# our MTAs fix up headers for a slew of spams, so mark these as suspicious
# -- joy, 2003-06-28
-header OUR_MTA_MSGID Message-Id =~ /\@(murphy|master|gluck)\.debian\.org/
-describe OUR_MTA_MSGID Sounds like a MsgId autogenerated by our MTAs
-score OUR_MTA_MSGID 1
+# deactivated as this rule is also part of SA itself.
+#header OUR_MTA_MSGID Message-Id =~ /\@(bendel|master|gluck)\.debian\.org/
+#describe OUR_MTA_MSGID Sounds like a MsgId autogenerated by our MTAs
+#score OUR_MTA_MSGID 1
# -- joy, 2003-08-15
-header SENDER_FOR_US From =~ /\@(murphy|master|gluck|lists)\.debian\.org/
+header SENDER_FOR_US From =~ /\@(bendel|master|gluck|lists)\.debian\.org/
describe SENDER_FOR_US Sounds like a mail aimed at tricking our MTAs
score SENDER_FOR_US 2
#describe OURCRONMAILS Sounds like a legitimate cron job mail
#score OURCRONMAILS -3
-header MURPHY_LOCAL_FORWARDED Resent-From =~ /murphy\.debian\.org/
-describe MURPHY_LOCAL_FORWARDED Mail has been locally forwarded.
-score MURPHY_LOCAL_FORWARDED -5
+header BENDEL_LOCAL_FORWARDED Resent-From =~ /bendel\.debian\.org/
+describe BENDEL_LOCAL_FORWARDED Mail has been locally forwarded.
+score BENDEL_LOCAL_FORWARDED -5
# temp work-around for d-l-f
score MURPHY_MIGUS_REPORT -5
# our own whitelisting of subscribers
-header LDOSUBSCRIBER X-Subscriber-murphy.debian.org =~ /./
+header LDOSUBSCRIBER X-Subscriber-lists.debian.org =~ /./
describe LDOSUBSCRIBER Sender is a lists.debian.org subscriber
score LDOSUBSCRIBER -6
+# whitelist mails to majordomo
+header MAJORDOMOMAIL Delivered-To =~ /lists-majordomo@/
+describe MAJORDOMOMAIL mail to major domo
+score MAJORDOMOMAIL -0.1
+
+meta MAJORDOMOWHITE (MAJORDOMO && (NOSUBJECT || MISSING_SUBJECT))
+describe MAJORDOMOWHITE Counteract no subject score for majordomo mails
+score MAJORDOMOWHITE -3
+
+# count recipients and score those with Too Many. -cord
+describe TO_TOO_MANY To: too many recipients
+header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){5}/
+score TO_TOO_MANY 1
+
+describe TO_WAY_TOO_MANY To: way too many recipients
+header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){10}/
+score TO_WAY_TOO_MANY 3
+
+describe CC_TOO_MANY CC: too many recipients
+header CC_TOO_MANY CC =~ /(?:,[^,]{1,80}){10}/
+score CC_TOO_MANY 3
+
+score CORRUPT_FROM_LINE_IN_HDRS 0
+score FM_DDDD_TIMES_2 0
+score FM_SEX_HOSTDDDD 0
+score NO_HEADERS_MESSAGE 0
+score SARE_HEAD_SUBJ_RAND 0
+score SARE_SPEC_PROLEO_M2a 0
+score SHACKOUTLOOK 0
+score MSGID_FROM_MTA_ID 0