#
# 2008-2024 Victor Ustugov
#
# SpamAssassin header rules: each `header NAME Header =~ /re/` line defines a
# test, `describe`/`score`/`tflags` attach text, points and flags to it, and
# names starting with `__` are unscored sub-rules combined by `meta` lines.
#
# NOTE(review): this copy looks extraction-damaged. Text that sat between '<'
# and '>' (typically the address part of a From/Reply-To pattern) appears to
# have been dropped, in places together with the directives that followed it.
# Where a `header` name is followed by describe/score lines for a different
# name, treat the rule as incomplete and restore it from the upstream file
# before loading; run `spamassassin --lint` and a ham/spam corpus check after.
# NOTE(review): `mandatory_learn` is not, as far as I know, a stock
# SpamAssassin tflag; presumably a local patch or plugin consumes it. Confirm.
########################################

header PBS_COM_UA Received =~ /\b(from pbs\.com\.ua|helo=pbs\.com\.ua)/
describe PBS_COM_UA Message from pbs.com.ua (sa-learn_candidate, not_classified)
score PBS_COM_UA 1.0

########################################

# NOTE(review): the dots in `gainrepinvitation.com` and `gainrepinvite.com`
# are unescaped, so each matches any character; `\.` is presumably intended.
header FROM_GAINREP From =~ /<(invite\@gainrepinvitation.com|invite\@gainrepinvite.com)>$/
describe FROM_GAINREP Message from www.gainrepl.com (bayes_recheck, sa-learn_candidate, not_classified)
score FROM_GAINREP 3.0

########################################

# From in a foreign TLD combined with a Reply-To under .gov.ua. Four tiers
# share the Reply-To sub-rule and differ only in the From TLD list and score.
# NOTE(review): the Reply-To sub-rule requires a closing '>' while the From
# sub-rules accept `>?`, so a bare-address Reply-To would not match. Confirm
# that is intended.
# NOTE(review): tiers 1-3 score 15.0 / 10.0 / 6.0, i.e. each alone exceeds the
# stock required_score of 5.0, on headers the sender fully controls.
header __Reply_To_gov_ua Reply-To =~ /\.gov\.ua>$/

header __STRANGE_ID_GOV_UA_1_From From =~ /\.(ru|by)>?$/
meta STRANGE_ID_GOV_UA_1 __STRANGE_ID_GOV_UA_1_From && __Reply_To_gov_ua
describe STRANGE_ID_GOV_UA_1 Strange combination of From and Reply-To domains (DSPAM_autolearn, already_read, bayes_recheck, sa-learn_candidate, not_classified)
score STRANGE_ID_GOV_UA_1 15.0
tflags STRANGE_ID_GOV_UA_1 mandatory_learn

header __STRANGE_ID_GOV_UA_2_From From =~ /\.(cn|hk|tw|ir|vn|tk|cf|kr|jp|id|in|ar|br|pe|cl|mx)>?$/
meta STRANGE_ID_GOV_UA_2 __STRANGE_ID_GOV_UA_2_From && __Reply_To_gov_ua
describe STRANGE_ID_GOV_UA_2 Strange combination of From and Reply-To domains (DSPAM_autolearn, already_read, bayes_recheck, sa-learn_candidate, not_classified)
score STRANGE_ID_GOV_UA_2 10.0
tflags STRANGE_ID_GOV_UA_2 mandatory_learn

header __STRANGE_ID_GOV_UA_3_From From =~ /\.(us|ca|il|uk|it|at|de|pl|sk)>?$/
meta STRANGE_ID_GOV_UA_3 __STRANGE_ID_GOV_UA_3_From && __Reply_To_gov_ua
describe STRANGE_ID_GOV_UA_3 Strange combination of From and Reply-To domains (DSPAM_autolearn, already_read, bayes_recheck, sa-learn_candidate, not_classified)
score STRANGE_ID_GOV_UA_3 6.0
tflags STRANGE_ID_GOV_UA_3 mandatory_learn

# Tier 4 (.com) is the weakest: the longer describe and the tflags line are
# commented out, leaving a 4.0 score without mandatory_learn.
header __STRANGE_ID_GOV_UA_4_From From =~ /\.com>?$/
meta STRANGE_ID_GOV_UA_4 __STRANGE_ID_GOV_UA_4_From && __Reply_To_gov_ua
#describe STRANGE_ID_GOV_UA_4 Strange combination of From and Reply-To domains (DSPAM_autolearn, already_read, bayes_recheck, sa-learn_candidate, not_classified)
describe STRANGE_ID_GOV_UA_4 Strange combination of From and Reply-To domains (sa-learn_candidate, not_classified)
score STRANGE_ID_GOV_UA_4 4.0
#tflags STRANGE_ID_GOV_UA_4 mandatory_learn

########################################

# Matches on the display name only (pattern is anchored at the start, open at
# the end).
header NIBULON_PROBABLY_INFECTED From =~ /^\s*ТОВ СП Нiбулон/
describe NIBULON_PROBABLY_INFECTED Probably infected message (DSPAM_autolearn, already_read, bayes_recheck, sa-learn_candidate, not_classified)
score NIBULON_PROBABLY_INFECTED 8.0
tflags NIBULON_PROBABLY_INFECTED mandatory_learn

########################################

# Papa_Agency MailWizz
# List-Id: cj462qw02hca7
# List-Id: zr053tajrn592
# List-Id: gn010jkjxfdcc
# List-Id: ox951nk0ad666
# NOTE(review): the pattern ends in a literal space before `$`; a bracketed
# part of the List-Id was presumably lost from this copy. Verify upstream.
header Papa_Agency_MailWizz_List_Id List-Id =~ /^\s*[a-z\d]{13} $/
describe Papa_Agency_MailWizz_List_Id Maybe message from Papa_Agency MailWizz (sa-learn_candidate, not_classified)
score Papa_Agency_MailWizz_List_Id 2.0

########################################

# NOTE(review): the header rule is FAKE_DPS but the describe/score/tflags
# below name FAKE_PRIVAT_24_ZA. As shown, FAKE_DPS has no score line and
# FAKE_PRIVAT_24_ZA has no test on this page.
header FAKE_DPS From =~ /^\s*ДПС Украiни gov\.ua \s*$/
describe FAKE_PRIVAT_24_ZA Fake header From (DSPAM_autolearn, bayes_recheck, not_classified)
score FAKE_PRIVAT_24_ZA 10.0
tflags FAKE_PRIVAT_24_ZA mandatory_learn

########################################

# NOTE(review): same mismatch here. The test is FROM_Jetmail, the metadata
# belongs to Reply_To_mail_at_mail_com.
header FROM_Jetmail From =~ /^\s*"(JETMAIL|JetMail|Jetmail|JetMailOne|Jetmailone|Jetmail Traffic)" $/
describe Reply_To_mail_at_mail_com Reply-To: (DSPAM_autolearn, sa-learn_candidate)
score Reply_To_mail_at_mail_com 4.0
tflags Reply_To_mail_at_mail_com mandatory_learn

########################################

# These two test non-standard header names (`Mesage-Id`, `Unsubscribe-link`);
# the describe text suggests the misspelled header itself is the signal.
header Mesage_Id_space Mesage-Id =~ /^\s*[A-Z\d]+ [A-Z\d]+$/
describe Mesage_Id_space Strange header with strange value
score Mesage_Id_space 5.0

header Unsubscribe_link_broken Unsubscribe-link =~ /^\s*https:\/\/[A-Z\d]+\/unsubscribe$/
describe Unsubscribe_link_broken Strange header with strange value
score Unsubscribe_link_broken 5.0

# Message-ID whose host part is the truncated string `microsof-` plus hex.
header SUSPICIOUS_Message_ID_microsof Message-ID =~ /^\s*<[A-F\d]{32}\@microsof-[\da-f]{6,10}>$/
describe SUSPICIOUS_Message_ID_microsof Suspicious Message-ID microsof (DSPAM_autolearn)
score SUSPICIOUS_Message_ID_microsof 4.0
tflags SUSPICIOUS_Message_ID_microsof mandatory_learn

########################################

# Look-alike local parts at freemail.hu: `l` in place of `i`, `0` in place of
# `o`. The same alternation is checked in From, X-Envelope-From and
# Return-Path, so a single message can collect all three scores.
header FROM_administrator_freemail_hu From =~ /(admlnistrator|adminlstrator|p0stmasters?)\@freemail\.hu/
describe FROM_administrator_freemail_hu From administrator@freemail.hu (DSPAM_autolearn)
score FROM_administrator_freemail_hu 4.0

header ENV_FROM_administrator_freemail_hu X-Envelope-From =~ /^\s*<(admlnistrator|adminlstrator|p0stmasters?)\@freemail\.hu>$/
describe ENV_FROM_administrator_freemail_hu From administrator@freemail.hu (DSPAM_autolearn)
score ENV_FROM_administrator_freemail_hu 4.0

header RETURN_PATH_administrator_freemail_hu Return-Path =~ /^\s*<(admlnistrator|adminlstrator|p0stmasters?)\@freemail\.hu>$/
describe RETURN_PATH_administrator_freemail_hu From administrator@freemail.hu (DSPAM_autolearn)
score RETURN_PATH_administrator_freemail_hu 4.0

########################################

# NOTE(review): the dots in `Logistics-Partner.com.ua` are unescaped and match
# any character; `\.` is presumably intended.
header Logistics_Partner_Organization Organization =~ /^\s*Logistics-Partner.com.ua$/
describe Logistics_Partner_Organization Message from Logistics Partner (DSPAM_autolearn, bayes_recheck, sa-learn_candidate)
score Logistics_Partner_Organization 3.0
tflags Logistics_Partner_Organization mandatory_learn

# From: "Logistics Partner UA"
header Logistics_Partner_From From =~ /^\s*"Logistics Partner UA" $/
describe Logistics_Partner_From Message from Logistics Partner (DSPAM_autolearn, bayes_recheck, sa-learn_candidate)
score Logistics_Partner_From 3.0
tflags Logistics_Partner_From mandatory_learn

# Reply-To: "Logistics Partner"
header Logistics_Partner_Reply_To Reply-To =~ /^\s*"Logistics Partner" $/
describe Logistics_Partner_Reply_To Message from Logistics Partner (DSPAM_autolearn, bayes_recheck, sa-learn_candidate)
score Logistics_Partner_Reply_To 3.0
tflags Logistics_Partner_Reply_To mandatory_learn
########################################

# NOTE(review): this copy looks extraction-damaged. Text between '<' and '>'
# and most non-ASCII text appear to have been dropped, leaving empty patterns
# (`//`, `/$/`), empty alternation branches and header rules followed by
# another rule's describe/score. An empty pattern matches any value, so do not
# load such rules as shown; restore them from the upstream file first.

# Infomedia: one sender fingerprinted through many independent headers. The
# rules are additive, so a message carrying several of these markers collects
# every matching score.
# `exists:` rules fire on the mere presence of the header.
header Infomedia_X_Express_LID exists:X-Express-LID
describe Infomedia_X_Express_LID Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_X_Express_LID 2.0
tflags Infomedia_X_Express_LID mandatory_learn

header Infomedia_X_Express_RecptId exists:X-Express-RecptId
describe Infomedia_X_Express_RecptId Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_X_Express_RecptId 2.0
tflags Infomedia_X_Express_RecptId mandatory_learn

header Infomedia_X_Express_SID exists:X-Express-SID
describe Infomedia_X_Express_SID Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_X_Express_SID 2.0
tflags Infomedia_X_Express_SID mandatory_learn

header Infomedia_X_Express_Sent_By exists:X-Express-Sent-By
describe Infomedia_X_Express_Sent_By Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_X_Express_Sent_By 2.0
tflags Infomedia_X_Express_Sent_By mandatory_learn

header Infomedia_Mailer X-Mailer =~ /^\s*Infomedia Mailer \d+\.\d+$/
describe Infomedia_Mailer Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_Mailer 3.0
tflags Infomedia_Mailer mandatory_learn

# NOTE(review): the trailing alternatives are blank/garbled on this copy
# (presumably non-ASCII organisation names); as shown they match
# whitespace-only values.
header Infomedia_Organization Organization =~ /^\s*(Infomedia( LLC)?| | ..| )$/
describe Infomedia_Organization Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_Organization 3.0
tflags Infomedia_Organization mandatory_learn

# Unanchored: matches the listed addresses anywhere in the From header.
header Infomedia_From From =~ /(.+\@ethno\.ua|infomedia\@ethnoexpress\.com|notify\@center1\.com\.ua|noreply\@ethnostyling\.com|promotion\@regularnewsletter\.com|promo(tion)?\@infoletter\.com\.ua|noreply\@fastmail\.com\.ua|\S+\@geomail\.com\.ua)/
describe Infomedia_From Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_From 4.0
tflags Infomedia_From mandatory_learn

header Infomedia_From_realname From =~ /("Ethno Infomedia"|Ethno Safe)/
describe Infomedia_From_realname Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_From_realname 4.0
tflags Infomedia_From_realname mandatory_learn

header Infomedia_Reply_To Reply-To =~ /^\s*((seminar|promotion)\@(infomedia\.com\.ua|ethno\.ua)|info\@ethnosafe\.com|info\@ethno\.ua)$/
describe Infomedia_Reply_To Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_Reply_To 3.0
tflags Infomedia_Reply_To mandatory_learn

# Message-Id shaped as <YYYYMMDDhhmmss.HEX@host.ethnohosting.com>.
header Infomedia_Message_Id Message-Id =~ /^\s*<(19[789]\d|20\d\d)(0\d|1[012])([012]\d|3[01])([0-5]\d)([0-5]\d)([0-5]\d)\.[A-F\d]{11,12}\@(srv\d|apollo)\.ethnohosting\.com>$/
describe Infomedia_Message_Id Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_Message_Id 3.0
tflags Infomedia_Message_Id mandatory_learn

# NOTE(review): `\.d\+` matches the literal text ".d+"; `\.\d+` looks intended.
# The pattern also has no angle brackets, unlike the other Message-Id rules
# in this group, so it may never match a conventional Message-Id. Confirm.
header Infomedia_Message_Id_geomail Message-Id =~ /^\s*\d+\.[\dA-F]+\.d\+\@geomail\.com\.ua$/
describe Infomedia_Message_Id_geomail Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_Message_Id_geomail 3.0
tflags Infomedia_Message_Id_geomail mandatory_learn

header Infomedia_Message_Id_ethnoexpress Message-ID =~ /^\s*<[\da-z]{32}\@my\.ethnoexpress\.com>$/
describe Infomedia_Message_Id_ethnoexpress Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_Message_Id_ethnoexpress 3.0
tflags Infomedia_Message_Id_ethnoexpress mandatory_learn

# NOTE(review): only `, ` survives of this pattern; the bracketed URLs are
# presumably missing from this copy.
header Infomedia_List_Unsubscribe List-Unsubscribe =~ /^\s*, $/
describe Infomedia_List_Unsubscribe Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_List_Unsubscribe 3.0
tflags Infomedia_List_Unsubscribe mandatory_learn

# NOTE(review): the test is Infomedia_List_Unsubscribe2 but the metadata names
# Infomedia_List_Unsubscribe3; as shown the former has no score line and the
# latter no test.
header Infomedia_List_Unsubscribe2 List-Unsubscribe =~ /\s*, $/
describe Infomedia_List_Unsubscribe3 Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_List_Unsubscribe3 3.0
tflags Infomedia_List_Unsubscribe3 mandatory_learn

header Infomedia_List_Unsubscribe_unsubscribe_com_ua List-Unsubscribe =~ /http:\/\/www\.unsubscribe\.com\.ua\//
describe Infomedia_List_Unsubscribe_unsubscribe_com_ua Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_List_Unsubscribe_unsubscribe_com_ua 3.0
tflags Infomedia_List_Unsubscribe_unsubscribe_com_ua mandatory_learn

header Infomedia_List_Id List-Id =~ /^\s*<.+\.ethnopromo\.com>$/
describe Infomedia_List_Id Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_List_Id 3.0
tflags Infomedia_List_Id mandatory_learn

# NOTE(review): as shown this matches only an empty or whitespace-only
# List-Owner value; the address was presumably lost from this copy.
header Infomedia_List_Owner List-Owner =~ /^\s*$/
describe Infomedia_List_Owner Message from Infomedia (sa-learn_candidate) (DSPAM_autolearn)
score Infomedia_List_Owner 3.0
tflags Infomedia_List_Owner mandatory_learn

header RECEIVED_ethnohosting_com Received =~ /(juno|srv5|atlas|apollo|leto)\.ethnohosting\.com/
describe RECEIVED_ethnohosting_com Received via ethnohosting.com (sa-learn_candidate) (DSPAM_autolearn)
score RECEIVED_ethnohosting_com 3.5
tflags RECEIVED_ethnohosting_com mandatory_learn

########################################

# Fixed HELO / Message-ID host string "Delldim5150". Each base rule has a
# companion meta, only defined when the DSPAM plugin is loaded, that adds
# 3.5 more when DSPAM_CHECK_00_01 (defined outside this page) also hits.
header SUSPICIOUS_RECEIVED_HELO_Delldim5150 Received =~ /from ([\w\d\-]+\.)+[a-z]{2,3} \(HELO Delldim5150\)[\s\r\n]+\(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\) by ([\w\d\-]+\.)+[a-z]{2,3} with ESMTP;/
describe SUSPICIOUS_RECEIVED_HELO_Delldim5150 Suspicious header Received with HELO Delldim5150 (DSPAM_autolearn)
score SUSPICIOUS_RECEIVED_HELO_Delldim5150 6.0

ifplugin Mail::SpamAssassin::Plugin::DSPAM
meta SUSPICIOUS_RECEIVED_HELO_Delldim5150_DSPAM SUSPICIOUS_RECEIVED_HELO_Delldim5150 && DSPAM_CHECK_00_01
describe SUSPICIOUS_RECEIVED_HELO_Delldim5150_DSPAM DSPAM compensation for suspicious header Received with HELO Delldim5150
score SUSPICIOUS_RECEIVED_HELO_Delldim5150_DSPAM 3.5
endif

# NOTE(review): the pattern opens with '<' but ends at `Delldim5150$` with no
# closing '>'; a Message-ID of the form <...@Delldim5150> would not match.
# Confirm whether the observed IDs really lack the bracket.
header SUSPICIOUS_MSGID_Delldim5150 Message-ID =~ /^\s*<\S+\@Delldim5150$/
describe SUSPICIOUS_MSGID_Delldim5150 Suspicious header Message-ID with Delldim5150 (DSPAM_autolearn)
score SUSPICIOUS_MSGID_Delldim5150 6.0

ifplugin Mail::SpamAssassin::Plugin::DSPAM
meta SUSPICIOUS_MSGID_Delldim5150_DSPAM SUSPICIOUS_MSGID_Delldim5150 && DSPAM_CHECK_00_01
describe SUSPICIOUS_MSGID_Delldim5150_DSPAM DSPAM compensation for Suspicious header Message-ID with Delldim5150
score SUSPICIOUS_MSGID_Delldim5150_DSPAM 3.5
endif

########################################

# X-Mailer: TOL Mailer
# A constant MIME boundary string: legitimate mailers generate a unique one.
header CT_SUSP_BOUNDARY_TOL_Mailer Content-Type =~ /boundary=_0_\.__\.__TOL__Mailer__Part_Boundary_$/
describe CT_SUSP_BOUNDARY_TOL_Mailer Suspicious non-unique boundary (DSPAM_autolearn)
score CT_SUSP_BOUNDARY_TOL_Mailer 3.0

header SMSCENTRE_FROM From =~ /^\s*<(sales|info)\@smscentre\.com\.ua>$/
describe SMSCENTRE_FROM Message from sales@smscentre.com.ua (DSPAM_autolearn)
score SMSCENTRE_FROM 4.0
tflags SMSCENTRE_FROM mandatory_learn

# NOTE(review): `^\s` demands exactly one leading whitespace character; the
# sibling rules use `^\s*`, which looks like what was meant here.
header SMSCENTRE_X_SENDER X-Sender =~ /^\s(sales|info)\@smscentre\.com\.ua$/
describe SMSCENTRE_X_SENDER Message from sales@smscentre.com.ua (DSPAM_autolearn)
score SMSCENTRE_X_SENDER 4.0
tflags SMSCENTRE_X_SENDER mandatory_learn

header SMSCENTRE_RET_RCPT_TO Return-Receipt-To =~ /^\s*<(sales|info)\@smscentre\.com\.ua>$/
describe SMSCENTRE_RET_RCPT_TO Message from sales@smscentre.com.ua (DSPAM_autolearn)
score SMSCENTRE_RET_RCPT_TO 2.0
tflags SMSCENTRE_RET_RCPT_TO mandatory_learn

header SMSCENTRE_DISP_NOTIF_TO Disposition-Notification-To =~ /^\s*<(sales|info)\@smscentre\.com\.ua>$/
describe SMSCENTRE_DISP_NOTIF_TO Message from sales@smscentre.com.ua (DSPAM_autolearn)
score SMSCENTRE_DISP_NOTIF_TO 2.0
tflags SMSCENTRE_DISP_NOTIF_TO mandatory_learn

header SMSCENTRE_X_Originating_IP X-Originating-IP =~ /^\s*\[89\.252\.18\.236\]$/
describe SMSCENTRE_X_Originating_IP Message from sales@smscentre.com.ua (DSPAM_autolearn)
score SMSCENTRE_X_Originating_IP 4.0
tflags SMSCENTRE_X_Originating_IP mandatory_learn

########################################

# NOTE(review): the alternation below has lost most of its (presumably
# Cyrillic) text and now contains empty branches (`||`), so as shown it also
# matches an empty Subject. The describe/score/tflags that follow belong to
# MAIDAN_ORG_UA_FROM, whose own header line is not on this page. Restore from
# upstream before use.
header __RealName_BListed_From_Subj Subject =~ /^\s*((Re(\[\d+\])|Fw|Fwd):)?\s*(Building|Cep|Conference services|C epa|goodyear|Ground-2005|H o ec|Kap. Ox|Ko|Kcao e|Kao e|K pa |LOGISTIKA|OBRIY CONSULTING COMPANY|Ofshore|Oeoc|Oeo|Oo|Oc|Petr Petrovich|Pe e|tyre|Tyre|UkrBusinessConsulting-2000|Vega Consulting|Vengriya| |.*"?"?||x-c|x-|xap|xep|x|-oca|-o|-c|aep|ap|p|||ea pe coao C|a ae epoo |e-p|c|-.*"?"?|e|||| || || ||p| ||ep Pa ppaec|ep Pa ppae|ep Pa paa|e P eaeca|e ppec|p P pec|p P ppc| P peea| e a| a ppaca| a paa| epa|a Bep|aa. |oc |oao e|oao p|oa ep|oo ep| |ca p|-|a e|o | |( )? | | |ee|e|||a o |ec|| o eco | |||paoc cc| | ||o||x aax|| Bep|oexa c a|oe |o|o |o o|o | i|e|e oo|e o||| .|oaa||a|i i|||eece|ece Be|a|a a|| a|ea |e || |- | || |p-opa|p-op|e|||-2000| |o a| a| | ||| 2000|opo pecc|(( )? )? | | c| ||| | |- |p ea| | | |e 400 ae HR-e| 400 a HR-ee|a c a| e||| |-||a eee)[\s\r\n]*$/
describe MAIDAN_ORG_UA_FROM From (DSPAM_autolearn)
score MAIDAN_ORG_UA_FROM 4.0
tflags MAIDAN_ORG_UA_FROM mandatory_learn

header ADMIN_XPORTAL_COM_UA_FROM From =~ /^\s*admin\@xportal\.com\.ua$/
describe ADMIN_XPORTAL_COM_UA_FROM From admin@xportal.com.ua (DSPAM_autolearn)
score ADMIN_XPORTAL_COM_UA_FROM 4.0
tflags ADMIN_XPORTAL_COM_UA_FROM mandatory_learn

# `From:raw` tests the undecoded header text.
header FROM_Seminar_vega_st_com From:raw =~ /^\s*seminar\@vega-st\.com$/
describe FROM_Seminar_vega_st_com Message from seminar@vega-st.com
score FROM_Seminar_vega_st_com 2.5

header FROM_mail_fish_net_ua From =~ /mail\@fish\.net\.ua/
describe FROM_mail_fish_net_ua e-mail from mail@fish.net.ua (DSPAM_autolearn)
score FROM_mail_fish_net_ua 3.5
tflags FROM_mail_fish_net_ua mandatory_learn

header FROM_YAHOO_BESSIE From =~ /bessie\..+\@yahoo\./
describe FROM_YAHOO_BESSIE Header From contains bessie in mailbox and yahoo in domain
score FROM_YAHOO_BESSIE 2.0

header FROM_SV_Development From =~ /^\s*SV Development $/
describe FROM_SV_Development From SV Development (DSPAM_autolearn)
score FROM_SV_Development 3.0
tflags FROM_SV_Development mandatory_learn

# NOTE(review): empty pattern. As shown this hits any Reply-To value.
header REPLY_TO_KAM_POD_UNIVER Reply-To =~ //
describe REPLY_TO_KAM_POD_UNIVER Message from Kamenets-Podolsky National University (DSPAM_autolearn, already_read)
score REPLY_TO_KAM_POD_UNIVER 4.0
tflags REPLY_TO_KAM_POD_UNIVER mandatory_learn

header REPLY_TO_WEDEUS Reply-To =~ /^\s*info\@wedeus\.com$/
describe REPLY_TO_WEDEUS Message from Wedeus, may be thru newsletter.si (DSPAM_autolearn, already_read)
score REPLY_TO_WEDEUS 4.0
tflags REPLY_TO_WEDEUS mandatory_learn

# NOTE(review): empty pattern. As shown this hits any Reply-To value.
header REPLY_TO_SP_SERVICE Reply-To =~ //
describe REPLY_TO_SP_SERVICE Message from Sp Service (DSPAM_autolearn, already_read)
score REPLY_TO_SP_SERVICE 4.0
tflags REPLY_TO_SP_SERVICE mandatory_learn

# NOTE(review): `/$/` matches every value; the address is missing here.
header REPLY_TO_CORP_TOURISM Reply-To =~ /$/
describe REPLY_TO_CORP_TOURISM Message about "Corporate tourism" (DSPAM_autolearn, already_read)
score REPLY_TO_CORP_TOURISM 4.0
tflags REPLY_TO_CORP_TOURISM mandatory_learn

# NOTE(review): empty pattern with a 5.0 score. As shown this would mark any
# message carrying a From header.
header FROM_computerra_net_ua From =~ //
describe FROM_computerra_net_ua From spam service mail@computerra.net.ua (DSPAM_autolearn)
score FROM_computerra_net_ua 5.0
tflags FROM_computerra_net_ua mandatory_learn

header FROM_ONLINE_GAME From =~ /^\s*On-Line $/
describe FROM_ONLINE_GAME From On-Line Game (DSPAM_autolearn)
score FROM_ONLINE_GAME 4.0
tflags FROM_ONLINE_GAME mandatory_learn

header FROM_TRANSPORTLINE_RU From =~ /^\s*info\@transportline\.ru$/
describe FROM_TRANSPORTLINE_RU From TRANSPORTLINE (DSPAM_autolearn, already_read)
score FROM_TRANSPORTLINE_RU 4.0
tflags FROM_TRANSPORTLINE_RU mandatory_learn

# NOTE(review): test is FROM_MESSAGE_FRO_YOU_LTD, metadata is FROM_MIXPRINT.
header FROM_MESSAGE_FRO_YOU_LTD From =~ /^\s*" " $/
describe FROM_MIXPRINT Message from mixpintu@mail.ru (DSPAM_autolearn)
score FROM_MIXPRINT 2.0
tflags FROM_MIXPRINT mandatory_learn

# NOTE(review): test is FROM_SPECTOVAR with a match-everything pattern,
# metadata is FROM_SITEDESIGNER.
header FROM_SPECTOVAR From =~ /$/
describe FROM_SITEDESIGNER Message from SIteDesigner. (From: info@sitedesigner.com.ua) (DSPAM_autolearn, already_read)
score FROM_SITEDESIGNER 5.0
tflags FROM_SITEDESIGNER mandatory_learn

header REPLY_TO_SITEDESIGNER Reply-To =~ /info\@sitedesigner\.com\.ua>$/
describe REPLY_TO_SITEDESIGNER Message from SIteDesigner. (Reply-To: info@sitedesigner.com.ua) (DSPAM_autolearn, already_read)
score REPLY_TO_SITEDESIGNER 3.0
tflags REPLY_TO_SITEDESIGNER mandatory_learn

#########################################

# NOTE(review): test is FROM_WebInside, metadata is FROM_DISPATCH.
header FROM_WebInside From =~ /^\s*"(WebInside|Dispatch|D\.L\.X)" \s*$/
describe FROM_DISPATCH From WebInside/Dispatch (DSPAM_autolearn, already_read)
score FROM_DISPATCH 5.0
tflags FROM_DISPATCH mandatory_learn

# NOTE(review): `/\s*$/` matches every value; the address is missing here.
header FROM_kiev_dlx_tut_by From =~ /\s*$/
describe FROM_kiev_dlx_tut_by From WebInside/Dispatch/DLX (DSPAM_autolearn, already_read)
score FROM_kiev_dlx_tut_by 5.0
tflags FROM_kiev_dlx_tut_by mandatory_learn

# NOTE(review): named REPLY_TO_* but the rule reads the From header, with the
# same match-everything pattern as the rule before it. Confirm the intended
# header and restore the address.
header REPLY_TO_kiev_dlx_tut_by From =~ /\s*$/
describe REPLY_TO_kiev_dlx_tut_by From WebInside/Dispatch/DLX (DSPAM_autolearn, already_read)
score REPLY_TO_kiev_dlx_tut_by 5.0
tflags REPLY_TO_kiev_dlx_tut_by mandatory_learn

#########################################

# Whole-domain sender matches, anchored on the closing '>' of the address.
header FROM_REGULARNEWSLETTER From =~ /\@regularnewsletter\.com>$/
describe FROM_REGULARNEWSLETTER Message from regularnewsletter.com (DSPAM_autolearn)
score FROM_REGULARNEWSLETTER 4.0
tflags FROM_REGULARNEWSLETTER mandatory_learn

header FROM_OEVEL From =~ /\@oevel\.com>$/
describe FROM_OEVEL Message from oevel.com (DSPAM_autolearn)
score FROM_OEVEL 4.0
tflags FROM_OEVEL mandatory_learn

########################################
#
# X-Mailer: WebMail_You can gain better health
# X-Mailer: WebMail_Heal for your woody!
# X-Mailer: WebMail_Your private video here
# X-Mailer: WebMail_Your reply needed
# X-Mailer: WebMail_Take her from above
# X-Mailer: WebMail_Support Obama, buying from us
# X-Mailer: WebMail_Your confirmation period has expired
#
# X-Mailer of the form "WebMail_" followed by a free-text phrase, as in the
# samples above. The whole phrase group is optional, so a bare "WebMail_"
# matches too.
header X_MAILER_WEBMAIL_ X-Mailer =~ /^\s*WebMail_([A-Za-z]+(\s[A-Z]?[''a-z\d]+[,\%!]?)+[\.\?\!]?)?$/
describe X_MAILER_WEBMAIL_ Suspicious X-Mailer (DSPAM_autolearn, already_read)
score X_MAILER_WEBMAIL_ 4.5
#tflags X_MAILER_WEBMAIL_ mandatory_learn

########################################

# NOTE(review): this copy looks extraction-damaged. Text between '<' and '>'
# and most non-ASCII text appear to have been dropped, leaving patterns such
# as `/$/`, empty alternation branches, and header rules followed by another
# rule's describe/score. Restore those rules from the upstream file before
# loading them; as shown several would match far more than intended.

# Foto75: the same sender identified through five headers at 2.0 each.
header FOTO75_REPLY_TO Reply-to =~ /^\s*"www\.Foto75\.in\.UA" $/
describe FOTO75_REPLY_TO Foto75 Reply-To (DSPAM_autolearn, already_read)
score FOTO75_REPLY_TO 2.0

header FOTO75_ORG Organization =~ /^\s*www\.Foto75\.in\.UA$/
describe FOTO75_ORG Foto75 Organization (DSPAM_autolearn, already_read)
score FOTO75_ORG 2.0

header FOTO75_DISP_NOTIF_TO Disposition-notification-to =~ /^\s*foto75\@3g\.ua$/
describe FOTO75_DISP_NOTIF_TO Foto75 Disposition-notification-to (DSPAM_autolearn, already_read)
score FOTO75_DISP_NOTIF_TO 2.0

header FOTO75_RETURN_RECEIPT_TO Return-receipt-to =~ /^\s*foto75\@3g\.ua$/
describe FOTO75_RETURN_RECEIPT_TO Foto75 Return-receipt-to (DSPAM_autolearn, already_read)
score FOTO75_RETURN_RECEIPT_TO 2.0

header FOTO75_X_CONFIRM_READING_TO X-confirm-reading-to =~ /^\s*foto75\@3g\.ua$/
describe FOTO75_X_CONFIRM_READING_TO Foto75 X-confirm-reading-to (DSPAM_autolearn, already_read)
score FOTO75_X_CONFIRM_READING_TO 2.0

########################################

# BambooClub: any address or list under bamboo.nichost.ru, six headers at 2.0.
header BAMBOO_RPATH Return-path =~ /\@bamboo\.nichost\.ru>$/
describe BAMBOO_RPATH Message from BambooClub (DSPAM_autolearn)
score BAMBOO_RPATH 2.0

header BAMBOO_X_ENVFROM X-Envelope-From =~ /\@bamboo\.nichost\.ru>$/
describe BAMBOO_X_ENVFROM Message from BambooClub (DSPAM_autolearn)
score BAMBOO_X_ENVFROM 2.0

header BAMBOO_List_Unsubscribe List-Unsubscribe =~ /^\s*mailto:\S+\@bamboo\.nichost\.ru$/
describe BAMBOO_List_Unsubscribe Message from BambooClub (DSPAM_autolearn)
score BAMBOO_List_Unsubscribe 2.0

header BAMBOO_List_ID List-ID =~ /^\s*<\S+\.bamboo\.nichost\.ru>$/
describe BAMBOO_List_ID Message from BambooClub (DSPAM_autolearn)
score BAMBOO_List_ID 2.0

header BAMBOO_Sender Sender =~ /^\s*<\S+\@bamboo\.nichost\.ru>$/
describe BAMBOO_Sender Message from BambooClub (DSPAM_autolearn)
score BAMBOO_Sender 2.0

header BAMBOO_From From =~ /<\S+\@bamboo\.nichost\.ru>$/
describe BAMBOO_From Message from BambooClub (DSPAM_autolearn)
score BAMBOO_From 2.0

########################################

# , mail5.freehost.com.ua
# NOTE(review): `/$/` matches every From value; the address named in the
# describe line is missing from the pattern on this copy.
header FROM_info_crb_in_ua From =~ /$/
describe FROM_info_crb_in_ua Message from info@crb.in.ua
score FROM_info_crb_in_ua 2.5

header ORG_info_crb_in_ua Organization =~ /^\s*info\@crb\.in\.ua$/
describe ORG_info_crb_in_ua Message from info@crb.in.ua
score ORG_info_crb_in_ua 2.5

########################################

# Script-origin headers (ScriptPath, X-PHP-Script) naming a specific script.
header SCRIPT_PATH_SPAM_SERVICE ScriptPath =~ /^\s*(gino-arte\.net\/nodele\.te\.php)/
describe SCRIPT_PATH_SPAM_SERVICE Spam mailing service
score SCRIPT_PATH_SPAM_SERVICE 2.0

########################################

header SHIP_LETTER_ORG_UA X-PHP-Script =~ /^\s*ship-letter\.org\.ua/
describe SHIP_LETTER_ORG_UA Message sent by ship-letter.org.ua (DSPAM_autolearn)
score SHIP_LETTER_ORG_UA 5.0
tflags SHIP_LETTER_ORG_UA mandatory_learn

# The meta also requires __X_Mailer_Thunderbird, which is not defined on this
# page. NOTE(review): confirm it exists in another loaded rules file, or the
# meta cannot fire.
header __BRICOCOOK_COM_X_PHP_Script X-PHP-Script =~ /^\s*bricocook\.com\/images\/view\.php for \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
meta BRICOCOOK_COM_X_PHP_Script __BRICOCOOK_COM_X_PHP_Script && __X_Mailer_Thunderbird
describe BRICOCOOK_COM_X_PHP_Script Mail from X-PHP-Script bricocook.com/images/view.php
score BRICOCOOK_COM_X_PHP_Script 2.0
tflags BRICOCOOK_COM_X_PHP_Script mandatory_learn

########################################

# NOTE(review): XBOSS is listed twice, and the tail of the alternation has
# empty branches (`||`, `|)`), so as shown the rule also matches an empty or
# whitespace-only Organization header at 5.0.
header ORG_X_NOMERA_NET Organization =~ /^\s*(XBOSS|BINBOT|ANTISHTRAF\.ME|FNOMER|HIDENUM|INVIS|INVIS-XNOMER\.COM|NO-XCAMS|NoCAMS|ProNomer|STOP-POLICE|X-INVISIBLER|X-nomer|X-NOMER|X-NOMERA\.NET|X-PARTNOMER\.COM|X-Watch|XBOSS|XINVISIBLER|XNOMER|Xplenka|| 2013||)$/
describe ORG_X_NOMERA_NET Message from X-NOMERA.NET or the like, already_read
score ORG_X_NOMERA_NET 5.0

# NOTE(review): the middle of this alternation is blank/garbled and includes
# an empty branch, with the same over-matching effect.
header ORG_X_NOMERA_NET_AFFILATE Organization =~ /^\s*(APTEKA-ONLINE24\.BIZ|GoldiPhone|GreenSlim800|RUSS-KREDIT|RusTabs| | | | | || | .| 1 .| | | |.| |Business ProA|Business ProD|Business ProG|EMSGOLDEX|FinansPromo|GetKredit|OptionMoney|Project-KIDS|SmokeMagnit|StopSmoke|U-Bot|UBOT|UP-BOTMONEY 2014|XMAGNIT|XSMOKERS|Xsmoker 2014|ZeroSmok|ZeroSmoke|zNoSmoking)$/
describe ORG_X_NOMERA_NET_AFFILATE Message affiliated with from X-NOMERA.NET, already_read
score ORG_X_NOMERA_NET_AFFILATE 4.0

# NOTE(review): almost nothing of this alternation survives; it is not usable
# as shown.
header ORG_X_NOMERA_NET_AFFILATE2 Organization =~ /^\s*(| | | | | | | 2013-2014| 30 | | ||| |||| | | | | |||| | | | | |)$/
describe ORG_X_NOMERA_NET_AFFILATE2 Message affiliated with from X-NOMERA.NET
score ORG_X_NOMERA_NET_AFFILATE2 4.0

# NOTE(review): test is FROM_X_NOMERA_NET, but the describe/score below belong
# to HEADER_TO_YET_ANOTHER_ROW, whose own test is not on this page.
header FROM_X_NOMERA_NET From =~ /^\s*"(ANTISHTRAF\.ME|HIDENUM|INVIS|INVIS-XNOMER\.COM|NO-XCAMS|NoCAMS|ProNomer|STOP-POLICE|X-INVISIBLER|X-NOMER|X-NOMERA\.NET|X-PARTNOMER\.COM|X-Watch|X-nomer|XINVISIBLER|XNOMER|Xplenka)" /
describe HEADER_TO_YET_ANOTHER_ROW Very stratnge spammer's mistake
score HEADER_TO_YET_ANOTHER_ROW 3.0

# To header consisting only of the placeholder word "User".
header HEADER_TO_USER To =~ /^\s*User$/
describe HEADER_TO_USER Suspicious heaer To (DSPAM_autolearn)
score HEADER_TO_USER 4.0
tflags HEADER_TO_USER mandatory_learn

header FROM_Freshfile_Net From =~ /^\s*Freshfile\.Net $/
describe FROM_Freshfile_Net Message from Freshfile.Net
score FROM_Freshfile_Net 2.0

# Raw Content-Type value that has a MIME-Version field run into it.
header HEADER_CT_MIME_VER Content-Type:raw =~ /^\s*text\/html; charset=iso-8859-1 MIME-Version: 1\.0 $/
describe HEADER_CT_MIME_VER Stupid mistake in header Content-Type (DSPAM_autolearn)
score HEADER_CT_MIME_VER 5.0
tflags HEADER_CT_MIME_VER mandatory_learn

# Keyed on one fixed X-Collect-Stat value.
header MYPERSONAL_FROM_MAILRU X-Collect-Stat =~ /^\s*87686$/
describe MYPERSONAL_FROM_MAILRU Message from promotion@mypersonal.com.ua thru mailer@sender5.mail.ru
score MYPERSONAL_FROM_MAILRU 2.2

header FROM_emailservice_ukr_net From =~ /emailservice\@ukr\.net/
# NOTE(review): this copy looks extraction-damaged. Text between '<' and '>'
# and most non-ASCII text appear to have been dropped, leaving empty patterns
# (`//`, `/$/`) and header rules followed by another rule's describe/score.
# An empty pattern matches any value of the header, so several 5.0-point rules
# below would, as shown, fire on nearly all mail. Restore them from the
# upstream file and re-check against a ham corpus before loading.
describe FROM_emailservice_ukr_net Mesage with spam deal (DSPAM_autolearn)
score FROM_emailservice_ukr_net 3.0

header FROM_in_fashion_com_ua From =~ /^\s*"in-fashion\.com\.ua"/
describe FROM_in_fashion_com_ua Message from www.in-fashion.com.ua (DSPAM_autolearn)
score FROM_in_fashion_com_ua 3.0

# Literal template placeholder left in the To header.
header TO_recipient_rcpthost_rcptdomain To =~ /recipient\@rcpthost\.rcptdomain/
describe TO_recipient_rcpthost_rcptdomain Message to recipient@rcpthost.rcptdomain
score TO_recipient_rcpthost_rcptdomain 3.0

header FROM_VSESHINI From =~ /\@vseshini\.com\.ua>$/
describe FROM_VSESHINI Message from @vseshini.com.ua (DSPAM_autolearn)
score FROM_VSESHINI 3.0
tflags FROM_VSESHINI mandatory_learn

# Case-insensitive substring match anywhere in From.
header FROM_viagra From =~ /viagra/i
describe FROM_viagra Viagra in header From (DSPAM_autolearn, already_read)
score FROM_viagra 2.0
tflags FROM_viagra mandatory_learn

# Fires only when both From and Reply-To carry the "BusinessForward" name.
header __BF_FROM From =~ /^\s*"BusinessForward" $/
header __BF_REPLY_TO Reply-To =~ /^\s*"BusinessForward" $/
meta BusinessForward __BF_FROM && __BF_REPLY_TO
describe BusinessForward Message from BusinessForward (DSPAM_autolearn, already_read)
score BusinessForward 3.0
tflags BusinessForward mandatory_learn

# Received-line fingerprints: a specific HELO string accepted from an
# "unknown" client by a named relay. Each has a companion meta, only defined
# when the DSPAM plugin is loaded, that adds 3.5 when DSPAM_CHECK_00_01
# (defined outside this page) also hits.
header ICN_OD_UA_SUSP_HELO Received =~ /from yandex\.ru \(unknown \[\d+\.\d+\.\d+\.\d+\]\)[\r\n\s]+by relay1\.icn\.od\.ua \(Postfix\) with SMTP id/
describe ICN_OD_UA_SUSP_HELO Suspicious HELO (DSPAM_autolearn, already_read)
score ICN_OD_UA_SUSP_HELO 4.0
tflags ICN_OD_UA_SUSP_HELO mandatory_learn

ifplugin Mail::SpamAssassin::Plugin::DSPAM
meta ICN_OD_UA_SUSP_HELO_DSPAM ICN_OD_UA_SUSP_HELO && DSPAM_CHECK_00_01
describe ICN_OD_UA_SUSP_HELO_DSPAM DSPAM compensation for Suspicious HELO
score ICN_OD_UA_SUSP_HELO_DSPAM 3.5
endif

# HELO made of literal question marks around a hyphen.
header ICN_OD_UA_SUSP_HELO_YANDEX Received =~ /from \?+-\?+ \(unknown \[\d+\.\d+\.\d+\.\d+\]\)[\r\n\s]+by relay1\.icn\.od\.ua \(Postfix\) with SMTP id/
describe ICN_OD_UA_SUSP_HELO_YANDEX Suspicious HELO (DSPAM_autolearn, already_read)
score ICN_OD_UA_SUSP_HELO_YANDEX 4.0
tflags ICN_OD_UA_SUSP_HELO_YANDEX mandatory_learn

ifplugin Mail::SpamAssassin::Plugin::DSPAM
meta ICN_OD_UA_SUSP_HELO_YANDEX_DSPAM ICN_OD_UA_SUSP_HELO_YANDEX && DSPAM_CHECK_00_01
describe ICN_OD_UA_SUSP_HELO_YANDEX_DSPAM DSPAM compensation for Suspicious HELO
score ICN_OD_UA_SUSP_HELO_YANDEX_DSPAM 3.5
endif

header MAIL_ARTSV_NET_SUSP_HELO Received =~ /from (PROMEDIKAS|Server2003|SERVER) \(unknown \[\d+\.\d+\.\d+\.\d+\]\)[\r\n\s]+by mail\.artsv\.net \(Postfix\) with ESMTPA id/
describe MAIL_ARTSV_NET_SUSP_HELO Suspicious HELO (DSPAM_autolearn, already_read)
score MAIL_ARTSV_NET_SUSP_HELO 4.0
tflags MAIL_ARTSV_NET_SUSP_HELO mandatory_learn

ifplugin Mail::SpamAssassin::Plugin::DSPAM
meta MAIL_ARTSV_NET_SUSP_HELO_DSPAM MAIL_ARTSV_NET_SUSP_HELO && DSPAM_CHECK_00_01
describe MAIL_ARTSV_NET_SUSP_HELO_DSPAM DSPAM compensation for Suspicious HELO
score MAIL_ARTSV_NET_SUSP_HELO_DSPAM 3.5
endif

# NOTE(review): matches any From that starts with "BBVA", mentions BBVA/bbva
# again and ends in `.es>`; it does not tell a genuine sender domain from a
# look-alike. Confirm that scoring both is intended.
header BBVA_From From =~ /^\s*BBVA.+(BBVA|bbva).*\.es>/
describe BBVA_From Message from BBVA (DSPAM_autolearn, already_read)
score BBVA_From 4.0
tflags BBVA_From mandatory_learn

header SUBJ_JOIN_US Subject =~ /^\s*[a-z]+: !$/
describe SUBJ_JOIN_US Message "Join us" (DSPAM_autolearn, already_read)
score SUBJ_JOIN_US 4.0
tflags SUBJ_JOIN_US mandatory_learn

# NOTE(review): empty pattern with a 5.0 score. As shown this hits any
# Reply-To value.
header SMS_MARKET Reply-To =~ //
describe SMS_MARKET Message from SMS spammers (DSPAM_autolearn, already_read)
score SMS_MARKET 5.0
tflags SMS_MARKET mandatory_learn

header From_seminary_odessa From =~ /(seminary\.odessa\@gmail\.com|seminary\.odessa\@meta-inform\.com)/
describe From_seminary_odessa Message from seminary (seminary.odessa@gmail.com or seminary.odessa@meta-inform.com) (DSPAM_autolearn, already_read)
score From_seminary_odessa 4.0
tflags From_seminary_odessa mandatory_learn

# NOTE(review): test is From_M_Line, metadata is FROM_GORODA2010.
header From_M_Line From =~ /^\s*"M-Line" /
describe FROM_GORODA2010 Message from spammers (DSPAM_autolearn, already_read)
score FROM_GORODA2010 5.0
tflags FROM_GORODA2010 mandatory_learn

# NOTE(review): test is FROM_Reklama, metadata is FROM_my_remont_3.
header FROM_Reklama From =~ /^\s*"Reklama" /
describe FROM_my_remont_3 Blacklisted sender address in header Reply-To (DSPAM_autolearn, already_read)
score FROM_my_remont_3 3.0
tflags FROM_my_remont_3 mandatory_learn

# Named FROM_* but reads the Reply-To header.
header FROM_balty_com_ua Reply-To =~ /\@balty\.com\.ua>/
describe FROM_balty_com_ua Message from @balty.com.ua (DSPAM_autolearn, already_read)
score FROM_balty_com_ua 3.0
tflags FROM_balty_com_ua mandatory_learn

# NOTE(review): FROM_Glamour_Agency has no describe/score on this page, and
# the meta below references __FROM_Design_Academy, which is not defined here.
# The surviving Reply-To sub-rule has an empty pattern, and the meta is an OR,
# so as shown it fires on any message with a Reply-To header.
header FROM_Glamour_Agency From =~ /^\s*"Glamour Agency" /
header __REPLY_TO_Design_Academy Reply-To =~ //
meta FROM_Design_Academy __FROM_Design_Academy || __REPLY_TO_Design_Academy
describe FROM_Design_Academy Message from "Design Academy" news@a-d.net.ua, DMS (DSPAM_autolearn, already_read)
score FROM_Design_Academy 4.0
tflags FROM_Design_Academy mandatory_learn

# NOTE(review): both sub-rules have empty patterns; ORed together they match
# essentially every message as shown.
header __FROM_Realization_Academy From =~ //
header __REPLY_TO_Realization_Academy Reply-To =~ //
meta FROM_Realization_Academy __FROM_Realization_Academy || __REPLY_TO_Realization_Academy
describe FROM_Realization_Academy Message from "Realization Academy" news@-a-v-z.com.ua, DMS (DSPAM_autolearn, already_read)
score FROM_Realization_Academy 4.0
tflags FROM_Realization_Academy mandatory_learn

# NOTE(review): empty pattern; named FROM_* but reads Reply-To.
header FROM_uagirls_ukr_net Reply-To =~ //
describe FROM_uagirls_ukr_net Message from uagirls@ukr.net (DSPAM_autolearn, already_read)
score FROM_uagirls_ukr_net 5.0
tflags FROM_uagirls_ukr_net mandatory_learn

# NOTE(review): test is FROM_viza_com, metadata is
# From_list_200kiev_org_ua_1gb_ua.
header FROM_viza_com From =~ /^\s*"viza com" $/
describe From_list_200kiev_org_ua_1gb_ua From list@200kiev-org-ua.1gb.ua (DSPAM_autolearn, already_read)
score From_list_200kiev_org_ua_1gb_ua 2.0
tflags From_list_200kiev_org_ua_1gb_ua mandatory_learn

# NOTE(review): `/$/` matches every value; the address is missing.
header Reply_To_list_200kiev_org_ua_1gb_ua Reply-To =~ /$/
describe Reply_To_list_200kiev_org_ua_1gb_ua From list@200kiev-org-ua.1gb.ua (DSPAM_autolearn, already_read)
score Reply_To_list_200kiev_org_ua_1gb_ua 2.0
tflags Reply_To_list_200kiev_org_ua_1gb_ua mandatory_learn

# NOTE(review): `/$/` matches every value; the address is missing.
header Reply_To_vagonka_2011_mail_ru Reply-To =~ /$/
describe Reply_To_vagonka_2011_mail_ru From vagonka-2011@mail.ru (DSPAM_autolearn, already_read)
score Reply_To_vagonka_2011_mail_ru 2.0
tflags Reply_To_vagonka_2011_mail_ru mandatory_learn

header FROM_boris75_fobax_in From =~ /boris75\@fobax\.in/
describe FROM_boris75_fobax_in Message from boris75@fobax.in (DSPAM_autolearn, already_read)
score FROM_boris75_fobax_in 5.0
tflags FROM_boris75_fobax_in mandatory_learn

# NOTE(review): `/$/` matches every value; the address is missing.
header From_services_chitai24_net From =~ /$/
describe From_services_chitai24_net From services@chitai24.net (DSPAM_autolearn, already_read)
score From_services_chitai24_net 2.0
tflags From_services_chitai24_net mandatory_learn

# NOTE(review): From_Traflinks has no describe/score on this page. The two
# metas that follow reference __MSGID_cmgserver and RECEIVED_77_110_55_86_*,
# none of which are defined here; confirm they exist in the upstream file.
header From_Traflinks From =~ /^\S+ Трафлинкс $/

# Scores 3.5 when the Message-ID sub-rule and either Received rule hit, and
# 5.5 when the Message-ID sub-rule hits with neither Received rule (the rule
# name suggests the Received lines were stripped).
meta MSGID_cmgserver __MSGID_cmgserver && (RECEIVED_77_110_55_86_cmgserver || RECEIVED_77_110_55_86_77_110_55_86)
describe MSGID_cmgserver Message from cmgserver
score MSGID_cmgserver 3.5

meta MSGID_cmgserver_STRIPPED_RCVD __MSGID_cmgserver && !RECEIVED_77_110_55_86_cmgserver && !RECEIVED_77_110_55_86_77_110_55_86
describe MSGID_cmgserver_STRIPPED_RCVD Message from cmgserver
score MSGID_cmgserver_STRIPPED_RCVD 5.5

header MSGID_ECONTACT_COM_UA Message-ID =~ /\@.+\.econtact\.com\.ua>$/
describe MSGID_ECONTACT_COM_UA Message-ID from Email marketing system eContact.com.ua
score MSGID_ECONTACT_COM_UA 3.0

# NOTE(review): `/$/` matches every value, at 5.0 points.
header INDIGOUA_REPLYTO Reply-To =~ /$/
describe INDIGOUA_REPLYTO Suspicious address in header Reply-To
score INDIGOUA_REPLYTO 5.0

# NOTE(review): `/$/` matches every value, at 5.0 points.
header From_raskrutka_sayta_mail_ru From =~ /$/
describe From_raskrutka_sayta_mail_ru From raskrutka.sayta@mail.ru (DSPAM_autolearn, already_read)
score From_raskrutka_sayta_mail_ru 5.0
tflags From_raskrutka_sayta_mail_ru mandatory_learn

header From_support_tracker_bigfile_info From =~ /support\@tracker-bigfile\.info/
describe From_support_tracker_bigfile_info From support@tracker-bigfile.info (DSPAM_autolearn, already_read)
score From_support_tracker_bigfile_info 5.0
tflags From_support_tracker_bigfile_info mandatory_learn

# NOTE(review): empty pattern, at 5.0 points.
header From_registrator_predpriyatiya_mail_ru From =~ //
describe From_registrator_predpriyatiya_mail_ru From registrator.predpriyatiya@mail.ru (DSPAM_autolearn, already_read)
score From_registrator_predpriyatiya_mail_ru 5.0
tflags From_registrator_predpriyatiya_mail_ru mandatory_learn

# NOTE(review): empty pattern, at 5.0 points.
header From_xenon_y_yandex_ua From =~ //
describe From_xenon_y_yandex_ua From xenon.y@yandex.ua (DSPAM_autolearn, already_read)
score From_xenon_y_yandex_ua 5.0
tflags From_xenon_y_yandex_ua mandatory_learn

# NOTE(review): 10.0 points on a To value of `"" ` as shown; the bracketed
# address was presumably lost from this copy.
header To_ukr_net To =~ /^\s*"" $/
describe To_ukr_net Stupid header To (DSPAM_autolearn, already_read)
score To_ukr_net 10.0
tflags To_ukr_net mandatory_learn

# NOTE(review): `/$/` matches every value, at 5.0 points.
header Reply_To_seminar_ua_tiscali_it Reply-To =~ /$/
describe Reply_To_seminar_ua_tiscali_it From seminar-ua@tiscali.it (DSPAM_autolearn, already_read)
score Reply_To_seminar_ua_tiscali_it 5.0
tflags Reply_To_seminar_ua_tiscali_it mandatory_learn

# NOTE(review): empty pattern, at 5.0 points.
header From_air_mails_ukr_net From =~ //
describe From_air_mails_ukr_net From air.mails@ukr.net (DSPAM_autolearn, already_read)
score From_air_mails_ukr_net 5.0
tflags From_air_mails_ukr_net mandatory_learn

# NOTE(review): `/$/` matches every value, at 5.0 points.
header Reply_To_news_dmc_com_ua Reply-To =~ /$/
describe Reply_To_news_dmc_com_ua From news@dmc.com.ua (DSPAM_autolearn, already_read)
score Reply_To_news_dmc_com_ua 5.0
tflags Reply_To_news_dmc_com_ua mandatory_learn

# NOTE(review): the address is not delimited, so the pattern also matches
# inside longer dotted-quads (e.g. a first octet ending in 69 or a last octet
# starting with 202), and in any Received line, not only those written by
# trusted relays.
header Received_from_69_199_15_202 Received =~ /69\.199\.15\.202/
describe Received_from_69_199_15_202 Message generated on spam-source host 69.199.15.202, already_read
score Received_from_69_199_15_202 5.0

# NOTE(review): empty pattern, at 5.0 points.
header From_flaerok_del_i_ua From =~ //
describe From_flaerok_del_i_ua From flaerok-del@i.ua (DSPAM_autolearn, already_read)
score From_flaerok_del_i_ua 5.0
tflags From_flaerok_del_i_ua mandatory_learn

# NOTE(review): empty pattern, at 5.0 points.
header From_mediapro_office_ukr_net From =~ //
describe From_mediapro_office_ukr_net From mediapro.office@ukr.net (DSPAM_autolearn, already_read)
score From_mediapro_office_ukr_net 5.0
tflags From_mediapro_office_ukr_net mandatory_learn

header From_SpeakUP From =~ /^\s*"SpeakUP"/
describe From_SpeakUP From "SpeakUP" (DSPAM_autolearn, already_read)
score From_SpeakUP 5.0
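tflags From_SpeakUP mandatory_learn

# Sender, organization and subject rules, several with a "DSPAM compensation"
# meta that only exists when the DSPAM plugin is loaded.
#
# NOTE(review): this copy has lost its line breaks, and text that looked like
# an HTML tag (an angle bracket followed by a letter) appears to have been
# stripped. Patterns shown as //, /$/ or /(|)/ are presumably truncated; as
# written an empty pattern matches any value of the header, so restore these
# rules from the original file before loading.

header Reply_To_salfetki_2011_mail_ru Reply-To =~ /$/
describe Reply_To_salfetki_2011_mail_ru From salfetki.2011@mail.ru (DSPAM_autolearn, already_read)
score Reply_To_salfetki_2011_mail_ru 7.0
tflags Reply_To_salfetki_2011_mail_ru mandatory_learn

header From_OXYGROUP From =~ //
describe From_OXYGROUP From oxygroup@ukr.net (DSPAM_autolearn, already_read)
score From_OXYGROUP 5.0
tflags From_OXYGROUP mandatory_learn

header From_RD From =~ //
describe From_RD From Reader's Digest (DSPAM_autolearn, already_read)
score From_RD 5.0
tflags From_RD mandatory_learn

header Reply_To_RD Reply-To =~ //
describe Reply_To_RD From Reader's Digest (DSPAM_autolearn, already_read)
score Reply_To_RD 5.0
tflags Reply_To_RD mandatory_learn

# X-PHP-Script value whose path contains /wp-content/ and ends in script_new3.php.
header X_PHP_SCRIPTS_WP_script_new3 X-PHP-Script =~ /^\s*[^\/]+\/wp-content\/.+\/script_new3\.php/
describe X_PHP_SCRIPTS_WP_script_new3 Messge from WordPress script_new3.php script
score X_PHP_SCRIPTS_WP_script_new3 2.0

header From_DLX From =~ /^\s*"D\.L\.X" $/
describe From_DLX From D.L.X (DSPAM_autolearn, already_read)
score From_DLX 5.0
tflags From_DLX mandatory_learn

header Sender_DLX Sender =~ /^\s*"D\.L\.X" $/
describe Sender_DLX From D.L.X (DSPAM_autolearn, already_read)
score Sender_DLX 5.0
tflags Sender_DLX mandatory_learn

# Optional leading H, then one or more "o", one or more "l", then "a".
header Org_Hoolla Organization =~ /^\s*H?o+l+a$/
describe Org_Hoolla From organization Hoollla, Hollla or olla (DSPAM_autolearn, already_read)
score Org_Hoolla 5.0
tflags Org_Hoolla mandatory_learn

header Org_teplopanel Organization =~ /^\s*teplopanel$/
describe Org_teplopanel From organization teplopanel (DSPAM_autolearn, already_read)
score Org_teplopanel 5.0
tflags Org_teplopanel mandatory_learn

header From_Naruzhka From =~ //
describe From_Naruzhka From "Naruzhka" (DSPAM_autolearn, already_read)
score From_Naruzhka 5.0
tflags From_Naruzhka mandatory_learn

#header From_Naruzhka_raw From:raw =~ /=\?koi8-r\?B\?7sHS1dbLwQ==\?=/
#describe From_Naruzhka_raw From "Naruzhka" (DSPAM_autolearn, already_read)
#score From_Naruzhka_raw 5.0
#tflags From_Naruzhka_raw mandatory_learn

# NOTE(review): From_Naruzhka_raw is commented out above but still referenced
# here; check the result with `spamassassin --lint`.
ifplugin Mail::SpamAssassin::Plugin::DSPAM
  meta From_Naruzhka_DSPAM (From_Naruzhka || From_Naruzhka_raw) && DSPAM_CHECK_00_01
  describe From_Naruzhka_DSPAM From_Naruzhka DSPAM compensation
  score From_Naruzhka_DSPAM 3.5
endif

header From_SMS_MAIL Subject =~ /Sms E-mail /
describe From_SMS_MAIL Subject "Sms and E-mail mailling" (DSPAM_autolearn, already_read)
score From_SMS_MAIL 5.0
tflags From_SMS_MAIL mandatory_learn

# Same subject, matched against the undecoded (MIME encoded-word) header text.
header From_SMS_MAIL_raw Subject:raw =~ /^\s*=\?UTF-8\?B\?U21zINC4IEUtbWFpbCDRgNCw0YHRgdGL0LvQutCw\?=$/
describe From_SMS_MAIL_raw Subject "Sms and E-mail mailling" (DSPAM_autolearn, already_read)
score From_SMS_MAIL_raw 5.0
tflags From_SMS_MAIL_raw mandatory_learn

ifplugin Mail::SpamAssassin::Plugin::DSPAM
  meta From_SMS_MAIL_DSPAM (From_SMS_MAIL || From_SMS_MAIL_raw) && DSPAM_CHECK_00_01
  describe From_SMS_MAIL_DSPAM Subject "Sms and E-mail mailling" DSPAM compensation
  score From_SMS_MAIL_DSPAM 3.5
endif

header Subject_Arenda_ofisov_raw Subject:raw =~ /^\s*=\?UTF-8\?B\?0JDRgNC10L3QtNCwINC\+0YTQuNGB0L7QsiDQmtC40LXQsg==\?=$/
describe Subject_Arenda_ofisov_raw Subject "Arenda ofisov" (DSPAM_autolearn, already_read)
score Subject_Arenda_ofisov_raw 7.0
tflags Subject_Arenda_ofisov_raw mandatory_learn

ifplugin Mail::SpamAssassin::Plugin::DSPAM
  meta Subject_Arenda_ofisov_DSPAM Subject_Arenda_ofisov_raw && DSPAM_CHECK_00_01
  describe Subject_Arenda_ofisov_DSPAM Subject_Arenda_ofisov DSPAM compensation
  score Subject_Arenda_ofisov_DSPAM 3.5
endif

header From_Bordy From =~ /(|)/
describe From_Bordy From "Bordy" (DSPAM_autolearn, already_read)
score From_Bordy 5.0
tflags From_Bordy mandatory_learn

ifplugin Mail::SpamAssassin::Plugin::DSPAM
  meta From_Bordy_DSPAM From_Bordy && DSPAM_CHECK_00_01
  describe From_Bordy_DSPAM From_Bordy DSPAM compensation
  score From_Bordy_DSPAM 3.5
endif

header From_Billbord From =~ //
describe From_Billbord From "Billbord" (DSPAM_autolearn, already_read)
score From_Billbord 5.0
tflags From_Billbord mandatory_learn

ifplugin Mail::SpamAssassin::Plugin::DSPAM
  meta From_Billbord_DSPAM From_Billbord && DSPAM_CHECK_00_01
  describe From_Billbord_DSPAM From_Billbord DSPAM compensation
  score From_Billbord_DSPAM 3.5
endif

# NOTE(review): the header line below and the describe/score lines after it
# name different rules; the text between them is missing in this copy.
header From_Gruz From =~ /^\s* *$/
describe From_ADDR_BOGUSH From "bogush taym" (DSPAM_autolearn, already_read)
score From_ADDR_BOGUSH 5.0
tflags From_ADDR_BOGUSH mandatory_learn

#
# X-Confirm-Reading-To: %_RLIST_<<troparev329@mail.ru>>>%
#
header SUSPICIOUS_X_Confirm_Reading_To_RLIST_ X-Confirm-Reading-To =~ /^\s*\%_RLIST_<<<\S+<\/\/\/>\S+>>>\%$/
describe SUSPICIOUS_X_Confirm_Reading_To_RLIST_ Suspicious value of header X-Confirm-Reading-To
score SUSPICIOUS_X_Confirm_Reading_To_RLIST_ 5.0
tflags SUSPICIOUS_X_Confirm_Reading_To_RLIST_ mandatory_learn

# Leading whitespace is optional (\s*), as in the other anchored Organization
# tests in this file. The pattern previously demanded exactly one whitespace
# character before the opening quote.
header ORG_Morpho_Didius Organization =~ /^\s*"Morpho Didius"$/
describe ORG_Morpho_Didius Message from "Morpho Didius"
score ORG_Morpho_Didius 3.5

header Reply_To_mailair2009_aol_com Reply-To =~ //
describe Reply_To_mailair2009_aol_com Message from mailair2009@aol.com (DSPAM_autolearn)
score Reply_To_mailair2009_aol_com 5.0
tflags Reply_To_mailair2009_aol_com mandatory_learn

header FROM_BOGUSH_TIME From =~ /bogush.*taym\@/
describe FROM_BOGUSH_TIME Message from "Bogush Time" (DSPAM_autolearn, already_read)
score FROM_BOGUSH_TIME 5.0
tflags FROM_BOGUSH_TIME mandatory_learn

header CITY_POLIGRAF_ORG Organization =~ /^\s*City poligraf$/
describe CITY_POLIGRAF_ORG City poligraf Organization (DSPAM_autolearn, already_read)
score CITY_POLIGRAF_ORG 5.0

header DATAGRADE_INFO_ORG Organization =~ /^\s*Datagrade Info$/
describe DATAGRADE_INFO_ORG Datagrade Info Organization (DSPAM_autolearn, already_read)
score DATAGRADE_INFO_ORG 5.0
tflags DATAGRADE_INFO_ORG mandatory_learn

# NOTE(review): the pattern below is cut off (no closing slash) and its
# describe/score lines are missing in this copy.
header DATAGRADE_INFO_FROM From =~ /^\s*"Datagrade Info"
# To: "all_users@odesalive.com.ua"
# cc: "all_users@odesalive.com.ua"
# Reply-To: news@data578.info
#
header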
__TO_CC_EQUAL_To_cc To:case|cc:case =~ /^\s*"(\S+)" <\1>[\r\n\s]*\|\s*"\1" <\1>$/
# TO_CC_EQUAL: the first sub-rule wants the same token as display name and
# address in both halves of its input; the second wants the address of the
# first half repeated as the whole second half.
# NOTE(review): the `To:case|cc:case` header selector and the literal "|" the
# patterns expect look like a local extension that joins two header values;
# confirm it is supported by the SpamAssassin build these rules run on.
# NOTE(review): this copy has lost its line breaks, and text that looked like
# an HTML tag (an angle bracket followed by a letter) appears to have been
# stripped, so patterns shown as /$/ are presumably truncated.
header __TO_CC_EQUAL_From_Reply_To From:case|Reply-To:case =~ /^\s*"\S+" <(\S+)>[\r\n\s]*\|\s*\1$/
meta TO_CC_EQUAL __TO_CC_EQUAL_To_cc && __TO_CC_EQUAL_From_Reply_To
describe TO_CC_EQUAL Redundant header To and cc, From and Reply-To
score TO_CC_EQUAL 0.5

# NOTE(review): as shown the pattern is a single space; the organization name
# was presumably lost in this copy.
header ORG_Rybinski_Polimer Organization =~ / /
describe ORG_Rybinski_Polimer Organization "Rybinski polimer" (DSPAM_autolearn, already_read)
score ORG_Rybinski_Polimer 5.0
tflags ORG_Rybinski_Polimer mandatory_learn

#
# X-Sender-Info: <277399591@icpu1672.kundenserver.de>
#
header HACKED_HOST_X_Sender_Info X-Sender-Info =~ /^\s*<\d+\@icpu1672\.kundenserver\.de>$/
describe HACKED_HOST_X_Sender_Info X-Sender-Info from icpu1672.kundenserver.de
score HACKED_HOST_X_Sender_Info 3.0

header ORG_INF0BR0K Organization =~ /^\s*INF0BR0K$/
describe ORG_INF0BR0K INF0BR0K sends spam by spamware (DSPAM_autolearn, already_read)
score ORG_INF0BR0K 5.0

# Message-ID ending in @localhost.localdomain, unless From is one of the
# listed senders.
# NOTE(review): the exclusion is keyed on the From header alone, which the
# sender controls; a message that carries one of these addresses in From skips
# the rule. Consider pairing the exclusion with an authentication result.
header __SUSP_MSGID_localhost_localdomain Message-ID =~ /\@localhost\.localdomain>$/
header __SUSP_MSGID_From_exclude From =~ /<(admin\@notify\.vk\.com|yakaboo\@yakaboo\.com|support\@torg\.ua|support\@prom\.ua|no-reply\@finance1\.ru|no-reply\@zapchast\.com\.ua|.+\@qnx\.com|newsletter\@slando\.ru|.+\@sendgrid\.info|sales\@rozetka\.com\.ua)>$/
meta SUSP_MSGID_localhost_localdomain __SUSP_MSGID_localhost_localdomain && !__SUSP_MSGID_From_exclude
describe SUSP_MSGID_localhost_localdomain Suspicious Message-ID domain localhost.localdomain
score SUSP_MSGID_localhost_localdomain 2.5

# NOTE(review): ORG_MINUS is defined a second time further down this file with
# the same pattern, a longer description and score 2.0; presumably the later
# definition is the one that takes effect. Keep only one.
header ORG_MINUS Organization =~ /^\s*-$/
describe ORG_MINUS Suspicious organization
score ORG_MINUS 3.0

# NOTE(review): /?$/ is not a valid pattern (a quantifier with nothing before
# it); the original text was presumably lost in this copy.
header CAZINO From =~ /?$/
describe CAZINO Promotion message from online cazino
score CAZINO 5.0

header ORG_KOMPLEKT_SERVIS Organization =~ /^\s*" "$/
describe ORG_KOMPLEKT_SERVIS Foto75 Organization (DSPAM_autolearn, already_read)
score ORG_KOMPLEKT_SERVIS 5.0
tflags ORG_KOMPLEKT_SERVIS mandatory_learn

# NOTE(review): Received tests are not limited to trusted relays, so they also
# match Received lines written by earlier, untrusted hops.
header RECEIVED_HELO_mail_gmail_com Received =~ /\bmail\.gmail\.com\b/
describe RECEIVED_HELO_mail_gmail_com Received via mail.gmail.com (DSPAM_autolearn)
score RECEIVED_HELO_mail_gmail_com 3.5
tflags RECEIVED_HELO_mail_gmail_com mandatory_learn

header RECEIVED_HELO_marketingbaza_ru Received =~ /\bhelo=marketingbaza\.ru\b/
describe RECEIVED_HELO_marketingbaza_ru Received via marketingbaza.ru (DSPAM_autolearn)
score RECEIVED_HELO_marketingbaza_ru 3.5
tflags RECEIVED_HELO_marketingbaza_ru mandatory_learn

# __KUPONATOR_FROM is not defined in this part of the file.
header __MSGID_swift_generated Message-ID =~ /^\s*<\S+\@swift\.generated>$/
meta MSGID_swift_generated __MSGID_swift_generated && !__KUPONATOR_FROM
describe MSGID_swift_generated Message-ID from "Free Feature-rich PHP Mailer" Swift Mailer, RFC violating
score MSGID_swift_generated 1.5

header ukrashenie_fasadov__REPLYTO Reply-To =~ /$/
describe ukrashenie_fasadov__REPLYTO Reply-To ukrashenie.fasadov@ukr.net (DSPAM_autolearn, already_read)
score ukrashenie_fasadov__REPLYTO 5.0
tflags ukrashenie_fasadov__REPLYTO mandatory_learn

header DOG_SUPPLY_FROM From =~ /^\s*3U Pet Suppl/
describe DOG_SUPPLY_FROM From "3U Pet Suppl" with subject "dog supply" (DSPAM_autolearn, already_read)
score DOG_SUPPLY_FROM 7.0
tflags DOG_SUPPLY_FROM mandatory_learn

# The __UKR_NET_* sub-rules are not defined in this part of the file.
header __MSGID_fastwebnet_it Message-ID =~ /^\s*<\S+\@\d+-\d+-\d+-\d+\.ip\d+\.fastwebnet\.it>$/
meta SENDER_ukr_net_MSGID_fastwebnet_it (__UKR_NET_Return_Path || __UKR_NET_X_Envelope_From) && __MSGID_fastwebnet_it
describe SENDER_ukr_net_MSGID_fastwebnet_it There is ukr.net domain in sender address and fastwebnet.it domain in Message-ID
score SENDER_ukr_net_MSGID_fastwebnet_it 7.0
tflags SENDER_ukr_net_MSGID_fastwebnet_it mandatory_learn

header FROM_NBC From =~ /\@(nseminar\.org\.ua|mailnbc\.com|nbcseminar\.com\.ua|newhost\.kiev\.ua)>?$/
describe FROM_NBC Message from NBC (DSPAM_autolearn, already_read)
score FROM_NBC 6.0
tflags FROM_NBC mandatory_learn

header FROM_NBC_NEWS From =~ /^\s*"(News NBC|NBC NEWS)/
describe FROM_NBC_NEWS Message
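from NBC (DSPAM_autolearn, already_read)
score FROM_NBC_NEWS 5.0
tflags FROM_NBC_NEWS mandatory_learn

# Message-ID, Organization, From and Received rules for individual bulk
# senders.
#
# NOTE(review): this copy has lost its line breaks, and text that looked like
# an HTML tag (an angle bracket followed by a letter) appears to have been
# stripped. /^\s*$/ only matches an empty or all-whitespace value and /^\s*/
# matches any value; both are presumably what is left of longer patterns, so
# restore these rules from the original file before loading.

header MSGID_NBC Message-ID =~ /^\s*$/
describe MSGID_NBC Message from NBC (DSPAM_autolearn, already_read)
score MSGID_NBC 5.0
tflags MSGID_NBC mandatory_learn

# NOTE(review): the header line below and the describe/score lines after it
# name different rules; the text between them is missing in this copy.
header LIST_UNSUBSCRIBE_eurokurs_com_ua List-Unsubscribe=~ /^\s*/
describe REPLYTO_upakovka_strapex_com_ua Message from upakovka@strapex.com.ua
score REPLYTO_upakovka_strapex_com_ua 5.0

header Krasivaya_posuda_Org Organization =~ /^\s*Красивая посуда/
describe Krasivaya_posuda_Org Message from shop "Krasivaya posuda"
score Krasivaya_posuda_Org 5.0

header ORG_KARNAKOV Organization =~ /^\s* "Karnakov"$/
describe ORG_KARNAKOV Karnakov Organization (DSPAM_autolearn, already_read)
score ORG_KARNAKOV 5.0
tflags ORG_KARNAKOV mandatory_learn

# NOTE(review): ORG_MINUS is also defined earlier in this file with the same
# pattern, a shorter description and score 3.0; presumably this later
# definition is the one that takes effect. Keep only one.
header ORG_MINUS Organization =~ /^\s*-$/
describe ORG_MINUS Suspicious organization "-", may be SMS Center Ukraine
score ORG_MINUS 2.0

header ORG_SMS_CENTER_UKRAINE_TOV Organization =~ /^\s*ООО "ЭС.ЭМ.ЭС. ЦЕНТР УКРАИНА"$/
describe ORG_SMS_CENTER_UKRAINE_TOV Message from SMS Center Ukraine (DSPAM_autolearn, already_read)
score ORG_SMS_CENTER_UKRAINE_TOV 5.0
tflags ORG_SMS_CENTER_UKRAINE_TOV mandatory_learn

# Same organization, matched against the undecoded (MIME encoded-word) text.
header ORG_SMS_CENTER_UKRAINE Organization:raw =~ /^\s*=\?Windows-1251\?B\?q93xLt3sLt3xLiDW5e3y8CDT6vDg6O3guw==\?=$/
describe ORG_SMS_CENTER_UKRAINE Message from SMS Center Ukraine (DSPAM_autolearn, already_read)
score ORG_SMS_CENTER_UKRAINE 5.0
tflags ORG_SMS_CENTER_UKRAINE mandatory_learn

header ORG_Artsexhibition_in_Russia Organization =~ /^\s*Artsexhibition in Russia$/
describe ORG_Artsexhibition_in_Russia Message from Artsexhibition in Russia
score ORG_Artsexhibition_in_Russia 5.0

header ORG_Art_information Organization =~ /^\s*Art-information$/
describe ORG_Art_information Message from Art-information
score ORG_Art_information 5.0

header FROM_059_com_ua From =~ /\@059\.com\.ua>?$/
describe FROM_059_com_ua Message from 059.com.ua (DSPAM_autolearn, already_read)
score FROM_059_com_ua 6.0

header helo_SOL_FTTB_150_26_163_188_sovam_net_ua Received =~ /helo=SOL-FTTB\.150\.26\.163\.188\.sovam\.net\.ua\b/
describe helo_SOL_FTTB_150_26_163_188_sovam_net_ua Received with helo SOL-FTTB.150.26.163.188.sovam.net.ua via relay06.kiev.sovam.com probably (DSPAM_autolearn)
score helo_SOL_FTTB_150_26_163_188_sovam_net_ua 5.0
tflags helo_SOL_FTTB_150_26_163_188_sovam_net_ua mandatory_learn

header FROM_Comfort_Web From =~ /^\s*"?Comfort Web"? <\S+\@ukr\.net>$/
describe FROM_Comfort_Web Message from Comfort Web with random address with ukr.net domain, already_read
score FROM_Comfort_Web 5.0

header ORG_VitaL_VL Organization =~ /^\s*VitaL VL/
describe ORG_VitaL_VL Message from Organization VitaL VL(tm)
score ORG_VitaL_VL 5.0

header ORG_BUM Organization =~ /^\s*$/
describe ORG_BUM Message from Organization BUM
score ORG_BUM 5.0

header FROM_BUM From =~ /^\s*"Info BUM"/
describe FROM_BUM Message from BUM
score FROM_BUM 5.0

header FROM_MASSMAILS_NET From =~ /\@massmails\.net>$/
describe FROM_MASSMAILS_NET Message from massmails.net
score FROM_MASSMAILS_NET 5.0

header ORG_Novarealitka Organization =~ /^\s*Novarealitka$/
describe ORG_Novarealitka Message from Organization Novarealitka
score ORG_Novarealitka 5.0

header ORG_SalesUp Organization =~ /^\s*SalesUp$/
describe ORG_SalesUp Message from Organization SalesUp
score ORG_SalesUp 5.0

header ORG_Biznes Organization =~ /^\s*$/
describe ORG_Biznes Message from Organization Biznes
score ORG_Biznes 2.0

# "smtpsender" seen as the sending host name or as the HELO name in a Received
# line, in four layouts. The dots inside the IPv4 literals are escaped so that
# they match only a dot; unescaped they matched any character.
# NOTE(review): Received tests are not limited to trusted relays, so they also
# match Received lines written by earlier, untrusted hops.
header __RECEIVED_from_smtpsender Received =~ /\bfrom smtpsender \(/
header __RECEIVED_HELO1_smtpsender Received =~ /\bfrom \S+ \((account \S+ )?HELO smtpsender\)/
header __RECEIVED_HELO2_smtpsender Received =~ /\bfrom \[\d+\.\d+\.\d+\.\d+\] \((port=\d+ |\[\d+\.\d+\.\d+\.\d+:\d+\] )?helo=smtpsender\)/
header __RECEIVED_HELO3_smtpsender Received =~ /\bfrom \S+ \(\[\d+\.\d+\.\d+\.\d+\] ?helo=smtpsender\)/
meta RECEIVED_from_smtpsender __RECEIVED_from_smtpsender || __RECEIVED_HELO1_smtpsender || __RECEIVED_HELO2_smtpsender || __RECEIVED_HELO3_smtpsender
describe RECEIVED_from_smtpsender Received from smtpsender
score RECEIVED_from_smtpsender 7.0

header RECEIVED_Unknown Received =~ /\bUnknown\b/
describe RECEIVED_Unknown "Unknown" found in Received headers (may be helo)
score RECEIVED_Unknown 1.7

# From address ending in .za combined with a windows-1251 encoded-word Subject.
header __MESSAGE_CP1251_FROM_ZA_From From =~ /\.za>?$/
header __MESSAGE_CP1251_FROM_ZA_Subject Subject:raw =~ /^\s*=\?windows-1251\?(B|Q)\?/
meta MESSAGE_CP1251_FROM_ZA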
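__MESSAGE_CP1251_FROM_ZA_From && __MESSAGE_CP1251_FROM_ZA_Subject
describe MESSAGE_CP1251_FROM_ZA Message from South Africa with charset Windows-1251
score MESSAGE_CP1251_FROM_ZA 1.0

# Sender, mailer and source-network rules.
#
# NOTE(review): this copy has lost its line breaks, and text that looked like
# an HTML tag (an angle bracket followed by a letter) appears to have been
# stripped. Several header lines are followed by describe/score lines of a
# different rule, and some patterns are cut off; restore these rules from the
# original file before loading.

# From: "Mastersales.com.ua"
header FROM_MASTERSALES From =~ /^\s*"Mastersales\.com\.ua" $/
describe FROM_MASTERSALES Message from Mastersales.com.ua (may be thru pechkintrust.ru)
score FROM_MASTERSALES 5.0

# From: ComfortWeb
header FROM_COMFORTWEB From =~ /^\s*ComfortWeb $/
describe List_Unsubscribe_unsubscribe Strange value of header List-Unsubscribe
score List_Unsubscribe_unsubscribe 4.0

header X_Mailer_Mailer X-Mailer =~ /^\s*Mailer$/
describe X_Mailer_Mailer Strange value of header X-Mailer
score X_Mailer_Mailer 4.0

# Message-ID of 32 upper-case hex characters at nvh<N>.newhost.com.ua.
header MSGID_NBC_newhost_com_ua Message-ID =~ /^\s*<[\dA-F]{32}\@nvh\d+\.newhost\.com\.ua>$/
describe MSGID_NBC_newhost_com_ua NBC domain found in header Message-ID (DSPAM_autolearn, already_read)
score MSGID_NBC_newhost_com_ua 4.0

header HEADER_MY_NEW_PHOTO Subject =~ /^\s*my new photo ;\)\s*$/
describe HEADER_MY_NEW_PHOTO Suspicious header Subject
score HEADER_MY_NEW_PHOTO 2.0

header FROM_Business_Newsletters From =~ /^\s* /
describe MSGID_FLIPORA Message from Flip/Flipora/Infoaxe
score MSGID_FLIPORA 5.0

header FROM_ALL_PROJEKT4_RU From =~ /\@(all-forinfo\.ru|all-projekt14\.ru|all-projekt4\.ru|allprojekt2014\.ru|bigwin2014\.ru|casino-thebest1\.ru|casino-thebest2\.ru|choice-info\.ru|earthling\.net|free-news2\.ru|hit-buyto\.ru|hit-foryou\.ru|invest-thebest2\.ru|investforyou1\.ru|kotalog-hitov\.ru|kupi-tut2014\.ru|mail-for-you14\.ru|produktigoda\.ru|tovari-bez-nacenki\.ru|tovari-sale\.ru|win4all\.ru|womenmail\.ru|yop4mail\.ru|zarabotokru\.ru)\s*>?\s*$/
describe FROM_ALL_PROJEKT4_RU Message from all-projekt4.ru domain
score FROM_ALL_PROJEKT4_RU 5.0

#
# spam sources are the hosts from 37.9.53.0/24 network
#
# One sub-rule per header in which the client address may be recorded.
# NOTE(review): the Received test is not limited to trusted relays, and the
# X-* headers are written by upstream systems, so a hit reflects what the
# message carries rather than a verified connecting address.
header __RECEIVED_37_9_53 Received =~ /\b37\.9\.53\./
header __X_MDRemoteIP_37_9_53 X-MDRemoteIP =~ /^\s*37\.9\.53\.\d+$/
header __X_SA_Exim_Connect_IP_37_9_53 X-SA-Exim-Connect-IP =~ /^\s*37\.9\.53\.\d+$/
header __X_MagicMail_SourceIP_37_9_53 X-MagicMail-SourceIP =~ /^\s*37\.9\.53\.\d+$/
header __X_Originating_IP_37_9_53 X-Originating-IP =~ /^\s*(37\.9\.53\.\d+|\[37\.9\.53\.\d+\])$/
header __X_Connected_IP_37_9_53 X-Connected-IP =~ /^\s*37\.9\.53\.\d+:\d+$/
header __X_Rambler_User_37_9_53 X-Rambler-User =~ /^\s*\S+\/37\.9\.53\.\d+$/
header __X_Source_Sender_37_9_53 X-Source-Sender =~ /^\s*\(\S+\) \[37\.9\.53\.\d+\]:\d+$/
header __X_Source_IP_37_9_53 X-Source-IP =~ /^\s*37\.9\.53\.\d+$/
# NOTE(review): __X_Source_Sender_37_9_53 is defined above but is not part of
# this OR-chain; confirm whether that is intended.
meta __37_9_53_0 __RECEIVED_37_9_53 || __X_MDRemoteIP_37_9_53 || __X_MagicMail_SourceIP_37_9_53 || __X_Originating_IP_37_9_53 || __X_Connected_IP_37_9_53 || __X_Rambler_User_37_9_53 || __X_SA_Exim_Connect_IP_37_9_53 || __X_Source_IP_37_9_53
# NOTE(review): RECEIVED_37_9_53 and X_MDRemoteIP_37_9_53 (without the leading
# __) are not defined in this part of the file; if they exist nowhere else the
# negation has no effect. Check with `spamassassin --lint`.
meta NET_37_9_53_0 __37_9_53_0 && !(RECEIVED_37_9_53 || X_MDRemoteIP_37_9_53)
describe NET_37_9_53_0 Message from 37.9.53.0/24, already_read
score NET_37_9_53_0 4.0

# NOTE(review): the pattern below is cut off (no closing slash) and its
# describe/score lines are missing in this copy.
header FROM_LTD_LIQUIDATION From =~ /\s* \s*
# List-Unsubscribe:
# List-Unsubscribe:
# List-Unsubscribe:
# List-Unsubscribe:
# List-Unsubscribe:
header List_Unsubscribe_www_mail_ru List-Unsubscribe =~ /^\s*$/
describe List_Unsubscribe_www_mail_ru Suspicious header List-Unsubscribe
score List_Unsubscribe_www_mail_ru 5.0

header ORG_Mail_ru Organization =~ /^\s*Mail\.ru$/
describe ORG_Mail_ru Mail.ru Organization
score ORG_Mail_ru 5.0

header ORG_b_konstruktor_com Organization =~ /^\s*b-konstruktor\.com$/
describe ORG_b_konstruktor_com Organization b-konstruktor.com
score ORG_b_konstruktor_com 5.0

header From_Manager_Arxon_Group From =~ /^\s*Manager Arxon Group/
describe From_Manager_Arxon_Group From: Manager Arxon Group
score From_Manager_Arxon_Group 5.0

header To_Recipients_www To =~ /^\s*Recipients $/
describe To_Recipients_www To: Recipients
score To_Recipients_www 5.0

# Display name "Элит Украина" with an address outside elit.ua. The lookahead
# is closed with ">" so that only the exact domain elit.ua is exempt; checking
# just the prefix also exempted any longer domain that begins with "elit.ua".
header FROM_ELIT_UKRAINE_FAKE_DOMAIN From =~ /^\s*Элит Украина <.+\@(?!elit\.ua>)/
describe FROM_ELIT_UKRAINE_FAKE_DOMAIN Fake sender domain
score FROM_ELIT_UKRAINE_FAKE_DOMAIN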
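0.1

# Malformed To/From/Cc values, named senders and disposable-address domains.
# The "# Header: value" comments before a rule are sample headers it targets.
#
# NOTE(review): this copy has lost its line breaks, and text that looked like
# an HTML tag (an angle bracket followed by a letter) appears to have been
# stripped, so some sample headers and one pattern below are incomplete.

# To: Recipients
# To: Recipients <>
header To_Recipients_no_addr To =~ /^\s*Recipients( <>)?$/
describe To_Recipients_no_addr Suspicious header To (sa-learn_candidate)
score To_Recipients_no_addr 5.0

# NOTE(review): the pattern below is cut off (no closing slash) and its
# describe/score lines are missing in this copy.
header To_Recipients To =~ /^\s*Recipients?

# Address with an empty local part: "<@host.tld>".
header Suspicious_From_malformed_mailbox From =~ /<\@\S+\.\S+>$/i
describe Suspicious_From_malformed_mailbox Suspicious header From
score Suspicious_From_malformed_mailbox 3.0

# Empty local part and a domain without any dot.
header Suspicious_From_malformed_addr_1 From =~ /<\@[^\.>]+>$/i
describe Suspicious_From_malformed_addr_1 Suspicious header From
score Suspicious_From_malformed_addr_1 3.0

# From: Loan Offer
# Only letters, dots and spaces, optionally followed by an empty "<>".
header Suspicious_From_malformed_addr_2 From =~ /^\s*[a-z\. ]+( <>)?$/i
describe Suspicious_From_malformed_addr_2 Suspicious header From
score Suspicious_From_malformed_addr_2 3.0

# From: <>
header Suspicious_From_malformed_addr_3 From =~ /^\s*<>$/i
describe Suspicious_From_malformed_addr_3 Suspicious header From
score Suspicious_From_malformed_addr_3 3.0

# Cc: You
header Suspicious_Cc_malformed_addr_2 Cc =~ /^\s*[a-z\. ]+( <>)?$/i
describe Suspicious_Cc_malformed_addr_2 Suspicious header Cc
score Suspicious_Cc_malformed_addr_2 3.0

# Organization: The Okrug Gazette
header ORG_Okrug_Gazette Organization =~ /^\s*The Okrug Gazette$/
describe ORG_Okrug_Gazette Message from The Okrug Gazette
score ORG_Okrug_Gazette 5.0

# Received: from gordeev1071.fvds.ru ([62.109.22.29] helo=902302.ru)
# by steelboxnetworks.ru with esmtpa (Exim 4.72)
# (envelope-from )
# id 1a3pmc-0007tD-9o
# for xxxxxxxxxxx@miacugra.ru; Tue, 01 Dec 2015 21:36:10 +0300
# Received: from gordeev10711.fvds.ru ([188.120.237.204] helo=safeev.ru)
# by orionosa.ru with esmtpa (Exim 4.72)
# (envelope-from )
# id 1a3wxj-0002tb-D8
# for xxxxxxxxxxx@miacugra.ru; Wed, 02 Dec 2015 05:16:07 +0300
# NOTE(review): Received tests are not limited to trusted relays, so this also
# matches Received lines written by earlier, untrusted hops.
header RECEIVED_gordeev10711_fvds_ru Received =~ /\bgordeev\d+\.fvds\.ru\b/
describe RECEIVED_gordeev10711_fvds_ru Message from gordeev[0-9]+.fvds.ru
score RECEIVED_gordeev10711_fvds_ru 4.0

# The optional suffix is the literal, unexpanded @SWIFT_VERSION_NUMBER@ token.
header X_Mw_Mailer_SwiftMailer X-Mw-Mailer =~ /^\s*SwiftMailer( - \@SWIFT_VERSION_NUMBER\@)?$/
describe X_Mw_Mailer_SwiftMailer MailWizz SwiftMailer (DSPAM_autolearn, already_read)
score X_Mw_Mailer_SwiftMailer 3.5
tflags X_Mw_Mailer_SwiftMailer mandatory_learn

header X_Mw_Mailer_PHPMailer X-Mw-Mailer =~ /^\s*PHPMailer$/
describe X_Mw_Mailer_PHPMailer MailWizz PHPMailer
score X_Mw_Mailer_PHPMailer 1.6

header FROM_ZARABOTAINA2016GOD Reply-To =~ /^\s*\S+\@zarabotaina2016god\.ru$/
describe FROM_ZARABOTAINA2016GOD Message from zarabotaina2016god.ru (DSPAM_autolearn, already_read)
score FROM_ZARABOTAINA2016GOD 4.0
tflags FROM_ZARABOTAINA2016GOD mandatory_learn

# From address whose domain is one of the listed disposable-mail domains.
header From_disposable_email_discard_email From =~ /\@(discard\.email|0815\.ru|abcz\.info\.tm|anotherdomaincyka\.tk|azazazatashkent\.tk|cachedot\.net|ckaazaza\.tk|cnn\.coms\.hk|dasdasdascyka\.tk|dfghj\.ml|discardmail\.com|discardmail\.de|fast-mail\.fr|fbi\.coms\.hk|freelance-france\.eu|freundin\.ru|hulapla\.de|immo-gerance\.info|instantmail\.fr|je-recycle\.info|jobbikszimpatizans\.hu|lolito\.tk|mail-easy\.fr|mail2\.info\.tm|mail2\.worksmobile\.ml|nike\.coms\.hk|pepsi\.coms\.hk|regspaces\.tk|s0ny\.net|spambog\.com|spambog\.de|spambog\.ru|sweetxxx\.de|teewars\.org|vaasfc4\.tk|visa\.coms\.hk|web-contact\.info|web-emailbox\.eu|webcontact-france\.eu|wfgdfhj\.tk|xy9ce\.tk|zaktouni\.fr|zeta-telecom\.com|zmail\.info\.tm)>?\s*$/
#describe From_disposable_email_discard_email Message from disposable e-mail address from http://discard.email/ (DSPAM_autolearn, already_read)
describe From_disposable_email_discard_email Message from disposable e-mail address from http://discard.email/
score From_disposable_email_discard_email 3.0
#tflags From_disposable_email_discard_email mandatory_learn

# The dot in yomail\.info is escaped like the other domains in the list;
# unescaped it matched any character in that position.
header From_disposable_email_dropmail_me From =~ /\@(dropmail\.me|10mail\.org|yomail\.info)>?\s*$/
#describe From_disposable_email_dropmail_me Message from disposable e-mail address from http://dropmail.me/ (DSPAM_autolearn, already_read)
describe From_disposable_email_dropmail_me Message from disposable e-mail address from http://dropmail.me/
score From_disposable_email_dropmail_me 3.0
#tflags From_disposable_email_dropmail_me mandatory_learn

# List-Unsubscribe: <[TUnsubscribeLink,9,DC,AE: Template ignored in non-PersonalCopy modes!]>
header TUnsubscribeLink List-Unsubscribe =~ /^\s*<\[TUnsubscribeLink,.+: Template ignored in non-PersonalCopy modes!\]>/
describe TUnsubscribeLink Spam template (DSPAM_autolearn, already_read)
score TUnsubscribeLink 8.0
tflags TUnsubscribeLink mandatory_learn

header FROM_FATE_CONTROL From =~ /<(info\@uprav-sudboy\.com|phurba\d+\@yandex\.ru|post-meditation\d+\@mail\.ru)>/
describe FROM_FATE_CONTROL Message from "Control yout fate"
score FROM_FATE_CONTROL 3.0

header FROM_FREE_TLD From =~ /\.(cf|ga|gq|ml|tk)>?$/
describe FROM_FREE_TLD Message from domain with free TLD
score FROM_FREE_TLD 1.5

# From: "i4b"
header FROM_I4B From =~ /^\s*"i4b"/
describe FROM_I4B Message from i4b (DSPAM_autolearn, already_read)
score FROM_I4B 5.0
tflags FROM_I4B mandatory_learn

# Organization: Art Week International
# Organization: Art Festival International
# Organization: Art Week International
# Organization: Art exhibition in the Ukrainian House
# Organization: Design & Fashion Festival
# Organization: World Art Exhibition & Contests
# Organization: Russian Art Week International
# Organization: Art Exhibition konkurs
header ORG_ART_WEEK Organization =~ /^\s*(Art Week International|Art Festival International|Art exhibition in the Ukrainian House|Design \& Fashion Festival|World Art Exhibition \& Contests|Russian Art Week International|Art Exhibition konkurs)$/
describe ORG_ART_WEEK Art Week (DSPAM_autolearn, already_read)
score ORG_ART_WEEK 3.0
tflags ORG_ART_WEEK mandatory_learn

# From: =?UTF-8?B?0KHQsNGI0LAg0KHQsNCx0L7QvdC+0LLQsA==?=
# From: =?UTF-8?B?0JzQsNGI0LAg0KHQsNC70YzQvdC40LrQvtCy0LA=?=
# From: =?UTF-8?B?0J3QsNC00Y8g0JrRgNGD0L/RgdC60LDRjw==?=
# From: noreply-15338976@list.ru
# From: noreply-14555582@mail.ua
# From: noreply-84055696@list.ru
# From: =?UTF-8?B?0JvQuNC30LAg0JrRg9GC0LrQuNC90LA=?=
# Local part "noreply-" plus 7 or 8 digits at one of the listed domains, with
# or without a display name in front.
header NOREPLY_MAIL_RU From =~ /^\s*(.*<)?noreply-\d{7,8}\@(mail\.ua|mail\.ru|list\.ru|bk\.ru|inbox\.ru)>?$/
describe NOREPLY_MAIL_RU Message from noreply-*@mail.ru
score NOREPLY_MAIL_RU 3.0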