jult/jbt-rules.cf

## jbt-rules.cf
# Put this file under /etc/spamassassin/ and run an sa-update or reload amavis etc.
#
#--------------------------------------------------
# The only RBL I trust, UCEPROTECT1 (single IP, not IP-ranges or entire ISPs) http://uceprotect.net
#--------------------------------------------------
header          RCVD_IN_UCEPROTECT1     eval:check_rbl_txt('uceprotect1', 'dnsbl-1.uceprotect.net')
describe        RCVD_IN_UCEPROTECT1     Listed in dnsbl-1.uceprotect.net
tflags          RCVD_IN_UCEPROTECT1     net
score           RCVD_IN_UCEPROTECT1     1.8

#--------------------------------------------------
# top level domain matching, and no, not Russia or China; In 2022 I got the absolute most spam from .cz and .ua actually!
#--------------------------------------------------
header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae|\.net\.id|\.ro|\.cz|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)\s/i
score SPAMMY_TLD_IN_RCVD 0.3
describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line

header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae|\.net\.id|\.ro|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.cz|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)>$/i
score SPAMMY_TLD_IN_FROM 0.3
describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line

header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
uri __HIGH_SPAMMY_TLD_URI /\.(win|bid|top|club|date|stream|xyz)\/.+/i
meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
score HIGH_SPAMMY_TLD 1.1
describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link

#--------------------------------------------------
# Software matching
#--------------------------------------------------
header EVALED_PHP X-PHP-Originating-Script =~ /eval\(\)\'d code/i
score EVALED_PHP 0.4
describe EVALED_PHP Mail send from evaled PHP code

# outdated php version
header OUTDATED_PHP X-Mailer =~ /PHP v?5\.[1234].*/i
score OUTDATED_PHP 0.1
describe OUTDATED_PHP Mail send from an outdated PHP version

header X_MAILER_SENDEMAIL X-Mailer =~ /sendEmail/i
score X_MAILER_SENDEMAIL 0.3

header VULN_PHPMAILER X-Mailer =~ /PHPMailer 5\.2\.[0-9] /i
score VULN_PHPMAILER 0.3
describe VULN_PHPMAILER Mail was sent from a vulnerable version of PHPMailer

# Various meta rules to match wordpress
header __WP_X_PHP_ORIG_SCRIPT X-PHP-Originating-Script =~ /(post|gallery|user)\.php/i
header __WP_X_PHP_SCRIPT X-PHP-Script =~ /(post|gallery|user)\.php/i
header __WP_X_SOURCE X-Source =~ /php-cgi/i
header __WP_X_SOURCE_ARGS X-Source-Args =~ /(post|gallery|user)\.php/i
header __WP_PATH_X_SOURCE_ARGS X-Source-Args =~ /\/wp\-(content|includes)\//i

# Various meta rules to match joomla
# e.g. X-Source-Args: /usr/bin/php /home/joventa/public_html/OLD/components/com_contact/helpers/files.php
header __JO_COMP_X_SOURCE_ARGS X-Source-Args =~ /components\/com_/i
header __JO_X_SOURCE_ARGS X-Source-Args =~ /\/joomla\//i

meta CMS_MAIL ( __WP_X_PHP_ORIG_SCRIPT || __WP_X_PHP_SCRIPT || __WP_X_SOURCE || __WP_X_SOURCE_ARGS || __WP_PATH_X_SOURCE_ARGS || __JO_COMP_X_SOURCE_ARGS || __JO_X_SOURCE_ARGS )
score CMS_MAIL 0.75
describe CMS_MAIL Mail sent from a probably hacked CMS (like Wordpress or Joomla)

#--------------------------------------------------
# Header matching
#--------------------------------------------------
header X_ORG_REAL_CAPITAL       X-Organization =~ /RealCapitalMarkets\.com/i
score X_ORG_REAL_CAPITAL        3.0

#--------------------------------------------------
# Subject matching
#--------------------------------------------------
header __SUBJECT_NEIGHBOR Subject =~ /Neighbou?r/i
header __SUBJECT_NEXT_DOOR Subject =~ /next door/i
meta SUBJECT_NEIGHBOUR (__SUBJECT_NEIGHBOR || __SUBJECT_NEXT_DOOR)
score SUBJECT_NEIGHBOUR 0.3

header __SUBJECT_VIAGRA Subject =~ /viagra/i
header __SUBJECT_PILLS Subject =~ /pills/i
header __SUBJECT_HEALTH_SECRET Subject =~ /health secret/i

meta SUBJECT_HEALTH (__SUBJECT_VIAGRA || __SUBJECT_PILLS || __SUBJECT_HEALTH_SECRET)
score SUBJECT_HEALTH 0.4
describe SUBJECT_HEALTH health-related subject

header SUBJECT_DARLEHEN Subject =~ /Darlehen Angebot jetzt bewerben/i
score SUBJECT_DARLEHEN 0.2

header __FROM_DAVIS_WRIGHT From =~ /Davis Wright/i
header __SUBJECT_LEG_DARLEHEN Subject =~ /Legitimes Darlehen Angebot/i
meta DAVIS_WRIGHT_DARLEHEN (__FROM_DAVIS_WRIGHT && __SUBJECT_LEG_DARLEHEN)
score DAVIS_WRIGHT_DARLEHEN 1.0

header __FROM_KEVIN_PAGE From =~ /Kevin Page/i
meta KEVIN_PAGE_DARLEHEN (__FROM_KEVIN_PAGE && SUBJECT_DARLEHEN)
score KEVIN_PAGE_DARLEHEN 1.0

# "Domain Expiration SEO" spam
header __SUBJECT_EXP_SEO Subject =~ /Expiration SEO/i
header __FROM_EXP_SEO From =~ /(Domain Expiration SEO|Final Reminder)/i
meta EXPIRATION_SEO (__SUBJECT_EXP_SEO && __FROM_EXP_SEO)
score EXPIRATION_SEO 0.3
describe EXPIRATION_SEO Variation of Domain SEO spam

# "SEO issue" spam
header __SUBJECT_SEO_ISSUE Subject =~ /SEO Issue/i
body __BODY_SEO_ISSUE /\s+(Search Specialist|Hello Team)/i
meta SEO_ISSUE (__SUBJECT_SEO_ISSUE && __BODY_SEO_ISSUE)
score SEO_ISSUE 0.4
describe SEO_ISSUE Variation of Domain SEO spam

# Domain Alert
header __SUBJECT_DOMAIN_ALERT Subject =~ /This is your Final (Reminder|Notice)/i
header __FROM_DOMAIN_ALERT From =~ /(Internet Services|Domain Notice|directimpactdesigns.com)/i
body __BODY_DOMAIN_ALERT /\s+search engine registration/i
meta DOMAIN_ALERT (__SUBJECT_DOMAIN_ALERT && __FROM_DOMAIN_ALERT && __BODY_DOMAIN_ALERT)
score DOMAIN_ALERT 0.5
describe DOMAIN_ALERT Variations of search engine registration spam

header __FROM_BITCOIN_CODE From =~ /bestofmesh.com/i
uri __BITCOIN_CODE_LINK /track.bestofmesh.com.*/i
meta BITCOIN_CODE (__FROM_BITCOIN_CODE && __BITCOIN_CODE_LINK)
score BITCOIN_CODE 0.8


# customlogobuilders.press
header FROM_CUSTOMLOGOBUILDERS From =~ /customlogobuilders.press/i
score FROM_CUSTOMLOGOBUILDERS 1.0

#--------------------------------------------------
# uri matching
#--------------------------------------------------

# Something like .... /plugin.php?t=147&SeBJYnc8AzD8YLd4kvf4uNR=Fqz&12i=Cwb&4f=cL4g
# the common parts are:
# - the first parameter name is one char long
# - at least two more parameter follow
uri SPAM_LINK_1 /\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i
score SPAM_LINK_1 0.4
describe SPAM_LINK_1 Spam link

# same as above but focused on the link title
rawbody SPAM_LINK_2 /\>.*(profile is here|new photos|photos are here).*\<\/a\>/i
score SPAM_LINK_2 0.4
describe SPAM_LINK_2 Spam link title

# Something like ..../l/lt2K2240EH14R/1014LP2140G4657WU60A33287012SM1334722588
# Common parts:
# - first part is always one character
# - three parts in total
uri SPAM_LINK_3  /\/\w\/\w{10,}\/\w{10,}/i
score SPAM_LINK_3 0.4
describe SPAM_LINK_3 Spam link

# /pass.php?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=tvec4xo652&utm_content=403g22e07g
# Common parts
# - always a .php file in the root of the domain
# - only GA tracking parameters
# - values for utm_source, utm_medium and utm_campaign are always the same (at least between 2017-07 and 2017-10),
#   utm_term varies slightly and utm_content is random
# - all tracking parameters have 10 chars

uri SPAM_LINK_4 /\/[a-z]+\.php\?utm_source=[a-zA-Z0-9]{10}&utm_medium=[a-zA-Z0-9]{10}&utm_campaign=[a-zA-Z0-9]{10}&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i
score SPAM_LINK_4 0.4
describe SPAM_LINK_4 Spam link

uri SPAM_LINK_4_EXTRA /\/[a-z]+\.php\?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i
score SPAM_LINK_4_EXTRA 0.4
describe SPAM_LINK_4_EXTRA Spam link (extra score)

# sth. /mw/index.php/campaigns/pc118pw7p78bf/track-url/eo948g9ba3535/955e46674ff54a5792d9fa1782e483d77e4fdfc8
uri SPAM_LINK_5 /\/campaigns\/[a-zA-Z0-9]{13}\/track-url\/[a-zA-Z0-9]{13}\/[a-zA-Z0-9]{40}/i
score SPAM_LINK_5 0.4
describe SPAM_LINK_5 Spam link

uri SPAM_LINK_6 /\/[a-zA-Z0-9]{13,18}\/[a-zA-Z0-9-_]{43}\/[a-zA-Z0-9-_]{107,128}/i
score SPAM_LINK_6 0.4
describe SPAM_LINK_6 Spam link

# looks almost the same as SPAM_LINK_6
# characteristics:
# - TLD: .date or .trade
# - Domain always with leading www.
# - path:
#   First part between 7 and 10 chars
#   Second part between 16 and 22 chars
#   Third part always(?) 43 chars
#   Fourth part > 80 chars but varying in length
uri SPAM_LINK_7_HIGH /www\.[a-zA-Z0-9]+\.(date|trade)\/[a-zA-Z0-9-_]{6,13}\/[a-zA-Z0-9-_]{13,24}\/[a-zA-Z0-9-_]{40,65}\/[a-zA-Z0-9-_]{80,999}/i
score SPAM_LINK_7_HIGH 1.2
describe SPAM_LINK_7_HIGH high scored spam link


#--------------------------------------------------
# Mime matching
#--------------------------------------------------
mimeheader DOC_ATTACHED Content-Disposition =~ /filename\=.*\.docx?/i
score DOC_ATTACHED 1.0
describe DOC_ATTACHED Contains .doc or .docx attachment

mimeheader XLS_ATTACHED Content-Disposition =~ /filename\=.*\.xlsx?/i
score XLS_ATTACHED 1.0
describe XLS_ATTACHED Contains .xls or .xlsx attachment

mimeheader __ZIP_ATTACHED Content-Disposition =~ /filename\=.*\.zip/i
describe __ZIP_ATTACHED Contains .zip attachment

#--------------------------------------------------
# Text matching
#--------------------------------------------------
header __SUBJECT_FUCK Subject =~ /f[ua5\&\%]ck/i
body __BODY_FUCK /\s+(fuck|sex|masturbate|anal)\s+/i
meta FUCKED_MAIL (__SUBJECT_FUCK || __BODY_FUCK )
score FUCKED_MAIL 0.5
describe FUCKED_MAIL Contains variations of 'fuck' in the subject and/or body

header __SUBJECT_FAX_RECEIVED Subject =~ /You have 1 new fax, document/i
header __SUBJECT_FAX_RECEIVED2 Subject =~ /You have received a new fax, document /i
meta FAX_RECEIVED ((__SUBJECT_FAX_RECEIVED || __SUBJECT_FAX_RECEIVED2) && __ZIP_ATTACHED)
score FAX_RECEIVED 1.2


body __BODY_VIAGRA /viagra/i
body __BODY_PILLS /pills/i
body __BODY_HEALTH_SECRET /health secret/i

meta BODY_HEALTH (__BODY_VIAGRA || __BODY_PILLS || __BODY_HEALTH_SECRET)
score BODY_HEALTH 0.2
describe BODY_HEALTH health-related body text

body __LEAKED_PWD1a /(I know )?[a-zA-Z0-9]{1,99} one of your pass./i
body __LEAKED_PWD1b /I (do )?know [a-zA-Z0-9]{1,99} one of your pass word./i
body __LEAKED_PWD2 /I actually (installed|placed) a (malware|software) on the (18+|xxx) (streaming|videos|video clips) \((porn|porno|sexually graphic)\)/i
meta LEAKED_PWD ((__LEAKED_PWD1a || __LEAKED_PWD1b) && __LEAKED_PWD2)
score LEAKED_PWD 2.0


#--------------------------------------------------
# Some very persistent spammers
#--------------------------------------------------

header FROM_MUNGAI From =~ /MUNGAI KIHANYA TRAINING/i
score FROM_MUNGAI 2.0

header FROM_KINETIC From =~ /KINETIC (ENTERPRISES|TECHNOLOGIEZ)/i
score FROM_KINETIC 1.0

header FROM_KINETIC2 From =~ /\*\s*KINETIC/i
score FROM_KINETIC2 1.0

meta KINETIC_SCREAMING (FROM_KINETIC2 && SUBJ_ALL_CAPS)
score KINETIC_SCREAMING 2.0

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/
tflags DNSWL_DWL_HI nice net
describe DNSWL_DWL_HI dwl.dnswl.org high trust
score DNSWL_DWL_HI -4

askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/
tflags DNSWL_DWL_MED nice net
describe DNSWL_DWL_MED dwl.dnswl.org medium trust
score DNSWL_DWL_MED -2

askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/
tflags DNSWL_DWL_LOW nice net
describe DNSWL_DWL_LOW dwl.dnswl.org low trust
score DNSWL_DWL_LOW -1

askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/
tflags DNSWL_DWL_NONE nice net
describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust information available
score DNSWL_DWL_NONE -0.2

endif # Mail::SpamAssassin::Plugin::AskDNS
	# Put this file under /etc/spamassassin/ and run an sa-update or reload amavis etc.
	#
	#--------------------------------------------------
	# The only RBL I trust, UCEPROTECT1 (single IP, not IP-ranges or entire ISPs) http://uceprotect.net
	#--------------------------------------------------
	header RCVD_IN_UCEPROTECT1 eval:check_rbl_txt('uceprotect1', 'dnsbl-1.uceprotect.net')
	describe RCVD_IN_UCEPROTECT1 Listed in dnsbl-1.uceprotect.net
	tflags RCVD_IN_UCEPROTECT1 net
	score RCVD_IN_UCEPROTECT1 1.8

	#--------------------------------------------------
	# top level domain matching, and no, not Russia or China; In 2022 I got the absolute most spam from .cz and .ua actually!
	#--------------------------------------------------
	header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae\|\.net\.id\|\.ro\|\.cz\|\.co\.ke\|\.AC\.ZA\|\.co\.in\|\.com\.vn\|\.vn\|\.cc\|\.ua\|\.com\.br\|\.gr\|\.hr\|\.dk\|\.win\|\.bid\|\.tw\|\.br\|\.pk\|\.top\|\.club\|\.date\|\.stream\|\.xyz\|\.trade\|\.icu\|\.press\|\.pro\|\.pet\|\.kim\|\.red)\s/i
	score SPAMMY_TLD_IN_RCVD 0.3
	describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line

	header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae\|\.net\.id\|\.ro\|\.co\.jp\|\.co\.ke\|\.AC\.ZA\|\.co\.in\|\.com\.vn\|\.vn\|\.cc\|\.ua\|\.com\.br\|\.gr\|\.hr\|\.cz\|\.win\|\.bid\|\.tw\|\.br\|\.pk\|\.top\|\.club\|\.date\|\.stream\|\.xyz\|\.trade\|\.icu\|\.press\|\.pro\|\.pet\|\.kim\|\.red)>$/i
	score SPAMMY_TLD_IN_FROM 0.3
	describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line

	header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win\|bid\|top\|club\|date\|stream\|xyz\|icu)\/.*/i
	header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win\|bid\|top\|club\|date\|stream\|xyz\|icu)\/.*/i
	uri __HIGH_SPAMMY_TLD_URI /\.(win\|bid\|top\|club\|date\|stream\|xyz)\/.+/i
	meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
	score HIGH_SPAMMY_TLD 1.1
	describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link

	#--------------------------------------------------
	# Software matching
	#--------------------------------------------------
	header EVALED_PHP X-PHP-Originating-Script =~ /eval\(\)\'d code/i
	score EVALED_PHP 0.4
	describe EVALED_PHP Mail send from evaled PHP code

	# outdated php version
	header OUTDATED_PHP X-Mailer =~ /PHP v?5\.[1234].*/i
	score OUTDATED_PHP 0.1
	describe OUTDATED_PHP Mail send from an outdated PHP version

	header X_MAILER_SENDEMAIL X-Mailer =~ /sendEmail/i
	score X_MAILER_SENDEMAIL 0.3

	header VULN_PHPMAILER X-Mailer =~ /PHPMailer 5\.2\.[0-9] /i
	score VULN_PHPMAILER 0.3
	describe VULN_PHPMAILER Mail was sent from a vulnerable version of PHPMailer

	# Various meta rules to match wordpress
	header __WP_X_PHP_ORIG_SCRIPT X-PHP-Originating-Script =~ /(post\|gallery\|user)\.php/i
	header __WP_X_PHP_SCRIPT X-PHP-Script =~ /(post\|gallery\|user)\.php/i
	header __WP_X_SOURCE X-Source =~ /php-cgi/i
	header __WP_X_SOURCE_ARGS X-Source-Args =~ /(post\|gallery\|user)\.php/i
	header __WP_PATH_X_SOURCE_ARGS X-Source-Args =~ /\/wp\-(content\|includes)\//i

	# Various meta rules to match joomla
	# e.g. X-Source-Args: /usr/bin/php /home/joventa/public_html/OLD/components/com_contact/helpers/files.php
	header __JO_COMP_X_SOURCE_ARGS X-Source-Args =~ /components\/com_/i
	header __JO_X_SOURCE_ARGS X-Source-Args =~ /\/joomla\//i

	meta CMS_MAIL ( __WP_X_PHP_ORIG_SCRIPT \|\| __WP_X_PHP_SCRIPT \|\| __WP_X_SOURCE \|\| __WP_X_SOURCE_ARGS \|\| __WP_PATH_X_SOURCE_ARGS \|\| __JO_COMP_X_SOURCE_ARGS \|\| __JO_X_SOURCE_ARGS )
	score CMS_MAIL 0.75
	describe CMS_MAIL Mail sent from a probably hacked CMS (like Wordpress or Joomla)

	#--------------------------------------------------
	# Header matching
	#--------------------------------------------------
	header X_ORG_REAL_CAPITAL X-Organization =~ /RealCapitalMarkets\.com/i
	score X_ORG_REAL_CAPITAL 3.0

	#--------------------------------------------------
	# Subject matching
	#--------------------------------------------------
	header __SUBJECT_NEIGHBOR Subject =~ /Neighbou?r/i
	header __SUBJECT_NEXT_DOOR Subject =~ /next door/i
	meta SUBJECT_NEIGHBOUR (__SUBJECT_NEIGHBOR \|\| __SUBJECT_NEXT_DOOR)
	score SUBJECT_NEIGHBOUR 0.3

	header __SUBJECT_VIAGRA Subject =~ /viagra/i
	header __SUBJECT_PILLS Subject =~ /pills/i
	header __SUBJECT_HEALTH_SECRET Subject =~ /health secret/i

	meta SUBJECT_HEALTH (__SUBJECT_VIAGRA \|\| __SUBJECT_PILLS \|\| __SUBJECT_HEALTH_SECRET)
	score SUBJECT_HEALTH 0.4
	describe SUBJECT_HEALTH health-related subject

	header SUBJECT_DARLEHEN Subject =~ /Darlehen Angebot jetzt bewerben/i
	score SUBJECT_DARLEHEN 0.2

	header __FROM_DAVIS_WRIGHT From =~ /Davis Wright/i
	header __SUBJECT_LEG_DARLEHEN Subject =~ /Legitimes Darlehen Angebot/i
	meta DAVIS_WRIGHT_DARLEHEN (__FROM_DAVIS_WRIGHT && __SUBJECT_LEG_DARLEHEN)
	score DAVIS_WRIGHT_DARLEHEN 1.0

	header __FROM_KEVIN_PAGE From =~ /Kevin Page/i
	meta KEVIN_PAGE_DARLEHEN (__FROM_KEVIN_PAGE && SUBJECT_DARLEHEN)
	score KEVIN_PAGE_DARLEHEN 1.0

	# "Domain Expiration SEO" spam
	header __SUBJECT_EXP_SEO Subject =~ /Expiration SEO/i
	header __FROM_EXP_SEO From =~ /(Domain Expiration SEO\|Final Reminder)/i
	meta EXPIRATION_SEO (__SUBJECT_EXP_SEO && __FROM_EXP_SEO)
	score EXPIRATION_SEO 0.3
	describe EXPIRATION_SEO Variation of Domain SEO spam

	# "SEO issue" spam
	header __SUBJECT_SEO_ISSUE Subject =~ /SEO Issue/i
	body __BODY_SEO_ISSUE /\s+(Search Specialist\|Hello Team)/i
	meta SEO_ISSUE (__SUBJECT_SEO_ISSUE && __BODY_SEO_ISSUE)
	score SEO_ISSUE 0.4
	describe SEO_ISSUE Variation of Domain SEO spam

	# Domain Alert
	header __SUBJECT_DOMAIN_ALERT Subject =~ /This is your Final (Reminder\|Notice)/i
	header __FROM_DOMAIN_ALERT From =~ /(Internet Services\|Domain Notice\|directimpactdesigns.com)/i
	body __BODY_DOMAIN_ALERT /\s+search engine registration/i
	meta DOMAIN_ALERT (__SUBJECT_DOMAIN_ALERT && __FROM_DOMAIN_ALERT && __BODY_DOMAIN_ALERT)
	score DOMAIN_ALERT 0.5
	describe DOMAIN_ALERT Variations of search engine registration spam

	header __FROM_BITCOIN_CODE From =~ /bestofmesh.com/i
	uri __BITCOIN_CODE_LINK /track.bestofmesh.com.*/i
	meta BITCOIN_CODE (__FROM_BITCOIN_CODE && __BITCOIN_CODE_LINK)
	score BITCOIN_CODE 0.8


	# customlogobuilders.press
	header FROM_CUSTOMLOGOBUILDERS From =~ /customlogobuilders.press/i
	score FROM_CUSTOMLOGOBUILDERS 1.0

	#--------------------------------------------------
	# uri matching
	#--------------------------------------------------

	# Something like .... /plugin.php?t=147&SeBJYnc8AzD8YLd4kvf4uNR=Fqz&12i=Cwb&4f=cL4g
	# the common parts are:
	# - the first parameter name is one char long
	# - at least two more parameter follow
	uri SPAM_LINK_1 /\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i
	score SPAM_LINK_1 0.4
	describe SPAM_LINK_1 Spam link

	# same as above but focused on the link title
	rawbody SPAM_LINK_2 /\>.(profile is here\|new photos\|photos are here).\<\/a\>/i
	score SPAM_LINK_2 0.4
	describe SPAM_LINK_2 Spam link title

	# Something like ..../l/lt2K2240EH14R/1014LP2140G4657WU60A33287012SM1334722588
	# Common parts:
	# - first part is always one character
	# - three parts in total
	uri SPAM_LINK_3 /\/\w\/\w{10,}\/\w{10,}/i
	score SPAM_LINK_3 0.4
	describe SPAM_LINK_3 Spam link

	# /pass.php?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=tvec4xo652&utm_content=403g22e07g
	# Common parts
	# - always a .php file in the root of the domain
	# - only GA tracking parameters
	# - values for utm_source, utm_medium and utm_campaign are always the same (at least between 2017-07 and 2017-10),
	# utm_term varies slightly and utm_content is random
	# - all tracking parameters have 10 chars

	uri SPAM_LINK_4 /\/[a-z]+\.php\?utm_source=[a-zA-Z0-9]{10}&utm_medium=[a-zA-Z0-9]{10}&utm_campaign=[a-zA-Z0-9]{10}&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i
	score SPAM_LINK_4 0.4
	describe SPAM_LINK_4 Spam link

	uri SPAM_LINK_4_EXTRA /\/[a-z]+\.php\?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i
	score SPAM_LINK_4_EXTRA 0.4
	describe SPAM_LINK_4_EXTRA Spam link (extra score)

	# sth. /mw/index.php/campaigns/pc118pw7p78bf/track-url/eo948g9ba3535/955e46674ff54a5792d9fa1782e483d77e4fdfc8
	uri SPAM_LINK_5 /\/campaigns\/[a-zA-Z0-9]{13}\/track-url\/[a-zA-Z0-9]{13}\/[a-zA-Z0-9]{40}/i
	score SPAM_LINK_5 0.4
	describe SPAM_LINK_5 Spam link

	uri SPAM_LINK_6 /\/[a-zA-Z0-9]{13,18}\/[a-zA-Z0-9-_]{43}\/[a-zA-Z0-9-_]{107,128}/i
	score SPAM_LINK_6 0.4
	describe SPAM_LINK_6 Spam link

	# looks almost the same as SPAM_LINK_6
	# characteristics:
	# - TLD: .date or .trade
	# - Domain always with leading www.
	# - path:
	# First part between 7 and 10 chars
	# Second part between 16 and 22 chars
	# Third part always(?) 43 chars
	# Fourth part > 80 chars but varying in length
	uri SPAM_LINK_7_HIGH /www\.[a-zA-Z0-9]+\.(date\|trade)\/[a-zA-Z0-9-_]{6,13}\/[a-zA-Z0-9-_]{13,24}\/[a-zA-Z0-9-_]{40,65}\/[a-zA-Z0-9-_]{80,999}/i
	score SPAM_LINK_7_HIGH 1.2
	describe SPAM_LINK_7_HIGH high scored spam link


	#--------------------------------------------------
	# Mime matching
	#--------------------------------------------------
	mimeheader DOC_ATTACHED Content-Disposition =~ /filename\=.*\.docx?/i
	score DOC_ATTACHED 1.0
	describe DOC_ATTACHED Contains .doc or .docx attachment

	mimeheader XLS_ATTACHED Content-Disposition =~ /filename\=.*\.xlsx?/i
	score XLS_ATTACHED 1.0
	describe XLS_ATTACHED Contains .xls or .xlsx attachment

	mimeheader __ZIP_ATTACHED Content-Disposition =~ /filename\=.*\.zip/i
	describe __ZIP_ATTACHED Contains .zip attachment

	#--------------------------------------------------
	# Text matching
	#--------------------------------------------------
	header __SUBJECT_FUCK Subject =~ /f[ua5\&\%]ck/i
	body __BODY_FUCK /\s+(fuck\|sex\|masturbate\|anal)\s+/i
	meta FUCKED_MAIL (__SUBJECT_FUCK \|\| __BODY_FUCK )
	score FUCKED_MAIL 0.5
	describe FUCKED_MAIL Contains variations of 'fuck' in the subject and/or body

	header __SUBJECT_FAX_RECEIVED Subject =~ /You have 1 new fax, document/i
	header __SUBJECT_FAX_RECEIVED2 Subject =~ /You have received a new fax, document /i
	meta FAX_RECEIVED ((__SUBJECT_FAX_RECEIVED \|\| __SUBJECT_FAX_RECEIVED2) && __ZIP_ATTACHED)
	score FAX_RECEIVED 1.2


	body __BODY_VIAGRA /viagra/i
	body __BODY_PILLS /pills/i
	body __BODY_HEALTH_SECRET /health secret/i

	meta BODY_HEALTH (__BODY_VIAGRA \|\| __BODY_PILLS \|\| __BODY_HEALTH_SECRET)
	score BODY_HEALTH 0.2
	describe BODY_HEALTH health-related body text

	body __LEAKED_PWD1a /(I know )?[a-zA-Z0-9]{1,99} one of your pass./i
	body __LEAKED_PWD1b /I (do )?know [a-zA-Z0-9]{1,99} one of your pass word./i
	body __LEAKED_PWD2 /I actually (installed\|placed) a (malware\|software) on the (18+\|xxx) (streaming\|videos\|video clips) \((porn\|porno\|sexually graphic)\)/i
	meta LEAKED_PWD ((__LEAKED_PWD1a \|\| __LEAKED_PWD1b) && __LEAKED_PWD2)
	score LEAKED_PWD 2.0


	#--------------------------------------------------
	# Some very persistent spammers
	#--------------------------------------------------

	header FROM_MUNGAI From =~ /MUNGAI KIHANYA TRAINING/i
	score FROM_MUNGAI 2.0

	header FROM_KINETIC From =~ /KINETIC (ENTERPRISES\|TECHNOLOGIEZ)/i
	score FROM_KINETIC 1.0

	header FROM_KINETIC2 From =~ /\\sKINETIC/i
	score FROM_KINETIC2 1.0

	meta KINETIC_SCREAMING (FROM_KINETIC2 && SUBJ_ALL_CAPS)
	score KINETIC_SCREAMING 2.0

	ifplugin Mail::SpamAssassin::Plugin::AskDNS

	askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/
	tflags DNSWL_DWL_HI nice net
	describe DNSWL_DWL_HI dwl.dnswl.org high trust
	score DNSWL_DWL_HI -4

	askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/
	tflags DNSWL_DWL_MED nice net
	describe DNSWL_DWL_MED dwl.dnswl.org medium trust
	score DNSWL_DWL_MED -2

	askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/
	tflags DNSWL_DWL_LOW nice net
	describe DNSWL_DWL_LOW dwl.dnswl.org low trust
	score DNSWL_DWL_LOW -1

	askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/
	tflags DNSWL_DWL_NONE nice net
	describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust information available
	score DNSWL_DWL_NONE -0.2

	endif # Mail::SpamAssassin::Plugin::AskDNS