dp-sa-rules

# A handful of custom SpamAssassin rules, tweaked to catch anything that gets
# through my SpamAssassin setup.
# Feel free to use if they're helpful to you.
#
# David Precious <davidp@preshweb.co.uk>


body        DP_ACAI   /acai/i
describe    DP_ACAI   Message body mentions Acai berry
score       DP_ACAI   3.5

body        DP_SHIP_WORLDWIDE  /We ship worldwide/i
describe    DP_SHIP_WORLDWIDE  Body mentions shipping worldwide
score       DP_SHIP_WORLDWIDE  2.5

body        DP_SEX_LIFE        /sex(ual)? life/i
describe    DP_SEX_LIFE        Body mentions sex life
score       DP_SEX_LIFE        3.0

body        DP_ENHANCE_YOUR    /enhance your/i
describe    DP_ENHANCE_YOUR    Body mentions enhancing your...
score       DP_ENHANCE_YOUR    3.0

body        DP_ONLINE_PHARMA   /on\W?line pharmacy/i
describe    DP_ONLINE_PHARMA   Body mentions online pharmacy
score       DP_ONLINE_PHARMA   3.0

header      DP_URGENT_SUBJ     Subject =~ /urgent/i
describe    DP_URGENT_SUBJ     Subject mentions urgent
score       DP_URGENT_SUBJ     2.5

header      DP_ASSISTANCE      Subject =~ /assistance needed/i
describe    DP_ASSISTANCE      Subject mentions assistance needed
score       DP_ASSISTANCE      2.3

body        DP_PAYMENT_OF      /payment of/i
describe    DP_PAYMENT_OF      Mentions a payment of
score       DP_PAYMENT_OF      1.8

body        DP_WISH_INTRO      /wish to introduce myself/i
describe    DP_WISH_INTRO      Body mentions wish to introduce myself
score       DP_WISH_INTRO      2.1

body        DP_IMF             /interational monetary fund/i
describe    DP_IMF             Mentions international monetary fund
score       DP_IMF             3.2

body        DP_FSA             /financial services authority/i
describe    DP_FSA             Mentions Financial Services Authority
score       DP_FSA             2.1

body        DP_BENEFICIARY     /beneficiary/i
describe    DP_BENEFICIARY     Mentions beneficiary
score       DP_BENEFICIARY     2.5

body        DP_SEND_INFO       /send the following info/i
describe    DP_SEND_INFO       Wants you to send info
score       DP_SEND_INFO       2.6

body        DP_ATM_CARD        /atm card/i
describe    DP_ATM_CARD        Mentions an ATM card
score       DP_ATM_CARD        3.0

body        DP_PAY_OFFICER     /payment officer/i
describe    DP_PAY_OFFICER     Mentions payment officer
score       DP_PAY_OFFICER     3.0

body        DP_CLAIM_AGENT     /claim agent/i
describe    DP_CLAIM_AGENT     Mentions claim agent
score       DP_CLAIM_AGENT     3.0

body        DP_ATTACH_WINNING  /attached to winning/i
describe    DP_ATTACH_WINNING  "attached to winning..."
score       DP_ATTACH_WINNING  3.0

body        DP_BATCH_NO        /batch n(o|umber)/i
describe    DP_BATCH_NO        Mentions a batch number (common in lotto scams)
score       DP_BATCH_NO        1.5

body        DP_REF_NO          /ref(erence)? n(o|umber)/i
describe    DP_REF_NO          Mentions a reference number (common in lotto scams)
score       DP_REF_NO          1.5

header      DP_SUBJ_CONGRAT    Subject =~ /Congrat(ulation|s)/i
describe    DP_SUBJ_CONGRAT    Congratulations in subject
score       DP_SUBJ_CONGRAT    1.2

body        DP_TO_CLAIM        /to claim your/i
describe    DP_TO_CLAIM        Mentions "to claim your..."
score       DP_TO_CLAIM        2.2

body        DP_FORM_YOURNAME   /Your(full |first |last )? name\s*:/i
describe    DP_FORM_YOURNAME   Form-like "Your name:"
score       DP_FORM_YOURNAME   1.5

body        DP_FRM_ADDRESS     /Address\s*:/i
describe    DP_FRM_ADDRESS     Form-like "Address:"
score       DP_FRM_ADDRESS     1.5

body        DP_FORM_NUMBER     /Number\s*:/i
describe    DP_FORM_NUMBER     Form-like "Number:"
score       DP_FORM_NUMBER     1.5

body        DP_CITYTOWN        /City\s*\/\s*town/i
describe    DP_CITYTOWN        Mentions "city/town"
score       DP_CITYTOWN        1.5

body        DP_ZIPCODE         /zip\s?code/i
describe    DP_ZIPCODE         Mentions a ZIP code
score       DP_ZIPCODE         1.0

header      DP_SUBJ_FROM       Subject =~ /^From/i
describe    DP_SUBJ_FROM       Subject starts with "From"
score       DP_SUBJ_FROM       2.0

body        DP_SIRMADAM        /Sir\/Madam/i
describe    DP_SIRMADAM        Contains "Sir/Madam" - very personal email
score       DP_SIRMADAM        1.8

body        DP_AGENT_NAME      /Agent Name/i
describe    DP_AGENT_NAME      Mentions "agent name"
score       DP_AGENT_NAME      2.0


body        DP_BOARD_OF        /board of/i
describe    DP_BOARD_OF        Mentions board of...
score       DP_BOARD_OF        2.6

body        DP_US_DOLLARS      /us dollars/i
describe    DP_US_DOLLARS      Mentions US dollars
score       DP_US_DOLLARS      2.5

body        DP_PROMO_CENTER    /promo(tion)? cent(re|er)/i
describe    DP_PROMO_CENTER    Mentions a "promo center"
score       DP_PROMO_CENTER    2.5

body        DP_CHOSEN_WINNER   /chosen as a winner/i
describe    DP_CHOSEN_WINNER   Mentions "chosen as a winner"
score       DP_CHOSEN_WINNER   2.8

body        DP_NUM_WORD        /\d+\s+\(\w+\)/i
describe    DP_NUM_WORD        Number then word (e.g. '6 (six)')
score       DP_NUM_WORD        1.8

body        DP_NUM_PAREN       /\(\d+\)/
describe    DP_NUM_PAREN       Number in parenthesis
score       DP_NUM_PAREN       1.8

body        DP_PROVIDE_INFO    /provide the following/i
describe    DP_PROVIDE_INFO    Provide the following info
score       DP_PROVIDE_INFO    2.5

body        DP_AWARDED         /you have been awarded/i
describe    DP_AWARDED         Mentions being awarded something
score       DP_AWARDED         2.5

body        DP_ATTACHED_TICKET /attached to ticket number/i
describe    DP_ATTACHED_TICKET Mentions attached to ticket (lottery spams)
score       DP_ATTACHED_TICKET 2.6

body        DP_COMP_SEL        /computeri[sz]ed (email )?selection/i
describe    DP_COMP_SEL        Mentions computerised selection
score       DP_COMP_SEL        2.4

body        DP_FROM_WWW        /from the world wide web/i
describe    DP_FROM_WWW        Mentions from the world wide web
score       DP_FROM_WWW        2.4

body        DP_WINNING_AMOUNT  /winning amount/i
describe    DP_WINNING_AMOUNT  Mentions winning an amount
score       DP_WINNING_AMOUNT  2.8

body        DP_RANDOM_SEL      /randomly selected/i
describe    DP_RANDOM_SEL      Mentions randomly selected
score       DP_RANDOM_SEL      2.6

body        DP_THOU_DOLLAR     /[\$£](\d{3},){2,}/
describe    DP_THOU_DOLLAR     Mentions large sum of dollars/pounds
score       DP_THOU_DOLLAR     2.8

body        DP_BIG_NUM         /[1-9]00,000/
describe    DP_BIG_NUM         Mentions x00,000... (common in lottery spam)
score       DP_BIG_NUM         2.4

body        DP_LUMP_SUM        /lump sum/i
describe    DP_LUMP_SUM        Mentions a lump sum
score       DP_LUMP_SUM        2.0

body        DP_YOU_ARE_REQ     /you are requested/i
describe    DP_YOU_ARE_REQ     You are requested...
score       DP_YOU_ARE_REQ     2.8

body        DP_CONTACT_AGENT   /contact (our )?agent/i
describe    DP_CONTACT_AGENT   Contact our agent..
score       DP_CONTACT_AGENT   2.6

body        DP_SEND_YOUR_WIN   /send your winning/i
describe    DP_SEND_YOUR_WIN   Send your winning ...
score       DP_SEND_YOUR_WIN   2.7

body        DP_SETTLEMENT_CNTR /settlement cent(er|re)/i
describe    DP_SETTLEMENT_CNTR Settlement centre
score       DP_SETTLEMENT_CNTR 2.8

body        DP_PRIZE_ADMIN     /prize administrator/i
describe    DP_PRIZE_ADMIN     Prize administrator
score       DP_PRIZE_ADMIN     3.0

header      DP_SUBJ_CONGRATS   Subject =~ /congratulations/i
describe    DP_SUBJ_CONGRATS   Congratulations in subject
score       DP_SUBJ_CONGRATS   2.5

body        DP_HAS_WON_YOU     /has won you/i
describe    DP_HAS_WON_YOU     Has won you...
score       DP_HAS_WON_YOU     2.8

body        DP_PAYMENT_APPR    /payment.+has been approved/i
describe    DP_PAYMENT_APPR    Payment has been approved
score       DP_PAYMENT_APPR    3.0

body        DP_SUM_OF          /the sum of/i
describe    DP_SUM_OF          The sum of...
score       DP_SUM_OF          2.0

body        DP_CONFIRM_IMM     /confirm immediately the following/i
describe    DP_CONFIRM_IMM     Confirm immediately the following...
score       DP_CONFIRM_IMM     2.7

body        DP_YOUR_FULL_NAME  /your full name/i
describe    DP_YOUR_FULL_NAME  Your full name/i
score       DP_YOUR_FULL_NAME  2.0

body        DP_ATTN            /Attn:/i
describe    DP_ATTN            Attn:
score       DP_ATTN            1.6

body        DP_DEBT_RELEASE    /debt release/i
describe    DP_DEBT_RELEASE    Debt release...
score       DP_DEBT_RELEASE    2.6

header      DP_WORK_WITH_US    Subject =~ /work (with|for) us/i
describe    DP_WORK_WITH_US    Work with us...
score       DP_WORK_WITH_US    2.0

body        DP_PROSP_EMP       /prospective employee/i
describe    DP_PROSP_EMP       Prospective employee
score       DP_PROSP_EMP       2.0

body        DP_BE_REP          /be one of our representatives/i
describe    DP_BE_REP          Be one of our representatives
score       DP_BE_REP          2.3

body        DP_EARN_A_COM      /earn a commission/i
describe    DP_EARN_A_COM      Earn a commission...
score       DP_EARN_A_COM      2.0

body        DP_DEDUCT_PC       /deduct \d+(%|percent)/i
describe    DP_DEDUCT_PC       Deduct a percentage
score       DP_DEDUCT_PC       1.8

body        DP_SEND_FOLLOWING  /(send|forward) the following/i
describe    DP_SEND_FOLLOWING  Send the following...
score       DP_SEND_FOLLOWING  1.9

body        DP_SUSPEND_ACCOUNT /(suspend your account|account will be suspended)/i
describe    DP_SUSPEND_ACCOUNT Account will be suspended...
score       DP_SUSPEND_ACCOUNT 2.8

full        DP_SUBJ_ACCESSED   /account was accessed by/i
describe    DP_SUBJ_ACCESSED   Account was accessed by...
score       DP_SUBJ_ACCESSED   2.8

body        DP_DOTS_DASHES     /[_.-]{6,}/
describe    DP_DOTS_DASHES     Long line of dots/dashes/underscores
score       DP_DOTS_DASHES     1.6

body        DP_YOU_WILL_EARN   /you will earn/i
describe    DP_YOU_WILL_EARN   You will earn...
score       DP_YOU_WILL_EARN   2.6

body        DP_MIL_OF_DOLLAR   /millions of dollars/i
describe    DP_MIL_OF_DOLLAR   Millions of dollars
score       DP_MIL_OF_DOLLAR   2.5

body        DP_YOU_HAVE_WON    /you have won/i
describe    DP_YOU_HAVE_WON    You have won...
score       DP_YOU_HAVE_WON    2.0

body        DP_WESTERN_UNION   /western union/i
describe    DP_WESTERN_UNION   Western Union is often dodgy
score       DP_WESTERN_UNION   2.0

body        DP_MONEY_TRANS     /money transfer/i
describe    DP_MONEY_TRANS     Money transfer...
score       DP_MONEY_TRANS     1.8

body        DP_UNITED_NATIONS  /united nation/i
describe    DP_UNITED_NATIONS  United Nations...
score       DP_UNITED_NATIONS  1.8

body        DP_SEC_GEN         /Secretary[ -]General/i
describe    DP_SEC_GEN         Secretary General...
score       DP_SEC_GEN         2.0

body        DP_COMMITTEE       /comm?itt?ee?/i
describe    DP_COMMITTEE       Committee
score       DP_COMMITTEE       1.5

body        DP_UNUSUAL_ACT     /(unusual|irregular) activity/i
describe    DP_UNUSUAL_ACT     Unusual activity
score       DP_UNUSUAL_ACT     1.8

body        DP_FOR_YOUR_PROT   /for your protection/i
describe    DP_FOR_YOUR_PROT   For your protection...
score       DP_FOR_YOUR_PROT   2.0

body        DP_ACTIVITY_ON_ACC /activity on your account/i
describe    DP_ACTIVITY_ON_ACC Activity on your account...
score       DP_ACTIVITY_ON_ACC 2.0

body        DP_YOU_MUST_VERIFY /you must verify/i
describe    DP_YOU_MUST_VERIFY You must verify...
score       DP_YOU_MUST_VERIFY 1.8

body        DP_REMOVE_RESTRICT /will remove any restrictions/i
describe    DP_REMOVE_RESTRICT Remove any restrictions...
score       DP_REMOVE_RESTRICT 2.0

body        DP_SIGN_INTO_IB    /sign into internet banking/i
describe    DP_SIGN_INTO_IB    Sign into internet banking...
score       DP_SIGN_INTO_IB    1.8

full        DP_ACC_WAS_ACCESSED /your account was accessed/i
describe    DP_ACC_WAS_ACCESSED Your account was accessed...
score       DP_ACC_WAS_ACCESSED 2.0

body        DP_MIL_GRD_ENC /Military Grade Encryption is Only the Start/i
describe    DP_MIL_GRD_ENC Military Grade Encryption is Only the Start...
score       DP_MIL_GRD_ENC 2.0

body        DP_NOTICED_LOGIN /We recently noticed .+attempts to log in/i
describe    DP_NOTICED_LOGIN We recently noticed attempts to log in
score       DP_NOTICED_LOGIN 2.0

body        DP_ACC_WAS_COMP /your account was compromised/i
describe    DP_ACC_WAS_COMP Your account was compromised, allegedly
score       DP_ACC_WAS_COMP 2.0

body        DP_IF_RIGHTFUL /if you are the rightfull? holder of/i
describe    DP_IF_RIGHTFUL If you are the rightful holder...
score       DP_IF_RIGHTFUL 2.0

body        DP_DOWNLOAD_FORM /download the form attached/i
describe    DP_DOWNLOAD_FORM Download the form attached
score       DP_DOWNLOAD_FORM 1.5

body        DP_WE_TRY_VERIFY /we try to verify your identity/i
describe    DP_WE_TRY_VERIFY We try to verify your identity.  We really do.
score       DP_WE_TRY_VERIFY 2.0

body        DP_SUSP_ACC /suspend your account/i
describe    DP_SUSP_ACC Suspend your account...
score       DP_SUSP_ACC 1.5



body        DP_SWEEPSTAKE_AW   /sweepstakes? award/i
describe    DP_SWEEPSTAKE_AW   Sweepstakes award
score       DP_SWEEPSTAKE_AW   2.5

body        DP_FUNDS_TRANS /funds transferr?ed/i
describe    DP_FUNDS_TRANS Funds transferred...
score       DP_FUNDS_TRANS 1.8

body        DP_MIL_DOLLARS /million.+thousand dollars/i
describe    DP_MIL_DOLLARS Thousands and missions (of dollars)
score       DP_MIL_DOLLARS 1.8

full        DP_MY_DEAR /My Dear,/i
describe    DP_MY_DEAR Don't call me baby^Wdear
score       DP_MY_DEAR 1.9

full        DP_DEAR_WINNER /Dear winner/i
describe    DP_DEAR_WINNER Dear winner...
score       DP_DEAR_WINNER 2.2

full        DP_PROMOTION /PROMOTION/
describe    DP_PROMOTION Promotion all in caps?  Sounds maybe dodgy
score       DP_PROMOTION 1

full        DP_YAHOO_PROMOTION /YAHOO PROMOTION/
describe    DP_YAHOO_PROMOTION Yahoo promotion?  Sure....
score       DP_YAHOO_PROMOTION 2.8

body        DP_EMAIL_FILE /email file/i
describe    DP_EMAIL_FILE Email file?  Who the hell says that?
score       DP_EMAIL_FILE 2.0

header      DP_TO_UNDISCLOSED To =~ /undisclosed recipients/
describe    DP_TO_UNDISCLOSED To undisclosed recipients
score       DP_TO_UNDISCLOSED 1.6

full        DP_PROPOSAL_FOR_YOU /I have a (business )?proposal/i
describe    DP_PROPOSAL_FOR_YOU I have a proposal for you
score       DP_PROPOSAL_FOR_YOU 1.4

full        DP_PROPOSAL_JUST_4U /proposal just for you/i
describe    DP_PROPOSAL_JUST_4U A proposal just for you
score       DP_PROPOSAL_JUST_4U 2.0

# Be careful, this isn't necessarily all that spammy
full        DP_MILLIONS /\d+,\d{3},\d{3}/
describe    DP_MILLIONS Contains a figure in the millions
score       DP_MILLIONS 1.2

# For me at least, millions of dollars are more spammy, though
full        DP_MILLIONS_DOLLARS /\$\d+,\d{3},\d{3}/
describe    DP_MILLIONS_DOLLARS Contains a figure of millions of dollars
score       DP_MILLIONS_DOLLARS 2.2

# Careful, this one will probably hit legitimate mails as well
body        DP_IF_YOU_NO_LONGER_WANT_SPAM /If you no longer wish to receive/i
describe    DP_IF_YOU_NO_LONGER_WANT_SPAM Offers unsubscribe instructions
score       DP_IF_YOU_NO_LONGER_WANT_SPAM 1.6

# Yes, I may be overweight; I can diet, you'll always be a spamming c**t.
body        DP_START_SLIMMING /start slimming/i
describe    DP_START_SLIMMING Start slimming?  Why don't you start dying?
score       DP_START_SLIMMING 3.0

full        DP_BANK_OF /bank of/i
describe    DP_BANK_OF "Bank of..."
score       DP_BANK_OF 1.5

full        DP_BANK_OF_NIGERIA /Bank of Nigeria/i
describe    DP_BANK_OF_NIGERIA "Bank of Nigeria"
score       DP_BANK_OF_NIGERIA 2.8

full        DP_DEPUTY_GOVERNOR /Deputy Governor/i
describe    DP_DEPUTY_GOVERNOR "Deputy Governor"
score       DP_DEPUTY_GOVERNOR 1.8

full        DP_FOREX /forex/i
describe    DP_FOREX "Forex"
score       DP_FOREX 1.8

full        DP_YOUR_FILE /your file/i
describe    DP_YOUR_FILE "Your file"
score       DP_YOUR_FILE 1.0

full        DP_RECV_YOUR_FUNDS /receive your (payment|fund)/i
describe    DP_RECV_YOUR_FUNDS 2.0

full        DP_BANK_OF_NIGERIA /Bank of Nigeria/i
describe    DP_BANK_OF_NIGERIA "Bank of Nigeria"
score       DP_BANK_OF_NIGERIA 3.4

full        DP_DEPUTY_GOVERNOR /Deputy Governor/i
describe    DP_DEPUTY_GOVERNOR "Deputy Governor"
score       DP_DEPUTY_GOVERNOR 1.8

full        DP_FOREX /forex/i
describe    DP_FOREX "Forex"
score       DP_FOREX 1.8

full        DP_YOUR_FILE /your file/i
describe    DP_YOUR_FILE "Your file"
score       DP_YOUR_FILE 1.0

full        DP_RECV_YOUR_FUNDS /Receive your (fund|payment)/i
describe    DP_RECV_YOUR_FUNDS "Receive your payment/funds"
score       DP_RECV_YOUR_FUNDS 3.0

body        DP_MY_NAME_IS /my name is/i
describe    DP_MY_NAME_IS "My name is..." (often seen in dating-type spam)
score       DP_MY_NAME_IS 2.8

body        DP_I_AM_LOOKING_FOR /I am looking for/i
describe    DP_I_AM_LOOKING_FOR "I am looking for..."
score       DP_I_AM_LOOKING_FOR 1.5

body        DP_LOOKING_FOR_DATING /I am looking for (?:a )?(?:male|friend|love|date)/i
describe    DP_LOOKING_FOR_DATING "I am looking for.." dating-type spam
score       DP_LOOKING_FOR_DATING 3.5

body        DP_WRITE_BACK /write (?:me )?back/i
describe    DP_WRITE_BACK "Write back..." (common in dating-type spam)
score       DP_WRITE_BACK 2.6

body        DP_FOREIGN_ASSISTANCE /foreign assistance/i
describe    DP_FOREIGN_ASSISTANCE "Foreign assistance"
score       DP_FOREIGN_ASSISTANCE 3.0

body        DP_RECEIVE_MONEY /receive (this|your)money/i
describe    DP_RECEIVE_MONEY "Receive your/this money"
score       DP_RECEIVE_MONEY 2.8

body        DP_WILLING_TO_HELP /willing to help me/i
describe    DP_WILLING_TO_HELP "Willing to help me..."
score       DP_WILLING_TO_HELP 1.8

body        DP_HELLO_FROM /Hello from/i
describe    DP_HELLO_FROM "Hello from..."
score       DP_HELLO_FROM 1.0

body        DP_HELLO_FROM /Hello from (Mr|Mister|Ms|Miss|Mrs)/i
describe    DP_HELLO_FROM "Hello from...Mr/Miss/etc"
score       DP_HELLO_FROM 1.8

body        DP_GOT_YOUR_DETAILS /got your (e?mail|contact|details)/i
describe    DP_GOT_YOUR_DETAILS "Got your details from..."
score       DP_GOT_YOUR_DETAILS 3.0

full        DP_DODGY_EMAIL_ADDRESSES /@(yahoo|live|hotmail)\./i
describe    DP_DODGY_EMAIL_ADDRESSES "Contains a webmail address common for spam"
score       DP_DODGY_EMAIL_ADDRESSES 2.2

full        DP_LOAN_OFFER /loan offer/i
describe    DP_LOAN_OFFER "Loan offer..."
score       DP_LOAN_OFFER 3.0

body        DP_MY_DEAREST /My Dear(est)?/i
describe    DP_MY_DEAREST "My Dearest... (that's not very dear)"
score       DP_MY_DEAREST 3.5

body        DP_PLEASE_WRITE_ME /Please write me/i
describe    DP_PLEASE_WRITE_ME "Please write me..."
score       DP_PLEASE_WRITE_ME 2.2

body        DP_MY_PICTURES /my pictures/i
describe    DP_MY_PICTURES "My pictures" (often seen in dating-type spam)
score       DP_MY_PICTURES 1.8

body        DP_HOMEBIZ /home biz/i
describe    DP_HOMEBIZ Mentions a "home biz"
score       DP_HOMEBIZ 2.0

body        DP_THISISREMARKABLE /This is (truly )?remarkable/i
describe    DP_THISISREMARKABLE "This is remarkable" - really?
score       DP_THISISREMARKABLE 1.5

body        DP_TOBEREMOVED /to be removed/i
describe    DP_TOBEREMOVED Contains "to be removed"
score       DP_TOBEREMOVED 1.0

body        DP_MARQUESBRIGHAM /Marques Brigham/
describe    DP_MARQUESBRIGHAM I received several spams from "Marques Brigham"
score       DP_MARQUESBRIGHAM 6.0

full        DP_FAKE_LOTTERY /(Google|Yahoo(\s?Mail)?|Microsoft|MSN|Coca.?Cola|Euro\s?Millions).{1,20}(Lottery|Award)/i
describe    DP_FAKE_LOTTERY Fake lotteries/awards using common company names
score       DP_FAKE_LOTTERY 5.0

full        DP_EMAIL_ACC_HOLDER /email account holder/i
describe    DP_EMAIL_ACC_HOLDER "Email account holder" - often seen in fake lottery scams etc
score       DP_EMAIL_ACC_HOLDER 3.7

full        DP_YOU_WON /you won/i
describe    DP_YOU_WON You won something
score       DP_YOU_WON 2.0

full        DP_BIG_MONEY /[\$£][0-9,.]{6,}/
describe    DP_BIG_MONEY Mentions a large amount of money
score       DP_BIG_MONEY 3.4

full        DP_INVESTMENT_OFFER /investment offer/i
describe    DP_INVESTMENT_OFFER Investment offers
score       DP_INVESTMENT_OFFER 3.2

full        DP_EMPLOYMENT_OPP /(career|employment) opportunity/i
describe    DP_EMPLOYMENT_OPP Employment/career opportunity
score       DP_EMPLOYMENT_OPP 3.6

full        DP_RECEIVE_PAYMENTS /receive payments/i
describe    DP_RECEIVE_PAYMENTS Receive payments
score       DP_RECEIVE_PAYMENTS 2.8

full        DP_ONLINE_CASINO /online casino/i
describe    DP_ONLINE_CASINO Online casinos
score       DP_ONLINE_CASINO 3.6

full        DP_REJECTED_TRANSACTION /rejected (\S+ )?transaction/i
describe    DP_REJECTED_TRANSACTION Rejected transactions
score       DP_REJECTED_TRANSACTION 3.5

full        DP_VIEW_ATTACHED /view (the )?attached/i
describe    DP_VIEW_ATTACHED "View the attached..."
score       DP_VIEW_ATTACHED 2.5

body        DP_GETBACKTOUS /get back to us/i
describe    DP_GETBACKTOUS Mentions "get back to us"
score       DP_GETBACKTOUS 2.3

header      DP_SUBJ_PROPOSAL Subject =~ /proposal/i
describe    DP_SUBJ_PROPOSAL "Proposal" in subject
score       DP_SUBJ_PROPOSAL 2.0

header      DP_FROM_BARRISTER From =~ /barrister/i
describe    DP_FROM_BARRISTER From a barrister, apparently
score       DP_FROM_BARRISTER 2.5

body        DP_EMAIL_ID /e-?mail id/
describe    DP_EMAIL_ID What's an "email id"?
score       DP_EMAIL_ID 2.8

body        DP_EMAIL_HAS /your e-?mail (address|id) has/i
describe    DP_EMAIL_HAS "your email address has..."
score       DP_EMAIL_HAS 2.8

body        DP_PROMOTION_MANAGER /promotion manager/i
describe    DP_PROMOTION_MANAGER Mentions a "promotion manager"
score       DP_PROMOTION_MANAGER 2.4

body        DP_TO_CLAIM_PRIZE /to claim (your|the) prize/i
describe    DP_TO_CLAIM_PRIZE "To claim your prize..."
score       DP_TO_CLAIM_PRIZE 3.0

body        DP_SEND_IT_TO /send it to/i
describe    DP_SEND_IT_TO "Send it to..." (common in lotto-type scams)
score       DP_SEND_IT_TO 1.6

header      DP_FROM_CLAIM From =~ /claim/i
describe    DP_FROM_CLAIM From address contains "claim"
score       DP_FROM_CLAIM 2.5

# What's an ACH transaction?
full        DP_ACH_TRANS /ACH trans(action|fer)/i
describe    DP_ACH_TRANS Mentions "ACH transaction/transfer"
score       DP_ACH_TRANS 3.4

full        DP_OTHER_FI /other financial institution/i
describe    DP_OTHER_FI "Other financial institution"
score       DP_OTHER_FI 1.8

body        DP_REJECT_REASON /reason for rejection/i
score       DP_REJECT_REASON 1.6

body        DP_WAS_REJECTED_BY /was rejected by/i
score       DP_WAS_REJECTED_BY 1.6

body        DP_ID_NUM /ID:\s*\d+/i
describe    DP_ID_NUM Contains "ID: xxx"
score       DP_ID_NUM 2.2

body        DP_WEBMAIL_HELP /webmail help\s*desk/i
describe    DP_WEBMAIL_HELP "Webmail help desk"
score       DP_WEBMAIL_HELP 2.5

body        DP_SYSAD /systemu? administrator/i
score       DP_SYSAD 1.2

full        DP_CANITRUSTYOU /Can I trust you/i
describe    DP_CANITRUSTYOU Asks if they can trust you (common in phishing)
score       DP_CANITRUSTYOU 2.7

full        DP_TITLECASE_LOTS /([A-Z][a-z]+ ){8,}/
describe    DP_TITLECASE_LOTS Lots Of Title Cased Words As Used By Retards
score       DP_TITLECASE_LOTS 2.8

full        DP_MAILBOX_EXCEEDED /mailbox has exceeded/i
describe    DP_MAILBOX_EXCEEDED Mailbox exceeded some limit
score       DP_MAILBOX_EXCEEDED 2.8

full        DP_YOUR_ADMINISTRATOR /your administrator/i
describe    DP_YOUR_ADMINISTRATOR "Your administrator" - you mean, me?
score       DP_YOUR_ADMINISTRATOR 1.8

header      DP_SUBJ_RESPOND Subject =~ /RESPOND/
describe    DP_SUBJ_RESPOND Subject contains "RESPOND"
score       DP_SUBJ_RESPOND 1.5

header      DP_REPLY_NEEDED Subject =~ /(Response|Reply) needed/i
describe    DP_REPLY_NEEDED Subject contains "Response/reply needed"
score       DP_REPLY_NEEDED 2.0

full        DP_MARKETING_LISTS /marketing lists/i
describe    DP_MARKETING_LISTS Mentions marketing lists
score       DP_MARKETING_LISTS 1.8

# often seen in "buy this spam list" spam
full        DP_EMAILS_IN_TOTAL /email(s| addresses) in total/i
describe    DP_EMAILS_IN_TOTAL Mentions total number of emails
score       DP_EMAILS_IN_TOTAL 1.5

full        DP_X_CAPSULES /\d+ (capsules|tabs)/i
describe    DP_X_CAPSULES Mentions x capsules/tabs
score       DP_X_CAPSULES 2.6

full        DP_EXTRA_CAPSULES /extra (capsules|tabs|tablets)/i
describe    DP_EXTRA_CAPSULES Mentions extra capsules/tabs/tablets
score       DP_EXTRA_CAPSULES 2.8

full        DP_PRICE_USD /[0-9.]+\s*USD/
describe    DP_PRICE_USD Contains a price in USD
score       DP_PRICE_USD 1.0


header      DP_SUBJ_REVIEW Subject =~ /review/i
describe    DP_SUBJ_REVIEW Subject contains "review"
score       DP_SUBJ_REVIEW -2.5

header      DP_SUBJ_PRODTEST Subject =~ /products? test/i
describe    DP_SUBJ_PRODTEST Subject contains "product test"
score       DP_SUBJ_PRODTEST -2.0


header      DP_SUBJ_ATTENTION Subject =~ /Attention:/i
describe    DP_SUBJ_ATTENTION Subject contains "Attention:"
score       DP_SUBJ_ATTENTION 1.0

header      DP_SUBJ_GIRLSWAITING Subject =~ /girls (are )?waiting/i
describe    DP_SUBJ_GIRLSWAITING Subject contains "girls waiting"
score       DP_SUBJ_GIRLSWAITING 6.0

header      DP_SUBJ_LIKETOMEET Subject =~ /would like to meet/i
describe    DP_SUBJ_LIKETOMEET Subject contains "would like to meet"
score       DP_SUBJ_LIKETOMEET 2.9


header      DP_SUBJ_EMAIL_STORAGE_WARNING Subject =~ /email storage (warning|limit|exceeded)/i
describe    DP_SUBJ_EMAIL_STORAGE_WARNING Subject contains "email storage warning" etc
score       DP_SUBJ_EMAIL_STORAGE_WARNING 4.0

full        DP_OUR_EMAIL_MARKETING /our email marketing/i
describe    DP_OUR_EMAIL_MARKETING Mentions "our email marketing"
score       DP_OUR_EMAIL_MARKETING 3.0

header    DP_DATING_CRAP_INSTAQUICKIE Subject =~ /(Insta(Quickie|Sex|Date|Cheat|Hookup|Affair|F??k)|SnapBangMsg|HotH00kup|SexiSnap|F..kBuddy|SnapF.ck)/
describe  DP_DATING_CRAP_INSTAQUICKIE "Various spammy dating site type cockends"
score     DP_DATING_CRAP_INSTAQUICKIE 9.0

full      DP_DATING_CRAP_LOOK_PICS /look (through|at) my (pics?|photos?)/
describe  DP_DATING_CRAP_LOOK_PICS "Look through my pics"
score     DP_DATING_CRAP_LOOK_PICS 4.5

full      DP_DATING_CRAP_H00KUP /h00kup/i
describe  DP_DATING_CRAP_H00KUP "Contains 'h00kup'"
score     DP_DATING_CRAP_H00KUP 5.0

full      DP_DATING_HORNY /horny/i
describe  DP_DATING_HORNY Contains 'horny'
score     DP_DATING_HORNY 3.2

full      DP_NEW_REQUEST_ALERT /new.{1,15}(request|alert|match)/i
describe  DP_NEW_REQUEST_ALERT "Contains 'new request' or 'new alert' etc"
score     DP_NEW_REQUEST_ALERT 1.6

full      DP_WANT_FUCK /want.{0,10}[fs].ck/
describe  DP_WANT_FUCK Want to fuck, etc
score     DP_WANT_FUCK 2.0

full      DP_MY_PICS /my.{1,10}pics/
describe  DP_MY_PICS See my pics, see my pics...
score     DP_MY_PICS 1.2

full      DP_IM_XXF /I.?m \d+\/F/
describe  DP_IM_XXF "Contains e.g. I'm 28/F"
score     DP_IM_XXF 2.5

full      DP_WANT_FUN /want to have some fun/
describe  DP_WANT_FUN "Contains 'want to have some fun'"
score     DP_WANT_FUN 2.2

full      DP_CHECKOUT_PROFILE /(see|look at|check\s?out|visit) my profile/
describe  DP_CHECKOUT_PROFILE "Contains e.g. 'check out my profile'"
score     DP_CHECKOUT_PROFILE 2.2

full      DP_BIGBOOBS /big b[o0]{2}bs/
describe  DP_BIGBOOBS "Mentions big boobs"
score     DP_BIGBOOBS 1.7

header    DP_PHPMAILER X-Mailer =~ /PHPMailer/
describe  DP_PHPMAILER "Sent with PHPMailer"
score     DP_PHPMAILER 1.5

full      DP_EGAGTROM /reverse mortgage/i
describe  DP_EGAGTROM "Talks about reverse mortgages"
score     DP_EGAGTROM 5.0

full      DP_ATM_CARD /ATM card/i
describe  DP_ATM_CARD "Talks about ATM cards (that's too US-centric)"
score     DP_ATM_CARD 4.0


full      DP_HERPES /herpes virus/
describe  DP_HERPES "Spam is the herpes of the Internet"
score     DP_HERPES 2.0

full      DP_HERPES_PROTOCOL /herpes protocol/
describe  DP_HERPES_PROTOCOL "Herpes protocol"
score     DP_HERPES_PROTOCOL 5.0

full      DP_LOOKING_FOR_LOAN /looking.+(finance|loan|mortgage)/
describe  DP_LOOKING_FOR_LOAN "Looking for loan/refinance etc"
score     DP_LOOKING_FOR_LOAN 4.0

header    DP_UPDATE_YOUR_ACCOUNT Subject =~ /up(date|grade) (your )?account/
describe  DP_UPDATE_YOUR_ACCOUNT "Update your account" etc
score     DP_UPDATE_YOUR_ACCOUNT 3.0


# Seeing a lot of RBC phish emails talking about "updating your account
# to the newly installed SSL servers" etc.
header    DP_NEWLY_INSTALLED_SSL_SERVER Subject =~ /installed ssl server/
describe  DP_NEWLY_INSTALLED_SSL_SERVER "talks about 'newly installed SSL server'
score     DP_NEWLY_INSTALLED_SSL_SERVER 3.5

header    DP_CHATURBATE From =~ /Chaturbate/i
describe  DP_CHATURBATE What a load of wank
score     DP_CHATURBATE 5.0



full      DP_DO_OR_DONT_DO /(don'?t (ever )?)?(do|eat) this/
describe  DP_DO_OR_DONT_DO "Do this ..(or don't do...)"
score     DP_DO_OR_DONT_DO 1.8

full      DP_NOTIFICATION_LETTER /notification letter/
describe  DP_NOTIFICATION_LETTER "notification letter"
score     DP_NOTIFICATION_LETTER 2.5

full      DP_GOOGLE_USER /Dear (Google|Microsoft) user/
describe  DP_GOOGLE_USER "Dear Google user"
score     DP_GOOGLE_USER 3.5

full      DP_TOENAIL_FUNGUS /toenail fungus/
describe  DP_TOENAIL_FUNGUS "Mentions toenail fungus (eww)"
score     DP_TOENAIL_FUNGUS 3.0

full      DP_WEIRD_TRICK /weird trick/
describe  DP_WEIRD_TRICK "weird tricks"
score     DP_WEIRD_TRICK 1.8


# Recent run of spam about Indigo credit - fuck off
header    DP_INDIGO_CREDIT Subject =~ /Indigo/
describe  DP_INDIGO_CREDIT "Mentions Indigo (spammy credit card company)"
score     DP_INDIGO_CREDIT 1.5

header    DP_THE_INDIGO_CARD Subject =~ /(with (the )?Indigo|Indigo.+card)/i
describe  DP_THE_INDIGO_CARD "Mentions Indigo credit card
score     DP_THE_INDIGO_CARD 4.0

header    DP_CREDIT_YOU_DESERVE Subject =~ /credit your? deserve/i
describe  DP_CREDIT_YOU_DESERVE "Give yourself the credit you deserve, etc"
score     DP_CREDIT_YOU_DESERVE 2.5


# I keep getting spam offering image editing, for some reason
header    DP_EDIT_PHOTOS Subject =~ /(edit.+(photo|image)|(photo|image).+edit)/i
describe  DP_EDIT_PHOTOS Subject mentions editing photos/images
score     DP_EDIT_PHOTOS 2.8


full      DP_IMAGE_EDITING_SERVICES /(photo|image) (editing )?services/i
describe  DP_IMAGE_EDITING_SERVICES Mentions image/photo editing services
score     DP_IMAGE_EDITING_SERVICES 3.8

full      DP_IMAGE_RETOUCHING /(photo|image|skin) re-?touch/i
describe  DP_IMAGE_RETOUCHING Mentions image retouching
score     DP_IMAGE_RETOUCHING 1.8

full      DP_CUTTING_OUT /(photo|image) (cutting|clipping)/i
describe  DP_CUTTING_OUT Mentions image cutting out/clipping
score     DP_CUTTING_OUT 1.8

full      DP_YOUR_PW_IS /your password is/i
describe  DP_YOUR_PW_IS Says your password is...
score     DP_YOUR_PW_IS 2.8

full      DP_YOUR_COMPUTER_INFECTED /your computer was infected/i
describe  DP_YOUR_COMPUTER_INFECTED Claims your computer was infected
score     DP_YOUR_COMPUTER_INFECTED 3.2

full      DP_COLLECTED_YOUR_DATA /I collected (all )?your (private )?data/i
describe  DP_COLLECTED_YOUR_DATA Claims to have collected your data
score     DP_COLLECTED_YOUR_DATA 3.2

full      DP_MAKE_AVG_OF /make an average of .{1,10}per/i
describe  DP_MAKE_AVG_OF Make an average of ...
score     DP_MAKE_AVG_OF 2.0

full      DP_SEND_BITCOINS /(send|transfer|fund).{1,10}bitcoin/i
describe  DP_SEND_BITCOINS Asks you to send BitCoin
score     DP_SEND_BITCOINS 2.2

full      DP_RECORDED_VIDEOS /video.{1,5}recorded of you/i
describe  DP_RECORDED_VIDEOS Mentions recorded videos of you
score     DP_RECORDED_VIDEOS 2.5

full      DP_SEND_TO_YOUR_CONTACTS /send the videos? to all your (contacts|friends)/i
describe  DP_SEND_TO_YOUR_CONTACTS Threatens to send video to all your contact
score     DP_SEND_TO_YOUR_CONTACTS 3.0

full      DP_MALWARE_GAVE_ME_ACCESS /My malware gave me full (access|control)/i
describe  DP_MALWARE_GAVE_ME_ACCESS My malware brings all the boys to the yard^W^W^W^W^W^W^Wgave me control
score     DP_MALWARE_GAVE_ME_ACCESS 3.0

full      DP_ACCESSED_YOUR_ACCOUNTS /I (got|gained|had) access to all your accounts/i
describe  DP_ACCESSED_YOUR_ACCOUNTS Claims to have gained access to accounts
score     DP_ACCESSED_YOUR_ACCOUNTS 3.0

full      DP_SENT_FROM_YOUR_ACCOUNT /I sent this message from your account/
describe  DP_SENT_FROM_YOUR_ACCOUNT Claims to have sent from your account
score     DP_SENT_FROM_YOUR_ACCOUNT 3.0

full      DP_SMALL_AMOUNT_FOR_SILENCE /small amount for my silence/
describe  DP_SMALL_AMOUNT_FOR_SILENCE Small amount for my silence blackmail
score     DP_SMALL_AMOUNT_FOR_SILENCE 3.0


full      DP_N1ghTm4r3 /N1ghTm4r3/i
describe  DP_N1ghTm4r3 "Contains 'N1ghTm4r3' - seen in lots of hacker blackmail spam"
score     DP_N1ghTm4r3 4.0

full      DP_RECORDED_YOU /recorded.{1,5}you masturbating/
describe  DP_RECORDED_YOU "Recorded you masturbating"
score     DP_RECORDED_YOU 4.0

header    DP_REPLY_TO_ALIYUN Reply-To =~ /.+\@aliyun.com/
describe  DP_REPLY_TO_ALIYUN Seen lots of spam using fake From and *@aliyun.com for Reply-To
score     DP_REPLY_TO_ALIYUN 100

header    DP_SUBJECT_JOE_WHO Subject =~ /Joe Vitale/
describe  DP_SUBJECT_JOE_WHO "NEW: Joe Vitale's Ho'oponopono Certification" - what?
score     DP_SUBJECT_JOE_WHO 5.0

header    DP_FREE_GUN_HOLDER Subject =~ /Complimentary Gun Holder/i
describe  DP_FREE_GUN_HOLDER Free gun holder?  Why would I want that?
score     DP_FREE_GUN_HOLDER 5.0

header    DP_DO_THIS_TO Subject =~ /(Do|Eat) THIS (one thing )?to/i
describe  DP_DO_THIS_TO Do THIS to get in my spam folder.
score     DP_DO_THIS_TO 3.8

header    DP_DO_THIS_TO Subject =~ /pursue money/i
describe  DP_DO_THIS_TO Spammers move to pursue money.
score     DP_DO_THIS_TO 2.5

header    DP_DO_THIS_TO Subject =~ /owed to you/i
describe  DP_DO_THIS_TO Money owed?  Yeah, right.
score     DP_DO_THIS_TO 2.5

header    DP_QUICK_CALL_TO Subject =~ /quick call to improve your business/
describe  DP_QUICK_CALL_TO A quick spam to annoy your business
score     DP_QUICK_CALL_TO 3.0

# Seen an awful lot of DocuSign spam lately, e.g.:
# "You received invoice from DocuSign Electronic Signature Service"
# "You got invoice from DocuSign Electronic Service"
# "You got notification from DocuSign Electronic Service"
# "Please DocuSign. Document for signature."
#
# Don't use this if you actually expect to receive documents to sign via
# DocuSign who I believe are a legit company.
header    DP_DOCUSIGN Subject =~ /docusign/i
describe  DP_DOCUSIGN DocuSign in subject
score     DP_DOCUSIGN 6.0


# Unlikely to want to be sent Windows executables, bat files etc:
full     DP_UNWANTED_ATTACH_TYPES /Content-Disposition:.+filename=".+(exe|bat|cmd|scr)"/
describe DP_UNWANTED_ATTACH_TYPES Windows executable type attachment
score    DP_UNWANTED_ATTACH_TYPES 4.0




# these depend on Mail::SpamAssassin::Plugin::RelayCountry :
header          RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
describe        RELAYCOUNTRY_CN Relayed through China
score           RELAYCOUNTRY_CN 4.0

header          RELAYCOUNTRY_RU X-Relay-Countries =~ /RU/
describe        RELAYCOUNTRY_RU Relayed through Russian Federation
score           RELAYCOUNTRY_RU 4.0