AlkantarClanX12

Your IP : 3.138.69.39


Current Path : /proc/self/root/var/lib/spamassassin/3.004006/updates_spamassassin_org/
Upload File :
Current File : //proc/self/root/var/lib/spamassassin/3.004006/updates_spamassassin_org/72_active.cf

# SpamAssassin rules file
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

require_version 3.004006

##{ ACCT_PHISHING_MANY

meta        ACCT_PHISHING_MANY   (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
describe    ACCT_PHISHING_MANY   Phishing for account information
#score       ACCT_PHISHING_MANY   3.000  # limit
##} ACCT_PHISHING_MANY

##{ AC_BR_BONANZA

rawbody AC_BR_BONANZA   /(?:<br>\s*){30}/i
describe AC_BR_BONANZA  Too many newlines in a row... spammy template
#score AC_BR_BONANZA     0.001
tflags AC_BR_BONANZA	publish
##} AC_BR_BONANZA

##{ AC_DIV_BONANZA

rawbody AC_DIV_BONANZA  /(?:<div>(?:\s*<\/div>)?\s*){10}/i
describe AC_DIV_BONANZA Too many divs in a row... spammy template
#score AC_DIV_BONANZA    0.001
tflags AC_DIV_BONANZA	publish
##} AC_DIV_BONANZA

##{ AC_FROM_MANY_DOTS

meta       AC_FROM_MANY_DOTS           __AC_FROM_MANY_DOTS_MINFP
#score      AC_FROM_MANY_DOTS           2.500	# limit
describe   AC_FROM_MANY_DOTS           Multiple periods in From user name
tflags     AC_FROM_MANY_DOTS           publish
##} AC_FROM_MANY_DOTS

##{ AC_HTML_NONSENSE_TAGS

rawbody 	AC_HTML_NONSENSE_TAGS	/(?:<[A-Za-z0-9]{4,}>\s*){10}/
describe 	AC_HTML_NONSENSE_TAGS	Many consecutive multi-letter HTML tags, likely nonsense/spam
#score 		AC_HTML_NONSENSE_TAGS	2.0
tflags		AC_HTML_NONSENSE_TAGS	publish
##} AC_HTML_NONSENSE_TAGS

##{ AC_POST_EXTRAS

meta       AC_POST_EXTRAS              __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID 
describe   AC_POST_EXTRAS              Suspicious URL
#score      AC_POST_EXTRAS              2.500	# limit
tflags     AC_POST_EXTRAS              publish
##} AC_POST_EXTRAS

##{ AC_SPAMMY_URI_PATTERNS1

meta 		AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI)
describe 	AC_SPAMMY_URI_PATTERNS1	link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS1	4.0
tflags 		AC_SPAMMY_URI_PATTERNS1	publish
##} AC_SPAMMY_URI_PATTERNS1

##{ AC_SPAMMY_URI_PATTERNS10

meta 		AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI
describe 	AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS10 4.0
tflags 		AC_SPAMMY_URI_PATTERNS10 publish
##} AC_SPAMMY_URI_PATTERNS10

##{ AC_SPAMMY_URI_PATTERNS11

meta 		AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI
describe 	AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS11 4.0
tflags 		AC_SPAMMY_URI_PATTERNS11 publish
##} AC_SPAMMY_URI_PATTERNS11

##{ AC_SPAMMY_URI_PATTERNS12

meta 		AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
describe 	AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS12 4.0
tflags 		AC_SPAMMY_URI_PATTERNS12 publish
##} AC_SPAMMY_URI_PATTERNS12

##{ AC_SPAMMY_URI_PATTERNS2

meta 		AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
describe 	AC_SPAMMY_URI_PATTERNS2	link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS2	4.0
tflags 		AC_SPAMMY_URI_PATTERNS2	publish
##} AC_SPAMMY_URI_PATTERNS2

##{ AC_SPAMMY_URI_PATTERNS3

meta 		AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
describe 	AC_SPAMMY_URI_PATTERNS3	link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS3	4.0
tflags 		AC_SPAMMY_URI_PATTERNS3	publish
##} AC_SPAMMY_URI_PATTERNS3

##{ AC_SPAMMY_URI_PATTERNS4

meta 		AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI
describe 	AC_SPAMMY_URI_PATTERNS4	link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS4	4.0
tflags 		AC_SPAMMY_URI_PATTERNS4	publish
##} AC_SPAMMY_URI_PATTERNS4

##{ AC_SPAMMY_URI_PATTERNS8

meta 		AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI
describe 	AC_SPAMMY_URI_PATTERNS8	link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS8	4.0
tflags 		AC_SPAMMY_URI_PATTERNS8	publish
##} AC_SPAMMY_URI_PATTERNS8

##{ AC_SPAMMY_URI_PATTERNS9

meta 		AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
describe 	AC_SPAMMY_URI_PATTERNS9	link combos match highly spammy template
#score 		AC_SPAMMY_URI_PATTERNS9	4.0
tflags 		AC_SPAMMY_URI_PATTERNS9	publish
##} AC_SPAMMY_URI_PATTERNS9

##{ ADMAIL

meta        ADMAIL            __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS 
describe    ADMAIL            "admail" and variants
tflags      ADMAIL            publish
##} ADMAIL

##{ ADMITS_SPAM

meta        ADMITS_SPAM       __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB 
describe    ADMITS_SPAM       Admits this is an ad
tflags      ADMITS_SPAM       publish
##} ADMITS_SPAM

##{ ADULT_DATING_COMPANY

meta       ADULT_DATING_COMPANY        __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
#score      ADULT_DATING_COMPANY        10.000	# limit
tflags     ADULT_DATING_COMPANY        publish
##} ADULT_DATING_COMPANY

##{ ADVANCE_FEE_2_NEW_FORM

meta      ADVANCE_FEE_2_NEW_FORM    (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP
describe  ADVANCE_FEE_2_NEW_FORM    Advance Fee fraud and a form
#score     ADVANCE_FEE_2_NEW_FORM    2.000  # limit
tflags    ADVANCE_FEE_2_NEW_FORM     publish
##} ADVANCE_FEE_2_NEW_FORM

##{ ADVANCE_FEE_2_NEW_FRM_MNY

meta      ADVANCE_FEE_2_NEW_FRM_MNY    (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
describe  ADVANCE_FEE_2_NEW_FRM_MNY    Advance Fee fraud form and lots of money
#score     ADVANCE_FEE_2_NEW_FRM_MNY    2.500
tflags    ADVANCE_FEE_2_NEW_FRM_MNY  publish
##} ADVANCE_FEE_2_NEW_FRM_MNY

##{ ADVANCE_FEE_2_NEW_MONEY

meta      ADVANCE_FEE_2_NEW_MONEY    (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
describe  ADVANCE_FEE_2_NEW_MONEY    Advance Fee fraud and lots of money
#score     ADVANCE_FEE_2_NEW_MONEY    2.000  # limit
tflags    ADVANCE_FEE_2_NEW_MONEY    publish
##} ADVANCE_FEE_2_NEW_MONEY

##{ ADVANCE_FEE_3_NEW

meta      ADVANCE_FEE_3_NEW    (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG 
describe  ADVANCE_FEE_3_NEW    Appears to be advance fee fraud (Nigerian 419)
#score     ADVANCE_FEE_3_NEW    3.5		# limit
tflags    ADVANCE_FEE_3_NEW          publish
##} ADVANCE_FEE_3_NEW

##{ ADVANCE_FEE_3_NEW_FORM

meta      ADVANCE_FEE_3_NEW_FORM    (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP
describe  ADVANCE_FEE_3_NEW_FORM    Advance Fee fraud and a form
tflags    ADVANCE_FEE_3_NEW_FORM     publish
##} ADVANCE_FEE_3_NEW_FORM

##{ ADVANCE_FEE_3_NEW_FRM_MNY

meta      ADVANCE_FEE_3_NEW_FRM_MNY    (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
describe  ADVANCE_FEE_3_NEW_FRM_MNY    Advance Fee fraud form and lots of money
tflags    ADVANCE_FEE_3_NEW_FRM_MNY  publish
##} ADVANCE_FEE_3_NEW_FRM_MNY

##{ ADVANCE_FEE_3_NEW_MONEY

meta      ADVANCE_FEE_3_NEW_MONEY    (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
describe  ADVANCE_FEE_3_NEW_MONEY    Advance Fee fraud and lots of money
tflags    ADVANCE_FEE_3_NEW_MONEY    publish
##} ADVANCE_FEE_3_NEW_MONEY

##{ ADVANCE_FEE_4_NEW

meta      ADVANCE_FEE_4_NEW    (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG
describe  ADVANCE_FEE_4_NEW    Appears to be advance fee fraud (Nigerian 419)
tflags    ADVANCE_FEE_4_NEW          publish
##} ADVANCE_FEE_4_NEW

##{ ADVANCE_FEE_4_NEW_FORM

meta      ADVANCE_FEE_4_NEW_FORM    (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM)
describe  ADVANCE_FEE_4_NEW_FORM    Advance Fee fraud and a form
tflags    ADVANCE_FEE_4_NEW_FORM     publish
##} ADVANCE_FEE_4_NEW_FORM

##{ ADVANCE_FEE_4_NEW_FRM_MNY

meta      ADVANCE_FEE_4_NEW_FRM_MNY    (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY)
describe  ADVANCE_FEE_4_NEW_FRM_MNY    Advance Fee fraud form and lots of money
tflags    ADVANCE_FEE_4_NEW_FRM_MNY  publish
##} ADVANCE_FEE_4_NEW_FRM_MNY

##{ ADVANCE_FEE_4_NEW_MONEY

meta      ADVANCE_FEE_4_NEW_MONEY    (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
describe  ADVANCE_FEE_4_NEW_MONEY    Advance Fee fraud and lots of money
tflags    ADVANCE_FEE_4_NEW_MONEY    publish
##} ADVANCE_FEE_4_NEW_MONEY

##{ ADVANCE_FEE_5_NEW

meta      ADVANCE_FEE_5_NEW    (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG
describe  ADVANCE_FEE_5_NEW    Appears to be advance fee fraud (Nigerian 419)
tflags    ADVANCE_FEE_5_NEW          publish
##} ADVANCE_FEE_5_NEW

##{ ADVANCE_FEE_5_NEW_FORM

meta      ADVANCE_FEE_5_NEW_FORM    __ADVANCE_FEE_5_NEW_FORM
describe  ADVANCE_FEE_5_NEW_FORM    Advance Fee fraud and a form
tflags    ADVANCE_FEE_5_NEW_FORM     publish
##} ADVANCE_FEE_5_NEW_FORM

##{ ADVANCE_FEE_5_NEW_FRM_MNY

meta      ADVANCE_FEE_5_NEW_FRM_MNY    __ADVANCE_FEE_5_NEW_FRM_MNY
describe  ADVANCE_FEE_5_NEW_FRM_MNY    Advance Fee fraud form and lots of money
tflags    ADVANCE_FEE_5_NEW_FRM_MNY  publish
##} ADVANCE_FEE_5_NEW_FRM_MNY

##{ ADVANCE_FEE_5_NEW_MONEY

meta      ADVANCE_FEE_5_NEW_MONEY    __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG
describe  ADVANCE_FEE_5_NEW_MONEY    Advance Fee fraud and lots of money
tflags    ADVANCE_FEE_5_NEW_MONEY    publish
##} ADVANCE_FEE_5_NEW_MONEY

##{ AD_PREFS

body        AD_PREFS          /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
describe    AD_PREFS          Advertising preferences
#score       AD_PREFS          0.500	# limit
tflags      AD_PREFS          publish
##} AD_PREFS

##{ ALIBABA_IMG_NOT_RCVD_ALI

meta       ALIBABA_IMG_NOT_RCVD_ALI    __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE 
#score      ALIBABA_IMG_NOT_RCVD_ALI    2.500	# limit
describe   ALIBABA_IMG_NOT_RCVD_ALI    Alibaba hosted image but message not from Alibaba
tflags     ALIBABA_IMG_NOT_RCVD_ALI    publish
##} ALIBABA_IMG_NOT_RCVD_ALI

##{ AMAZON_IMG_NOT_RCVD_AMZN

meta       AMAZON_IMG_NOT_RCVD_AMZN    __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO 
#score      AMAZON_IMG_NOT_RCVD_AMZN    2.500	# limit
describe   AMAZON_IMG_NOT_RCVD_AMZN    Amazon hosted image but message not from Amazon
tflags     AMAZON_IMG_NOT_RCVD_AMZN    publish
##} AMAZON_IMG_NOT_RCVD_AMZN

##{ APOSTROPHE_FROM

header		APOSTROPHE_FROM	From:addr =~ /'/
describe	APOSTROPHE_FROM	From address contains an apostrophe
##} APOSTROPHE_FROM

##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       APP_DEVELOPMENT_FREEM       __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
  describe   APP_DEVELOPMENT_FREEM       App development pitch, freemail or CHN replyto
#  score      APP_DEVELOPMENT_FREEM       3.500	# limit
  tflags     APP_DEVELOPMENT_FREEM       publish
endif
##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       APP_DEVELOPMENT_NORDNS      __APP_DEVELOPMENT && __RDNS_NONE 
  describe   APP_DEVELOPMENT_NORDNS      App development pitch, no rDNS
#  score      APP_DEVELOPMENT_NORDNS      2.000	# limit
  tflags     APP_DEVELOPMENT_NORDNS      publish
endif
##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ AXB_XMAILER_MIMEOLE_OL_024C2

meta   AXB_XMAILER_MIMEOLE_OL_024C2  (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
##} AXB_XMAILER_MIMEOLE_OL_024C2

##{ BANKING_LAWS

body		BANKING_LAWS	/banking laws/i
describe	BANKING_LAWS	Talks about banking laws
##} BANKING_LAWS

##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_78_79        eval:check_base64_length('78','79')
endif
##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
describe BASE64_LENGTH_79_INF   base64 encoded email part uses line length of 78 or 79 characters
body BASE64_LENGTH_79_INF       eval:check_base64_length('79')
describe BASE64_LENGTH_79_INF   base64 encoded email part uses line length greater than 79 characters
endif
##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ BEBEE_IMG_NOT_RCVD_BB

meta       BEBEE_IMG_NOT_RCVD_BB       __BEBEE_IMG_NOT_RCVD_BB
#score      BEBEE_IMG_NOT_RCVD_BB       2.000  # limit
describe   BEBEE_IMG_NOT_RCVD_BB       Bebee hosted image but message not from Bebee
tflags     BEBEE_IMG_NOT_RCVD_BB       publish
##} BEBEE_IMG_NOT_RCVD_BB

##{ BIGNUM_EMAILS_FREEM

meta           BIGNUM_EMAILS_FREEM        __BIGNUM_EMAILS_FREEM
describe       BIGNUM_EMAILS_FREEM        Lots of email addresses/leads, free email account
#score          BIGNUM_EMAILS_FREEM        3.00		# limit
tflags         BIGNUM_EMAILS_FREEM        publish
##} BIGNUM_EMAILS_FREEM

##{ BIGNUM_EMAILS_MANY

meta           BIGNUM_EMAILS_MANY         __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER 
describe       BIGNUM_EMAILS_MANY         Lots of email addresses/leads, over and over
#score          BIGNUM_EMAILS_MANY         3.00		# limit
tflags         BIGNUM_EMAILS_MANY         publish
##} BIGNUM_EMAILS_MANY

##{ BILL_1618

body        BILL_1618          /\bUnder Bill\s?s?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i
describe    BILL_1618          Mentions proposed US law supposedly permitting spamming
tflags      BILL_1618          publish
##} BILL_1618

##{ BITCOIN_BOMB

meta           BITCOIN_BOMB           __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
describe       BITCOIN_BOMB           BitCoin + bomb
#score          BITCOIN_BOMB           3.000	# limit
tflags         BITCOIN_BOMB           publish
##} BITCOIN_BOMB

##{ BITCOIN_DEADLINE

meta           BITCOIN_DEADLINE       __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
describe       BITCOIN_DEADLINE       BitCoin with a deadline
#score          BITCOIN_DEADLINE       3.000	# limit
tflags         BITCOIN_DEADLINE       publish
##} BITCOIN_DEADLINE

##{ BITCOIN_EXTORT_01

meta           BITCOIN_EXTORT_01      (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
describe       BITCOIN_EXTORT_01      Extortion spam, pay via BitCoin
#score          BITCOIN_EXTORT_01      5.000	# limit
tflags         BITCOIN_EXTORT_01      publish
##} BITCOIN_EXTORT_01

##{ BITCOIN_EXTORT_02

meta           BITCOIN_EXTORT_02      __OBFU_BITCOIN_NOID && __EXTORT_MANY
describe       BITCOIN_EXTORT_02      Extortion spam, pay via BitCoin
#score          BITCOIN_EXTORT_02      5.000	# limit
tflags         BITCOIN_EXTORT_02      publish
##} BITCOIN_EXTORT_02

##{ BITCOIN_IMGUR

meta       BITCOIN_IMGUR               __BITCOIN_IMGUR
describe   BITCOIN_IMGUR               Bitcoin + hosted image
#score      BITCOIN_IMGUR               3.500	# limit
tflags     BITCOIN_IMGUR               publish
##} BITCOIN_IMGUR

##{ BITCOIN_MALWARE

meta           BITCOIN_MALWARE        __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
describe       BITCOIN_MALWARE        BitCoin + malware bragging
#score          BITCOIN_MALWARE        3.500	# limit
tflags         BITCOIN_MALWARE        publish
##} BITCOIN_MALWARE

##{ BITCOIN_OBFU_SUBJ

meta           BITCOIN_OBFU_SUBJ    __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI 
describe       BITCOIN_OBFU_SUBJ    Bitcoin + obfuscated subject
#score          BITCOIN_OBFU_SUBJ    3.500	# limit
tflags         BITCOIN_OBFU_SUBJ    publish
##} BITCOIN_OBFU_SUBJ

##{ BITCOIN_ONAN

meta           BITCOIN_ONAN           __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01
describe       BITCOIN_ONAN           BitCoin + [censored]
#score          BITCOIN_ONAN           3.000	# limit
tflags         BITCOIN_ONAN           publish
##} BITCOIN_ONAN

##{ BITCOIN_PAY_ME

meta           BITCOIN_PAY_ME         __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
describe       BITCOIN_PAY_ME         Pay me via BitCoin
#score          BITCOIN_PAY_ME         3.000	# limit
tflags         BITCOIN_PAY_ME         publish
##} BITCOIN_PAY_ME

##{ BITCOIN_SPAM_01

meta           BITCOIN_SPAM_01  __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
describe       BITCOIN_SPAM_01  BitCoin spam pattern 01
#score          BITCOIN_SPAM_01  2.500	# limit
tflags         BITCOIN_SPAM_01  publish
##} BITCOIN_SPAM_01

##{ BITCOIN_SPAM_02

meta           BITCOIN_SPAM_02    __BITCOIN_SPAM_02 && !__URL_BTC_ID 
describe       BITCOIN_SPAM_02    BitCoin spam pattern 02
#score          BITCOIN_SPAM_02    2.500	# limit
tflags         BITCOIN_SPAM_02    publish
##} BITCOIN_SPAM_02

##{ BITCOIN_SPAM_03

meta           BITCOIN_SPAM_03  __BITCOIN_ID && __SINGLE_WORD_SUBJ
describe       BITCOIN_SPAM_03  BitCoin spam pattern 03
#score          BITCOIN_SPAM_03  2.500	# limit
tflags         BITCOIN_SPAM_03  publish
##} BITCOIN_SPAM_03

##{ BITCOIN_SPAM_04

meta           BITCOIN_SPAM_04  __BITCOIN_ID && __freemail_hdr_replyto
describe       BITCOIN_SPAM_04  BitCoin spam pattern 04
#score          BITCOIN_SPAM_04  1.500	# limit
tflags         BITCOIN_SPAM_04  publish
##} BITCOIN_SPAM_04

##{ BITCOIN_SPAM_05

meta           BITCOIN_SPAM_05    __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO 
describe       BITCOIN_SPAM_05    BitCoin spam pattern 05
#score          BITCOIN_SPAM_05    2.500	# limit
tflags         BITCOIN_SPAM_05    net publish
##} BITCOIN_SPAM_05

##{ BITCOIN_SPAM_06

meta           BITCOIN_SPAM_06  __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
describe       BITCOIN_SPAM_06  BitCoin spam pattern 06
#score          BITCOIN_SPAM_06  1.500	# limit
tflags         BITCOIN_SPAM_06  publish
##} BITCOIN_SPAM_06

##{ BITCOIN_SPAM_07

meta           BITCOIN_SPAM_07    __BITCOIN_SPAM_07 && !__DKIM_EXISTS 
describe       BITCOIN_SPAM_07    BitCoin spam pattern 07
#score          BITCOIN_SPAM_07    3.500	# limit
tflags         BITCOIN_SPAM_07    publish
##} BITCOIN_SPAM_07

##{ BITCOIN_SPAM_08

meta           BITCOIN_SPAM_08  __BITCOIN_ID && __TO_IN_SUBJ 
describe       BITCOIN_SPAM_08  BitCoin spam pattern 08
#score          BITCOIN_SPAM_08  2.500	# limit
tflags         BITCOIN_SPAM_08  publish
##} BITCOIN_SPAM_08

##{ BITCOIN_SPAM_09

meta           BITCOIN_SPAM_09  __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
describe       BITCOIN_SPAM_09  BitCoin spam pattern 09
#score          BITCOIN_SPAM_09  1.500	# limit
tflags         BITCOIN_SPAM_09  publish
##} BITCOIN_SPAM_09

##{ BITCOIN_SPAM_10

meta           BITCOIN_SPAM_10  __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
describe       BITCOIN_SPAM_10  BitCoin spam pattern 10
#score          BITCOIN_SPAM_10  2.500	# limit
tflags         BITCOIN_SPAM_10  publish
##} BITCOIN_SPAM_10

##{ BITCOIN_SPAM_11

meta           BITCOIN_SPAM_11  __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
describe       BITCOIN_SPAM_11  BitCoin spam pattern 11
#score          BITCOIN_SPAM_11  2.500	# limit
tflags         BITCOIN_SPAM_11  publish
##} BITCOIN_SPAM_11

##{ BITCOIN_SPAM_12

meta           BITCOIN_SPAM_12  __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
describe       BITCOIN_SPAM_12  BitCoin spam pattern 12
#score          BITCOIN_SPAM_12  2.500	# limit
tflags         BITCOIN_SPAM_12  publish
##} BITCOIN_SPAM_12

##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta     BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID
tflags   BITCOIN_SPF_ONLYALL net publish
describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF
#score    BITCOIN_SPF_ONLYALL 2.0 # limit
endif
endif
##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ BITCOIN_TOEQFM

meta           BITCOIN_TOEQFM       __BITCOIN_TOEQFM
describe       BITCOIN_TOEQFM       Bitcoin + To same as From
#score          BITCOIN_TOEQFM       3.500	# limit
##} BITCOIN_TOEQFM

##{ BITCOIN_VISTA

meta           BITCOIN_VISTA        __BITCOIN && __VISTA_MSGID
describe       BITCOIN_VISTA        Bitcoin + old MSFT msgid format
#score          BITCOIN_VISTA        3.500	# limit
##} BITCOIN_VISTA

##{ BITCOIN_WFH_01

meta       BITCOIN_WFH_01              __BITCOIN_WFH_01
describe   BITCOIN_WFH_01              Work-from-Home + bitcoin
tflags     BITCOIN_WFH_01              publish
##} BITCOIN_WFH_01

##{ BITCOIN_XPRIO

meta           BITCOIN_XPRIO        __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY 
describe       BITCOIN_XPRIO        Bitcoin + priority
#score          BITCOIN_XPRIO        2.500	# limit
##} BITCOIN_XPRIO

##{ BITCOIN_YOUR_INFO

meta           BITCOIN_YOUR_INFO      __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
describe       BITCOIN_YOUR_INFO      BitCoin with your personal info
#score          BITCOIN_YOUR_INFO      3.000	# limit
tflags         BITCOIN_YOUR_INFO      publish
##} BITCOIN_YOUR_INFO

##{ BODY_URI_ONLY

meta        BODY_URI_ONLY        __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV 
describe    BODY_URI_ONLY        Message body is only a URI in one line of text or for an image
#score       BODY_URI_ONLY        3.000   # limit
tflags      BODY_URI_ONLY        publish
##} BODY_URI_ONLY

##{ BOGUS_MIME_VERSION

meta       BOGUS_MIME_VERSION          __BOGUS_MIME_VER_02 || __MALF_MIME_VER
#score      BOGUS_MIME_VERSION          3.500	# limit
describe   BOGUS_MIME_VERSION          Mime version header is bogus
tflags     BOGUS_MIME_VERSION          publish
##} BOGUS_MIME_VERSION

##{ BOGUS_MSM_HDRS

meta       BOGUS_MSM_HDRS               __BOGUS_MSM_HDRS
describe   BOGUS_MSM_HDRS               Apparently bogus Microsoft email headers
#score      BOGUS_MSM_HDRS               3.000	# limit
tflags     BOGUS_MSM_HDRS               publish
##} BOGUS_MSM_HDRS

##{ BOMB_FREEM

meta           BOMB_FREEM             __EXPLOSIVE_DEVICE && __freemail_hdr_replyto 
describe       BOMB_FREEM             Bomb + freemail
#score          BOMB_FREEM             2.000	# limit
tflags         BOMB_FREEM             publish
##} BOMB_FREEM

##{ BOMB_MONEY

meta           BOMB_MONEY             __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
describe       BOMB_MONEY             Bomb + money: bomb threat?
#score          BOMB_MONEY             2.500	# limit
tflags         BOMB_MONEY             publish
##} BOMB_MONEY

##{ BTC_ORG

describe       BTC_ORG          Bitcoin wallet ID + unusual header
#score          BTC_ORG          2.500	# limit
##} BTC_ORG

##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta           BTC_ORG          (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST 
endif
##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta           BTC_ORG          (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
endif
##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
tflags   BULK_RE_SUSP_NTLD publish
describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
#score    BULK_RE_SUSP_NTLD 1.0 # limit
endif
endif
##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ CANT_SEE_AD

meta        CANT_SEE_AD       (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
describe    CANT_SEE_AD       You really want to see our spam.
#score       CANT_SEE_AD       2.500	# limit
tflags      CANT_SEE_AD       publish
##} CANT_SEE_AD

##{ CN_B2B_SPAMMER

body        CN_B2B_SPAMMER         /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
describe    CN_B2B_SPAMMER         Chinese company introducing itself
tflags      CN_B2B_SPAMMER         publish
##} CN_B2B_SPAMMER

##{ COMMENT_GIBBERISH

meta           COMMENT_GIBBERISH        __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
describe       COMMENT_GIBBERISH        Nonsense in long HTML comment
#score          COMMENT_GIBBERISH        1.50	# limit
tflags         COMMENT_GIBBERISH        publish
##} COMMENT_GIBBERISH

##{ COMPENSATION

describe COMPENSATION     "Compensation"
#score    COMPENSATION     1.50	# limit
##} COMPENSATION

##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta   COMPENSATION     __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
endif
##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta   COMPENSATION     __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
endif
##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ CONTENT_AFTER_HTML

meta       CONTENT_AFTER_HTML          __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 )
describe   CONTENT_AFTER_HTML          More content after HTML close tag + other spam signs
#score      CONTENT_AFTER_HTML          2.500	# limit
tflags     CONTENT_AFTER_HTML          publish
##} CONTENT_AFTER_HTML

##{ CONTENT_AFTER_HTML_WEAK

meta       CONTENT_AFTER_HTML_WEAK     __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV 
describe   CONTENT_AFTER_HTML_WEAK     More content after HTML close tag
#score      CONTENT_AFTER_HTML_WEAK     1.500	# limit
tflags     CONTENT_AFTER_HTML_WEAK     publish
##} CONTENT_AFTER_HTML_WEAK

##{ CORRUPT_FROM_LINE_IN_HDRS

meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
##} CORRUPT_FROM_LINE_IN_HDRS

##{ CTE_8BIT_MISMATCH

meta CTE_8BIT_MISMATCH            (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)
describe CTE_8BIT_MISMATCH        Header says 7bits but body disagrees
#score CTE_8BIT_MISMATCH           1
tflags CTE_8BIT_MISMATCH          publish
##} CTE_8BIT_MISMATCH

##{ CTYPE_001C_A

meta CTYPE_001C_A  (0)      # obsolete
##} CTYPE_001C_A

##{ CTYPE_001C_B

header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
##} CTYPE_001C_B

##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
describe CTYPE_8SPACE_GIF   Stock spam image part 'Content-Type' found (8 spc)
endif
##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ CURR_PRICE

body CURR_PRICE         /\bCurrent Price:/
##} CURR_PRICE

##{ DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval

ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header   DATE_IN_FUTURE_96_Q    eval:check_for_shifted_date('96', '2920')
describe DATE_IN_FUTURE_96_Q    Date: is 4 days to 4 months after Received: date
endif
##} DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval

##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       DAY_I_EARNED              __DAY_I_EARNED >= 3
#  score      DAY_I_EARNED              3.000	# limit
  describe   DAY_I_EARNED              Work-at-home spam
  tflags     DAY_I_EARNED              publish
endif
##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ DEAR_BENEFICIARY

body     DEAR_BENEFICIARY         /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
describe DEAR_BENEFICIARY         Dear Beneficiary:
##} DEAR_BENEFICIARY

##{ DEAR_WINNER

body DEAR_WINNER /\bdear.{1,20}winner/i
describe DEAR_WINNER   Spam with generic salutation of "dear winner"
##} DEAR_WINNER

##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS

ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta      DKIMWL_BL  __DKIMWL_WL_BL
tflags    DKIMWL_BL  net publish
describe  DKIMWL_BL  DKIMwl.org - Blocked sender
#score     DKIMWL_BL  3.0 # limit
endif
##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS

ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta      DKIMWL_BLOCKED  __DKIMWL_BLOCKED
tflags    DKIMWL_BLOCKED  net publish
describe  DKIMWL_BLOCKED  ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
#score     DKIMWL_BLOCKED  0.001 # limit
endif
##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS

ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta      DKIMWL_WL_HIGH  __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL)
tflags    DKIMWL_WL_HIGH  net nice publish
describe  DKIMWL_WL_HIGH  DKIMwl.org - High trust sender
#score     DKIMWL_WL_HIGH  -3.0 # limit
endif
##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS

ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta      DKIMWL_WL_MED    __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
tflags    DKIMWL_WL_MED    net nice publish
describe  DKIMWL_WL_MED    DKIMwl.org - Medium trust sender
#score     DKIMWL_WL_MED    -0.5 # limit
endif
##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS

ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta      DKIMWL_WL_MEDHI    __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
tflags    DKIMWL_WL_MEDHI    net nice publish
describe  DKIMWL_WL_MEDHI    DKIMwl.org - Medium-high trust sender
#score     DKIMWL_WL_MEDHI    -1.0 # limit
endif
##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ DOS_ANAL_SPAM_MAILER

header DOS_ANAL_SPAM_MAILER	X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
describe DOS_ANAL_SPAM_MAILER	X-mailer pattern common to anal porn site spam
tflags DOS_ANAL_SPAM_MAILER	publish
##} DOS_ANAL_SPAM_MAILER

##{ DOS_BODY_HIGH_NO_MID

meta DOS_BODY_HIGH_NO_MID       __HIGHBITS && MISSING_MID
describe DOS_BODY_HIGH_NO_MID   High bit body and no message ID header
##} DOS_BODY_HIGH_NO_MID

##{ DOS_DEREK_AUG08

meta DOS_DEREK_AUG08    __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
##} DOS_DEREK_AUG08

##{ DOS_FIX_MY_URI

meta DOS_FIX_MY_URI             __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
describe DOS_FIX_MY_URI         Looks like a "fix my obfu'd URI please" spam
##} DOS_FIX_MY_URI

##{ DOS_HIGH_BAT_TO_MX

meta DOS_HIGH_BAT_TO_MX		__DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
describe DOS_HIGH_BAT_TO_MX	The Bat! Direct to MX with High Bits
##} DOS_HIGH_BAT_TO_MX

##{ DOS_LET_GO_JOB

meta DOS_LET_GO_JOB	__DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
describe DOS_LET_GO_JOB	Let go from their job and now makes lots of dough!
##} DOS_LET_GO_JOB

##{ DOS_OE_TO_MX

meta DOS_OE_TO_MX		__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
describe DOS_OE_TO_MX		Delivered direct to MX with OE headers
##} DOS_OE_TO_MX

##{ DOS_OE_TO_MX_IMAGE

meta DOS_OE_TO_MX_IMAGE		__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OE_TO_MX_IMAGE	Direct to MX with OE headers and an image
##} DOS_OE_TO_MX_IMAGE

##{ DOS_OUTLOOK_TO_MX

meta DOS_OUTLOOK_TO_MX		__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
describe DOS_OUTLOOK_TO_MX	Delivered direct to MX with Outlook headers
##} DOS_OUTLOOK_TO_MX

##{ DOS_RCVD_IP_TWICE_C

header DOS_RCVD_IP_TWICE_C	X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
describe DOS_RCVD_IP_TWICE_C	Received from the same IP twice in a row (only one external relay; empty or IP helo)
##} DOS_RCVD_IP_TWICE_C

##{ DOS_STOCK_BAT

meta		DOS_STOCK_BAT		__THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
describe	DOS_STOCK_BAT		Probable pump and dump stock spam
##} DOS_STOCK_BAT

##{ DOS_STOCK_BAT2

meta		DOS_STOCK_BAT2		DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
##} DOS_STOCK_BAT2

##{ DOS_URI_ASTERISK

uri DOS_URI_ASTERISK    m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
describe DOS_URI_ASTERISK       Found an asterisk in a URI
##} DOS_URI_ASTERISK

##{ DOS_YOUR_PLACE

meta	DOS_YOUR_PLACE	(__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
describe	DOS_YOUR_PLACE		Russian dating spam
##} DOS_YOUR_PLACE

##{ DOTGOV_IMAGE

meta       DOTGOV_IMAGE                __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS 
describe   DOTGOV_IMAGE                .gov URI + hosted image
#score      DOTGOV_IMAGE                3.000	# limit
tflags     DOTGOV_IMAGE                publish
##} DOTGOV_IMAGE

##{ DRUGS_HDIA

header DRUGS_HDIA       Subject =~ /\bhoodia\b/i
describe DRUGS_HDIA     Subject mentions "hoodia"
##} DRUGS_HDIA

##{ DSN_NO_MIMEVERSION

meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION)
describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header
#score DSN_NO_MIMEVERSION 2
##} DSN_NO_MIMEVERSION

##{ DX_TEXT_02

body       DX_TEXT_02       /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i
describe   DX_TEXT_02       "change your message stat"
tflags     DX_TEXT_02       publish
##} DX_TEXT_02

##{ DX_TEXT_03

body       DX_TEXT_03       /\b[A-Z]{3} Media (?:Group|Relations)\b/
describe   DX_TEXT_03       "XXX Media Group"
tflags     DX_TEXT_03       publish
##} DX_TEXT_03

##{ DYNAMIC_IMGUR

meta       DYNAMIC_IMGUR               __DYNAMIC_IMGUR
describe   DYNAMIC_IMGUR               dynamic IP + hosted image
#score      DYNAMIC_IMGUR               4.000	# limit
tflags     DYNAMIC_IMGUR               publish
##} DYNAMIC_IMGUR

##{ DYN_RDNS_AND_INLINE_IMAGE

meta DYN_RDNS_AND_INLINE_IMAGE     (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
##} DYN_RDNS_AND_INLINE_IMAGE

##{ DYN_RDNS_SHORT_HELO_HTML

meta DYN_RDNS_SHORT_HELO_HTML      (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
describe DYN_RDNS_SHORT_HELO_HTML  Sent by dynamic rDNS, short HELO, and HTML
##} DYN_RDNS_SHORT_HELO_HTML

##{ DYN_RDNS_SHORT_HELO_IMAGE

meta DYN_RDNS_SHORT_HELO_IMAGE       (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_SHORT_HELO_IMAGE    Short HELO string, dynamic rDNS, inline image
##} DYN_RDNS_SHORT_HELO_IMAGE

##{ EBAY_IMG_NOT_RCVD_EBAY

meta       EBAY_IMG_NOT_RCVD_EBAY      __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
#score      EBAY_IMG_NOT_RCVD_EBAY      3.000	# limit
describe   EBAY_IMG_NOT_RCVD_EBAY      E-bay hosted image but message not from E-bay
tflags     EBAY_IMG_NOT_RCVD_EBAY      publish
##} EBAY_IMG_NOT_RCVD_EBAY

##{ EMRCP

body     EMRCP            /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i
describe EMRCP            "Excess Maximum Return Capital Profit" scam
tflags   EMRCP            publish
##} EMRCP

##{ ENCRYPTED_MESSAGE

meta       ENCRYPTED_MESSAGE           __CT_ENCRYPTED
describe   ENCRYPTED_MESSAGE           Message is encrypted, not likely to be spam
#score      ENCRYPTED_MESSAGE           -1.000
tflags     ENCRYPTED_MESSAGE           nice publish
##} ENCRYPTED_MESSAGE

##{ END_FUTURE_EMAILS

describe       END_FUTURE_EMAILS   Spammy unsubscribe
#score          END_FUTURE_EMAILS   2.500	# limit
##} END_FUTURE_EMAILS

##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta         END_FUTURE_EMAILS   __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
endif
##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta         END_FUTURE_EMAILS   __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
endif
##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ ENVFROM_GOOG_TRIX

meta       ENVFROM_GOOG_TRIX           __ENVFROM_GOOG_TRIX_SPAMMY
describe   ENVFROM_GOOG_TRIX           From suspicious Google subdomain
#score      ENVFROM_GOOG_TRIX           3.000	# limit
tflags     ENVFROM_GOOG_TRIX           publish
##} ENVFROM_GOOG_TRIX

##{ EXCUSE_24

body EXCUSE_24                  /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i
describe EXCUSE_24              Claims you wanted this ad
##} EXCUSE_24

##{ FACEBOOK_IMG_NOT_RCVD_FB

meta       FACEBOOK_IMG_NOT_RCVD_FB    __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP 
#score      FACEBOOK_IMG_NOT_RCVD_FB    2.000  # limit
describe   FACEBOOK_IMG_NOT_RCVD_FB    Facebook hosted image but message not from Facebook
tflags     FACEBOOK_IMG_NOT_RCVD_FB    publish
##} FACEBOOK_IMG_NOT_RCVD_FB

##{ FAKE_REPLY_C

meta     FAKE_REPLY_C		(__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
##} FAKE_REPLY_C

##{ FBI_MONEY

meta        FBI_MONEY            __FBI_SPOOF && LOTS_OF_MONEY
describe    FBI_MONEY            The FBI wants to give you lots of money?
#score       FBI_MONEY            2.00	# limit
tflags      FBI_MONEY            publish
##} FBI_MONEY

##{ FBI_SPOOF

meta        FBI_SPOOF            __FBI_SPOOF
describe    FBI_SPOOF            Claims to be FBI, but not from FBI domain
#score       FBI_SPOOF            2.00	# limit
tflags      FBI_SPOOF            publish
##} FBI_SPOOF

##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     FILL_THIS_FORM                 __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
  describe FILL_THIS_FORM                 Fill in a form with personal information
  tflags   FILL_THIS_FORM                 publish
endif
##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     FILL_THIS_FORM_LONG            __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
  describe FILL_THIS_FORM_LONG            Fill in a form with personal information
#  score    FILL_THIS_FORM_LONG            2.00	# limit
endif
##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      FONT_INVIS_DIRECT             __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX 
  describe  FONT_INVIS_DIRECT             Invisible text + direct-to-MX
#  score     FONT_INVIS_DIRECT             3.500	# limit
  tflags    FONT_INVIS_DIRECT             publish
endif
##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      FONT_INVIS_DOTGOV             __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID 
  describe  FONT_INVIS_DOTGOV             Invisible text + .gov URI
#  score     FONT_INVIS_DOTGOV             3.500	# limit
  tflags    FONT_INVIS_DOTGOV             publish
endif
##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      FONT_INVIS_HTML_NOHTML        __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG 
  describe  FONT_INVIS_HTML_NOHTML        Invisible text + malformed HTML
#  score     FONT_INVIS_HTML_NOHTML        3.000	# limit
  tflags    FONT_INVIS_HTML_NOHTML        publish
endif
##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      FONT_INVIS_LONG_LINE          __FONT_INVIS_LONG_LINE && !__HTML_SINGLET 
  describe  FONT_INVIS_LONG_LINE          Invisible text + long lines
#  score     FONT_INVIS_LONG_LINE          3.000	# limit
  tflags    FONT_INVIS_LONG_LINE          publish
endif
##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      FONT_INVIS_MSGID              __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA 
  describe  FONT_INVIS_MSGID              Invisible text + suspicious message ID
#  score     FONT_INVIS_MSGID              2.500	# limit
  tflags    FONT_INVIS_MSGID              publish
endif
##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      FONT_INVIS_NORDNS             __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER 
  describe  FONT_INVIS_NORDNS             Invisible text + no rDNS
#  score     FONT_INVIS_NORDNS             2.500	# limit
  tflags    FONT_INVIS_NORDNS             publish
endif
##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      FONT_INVIS_POSTEXTRAS         (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
  describe  FONT_INVIS_POSTEXTRAS         Invisible text + suspicious URI
#  score     FONT_INVIS_POSTEXTRAS         3.500	# limit
  tflags    FONT_INVIS_POSTEXTRAS         publish
endif
##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ FORGED_SPF_HELO

meta	 FORGED_SPF_HELO	__HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
##} FORGED_SPF_HELO

##{ FORM_FRAUD

meta     FORM_FRAUD       (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
describe FORM_FRAUD       Fill a form and a fraud phrase
#score    FORM_FRAUD       1.000   # limit
tflags   FORM_FRAUD       publish
##} FORM_FRAUD

##{ FORM_FRAUD_3

meta     FORM_FRAUD_3    (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
describe FORM_FRAUD_3    Fill a form and several fraud phrases
tflags   FORM_FRAUD_3    publish
##} FORM_FRAUD_3

##{ FORM_FRAUD_5

meta     FORM_FRAUD_5    (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE 
describe FORM_FRAUD_5    Fill a form and many fraud phrases
tflags   FORM_FRAUD_5    publish
##} FORM_FRAUD_5

##{ FOUND_YOU

meta        FOUND_YOU          __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
#score       FOUND_YOU          3.25	# limit
describe    FOUND_YOU          I found you...
tflags      FOUND_YOU          publish
##} FOUND_YOU

##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  ifplugin Mail::SpamAssassin::Plugin::HeaderEval 
    if (version >= 3.004000)
      meta     FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS
      describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
#      score    FREEMAIL_FORGED_FROMDOMAIN 0.25
      tflags   FREEMAIL_FORGED_FROMDOMAIN publish
endif
endif
endif
##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)

##{ FREEMAIL_WFH_01

meta       FREEMAIL_WFH_01             __FREEMAIL_WFH_01
describe   FREEMAIL_WFH_01             Work-from-Home + freemail
tflags     FREEMAIL_WFH_01             publish
##} FREEMAIL_WFH_01

##{ FREEM_FRNUM_UNICD_EMPTY

meta       FREEM_FRNUM_UNICD_EMPTY    __FREEM_FRNUM_UNICD_EMPTY
describe   FREEM_FRNUM_UNICD_EMPTY    Numeric freemail From address, unicode From name and Subject, empty body
#score      FREEM_FRNUM_UNICD_EMPTY    3.750	# limit
tflags     FREEM_FRNUM_UNICD_EMPTY    publish
##} FREEM_FRNUM_UNICD_EMPTY

##{ FRNAME_IN_MSG_XPRIO_NO_SUB

meta       FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS  && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
describe   FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
#score      FRNAME_IN_MSG_XPRIO_NO_SUB 2.500	# limit
tflags     FRNAME_IN_MSG_XPRIO_NO_SUB publish
##} FRNAME_IN_MSG_XPRIO_NO_SUB

##{ FROM_ADDR_WS

meta       FROM_ADDR_WS                __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL 
describe   FROM_ADDR_WS                Malformed From address
#score      FROM_ADDR_WS                3.000	# limit
tflags     FROM_ADDR_WS                publish
##} FROM_ADDR_WS

##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_BANK_NOAUTH  __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
tflags   FROM_BANK_NOAUTH  publish net
describe FROM_BANK_NOAUTH  From Bank domain but no SPF or DKIM
#score    FROM_BANK_NOAUTH  1.0 # limit
endif
endif
##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta       FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED
describe   FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
tflags     FROM_FMBLA_NDBLOCKED net publish
#score      FROM_FMBLA_NDBLOCKED 0.001 # limit
endif
endif
##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta       FROM_FMBLA_NEWDOM    __FROM_FMBLA_NEWDOM
describe   FROM_FMBLA_NEWDOM    From domain was registered in last 7 days
tflags     FROM_FMBLA_NEWDOM    net
#score      FROM_FMBLA_NEWDOM    1.5 # limit
endif
endif
##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta       FROM_FMBLA_NEWDOM14  __FROM_FMBLA_NEWDOM14
describe   FROM_FMBLA_NEWDOM14  From domain was registered in last 7-14 days
tflags     FROM_FMBLA_NEWDOM14  publish net
#score      FROM_FMBLA_NEWDOM14  1.0 # limit
endif
endif
##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta       FROM_FMBLA_NEWDOM28  __FROM_FMBLA_NEWDOM28
describe   FROM_FMBLA_NEWDOM28  From domain was registered in last 14-28 days
tflags     FROM_FMBLA_NEWDOM28  net publish
#score      FROM_FMBLA_NEWDOM28  0.8 # limit
endif
endif
##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_GOV_DKIM_AU  DKIM_VALID_AU && __FROM_ADDRLIST_GOV
tflags   FROM_GOV_DKIM_AU  net nice publish
describe FROM_GOV_DKIM_AU  From Government address and DKIM signed
#score    FROM_GOV_DKIM_AU  -1.0 # limit
endif
endif
##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU
tflags   FROM_GOV_REPLYTO_FREEMAIL net publish
describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL
#score    FROM_GOV_REPLYTO_FREEMAIL 2.0
endif
endif
##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_GOV_SPOOF  !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)
tflags   FROM_GOV_SPOOF  net publish
describe FROM_GOV_SPOOF  From Government domain but matches SPOOFED
#score    FROM_GOV_SPOOF  1.0 # limit
endif
endif
##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_IN_TO_AND_SUBJ

meta           FROM_IN_TO_AND_SUBJ  (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID 
describe       FROM_IN_TO_AND_SUBJ  From address is in To and Subject
tflags         FROM_IN_TO_AND_SUBJ  publish
##} FROM_IN_TO_AND_SUBJ

##{ FROM_LONG_DOM

meta            FROM_LONG_DOM           __FROM_LONG_DOM && !FROM_LONG_DOM_MINFP
describe        FROM_LONG_DOM           Absurdly long From domain name
#score           FROM_LONG_DOM           1.500	# limit
tflags          FROM_LONG_DOM           publish
##} FROM_LONG_DOM

##{ FROM_LONG_DOM_MINFP

meta            FROM_LONG_DOM_MINFP     __FROM_LONG_DOM && !__RCD_RDNS_MAIL_MESSY && !__ENV_AND_HDR_FROM_MATCH 
describe        FROM_LONG_DOM_MINFP     Absurdly long From domain name, suspicious relays
#score           FROM_LONG_DOM_MINFP     2.500	# limit
tflags          FROM_LONG_DOM_MINFP     publish
##} FROM_LONG_DOM_MINFP

##{ FROM_MISSPACED

meta           FROM_MISSPACED        __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe       FROM_MISSPACED        From: missing whitespace
#score          FROM_MISSPACED        2.00
##} FROM_MISSPACED

##{ FROM_MISSP_EH_MATCH

meta           FROM_MISSP_EH_MATCH   __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe       FROM_MISSP_EH_MATCH   From misspaced, matches envelope
#score          FROM_MISSP_EH_MATCH   2.00	# max
##} FROM_MISSP_EH_MATCH

##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         FROM_MISSP_FREEMAIL   __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
  describe     FROM_MISSP_FREEMAIL   From misspaced + freemail provider
endif
##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ FROM_MISSP_MSFT

meta           FROM_MISSP_MSFT       __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
describe       FROM_MISSP_MSFT       From misspaced + supposed Microsoft tool
##} FROM_MISSP_MSFT

##{ FROM_MISSP_PHISH

meta        FROM_MISSP_PHISH     __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB 
describe    FROM_MISSP_PHISH     Malformed, claims to be from financial organization - possible phish
#score       FROM_MISSP_PHISH     3.500	# limit
##} FROM_MISSP_PHISH

##{ FROM_MISSP_REPLYTO

meta           FROM_MISSP_REPLYTO    __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB 
describe       FROM_MISSP_REPLYTO    From misspaced, has Reply-To
#score          FROM_MISSP_REPLYTO    2.500	# limit
##} FROM_MISSP_REPLYTO

##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           FROM_MISSP_SPF_FAIL  (__FROM_RUNON && SPF_FAIL)
  tflags         FROM_MISSP_SPF_FAIL  net
#  score          FROM_MISSP_SPF_FAIL  2.00	# limit
endif
##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF

##{ FROM_MISSP_USER

meta           FROM_MISSP_USER       (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe       FROM_MISSP_USER       From misspaced, from "User"
##} FROM_MISSP_USER

##{ FROM_MISSP_XPRIO

meta        FROM_MISSP_XPRIO   (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER 
describe    FROM_MISSP_XPRIO   Misspaced FROM + X-Priority
#score       FROM_MISSP_XPRIO   2.500   # limit
##} FROM_MISSP_XPRIO

##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  meta       FROM_MULTI_NORDNS        __FROM_MULTI_NORDNS
  describe   FROM_MULTI_NORDNS        Multiple From addresses + no rDNS
endif
##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta     FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN
describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID
#score    FROM_NEWDOM_BTC 2.0 # limit
tflags   FROM_NEWDOM_BTC net
endif
endif
##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
tflags   FROM_NTLD_LINKBAIT publish
describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
#score    FROM_NTLD_LINKBAIT 2.0 # limit
endif
endif
##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
tflags   FROM_NTLD_REPLY_FREEMAIL publish
describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
#score    FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
endif
endif
##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta     FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN
describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain
#score    FROM_NUMBERO_NEWDOMAIN 2.0 # limit
tflags   FROM_NUMBERO_NEWDOMAIN net publish
endif
endif
##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_PAYPAL_SPOOF  !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED)
tflags   FROM_PAYPAL_SPOOF  publish net
describe FROM_PAYPAL_SPOOF  From PayPal domain but matches SPOOFED
#score    FROM_PAYPAL_SPOOF  1.6 # limit
endif
endif
##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
tflags   FROM_SUSPICIOUS_NTLD publish
describe FROM_SUSPICIOUS_NTLD From abused NTLD
#score    FROM_SUSPICIOUS_NTLD 0.5 # limit
endif
endif
##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
tflags   FROM_SUSPICIOUS_NTLD_FP publish
describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
#score    FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
endif
endif
##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ FROM_UNBAL2

header   FROM_UNBAL2	From:raw =~ /^ [^<]* > /xm
describe FROM_UNBAL2	From with unbalanced angle brackets, '<' missing
##} FROM_UNBAL2

##{ FSL_BULK_SIG

meta     FSL_BULK_SIG          (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 && !__RCVD_IN_DNSWL 
describe FSL_BULK_SIG          Bulk signature with no Unsubscribe
#score    FSL_BULK_SIG          2.500	# limit
tflags   FSL_BULK_SIG          net publish
##} FSL_BULK_SIG

##{ FSL_CTYPE_WIN1251

header   FSL_CTYPE_WIN1251   Content-Type =~ /charset="Windows-1251"/
describe FSL_CTYPE_WIN1251   Content-Type only seen in 419 spam
##} FSL_CTYPE_WIN1251

##{ FSL_FAKE_HOTMAIL_RVCD

header  FSL_FAKE_HOTMAIL_RVCD   X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
##} FSL_FAKE_HOTMAIL_RVCD

##{ FSL_HELO_BARE_IP_1

meta    FSL_HELO_BARE_IP_1        __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
##} FSL_HELO_BARE_IP_1

##{ FSL_HELO_DEVICE

header  FSL_HELO_DEVICE         X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
##} FSL_HELO_DEVICE

##{ FSL_HELO_NON_FQDN_1

header  FSL_HELO_NON_FQDN_1     X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
##} FSL_HELO_NON_FQDN_1

##{ FSL_HELO_SETUP

header  FSL_HELO_SETUP          X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
##} FSL_HELO_SETUP

##{ FSL_INTERIA_ABUSE

uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
##} FSL_INTERIA_ABUSE

##{ FSL_NEW_HELO_USER

meta    FSL_NEW_HELO_USER   (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
describe  FSL_NEW_HELO_USER Spam's using Helo and User
#score   FSL_NEW_HELO_USER   2.0
tflags  FSL_NEW_HELO_USER   publish
##} FSL_NEW_HELO_USER

##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_AMAZON        /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i
  describe      FUZZY_AMAZON        Obfuscated "amazon"
  tflags        FUZZY_AMAZON        publish
endif
##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_ANDROID       /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i
  describe      FUZZY_ANDROID       Obfuscated "android"
  tflags        FUZZY_ANDROID       publish
endif
##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_APPLE         /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i
  describe      FUZZY_APPLE         Obfuscated "apple"
  tflags        FUZZY_APPLE         publish
endif
##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_BITCOIN       /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
  describe      FUZZY_BITCOIN       Obfuscated "Bitcoin"
  tflags        FUZZY_BITCOIN       publish
endif
##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_BROWSER       /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i
  describe      FUZZY_BROWSER       Obfuscated "browser"
  tflags        FUZZY_BROWSER       publish
endif
##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta          FUZZY_BTC_WALLET    FUZZY_BITCOIN && FUZZY_WALLET
  describe      FUZZY_BTC_WALLET    Heavily obfuscated "bitcoin wallet"
  tflags        FUZZY_BTC_WALLET    publish
endif
##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_CLICK_HERE    /(?=<C>)(?!click(?:\s|&nbsp;)here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
  describe      FUZZY_CLICK_HERE    Obfuscated "click here"
  tflags        FUZZY_CLICK_HERE    publish
endif
##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta          FUZZY_DR_OZ         __FUZZY_DR_OZ && !__VIA_ML
  describe      FUZZY_DR_OZ         Obfuscated Doctor Oz
  tflags        FUZZY_DR_OZ         publish
endif
##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_FACEBOOK      /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i
  describe      FUZZY_FACEBOOK      Obfuscated "facebook"
  tflags        FUZZY_FACEBOOK      publish
endif
##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_HARRIS        /(?:^|\W)(?=<H>)(?!harris)<H><A><R><R><I><S>(?:$|\W)/i
  describe      FUZZY_HARRIS        Obfuscated "Harris"
  tflags        FUZZY_HARRIS        publish
endif
##} FUZZY_HARRIS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_IMPORTANT     /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i
  describe      FUZZY_IMPORTANT     Obfuscated "important"
  tflags        FUZZY_IMPORTANT     publish
endif
##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_MERIDIA      /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
describe FUZZY_MERIDIA  Obfuscation of the word "meridia"
endif
##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_MICROSOFT     /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i
  describe      FUZZY_MICROSOFT     Obfuscated "microsoft"
  tflags        FUZZY_MICROSOFT     publish
endif
##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_MONERO

meta          FUZZY_MONERO        __FUZZY_MONERO
describe      FUZZY_MONERO        Obfuscated "Monero"
tflags        FUZZY_MONERO        publish
##} FUZZY_MONERO

##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_NORTON        /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i
  describe      FUZZY_NORTON        Obfuscated "norton"
  tflags        FUZZY_NORTON        publish
endif
##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_OVERSTOCK     /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i
  describe      FUZZY_OVERSTOCK     Obfuscated "overstock"
  tflags        FUZZY_OVERSTOCK     publish
endif
##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_PAYPAL        /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i
  describe      FUZZY_PAYPAL        Obfuscated "paypal"
  tflags        FUZZY_PAYPAL        publish
endif
##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta          FUZZY_PORN          __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
  describe      FUZZY_PORN          Obfuscated "Pornography" or "Pornographic"
  tflags        FUZZY_PORN          publish
endif
##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_PRIVACY       /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i
  describe      FUZZY_PRIVACY       Obfuscated "privacy"
  tflags        FUZZY_PRIVACY       publish
endif
##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_PROMOTION     /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i
  describe      FUZZY_PROMOTION     Obfuscated "promotion"
  tflags        FUZZY_PROMOTION     publish
endif
##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_SAVINGS       /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i
  describe      FUZZY_SAVINGS       Obfuscated "savings"
  tflags        FUZZY_SAVINGS       publish
endif
##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_SECURITY      /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
  describe      FUZZY_SECURITY      Obfuscated "security"
  tflags        FUZZY_SECURITY      publish
endif
##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_TRUMP         /(?:^|\W)(?=<T>)(?!trump)<T><R><U><M><P>(?:$|\W)/i
  describe      FUZZY_TRUMP         Obfuscated "Trump"
  tflags        FUZZY_TRUMP         publish
endif
##} FUZZY_TRUMP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta          FUZZY_TRUSTWALLET   __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM
  describe      FUZZY_TRUSTWALLET   Obfuscated "Trust Wallet", probable phishing
  tflags        FUZZY_TRUSTWALLET   publish
endif
##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_UNSUBSCRIBE   /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i
  describe      FUZZY_UNSUBSCRIBE   Obfuscated "unsubscribe"
  tflags        FUZZY_UNSUBSCRIBE   publish
endif
##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          FUZZY_WALLET        /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i
  describe      FUZZY_WALLET        Obfuscated "Wallet"
  tflags        FUZZY_WALLET        publish
endif
##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta          FUZZY_WELLSFARGO         __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
  describe      FUZZY_WELLSFARGO         Obfuscated "Wells Fargo"
  tflags        FUZZY_WELLSFARGO         publish
endif
##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ GAPPY_HTML

meta        GAPPY_HTML             __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe    GAPPY_HTML             HTML body with much useless whitespace
##} GAPPY_HTML

##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       GAPPY_SALES_LEADS_FREEM     __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
  describe   GAPPY_SALES_LEADS_FREEM     Obfuscated marketing text, freemail or CHN replyto
#  score      GAPPY_SALES_LEADS_FREEM     3.500	# limit
  tflags     GAPPY_SALES_LEADS_FREEM     publish
endif
##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  meta          GB_CUSTOM_HTM_URI       ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
  describe      GB_CUSTOM_HTM_URI       Custom html uri
#  score         GB_CUSTOM_HTM_URI       1.500 # limit
  tflags        GB_CUSTOM_HTM_URI       publish
endif
endif
##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

##{ GB_FAKE_RF_SHORT

meta       GB_FAKE_RF_SHORT              ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER )
describe   GB_FAKE_RF_SHORT              Fake reply or forward with url shortener
#score      GB_FAKE_RF_SHORT              2.000 # limit
tflags     GB_FAKE_RF_SHORT              publish
##} GB_FAKE_RF_SHORT

##{ GB_FORGED_MUA_POSTFIX

meta	     GB_FORGED_MUA_POSTFIX	( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
describe     GB_FORGED_MUA_POSTFIX	Forged Postfix mua headers
tflags       GB_FORGED_MUA_POSTFIX      publish
#score	     GB_FORGED_MUA_POSTFIX	2.0 # limit
##} GB_FORGED_MUA_POSTFIX

##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta     GB_FREEMAIL_DISPTO  ( __FREEMAIL_DISPTO && !__freemail_safe )
  describe GB_FREEMAIL_DISPTO  Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
#  score    GB_FREEMAIL_DISPTO  0.50 # limit
  tflags   GB_FREEMAIL_DISPTO  publish
endif
##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta     GB_FREEMAIL_DISPTO_NOTFREEM  ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
  describe GB_FREEMAIL_DISPTO_NOTFREEM  Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
#  score    GB_FREEMAIL_DISPTO_NOTFREEM  0.50 # limit
  tflags   GB_FREEMAIL_DISPTO_NOTFREEM  publish
endif
##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ GB_GOOGLE_OBFUR

uri         GB_GOOGLE_OBFUR	/^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/
describe    GB_GOOGLE_OBFUR	Obfuscate url through Google redirect
#score       GB_GOOGLE_OBFUR     0.75 # limit
tflags      GB_GOOGLE_OBFUR     publish
##} GB_GOOGLE_OBFUR

##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL

if (version >= 3.004003)
  ifplugin Mail::SpamAssassin::Plugin::HashBL
    body          GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b')
    tflags        GB_HASHBL_BTC net publish
    describe      GB_HASHBL_BTC Message contains BTC address found on BTCBL
#    score         GB_HASHBL_BTC 5.0 # limit
endif
endif
##} GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL

##{ GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  uri           GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
  describe      GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
#  score         GB_STORAGE_GOOGLE_EMAIL 2.000 # limit
  tflags        GB_STORAGE_GOOGLE_EMAIL publish
endif
endif
##} GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

##{ GEO_QUERY_STRING

uri	GEO_QUERY_STRING	/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
##} GEO_QUERY_STRING

##{ GOOGLE_DOCS_PHISH

meta        GOOGLE_DOCS_PHISH    (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe    GOOGLE_DOCS_PHISH    Possible phishing via a Google Docs form
#score       GOOGLE_DOCS_PHISH    3.00	# limit
tflags      GOOGLE_DOCS_PHISH    publish
##} GOOGLE_DOCS_PHISH

##{ GOOGLE_DOCS_PHISH_MANY

meta        GOOGLE_DOCS_PHISH_MANY  __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe    GOOGLE_DOCS_PHISH_MANY  Phishing via a Google Docs form
#score       GOOGLE_DOCS_PHISH_MANY  4.00	# limit
tflags      GOOGLE_DOCS_PHISH_MANY  publish
##} GOOGLE_DOCS_PHISH_MANY

##{ GOOGLE_DOC_SUSP

meta        GOOGLE_DOC_SUSP      __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG 
describe    GOOGLE_DOC_SUSP      Suspicious use of Google Docs
#score       GOOGLE_DOC_SUSP      3.000	# limit
tflags      GOOGLE_DOC_SUSP      publish
##} GOOGLE_DOC_SUSP

##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags   GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
#score    GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
endif
endif
##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ GOOG_MALWARE_DNLD

meta      GOOG_MALWARE_DNLD             __GOOG_MALWARE_DNLD
describe  GOOG_MALWARE_DNLD             File download via Google - Malware?
#score     GOOG_MALWARE_DNLD             5.000   # limit
tflags    GOOG_MALWARE_DNLD             publish
##} GOOG_MALWARE_DNLD

##{ GOOG_REDIR_DOCUSIGN

uri        GOOG_REDIR_DOCUSIGN         m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
describe   GOOG_REDIR_DOCUSIGN         Indirect docusign link, probable phishing
tflags     GOOG_REDIR_DOCUSIGN         publish
##} GOOG_REDIR_DOCUSIGN

##{ GOOG_REDIR_NORDNS

meta      GOOG_REDIR_NORDNS             __GOOG_REDIR && RDNS_NONE
describe  GOOG_REDIR_NORDNS             Google redirect to obscure spamvertised website + no rDNS
##} GOOG_REDIR_NORDNS

##{ GOOG_REDIR_SHORT

meta      GOOG_REDIR_SHORT              __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 
describe  GOOG_REDIR_SHORT              Google redirect to obscure spamvertised website + short message
tflags    GOOG_REDIR_SHORT              publish
##} GOOG_REDIR_SHORT

##{ GOOG_STO_EMAIL_PHISH

meta        GOOG_STO_EMAIL_PHISH       __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
describe    GOOG_STO_EMAIL_PHISH       Possible phishing with google hosted content URI having email address
#score       GOOG_STO_EMAIL_PHISH       3.00	# limit
tflags      GOOG_STO_EMAIL_PHISH       publish
##} GOOG_STO_EMAIL_PHISH

##{ GOOG_STO_HTML_PHISH

meta        GOOG_STO_HTML_PHISH       __GOOG_STO_HTML_PHISH
describe    GOOG_STO_HTML_PHISH       Possible phishing with google content hosting to avoid URIBL
#score       GOOG_STO_HTML_PHISH       3.00	# limit
tflags      GOOG_STO_HTML_PHISH       publish
##} GOOG_STO_HTML_PHISH

##{ GOOG_STO_HTML_PHISH_MANY

meta        GOOG_STO_HTML_PHISH_MANY  __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe    GOOG_STO_HTML_PHISH_MANY  Phishing with google content hosting to avoid URIBL
#score       GOOG_STO_HTML_PHISH_MANY  4.00	# limit
tflags      GOOG_STO_HTML_PHISH_MANY  publish
##} GOOG_STO_HTML_PHISH_MANY

##{ GOOG_STO_IMG_HTML

meta       GOOG_STO_IMG_HTML          __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe   GOOG_STO_IMG_HTML          Apparently using google content hosting to avoid URIBL
#score      GOOG_STO_IMG_HTML          3.000	# limit
tflags     GOOG_STO_IMG_HTML          publish
##} GOOG_STO_IMG_HTML

##{ GOOG_STO_IMG_NOHTML

meta       GOOG_STO_IMG_NOHTML        __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe   GOOG_STO_IMG_NOHTML        Apparently using google content hosting to avoid URIBL
#score      GOOG_STO_IMG_NOHTML        2.500	# limit
tflags     GOOG_STO_IMG_NOHTML        publish
##} GOOG_STO_IMG_NOHTML

##{ GOOG_STO_NOIMG_HTML

meta       GOOG_STO_NOIMG_HTML        __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY && !T_URI_GOOG_STO_SUBD_SPAMMY
describe   GOOG_STO_NOIMG_HTML        Apparently using google content hosting to avoid URIBL
#score      GOOG_STO_NOIMG_HTML        3.000	# limit
tflags     GOOG_STO_NOIMG_HTML        publish
##} GOOG_STO_NOIMG_HTML

##{ HAS_X_NO_RELAY

meta      HAS_X_NO_RELAY                __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 
describe  HAS_X_NO_RELAY                Has spammy header
#score     HAS_X_NO_RELAY                2.500	# limit
tflags    HAS_X_NO_RELAY                publish
##} HAS_X_NO_RELAY

##{ HAS_X_OUTGOING_SPAM_STAT

meta       HAS_X_OUTGOING_SPAM_STAT    __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO 
describe   HAS_X_OUTGOING_SPAM_STAT    Has header claiming outbound spam scan - why trust the results?
#score      HAS_X_OUTGOING_SPAM_STAT    2.000	# limit
tflags     HAS_X_OUTGOING_SPAM_STAT    publish
##} HAS_X_OUTGOING_SPAM_STAT

##{ HDRS_MISSP

meta           HDRS_MISSP            __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
describe       HDRS_MISSP            Misspaced headers
#score          HDRS_MISSP            2.500	# limit
tflags         HDRS_MISSP            publish
##} HDRS_MISSP

##{ HDR_ORDER_FTSDMCXX_001C

meta HDR_ORDER_FTSDMCXX_001C  (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C  Header order similar to spam (FTSDMCXX/MID variant)
##} HDR_ORDER_FTSDMCXX_001C

##{ HDR_ORDER_FTSDMCXX_BAT

meta HDR_ORDER_FTSDMCXX_BAT   (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT   Header order similar to spam (FTSDMCXX/boundary variant)
##} HDR_ORDER_FTSDMCXX_BAT

##{ HDR_ORDER_FTSDMCXX_DIRECT

meta       HDR_ORDER_FTSDMCXX_DIRECT  (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
describe   HDR_ORDER_FTSDMCXX_DIRECT  Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
#score      HDR_ORDER_FTSDMCXX_DIRECT  2.000	# limit
tflags     HDR_ORDER_FTSDMCXX_DIRECT  publish
##} HDR_ORDER_FTSDMCXX_DIRECT

##{ HDR_ORDER_FTSDMCXX_NORDNS

meta       HDR_ORDER_FTSDMCXX_NORDNS  (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
describe   HDR_ORDER_FTSDMCXX_NORDNS  Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
#score      HDR_ORDER_FTSDMCXX_NORDNS  3.500	# limit
tflags     HDR_ORDER_FTSDMCXX_NORDNS  publish
##} HDR_ORDER_FTSDMCXX_NORDNS

##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval

ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header HEADER_COUNT_SUBJECT     eval:check_header_count_range('Subject','2','999')
describe HEADER_COUNT_SUBJECT   Multiple Subject headers found
endif
##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval

##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  ifplugin Mail::SpamAssassin::Plugin::HeaderEval 
    if (version >= 3.004000)
      header   HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
      describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
#      score    HEADER_FROM_DIFFERENT_DOMAINS 0.25
      tflags   HEADER_FROM_DIFFERENT_DOMAINS publish
endif
endif
endif
##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)

##{ HELO_FRIEND

header HELO_FRIEND  X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND

##{ HELO_LH_LD

header HELO_LH_LD   X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
##} HELO_LH_LD

##{ HELO_LOCALHOST

header HELO_LOCALHOST   X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST

##{ HELO_NO_DOMAIN

meta     HELO_NO_DOMAIN	__HELO_NO_DOMAIN && !HELO_LOCALHOST
describe HELO_NO_DOMAIN	Relay reports its domain incorrectly
tflags   HELO_NO_DOMAIN	publish
##} HELO_NO_DOMAIN

##{ HELO_OEM

header HELO_OEM  X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
##} HELO_OEM

##{ HEXHASH_WORD

meta        HEXHASH_WORD       (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER 
describe    HEXHASH_WORD       Multiple instances of word + hexadecimal hash
#score       HEXHASH_WORD       3.000	# limit
tflags      HEXHASH_WORD       publish
##} HEXHASH_WORD

##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader	HK_CTE_RAW		Content-Transfer-Encoding =~ /^raw$/
#score		HK_CTE_RAW		2
tflags		HK_CTE_RAW		publish
endif
##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ HK_LOTTO

meta		HK_LOTTO		__HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
#score		HK_LOTTO		1
##} HK_LOTTO

##{ HK_NAME_DRUGS

header		HK_NAME_DRUGS		From:name =~ /(?:viagra|\bcialis|cialis\b)/mi
describe	HK_NAME_DRUGS		From name contains drugs
#score		HK_NAME_DRUGS		2
##} HK_NAME_DRUGS

##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
  meta		HK_NAME_MR_MRS		__HK_NAME_MR_MRS && !FREEMAIL_FROM
#  score		HK_NAME_MR_MRS		1.0
endif
endif
##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

##{ HK_RANDOM_ENVFROM

header		HK_RANDOM_ENVFROM	 EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_ENVFROM	Envelope sender username looks random
#score		HK_RANDOM_ENVFROM	1
tflags		HK_RANDOM_ENVFROM	publish
##} HK_RANDOM_ENVFROM

##{ HK_RANDOM_FROM

header		HK_RANDOM_FROM	 	    From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_FROM		From username looks random
#score		HK_RANDOM_FROM		1
tflags		HK_RANDOM_FROM		publish
##} HK_RANDOM_FROM

##{ HK_RANDOM_REPLYTO

header		HK_RANDOM_REPLYTO	Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe	HK_RANDOM_REPLYTO	Reply-To username looks random
#score		HK_RANDOM_REPLYTO	1
tflags		HK_RANDOM_REPLYTO	publish
##} HK_RANDOM_REPLYTO

##{ HK_RCVD_IP_MULTICAST

header		HK_RCVD_IP_MULTICAST	X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
#score		HK_RCVD_IP_MULTICAST	2
tflags		HK_RCVD_IP_MULTICAST	publish
##} HK_RCVD_IP_MULTICAST

##{ HK_SCAM

meta		HK_SCAM			__HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
#score		HK_SCAM			2
tflags		HK_SCAM			publish
##} HK_SCAM

##{ HK_WIN

meta		HK_WIN			((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
#score		HK_WIN			1
##} HK_WIN

##{ HOSTED_IMG_DIRECT_MX

meta       HOSTED_IMG_DIRECT_MX        __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON 
#score      HOSTED_IMG_DIRECT_MX        3.500	# limit
describe   HOSTED_IMG_DIRECT_MX        Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
tflags     HOSTED_IMG_DIRECT_MX        publish
##} HOSTED_IMG_DIRECT_MX

##{ HOSTED_IMG_DQ_UNSUB

meta       HOSTED_IMG_DQ_UNSUB         __HOSTED_IMG_DQ_UNSUB
#score      HOSTED_IMG_DQ_UNSUB         3.500	# limit
describe   HOSTED_IMG_DQ_UNSUB         Image hosted at large ecomm, CDN or hosting site, IP addr unsub link
tflags     HOSTED_IMG_DQ_UNSUB         publish
##} HOSTED_IMG_DQ_UNSUB

##{ HOSTED_IMG_FREEM

meta       HOSTED_IMG_FREEM            __HOSTED_IMG_FREEM && !__THREADED 
#score      HOSTED_IMG_FREEM            3.500	# limit
describe   HOSTED_IMG_FREEM            Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
tflags     HOSTED_IMG_FREEM            publish
##} HOSTED_IMG_FREEM

##{ HOSTED_IMG_MULTI

meta       HOSTED_IMG_MULTI            __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL 
#score      HOSTED_IMG_MULTI            3.000	# limit
describe   HOSTED_IMG_MULTI            Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
tflags     HOSTED_IMG_MULTI            publish
##} HOSTED_IMG_MULTI

##{ HOSTED_IMG_MULTI_PUB_01

meta       HOSTED_IMG_MULTI_PUB_01     (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO 
describe   HOSTED_IMG_MULTI_PUB_01     Multiple hosted images at public site
#score      HOSTED_IMG_MULTI_PUB_01     3.000	# limit
tflags     HOSTED_IMG_MULTI_PUB_01     publish
##} HOSTED_IMG_MULTI_PUB_01

##{ HREF_EMPTY_NORDNS

meta       HREF_EMPTY_NORDNS           __HREF_EMPTY_NORDNS
describe   HREF_EMPTY_NORDNS           Empty href + no rDNS
#score      HREF_EMPTY_NORDNS           2.500	# limit
tflags     HREF_EMPTY_NORDNS           publish
##} HREF_EMPTY_NORDNS

##{ HREF_EMPTY_PHPMAIL

meta       HREF_EMPTY_PHPMAIL          __HREF_EMPTY_PHPMAIL
describe   HREF_EMPTY_PHPMAIL          Empty href + PHP Mailer
#score      HREF_EMPTY_PHPMAIL          2.500	# limit
tflags     HREF_EMPTY_PHPMAIL          publish
##} HREF_EMPTY_PHPMAIL

##{ HREF_EMPTY_XANTIABUSE

meta       HREF_EMPTY_XANTIABUSE       __HREF_EMPTY_XANTIABUSE
describe   HREF_EMPTY_XANTIABUSE       Empty href + X-AntiAbuse
#score      HREF_EMPTY_XANTIABUSE       2.500	# limit
tflags     HREF_EMPTY_XANTIABUSE       publish
##} HREF_EMPTY_XANTIABUSE

##{ HREF_EMPTY_XAUTHED

meta       HREF_EMPTY_XAUTHED          __HREF_EMPTY_XAUTHED
describe   HREF_EMPTY_XAUTHED          Empty href + X-Authenticated-Sender
#score      HREF_EMPTY_XAUTHED          2.500	# limit
tflags     HREF_EMPTY_XAUTHED          publish
##} HREF_EMPTY_XAUTHED

##{ HTML_BADATTR

describe HTML_BADATTR Illegal char in HTML attribute name
rawbody  HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/
#score    HTML_BADATTR 1
tflags   HTML_BADATTR publish
##} HTML_BADATTR

##{ HTML_ENTITY_ASCII

meta       HTML_ENTITY_ASCII           __HTML_ENTITY_ASCII_MINFP
describe   HTML_ENTITY_ASCII           Obfuscated ASCII
#score      HTML_ENTITY_ASCII           3.000	# limit
tflags     HTML_ENTITY_ASCII           publish
##} HTML_ENTITY_ASCII

##{ HTML_ENTITY_ASCII_TINY

meta       HTML_ENTITY_ASCII_TINY      __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO 
describe   HTML_ENTITY_ASCII_TINY      Obfuscated ASCII + tiny fonts
#score      HTML_ENTITY_ASCII_TINY      3.000	# limit
tflags     HTML_ENTITY_ASCII_TINY      publish
##} HTML_ENTITY_ASCII_TINY

##{ HTML_FONT_TINY_NORDNS

meta        HTML_FONT_TINY_NORDNS    __HTML_FONT_TINY_NORDNS && !__HAS_CID 
describe    HTML_FONT_TINY_NORDNS    Font too small to read, no rDNS
#score       HTML_FONT_TINY_NORDNS    2.000	# limit
##} HTML_FONT_TINY_NORDNS

##{ HTML_OFF_PAGE

meta        HTML_OFF_PAGE     __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe    HTML_OFF_PAGE     HTML element rendered well off the displayed page
#score       HTML_OFF_PAGE     3.000	# limit
tflags      HTML_OFF_PAGE     publish
##} HTML_OFF_PAGE

##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       HTML_SHRT_CMNT_OBFU_MANY    __HTML_SHRT_CMNT_OBFU_MANY
  describe   HTML_SHRT_CMNT_OBFU_MANY    Obfuscation with many short HTML comments
#  score      HTML_SHRT_CMNT_OBFU_MANY    2.500	# limit
  tflags     HTML_SHRT_CMNT_OBFU_MANY    publish
endif
##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ HTML_SINGLET_MANY

meta      HTML_SINGLET_MANY             __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP 
describe  HTML_SINGLET_MANY             Many single-letter HTML format blocks
#score     HTML_SINGLET_MANY             2.500   # limit
tflags    HTML_SINGLET_MANY             publish
##} HTML_SINGLET_MANY

##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
  meta       HTML_TAG_BALANCE_CENTER       __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY 
  describe   HTML_TAG_BALANCE_CENTER       Malformatted HTML
endif
##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval

##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      HTML_TEXT_INVISIBLE_FONT      __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID 
  describe  HTML_TEXT_INVISIBLE_FONT      HTML hidden text - word obfuscation?
#  score     HTML_TEXT_INVISIBLE_FONT      2.000   # limit
  tflags    HTML_TEXT_INVISIBLE_FONT      publish
endif
##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      HTML_TEXT_INVISIBLE_STYLE     __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL ||  __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX 
  describe  HTML_TEXT_INVISIBLE_STYLE     HTML hidden text + other spam signs
#  score     HTML_TEXT_INVISIBLE_STYLE     3.500   # limit
  tflags    HTML_TEXT_INVISIBLE_STYLE     publish
endif
##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch

ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
body  HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch

##{ IMG_DIRECT_TO_MX

meta       IMG_DIRECT_TO_MX        __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K
##} IMG_DIRECT_TO_MX

##{ IMG_ONLY_FM_DOM_INFO

meta       IMG_ONLY_FM_DOM_INFO       __HTML_IMG_ONLY && __FROM_DOM_INFO
describe   IMG_ONLY_FM_DOM_INFO       HTML image-only message from .info domain
#score      IMG_ONLY_FM_DOM_INFO       2.500	# limit
tflags     IMG_ONLY_FM_DOM_INFO       publish
##} IMG_ONLY_FM_DOM_INFO

##{ JH_SPAMMY_HEADERS

meta       JH_SPAMMY_HEADERS           __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
describe   JH_SPAMMY_HEADERS           Has unusual message header(s) seen primarily in spam
#score      JH_SPAMMY_HEADERS           3.500	# limit
tflags     JH_SPAMMY_HEADERS           publish
##} JH_SPAMMY_HEADERS

##{ JH_SPAMMY_PATTERN01

rawbody    JH_SPAMMY_PATTERN01         m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism
describe   JH_SPAMMY_PATTERN01         Unusual pattern seen in spam campaign
#score      JH_SPAMMY_PATTERN01         3.000	# limit
tflags     JH_SPAMMY_PATTERN01         publish
##} JH_SPAMMY_PATTERN01

##{ JH_SPAMMY_PATTERN02

rawbody    JH_SPAMMY_PATTERN02         m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism
describe   JH_SPAMMY_PATTERN02         Unusual pattern seen in spam campaign
#score      JH_SPAMMY_PATTERN02         3.000	# limit
tflags     JH_SPAMMY_PATTERN02         publish
##} JH_SPAMMY_PATTERN02

##{ JM_I_FEEL_LUCKY

uri JM_I_FEEL_LUCKY         /(?:\&|\?)btnI=ec(?:$|\&)/
tflags JM_I_FEEL_LUCKY  publish     # low hitrate, but always a good sign
##} JM_I_FEEL_LUCKY

##{ JM_RCVD_QMAILV1

header JM_RCVD_QMAILV1     Received =~ /by \S+ \(Qmailv1\) with ESMTP/
##} JM_RCVD_QMAILV1

##{ JM_TORA_XM

meta JM_TORA_XM     (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
##} JM_TORA_XM

##{ KB_DATE_CONTAINS_TAB

meta     KB_DATE_CONTAINS_TAB  __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB 
#score	 KB_DATE_CONTAINS_TAB  0.5
##} KB_DATE_CONTAINS_TAB

##{ KB_FAKED_THE_BAT

meta     KB_FAKED_THE_BAT      (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
##} KB_FAKED_THE_BAT

##{ KB_RATWARE_BOUNDARY

meta   KB_RATWARE_BOUNDARY   __RATWARE_BOUND_A || __RATWARE_BOUND_B
##} KB_RATWARE_BOUNDARY

##{ KB_RATWARE_MSGID

meta   KB_RATWARE_MSGID        (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
##} KB_RATWARE_MSGID

##{ KB_RATWARE_OUTLOOK_08

header  KB_RATWARE_OUTLOOK_08  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi  # "
##} KB_RATWARE_OUTLOOK_08

##{ KB_RATWARE_OUTLOOK_12

header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
##} KB_RATWARE_OUTLOOK_12

##{ KB_RATWARE_OUTLOOK_16

header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "
##} KB_RATWARE_OUTLOOK_16

##{ KB_RATWARE_OUTLOOK_MID

header  KB_RATWARE_OUTLOOK_MID  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
##} KB_RATWARE_OUTLOOK_MID

##{ KHOP_FAKE_EBAY

meta	 KHOP_FAKE_EBAY 	__EBAY_ADDRESS && !__NOT_SPOOFED
describe KHOP_FAKE_EBAY 	Sender falsely claims to be from eBay
##} KHOP_FAKE_EBAY

##{ KHOP_HELO_FCRDNS

meta	 KHOP_HELO_FCRDNS	__HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
describe KHOP_HELO_FCRDNS	Relay HELO differs from its IP's reverse DNS
#score	 KHOP_HELO_FCRDNS	0.4 # 20090603
##} KHOP_HELO_FCRDNS

##{ LINKEDIN_IMG_NOT_RCVD_LNKN

meta       LINKEDIN_IMG_NOT_RCVD_LNKN  __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT 
#score      LINKEDIN_IMG_NOT_RCVD_LNKN  2.500  # limit
describe   LINKEDIN_IMG_NOT_RCVD_LNKN  Linkedin hosted image but message not from Linkedin
tflags     LINKEDIN_IMG_NOT_RCVD_LNKN  publish
##} LINKEDIN_IMG_NOT_RCVD_LNKN

##{ LIST_PRTL_PUMPDUMP

meta        LIST_PRTL_PUMPDUMP     __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS 
describe    LIST_PRTL_PUMPDUMP     Incomplete List-* headers and stock pump-and-dump
#score       LIST_PRTL_PUMPDUMP     2.000   # limit
tflags      LIST_PRTL_PUMPDUMP     publish
##} LIST_PRTL_PUMPDUMP

##{ LIST_PRTL_SAME_USER

meta        LIST_PRTL_SAME_USER    __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO 
describe    LIST_PRTL_SAME_USER    Incomplete List-* headers and from+to user the same
#score       LIST_PRTL_SAME_USER    3.000   # limit
tflags      LIST_PRTL_SAME_USER    publish
##} LIST_PRTL_SAME_USER

##{ LIVEFILESTORE

uri  LIVEFILESTORE       m~livefilestore.com/~
##} LIVEFILESTORE

##{ LONGLN_LOW_CONTRAST

meta        LONGLN_LOW_CONTRAST   __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY 
describe    LONGLN_LOW_CONTRAST   Excessively long line + hidden text
#score       LONGLN_LOW_CONTRAST   2.500   # limit
##} LONGLN_LOW_CONTRAST

##{ LONG_HEX_URI

meta        LONG_HEX_URI      __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 && !__IMG_S3_AWS
describe    LONG_HEX_URI      Very long purely hexadecimal URI
#score       LONG_HEX_URI      3.000	# limit
tflags      LONG_HEX_URI      publish
##} LONG_HEX_URI

##{ LONG_IMG_URI

meta        LONG_IMG_URI        __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO 
describe    LONG_IMG_URI        Image URI with very long path component - web bug?
#score       LONG_IMG_URI        3.000	# limit
tflags      LONG_IMG_URI        publish
##} LONG_IMG_URI

##{ LONG_INVISIBLE_TEXT

describe  LONG_INVISIBLE_TEXT           Long block of hidden text - bayes poison?
#score     LONG_INVISIBLE_TEXT           3.000	# limit
tflags    LONG_INVISIBLE_TEXT           publish
##} LONG_INVISIBLE_TEXT

##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))

if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
  meta      LONG_INVISIBLE_TEXT           __LONG_INVIS_DIV
endif
##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))

##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      LONG_INVISIBLE_TEXT           __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 )
endif
##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ LONG_TERM_PRICE

body LONG_TERM_PRICE  /long\W+term\W+(?:target|projected)(?:\W+price)?/i
##} LONG_TERM_PRICE

##{ LOOPHOLE_1

body		LOOPHOLE_1	/loop-?hole in the banking/i
describe	LOOPHOLE_1	A loop hole in the banking laws?
##} LOOPHOLE_1

##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     LOTS_OF_MONEY      0
endif
##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)

##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     LOTS_OF_MONEY    (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY
  describe LOTS_OF_MONEY    Huge... sums of money
#  score    LOTS_OF_MONEY    0.01
  tflags   LOTS_OF_MONEY    publish
endif
##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ LOTTERY_1

meta LOTTERY_1      (__DBLCLAIM && __CASHPRZ)
##} LOTTERY_1

##{ LOTTERY_PH_004470

meta LOTTERY_PH_004470  (__AFF_004470_NUMBER && __AFF_LOTTERY)
##} LOTTERY_PH_004470

##{ LOTTO_AGENT

meta     LOTTO_AGENT      __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD 
describe LOTTO_AGENT      Claims Agent
#score    LOTTO_AGENT      1.50		# limit
##} LOTTO_AGENT

##{ LOTTO_DEPT

meta     LOTTO_DEPT       __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT
describe LOTTO_DEPT       Claims Department
#score    LOTTO_DEPT       2.00		# limit
##} LOTTO_DEPT

##{ LUCRATIVE

meta     LUCRATIVE        ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
describe LUCRATIVE        Make lots of money!
#score    LUCRATIVE        2.00	# limit
tflags   LUCRATIVE        publish
##} LUCRATIVE

##{ L_SPAM_TOOL_13

header L_SPAM_TOOL_13   Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
##} L_SPAM_TOOL_13

##{ MALFORMED_FREEMAIL

meta	 MALFORMED_FREEMAIL	(MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
describe MALFORMED_FREEMAIL	Bad headers on message from free email service
##} MALFORMED_FREEMAIL

##{ MALF_HTML_B64

meta       MALF_HTML_B64               MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG 
describe   MALF_HTML_B64               Malformatted base64-encoded HTML content
#score      MALF_HTML_B64               3.500	# limit
tflags     MALF_HTML_B64               publish
##} MALF_HTML_B64

##{ MALWARE_NORDNS

meta           MALWARE_NORDNS         __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe       MALWARE_NORDNS         Malware bragging + no rDNS
#score          MALWARE_NORDNS         3.500	# limit
tflags         MALWARE_NORDNS         publish
##} MALWARE_NORDNS

##{ MALWARE_PASSWORD

meta           MALWARE_PASSWORD       __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe       MALWARE_PASSWORD       Malware bragging + "password"
#score          MALWARE_PASSWORD       3.500	# limit
tflags         MALWARE_PASSWORD       publish
##} MALWARE_PASSWORD

##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         MALW_ATTACH         __MALW_ATTACH && !__HAS_THREAD_INDEX 
  describe     MALW_ATTACH         Attachment filename suspicious, probable malware exploit
  tflags       MALW_ATTACH         publish
endif
##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ MANY_HDRS_LCASE

describe       MANY_HDRS_LCASE       Odd capitalization of multiple message headers
#score          MANY_HDRS_LCASE       0.10	# limit
##} MANY_HDRS_LCASE

##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)

if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
  meta         MANY_HDRS_LCASE       __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)

##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         MANY_HDRS_LCASE       __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ MANY_SPAN_IN_TEXT

meta           MANY_SPAN_IN_TEXT   __MANY_SPAN_IN_TEXT && !__VIA_ML
describe       MANY_SPAN_IN_TEXT   Many <SPAN> tags embedded within text
tflags         MANY_SPAN_IN_TEXT   publish
##} MANY_SPAN_IN_TEXT

##{ MANY_SUBDOM

meta           MANY_SUBDOM         __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
describe       MANY_SUBDOM         Lots and lots of subdomain parts in a URI
##} MANY_SUBDOM

##{ MAY_BE_FORGED

meta	 MAY_BE_FORGED	__MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
describe MAY_BE_FORGED	Relay IP's reverse DNS does not resolve to IP
##} MAY_BE_FORGED

##{ MID_DEGREES

header MID_DEGREES  Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##} MID_DEGREES

##{ MILLION_HUNDRED

body		MILLION_HUNDRED		/Million\s+\S+\s+Hundred/i
describe	MILLION_HUNDRED		Million "One to Nine" Hundred
tflags		MILLION_HUNDRED		publish
##} MILLION_HUNDRED

##{ MILLION_USD

body MILLION_USD                /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
describe MILLION_USD            Talks about millions of dollars
#score MILLION_USD 2
##} MILLION_USD

##{ MIMEOLE_DIRECT_TO_MX

meta       MIMEOLE_DIRECT_TO_MX        __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS 
describe   MIMEOLE_DIRECT_TO_MX        MIMEOLE + direct-to-MX
#score      MIMEOLE_DIRECT_TO_MX        2.000	# limit
tflags     MIMEOLE_DIRECT_TO_MX        publish
##} MIMEOLE_DIRECT_TO_MX

##{ MIME_BOUND_EQ_REL

header MIME_BOUND_EQ_REL    Content-Type =~ /boundary="=====================_\d+==\.REL"/s
##} MIME_BOUND_EQ_REL

##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta        MIME_NO_TEXT      __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128 
#  score       MIME_NO_TEXT      2.00	# limit
  describe    MIME_NO_TEXT      No (properly identified) text body parts
  tflags      MIME_NO_TEXT      publish
endif
##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta        MIME_PHP_NO_TEXT  (MIME_NO_TEXT && __PHP_MUA)
  describe    MIME_PHP_NO_TEXT  No text body parts, X-Mailer: PHP
endif
##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ MIXED_AREA_CASE

meta       MIXED_AREA_CASE             __MIXED_AREA_CASE
describe   MIXED_AREA_CASE             Has area tag in mixed case
#score      MIXED_AREA_CASE             2.500	 # limit
tflags     MIXED_AREA_CASE             publish
##} MIXED_AREA_CASE

##{ MIXED_CENTER_CASE

meta       MIXED_CENTER_CASE           __MIXED_CENTER_CASE
describe   MIXED_CENTER_CASE           Has center tag in mixed case
#score      MIXED_CENTER_CASE           2.500	 # limit
tflags     MIXED_CENTER_CASE           publish
##} MIXED_CENTER_CASE

##{ MIXED_CTYPE_CASE

header     MIXED_CTYPE_CASE            Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll];
##} MIXED_CTYPE_CASE

##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    meta            MIXED_ES        ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
    describe        MIXED_ES Too many es are not es
    tflags          MIXED_ES publish
#    lang pl  score MIXED_ES  0.01
#    lang cz  score MIXED_ES  0.01
#    lang sk  score MIXED_ES  0.01
#    lang hr  score MIXED_ES  0.01
#    lang el  score MIXED_ES  0.01
endif
endif
##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ MIXED_FONT_CASE

meta       MIXED_FONT_CASE             __MIXED_FONT_CASE
describe   MIXED_FONT_CASE             Has font tag in mixed case
#score      MIXED_FONT_CASE             2.500	 # limit
tflags     MIXED_FONT_CASE             publish
##} MIXED_FONT_CASE

##{ MIXED_HREF_CASE

meta       MIXED_HREF_CASE             __MIXED_HREF_CASE && !__LYRIS_EZLM_REMAILER && !__HAS_LIST_ID 
describe   MIXED_HREF_CASE             Has href in mixed case
#score      MIXED_HREF_CASE             2.000	 # limit
tflags     MIXED_HREF_CASE             publish
##} MIXED_HREF_CASE

##{ MIXED_IMG_CASE

meta       MIXED_IMG_CASE              __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL 
describe   MIXED_IMG_CASE              Has img tag in mixed case
#score      MIXED_IMG_CASE              3.000	 # limit
tflags     MIXED_IMG_CASE              publish
##} MIXED_IMG_CASE

##{ MONERO_DEADLINE

meta           MONERO_DEADLINE        __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
describe       MONERO_DEADLINE        Monero cryptocurrency with a deadline
#score          MONERO_DEADLINE        3.000	# limit
tflags         MONERO_DEADLINE        publish
##} MONERO_DEADLINE

##{ MONERO_EXTORT_01

meta           MONERO_EXTORT_01       __MONERO && __EXTORT_MANY
describe       MONERO_EXTORT_01       Extortion spam, pay via Monero cryptocurrency
#score          MONERO_EXTORT_01       5.000	# limit
tflags         MONERO_EXTORT_01       publish
##} MONERO_EXTORT_01

##{ MONERO_MALWARE

meta           MONERO_MALWARE         __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
describe       MONERO_MALWARE         Monero cryptocurrency + malware bragging
#score          MONERO_MALWARE         3.500	# limit
tflags         MONERO_MALWARE         publish
##} MONERO_MALWARE

##{ MONERO_PAY_ME

meta           MONERO_PAY_ME          __MONERO && __PAY_ME && !MONERO_EXTORT_01
describe       MONERO_PAY_ME          Pay me via Monero cryptocurrency
#score          MONERO_PAY_ME          3.000	# limit
tflags         MONERO_PAY_ME          publish
##} MONERO_PAY_ME

##{ MONEY_ATM_CARD

meta     MONEY_ATM_CARD   __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
describe MONEY_ATM_CARD   Lots of money on an ATM card
##} MONEY_ATM_CARD

##{ MONEY_FORM

meta     MONEY_FORM          __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
describe MONEY_FORM          Lots of money if you fill out a form
##} MONEY_FORM

##{ MONEY_FORM_SHORT

meta     MONEY_FORM_SHORT    __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD 
describe MONEY_FORM_SHORT    Lots of money if you fill out a short form
#score    MONEY_FORM_SHORT    2.500	# limit
##} MONEY_FORM_SHORT

##{ MONEY_FRAUD_3

meta     MONEY_FRAUD_3    (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_3    Lots of money and several fraud phrases
tflags   MONEY_FRAUD_3    publish
##} MONEY_FRAUD_3

##{ MONEY_FRAUD_5

meta     MONEY_FRAUD_5    (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_5    Lots of money and many fraud phrases
tflags   MONEY_FRAUD_5    publish
##} MONEY_FRAUD_5

##{ MONEY_FRAUD_8

meta     MONEY_FRAUD_8    __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG 
describe MONEY_FRAUD_8    Lots of money and very many fraud phrases
tflags   MONEY_FRAUD_8    publish
##} MONEY_FRAUD_8

##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta     MONEY_FREEMAIL_REPTO     __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID 
  describe MONEY_FREEMAIL_REPTO     Lots of money from someone using free email?
#  score    MONEY_FREEMAIL_REPTO     3.000	# limit
  tflags   MONEY_FREEMAIL_REPTO     publish
endif
##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ MONEY_FROM_41

meta            MONEY_FROM_41             __MONEY_FROM_41
describe        MONEY_FROM_41             Lots of money from Africa
#score           MONEY_FROM_41             2.00	# limit
##} MONEY_FROM_41

##{ MONEY_FROM_MISSP

meta     MONEY_FROM_MISSP   LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
describe MONEY_FROM_MISSP   Lots of money and misspaced From
#score    MONEY_FROM_MISSP   2.000	# limit
##} MONEY_FROM_MISSP

##{ MONEY_NOHTML

meta      MONEY_NOHTML        LOTS_OF_MONEY && __CT_TEXT_PLAIN 
describe  MONEY_NOHTML        Lots of money in plain text
#score     MONEY_NOHTML        2.500	# limit
##} MONEY_NOHTML

##{ MSGID_DOLLARS_URI_IMG

meta       MSGID_DOLLARS_URI_IMG       __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW 
describe   MSGID_DOLLARS_URI_IMG       Suspicious Message-ID and image
#score      MSGID_DOLLARS_URI_IMG       3.000	# limit
tflags     MSGID_DOLLARS_URI_IMG       publish
##} MSGID_DOLLARS_URI_IMG

##{ MSGID_HDR_MALF

meta       MSGID_HDR_MALF              __HAS_MESSAGEID
describe   MSGID_HDR_MALF              Has invalid message ID header
#score      MSGID_HDR_MALF              3.500	# limit
tflags     MSGID_HDR_MALF              publish
##} MSGID_HDR_MALF

##{ MSGID_MULTIPLE_AT

header 		MSGID_MULTIPLE_AT	MESSAGEID =~ /<[^>]*\@[^>]*\@/
describe 	MSGID_MULTIPLE_AT	Message-ID contains multiple '@' characters
#score 		MSGID_MULTIPLE_AT	0.001
##} MSGID_MULTIPLE_AT

##{ MSM_PRIO_REPTO

meta       MSM_PRIO_REPTO              __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH 
describe   MSM_PRIO_REPTO              MSMail priority header + Reply-to + short subject
#score      MSM_PRIO_REPTO              2.500	# limit
tflags     MSM_PRIO_REPTO              publish
##} MSM_PRIO_REPTO

##{ MSOE_MID_WRONG_CASE

meta MSOE_MID_WRONG_CASE  (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE

##{ NA_DOLLARS

body NA_DOLLARS                        /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
describe NA_DOLLARS            Talks about a million North American dollars
#score NA_DOLLARS 1.5
##} NA_DOLLARS

##{ NEWEGG_IMG_NOT_RCVD_NEGG

meta       NEWEGG_IMG_NOT_RCVD_NEGG    __NEWEGG_IMG_NOT_RCVD_NEGG
#score      NEWEGG_IMG_NOT_RCVD_NEGG    2.500	# limit
describe   NEWEGG_IMG_NOT_RCVD_NEGG    Newegg hosted image but message not from Newegg
tflags     NEWEGG_IMG_NOT_RCVD_NEGG    publish
##} NEWEGG_IMG_NOT_RCVD_NEGG

##{ NEW_PRODUCTS

meta       NEW_PRODUCTS                __NEW_PRODUCTS && !__STY_INVIS_MANY 
#score      NEW_PRODUCTS                1.250	# limit
tflags     NEW_PRODUCTS                publish
##} NEW_PRODUCTS

##{ NICE_REPLY_A

meta     NICE_REPLY_A		(__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
describe NICE_REPLY_A		Looks like a legit reply (A)
tflags   NICE_REPLY_A		nice
##} NICE_REPLY_A

##{ NORDNS_LOW_CONTRAST

meta        NORDNS_LOW_CONTRAST   __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED 
describe    NORDNS_LOW_CONTRAST   No rDNS + hidden text
#score       NORDNS_LOW_CONTRAST   2.500   # limit
##} NORDNS_LOW_CONTRAST

##{ NOT_SPAM

body        NOT_SPAM           /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
describe    NOT_SPAM           I'm not spam! Really! I'm not, I'm not, I'm not!
tflags      NOT_SPAM           publish
##} NOT_SPAM

##{ NO_FM_NAME_IP_HOSTN

meta       NO_FM_NAME_IP_HOSTN        (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT 
describe   NO_FM_NAME_IP_HOSTN        No From name + hostname using IP address
#score      NO_FM_NAME_IP_HOSTN        2.500	# limit
tflags     NO_FM_NAME_IP_HOSTN        publish
##} NO_FM_NAME_IP_HOSTN

##{ NSL_RCVD_FROM_USER

header         NSL_RCVD_FROM_USER       Received =~ /from User [\[\(]/
describe       NSL_RCVD_FROM_USER       Received from User
##} NSL_RCVD_FROM_USER

##{ NSL_RCVD_HELO_USER

header         NSL_RCVD_HELO_USER       Received =~ /helo[= ]user\)/i
describe       NSL_RCVD_HELO_USER       Received from HELO User
##} NSL_RCVD_HELO_USER

##{ NULL_IN_BODY

full NULL_IN_BODY       /\x00/
describe NULL_IN_BODY   Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY

##{ OBFU_BITCOIN

meta           OBFU_BITCOIN     __OBFU_BITCOIN
describe       OBFU_BITCOIN     Obfuscated BitCoin references
#score          OBFU_BITCOIN     3.000	# limit
tflags         OBFU_BITCOIN     publish
##} OBFU_BITCOIN

##{ OBFU_JVSCR_ESC

rawbody     OBFU_JVSCR_ESC         /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
describe    OBFU_JVSCR_ESC         Injects content using obfuscated javascript
tflags      OBFU_JVSCR_ESC         publish
##} OBFU_JVSCR_ESC

##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   OBFU_TEXT_ATTACH    Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
  describe     OBFU_TEXT_ATTACH    Text attachment with non-text MIME type
  tflags       OBFU_TEXT_ATTACH    publish
endif
##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ OBFU_UNSUB_UL

meta       OBFU_UNSUB_UL               __OBFU_UNSUB_UL && !MAILING_LIST_MULTI 
describe   OBFU_UNSUB_UL               Obfuscated unsubscribe text
tflags     OBFU_UNSUB_UL               publish
##} OBFU_UNSUB_UL

##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta       ODD_FREEM_REPTO             __freemail_mailreplyto
  describe   ODD_FREEM_REPTO             Has unusual reply-to header
#  score      ODD_FREEM_REPTO             3.000	# limit
  tflags     ODD_FREEM_REPTO             publish
endif
##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK      (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK  Has a spammy image attachment (by Content-ID)
endif
##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
endif
##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ PDS_BTC_ID

meta     PDS_BTC_ID __PDS_BTC_ID
describe PDS_BTC_ID FP reduced Bitcoin ID
#score    PDS_BTC_ID 0.5
##} PDS_BTC_ID

##{ PDS_BTC_MSGID

meta     PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
#score    PDS_BTC_MSGID 1.0
##} PDS_BTC_MSGID

##{ PDS_DBL_URL_LINKBAIT

meta     PDS_DBL_URL_LINKBAIT __BODY_URI_ONLY && __PDS_DOUBLE_URL
describe PDS_DBL_URL_LINKBAIT Linkbait double-url
#score    PDS_DBL_URL_LINKBAIT 2.5 # limit
##} PDS_DBL_URL_LINKBAIT

##{ PDS_FRNOM_TODOM_DBL_URL

meta     PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
#score    PDS_FRNOM_TODOM_DBL_URL 1.5
##} PDS_FRNOM_TODOM_DBL_URL

##{ PDS_FRNOM_TODOM_NAKED_TO

meta     PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN
describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
#score    PDS_FRNOM_TODOM_NAKED_TO 1.5
##} PDS_FRNOM_TODOM_NAKED_TO

##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  meta       PDS_FROM_2_EMAILS        __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS 
  describe   PDS_FROM_2_EMAILS        From header has multiple different addresses
#  score      PDS_FROM_2_EMAILS        3.500	# limit
endif
##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

##{ PDS_FROM_NAME_TO_DOMAIN

meta     PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
#score    PDS_FROM_NAME_TO_DOMAIN 2.0
describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
##} PDS_FROM_NAME_TO_DOMAIN

##{ PDS_HELO_SPF_FAIL

meta     PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
#score    PDS_HELO_SPF_FAIL 2.0
tflags   PDS_HELO_SPF_FAIL net
##} PDS_HELO_SPF_FAIL

##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
#score    PDS_OTHER_BAD_TLD 2.0
describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
endif
endif
##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         PHISH_ATTACH          (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER 
  describe     PHISH_ATTACH          Attachment filename suspicious, probable phishing
  tflags       PHISH_ATTACH          publish
endif
##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ PHISH_AZURE_CLOUDAPP

uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
#score PHISH_AZURE_CLOUDAPP 3.500
tflags PHISH_AZURE_CLOUDAPP publish
##} PHISH_AZURE_CLOUDAPP

##{ PHISH_FBASEAPP

meta       PHISH_FBASEAPP              __PHISH_FBASE_01
describe   PHISH_FBASEAPP              Probable phishing via hosted web app
#score      PHISH_FBASEAPP              3.000	# limit
tflags     PHISH_FBASEAPP              publish
##} PHISH_FBASEAPP

##{ PHP_NOVER_MUA

describe  PHP_NOVER_MUA       Mail from PHP with no version number
#score     PHP_NOVER_MUA       3.000	# limit
tflags    PHP_NOVER_MUA       publish
##} PHP_NOVER_MUA

##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta    PHP_NOVER_MUA       __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ PHP_ORIG_SCRIPT

meta       PHP_ORIG_SCRIPT             __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
describe   PHP_ORIG_SCRIPT             Sent by bot & other signs
#score      PHP_ORIG_SCRIPT             2.500	# limit
tflags     PHP_ORIG_SCRIPT             publish
##} PHP_ORIG_SCRIPT

##{ PHP_SCRIPT

meta       PHP_SCRIPT                  __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT 
describe   PHP_SCRIPT                  Sent by PHP script
#score      PHP_SCRIPT                  2.500	# limit
tflags     PHP_SCRIPT                  publish
##} PHP_SCRIPT

##{ PHP_SCRIPT_MUA

meta       PHP_SCRIPT_MUA              __HAS_PHP_SCRIPT && __PHP_NOVER_MUA 
describe   PHP_SCRIPT_MUA              Sent by PHP script, no version number
#score      PHP_SCRIPT_MUA              2.000	# limit
tflags     PHP_SCRIPT_MUA              publish
##} PHP_SCRIPT_MUA

##{ POSSIBLE_APPLE_PHISH_02

meta       POSSIBLE_APPLE_PHISH_02     (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
describe   POSSIBLE_APPLE_PHISH_02     Claims to be from apple but not processed by any apple MTA
tflags     POSSIBLE_APPLE_PHISH_02     publish
##} POSSIBLE_APPLE_PHISH_02

##{ POSSIBLE_EBAY_PHISH_02

meta       POSSIBLE_EBAY_PHISH_02      (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
describe   POSSIBLE_EBAY_PHISH_02      Claims to be from ebay but not processed by any ebay MTA
tflags     POSSIBLE_EBAY_PHISH_02      publish
##} POSSIBLE_EBAY_PHISH_02

##{ POSSIBLE_PAYPAL_PHISH_01

meta       POSSIBLE_PAYPAL_PHISH_01    (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
describe   POSSIBLE_PAYPAL_PHISH_01    Claims to be from paypal but has non-paypal from email address
tflags     POSSIBLE_PAYPAL_PHISH_01    publish
##} POSSIBLE_PAYPAL_PHISH_01

##{ POSSIBLE_PAYPAL_PHISH_02

meta       POSSIBLE_PAYPAL_PHISH_02    (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
describe   POSSIBLE_PAYPAL_PHISH_02    Claims to be from paypal but not processed by any paypal MTA
tflags     POSSIBLE_PAYPAL_PHISH_02    publish
##} POSSIBLE_PAYPAL_PHISH_02

##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
    body     PP_MIME_FAKE_ASCII_TEXT  eval:check_for_ascii_text_illegal()
    describe PP_MIME_FAKE_ASCII_TEXT  MIME text/plain claims to be ASCII but isn't
#    score    PP_MIME_FAKE_ASCII_TEXT  1.0
    tflags   PP_MIME_FAKE_ASCII_TEXT  publish
endif
endif
##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)

##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
    body     PP_TOO_MUCH_UNICODE02      eval:check_abundant_unicode_ratio(0.02)
    describe PP_TOO_MUCH_UNICODE02      Is text/plain but has many unicode escapes
#    score    PP_TOO_MUCH_UNICODE02      0.5
    tflags   PP_TOO_MUCH_UNICODE02      publish
endif
endif
##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)

##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
    body     PP_TOO_MUCH_UNICODE05	eval:check_abundant_unicode_ratio(0.05)
    describe PP_TOO_MUCH_UNICODE05	Is text/plain but has many unicode escapes
#    score    PP_TOO_MUCH_UNICODE05	1.0
    tflags   PP_TOO_MUCH_UNICODE05	publish
endif
endif
##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)

##{ PUMPDUMP

meta        PUMPDUMP          (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
describe    PUMPDUMP          Pump-and-dump stock scam phrase
#score       PUMPDUMP          1.000	# limit
tflags      PUMPDUMP          publish
##} PUMPDUMP

##{ PUMPDUMP_MULTI

meta        PUMPDUMP_MULTI    (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
describe    PUMPDUMP_MULTI    Pump-and-dump stock scam phrases
#score       PUMPDUMP_MULTI    3.500	# limit
tflags      PUMPDUMP_MULTI    publish
##} PUMPDUMP_MULTI

##{ PUMPDUMP_TIP

meta        PUMPDUMP_TIP      __PD_CNT_1 && __STOCK_TIP
describe    PUMPDUMP_TIP      Pump-and-dump stock tip
tflags      PUMPDUMP_TIP      publish
##} PUMPDUMP_TIP

##{ RAND_HEADER_LIST_SPOOF

meta      RAND_HEADER_LIST_SPOOF       __RAND_HEADER && __LIST_PARTIAL 
describe  RAND_HEADER_LIST_SPOOF       Random gibberish message header(s) + pretending to be a mailing list
#score     RAND_HEADER_LIST_SPOOF       3.000   # limit
tflags    RAND_HEADER_LIST_SPOOF       publish
##} RAND_HEADER_LIST_SPOOF

##{ RAND_HEADER_MANY

meta      RAND_HEADER_MANY             __RAND_HEADER_2
describe  RAND_HEADER_MANY             Multiple random gibberish message headers
#score     RAND_HEADER_MANY             3.000   # limit
tflags    RAND_HEADER_MANY             publish
##} RAND_HEADER_MANY

##{ RAND_MKTG_HEADER

meta      RAND_MKTG_HEADER             __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST 
describe  RAND_MKTG_HEADER             Has partially-randomized marketing/tracking header(s)
#score     RAND_MKTG_HEADER             2.000	# limit
tflags    RAND_MKTG_HEADER             publish
##} RAND_MKTG_HEADER

##{ RATWARE_NO_RDNS

meta       RATWARE_NO_RDNS            __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF 
describe   RATWARE_NO_RDNS            Suspicious MsgID and MIME boundary + no rDNS
#score      RATWARE_NO_RDNS            3.000	# limit
##} RATWARE_NO_RDNS

##{ RCVD_BAD_ID

header RCVD_BAD_ID      Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
describe RCVD_BAD_ID    Received header contains id field with bad characters
##} RCVD_BAD_ID

##{ RCVD_DBL_DQ

header      RCVD_DBL_DQ                Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe    RCVD_DBL_DQ                Malformatted message header
tflags      RCVD_DBL_DQ                publish
##} RCVD_DBL_DQ

##{ RCVD_DOTEDU_SHORT

meta       RCVD_DOTEDU_SHORT           __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
describe   RCVD_DOTEDU_SHORT           Via .edu MTA + short message
#score      RCVD_DOTEDU_SHORT           1.500	# limit
tflags     RCVD_DOTEDU_SHORT           publish
##} RCVD_DOTEDU_SHORT

##{ RCVD_DOTEDU_SUSP_URI

meta       RCVD_DOTEDU_SUSP_URI        __RCVD_DOTEDU_SUSP_URI
describe   RCVD_DOTEDU_SUSP_URI        Via .edu MTA + suspicious URI
#score      RCVD_DOTEDU_SUSP_URI        3.000	# limit
tflags     RCVD_DOTEDU_SUSP_URI        publish
##} RCVD_DOTEDU_SUSP_URI

##{ RCVD_FORGED_WROTE

header RCVD_FORGED_WROTE    Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE  Forged 'Received' header found ('wrote:' spam)
##} RCVD_FORGED_WROTE

##{ RCVD_FORGED_WROTE2

header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2

##{ RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_COURT		eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.130')
describe RCVD_IN_IADB_COURT		IADB: Court-ordered email
tflags RCVD_IN_IADB_COURT		net nice
endif
##} RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DK			eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
describe RCVD_IN_IADB_DK		IADB: Sender publishes Domain Keys record
tflags RCVD_IN_IADB_DK			net nice
endif
##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_DMARC ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DMARC               eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.5')
describe RCVD_IN_IADB_DMARC             IADB: Sender has DMARC record
tflags RCVD_IN_IADB_DMARC               net nice
endif
##} RCVD_IN_IADB_DMARC ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
describe RCVD_IN_IADB_DOPTIN		IADB: All mailing list mail is confirmed opt-in
tflags RCVD_IN_IADB_DOPTIN		net nice
endif
##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_GT50		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
describe RCVD_IN_IADB_DOPTIN_GT50	IADB: Confirmed opt-in used more than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_GT50		net nice
endif
##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_LT50		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
describe RCVD_IN_IADB_DOPTIN_LT50	IADB: Confirmed opt-in used less than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_LT50		net nice
endif
##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_ECARD ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ECARD		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.213')
describe RCVD_IN_IADB_ECARD		IADB: ecard, e-invitation, or similar e-correspondence service
tflags RCVD_IN_IADB_ECARD		net nice
endif
##} RCVD_IN_IADB_ECARD ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_ESP ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ESP			eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.214')
describe RCVD_IN_IADB_ESP		IADB: Email Service Provider (ESP)
tflags RCVD_IN_IADB_ESP			net nice
endif
##} RCVD_IN_IADB_ESP ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_LEG_BNPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LEG_BNPROFIT	eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.110')
describe RCVD_IN_IADB_LEG_BNPROFIT	IADB: email sent on behalf of a non-profit organization
tflags RCVD_IN_IADB_LEG_BNPROFIT	net nice
endif
##} RCVD_IN_IADB_LEG_BNPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LEG_MAND		eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.120')
describe RCVD_IN_IADB_LEG_MAND		IADB: Legally mandated email
tflags RCVD_IN_IADB_LEG_MAND		net nice
endif
##} RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_LEG_NPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LEG_NPROFIT		eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.100')
describe RCVD_IN_IADB_LEG_NPROFIT	IADB: email sent from a non-profit organization
tflags RCVD_IN_IADB_LEG_NPROFIT		net nice
endif
##} RCVD_IN_IADB_LEG_NPROFIT ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LISTED		eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
describe RCVD_IN_IADB_LISTED		Participates in the IADB system
tflags RCVD_IN_IADB_LISTED		net nice
endif
##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LOOSE		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
describe RCVD_IN_IADB_LOOSE		IADB: Adds relationship addrs w/out opt-in
tflags RCVD_IN_IADB_LOOSE		net nice
endif
##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPEAR		eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
describe RCVD_IN_IADB_MI_CPEAR		IADB: Complies with Michigan's CPEAR law
tflags RCVD_IN_IADB_MI_CPEAR		net nice
endif
##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ML_DOPTIN		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
describe RCVD_IN_IADB_ML_DOPTIN		IADB: Mailing list email only, confirmed opt-in
tflags RCVD_IN_IADB_ML_DOPTIN		net nice
endif
##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_NOCONTROL		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
describe RCVD_IN_IADB_NOCONTROL		IADB: Has absolutely no mailing controls in place
tflags RCVD_IN_IADB_NOCONTROL		net nice
endif
##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OOO			eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
describe RCVD_IN_IADB_OOO		IADB: One-to-one/transactional email only
tflags RCVD_IN_IADB_OOO			net nice
endif
##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
describe RCVD_IN_IADB_OPTIN		IADB: All mailing list mail is opt-in
tflags RCVD_IN_IADB_OPTIN		net nice
endif
##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_GT50		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
describe RCVD_IN_IADB_OPTIN_GT50	IADB: Opt-in used more than 50% of the time
tflags RCVD_IN_IADB_OPTIN_GT50		net nice
endif
##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_LT50		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
describe RCVD_IN_IADB_OPTIN_LT50	IADB: Opt-in used less than 50% of the time
tflags RCVD_IN_IADB_OPTIN_LT50		net nice
endif
##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTOUTONLY		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
describe RCVD_IN_IADB_OPTOUTONLY 	IADB: Scrapes addresses, pure opt-out only
tflags RCVD_IN_IADB_OPTOUTONLY		net nice
endif
##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_RDNS		eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
describe RCVD_IN_IADB_RDNS		IADB: Sender has reverse DNS record
tflags RCVD_IN_IADB_RDNS		net nice
endif
##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SENDERID		eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
describe RCVD_IN_IADB_SENDERID		IADB: Sender publishes Sender ID record
tflags RCVD_IN_IADB_SENDERID		net nice
endif
##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_SOCIAL ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SOCIAL		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.211')
describe RCVD_IN_IADB_SOCIAL		IADB: social networking service email
tflags RCVD_IN_IADB_SOCIAL		net nice
endif
##} RCVD_IN_IADB_SOCIAL ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SPF			eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
describe RCVD_IN_IADB_SPF		IADB: Sender publishes SPF record
tflags RCVD_IN_IADB_SPF			net nice
endif
##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_TRACK ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_TRACK		eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.212')
describe RCVD_IN_IADB_TRACK		IADB: email with open and read tracking services
tflags RCVD_IN_IADB_TRACK		net nice
endif
##} RCVD_IN_IADB_TRACK ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_1	eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
describe RCVD_IN_IADB_UNVERIFIED_1	IADB: Accepts unverified sign-ups
tflags RCVD_IN_IADB_UNVERIFIED_1	net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_2	eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
describe RCVD_IN_IADB_UNVERIFIED_2	IADB: Accepts unverified sign-ups, gives chance to opt out
tflags RCVD_IN_IADB_UNVERIFIED_2	net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_URG ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_URG			eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.255')
describe RCVD_IN_IADB_URG		IADB: time-critical urgent or emergency communications
tflags RCVD_IN_IADB_URG			net nice
endif
##} RCVD_IN_IADB_URG ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPEAR		eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
describe RCVD_IN_IADB_UT_CPEAR		IADB: Complies with Utah's CPEAR law
tflags RCVD_IN_IADB_UT_CPEAR		net nice
endif
##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval

##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {

ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
header   RCVD_IN_PSBL  eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL  Received via a relay in PSBL
tflags   RCVD_IN_PSBL  net
endif
##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {

##{ RCVD_MAIL_COM

header RCVD_MAIL_COM        Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
describe RCVD_MAIL_COM      Forged Received header (contains post.com or mail.com)
##} RCVD_MAIL_COM

##{ RDNS_LOCALHOST

header         RDNS_LOCALHOST  X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe       RDNS_LOCALHOST  Sender's public rDNS is "localhost"
##} RDNS_LOCALHOST

##{ RDNS_NUM_TLD_ATCHNX

meta       RDNS_NUM_TLD_ATCHNX         __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
describe   RDNS_NUM_TLD_ATCHNX         Relay rDNS has numeric TLD + suspicious attachment
#score      RDNS_NUM_TLD_ATCHNX         3.000	# limit
tflags     RDNS_NUM_TLD_ATCHNX         publish
##} RDNS_NUM_TLD_ATCHNX

##{ RDNS_NUM_TLD_XM

meta       RDNS_NUM_TLD_XM             __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
describe   RDNS_NUM_TLD_XM             Relay rDNS has numeric TLD + suspicious headers
#score      RDNS_NUM_TLD_XM             3.000	# limit
tflags     RDNS_NUM_TLD_XM             publish
##} RDNS_NUM_TLD_XM

##{ REPLYTO_WITHOUT_TO_CC

meta REPLYTO_WITHOUT_TO_CC     (__HAS_REPLY_TO && !__TOCC_EXISTS)
##} REPLYTO_WITHOUT_TO_CC

##{ REPTO_419_FRAUD

header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler|google_promoaward0?|panyawein|wongshiu_ki))\@163\.com|(?:ray\-thomas7h)\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:support)\@apostlesfoundation\.com|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:traoreahmed)\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:jessica)\@cadencebankdept\.us|(?:hello)\@captnbb\.com|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:duncanttodd)\@centrum\.cz|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)|sama_williams|warren(?:\.buffett19|_edward)))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|freeminds2024|i(?:lanasoloshneor|nfo90000)|joseramonjr1|m(?:hzitafrank0|ynewmission)|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|megaclaimcenter|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@emteslastock\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:a(?:bogado\.antoniopaco|dvancedsegurosespana)|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:customercare)\@findlaycb\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:(?:mmpaulsmith145|t\.fitzgerald))\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:gordoncole)\@gordoncole\.co\.uk|(?:ceo)\@gpromo-team\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:(?:cocacolaofficialprize1|williamsdavid_3r))\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:bo_li)\@imgrantfunds\.com|(?:patrickc)\@inbox\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|off(?:er2021|iceme)|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:baankston)\@instruction\.com|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:wbuk03)\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|info\.federalreserve\.org|johnkofithomas|kateclough1|mriamchombo1968|nancyvee80|philiproger101))\@mail\.com|(?:(?:ayishagddafio?|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:epowerball)\@mailbox\.sk|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:secretservicce8)\@onionmail\.org|(?:info)\@onlinepch\.com|(?:dieterbe451)\@onmail\.com|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:info)\@ousos-elearning\.com|(?:turkish\-air)\@outlook\.com\.tr|(?:schaeffler(?:ariaelisabeth|mariaelisabeth))\@outlook\.de|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:support)\@piraeusegrecebnk\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:(?:martinahrivnakova|united\.globeawardoffice))\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|leyen|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:(?:gmackenzie001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:(?:deputygov_kuben|rcassim\.sarb|vera))\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:olena\.shevchenko)\@shumejda\.co\.uk|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:trevor)\@southernphone\.com\.au|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:bobby\.william)\@tradent\.net|(?:punit)\@traficoanalytica\.com|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:jvona)\@viscom\.net|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|thomaspeter227))\@yahoo\.com\.hk|(?:jessicp1)\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:(?:fortinsandrine|rita_will001))\@yahoo\.fr|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:(?:laprimitivaes|robert166003))\@zohomail\.eu)$/i
describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD 3.000
tflags REPTO_419_FRAUD publish
##} REPTO_419_FRAUD

##{ REPTO_419_FRAUD_AOL

header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|b(?:000137|rajjohn)|f\.2[06]|gneselizabethgiftfoundationssss|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|info\.dieter_charity|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee|uciacorraomanagerbocub|ynnpage44)|m(?:\.francco91|_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|normapatto|o(?:fficework172|xf174)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|w(?:attson\.renwick|ebank244)|yurdaaytarkan5))\@aol\.com$/i
describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL 3.000
tflags REPTO_419_FRAUD_AOL publish
##} REPTO_419_FRAUD_AOL

##{ REPTO_419_FRAUD_AOL_LOOSE

meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL_LOOSE 1.000
tflags REPTO_419_FRAUD_AOL_LOOSE publish
##} REPTO_419_FRAUD_AOL_LOOSE

##{ REPTO_419_FRAUD_CNS

header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|l(?:egacylawfirmdakar|ottomaxclaims7)|m(?:iguel\-pinto|orrisherb)|pchonline|t(?:eo\.westin|he\.trustees1?|offoli\.gauthier|rustees202000)|westernunio(?:n1659|payment\.agent0018)))\@consultant\.com$/i
describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_CNS 3.000
tflags REPTO_419_FRAUD_CNS publish
##} REPTO_419_FRAUD_CNS

##{ REPTO_419_FRAUD_GM

header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|12udubello|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|gent\.laryedwad|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|libya5|sdaughter))|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|phabankofgreecerepublic|ure\.wawrenka1472)|m(?:b(?:\.w\.stuart\.symington|assadormarybethleonardl4)|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rew(?:hawkins735|umehunitedbankforafrica)|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|sistance7agent)|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|yevayawovi190|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01)|uknechtk\.shoreline)|bongo593|c0996013|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|rnard\.arnult01|tsyholden940)|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi|ussambairenepatricia)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:ixaseguros9810001|mluba2017|pinolly|r(?:eisu98|twrighttownhomesllc))|bnatm847|claimsa|e(?:da\.ogada77|li(?:cerez|neroullier(?:200|nm)))|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|n(?:chung1011|gsaephanfoundation))|ienk(?:raymond|wongp))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:nellyfrances\.cf|sult(?:matthias|sto\.u)|tactad00[04])|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|u(?:nninghammrssharonloren|stomerservicelacaixa2))|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.(?:loanfirm18|murray202)|ibe718|kaltschmidtmaureend|larbi11|mathers761|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|h(?:ill27676|lexpresscompany176|sdevice)|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomatsshenry))|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|w(?:erneroyer563|ilsonpaul02))|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|owenfrederick|rhamahassan22)|u(?:a1155a|breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|d(?:mundventura689|runity)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:evemusk681|nakgeorge123|zcelic0)|ioncarter\.private)|s(?:sexlss1|therkatherine1960)|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|rahwasam101|tme\.mehmed001)|b(?:589767|lott47)|e(?:deralreservebankdallasdst|lix88995|yzaybrahim)|g0067333|irstbank(?:49(?:666|966)|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|o(?:ropunionbank|undations\.west)|p462558|r(?:a(?:100dub132|n(?:c(?:es(?:\.connelly2|patrickconnolly(?:5050|4))|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|ody2|wangg)|l(?:aurarivera|inpiesie6))))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|n(?:dinternationalmonetary214|gg1w)))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016|yakinson121))|b(?:528796|ill4880)|e(?:n(?:\.ahmedmsksi|eralwilliamstony990)|orge(?:brownhoward02|kwame481)|r(?:aldjhjh11|tjanvlieghe787))|i(?:idp955|lbert12oook|ocastano21)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321)|ritagetrustbank1985)|g(?:8669000|old8080)|heba\.hhassan207|i(?:ldad837|toshurui)|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|orangedor|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:carlos17885|okoh82))|n(?:ahramadanabu|nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c(?:2222222rrr|jgourlt)|e(?:fferydean1960|nn(?:iannjhsonn|ybrown01222)|robtt|ssikasingh4)|j(?:7291634|osvu)|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:a(?:haskel19|thanhaskel377)|esandassociates68|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|y(?:ce00011|mrskone5))|rawlings007|s4fernado|u(?:lie(?:t\.le(?:222|e2222)|watson975)|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|stromjames3|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mckenziejr|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|ndfair\.co\.uk1|onidasresearch|rynne(?:0west99|west(?:2289|5412))|wisrichards378)|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|sa(?:milner001|robin117)|xiung(?:l48|9))|jo(?:bsfoundation|hn6132)|o(?:ganntomas|rrainewirengee|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:\.francco9[14]|a(?:bel\.manaku|ck(?:enzbezos|oliver324)|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00|nnewoosley90)|nacoleman84|opabl26|tinesecurityusa)|k(?:roth456|uses200)|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|s(?:onmanny05|pencer5151)|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz))|xaajn|ydetratt|zerfexi)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|n(?:fin\.gv|tonjustin98)|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|o(?:ham(?:edabdul1717|m(?:adraqab00|daljililati1|edshamekh24))|rienkal30)|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee|tonyelumelu60|wlsonkabore)|7672900|cjames001|d517341|eric(?:franck|schmid4002)|georgeemera|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:isha(?:alqadafi1976|gaddafi62)|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|essicajeffrey3|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|nicolefr1marios|r(?:eem362|obinsanders185|uthsmith9900)|s(?:ar(?:ahbenjamin103|iamirahwulu)|ophiac)|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|vi(?:ktorzubkovv|ncentandrea))|s(?:\.ellagolan56|agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffi(?:c(?:e(?:\.012123|emaill0002|rricherd876|windowterms)|ialserviceuae)|zielllk)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|rabankheadofficelometogo1985|swald\.l(?:\.lewis|ewwis)|xfaminternationa1980)|p(?:a(?:storfrancesco1|tric(?:ia881a|k(?:\.efcc|andfrancessconnolly))|ul(?:eed1969|n8018)|ymentofficer14)|b(?:ph202lay2|rookk0)|e(?:130304|nding(?:redirections|waletsfortrust)|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|illip\.richead218)|i(?:eterstevens511|lz37754)|o(?:lloke|usazgullaume|wellmrwilliam)|r(?:esleybathini1|imecapitalfianceltd|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|sultbox1404|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|i(?:ch(?:a(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|lawandds)|tawilliams4141)|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo|thshoreline))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7|vicperez)|cott(?:henryjames91|peters7989)|e(?:cretservicce[789]|rgeantrobertbrown1|ydouthiebaconsultant)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|i(?:lverlakeconsultant|m(?:lkheng5|onhei47))|l5342743|o(?:fia\.adams201|p(?:adam3|hiajesse41)|u(?:rcingloggs|thwsltd))|p(?:a(?:cex\.inititative|gentrose)|eelman1972)|t(?:anleyjohn1469|e(?:fanopn75|phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy(?:21gill|webster24)|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:am\.spacex02|nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|robins777|zimpro11)|pchronodesk|shikazusendo101)|p2911220|rustfoundationsigridrausing|sfoundation65|tkhan69s)|u(?:ba(?:\.bankofaffican|bank(?:bjplc|headoffice471))|d(?:erleyen52|regwqr)|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|p(?:financeace|jeferrey))|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett(?:398|2))|b(?:271981|6159980|uffetdonationprogram)|c5000dle|d232633|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iam(?:robert3852|smartyrs888)))|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722)|uliiakadulina197)|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##} REPTO_419_FRAUD_GM

##{ REPTO_419_FRAUD_GM_LOOSE

meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM_LOOSE 1.000
tflags REPTO_419_FRAUD_GM_LOOSE publish
##} REPTO_419_FRAUD_GM_LOOSE

##{ REPTO_419_FRAUD_HM

header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|tlancorp|zezul\.idrisazezulidris)|benarnault0|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|homlandsecdept|infos(?:43|8)|jacques\.bouchex|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|imfu201677|ulihongm)|m(?:oneygrampayfund|pay\-live00924|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.(?:chantal_bill|roselinejac)|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|p(?:atrickmullinfinaceservs|owen10001)|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ilvanatenreyrompc|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##} REPTO_419_FRAUD_HM

##{ REPTO_419_FRAUD_OL

header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|a23423|b(?:rahamwilliamsonrpsltduk|s0000200)|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7))|b(?:a(?:rrmarkphillip|sidris)|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk|race\.manonfoundation)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.(?:coraluttah|olhaoschad)|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|p(?:aul\.walter120|hilcohen0012)|qanejmhffgg|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|ilv(?:anatenreyro0|erlakeconsultantllc)|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##} REPTO_419_FRAUD_OL

##{ REPTO_419_FRAUD_PM

header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_PM 3.000
tflags REPTO_419_FRAUD_PM publish
##} REPTO_419_FRAUD_PM

##{ REPTO_419_FRAUD_QQ

header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|qatarfoundation01|sabrinacrawford000|treasury_deptment0|wang_cjianlin))\@qq\.com$/i
describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_QQ 3.000
tflags REPTO_419_FRAUD_QQ publish
##} REPTO_419_FRAUD_QQ

##{ REPTO_419_FRAUD_YH

header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|ilmohammed11|lesiakalina2006|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.dennis11|william_davies))|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|o(?:mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|iaanesoto190|r(?:\.aminramli|_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:aizaadama2016|bicompensation_funds|ederal\.r73)|g(?:ov\.ukmessageboard|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|netemoon150)|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:\.viktorzubkovv|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2)|o(?:biorahkenneth8|fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|serichard655))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|o(?:ftc2|pheap\.munny)|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
##} REPTO_419_FRAUD_YH

##{ REPTO_419_FRAUD_YH_LOOSE

meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH_LOOSE 1.000
tflags REPTO_419_FRAUD_YH_LOOSE publish
##} REPTO_419_FRAUD_YH_LOOSE

##{ REPTO_419_FRAUD_YJ

header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|b(?:arrevansthomas213|ealife4god)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficefile_0112|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YJ 3.000
tflags REPTO_419_FRAUD_YJ publish
##} REPTO_419_FRAUD_YJ

##{ REPTO_419_FRAUD_YN

header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|irenaa\.georgiadou|j(?:efrey\-dean|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\.kongkea|akram\.elkerrami|s(?:\.elizabeth\.graham2022|percy)))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|ri(?:ncedarren0244|vatemail24))|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i
describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YN 3.000
tflags REPTO_419_FRAUD_YN publish
##} REPTO_419_FRAUD_YN

##{ SB_GIF_AND_NO_URIS

meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS

##{ SCC_CANSPAM_2

describe SCC_CANSPAM_2		Interesting compliance language
body	 SCC_CANSPAM_2		/you may unsubscribe by clicking here or by writing to/
##} SCC_CANSPAM_2

##{ SCC_ISEMM_LID_1

describe SCC_ISEMM_LID_1	Fingerprint of a particular spammer using an old spamware
header SCC_ISEMM_LID_1		X-Mailer-LID =~ /54,55,56,58,53/
tflags SCC_ISEMM_LID_1		publish
#score SCC_ISEMM_LID_1		3.5
##} SCC_ISEMM_LID_1

##{ SCC_ISEMM_LID_1B

describe SCC_ISEMM_LID_1B	Genericized spammer fingerprint
header SCC_ISEMM_LID_1B		X-Mailer-LID =~ /(?:[56][0-9],)+/
tflags SCC_ISEMM_LID_1B		publish
#score SCC_ISEMM_LID_1B		1.5
##} SCC_ISEMM_LID_1B

##{ SCC_SPECIAL_GUID

describe  SCC_SPECIAL_GUID      Unique in a similar way
rawbody   SCC_SPECIAL_GUID	/^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\1-[[:xdigit:]]{12}$/m
tflags    SCC_SPECIAL_GUID	publish multiple maxhits=15
##} SCC_SPECIAL_GUID

##{ SCRIPT_GIBBERISH

meta           SCRIPT_GIBBERISH         __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
describe       SCRIPT_GIBBERISH         Nonsense in HTML <SCRIPT> tag
##} SCRIPT_GIBBERISH

##{ SENDGRID_REDIR_PHISH

meta       SENDGRID_REDIR_PHISH        __SENDGRID_REDIR_PHISH
describe   SENDGRID_REDIR_PHISH        Redirect URI via Sendgrid + phishing signs
#score      SENDGRID_REDIR_PHISH        3.500	# limit
tflags     SENDGRID_REDIR_PHISH        publish
##} SENDGRID_REDIR_PHISH

##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
tflags   SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
#score    SEO_SUSP_NTLD 1.2 # limit
endif
endif
##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ SHOPIFY_IMG_NOT_RCVD_SFY

meta       SHOPIFY_IMG_NOT_RCVD_SFY    __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK 
#score      SHOPIFY_IMG_NOT_RCVD_SFY    2.500	# limit
describe   SHOPIFY_IMG_NOT_RCVD_SFY    Shopify hosted image but message not from Shopify
tflags     SHOPIFY_IMG_NOT_RCVD_SFY    publish
##} SHOPIFY_IMG_NOT_RCVD_SFY

##{ SHORTENED_URL_SRC

rawbody	 SHORTENED_URL_SRC	/<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|v\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/
##} SHORTENED_URL_SRC

##{ SHORTENER_SHORT_IMG

meta       SHORTENER_SHORT_IMG         __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
describe   SHORTENER_SHORT_IMG         Short HTML + image + URL shortener
#score      SHORTENER_SHORT_IMG         2.500	# limit
tflags     SHORTENER_SHORT_IMG         publish
##} SHORTENER_SHORT_IMG

##{ SHORT_HELO_AND_INLINE_IMAGE

meta SHORT_HELO_AND_INLINE_IMAGE     (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
describe SHORT_HELO_AND_INLINE_IMAGE    Short HELO string, with inline image
##} SHORT_HELO_AND_INLINE_IMAGE

##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags   SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
#score    SHORT_IMG_SUSP_NTLD 1.5 # limit
endif
endif
##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ SHORT_TERM_PRICE

body SHORT_TERM_PRICE /short\W+term\W+(?:target|projected)(?:\W+price)?/i
##} SHORT_TERM_PRICE

##{ SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta           SHY_OBFU_EXPIRE         __SHY_OBFU_EXPIRE  
  describe       SHY_OBFU_EXPIRE         Obfuscation, probable phishing
#  score          SHY_OBFU_EXPIRE         4.000	# limit
  tflags         SHY_OBFU_EXPIRE         publish
endif
##} SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta           SHY_OBFU_PASSWORD       __SHY_OBFU_PASSWORD
  describe       SHY_OBFU_PASSWORD       Obfuscation, probable phishing
#  score          SHY_OBFU_PASSWORD       4.000	# limit
  tflags         SHY_OBFU_PASSWORD       publish
endif
##} SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ SPAMMY_XMAILER

meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
##} SPAMMY_XMAILER

##{ SPOOFED_FREEMAIL

meta     SPOOFED_FREEMAIL       __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
#score    SPOOFED_FREEMAIL       2.000	# limit
tflags   SPOOFED_FREEMAIL       net
##} SPOOFED_FREEMAIL

##{ SPOOFED_FREEMAIL_NO_RDNS

meta     SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE
describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
#score    SPOOFED_FREEMAIL_NO_RDNS 1.5
##} SPOOFED_FREEMAIL_NO_RDNS

##{ SPOOFED_FREEM_REPTO

meta      SPOOFED_FREEM_REPTO           __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX 
describe  SPOOFED_FREEM_REPTO           Forged freemail sender with freemail reply-to
#score     SPOOFED_FREEM_REPTO           2.500
tflags    SPOOFED_FREEM_REPTO           net publish
##} SPOOFED_FREEM_REPTO

##{ SPOOFED_FREEM_REPTO_CHN

meta      SPOOFED_FREEM_REPTO_CHN       (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
describe  SPOOFED_FREEM_REPTO_CHN       Forged freemail sender with Chinese freemail reply-to
#score     SPOOFED_FREEM_REPTO_CHN       3.500
tflags    SPOOFED_FREEM_REPTO_CHN       net publish
##} SPOOFED_FREEM_REPTO_CHN

##{ SPOOFED_FREEM_REPTO_RUS

meta      SPOOFED_FREEM_REPTO_RUS       (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
describe  SPOOFED_FREEM_REPTO_RUS       Forged freemail sender with Russian freemail reply-to
#score     SPOOFED_FREEM_REPTO_RUS       3.500
tflags    SPOOFED_FREEM_REPTO_RUS       net publish
##} SPOOFED_FREEM_REPTO_RUS

##{ SPOOF_GMAIL_MID

meta     SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID
#score    SPOOF_GMAIL_MID 1.5
describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
##} SPOOF_GMAIL_MID

##{ STATIC_XPRIO_OLE

meta        STATIC_XPRIO_OLE     __STATIC_XPRIO_OLE
describe    STATIC_XPRIO_OLE     Static RDNS + X-Priority + MIMEOLE
#score       STATIC_XPRIO_OLE     2.000   # limit
tflags      STATIC_XPRIO_OLE     publish
##} STATIC_XPRIO_OLE

##{ STOCK_IMG_CTYPE

meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
describe STOCK_IMG_CTYPE  Stock spam image part, with distinctive Content-Type header
##} STOCK_IMG_CTYPE

##{ STOCK_IMG_HDR_FROM

meta STOCK_IMG_HDR_FROM  (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
##} STOCK_IMG_HDR_FROM

##{ STOCK_IMG_HTML

meta STOCK_IMG_HTML  (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
describe STOCK_IMG_HTML   Stock spam image part, with distinctive HTML
##} STOCK_IMG_HTML

##{ STOCK_IMG_OUTLOOK

meta STOCK_IMG_OUTLOOK  (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
describe STOCK_IMG_OUTLOOK  Stock spam image part, with Outlook-like features
##} STOCK_IMG_OUTLOOK

##{ STOCK_PRICES

meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
##} STOCK_PRICES

##{ STOCK_TIP

meta        STOCK_TIP         __STOCK_TIP && !__DKIM_EXISTS 
describe    STOCK_TIP         Stock tips
#score       STOCK_TIP         3.000	# limit
tflags      STOCK_TIP         publish
##} STOCK_TIP

##{ STOX_AND_PRICE

meta STOX_AND_PRICE     CURR_PRICE && STOX_REPLY_TYPE
##} STOX_AND_PRICE

##{ STOX_REPLY_TYPE

header STOX_REPLY_TYPE  Content-Type =~ /text\/plain; .* reply-type=original/
##} STOX_REPLY_TYPE

##{ STOX_REPLY_TYPE_WITHOUT_QUOTES

meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
##} STOX_REPLY_TYPE_WITHOUT_QUOTES

##{ SUBJECT_NEEDS_ENCODING

meta SUBJECT_NEEDS_ENCODING    (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
describe SUBJECT_NEEDS_ENCODING  Subject includes non-encoded illegal characters
##} SUBJECT_NEEDS_ENCODING

##{ SUBJ_ATTENTION

meta        SUBJ_ATTENTION       __SUBJ_ATTENTION && !ALL_TRUSTED
describe    SUBJ_ATTENTION       ATTENTION in Subject
#score       SUBJ_ATTENTION       0.500	# limit
##} SUBJ_ATTENTION

##{ SUBJ_BRKN_WORDNUMS

#score     SUBJ_BRKN_WORDNUMS     1.500	# limit
describe  SUBJ_BRKN_WORDNUMS     Subject contains odd word breaks and numbers
##} SUBJ_BRKN_WORDNUMS

##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta      SUBJ_BRKN_WORDNUMS     __SUBJ_BRKN_WORDNUMS
endif
##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM

ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta      SUBJ_BRKN_WORDNUMS     __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
endif
##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ SUBJ_UNNEEDED_HTML

meta      SUBJ_UNNEEDED_HTML            __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML 
describe  SUBJ_UNNEEDED_HTML            Unneeded HTML formatting in Subject:
##} SUBJ_UNNEEDED_HTML

##{ SUSP_UTF8_WORD_COMBO

meta       SUSP_UTF8_WORD_COMBO        __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 ||  __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY )
describe   SUSP_UTF8_WORD_COMBO        Words using only suspicious UTF-8 characters + other signs
#score      SUSP_UTF8_WORD_COMBO        3.000	# limit
##} SUSP_UTF8_WORD_COMBO

##{ SUSP_UTF8_WORD_FROM

meta       SUSP_UTF8_WORD_FROM         __4BYTE_UTF8_WORD_FROM
describe   SUSP_UTF8_WORD_FROM         Word in From name using only suspicious UTF-8 characters
#score      SUSP_UTF8_WORD_FROM         2.000	# limit
##} SUSP_UTF8_WORD_FROM

##{ SUSP_UTF8_WORD_SUBJ

meta       SUSP_UTF8_WORD_SUBJ         __4BYTE_UTF8_WORD_SUBJ && !__SUBJECT_ENCODED_QP 
describe   SUSP_UTF8_WORD_SUBJ         Word in Subject using only suspicious UTF-8 characters
#score      SUSP_UTF8_WORD_SUBJ         2.000	# limit
##} SUSP_UTF8_WORD_SUBJ

##{ SYSADMIN

meta        SYSADMIN             __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS 
describe    SYSADMIN             Supposedly from your IT department
#score       SYSADMIN             3.500	# limit
tflags      SYSADMIN             publish
##} SYSADMIN

##{ TAGSTAT_IMG_NOT_RCVD_TGST

meta       TAGSTAT_IMG_NOT_RCVD_TGST   __TAGSTAT_IMG_NOT_RCVD_TGST
#score      TAGSTAT_IMG_NOT_RCVD_TGST   2.000  # limit
describe   TAGSTAT_IMG_NOT_RCVD_TGST   Tagstat hosted image but message not from Tagstat
tflags     TAGSTAT_IMG_NOT_RCVD_TGST   publish
##} TAGSTAT_IMG_NOT_RCVD_TGST

##{ TARINGANET_IMG_NOT_RCVD_TN

meta       TARINGANET_IMG_NOT_RCVD_TN    __TARINGANET_IMG_NOT_RCVD_TN
#score      TARINGANET_IMG_NOT_RCVD_TN    2.000  # limit
describe   TARINGANET_IMG_NOT_RCVD_TN    media.taringa.net hosted image but message not from taringa.net
tflags     TARINGANET_IMG_NOT_RCVD_TN    publish
##} TARINGANET_IMG_NOT_RCVD_TN

##{ TBIRD_SUSP_MIME_BDRY

meta           TBIRD_SUSP_MIME_BDRY  __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe       TBIRD_SUSP_MIME_BDRY  Unlikely Thunderbird MIME boundary
##} TBIRD_SUSP_MIME_BDRY

##{ TEQF_USR_IMAGE

meta      TEQF_USR_IMAGE                __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH 
describe  TEQF_USR_IMAGE                To and from user nearly same + image
tflags    TEQF_USR_IMAGE                publish
##} TEQF_USR_IMAGE

##{ TEQF_USR_MSGID_HEX

meta      TEQF_USR_MSGID_HEX            __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
describe  TEQF_USR_MSGID_HEX            To and from user nearly same + unusual message ID
tflags    TEQF_USR_MSGID_HEX            publish
##} TEQF_USR_MSGID_HEX

##{ TEQF_USR_MSGID_MALF

meta      TEQF_USR_MSGID_MALF           __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 
describe  TEQF_USR_MSGID_MALF           To and from user nearly same + malformed message ID
tflags    TEQF_USR_MSGID_MALF           publish
##} TEQF_USR_MSGID_MALF

##{ TEQF_USR_POLITE

meta      TEQF_USR_POLITE               __TO_EQ_FROM_USR_NN && __FRAUD_IRT 
describe  TEQF_USR_POLITE               To and from user nearly same + polite greeting
#score     TEQF_USR_POLITE               2.000	# limit
##} TEQF_USR_POLITE

##{ THEBAT_UNREG

header  THEBAT_UNREG  X-Mailer =~ /^The Bat! .{0,20} UNREG$/
##} THEBAT_UNREG

##{ THIS_AD

meta        THIS_AD           __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD 
describe    THIS_AD           "This ad" and variants
tflags      THIS_AD           publish
##} THIS_AD

##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
tflags   THIS_IS_ADV_SUSP_NTLD publish
describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
#score    THIS_IS_ADV_SUSP_NTLD 1.5 # limit
endif
endif
##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ TONLINE_FAKE_DKIM

meta        TONLINE_FAKE_DKIM          __HDR_RCVD_TONLINEDE && __DKIM_EXISTS 
describe    TONLINE_FAKE_DKIM          t-online.de doesn't do DKIM
#score       TONLINE_FAKE_DKIM          3.000	# limit
tflags      TONLINE_FAKE_DKIM          publish
##} TONLINE_FAKE_DKIM

##{ TO_EQ_FM_DIRECT_MX

meta           TO_EQ_FM_DIRECT_MX   __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED 
describe       TO_EQ_FM_DIRECT_MX   To == From and direct-to-MX
#score          TO_EQ_FM_DIRECT_MX   2.500	# limit
tflags         TO_EQ_FM_DIRECT_MX   publish
##} TO_EQ_FM_DIRECT_MX

##{ TO_EQ_FM_DOM_HTML_IMG

meta           TO_EQ_FM_DOM_HTML_IMG    __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
describe       TO_EQ_FM_DOM_HTML_IMG    To domain == From domain and HTML image link
##} TO_EQ_FM_DOM_HTML_IMG

##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           TO_EQ_FM_DOM_SPF_FAIL    __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
  describe       TO_EQ_FM_DOM_SPF_FAIL    To domain == From domain and external SPF failed
  tflags         TO_EQ_FM_DOM_SPF_FAIL    net
endif
##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF

##{ TO_EQ_FM_HTML_ONLY

meta           TO_EQ_FM_HTML_ONLY   __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
describe       TO_EQ_FM_HTML_ONLY   To == From and HTML only
##} TO_EQ_FM_HTML_ONLY

##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           TO_EQ_FM_SPF_FAIL    __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
  describe       TO_EQ_FM_SPF_FAIL    To == From and external SPF failed
  tflags         TO_EQ_FM_SPF_FAIL    net
endif
##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF

##{ TO_IN_SUBJ

meta           TO_IN_SUBJ           __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe       TO_IN_SUBJ           To address is in Subject
tflags         TO_IN_SUBJ           publish
#score          TO_IN_SUBJ           0.1
##} TO_IN_SUBJ

##{ TO_NAME_SUBJ_NO_RDNS

meta       TO_NAME_SUBJ_NO_RDNS        LOCALPART_IN_SUBJECT && __RDNS_NONE 
describe   TO_NAME_SUBJ_NO_RDNS        Recipient username in subject + no rDNS
#score      TO_NAME_SUBJ_NO_RDNS        3.000	# limit
tflags     TO_NAME_SUBJ_NO_RDNS        publish
##} TO_NAME_SUBJ_NO_RDNS

##{ TO_NO_BRKTS_FROM_MSSP

meta       TO_NO_BRKTS_FROM_MSSP     __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER 
#score      TO_NO_BRKTS_FROM_MSSP     2.50	# max
describe   TO_NO_BRKTS_FROM_MSSP     Multiple header formatting problems
##} TO_NO_BRKTS_FROM_MSSP

##{ TO_NO_BRKTS_HTML_IMG

meta       TO_NO_BRKTS_HTML_IMG    __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE 
describe   TO_NO_BRKTS_HTML_IMG    To: lacks brackets and HTML and one image
#score      TO_NO_BRKTS_HTML_IMG    2.000   # limit
tflags     TO_NO_BRKTS_HTML_IMG    publish
##} TO_NO_BRKTS_HTML_IMG

##{ TO_NO_BRKTS_HTML_ONLY

meta       TO_NO_BRKTS_HTML_ONLY   __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH 
#score      TO_NO_BRKTS_HTML_ONLY   2.00	# limit
describe   TO_NO_BRKTS_HTML_ONLY   To: lacks brackets and HTML only
tflags     TO_NO_BRKTS_HTML_ONLY   publish
##} TO_NO_BRKTS_HTML_ONLY

##{ TO_NO_BRKTS_MSFT

meta       TO_NO_BRKTS_MSFT         __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD
describe   TO_NO_BRKTS_MSFT         To: lacks brackets and supposed Microsoft tool
#score      TO_NO_BRKTS_MSFT         2.50	# limit
##} TO_NO_BRKTS_MSFT

##{ TO_NO_BRKTS_NORDNS_HTML

meta       TO_NO_BRKTS_NORDNS_HTML      __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS 
#score      TO_NO_BRKTS_NORDNS_HTML      2.00	# limit
describe   TO_NO_BRKTS_NORDNS_HTML      To: lacks brackets and no rDNS and HTML only
tflags     TO_NO_BRKTS_NORDNS_HTML      publish
##} TO_NO_BRKTS_NORDNS_HTML

##{ TO_NO_BRKTS_PCNT

meta       TO_NO_BRKTS_PCNT         __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED 
describe   TO_NO_BRKTS_PCNT         To: lacks brackets + percentage
#score      TO_NO_BRKTS_PCNT         2.50	# limit
tflags     TO_NO_BRKTS_PCNT         publish
##} TO_NO_BRKTS_PCNT

##{ TO_TOO_MANY_WFH_01

meta       TO_TOO_MANY_WFH_01          __TO_TOO_MANY_WFH_01
describe   TO_TOO_MANY_WFH_01          Work-from-Home + many recipients
tflags     TO_TOO_MANY_WFH_01          publish
##} TO_TOO_MANY_WFH_01

##{ TT_MSGID_TRUNC

header TT_MSGID_TRUNC   Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
##} TT_MSGID_TRUNC

##{ TT_OBSCURED_VALIUM

meta TT_OBSCURED_VALIUM         ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
describe TT_OBSCURED_VALIUM     Scora: obscured "VALIUM" in subject
##} TT_OBSCURED_VALIUM

##{ TT_OBSCURED_VIAGRA

meta TT_OBSCURED_VIAGRA         ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
describe TT_OBSCURED_VIAGRA     Scora: obscured "VIAGRA" in subject
##} TT_OBSCURED_VIAGRA

##{ TVD_ACT_193

body TVD_ACT_193                /\bact of (?:193|nineteen thirty)/i
describe TVD_ACT_193            Message refers to an act passed in the 1930s
##} TVD_ACT_193

##{ TVD_APPROVED

body TVD_APPROVED               /you.{1,2}re .{0,20}approved/i
describe TVD_APPROVED           Body states that the recipient has been approved
##} TVD_APPROVED

##{ TVD_DEAR_HOMEOWNER

body TVD_DEAR_HOMEOWNER         /^dear homeowner/i
describe TVD_DEAR_HOMEOWNER     Spam with generic salutation of "dear homeowner"
##} TVD_DEAR_HOMEOWNER

##{ TVD_EB_PHISH

meta TVD_EB_PHISH	__FROM_EBAY && NORMAL_HTTP_TO_IP
##} TVD_EB_PHISH

##{ TVD_ENVFROM_APOST

header TVD_ENVFROM_APOST        EnvelopeFrom =~ /\'/
describe TVD_ENVFROM_APOST      Envelope From contains single-quote
##} TVD_ENVFROM_APOST

##{ TVD_FINGER_02

header TVD_FINGER_02    Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
##} TVD_FINGER_02

##{ TVD_FLOAT_GENERAL

rawbody TVD_FLOAT_GENERAL       /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
describe TVD_FLOAT_GENERAL      Message uses CSS float style
##} TVD_FLOAT_GENERAL

##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_DEGREE   /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
describe TVD_FUZZY_DEGREE  Obfuscation of the word "degree"
endif
##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_FINANCE  /(?!finance)<F><I><N><A><N><C><E>/i
describe TVD_FUZZY_FINANCE  Obfuscation of the word "finance"
endif
##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_FIXED_RATE       /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
describe TVD_FUZZY_FIXED_RATE   Obfuscation of the phrase "fixed rate"
endif
##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
describe TVD_FUZZY_MICROCAP  Obfuscation of the word "micro-cap"
endif
##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_PHARMACEUTICAL   /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
describe TVD_FUZZY_PHARMACEUTICAL  Obfuscation of the word "pharmaceutical"
endif
##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body TVD_FUZZY_SYMBOL   /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i
describe TVD_FUZZY_SYMBOL  Obfuscation of the word "symbol"
endif
##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader TVD_FW_GRAPHIC_NAME_LONG     Content-Type =~ /\bname="[a-z]{8,}\.gif/
describe   TVD_FW_GRAPHIC_NAME_LONG     Long image attachment name
endif
##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader TVD_FW_GRAPHIC_NAME_MID      Content-Type =~ /\bname="[a-z]{6,7}\.gif/
describe   TVD_FW_GRAPHIC_NAME_MID      Medium sized image attachment name
endif
##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ TVD_INCREASE_SIZE

body TVD_INCREASE_SIZE          /\bsize of .{1,20}(?:penis|dick|manhood)/i
describe TVD_INCREASE_SIZE      Advertising for penis enlargement
##} TVD_INCREASE_SIZE

##{ TVD_LINK_SAVE

body TVD_LINK_SAVE              /\blink to save\b/i
describe TVD_LINK_SAVE          Spam with the text "link to save"
##} TVD_LINK_SAVE

##{ TVD_PH_BODY_ACCOUNTS_PRE

meta TVD_PH_BODY_ACCOUNTS_PRE		__TVD_PH_BODY_ACCOUNTS_PRE
describe TVD_PH_BODY_ACCOUNTS_PRE	The body matches phrases such as "accounts suspended", "account credited", "account verification"
##} TVD_PH_BODY_ACCOUNTS_PRE

##{ TVD_PH_REC

body TVD_PH_REC		/\byour .{0,40}account .{0,40}record/i
describe TVD_PH_REC	Message includes a phrase commonly used in phishing mails
##} TVD_PH_REC

##{ TVD_PH_SEC

body TVD_PH_SEC		/\byour .{0,40}account .{0,40}security/i
describe TVD_PH_SEC	Message includes a phrase commonly used in phishing mails
##} TVD_PH_SEC

##{ TVD_PP_PHISH

meta TVD_PP_PHISH	__FROM_PAYPAL && NORMAL_HTTP_TO_IP
##} TVD_PP_PHISH

##{ TVD_QUAL_MEDS

body TVD_QUAL_MEDS              /\bquality med(?:ication)?s\b/i
describe TVD_QUAL_MEDS          The body matches phrases such as "quality meds" or "quality medication"
##} TVD_QUAL_MEDS

##{ TVD_RATWARE_CB

header TVD_RATWARE_CB           Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
describe TVD_RATWARE_CB         Content-Type header that is commonly indicative of ratware
##} TVD_RATWARE_CB

##{ TVD_RATWARE_CB_2

header TVD_RATWARE_CB_2         Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
describe TVD_RATWARE_CB_2       Content-Type header that is commonly indicative of ratware
##} TVD_RATWARE_CB_2

##{ TVD_RATWARE_MSGID_02

header TVD_RATWARE_MSGID_02     Message-ID =~ /^[^<]*<[a-z]+\@/
describe TVD_RATWARE_MSGID_02   Ratware with a Message-ID header that is entirely lower-case
##} TVD_RATWARE_MSGID_02

##{ TVD_RCVD_IP

header TVD_RCVD_IP  Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
describe TVD_RCVD_IP  Message was received from an IP address
##} TVD_RCVD_IP

##{ TVD_RCVD_IP4

header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
describe TVD_RCVD_IP4  Message was received from an IPv4 address
##} TVD_RCVD_IP4

##{ TVD_RCVD_SPACE_BRACKET

header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i
##} TVD_RCVD_SPACE_BRACKET

##{ TVD_SECTION

body TVD_SECTION                /\bSection (?:27A|21B)/i
describe TVD_SECTION            References to specific legal codes
##} TVD_SECTION

##{ TVD_SILLY_URI_OBFU

body TVD_SILLY_URI_OBFU         m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
describe TVD_SILLY_URI_OBFU     URI obfuscation that can fool a URIBL or a uri rule
##} TVD_SILLY_URI_OBFU

##{ TVD_SPACED_SUBJECT_WORD3

header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
describe TVD_SPACED_SUBJECT_WORD3  Entire subject is "UPPERlowerUPPER" with no whitespace
##} TVD_SPACED_SUBJECT_WORD3

##{ TVD_SPACE_ENCODED

meta        TVD_SPACE_ENCODED      __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
#score       TVD_SPACE_ENCODED      2.500   # limit
describe    TVD_SPACE_ENCODED      Space ratio & encoded subject
##} TVD_SPACE_ENCODED

##{ TVD_SPACE_RATIO_MINFP

meta        TVD_SPACE_RATIO_MINFP  __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL 
#score       TVD_SPACE_RATIO_MINFP  2.500   # limit
describe    TVD_SPACE_RATIO_MINFP  Space ratio (vertical text obfuscation?)
##} TVD_SPACE_RATIO_MINFP

##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval

ifplugin Mail::SpamAssassin::Plugin::BodyEval
body TVD_STOCK1    eval:check_stock_info('2')
describe TVD_STOCK1  Spam related to stock trading
endif
##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval

##{ TVD_SUBJ_ACC_NUM

header	TVD_SUBJ_ACC_NUM	Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
describe TVD_SUBJ_ACC_NUM	Subject has spammy looking monetary reference
##} TVD_SUBJ_ACC_NUM

##{ TVD_SUBJ_FINGER_03

header TVD_SUBJ_FINGER_03       Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
describe TVD_SUBJ_FINGER_03     Entire subject is enclosed in asterisks "* like so *"
##} TVD_SUBJ_FINGER_03

##{ TVD_SUBJ_OWE

header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
describe TVD_SUBJ_OWE  Subject line states that the recipieint is in debt
##} TVD_SUBJ_OWE

##{ TVD_SUBJ_WIPE_DEBT

header TVD_SUBJ_WIPE_DEBT       Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
describe TVD_SUBJ_WIPE_DEBT     Spam advertising a way to eliminate debt
##} TVD_SUBJ_WIPE_DEBT

##{ TVD_VISIT_PHARMA

body TVD_VISIT_PHARMA           /Online Ph.rmacy/i
describe TVD_VISIT_PHARMA       Body mentions online pharmacy
##} TVD_VISIT_PHARMA

##{ TVD_VIS_HIDDEN

rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
describe TVD_VIS_HIDDEN Invisible textarea HTML tags
##} TVD_VIS_HIDDEN

##{ TW_GIBBERISH_MANY

meta           TW_GIBBERISH_MANY      __TENWORD_GIBBERISH > 20
describe       TW_GIBBERISH_MANY      Lots of gibberish text to spoof pattern matching filters
#score          TW_GIBBERISH_MANY      2.000   # limit
tflags         TW_GIBBERISH_MANY      publish
##} TW_GIBBERISH_MANY

##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
	meta         T_ACH_CANCELLED_EXE   __ACH_CANCELLED_EXE
	describe     T_ACH_CANCELLED_EXE   "ACH cancelled" probable malware
endif
##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        T_ANY_PILL_PRICE         (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
  describe    T_ANY_PILL_PRICE         Prices for pills
endif
##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   T_CDISP_SZ_MANY      Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
  describe     T_CDISP_SZ_MANY      Suspicious MIME header
#  score        T_CDISP_SZ_MANY      2.0  # limit
endif
##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         T_CTE_BAS64           __CTE_BAS64
  describe     T_CTE_BAS64           Malformated Content-Type-Encoding
#  score        T_CTE_BAS64           2.000	# limit
  tflags       T_CTE_BAS64           publish
endif
##} T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         T_CTYPE_NULL          __CTYPE_NULL
  describe     T_CTYPE_NULL          Malformed Content-Type header
endif
##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval

ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header   T_DATE_IN_FUTURE_Q_PLUS  eval:check_for_shifted_date('2920', 'undef')
describe T_DATE_IN_FUTURE_Q_PLUS  Date: is over 4 months after Received: date
endif
##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval

##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         T_DOC_ATTACH_NO_EXT   __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
  describe     T_DOC_ATTACH_NO_EXT   Document attachment with suspicious name
endif
##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_DOS_OUTLOOK_TO_MX_IMAGE

meta T_DOS_OUTLOOK_TO_MX_IMAGE		__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe T_DOS_OUTLOOK_TO_MX_IMAGE	Direct to MX with Outlook headers and an image
##} T_DOS_OUTLOOK_TO_MX_IMAGE

##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    T_DOS_ZIP_HARDCORE        Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
  describe      T_DOS_ZIP_HARDCORE        hardcore.zip file attached; quite certainly a virus
#  score         T_DOS_ZIP_HARDCORE        2.5
endif
##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE
describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER
#score    T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit
endif
endif
##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_FILL_THIS_FORM_FRAUD_PHISH     __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO 
  describe T_FILL_THIS_FORM_FRAUD_PHISH     Answer suspicious question(s)
endif
##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_FILL_THIS_FORM_LOAN            __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
  describe T_FILL_THIS_FORM_LOAN            Answer loan question(s)
#  score    T_FILL_THIS_FORM_LOAN            2.0
endif
##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_FILL_THIS_FORM_SHORT           __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
  describe T_FILL_THIS_FORM_SHORT           Fill in a short form with personal information
#  score    T_FILL_THIS_FORM_SHORT           1.00	# limit
endif
##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo

ifplugin Mail::SpamAssassin::Plugin::ImageInfo
  meta       T_FORGED_TBIRD_IMG_SIZE   __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
  describe   T_FORGED_TBIRD_IMG_SIZE   Likely forged Thunderbird image spam
endif
##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo

##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         T_FREEMAIL_DOC_PDF       __FREEMAIL_DOC_PDF
  describe     T_FREEMAIL_DOC_PDF       MS document or PDF attachment, from freemail
endif
##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         T_FREEMAIL_DOC_PDF_BCC   __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
  describe     T_FREEMAIL_DOC_PDF_BCC   MS document or PDF attachment, from freemail, all recipients hidden
endif
##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         T_FREEMAIL_RVW_ATTCH     (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
  describe     T_FREEMAIL_RVW_ATTCH     Please review attached document, from freemail
endif
##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
meta     T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
describe T_FROMNAME_EQUALS_TO From:name matches To:
#score    T_FROMNAME_EQUALS_TO 1.0
tflags   T_FROMNAME_EQUALS_TO publish
endif
##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
meta     T_FROMNAME_SPOOFED_EMAIL  (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
#score    T_FROMNAME_SPOOFED_EMAIL 0.3
tflags   T_FROMNAME_SPOOFED_EMAIL publish
endif
##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  meta       T_FROM_MULTI_SHORT_IMG     __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY 
  describe   T_FROM_MULTI_SHORT_IMG     Multiple From addresses + short message with image
endif
##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           T_FUZZY_OPTOUT             /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i
  describe       T_FUZZY_OPTOUT             Obfuscated opt-out text
endif
##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i
endif
##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
    meta     T_GB_FREEM_FROM_NOT_REPLY    ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
    describe T_GB_FREEM_FROM_NOT_REPLY    From: and Reply-To: have different freemail domains
#    score    T_GB_FREEM_FROM_NOT_REPLY    1.500 # limit
    tflags   T_GB_FREEM_FROM_NOT_REPLY    publish
endif
endif
##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  meta      T_GB_FROMNAME_SPOOFED_EMAIL_IP  ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
  describe  T_GB_FROMNAME_SPOOFED_EMAIL_IP  From:name looks like a spoofed email from a spoofed ip
#  score     T_GB_FROMNAME_SPOOFED_EMAIL_IP  0.50 # limit
  tflags    T_GB_FROMNAME_SPOOFED_EMAIL_IP  publish
endif
##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof

##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta            T_GB_WEBFORM              ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM )
  describe        T_GB_WEBFORM              Webform with url shortener
#  score           T_GB_WEBFORM              1.500 # limit
endif
##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  uri           T_GB_YOUTUBE_EMAIL m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i
  describe      T_GB_YOUTUBE_EMAIL Youtube attribution links abuse
#  score         T_GB_YOUTUBE_EMAIL 2.000 # limit
endif
endif
##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)

##{ T_HDRS_LCASE

describe       T_HDRS_LCASE            Odd capitalization of message header
#score          T_HDRS_LCASE            0.10	# limit
##} T_HDRS_LCASE

##{ T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)

if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
  meta         T_HDRS_LCASE            __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)

##{ T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         T_HDRS_LCASE            __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail

##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
  meta		T_HK_NAME_FM_FROM		__HK_NAME_FROM && FREEMAIL_FROM
#  score		T_HK_NAME_FM_FROM		1.5
endif
endif
##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
  meta		T_HK_NAME_FM_MR_MRS	__HK_NAME_MR_MRS && FREEMAIL_FROM
#  score		T_HK_NAME_FM_MR_MRS	1.5
endif
endif
##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
  meta		T_HK_NAME_FROM		__HK_NAME_FROM && !FREEMAIL_FROM
#  score		T_HK_NAME_FROM		1.0
endif
endif
##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)

##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta		T_HK_SPAMMY_FILENAME	__HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
endif
##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         T_HTML_ATTACH         __HTML_ATTACH_01 || __HTML_ATTACH_02
  describe     T_HTML_ATTACH         HTML attachment to bypass scanning?
endif
##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         T_ISO_ATTACH          __ISO_ATTACH || __ISO_ATTACH_MT
  describe     T_ISO_ATTACH          ISO attachment - possible malware delivery
#  score        T_ISO_ATTACH          3.000	# limit
endif
##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
meta		T_KAM_HTML_FONT_INVALID		__KAM_HTML_FONT_INVALID
describe 	T_KAM_HTML_FONT_INVALID		Test for Invalidly Named or Formatted Colors in HTML
#score		T_KAM_HTML_FONT_INVALID		0.1
endif
##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval

##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
   meta        T_LARGE_PCT_AFTER_MANY   __LARGE_PERCENT_AFTER > 3
   describe    T_LARGE_PCT_AFTER_MANY   Many large percentages after...
endif
##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_LFUZ_PWRMALE       /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i
endif
##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_LOTTO_AGENT_FM

header   T_LOTTO_AGENT_FM   From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
describe T_LOTTO_AGENT_FM   Claims Agent
##} T_LOTTO_AGENT_FM

##{ T_LOTTO_AGENT_RPLY

meta     T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG
describe T_LOTTO_AGENT_RPLY Claims Agent
##} T_LOTTO_AGENT_RPLY

##{ T_LOTTO_URI

uri      T_LOTTO_URI       /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i
describe T_LOTTO_URI       Claims Department URL
##} T_LOTTO_URI

##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        T_MANY_PILL_PRICE        (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
  describe    T_MANY_PILL_PRICE        Prices for many pills
endif
##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_MIME_MALF if (version >= 3.004000)

if (version >= 3.004000)
	meta        T_MIME_MALF        __MIME_MALF && !ALL_TRUSTED
	describe    T_MIME_MALF        Malformed MIME: headers in body
#	score       T_MIME_MALF        2.00	# limit
endif
##} T_MIME_MALF if (version >= 3.004000)

##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_MONEY_PERCENT    LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY)
  describe T_MONEY_PERCENT    X% of a lot of money for you
endif
##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         T_OBFU_ATTACH_MISSP   __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
  describe     T_OBFU_ATTACH_MISSP   Obfuscated attachment type and misspaced From
endif
##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   T_OBFU_DOC_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
  describe     T_OBFU_DOC_ATTACH     MS Document attachment with generic MIME type
endif
##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   T_OBFU_GIF_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
  describe     T_OBFU_GIF_ATTACH     GIF attachment with generic MIME type
endif
##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   T_OBFU_HTML_ATTACH    Content-Type =~ m,\bapplication/octet-stream\b.+\.[a-z]?html?\b,i
  describe     T_OBFU_HTML_ATTACH    HTML attachment with non-text MIME type
endif
##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         T_OBFU_HTML_ATT_MALW  __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
  describe     T_OBFU_HTML_ATT_MALW  HTML attachment with incorrect MIME type - possible malware
endif
##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   T_OBFU_JPG_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
  describe     T_OBFU_JPG_ATTACH     JPG attachment with generic MIME type
endif
##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   T_OBFU_PDF_ATTACH     Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
  describe     T_OBFU_PDF_ATTACH     PDF attachment with generic MIME type
endif
##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe T_OFFER_ONLY_AMERICA Offer only available to US
#score    T_OFFER_ONLY_AMERICA 2.0 # limit
endif
endif
##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
  describe T_PDS_BTC_AHACKER Bitcoin Hacker
#  score    T_PDS_BTC_AHACKER 3.0 # limit
endif
##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
  describe T_PDS_BTC_HACKER Bitcoin Hacker
#  score    T_PDS_BTC_HACKER 2.0 # limit
endif
##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
describe T_PDS_BTC_NTLD Bitcoin suspect NTLD
#score    T_PDS_BTC_NTLD 2.0 # limit
endif
endif
##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener 
#score    T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit
endif
endif
##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
#score    T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
endif
endif
##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
#score    T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
endif
endif
##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
  describe T_PDS_LTC_AHACKER Litecoin Hacker
#  score    T_PDS_LTC_AHACKER 3.0 # limit
endif
##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
  describe T_PDS_LTC_HACKER Litecoin Hacker
#  score    T_PDS_LTC_HACKER 2.0 # limit
endif
##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
#score    T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit
endif
endif
##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
#score    T_PDS_PRO_TLD 1.0
describe T_PDS_PRO_TLD .pro TLD
endif
endif
##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener
#score    T_PDS_SHORTFWD_URISHRT 1.5 # limit
endif
endif
##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512
describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
#score    T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit
endif
endif
##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP
describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
#score    T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit
endif
endif
##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP)
#score    T_PDS_SHORT_SPOOFED_URL 2.0
endif
endif
##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener
#score    T_PDS_TINYSUBJ_URISHRT 1.5 # limit
endif
endif
##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  meta       T_PDS_TO_EQ_FROM_NAME      (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER 
  describe   T_PDS_TO_EQ_FROM_NAME      From: name same as To: address
endif
##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)

##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024
describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject
#score    T_PDS_URISHRT_LOCALPART_SUBJ 1.0
endif
endif
##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       T_PHOTO_EDITING_DIRECT       (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
  describe   T_PHOTO_EDITING_DIRECT       Image editing service, direct to MX
#  score      T_PHOTO_EDITING_DIRECT       3.000	# limit
endif
##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       T_PHOTO_EDITING_FREEM        __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
  describe   T_PHOTO_EDITING_FREEM        Image editing service, freemail or CHN replyto
#  score      T_PHOTO_EDITING_FREEM        3.750	# limit
endif
##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
  meta	T_REMOTE_IMAGE	__REMOTE_IMAGE
  describe T_REMOTE_IMAGE	Message contains an external image
endif
##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {

##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta		T_SCC_BOGUS_CTE_1	__SCC_BOGUS_CTE_1
describe	T_SCC_BOGUS_CTE_1	Bogus Content-Transfer-Encoding header
tflags		T_SCC_BOGUS_CTE_1 publish
endif
##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
describe	T_SCC_CTMPP	Uncommon Content-Type
meta		T_SCC_CTMPP	__SCC_CTMPP
tflags		T_SCC_CTMPP	publish
endif
##} T_SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
describe T_SENT_TO_EMAIL_ADDR Email was sent to email address
#score    T_SENT_TO_EMAIL_ADDR 2.0 # limit
endif
endif
##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ T_SHARE_50_50

meta     T_SHARE_50_50     (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY
describe T_SHARE_50_50     Share the money 50/50
##} T_SHARE_50_50

##{ T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE
describe T_SHORT_SHORTNER Short body with little more than a link to a shortener
#score    T_SHORT_SHORTNER 2.0 # limit
endif
endif
##} T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      T_STY_INVIS_DIRECT              __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK && !__USING_VERP1 && !__HAS_X_ENTITY_ID && !__RCD_RDNS_SMTP_MESSY && !__RDNS_STATIC 
  describe  T_STY_INVIS_DIRECT              HTML hidden text + direct-to-MX
#  score     T_STY_INVIS_DIRECT              2.500	# limit
endif
##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
#score    T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
endif
endif
##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT
describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local
#score    T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit
endif
endif
##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024
describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local
#score    T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit
endif
endif
##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_TVD_FUZZY_SECTOR   /(?!sector)<S><E><C><T><O><R>/i
endif
##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body T_TVD_FUZZY_SECURITIES       /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i
endif
##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader T_TVD_FW_GRAPHIC_ID2   Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/
endif
##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body T_TVD_MIME_EPI             eval:check_msg_parse_flags('mime_epilogue_exists')
endif
##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body T_TVD_MIME_NO_HEADERS      eval:check_msg_parse_flags('missing_mime_headers')
endif
##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ T_URI_GOOG_STO_SUBD_SPAMMY

uri T_URI_GOOG_STO_SUBD_SPAMMY m;^https?://(?:(?:0(?:000000000000000000000000000000000007|48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|89409404gdfg8401008gfd041087pioazsq56|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9(?:0845045041587041078491540894048940489451000|c32d4d56b8ac7eb1296)|a(?:1discover|4301cda1e5c450bab01|b__________mail_____oo|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:l(?:_in_one_089498489045187410102003097841202|iedtrust7?)|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:_________mail____000|fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|i(?:o_mailpro_bulkmail\-2024___________w87x5230_8940152|rcaknee0)|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s_(?:___mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|g08zr7h48z6rt4hrzj74098j9r70j4894tj\-05hj6z(?:\-2024)?)|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|o(?:get1___bulkmail_trk_ses_984605129865_0|tectsecurity))|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|d(?:___mailweb|fgwsd74fg)|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s)|s(?:_trkg___mailbulkform\-045160d5h4fg8_______1jg20xxx|traking_____gmailbulk____tkn\-fkk_209041))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|mail_blackfriday__bigusamail_2024\-f084sf|o(?:lbeam004|uthbeach(?:001|skin))|p(?:_trk_in_ses_mimogoodafterj56h6gd__2000_5|reader35)|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|k_mailpro\-bulkmail\-trkngnum89fs64g5\-usa__hallowen|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))\.storage\.googleapis\.com/;i
describe T_URI_GOOG_STO_SUBD_SPAMMY Link to spammy content hosted by google storage
#score T_URI_GOOG_STO_SUBD_SPAMMY 3.000
tflags T_URI_GOOG_STO_SUBD_SPAMMY publish
##} T_URI_GOOG_STO_SUBD_SPAMMY

##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta       T_WON_MONEY_ATTACH   __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH)
  describe   T_WON_MONEY_ATTACH   You won lots of money! See attachment.
endif
##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta       T_WON_NBDY_ATTACH    __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH)
  describe   T_WON_NBDY_ATTACH    You won lots of money! See attachment.
endif
##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     T_XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER
describe T_XPRIO_URL_SHORTNER X-Priority header and short URL
#score    T_XPRIO_URL_SHORTNER 1.0 # limit
endif
endif
##} T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       T_ZW_OBFU_BITCOIN            __UNICODE_OBFU_ZW && __BITCOIN_ID
  describe   T_ZW_OBFU_BITCOIN            Obfuscated text + bitcoin ID - possible extortion
#  score      T_ZW_OBFU_BITCOIN            2.500	# limit
endif
##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       T_ZW_OBFU_FREEM              __UNICODE_OBFU_ZW && __freemail_hdr_replyto 
  describe   T_ZW_OBFU_FREEM              Obfuscated text + freemail
#  score      T_ZW_OBFU_FREEM              2.000	# limit
endif
##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       T_ZW_OBFU_FROMTOSUBJ         __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ 
  describe   T_ZW_OBFU_FROMTOSUBJ         Obfuscated text + from in to and subject
#  score      T_ZW_OBFU_FROMTOSUBJ         2.000	# limit
endif
##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ UC_GIBBERISH_OBFU

meta        UC_GIBBERISH_OBFU  (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
describe    UC_GIBBERISH_OBFU  Multiple instances of "word VERYLONGGIBBERISH word"
#score       UC_GIBBERISH_OBFU  3.000	# Limit
tflags      UC_GIBBERISH_OBFU  publish
##} UC_GIBBERISH_OBFU

##{ UNDISC_FREEM

meta       UNDISC_FREEM                __UNDISC_FREEM
describe   UNDISC_FREEM                Undisclosed recipients + freemail reply-to
tflags     UNDISC_FREEM                publish
##} UNDISC_FREEM

##{ UNDISC_MONEY

meta       UNDISC_MONEY                __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
describe   UNDISC_MONEY                Undisclosed recipients + money/fraud signs
tflags     UNDISC_MONEY                publish
##} UNDISC_MONEY

##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       UNICODE_OBFU_ASC           __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
  describe   UNICODE_OBFU_ASC           Obfuscating text with unicode
#  score      UNICODE_OBFU_ASC           2.500	# limit
  tflags     UNICODE_OBFU_ASC           publish
endif
##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       UNICODE_OBFU_ZW            __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS 
  describe   UNICODE_OBFU_ZW            Obfuscating text with hidden characters
#  score      UNICODE_OBFU_ZW            3.500	# limit
  tflags     UNICODE_OBFU_ZW            publish
endif
##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       UNICODE_OBFU_ZW_MANY       __UNICODE_OBFU_ZW_10 && !__RCD_RDNS_MAIL_MESSY
  describe   UNICODE_OBFU_ZW_MANY       Heavily obfuscating text with hidden characters
#  score      UNICODE_OBFU_ZW_MANY       3.000	# limit
  tflags     UNICODE_OBFU_ZW_MANY       publish
endif
##} UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ UNICODE_RTL_OBFU

meta        UNICODE_RTL_OBFU           __UNICODE_RTL_OBFU
describe    UNICODE_RTL_OBFU           Word obfuscation using Unicode right-to-left markers
#score       UNICODE_RTL_OBFU           1.500	# limit
tflags      UNICODE_RTL_OBFU           publish
##} UNICODE_RTL_OBFU

##{ UNSUB_GOOG_FORM

meta        UNSUB_GOOG_FORM      __UNSUB_GOOG_FORM
describe    UNSUB_GOOG_FORM      Unsubscribe via Google Docs form
#score       UNSUB_GOOG_FORM      2.500	# limit
tflags      UNSUB_GOOG_FORM      publish
##} UNSUB_GOOG_FORM

##{ UPPERCASE_URI

uri	 UPPERCASE_URI	/^[^:A-Z]+[A-Z][a-zA-Z]*:/
describe UPPERCASE_URI	Link protocol has unexpected mixed case
##} UPPERCASE_URI

##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub URIBL_RHS_DOB         dob.sibl.support-intelligence.net  A   2
body URIBL_RHS_DOB              eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB            net
endif
##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

##{ URI_ADOBESPARK

meta       URI_ADOBESPARK              __URI_ADOBESPARK
#score      URI_ADOBESPARK              3.500	# limit
tflags     URI_ADOBESPARK              publish
##} URI_ADOBESPARK

##{ URI_AZURE_CLOUDAPP

meta       URI_AZURE_CLOUDAPP          __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
describe   URI_AZURE_CLOUDAPP          Link to hosted azure web application, possible phishing
#score      URI_AZURE_CLOUDAPP          3.000	# limit
tflags     URI_AZURE_CLOUDAPP          publish
##} URI_AZURE_CLOUDAPP

##{ URI_BUFFLY

meta       URI_BUFFLY                  __URI_BUFFLY && !__DOS_HAS_LIST_UNSUB
describe   URI_BUFFLY                  buff.ly redirector URI
#score      URI_BUFFLY                  2.000	# limit
##} URI_BUFFLY

##{ URI_CLOUDFLAREIPFS

meta        URI_CLOUDFLAREIPFS         __URI_CLOUDFLAREIPFS
describe    URI_CLOUDFLAREIPFS         References Interplanetary File System PtP content via CloudFlare, likely phishing
#score       URI_CLOUDFLAREIPFS         3.500	# limit
tflags      URI_CLOUDFLAREIPFS         publish
##} URI_CLOUDFLAREIPFS

##{ URI_DASHGOVEDU

meta       URI_DASHGOVEDU              __URI_DASHGOVEDU
describe   URI_DASHGOVEDU              Suspicious domain name
#score      URI_DASHGOVEDU              3.500	# limit
tflags     URI_DASHGOVEDU              publish
##} URI_DASHGOVEDU

##{ URI_DATA

meta        URI_DATA           __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB 
describe    URI_DATA           "data:" URI - possible malware or phish
#score       URI_DATA           3.250	# limit
tflags      URI_DATA           publish
##} URI_DATA

##{ URI_DOTEDU

meta       URI_DOTEDU                  __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK 
describe   URI_DOTEDU                  Has .edu URI
#score      URI_DOTEDU                  2.000	# limit
tflags     URI_DOTEDU                  publish
##} URI_DOTEDU

##{ URI_DOTEDU_ENTITY

meta       URI_DOTEDU_ENTITY           __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO 
describe   URI_DOTEDU_ENTITY           Via .edu MTA + suspicious HTML content
#score      URI_DOTEDU_ENTITY           3.000	# limit
tflags     URI_DOTEDU_ENTITY           publish
##} URI_DOTEDU_ENTITY

##{ URI_DOTTY_HEX

meta        URI_DOTTY_HEX              __URI_DOTTY_HEX
describe    URI_DOTTY_HEX              Suspicious URI format
tflags      URI_DOTTY_HEX              publish
##} URI_DOTTY_HEX

##{ URI_DQ_UNSUB

meta           URI_DQ_UNSUB     __URI_DQ_UNSUB
describe       URI_DQ_UNSUB     IP-address unsubscribe URI
tflags         URI_DQ_UNSUB     publish
##} URI_DQ_UNSUB

##{ URI_DWEBIPFS

meta        URI_DWEBIPFS               __URI_DWEBIPFS
describe    URI_DWEBIPFS               References Interplanetary File System PtP content via dweb.link, likely phishing
#score       URI_DWEBIPFS               3.500	# limit
tflags      URI_DWEBIPFS               publish
##} URI_DWEBIPFS

##{ URI_EXCESS_SLASHES

meta        URI_EXCESS_SLASHES         __URI_EXCESS_SLASHES && !__RCD_RDNS_MAIL_MESSY 
#score       URI_EXCESS_SLASHES         2.500
describe    URI_EXCESS_SLASHES         Too many slashes in URI, possible attempt to bypass spam filtering
tflags      URI_EXCESS_SLASHES         publish
##} URI_EXCESS_SLASHES

##{ URI_FIREBASEAPP

meta       URI_FIREBASEAPP             __URI_FIREBASEAPP || __URI_WEBAPP
describe   URI_FIREBASEAPP             Link to hosted firebase web application, possible phishing
#score      URI_FIREBASEAPP             3.000	# limit
tflags     URI_FIREBASEAPP             publish
##} URI_FIREBASEAPP

##{ URI_FLKIPFSXYZIPFS

meta        URI_FLKIPFSXYZIPFS         __URI_FLKIPFSXYZIPFS
describe    URI_FLKIPFSXYZIPFS         References Interplanetary File System PtP content via flk-ipfs.xyz, likely phishing
#score       URI_FLKIPFSXYZIPFS         3.500	# limit
tflags      URI_FLKIPFSXYZIPFS         publish
##} URI_FLKIPFSXYZIPFS

##{ URI_GOOGDRAWPREVIEW

meta        URI_GOOGDRAWPREVIEW        __URI_GOOGDRAWPREVIEW && !URI_GOOGDRAWPREVIEW_MINFP && !__RCD_RDNS_SMTP && !__TVD_SPACE_RATIO
describe    URI_GOOGDRAWPREVIEW        Link to image at Google Docs, possible phishing
#score       URI_GOOGDRAWPREVIEW        3.000	# limit
tflags      URI_GOOGDRAWPREVIEW        publish
##} URI_GOOGDRAWPREVIEW

##{ URI_GOOGDRAWPREVIEW_MINFP

meta        URI_GOOGDRAWPREVIEW_MINFP  __URI_GOOGDRAWPREVIEW && (__SUBSCRIPTION_INFO || __HTML_TAG_BALANCE_CENTER || __TO_NO_BRKTS_HTML_ONLY) && !__RCD_RDNS_SMTP && !__TVD_SPACE_RATIO
describe    URI_GOOGDRAWPREVIEW_MINFP  Link to image at Google Docs, probable phishing
#score       URI_GOOGDRAWPREVIEW_MINFP  3.500	# limit
tflags      URI_GOOGDRAWPREVIEW_MINFP  publish
##} URI_GOOGDRAWPREVIEW_MINFP

##{ URI_GOOGLE_PROXY

meta           URI_GOOGLE_PROXY       __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID 
describe       URI_GOOGLE_PROXY       Accessing a blacklisted URI or obscuring source of phish via Google proxy?
tflags         URI_GOOGLE_PROXY       publish
##} URI_GOOGLE_PROXY

##{ URI_GOOG_STO_SPAMMY

uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:000000000000000000000000000000000007|48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|89409404gdfg8401008gfd041087pioazsq56|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9(?:0845045041587041078491540894048940489451000|c32d4d56b8ac7eb1296)|a(?:1discover|4301cda1e5c450bab01|b__________mail_____oo|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:l(?:_in_one_089498489045187410102003097841202|iedtrust7?)|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:_________mail____000|fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|i(?:o_mailpro_bulkmail\-2024___________w87x5230_8940152|rcaknee0)|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s_(?:___mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|g08zr7h48z6rt4hrzj74098j9r70j4894tj\-05hj6z(?:\-2024)?)|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|o(?:get1___bulkmail_trk_ses_984605129865_0|tectsecurity))|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|d(?:___mailweb|fgwsd74fg)|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s)|s(?:_trkg___mailbulkform\-045160d5h4fg8_______1jg20xxx|traking_____gmailbulk____tkn\-fkk_209041))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|mail_blackfriday__bigusamail_2024\-f084sf|o(?:lbeam004|uthbeach(?:001|skin))|p(?:_trk_in_ses_mimogoodafterj56h6gd__2000_5|reader35)|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|k_mailpro\-bulkmail\-trkngnum89fs64g5\-usa__hallowen|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
#score URI_GOOG_STO_SPAMMY 3.000
tflags URI_GOOG_STO_SPAMMY publish
##} URI_GOOG_STO_SPAMMY

##{ URI_HEX_IP

meta       URI_HEX_IP                  __URI_HEX_IP
#score      URI_HEX_IP                  2.500	# limit
describe   URI_HEX_IP                  URI with hex-encoded IP-address host
tflags     URI_HEX_IP                  publish
##} URI_HEX_IP

##{ URI_IMG_CWINDOWSNET

meta       URI_IMG_CWINDOWSNET         __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU 
#score      URI_IMG_CWINDOWSNET         3.500	# limit
describe   URI_IMG_CWINDOWSNET         Non-MSFT image hosted by Microsoft Azure infra, possible phishing
tflags     URI_IMG_CWINDOWSNET         publish
##} URI_IMG_CWINDOWSNET

##{ URI_IMG_WP_REDIR

meta       URI_IMG_WP_REDIR            __URI_IMG_WP_REDIR
#score      URI_IMG_WP_REDIR            3.000	# limit
describe   URI_IMG_WP_REDIR            Image via WordPress "accelerator" proxy
tflags     URI_IMG_WP_REDIR            publish
##} URI_IMG_WP_REDIR

##{ URI_IPFS

meta        URI_IPFS                   __URI_IPFS
describe    URI_IPFS                   References Interplanetary File System PtP content, probable phishing
#score       URI_IPFS                   3.500	#limit
tflags      URI_IPFS                   publish
##} URI_IPFS

##{ URI_IPFSIO

meta        URI_IPFSIO                 __URI_IPFSIO
describe    URI_IPFSIO                 References Interplanetary File System PtP content via ipfs.io, likely phishing
#score       URI_IPFSIO                 3.500	# limit
tflags      URI_IPFSIO                 publish
##} URI_IPFSIO

##{ URI_LONG_REPEAT

meta       URI_LONG_REPEAT             __URI_LONG_REPEAT
describe   URI_LONG_REPEAT             Long identical host+domain
#score      URI_LONG_REPEAT             2.500	# limit
tflags     URI_LONG_REPEAT             publish
##} URI_LONG_REPEAT

##{ URI_MALWARE_SCMS

uri         URI_MALWARE_SCMS   /\.SettingContent-ms\b/i
describe    URI_MALWARE_SCMS   Link to malware exploit download (.SettingContent-ms file)
tflags      URI_MALWARE_SCMS   publish
##} URI_MALWARE_SCMS

##{ URI_NOCODEFORM

meta        URI_NOCODEFORM             __URI_NOCODEFORM
#score       URI_NOCODEFORM             1.500	# limit
describe    URI_NOCODEFORM             Uses nocodeform.io, possible phishing
tflags      URI_NOCODEFORM             publish
##} URI_NOCODEFORM

##{ URI_ONLY_MSGID_MALF

  meta      URI_ONLY_MSGID_MALF           __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
describe  URI_ONLY_MSGID_MALF           URI only + malformed message ID
#score     URI_ONLY_MSGID_MALF           2.000	# limit
tflags    URI_ONLY_MSGID_MALF           publish
##} URI_ONLY_MSGID_MALF

##{ URI_OPTOUT_3LD

uri         URI_OPTOUT_3LD    m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
describe    URI_OPTOUT_3LD    Opt-out URI, suspicious hostname
#score       URI_OPTOUT_3LD    2.000   # limit
tflags      URI_OPTOUT_3LD    publish
##} URI_OPTOUT_3LD

##{ URI_OPTOUT_USME

uri         URI_OPTOUT_USME   m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
describe    URI_OPTOUT_USME   Opt-out URI, unusual TLD
tflags      URI_OPTOUT_USME   publish
##} URI_OPTOUT_USME

##{ URI_PHISH

describe    URI_PHISH            Phishing using web form
#score       URI_PHISH            4.00   # limit
tflags      URI_PHISH            publish
##} URI_PHISH

##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT 
endif
##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)

##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta      URI_PHISH      __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT 
endif
##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ URI_PHP_REDIR

meta       URI_PHP_REDIR               __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA 
#score      URI_PHP_REDIR               3.500	# limit
describe   URI_PHP_REDIR               PHP redirect to different URL (link obfuscation)
tflags     URI_PHP_REDIR               publish
##} URI_PHP_REDIR

##{ URI_TRY_3LD

meta        URI_TRY_3LD       __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE 
describe    URI_TRY_3LD       "Try it" URI, suspicious hostname
#score       URI_TRY_3LD       2.000   # limit
tflags      URI_TRY_3LD       publish
##} URI_TRY_3LD

##{ URI_TRY_USME

meta        URI_TRY_USME      __URI_TRY_USME && !__DKIM_EXISTS 
describe    URI_TRY_USME      "Try it" URI, unusual TLD
#score       URI_TRY_USME      2.000	# limit
tflags      URI_TRY_USME      publish
##} URI_TRY_USME

##{ URI_WPADMIN

meta        URI_WPADMIN        __URI_WPADMIN
describe    URI_WPADMIN        WordPress login/admin URI, possible phishing
tflags      URI_WPADMIN        publish
##} URI_WPADMIN

##{ URI_WP_DIRINDEX

meta        URI_WP_DIRINDEX    __URI_WPDIRINDEX
describe    URI_WP_DIRINDEX    URI for compromised WordPress site, possible malware
#score       URI_WP_DIRINDEX    3.500   # limit
tflags      URI_WP_DIRINDEX    publish
##} URI_WP_DIRINDEX

##{ URI_WP_HACKED

meta        URI_WP_HACKED      (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED 
describe    URI_WP_HACKED      URI for compromised WordPress site, possible malware
#score       URI_WP_HACKED      3.500   # limit
tflags      URI_WP_HACKED      publish
##} URI_WP_HACKED

##{ URI_WP_HACKED_2

meta        URI_WP_HACKED_2    (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 
describe    URI_WP_HACKED_2    URI for compromised WordPress site, possible malware
#score       URI_WP_HACKED_2    2.500   # limit
tflags      URI_WP_HACKED_2    publish
##} URI_WP_HACKED_2

##{ USB_DRIVES

meta       USB_DRIVES                 __SUBJ_USB_DRIVES
describe   USB_DRIVES                 Trying to sell custom USB flash drives
#score      USB_DRIVES                 2.000	# limit
tflags     USB_DRIVES                 publish
##} USB_DRIVES

##{ VFY_ACCT_NORDNS

meta        VFY_ACCT_NORDNS      __VFY_ACCT_NORDNS && !__STY_INVIS_MANY 
describe    VFY_ACCT_NORDNS      Verify your account to a poorly-configured MTA - probable phishing
#score       VFY_ACCT_NORDNS      3.000	# limit
tflags      VFY_ACCT_NORDNS      publish
##} VFY_ACCT_NORDNS

##{ VISTA_COST

meta        VISTA_COST                 __VISTA_COST && !__DOS_HAS_LIST_UNSUB 
describe    VISTA_COST                 Old MSFT msgid format + "cost"
#score       VISTA_COST                 2.500	# limit
tflags      VISTA_COST                 publish
##} VISTA_COST

##{ VISTA_TONOM_EQ_TOLOC

meta        VISTA_TONOM_EQ_TOLOC       __VISTA_TONOM_EQ_TOLOC && !__MSOE_MID_WRONG_CASE
describe    VISTA_TONOM_EQ_TOLOC       Old MSFT msgid format + To display name = username
#score       VISTA_TONOM_EQ_TOLOC       2.500	# limit
tflags      VISTA_TONOM_EQ_TOLOC       publish
##} VISTA_TONOM_EQ_TOLOC

##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta     VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
tflags   VPS_NO_NTLD publish
describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
#score    VPS_NO_NTLD 1.0 # limit
endif
endif
##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ WALMART_IMG_NOT_RCVD_WAL

meta       WALMART_IMG_NOT_RCVD_WAL    __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
#score      WALMART_IMG_NOT_RCVD_WAL    2.500	# limit
describe   WALMART_IMG_NOT_RCVD_WAL    Walmart hosted image but message not from Walmart
tflags     WALMART_IMG_NOT_RCVD_WAL    publish
##} WALMART_IMG_NOT_RCVD_WAL

##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      WORD_INVIS                    __WORD_INVIS_MINFP && !WORD_INVIS_MANY
  describe  WORD_INVIS                    A hidden word
#  score     WORD_INVIS                    3.000	# limit
  tflags    WORD_INVIS                    publish
endif
##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      WORD_INVIS_MANY               __WORD_INVIS_2
  describe  WORD_INVIS_MANY               Multiple individual hidden words
#  score     WORD_INVIS_MANY               3.000	# limit
  tflags    WORD_INVIS_MANY               publish
endif
##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

##{ XFER_LOTSA_MONEY

meta     XFER_LOTSA_MONEY        __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO 
describe XFER_LOTSA_MONEY        Transfer a lot of money
#score    XFER_LOTSA_MONEY        1.000   # limit
##} XFER_LOTSA_MONEY

##{ XM_DIGITS_ONLY

meta       XM_DIGITS_ONLY              __XM_DIGITS_ONLY
describe   XM_DIGITS_ONLY              X-Mailer malformed
#score      XM_DIGITS_ONLY              3.000	# limit
tflags     XM_DIGITS_ONLY              publish
##} XM_DIGITS_ONLY

##{ XM_PHPMAILER_FORGED

meta        XM_PHPMAILER_FORGED    __XM_PHPMAILER_FORGED
describe    XM_PHPMAILER_FORGED    Apparently forged header
tflags      XM_PHPMAILER_FORGED    publish
##} XM_PHPMAILER_FORGED

##{ XM_RANDOM

meta       XM_RANDOM                   __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG
describe   XM_RANDOM                   X-Mailer apparently random
#score      XM_RANDOM                   2.500	# limit
tflags     XM_RANDOM                   publish
##} XM_RANDOM

##{ XPRIO

describe    XPRIO              Has X-Priority header
#score       XPRIO              2.250	# limit
tflags      XPRIO              publish
##} XPRIO

##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta      XPRIO              __XPRIO_MINFP
endif
##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM

ifplugin Mail::SpamAssassin::Plugin::DKIM
  tflags    XPRIO              net
endif
##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM

##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)

ifplugin Mail::SpamAssassin::Plugin::DKIM
if !plugin(Mail::SpamAssassin::Plugin::SPF)
    meta    XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE 
endif
endif
##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)

##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF

ifplugin Mail::SpamAssassin::Plugin::DKIM
  ifplugin Mail::SpamAssassin::Plugin::SPF
    meta    XPRIO              __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !SPF_PASS && !RCVD_IN_DNSWL_NONE
endif
endif
##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF

##{ XPRIO_SHORT_SUBJ

meta        XPRIO_SHORT_SUBJ   __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF 
describe    XPRIO_SHORT_SUBJ   Has X Priority header + short subject
#score       XPRIO_SHORT_SUBJ   2.500	# limit
tflags      XPRIO_SHORT_SUBJ   publish
##} XPRIO_SHORT_SUBJ

##{ XPRIO_VISTA

meta        XPRIO_VISTA          __XPRIO_VISTA && !__BITCOIN && !__TO_TOO_MANY
describe    XPRIO_VISTA          X-Priority + old MSFT msgid format
#score       XPRIO_VISTA          2.500	# limit
tflags      XPRIO_VISTA          publish
##} XPRIO_VISTA

##{ X_MAILER_CME_6543_MSN

header X_MAILER_CME_6543_MSN	X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
##} X_MAILER_CME_6543_MSN

##{ YOUR_DELIVERY_ADDRESS

body       YOUR_DELIVERY_ADDRESS       /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we need to know|let us know|(?:send|provide|tell|inform)(?: us)?(?: of)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific |exact )?(?:(?:delivery |shipping |mailing |shipment |receiving )?(?:address|location)(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))|(?:provide|give) us (?:with |details of )(?:the |your )?address,? (?:and )?we will contact (?:the )?(?:warehouse|logistics|storage(?: facility))|your (?:mailing|shipping) address to (?:arrange|set ?up) (?:shipment|delivery) (?:(?:for|to) you|of th)/i
#score      YOUR_DELIVERY_ADDRESS       1.250	# limit
##} YOUR_DELIVERY_ADDRESS

##{ YOUR_PERMISSION

meta     YOUR_PERMISSION  __YOUR_PERM && !__CTYPE_HAS_BOUNDARY && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__CT_TEXT_PLAIN && !__BUGGED_IMG && !__COMMENT_EXISTS
describe YOUR_PERMISSION  With your permission...
##} YOUR_PERMISSION

##{ YOU_INHERIT

meta     YOU_INHERIT      __YOU_INHERIT
describe YOU_INHERIT      Discussing your inheritance
##} YOU_INHERIT

##{ bayes_ignore_header_sandbox

bayes_ignore_header ARC-Authentication-Results
bayes_ignore_header ARC-Message-Signature
bayes_ignore_header ARC-Seal
bayes_ignore_header Authentication-Results
bayes_ignore_header Auto-Submitted
bayes_ignore_header Autocrypt
bayes_ignore_header CTCH-SenderID-TotalSpam
bayes_ignore_header IronPort-SDR
bayes_ignore_header List-Archive
bayes_ignore_header List-Help
bayes_ignore_header List-Id
bayes_ignore_header List-Post
bayes_ignore_header List-Subscribe
bayes_ignore_header List-Unsubscribe
bayes_ignore_header Mailing-List
bayes_ignore_header Precedence
bayes_ignore_header Received-SPF
bayes_ignore_header suggested_attachment_session_id
bayes_ignore_header X-ACL-Warn
bayes_ignore_header X-Alimail-AntiSpam
bayes_ignore_header X-Amavis-Modified
bayes_ignore_header X-Anti-Spam
bayes_ignore_header X-Anti-Virus
bayes_ignore_header X-Anti-Virus-Version
bayes_ignore_header X-AntiAbuse
bayes_ignore_header X-Antispam
bayes_ignore_header X-Antivirus
bayes_ignore_header X-Antivirus-Code
bayes_ignore_header X-Antivirus-Status
bayes_ignore_header X-Antivirus-Version
bayes_ignore_header x-aol-global-disposition
bayes_ignore_header X-ASF-Spam-Status
bayes_ignore_header X-ASG-Debug-ID
bayes_ignore_header X-ASG-Orig-Subj
bayes_ignore_header X-ASG-Recipient-Whitelist
bayes_ignore_header X-ASG-Tag
bayes_ignore_header X-Assp-Version
bayes_ignore_header X-Attachment-Id
bayes_ignore_header X-Authority-Analysis
bayes_ignore_header X-Authvirus
bayes_ignore_header X-Auto-Response-Suppress
bayes_ignore_header X-AV-Do-Run
bayes_ignore_header X-AV-Status
bayes_ignore_header x-avast-antispam
bayes_ignore_header X-Backend
bayes_ignore_header X-Barracuda-Apparent-Source-IP
bayes_ignore_header X-Barracuda-Bayes
bayes_ignore_header X-Barracuda-BBL-IP
bayes_ignore_header X-Barracuda-BRTS-Status
bayes_ignore_header X-Barracuda-BRTS-URL-Found
bayes_ignore_header X-Barracuda-Connect
bayes_ignore_header X-Barracuda-Encrypted
bayes_ignore_header X-Barracuda-Envelope-From
bayes_ignore_header X-Barracuda-Fingerprint-Found
bayes_ignore_header X-Barracuda-Orig-Rcpt
bayes_ignore_header X-Barracuda-RBL-IP
bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder
bayes_ignore_header X-Barracuda-Spam-Report
bayes_ignore_header X-Barracuda-Spam-Score
bayes_ignore_header X-Barracuda-Spam-Status
bayes_ignore_header X-Barracuda-Start-Time
bayes_ignore_header X-Barracuda-UID
bayes_ignore_header X-Barracuda-URL
bayes_ignore_header X-Barracuda-Virus-Alert
bayes_ignore_header X-Bayes-Prob
bayes_ignore_header X-Bayesian-Result
bayes_ignore_header X-BeenThere
bayes_ignore_header X-BitDefender-Spam
bayes_ignore_header X-BitDefender-SpamStamp
bayes_ignore_header X-BL
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Boxtrapper
bayes_ignore_header X-Brightmail-Tracker
bayes_ignore_header X-BTI-AntiSpam
bayes_ignore_header X-Bugzilla-Version
bayes_ignore_header X-CanIt-Geo
bayes_ignore_header X-Canit-Stats-ID
bayes_ignore_header X-CanItPRO-Stream
bayes_ignore_header X-Clapf-spamicity
bayes_ignore_header X-ClientProxiedBy
bayes_ignore_header X-Cloud-Security
bayes_ignore_header X-CM-Score
bayes_ignore_header X-CMAE-Analysis
bayes_ignore_header X-CMAE-Match
bayes_ignore_header X-CMAE-Score
bayes_ignore_header X-CMAE-Verdict
bayes_ignore_header X-CNFS-Analysis
bayes_ignore_header X-Company
bayes_ignore_header X-Complaints-To
bayes_ignore_header X-Coremail-Antispam
bayes_ignore_header X-CRM114-CacheID
bayes_ignore_header X-CRM114-Status
bayes_ignore_header X-CRM114-Version
bayes_ignore_header X-CT-Spam
bayes_ignore_header X-CTCH-SenderID
bayes_ignore_header X-CTCH-SenderID-TotalBulk
bayes_ignore_header X-CTCH-SenderID-TotalConfirmed
bayes_ignore_header X-CTCH-SenderID-TotalMessages
bayes_ignore_header X-CTCH-SenderID-TotalRecipients
bayes_ignore_header X-CTCH-SenderID-TotalSpam
bayes_ignore_header X-CTCH-SenderID-TotalSuspected
bayes_ignore_header X-CTCH-SenderID-TotalVirus
bayes_ignore_header X-CTCH-Spam
bayes_ignore_header X-CTCH-VOD
bayes_ignore_header X-Delivered-To
bayes_ignore_header X-Drweb-SpamState
bayes_ignore_header X-DSPAM-Confidence
bayes_ignore_header X-DSPAM-Factors
bayes_ignore_header X-DSPAM-Improbability
bayes_ignore_header X-DSPAM-Probability
bayes_ignore_header X-DSPAM-Processed
bayes_ignore_header X-DSPAM-Result
bayes_ignore_header X-DSPAM-Signature
bayes_ignore_header x-eavas
bayes_ignore_header x-eavas-action
bayes_ignore_header x-eavas-eavasid
bayes_ignore_header X-Enigmail-Version
bayes_ignore_header X-EsetId
bayes_ignore_header X-EsetResult
bayes_ignore_header X-Exchange-Antispam-Report
bayes_ignore_header X-Exchange-Antispam-Report-CFA-Test
bayes_ignore_header X-ExtloopSabreCommercials1
bayes_ignore_header X-EYOU-SPAMVALUE
bayes_ignore_header X-FB-OUTBOUND-SPAM
bayes_ignore_header X-FEAS-SBL
bayes_ignore_header X-FILTER-SCORE
bayes_ignore_header X-Forefront-Antispam-Report
bayes_ignore_header X-Forefront-Antispam-Report-Untrusted
bayes_ignore_header X-Forefront-PRVS
bayes_ignore_header X-Freemail-From
bayes_ignore_header X-Fuglu-Spamstatus
bayes_ignore_header X-Fuglu-Suspect
bayes_ignore_header X-getmail-filter-classifier
bayes_ignore_header X-GFIME-MASPAM
bayes_ignore_header X-Gm-Message-State
bayes_ignore_header X-Gmane-NNTP-Posting-Host
bayes_ignore_header X-GMX-Antispam
bayes_ignore_header X-GMX-Antivirus
bayes_ignore_header X-Google-DKIM-Signature
bayes_ignore_header X-He-Spam
bayes_ignore_header X-hMailServer-Spam
bayes_ignore_header X-IAS
bayes_ignore_header X-iGspam-global
bayes_ignore_header X-Injected-Via-Gmane
bayes_ignore_header X-Interia-Antivirus
bayes_ignore_header X-IP-Spam-Verdict
bayes_ignore_header X-Ironport
bayes_ignore_header X-IronPort-Anti-Spam-Filtered
bayes_ignore_header X-IronPort-Anti-Spam-Result
bayes_ignore_header X-IronPort-AV
bayes_ignore_header X-Ironport-HAT
bayes_ignore_header X-Ironport-HOSTNAME
bayes_ignore_header X-Ironport-LNR
bayes_ignore_header X-Ironport-MessageFilter
bayes_ignore_header X-Ironport-MFP
bayes_ignore_header X-Ironport-MID
bayes_ignore_header X-IronPort-Outgoing-Antispam
bayes_ignore_header X-Ironport-RIF
bayes_ignore_header X-Ironport-SBRS
bayes_ignore_header X-Ironport-SENDER
bayes_ignore_header X-Ironport-SUBJECT
bayes_ignore_header X-Junk-Score
bayes_ignore_header X-Junkmail
bayes_ignore_header X-Klms-Anti
bayes_ignore_header X-KLMS-AntiPhishing
bayes_ignore_header X-Klms-Antispam
bayes_ignore_header X-KLMS-AntiSpam-Info
bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info
bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles
bayes_ignore_header X-KLMS-AntiSpam-Method
bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps
bayes_ignore_header X-KLMS-AntiSpam-Rate
bayes_ignore_header X-KLMS-AntiSpam-Status
bayes_ignore_header X-KLMS-AntiSpam-Version
bayes_ignore_header X-KLMS-AntiVirus
bayes_ignore_header X-KLMS-AntiVirus-Status
bayes_ignore_header X-KLMS-Message-Action
bayes_ignore_header X-KLMS-Rule-ID
bayes_ignore_header X-KMail-EncryptionState
bayes_ignore_header X-KMail-MDN-Sent
bayes_ignore_header X-KMail-SignatureState
bayes_ignore_header X-Kse-Anti
bayes_ignore_header X-Loom-IP
bayes_ignore_header X-MailCleaner-SpamChec
bayes_ignore_header X-MailCleaner-SpamCheck
bayes_ignore_header X-MailFoundry
bayes_ignore_header X-Mailman-Version
bayes_ignore_header X-MDAV-Processed
bayes_ignore_header X-MDMailLookup-Result
bayes_ignore_header X-ME-Bayesian
bayes_ignore_header X-ME-Content
bayes_ignore_header X-MessageFilter
bayes_ignore_header x-microsoft-antispam
bayes_ignore_header X-Microsoft-Antispam-Message-Info
bayes_ignore_header X-Microsoft-Antispam-Message-Info-Original
bayes_ignore_header X-Microsoft-Antispam-Untrusted
bayes_ignore_header X-Microsoft-Exchange-Diagnostics
bayes_ignore_header X-Mlf-Version
bayes_ignore_header X-Mozilla-Keys
bayes_ignore_header X-Mozilla-Status
bayes_ignore_header X-Mozilla-Status2
bayes_ignore_header x-ms-exchange-antispam-messagedata
bayes_ignore_header x-ms-exchange-antispam-messagedata-0
bayes_ignore_header X-MS-Exchange-CrossTenant-AuthAs
bayes_ignore_header X-MS-Exchange-CrossTenant-AuthSource
bayes_ignore_header X-MS-Exchange-CrossTenant-FromEntityHeader
bayes_ignore_header x-ms-exchange-crosstenant-id
bayes_ignore_header x-ms-exchange-crosstenant-network-message-id
bayes_ignore_header X-MS-Exchange-CrossTenant-OriginalArrivalTime
bayes_ignore_header x-ms-exchange-crosstenant-rms-persistedconsumerorg
bayes_ignore_header X-MS-Exchange-CrossTenant-userprincipalname
bayes_ignore_header x-ms-exchange-slblob-mailprops
bayes_ignore_header X-MS-Exchange-Transport-CrossTenantHeadersStamped
bayes_ignore_header x-ms-office365-filtering-correlation-id
bayes_ignore_header X-MS-TrafficTypeDiagnostic
bayes_ignore_header X-MSFBL
bayes_ignore_header X-MSMail-Priority
bayes_ignore_header X-MXScan-AntiSpam
bayes_ignore_header X-MXScan-AntiVirus
bayes_ignore_header X-MXScan-Country-Sequence
bayes_ignore_header X-MXScan-License
bayes_ignore_header X-MXScan-Msgid
bayes_ignore_header X-MXScan-ProcessingTime
bayes_ignore_header X-MXScan-Scan
bayes_ignore_header X-NAI-Spam-Flag
bayes_ignore_header X-NAI-Spam-Rules
bayes_ignore_header X-NAI-Spam-Score
bayes_ignore_header X-NAI-Spam-Threshold
bayes_ignore_header X-NetStation-Status
bayes_ignore_header X-No-Relay
bayes_ignore_header X-OriginatorOrg
bayes_ignore_header X-OVH-SPAMCAUSE
bayes_ignore_header X-OVH-SPAMCAUSE:
bayes_ignore_header X-OVH-SPAMSCORE
bayes_ignore_header X-OVH-SPAMSTATE
bayes_ignore_header X-PerlMx-Spam
bayes_ignore_header X-PerlMx-Virus-Scanned
bayes_ignore_header X-PFSI-Info
bayes_ignore_header X-PMX-Spam
bayes_ignore_header X-PMX-Version
bayes_ignore_header X-Policy-Service
bayes_ignore_header X-policyd-weight
bayes_ignore_header X-PreRBLs
bayes_ignore_header X-Probable-Spam
bayes_ignore_header X-PROLinux-SpamCheck
bayes_ignore_header X-Proofpoint-Spam-Reason
bayes_ignore_header X-Proofpoint-Virus-Version
bayes_ignore_header X-Provags-ID
bayes_ignore_header x-purgate-eavas: clean
bayes_ignore_header x-purgate-id
bayes_ignore_header x-purgate-size
bayes_ignore_header x-purgate-type
bayes_ignore_header X-Qmail-Scanner-Diagnostics
bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status
bayes_ignore_header X-Quarantine-ID
bayes_ignore_header X-Received
bayes_ignore_header X-RSpam-Report
bayes_ignore_header X-SA-Do-Not-Run
bayes_ignore_header X-SA-Exim-Version
bayes_ignore_header X-Scanned-by
bayes_ignore_header X-ServerMaster-MailScanner
bayes_ignore_header X-SG-EID
bayes_ignore_header X-SG-ID
bayes_ignore_header X-SmarterMail-CustomSpamHeader
bayes_ignore_header X-Spam
bayes_ignore_header X-Spam-Action
bayes_ignore_header X-SPAM-AISP
bayes_ignore_header X-Spam-Check-By
bayes_ignore_header X-Spam-Checker-Version
bayes_ignore_header X-Spam-CMAE-Analysis
bayes_ignore_header X-Spam-CMAESCORE
bayes_ignore_header X-Spam-CTCH-RefID
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Level
bayes_ignore_header X-Spam-Processed
bayes_ignore_header X-Spam-Report
bayes_ignore_header X-Spam-Scanned
bayes_ignore_header X-Spam-Score
bayes_ignore_header X-Spam-Score-Int
bayes_ignore_header X-Spam-SmartLearn
bayes_ignore_header X-Spam-Status
bayes_ignore_header X-Spam-Threshold
bayes_ignore_header X-Spam_bar
bayes_ignore_header X-Spambayes-Classification
bayes_ignore_header X-SpamExperts-Domain
bayes_ignore_header X-SpamExperts-Outgoing-Class
bayes_ignore_header X-SpamExperts-Outgoing-Evidence
bayes_ignore_header X-SpamExperts-Username
bayes_ignore_header X-Spamfilter-host
bayes_ignore_header X-Spamina-Bogosity
bayes_ignore_header X-Spamina-Spam-Report
bayes_ignore_header X-Spamina-Spam-Score
bayes_ignore_header X-SpamInfo
bayes_ignore_header X-Spamsave
bayes_ignore_header X-SpamTest-Group-ID
bayes_ignore_header X-SpamTest-Info
bayes_ignore_header X-SpamTest-Method
bayes_ignore_header X-SpamTest-Rate
bayes_ignore_header X-SpamTest-SPF
bayes_ignore_header X-SpamTest-Status
bayes_ignore_header X-SpamTest-Status-Extended
bayes_ignore_header X-SPF-Scan-By
bayes_ignore_header X-STA-Metric
bayes_ignore_header X-STA-NotSpam
bayes_ignore_header X-STA-Spam
bayes_ignore_header X-StarScan-Version
bayes_ignore_header X-SurGATE-Result
bayes_ignore_header X-SWITCHham-Score
bayes_ignore_header X-UI-Filterresults
bayes_ignore_header X-UI-Loop
bayes_ignore_header X-UI-Out-Filterresults
bayes_ignore_header X-Univie-Spam-Checker-Version
bayes_ignore_header X-Univie-Virus-Scan
bayes_ignore_header X-Virus
bayes_ignore_header X-Virus-Checker-Version
bayes_ignore_header X-Virus-Scanned
bayes_ignore_header X-Virus-Scanner-Result
bayes_ignore_header X-Virus-Scanner-Version
bayes_ignore_header X-Virus-Status
bayes_ignore_header X-VirusChecked
bayes_ignore_header X-VR-SCORE
bayes_ignore_header X-VR-SPAMCAUSE
bayes_ignore_header X-VR-STATUS
bayes_ignore_header X-WatchGuard-Mail-Client-IP
bayes_ignore_header X-WatchGuard-Mail-From
bayes_ignore_header X-WatchGuard-Mail-Recipients
bayes_ignore_header X-WatchGuard-Spam-ID
bayes_ignore_header X-WatchGuard-Spam-Score
bayes_ignore_header X-Whitelist-Domain
bayes_ignore_header X-WUM-CCI
bayes_ignore_header X_CMAE_Category
##} bayes_ignore_header_sandbox

##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns     __FROM_FMBLA_NEWDOM    _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
askdns     __FROM_FMBLA_NEWDOM14  _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/
askdns     __FROM_FMBLA_NEWDOM28  _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/
askdns     __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/
reuse      FROM_FMBLA_NEWDOM
reuse      FROM_FMBLA_NEWDOM14
reuse      FROM_FMBLA_NEWDOM28
reuse      FROM_FMBLA_NDBLOCKED
reuse    __PDS_NEWDOMAIN
reuse    FROM_NUMBERO_NEWDOMAIN
reuse    FROM_NEWDOM_BTC
askdns   __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
reuse    BITCOIN_SPF_ONLYALL
endif
endif
##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox

##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it
enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk
enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk
reuse    __FROM_ADDRLIST_PAYPAL
reuse    FROM_PAYPAL_SPOOF
enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk
enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk
enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk
enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com
enlist_addrlist (BANKS) *@citibank.com
enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk
enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com
enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk
enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk
enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com
enlist_addrlist (BANKS) *@mbna.com
enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk
enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk
enlist_addrlist (BANKS) *@santander.com *@santander.co.uk
enlist_addrlist (BANKS) *@standardbank.co.za
enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com
reuse    __FROM_ADDRLIST_BANKS
reuse    FROM_BANK_NOAUTH
enlist_addrlist (GOV) *@*.gov
enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
reuse    __FROM_ADDRLIST_GOV
reuse    FROM_GOV_SPOOF
reuse    FROM_GOV_DKIM_AU
reuse    FROM_GOV_REPLYTO_FREEMAIL
enlist_addrlist (SUSP_NTLD) *@*.icu
enlist_addrlist (SUSP_NTLD) *@*.online
enlist_addrlist (SUSP_NTLD) *@*.work
enlist_addrlist (SUSP_NTLD) *@*.date
enlist_addrlist (SUSP_NTLD) *@*.top
enlist_addrlist (SUSP_NTLD) *@*.fun
enlist_addrlist (SUSP_NTLD) *@*.life
enlist_addrlist (SUSP_NTLD) *@*.review
enlist_addrlist (SUSP_NTLD) *@*.bid
enlist_addrlist (SUSP_NTLD) *@*.stream
enlist_addrlist (SUSP_NTLD) *@*.gdn
enlist_addrlist (SUSP_NTLD) *@*.click
enlist_addrlist (SUSP_NTLD) *@*.world
enlist_addrlist (SUSP_NTLD) *@*.fit
enlist_addrlist (SUSP_NTLD) *@*.ooo
enlist_addrlist (SUSP_NTLD) *@*.faith
enlist_addrlist (SUSP_NTLD) *@*.buzz
enlist_addrlist (SUSP_NTLD) *@*.trade
enlist_addrlist (SUSP_NTLD) *@*.cyou
enlist_addrlist (SUSP_NTLD) *@*.vip
enlist_uri_host (SUSP_URI_NTLD) icu
enlist_uri_host (SUSP_URI_NTLD) online
enlist_uri_host (SUSP_URI_NTLD) work
enlist_uri_host (SUSP_URI_NTLD) date
enlist_uri_host (SUSP_URI_NTLD) top
enlist_uri_host (SUSP_URI_NTLD) fun
enlist_uri_host (SUSP_URI_NTLD) life
enlist_uri_host (SUSP_URI_NTLD) review
enlist_uri_host (SUSP_URI_NTLD) bid
enlist_uri_host (SUSP_URI_NTLD) stream
enlist_uri_host (SUSP_URI_NTLD) gdn
enlist_uri_host (SUSP_URI_NTLD) click
enlist_uri_host (SUSP_URI_NTLD) world
enlist_uri_host (SUSP_URI_NTLD) fit
enlist_uri_host (SUSP_URI_NTLD) ooo
enlist_uri_host (SUSP_URI_NTLD) faith
enlist_uri_host (SUSP_URI_NTLD) buzz
enlist_uri_host (SUSP_URI_NTLD) trade
enlist_uri_host (SUSP_URI_NTLD) cyou
enlist_uri_host (SUSP_URI_NTLD) vip
enlist_uri_host (SUSP_URI_NTLD_PRO) pro
reuse    __FROM_ADDRLIST_SUSPNTLD
reuse    __REPLYTO_ADDRLIST_SUSPNTLD
reuse    FROM_SUSPICIOUS_NTLD
reuse    GOOGLE_DRIVE_REPLY_BAD_NTLD
reuse    VPS_NO_NTLD
endif
endif
##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox

##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox

if (version >= 3.004003)
  ifplugin Mail::SpamAssassin::Plugin::HashBL
    priority      GB_HASHBL_BTC -100
    reuse         GB_HASHBL_BTC
endif
endif
##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox

##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab])
    replace_rules   __E_LIKE_LETTER 
endif
endif
##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns    __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
reuse     __DKIMWL_FREEMAIL
askdns    __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
reuse     __DKIMWL_BULKMAIL
askdns    __DKIMWL_WL_HI    _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
reuse     __DKIMWL_WL_HI
askdns    __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
reuse     __DKIMWL_WL_MEDHI
askdns    __DKIMWL_WL_MED   _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
reuse     __DKIMWL_WL_MED
askdns    __DKIMWL_WL_BL   _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
reuse     __DKIMWL_WL_BL
askdns    __DKIMWL_BLOCKED  _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
reuse     __DKIMWL_BLOCKED
reuse     DKIMWL_WL_HIGH
reuse     DKIMWL_WL_MEDHI
reuse     DKIMWL_WL_MED
reuse     DKIMWL_BL
reuse     DKIMWL_BLOCKED
askdns   __HELO_DNS _LASTEXTERNALHELO_ A /./
endif
##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox

ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
reuse    RCVD_IN_PSBL
endif
##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox

ifplugin Mail::SpamAssassin::Plugin::DNSEval
reuse  RCVD_IN_IADB_LISTED
reuse  RCVD_IN_IADB_SPF
reuse  RCVD_IN_IADB_SENDERID
reuse  RCVD_IN_IADB_DK
reuse  RCVD_IN_IADB_RDNS
reuse  RCVD_IN_IADB_DMARC
reuse  RCVD_IN_IADB_NOCONTROL
reuse  RCVD_IN_IADB_OPTOUTONLY
reuse  RCVD_IN_IADB_UNVERIFIED_1
reuse  RCVD_IN_IADB_UNVERIFIED_2
reuse  RCVD_IN_IADB_LOOSE
reuse  RCVD_IN_IADB_OPTIN_LT50
reuse  RCVD_IN_IADB_OPTIN_GT50
reuse  RCVD_IN_IADB_OPTIN
reuse  RCVD_IN_IADB_DOPTIN_LT50
reuse  RCVD_IN_IADB_DOPTIN_GT50
reuse  RCVD_IN_IADB_DOPTIN
reuse  RCVD_IN_IADB_ML_DOPTIN
reuse  RCVD_IN_IADB_OOO
reuse  RCVD_IN_IADB_SOCIAL
reuse  RCVD_IN_IADB_TRACK
reuse  RCVD_IN_IADB_ECARD
reuse  RCVD_IN_IADB_ESP
reuse  RCVD_IN_IADB_LEG_NPROFIT
reuse  RCVD_IN_IADB_LEG_BNPROFIT
reuse  RCVD_IN_IADB_LEG_MAND
reuse  RCVD_IN_IADB_COURT
reuse  RCVD_IN_IADB_URG
reuse  RCVD_IN_IADB_MI_CPEAR
reuse  RCVD_IN_IADB_UT_CPEAR
endif
##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
fns_ignore_headers List-Id
fns_check 1
reuse    __PLUGIN_FROMNAME_SPOOF
reuse    __PLUGIN_FROMNAME_EQUALS_TO
endif
##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules T_FUZZY_SPRM
replace_rules FUZZY_MERIDIA
replace_rules TVD_FUZZY_PHARMACEUTICAL
replace_rules TVD_FUZZY_SYMBOL
replace_rules T_TVD_FUZZY_SECURITIES
replace_rules TVD_FUZZY_FINANCE
replace_rules TVD_FUZZY_FIXED_RATE
replace_rules TVD_FUZZY_MICROCAP
replace_rules T_TVD_FUZZY_SECTOR
replace_rules TVD_FUZZY_DEGREE
  replace_rules __COPY_PASTE_EN
  replace_tag FF_LNNO   (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
  replace_tag FF_YOUR   (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
  replace_tag ANDOR     (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
  replace_tag NUMBER    (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
  replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
  replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
  replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})
  replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
  replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
  replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
  replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
  replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
  replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
  replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3}
  replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
  replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
  replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
  replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>
  replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
  replace_rules   __FILL_THIS_FORM_LONG1
  replace_rules   __FILL_THIS_FORM_LONG2
  replace_rules   __FILL_THIS_FORM_PARTIAL
  replace_rules   __FILL_THIS_FORM_PARTIAL_RAW
  replace_rules   __FILL_THIS_FORM_SHORT1
  replace_rules   __FILL_THIS_FORM_SHORT2
  replace_rules   __FILL_THIS_FORM_LOAN1
  replace_rules   __FILL_THIS_FORM_FRAUD_PHISH1
  replace_tag  CURRENCY   (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|u\s?s\s?d|U\s?S\s?D|CAD|G\s?B\s?P|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?)
  replace_tag  GB_UK      \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b
  replace_tag  NUM_NOT_DATE       [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s)
  replace_tag  NUM_NOT_DATE_IP    <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$))
  replace_rules   __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04
  replace_tag  PERCENT      \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent)
  replace_rules  __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS
  replace_rules  T_FUZZY_OPTOUT
	replace_rules                  __FRT_PRICE
  replace_rules FUZZY_UNSUBSCRIBE
  replace_rules FUZZY_ANDROID
  replace_rules FUZZY_PROMOTION
  replace_rules FUZZY_PRIVACY
  replace_rules FUZZY_BROWSER
  replace_rules FUZZY_SAVINGS
  replace_rules FUZZY_IMPORTANT
  replace_rules FUZZY_SECURITY
  replace_rules __FUZZY_DR_OZ
  replace_rules FUZZY_CLICK_HERE
  replace_rules FUZZY_BITCOIN   
  replace_rules __BITCOIN   
  replace_rules FUZZY_WALLET    
  replace_rules __FUZZY_MONERO
  replace_rules __FUZZY_WELLSFARGO_BODY
  replace_rules __FUZZY_WELLSFARGO_FROM
  replace_rules __FUZZY_PORN      
  replace_rules FUZZY_AMAZON   
  replace_rules FUZZY_APPLE    
  replace_rules FUZZY_MICROSOFT
  replace_rules FUZZY_FACEBOOK  
  replace_rules FUZZY_PAYPAL   
  replace_rules FUZZY_NORTON   
  replace_rules FUZZY_OVERSTOCK
  replace_rules __FUZZY_TRUSTWALLET_BODY
  replace_rules __FUZZY_TRUSTWALLET_FROM
  replace_rules FUZZY_TRUMP    
  replace_rules FUZZY_HARRIS   
  replace_rules  __MY_VICTIM
  replace_rules  __MY_MALWARE
  replace_rules  __PAY_ME
  replace_rules  __YOUR_PASSWORD
  replace_rules  __YOUR_WEBCAM
  replace_rules  __YOUR_ONAN
  replace_rules  __YOUR_PERSONAL
  replace_rules  __HOURS_DEADLINE
  replace_rules  __EXPLOSIVE_DEVICE
  replace_tag    SHY                     (?:=ad|[\xc2][\xad]|[\xad]|&\#xad;|&\#173;|&shy;|\x{E2}\x{80}\x{8F})
  replace_rules  __SHY_OBFU_PASSWORD
  replace_rules  __SHY_OBFU_EXPIRE  
replace_rules T_LFUZ_PWRMALE
  replace_rules   __PDS_BTC_HACKER __PDS_BTC_PIRATE
  reuse    T_PDS_BTC_AHACKER
  reuse    T_PDS_BTC_HACKER
  reuse    T_PDS_LTC_AHACKER
  reuse    T_PDS_LTC_HACKER
endif
##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
reuse URIBL_RHS_DOB
endif
##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox

##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com
enlist_uri_host (PDS_CASHSHORTENER) caat.site
enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
enlist_uri_host (PDS_CASHSHORTENER) 2xs.io
enlist_uri_host (PDS_CASHSHORTENER) ocest.site
enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
enlist_uri_host (PDS_CASHSHORTENER) waar.site
enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net
enlist_uri_host (PDS_CASHSHORTENER) cowner.net
enlist_uri_host (PDS_CASHSHORTENER) adfoc.us
enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz
enlist_uri_host (PDS_CASHSHORTENER) gurl.pw
enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu
enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
enlist_uri_host (PDS_CASHSHORTENER) pc.cd
enlist_uri_host (PDS_CASHSHORTENER) fc.lc
enlist_uri_host (PDS_CASHSHORTENER) dares.xyz
enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com
enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz
enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz
enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz
enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz
enlist_uri_host (PDS_CASHSHORTENER) 7r6.com
enlist_uri_host (PDS_CASHSHORTENER) mitly.us
enlist_uri_host (PDS_CASHSHORTENER) kutpay.com
enlist_uri_host (PDS_CASHSHORTENER) gsurl.me
enlist_uri_host (PDS_CASHSHORTENER) gurl.ly
enlist_uri_host (PDS_CASHSHORTENER) gsurl.in
enlist_uri_host (PDS_CASHSHORTENER) acitoate.com
enlist_uri_host (PDS_CASHSHORTENER) aclabink.com
enlist_uri_host (PDS_CASHSHORTENER) activeation.com
enlist_uri_host (PDS_CASHSHORTENER) activeterium.com
enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com
enlist_uri_host (PDS_CASHSHORTENER) adflymail.com
enlist_uri_host (PDS_CASHSHORTENER) adult.xyz
enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com
enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com
enlist_uri_host (PDS_CASHSHORTENER) ay.gy
enlist_uri_host (PDS_CASHSHORTENER) battleate.com
enlist_uri_host (PDS_CASHSHORTENER) biastonu.com
enlist_uri_host (PDS_CASHSHORTENER) bitigee.com
enlist_uri_host (PDS_CASHSHORTENER) briskrange.com
enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com
enlist_uri_host (PDS_CASHSHORTENER) casualient.com
enlist_uri_host (PDS_CASHSHORTENER) clesolea.com
enlist_uri_host (PDS_CASHSHORTENER) code404.biz
enlist_uri_host (PDS_CASHSHORTENER) coginator.com
enlist_uri_host (PDS_CASHSHORTENER) cogismith.com
enlist_uri_host (PDS_CASHSHORTENER) covelign.com
enlist_uri_host (PDS_CASHSHORTENER) crefranek.com
enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com
enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com
enlist_uri_host (PDS_CASHSHORTENER) deciomm.com
enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com
enlist_uri_host (PDS_CASHSHORTENER) east-jones.com
enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com
enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com
enlist_uri_host (PDS_CASHSHORTENER) endroudo.com
enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com
enlist_uri_host (PDS_CASHSHORTENER) fainbory.com
enlist_uri_host (PDS_CASHSHORTENER) fasttory.com
enlist_uri_host (PDS_CASHSHORTENER) fawright.com
enlist_uri_host (PDS_CASHSHORTENER) flyserve.co
enlist_uri_host (PDS_CASHSHORTENER) greponozy.com
enlist_uri_host (PDS_CASHSHORTENER) homoluath.com
enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com
enlist_uri_host (PDS_CASHSHORTENER) infopade.com
enlist_uri_host (PDS_CASHSHORTENER) j.gs
enlist_uri_host (PDS_CASHSHORTENER) kaitect.com
enlist_uri_host (PDS_CASHSHORTENER) kializer.com
enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com
enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com
enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com
enlist_uri_host (PDS_CASHSHORTENER) legeerook.com
enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com
enlist_uri_host (PDS_CASHSHORTENER) locinealy.com
enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com
enlist_uri_host (PDS_CASHSHORTENER) metastead.com
enlist_uri_host (PDS_CASHSHORTENER) mmoity.com
enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com
enlist_uri_host (PDS_CASHSHORTENER) neswery.com
enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com
enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com
enlist_uri_host (PDS_CASHSHORTENER) optitopt.com
enlist_uri_host (PDS_CASHSHORTENER) picocurl.com
enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com
enlist_uri_host (PDS_CASHSHORTENER) preofery.com
enlist_uri_host (PDS_CASHSHORTENER) prereheus.com
enlist_uri_host (PDS_CASHSHORTENER) q.gs
enlist_uri_host (PDS_CASHSHORTENER) quainator.com
enlist_uri_host (PDS_CASHSHORTENER) quamiller.com
enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid
enlist_uri_host (PDS_CASHSHORTENER) raboninco.com
enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com
enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com
enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com
enlist_uri_host (PDS_CASHSHORTENER) scapognel.com
enlist_uri_host (PDS_CASHSHORTENER) simizer.com
enlist_uri_host (PDS_CASHSHORTENER) skamaker.com
enlist_uri_host (PDS_CASHSHORTENER) skamason.com
enlist_uri_host (PDS_CASHSHORTENER) sluppend.com
enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com
enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com
enlist_uri_host (PDS_CASHSHORTENER) swarife.com
enlist_uri_host (PDS_CASHSHORTENER) swiftation.com
enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com
enlist_uri_host (PDS_CASHSHORTENER) techigo.com
enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid
enlist_uri_host (PDS_CASHSHORTENER) tinyical.com
enlist_uri_host (PDS_CASHSHORTENER) tonancos.com
enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
enlist_uri_host (PDS_CASHSHORTENER) turboagram.com
enlist_uri_host (PDS_CASHSHORTENER) twineer.com
enlist_uri_host (PDS_CASHSHORTENER) twiriock.com
enlist_uri_host (PDS_CASHSHORTENER) userlab66.com
enlist_uri_host (PDS_CASHSHORTENER) vaugette.com
enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com
enlist_uri_host (PDS_CASHSHORTENER) velociterium.com
enlist_uri_host (PDS_CASHSHORTENER) viahold.com
enlist_uri_host (PDS_CASHSHORTENER) vializer.com
enlist_uri_host (PDS_CASHSHORTENER) viwright.com
enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com
enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com
enlist_uri_host (PDS_CASHSHORTENER) x19.biz
enlist_uri_host (PDS_CASHSHORTENER) x19network.com
enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com
enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com
enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com
enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com
enlist_uri_host (PDS_CASHSHORTENER) yoineer.com
enlist_uri_host (PDS_CASHSHORTENER) yoitect.com
enlist_uri_host (PDS_CASHSHORTENER) zipansion.com
enlist_uri_host (PDS_CASHSHORTENER) zipteria.com
enlist_uri_host (PDS_CASHSHORTENER) zipvale.com
reuse    T_PDS_SHORTFWD_URISHRT
endif
endif
##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox

##{ redirector_pattern_sandbox

redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i
redirector_pattern                     m;^https?://web\.mmac\.org/.*[?&]url=//(.+)$;
##} redirector_pattern_sandbox

##{ reuse_sandbox

reuse    T_PDS_HIDDEN_UK_BUSINESSLOAN
reuse    T_PDS_DOUBLE_URL
reuse    PDS_DBL_URL_LINKBAIT
reuse    T_PDS_DBL_URL_TNB_RUNON
reuse    T_PDS_DBL_URL_ILLEGAL_CHARS
reuse    T_FROM_2_EMAILS_SHORT
reuse    T_SHORT_BODY_QUOTE
reuse    T_BODY_QUOTE_MALF_MSGID
reuse    SPOOFED_FREEMAIL_NO_RDNS
reuse    T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
reuse    T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
reuse    T_PDS_TONAME_EQ_TOLOCAL_SHORT
reuse    T_PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
reuse    T_PDS_TONAME_EQ_TOLOCAL_VSHORT
reuse    T_PDS_LITECOIN_ID
reuse    PDS_BTC_ID
reuse    PDS_BTC_MSGID
reuse  __PDS_GOOGLE_DRIVE_SHARE_1
reuse  __PDS_GOOGLE_DRIVE_SHARE_2
reuse  __PDS_GOOGLE_DRIVE_SHARE_3
reuse    __PDS_GOOGLE_DRIVE_SHARE
reuse    T_GOOGLE_DRIVE_DEAR_SOMETHING
reuse    __PDS_GOOGLE_DRIVE_FILE
reuse    __SHORT_BODY_G_DRIVE
reuse    __SHORT_BODY_G_DRIVE_DYN
reuse    T_SHORT_BODY_G_DRIVE_DYN
reuse    T_FROM_NAME_EQ_TO_G_DRIVE
##} reuse_sandbox


uri         __128_ALNUM_URI     m;[/?][0-9a-z]{128,}$;i

uri         __128_HEX_URI     m,/[0-9a-f]{128},

uri         __128_LC_URI        m;[/?][a-z]{128,}$;

uri         __45_ALNUM_IMG      m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g|webp)$;i

uri         __45_ALNUM_URI      m;[/?][0-9a-z]{45,}$;i

meta        __45_ALNUM_URI_O    __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI

body       __4BYTE_UTF8_WORD           /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
tflags     __4BYTE_UTF8_WORD           multiple maxhits=10

header     __4BYTE_UTF8_WORD_FROM      From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/

header     __4BYTE_UTF8_WORD_SUBJ      Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/

uri         __64_ANY_URI        m;[/?]\w{64,}$;i

body        __ACCESS_RESTORE     /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i

body        __ACCESS_REVOKE      /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i

body        __ACCESS_SUSPENDED   /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
tflags      __ACCESS_SUSPENDED   multiple maxhits=2

body        __ACCOUNT_DISRUPT    /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i
tflags      __ACCOUNT_DISRUPT    multiple maxhits=2

body        __ACCOUNT_ERROR      /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i

body        __ACCOUNT_REACTIV    /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i

body        __ACCOUNT_SECURE     /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i

body        __ACCOUNT_UPGRADE    /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i

meta        __ACCT_PHISH         (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY

meta        __ACCT_PHISH_MANY    (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3

body        __ACH_CANCELLED_01     /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i

body        __ACH_CANCELLED_02     /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i

body        __ACH_CANCELLED_03     /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i

body        __ACH_CANCELLED_04     /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
	meta         __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
endif

uri __AC_1SEQC_URI	/\/1[a-z0-9]8[a-z0-9_]{20,}\/C\//

uri __AC_1SEQV_URI	/\/1[a-z0-9]8[a-z0-9_]{20,}\/V\//

uri __AC_CHDSEQ_URI	/\/chd[a-z0-9]{20,}/

header     __AC_FROM_MANY_DOTS         From =~ /<(?!do\.not\.reply@)(?:\w{2,}\.){2,}\w+@/i

meta       __AC_FROM_MANY_DOTS_MINFP   __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO 

rawbody    __AC_HTML_ENTITY_BONANZA_SHRT_RAW          /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i

uri __AC_LAND_URI	/\/land\//

uri __AC_LONGSEQ_URI	/\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/

uri __AC_MHDSEQ_URI	/\/mhd[a-z0-9]{20,}/

uri __AC_NDOMLONGNASPX_URI	/[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/

uri __AC_NUMS_URI	/(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/

uri __AC_OUTI_URI	/\/outi\b/

uri __AC_OUTL_URI	/\/outl\b/

uri __AC_PHPOFFSUB_URI	/\/php\/off\/[0-9.]+\/sub\//

uri __AC_PHPOFFTOP_URI	/\/php\/off\/[0-9.]+\/top\//

uri        __AC_POSTHTMLEXTRAS         /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i

uri        __AC_POSTIMGEXTRAS          /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif|webp)\/\w{2,}\b/i

meta       __AC_POST_EXTRAS            (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)

uri __AC_PUNCTNUMS_URI	/\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/

uri __AC_REPORT_URI	/\/report\//

uri __AC_RMOVE_URI	/\/r\/move\/[0-9]+\//

rawbody     __AC_TINY_FONT           /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i

uri __AC_UHDSEQ_URI	/\/uhd[a-z0-9]{20,}/

uri __AC_UNSUB_URI	/\/unsub\//

body        __ADMAIL          /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i

body        __ADMITS_SPAM     /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i

body       __ADULTDATINGCOMPANY_BODY   /\bAdultDatingCompany\b/i

header     __ADULTDATINGCOMPANY_FROM   From:name =~ /\bAdultDatingCompany\b/i

header     __ADULTDATINGCOMPANY_REPTO  Reply-To:name =~ /\bAdultDatingCompany\b/i

meta      __ADVANCE_FEE_2_NEW  (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH +  __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT +  UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD

meta      __ADVANCE_FEE_2_NEW_FORM  __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW

meta      __ADVANCE_FEE_2_NEW_FRM_MNY  __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW

meta      __ADVANCE_FEE_2_NEW_MONEY  !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW

meta      __ADVANCE_FEE_3_NEW  (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH +  __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT +  UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD

meta      __ADVANCE_FEE_3_NEW_FORM  __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW

meta      __ADVANCE_FEE_3_NEW_FRM_MNY  __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW

meta      __ADVANCE_FEE_3_NEW_MONEY  !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW

meta      __ADVANCE_FEE_4_NEW  (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH +  __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT +  UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD

meta      __ADVANCE_FEE_4_NEW_FORM  __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW

meta      __ADVANCE_FEE_4_NEW_FRM_MNY  __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW

meta      __ADVANCE_FEE_4_NEW_MONEY  !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW

meta      __ADVANCE_FEE_5_NEW  (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH +  __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT +  UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD

meta      __ADVANCE_FEE_5_NEW_FORM  __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW

meta      __ADVANCE_FEE_5_NEW_FRM_MNY  __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW

meta      __ADVANCE_FEE_5_NEW_MONEY  !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW

body __AFF_004470_NUMBER  /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/

body __AFF_LOTTERY        /(?:lottery|winner)/i

meta     __AFRICAN_STATE  (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION)

body     __AFR_UNION      /\bafrican\sunion\b/i

body     __AGREED_RATIO   /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i

meta       __ALIBABA_IMG_NOT_RCVD_ALI  __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA

header         __AMADEUSMS_MUA     X-Mailer =~ /^Amadeus Messaging Server/

meta       __AMAZON_IMG_NOT_RCVD_AMZN  __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO

body     __AM_DYING       /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta        __ANY_TEXT_ATTACH 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader  __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH_DOC     Content-Type =~ /text\/\w+/i
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __APP_DEVELOPMENT           /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
  tflags     __APP_DEVELOPMENT           multiple maxhits=6
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __APP_DEVELOPMENT_MANY      __APP_DEVELOPMENT > 5
endif

body     __ATM_CARD       /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         __ATTACH_MSO_MHTML  __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __ATTACH_NAME_NO_EXT 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
endif

body        __ATTN_MAIL_USER     /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i

body     __AUTO_ACCIDENT     /auto(?:mobile)? accident/i

header __AXB_MO_OL_024C2  X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/

header __AXB_XM_OL_024C2  X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/

body     __BACK_SCRATCH   /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i

body     __BANK_DRAFT     /\bbank\sdraft/i

body     __BARRISTER      /\b(?:barrister|solicitor at law|barr\.)/i

meta       __BEBEE_IMG_NOT_RCVD_BB     __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE

body     __BENEFICIARY    /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i

body     __BENIN          /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i

body           __BIGNUM_EMAILS            /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i
tflags         __BIGNUM_EMAILS            multiple maxhits=5

meta           __BIGNUM_EMAILS_3          __BIGNUM_EMAILS > 2

meta           __BIGNUM_EMAILS_FREEM      __BIGNUM_EMAILS && __freemail_hdr_replyto

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body          __BITCOIN           /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          __BITCOIN           /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
endif

body           __BITCOIN_ID     /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/

meta       __BITCOIN_IMGUR             __IMGUR_IMG && __BITCOIN 

meta           __BITCOIN_OBFU_SUBJ  __BITCOIN && __SUBJ_OBFU_PUNCT 

meta           __BITCOIN_SPAM_02  __BITCOIN_ID && __BOTH_INR_AND_REF 

meta           __BITCOIN_SPAM_05  __BITCOIN_ID && __SPOOFED_FREEMAIL 

meta           __BITCOIN_SPAM_07  __BITCOIN_ID && __TO_EQ_FROM

meta           __BITCOIN_TOEQFM     __BITCOIN && __TO_EQ_FROM 

meta       __BITCOIN_WFH_01            __BITCOIN && __WFH_01

meta           __BITCOIN_XPRIO      __XPRIO && (__BITCOIN || __BITCOIN_ID)

body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s

body        __BODY_TEXT_LINE     /^\s*\S/
tflags      __BODY_TEXT_LINE     multiple maxhits=3

meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE

body           __BODY_XHTML             /<x-html>/i

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  full       __BOGUS_MIME_HDR            /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
  tflags     __BOGUS_MIME_HDR            multiple maxhits=8
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __BOGUS_MIME_HDR_MANY       __BOGUS_MIME_HDR > 7
endif

header     __BOGUS_MIME_VER_02         MIME-Version =~ /^(?!.*\b1\.0\b).+/

meta       __BOGUS_MSM_HDRS             __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX

body       __BONUS_LAST_DAY            /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i

meta     __BOTH_INR_AND_REF	(__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7)

body           __BTC_OBFU_2     /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i

body           __BTC_OBFU_3     /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __BTC_OBFU_4     /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
endif

body           __BTC_OBFU_5     /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i

rawbody  __BUGGED_IMG	m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i

body     __BURKINA_FASO   /\bburkina\s?faso\b/i

body        __CANT_SEE_AD_1   /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i

body        __CANT_SEE_AD_2   /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i

body        __CAN_HELP         /\bcan help\b/i

body __CASHPRZ      /cash prize of/

body     __CHARITY        /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i

body        __CLEAN_MAILBOX      /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
tflags      __CLEAN_MAILBOX      multiple maxhits=2

body        __CLICK_HERE       /\bclick\shere\b/i

rawbody        __COMMENT_GIBBERISH      /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im

body     __COMPENSATION   /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i

body     __CONTACT_ATTY   /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i

body     __CONTACT_YOU    /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i

rawbody    __CONTENT_AFTER_HTML        /<\/html>\s*[a-z0-9]/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body     __COPY_PASTE_EN    /Copy (?:and|\+|\&) paste/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __COPY_PASTE_EN    /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
endif

body     __COURIER        /\bcourier\s(?:company|service)\b/i

header      __CR_IN_SUBJ      Subject:raw =~ /\015/

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __CTE_BAS64         0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __CTE_BAS64         Content-Transfer-Encoding =~ /\bbas64\b/i
endif

header  __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i

header     __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __CTYPE_NULL        0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __CTYPE_NULL        Content-Type =~ /^\s*;/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
endif

header     __CT_ENCRYPTED              Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader	__CT_UTF7		Content-Type =~ /\bcharset=.?utf-7\b/i
endif

header      __DATE_LOWER       ALL =~ /date: \S{5}/

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __DAY_I_EARNED            /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
  tflags     __DAY_I_EARNED            multiple maxhits=4
endif

body __DBLCLAIM     /avoid double claiming/

body     __DEAD_PARENT    /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i

body     __DEAL           /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i

body     __DECEASED       /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i

body     __DESTROY_ME     /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i

body           __DESTROY_YOU    /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i

body     __DIED_IN        /\bdied\sin\b/i

body     __DIPLOMATIC     /\bdiplomatic\b/i

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags    __DKIMWL_BLOCKED  net
endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags    __DKIMWL_BULKMAIL net
endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags    __DKIMWL_FREEMAIL net
endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags    __DKIMWL_WL_BL   net
endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags    __DKIMWL_WL_HI    net
endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags    __DKIMWL_WL_MED   net
endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags    __DKIMWL_WL_MEDHI net
endif

header	 __DKIM_EXISTS	exists:DKIM-Signature
tflags	 __DKIM_EXISTS	nice

body           __DLND_ATTACH      /\bdownload\sthe\sattach(?:ed|ment)\b/i

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __DOC_ATTACH       0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         __DOC_ATTACH       (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __DOC_ATTACH_FN1   0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __DOC_ATTACH_FN1   Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __DOC_ATTACH_FN2   0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __DOC_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __DOC_ATTACH_MT    0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __DOC_ATTACH_MT    Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
endif

body     __DORMANT_ACCT   /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i

body	__DOS_BODY_FRI	/\bfri(?:day)?\b/i

body	__DOS_BODY_MON	/\bmon(?:day)?\b/i

body	__DOS_BODY_SAT	/\bsat(?:day)?\b/i

body		__DOS_BODY_STOCK	/\bstock\b/i

body	__DOS_BODY_SUN	/\bsun(?:day)?\b/i

body	__DOS_BODY_THU	/\bthu(?:r(?:s(?:day)?)?)?\b/i

body		__DOS_BODY_TICKER	/\b[A-Z]{4}\.(?:OB|PK)\b/

body	__DOS_BODY_TUE	/\btue(?:s(?:day)?)?\b/i

body	__DOS_BODY_WED	/\bwed(?:nesday)?\b/i

body	__DOS_COMING_TO_YOUR_PLACE	/I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/

body	__DOS_CORRESPOND_EMAIL		/correspond with me using my email/

meta __DOS_DIRECT_TO_MX		__DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT

meta __DOS_DIRECT_TO_MX_UNTRUSTED	__DOS_DIRECT_TO_MX && !ALL_TRUSTED

body	__DOS_DROP_ME_A_LINE		/Drop me a line at/

body	__DOS_EMAIL_DIRECTLY		/(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/

body		__DOS_FIN_ADVANTAGE	/\bfinancial advantage/i

uri __DOS_HAS_ANY_URI		/^\w+:\/\//

header __DOS_HAS_LIST_ID	exists:List-ID

header __DOS_HAS_LIST_UNSUB	exists:List-Unsubscribe

header __DOS_HAS_MAILING_LIST	exists:Mailing-List

body __DOS_HI                   /^Hi,$/

body	__DOS_I_AM_25			/I a.?m 25/

body __DOS_I_DRIVE_A	/I drive a/

body __DOS_LET_GO_JOB	/I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/

body __DOS_LINK                 /\blink\b/

body	__DOS_MEET_EACH_OTHER		/(?:meet each other|[Mm]ay ?be we can meet)/

header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/

header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/

body __DOS_MY_OLD_JOB	/my old job/

body	__DOS_PERSONAL_EMAIL		/personal email at/

header	__DOS_RCVD_FRI	Received =~ / Fri, /

header	__DOS_RCVD_MON	Received =~ / Mon, /

header	__DOS_RCVD_SAT	Received =~ / Sat, /

header	__DOS_RCVD_SUN	Received =~ / Sun, /

header	__DOS_RCVD_THU	Received =~ / Thu, /

header	__DOS_RCVD_TUE	Received =~ / Tue, /

header	__DOS_RCVD_WED	Received =~ / Wed, /

meta	__DOS_REF_2_WK_DAYS	(__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)

meta	__DOS_REF_NEXT_WK_DAY	(__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)

meta	__DOS_REF_TODAY		(__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)

header __DOS_RELAYED_EXT	ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s

header __DOS_SINGLE_EXT_RELAY   X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/

body		__DOS_STEADY_COURSE	/\bsteady (?:and increasing )?course\b/i

body		__DOS_STRONG_CF		/\bstrong cash flow/i

body __DOS_TAKING_HOME	/Taking home \d (?:digit level|figures) in \d{1,2} months/

body	__DOS_WRITE_ME_AT		/[Ww].?r.?i.?t.?e me at/

meta       __DOTGOV_IMAGE              __URI_DOTGOV && __REMOTE_IMAGE 

meta       __DYNAMIC_IMGUR             __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR 

body     __EARLY_DEMISE   /\buntimely\sdeath\b/i

header	 __EBAY_ADDRESS 	From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i

meta       __EBAY_IMG_NOT_RCVD_EBAY    __URI_IMG_EBAY && !__HDR_RCVD_EBAY

meta        __EMAIL_PHISH        (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY

meta        __EMAIL_PHISH_MANY   (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)

meta        __EMPTY_BODY         __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE

body           __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i

header     __ENVFROM_GOOG_TRIX         EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/

meta       __ENVFROM_GOOG_TRIX_SPAMMY  __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
	meta         __EXE_ATTACH        0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
	mimeheader   __EXE_ATTACH        Content-Type =~ /\.exe\b/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __EXPLOSIVE_DEVICE     /\b(?:explosive\sdevice|bomb)\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __EXPLOSIVE_DEVICE     /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
endif

meta           __EXTORT_MANY          (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3

body     __EX_CUSTOMER    /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    body            __E_LIKE_LETTER /<lcase_e>/
    tflags          __E_LIKE_LETTER multiple maxhits=320 
endif
endif

meta       __FACEBOOK_IMG_NOT_RCVD_FB  __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK

body        __FAILED_LOGINS      /unsuc+es+ful log-?[io]n at+empts/i

body        __FBI_BODY_SHOUT_1   /^FEDERAL BUREAU OF INVESTIGATIONS?\b/

rawbody     __FBI_BODY_SHOUT_2   /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m

header      __FBI_FM_DOM         From:addr =~ /\bfbi\.gov$/

header      __FBI_FM_NAME        From:name =~ /federal\sbureau\sof\sinvestigation/i

header      __FBI_RCVD_DOM       X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /

meta        __FBI_SPOOF          (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO

body        __FB_COST          /\bcost\b/i

body        __FB_NUM_PERCNT    /\d\s?\%/

body        __FB_S_PRICE       /pri{1,2}c[a-z]?e/i

body        __FB_S_STOCK       /\bstock/i

body        __FB_TOUR          /\btour/i

body     __FEES           /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i 

body     __FIFTY_FIFTY    /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM               0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     __FILL_THIS_FORM               (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_FRAUD_PHISH   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     __FILL_THIS_FORM_FRAUD_PHISH   (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_FRAUD_PHISH1  0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __FILL_THIS_FORM_FRAUD_PHISH1   /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_LOAN          0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     __FILL_THIS_FORM_LOAN          __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_LOAN1         0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __FILL_THIS_FORM_LOAN1         /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_LONG          0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     __FILL_THIS_FORM_LONG          __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_LONG1         0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __FILL_THIS_FORM_LONG1         /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_LONG2         0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __FILL_THIS_FORM_LONG2         /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_PARTIAL       0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __FILL_THIS_FORM_PARTIAL       /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
  tflags   __FILL_THIS_FORM_PARTIAL       multiple maxhits=5
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_PARTIAL_RAW   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  rawbody  __FILL_THIS_FORM_PARTIAL_RAW   /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20|&nbsp;|<\/\w+>){0,4}$)/im
  tflags   __FILL_THIS_FORM_PARTIAL_RAW   multiple maxhits=5
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_SHORT         0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     __FILL_THIS_FORM_SHORT         !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_SHORT1        0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __FILL_THIS_FORM_SHORT1        /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __FILL_THIS_FORM_SHORT2        0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __FILL_THIS_FORM_SHORT2        /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
endif

header         __FLASHMAIL_MUA     X-Mailer =~ /^NetEase Flash Mail \d/

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
	meta        __FM_MY_PRICE      __FB_S_PRICE
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
	meta        __FM_MY_PRICE      (__FB_S_PRICE || __FRT_PRICE)
endif

meta           __FM_TO_ALL_NUMS     __FROM_ALL_NUMS && __TO_ALL_NUMS

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  rawbody   __FONT_INVIS                  /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>[a-z0-9]/i
  tflags    __FONT_INVIS                  multiple maxhits=11
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_10               __FONT_INVIS > 10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_2                __FONT_INVIS > 2
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_5                __FONT_INVIS > 5
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_CENTER           __FONT_INVIS && __TAG_EXISTS_CENTER 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_DIRECT           __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_DOTGOV           __FONT_INVIS && __URI_DOTGOV 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_HTML_NOHTML      __FONT_INVIS && HTML_MIME_NO_HTML_TAG 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_LONG_LINE        __FONT_INVIS && __LONGLINE 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_MANY             __FONT_INVIS_2
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_MSGID            __FONT_INVIS && __MSGID_OK_HOST 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_NORDNS           __FONT_INVIS && __RDNS_NONE 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __FONT_INVIS_SINGLET          __FONT_INVIS && __HTML_SINGLET 
endif

header       __FORGED_MUA_POSTFIX0	User-Agent =~ /Postfix/

header       __FORGED_MUA_POSTFIX1	X-Mailer =~ /Postfix/

header __FORGED_RELAY_MUA_TO_MX       X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/

meta       __FORGED_TBIRD_IMG      __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
describe   __FORGED_TBIRD_IMG      Possibly forged Thunderbird image spam

meta     __FORM_FRAUD     (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH +  __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX +  __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)

meta     __FORM_FRAUD_3  (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH +  __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX +  __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)

meta     __FORM_FRAUD_5  (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH +  __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX +  __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_LTP            /00\.? (?:less 10%|LTP)/i
  tflags      __FOR_SALE_LTP            multiple maxhits=11
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_LTP_MANY       __FOR_SALE_LTP > 10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_NET            /00\.? NET/i
  tflags      __FOR_SALE_NET            multiple maxhits=11
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_NET_MANY       __FOR_SALE_NET > 10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_OBO            /\bor best offer\b/i
  tflags      __FOR_SALE_OBO            multiple maxhits=6
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_OBO_MANY       __FOR_SALE_OBO > 5
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_PRC_100K       /\bprice:? \$\d\d\d,\d\d\d/i
  tflags      __FOR_SALE_PRC_100K       multiple maxhits=11
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_PRC_100K_MANY  __FOR_SALE_PRC_100K > 5
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_PRC_10K        /\bprice:? \$\d\d,\d\d\d/i
  tflags      __FOR_SALE_PRC_10K        multiple maxhits=11
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_PRC_10K_MANY   __FOR_SALE_PRC_10K > 10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __FOR_SALE_PRC_1K         /\bprice:? \$\d,?\d\d\d[.\s]/i
  tflags      __FOR_SALE_PRC_1K         multiple maxhits=11
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_PRC_1K_MANY    __FOR_SALE_PRC_1K > 10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  rawbody     __FOR_SALE_PRC_EOL        /\s\$\d{1,3},\d00(?:\.00)?$/m
  tflags      __FOR_SALE_PRC_EOL        multiple maxhits=11
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_PRC_EOL_MANY   __FOR_SALE_PRC_EOL > 10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta        __FOR_SALE_PRC_MANY       (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
endif

body     __FOUND_YOU      /\b(?:I|we)\sfound\syour?\b/i

body     __FRAUD          /\b(?:de)?fraud/i

body __FRAUD_IOV	/\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i

body __FRAUD_PTX	/\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i

body __FRAUD_XWW	/\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  header   __FREEMAIL_DISPTO   eval:check_freemail_header('Disposition-Notification-To')
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FREEMAIL_DOC_PDF     (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
endif

meta       __FREEMAIL_WFH_01           (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01

meta       __FREEM_FRNUM_UNICD_EMPTY  FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY

if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
  meta         __FROM_41_FREEMAIL         0
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FROM_41_FREEMAIL         (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
  describe     __FROM_41_FREEMAIL         Sent from Africa + freemail provider
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS')
endif
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
endif
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL')
endif
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
endif
endif

header     __FROM_ADDR_WS              From:addr =~ /\s/

header      __FROM_ADMIN         From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i

header __FROM_ALL_HEX	    From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/

header         __FROM_ALL_NUMS      From:addr =~ /^\d+@/

header      __FROM_AMEX          From =~ /american\s?express/i

header      __FROM_ASB_BANK      From:addr =~ /\basb\.co\.nz$/i

header      __FROM_BANK_LOOSE    From =~ /ban(?:k|co)/i

header      __FROM_CHASE         From:addr =~ /chase(?:2?-?paymentech)\.com$/i

header      __FROM_CMNWLTH_BANK  From:addr =~ /\bcommonwealth\.com\.au$/i

header	 __FROM_DNS		From =~ /(?<![^\w.-])dns(?:admin)?\@/i

meta        __FROM_DOM_ADMIN     __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN

header      __FROM_DOM_INFO    From:addr =~ /\.info$/i

header __FROM_EBAY	From:addr =~ /\@ebay\.com$/i

header      __FROM_EBAY_LOOSE    From =~ /\be-?bay\b/i

header         __FROM_EQ_ORG_1       ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
    header   __FROM_EQ_REPLY            eval:check_fromname_equals_replyto()
endif
endif

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags     __FROM_FMBLA_NDBLOCKED net
endif
endif

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags     __FROM_FMBLA_NEWDOM    net
endif
endif

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags     __FROM_FMBLA_NEWDOM14  net
endif
endif

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags     __FROM_FMBLA_NEWDOM28  net
endif
endif

header	 __FROM_FULL_NAME	From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
tflags	 __FROM_FULL_NAME	nice

header      __FROM_HSBC          From:addr =~ /\bhsbc\.co\.uk$/i

header	 __FROM_INFO		From =~ /(?<![^\w.-])info\@/i

header      __FROM_LLOYDSTSB     From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i

header          __FROM_LONG_DOM         From:addr =~ /\@[^.]{30}/

header      __FROM_LOWER       ALL =~ /from: \S{5}/

header         __FROM_MISSPACED      From =~ /^\s*"[^"]*"</

meta           __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH

if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
  meta         __FROM_MISSP_FREEMAIL 0
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta         __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
endif

meta        __FROM_MISSP_PHISH   __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)

meta           __FROM_MISSP_REPLYTO  __FROM_RUNON && __HAS_REPLY_TO

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  meta       __FROM_MULTI_NORDNS      __PDS_FROM_2_EMAILS && __RDNS_NONE 
endif

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  meta       __FROM_MULTI_SHORT_IMG   __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
endif

header     __FROM_NAME_APPLECOM        From:name =~ /\bapple\.com\b/i

header     __FROM_NAME_EBAYCOM         From:name =~ /\bebay\.com\b/i

full       __FROM_NAME_IN_MSG         /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm

header     __FROM_NAME_PAYPALCOM       From:name =~ /\bpaypal\.com\b/i

header __FROM_PAYPAL	From:addr =~ /\@paypal\.com$/i

header      __FROM_PAYPAL_LOOSE  From =~ /paypal/i

header         __FROM_RUNON          From =~ /\S+<\w+/

header         __FROM_RUNON_UNCODED  From:raw =~ /\S+(?<!\?=)<\w+/

header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i

header      __FROM_WELLSFARGO    From:addr =~ /wellsfargo\.com$/i

header      __FROM_WESTERNUNION  From:addr =~ /westernunion\.com$/i

header     __FROM_WORDY                From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
	meta        __FRT_PRICE        0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
	body        __FRT_PRICE        /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
endif

rawbody     __FR_SPACING_8     /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i

header   __FSL_HAS_LIST_UNSUB  exists:List-Unsubscribe

header  __FSL_HELO_BARE_IP_1      X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i

header  __FSL_HELO_USER_1   X-Spam-Relays-External =~ / helo=user /i

header  __FSL_HELO_USER_2   Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i

header  __FSL_HELO_USER_3   Received =~ /(?:eh|he)lo(?:=|\s)User\)/i

header   __FSL_RELAY_GOOGLE	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i

header      __FS_SUBJ_RE       Subject =~ /^Re: /

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          __FUZZY_DR_OZ       /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta          __FUZZY_MONERO      0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          __FUZZY_MONERO      /(?=<M>)(?!monero)<M><O><N><E><R><O>/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          __FUZZY_PORN        /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          __FUZZY_TRUSTWALLET_BODY  /(?=<T>)(?!Trust[-\s]?Wallet)<T><R><U><S><T>[-\s]*<W><A><L><L><E><T>/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  header        __FUZZY_TRUSTWALLET_FROM  From =~ /(?=<T>)(?!Trust[-\s]?Wallet)<T><R><U><S><T>[-\s]*<W><A><L><L><E><T>/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body          __FUZZY_WELLSFARGO_BODY  /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>\S{0,2}[-\s]?<F><A><R><G><O>/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  header        __FUZZY_WELLSFARGO_FROM  From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>\S{0,2}[-\s]?<F><A><R><G><O>/i
endif

meta        __GAPPY_HTML           __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02)

full        __GAPPY_HTML_01        m;</?[a-z]{1,6}(?:\s[^>]{0,40})?>(?:\s|=09){0,80}(?:(?!\d)[\w'()\#,.:!]{1,15}(?:\s|=09){4,80}){7}\S;

full        __GAPPY_HTML_02        m;\S(?:(?:\s|=09){4,80}(?!\d)[\w'()\#,.:!]{1,15}){7}(?:\s|=09){0,5}</?[a-z]{1,6}/?>;

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __GAPPY_SALES_LEADS         /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
  tflags     __GAPPY_SALES_LEADS         multiple maxhits=3
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __GAPPY_SALES_LEADS_MANY    __GAPPY_SALES_LEADS > 2
endif

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  uri           __GB_CUSTOM_HTM_URI0    m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i
endif
endif

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  uri           __GB_CUSTOM_HTM_URI1    m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
endif
endif

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  uri           __GB_CUSTOM_HTM_URI2    m;^https?://.{10,256}(?:\/\?)?(?:(?<!blocker)email=|audit\#|wapp\#)%{GB_TO_ADDR};i
endif
endif

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  uri           __GB_DRUPAL_URI         m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
endif
endif

header     __GB_FAKE_RF                  Subject =~ /(?:Fw|Re)\:{1,2}[\W+]/i

if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
  header        __GB_TO_ADDR            To:addr =~ /(?<GB_TO_ADDR>.*)/
endif
endif

body     __GHANA          /\bghana\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
endif

body     __GIVE_MONEY     /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i

meta        __GOOGLE_DOCS_PHISH_1  __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)

meta        __GOOGLE_DOCS_PHISH_2  __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY

meta        __GOOGLE_DOC_SUSP    __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED

uri       __GOOG_MALWARE_DNLD           m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i

uri       __GOOG_REDIR                  m;^https?://[^/]*\.google\.com/url\?;i

meta        __GOOG_STO_HTML_PHISH     __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY

meta       __GOOG_STO_IMG_HTML_1      __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML

meta       __GOOG_STO_IMG_NOHTML      __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML

meta       __GOOG_STO_NOIMG_HTML      !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML

body __HAS_ANY_EMAIL /\w@\S+\.\w/

uri __HAS_ANY_URI   /^\w+:\/\//

header     __HAS_CAMPAIGNID            exists:X-Campaignid

header     __HAS_CID                   exists:X-CID

header     __HAS_COMPLAINT_TO          exists:Complaint-To

header     __HAS_DOMAINKEY_SIG         exists:DomainKey-Signature

describe	__HAS_HREF	Has an anchor tag with a href attribute in non-quoted line
rawbody		__HAS_HREF	/^[^>].*?<a href=/im
tflags		__HAS_HREF	multiple maxhits=100

describe	__HAS_HREF_ONECASE	Has an anchor tag with a href attribute in non-quoted line with consistent case
rawbody		__HAS_HREF_ONECASE	/^[^>].*?<(?:a href|A HREF)=/m
tflags		__HAS_HREF_ONECASE	multiple maxhits=100

describe	__HAS_IMG_SRC	Has an img tag on a non-quoted line
rawbody		__HAS_IMG_SRC	/^[^>].*?<img src=/im
tflags		__HAS_IMG_SRC	multiple maxhits=100

rawbody  __HAS_IMG_SRC_DATA  /^[^>].*?<img src=['"]data/im

describe	__HAS_IMG_SRC_ONECASE	Has an img tag on a non-quoted line with consistent case
rawbody		__HAS_IMG_SRC_ONECASE	/^[^>].*?<(?:img src|IMG SRC)=/m
tflags		__HAS_IMG_SRC_ONECASE	multiple maxhits=100

header     __HAS_LIST_OPEN             exists:List-Open

header     __HAS_LOGID                 exists:logid

header     __HAS_MESSAGEID             exists:MessageID

header     __HAS_PHP_ORIG_SCRIPT       exists:X-PHP-Originating-Script

header     __HAS_PHP_SCRIPT            exists:X-PHP-Script

header __HAS_THREAD_INDEX  exists:Thread-Index

header     __HAS_TRACKING_CODE         exists:Tracking-Code

body     __HAS_WON_01    /\bque ha ganado\b/i

header     __HAS_XM_LID                exists:X-Mailer-LID

header     __HAS_XM_RECPTID            exists:X-Mailer-RecptId

header     __HAS_XM_SENTBY             exists:X-Mailer-Sent-By

header     __HAS_XM_SID                exists:X-Mailer-SID

header     __HAS_X_ANTIABUSE           exists:X-AntiAbuse

header     __HAS_X_AUTHED_SENDER       exists:X-Authenticated-Sender

header     __HAS_X_EBSERVER            exists:X-EBSERVER

header     __HAS_X_ENTITY_ID           exists:X-Entity-ID

header     __HAS_X_LETTER              exists:X-Letter

header    __HAS_X_NO_RELAY              exists:X-No-Relay

header     __HAS_X_OUTGOING_SPAM_STAT  exists:X-OutGoing-Spam-Status

header     __HAS_X_SENDER              exists:X-Sender

header     __HAS_X_SOURCE_DIR          exists:X-Source-Dir

header         __HDRS_LCASE          ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
tflags         __HDRS_LCASE          multiple maxhits=3

meta           __HDRS_LCASE_KNOWN    __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH

header         __HDRS_MISSP          ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism

header     __HDR_CASE_REVERSED         ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
tflags     __HDR_CASE_REVERSED         multiple maxhits=4

header     __HDR_ENVFROM_SHOPIFY       X-Spam-Relays-External =~ /\shelo=\S+\.mailer\.shopify\.com\s(?:[^\]\s]+\s)*envfrom=\S+\.shopifyemail\.com\s/

header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s

header     __HDR_RCVD_ALIBABA          X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/

header     __HDR_RCVD_AMAZON           X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/

header     __HDR_RCVD_AMAZON_HELO      X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/

header     __HDR_RCVD_APPLE            X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/

header     __HDR_RCVD_BEBEE            X-Spam-Relays-External =~ /\srdns=\S+\.bebee\.com\s/

header     __HDR_RCVD_EBAY             X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/

header     __HDR_RCVD_FACEBOOK         X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/

header     __HDR_RCVD_GOOGLE           X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/

header     __HDR_RCVD_KEEPA            X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/

header     __HDR_RCVD_LINKEDIN         X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/

header     __HDR_RCVD_NEWEGG           X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/

header     __HDR_RCVD_PAYPAL           X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/

header     __HDR_RCVD_SHOPIFY          X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/

header     __HDR_RCVD_TAGSTAT          X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/

header     __HDR_RCVD_TARINGANET       X-Spam-Relays-External =~ /\srdns=\S+\.taringa\.net\s/

header      __HDR_RCVD_TONLINEDE       X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/

header     __HDR_RCVD_WALMART          X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/

ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags   __HELO_DNS net
endif

header   __HELO_HIGHPROFILE  X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i

header __HELO_NOT_RDNS	X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/

header __HELO_NO_DOMAIN   X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /

body        __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
tflags      __HEXHASHWORD_S2EU multiple maxhits=4

body		__HK_LOTTO_2		/\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i

body		__HK_LOTTO_BALLOT	/\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i

body		__HK_LOTTO_STAATS	/\bstaatsloteri/i

ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
  header	__HK_NAME_FROM		From:name =~ /^FROM\b/mi
endif
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
  header	__HK_NAME_MR_MRS	From:name =~ /^M(?:RS?|ISS)\b/mi
endif
endif

body		__HK_SCAM_N15		/\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i

body		__HK_SCAM_N16		/\b(?:arrangement secret|secret arrangement)\b/i

body		__HK_SCAM_N2		/\bnext of kin\b/i

body		__HK_SCAM_N3		/\bdirect telephone numbers?\b/i

body		__HK_SCAM_N8		/\byour compensation\b/i

body		__HK_SCAM_S1		/pay you the sum of/i

body		__HK_SCAM_S15		/(?:discovered a dormant account|can you be my partner)/i

body		__HK_SCAM_S25		/\bbank (?:in|of) ghana/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader	__HK_SPAMMY_CDFN	Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader	__HK_SPAMMY_CTFN	Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
endif

meta       __HOSTED_IMG_DIRECT_MX      __DOS_DIRECT_TO_MX && __URI_HOSTED_IMG

meta       __HOSTED_IMG_DQ_UNSUB       __URI_DQ_UNSUB && __URI_HOSTED_IMG

meta       __HOSTED_IMG_FREEM          ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG

meta       __HOSTED_IMG_MULTI          ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE + __URI_IMG_CWINDOWSNET) > 1

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __HOURS_DEADLINE       /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(?:\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __HOURS_DEADLINE       /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(?:\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
endif

rawbody    __HREF_EMPTY                /href=""/

meta       __HREF_EMPTY_NORDNS         __HREF_EMPTY && __RDNS_NONE

meta       __HREF_EMPTY_PHPMAIL        __HREF_EMPTY && (__PHPMAILER_MUA || __XMAIL_PHPMAIL)

meta       __HREF_EMPTY_XANTIABUSE     __HREF_EMPTY && __HAS_X_ANTIABUSE

meta       __HREF_EMPTY_XAUTHED        __HREF_EMPTY && __HAS_X_AUTHED_SENDER

rawbody __HS_QUOTE /^> /

header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __HTML_ATTACH_01    0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __HTML_ATTACH_01    Content-Type =~ m,\btext/html\b.+\.[a-z]?html?\b,i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __HTML_ATTACH_02    0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __HTML_ATTACH_02    Content-Disposition =~ m,\bfilename="?[^"]+\.[a-z]?html?\b,i
endif

rawbody    __HTML_ENTITY_ASCII         /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i

meta       __HTML_ENTITY_ASCII_MINFP   __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML 

meta       __HTML_ENTITY_ASCII_TINY    __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)

rawbody     __HTML_FONT_TINY_01      /font-size:\s{0,5}[0-4]px;/i

rawbody     __HTML_FONT_TINY_02      /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i

meta        __HTML_FONT_TINY_NORDNS  (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE 

rawbody     __HTML_OFF_PAGE   /;(?:top|left):-\d{3,9}px;/i

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  rawbody    __HTML_SHRT_CMNT_OBFU       /\w<!--\s*\w+\s*-->\w/
  tflags     __HTML_SHRT_CMNT_OBFU       multiple maxhits=10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __HTML_SHRT_CMNT_OBFU_MANY  __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
endif

rawbody   __HTML_SINGLET                />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
tflags    __HTML_SINGLET                multiple maxhits=21

meta      __HTML_SINGLET_MANY           __HTML_SINGLET > 20

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
  body       __HTML_TAG_BALANCE_CENTER     eval:html_tag_balance('center', '!= 0')
endif

body     __HUSH_HUSH      /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i

uri        __IMGUR_IMG                 m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g|webp)$,i
tflags     __IMGUR_IMG                 multiple maxhits=4

meta       __IMGUR_IMG_2               __IMGUR_IMG == 2

meta       __IMGUR_IMG_3               __IMGUR_IMG == 3

if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
  meta       __IMG_LE_300K           0
endif

ifplugin Mail::SpamAssassin::Plugin::ImageInfo
  body       __IMG_LE_300K           eval:pixel_coverage('all',62500,300000)
endif

uri         __IMG_S3_AWS      m;https://(?:[a-z0-9-]+)\.s3\.amazonaws\.com/uploads/[^./]{1,256}\.(?:jpe?g|gif|png|webp);i

body     __INHERIT_PMT    /\binheritance\spayment\s/i

body     __INTL_BANK      /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i

body     __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i

body     __INVEST_MONEY   /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i

header __IP_IN_RELAY  X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __ISO_ATTACH        0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __ISO_ATTACH        Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __ISO_ATTACH_MT     0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __ISO_ATTACH_MT     Content-Type =~ m,\bapplication/x-iso9660-image\b,i
endif

body     __IS_LEGAL       /\b(?:(?:(?:this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i

body     __IVORY_COAST    /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i

body     __I_INHERIT      /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i

body     __I_WILL_YOU     /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i

header __JM_REACTOR_DATE    Date =~ / \+0000$/

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __JPEG_ATTACH           Content-Type =~ /image\/jpe?g/i
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader 	__KAM_BLOCK_UTF7_2     	Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
        body            __KAM_BODY_LENGTH_LT_1024       eval:check_body_length('1024')
        describe        __KAM_BODY_LENGTH_LT_1024       The length of the body of the email is less than 1024 bytes.
endif
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
	body            __KAM_BODY_LENGTH_LT_128        eval:check_body_length('128')
        describe        __KAM_BODY_LENGTH_LT_128        The length of the body of the email is less than 128 bytes.
endif
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
        body            __KAM_BODY_LENGTH_LT_256        eval:check_body_length('256')
        describe        __KAM_BODY_LENGTH_LT_256        The length of the body of the email is less than 256 bytes.
endif
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
        body            __KAM_BODY_LENGTH_LT_512        eval:check_body_length('512')
        describe        __KAM_BODY_LENGTH_LT_512        The length of the body of the email is less than 512 bytes.
endif
endif

if !plugin(Mail::SpamAssassin::Plugin::HTMLEval)
meta		__KAM_HTML_FONT_INVALID		0
endif

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body		__KAM_HTML_FONT_INVALID		eval:html_test('font_invalid_color')
endif

body            __KAM_LOTTO2    /(?:(?:ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is

header   __KB_DATE_CONTAINS_TAB  Date:raw =~ /^\t/

header __KB_MSGID_OUTLOOK_888  Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/

meta	 __KHOP_NO_FULL_NAME	!(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME)

if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
   meta        __LARGE_PERCENT_AFTER  0
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
   body        __LARGE_PERCENT_AFTER  /\d{3}% after/i
   tflags      __LARGE_PERCENT_AFTER  multiple maxhits=4
endif

if !plugin(Mail::SpamAssassin::Plugin::HeaderEval)
  meta      __LCL__ENV_AND_HDR_FROM_MATCH     0
endif

ifplugin Mail::SpamAssassin::Plugin::HeaderEval
  meta      __LCL__ENV_AND_HDR_FROM_MATCH     __ENV_AND_HDR_FROM_MATCH
endif

if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
  meta      __LCL__KAM_BODY_LENGTH_LT_1024    0
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
    meta      __LCL__KAM_BODY_LENGTH_LT_1024    0
endif
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_1024    __KAM_BODY_LENGTH_LT_1024
endif
endif

if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
  meta      __LCL__KAM_BODY_LENGTH_LT_128     0
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
    meta      __LCL__KAM_BODY_LENGTH_LT_128     0
endif
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_128     __KAM_BODY_LENGTH_LT_128
endif
endif

if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
  meta      __LCL__KAM_BODY_LENGTH_LT_512     0
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
    meta      __LCL__KAM_BODY_LENGTH_LT_512     0
endif
endif

ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta      __LCL__KAM_BODY_LENGTH_LT_512     __KAM_BODY_LENGTH_LT_512
endif
endif

meta       __LINKED_IMG_NOT_RCVD_LINK  __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN

meta        __LIST_PARTIAL         __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID

meta        __LIST_PRTL_PUMPDUMP   __LIST_PARTIAL && __PD_CNT_1

meta        __LIST_PRTL_SAME_USER  __LIST_PARTIAL && __TO_EQ_FROM_USR

body     __LITECOIN_ID   /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/

uri __LOCAL_PP_NONPPURL		m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i

body        __LOCK_MAILBOX       /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
tflags      __LOCK_MAILBOX       multiple maxhits=2

full     __LONGLINE	/^[^\r\n]{998}/m

meta        __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE

rawbody   __LONG_INVIS_DIV              /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __LONG_STY_INVIS              __STY_INVIS_2 && __LONGLINE
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __LOTSA_MONEY_00   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __LOTSA_MONEY_00   /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __LOTSA_MONEY_01   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __LOTSA_MONEY_01   /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __LOTSA_MONEY_02   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __LOTSA_MONEY_02   /(?<![-\d\#])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __LOTSA_MONEY_03   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __LOTSA_MONEY_03   /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __LOTSA_MONEY_04   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __LOTSA_MONEY_04   /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|U\s?S\s?D|G\s?B\s?P|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __LOTSA_MONEY_05   0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __LOTSA_MONEY_05   /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i
endif

meta     __LOTTO_ADMITS     __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2

body     __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i

body     __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i

uri      __LOTTO_ADMITS_3 /lott+ery/i

meta     __LOTTO_AGENT    __LOTTO_AGENT_01 || __LOTTO_AGENT_02

body     __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i

body     __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i

header   __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __LOTTO_ATTACH_1   0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __LOTTO_ATTACH_1   Content-Type =~ /lott(?:o|ery)/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __LOTTO_ATTACH_2   0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __LOTTO_ATTACH_2   Content-Disposition =~ /lott(?:o|ery)/i
endif

body     __LOTTO_DEPT       /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i

body     __LOTTO_RELATED    /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i

body     __LOTTO_VERIFY     /\bpromo\sverification/i

body     __LOTTO_WINNINGS   /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i

body     __LOTTO_WIN_01     /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    body            __LOWER_E       /e/
    tflags          __LOWER_E       multiple maxhits=230
endif
endif

body     __LUCKY_WINNER   /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i

body     __LUCRATIVE      /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i

header     __LUNSUB_BEFORE_SUBJDT      ALL =~ /^List-unsubscribe: (?:[^\n]+\n+){1,40}^(?:Subject|Date): /ism

rawbody __L_BODY_8BITS          /[\x80-\xff]/

header __L_CTE_7BIT             Content-Transfer-Encoding =~ /^7bit$/

header __L_CTE_8BIT             Content-Transfer-Encoding =~ /^8bit$/

body        __MAILBOX_FULL       /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i

body        __MAILBOX_FULL_SE    /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i

header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/

body        __MAIL_ACCT_ACCESS1  /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i

body        __MAIL_ACCT_ACCESS2  /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i

uri	 __MAIL_LINK	/\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i
tflags	 __MAIL_LINK	nice

body       __MAKE_XTRA_DOLLAR          /\bmake an extra dollar\b/i

header     __MALF_MIME_VER             MIME-Version =~ /^1\.0\S/

meta           __MALWARE_NORDNS       __MY_MALWARE && __RDNS_NONE 

meta           __MALWARE_PASSWORD     __MY_MALWARE && __PASSWORD 

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         __MALW_ATTACH       __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __MALW_ATTACH_01_01 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __MALW_ATTACH_01_02 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __MALW_ATTACH_02_01 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g|webp))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __MALW_ATTACH_02_02 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g|webp))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
endif

meta           __MANY_HDRS_LCASE     __HDRS_LCASE > 1

meta           __MANY_SPAN_IN_TEXT   (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)

uri            __MANY_SUBDOM       m;^https?://(?:[^\./]{1,30}\.){6};i

header __MAY_BE_FORGED	Received =~ /\(may be forged\)/

header __MID_START_001C   Message-ID =~ /^<000001c/

body     __MILLIONS       /\bmillions\sof\s(?:dollar|euro|pound)/i

header __MIMEOLE_1106   X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/

meta       __MIMEOLE_DIRECT_TO_MX      __HAS_MIMEOLE && __DOS_DIRECT_TO_MX 

header     __MIME_BDRY_0D0D        Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/

if !((version >= 3.004000))
	meta        __MIME_CTYPE_IN_BODY    0
endif

if (version >= 3.004000)
	body        __MIME_CTYPE_IN_BODY    /^Content-Type:\s/
endif

if !((version >= 3.004000))
	meta        __MIME_MALF      0
endif

if (version >= 3.004000)
	meta        __MIME_MALF      __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta        __MIME_NO_TEXT    0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta        __MIME_NO_TEXT    (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  rawbody __MIME_QPC           eval:check_for_mime('mime_qp_count')
endif

header   __MISSING_REF		References =~ /^UNSET$/ [if-unset: UNSET]

header   __MISSING_REPLY	In-Reply-To =~ /^UNSET$/ [if-unset: UNSET]

rawbody    __MIXED_AREA_CASE           /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/

rawbody    __MIXED_CENTER_CASE         /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/

rawbody    __MIXED_FONT_CASE           /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/

describe	__MIXED_HREF_CASE	Has anchor tags with mixed-up cases in non-quoted lines
meta		__MIXED_HREF_CASE	__HAS_HREF - __HAS_HREF_ONECASE > 0

rawbody    __MIXED_IMG_CASE_JH         /<(?!IMG|img)[Ii][Mm][Gg]\s/

header __MOLE_2962  X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/

meta           __MONERO         (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)

body           __MONERO_CURNCY  /Monero \(XMR\)/

body           __MONERO_ID      /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/

meta     __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD

meta     __MONEY_FORM        LOTS_OF_MONEY && __FILL_THIS_FORM

meta     __MONEY_FORM_SHORT  LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT

meta     __MONEY_FRAUD_3  LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH +  __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS +  __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX +  __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)

meta     __MONEY_FRAUD_5  LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH +  __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS +  __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX +  __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)

meta     __MONEY_FRAUD_8  LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH +  __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS +  __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX +  __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta     __MONEY_FREEMAIL_REPTO   LOTS_OF_MONEY && __freemail_hdr_replyto
endif

meta            __MONEY_FROM_41           __NSL_RCVD_FROM_41 && LOTS_OF_MONEY

body     __MOVE_MONEY     /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i

meta       __MSGID_DOLLARS_URI_IMG     __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE

header         __MSGID_GUID          Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i

header         __MSGID_HEXISH        Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/

header         __MSGID_HEX_UID       Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/

header __MSGID_JAVAMAIL	Message-ID =~ /\.JavaMail\./
tflags __MSGID_JAVAMAIL	nice

header	 __MSGID_LIST	Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
tflags	 __MSGID_LIST	nice

header   __MSGID_NOFQDN2  Message-ID =~ /<.*\@[A-Za-z0-9]+>/m

meta       __MSM_PRIO_REPTO             __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT 

header __MSOE_MID_WRONG_CASE   ALL =~ /\nMessage-Id: /

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __MSO_THEME_MT      Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i
endif

header         __MTLANDROID_MUA    X-Mailer =~ /\bMotorola android mail \d+\.\d/

header     __MUA_TBIRD             User-Agent =~ /^Mozilla\/.* Thunderbird/

body     __MY_FORTUNE     /\b(?:my|his|her)\s(?:fortune|heritage)\b/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __MY_MALWARE           /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __MY_MALWARE           /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __MY_VICTIM            /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __MY_VICTIM            /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
endif

header __NAKED_TO   To =~ /^[^\s<>]+\@[^\s<>]+$/

meta           __NAME_EMAIL_DIFF   __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL

header __NAME_EQ_EMAIL	From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i

header __NAME_IS_EMAIL	From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/

meta       __NEWEGG_IMG_NOT_RCVD_NEGG  __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG

body       __NEW_PRODUCTS              /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i

body     __NEXT_OF_KIN    /\bnext[-\s]of[-\s]kin\b/i

body     __NIGERIA        /\bnigeria\b/i

meta        __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE

meta	 __NOT_A_PERSON	__VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
tflags	 __NOT_A_PERSON	nice

body     __NOT_DEAD_YET   /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i

body     __NOT_SCAM       /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i

tflags	   __NOT_SPOOFED	nice

if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
if !plugin(Mail::SpamAssassin::Plugin::SPF)
  meta __NOT_SPOOFED  DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED	# yes DKIM, no SPF
endif
endif

if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
 ifplugin Mail::SpamAssassin::Plugin::SPF
  meta __NOT_SPOOFED  SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED	# yes DKIM, yes SPF
endif
endif

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::SPF)
   meta __NOT_SPOOFED  __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED	# no DKIM, no SPF.
endif
endif

if !plugin(Mail::SpamAssassin::Plugin::DKIM)
 ifplugin Mail::SpamAssassin::Plugin::SPF
   meta __NOT_SPOOFED  SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED	# no DKIM, yes SPF
endif
endif

meta     __NO_INR_YES_REF	(__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)

header          __NSL_ORIG_FROM_41        X-Originating-IP =~ /^(?:.+\[)?41\./
describe        __NSL_ORIG_FROM_41        Originates from 41.0.0.0/8

header          __NSL_RCVD_FROM_41        X-Spam-Relays-External =~ / ip=41\./
describe        __NSL_RCVD_FROM_41        Received from 41.0.0.0/8

header   __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(?:\.[a-z]{2,4})?\.[a-z]+$/i

header      __NUMBERS_IN_SUBJ  Subject =~ /\d{3}/

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta           __OBFU_BITCOIN   ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta           __OBFU_BITCOIN   ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta           __OBFU_BITCOIN_NOID   ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta           __OBFU_BITCOIN_NOID   ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
endif

body       __OBFU_UNSUB_UL             /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/

if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
  meta       __ONE_IMG               0
endif

ifplugin Mail::SpamAssassin::Plugin::ImageInfo
  body       __ONE_IMG               eval:image_count('all',1,1)
endif

header   __OPERA_MID_NON_OP    Message-ID =~ /^<[^o][^p]\./

body     __OUR_BEHALF     /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_CID_STOCK_LESS    Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __PART_STOCK_CL Content-Location =~ /./
endif

body       __PASSIVE_INCOME            /\bpassive income\b/i

body       __PASSWORD                  /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i

body        __PASSWORD_EXP_CLUMSY  /\bpassword is due for expiration yesterday\b/i

body        __PASSWORD_UPGRADE   /\bpassword upgrade\b/i

body           __PAXFUL         /\bp-?a+-?x+-?f-?u+-?l\b/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __PAY_ME               /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __PAY_ME               /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i
endif

body     __PAY_YOU        /\bpay\syou\b/

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __PCT_FOR_YOU    0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     __PCT_FOR_YOU    __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __PCT_FOR_YOU_1  0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __PCT_FOR_YOU_1  /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __PCT_FOR_YOU_2  0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __PCT_FOR_YOU_2  /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __PCT_FOR_YOU_3  0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __PCT_FOR_YOU_3  /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta     __PCT_OF_PMTS    0
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body     __PCT_OF_PMTS    /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __PDF_ATTACH       0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  meta         __PDF_ATTACH       (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __PDF_ATTACH_FN1   0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __PDF_ATTACH_FN1   Content-Type =~ /="[^"]+\.pdf"/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __PDF_ATTACH_FN2   0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __PDF_ATTACH_FN2   Content-Disposition =~ /="[^"]+\.pdf"/i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __PDF_ATTACH_MT    0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __PDF_ATTACH_MT    Content-Type =~ m,\bapplication/pdf\b,i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  header   __PDS_BTC_ANON     From:name =~ /\bAnon/
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta     __PDS_BTC_BADFROM     ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE )
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  header   __PDS_BTC_HACKER   From:name =~ /h<A>ck<E>r/i
endif

meta     __PDS_BTC_ID   ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  header   __PDS_BTC_PIRATE   From:name =~ /p<I>r<A>t<E>/i
endif

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
header   __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER')
endif
endif

uri  __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$;

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
body     __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i
endif
endif

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  header     __PDS_FROM_2_EMAILS      From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
endif

header   __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i

header   __PDS_FROM_NAME_TO_DOMAIN  ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism

header   __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/

meta     __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)

header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/

header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/

header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/

ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta     __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS)
tflags   __PDS_HP_HELO_NODNS net
endif

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024
endif

ifplugin Mail::SpamAssassin::Plugin::HTMLEval
meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048
endif

meta     __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)

meta     __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024)

meta     __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512)

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
meta     __PDS_NEWDOMAIN  (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28)
tflags   __PDS_NEWDOMAIN  net
endif
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
body     __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i
endif
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
  meta    __PDS_QP_1024 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  meta    __PDS_QP_1024      (__MIME_QPC > 0) && (__MIME_QPC < 1024)
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
  meta    __PDS_QP_128 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  meta    __PDS_QP_128       (__MIME_QPC > 0) && (__MIME_QPC < 128)
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
  meta    __PDS_QP_512 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  meta    __PDS_QP_512       (__MIME_QPC > 0) && (__MIME_QPC < 512)
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
  meta    __PDS_QP_64 0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEEval
  meta    __PDS_QP_64        (__MIME_QPC > 0) && (__MIME_QPC < 64)
endif

header   __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:mta|mail|mx|smtp)\b\S* /i

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
body     __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
endif
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
body     __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
endif
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
body     __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
endif
endif

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED
endif
endif

if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::AskDNS
tflags   __PDS_SPF_ONLYALL net
endif
endif

meta     __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE

header   __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  header     __PDS_TO_EQ_FROM_NAME_1  ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
endif

if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
  header     __PDS_TO_EQ_FROM_NAME_2  ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n<]{0,80}<)?(\1)>?/ism
endif

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024
endif
endif

ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta     __PDS_URISHORTENER __URL_SHORTENER
endif
endif

meta        __PD_CNT_1        (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0

body        __PENDING_MESSAGES   /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i

body       __PERFECT_BINARY            /\bperfect binary option\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __PHISH_ATTACH_01_01  Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __PHISH_ATTACH_01_02  Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
endif

meta       __PHISH_FBASE_01            (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __PHOTO_RETOUCHING         /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
  tflags     __PHOTO_RETOUCHING         multiple maxhits=5
endif

header  __PHPMAILER_MUA       X-Mailer =~ /^PHPMailer\b/

meta    __PHP_MUA             __PHP_MUA_1 || __PHP_MUA_2

header  __PHP_MUA_1           X-Mailer =~ /^PHP\s?v?\/?\d\./

header  __PHP_MUA_2           X-Mailer =~ /^PHP\d$/

header  __PHP_NOVER_MUA       X-Mailer =~ /^PHP$/

meta       __PHP_ORIG_SCRIPT_SONLY     __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)

if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
  meta        __PILL_PRICE_01        0
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __PILL_PRICE_01        m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
  tflags      __PILL_PRICE_01        multiple maxhits=3
endif

if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
  meta        __PILL_PRICE_02        0
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body        __PILL_PRICE_02        /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
  tflags      __PILL_PRICE_02        multiple maxhits=3
endif

body           __PLS_REVIEW       /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
endif

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
endif

uri         __PS_TEST_LOC_WP   m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg|\.webp)[^?]{4}(?:\?[^?]{1,5})?$;i

body        __PUMPDUMP_01     /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i

body        __PUMPDUMP_02     /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i

body        __PUMPDUMP_03     /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i

body        __PUMPDUMP_04     /\bmake you (?:big bucks|hundreds|thousands)\b/i

body        __PUMPDUMP_05     /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i

body        __PUMPDUMP_06     /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i

body        __PUMPDUMP_07     /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i

body        __PUMPDUMP_08     /\b(?:sto[ck]{2}|sotk) of the year/i

body        __PUMPDUMP_09     /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i

body        __PUMPDUMP_10     /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i

body     __RANDOM_PICK    /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i

header    __RAND_HEADER                ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
tflags    __RAND_HEADER                multiple maxhits=4

meta      __RAND_HEADER_2              __RAND_HEADER > 1

header    __RAND_MKTG_HEADER           ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism

header __RATWARE_BOUND_A  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "

header __RATWARE_BOUND_B  ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "

header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i
tflags __RCD_RDNS_MAIL nice

header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
tflags __RCD_RDNS_MAIL_MESSY nice

header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i
tflags __RCD_RDNS_MTA nice

header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
tflags __RCD_RDNS_MTA_MESSY nice

header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
tflags __RCD_RDNS_MX nice

header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
tflags __RCD_RDNS_MX_MESSY nice

header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i
tflags __RCD_RDNS_OB nice

header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i
tflags __RCD_RDNS_SMTP nice

header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
tflags __RCD_RDNS_SMTP_MESSY nice

header     __RCVD_DOTEDU_EXT           X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i

meta       __RCVD_DOTEDU_SHORT         __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )

meta       __RCVD_DOTEDU_SUSP_URI      __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )

header     __RCVD_DOTGOV_EXT           X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i

header         __RCVD_ZIXMAIL        X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /

header __RDNS_LONG	X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/

header __RDNS_NO_SUBDOM	X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /

header     __RDNS_NUMERIC_TLD          X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/

header __RDNS_SHORT	X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /

body       __RECEIVE_BONUS             /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i

header __RELAY_THRU_WWW	Received =~ /from (?:[^ \@]+\@)?www\./

body        __RELEASE_MESSAGES   /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
  meta	__REMOTE_IMAGE	(__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
endif

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
endif
endif

header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll|ynnpage)|m(?:\.francco|_l\.wanczyk|asayohara|rsjanetedwards)|o(?:fficework|xf)|p(?:aulpollard|eterwong)|royalpalace|spwalker|usembassy|webank|yurdaaytarkan))\d+\@aol\.com$/i

header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha(?:1976gaddafi|gaddafilibya)|l(?:an\.austin|ber\.yang|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:d(?:rewhawkins|yfox)|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|rnard\.arnult|tsyholden)|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|e(?:da\.ogada|lineroullier)|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:lombasjuan|ntactad|operation)|r(?:awfordgillies|ist(?:brun?|davis|ydavis(?:donation|foundation)))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.(?:loanfirm|murray)|ibe|larbi|mathers|pere|ramirez\.luis)|scarolyn|yax))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|hlexpresscompany|ipfrancis|minique|ona(?:ldwilliam|tionhelpercare)|r(?:\.w(?:erneroyer|ilsonpaul)|davidrhama|joesimon|rhamahassan)|unsilva)|e(?:benezero|christina|dmundventura|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:evemusk|nakgeorge|zcelic)|s(?:sexlss|therkatherine)|wynn)|f(?:\.mikhail|a(?:ithdesrie|rahwasam|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:es(?:\.connelly|patrickconnolly)|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|u(?:lanlan|ndinternationalmonetary))|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|r(?:ciavincent|yakinson))|bill|e(?:neralwilliamstony|orge(?:brownhoward|kwame)|r(?:aldjhjh|tjanvlieghe))|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo)|lengiggs|ritagetrustbank)|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle|ternationallppp)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:cobmaseon|mesokoh|vierlesme)|e(?:fferydean|ssikasingh)|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|tanko|uba|walterlove|a)|n(?:a(?:haskel|thanhaskel)|esandassociates|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson|ymrskone)|rawlings|ulie(?:t\.lee?|watson))|k(?:a(?:l(?:iaksandr|stromjames|tschmidtdavid)|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|nnedy\.sawadogo)|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|ndfair\.co\.uk|rynne(?:0west|west)|wisrichards)|i(?:amfinchus|fecshortt|liane\.bettencourt|n(?:elink|glung)|sa(?:milner|robin)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:\.francco|a(?:ckoliver|incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:a(?:hhills|nnewoosley)|nacoleman|opabl)|k(?:roth|uses)|shalh|tinamayer|y(?:franson|josen))|s(?:onmanny|pencer)|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|o(?:ham(?:edabdul|m(?:adraqab|daljililati|edshamekh))|rienkal)|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell|tonyelumelu)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:isha(?:alqadafi|gaddafi)|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|j(?:ackman|essicajeffrey)|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|ffice(?:emaill|rricherd)|hallkenneth|lenasheve|rabankheadofficelometogo|xfaminternationa)|p(?:a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|sultbox|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|i(?:cha(?:miller|rdw(?:ahl|illis))|tawilliams)|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|o(?:fia\.adams|p(?:adam|hiajesse))|peelman|t(?:anleyjohn|e(?:fanopn|phentam))|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:am\.spacex|nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|robins|zimpro)|shikazusendo)|sfoundation)|u(?:babankheadoffice|derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iam(?:robert|smartyrs)))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo)|uliiakadulina)|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i

header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|ilmohammed|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rrister\.dennis)|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|d(?:hamilton|iaanesoto)|e(?:denvictor|ricalbert)|f(?:aizaadama|ederal\.r)|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|unny(?:\.sopheap|_sopheap))|nestordaniel|o(?:biorahkenneth|fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|oftc|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i

header    __REPTO_CHN_FREEM             Reply-To =~ /\@(?:sina|aliyun)\.com/i

header    __REPTO_RUS_FREEM             Reply-To =~ /\@mail\.ru/i

if !((version >= 3.003000))
  meta        __RP_MATCHES_RCVD      0
endif

if (version >= 3.003000)
if !plugin(Mail::SpamAssassin::Plugin::WLBLEval)
  meta        __RP_MATCHES_RCVD      0
endif
endif

if (version >= 3.003000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
  header      __RP_MATCHES_RCVD      eval:check_mailfrom_matches_rcvd()
endif
endif

body     __SCAM           /\bscam(?:m?e[dr])?s?\b/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader	__SCC_BOGUS_CTE_1	Content-Transfer-Encoding =~ /^Hexa/i
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader	__SCC_CTMPP     Content-Type =~ /multipart\/parallel/	
endif

rawbody        __SCRIPT_GIBBERISH       /<script>[^;<]{100}/im

body           __SCRIPT_TAG_IN_BODY     /<script>/i

body        __SECURITY_DEPT      /\bsecurity dep(?:artmen)?t\b/i

header	 __SENDER_BOT	ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i
tflags	 __SENDER_BOT	nice

uri        __SENDGRID_REDIR            m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,

meta       __SENDGRID_REDIR_PHISH      __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )

body     __SHARE_IT       /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i

meta       __SHOPIFY_IMG_NOT_RCVD_SFY  __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY

uri	 __SHORT_URL	/^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  rawbody        __SHY_OBFU_EXPIRE       /e(?!xpire)<SHY>{0,6}x<SHY>{0,6}p<SHY>{0,6}i<SHY>{0,6}r<SHY>{0,6}e/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  rawbody        __SHY_OBFU_PASSWORD     /p(?!assword)<SHY>{0,6}a<SHY>{0,6}s<SHY>{0,6}s<SHY>{0,6}w<SHY>{0,6}o<SHY>{0,6}r<SHY>{0,6}d/i
endif

body        __SINGLE_WORD_LINE  /^\s?\S{1,60}\s?$/
tflags      __SINGLE_WORD_LINE  multiple maxhits=2

header      __SINGLE_WORD_SUBJ  Subject =~ /^\s*\S{1,60}\s*$/

header      __SMIME_MESSAGE    Content-Type =~ /application\/pkcs7-mime;/i

rawbody        __SPAN_BEG_TEXT     /[a-z]{2}<(?i:span)\s/
tflags         __SPAN_BEG_TEXT     multiple maxhits=5

rawbody        __SPAN_END_TEXT     /[^;>]<\/(?i:span)>[a-z]{3}/
tflags         __SPAN_END_TEXT     multiple maxhits=5

if !plugin(Mail::SpamAssassin::Plugin::SPF)
  meta            __SPF_FULL_PASS         0
endif

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta            __SPF_FULL_PASS         (SPF_PASS && SPF_HELO_PASS)
  tflags          __SPF_FULL_PASS         net
endif

if !plugin(Mail::SpamAssassin::Plugin::SPF)
  meta            __SPF_RANDOM_SENDER     0
endif

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta            __SPF_RANDOM_SENDER     (SPF_HELO_PASS && !SPF_PASS)
  tflags          __SPF_RANDOM_SENDER     net
endif

meta     __SPOOFED_FREEMAIL     !__NOT_SPOOFED && FREEMAIL_FROM
tflags   __SPOOFED_FREEMAIL     net

meta      __SPOOFED_FREEM_REPTO         __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
tflags    __SPOOFED_FREEM_REPTO         net

rawbody  __SPOOFED_URL	m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i

meta        __STATIC_XPRIO_OLE   __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE

body       __STAY_HOME                 /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i

body        __STOCK_TIP       /\bsto[ck]{2}\s?tip\b/i

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  rawbody   __STY_INVIS                   /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
  tflags    __STY_INVIS                   multiple maxhits=6
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __STY_INVIS_1                 __STY_INVIS == 1
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __STY_INVIS_1_MINFP           __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __STY_INVIS_2                 __STY_INVIS > 1
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __STY_INVIS_3                 __STY_INVIS > 2
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __STY_INVIS_DIRECT            __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED 
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __STY_INVIS_MANY              __STY_INVIS > 5
endif

header     __SUBJECT_EMPTY              Subject:raw =~ /^\s*$/

meta       __SUBJECT_PRESENT_EMPTY      __HAS_SUBJECT && __SUBJECT_EMPTY

header      __SUBJ_ADMIN         Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i

header      __SUBJ_ATTENTION     Subject =~ /ATTENTION/

meta        __SUBJ_BRKN_WORDNUMS   __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU

header      __SUBJ_BROKEN_WORD     Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
tflags      __SUBJ_BROKEN_WORD     multiple maxhits=2

meta        __SUBJ_DOM_ADMIN     __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN

    header        __SUBJ_HAS_FROM_1    ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject: [^\n]{0,100}\1[>,:\s\n]/ism

header         __SUBJ_HAS_TO_1      ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism

header         __SUBJ_HAS_TO_2      ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism

header         __SUBJ_HAS_TO_3      ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To: [^\n]{0,100}\1[^a-z0-9.]/ism

header	 __SUBJ_NOT_SHORT	Subject =~ /^.{16}/

header      __SUBJ_OBFU_PUNCT      Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i
tflags      __SUBJ_OBFU_PUNCT      multiple maxhits=4

header   __SUBJ_RE		Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/

header __SUBJ_SHORT	Subject =~ /^.{0,8}$/

header    __SUBJ_UNNEEDED_HTML          Subject =~ /%[0-9a-f][0-9a-f]/i
tflags    __SUBJ_UNNEEDED_HTML          multiple maxhits=3

header     __SUBJ_USB_DRIVES          Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/

body	 __SUBSCRIPTION_INFO	/\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
tflags	 __SUBSCRIPTION_INFO	nice

body     __SUM_OF_FUND    /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i

body        __SURVEY           /\bsurvey\b/i

body     __SURVIVORS      /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i

body        __SUSPICION_LOGIN    /\bsuspicion login\b/i

body        __SYSADMIN           /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i

meta       __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT

meta       __TARINGANET_IMG_NOT_RCVD_TN  __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET

header         __TB_MIME_BDRY_NO_Z   Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/

rawbody        __TENWORD_GIBBERISH    /^\s*(?:[a-z]+\s+){10}\.$/m
tflags         __TENWORD_GIBBERISH    multiple maxhits=21

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __TEXT_XML_MT       Content-Type =~ m,\btext/xml\b,i
endif

body     __THEY_INHERIT   /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i

body        __THIS_AD         /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i

meta    __THREADED     (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
tflags  __THREADED     nice

header __THREAD_INDEX_GOOD  Thread-Index =~ m,^A[A-Za-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,

header         __TO_ALL_NUMS        To:addr =~ /^\d+@/

meta           __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX

meta           __TO_EQ_FM_DOM_HTML_IMG  __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE

if !plugin(Mail::SpamAssassin::Plugin::SPF)
  meta           __TO_EQ_FM_DOM_SPF_FAIL  0
endif

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           __TO_EQ_FM_DOM_SPF_FAIL  __TO_EQ_FROM_DOM && SPF_FAIL
  tflags         __TO_EQ_FM_DOM_SPF_FAIL  net
endif

meta           __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY

if !plugin(Mail::SpamAssassin::Plugin::SPF)
  meta           __TO_EQ_FM_SPF_FAIL  0
endif

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta           __TO_EQ_FM_SPF_FAIL  __TO_EQ_FROM && SPF_FAIL
  tflags         __TO_EQ_FM_SPF_FAIL  net
endif

meta           __TO_EQ_FROM         (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe       __TO_EQ_FROM         To: same as From:

header         __TO_EQ_FROM_1       ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism

header         __TO_EQ_FROM_2       ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism

meta           __TO_EQ_FROM_DOM     (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe       __TO_EQ_FROM_DOM     To: domain same as From: domain

header         __TO_EQ_FROM_DOM_1   ALL =~ /\nFrom: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: [^\n]+@\1[>,\s\n]/ism

header         __TO_EQ_FROM_DOM_2   ALL =~ /\nTo: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: [^\n]+@\1[>,\s\n]/ism

meta	 __TO_EQ_FROM_USR	(__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
describe __TO_EQ_FROM_USR	To: username same as From: username

header	 __TO_EQ_FROM_USR_1	ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism

header	 __TO_EQ_FROM_USR_2	ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism

meta	 __TO_EQ_FROM_USR_NN	(__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
describe __TO_EQ_FROM_USR_NN	To: username same as From: username sans trailing nums

header	 __TO_EQ_FROM_USR_NN_1	ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism

header	 __TO_EQ_FROM_USR_NN_2	ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism

meta	 __TO_EQ_FROM_USR_NN_MINFP	__TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED

meta           __TO_IN_SUBJ         (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)

header     __TO_NO_ARROWS_R        To !~ /(?:>$|>,)/

if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
  meta       __TO_NO_BRKTS_FREEMAIL  0
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta       __TO_NO_BRKTS_FREEMAIL  __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
endif

meta       __TO_NO_BRKTS_FROM_RUNON  __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON

meta       __TO_NO_BRKTS_HTML_IMG  __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG

meta       __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY

meta       __TO_NO_BRKTS_MSFT       __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)

meta       __TO_NO_BRKTS_NORDNS_HTML    __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE

meta       __TO_NO_BRKTS_PCNT       __TO_NO_ARROWS_R && __FB_NUM_PERCNT

header      __TO_TOO_MANY          To =~ /(?:,[^,]{1,90}){30}/

meta       __TO_TOO_MANY_WFH_01        __TO_WAY_TOO_MANY && __WFH_01

header     __TO_UNDISCLOSED        To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i

header      __TO_WAY_TOO_MANY      ToCc =~ /(?:,[^,]{1,90}){50}/

body     __TO_YOUR_ACCT   /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i

body     __TO_YOUR_ORG       /\b(?:to|for) your organi[sz]ation\b/i

header      __TO___LOWER       ALL =~ /to: \S{5}/

body       __TRANSFORM_LIFE            /\b(?:transform|change) your (?:daily )?life(?:style)?\b/i

body        __TRAVEL_AGENT     /\btravel\sagen(?:t|cy)\b/i

body        __TRAVEL_BUSINESS  /\bbusiness\stravel\b/i

body     __TRAVEL_ITINERARY  /(?:travel|ticketed|your|current) itinerary/i

meta        __TRAVEL_MANY      (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2

body        __TRAVEL_PROFILE   /\btravel+er\sprofile\b/i

body        __TRAVEL_RESERV    /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i

body     __TRTMT_DEFILED  /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i

body     __TRUNK_BOX      /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i

body     __TRUSTED_CHECK  /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i

header __TT_BROKEN_VALIUM       Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i

header __TT_BROKEN_VIAGRA       Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i

header __TT_OBSCURED_VALIUM     Subject =~ /(?:v|V|\\\/)(?:a|A|\(a\)|4|@)(?:l|L|\|)(?:i|I|1|\xef|\|)(?:u|U|\(u\))(?:m|M)/

header __TT_OBSCURED_VIAGRA     Subject =~ /(?:v|V|\\\/)(?:i|I|1|\xef|\|)(?:a|A|\(a\)|4|@)(?:g|G)(?:r|R)(?:a|A|\(a\)|4|@)/

header __TT_VALIUM              Subject =~ /VALIUM/i

header __TT_VIAGRA              Subject =~ /VIAGRA/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_MIME_ATT_AP    Content-Type =~ /^application\/pdf/i
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_MIME_ATT_TP    Content-Type =~ /^text\/plain/i
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_OUTLOOK_IMG    Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
endif

body __TVD_PH_BODY_01		/\baccount .{0,20}placed? [io]n restricted status/i

body __TVD_PH_BODY_02		/\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i

body __TVD_PH_BODY_03		/\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i

body __TVD_PH_BODY_04		/\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i

body __TVD_PH_BODY_05		/\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i

body __TVD_PH_BODY_06		/Dear [a-z]+ bank (?:member|customer)/i

body __TVD_PH_BODY_07		/\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i

body __TVD_PH_BODY_08		/\bmultiple password failures/i

body __TVD_PH_BODY_ACCOUNTS_POST	/\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i

body __TVD_PH_BODY_ACCOUNTS_PRE		/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i

meta __TVD_PH_BODY_META		__TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08

header __TVD_PH_SUBJ_00		Subject =~ /\brewards? survey\b/i

header __TVD_PH_SUBJ_02		Subject =~ /\byour payment has been sent\b/i

header __TVD_PH_SUBJ_04		Subject =~ /\baccounts? profile\b/i

header __TVD_PH_SUBJ_15		Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i

header __TVD_PH_SUBJ_17		Subject =~ /\bremove limitations?\b/i

header __TVD_PH_SUBJ_18		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i

header __TVD_PH_SUBJ_19		Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i

header __TVD_PH_SUBJ_29		Subject =~ /^notice(?::|[\s\W]*$)/i

header __TVD_PH_SUBJ_31		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i

header __TVD_PH_SUBJ_36		Subject =~ /\bconsumer notice\b/i

header __TVD_PH_SUBJ_37		Subject =~ /\bvalued member[a-z]*\b/i

header __TVD_PH_SUBJ_38		Subject =~ /\bonline bank[a-z]*\b/i

header __TVD_PH_SUBJ_39		Subject =~ /\bonline department\b/i

header __TVD_PH_SUBJ_41		Subject =~ /\bunusual activity\b/i

header __TVD_PH_SUBJ_52		Subject =~ /\b(?:account|online) profile\b/i

header __TVD_PH_SUBJ_54		Subject =~ /\bun-?authorized access(?:es)?\b/i

header __TVD_PH_SUBJ_56		Subject =~ /\brespond now\b/i

header __TVD_PH_SUBJ_58		Subject =~ /\bbilling service\b/i

header __TVD_PH_SUBJ_59		Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i

header __TVD_PH_SUBJ_ACCESS_POST	Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i

meta __TVD_PH_SUBJ_META		__TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST

meta        __TVD_SPACE_ENCODED    (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)

if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
  meta      __TVD_SPACE_RATIO      0
endif

header      __TVD_SUBJ_NUM_OBFU    Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i

meta     __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512)

header   __UA_GNUS		User-Agent =~ /^Gnus/

header   __UA_KMAIL		User-Agent =~ /^KMail/

header   __UA_KNODE		User-Agent =~ /^KNode/

header   __UA_MOZ5		User-Agent =~ /^Mozilla\/5/

header   __UA_MSOEMAC		User-Agent =~ /^Microsoft-Outlook-Express-Mac/

header         __UA_MSOMAC           User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/

header   __UA_MUTT		User-Agent =~ /^Mutt/

header   __UA_OPERA7		User-Agent =~ /^Opera7/

header   __UA_PAN		User-Agent =~ /^Pan/

header   __UA_XNEWS		User-Agent =~ /^Xnews/

body        __UC_GIBB_OBFU     /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
tflags      __UC_GIBB_OBFU     multiple maxhits=2

body     __UN             /\bunited\snations?\b/i

meta       __UNDISC_FREEM              __TO_UNDISCLOSED && __freemail_replyto 

meta       __UNDISC_MONEY              __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __UNICODE_OBFU_ASC         /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
  tflags     __UNICODE_OBFU_ASC         multiple maxhits=10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __UNICODE_OBFU_ASC_MANY    __UNICODE_OBFU_ASC > 9
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  body       __UNICODE_OBFU_ZW          /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
  tflags     __UNICODE_OBFU_ZW          multiple maxhits=10
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __UNICODE_OBFU_ZW_10       __UNICODE_OBFU_ZW > 9
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __UNICODE_OBFU_ZW_2        __UNICODE_OBFU_ZW > 1
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __UNICODE_OBFU_ZW_3        __UNICODE_OBFU_ZW > 2
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta       __UNICODE_OBFU_ZW_5        __UNICODE_OBFU_ZW > 4
endif

body        __UNICODE_RTL_OBFU         /\w(?:\x{E2}\x{80}\x{8F}){2,}\w/
tflags      __UNICODE_RTL_OBFU         multiple maxhits=10

body	 __UNSUB_EMAIL	/\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i
tflags	 __UNSUB_EMAIL	nice

body        __UNSUB_GOOG_FORM    m,Unsub?sc?ribe\s<?https?://docs\.google\.com/forms/,i

uri	 __UNSUB_LINK	/\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
tflags	 __UNSUB_LINK	nice

body        __UPGR_MAILBOX       /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i

uri         __UPPERCASE_URI        /^[^:A-Z]+[A-Z]/

uri            __URI_12LTRDOM      m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i

uri        __URI_ADOBESPARK            m,https?://branchlink\.adobespark\.com/,i

uri        __URI_AZURE_CLOUDAPP        m,://(?:[^./]+\.)+cloudapp\.azure\.com/,

uri        __URI_BUFFLY                m,//buff\.ly/,i

uri         __URI_CLOUDFLAREIPFS       m,//(?:[^@/]+@)?cloudflare-ipfs\.com/ipfs/,i

uri        __URI_DASHGOVEDU            m,://[^/]*-(?:gov|edu)\.com/,i

uri         __URI_DATA         /^data:(?!image\/)[a-z]/i

uri         __URI_DBL_DOM      m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i

uri        __URI_DOTEDU                m;^https?://(?:[^./]+\.)+edu/;i

meta       __URI_DOTEDU_ENTITY         __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW 

uri        __URI_DOTGOV                m;^https?://(?:[^./]+\.)+gov/;i

uri         __URI_DOTTY_HEX            /(?:\.[0-9a-f]{2}){30}/

uri            __URI_DQ_UNSUB   m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i

uri         __URI_DWEBIPFS             m;//[^.]{50,}\.ipfs\.dweb\.link/;i

rawbody     __URI_EXCESS_SLASHES       m;https?:///+;i

uri        __URI_FIREBASEAPP           m,://[^./]+\.firebaseapp\.com/,

uri         __URI_FLKIPFSXYZIPFS       m;//[^.]{50,}\.ipfs\.flk-ipfs\.xyz/;i

uri         __URI_GOOGDRAWPREVIEW      m,://docs\.google\.com/drawings/d/[^/]*/preview,i

uri         __URI_GOOGLE_DOC     m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i

uri         __URI_GOOGLE_DRV     m,^https?://(?:drive\.google|googledrive)\.com/,i

uri            __URI_GOOGLE_PROXY     m;^https?://[^.]+\.googleusercontent\.com/proxy/;i

uri         __URI_GOOG_STO_EMAIL       m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i

uri        __URI_GOOG_STO_HTML        m,^https?://(?:[^./]+.)?(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
tflags     __URI_GOOG_STO_HTML        multiple maxhits=5

uri        __URI_GOOG_STO_IMG         m,^https?://(?:[^./]+.)?(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif|webp)$,i
tflags     __URI_GOOG_STO_IMG         multiple maxhits=5

uri        __URI_HEX_IP                m;://0x[0-9A-F]{8,}[:/];i

meta       __URI_HOSTED_IMG            ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE || __URI_IMG_CWINDOWSNET || __URI_IMG_LEAADPERSONS || __URI_IMG_SENSILOEDPER)

uri        __URI_IMG_500PXORG          m;://drscdn\.500px\.org/photo/;i

uri        __URI_IMG_ALICDN            m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i

uri        __URI_IMG_AMAZON            m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i

uri        __URI_IMG_BEBEE             m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_CHANNYPIC         m,://www\.channypicture\.com/pic/,i

uri        __URI_IMG_CWINDOWSNET       m;://[^.]{12,}\.(?:blob|web)\.core\.windows\.net/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_DHRESOURCE        m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_EBAY              m,://[^/?]+\.ebayimg\.com/,i

uri        __URI_IMG_EFUSERASSETS      m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_FACEBOOK          m;://(?:[^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_GBTCDN            m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i

uri        __URI_IMG_GTRACING          m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_IMGBOX_THUMB      m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_JOOMCDN           m,://img\.joomcdn\.net/,i
uri        __URI_IMG_JOOMCDN           m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_LEAADPERSONS      m;://www\.leaadpersons\.com/biz/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_LINKEDIN          m;://media-exp\d\.licdn\.com/dms/image/;i

uri        __URI_IMG_NEWEGG            m,://[^/?]+\.neweggimages\.com/,i

uri        __URI_IMG_POSTIMGCC         m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_SENSILOEDPER      m;://www\.sensiloedper\.com/bizgstorage/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_SHOPIFY           m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i

uri        __URI_IMG_STATICBG          m,://imgaz\.staticbg\.com/images/,i

uri        __URI_IMG_TAGSTAT           m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_TARINGANET        m;://media\.taringa\.net/knn/;i

uri        __URI_IMG_TOPHATTER         m;://images\.tophatter\.com/[0-9a-f]{30,}/;i

uri        __URI_IMG_TUMBLR            m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i

uri        __URI_IMG_WALMART           m,://[^/?]+\.walmartimages\.com/,i

uri        __URI_IMG_WISH              m,://contestimg\.wish\.com/,i

uri        __URI_IMG_WIXMP             m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i

uri        __URI_IMG_WP_REDIR          m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png|webp)$;i

uri        __URI_IMG_YTIMG             m,://[^/?]+\.ytimg\.com/,i

uri         __URI_INFURAIPFSIO         m,//(?:[^@/]+@)?(?:[^.]+\.)?infura-ipfs\.io/ipfs/,i

meta        __URI_IPFS                 __URI_IPFSIO || __URI_INFURAIPFSIO || __URI_CLOUDFLAREIPFS || __URI_DWEBIPFS || __URI_FLKIPFSXYZIPFS

uri         __URI_IPFSIO               m,//(?:[^@/]+@)?ipfs\.io/ipfs/,i

uri        __URI_LONG_REPEAT           m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i

uri         __URI_MAILTO              /^mailto:/i
tflags      __URI_MAILTO              multiple maxhits=16

uri            __URI_MONERO     /buy-monero/i

uri         __URI_NOCODEFORM           m;://nocodeform\.io/f/;i

meta      __URI_ONLY_MSGID_MALF         __BODY_URI_ONLY && __MSGID_NOFQDN2

meta        __URI_PHISH    __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)

uri        __URI_PHP_REDIR             m;/redirect\.php\?;i

uri        __URI_PRODUCT_AMAZON        m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i

uri         __URI_TRY_3LD     m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act(?!ion)|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i

uri         __URI_TRY_USME    m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i

uri        __URI_WEBAPP                m,://[^./]+\.web\.app/,

uri         __URI_WPADMIN      m,/wp-admin/\w+/,i

uri         __URI_WPCONTENT    m,/wp-content/.*\.(?:php|html?)\b,i

uri         __URI_WPDIRINDEX   m,/wp-(?:content|includes)/.*/$,i

uri         __URI_WPINCLUDES   m,/wp-includes/.*\.(?:php|html?)\b,i

uri            __URL_BTC_ID     m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);

uri      __URL_LTC_ID     m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$);

header __USING_VERP1 Return-Path =~ /[+-].*=/

header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
tflags __VACATION nice

body        __VALIDATE_MAILBOX   /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (?:\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
tflags      __VALIDATE_MAILBOX   multiple maxhits=2

body        __VALIDATE_MBOX_SE   /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i

body        __VERIFY_ACCOUNT     /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
tflags      __VERIFY_ACCOUNT     multiple maxhits=2

meta        __VFY_ACCT_NORDNS    __VERIFY_ACCOUNT && __RDNS_NONE 

meta        __VISTA_COST               __VISTA_MSGID && __FB_COST

meta        __VISTA_TONOM_EQ_TOLOC     __VISTA_MSGID && __PDS_TONAME_EQ_TOLOCAL

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header   __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
endif
endif

meta       __WALMART_IMG_NOT_RCVD_WAL  __URI_IMG_WALMART && !__HDR_RCVD_WALMART

body        __WEBMAIL_ACCT       /\byour web ?mail account/i

body       __WE_PAID                   /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i

meta       __WFH_01                    ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2

body     __WIDOW          /\b(?:widow(?:e[rd])'?s?|veuve)\b/i

body     __WILL_LEGAL     /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i

body     __WIRE_XFR       /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i

body       __WITHOUT_EFFORT            /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  rawbody   __WORD_INVIS                  /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
  tflags    __WORD_INVIS                  multiple maxhits=6
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __WORD_INVIS_2                __WORD_INVIS > 1
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __WORD_INVIS_5                __WORD_INVIS > 5
endif

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta      __WORD_INVIS_MINFP            __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID 
endif

header         __XEROXWORKCTR_MUA  X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/

meta     __XFER_LOTSA_MONEY      __XFER_MONEY && LOTS_OF_MONEY

meta     __XFER_MONEY     (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  header          __XMAIL_CODEIGN         X-Mailer =~ /CodeIgniter/
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  header          __XMAIL_PHPMAIL         X-Mailer =~ /PHPMailer/
endif

header   __XM_APPLEMAIL		X-Mailer =~ /^Apple Mail/

header     __XM_ASPQMAIL               X-Mailer =~ /^AspQMail/

header   __XM_BALSA		X-Mailer =~ /^Balsa \d/

header   __XM_CALYPSO		X-Mailer =~ /^Calypso/

header     __XM_DIGITS_ONLY            X-Mailer =~ /^\s*\d+\s*$/

header      __XM_EC_MESSENGER      X-Mailer =~ /\beC-Messenger\b/

header   __XM_FORTE		X-Mailer =~ /^Forte Agent \d/

header   __XM_GNUS		X-Mailer =~ /^Gnus v/

header   __XM_MHE		X-Mailer =~ /^mh-e \d/

header   __XM_MOZ4		X-Mailer =~ /^Mozilla 4/

header   __XM_MSOE5		X-Mailer =~ /^Microsoft Outlook Express 5/

header   __XM_MSOE6		X-Mailer =~ /^Microsoft Outlook Express 6/

header __XM_MS_IN_GENERAL     X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/

header __XM_OL_10_0_4115    X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/

header __XM_OL_28001441    X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/

header __XM_OL_28004682    X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/

header __XM_OL_48072300    X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/

header __XM_OL_4_72_2106_4  X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/

header __XM_OUTLOOK_EXPRESS    X-Mailer =~ /^Microsoft Outlook Express \d/

header      __XM_PHPMAILER_FORGED  X-Mailer =~ /PHPMailer\s.*version\D+$/

header     __XM_RANDOM                 X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i

header   __XM_SKYRI		X-Mailer =~ /^SKYRiXgreen/

header   __XM_SQRLMAIL		X-Mailer =~ /^SquirrelMail/

header   __XM_SYLPHEED		X-Mailer =~ /^Sylpheed/

header     __XM_UC_ONLY                X-Mailer =~ /^[^a-z]+$/

header     __XM_VERY_LONG              X-Mailer =~ /.{50}/

header   __XM_VM		X-Mailer =~ /^VM \d/

header   __XM_WWWMAIL		X-Mailer =~ /^WWW-Mail \d/

header   __XM_XIMEVOL		X-Mailer =~ /^Ximian Evolution/

meta        __XPRIO_MINFP      __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER 

meta        __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT 

meta        __XPRIO_VISTA        __XPRIO_MINFP && __VISTA_MSGID

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __X_MSO_MT          Content-Type =~ m,\bapplication/x-mso\b,i
endif

body     __YOUR_BANK      /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i

body     __YOUR_CONSIGNMENT     /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i

body     __YOUR_FUND      /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __YOUR_ONAN            /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __YOUR_ONAN            /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
endif

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __YOUR_PASSWORD        /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __YOUR_PASSWORD        /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
endif

body     __YOUR_PERM      /\byour\spermission\b/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __YOUR_PERSONAL        /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __YOUR_PERSONAL        /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
endif

body     __YOUR_PROFIT    /\byour?\sprofit/i

if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  body           __YOUR_WEBCAM          /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
endif

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  body           __YOUR_WEBCAM          /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i
endif

body     __YOU_ASSIST     /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i

body     __YOU_INHERIT    /\byour\s[a-z\s]{0,30}inherit+ance\b/i

meta     __YOU_WON       __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))

body     __YOU_WON_01    /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i

body     __YOU_WON_02    /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i

body     __YOU_WON_03    /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i 

body     __YOU_WON_04    /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i

body     __YOU_WON_05    /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __ZIP_ATTACH_MT     0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __ZIP_ATTACH_MT     Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
endif

if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
  meta         __ZIP_ATTACH_NOFN   0
endif

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader   __ZIP_ATTACH_NOFN   Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
endif

ifplugin Mail::SpamAssassin::Plugin::FreeMail
  header     __freemail_mailreplyto      eval:check_freemail_header('Mail-Reply-To')
endif

body		__hk_bigmoney		/(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i

body		__hk_win_0		/\byour? e-?mail just w[oi]n/i

body		__hk_win_2		/\battn.{0,10}winner/i

body		__hk_win_3		/\bhappily aa?nnounce/i

body		__hk_win_4		/\bpleas(?:ure|ed) to inform/i

body		__hk_win_5		/\b(?:notice the|your) winning/i

body		__hk_win_7		/\bcongratulations? to your/i

body		__hk_win_8		/\bunexpected luck/i

body		__hk_win_9		/\blucky (?:nl )number/i

body		__hk_win_a		/\bwinning (?:e-?mail|numbers|information)/i

body		__hk_win_b		/\byour e-?mail (?:address )?(?:has )?w[io]n/i

body		__hk_win_c		/\bune adresse e-?mail sur internet/i

body		__hk_win_d		/\bcategory (?:\S{0,5} )?winner of our/i

body		__hk_win_i		/\bfunds? transfer/i

body		__hk_win_j		/\b(?:winning|ready for|sum) pay ?out/i

body		__hk_win_l		/\b(?:make|file) (?:for )?your claim/i

body		__hk_win_m		/\br.clamation de votre prix/i

body		__hk_win_n		/\bcollect your prize/i

body		__hk_win_o		/\bclarification and procedure/i

ifplugin Mail::SpamAssassin::Plugin::FreeMail
header   __smf_freemail_hdr_replyto  eval:check_freemail_header('Reply-To:addr')
endif