@LuisCardenasSolis
Last active July 7, 2023 23:16
Custom rule for spamassassin
#WHITELIST
# whitelist_from only inspects the (forgeable) From: header. For senders that publish SPF or DKIM,
# whitelist_auth gives the same -100 score but only when the sender actually authenticates.
# SpamAssassin 4.x renames these to welcomelist_from / blocklist_from; the old names still work.
whitelist_from *@perulinux.pe
whitelist_from *@bcp.com.pe
whitelist_from *@scotiabank.com.pe
whitelist_from *@verisure.pe
whitelist_from *@telefonica.com
whitelist_from *@munlima.gob.pe
whitelist_from *@alignet.com
whitelist_from *@pay-me.com
whitelist_from *@perutributario.com.pe
whitelist_from *@banbif.com.pe
whitelist_from *@acepta.pe
whitelist_from *@hubspot.com
whitelist_from *@godaddy.com
whitelist_from *@ttr-group.de
whitelist_from *@gestion.pe
whitelist_from *@grupobbva.com.pe
#BLACKLIST
blacklist_from *@antojoscaseros.com
blacklist_from *@antryx.net.pe
blacklist_from *@babilima.com
blacklist_from *@binexi.com
blacklist_from *@bisonmarkets.com
blacklist_from *@cartrackgps.net
blacklist_from *@casonamollepata.com
blacklist_from *@chopscarnesyparrillas.com
blacklist_from *@classicoqatar.com
blacklist_from *@cmail19.com
blacklist_from *@cmail20.com
blacklist_from *@contadoresyperitos.com
blacklist_from *@creativaemailmarketing.com
blacklist_from *@dekorimeks.com
blacklist_from *@dsite.net
blacklist_from *@dynforms.com
# full address, not a domain glob (a "*@user@domain" pattern can never match)
blacklist_from e.arellanos@municallao.gob.pe
blacklist_from *@emark4.embluejet.com
blacklist_from *@emark9.embluejet.com
blacklist_from *@eurasianstudies.org
blacklist_from *@expoeverything.org
blacklist_from *@flkta.com
blacklist_from *@forward.net.pe
blacklist_from *@grupocreativorom.com
blacklist_from *@gwoo.com
blacklist_from *@hanazza.com
blacklist_from *@housesecurity-peru.com
blacklist_from *@hydroinex.com
blacklist_from *@kbdf.net
blacklist_from *@lapzil.com
blacklist_from *@lokring.net
blacklist_from *@ma.edestinos.com.pe
blacklist_from *@mailer2.gacetajuridica.com.pe
blacklist_from *@maximixe.com
blacklist_from *@mcdanielsco.com
blacklist_from *@md-line.com
blacklist_from *@newsletter.panuts.com
blacklist_from *@niyoshi-david.com
blacklist_from *@ommunity.3ds.com
blacklist_from *@php1.housesecurity-peru.com
blacklist_from *@php1.mcdanielsco.com
blacklist_from *@php2.housesecurity-peru.com
blacklist_from *@principal-goal.com
blacklist_from *@realityturn.com
blacklist_from *@record.shopingcenter.co
blacklist_from *@remsp.com
blacklist_from *@riadealvor.org
blacklist_from *@rumtoler.com
blacklist_from *@sendpulse.info
blacklist_from *@servicioscalidad.com
blacklist_from *@sfk-security.com
blacklist_from *@sofarelli.com
blacklist_from *@southernriver.org
blacklist_from *@sparelec.com
blacklist_from *@trytdd.org
blacklist_from *@vardell.org
blacklist_from *@vatran.net
blacklist_from *@youcanweb.net
blacklist_from *@bencresners.com
blacklist_from *@administrator.com
blacklist_from *@one-email.com
blacklist_from *@realsystems.com.pe
blacklist_from *@clubsatlanta.com
blacklist_from *@dunapanel.com
blacklist_from *@t-online.de
blacklist_from *@pappaya.com
blacklist_from *@fgjcdmx.gob.mx
blacklist_from *@*factu0id991.org
blacklist_from *@*minster9766.org
blacklist_from *@*factu04.*
blacklist_from *@*fact093.com
blacklist_from *@*.fact*.com
blacklist_from *@dyd.gov.bd
blacklist_from *@gestao.cosmake.com.pt
blacklist_from *@teleportstation.ga
blacklist_from dtfteetrs6@gmail.com
blacklist_from *@soolrange.ga
blacklist_from *@f-yax.info
blacklist_from *@moriaa.com
blacklist_from *@*.bissmex.win
blacklist_from *@*.wwwshiraz.com
blacklist_from *@lmv.com.co
blacklist_from *@pakdisasterfoundation.org
blacklist_from *@accesofinanciero.com
blacklist_from *@austrelis-sa.com
blacklist_from *@funcionpublica.com
blacklist_from *@e.anntaylorfactory.com
blacklist_from sgogob@gmail.com
blacklist_from *@testcontrol.com.pe
blacklist_from *@mail.promart-agora.pe
blacklist_from *@maxwellleadership.com
blacklist_from *@emails.skechers.com
blacklist_from *@mail.oechsle-agora.pe
blacklist_from *@e.loftoutlet.com
blacklist_from citas@sunat.gob.pe
blacklist_from noreply@volvo.com
blacklist_from *@cfeaccesofinanciero.com
header BLOCK_MESSAGE_PHISHING subject =~ /(atacado por piratas|fotos de la orden|tienes correos entrantes pendientes|todos los datos de su dispositivo fueron copiados|Suspension Notification|Important Notice|password update|Exceeded Storage|Mail Delivery Notification|Todos sus datos fueron copiados|FONDO BENEFICIARIO|Actualiza tu cuenta|Verifique su correo|Advertencia de servicio|caducidad de la contrasena|participa y gana un|Password Expiry|Pending emails|Incoming failed mails|Verification Notice|Neftlix est.*de cancel|Alerta de servicio de contrase|Action Required|Resolucion de Archivo Provisional)/i
describe BLOCK_MESSAGE_PHISHING Subject lines used in phishing (Spanish and English)
score BLOCK_MESSAGE_PHISHING 15.0
body PHISHING_BODY /(Su sistema ha sido hackeado|billetera.*bitcoin|monedero.*bitcoin|Comprar.*bitcoins|BANQUE ATLANTIQUE INTERNATIONAL|su cuenta ha caducado|devbhumiexpress|tiene.*para recuperar .* correo|haga clic.* para.*(?:correo|actualiz)|cuenta.*acaba de expirar|password.*expire|no puede recibir nuevos mensajes|continuar usando su.*correo.*confirme|You.*Incoming.*(?:email|message)|Mi difunto esposo|Emails will be deleted automatically|(?:cuenta|correo).*verific.*actualiz|you.*account.*suspended|su (?:cuenta|correo|membres.*) se suspender.*completar|account.*need.*update now|Verifique la propiedad de la cuenta)/i
describe PHISHING_BODY Phishing in message body
score PHISHING_BODY 10.0
# ALL matches every header, so VERP bounce addresses in Return-Path or List-* headers of legitimate
# mailing lists hit as well; that is why the score is kept low.
header BLOCK_BOUNCE_SPAM ALL =~ /bounce.*\@|\@.*bounce|noreply.*\@|no-reply.*\@/i
describe BLOCK_BOUNCE_SPAM Spam disguised as a bounce or noreply message
score BLOCK_BOUNCE_SPAM 1.5
header BLOCK_INFO_SPAM From =~ /info\@|marketing\@|newsletter\@|root\@|boletin\@/i
describe BLOCK_INFO_SPAM Generic role mailbox as sender (info@, marketing@, newsletter@, root@, boletin@)
score BLOCK_INFO_SPAM 1.2
header BLOCK_LARGE_EMAIL From =~ /[A-Z0-9._%+-]{35,}\@/i
describe BLOCK_LARGE_EMAIL Local part of the From address is 35 characters or longer
score BLOCK_LARGE_EMAIL 0.5
# Matches "vps" anywhere in any Received header (hostnames such as vps1234.provider.example),
# so legitimate senders on VPS hosting collect these 3.5 points too.
header VPS_SPAMER Received =~ /vps/i
describe VPS_SPAMER Received from a host whose name contains "vps"
score VPS_SPAMER 3.5
header LOCK_SPAMERS Received =~ /(housesecurity\-peru\.com|orbitta\.es|constantcontact\.com|rsgsv\.net|mcdlv\.net|email\-platform\.com|iniciarsesionmsn\.com|hubspotemail\.net|mercadolibre\.com|costcoventasonline|llonesdemasaje|cercontrh\.com|usinacrh\.com)/i
describe LOCK_SPAMERS Received chain contains a known spam relay domain
score LOCK_SPAMERS 10.0
# Attachment filenames live in MIME part headers, which "header ... ALL" never sees (ALL is the
# top-level message headers only). mimeheader, from the MIMEHeader plugin enabled in the stock
# .pre files, matches against the part headers.
mimeheader ATTACHMENT_HTML Content-Disposition =~ /filename="?[^";]*\.html?\b/i
describe ATTACHMENT_HTML Message carries an HTML attachment
score ATTACHMENT_HTML 8.0
header MAILING_LIST_UNSUBSCRIBE List-Unsubscribe =~ /subscribe/i
describe MAILING_LIST_UNSUBSCRIBE List-Unsubscribe header present (newsletter or bulk mail)
score MAILING_LIST_UNSUBSCRIBE 1.8
header NOT_TO_RECIPIENT To =~ /undisclosed-recipient/i
describe NOT_TO_RECIPIENT No real recipient in To: (undisclosed-recipients)
score NOT_TO_RECIPIENT 10.0
uri PHISHING_URL /\.host\.secureserver\.net|ipfs\.io|api\.whatsapp\.com|cloudapp\.azure\.com|amplifyapp\.com/
describe PHISHING_URL Body links to a blocked hosting or redirector domain
score PHISHING_URL 10.0
# Any Received line mentioning one of these hosts earns -10; shared platforms such as salesforce.com
# relay for many customers, so this is a broad exemption.
header SERVERS_WHITELIST Received =~ /(mail\.ondemand\.com|mta\.info\.latam\.com|\.zoom\.us|\.id\.hp\.com|salesforce\.com|\.bizagi\.com|\.bbva\.com\.pe)/i
describe SERVERS_WHITELIST Trusted relay servers
score SERVERS_WHITELIST -10.0
# Sender: is an unauthenticated header, so this -10 rests on it being honest; combining it with
# DKIM_VALID_AU in a meta rule would limit the exemption to signed mail.
header CALENDAR_GOOGLE Sender =~ /calendar-notification\@google\.com/i
describe CALENDAR_GOOGLE Google Calendar notification
score CALENDAR_GOOGLE -10.0
#BYPASS OFFICE SPLIT DOMAIN
# Replace DOMAIN with your own domain. The Received check only shows the mail passed through some
# Microsoft 365 tenant; unlike the GSuite block below it does not require an SPF pass.
header __DOMAIN_OFFICE_FROM From =~ /\@DOMAIN\.com\.pe/i
header __SERVER_OFFICE Received =~ /\.outbound\.protection\.outlook\.com/i
meta BYPASS_DOMAIN_OFFICE ( __DOMAIN_OFFICE_FROM && __SERVER_OFFICE )
score BYPASS_DOMAIN_OFFICE -20.0
#BYPASS GSUITE SPLIT DOMAIN
# Replace DOMAIN with your own domain; /\@DOMAIN\.com/ also matches DOMAIN.com.pe and similar.
header __DOMAIN_GSUITE_FROM From =~ /\@DOMAIN\.com/i
header __SERVER_GSUITE Received =~ /\.google\.com/i
header __SPF_GSUITE Received-SPF =~ /pass/
meta BYPASS_GSUITE ( __DOMAIN_GSUITE_FROM && __SERVER_GSUITE && __SPF_GSUITE)
score BYPASS_GSUITE -20.0
#RESTRICT
score HEADER_FROM_DIFFERENT_DOMAINS 3.0
score BAYES_00 0 0 -0.4 -0.8
# URI
# RCVD_IN_DNSWL_HI is set again, with the same value, in the DNSWL block below, and the SPF block
# below re-scores USER_IN_DEF_SPF_WL to -1.0: the last score line for a rule wins.
score RCVD_IN_DNSWL_HI 0 -0.5 0 -0.5
score USER_IN_DEF_SPF_WL -0.7
score URI_GOOGLE_PROXY 0.8 0.5 0.8 0.5
# DNSWL
score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
score RCVD_IN_DNSWL_MED 0 -0.3 0 -0.3
score RCVD_IN_DNSWL_HI 0 -0.5 0 -0.5
score RCVD_IN_DNSWL_BLOCKED 0 0.001 0 0.001
# IADB
score RCVD_IN_IADB_VOUCHED 0 -0.2 0 -0.2
score RCVD_IN_IADB_DOPTIN 0 -0.4 0 -0.4
score RCVD_IN_IADB_ML_DOPTIN 0 -0.6 0 -0.6
score RCVD_IN_IADB_OPTIN 0 -0.4 0 -0.4
#SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
score USER_IN_DEF_SPF_WL -1.0
endif # Mail::SpamAssassin::Plugin::SPF
#DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
score USER_IN_DEF_DKIM_WL -1.0
endif # Mail::SpamAssassin::Plugin::DKIM
#emailthiefurls.cf (Zimbra 0 day 03-02-2022)
uri EMAILTHIEF_URI /www\.newsonline\.gq|mx\.newsonline\.gq|www\.spiritx\.ga|support\.newsonline\.gq|www\.thunderchannel\.tk|shadownight\.playquicksand\.tk|www\.windsoft\.cf|tigerstrike\.iceywindflow\.ml|shadowmaster\.iceywindflow\.ml|www\.iceywindflow\.gq|chargedboltsentry\.spiritfield\.tk|newsonline\.gq|spiritx\.ga|secretstep\.tk|spiritfield\.ga|www\.news-voice\.ml|www\.findtruth\.ml|news-online\.ml|iceywindflow\.gq|playquicksand\.tk|windsoft\.cf|findtruth\.ml|iceywindflow\.ml|news-voice\.ml|bruising-intellect\.ml|thunderchannel\.tk|spiritfield\.ml|iceywindflow\.cf|thunderchannel\.cf|spiritfield\.tk|update\.secretstep\.tk|mail\.bruising-intellect\.ml|www\.news-online\.ml|www\.thunderchannel\.cf|www\.spiritfield\.ga|winderosion\.spiritfield\.ml|flameshock\.spiritfield\.tk|windsource\.thunderchannel\.cf|yahoo-movie\.spiritx\.ga|windsource\.thunderchannel\.tk|opticaleel\.iceywindflow\.cf|shadownight\.spiritfield\.ga|www\.yahoo-corporation\.ml|amazon-check\.gq|amazon-team\.tk|yahoo-corporation\.ml|playquicksand\.gq|yahoo-corporation\.tk|playquicksand\.cf|spiritfield\.cf|amazon-check\.ga|amazon-check\.cf|amazon-check\.tk|playquicksand\.ml|www\.playquicksand\.cf|www\.amazon-check\.ga|www\.playquicksand\.gq/
describe EMAILTHIEF_URI Body links to a domain used in the EmailThief (Zimbra) campaign
score EMAILTHIEF_URI 6.0
header EMAILTHIEF_IP Received =~ /(206\.166\.251\.141|206\.166\.251\.166|108\.160\.133\.32|172\.86\.75\.158)/i
describe EMAILTHIEF_IP Received from an IP used in the EmailThief (Zimbra) campaign
score EMAILTHIEF_IP 10.0
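The rule file above is plain SpamAssassin configuration, and nothing on the page shows how header, body, uri and meta rules combine into a verdict. The evaluator below is an added example, not part of the gist and not SpamAssassin's own code: it implements a toy subset of the rule syntax (header/body/uri/meta/score lines plus blacklist_from, with Perl `/regex/flags` mapped onto Python `re`) and scores two constructed messages against a cut-down copy of the rules above. The domain `example.com.pe` stands in for the gist's `DOMAIN` placeholder; `spam-sender.example`, the message texts and the 203.0.113.10 address are made up. Plugins, ifplugin blocks, DNS lists, Bayes and score-set selection are out of scope.

```python
# Toy evaluator for a subset of SpamAssassin's local.cf syntax (added example, not part
# of the gist): header/body/uri/meta/score rules plus blacklist_from, scored offline.
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from fnmatch import fnmatch

RULE_LINE = re.compile(r"^(header|body|uri)\s+(\S+)\s+(?:(\S+)\s+=~\s+)?/(.*)/([a-z]*)$")
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}

def parse_rules(text):
    """Return (rules, scores, blacklist) from rule text; unsupported directives raise."""
    rules, scores, blacklist = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "describe ")):  # describe = documentation only
            continue
        kind, _, rest = line.partition(" ")
        if kind == "blacklist_from":
            blacklist.append(rest.strip().lower())
        elif kind == "score":  # 4-value lines: keep the last value (Bayes + network set)
            name, *values = rest.split()
            scores[name] = float(values[-1])
        elif kind == "meta":
            name, expr = rest.split(None, 1)
            rules[name] = {"type": "meta", "expr": expr}
        else:
            m = RULE_LINE.match(line)
            if not m:
                raise ValueError(f"cannot parse rule: {line}")
            kind, name, hdr, pattern, flags = m.groups()
            f = sum(FLAGS[c] for c in flags)  # distinct bits, so sum == bitwise or
            rules[name] = {"type": kind, "header": hdr, "re": re.compile(pattern, f)}
    return rules, scores, blacklist

def meta_fires(expr, hits):  # e.g. "( __A && !__B )" evaluated against the fired sub-rules
    if not re.fullmatch(r"[\w\s()&|!]+", expr):
        raise ValueError(f"unsupported meta expression: {expr}")
    py = re.sub(r"\b\w+\b", lambda m: str(m.group() in hits), expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    return bool(eval(py, {"__builtins__": {}}))  # only True/False/and/or/not/parens remain

def score_message(raw, rules_text):
    """Return (total, {rule: score}) for the RFC 5322 message text in `raw`."""
    rules, scores, blacklist = parse_rules(rules_text)
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    uris = re.findall(r"https?://[^\s<>\"']+", body_text)
    all_headers = "\n".join(f"{k}: {v}" for k, v in msg.items())  # what SA's ALL sees
    hits = set()
    for name, rule in rules.items():
        if rule["type"] == "header":
            hay = all_headers if rule["header"] == "ALL" else "\n".join(msg.get_all(rule["header"], []))
            fired = rule["re"].search(hay)
        elif rule["type"] == "body":
            fired = rule["re"].search(body_text)
        elif rule["type"] == "uri":
            fired = any(rule["re"].search(u) for u in uris)
        else:
            continue  # meta rules are resolved once every sub-rule is known
        if fired:
            hits.add(name)
    hits |= {n for n, r in rules.items() if r["type"] == "meta" and meta_fires(r["expr"], hits)}
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if any(fnmatch(sender, pat) for pat in blacklist):
        hits.add("USER_IN_BLACKLIST")  # SpamAssassin scores blacklist_from hits at a fixed 100
    # "__" sub-rules never score on their own; a rule without a score line defaults to 1.0
    scored = {n: scores.get(n, 100.0 if n == "USER_IN_BLACKLIST" else 1.0)
              for n in hits if not n.startswith("__")}
    return sum(scored.values()), scored

# Constructed rule set in the gist's style; example.com.pe stands in for its DOMAIN placeholder.
RULES = r"""
header BLOCK_MESSAGE_PHISHING subject =~ /(Password Expiry|Action Required)/i
score BLOCK_MESSAGE_PHISHING 15.0
body PHISHING_BODY /(you.*account.*suspended|password.*expire)/i
score PHISHING_BODY 10.0
uri PHISHING_URL /ipfs\.io|amplifyapp\.com/
score PHISHING_URL 10.0
header __DOMAIN_OFFICE_FROM From =~ /\@example\.com\.pe/i
header __SERVER_OFFICE Received =~ /\.outbound\.protection\.outlook\.com/i
meta BYPASS_DOMAIN_OFFICE ( __DOMAIN_OFFICE_FROM && __SERVER_OFFICE )
score BYPASS_DOMAIN_OFFICE -20.0
blacklist_from *@spam-sender.example
"""
# Constructed sample messages (made-up sender domain and 203.0.113.10 documentation address).
PHISHING_MSG = """From: IT Helpdesk <support@spam-sender.example>
Subject: Action Required: Password Expiry

Your password will expire today; update it now: https://verify-mail.amplifyapp.com/login
"""
LEGIT_MSG = """Received: from mail.outbound.protection.outlook.com ([203.0.113.10])
From: Finance <alerts@example.com.pe>
Subject: Action Required: approve the invoice batch

Please approve the batch in the portal before Friday.
"""
if __name__ == "__main__":
    print(score_message(PHISHING_MSG, RULES), score_message(LEGIT_MSG, RULES))
```

The phishing sample scores +135 (subject, body, URL and blacklist hits); the internal sample scores -5, because the 15-point subject hit on "Action Required" is cancelled by BYPASS_DOMAIN_OFFICE. That second result is also the caveat: the bypass only needs a From: in the domain plus a Received: line mentioning outbound.protection.outlook.com, which any Microsoft 365 tenant can produce, so tying it to an SPF or DKIM pass, as BYPASS_GSUITE does, is the safer shape. For the real rule file, `spamassassin --lint` checks the syntax and `spamassassin -t < message.eml` shows which rules fire on a saved message.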