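#
# 2005-2011 Victor Ustugov
#
# SpamAssassin rules that score on the Subject header (decoded "Subject" and
# raw "Subject:raw"), mostly aimed at Russian/Ukrainian spam.
#
# Notes for maintainers:
#  - Several meta rules reference subrules this file does not define:
#    __SUBJECT_ENCODED_QP, __SUBJECT_ENCODED_B64, __SUBJECT_NEEDS_MIME,
#    FROM_EXCESS_BASE64 and __CUST_Subject_BASE64_windows_1251. They must be
#    provided by another .cf in the same ruleset or the meta rules never fire.
#  - The character classes in the *_win1251 and *_koi8r rules contain literal
#    8-bit bytes (the upper-case Cyrillic ranges of those charsets, shown here
#    as Latin-1 glyphs). The file appears to rely on byte-wise matching, so
#    keep it as raw 8-bit bytes rather than re-encoding it as UTF-8; verify
#    with a real Windows-1251/KOI8-R sample after any edit.
#  - Run `spamassassin --lint` after editing; it reports syntax errors and
#    rules with no score/describe.
#

# Subject MIME-encoded although it contains nothing that needs encoding.
meta SUBJECT_EXCESS_QP __SUBJECT_ENCODED_QP && !__SUBJECT_NEEDS_MIME
describe SUBJECT_EXCESS_QP Subject: quoted-printable encoded unnecessarily
score SUBJECT_EXCESS_QP 1.5

meta SUBJECT_EXCESS_BASE64 __SUBJECT_ENCODED_B64 && !__SUBJECT_NEEDS_MIME
describe SUBJECT_EXCESS_BASE64 Subject: base64 encoded unnecessarily
score SUBJECT_EXCESS_BASE64 1.7

# Blacklisted Subject suffixes: hash-tags, "(Recipient #: N)", trailing
# number runs, "(code=...)" markers and similar tracking tokens at end of line.
header BListed_Subject_suffix Subject =~ /\s+(\#[a-z]{3,}|\/[a-z]{3,}|\(Recipient \#: \d+\)|\$\w{3,}|\.\.\.\s+[a-z\d]{3,}|\|\|\|\s+\d{3,}|\s+\*\*\*\s+[a-z]{3,}|\s+\+\+\+\s+\d{3,}|[\x23]?\d{3,}[\x23]?|\([a-z:]{3,}\)!?|\s{3}[\x80-\xff]{3,}|[a-z:]*:[a-z:]+!?|([\x80-\xFF]+ )?\#\s?\d{3,}\#?|:\s+[a-z]{3,}|\^\s+[a-z\d]{3,}|\^\s+\d{3,}\s+\^\^|[\."]\d{3,}|\#[a-z]{3,}|\^:[a-z]+|=== \d{3,} [a-z]{5,}|\(code=[a-z]{5,}\)|code=\d{5,}|((\.\.\.|\*\*\*)\s+)?\( \d+\))$/
describe BListed_Subject_suffix Subject suffix blacklisted
score BListed_Subject_suffix 1.0

# Three or more underscores followed by three or more digits at end of Subject.
header BListed_Subject_suffix2 Subject =~ /(_{3,}\d{3,})$/
describe BListed_Subject_suffix2 Subject suffix blacklisted
score BListed_Subject_suffix2 2.0

# "City prefix": a bracketed all-caps Windows-1251 word right after any
# spam-tag / Re: / Fwd: prefix, e.g. "[МОСКВА] ...". The decoded-header check
# is paired with a raw-header check that the Subject was declared Windows-1251.
header __Subject_City_prefix Subject =~ /^[\s\r\n]*(\*\*\*\*\*SPAM\*\*\*\*\*|Spam:|\[(SPAM|Spam|spam)\] |\*S\*P\*A\*M\* |\{(SPAM|Spam|spam)\??\}|\[!! SPAM\]|\[SPAM PROBABLE\]:?|\[SUSPECTED SPAM\]|Suspected Spam:|\**May be Spam\**|\**(POSSIBLE )?SPAM\**|\[Spam Probability=\d+\]|X-IMail-SPAM-Premium|X-IMail-SPAM-Connection|!! SPAM Suspect : SPAM-Statistic !!)?[\s\r\n]*(((Re|RE|re)(\[\d+\])?|Fw|Fwd):|\[Re:\d+\])?\s*[\[\{][ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß]+[\]\}]/
header __Subject_City_prefix_RAW Subject:raw =~ /^\s*=\?Windows-1251\?(Q|B)\?/i
meta Subject_City_prefix __Subject_City_prefix && __Subject_City_prefix_RAW
describe Subject_City_prefix Subject contains all caps prefix, may be city prefix
score Subject_City_prefix 1.5

# Whole Subject in capitals, Windows-1251 charset. The leading optional group
# skips common spam-filter tags and Re:/Fwd: markers before the check.
header __Subject_All_Caps_win1251 Subject =~ /^[\s\r\n]*(\*\*\*\*\*SPAM\*\*\*\*\*|Spam:|\[(SPAM|Spam|spam)\] |\*S\*P\*A\*M\* |\{(SPAM|Spam|spam)\??\}|\[!! SPAM\]|\[SPAM PROBABLE\]:?|\[SUSPECTED SPAM\]|Suspected Spam:|\**May be Spam\**|\**(POSSIBLE )?SPAM\**|\[Spam Probability=\d+\]|X-IMail-SPAM-Premium|X-IMail-SPAM-Connection|!! SPAM Suspect : SPAM-Statistic !!)?[\s\r\n]*(((Re|RE|re)(\[\d+\])?|Fw|Fwd):|\[Re:\d+\])?\s*[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß\s\d!"'\#\$\%\^\&\*\(\)\-_\+=\[\]\{\}\\\/;:<>\?\.,\|]*[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß]*[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß\s\d!"'\#\$\%\^\&\*\(\)\-_\+=\[\]\{\}\\\/;:<>\?.,\|]*$/
header __Subject_All_Caps_win1251_RAW Subject:raw =~ /^\s*"?=\?Windows-1251\?(Q|B)\?/i
meta Subject_All_Caps_win1251 __Subject_All_Caps_win1251 && __Subject_All_Caps_win1251_RAW
describe Subject_All_Caps_win1251 Subject is all capitals (charset Windows-1251)
score Subject_All_Caps_win1251 1.0

# Same check for KOI8-R (upper-case Cyrillic lives in 0xE0-0xFF there, plus
# 0xB3 for the capital Yo).
header __Subject_All_Caps_koi8r Subject =~ /^[\s\r\n]*(\*\*\*\*\*SPAM\*\*\*\*\*|Spam:|\[(SPAM|Spam|spam)\] |\*S\*P\*A\*M\* |\{(SPAM|Spam|spam)\??\}|\[!! SPAM\]|\[SPAM PROBABLE\]:?|\[SUSPECTED SPAM\]|Suspected Spam:|\**May be Spam\**|\**(POSSIBLE )?SPAM\**|\[Spam Probability=\d+\]|X-IMail-SPAM-Premium|X-IMail-SPAM-Connection|!! SPAM Suspect : SPAM-Statistic !!)?[\s\r\n]*(((Re|RE|re)(\[\d+\])?|Fw|Fwd):|\[Re:\d+\])?\s*[A-Záâ÷çäå³öúéêëìíîïðòóôõæèãþûýÿùøüàñ\s\d!"'\#\$\%\^\&\*\(\)\-_\+=\[\]\{\}\\\/;:<>\?\.,\|]*[A-Záâ÷çäå³öúéêëìíîïðòóôõæèãþûýÿùøüàñ]*[A-Záâ÷çäå³öúéêëìíîïðòóôõæèãþûýÿùøüàñ\s\d!"'\#\$\%\^\&\*\(\)\-_\+=\[\]\{\}\\\/;:<>\?.,\|]*$/
header __Subject_All_Caps_koi8r_RAW Subject:raw =~ /^\s*"?=\?koi8-r\?(Q|B)\?/i
meta Subject_All_Caps_koi8r __Subject_All_Caps_koi8r && __Subject_All_Caps_koi8r_RAW
describe Subject_All_Caps_koi8r Subject is all capitals (charset koi8-r)
score Subject_All_Caps_koi8r 1.0

# Subjects used by the Gibe mass-mailer family: "Error Notice",
# "Latest Microsoft Security Update", "New Critical Patch" and so on.
header __SUBJECT_GIBE1 Subject =~ /^\s*((Fwd?|Re):\s*)?((Abort|Error|Failure) )?(Advice|Announcement|Notice|Report|Letter|Message)$/
header __SUBJECT_GIBE2 Subject =~ /^\s*((Fwd?|Re):\s*)?((Current|Last|Latest|New|Newest) )?(Critical|Security|Microsoft|Net|Network|Internet) ((Critical|Security) )?(Pack|Patch|Update|Upgrade)$/
header __SUBJECT_GIBE3 Subject =~ /^\s*((Fwd?|Re):\s*)?(Current|Last|Latest|New|Newest) ((Critical|Security|Microsoft|Net|Network|Internet) )?((Critical|Security) )?(Pack|Patch|Update|Upgrade)$/
meta SUBJECT_GIBE __SUBJECT_GIBE1 || __SUBJECT_GIBE2 || __SUBJECT_GIBE3
describe SUBJECT_GIBE GIBE subject
score SUBJECT_GIBE 4.0

header VERY_IMPORTANT_MESSAGE Subject =~ /^\s*(Serious|Significant|Very important|Important|Weighty) (message|letter)\. You (require|must|need|have) to read\.$/
describe VERY_IMPORTANT_MESSAGE Very important message
score VERY_IMPORTANT_MESSAGE 2.5

# "RE[xxxxxxxx]" where a reply counter should be but a long token is.
header Subject_Reply_broken_no Subject =~ /^\s*RE\[[a-z\d]{8,}\]$/
describe Subject_Reply_broken_no Subject of reply message with broken replies number
score Subject_Reply_broken_no 1.5

# "Re[N]:" followed only by whitespace/underscores, in an over-encoded message.
header __Subject_Reply_Empty2 Subject =~ /^\s*Re\[\d+\]:[\s_]+$/
meta Subject_Reply_Empty2 __Subject_Reply_Empty2 && (SUBJECT_EXCESS_QP || FROM_EXCESS_BASE64)
describe Subject_Reply_Empty2 Encoded Subject of reply message is empty
score Subject_Reply_Empty2 2.0

# Subject is exactly the same word twice ("abc abc").
header Subject_Twiced_Word Subject =~ /^\s*([\da-z]+)\s+\1$/
describe Subject_Twiced_Word Subject with two the same words
score Subject_Twiced_Word 1.5

# Three or more spaces followed by a single word at end of Subject.
# Was previously also named BListed_Subject_suffix2, which collided with the
# /(_{3,}\d{3,})$/ rule above; with a duplicate name only one of the two
# definitions survives parsing (whichever the parser keeps), so this one was
# given its own name. Scores are unchanged.
header BListed_Subject_suffix4 Subject =~ /\s{3,}\w+$/
describe BListed_Subject_suffix4 Subject suffix blacklisted
score BListed_Subject_suffix4 0.5

# Timestamp "dd.mm.200x hh:mm:ss" at end of Subject. Note the hard-coded
# "200\d" year: this stops matching for dates from 2010 onwards.
header BListed_Subject_suffix3 Subject =~ /\d\d\.\d\d\.200\d \d\d:\d\d:\d\d$/
describe BListed_Subject_suffix3 Subject suffix blacklisted
score BListed_Subject_suffix3 0.5

header BListed_Subject_prefix1 Subject =~ /^\s*\(\d\):/
describe BListed_Subject_prefix1 Subject prefix blacklisted
score BListed_Subject_prefix1 1.5

header SUBJECT_RECIPIENT_ID Subject =~ /\([Rr]ecipient ?\#: \d+\)\s*$/
describe SUBJECT_RECIPIENT_ID Subject contains recipient id
score SUBJECT_RECIPIENT_ID 3.0

# NOTE(review): RCPT_IN_SUBJECT and SUBJECT_DEAR_TO match against two headers
# ("To|Subject") and expect a literal "|" between them; confirm this header
# syntax is supported by the SpamAssassin version in use, otherwise the rules
# will never fire.
header RCPT_IN_SUBJECT To|Subject =~ /^\s*(?:[a-z\s\-\.]+|".+")?\s*?[\r\n\s]*\|\s*[Tt]o: ?$/
describe RCPT_IN_SUBJECT Recipient mailbox there is in Subject header
score RCPT_IN_SUBJECT 2.0

# Bare "Re:" Subject in an over-encoded message (case-insensitive).
header __Subject_Reply_Empty Subject =~ /^\s*Re:\s*$/i
meta Subject_Reply_Empty __Subject_Reply_Empty && (SUBJECT_EXCESS_QP || FROM_EXCESS_BASE64)
describe Subject_Reply_Empty Encoded Subject of reply message is empty
score Subject_Reply_Empty 1.5

header __Subject_Double_Reply_Empty Subject =~ /^\s*Re:\s*RE:\s*$/
meta Subject_Double_Reply_Empty __Subject_Double_Reply_Empty && (SUBJECT_EXCESS_QP || FROM_EXCESS_BASE64)
describe Subject_Double_Reply_Empty Encoded Subject of reply message is empty
score Subject_Double_Reply_Empty 2.0

# Subject consisting only of punctuation/garbage, combined with a base64
# Windows-1251 encoding check defined elsewhere.
header __SUSPICIOUS_SUBJECT Subject =~ /^\s*(\}+|\`+|;_\)|;"\(|\+{2,}\)|!|\?|\@|&|\+|=\]|\/'|\)\(|={1,5}-|(\||;|>|=|\-|\/|\)|\(|\.|\$|\?|:|~){1,30})\s*$/
meta SUSPICIOUS_SUBJECT __SUSPICIOUS_SUBJECT && __CUST_Subject_BASE64_windows_1251
describe SUSPICIOUS_SUBJECT Suspicious header Subject
score SUSPICIOUS_SUBJECT 3.0

# Header value itself starts with "Subject: " (header name duplicated).
header SUBJECT_DOUBLED_NAME Subject =~ /^\s*Subject: /
describe SUBJECT_DOUBLED_NAME header Subject with doubled name
score SUBJECT_DOUBLED_NAME 2.0

# "Dear <address>" in Subject where <address> is the To: address (backref \1).
header SUBJECT_DEAR_TO To|Subject =~ /<(\S+\@\S+)>[\s\r\n]*\|\s*Dear \1/
describe SUBJECT_DEAR_TO header Subject contains "Dear" and address from header To
score SUBJECT_DEAR_TO 3.0

# Subject is a Ukrainian SMS-to-mail gateway address (380 + 9 digits).
# The dots in "sms.mts.com.ua" are now escaped, matching the kyivstar branch;
# the unescaped form also matched arbitrary characters in those positions.
header SUBJECT_SMS Subject =~ /^\s*380\d\d\d\d\d\d\d\d\d\@(sms2?\.kyivstar\.net|sms\.mts\.com\.ua)$/
describe SUBJECT_SMS header Subject contains SMS2Mail address
score SUBJECT_SMS 2.0

header SUBJECT_MSG_ID Subject =~ /^\s*MSG ID:\d{5}\s/
describe SUBJECT_MSG_ID header Subject contains MSG ID
score SUBJECT_MSG_ID 2.0

# SUBJECT_NUM is a strict subset of SUSPICIOUS_SUBJECT_PREFIX (same prefix
# plus a trailing whitespace requirement), so a "[N]: ..." Subject scores
# both (2.0 + 1.5). Keep that in mind when tuning either score.
header SUBJECT_NUM Subject =~ /^\s*\[\d\]:\s/
describe SUBJECT_NUM header Subject begins with number
score SUBJECT_NUM 2.0

header SUSPICIOUS_SUBJECT_PREFIX Subject =~ /^\s*\[\d\]:/
describe SUSPICIOUS_SUBJECT_PREFIX Suspicious prefix in header Subject
score SUSPICIOUS_SUBJECT_PREFIX 1.5

# Mis-decoded reply prefix ("på: " is what a certain broken encoder emits
# instead of "Re: "); contains an 8-bit byte, see the charset note above.
header SUSPICIOUS_SUBJECT_PREFIX_Re Subject =~ /^\s*på: /
describe SUSPICIOUS_SUBJECT_PREFIX_Re Suspicious prefix in header Subject
score SUSPICIOUS_SUBJECT_PREFIX_Re 1.5

header SUSPICIOUS_SUBJECT_RE Subject =~ /^\s*R[eE]$/
describe SUSPICIOUS_SUBJECT_RE Suspicious header Subject
score SUSPICIOUS_SUBJECT_RE 1.5

# Entire Subject wrapped in braces; the _NULL variant requires a trailing NUL
# byte, which a legitimate client never emits, hence the higher score.
header SUSPICIOUS_SUBJECT_BRACES Subject =~ /^\s*\{.{5,}\}\s*$/
describe SUSPICIOUS_SUBJECT_BRACES There are braces in begin and end of header Subject
score SUSPICIOUS_SUBJECT_BRACES 1.5

header SUSPICIOUS_SUBJECT_BRACES_NULL Subject =~ /^\s*\{.{5,}\}\x00\s*$/
describe SUSPICIOUS_SUBJECT_BRACES_NULL There are braces in begin and end of header Subject
score SUSPICIOUS_SUBJECT_BRACES_NULL 3.5

# Raw Subject mixes a "?B?" and a "?Q?" encoded-word (in either order).
# NOTE(review): ".+\?=(.*[\r\n])*.*=\?" nests unbounded quantifiers; on a long
# folded Subject that nearly matches this can backtrack heavily. Consider
# replacing ".+" and ".*" with negated classes (e.g. "[^?]+") if rule timing
# shows this pair as expensive.
header __SUSPICIOUS_SUBJECT_ENCODED_TWICE1 Subject:raw =~ /=\?[a-z\-\d]+\?b\?.+\?=(.*[\r\n])*.*=\?[a-z\-\d]+\?q\?.+\?=/i
header __SUSPICIOUS_SUBJECT_ENCODED_TWICE2 Subject:raw =~ /=\?[a-z\-\d]+\?q\?.+\?=(.*[\r\n])*.*=\?[a-z\-\d]+\?b\?.+\?=/i
meta SUSPICIOUS_SUBJECT_ENCODED_TWICE __SUSPICIOUS_SUBJECT_ENCODED_TWICE1 || __SUSPICIOUS_SUBJECT_ENCODED_TWICE2
describe SUSPICIOUS_SUBJECT_ENCODED_TWICE There are both BASE64 and QP encoding in header Subject
score SUSPICIOUS_SUBJECT_ENCODED_TWICE 1.0

# Encoded-word with an empty payload. This matches the *decoded* Subject, so
# it presumably relies on the decoder leaving an empty encoded-word untouched;
# verify against the SpamAssassin version in use.
header SUBJECT_EMPTY_ENCODED Subject =~ /^\s*=\?windows-1251\?(B|Q)\?\?=$/
describe SUBJECT_EMPTY_ENCODED Empty but encoded header Subject
score SUBJECT_EMPTY_ENCODED 2.0

# Encoded-word with an empty charset field ("=??Q?...?=").
header HEADER_SUBJECT_CHARSET_MISSING Subject:raw =~ /^\s*=\?\?[QB]\?.+\?=$/i
describe HEADER_SUBJECT_CHARSET_MISSING Charset missing in encoded header Subject
score HEADER_SUBJECT_CHARSET_MISSING 3.0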