# # 2021, 2022 Victor Ustugov # header __OFFICE365_RCVD_FIRST Received =~ /^(.*\n)+from (?:[A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM)|[A-Z\d]+\.(?:[a-zA-Z]+\d+\.)?(?:prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM)) \(((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) by (?:[A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM)|[A-Z\d]+\.(?:[a-zA-Z]+\d+\.)?(?:prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM)) \(((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) with Microsoft SMTP Server \(version=TLS1_[23], cipher=TLS(?:_[A-Z\d]+)+\) id 15\.\d+\.\d+\.\d+; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000\nfrom (?:[A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM)|[A-Z\d]+\.(?:[a-zA-Z]+\d+\.)?(?:prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM)) \(\[(?:[\da-f]+)?(?::(?:[\da-f]+)?)+\]\) by (?:[A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM)|[A-Z\d]+\.(?:[a-zA-Z]+\d+\.)?(?:prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM)) \(\[(?:[\da-f]+)?(?::(?:[\da-f]+)?)+\%\d+\]\) with mapi id 15\.\d+\.\d+\.\d+; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000$/ header __OFFICE365_MSGID Message-ID:case =~ /^<[A-Z\d]{38,40}\@(?:[A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM)|[A-Z\d]+\.(?:[a-zA-Z]+\d+\.)?(?:prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM))>$/ header __OFFICE365_X_MS_Exchange_CrossTenant_AuthAs_Internal X-MS-Exchange-CrossTenant-AuthAs =~ /^Internal$/ header __OFFICE365_X_MS_Exchange_CrossTenant_AuthAs_Anonymous X-MS-Exchange-CrossTenant-AuthAs =~ /^Anonymous$/ #meta __OFFICE365 __CUST_MIME_Version_1_0 && __HAS_x_ms_publictraffictype && __HAS_X_MS_Office365_Filtering_Correlation_Id && __HAS_x_ms_traffictypediagnostic && __HAS_x_microsoft_antispam_prvs && __HAS_x_ms_oob_tlc_oobclassifiers && __HAS_x_ms_exchange_senderadcheck && __HAS_x_microsoft_antispam && __HAS_x_microsoft_antispam_message_info && __HAS_x_forefront_antispam_report && __HAS_x_ms_exchange_antispam_messagedata && __HAS_X_OriginatorOrg && __HAS_X_MS_Exchange_CrossTenant_AuthSource && __HAS_X_MS_Exchange_CrossTenant_Network_Message_Id && __HAS_X_MS_Exchange_CrossTenant_originalarrivaltime && __HAS_X_MS_Exchange_CrossTenant_fromentityheader && __HAS_X_MS_Exchange_CrossTenant_id && __HAS_X_MS_Exchange_Transport_CrossTenantHeadersStamped && __HAS_X_MS_Exchange_CrossTenant_AuthAs && __HAS_X_MS_Exchange_CrossTenant_mailboxtype && __HAS_X_MS_Exchange_CrossTenant_userprincipalname && __HAS_Content_Language && DKIM_SIGNED #meta __OFFICE365 __CUST_MIME_Version_1_0 && __HAS_x_ms_publictraffictype && __HAS_X_MS_Office365_Filtering_Correlation_Id && __HAS_x_ms_traffictypediagnostic && __HAS_x_microsoft_antispam_prvs && __HAS_x_ms_oob_tlc_oobclassifiers && __HAS_x_ms_exchange_senderadcheck && __HAS_x_microsoft_antispam && __HAS_x_microsoft_antispam_message_info && __HAS_x_forefront_antispam_report && __HAS_x_ms_exchange_antispam_messagedata && __HAS_X_OriginatorOrg && __HAS_X_MS_Exchange_CrossTenant_AuthSource && __HAS_X_MS_Exchange_CrossTenant_Network_Message_Id && __HAS_X_MS_Exchange_CrossTenant_originalarrivaltime && __HAS_X_MS_Exchange_CrossTenant_fromentityheader && __HAS_X_MS_Exchange_CrossTenant_id && __HAS_X_MS_Exchange_Transport_CrossTenantHeadersStamped && __HAS_X_MS_Exchange_CrossTenant_AuthAs && __HAS_X_MS_Exchange_CrossTenant_mailboxtype && __HAS_X_MS_Exchange_CrossTenant_userprincipalname #meta __OFFICE365 __CUST_MIME_Version_1_0 && __HAS_x_ms_publictraffictype && __HAS_X_MS_Office365_Filtering_Correlation_Id && __HAS_x_ms_traffictypediagnostic && __HAS_x_microsoft_antispam_prvs && __HAS_x_ms_oob_tlc_oobclassifiers && __HAS_x_ms_exchange_senderadcheck && __HAS_x_microsoft_antispam && __HAS_x_microsoft_antispam_message_info && __HAS_x_forefront_antispam_report && __HAS_x_ms_exchange_antispam_messagedata && __HAS_X_OriginatorOrg && __HAS_X_MS_Exchange_CrossTenant_AuthSource && __HAS_X_MS_Exchange_CrossTenant_Network_Message_Id && __HAS_X_MS_Exchange_CrossTenant_originalarrivaltime && __HAS_X_MS_Exchange_CrossTenant_fromentityheader && __HAS_X_MS_Exchange_CrossTenant_id && __HAS_X_MS_Exchange_Transport_CrossTenantHeadersStamped && __HAS_X_MS_Exchange_CrossTenant_AuthAs #eta __OFFICE365 __CUST_MIME_Version_1_0 && __HAS_x_ms_publictraffictype && __HAS_X_MS_Office365_Filtering_Correlation_Id && __HAS_x_ms_traffictypediagnostic && __HAS_x_microsoft_antispam_prvs && __HAS_x_ms_oob_tlc_oobclassifiers && __HAS_x_ms_exchange_senderadcheck && __HAS_x_microsoft_antispam && __HAS_x_microsoft_antispam_message_info && __HAS_x_forefront_antispam_report && __HAS_x_ms_exchange_antispam_messagedata && __HAS_X_OriginatorOrg && __HAS_X_MS_Exchange_CrossTenant_AuthSource && __HAS_X_MS_Exchange_CrossTenant_Network_Message_Id && __HAS_X_MS_Exchange_CrossTenant_originalarrivaltime && __HAS_X_MS_Exchange_CrossTenant_fromentityheader && __HAS_X_MS_Exchange_CrossTenant_id && __HAS_X_MS_Exchange_Transport_CrossTenantHeadersStamped && ((__OFFICE365_X_MS_Exchange_CrossTenant_AuthAs_Internal && __HAS_X_MS_Exchange_CrossTenant_mailboxtype && __HAS_X_MS_Exchange_CrossTenant_userprincipalname) || __OFFICE365_X_MS_Exchange_CrossTenant_AuthAs_Anonymous) meta __OFFICE365 __CUST_MIME_Version_1_0 && __HAS_x_ms_publictraffictype && __HAS_X_MS_Office365_Filtering_Correlation_Id && __HAS_x_ms_traffictypediagnostic && __HAS_x_microsoft_antispam_prvs && __HAS_x_ms_oob_tlc_oobclassifiers && __HAS_x_ms_exchange_senderadcheck && __HAS_x_microsoft_antispam && __HAS_x_microsoft_antispam_message_info && __HAS_x_forefront_antispam_report && (__HAS_x_ms_exchange_antispam_messagedata || (__HAS_x_ms_exchange_antispam_messagedata_chunkcount && __HAS_x_ms_exchange_antispam_messagedata_0)) && __HAS_X_OriginatorOrg && __HAS_X_MS_Exchange_CrossTenant_AuthSource && __HAS_X_MS_Exchange_CrossTenant_Network_Message_Id && __HAS_X_MS_Exchange_CrossTenant_originalarrivaltime && __HAS_X_MS_Exchange_CrossTenant_fromentityheader && __HAS_X_MS_Exchange_CrossTenant_id && __HAS_X_MS_Exchange_Transport_CrossTenantHeadersStamped && ((__OFFICE365_X_MS_Exchange_CrossTenant_AuthAs_Internal && __HAS_X_MS_Exchange_CrossTenant_mailboxtype && __HAS_X_MS_Exchange_CrossTenant_userprincipalname) || __OFFICE365_X_MS_Exchange_CrossTenant_AuthAs_Anonymous) meta __ARC __HAS_ARC_Seal && __HAS_ARC_Message_Signature && __HAS_ARC_Authentication_Results meta __OFFICE365_MSO_OR_WEB __OFFICE365_RCVD_FIRST && __OFFICE365_MSGID && __HAS_Thread_Topic && __HAS_Thread_Index && __HAS_Accept_Language && __HAS_X_MS_Has_Attach && __HAS_X_MS_TNEF_Correlator && __HAS_x_ms_exchange_transport_forked meta OFFICE365_MSO_OR_WEB __OFFICE365 && __OFFICE365_MSO_OR_WEB && __ARC && DKIM_SIGNED describe OFFICE365_MSO_OR_WEB Message from Office 365 score OFFICE365_MSO_OR_WEB -0.01 meta OFFICE365_MSO_OR_WEB_WITHOUT_ARC __OFFICE365 && __OFFICE365_MSO_OR_WEB && !__ARC describe OFFICE365_MSO_OR_WEB_WITHOUT_ARC Message from Office 365 score OFFICE365_MSO_OR_WEB_WITHOUT_ARC 0.01 meta OFFICE365_MSO_OR_WEB_WITHOUT_DKIM __OFFICE365 && __OFFICE365_MSO_OR_WEB && !DKIM_SIGNED describe OFFICE365_MSO_OR_WEB_WITHOUT_DKIM Message from Office 365 score OFFICE365_MSO_OR_WEB_WITHOUT_DKIM 0.01 header __OFFICE365_SMTP_RCVD_FIRST Received =~ /^(.*\n)+from ([A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM) )?\((?:[\da-f]+)?(?::(?:[\da-f]+)?)+\) by [A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM) \((?:[\da-f]+)?(?::(?:[\da-f]+)?)+\) with Microsoft SMTP Server \(version=TLS1_[0123], cipher=TLS(?:_[A-Z\d]+)+\) id 15\.\d+\.\d+\.\d+; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000\nfrom [A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM) \(\[(?:[\da-f]+)?(?::(?:[\da-f]+)?)+\]\) by [A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM) \(\[(?:[\da-f]+)?(?::(?:[\da-f]+)?)+\%\d+\]\) with mapi id 15\.\d+\.\d+\.\d+; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000\nfrom (?:\[((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]|[A-Za-z\d\-]+(\.[A-Za-z\d\-]+)*) \(((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) by [A-Z\d]+\.[a-zA-Z]+\d+\.(prod\.outlook\.com|PROD\.OUTLOOK\.COM|prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM) \((?:[\da-f]+)?(?::(?:[\da-f]+)?)+\) with Microsoft SMTP Server \(version=TLS1_[0123], cipher=TLS(?:_[A-Z\d]+)+\) id 15\.\d+\.\d+\.\d+ via Frontend Transport; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000$/ meta OFFICE365_SMTP __OFFICE365 && !__OFFICE365_MSO_OR_WEB && __OFFICE365_SMTP_RCVD_FIRST describe OFFICE365_SMTP Message from Office 365 score OFFICE365_SMTP -0.01 meta OFFICE365_CT_MULTIPART_NO_X_MAILER __OFFICE365 && CT_MULTIPART_NO_X_MAILER describe OFFICE365_CT_MULTIPART_NO_X_MAILER OFFICE365 - CT_MULTIPART_NO_X_MAILER compensation score OFFICE365_CT_MULTIPART_NO_X_MAILER -0.4 meta OFFICE365_MSGID_FROM_MTA_HEADER __OFFICE365 && MSGID_FROM_MTA_HEADER describe OFFICE365_MSGID_FROM_MTA_HEADER OFFICE365 - MSGID_FROM_MTA_HEADER compensation score OFFICE365_MSGID_FROM_MTA_HEADER -1.0 meta OFFICE365_X_Orig_IP_without_X_Mailer __OFFICE365 && X_Orig_IP_without_X_Mailer describe OFFICE365_X_Orig_IP_without_X_Mailer OFFICE365 - X_Orig_IP_without_X_Mailer compensation score OFFICE365_X_Orig_IP_without_X_Mailer -1.0 header __OUTLOOK_COM_RCVD_FIRST_1 Received =~ /^(.*\n)+from [A-Z\d]+\.[a-zA-Z\-]+\d+\.(?:prod\.protection\.outlook\.com|PROD\.PROTECTION\.OUTLOOK\.COM) \(((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) by [A-Z\d]+\.[a-zA-Z\-]+\d+\.(?:prod\.protection\.outlook\.com|PROD\.PROTECTION\.OUTLOOK\.COM) \(((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) with Microsoft SMTP Server \(version=TLS1_[23], cipher=TLS(?:_[A-Z\d]+)+\) id 15\.\d+\.\d+\.\d+; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000\nfrom [A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM|prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM) \(((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) by [A-Z\d]+\.(?:mail\.protection\.outlook\.com|MAIL\.PROTECTION\.OUTLOOK\.COM) \(((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) with Microsoft SMTP Server \(version=TLS1_[23], cipher=TLS(?:_[A-Z\d]+)+\) id 15\.\d+\.\d+\.\d+ via Frontend Transport; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000\nfrom [A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM|prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM) \(\[(?:[\da-f]+)?(?::(?:[\da-f]+)?)+\]\) by [A-Z\d]+\.[a-zA-Z]+\d+\.(?:prod\.outlook\.com|PROD\.OUTLOOK\.COM|prod\.exchangelabs\.com|PROD\.EXCHANGELABS\.COM) \(\[(?:[\da-f]+)?(?::(?:[\da-f]+)?)+\%\d+\]\) with mapi id 15\.\d+\.\d+\.\d+; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000$/ header __OUTLOOK_COM_RCVD_FIRST_2 Received =~ /^(.*\n)+from [A-Z\d]+\.[a-zA-Z\-]+\d+\.(?:prod(?:\.protection)?\.outlook\.com|PROD(?:\.PROTECTION)?\.OUTLOOK\.COM) \(\[((?:[\da-f]+)?(?::(?:[\da-f]+)?)+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\) by [A-Z\d]+\.[a-zA-Z\-]+\d+\.(?:prod(?:\.protection)?\.outlook\.com|PROD(?:\.PROTECTION)?\.OUTLOOK\.COM) \(\[((?:[\da-f]+)?(?::(?:[\da-f]+)?)+(?:\%4)?|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\) with mapi id 15\.\d+\.\d+\.\d+; (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d+ (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) 20\d\d \d\d:\d\d:\d\d \+0000$/ meta __OUTLOOK_COM_RCVD_FIRST __OUTLOOK_COM_RCVD_FIRST_1 || __OUTLOOK_COM_RCVD_FIRST_2 #meta OUTLOOK_COM __CUST_MIME_Version_1_0 && DKIM_SIGNED && __ARC && __OUTLOOK_COM_RCVD_FIRST && __HAS_x_ms_publictraffictype && __HAS_X_MS_Office365_Filtering_Correlation_Id && __HAS_x_ms_traffictypediagnostic && __HAS_x_microsoft_antispam && __HAS_x_microsoft_antispam_message_info && __HAS_x_ms_exchange_antispam_messagedata && __HAS_X_OriginatorOrg && __HAS_X_MS_Exchange_CrossTenant_AuthAs && __HAS_X_MS_Exchange_CrossTenant_AuthSource && __HAS_X_MS_Exchange_CrossTenant_Network_Message_Id && __HAS_X_MS_Exchange_CrossTenant_originalarrivaltime && __HAS_X_MS_Exchange_CrossTenant_fromentityheader && __HAS_X_MS_Exchange_CrossTenant_id && __HAS_X_MS_Exchange_Transport_CrossTenantHeadersStamped && __OFFICE365_MSGID && __HAS_Thread_Topic && __HAS_Thread_Index && __HAS_Accept_Language && __HAS_X_MS_Has_Attach && __HAS_X_MS_TNEF_Correlator && __HAS_x_ms_exchange_transport_forked meta OUTLOOK_COM __CUST_MIME_Version_1_0 && DKIM_SIGNED && __ARC && __OUTLOOK_COM_RCVD_FIRST && __HAS_x_ms_publictraffictype && __HAS_X_MS_Office365_Filtering_Correlation_Id && __HAS_x_ms_traffictypediagnostic && __HAS_x_microsoft_antispam && __HAS_x_microsoft_antispam_message_info && (__HAS_x_ms_exchange_antispam_messagedata || (__HAS_x_ms_exchange_antispam_messagedata_chunkcount && __HAS_x_ms_exchange_antispam_messagedata_0)) && __HAS_X_OriginatorOrg && __HAS_X_MS_Exchange_CrossTenant_AuthAs && __HAS_X_MS_Exchange_CrossTenant_AuthSource && __HAS_X_MS_Exchange_CrossTenant_Network_Message_Id && __HAS_X_MS_Exchange_CrossTenant_originalarrivaltime && __HAS_X_MS_Exchange_CrossTenant_fromentityheader && __HAS_X_MS_Exchange_CrossTenant_id && __HAS_X_MS_Exchange_Transport_CrossTenantHeadersStamped && __OFFICE365_MSGID && __HAS_Thread_Topic && __HAS_Thread_Index && __HAS_Accept_Language && __HAS_X_MS_Has_Attach && __HAS_X_MS_TNEF_Correlator describe OUTLOOK_COM Message from outlook.com score OUTLOOK_COM -0.01 meta OUTLOOK_COM_CT_MULTIPART_NO_X_MAILER OUTLOOK_COM && CT_MULTIPART_NO_X_MAILER describe OUTLOOK_COM_CT_MULTIPART_NO_X_MAILER OUTLOOK_COM - CT_MULTIPART_NO_X_MAILER compensation score OUTLOOK_COM_CT_MULTIPART_NO_X_MAILER -0.4 meta OUTLOOK_COM_HEADER_SUBJECT_0A OUTLOOK_COM && HEADER_SUBJECT_0A describe OUTLOOK_COM_HEADER_SUBJECT_0A OUTLOOK_COM - HEADER_SUBJECT_0A compensation score OUTLOOK_COM_HEADER_SUBJECT_0A -0.5