#Copyright (c) 2022 Kevin A. McGrail and the McGrail Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Score overrides that switch SpamAssassin rules off.
#
# Every directive below has the form `score RULE_NAME 0`. SpamAssassin does
# not run a rule whose score is 0, so each rule named here is disabled, not
# just given no weight. A single score value applies to every score set.
#
# The trailing comment on each line records the rule's meta expression (the
# rules and `__` sub-rules it combines). It is reference text only and is not
# parsed; treat it as a snapshot that may differ from the live definition.
# This file does not state why any individual rule is disabled.
#
# NOTE(review): things to confirm before deploying this list
# - Coverage: the list includes phishing, forged-sender and extortion
#   detections (the *_PHISH* rules, FORGED_*, CONFIRMED_FORGED,
#   FROM_BANK_NOAUTH, T_FROMNAME_SPOOFED_EMAIL, MONERO_*). Check that other
#   rules or another filtering layer still cover those message classes.
# - Dependencies: some entries reference other entries in this list
#   (DOS_STOCK_BAT2 uses DOS_STOCK_BAT, KB_FAKED_THE_BAT uses
#   KB_DATE_CONTAINS_TAB, three MONERO_* rules negate MONERO_EXTORT_01).
#   Re-enabling one rule without the rule it depends on changes what it can
#   match. Rules defined elsewhere that reference a name zeroed here are
#   affected the same way; run `spamassassin --lint` after loading this file
#   and review any warnings about dependencies on zero-scored rules.
# - Overrides: a later `score` line for the same rule name replaces the 0 set
#   here, so a site that needs one of these detections can restore it in a
#   configuration file that is read after this one.

score MIME_HTML_ONLY_MULTI 0 # (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY)
score MIME_CHARSET_FARAWAY 0 # (__MIME_CHARSET_FARAWAY && __HIGHBITS)
score DRUGS_DIET 0 # (__DRUGS_DIET1 || __DRUGS_DIET2 || __DRUGS_DIET3 || __DRUGS_DIET4 ||__DRUGS_DIET5 ||__DRUGS_DIET6 ||__DRUGS_DIET7 ||__DRUGS_DIET8 || __DRUGS_DIET9 || __DRUGS_DIET10 )
score DRUGS_DIET_OBFU 0 # (__DRUGS_DIET1 && !__DRUGS_DIET_PHEN)
score DRUGS_MUSCLE 0 # (__DRUGS_MUSCLE2 || __DRUGS_MUSCLE3 || __DRUGS_MUSCLE4 ||__DRUGS_MUSCLE5 )
score DRUGS_ANXIETY_OBFU 0 # ( (__DRUGS_ANXIETY1 &&! __DRUGS_ANXIETY_XAN) || (__DRUGS_ANXIETY3 && !__DRUGS_ANXIETY_VAL))
score DRUGS_ANXIETY_EREC 0 # (DRUGS_ERECTILE && DRUGS_ANXIETY)
score DRUGS_SLEEP_EREC 0 # (DRUGS_ERECTILE && __DRUGS_SLEEP)
score DRUGS_MANYKINDS 0 # (DRUGS_ERECTILE + DRUGS_DIET + __DRUGS_PAIN + __DRUGS_SLEEP + DRUGS_MUSCLE + DRUGS_ANXIETY > 3)
score MSGID_DOLLARS_RANDOM 0 # __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK
score FORGED_MSGID_AOL 0 # (__AT_AOL_MSGID && !__FROM_AOL_COM)
score FORGED_MSGID_EXCITE 0 # (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)
score FORGED_MSGID_HOTMAIL 0 # (__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))
score FORGED_MSGID_MSN 0 # (__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))
score FORGED_MSGID_YAHOO 0 # (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)
score JAPANESE_UCE_BODY 0 # (__ISO_2022_JP_DELIM && __JAPANESE_UCE_BODY)
score CONFIRMED_FORGED 0 # (__FORGED_RCVD_TRAIL && (__FORGED_AOL_RCVD || __FORGED_HOTMAIL_RCVD || __FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || __FORGED_JUNO_RCVD || FORGED_GMAIL_RCVD))
score MULTI_FORGED 0 # ((__FORGED_AOL_RCVD + __FORGED_HOTMAIL_RCVD + __FORGED_EUDORAMAIL_RCVD + FORGED_YAHOO_RCVD + __FORGED_JUNO_RCVD + FORGED_GMAIL_RCVD) > 1)
score HTML_CHARSET_FARAWAY 0 # (__HTML_CHARSET_FARAWAY && __HIGHBITS)
score HTML_MISSING_CTYPE 0 # (!__MIME_HTML && HTML_MESSAGE)
score OBFUSCATING_COMMENT 0 # ((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIM
score JS_FROMCHARCODE 0 # (__JS_FROMCHARCODE && __JS_DOCWRITE)
score PERCENT_RANDOM 0 # (__PC_RND_HEADER || __PC_RND_RAWBODY)
score NO_HEADERS_MESSAGE 0 # (MISSING_DATE && MISSING_HEADERS && NO_RECEIVED && NO_RELAYS && MISSING_MID)
score DIGEST_MULTIPLE 0 # RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1
score RUDE_HTML 0 # __RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4
score FORGED_MUA_THEBAT_CS 0 # (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED && !__MAILMAN_21)
score FORGED_IMS_HTML 0 # (!__YAHOO_BULK && __IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD))
score FORGED_THEBAT_HTML 0 # (__THEBAT_MUA_V1 && MIME_HTML_ONLY)
score REPTO_QUOTE_AOL 0 # __REPTO_QUOTE && __AOL_MUA
score REPTO_QUOTE_IMS 0 # __REPTO_QUOTE && __IMS_MUA
score REPTO_QUOTE_MSN 0 # __REPTO_QUOTE && (__FROM_MSN_COM || __AT_MSN_MSGID)
score REPTO_QUOTE_QUALCOMM 0 # __REPTO_QUOTE && __ANY_QUALCOMM_MUA
score FORGED_QUALCOMM_TAGS 0 # (__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)
score FORGED_IMS_TAGS 0 # (!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
score RATWARE_ZERO_TZ 0 # (__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7))
score RATWARE_OUTLOOK_NONAME 0 # __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE
score RATWARE_NAME_ID 0 # __RATWARE_0_TZ_DATE && __RATWARE_NAME_ID
score NML_ADSP_CUSTOM_LOW 0 # DKIM_ADSP_CUSTOM_LOW && !__VIA_ML && !__VIA_RESIGNER
score NML_ADSP_CUSTOM_MED 0 # DKIM_ADSP_CUSTOM_MED && !__VIA_ML && !__VIA_RESIGNER
score NML_ADSP_CUSTOM_HIGH 0 # DKIM_ADSP_CUSTOM_HIGH && !__VIA_ML && !__VIA_RESIGNER
score SUBJECT_FUZZY_VPILL 0 # __SUBJECT_FUZZY_VPILL && !FUZZY_VPILL
score ENV_AND_HDR_SPF_MATCH 0 # (USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH)
score AC_SPAMMY_URI_PATTERNS1 0 # (__AC_OUTL_URI && __AC_OUTI_URI)
score AC_SPAMMY_URI_PATTERNS10 0 # __AC_PUNCTNUMS_URI
score AC_SPAMMY_URI_PATTERNS11 0 # __AC_NDOMLONGNASPX_URI
score AC_SPAMMY_URI_PATTERNS12 0 # (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
score AC_SPAMMY_URI_PATTERNS2 0 # (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
score AC_SPAMMY_URI_PATTERNS3 0 # (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
score AC_SPAMMY_URI_PATTERNS9 0 # (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
score ADMAIL 0 # __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
score ADULT_DATING_COMPANY 0 # __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
score BEBEE_IMG_NOT_RCVD_BB 0 # __BEBEE_IMG_NOT_RCVD_BB
score BULK_RE_SUSP_NTLD 0 # __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
score CANT_SEE_AD 0 # (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
score COMMENT_GIBBERISH 0 # __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
score CORRUPT_FROM_LINE_IN_HDRS 0 # (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
score CTYPE_001C_A 0 # (0) # obsolete
score DOS_DEREK_AUG08 0 # __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
score DOS_FIX_MY_URI 0 # __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
score DOS_HIGH_BAT_TO_MX 0 # __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
score DOS_LET_GO_JOB 0 # __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
score DOS_STOCK_BAT 0 # __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
score DOS_STOCK_BAT2 0 # DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
score DOS_YOUR_PLACE 0 # (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
score FORM_FRAUD 0 # (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
score FORM_FRAUD_3 0 # (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
score FREEMAIL_WFH_01 0 # __FREEMAIL_WFH_01
score FREEM_FRNUM_UNICD_EMPTY 0 # __FREEM_FRNUM_UNICD_EMPTY
score FRNAME_IN_MSG_XPRIO_NO_SUB 0 # (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
score FROM_BANK_NOAUTH 0 # __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
score FUZZY_MONERO 0 # __FUZZY_MONERO
score GB_FORGED_MUA_POSTFIX 0 # ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
score GOOGLE_DOCS_PHISH_MANY 0 # __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
score GOOGLE_DRIVE_REPLY_BAD_NTLD 0 # __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
score GOOG_REDIR_SHORT 0 # __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
score GOOG_STO_HTML_PHISH_MANY 0 # __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
score GOOG_STO_IMG_HTML 0 # __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
score HDR_ORDER_FTSDMCXX_001C 0 # (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
score HDR_ORDER_FTSDMCXX_BAT 0 # (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
score HOSTED_IMG_DQ_UNSUB 0 # __HOSTED_IMG_DQ_UNSUB
score HTML_SINGLET_MANY 0 # __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
score JM_TORA_XM 0 # (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
score KB_DATE_CONTAINS_TAB 0 # __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB
score KB_FAKED_THE_BAT 0 # (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
score KB_RATWARE_BOUNDARY 0 # __RATWARE_BOUND_A || __RATWARE_BOUND_B
score KB_RATWARE_MSGID 0 # (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
score KHOP_FAKE_EBAY 0 # __EBAY_ADDRESS && !__NOT_SPOOFED
score KHOP_HELO_FCRDNS 0 # __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
score LIST_PRTL_PUMPDUMP 0 # __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
score LIST_PRTL_SAME_USER 0 # __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
score LOTTERY_PH_004470 0 # (__AFF_004470_NUMBER && __AFF_LOTTERY)
score LUCRATIVE 0 # ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
score MALF_HTML_B64 0 # MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
score MIXED_AREA_CASE 0 # __MIXED_AREA_CASE
score MIXED_FONT_CASE 0 # __MIXED_FONT_CASE
score MONERO_DEADLINE 0 # __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
score MONERO_EXTORT_01 0 # __MONERO && __EXTORT_MANY
score MONERO_MALWARE 0 # __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
score MONERO_PAY_ME 0 # __MONERO && __PAY_ME && !MONERO_EXTORT_01
score MSGID_DOLLARS_URI_IMG 0 # __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
score NEWEGG_IMG_NOT_RCVD_NEGG 0 # __NEWEGG_IMG_NOT_RCVD_NEGG
score PART_CID_STOCK 0 # (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
score PART_CID_STOCK_LESS 0 # (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
score PDS_HELO_SPF_FAIL 0 # SPF_HELO_FAIL && __HELO_HIGHPROFILE
score PHISH_FBASEAPP 0 # __PHISH_FBASE_01
score PHP_SCRIPT_MUA 0 # __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
score POSSIBLE_APPLE_PHISH_02 0 # (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
score POSSIBLE_EBAY_PHISH_02 0 # (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
score POSSIBLE_PAYPAL_PHISH_01 0 # (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
score POSSIBLE_PAYPAL_PHISH_02 0 # (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
score PUMPDUMP_MULTI 0 # (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
score PUMPDUMP_TIP 0 # __PD_CNT_1 && __STOCK_TIP
score RAND_HEADER_MANY 0 # __RAND_HEADER_2
score RCVD_DOTEDU_SUSP_URI 0 # __RCVD_DOTEDU_SUSP_URI
score RDNS_NUM_TLD_ATCHNX 0 # __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
score REPTO_419_FRAUD_AOL_LOOSE 0 # __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
score REPTO_419_FRAUD_YH_LOOSE 0 # __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
score SENDGRID_REDIR_PHISH 0 # __SENDGRID_REDIR_PHISH
score SHORT_IMG_SUSP_NTLD 0 # __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
score STOCK_IMG_HDR_FROM 0 # (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
score STOCK_IMG_HTML 0 # (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
score STOCK_PRICES 0 # (SHORT_TERM_PRICE && LONG_TERM_PRICE)
score STOCK_TIP 0 # __STOCK_TIP && !__DKIM_EXISTS
score STOX_AND_PRICE 0 # CURR_PRICE && STOX_REPLY_TYPE
score SYSADMIN 0 # __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
score TBIRD_SUSP_MIME_BDRY 0 # __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
score TEQF_USR_IMAGE 0 # __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
score TEQF_USR_MSGID_HEX 0 # __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
score TEQF_USR_MSGID_MALF 0 # __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
score TONLINE_FAKE_DKIM 0 # __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
score TO_TOO_MANY_WFH_01 0 # __TO_TOO_MANY_WFH_01
score TT_OBSCURED_VALIUM 0 # ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
score TT_OBSCURED_VIAGRA 0 # ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
score TVD_EB_PHISH 0 # __FROM_EBAY && NORMAL_HTTP_TO_IP
score TVD_PP_PHISH 0 # __FROM_PAYPAL && NORMAL_HTTP_TO_IP
score TVD_SPACE_RATIO_MINFP 0 # __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
score TW_GIBBERISH_MANY 0 # __TENWORD_GIBBERISH > 20
score T_DRUGS_ERECTILE_SHORT_SHORTNER 0 # __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE
score T_FROMNAME_SPOOFED_EMAIL 0 # (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
score T_OFFER_ONLY_AMERICA 0 # __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
score T_PDS_FROM_2_EMAILS_SHRTNER 0 # __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
score T_PDS_URISHRT_LOCALPART_SUBJ 0 # LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024
score T_SENT_TO_EMAIL_ADDR 0 # __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
score T_SUSPNTLD_EXPIRATION_EXTORT 0 # LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
score T_XPRIO_URL_SHORTNER 0 # __XPRIO_MINFP && __URL_SHORTENER
score USB_DRIVES 0 # __SUBJ_USB_DRIVES
score VPS_NO_NTLD 0 # __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
score XM_DIGITS_ONLY 0 # __XM_DIGITS_ONLY