
Contents of /trunk/spamassassin_config/common/misc_spam



Revision 249 - (hide annotations) (download)
Fri Oct 31 20:23:07 2008 UTC (4 years, 6 months ago) by cord
File size: 9796 byte(s)
added a rule to compensate false positives on lame DNS-Entries for static IPs of rima-tde.net
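# Assorted hand-written spam signatures. Each rule is a test line
# (header / body / rawbody / full / meta), an optional "describe" text and a
# "score" that is added to the message total when the test hits.

# This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
# pasc couldn't find any false positives on the lists he's on
# Hits on the mere presence of an X-Message-Info header, whatever its value.
header X_MESSAGE_INFO exists:X-Message-Info
score X_MESSAGE_INFO 4.0

# Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
# host no longer exists according to administrator,
# so a Received header naming *.mr.outblaze.com is treated as faked.
header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
score FAKE_OUTBLAZE_RCVD 3.0

# blarson 2005-01-19 (--pasc 2005-01-30)
# Subject contains "<word> number :" -- the space before the colon is required.
header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
describe TRACKING tracking number
score TRACKING 2

# Sent in by blars (20050220) -- applied by pasc
# Body links to http://www.gueb.de/. The describe text used to misspell the
# domain as "geub"; it now matches the pattern.
body GUEBDE /http\:\/\/www\.gueb\.de\//
describe GUEBDE www.gueb.de
score GUEBDE 5

# Don 2008-06-27
# Credits messages whose raw body contains the PGP armor header line.
# NOTE(review): only the marker text is matched; no signature is verified.
# Any sender can include that line, so the -5 is not evidence of a trusted
# author. Consider a smaller credit, or tie the credit to a real verification
# result.
rawbody PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
score PGPSIGNATURE -5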
26 don 2
27 don 226
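# TODO: The rules below seem to be very similar; possibly fix them.

# These might trip up on non-english lists. We'll see.
# They're fucking up on GPG signatures
# Runs of 7+ (WORD1) or 6+ (WORD2) consecutive consonants, case-insensitive.
# "y" is not in the class. A 7-character run satisfies both patterns, so such
# a message collects 0.1 + 0.2.
body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
score MURPHY_WRONG_WORD1 0.1

body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
score MURPHY_WRONG_WORD2 0.2

#Impronounceable. Need to check this one for accuracy (from airmax.cf)
# Same consonant class as above, but case-sensitive (lower case only), so it
# overlaps MURPHY_WRONG_WORD2 on lower-case text. The describe text used to say
# "too much vowels"; the pattern matches consonant runs, so it is corrected.
# NOTE(review): neither IMPRONONCABLE rule has a score line in this file, so
# whatever default or external score SpamAssassin applies is used -- confirm.
body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/
describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too many consonants)
# Two to nine repetitions of "1-9 lower-case letters followed by 1-4 digits".
# NOTE(review): the letter class lists a-z without "u" -- possibly a typo;
# confirm before changing, since it alters what matches.
body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters)

# From http://www.exit0.us/index.php/FredsRules
# Added by pasc 2004/06/20
# Seven unscored sub-rules (names starting with "__"), each matching a set of
# letter pairs, case-insensitive. They only feed the meta rule below.

body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
body __FVGT_b_OBFU_V /(f|g|q|w)v/i
body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
# Fires when the sub-rule hits sum to more than 1, i.e. at least two of the
# seven pair families appear in the body.
meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
score FVGT_m_MULTI_ODD 0.02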
57    
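# joy, 2003-07-20
header NEPEYO From =~ /nepeyo\@catlover/
describe NEPEYO spamvertizers
score NEPEYO 4

# cjwatson, 2003/07/28
header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
describe MP3_PLAYERS Spam from "HY Tech"
score MP3_PLAYERS 4

# joy, 2003-08-15
header UOSJUNK Subject =~ /UOS online Degree Programme/i
describe UOSJUNK Spam from UOS
score UOSJUNK 4

# cjwatson, 2004-02-27
# Either the sales phrase or the advertised host name is enough to hit.
body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
describe GAS_MILEAGE Fuel-saving snake oil
score GAS_MILEAGE 3

# blarson, 2004-03-31
# "fuel" and "saver" with at most one arbitrary character between them.
body FUELSAVER /fuel.?saver/i
describe FUELSAVER Fuel Saver spam
score FUELSAVER 3

# blarson, 2004-04-03
body CABLEFILTERZ /cablefilterz/
describe CABLEFILTERZ cablefilterz spam
score CABLEFILTERZ 4

# blarson 2004-04-15
# Subject starts with "(" followed by digits/slashes and ")", or by the
# unexpanded template token "%RND".
header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
describe PARENNUM paren number in subject
score PARENNUM 3

# blarson 2004-04-25
# bounces our bounces.... (had negative score)
header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
describe COVADRT Covad request tracker bounces
score COVADRT 8

# blarson 2005-03-02
# Negative score: compensates for a sender whose mail looks spammy.
# NOTE(review): the match is on the From header text alone, which the sender
# controls, so anyone using this address in From receives the -2 credit.
header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
score ROBERTOJIMENOCA -2

# blarson 2005-07-10
header TURBOPRO subject =~ /\bturbonet pro\b/i
describe TURBOPRO dialup accelerator spam
score TURBOPRO 3

# blarson 2006-04-28
# Subject ends in "Re:" or "Re[N]:" with nothing after it. The leading \s means
# a whitespace character must precede "Re".
header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
describe RESUBJECT re nothing
score RESUBJECT 2

# blarson 2004-10-22 2007-07-18 up score
# Subject value is empty or whitespace only.
# NOTE(review): whether a message with no Subject header at all is covered
# depends on how SpamAssassin treats a missing header here -- confirm.
header NOSUBJECT subject =~ /^\s*$/
describe NOSUBJECT No subject
score NOSUBJECT 2.5

# blarson 2006-10-17
# "full" rules run against the whole raw message, headers included.
# NOTE(review): "=_NextPart_000_" boundaries are also produced by common
# Microsoft mail clients, so expect hits on legitimate mail -- verify against
# list traffic.
full NEXTPART /\-\=\_NextPart\_000\_/
describe NEXTPART spammer mime separator
score NEXTPART 2.5

# blarson 2006-10-17
# Any "Content-Type: image..." line anywhere in the raw message.
full CT_IMAGE /Content\-Type\:\s*image/i
describe CT_IMAGE Picture attached
score CT_IMAGE 1

# blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
# NOTE(review): the remark above no longer fits the numbers: this rule scores
# 2.5, more than CT_IMAGE's 1, and the two add up to 3.5 on a message whose
# top-level Content-Type is an image.
header CT_IMAGE_HEAD content-type =~ /image/
describe CT_IMAGE_HEAD entire message is image
score CT_IMAGE_HEAD 2.5


# don 2006-10-25
# NOTE(review): /A-Z/ is the literal three-character string "A-Z", not the
# character class [A-Z]. As written the rule hits only if Thread-Index contains
# that exact text. Decide whether [A-Z] or exists:Thread-Index was intended;
# either would fire far more often, so re-check the score first.
header THREADINDEX Thread-Index =~ /A-Z/
describe THREADINDEX thread-index header on spam
score THREADINDEX 1.5

# blarson 2006-10-30
header FORDASH subject =~ /\bFor \- \d+/
describe FORDASH for dash
score FORDASH 3

# blarson 2006-11-01
# Matches the MIME encoded-word prefix "=?koi8-r". KOI8-R is a Cyrillic
# (Russian) charset, not a Korean one; the rule name is kept so existing
# references still work, and only the describe text is corrected.
# NOTE(review): the pattern is case-sensitive, and header rules normally see
# the decoded header value; if so, this prefix is only visible through
# Subject:raw -- confirm the rule still hits.
header KOREAN subject =~ /\=\?koi8\-r/
describe KOREAN KOI8-R (Cyrillic) character set spam
score KOREAN 2

# blarson 2006-12-04
# Subject ends with "fwd: " followed by a single word (case-sensitive).
header FWDNAME subject =~ /fwd\: \w+\s*$/
describe FWDNAME fwd: name spam
score FWDNAME 3

# blarson 2006-12-06
# A body paragraph that consists of digits only.
body NUMONLY /^\s*\d+\s*$/
describe NUMONLY number only body
score NUMONLY 1

# blarson 2007-04-24
# Keys on one specific User-Agent version string. The header is set by the
# sender, so this is a fingerprint of one spam run, not of the client itself.
header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
describe THUNDERB spam missing content
score THUNDERB 2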
164    
165    
# Bounce, autoresponder and "private message / pdf" signatures.
# Layout per rule: test line, then score, then describe.

# blarson 2007-06-15
# Subject carries the text "Failure notice:".
header FAILNOTE subject =~ /Failure notice\:/
score FAILNOTE 2
describe FAILNOTE bounced spam

# blarson 2007-06-28
# A raw body line starting with "Content-Disposition: inline;" that is
# immediately followed by a word character (the trailing \b requires it).
rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
score CTINLINE 1
describe CTINLINE Inline attachment

# blarson 2007-07-07
# The spelling "verifcation" is part of the pattern as written.
body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
score BOXTRAPPER 9
describe BOXTRAPPER boxtrapper spam

# blarson 2007-07-11
body PROMOCODE /^promo code\:/i
score PROMOCODE 3
describe PROMOCODE promo code

# blarson 2007-07-11
body XLMAN /\bwww\.xl\-man\.net\b/
score XLMAN 3
describe XLMAN xl-man spam

# blarson 2007-07-12
# The pattern looks for the word "costumer" as written.
body COSTUMER /^Dear costumer\b/
score COSTUMER 3
describe COSTUMER paypal scam

# blarson 2007-07-13
body PRIVATE /^Your private and confidential message is attached\./
score PRIVATE 4
describe PRIVATE private message

# don 2007-07-15
# Any Auto-Submitted value containing "auto", case-insensitive.
header AUTOGENERATE auto-submitted =~ /auto/i
score AUTOGENERATE 3
describe AUTOGENERATE auto generated crap

# blarson 2007-07-15
body PRIVPDF /^All our private messages are in pdf format/
score PRIVPDF 4
describe PRIVPDF private pdf

# don 2007-07-19
# X-Autorespond present with at least one character in its value.
header AUTORESPOND X-Autorespond =~ /./
score AUTORESPOND 4
describe AUTORESPOND Automatic response

# X-Mailer value contains "autors" (case-sensitive).
header AUTOMAILER X-Mailer =~ /autors/
score AUTOMAILER 3
describe AUTOMAILER Auto response mailer

# blarson 2007-07-22
header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
score OUTOFOFFICE_SUB 6
describe OUTOFOFFICE_SUB broken autoresponder

body OUTOFOFFICE /out of the office/i
score OUTOFOFFICE 3
describe OUTOFOFFICE Out of the office

# blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
# Subject ends with a letter or "!", an optional dash, then 3 or more digits.
header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
score SUBENDNUM 2
describe SUBENDNUM Subject ends in word989

# blarson 2007-07-27
body PRIVMES /^You have been sent a private message/
score PRIVMES 3
describe PRIVMES more pdf spam

# blarson 2007-07-27
# multipart/mixed whose quoted boundary is 4+ dashes followed by 4+ digits.
header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
score MIXEDBDN 1
describe MIXEDBDN more pdf spam
243 don 2
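# blarson 2007-07-28
# Subject contains a digit directly followed by ".zip".
header DOTZIP subject =~ /\d\.zip\b/
describe DOTZIP zip spam
score DOTZIP 3

# blarson 2007-07-30
# multipart/mixed with charset=iso-8859-1 and a quoted boundary of the form
# "----=_<8+ digits>_<4+ digits>".
header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
describe MIXED2 more pdf spam
score MIXED2 2.5

# blarson 2007-07-31
# The largest single score in this block, keyed on From display text.
header KEYENCE From =~ /KEYENCE CORPORATION/
describe KEYENCE opt out spam
score KEYENCE 10

# blarson 2007-08-02
# Subject ends with the literal text "(No Subject)". The describe text used to
# read "explicity"; the spelling is corrected.
header NOSUB subject =~ /\(No Subject\)$/i
describe NOSUB explicitly no subject
score NOSUB 1

# blarson 2007-08-07
header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
describe CTPDF more pdf spam
score CTPDF 4

# blarson 2007-06-12
# Matches the MIME encoded-word prefix "=?iso-2022-jp" in the subject.
# NOTE(review): header rules normally see the decoded header value; if so,
# this prefix is only visible through Subject:raw -- confirm the rule still
# hits.
header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
describe JAPSUB subject in japanese
score JAPSUB 3

# blarson 2007-08-24
header XMSATT X-MS-Has-Attach =~ /yes/i
describe XMSATT more pdf spam
score XMSATT 2

# blarson 2007-10-27
body ICQ /^icq\:/i
describe ICQ icq:
score ICQ 2

# blarson 2007-11-02
# X-J2Id header present with at least one digit in its value.
header XJ2ID X-J2Id =~ /\d+/
describe XJ2ID fax bounce
score XJ2ID 4

# blarson 2007-11-15
# 30 or more consecutive word characters in the subject. \d is already part of
# \w, so the class is equivalent to \w alone.
header LONGWORD subject =~ /\b[\w\d]{30,}/i
describe LONGWORD long word in subject
score LONGWORD 2

# blarson 2007-11-23
header TESTIMONIAL subject =~ /\btestimonial/i
describe TESTIMONIAL testimonials
score TESTIMONIAL 2

# blarson 2007-12-13
# "it`s" written with a backtick instead of an apostrophe.
header ITXS subject =~ /\bit\`s\b/i
describe ITXS it`s
score ITXS 4

# blarson 2007-12-18
# Inline style with a font size of 1, 2 or 3 px. \s+ requires whitespace after
# the colon.
rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
describe TINYFONT tiny font specified
score TINYFONT 3

# blarson 2008-04-03
rawbody ZIPFILE /\bfilename\=.*\.zip\b/i
describe ZIPFILE zipfile attachment
score ZIPFILE 0.5

# blarson 2008-04-19
header SPACESUB subject =~ /^\s\w/
describe SPACESUB extra space before subject
score SPACESUB 0.5

# don 2008-05-04
# NOTE(review): the header name is written with a trailing colon
# ("X-Yahoo-Newman-Property:"), unlike every other header rule here. Check with
# the lint run that the rule parses and hits as intended.
header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
score YAHOOCALENDAR 4

# blarson 2008-06-03
header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
describe BOUNDARYID spamware boundary
score BOUNDARYID 0.6

# blarson 2008-07-02
body GBKXWFLXF /\bgbkxwflxf\b/
describe GBKXWFLXF gbkxwflxf
score GBKXWFLXF 5

# cord 2008-10-31
# compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
# NOTE(review): this -5 is granted on a substring match over the Received
# headers. Received lines below the first trusted hop are written by the
# sending side, so the text can appear in mail that never came from that
# network. Prefer matching the relay data SpamAssassin records for trusted
# hops (e.g. the rdns= field of X-Spam-Relays-Untrusted), or use a smaller
# credit.
header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
describe STATIC_RIMA_TDE static IP from rima-tde.net
score STATIC_RIMA_TDE -5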
