# SpamAssassin user preferences file. See 'perldoc Mail::SpamAssassin::Conf' # for details of what can be tweaked. ########################################################################### # ~/.spamassassin/user_prefs # $Id: user_prefs,v 1.69 2003/07/31 10:16:41 yoh Exp $ # # http://tlec.linux.or.jp/docs/user_prefs # Original source from: # http://www.linux.or.jp/~ukai/l-u-spam/local.cf # modified by yoh (yoh@flcl.org) # # Notice: # You'd better read http://tlec.linux.or.jp/docs/spamassassin.html # before using this file. # # Special thanks to Satoshi IWAMOTO-san, for advice: 2002/10/21 # Modified and Tested by G-HAL # Fri,15 Aug,2003 - Wed,03 Dec,2003 # Fri,23 Jan,2004 - Sat,31 Jan,2004 # Mon,10 May,2004 - Wed,12 May,2004 # Fri,04 Jun,2004 - Wed,12 May,2004 # Fri,16 Jul,2004 # Fri,17 Dec,2004, Fri,24 Dec,2004 - Tue,28 Dec,2004 # Fri,18 Feb,2005, Fri,25 Feb,2005 # Thr,03 Mar,2005 - Sat,05 Mar,2005 # 学習のさせかた # sa-learn --spam --mbox ~/mbox # sa-learn --spam --file * # sa-learn --ham --file * # など # RelayCountry - add metadata for Bayes learning, marking the countries # a message was relayed through # # loadplugin Mail::SpamAssassin::Plugin::RelayCountry # URIDNSBL - look up URLs found in the message against several DNS # blocklists. # loadplugin Mail::SpamAssassin::Plugin::URIDNSBL # Hashcash - perform hashcash verification. # loadplugin Mail::SpamAssassin::Plugin::Hashcash # SPF - perform SPF verification. # loadplugin Mail::SpamAssassin::Plugin::SPF # 期待する言語 ok_languages ja en ok_locales ja en # 無条件許可と無条件許可解除と無条件禁止と無条件禁止解除 #whitelist_from *@foo.var.jp #whitelist_from_rcvd *@foo.var.jp foo.var.jp #unwhitelist_from *@foo.var.jp #blacklist_from big@boss.com #unblacklist_from big@boss.com # SPAM なら Subject: 書き換え rewrite_subject 1 # Obsolate 3.x # Subject: に付加される題名 subject_tag *****SPAM***** # Obsolate 3.x rewrite_header Subject *****SPAM(_SCORE_)***** # Ham 判定なら Header を省略 #always_add_headers 0 # Obsolate 3.x # Spam 判定理由レポートを付けない #always_add_report 1 # Obsolate 3.x # Header に * でレベル表示 spam_level_stars 1 # Obsolate 3.x # レポートを Header に添付、本文はいじらない report_safe 0 # 短いレポート use_terse_report 1 # Obsolate 3.x # ユーザー別環境設定を有効にする allow_user_rules 1 # # 判定ルール # 判定閾値 required_hits 10 # Network Database に接続して試験する項目を飛ばす #use_razor1 0 # Obsolate: 2.55 まで? use_razor2 0 score DCC_CHECK 0 score PYZOR_CHECK 0 score RAZOR_CHECK 0 # Obsolate 3.x score RAZOR2_CHECK 0 # アジア系言語を使用 # BODY は ISO-2022 使用、HEADER は MIME ENCODING 使用、 # と言う事になっているので、 # EUC とか SJIS とか使って得点されても構わない。 #score HEADER_8BITS 0.001 #score HTML_COMMENT_8BITS 0.001 #score SUBJ_FULL_OF_8BITS 0.001 score UPPERCASE_25_50 0.001 score UPPERCASE_50_75 0.001 score UPPERCASE_75_100 1.0 # JIS の $$$ の誤認識回避 #meta CASHCASHCASH (!__ISO_2022_JP_DELIM && __THREE_DOLLARS) #describe CASHCASHCASH Contains at least 3 dollar signs in a row score CASHCASHCASH 0.001 # Obsolate 3.x # JIS の ? の誤認識回避 score SUBJ_HAS_Q_MARK 0.3 # Obsolate # To: が無い score MISSING_HEADERS 4.0 # To: が undisclosed-recipients になっている score UNDISC_RECIPS 4.0 # From: と To: が同じ score FROM_AND_TO_SAME 3.9 # Dear friend で始まる score DEAR_FRIEND 1.5 # # RBL ルール # #uridnsbl_skip_domain plala.jp # #header RCVD_IN_VIRUS_RBL_JP eval:check_rbl_txt('rbl.jp', 'virus.rbl.jp.') #describe RCVD_IN_VIRUS_RBL_JP Received via a relay in virus.rbl.jp #tflags RCVD_IN_VIRUS_RBL_JP net #score RCVD_IN_VIRUS_RBL_JP 9.0 #header RCVD_IN_SHORT_RBL_JP eval:check_rbl_txt('rbl.jp', 'short.rbl.jp.') #describe RCVD_IN_SHORT_RBL_JP Received via a relay in short.rbl.jp #tflags RCVD_IN_SHORT_RBL_JP net #score RCVD_IN_SHORT_RBL_JP 9.0 # all.rbl.jp = virus.rbl.jp + short.rbl.jp header RCVD_IN_ALL_RBL_JP eval:check_rbl_txt('rbl.jp', 'all.rbl.jp.') describe RCVD_IN_ALL_RBL_JP Received via a relay in all.rbl.jp tflags RCVD_IN_ALL_RBL_JP net score RCVD_IN_ALL_RBL_JP 9.0 # score RCVD_IN_DSBL 9.0 # default 2.8 score RCVD_IN_SBL 8.0 # default 1.1 score RCVD_IN_XBL 9.0 # default 2.5 # # Requires the Mail::SpamAssassin::Plugin::URIDNSBL plugin be loaded. ifplugin Mail::SpamAssassin::Plugin::URIDNSBL # urirhssub URIBL_RBLJP url.rbl.jp. A 2 body URIBL_RBLJP eval:check_uridnsbl('URIBL_RBLJP') describe URIBL_RBLJP Has URI in url.rbl.jp tflags URIBL_RBLJP net score URIBL_RBLJP 7.0 # urirhssub URIBL_DYNDNS_RBLJP dyndns.rbl.jp. A 4 body URIBL_DYNDNS_RBLJP eval:check_uridnsbl('URIBL_DYNDNS_RBLJP') describe URIBL_DYNDNS_RBLJP URL uses Dynamic DNS service tflags URIBL_DYNDNS_RBLJP net score URIBL_DYNDNS_RBLJP 7.0 # score URIBL_SBL 7.0 # default 0.6 # endif # Mail::SpamAssassin::Plugin::URIDNSBL # SpamAssassin 2.6x では SpamCopURI と言う物もあるらしい。 #uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2') #describe SPAMCOP_URI_RBL URI's domain appears in spamcop database at sc.surbl.org #tflags SPAMCOP_URI_RBL net #score SPAMCOP_URI_RBL 4.0 # #uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2') #describe WS_URI_RBL URI's domain appears in sa-blacklist #tflags WS_URI_RBL net #score WS_URI_RBL 3.0 # #uri OB_URI_RBL eval:check_spamcop_uri_rbl('ob.surbl.org','127.0.0.2') #describe OB_URI_RBL URI's domain appears in ob.surbl.org #tflags OB_URI_RBL net #score OB_URI_RBL 4.0 # #uri AB_URI_RBL eval:check_spamcop_uri_rbl('ab.surbl.org','127.0.0.2') #describe AB_URI_RBL URI's domain appears in ab.surbl.org #tflags AB_URI_RBL net #score AB_URI_RBL 5.0 # # HTML parse ルール # # 本文が HTML のみ score CTYPE_JUST_HTML 4.4 # Obsolate score MIME_HTML_ONLY 4.4 # HTML が使われている、割合別得点。 score HTML_MESSAGE 1.0 score HTML_80_90 1.0 score HTML_70_80 1.2 # URL が書かれている上、おかしな記述になっている score HTTP_CTRL_CHARS_HOST 2.0 # URL が書かれている上、どこかのサイトへアクセスさせている body HTML_RELAYING_FRAME eval:html_test('relaying_frame') describe HTML_RELAYING_FRAME Frame wanted to load outside URL score HTML_RELAYING_FRAME 3.0 # Obsolate 3.x body HTML_LINK_CLICK_HERE eval:html_eval('anchor_text', '=~ /click\s*(?:here|this)/i') describe HTML_LINK_CLICK_HERE HTML link text says "click here" score HTML_LINK_CLICK_HERE 2.0 # Obsolate 3.x # HTML で mail を出させようとしている score MAILTO_TO_REMOVE 1.0 # HTML で個人認証をしようとしている score HTML_WEB_BUGS 2.0 # HTML に変なゴミがいっぱい付いている score OBFUSCATING_COMMENT 4.0 # HTML で画像を読み込ませている # 3.x では、HTML_IMAGE_ONLY_xx の xx の値が倍になった。 #body HTML_IMAGE_ONLY_02 eval:html_image_only('0000','0200') #describe HTML_IMAGE_ONLY_02 HTML: images with 0-200 bytes of words score HTML_IMAGE_ONLY_02 4.0 # Obsolate 3.x score HTML_IMAGE_ONLY_04 4.0 #body HTML_IMAGE_ONLY_06 eval:html_image_only('0400','0600') #describe HTML_IMAGE_ONLY_06 HTML: images with 400-600 bytes of words score HTML_IMAGE_ONLY_06 2.6 # Obsolate 3.x score HTML_IMAGE_ONLY_08 2.1 #body HTML_IMAGE_ONLY_10 eval:html_image_only('0800','1000') #describe HTML_IMAGE_ONLY_10 HTML: images with 800-1000 bytes of words score HTML_IMAGE_ONLY_10 1.5 # Obsolate 3.x score HTML_IMAGE_ONLY_12 0.3 # # JIS で「事実上」と書くと、";ve" になって、HTML_MESSAGE と誤認識する。 body __MISREC_HTML_MESSAGE_1 /;ve/ describe __MISREC_HTML_MESSAGE_1 "BODY: HTML Misrecognition ZI-ZI-TU-ZYO-U" score __MISREC_HTML_MESSAGE_1 -0.001 # JIS で「性質上」と書くと、"@-e" になって、HTML_MESSAGE と誤認識する。 body __MISREC_HTML_MESSAGE_2 /@-e/ describe __MISREC_HTML_MESSAGE_2 "BODY: HTML Misrecognition SE-I-SHI-TSU-ZYO-U" score __MISREC_HTML_MESSAGE_2 -0.001 # # 通常テキストなのに HTML と誤認識。 meta MISREC_HTML_MESSAGE HTML_MESSAGE && (__MISREC_HTML_MESSAGE_1 || __MISREC_HTML_MESSAGE_2) describe MISREC_HTML_MESSAGE "BODY: HTML Misrecognition, perhaps" score MISREC_HTML_MESSAGE -1.0 # 通常テキストモードだと主張しているのに、HTML で書かれている。 meta CT_PLAIN_BODY_HTML __CT_TEXT_PLAIN && HTML_MESSAGE && !MISREC_HTML_MESSAGE describe CT_PLAIN_BODY_HTML CTYPE is plain, but wrote by HTML. score CT_PLAIN_BODY_HTML 7.5 # # 追加ルール # ML, Online-Magazine など #Received: from mail.rsj.or.jp (mayotte.fs.ksi.ne.jp [164.46.138.193]) header FORGED_RSJ Received =~ /^from mail\.rsj\.or\.jp \([a-zA-Z]+[\-a-zA-Z0-9\.]*\.jp \[164\.46\.[0-9]{1,3}\.[0-9]{1,3}\]\)/mi describe FORGED_RSJ Received from RSJ mailing-list. score FORGED_RSJ -5.0 #Received: from erimail.nikkeibp.co.jp (erimail.nikkeibp.co.jp [210.145.118.248]) header FORGED_NIKKEIBP Received =~ /^from [a-zA-Z]+[\-a-zA-Z0-9\.]*\.nikkeibp\.co\.jp \([a-zA-Z]+[\-a-zA-Z0-9\.]*\.nikkeibp\.co\.jp \[210\.145\.11[78]\.[0-9]{1,3}\]\)/mi describe FORGED_NIKKEIBP Received from NIKKEIBP online service. score FORGED_NIKKEIBP -5.0 # 変な Envelope From (MAIL From:) の判別 by G-HAL # Obsolate 3.x # 3.x から、Envelope From は消してから処理する様になったらしく、 # 以下のルールは使用できない。 # #  根本的におかしいのは、MTA で蹴る。 # DNS 引いたり MX 引いたり。 # タコ設定な MTA だと無条件信用だったりする。 # #  procmail/milter から呼ばれる時点では # MAIL From: # RCPT To: # と喋った物が、 # sendmail-8.12.9/milter の場合 # X-Envelope-From: # X-Envelope-To: # sendmail-8.12.9/procmail の場合? # From foo@bar.baz Thu Aug 28 22:37:08 2003 # sendmail-8.12.6/procmail の場合 # From foo@bar.baz Wed Aug 27 21 # と記述されている、らしい。 #  inc(mh) を使用して受信すると、 # Return-Path: foo@bar.baz # に変換される。 # それ以外の受信ツールだと消したりなんだり、いろいろ。 #full __SENDER_TYPE_1 /^X-Envelope-From: ?$/i #score __SENDER_LOCAL1 -0.001 #full __SENDER_LOCAL2 /^From ?[\r\n]/im #score __SENDER_LOCAL2 -0.001 #header __SENDER_LOCAL3 Return-Path =~ /^[a-zA-Z0-9]+[a-zA-Z0-9\-\.\_]*$/i #score __SENDER_LOCAL3 -0.001 #meta SENDER_LOCAL ((__SENDER_TYPE_1 && __SENDER_LOCAL1) || (__SENDER_TYPE_2 && __SENDER_LOCAL2) || (__SENDER_TYPE_3 && __SENDER_LOCAL3)) #describe SENDER_LOCAL MAIL From: is local. #score SENDER_LOCAL 0.001 # #header __SENDER_REMOTE1 X-Envelope-From =~ /^?$/i #score __SENDER_REMOTE1 -0.001 #full __SENDER_REMOTE2 /^From ?[\r\n]/im #score __SENDER_REMOTE2 -0.001 #header __SENDER_REMOTE3 Return-Path =~ /^[a-zA-Z0-9]+[a-zA-Z0-9\-\.\_]*\@[a-zA-Z]+[\-a-zA-Z0-9\_\.]*$/i #score __SENDER_REMOTE3 -0.001 #meta __SENDER_REMOTE ((__SENDER_TYPE_1 && __SENDER_REMOTE1) || (__SENDER_TYPE_2 && __SENDER_REMOTE2) || (__SENDER_TYPE_3 && __SENDER_REMOTE3)) #describe __SENDER_REMOTE MAIL From: is remote. #score __SENDER_REMOTE 0.001 # #header __SENDER_MDAEMON1 X-Envelope-From =~ /^]/i #score __SENDER_MDAEMON1 -0.001 #full __SENDER_MDAEMON2 /^From ]/mi #score __SENDER_MDAEMON2 -0.001 #header __SENDER_MDAEMON31 Return-Path =~ /^MAILER[\-\.]DAEMON$/i #score __SENDER_MDAEMON31 -0.001 #header __SENDER_MDAEMON32 Return-Path =~ /^MAILER[\-\.]DAEMON\@/i #score __SENDER_MDAEMON32 -0.001 #meta SENDER_MDAEMON ((__SENDER_TYPE_1 && __SENDER_MDAEMON1) || (__SENDER_TYPE_2 && __SENDER_MDAEMON2) || (__SENDER_TYPE_3 && __SENDER_MDAEMON31) || (__SENDER_TYPE_3 && __SENDER_MDAEMON32)) #describe SENDER_MDAEMON MAIL From: is MAILER-DAEMON. #score SENDER_MDAEMON 0.001 # #meta SENDER_BLANK __SENDER_TYPE_DET && !(SENDER_LOCAL || __SENDER_REMOTE || SENDER_MDAEMON) #describe SENDER_BLANK MAIL From: is blank. #score SENDER_BLANK 14.0 # 変な Message-Id: の判別 by G-HAL score MSG_ID_ADDED_BY_MTA_2 4.0 # Obsolate header MSGID_IS_BLANK MESSAGEID !~ /./ describe MSGID_IS_BLANK Message-Id: is blank. score MSGID_IS_BLANK 3.0 # MSGID_HAS_NO_AT と重なるので、併せて +6.5 点。 # 内部から出す時、Message-Id はサーバに任せたりもする。 # そうすると、このあたりのペナルティが付いてしまう。 # 標準設定の sendmail なサーバの場合、Message-Id が無いと、 # 外部だろうが内部だろうが自動で付けちゃうし。 header MSGID_HAS_NO_AT MESSAGEID !~ /\@/ [if-unset: NO@MSGID] describe MSGID_HAS_NO_AT Message-Id has no @ sign score MSGID_HAS_NO_AT 3.5 # Obsolate 3.x score INVALID_MSGID 4.0 score MSGID_NO_HOST 5.0 header MSGID_HAS_LOCALHOST MESSAGEID =~ /\@localhost>?$/i describe MSGID_HAS_LOCALHOST Message-Id: is localhost. score MSGID_HAS_LOCALHOST 1.0 # MSGID_HAS_NO_DOMAIN と重なるので、併せて +5.0 点。 header MSGID_HAS_LOCALDOMAIN MESSAGEID =~ /\@localhost.localdomain>?$/i describe MSGID_HAS_LOCALDOMAIN Message-Id: has localhost.localdomain. score MSGID_HAS_LOCALDOMAIN 4.0 header MSGID_HAS_NO_DOMAIN MESSAGEID =~ /\@([a-z0-9]|[a-z0-9][\-a-z0-9]*[a-z0-9])>?$/i describe MSGID_HAS_NO_DOMAIN Message-Id: has no domain. score MSGID_HAS_NO_DOMAIN 4.0 header __MSGID_HAS_PRIVATE MESSAGEID =~ /\@(([a-z0-9]|[a-z0-9][\-a-z0-9]*[a-z0-9])\.)+private>?$/i describe __MSGID_HAS_PRIVATE Message-Id: has private domain. score __MSGID_HAS_PRIVATE -0.001 header __MSGID_HAS_CCTLD MESSAGEID =~ /\@(([a-z0-9]|[a-z0-9][\-a-z0-9]*[a-z0-9])\.)+[a-z]{2,2}>?$/i describe __MSGID_HAS_CCTLD Message-Id: has country code. score __MSGID_HAS_CCTLD -0.001 # arpa, com,net,org, edu,gov,mil,int # info,biz,name,aero,coop,museum,pro, nato header __MSGID_HAS_GTLD MESSAGEID =~ /\@(([a-z0-9]|[a-z0-9][\-a-z0-9]*[a-z0-9])\.)+(arpa|com|net|org|edu|gov|mil|int|info|biz|name|aero|coop|museum|pro|nato)>?$/i describe __MSGID_HAS_GTLD Message-Id: has generic Top Level Domain. score __MSGID_HAS_GTLD -0.001 header __MSGID_HAS_IP MESSAGEID =~ /\@\[?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe __MSGID_HAS_IP Message-Id: has ip address. score __MSGID_HAS_IP -0.001 header MSGID_HAS_IP0 MESSAGEID =~ /\@\[?0\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe MSGID_HAS_IP0 Message-Id: has 0.x.x.x ip address. score MSGID_HAS_IP0 5 header MSGID_HAS_IP10 MESSAGEID =~ /\@\[?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe MSGID_HAS_IP10 Message-Id: has 10.x.x.x ip address. score MSGID_HAS_IP10 5 header MSGID_HAS_IP127 MESSAGEID =~ /\@\[?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe MSGID_HAS_IP127 Message-Id: has 127.x.x.x ip address. score MSGID_HAS_IP127 5 header MSGID_HAS_IP169254 MESSAGEID =~ /\@\[?169\.254\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe MSGID_HAS_IP169254 Message-Id: has 169.254.x.x ip address. score MSGID_HAS_IP169254 5 header MSGID_HAS_IP192168 MESSAGEID =~ /\@\[?192\.168\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe MSGID_HAS_IP192168 Message-Id: has 192.168.x.x ip address. score MSGID_HAS_IP192168 5 header MSGID_HAS_IP224 MESSAGEID =~ /\@\[?(22[4-9]|23[0-9])\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe MSGID_HAS_IP224 Message-Id: has 224.x.x.x/4 ip address. score MSGID_HAS_IP224 5 header MSGID_HAS_IP240 MESSAGEID =~ /\@\[?(24[0-9]|25[0-5])\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]?>?$/i describe MSGID_HAS_IP240 Message-Id: has 240.x.x.x/4 ip address. score MSGID_HAS_IP240 5 meta MSGID_ILLIGALDOMAIN !(MSGID_IS_BLANK || INVALID_MSGID || MSGID_HAS_NO_AT || MSGID_NO_HOST || MSGID_HAS_LOCALHOST || MSGID_HAS_LOCALDOMAIN || MSGID_HAS_NO_DOMAIN || __MSGID_HAS_PRIVATE || __MSGID_HAS_CCTLD || __MSGID_HAS_GTLD || __MSGID_HAS_IP) describe MSGID_ILLIGALDOMAIN Message-Id: has illigal domain. score MSGID_ILLIGALDOMAIN 5.0 # 変な Header の判別 by G-HAL full __HEADER_PICKUP_TEST /^[a-zA-Z0-9: \-\@\.\_\[\]]+/mi score __HEADER_PICKUP_TEST 0.001 header HDR_TO_CAMOUFLAGED_MANAGER To =~ /\"[a-z ]*\" *<(root|admin|adm|www|uucp)\@[-\.a-z0-9]*>/i describe HDR_TO_CAMOUFLAGED_MANAGER To: is camouflaged to manager score HDR_TO_CAMOUFLAGED_MANAGER 8.0 # ↑管理者宛は procmail で振り分けている事を前提としたルール。 header FROM_WAS_BLANK From !~ /./ describe FROM_WAS_BLANK From: is blank. score FROM_WAS_BLANK 3.0 header FROM_MDAEMON From =~ /MAILER-DAEMON/ describe FROM_MDAEMON From: MAILER-DAEMON score FROM_MDAEMON -0.001 header SUBJECT_WAS_BLANK Subject !~ /./ describe SUBJECT_WAS_BLANK Subject: is blank. score SUBJECT_WAS_BLANK 3.0 #meta FAKE_MAILER_DAEMON (SENDER_MDAEMON && !FROM_MDAEMON) || (!SENDER_MDAEMON && FROM_MDAEMON) #describe FAKE_MAILER_DAEMON Envelope/Header From: is MAILER-DAEMON, but fake. #score FAKE_MAILER_DAEMON 6.0 # # 追加ルール header FROM_HAS_CTRL_CHAR From =~ /[\x80-\xff]/ describe FROM_HAS_CTRL_CHAR From: has illegal charactors. score FROM_HAS_CTRL_CHAR 2.0 header MANY_ADDRESSES To =~ /\@.+(\@.+){3,}/ describe MANY_ADDRESSES To: more than 3 addresses score MANY_ADDRESSES 1.0 body SPECIAL_PRICE /special\s\w*\sprice/i describe SPECIAL_PRICE Percentage mark score SPECIAL_PRICE 1.9 body PHONE_NUMBER1 /(\+\d+[\s\-\(]+|)\d+[\s\-\)\(]+\d+[\s\-\)]+\d+/ describe PHONE_NUMBER1 Phone number score PHONE_NUMBER1 0.3 body JUST_FILL_OUT /just fill out/ describe JUST_FILL_OUT Contains reminder to fill out score JUST_FILL_OUT 2.0 body JUST_CLICK_ON /just click on/ describe JUST_CLICK_ON Contains reminder to click on score JUST_CLICK_ON 2.0 body LONG_WORD /\b[^ :\/\-]{40,}$/m describe LONG_WORD Long word more than 40 characters score LONG_WORD 1.0 body MUCH_DOLLARS /[bm]illions of United States Dollars/i describe MUCH_DOLLARS Talks about lots of money score MUCH_DOLLARS 3.060 #full CTYPE_TEST_0 /[\r\na-zA-Z0-9\s\S \\\-\[\]:;]*attachment[\r\na-zA-Z0-9\s\S \\\-\[\]:;]*/mi #describe CTYPE_TEST_0 Content-Type pick-up test. #score CTYPE_TEST_0 0.5 rawbody CTYPE_ENCODED /Content-Transfer-Encoding: quoted-printable/i describe CTYPE_ENCODED Contains quoted printable score CTYPE_ENCODED 1.6 rawbody CTYPE_OCTET_STREAM1 /Content-Type: application\/octet-stream;/i describe CTYPE_OCTET_STREAM1 Contains octet stream score CTYPE_OCTET_STREAM1 1.5 rawbody CTYPE_OCTET_STREAM2 /^\[skipped application\/octet-stream attachment\]$/i describe CTYPE_OCTET_STREAM2 Contains octet stream score CTYPE_OCTET_STREAM2 1.5 # 2.50 から、仕様が変わったらしい。 # skip されてしまって、それ以上の内容が読み出せない。 rawbody CTYPE_AUDIO /Content-Type: audio\//i describe CTYPE_AUDIO Contains audio data score CTYPE_AUDIO 4.5 rawbody CTYPE_TEXT_HTML /Content-Type: text\/html;/i describe CTYPE_TEXT_HTML Contains HTML score CTYPE_TEXT_HTML 3.0 header __ISO2022JP_CHARSET Content-Type =~ /charset=['"]?iso-2022-jp['"]?/i describe __ISO2022JP_CHARSET ISO-2022-JP message score __ISO2022JP_CHARSET -0.001 # 英語モード以外では、BODY_8BITS が強制解除される。その為の代替。 # 但し「集中」(JIS で [ESC]$B=8Cf[ESC](J)とかあると誤判定する。 body BODY_INCLUDE_8BITS /[\x80-\xff]{8,}/ describe BODY_INCLUDE_8BITS Body include 8bit charactors. score BODY_INCLUDE_8BITS 2.0 # 正直な所、いきなり10点でもいいと思う。 # RFC では、ISO-2022 で流すきまりだったと思うし。 meta CHARSET_MISMATCH __ISO2022JP_CHARSET && (BODY_8BITS || BODY_INCLUDE_8BITS) describe CHARSET_MISMATCH Header and Body charset was mismatch. score CHARSET_MISMATCH 5.0 #header GB2312_CHARSET Content-Type =~ /charset=['"]?GB2312['"]?/i #describe GB2312_CHARSET GB2312(Chinese ESC) message #score GB2312_CHARSET 10.00 #header KS5601_CHARSET Content-Type =~ /charset= ?['"]?ks_c_5601/i #describe KS5601_CHARSET KS_C_5601(Korean ESC) message #score KS5601_CHARSET 10.00 header MISYOUDAKU Subject =~ /L\$.*(>|=3E)5.*Bz/ describe MISYOUDAKU MiSyouDaku score MISYOUDAKU 2.0 header SUESYOUDAKU Subject =~ /Kv.*(>|=3E)5.*Bz/ describe SUESYOUDAKU SueSyouDaku score SUESYOUDAKU 2.0 header BANG_BANG Subject =~ /(!\*|\033\$[B@]).*(!\*|\033\([BJ]!)/ describe BANG_BANG !...! score BANG_BANG 2.00 header STAR Subject =~ /(\"\(|\*|\!v)/ describe STAR * score STAR 0.1 header KOUKOKU Subject =~ /9-9p/ describe KOUKOKU Koukoku score KOUKOKU 2.0 meta MISYOUDAKUKOUKOKU ( MISYOUDAKU || SUESYOUDAKU ) && KOUKOKU && STAR describe MISYOUDAKUKOUKOKU (Mi/Sue)SYOUDAKU && KOUKOKU && STAR score MISYOUDAKUKOUKOKU 6.0 meta MALFORMED_TO_KOUKOKU TO_MALFORMED && MISYOUDAKUKOUKOKU describe MALFORMED_TO_KOUKOKU TO_MALFORMED && MISYOUDAKUKOUKOKU score MALFORMED_TO_KOUKOKU 3.5 header STAR3_1S Subject =~ /\!z\!y\!z/ describe STAR3_1S Triple StarMark score STAR3_1S 1.0 header STAR3_2S Subject =~ /\!y\!z\!y/ describe STAR3_2S Triple StarMark score STAR3_2S 1.0 body STAR3_1 /\!z\!y\!z/ describe STAR3_1 Triple StarMark score STAR3_1 1.0 body STAR3_2 /\!y\!z\!y/ describe STAR3_2 Triple StarMark score STAR3_2 1.0 header TOUFU1S Subject =~ /"\#/ describe TOUFU1S Toufu Moji score TOUFU1S 0.1 header TOUFU2S Subject =~ /"\#.*"\#/ describe TOUFU2S Sandwiched by Toufu Moji score TOUFU2S 1.0 header TOUFU3S Subject =~ /"\#"\#"\#/ describe TOUFU3S Triple Toufu Moji score TOUFU3S 1.0 body TOUFU1 /"\#/ describe TOUFU1 Toufu Moji score TOUFU1 0.1 body TOUFU2 /"\#"\#/ describe TOUFU2 Dual Toufu Moji score TOUFU2 0.5 body TOUFU3 /"\#"\#"\#/ describe TOUFU3 Triple Toufu Moji score TOUFU3 0.5 rawbody HAISHINTEISHI /G\[\?\.(..){0,2}(Dd;_|ITMW)/ describe HAISHINTEISHI Haishin (no) Teishi score HAISHINTEISHI 2.4 rawbody HAISHINTEISHI_SJIS /\x94\x7a\x90\x4d(..){0,2}\x92\xe2\x8e\x7e/ describe HAISHINTEISHI_SJIS Haishin (no) Teishi using sjis score HAISHINTEISHI_SJIS 2.4 body KOUDOKUKAIJO /9XFI(..)*2r=\|/ describe KOUDOKUKAIJO Koudoku Kaijo score KOUDOKUKAIJO 2.4 body SAKUJYOKIBOU /:o=\|4uK>/ describe SAKUJYOKIBOU Sakujyo Kibou score SAKUJYOKIBOU 0.5 body SAKUJYOKIBOU_SJIS /\x8d\xed\x8f\x9c\x8a\xf3\x96\x5d/ describe SAKUJYOKIBOU_SJIS Sakujyo Kibou using sjis score SAKUJYOKIBOU_SJIS 0.5 body MURYOU /L5NA/ describe MURYOU Muryou score MURYOU 3.4 body URAVIDEO /N"%S%G%\*/ describe URAVIDEO Ura Video score URAVIDEO 2.4 header URAVIDEO_SUBJ Subject =~ /N"%S%G%\*/ describe URAVIDEO_SUBJ Ura Video score URAVIDEO_SUBJ 3.4 body ADULTVIDEO /%"%\@%k%H%S%G%\*/ describe ADULTVIDEO Adult Video score ADULTVIDEO 2.4 header ADULTVIDEO_SUBJ Subject =~ /%"%\@%k%H%S%G%\*/ describe ADULTVIDEO_SUBJ Adult Video score ADULTVIDEO_SUBJ 3.4 body URADVD /N"\#D\#V\#D/ describe URADVD Ura DVD score URADVD 2.4 header URADVD_SUBJ Subject =~ /N"\#D\#V\#D/ describe URADVD_SUBJ Ura DVD score URADVD_SUBJ 3.4 body ADULTDVD /%"%\@%k%H\#D\#V\#D/ describe ADULTDVD Adult DVD score ADULTDVD 2.4 header ADULTDVD_SUBJ Subject =~ /%"%\@%k%H\#D\#V\#D/ describe ADULTDVD_SUBJ Adult DVD score ADULTDVD_SUBJ 3.4 body __PINK /%T%s%\// describe __PINK PINK score __PINK 0.001 body __PINK_SJIS /\x83\x73\x83\x93\x83\x4e/ describe __PINK_SJIS PINK using sjis score __PINK_SJIS 0.001 body VIAGRA /%P%\$%"%0%/ describe VIAGRA VIAGRA score VIAGRA 1.4 body VIAGRA_SJIS /\x83\x6f\x83\x43\x83\x41\x83\x4f\x83\x89/ describe VIAGRA_SJIS VIAGRA using sjis score VIAGRA_SJIS 1.4 meta PINKVIAGRA (__PINK || __PINK_SJIS) && (VIAGRA || VIAGRA_SJIS) describe PINKVIAGRA BODY: Pink Viagra score PINKVIAGRA 1.4 body OBSCENE_WORD_1 /\@-4o/ describe OBSCENE_WORD_1 OBSCENE_WORD SEIKI score OBSCENE_WORD_1 2.4 body __ISO2022JP_BODY /\033\$[B@]/ describe __ISO2022JP_BODY ISO-2022-JP message score __ISO2022JP_BODY -0.001 header X_MAILER X-Mailer =~ /(GpsMailer|SpireMail|IM200[01] Version|Pinta Magazine|MultiMail|BSMTP DLL|E-Magazine|Direct Email|Achi-Kochi Mail|MagicalMail|InternetPost for Active Platform|Web Based Pronto|Oshirase.*-Mailer|SendMailEX|Douhou\@Mail|DM Mailer|Easy DM|{%xmailer%}|^[0-9A-Za-z]{10,}$|pJs/ describe GOKUHIJOUHOU Gokuhi Jouhou score GOKUHIJOUHOU 5.0 body CENTRALREMOVALSERVICE /http:\/\/www.centralremovalservice.com\/cgi-bin\/.*.cgi/ describe CENTRALREMOVALSERVICE http://www.centralremovalservice.com/cgi-bin/ score CENTRALREMOVALSERVICE 5.0 body REDLIGHTEMAIL1 /www\.redlightemail\.com\/remove\.cfm/ describe REDLIGHTEMAIL http://www.redlightemail.com/remove.cfm score REDLIGHTEMAIL 2.0 body REDLIGHTEMAIL2 /100% Spam Free RedLightEmail/ describe REDLIGHTEMAIL2 100% Spam Free RedLightEmail score REDLIGHTEMAIL2 2.0 meta REDLIGHTEMAIL REDLIGHTEMAIL1 && REDLIGHTEMAIL2 describe REDLIGHTEMAIL REDLIGHTEMAIL1 && REDLIGHTEMAIL2 score REDLIGHTEMAIL 6.0 rawbody RANDOM_ID3 /^\(.+\)[0-9]+[A-Za-z]+[0-9]/ describe RANDOM_ID3 random numeric and alphabet ID-like phrase score RANDOM_ID3 10.0 body RANDOM_ID4 /[A-Za-z]{18,} [A-Za-z-.]{18,} [A-Za-z]{18,}/ describe RANDOM_ID4 random alphabet ID-like phrase score RANDOM_ID4 5.0 header ILLEGULAR_FROM From =~ /^[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+$/ describe ILLEGULAR_FROM From: xxxx@xxxx.jp@xxxx.jp score ILLEGULAR_FROM 10.0 header BIZIMAGA Subject =~ /:G\?7%S%8%M%9>pJs%\^%,%8%s/ describe BIZIMAGA BIZIMAGA score BIZIMAGA 10.0 header X_MACKY_ID_PRESENT exists:X-Macky-ID score X_MACKY_ID_PRESENT 10.0 header X_MACKYCATCODE_PRESENT exists:X-MackyCatCode score X_MACKYCATCODE_PRESENT 10.0 header X_MACKYMEDIA_PRESENT exists:X-MackyMedia score X_MACKYMEDIA_PRESENT 10.0 body BIJINESUSHOUKAIHP /%S%8%M%9>R2p.\(BHP/ describe BIJINESUSHOUKAIHP BIJINESUSHOUKAIHP score BIJINESUSHOUKAIHP 3.0 body GENSENBIJINESUJOUHOUHP /87A\*%S%8%M%9>pJs.\(BHP/ describe GENSENBIJINESUJOUHOUHP GENSENBIJINESUJOUHOUHP score GENSENBIJINESUJOUHOUHP 3.0 body EURO_SCAM /Learn how \$10,000 in options will leverage \$1,000,000 in/ describe EURO_SCAM $10,000 will leverage $1,000,000 score EURO_SCAM 10.0 body BROWSE_FREE /BROWSE FREE!/ describe BROWSE_FREE BROWSE FREE! score BROWSE_FREE 1.0 body B100P_FREE /100% FREE/ describe B100P_FREE 100% FREE score B100P_FREE 1.0 rawbody OPTOUT6 /the opt\-out instruction below\. We apologize for any inconvenience\./i describe OPTOUT6 We apologize for any inconvenience. score OPTOUT6 3.0 body OPTOUT1 /""OPT-OUT""/ describe OPTOUT1 ""OPT-OUT"" score OPTOUT1 1.0 body OPTOUT2 /If you wish to "OPT-OUT" from this mailing/ describe OPTOUT2 If you wish to "OPT-OUT" from this mailing score OPTOUT2 1.0 body OPTOUT3 /http:\/\/.+optout\.html/i describe OPTOUT3 http://*****/optout.html score OPTOUT3 2.0 meta OPTOUT4 OPTOUT1 && OPTOUT2 && OPTOUT3 describe OPTOUT4 OPTOUT1 && OPTOUT2 && OPTOUT3 score OPTOUT4 4.0 body BAD_CREDIT /We specialize in .+BAD CREDIT/i describe BAD_CREDIT We specialize in approving BAD CREDIT! score BAD_CREDIT 1.0 rawbody HTML_COMMENT_ID // describe HTML_COMMENT_ID random ID number in HTML comment score HTML_COMMENT_ID 2.0 rawbody SHINGATASIDEBUSINESS /\?7.*7\?.*%5.*%\$.*%I.*%S.*%8.*%M.*%9.*>p.*Js/ describe SHINGATASIDEBUSINESS SHIN. GATA. SA. I. DO. BI. JI. NE. SU. JOU. HOU. score SHINGATASIDEBUSINESS 5.0 score INVALID_DATE 5.4 score TO_LOCALPART_EQ_REAL 1.0 # Obsolate score SMTPD_IN_RCVD 3.0 # Obsolate 3.x score REMOVE_PAGE 2.0 header X_PRECEDENCE_REF exists:X-Precedence-Ref describe X_PRECEDENCE_REF Message has X-Precedence-Ref header score X_PRECEDENCE_REF 4.4 # Obsolate 3.x #full GB2312ENC /\nContent-Type: .*; charset=.*gb2312[\n\r]/i #describe GB2312ENC GB2312(Chinese ESC) message #score GB2312ENC 2.0 full QENCTXT /\nContent-Transfer-Encoding: quoted-printable[\n\r]/i describe QENCTXT quoted-printable score QENCTXT 3.0 #meta GB2312QENC GB2312ENC && QENCTXT #describe GB2312QENC GB2312(Chinese ESC) quoted-printable MIME body #score GB2312QENC 10.0 header BINARY_ENCODING Content-Transfer-Encoding =~ /binary/ describe BINARY_ENCODING Content-Transfer-Encoding: binary score BINARY_ENCODING 3.0 body STRICTLY_CONFIDENTIAL /STRICTLY CONFIDENTIAL/ describe STRICTLY_CONFIDENTIAL "STRICTLY CONFIDENTIAL" is NOT confidential. score STRICTLY_CONFIDENTIAL 3.0 body ABSOLUTE_CONFIDENCE /I am writing you in absolute confidence primarily to seek/i describe ABSOLUTE_CONFIDENCE absolute confidence primarily to seek score ABSOLUTE_CONFIDENCE 1.0 body SOURCE_OF_THE_MONEY /^Source of the money:/i describe SOURCE_OF_THE_MONEY Source of the money: score SOURCE_OF_THE_MONEY 0.3 body MY_LATE_FATHER /My late father.+, a native of +Mende District in the/i describe MY_LATE_FATHER a native of Mende District score MY_LATE_FATHER 0.5 meta NIGERIAN_TRANSACTION_6 ABSOLUTE_CONFIDENCE && SOURCE_OF_THE_MONEY && MY_LATE_FATHER describe NIGERIAN_TRANSACTION_6 Nigerian Transaction 6 score NIGERIAN_TRANSACTION_6 8.0 full SHIFT_JIS1 /charset="shift_jis"/i describe SHIFT_JIS1 charset="shift_jis" score SHIFT_JIS1 1.0 meta MULTI_SJIS MULTIPART_ALTERNATIVE && SHIFT_JIS1 describe MULTI_SJIS MULTIPART_ALTERNATIVE && SHIFT_JIS1 score MULTI_SJIS 1.0 header VSOURCE From =~ /Vsource/i describe VSOURCE VSOURCE score VSOURCE 5.0 header FAKEDMSOE User-Agent =~ /Microsoft-Outlook-Express-Macintosh-Edition/ describe FAKEDMSOE Faked MS-OE(Mac) score FAKEDMSOE 3.0 body OSOKUNATTEGOMEN /\$\*JV;vCY\$\/\$J\$C\$F\$4\$a\$s\$M/ describe OSOKUNATTEGOMEN "OSOKUNATTEGOMENNE" score OSOKUNATTEGOMEN 0.1 body HPTSUKUCCHATTA /HP.+:n\$C\$A\$c\$C\$\?/ describe HPTSUKUCCHATTA "HPchokottotsukucchatta" score HPTSUKUCCHATTA 0.5 body ASOBINIKITENE /M7\$S\$KMh\$F\$M/ describe ASOBINIKITENE "ASOBINIKITENE" score ASOBINIKITENE 0.1 meta LOVE2HOMUPEWAARUDO FAKEDMSOE && OSOKUNATTEGOMEN && HPTSUKUCCHATTA && ASOBINIKITENE describe LOVE2HOMUPEWAARUDO FakedMSOE and Messages... score LOVE2HOMUPEWAARUDO 8.0 score HOT_NASTY 2.0 #score BIG_FONT 2.0 ? #score RATWARE_JIXING 10.0 #score NIGERIAN_TRANSACTION_1 2.0 ? #score NIGERIAN_TRANSACTION_2 2.0 ? #score SPAM_PHRASE_03_05 2.0 ? #score USER_AGENT_OE 2.0 ? #score USER_AGENT_THEBAT 7.0 score RISK_FREE 2.0 #score RATWARE_OE_MALFORMED 4.1 body __CLICK_BELOW /click\s.{0,30}(?:here|below)/is meta CLICK_BELOW (__CLICK_BELOW && !CLICK_BELOW_CAPS) describe CLICK_BELOW Asks you to click below score CLICK_BELOW 1.0 # Obsolate 3.x #score CLICK_HERE_LINK 1.0 ? ##score US_DOLLARS_2 1.0 ##score US_DOLLARS_3 1.0 ##score US_DOLLARS_4 1.0 ? header RATWARE_DIFFOND ALL =~ /DiffondiCool/ describe RATWARE_DIFFOND Bulk email fingerprint (DiffondiCool) found score RATWARE_DIFFOND 6.0 # Obsolate 3.x score FOR_INSTANT_ACCESS 1.0 # Obsolate 3.x body INSTANT_ACCESS /\binstant access\b/i describe INSTANT_ACCESS offers "instant access" score INSTANT_ACCESS 1.0 # Obsolate 3.x rawbody MICROSOFT_EXECUTABLE eval:check_for_mime('microsoft_executable') describe MICROSOFT_EXECUTABLE Message includes Microsoft executable program tflags MICROSOFT_EXECUTABLE userconf score MICROSOFT_EXECUTABLE 6.0 # Obsolate 3.x #score CHARSET_FARAWAY_HEADERS 4.0 uri PORN_4 /^https?:\/\/[\w\.-]*(?:xxx|(?pJs/ describe BUSINESSJOUHOU BUSINESSJOUHOU score BUSINESSJOUHOU 1.0 body FETIGAZOU /%U%'%A2hA\|/ describe FETIGAZOU FETIGAZOU score FETIGAZOU 2.0 body RAPEGAZOU /%l%\$%W2hA\|/ describe RAPEGAZOU RAPEGAZOU score RAPEGAZOU 3.0 body CHIRAGAZOU /%A%i2hA\|/ describe CHIRAGAZOU CHIRAGAZOU score CHIRAGAZOU 2.0 body IDOLOTAKARA /%"%\$%I%k\$\*Ju/ describe IDOLOTAKARA IDOLOTAKARA score IDOLOTAKARA 2.0 body KONKAIKAGIRI /\$3\$N%a!<%k\$O:\#2s8B\$j/ describe KONKAIKAGIRI KONKAIKAGIRI is NOT one-time mailing. score KONKAIKAGIRI 4.0 body YOU_RECEIVED_THIS /You received this email because you signed up/i describe YOU_RECEIVED_THIS You received this email because you signed up score YOU_RECEIVED_THIS 2.5 header XMIMETRACK X-MIMETrack =~ /Serialize by Router on .*\(Release / describe XMIMETRACK Serialize by Router on ...(Release ... score XMIMETRACK 1.0 # Special thanks to Hisaaki SHIBATA-san: 2003/04/04 header UNDISCLOSED To =~ /undisclosed-recipients*:/i describe UNDISCLOSED Undisclosed-recipients score UNDISCLOSED 2.00 meta PORN_SPAM1 (HOT_NASTY || LARGE_COLLECTION || NASTY_GIRLS || SPAM_PHRASE_01_02) && USE_THIS_LINK describe PORN_SPAM1 PornWord and LINK score PORN_SPAM1 7.0 meta SUBJ_SPACES_UNIQID SUBJ_HAS_SPACES && SUBJ_HAS_UNIQ_ID describe SUBJ_SPACES_UNIQID SUBJ_HAS_SPACES && SUBJ_HAS_UNIQ_ID score SUBJ_SPACES_UNIQID 6.4 meta BROKEN_HEADERS DATE_MISSING && FROM_MISSING && MISSING_HEADERS && SUBJ_MISSING describe BROKEN_HEADERS Date/From/To/Subj Missing score BROKEN_HEADERS 8.0 meta MICROSOFT_VIRUS MICROSOFT_EXECUTABLE && (MIME_HTML_NO_CHARSET || MULTIPART_ALTERNATIVE || QENCTXT) describe MICROSOFT_VIRUS Doubt for MICROSOFT_VIRUS score MICROSOFT_VIRUS 8.0 meta MIMEHEXQENC MIME_BOUND_MANY_HEX && QENCTXT describe MIMEHEXQENC MIME_BOUND_MANY_HEX && QENCTXT score MIMEHEXQENC 1.1 meta MIMEHEXLONGQ MIME_BOUND_MANY_HEX && MIME_LONG_LINE_QP describe MIMEHEXLONGQ MIME_BOUND_MANY_HEX && MIME_LONG_LINE_QP score MIMEHEXLONGQ 2.0 meta LOTSCCSPAMADDR LOTS_OF_CC_LINES && MAILTO_TO_SPAM_ADDR describe LOTSCCSPAMADDR LOTS_OF_CC_LINES && MAILTO_TO_SPAM_ADDR score LOTSCCSPAMADDR 2.0 meta IDMTAXPRIHIGH MSG_ID_ADDED_BY_MTA_2 && X_PRIORITY_HIGH describe IDMTAXPRIHIGH MSG_ID_ADDED_BY_MTA_2 && X_PRIORITY_HIGH score IDMTAXPRIHIGH 2.0 body FUJITAYUZAN /F\#EDM\:\;3/ describe FUJITAYUZAN FUJITAYUZAN score FUJITAYUZAN 0.5 body HIROSHIMAKENCHIJI /9\-Eg8\)CN\;v/ describe HIROSHIMAKENCHIJI HIROSHIMAKENCHIJI score HIROSHIMAKENCHIJI 0.5 body NOMOTODENO /\$N85\$G\$N/ describe NOMOTODENO NOMOTODENO score NOMOTODENO 0.1 body OSOROSHIIHANASHI /62\$m\$7\$\$OC/ describe OSOROSHIIHANASHI OSOROSHIIHANASHI score OSOROSHIIHANASHI 0.1 body GYOUSEISOSHO /9T\@\/AJ\>Y/ describe GYOUSEISOSHO GYOUSEISOSHO score GYOUSEISOSHO 0.1 body SOKURYOSHI /B\,NL\;N/ describe SOKURYOSHI SOKURYOSHI score SOKURYOSHI 0.1 meta FUJITACHIJI FUJITAYUZAN && HIROSHIMAKENCHIJI describe FUJITACHIJI FUJITAYUZAN && HIROSHIMAKENCHIJI score FUJITACHIJI 1.0 meta CHIJINOMOTO HIROSHIMAKENCHIJI && NOMOTODENO describe CHIJINOMOTO HIROSHIMAKENCHIJI && NOMOTODENO score CHIJINOMOTO 1.0 meta MOTODEOSORO NOMOTODENO && OSOROSHIIHANASHI describe MOTODEOSORO NOMOTODENO && OSOROSHIIHANASHI score MOTODEOSORO 1.0 meta OSOROGYOUSEI OSOROSHIIHANASHI && GYOUSEISOSHO describe OSOROGYOUSEI OSOROSHIIHANASHI && GYOUSEISOSHO score OSOROGYOUSEI 1.0 meta FUJITASPAM1 FUJITACHIJI && CHIJINOMOTO && MOTODEOSORO describe FUJITASPAM1 FUJITACHIJI && CHIJINOMOTO && MOTODEOSORO score FUJITASPAM1 3.0 meta FUJITASPAM2 FUJITACHIJI && MOTODEOSORO && OSOROGYOUSEI describe FUJITASPAM2 FUJITACHIJI && MOTODEOSORO && OSOROGYOUSEI score FUJITASPAM2 3.0 meta MULTIMIME MULTIPART_ALTERNATIVE && (MIME_BOUND_DIGITS_7 || MIME_BOUND_DIGITS_4) describe MULTIMIME MultipartAlternative & (MIME_Bound 4 or 7) score MULTIMIME 3.0 # Thanks to: SHIBATA Hisaaki san body AFAF /(zimbabwe|nigeria|angola|south afric|Sierra|UNITA)/i describe AFAF Afaf score AFAF 3.0 # following "OBFUSCATING_COMMENT" # Obsolate: 2.55 まで #body OBFUSCATING_COMMENT2 /(<\![[:print:]]+>).+\1.+\1.+\1.+\1/ #describe OBFUSCATING_COMMENT2 HTML comments which obfuscate text #score OBFUSCATING_COMMENT2 4.0 body FAKEWORDEMAIL /em\@il/i describe FAKEWORDEMAIL em@il score FAKEWORDEMAIL 0.5 body FAKEWORDEXTENTION /extensi0n/i describe FAKEWORDEXTENTION extensi0n score FAKEWORDEXTENTION 0.5 body FAKEWORDPLEASE /Ple\@se/i describe FAKEWORDPLEASE Ple@se score FAKEWORDPLEASE 0.5 body FAKEWORDREMOVE /rem0ve/i describe FAKEWORDREMOVE rem0ve score FAKEWORDREMOVE 0.5 body FAKEWORDPLEASEREMOVE /Ple\@se.+rem0ve:/i describe FAKEWORDPLEASEREMOVE Ple@se rem0ve: score FAKEWORDPLEASEREMOVE 1.5 body FAKEWORDNO /N0/i describe FAKEWORDNO N0 score FAKEWORDNO 0.5 body FAKEWORDTRANSFER /tr\@nsfer/i describe FAKEWORDTRANSFER tr@nsfer score FAKEWORDTRANSFER 0.5 rawbody REMOVEDOMAINSFORPEOPLE /^http\:\/\/www.domainsforpeople.com\/cgi\-bin\/off_list\.pl/i describe REMOVEDOMAINSFORPEOPLE www.domainsforpeople.com score REMOVEDOMAINSFORPEOPLE 1.5 meta DOMAINSFORPEOPLE REMOVEDOMAINSFORPEOPLE && (FAKEWORDEMAIL || FAKEWORDEXTENTION || FAKEWORDPLEASE || FAKEWORDREMOVE || FAKEWORDNO || FAKEWORDTRANSFER) describe DOMAINSFORPEOPLE www.domainsforpeople.com & Messages score DOMAINSFORPEOPLE 3.0 #rawbody FAKEDWORD_ATMARK /( |\r|\n)[A-Za-z]{0,}(\@[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/ full FAKEDWORD_ATMARK /( |\r|\n)[A-Za-z]{0,}(\@[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/ describe FAKEDWORD_ATMARK ex. em@il (this rule is only for body) score FAKEDWORD_ATMARK 0.5 #full FAKEDWORD_ZERO /((^)|( ))[A-Za-z]{0,}(0[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/ full FAKEDWORD_ZERO /( |\r|\n)[A-Za-z]{0,}(0[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/ describe FAKEDWORD_ZERO ex. Cust0mer score FAKEDWORD_ZERO 0.5 full FAKEDWORD_ONE /( |\r|\n)[A-Za-z]{0,}(1[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/ describe FAKEDWORD_ONE ex. l1st score FAKEDWORD_ONE 0.5 full FAKEDWORD_EXCLAMATION /( |\r|\n)[A-Za-z]{0,}(\![A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/ describe FAKEDWORD_EXCLAMATION ex. MED!C!NE score FAKEDWORD_EXCLAMATION 0.5 body GAPPY_REM0VED / R E M 0 V E D / describe GAPPY_REM0VED R E M 0 V E D score GAPPY_REM0VED 1.5 # special thanks to: R.Takashi ISHIOKA-san! 2003/07/16 body SJIS_SOSHINSHA /\221\227\220M\216\322/ describe SJIS_SOSHINSHA soushinsha using sjis score SJIS_SOSHINSHA 0.1 meta FAKED_SJISBODY1 SJIS_SOSHINSHA && __ISO2022JP_BODY describe FAKED_SJISBODY1 SJIS_SOSHINSHA && __ISO2022JP_BODY score FAKED_SJISBODY1 5.0 #body SJIS_URAVIDEO /\227\240\203r\203f\203\111/ #body SJIS_URAVIDEO /\227.\203r\203f\203\111/ body SJIS_URAVIDEO /\x97.\x83\x72\x83\x66\x83\x49/ describe SJIS_URAVIDEO uravideo using sjis score SJIS_URAVIDEO 1.5 body SJIS_URADVD /\x97.\x82\x63\x82\x75\x82\x63/ describe SJIS_URADVD ura-DVD using sjis score SJIS_URADVD 1.5 body SJIS_URADVD2 /\x97.DVD/ describe SJIS_URADVD2 ura-DVD using sjis score SJIS_URADVD2 1.5 body SJIS_ADULTDVD /\x83\x41\x83\x5f\x83\x8b\x83\x67\x82\x63\x82\x75\x82\x63/ describe SJIS_ADULTDVD Adult-DVD using sjis score SJIS_ADULTDVD 1.5 body SJIS_SAISHINRYUSHUTSU /\x8d\xc5\x90\x56\x97\xac\x8f\x6f/ describe SJIS_SAISHINRYUSHUTSU saishinryushutsu using sjis score SJIS_SAISHINRYUSHUTSU 1.5 body SJIS_BURUSERA /\x83\x75\x83\x8b\x83\x5a\x83\x89/ describe SJIS_BURUSERA burusera using sjis score SJIS_BURUSERA 1.5 body SJIS_SHIROUTOTOUKOU /\x91\x66\x90\x6c\x93\x8a\x8d\x65/ describe SJIS_SHIROUTOTOUKOU shiroutotoukou using sjis score SJIS_SHIROUTOTOUKOU 1.5 body SJIS_YOUMONO /\x97\x6d\x95\xa8/ describe SJIS_YOUMONO youmono using sjis score SJIS_YOUMONO 1.5 body SJIS_TOUSATSU /\x93\x90\x8e\x42/ describe SJIS_TOUSATSU tousatsu using sjis score SJIS_TOUSATSU 1.5 body SJIS_LOLIKEI /\x83\x8d\x83\x8a\x8c\x6e/ describe SJIS_LOLIKEI lolikei using sjis score SJIS_LOLIKEI 1.5 body SJIS_ZENKAKU_SM /\x82\x72\x82\x6c/ describe SJIS_ZENKAKU_SM SM in zenkaku using sjis score SJIS_ZENKAKU_SM 1.5 meta PORN_SJIS (SJIS_BURUSERA||SJIS_LOLIKEI||SJIS_SAISHINRYUSHUTSU||SJIS_SHIROUTOTOUKOU||SJIS_TOUSATSU||SJIS_URAVIDEO||SJIS_URADVD||SJIS_YOUMONO||SJIS_ZENKAKU_SM)&&__ISO2022JP_BODY describe PORN_SJIS SJIS Porn Words score PORN_SJIS 5.0 body NO_LONGER_WISH /but if you no longer wish to receive our emails please:/i describe NO_LONGER_WISH no longer wish to receive our emails please: score NO_LONGER_WISH 1.5 body ENJOYED_RECEIVING /We hope you enjoyed receiving this email/i describe ENJOYED_RECEIVING We hope you enjoyed receiving this email score ENJOYED_RECEIVING 1.0 meta ENJOYED_NO_LONGER NO_LONGER_WISH && ENJOYED_RECEIVING describe ENJOYED_NO_LONGER NO_LONGER_WISH && ENJOYED_RECEIVING score ENJOYED_NO_LONGER 2.5 #score EMAIL_ATTRIBUTION -0.1 # Obsolate 3.x #score BAYES_70 5.0 #score BAYES_80 5.5 #score BAYES_90 6.0 #score BAYES_99 6.5 #score MSGID_GOOD_EXCHANGE 0.001 # Obsolate 3.x #score X_LIBRARY 4.3 #score PGP_SIGNATURE 0.0 #score USER_AGENT_FORTE 0.001 # Obsolate 3.x #score USER_AGENT_GNUS_UA 0.001 # Obsolate 3.x #score USER_AGENT_GNUS_XM 0.001 # Obsolate 3.x #score USER_AGENT_IMP 0.001 # Obsolate 3.x #score USER_AGENT_KMAIL 0.001 # Obsolate 3.x #score USER_AGENT_MOZILLA_UA 0.001 # Obsolate 3.x #score USER_AGENT_MOZILLA_XM 0.001 # Obsolate 3.x #score USER_AGENT_MSN 0.001 # Obsolate 3.x #score USER_AGENT_MUTT 0.001 # Obsolate 3.x #score USER_AGENT_TONLINE 0.001 # Obsolate 3.x #score USER_AGENT_XIMIAN 0.001 # Obsolate 3.x #score RCVD_IN_RBL 10 #score RCVD_IN_RSS 1 #score RCVD_IN_DUL 1 #score RCVD_IN_BL_SPAMCOP_NET 3