+# -*- mode: spamassassin -*-
+
# This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
# pasc couldn't find any false positives on the lists he's on
header X_MESSAGE_INFO exists:X-Message-Info
describe GUEBDE www.geub.de
score GUEBDE 5
+# Don 2008-06-27
+full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
+describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
+score PGPSIGNATURE -5
+
# TODO: The rules below seem to be very similar; possibly fix them.
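Review bot: PGPSIGNATURE grants -5 for the bare armor line `-----BEGIN PGP SIGNATURE-----` anywhere in the raw message, and as its describe text admits, nothing checks that a signature is valid, so any sender can claim the bonus by including that line. That is enough to cancel a 5-point rule such as GUEBDE directly above it. A weight that cannot outvote the content rules on its own would be safer, e.g. `score PGPSIGNATURE -1`, or use the match only inside a `meta` together with a signal the sender does not control. STATIC_RIMA_TDE further down has the same shape: -5 for a substring of any `Received` header, including ones written before the message reached a trusted relay.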
describe NEXTPART spammer mime separator
score NEXTPART 2.5
-# blarson 2006-10-17
+# blarson 2006-10-17 2009-04-30
full CT_IMAGE /Content\-Type\:\s*image/i
describe CT_IMAGE Picture attached
-score CT_IMAGE 1
+score CT_IMAGE 1.5
# blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
header CT_IMAGE_HEAD content-type =~ /image/
score FAILNOTE 2
# blarson 2007-06-28
-rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
+full CTINLINE /^Content\-Disposition\: inline\;\b/
describe CTINLINE Inline attachment
score CTINLINE 1
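Review bot: Switching CTINLINE from `rawbody` to `full` keeps the leading `^` but adds no `/m`. As far as I know a `full` rule is matched against the whole raw message as one string, so `^` would only match at the very start of the message and the rule would stop hitting MIME part headers. If the intent is to see part headers, `full CTINLINE /^Content\-Disposition\: inline\;\b/m` keeps the line anchor working. Separately, and already present before this change, the trailing `\;\b` only matches when a word character follows the semicolon directly, so `inline; filename=...` with a space is missed. RTF_ATTACH in the later hunk uses the same `full` plus `^` combination.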
describe OUTOFOFFICE Out of the office
score OUTOFOFFICE 3
+body OUTOFOFFICE_BACK /will be back/i
+describe OUTOFOFFICE_BACK Out of the office
+score OUTOFOFFICE_BACK 3
+
# blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
describe SUBENDNUM Subject ends in word989
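Review bot: OUTOFOFFICE_BACK scores 3 for the phrase `will be back` anywhere in the body, which ordinary list mail can contain, and unlike the neighbouring rules it has no comment recording who added it or when. Its describe text is also identical to OUTOFOFFICE, so a report cannot show which of the two rules fired. I would start lower and make the text distinct, e.g. `score OUTOFOFFICE_BACK 1` and `describe OUTOFOFFICE_BACK Body says "will be back"`, with a dated author comment above the rule.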
header XJ2ID X-J2Id =~ /\d+/
describe XJ2ID fax bounce
score XJ2ID 4
+
+# blarson 2007-11-15
+header LONGWORD subject =~ /\b[\w\d]{30,}/i
+describe LONGWORD long word in subject
+score LONGWORD 2
+
+# blarson 2007-11-23
+header TESTIMONIAL subject =~ /\btestimonial/i
+describe TESTIMONIAL testimonials
+score TESTIMONIAL 2
+
+# blarson 2007-12-13
+header ITXS subject =~ /\bit\`s\b/i
+describe ITXS it`s
+score ITXS 4
+
+# blarson 2007-12-18
+rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
+describe TINYFONT tiny font specified
+score TINYFONT 3
+
+# blarson 2008-04-03
+full ZIPFILE /\bfilename\=.*\.zip\b/i
+describe ZIPFILE zipfile attachment
+score ZIPFILE 0.5
+
+# blarson 2008-04-19
+header SPACESUB subject =~ /^\s\w/
+describe SPACESUB extra space before subject
+score SPACESUB 0.5
+
+# don 2008-05-04
+header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
+describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
+score YAHOOCALENDAR 4
+
+# blarson 2008-06-03
+header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
+describe BOUNDARYID spamware boundary
+score BOUNDARYID 0.6
+
+# blarson 2008-07-02
+body GBKXWFLXF /\bgbkxwflxf\b/
+describe GBKXWFLXF gbkxwflxf
+score GBKXWFLXF 5
+
+# blarson 2008-09-07
+body LUKSUS /\bluksus\b/i
+score LUKSUS 4
+describe LUKSUS Luksus
+
+# disabled by don; was causing false positives
+# probably needs to be modified to check if it really is ironport
+# blarson 2008-09-22
+# header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
+# describe XIRONPORT claims to be ironport filtered
+# score XIRONPORT 2.5
+
+# blarson 2008-10-13
+header AUTORESPON subject =~ /Auto_response/
+describe AUTORESPON Auto_response
+score AUTORESPON 3
+
+# blarson 2008-10-28
+header XWUM x-wum-to =~ /./
+describe XWUM X-WUM-TO
+score XWUM 2
+
+# cord 2008-10-31
+# compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
+header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
+describe STATIC_RIMA_TDE static IP from rima-tde.net
+score STATIC_RIMA_TDE -5
+
+# cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
+full NABBLE /lists\@nabble\.com/
+describe NABBLE sent through nabble.com
+score NABBLE 5
+
+# don 2009-02-04
+full HTML_NBSP /(\ ){3,}/
+describe HTML_NBSP Lots of
+score HTML_NBSP 2
+
+# blarson 2009-02-19
+header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
+describe ENTIST (D)entit/(D)octor
+score ENTIST 2
+
+header THREADTOPIC thread-topic =~ /./i
+describe THREADTOPIC Has a thread topic header
+score THREADTOPIC 2
+
+# [2009-04-14 cord]
+# replacing old aol-rules from rc.spam
+
+header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
+score AOL_SPAM1 1
+
+header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
+score AOL_SPAM2 1
+
+header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
+score AOL_SPAM3 1
+
+header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
+score AOL_SPAM4 1
+
+# blarson 2009-04-15
+body WEBMAIL /\bwebmail\b/i
+describe WEBMAIL webmail
+score WEBMAIL 1
+
+# blarson 2009-04-17
+header REFNO subject =~ /\bref no\b/i
+describe REFNO Ref No
+score REFNO 2
+
+# blarson 2009-05-26
+header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
+describe INFOCOUK to info@co.uk
+score INFOCOUK 3
+
+# blarson 2009-05-27
+body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
+describe EXITAT exit@datalistsource.com
+score EXITAT 3
+
+# blarson 2009-06-05
+header TOINFO to =~ /\binfo\@/
+describe TOINFO to info@
+score TOINFO 1
+
+# don 2009-07-06
+header CONSTCONTACT X-Mailer =~ /Constant Contact/i
+describe CONSTCONTACT Mail comming from constant contact, which doesn't require double opt-in
+score CONSTCONTACT 5
+
+# blarson 2009-08-16
+meta CTBDN (CT_IMAGE && MIXEDBDN)
+describe CTBDN CT_IMAGE && MIXEDBDN
+score CTBDN 0.5
+
+# don 2009-09-22
+body NUMEMAIL /\d{3,}\s+emails?/i
+describe NUMEMAIL Mail which mentions some number of e-mail addresses
+score NUMEMAIL 2
+
+# don 2009-11-25
+header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./
+describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates
+score YAHOOCALENDAR 5
+
+# alex 2009-12-05
+header TLOTTERY subject =~ /Ticket no: [0-9]+/i
+describe TLOTTERY Lottery spam
+score TLOTTERY 3
+
+# alex 2009-12-05
+header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
+describe GLOTTERY Google Lottery spam
+score GLOTTERY 3
+
+# alex 2009-12-16
+header DOTNET subject =~ /Planning a Website Design\? Updates/
+describe DOTNET .NET Spam
+score DOTNET 3
+
+# blarson 2010-02-02
+body REMBOX /\b(?:rembo[xt]|disappear|stopping|delrem|remfiles?|exit|takemeoff|offthelist|purgefile)\s?\@/
+describe REMBOX rembox
+score REMBOX 3
+
+# formorer 2010-01-23
+header LONGTO to =~ /([\S]+, ){15,}/
+describe LONGTO very long To line
+score LONGTO 3
+
+# formorer 2010-01-25
+header VAULAS subject =~ /cursos video aulas video/i
+describe VAULAS some spanish video spam
+score VAULAS 3
+
+# blarson 2010-01-28
+header FROMWWW from =~ /\bwww\./i
+describe FROMWWW from www.whatever
+score FROMWWW 3
+
+# blarson 2010-02-16
+header FROMCASINO from =~ /\bcasino/i
+describe FROMCASINO from casino
+score FROMCASINO 3
+
+# don 2010-06-10
+header CTOCTET_STREAM Content-Type =~ /octet-stream/i
+describe CTOCTET_STREAM Content type is octet-stream
+score CTOCTET_STREAM 0.5
+
+full RTF_ATTACH /^Content-Disposition:.+name=.+\.(rtf|doc)/i
+describe RTF_ATTACH Contains an RTF or DOC Attachment
+score RTF_ATTACH 2
+
+meta RTF_SPAM CTOCTET_STREAM && RTF_ATTACH
+describe RTF_SPAM Content type is octet-stream and has an RTF Attachment
+score RTF_SPAM 3
+
+# blarson 2010-10-11
+header WORDDIGDIG subject =~ /^\w{3,}\s+\d\s\d\s*$/
+describe WORDDIGDIG Word digit digit subject
+score WORDDIGDIG 3
+
+# don 2011-06-06
+header BRACE_SUBJECT Subject =~ /^\[\ [a-z0-9]{16}]\ /
+describe BRACE_SUBJECT 16 length word in braces in the subject
+score BRACE_SUBJECT 4
+
+# formorer 2011-08-12
+header COMPTESFR subject =~ /concernant Compte SFR/i
+describe COMPTESFR concernant Compte SFR
+score COMPTESFR 3
+
+# formorer 2012-02-02
+header BACKTOME subject =~ /Please get back to me/i
+describe BACKTOME Phrase get back to me
+score BACKTOME 4
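Review bot: YAHOOCALENDAR is defined twice in the added rules: the `X-Yahoo-Newman-Property` rule dated 2008-05-04 and the `X-Yahoo-Calendar-IId` rule dated 2009-11-25. As far as I know a later definition under the same name replaces the earlier header, describe and score lines, so the calendar-invite check no longer runs. Renaming the second, e.g. `header YAHOOCALENDAR_IID X-Yahoo-Calendar-IId: =~ /./` with matching describe and score lines, keeps both. In the AOL block neither AOL_SPAM2 nor AOL_SPAM3 is anchored, and `.?.?` in AOL_SPAM3 can match nothing, so AOL_SPAM3 hits every aol.com From header and AOL_SPAM2 nearly every one; if they are meant to test local-part length they need anchoring to the start of the address. The hunk may continue past the last visible line.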