#
# 2005-2007 Victor Ustugov
#
# Checking combinations of header fields requires this patch:
# http://mta.org.ua/spamassassin-3.2.0/patches/3.2.0/patch-src::MultiCaseSensHeadersCheck-3.2.0.patch
#
# Local SpamAssassin header-rule overrides. Lines starting with "#header",
# "#meta", "#describe" or "#score" are rule definitions kept for reference
# but disabled; the uncommented line that follows each group is the local
# replacement. Subrules named __CUST_*, GMAIL_COM, EBEWE_COM, __UKRNET,
# __NEW_OE_* and __RCVD_WITH_EXCHANGE_2007 are referenced below but not
# defined in this part of the file.

## negative lookahead exempts this MUA from circa 1997-2000
## X-Mailer: Microsoft Outlook Express 4.71.1712.3
## Message-ID: <01bd45da$2649cdc0$LocalHost@andrew>
#header __MSGID_DOLLARS_OK MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/m
#header __MSGID_DOLLARS_OK MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/mi
#header __MSGID_DOLLARS_MAYBE MESSAGEID =~ /<\w{4,}\$\w{4,}\$(?!localhost)\w{4,}\@\S+>/mi
#meta MSGID_DOLLARS_RANDOM __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK

# --- Unnecessary MIME encoded-words in address headers ---------------------
# __*_NEEDS_MIME matches the non-raw header against control bytes and bytes
# 0x7f-0xff, i.e. content that would justify an encoded-word.
# __*_ENCODED_QP / __*_ENCODED_B64 match an "=?charset?Q?" / "=?charset?B?"
# marker in the :raw header. The *_EXCESS_* metas fire when an encoded-word
# is present although no such byte was found.
header __TO_NEEDS_MIME To =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __TO_ENCODED_QP To:raw =~ /=\?\S+\?Q\?/i
header __TO_ENCODED_B64 To:raw =~ /=\?\S+\?B\?/i
meta TO_EXCESS_QP __TO_ENCODED_QP && !__TO_NEEDS_MIME
describe TO_EXCESS_QP To: quoted-printable encoded unnecessarily
score TO_EXCESS_QP 1.0
meta TO_EXCESS_BASE64 __TO_ENCODED_B64 && !__TO_NEEDS_MIME
describe TO_EXCESS_BASE64 To: base64 encoded unnecessarily
score TO_EXCESS_BASE64 1.2

header __REPLY_TO_NEEDS_MIME Reply-To =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __REPLY_TO_ENCODED_QP Reply-To:raw =~ /=\?\S+\?Q\?/i
header __REPLY_TO_ENCODED_B64 Reply-To:raw =~ /=\?\S+\?B\?/i
meta REPLY_TO_EXCESS_QP __REPLY_TO_ENCODED_QP && !__REPLY_TO_NEEDS_MIME
describe REPLY_TO_EXCESS_QP Reply-To: quoted-printable encoded unnecessarily
score REPLY_TO_EXCESS_QP 1.0
meta REPLY_TO_EXCESS_BASE64 __REPLY_TO_ENCODED_B64 && !__REPLY_TO_NEEDS_MIME
describe REPLY_TO_EXCESS_BASE64 Reply-To: base64 encoded unnecessarily
score REPLY_TO_EXCESS_BASE64 1.2

header __CC_NEEDS_MIME Cc =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __CC_ENCODED_QP Cc:raw =~ /=\?\S+\?Q\?/i
header __CC_ENCODED_B64 Cc:raw =~ /=\?\S+\?B\?/i
meta CC_EXCESS_QP __CC_ENCODED_QP && !__CC_NEEDS_MIME
describe CC_EXCESS_QP Cc: quoted-printable encoded unnecessarily
score CC_EXCESS_QP 1.0
meta CC_EXCESS_BASE64 __CC_ENCODED_B64 && !__CC_NEEDS_MIME
describe CC_EXCESS_BASE64 Cc: base64 encoded unnecessarily
score CC_EXCESS_BASE64 1.2

# --- Raw illegal characters in headers --------------------------------------
# Each header gets a pair: *_ILLEGAL_CHARS (third argument '2') and
# *_ILLEGAL_CHAR (third argument '1', and only when the *_CHARS rule did not
# fire), so one message scores on at most one rule of a pair.
# The three arguments are presumably header name, minimum ratio and minimum
# count as taken by HeaderEval's check_illegal_chars; confirm against the
# installed plugin.
# For Subject, From and ALL only the score is set here; the rule definitions
# are commented out, so they presumably come from the stock ruleset.
#header SUBJ_ILLEGAL_CHARS eval:check_illegal_chars('Subject','0.00','2')
#describe SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters
#score SUBJ_ILLEGAL_CHARS 3.360 3.360 3.978 4.279
score SUBJ_ILLEGAL_CHARS 0.5
header __SUBJ_ILLEGAL_CHAR eval:check_illegal_chars('Subject','0.00','1')
meta SUBJ_ILLEGAL_CHAR __SUBJ_ILLEGAL_CHAR && !SUBJ_ILLEGAL_CHARS
describe SUBJ_ILLEGAL_CHAR Subject: has raw illegal character
score SUBJ_ILLEGAL_CHAR 0.2

#header FROM_ILLEGAL_CHARS eval:check_illegal_chars('From','0.20','2')
#describe FROM_ILLEGAL_CHARS From: has too many raw illegal characters
#score FROM_ILLEGAL_CHARS 3.280 3.280 3.792 4.100
score FROM_ILLEGAL_CHARS 0.5
header __FROM_ILLEGAL_CHAR eval:check_illegal_chars('From','0.20','1')
meta FROM_ILLEGAL_CHAR __FROM_ILLEGAL_CHAR && !FROM_ILLEGAL_CHARS
describe FROM_ILLEGAL_CHAR From: has raw illegal character
score FROM_ILLEGAL_CHAR 0.2

#header HEAD_ILLEGAL_CHARS eval:check_illegal_chars('ALL','0.010','2')
#describe HEAD_ILLEGAL_CHARS Headers have too many raw illegal characters
#score HEAD_ILLEGAL_CHARS 1.652 1.519 1.796 1.606
score HEAD_ILLEGAL_CHARS 0.5
header __HEAD_ILLEGAL_CHAR eval:check_illegal_chars('ALL','0.010','1')
meta HEAD_ILLEGAL_CHAR __HEAD_ILLEGAL_CHAR && !HEAD_ILLEGAL_CHARS
describe HEAD_ILLEGAL_CHAR Headers have raw illegal character
score HEAD_ILLEGAL_CHAR 0.2

# To, Reply-To and Cc are defined locally in full. Note the second argument
# differs within each pair: '0.20' on *_CHARS, '0.00' on the *_CHAR subrule.
header TO_ILLEGAL_CHARS eval:check_illegal_chars('To','0.20','2')
describe TO_ILLEGAL_CHARS To: has too many raw illegal characters
score TO_ILLEGAL_CHARS 0.5
header __TO_ILLEGAL_CHAR eval:check_illegal_chars('To','0.00','1')
meta TO_ILLEGAL_CHAR __TO_ILLEGAL_CHAR && !TO_ILLEGAL_CHARS
describe TO_ILLEGAL_CHAR To: has raw illegal character
score TO_ILLEGAL_CHAR 0.2

header REPLY_TO_ILLEGAL_CHARS eval:check_illegal_chars('Reply-To','0.20','2')
describe REPLY_TO_ILLEGAL_CHARS Reply-To: has too many raw illegal characters
score REPLY_TO_ILLEGAL_CHARS 0.5
header __REPLY_TO_ILLEGAL_CHAR eval:check_illegal_chars('Reply-To','0.00','1')
meta REPLY_TO_ILLEGAL_CHAR __REPLY_TO_ILLEGAL_CHAR && !REPLY_TO_ILLEGAL_CHARS
describe REPLY_TO_ILLEGAL_CHAR Reply-To: has raw illegal character
score REPLY_TO_ILLEGAL_CHAR 0.2

header CC_ILLEGAL_CHARS eval:check_illegal_chars('Cc','0.20','2')
describe CC_ILLEGAL_CHARS Cc: has too many raw illegal characters
score CC_ILLEGAL_CHARS 0.5
header __CC_ILLEGAL_CHAR eval:check_illegal_chars('Cc','0.00','1')
meta CC_ILLEGAL_CHAR __CC_ILLEGAL_CHAR && !CC_ILLEGAL_CHARS
describe CC_ILLEGAL_CHAR Cc: has raw illegal character
score CC_ILLEGAL_CHAR 0.2

# --- All-capitals Subject ---------------------------------------------------
# The eval test moves to a subrule and the scored rule additionally requires
# __CUST_Subject_7bit (defined outside this part of the file).
#header SUBJ_ALL_CAPS eval:subject_is_all_caps()
#describe SUBJ_ALL_CAPS Subject is all capitals
#score SUBJ_ALL_CAPS 1.049 1.166 0.459 0.997
header __SUBJ_ALL_CAPS eval:subject_is_all_caps()
meta SUBJ_ALL_CAPS __SUBJ_ALL_CAPS && __CUST_Subject_7bit
describe SUBJ_ALL_CAPS Subject is all capitals
score SUBJ_ALL_CAPS 1.2

# --- Forged "The Bat!" MUA (charset) ----------------------------------------
# Local version also requires both __CUST_X_Mailman_Version_EMPTY and
# __CUST_List_Id_EMPTY.
# NOTE(review): if those subrules test for absent X-Mailman-Version / List-Id
# headers (as the names suggest), remember that both headers are set by the
# sender, so their presence is not evidence of real list traffic — confirm
# the exemption is not wider than intended.
#meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED)
#describe FORGED_MUA_THEBAT_CS Mail pretending to be from The Bat! (charset)
meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED) && __CUST_X_Mailman_Version_EMPTY && __CUST_List_Id_EMPTY

# NOTE(review): the next commented-out pattern looks damaged on this page
# (stray "\]", text apparently missing); it is reproduced as found. Restore
# it from the original ruleset before re-enabling.
#header __REPTO_OVERQUOTE Reply-To =~ /"[\w. -]+"\s*\]*\@[^>]*\@/

# --- Message-ID with more than one '@' --------------------------------------
# The scored rule is suppressed only when __CUST_X_Mailer_MSO12 is true AND
# one of the __MSO12_From_Message_ID* subrules is true.
# NOTE(review): both __MSO12_From_Message_ID* definitions are commented out
# here. They use the combined "From|Message-ID:case" selector, which is
# presumably what the patch named in the file header provides. Unless they
# are defined elsewhere, the exemption depends on how the installed
# SpamAssassin evaluates undefined subrules; check with `spamassassin --lint`.
##describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
#header __MSO12_From_Message_ID1 From|Message-ID:case =~ /^[^\.]+\@[^\.]+\.([^>]+)>[\s\r\n]*\|\s*<0[\da-f]{3}01[\da-f]{6}\$[\da-f]{8}\$[\da-f]{8}\$\@\1>$/i
#header __MSO12_From_Message_ID2 From|Message-ID:case =~ /^.+\.(\S+\@[^>]+)>[\s\r\n]*\|\s*<0[\da-f]{3}01[\da-f]{6}\$[\da-z]{8}\$[\da-z]{8}\$\@\1>$/i
header __MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
meta MSGID_MULTIPLE_AT __MSGID_MULTIPLE_AT && (!__CUST_X_Mailer_MSO12 || !(__MSO12_From_Message_ID1 || __MSO12_From_Message_ID2))

# --- Outlook-style Message-ID without matching Outlook evidence -------------
# Local versions add "!__RCVD_WITH_EXCHANGE_2007" to both metas. The
# __MSGID_DOLLARS_OK and __RCVD_WITH_EXCHANGE definitions are commented out
# in this file, so they presumably come from the stock ruleset.
#header __RCVD_WITH_EXCHANGE Received =~ /with Microsoft Exchange Server/
#meta RATWARE_OUTLOOK_NONAME __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE
#describe RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found
#meta RATWARE_MS_HASH __MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE
#describe RATWARE_MS_HASH Bulk email fingerprint (msgid ms hash) found
meta RATWARE_OUTLOOK_NONAME __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE && !__RCVD_WITH_EXCHANGE_2007
meta RATWARE_MS_HASH __MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE && !__RCVD_WITH_EXCHANGE_2007

## Outlook Express 4, 5, and 6
# Local __FORGED_OE adds one more exemption: __NEW_OE_Message_ID together
# with __NEW_OE_X_Mailer.
# NOTE(review): as shown, the __OE_MSGID_3 pattern /^$/ would match only an
# empty Message-ID; it may have lost text on this page — confirm against the
# original rule.
#header __OE_MUA X-Mailer =~ /\bOutlook Express [456]\./
#header __OE_MSGID_1 MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
#header __OE_MSGID_2 MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
#header __OE_MSGID_3 MESSAGEID =~ /^$/m
#meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID)
meta __FORGED_OE __OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID && !(__NEW_OE_Message_ID && __NEW_OE_X_Mailer)

# --- Foreign charset in headers ---------------------------------------------
# The eval test moves to a subrule; the scored meta is suppressed for
# GMAIL_COM combined with a GB2312 / ISO-2022-JP base64 Subject or From
# subrule, and for EBEWE_COM.
# NOTE(review): GMAIL_COM and EBEWE_COM are defined elsewhere. If they match
# only a sender-supplied header such as From, the exemption can be claimed by
# any sender; confirm they rest on relay or authentication evidence.
# The commented-out "#describe" is not re-added for the meta, and no local
# score is set here.
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
#header CHARSET_FARAWAY_HEADER eval:check_for_faraway_charset_in_headers()
#describe CHARSET_FARAWAY_HEADER A foreign language charset used in headers
#tflags CHARSET_FARAWAY_HEADER userconf
#score CHARSET_FARAWAY_HEADER 3.200
header __CHARSET_FARAWAY_HEADER eval:check_for_faraway_charset_in_headers()
meta CHARSET_FARAWAY_HEADER __CHARSET_FARAWAY_HEADER && !(GMAIL_COM && (__CUST_Subject_BASE64_GB2312 || __CUST_Subject_BASE64_ISO_2022_JP || __CUST_From_BASE64_GB2312 || __CUST_From_BASE64_ISO_2022_JP)) && !EBEWE_COM
endif

##{ SUBJ_RE_NUM
# Local version adds "!__UKRNET" (defined elsewhere).
#meta SUBJ_RE_NUM !__THEBAT_MUA && __SUBJ_RE_NUM
#describe SUBJ_RE_NUM Subject is faking 'The Bat!' responses
meta SUBJ_RE_NUM !__THEBAT_MUA && __SUBJ_RE_NUM && !__UKRNET
##} SUBJ_RE_NUM

# Local __DOS_DIRECT_TO_MX drops the "!__DOS_HAS_LIST_UNSUB" term, so the
# subrule no longer exempts a message on that condition.
#meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT

# --- Date "grossly in the future" -------------------------------------------
# The local pattern moves the threshold from 2010 to 2011: it matches any
# Date header containing "2011" through "2099". "[if-unset: 2006]" supplies
# the value tested when the header is absent.
# NOTE(review): a hard-coded year goes stale. Once the calendar reaches 2011
# this rule hits mail carrying a correct current date, and whatever score
# applies (none is set here) is added to legitimate mail. Retire the rule or
# set its score to 0 rather than moving the year again.
#header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
#describe FH_DATE_PAST_20XX The date is grossly in the future.
#score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2
header FH_DATE_PAST_20XX Date =~ /20(1[1-9]|[2-9]\d)/ [if-unset: 2006]