#LAST UPDATED 01/20/2011
#IMPORTANT NOTE: SEE THE "UPDATE EVERY YEAR" DATE RULE IN THE HEADERS SECTION
#SKIPIFWEIGHT is disabled (commented out) - presumably it would skip this file once a message already carries that weight; confirm against the filter engine's documentation.
#SKIPIFWEIGHT	25
#MAXWEIGHT presumably caps the total weight this file can add to one message.
#NOTE(review): several rules below carry weight 30, above this cap of 20 - confirm whether the cap or the rule weight wins.
MAXWEIGHT	20

#-------------------------------------------------------------------#
#	EXCEPTIONS		 				    #
#-------------------------------------------------------------------#

#Both active rules use END where other rules have a weight. Under the EXCEPTIONS banner that presumably stops the rest of this file from being applied to the message - confirm against the filter engine's documentation.
#GOOD-REVDNS, BONDEDSENDER and IADB are test names that are not defined in this file.
TESTSFAILED	END	PCRE	(GOOD-REVDNS|BONDEDSENDER|IADB)
#NOTE(review): the envelope sender is chosen by the sending party, and this pattern is unanchored: it matches any address with lower-case "bounce" somewhere before an "@".
#If END exempts the message, that address shape alone exempts mail from every rule below. Consider tying the exemption to a verified sending host rather than to the address text.
MAILFROM	END	PCRE	(bounce.*@)
#Disabled rule: would have applied END to bodies carrying the Microsoft Word HTML generator meta tag.
##BODY		END	PCRE	(?im:meta name.{3,10}Generator content.{3,10}Microsoft Word)

#-------------------------------------------------------------------#
#	HEADERS			 				    #
#-------------------------------------------------------------------#

#Matches text beginning "<" followed by groups of hex digits separated by "$" - presumably a generated Message-ID shape.
#NOTE(review): each separator is written \$$ (an escaped dollar followed by a bare one). In plain PCRE the bare $ is an end-of-subject anchor, and with hex digits required after it the pattern could never match.
#The VARIABLE section escapes both dollars (\$\$TRACK\$\$). Confirm how the engine reads \$$ and test this rule against a sample header.
HEADERS		3	PCRE (^<(0000[0-9a-f]{8}\$$0000[0-9a-f]{4}\$$0000[0-9a-f]{4}|[0-9a-f]{12}\$$[0-9a-f]{7}[1-9a-f]\$$[0-9a-f]{8}))


#Markers left in the headers by other filters or by sending software. The patterns are unanchored, so each one matches wherever its text appears in the header data.
#NOTE(review): these headers arrive with the message and are not authenticated. Using them to add weight is safe; they should never be used to subtract weight or to exempt a message.
#X-Spam-Flag alone reaches MAXWEIGHT (20).
HEADERS		20	PCRE (?i:X-Spam-Flag:.?YES)
HEADERS		10	PCRE (?i:X-FB-OUTBOUND-SPAM: yes)
HEADERS		10	PCRE (?i:X-Spam-Status: Yes)
HEADERS		5	PCRE (?i:SUSPICIOUS_RECIPS)
HEADERS		8	PCRE (?i:Precedence: junk)
#%OE_VERSION%OE_SUBVERSION is matched as literal text - it looks like a template placeholder that the sending tool failed to fill in. Case-sensitive.
HEADERS		10	PCRE (%OE_VERSION%OE_SUBVERSION)
HEADERS		1	PCRE (?i:PowerMTA\(TM\))

#1-3 Words in X-Mailer Field
#NOTE(review): the .* after "X-Mailer" lets any text precede the counted words, so the rule does not limit the field to three words. It matches whenever the line ends in one to three 4-12 letter words, each followed by a single space - including a trailing space after the last word.
HEADERS		1	PCRE	(?im:X-Mailer.*([a-z]{4,12} ){1,3}$)

#!!UPDATE EVERY YEAR!! CURRENTLY SET 2011
#Scores a Date: line whose year is 19xx, 200x, 2010 or 2012-2019, i.e. every year in those ranges except 2011.
#NOTE(review): if the 201[02-9] class is not changed when the year rolls over, correctly dated mail from 2012-2019 gains 5 points, and years from 2020 on are not matched at all.
#"Date:" is unanchored, so any header whose name ends in "Date:" can match as well - confirm that is intended.
HEADERS		5	PCRE (?im:Date:.{5,20}(201[02-9]|19[0-9]{2}|200[0-9]))

#-------------------------------------------------------------------#
#	SUBJECT			 				    #
#-------------------------------------------------------------------#
#"$" plus a digit, or "gift", followed anywhere later in the subject by "card".
SUBJECT		8	PCRE	(?i:(\$[0-9]|gift).*card)
#NOTE(review): "save" followed anywhere later by a digit. There is no word boundary, so words that merely contain "save" match too; expect hits on ordinary subjects.
SUBJECT		5	PCRE	(?i:(save).*?[0-9].*)
#Four underscores in a row, each optionally preceded by letters or digits (a_b_c_d_ as well as ____).
SUBJECT		5	PCRE	(?i:([A-Z0-9]*_){4})

#GAPPY
#Four letters in a row, each followed by one to three repeats of a single separator character (punctuation or space), e.g. "f-r-e-e-". The separator may differ from letter to letter.
#The same pattern is applied to SUBJECT (weight 8) and to ANYWHERE (weight 1).
#NOTE(review): if ANYWHERE also covers the subject line, a gappy subject scores 9 - confirm against the engine's scope definitions.
SUBJECT		8	PCRE	(?i:\b(?:[a-z]([-_. =~\/:,*!\@\#\$\%\^&+;\"\'<>\\])\1{0,2}){4})
ANYWHERE	1	PCRE	(?i:\b(?:[a-z]([-_. =~\/:,*!\@\#\$\%\^&+;\"\'<>\\])\1{0,2}){4})
#Six to fifteen single letters, each followed by one whitespace character.
ANYWHERE	5	PCRE	(?i:([a-z]\s){6,15})

#Phrase "Gift Card Offer", allowing one arbitrary character (or none) between "Gift" and "Card".
BODY		10	PCRE	(?i:Gift.?Card Offer)

#QUOTE
#"free", then one or more of instant / express / online / no obligation, then the word "quote" within the next 32 characters.
ANYWHERE	5	PCRE	(?i:free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote)

#-------------------------------------------------------------------#
#	SIGNATURE		 				    #
#-------------------------------------------------------------------#
#Each of the next three rules carries weight 20, which equals MAXWEIGHT on its own.
#"Exit:" at the end of a line with the next line starting "http:".
BODY		20	PCRE	(?i:Exit:\r\nhttp:)
BODY		20	PCRE	(?i:\[Message clipped\] \<A href)
#NOTE(review): "Rx" is matched case-insensitively with no word boundary, so any "rx" inside a longer word followed on the same line by ">" and later "http://" matches. At weight 20 this deserves a false-positive check against legitimate HTML mail.
BODY		20	PCRE	(?im:Rx.+>.+http://)

#Greeting followed within 30 characters by "@" and a non-space character, i.e. a salutation that embeds an e-mail address.
BODY		15	PCRE	(?i:(?:Hello|Dear)\b.{0,30}@\S)
#".33 " followed by an e-mail address.
BODY		15	PCRE	(?i:\.33 (\b[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b))
#Signature delimiter line ("--" plus one whitespace character) followed by a line of 35 lower-case letters. Case-sensitive.
BODY		15	PCRE	(?:--\s\r\n[a-z]{35})
#Link whose href is a bare IPv4 address while the visible link text starts "http://www": the displayed and actual destinations differ.
BODY		15	PCRE	(href="http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/">http://www)
BODY		15	PCRE	(?i:ul style="list-style-image:url.http://.*;color:white)
BODY		15	PCRE	(?i:alt="IMAGES MUST BE ENABLED!")

#"<" immediately followed by digit, ";", digit, then any text up to a ">" on the same line.
BODY		12	PCRE	(<[0-9];[0-9].*>)

#Two runs of 60-90 whitespace characters, each ending in "=", separated by a carriage return.
BODY		10	PCRE	(?i:\s{60,90}=\r\s{60,90}=)
#Two fixed image-link templates. The dots in ".htm", ".gif" and "com/" are unescaped and therefore match any character.
BODY		10	PCRE	(?i:<br><center><a href="http://.*com/[0-9]{5,}_[0-9a-z]{5,}.htm"><img src="http://.*com/images/[0-9]{5,}_[0-9a-z]{5,}.gif" border="0"></a></center>)
BODY		10	PCRE	(?i:<a href="http://[\w]+.{3,6}/./.[\w]+\.[\w]{2,4}"><img border="0" src="http://[\w]+.{3,6}/./.[\w]+\.[\w]{3}"/></a></center>)
#Call-to-action word followed within 50 characters by a URL whose host is a bare IPv4 address.
#NOTE(review): the words have no boundaries and are case-insensitive, so short ones such as "Go", "try" and "link" also match inside longer words; in practice most IP-literal URLs preceded by text will score.
BODY		10	PCRE	(?i:(look|check|click|enjoy|free|play|try|login|link|Go|follow|paste).{0,50}http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))
BODY		10	PCRE	(size='1'\>\<[0-9]{1,2};[0-9].{10,26}\>)
#Text of the form "--=_x...--" followed by a blank line and a lone "." at the end - presumably a closing MIME boundary followed by the end-of-message marker.
BODY		10	PCRE	((--\=_[a-z].*--)\r\n\r\n\.$)
#HTML comment of 800 or more characters containing neither "{" nor "<".
BODY		10	PCRE	(?i:\<!--[^{<]{800,}--\>)
#"//" followed by 900 or more characters other than "<", then "//>".
BODY		10	PCRE	(?i://[^<]{900,}//\>)
BODY		10	PCRE	(?i:\.(com|net|info)/t/c/)
#URL file names of the form <digits>_<token>.htm. The dot before "htm" in the first rule is unescaped.
BODY		10	PCRE	(?im:http://.*/[0-9]{4}_[a-z0-9]{10,15}.htm)
BODY		10	PCRE	(?im:http://.*/[0-9]{2,4}_[0-9]_[0-9]{2,7}_[A-Z0-9]+\.htm)

#Two words each joined internally by one of - _ = ? ~, then whitespace, another word, and two dots or commas.
BODY		10	PCRE	(?im:([a-z]+[-_=?~][a-z]+){2}\s[a-z]+(\s)?[\.,]{2})
#Disabled rule.
#BODY		5	PCRE	(?im:(?i:([a-z]+[-_~?!]){4}))

#A lone "." on its own line directly after "td>" or after a short .com/.net URL.
BODY		8	PCRE	(?i:td\>(\r\n|\s){1,3}\.(\r\n){1,2})
BODY		8	PCRE	(?i:http://.{0,15}\.(com|net)/?(\r\n){3}\.)
#Image link where both the href and the image src have the shape host/<single letter>/<name>.<ext>.
#NOTE(review): [\w-_] puts a hyphen between a class escape and "_". PCRE2 documents this as a compile error; older PCRE treats the hyphen as literal. Confirm the rule compiles on the engine in use, or write the class as [\w-].
BODY		8	PCRE	(?i:<a href="https?://(www.)?[\w]+\.(([a-z]{2,3})?\.?([a-z]{2,5})/[a-z]/[\w-_]+\.[a-z]{2,5}).{8,}.src="https?://(www.)?[\w]+\.(([a-z]{2,3})?\.?([a-z]{2,5})/[a-z]/[\w-_]+\.(gif|jpg|png)"\s))

#URL path made of a long hex string (37-38 characters in an href, 30-40 in any URL). An href that satisfies the first rule can satisfy the second as well, scoring 16.
BODY		8	PCRE	(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)
BODY		8	PCRE	(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))

#One or two letters (any letter except "b") alone between font tags.
BODY		5	PCRE	(?i:font>(\W)?[ac-z]{1,2}(\W)?</?font)
#A <style> or <pre> block of 999 or more characters, unless a block containing "MsoNormal" starts at the same position.
#NOTE(review): [.\S\W] matches every character including line breaks, and the pattern has three long runs of it, two inside the lookahead. On a large body with many <style>/<pre> tags this can backtrack heavily. Message bodies are untrusted input: confirm the engine enforces a match or backtrack limit, or bound the runs.
BODY		5	PCRE	(?:(?!<(style|pre)>[.\S\W]+MsoNormal[.\S\W]+</?(style|pre)>)(<(style|pre)>[.\S\W]{999,}</?(style|pre)>))
BODY		5	PCRE	(?i:\s{5}(f|r)\r\n.Unsubscribe\b)
BODY		5	PCRE	(?i:\s{5}Click here:\r\n\s\r\n\shttp://)
BODY		5	PCRE	(?i:html\>\r\n\s\r\n\.)
#HTML comment that opens directly with "www" or "http".
BODY		5	PCRE	(?i:<!--(www|http))
#"http://www" followed by whitespace: a URL broken after "www".
BODY		5	PCRE	(?im:http://www\s)
BODY		5	PCRE	(?i:</html>\r\n\s?\r\n\.(\r\n){0,3})
#"free" within 20 characters of a URL whose host is a bare IPv4 address.
BODY		5	PCRE	(?i:free.{0,20}http://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))
#Two specific MIME boundary name shapes.
#NOTE(review): the pattern ends in $$. In plain PCRE that is two end anchors in a row; confirm whether the engine gives $$ a different meaning.
BODY		3	PCRE 	(boundary="(=+xymMimeex22ader|[0-9A-Za-z]+---Minemindfxxyf)[0-9A-Za-z]+=+"$$)
BODY		3	PCRE 	(?im:<a.*>(\r\n){2,3}$)
BODY		3	PCRE 	(?im:(\r\n)<a.*http.*(border="0">)(\r\n){2,3})
BODY		3	PCRE 	(?i:<title>Email message for)


#TEST http://storehousesolution.com/c/SomQvRgsKJktpsUM3SRWDQ.html
#URL shape: host, a single-letter path segment, then a file name of 10 or more word characters or hyphens ending in .htm or .html. The URL above is the sample the rule was written against.
#This rule alone reaches MAXWEIGHT (20).
BODY		20	PCRE 	(?i:(https?|www).{0,50}.\.(([a-z]{0,2}\.)?[a-z]{2,4})/[a-z]/(\w|-){10,}\.html?)

#STYLE
#<style> block of 2000 or more characters. No "s" flag is set, so the whole block must sit on one line for "." to span it.
BODY		10	PCRE	(?i:<style>.{2000,}</?style>)
#<style> block holding only word characters, whitespace and dots.
BODY		7	PCRE	(?i:<style>([\w\d\s\.]{2,}?)</?style>)
BODY		7	PCRE	(?i:<style> />\s)
#"<style>" immediately followed by "/". Case-sensitive.
BODY		5	PCRE	(\<style\>\/)

#PATTERN
#Uses CONTAINS rather than PCRE - presumably a plain substring test for the five characters <-*->, with "*" taken literally; confirm against the filter engine's documentation.
BODY	20	CONTAINS	<-*->

#-------------------------------------------------------------------#
#	OBFUSCATION ENCODING 			  		    #
#-------------------------------------------------------------------#
#Five consecutive numeric HTML character references (&#NNN; with 3-5 digits): text written as entities instead of plain characters.
BODY		10	PCRE 	(?:(&#[0-9]{3,5};){5})
#Five letters in a row, each followed by one to three separator characters.
BODY		2	PCRE	((?i:[A-Z]([;:'., \- _]{1,3})){5})

#-------------------------------------------------------------------#
#	OTHER		 			  		    #
#-------------------------------------------------------------------#

#ENTIRE BODY IN CAPS
#Matches a run of 300 characters, each an upper-case letter, a digit or a non-word character, between word boundaries and not starting at "=".
#NOTE(review): the run is not required to contain any letters, so 300 characters of digits, punctuation and whitespace match as well; the rule is broader than its title.
BODY		7	PCRE 	(\b(?!=)([A-Z0-9]|\W){300}\b)

#ADDRESS OBFUSCATION FOR US STATES
#A single upper-case letter between two pipe characters.
BODY		3	PCRE 	(\|[A-Z]\|)

#-------------------------------------------------------------------#
#	URL		 			  		    #
#-------------------------------------------------------------------#
#Host name containing 7 (or 6) consecutive consonants; "y" is not in the consonant list. [^/\s]* keeps the match in front of the first "/" after the scheme.
#A host with seven consecutive consonants matches both rules and scores 7.
BODY		4	PCRE	(?i:https?://[^/\s]*[bcdfghjklmnpqrstvwxz]{7})
BODY		3	PCRE	(?i:https?://[^/\s]*[bcdfghjklmnpqrstvwxz]{6})

BODY		10	PCRE	(?im:http://.*/c/[cuv]/[0-9])

#Every group around "geocities" has an empty alternative, so this rule reduces to a case-sensitive match on the word "geocities" anywhere in the body.
BODY		7	PCRE	(([abcdefghikprstulmnox]{2,7}\.|)geocities(\.yahoo|)(\.com|)(\.[abcdefghikprstulmnox]{2,7}|)(\.uk|))
#Named hosting domains. Case-sensitive.
BODY		3	PCRE	(?:(50megs|tripod|150m|freespaceusa|012webpages|9cy)\.com)
#Weight 30 is above MAXWEIGHT (20).
BODY		30	PCRE	((jesse-solutions|gem-stud)\.com)
#NOTE(review): a single ordinary word anywhere in the body; expect hits on legitimate mail.
BODY		5	PCRE	(?i:Bellagio)
#Link that passes through the search.aol.com redirector with another URL as its target, so the visible host is not the final destination.
BODY		5	PCRE	(?i:http://search\.aol\.com/aol/redir\?clickedItemURN=http://)

#FREE DOMAIN - REPORT http://www.co.cc/prosecution/prosecution.php
#The same ".co.cc" test is applied to the body, the reverse-DNS name and the envelope sender; a message matching all three scores 9.
#NOTE(review): nothing is required after ".co.cc", so longer strings that merely start with it match too.
BODY		3	PCRE	(?i:\.co\.cc)
REVDNS		3	PCRE	(?i:\.co\.cc)
MAILFROM	3	PCRE	(?i:\.co\.cc)	

#-------------------------------------------------------------------#
#	DOMAIN EXTENSIONS		 			    #
#-------------------------------------------------------------------#
#"http://" or "www", then 4-10 arbitrary characters, then a dot and one of the listed extensions.
#NOTE(review): nothing is required after the extension, so ".us" also matches the start of a longer label, and the 4-10 character window skips longer host names. Low weights limit the effect, but expect both misses and false hits.
BODY		2	PCRE	(?i:(http://|www).{4,10}\.(biz|us|info|name|ws|cd))
BODY		4	PCRE	(?i:(http://|www).{4,10}\.(hk|cn|ru))

#-------------------------------------------------------------------#
#	MISCELLANEOUS			 			    #
#-------------------------------------------------------------------#
#Named senders and products. A single mention anywhere in the message reaches MAXWEIGHT (20).
ANYWHERE	20	PCRE	(?i:(MyDishNow|iDishDirect|4CarWarranty|PC Bug Doctor|DirectDish|AccuQuote|OnlineDataDirect|Dish.?Network))

#The next four rules are case-sensitive.
BODY		5	PCRE	(As Seen on TV!)
BODY		2	PCRE	(GiftCards?)
#"Dear" followed by at most two characters and a comma: a salutation with no name filled in.
BODY		15	PCRE	((Dear).{0,2},)
BODY		10	PCRE	(Dear Friend!)
#Instructions telling the reader to rebuild a link by hand. Each rule alone reaches MAXWEIGHT (20).
BODY		20	PCRE	(?i:Remove spaces in the above link)
BODY		20	PCRE	(?i:Just type www\s)

#-------------------------------------------------------------------#
#	FREE				 			    #
#-------------------------------------------------------------------#
#NOTE(review): as written this matches the literal text "/bfr", zero to two "3" characters, then "/b". The "/b" pair looks like a mistyped \b word boundary and (|3) like a mistyped (e|3); confirm the intent and test the rule before relying on it.
BODY		10	PCRE	(?i:/bfr(|3){2}/b)
#Obfuscated spellings of "free": the letters f, r, e, e with an optional non-word character between them. The (?!free) lookahead skips the plain spelling.
#The second rule also allows "_" as a separator. Text such as "f.r.e.e" matches both rules and scores 17.
BODY		10	PCRE	(?i:(?!free)(\bf\W?r\W?e\W?e\b))
BODY		7	PCRE	(?i:(?!free)\b(f(\W?|_)r(\W?|_)e(\W?|_)e\b))
#Case-sensitive literal.
BODY		5	PCRE	(100% FREE)
#"free" with an asterisk directly after or before it.
BODY		4	PCRE	(?i:free\*)
BODY		4	PCRE	(?i:\*free)

#-------------------------------------------------------------------#
#	VARIABLE			 			    #
#-------------------------------------------------------------------#
#Literal placeholder tokens - presumably template variables that a bulk-mailing tool failed to substitute before sending. All of these rules are case-sensitive.
BODY	10	PCRE		(\$\$TRACK\$\$)

#The trailing "." in %RND. and //random. is unescaped and matches any character.
BODY	5	PCRE		(%RND.)
BODY	5	PCRE		(- random comment -)
BODY	5	PCRE		(%RANDOM_WORD)
BODY	5	PCRE		(//random.)
BODY	5	PCRE		(\[RANDOMIZE\])
#NOTE(review): RANDOM_ is a substring of %RANDOM_WORD above, so that token scores twice.
BODY	5	PCRE		(RANDOM_)
BODY	5	PCRE		(ENCODED_ALL_RECIPIENT)
BODY	5	PCRE		(\{BODY_TEXT\})
BODY	5	PCRE		(\{name_url\})

#-------------------------------------------------------------------#
#	REDIRECT			 			    #
#-------------------------------------------------------------------#
#"redir" or "redirect" within 30 characters after "http:". The separator and php/cgi/asp parts are optional, so the word alone is enough. Case-sensitive.
BODY	5	PCRE	((?<=http:).{0,30}redir(ect)?.{0,3}(php|cgi|asp)?)
#Google ad click-tracking path. The dots are unescaped, and the final "?" makes the "k" optional rather than matching a literal question mark.
BODY	5	PCRE	(?i:google.co.{3,5}/pagead/iclk?)

#-------------------------------------------------------------------#
#	MASK				 			    #
#-------------------------------------------------------------------#

#Each rule in this section matches a keyword spelled with optional non-word characters (and in some rules "_") between its letters, or with look-alike characters such as 0 for o and 1, !, | for i or l.
#The leading negative lookahead skips the plain spelling, so only disguised forms score.
#NOTE(review): \W also matches a space or a line break, so an ordinary word split across whitespace can match; check the rules against legitimate mail.

#CHEAP
BODY	7	PCRE	(?i:(?!cheap)\b(c\W?h\W?e\W?a{1,2}\W?p\b))

#CLICK
BODY	7	PCRE	(?i:(?!click)\b(c(\W?|_)[|l1!](\W?|_)[|li1!](\W?|_)c(\W?|_)k\b))

#PRICE
BODY	10	PCRE	(?i:(?!price)\b(p\W?r\W?[|li1!]\W?c\W?e\b))

#ORDER
BODY	7	PCRE	(?i:(?!order)\b((o|0)\W?r\W?d\W?e\W?r\b))

#REMOVE
BODY	10	PCRE	(?i:(?!remove)\b(r\W?(e|3)\W?m\W?(o|0)\W?v\W?(e|3)\b))

#ONLINE
BODY	5	PCRE	(?i:(?!on.?line)\b[o0](\W?|_)n(\W?|_)[\|l1\!](\W?|_)[|li1!](\W?|_)n(\W?|_)e\b)

#OFFER
BODY	7	PCRE	(?i:(?!offer)\b((o|0)\W?f\W?f\W?e\W?r\b))

#DISCOUNT
BODY	7	PCRE	(?i:(?!discount)\bd(\W?|_)[|li1!](\W?|_)s(\W?|_)c(\W?|_)[0o](\W?|_)u(\W?|_)n(\W?|_)t\b)

#GENERIC
#Fixed zero-for-o spellings. Weight 30 is above MAXWEIGHT (20). The first rule is case-sensitive.
BODY	30	PCRE	(N0 C0ST)
BODY	30	PCRE	(?i:L00king)
BODY	30	PCRE	(?i:\bw0rk\b)


#Literal phrase, case-insensitive.
BODY	10	PCRE	(?i:review tax statement for taxpayer id)

#-------------------------------------------------------------------#
#	RFC				 			    #
#-------------------------------------------------------------------#
#Message body violates RFC-2822 (line too long)
#BODY	0	PCRE	(?im:.{998}.+)
#BODY	0	PCRE	(?i: \d{15,}\")

#-------------------------------------------------------------------#
#	ADDRESSES			 			    #
#-------------------------------------------------------------------#
#Fixed postal addresses and a sender name, matched as case-insensitive substrings.
#NOTE(review): static indicators like these go stale; the file header gives 01/20/2011 as the last update, so re-validate them before relying on the weights.
BODY		15	PCRE	(?i:Suite 1300 West Palm Beach, FL 33401)
BODY		15	PCRE	(?i:269 S Beverly Drive, #346, Beverly Hills, CA 90212)
BODY		15	PCRE	(?i:DT Systems)

#Reverse-DNS name containing this domain. Unanchored and case-sensitive; alone it reaches MAXWEIGHT (20).
REVDNS		20	PCRE	(forsalconstruction\.com)

#-------------------------------------------------------------------#
#	MALWARE			 			   	    #
#-------------------------------------------------------------------#
#"http", "https" or "ftp" followed later on the same line by .exe, .pif, .scr or .bat and a non-word character. It tests text in the body, i.e. links, not attachments.
#NOTE(review): only four extensions are listed, so links to other executable or script file types are not scored here. The trailing \W also means an extension at the very end of the body, with nothing after it, does not match.
BODY	20	PCRE	(?im:(https?|ftp).*\.(exe|pif|scr|bat)\W)

#-------------------------------------------------------------------#
#	UNSUBSCRIBE		 			   	    #
#-------------------------------------------------------------------#
#Opt-out wording that differs from a plain unsubscribe link, including disguised spellings.
BODY	20	PCRE		(?i:RE_M0VE)
BODY	15	PCRE		(?i:(No More Mail|To cease messages go here)\:)
BODY	15	PCRE		(?i:to start the process for email deletion)
#Three independent alternatives; any one of them scores.
BODY	10	PCRE		(?i:click here below|or write.{3,7}at\W|your request will be filled within 72 hours of receipt)
BODY	10	PCRE		(?i:\[or send mail to\])
BODY	5	PCRE		(?i:Click here to (prevent further|no longer receive) mailings)
BODY	5	PCRE		(?i:To (get out|exit).(of)?.(future|all) communications)
#"no more" and "optout" written with a zero in place of an "o"; the lookaheads skip the plain spellings.
BODY	5	PCRE		(?i:(?!no more)n[o0]\sm[0o]re)
BODY	5	PCRE		(?i:(?!optout)\b[o0]pt[o0]ut\b)
#Link or button text, matched between ">" and "</". Case-sensitive.
BODY	2	PCRE		(\>(No More Thanks|Not at this time|Not Interested)\</)
#NOTE(review): "/optout/" is a common path in legitimate mailing-list links as well; keep the weight low.
BODY	2	PCRE		(?i:/optout/)


