# Disable most DNSBLs -- overhead to high
# blarson 2005-01-28 try reducing timeout while adding spamcop back
# blarson 2005-10-29 adding some back now we are multi-threaded
-rbl_timeout 10
+# blarson 2007-09-14
+rbl_timeout 15
+
+# blarson 2007-09-14
+loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
+uridnsbl_timeout 5
include common/common_rbl
# cjwatson, 2004-03-09: virus alert flood
blacklist_from support@vds.it
+# blarson 2007-09-16
+blacklist_from percy@mx1.eccrm.epaper.com.tw
# blarson 2004-11-08
# claiming to be amazon...
score USER_IN_DEF_WHITELIST 0.5
+
+# blarson 2007-09-13
+# up this one a bit
+score INVALID_MSGID 3
+
+# blarson 2007-09-15
+score UNPARSEABLE_RELAY 1
# blarson 2004-11-20
header RCVD_IN_SBLXBL eval:check_rbl('SBLXBL', 'sbl-xbl.spamhaus.org')
describe RCVD_IN_SBLXBL listed in spamhaus.org sbl-xbl
+tflags RCVD_IN_SBLXBL net
# blarson 2005-01-28 see which return part 2005-02-26 ajust scores
-score RCVD_IN_SBLXBL 1
+score RCVD_IN_SBLXBL 2
header RCVD_IN_SBLXBL_SBL eval:check_rbl_sub('SBLXBL', '127.0.0.2')
-score RCVD_IN_SBLXBL_SBL 2
+score RCVD_IN_SBLXBL_SBL 1.5
header RCVD_IN_SBLXBL_CBL eval:check_rbl_sub('SBLXBL', '127.0.0.4')
score RCVD_IN_SBLXBL_CBL 1
header RCVD_IN_SBLXBL_5 eval:check_rbl_sub('SBLXBL', '127.0.0.5')
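Review bot: Raising `RCVD_IN_SBLXBL` to 2 stacks with the sub-rules, because the parent lookup is itself a scored rule: an SBL hit now totals 3.5 and a CBL hit 3. The `'SBLXBL'` set is checked against every untrusted relay in the Received chain, and CBL entries are largely compromised end-user addresses, so legitimate mail submitted from a listed address through an ISP smarthost takes the full penalty. Limiting the CBL test to the last external relay (the `-lastexternal` set-name suffix) would avoid that. The added `tflags RCVD_IN_SBLXBL net` is also not mirrored on the three `check_rbl_sub` rules, and `RCVD_IN_SBLXBL_5` has no `describe` or `score` in the visible lines, though they may sit outside the hunk.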
describe DRUGSPAM3 yet more drugs
score DRUGSPAM3 1.5
-body MURPHY_DRUGS1 /v.?i.?a.?g.?r.?a/i
+# blarson 2007-09-13
+body MURPHY_DRUGS1 /\bv.?i.?a.?g.?r.?a\b/i
describe MURPHY_DRUGS1 Viagra
-score MURPHY_DRUGS1 0.5
+score MURPHY_DRUGS1 1.5
body MURPHY_DRUGS2 /v.?i.?o.?x/i
describe MURPHY_DRUGS2 Viox
describe MED medical spam
score MED 2
-# blarson 2006-09-25
-body HOODIA /\bh.?oodia/i
+# blarson 2006-09-25 2007-09-18
+body HOODIA /\bh.?oo+dia/i
describe HOODIA weight loss scam
score HOODIA 3
# blarson 2007-09-12
body PILLS /\bx\s+\d+\s+pills\b/
describe PILLS pills spam
-score PILLS 3
+score PILLS 3.5
+
+# blarson 2007-09-13
+body PFIZER /\bPfizer\b/i
+describe PFIZER Pfizer
+score PFIZER 2
+
+# blarson 2007-09-19
+body WONDERCUM /\bwondercum\b/i
+describe WONDERCUM more drug spam
+score WONDERCUM 4
+
+# blarson 2007-09-21
+body DRUGSTORE /\bdrug store\b/i
+describe DRUGSTORE drug store
+score DRUGSTORE 3
describe COMPANYSYMBOLPRICE Stock scam
score COMPANYSYMBOLPRICE 3
+full COMPANYSYMBOLPRICE2 /(^(company|symb?o?l?|price|cost|marke?t)\:\s+.+\n){2,}/mi
+describe COMPANYSYMBOLPRICE2 Stock scam left column 2
+score COMPANYSYMBOLPRICE2 3
+
# blarson 2007-04-09
body PRETTYRUS /\b(pretty|cute) russian (girl|woman)\b/i
describe PRETTYRUS pretty russian spam
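Review bot: COMPANYSYMBOLPRICE2 is a `full` rule, so the regex runs over the raw message before MIME decoding: headers and every attachment are scanned, and a base64 or quoted-printable body will not match. If multi-line matching on decoded text is available in the deployed version, `rawbody` is the cheaper and more accurate type. Inside the pattern `\s+` also matches newlines, so a label followed by a blank line and any later text counts as a hit. I would narrow it to `full COMPANYSYMBOLPRICE2 /(?:^(?:company|symb?o?l?|price|cost|marke?t):[ \t]+.+\n){2,}/mi`. The rule also has no dated author comment like its neighbours.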
describe ANALLE stock spam in german
score ANALLE 3
-# blarson 2007-06-17 2007-09-10
-body REPWATCH2 /\breplica watch/i
+# blarson 2007-06-17 2007-09-21
+body REPWATCH2 /\breplica (?:watch|timepiece)/i
describe REPWATCH2 still pushing fake watches
score REPWATCH2 3.5
describe REFI mortgage spam
score REFI 2
+# don 2007-09-21
+body BIGMONEY /(b|tr|m|z)[i1][l1]+[i1][0o]n\s+(d[o0][l1]+ar|yen|buck|pound|euro)/i
+describe BIGMONEY Money money money money!
+score BIGMONEY 1.5
+
+
describe MESSAGESUB really descriptive subject
score MESSAGESUB 3
-# blarson 2006-03-16 2007-09-11
-body DEARDIGIT /^(?:well\s+)?(?:Dear|Hey|H[ea]y?ll?.?o|To|Attention|Hi+|Hey+a?|Bonjorno|Yo|(?:g[o0]+d\s*)?(?:d?ay|morning|evening?|afternoon|night)|what.?i?s\s+up|wa(?:s|z)+up|greetings?|Salutations|(Mail|News)\s+to|how(?:.?s|\s+is)?\s*(?:(?:it)?(?:\s+is)??\s*going|have\s+you\s+been|are you).?\s*(?:there|to\s+you)?)\,?\s+(?:Account\s+\#?|\=?3d|)(?:bro\s+)?\d{3,}/i
+# don 2007-09-20
+header SENTMESSAGE subject =~ /(sent you a( personal|) message|would like to chat)/i
+describe SENTMESSAGE Sent you a message (like duh?)
+score SENTMESSAGE 2
+
+# blarson 2006-03-16 2007-09-18
+body DEARDIGIT /^(?:well\s+)?(?:Dear|Hey|H[ea]y?ll?.?o|To|Attention|Hi+|Hey+a?|Bonjorno|(?:Yo\s*)+|(?:g[o0]+d\s*)?(?:d?ay|morning|evening?|afternoon|night)|what.?i?s\s+up|wa(?:s|z)+up|greetings?|Salutations|(Mail|News)\s+to|how(?:.?s|\s+is)?\s*(?:(?:it)?(?:\s+is)??\s*going|have\s+you\s+been|are you).?\s*(?:there|to\s+you)?|compliments|Regards|Adieu)\,?\s+(?:Account\s+\#?|\=?3d|)(?:bro|there|sir|Mr\.?)\s*?\d{3,}/i
describe DEARDIGIT Dear number
score DEARDIGIT 3.9
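Review bot: The rewritten DEARDIGIT no longer matches its original target, because the old optional `(?:bro\s+)?` became a mandatory `(?:bro|there|sir|Mr\.?)`. A greeting followed directly by digits ("Dear 123456", "Hello Account #12345") now falls through, and only forms such as "Dear sir 12345" hit. Restoring the optional group keeps both: `(?:(?:bro|there|sir|Mr\.?)\s*)?\d{3,}` in place of `(?:bro|there|sir|Mr\.?)\s*?\d{3,}`. With a score of 3.9 on this rule, the regression silently removes most of its coverage.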
describe ACRO8PR0 sales spam
score ACRO8PR0 4
-# blarson 2007-09-11
-body WBRS /\b(WBRS|FPMC|ADYN|AFML|MISJ|HXPN|WHKA|CBFE|HSBC|PCAI|MPRG|HPRS|AUNI|TGVI|MHII|TAMG|GDKI|ACEN|CDYV|G7Q\.F|mbwc|CHFR|CDPN|DSDI|UTEV|P-S-U-D|GPSI|SGXI|CAON|SREA|ERMX|VPSN|SZSN|PAYI\.OB|LTDI|C\W\W?Y\W\W?T\W\W?V|E\WX\WM\WT|CYTV|VGPM|V\s?G\s?P\s?M(\.PK)?|wwng|WWNG)\b/
+# blarson 2007-09-15
+body WBRS /\b(WBRS|FPMC|ADYN|AFML|MISJ|HXPN|WHKA|CBFE|HSBC|PCAI|MPRG|HPRS|AUNI|TGVI|MHII|TAMG|GDKI|ACEN|CDYV|G7Q\.F|mbwc|CHFR|CDPN|DSDI|UTEV|P-S-U-D|GPSI|SGXI|CAON|SREA|ERMX|VPSN|SZSN|PAYI\.OB|LTDI|C\W\W?Y\W\W?T\W\W?V|E\WX\WM\WT|CYTV|VGPM|V\s?G\s?P\s?M(\.PK)?|wwng|WWNG|F\WD\WE\WG|FDEG|UTYW|M\s*I\s*H\s*I|O\W?N\W?C\W?O|P\W?P\W?Y\W?H)\b/
describe WBRS stock spam
score WBRS 4
+body FOURLA /\b([A-Z]\s?){4}\b/
+describe FOURLA Four letter acronym (stock spam?)
+score FOURLA 1
+
# blarson 2007-01-26
header ACROBAT8 subject =~ /\badobe acr[o0]bat 8\b/i
describe ACROBAT8 more sales spam
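Review bot: FOURLA matches any token of four capitals, and also two adjacent two-letter capitals, so ordinary acronyms such as HTTP, HTML or ISBN score a point in legitimate mail. Almost every ticker in the WBRS alternation is itself four capitals, so a WBRS hit now effectively scores 4 + 1. If that stacking is intended, a comment would make it explicit, e.g. `# FOURLA also fires on every four-capital WBRS ticker (total 5)`. Otherwise it would be safer as an unscored `__FOURLA` sub-rule used only in a `meta` alongside another stock-spam indicator. FOURLA also lacks the dated author comment the other rules carry.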
describe DELAFT more pdf spam
score DELAFT 3
+# blarson 2007-09-13
+header OFF1CE subject =~ /\b[O0]ff[1i]ce 2[O0][O0]7\b/i
+describe OFF1CE off1ce spam
+score OFF1CE 4
+
+# blarson 2007-09-13
+header SOFTSALE subject =~ /\bsoftware sales\b/i
+describe SOFTSALE software spam
+score SOFTSALE 3
+
+# blarson 2007-09-18
+body SUPERMACHO /\bBe a supermacho/i
+describe SUPERMACHO supermacho
+score SUPERMACHO 4
+
+# blarson 2007-09-19
+body BIGINTER /\bBig international commercial organization\b/i
+describe BIGINTER job spam
+score BIGINTER 4
+
+# blarson 2007-09-20
+header HASSENT subject =~ /\b(?:sent you a (?:personal|confidential)?\s*(?:message|note)|would like to chat)\b/i
+describe HASSENT sent a message
+score HASSENT 4
+
+# blarson 2007-09-20
+header ORDERNUM subject =~ /\b(?:Order|Recipet)\s*.?\d{3,}/i
+describe ORDERNUM order number
+score ORDERNUM 3
+
+# don 2007-09-20
+header DICTIONARYSEQ subject =~ /\b(\w{3})\w*(?:\s+\1\w*){2}/i
+describe DICTIONARYSEQ Ventricular Vents Venting Ventures
+score DICTIONARYSEQ 3.5
+
+# blarson 2007-09-21
+header NOLET subject =~ /^\W{4,}$/
+describe NOLET swearing subject
+score NOLET 2
+
+# blarson 2007-09-21
+body SSIST /^ssistant Manager/
+describe SSIST ssistant Manager
+score SSIST 4
+
+# blarson 2007-09-21
+body GRADUATEUNDER /\bgraduate in under\b/i
+describe GRADUATEUNDER graduate in under
+score GRADUATEUNDER 3
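Review bot: HASSENT duplicates SENTMESSAGE, which this same diff adds above DEARDIGIT: both fire on "sent you a message", "sent you a personal message" and "would like to chat". Such a subject therefore collects 2 + 4 = 6 points from one phrase, which is above SpamAssassin's default threshold of 5 if this site has not changed it. The same wording was common in legitimate social-site notifications, so the double count is a false-positive risk. Keeping only the stricter rule avoids it: drop the three SENTMESSAGE lines or set `score SENTMESSAGE 0`.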
describe BESTLOANS Best loans url
score BESTLOANS 2
-# blarson 2007-07-22 2007-09-11
-body PENPRO /\@(?:penmailpro|OnsetIng|openprotection)\.info\b/i
+# blarson 2007-07-22 2007-09-12
+body PENPRO /\@(?:penmailpro|OnsetIng|openprotection|NearOut)\.info\b/i
describe PENPRO penmailpro spam
score PENPRO 3.5
body EMAGX /\bhttp\:\/\/emagx\.net\b/i
describe EMAGX wondercum spammer
score EMAGX 3.5
+
+# blarson 2007-09-13
+body FREENFL /\bhttp\:\/\/freeNFLtracker\.com\b/i
+describe FREENFL nfl spam
+score FREENFL 3
+
+# blarson 2007-09-13
+body SPAMARREST /\bhttp\:\/\/www\.spamarrest\.com\b/
+describe SPAMARREST forwards thier spam problem
+score SPAMARREST 4
+
+# blarson 2007-09-14
+body FROMAD /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe)\.com\b/i
+describe FROMAD more penis spam
+score FROMAD 4
+
+# blarson 2007-09-14
+uridnsbl URIBL_CNKR cn-kr.blackholes.us. A
+body URIBL_CNKR eval:check_uridnsbl('URIBL_CNKR')
+describe URIBL_CNKR china or korea hosted web site
+tflags URIBL_CNKR net
+score URIBL_CNKR 2.5
+
+# blarson 2007-09-14
+uridnsbl_skip_domain debian.org debian.net
+
+# blarson 2007-09-14
+uridnsbl URIBL_SBL sbl.spamhaus.org. A
+body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
+describe URIBL_SBL Contains an URL listed in the SBL blocklist
+tflags URIBL_SBL net
+#reuse URIBL_SBL
+score URIBL_SBL 3.5
+
+# blarson 2007-09-17
+body MYCHEAP /\b(?:my)?cheap(?:oem|soft)(?:now)?\s*\.\s*com\b/i
+describe MYCHEAP software spam
+score MYCHEAP 4
+
+# blarson 2007-09-16
+body WWWRU /\b(?:www\.|https?\:.*)\w+\.ru\b/i
+describe WWWRU russian web site
+score WWWRU 2
+
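Review bot: FREENFL, SPAMARREST, FROMAD, MYCHEAP and WWWRU match URLs with `body` rules, which run on the rendered text, so a link that exists only in an HTML `href` is never seen. The `uri` rule type tests the extracted links instead. In WWWRU the `https?\:.*` branch is not tied to the host: any paragraph with a URL followed later by a token ending in `.ru`, such as an e-mail address, matches, and the greedy `.*` backtracks across the paragraph. I would write it as `uri WWWRU /^https?:\/\/[^\/?#]+\.ru(?:[:\/?#]|$)/i` and convert the other four the same way. Both `uridnsbl` zones are third-party services, so a comment recording who checks that they still answer correctly would help whoever maintains these scores later.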