
-score URI_ONLY_MSGID_MALF 0.528 1.999 0.528 1.999
+score URI_MALWARE_BH 0.999 0.999 0.999 0.999
+score URI_ONLY_MSGID_MALF 1.999 1.999 1.999 1.999
score URI_OPTOUT_3LD 1.000 1.000 1.000 1.000
-score URI_PHISH 3.999 3.999 3.999 3.999
+score URI_PHISH 0.001 0.001 0.001 0.001
score URI_PHP_REDIR 1.000 1.000 1.000 1.000
score URI_TRY_3LD 1.999 1.999 1.999 1.999
score URI_TRY_USME 1.000 1.000 1.000 1.000
-score URI_WPADMIN 2.399 2.399 2.399 2.399
+score URI_WPADMIN 2.399 2.199 2.399 2.199
score URI_WP_DIRINDEX 1.000 1.000 1.000 1.000
-score URI_WP_HACKED 3.499 3.499 3.499 3.499
-score URI_WP_HACKED_2 2.499 2.499 2.499 2.499
+score URI_WP_HACKED 1.803 3.499 1.803 3.499
+score URI_WP_HACKED_2 0.727 0.596 0.727 0.596
score USB_DRIVES 1.000 1.000 1.000 1.000
-score VFY_ACCT_NORDNS 2.881 2.999 2.881 2.999
-score VISTA_COST 1.000 1.000 1.000 1.000
-score VISTA_TONOM_EQ_TOLOC 2.499 0.860 2.499 0.860
+score VFY_ACCT_NORDNS 2.798 2.999 2.798 2.999
+score VISTA_COST 2.115 2.499 2.115 2.499
+score VISTA_TONOM_EQ_TOLOC 0.491 0.001 0.491 0.001
score VPS_NO_NTLD 1.000 1.000 1.000 1.000
score WALMART_IMG_NOT_RCVD_WAL 1.000 1.000 1.000 1.000
-score WIKI_IMG 3.199 3.099 3.199 3.099
-score WORD_INVIS 1.572 1.898 1.572 1.898
+score WIKI_IMG 3.399 2.399 3.399 2.399
+score WORD_INVIS 1.000 1.000 1.000 1.000
score WORD_INVIS_MANY 2.999 2.999 2.999 2.999
score XFER_LOTSA_MONEY 0.001 0.001 0.001 0.001
score XM_DIGITS_ONLY 1.000 1.000 1.000 1.000
+score XM_LIGHT_HEAVY 2.499 2.499 2.499 2.499
score XM_RANDOM 2.499 2.499 2.499 2.499
-score XM_RECPTID 3.000 2.999 3.000 2.999
-score XPRIO 0.700 2.249 0.700 2.249
+score XM_RECPTID 2.999 2.395 2.999 2.395
+score XPRIO 0.001 0.452 0.001 0.452
score XPRIO_SHORT_SUBJ 1.000 1.000 1.000 1.000
-score XPRIO_VISTA 1.000 1.000 1.000 1.000
-score YOU_INHERIT 2.266 1.682 2.266 1.682
+score XPRIO_VISTA 1.172 0.001 1.172 0.001
+score YOU_INHERIT 1.792 2.142 1.792 2.142
#
###########################################################################
-require_version 4.000000
+require_version 4.000001
# jhardin
# things depend on these