# <<< ---NOTE---  ---NOTE---  ---NOTE---  ---NOTE--- >>>
# 
# THIS FILE IS FOR SA 3.x! SA 2.63 & 2.64 ARE NO LONGER SUPPORTED!
# 
# <<< ---NOTE---  ---NOTE---  ---NOTE---  ---NOTE--- >>>

# Add your own customisations to this file.  See 'man Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
# 
# ~/.spamassassin/user_prefs
# $Id: user_prefs,v 1.1312 2009/11/22 13:52:53 yoh Exp $
# 
# http://tlec.linux.or.jp/docs/user_prefs
# Original source from:
# http://www.linux.or.jp/~ukai/l-u-spam/local.cf
# modified by MATSUDA Yoh-ichi [yoh] (yoh@flcl.org)
# 
# This file is updated frequently. You can use web antenna software for
# checking this file.
# 
# Notice for Non-Japanese natives:
# Thank you for watching this file.
# This is "user_prefs", SpamAssassin user-specific configuration 
# file "for Japanese".
# But, some rules are useful for Non-Japanese natives, I believe.
# 
# Feel free to use this file, there is no problem using whether
# whole or partial.
# You can use this file for personal, business, or built-in
# commercial products.
# 
# I hope happy E-mail world.
# 
# Notice for Japanese natives:
# You have to read 
# http://tlec.linux.or.jp/docs/spamassassin_setup_example.html
# before using this file.
# 
# [News for Japanese natives]
# If you are Bayes filter beginner and you want sample spam, I made
# a spams archive files for you:
# http://www.flcl.org/~yoh/spam/jp/
# 
# _._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._
# If you have any problem, questions or suggestions, email to: yoh@flcl.org
# _._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._
# 
# Copyright (c) 2002-2009  MATSUDA Yoh-ichi
# This file is licensed under the Open Software License v.2.0.
# 
# Open Software License v.2.0 at: http://opensource.org/licenses/osl-2.0.php
# Japanese translation at: http://www.opensource.jp/licenses/osl-2.0.html
# 

# 
# <<< ---NOTE---  ---NOTE---  ---NOTE---  ---NOTE--- >>>
# 
#            How to use this file:
# 
# 1. wget -O ~/.spamassassin/user_prefs http://tlec.linux.or.jp/docs/user_prefs
# 
# 2. write below rules in your ~/.spamassassin/private_prefs:
# 
# (1) your own 'trusted_networks'
# 
# trusted_networks 127.0.0.1/8 192.168.0.1/16 10.0.0.1/8 172.16.0.1/12 210.150.184.16/29 202.93.83.109 202.93.83.110/31 202.93.83.112 202.93.85.135 202.93.85.136/31 202.93.85.138 219.100.31.229 202.248.238.70 64.233.162.192/28 61.215.208.41 210.157.158.35 210.157.158.37 210.171.226.47 211.10.155.25
# 
# (2) your own 'MYMTA'
# 
# replace_tag   MYMTA (mail\.flcl\.org|(mxg|userg)[35]\d+\.nifty\.com|mta\d+\.mail\.([a-z]{3}\.){0,1}yahoo\.co\.jp)
# 
# 
# for more details, see http://spamassassin.jp/modules/xhnewbb/viewtopic.php?topic_id=9&post_id=47#forumpost47
# 
# sample private_prefs is available at
# http://tlec.linux.or.jp/docs/private_prefs
# 
# <<< ---NOTE---  ---NOTE---  ---NOTE---  ---NOTE--- >>>
# 


# ex. in my ~/.procmailrc:
# 
#------------------ ~/.procmailrc -------------------
# SHELL=/bin/sh
# LOGFILE=$HOME/Mail/procmail.log
# DEFAULT=$ORGMAIL
# SPAM=$HOME/spam/spam/.
# DOUBT=$HOME/spam/doubt/.
# # call spamassassin
# :0fw: spamassassin.lock
# * < 600000
# | spamassassin
# # "autolearn=spam" is "spam"
# :0H:
# * X-Spam-Flag: YES
# * X-Spam-Status:.*autolearn=spam
# $SPAM
# # score over 20 is "spam"
# :0H:
# * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
# $SPAM
# # other is "doubt"
# :0H:
# * !^X-Spam-Probability: 
# * ^X-Spam-Flag: YES
# $DOUBT
#------------------ End of ~/.procmailrc -------------------


# 
# - include private configuration file
#   You can write your private settings into separated file.
#   Ex. spamcop_from_address, spamcop_to_address, ...
#   Relative path begins from ~/.spamassassin/ .
#   2005.10.09 by [yoh]
# 

include private_prefs

# 
# - global configuration
#   some definition, no depending languages etc.
#   you can tune threshold score level as you like.
# 

# 
#   threshold level up to 8.0 2004.12.14 by [yoh]
#   threshold level up to 13.0 2005.11.3 by [yoh]
# 

required_score 13.0

# 
#   autolearn threshold setting 2005.11.3 by [yoh]
# 

bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12.0

# 
#   For AWL working properly, we have to write your trusted networks.
#   http://article.gmane.org/gmane.mail.spam.spamassassin.general/72509
#   http://wiki.apache.org/spamassassin/AwlWrongWay?highlight=%28awl%29
#   2005.09.23 by [yoh]
#   Thanks to OOI Keita san
#   2005.11.22 by [yoh]
# 
#   You MUST write below in your ~/.spamassassin/private_prefs
#   2006.04.18 by [yoh]
# 
# trusted_networks 127.0.0.1/8 192.168.0.1/16 10.0.0.1/8 172.16.0.1/12 210.150.184.16/29 202.93.83.109 202.93.83.110/31 202.93.83.112 202.93.85.135 202.93.85.136/31 202.93.85.138 219.100.31.229 202.248.238.70 64.233.162.192/28 61.215.208.41 210.157.158.35 210.157.158.37 210.171.226.47 211.10.155.25


# added 2009.05.31 by [yoh]
# for checking Yahoo! Japan webmail spam.
trusted_networks 124.83.168.15/32 124.83.168.16/29 124.83.168.24/30 124.83.168.28/31 124.83.168.32/29 124.83.168.40/30 124.83.168.44/31 124.83.168.46/32 124.83.200.48/28 124.83.200.64/29 124.83.200.72/30 124.83.200.76/31 124.83.212.21/32 124.83.212.22/31 124.83.212.24/29 124.83.212.32/30 124.83.212.81/32 124.83.212.82/31 124.83.212.84/30 124.83.212.88/29 203.216.226.171/32 203.216.226.172/30 203.216.226.176/28 203.216.226.192/31 203.216.226.194/32 203.216.249.201/32 203.216.249.202/31 203.216.249.204/30 203.216.249.208/29 202.93.80.0/20

# 
# - tuning internal rules score
#   some rules need score level up, some rules need deactivate.
# 

# modified 2009.03.22 by [yoh]
# Bayes depends on learning.
# So, autolearning too much spam makes false positive.

score BAYES_80 4.0
score BAYES_95 5.0
score BAYES_99 5.5

score BAYES_00 0 0 -1.665 -6.0
score BAYES_05 0 0 -0.925 -4.0

score X_LIBRARY 4.3
# score HTML_70_80 1.0
# score UPPERCASE_25_50 0.5

score NO_DNS_FOR_FROM 3.5

# score HOT_NASTY 2.0
# score RISK_FREE 2.0
score RATWARE_OE_MALFORMED 4.1
score UPPERCASE_75_100 1.0

score HTML_MESSAGE 1.0

# score MSGID_FROM_MTA_ID 2.7

score GAPPY_SUBJECT 0.5

# 
# This rule is no meanings because many ham sender doesn't add real name
# in his/her From: area.
# 2006.10.29 by [yoh]
# 
# score NO_REAL_NAME 0

# 
# This rule is no meanings because some web mail agents add 
# X-MSMail-Priority.
# 2006.10.29 by [yoh]
# 
score MISSING_MIMEOLE 0.1

# 
# This rule is no meanings because some Japanese ham has this rule.
# 2006.10.29 by [yoh]
# 
score PLING_QUERY 0.1

# 
# This rule is no meanings because many people send "no subject" mail.
# 2008.05.31 by [yoh]
# 
score MISSING_SUBJECT 0

# 
# This rule is no meanings because Outlook Express send this type mail.
# 2008.05.31 by [yoh]
# 
score FROM_EXCESS_BASE64 0

# 
# This rule is no meanings because Outlook Express send this type mail.
# So, this rule is nonsense.
# 2008.05.31 by [yoh]
# 
score TVD_SPACE_RATIO 0

# 
# This rule is no meanings because some hammy host send this type mail.
# So, this rule is nonsense.
# 2009.10.23 by [yoh]
# 
score RCVD_HELO_IP_MISMATCH 0



# 
# - language definition
#   if you aren't native Japanese, you have to change definition below.
#   In 3.1.0, you have to enable plugin "Mail::SpamAssassin::Plugin::TextCat"
#   in /etc/spamassassin/v310.pre .
#   http://marc.theaimsgroup.com/?l=spamassassin-announce&m=112674318914008&w=2
#   2005.09.26 by [yoh]
# 

ok_languages ja en
ok_locales ja en

# 
# - language definition related rules
#   if you aren't native Japanese, you have to change definition below.
# 

# There is no effect whether target mail is Japanese or not.
# 2004.05.28 by [yoh]
header ISO2022JP_CHARSET        Content-Type =~ /charset=['"]?iso-2022-jp['"]?/i
describe ISO2022JP_CHARSET      ISO-2022-JP message
# score ISO2022JP_CHARSET -0.182
score ISO2022JP_CHARSET -0.1

header GB2312_CHARSET	Content-Type =~ /charset=['"]?GB2312['"]?/i
describe GB2312_CHARSET		GB2312 message
score GB2312_CHARSET	5.00

# thrown away 2005.09.14 by [yoh]
# 
# header KS5601_CHARSET   Content-Type =~ /charset= ?['"]?ks_c_5601/i
# describe KS5601_CHARSET         KS_C_5601 message
# score KS5601_CHARSET    5.00

header BIG5_CHARSET    Content-Type =~ /charset=['"]?big5['"]?/i
describe BIG5_CHARSET  Big5 message
score BIG5_CHARSET     5.0

header WINDOWS_CHARSET    Content-Type =~ /charset=['"]?windows-125.['"]?/i
describe WINDOWS_CHARSET  Windows-1252 message
score WINDOWS_CHARSET     5.0



full GB2312ENC /\nContent-Type: .*; charset=.*gb2312[\n\r]/i
describe GB2312ENC gb2312 message
score GB2312ENC 1.0

full MIMEQENC /\nContent-Transfer-Encoding: quoted-printable[\n\r]/i
describe MIMEQENC Quoted-Printable mime definition
score MIMEQENC 0.2

full QENCPTR1 /=[1-9][0-9A-Fa-f]/
describe QENCPTR1 Quoted-Printable mime pattern
score QENCPTR1 0.2

full QENCPTR2 /[a-zA-Z]=[\n\r]/
describe QENCPTR2 Quoted-Printable mime pattern
score QENCPTR2 0.2

# thrown away 2005.09.14 by [yoh]
# 
# meta GB2312QENC GB2312ENC && MIMEQENC && QENCPTR1 && QENCPTR2
# describe GB2312QENC GB2312 quoted-printable MIME body
# score GB2312QENC 10.0
# 
# full BIG5_BODY /\nContent-Type:.*charset=.*big5.*[\n\r]/i
# describe BIG5_BODY Big5 charset in multipart
# score BIG5_BODY 10.0


# 
# generic, miscellaneous header rules.
# 

# ([a-z,'\-]+ ){2,}[a-z]+[0-9]+$|([0-9a-z,'\-]+ ){1,}[a-z ,'\-]+$
# ^[0-9A-Za-z]{10,}$


header X_MAILER         X-Mailer =~ /(GpsMailer|SpireMail|IM200[01] Version|Pinta Magazine|MultiMail|BSMTP DLL|E-Magazine|Direct Email|Achi-Kochi Mail|MagicalMail|InternetPost for Active Platform|Web Based Pronto|Oshirase.*-Mailer|SendMailEX|Douhou\@Mail|{%xmailer%}|<IMail v|jpfree Group Mail Express|SMTPit - FileMaker Pro Email Plugin|MultiSneder|Allaire ColdFusion Application Server|fuck_you69|adToOne|MailMagic|FightIK Version |Pegasus Mail for Win32 |vb_smtp_test|Fox[mM]ail \d\.\d+.+\[cn\]|ACMAILER scripted by http:\/\/[a-z0-9.]+\/|takamail|Super Mailer 9 \[cn\]\[outlook\]|jmail v2\.0|Yotiyoti Mailer Version |o2\.pl WebMail v|MIME-tools 5\.[0-9]+ \(Entity 5\.[0-9]+\)|WsMail 1|NEXTism Mailer|Shadow Mail v|UmailNG \.NET \(powered by Microsoft Windows 2003\))/
describe X_MAILER       spammer's choice of X-Mailer
score X_MAILER          7.0

header XTRAXMAILER  X-Mailer =~ /(Easy DM free|DM Mailer|Shadow Mail v\. 2.0|DM-SenderEX|Mail Distributor ver\.|Mail Distributer|BLT-TECH_EXEMAIL_1)/
describe XTRAXMAILER  spammer's choice of X-Mailer
score XTRAXMAILER  22.0

# 
# 
# New rules from version 3.1.0
# 2005.09.21 by [yoh]
# 
# 

# 
# This rule has no meanings since every long Japanese Subject have twice
# encode strings.
# 2005.10.11 by [yoh]
# 

# score SUBJECT_ENCODED_TWICE 0.1

score UNPARSEABLE_RELAY 0.5
meta UNPARSEABLERELAY99 UNPARSEABLE_RELAY && BAYES_99
describe UNPARSEABLERELAY99 UNPARSEABLE_RELAY && BAYES_99
score UNPARSEABLERELAY99 3.5

# score X_MAILER_SPAM  3.0

# meta XMAILERSPAM99 X_MAILER_SPAM && BAYES_99
# describe XMAILERSPAM99 X_MAILER_SPAM && BAYES_99
# score XMAILERSPAM99 7.0

header X_MAIL_AGENT     X-Mail-Agent =~ /\(Extra Japan\)|BSMTP DLL/
describe X_MAIL_AGENT   spammer's choice of X-Mail-Agent
score X_MAIL_AGENT      1.0

meta DYN_XMAGNT (X_MAIL_AGENT||X_MAILER) && ___DYNAMICIP
score DYN_XMAGNT 5.5


header USERAGENT User-Agent =~ /(VXmailer 1\.1|MMBoard Ver\.[0-9]+|Foxmail 4\.2 \[cn\]|MIME-tools 5\.[0-9]+ \(Entity |AspMail [0-9])/
describe USERAGENT spammer's choice of User-Agent
score USERAGENT 7.0

# 
# http://www.google.co.jp/search?hl=ja&ie=EUC-JP&oe=EUC-JP&q=coremail&btnG=Google+%B8%A1%BA%F7&lr=
# 2006.05.25 by [yoh]
# 
header COREMAIL Received =~/ by [^ ]+ \(Coremail\) with SMTP id \w{14,}/
describe COREMAIL spamming MTA made in China
score COREMAIL 5.0

meta CORE_KTC COREMAIL && ___KOREATAIWANCHINA 
score CORE_KTC 8.0

meta CORE_DCN COREMAIL && ___DCN
score CORE_DCN 8.0

# meta CORE_B64 COREMAIL && MIME_BASE64_NO_NAME && MIME_BASE64_TEXT && MIME_BASE64_BLANKS
meta CORE_B64 COREMAIL && MIME_BASE64_TEXT && MIME_BASE64_BLANKS
score CORE_B64 8.0

# 
# added 2007.01.18 by [yoh]
# 
header FORGEDMTAIDSTR Received =~/ id (?![A-Z0-9]{6}-[A-Z0-9]{6}-[A-Z0-9]{2})[A-Z0-9\W]{6}-[A-Z0-9\W]{6}-[A-Z0-9\W]{2}/

meta FRGDMTAWROTE RCVD_FORGED_WROTE && FORGEDMTAIDSTR
score FRGDMTAWROTE 5.0

# 
# added 2007.02.04 by [yoh]
# 
header FORGED_RCVD_BY Received =~/by (?!localhost)([a-z]{4,} \(8\.13\.\d|[A-Z]{5} \([A-Z]{3}Sys\))/



header MULTIPART_ALTERNATIVE    Content-Type =~ /[mM]ultipart\/[aA]lternative/
describe MULTIPART_ALTERNATIVE  Multipart/alternative  
score MULTIPART_ALTERNATIVE     0.1

# 
# generic, miscellaneous body rules.
# 

body THANKS_GOD_BLESS  /^THANKS.+GOD.+BLESS/i
describe THANKS_GOD_BLESS  Thanks, GOD BLESS YOU
score THANKS_GOD_BLESS  2.0

# meta RISK_THANKS RISK_FREE && THANKS_GOD_BLESS
# score RISK_THANKS 3.5

rawbody RANDOM_ID2 /^[a-z]{15,}$/
describe RANDOM_ID2 random lowercase alphabet ID-like phrase
score RANDOM_ID2 0.5

body CONGRATULATIONS /(!+ )*CONGRATULATIONS{0,1}(!| !+)/i
describe CONGRATULATIONS !!!!! CONGRATULATIONS !!!!!
score CONGRATULATIONS 3.0

body LOTTERY /LOTTERY/i
describe LOTTERY talking about LOTTERY
score LOTTERY 0.1

meta CONGLAT_LOTTERY CONGRATULATIONS && LOTTERY
describe CONGLAT_LOTTERY CONGRATULATIONS && LOTTERY
score CONGLAT_LOTTERY 3.5

body CALLNOW /call now /i
describe CALLNOW "Call Now"
score CALLNOW 0.1

body YOURDIPLOMA /YOUR (DIPLOMA|Graduation)/i
describe YOURDIPLOMA "YOUR DIPLOMA"
score YOURDIPLOMA 0.1

body CALLDIPLOMA /call now .+YOUR (DIPLOMA|Graduation)/i
describe CALLDIPLOMA call now - your Graduation
score CALLDIPLOMA 1.5


rawbody REMOVEMAIL1 /mailto:remove\@/
describe REMOVEMAIL1 mailto:remove@
score REMOVEMAIL1 2.0

# thrown away 2005.09.14 by [yoh]

# body PHPDONOTEMAIL /http:\/\/.+\/lx\.php\?a=donotemail\&b=/
# describe PHPDONOTEMAIL http://5.shyx.us/lx.php?a=donotemail&b=yoh%40flcl.org
# score PHPDONOTEMAIL 2.0
# 
# body PHPSEARCH /\/lx\.php\?a=search\&b=5\&c=/
# describe PHPSEARCH http://4.shyx.biz/lx.php?a=search&b=5&c=yoh%40flcl.org
# score PHPSEARCH 2.0
# 
# meta PHPSPAM PHPDONOTEMAIL && PHPSEARCH && BAYES_99
# describe PHPSPAM PHPDONOTEMAIL && PHPSEARCH && BAYES_99
# score PHPSPAM 7.0

# score FROM_AND_TO_SAME -0.5

score MIME_HTML_ONLY 0.4
score INVALID_DATE 5.4
# score REMOVE_PAGE 2.0
score FROM_ILLEGAL_CHARS 2.9
# score PORN_URL_SEX 1.0

# Below rule is too high.
# 2006.12.10 by [yoh]
score SUBJ_ILLEGAL_CHARS 1.0

# Below rules include bugs at proccessing ISO-2022-JP strings.

score WEIRD_QUOTING 0.1
score OBSCURED_EMAIL 0.1


# re-opened 2009.08.22 by [yoh]
# Below rule has serious problem, so it needs to be disabled.
# ex. Gmail HTML spam
score ALL_TRUSTED 0.0


# thrown away 2005.09.14 by [yoh]
# 
# rawbody FOXMAIL /^X-Mailer: FoxMail [1-9]\.[0-9]+ .+\[cn\]/
# describe FOXMAIL X-Mailer: FoxMail 3.11 Release [cn]
# score FOXMAIL 8.0

# header RANDORG Organization =~ /^([A-Z][a-z]+ [a-z]+|[a-z]+\.[a-z]+)$/
# describe RANDORG Organization: random strings
# score RANDORG 2.0

# meta SUBJ_SPACES_UNIQID SUBJ_HAS_SPACES && SUBJ_HAS_UNIQ_ID
# describe SUBJ_SPACES_UNIQID SUBJ_HAS_SPACES && SUBJ_HAS_UNIQ_ID
# score SUBJ_SPACES_UNIQID 2.5

meta MIMEHEXQENC MIME_BOUND_MANY_HEX && MIMEQENC
describe MIMEHEXQENC MIME_BOUND_MANY_HEX && MIMEQENC
score MIMEHEXQENC 1.1

header TEXT_NOCHARSET    Content-Type =~ /^text\/(plain|html);{0,1}$/
describe TEXT_NOCHARSET  Content-Type: text/(plain|html) with no charset
score TEXT_NOCHARSET  0.5

meta TEXTHOTMAIL TEXT_NOCHARSET && FORGED_HOTMAIL_RCVD2 && BAYES_99
describe TEXTHOTMAIL TEXT_NOCHARSET && FORGED_HOTMAIL_RCVD2 && BAYES_99
score TEXTHOTMAIL 10.0

# modified 2009.05.14 by [yoh]
meta TEXTPYZOR TEXT_NOCHARSET && PYZOR_CHECK
describe TEXTPYZOR TEXT_NOCHARSET && PYZOR_CHECK
score TEXTPYZOR 3.0

# thrown away 2005.09.14 by [yoh]
# 
# header POSTFIX_ERRCONT Content-Type =~/^multipart\/report; report-type=delivery-status;.+boundary=/
# describe POSTFIX_ERRCONT Content-Type is Postfix/Sendmail type delivery error message
# score POSTFIX_ERRCONT 0.1
# 
# meta POSTFIXBOUNCE POSTFIX_ERRCONT && ILLEGALSTR04
# describe POSTFIXBOUNCE bounce spam using a footstool MTA Postfix
# score POSTFIXBOUNCE 7.0

header EXIM_ERRWARN Received =~/ with local \(Exim .+\)/
describe EXIM_ERRWARN bounce mail from Exim
score EXIM_ERRWARN 0.1

header MSES_ERRXM X-Mailer =~ /Internet Mail Service \([0-9.]+\)$/
describe MSES_ERRXM X-Mailer: is Microsoft Exchange Server type delivery error message
score MSES_ERRXM 1.0

# thrown away 2005.09.14 by [yoh]
# 
# body YOURFINANCESTHEEASYWAY /Your Finances The Easy Way\!/
# describe YOURFINANCESTHEEASYWAY Your Finances The Easy Way!
# score YOURFINANCESTHEEASYWAY 1.0
# 
# body IFYOUWISHTOBEDELETED /If you wish to be deleted from (this|our) list, please .*CLICK/
# describe IFYOUWISHTOBEDELETED If you wish to be deleted from this list, please CLICK
# score IFYOUWISHTOBEDELETED 2.0
# 
# full FONT_1PX_STR /<font style=font-size:[12]px>([a-z'.]+ ){40,}([a-z]+.){0,1}<\/font>/
# describe FONT_1PX_STR font-size:1px and random strings are obfuscating bayesian filter
# score FONT_1PX_STR 7.0
# 
# body ORDER_YOURS_NOW /Order Yours NOW!/
# describe ORDER_YOURS_NOW Order Yours NOW!
# score ORDER_YOURS_NOW 1.5

# thrown away 2006.01.04 by [yoh]
# 
# rawbody TABLEPRE /<TD><PRE><font style=\"font-size:/
# describe TABLEPRE dot art spam using html table tag with pre tag.
# score TABLEPRE 3.5


# [a-z]{2,2}\.geocities\.com\/[a-zA-Z0-9]+\/

# rawbody UKGEOCITIES /http:\/\/[a-z]{2,3}\.geocities\.com\/[A-Za-z0-9_-]+\/(\?{0,1}[A-Za-z0-9_-]+| |$)/
# uri UKGEOCITIES /(geocities\.yahoo\.com\.br|[a-z]{2,3}\.geocities\.com)\/[A-Za-z0-9_-]+\/(\?{0,1}[A-Za-z0-9_-]+| |$)/

# thrown away 2009.07.27 by [yoh]
# uri UKGEOCITIES /(geocities\.yahoo\.com\.br|([a-z]{2,3}\.){0,1}geocities\.com)\/[A-Za-z0-9_-]+(\/\?{0,1}[A-Za-z0-9_-]+|\/ |\/$| |$)/
# describe UKGEOCITIES http://uk.geocities.com/Hoge_Hoge/?Fuga=tekitou
# score UKGEOCITIES 0.5

# meta CHINAUKGEO UKGEOCITIES && (RCVD_IN_CHINA || X_CHINESE_RELAY || RCVD_IN_SORBS_DUL || RCVD_IN_XBL || RCVD_IN_AHBL || RCVD_IN_WHOIS_INVALID || DNS_FROM_SECURITYSAGE || RCVD_IN_NJABL_DUL)
# meta CHINAUKGEO UKGEOCITIES && (RCVD_IN_CHINA || X_CHINESE_RELAY || RCVD_IN_SORBS_DUL || RCVD_IN_XBL || RCVD_IN_AHBL )

# thrown away 2009.07.27 by [yoh]
# meta CHINAUKGEO UKGEOCITIES && (RCVD_IN_CHINA || X_CHINESE_RELAY || RCVD_IN_XBL || RCVD_IN_AHBL )
# describe CHINAUKGEO UKGEOCITIES && RCVD_IN_CHINA
# score CHINAUKGEO 8.0

# thrown away 2009.07.27 by [yoh]
# meta CHINANETUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99
# describe CHINANETUKGEO (CHINANET || CRTC) && UKGEOCITIES && BAYES_99
# score CHINANETUKGEO 10

# full FAKEDREPLYMSG /[[:alpha:]]+[\r\n]+([[:print:]]{10,}[\r\n]+){1,}[[:alpha:]]+[\r\n]+ -+Original Message-+/

# thrown away 2009.07.27 by [yoh]
# full FAKEDREPLYMSG /[[:print:]]+[\r\n]+([[:print:]]{10,}[\r\n]+){1,}[[:alpha:]]+[\r\n]+ -+Original Message-+/
# describe FAKEDREPLYMSG faked reply message strings
# score FAKEDREPLYMSG 0.1

# thrown away 2009.07.27 by [yoh]
# meta UKGEOFORMAT FAKEDREPLYMSG && UKGEOCITIES && BAYES_99
# describe UKGEOFORMAT FAKEDREPLYMSG && UKGEOCITIES && BAYES_99
# score UKGEOFORMAT 3.5

# meta UKGEOFORMAT2 (FORGED_RCVD_HELO || SUBJECT_FUZZY_MEDS || FUZZY_PHARMACY) && MSGID_FROM_MTA_ID && UKGEOCITIES && BAYES_99
# describe UKGEOFORMAT2 (FORGED_RCVD_HELO || SUBJECT_FUZZY_MEDS || FUZZY_PHARMACY) && MSGID_FROM_MTA_ID && UKGEOCITIES && BAYES_99
# score UKGEOFORMAT2 10

# header ___PLTXTUSASCII Content-Type =~/charset=\"?us-ascii/
# thrown away 2009.07.27 by [yoh]
# header ___PLTXTUSASCII Content-Type =~ /text\/plain.+charset=\"?us-ascii/i
# score ___PLTXTUSASCII 0.1

# thrown away 2009.07.27 by [yoh]
# mimeheader ___MIMETXTUSASCII Content-Type =~ /text\/(plain|html).+charset=\"?us-ascii/i
# score ___MIMETXTUSASCII 0.1

# thrown away 2009.07.27 by [yoh]
# meta UKGEOFORMAT3 CHINANETUKGEO && (___PLTXTUSASCII || ___MIMETXTUSASCII)
# describe UKGEOFORMAT3 ascii text mail from China with uk.geocities.com uri
# score UKGEOFORMAT3 10

# thrown away 2009.07.27 by [yoh]
# meta SPF_UKGEO (SPF_HELO_SOFTFAIL || SPF_FAIL) && UKGEOCITIES
# score SPF_UKGEO 3.5

# thrown away 2009.07.27 by [yoh]
# meta AHBL_UKGEO DNS_FROM_AHBL_RHSBL && UKGEOCITIES
# score AHBL_UKGEO 1.5
# meta FIVETEN_UKGEO RCVD_IN_FIVETENSG && UKGEOCITIES
# score FIVETEN_UKGEO 1.5
# meta COP_UKGEO RCVD_IN_BL_SPAMCOP_NET && UKGEOCITIES
# score COP_UKGEO 1.0
# meta SORTRCPS_UKGEO SORTED_RECIPS && UKGEOCITIES
# score SORTRCPS_UKGEO 2.0
# meta XYAHOO_UKGEO XYAHOOFILTEREDBULK && UKGEOCITIES
# score XYAHOO_UKGEO 2.5
# meta KTC_UKGEO ___KOREATAIWANCHINA && UKGEOCITIES
# score KTC_UKGEO 2.5

# 
# added 2006.10.12 by [yoh]
# spammer sneaked away at 2006.12.12.
# 
body STILLPAYING /(Still paying too much for your current mortgage\?|Several Companies have been competing for your mortgage|your mortgage refinance application over the past 2 weeks\. The company|competing for your mortgage refinance application over the past 2 weeks\.|We've attempted to contact you to refinance your home\. Your current loan|In accordance with our terms please visit here to verify your information on our secure, private site to ensure our|We tried contacting you awhile ago about your low interest morta\(ge rate\.)/i
score STILLPAYING 1.5

meta STILL_DCN ___DCN && STILLPAYING
score STILL_DCN 5

# meta STILL_UKGEO UKGEOCITIES && STILLPAYING
# score STILL_UKGEO 2.5
# meta STILL_SORT_UKGEO SORTRCPS_UKGEO && STILLPAYING
# score STILL_SORT_UKGEO 5


meta STILL_EUDORA FORGED_MUA_EUDORA && STILLPAYING
score STILL_EUDORA 5

# meta STILL_FUZREF FUZZY_REFINANCE && STILL_UKGEO && (___DCN || XYAHOOFILTEREDBULK)
# score STILL_FUZREF 5
# meta STILL_TVDFUZREF TVD_FUZZY_FINANCE && STILL_UKGEO && (___DCN || XYAHOOFILTEREDBULK)
# score STILL_TVDFUZREF 5
# meta STILL_FUZOBL FUZZY_OBLIGATION && STILL_UKGEO && (___DCN || XYAHOOFILTEREDBULK)
# score STILL_FUZOBL 5
# meta STILL_XYAHOO XYAHOOFILTEREDBULK && STILL_UKGEO && ___DCN
# score STILL_XYAHOO 5


body FAKEHOSTURI /http:\/\/[a-z]+\.com>\.[a-z0-9]+\.[a-z]+\.[a-z]{2,3}/
score FAKEHOSTURI 2.5

meta FHURI_COP FAKEHOSTURI && RCVD_IN_BL_SPAMCOP_NET
score FHURI_COP 5.0

meta FHURI_SBL FAKEHOSTURI && URIBL_SBL
score FHURI_SBL 5.0

meta FHURI_XBL FAKEHOSTURI && RCVD_IN_XBL
score FHURI_XBL 7.0

meta FHURI_HLDYNIP FAKEHOSTURI && HELO_DYNAMIC_IPADDR
score FHURI_HLDYNIP 7.0


# added 2008.09.13 by [yoh]
rawbody MANYSLASHURI /http:\/\/.+(?:\/{5,}|[\(\)]{5,})/
score MANYSLASHURI 4.5
meta MANYDCC MANYSLASHURI && DCC_CHECK
score MANYDCC 3.5
meta MANYPROXY MANYSLASHURI && RCVD_IN_NJABL_PROXY
meta MANYMULTI MANYSLASHURI && MULTIPART_ALTERNATIVE
score MANYMULTI 3.5
meta MANYFRGN MANYSLASHURI && (LACNIC||AFRINIC)
score MANYFRGN 2.5


# added 2008.09.14 by [yoh]
rawbody DOTREPLACE /(www\.){0,1}[a-z]{6,} {0,3}\[DOT\] {0,3}com/
score DOTREPLACE 2.5

meta DOTBOGUSMX DOTREPLACE && DNS_FROM_RFC_BOGUSMX
score DOTBOGUSMX 2.5
meta DOTDSN DOTREPLACE && DNS_FROM_RFC_DSN
score DOTDSN 2.5
meta DOTPBL DOTREPLACE && RCVD_IN_PBL
score DOTPBL 2.5
meta DOTXBL DOTREPLACE && RCVD_IN_XBL
score DOTXBL 2.5
meta DOTCBL DOTREPLACE && RCVD_IN_CBL
score DOTCBL 2.5
meta DOTCOP DOTREPLACE && RCVD_IN_BL_SPAMCOP_NET
score DOTCOP 2.5
# meta DOTDUL DOTREPLACE && RCVD_IN_SORBS_DUL
# score DOTDUL 2.5
meta DOTDCC DOTREPLACE && DCC_CHECK
score DOTDCC 2.5
meta DOTJMRM DOTREPLACE && JM_REACTOR_MAILER
score DOTJMRM 2.5
meta DOTAHBL DOTREPLACE && RCVD_IN_AHBL
score DOTAHBL 2.5
meta DOTAHPRXY DOTREPLACE && RCVD_IN_AHBL_PROXY
score DOTAHPRXY 2.5

meta JMRMPBL RCVD_IN_PBL && JM_REACTOR_MAILER
score JMRMPBL 3.5

meta DOSMXPBL DOS_OE_TO_MX && RCVD_IN_PBL
score DOSMXPBL 3.5



# score ADVANCE_FEE_1 1.0

# meta BASE64TXT60  MIME_BASE64_NO_NAME && MIME_BASE64_TEXT && MIME_BASE64_BLANKS && RATWARE_NAME_ID && TEXT_NOCHARSET
# describe BASE64TXT60 60 columns base64 encoded plain text message
# score BASE64TXT60 20

meta ___HTMLIMG HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 || HTML_IMAGE_ONLY_32 || HTML_IMAGE_RATIO_02

meta PASTIMG DATE_IN_PAST_06_12 && ___HTMLIMG && BAYES_99
score PASTIMG 5.0

# meta HTMLIMG_FRGDHELO (FORGED_RCVD_HELO || RCVD_NUMERIC_HELO || RCVD_NUMERIC_HELO2)&& ___HTMLIMG && BAYES_99
meta HTMLIMG_FRGDHELO (RCVD_NUMERIC_HELO || RCVD_NUMERIC_HELO2)&& ___HTMLIMG && BAYES_99
describe HTMLIMG_FRGDHELO FORGED_RCVD_HELO && HTML_IMAGE_ONLY_??
score HTMLIMG_FRGDHELO 5.5

rawbody HTML_FONT_SIZE_TINY2 /<FONT (face=\w+ |)size=\"{0,1}[0-3]\"{0,1}(>| )/i
describe HTML_FONT_SIZE_TINY2 <FONT face=Arial size=2>
score HTML_FONT_SIZE_TINY2 0.5

meta IMGONLYHTML1 HTML_FONT_SIZE_TINY2 && ___HTMLIMG && BAYES_99
score IMGONLYHTML1 5.0

rawbody ___OBSCURED_TEXT1 /^(,|\!)($| \w)/
rawbody ___OBSCURED_TEXT2 /\w (,|\!) \w/

meta IMGONLYHTML2 ___OBSCURED_TEXT1 && ___OBSCURED_TEXT2 && ___HTMLIMG
score IMGONLYHTML2 5.0

# 
# It's not smart rule...
# 2007.12.30 by [yoh]
# 
# 

score SHORT_HELO_AND_INLINE_IMAGE 1.5
meta SHII_OTHER SHORT_HELO_AND_INLINE_IMAGE && (ARIN || RIPE_NCC || LACNIC || AFRINIC || ___KOREATAIWANCHINA )
score SHII_OTHER 3.5
meta SHII_CBL SHORT_HELO_AND_INLINE_IMAGE && RCVD_IN_CBL
score SHII_CBL 3.5
meta SHII_SPAMCOP SHORT_HELO_AND_INLINE_IMAGE && RCVD_IN_BL_SPAMCOP_NET
score SHII_SPAMCOP 3.5
meta SHII_DSBL SHORT_HELO_AND_INLINE_IMAGE && RCVD_IN_DSBL
score SHII_DSBL 3.5
# meta SHII_DUL SHORT_HELO_AND_INLINE_IMAGE && RCVD_IN_SORBS_DUL
# score SHII_DUL 3.5


# 
# It's not smart rule...
# 2006.04.22 by [yoh]
# 
# 

rawbody ___OBFUSCATING_FLOAT0 /<span style=\"border: 0px\; float/
rawbody ___OBFUSCATING_FLOAT1 /^: right\"> \w <\/span>/
meta OBFUSCATING_FLOAT ___OBFUSCATING_FLOAT0 && ___OBFUSCATING_FLOAT1 
describe OBFUSCATING_FLOAT <span style="border: 0px; float: right"> d </span>
score OBFUSCATING_FLOAT 1.5

rawbody FLOATGEOCITIES /^<A href=\"http:\/\/geocities\.com\/\w+\/\">\w+<span style=\"border: 0px\; float/
describe FLOATGEOCITIES <A href="http://geocities.com/GabicRectohoate/">V<span style="border: 0px; float
score FLOATGEOCITIES 2.0

rawbody FLOAT_A_HREF /^<A href=\"http:\/\/(www\.){0,1}\w+\.(com|net)">\w+<span style=\"border: 0px\; float/
describe FLOAT_A_HREF <A href="http://www.h75h.net">Vi<span style="border: 0px; float
score FLOAT_A_HREF 2.0

meta MULTIFLOAT99 MULTIPART_ALTERNATIVE && OBFUSCATING_FLOAT && BAYES_99
score MULTIFLOAT99 3.5

meta OBFUSGEOFLOAT OBFUSCATING_FLOAT && (FLOATGEOCITIES || FLOAT_A_HREF)
score OBFUSGEOFLOAT 3.5

# meta SPANFLOAT (FORGED_RCVD_HELO ||DIRECTUNKNOWN) && MULTIFLOAT99 && FLOATGEOCITIES
meta SPANFLOAT DIRECTUNKNOWN && MULTIFLOAT99 && FLOATGEOCITIES
score SPANFLOAT 5


mimeheader MIMEHTMLWINDOWS1252 Content-Type =~ /text\/html.+charset=\"windows-1252/i

body FRGN_SCAMTEL /(001-514-342-0679|001-617-812-6356|001-732-572-3335|001-732-572-6222|0044-700-580-7134|0044-703-184-7929|0044-704-010-3388|1-206-279-9144|1-334-323-5633|1-484-693-8861|1-717-427-5771|1-718-504-5376|1-800-608-3158|1-818-309-4529|44-704-010-6598|44-870-134-4753|8-926-216-8419|1-206-600-4655|1-206-350-3737|1-206-202-4570|1-206-666-2456|1-206-337-1968|1-206-984-3376|1-206-984-0833|1-206-339-6285)/
describe FRGN_SCAMTEL foreign (outside Japan) scam telephone number
score FRGN_SCAMTEL 1.5

meta FRGNTELDCN ___DCN && FRGN_SCAMTEL
score FRGNTELDCN 4.5

meta UPRLY_FRGNTEL UNPARSEABLE_RELAY && FRGN_SCAMTEL
score UPRLY_FRGNTEL 3.0


# added 2006.12.28 by [yoh]
# spammer sneaked away at 2006.12.30.
# and added more rules 2007.01.03 by [yoh]
# spammer sneaked away at 2007.01.04.
body CURRENTPRICE /(^Current Price:.+Short Term Target:.+(Long Term ){0,1}(Projected|Target)|^ +[\w ]+\. \([A-Z]{4}\) +is +at +\$.+\$.+short-term.+long-term)/
score CURRENTPRICE 1.5

meta CURRDCN ___DCN && CURRENTPRICE
score CURRDCN 3.5

meta CURRWROTE RCVD_FORGED_WROTE && CURRENTPRICE
score CURRWROTE 3.5

# 
# added 2007.02.04 by [yoh]
# 
body REPLACEWITHDOT /([rR]eplace \"{0,1}\W\"{0,1} with \"{0,1}\.\"{0,1}|([Ii]mpor{0,1}tant {0,1}[:!]{0,1} ){0,1}[rR]emove \"\W\" (to make the link working[.!]){0,1})/
meta ONLY1RPLCDOT ONLY1HOPDIRECT && REPLACEWITHDOT
score ONLY1RPLCDOT 3.0

# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# 
# Japanese rules.
# 
# Because SA's bayes engine doesn't support Japanese.
# In Japanese language, words are NOT splitted by space.
# So, we have to write some rules for checking typical words,
# by our hand...
# 
# <FYI>
# If you want to add matching rules for Japanese:
# 
# (1) ISO-2022-JP
# 
# $ echo (Japanese strings)|nkf -j|awk '{gsub(/\x1B[$(]B/,"");print}'
# 
# (2) Shift-JIS
# 
# $ echo -n (Japanese strings)|nkf -s|od -txC
# 

# 
#
# Now, "MISHOUDAKU KOUKOKU" has changed normal ad-mail.
# "True spams" are using spamware, DNSBLed MTA, inviting scam site...
# 2004.11.20 by [yoh]
# 
# thrown away 2005.09.30 by [yoh]
# Today, "Mishoudaku Kokukoku" is meaningless. (sigh)
# 
# 
# header MISYOUDAKU Subject =~ /L\$.*(>|=3E)5.*Bz/
# describe MISYOUDAKU Misyoudaku
# score  MISYOUDAKU 1.0
# 
# header BANG_BANG Subject =~ /(!\*|\033\$[B@]).*(!\*|\033\([BJ]!)/
# describe BANG_BANG !...!
# score BANG_BANG 1.00
# 
# header STAR Subject =~ /(\"\(|\*|\!v)/
# describe STAR *
# score STAR 1.0
# 
# header KOUKOKU Subject =~ /9-9p/
# describe KOUKOKU KOUKOKU
# score KOUKOKU 2.0
# 
# meta MISYOUDAKUKOUKOKU MISYOUDAKU && KOUKOKU && STAR
# describe MISYOUDAKUKOUKOKU MISYOUDAKU && KOUKOKU && STAR
# score MISYOUDAKUKOUKOKU 1.0

# Special thanks to Satoshi IWAMOTO-san, for advice: 2002/10/21
rawbody HAISHINTEISHI /G\[\?\.(..){0,2}(Dd;_|ITMW)/
describe HAISHINTEISHI Haishin (no) Teishi
score HAISHINTEISHI 0.3

meta DYN_HAISHINTEISHI ___DYNAMICIP && HAISHINTEISHI
score DYN_HAISHINTEISHI 1.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KOUDOKUKAIJO /9XFI(..)*2r=\|/
describe KOUDOKUKAIJO Koudoku Kaijo
score KOUDOKUKAIJO 1.0

meta DYN_KOUDOKUKAIJO ___DYNAMICIP && KOUDOKUKAIJO
score DYN_KOUDOKUKAIJO 3.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody MURYOU /L5NA/
describe MURYOU Muryou
score MURYOU 0.2

meta DYN_MURYOU ___DYNAMICIP && MURYOU
score DYN_MURYOU 1.5

header HAJIMEMASHITE Subject =~ /(\$O\$8|=i)\$a\$\^\$7\$F/
describe HAJIMEMASHITE Hajimemashite ? I don't know about you.
score HAJIMEMASHITE 1.5

#$O$8$a$^$7$F
#;O$a$^$7$F
#=i$a$^$7$F
# /\=i\$a\$\^\$7\$F/
# /(\$O\$8|\=i)\$a\$\^\$7\$F.+\$H\$\$\$\$\$\^\$9/

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HAJIMEMASHITE2 /(\$O\$8|\=i)\$a\$\^\$7\$F/
describe HAJIMEMASHITE2 Hajimemashite ? I don't know about you.
score HAJIMEMASHITE2 0.5

meta DYN_HAJIMETE (HAJIMEMASHITE ||HAJIMEMASHITE2) && ___DYNAMICIP
score DYN_HAJIMETE 2.0


# There is no effect whether target mail is Japanese or not.
# 2004.05.28 by [yoh]
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ISO2022JP_BODY /\033\$[B@]/
describe ISO2022JP_BODY ISO-2022-JP message
# score ISO2022JP_BODY -2.394
score ISO2022JP_BODY -0.1

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KOUKOKUMEERU /9\-9p\%a\!\<\%k(\$N){0,1}G\[\?\.(Dd\;_|Be9T)/
describe KOUKOKUMEERU koukokume-ru
score KOUKOKUMEERU 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HAISHINDAIKOU /G\[\?\.Be9T/
describe HAISHINDAIKOU haishindaikou
score HAISHINDAIKOU 1.0


# Original source from: Jcode.pm 0.83 dankogai
# Thanks for your advice: Ikari-same, Ishioka-same.
# 2004.06.29 by [yoh]

# SJIS_C    => '[\x81-\x9f\xe0-\xfc][\x40-\x7e\x80-\xfc]',
# EUC_C     => '[\xa1-\xfe][\xa1-\xfe]',
# includes:      \xe0-\xfc  \xa1-\xfc
# so, excludes:  \x81-x9f   \x40-\x7e\x80-\x8f
# EUC_KANA  =>  '\x8e[\xa1-\xdf]',
#                \x8e \xa1-\xdf
# EUC_0212  =>  '\x8f[\xa1-\xfe][\xa1-\xfe]',
# so, excludes:  \x81-\x8d\x90-\x9f   \x40-\x7e\x80-\x8f

# 
# Umm, it's a time to need to support UTF-8 messages detection.
# http://search.luky.org/./linux-users.a/msg05613.html
# http://search.luky.org/./linux-users.a/msg05643.html
# 2005.09.29 by [yoh]
# 

# UTF8      => '[\xc0-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf][\x80-\xbf]'
#              '[\xc0-\xdf]         [\x80-\xbf]
# SJIS_C    => '[\x81-\x9f\xe0-\xfc][\x40-\x7e\x80-\xfc]',
# so,excludes:   \x81-\x9f\xe0-\xfc  \x40-\x7e\xc0-\xfc
#              |[\xe0-\xef][\x80-\xbf][\x80-\xbf]'
#              '[\x81-\x9f\xe0-\xfc][\x40-\x7e\x80-\xfc]',
# so,excludes:   \x81-\x9f\xf0-\xfc  \x40-\x7e\xc0-\xfc
# so,excludes:   \xc0-\xfc           \x40-\x7e\xc0-\xfc

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody UTF8      /(([\xe0-\xef][\x80-\xbf][\x80-\xbf])(?!([\x81-\x9f\xe0-\xfc][\x40-\x7e\xc0-\xfc]|[\x81-\x9f\xf0-\xfc][\x40-\x7e\xc0-\xfc]|[\xc0-\xfc][\x40-\x7e\xc0-\xfc]))){5,}/
describe UTF8   UTF-8 message body
score UTF8  -0.1

# 
# almost completely detecting SJIS messages.
# 2005.09.29 by [yoh]
# 

# body SJIS_C /([\x81-\x9f\xe0-\xfc][\x40-\x7e\x80-\xfc]){5,}/

# 
# This rule was written at 2005.09.29 by [yoh]
# Shift-JIS: Japanese character encoding, which is not to be used for email.
# http://en.wikipedia.org/wiki/Shift-JIS
# Yes, Shift-JIS emails have high probability of spam.
# 2006.01.11 by [yoh]
# 

# 
# Todo: fix missing detecting: gb2312, koi8-r
# 2006.05.03 by [yoh]
# 

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_C /(([\x81-\x9f\xe0-\xfc][\x40-\x7e\x80-\xfc])(?!([\xc0-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf][\x80-\xbf]|[\xa1-\xfe][\xa1-\xfe]))){7,}/
describe SJIS_C SHIFT_JIS message body
score SJIS_C 2.0

# 2009.04.06 by [yoh]
header SJIS_SUBJECT Subject =~ /(([\x81-\x9f\xe0-\xfc][\x40-\x7e\x80-\xfc])(?!([\xc0-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf][\x80-\xbf]|[\xa1-\xfe][\xa1-\xfe]))){7,}/

meta SJISSBJDCN ___DCN && SJIS_SUBJECT
score SJISSBJDCN 3.5


# body ___EUC_C_ONLY /([\xa1-\xfe][\xa1-\xfe]){5,}/
# describe ___EUC_C_ONLY [\xa1-\xdf][\xa1-\xfe]
# score ___EUC_C_ONLY -2.0

# 
# For only backward compatibility.
# 2005.09.29 by [yoh]
# 

# meta SJIS_BODY SJIS_C && ! ___EUC_C_ONLY
meta SJIS_BODY SJIS_C 
describe SJIS_BODY Shift_JIS message
score SJIS_BODY 0.1

header SJISFROM From =~ /([\x81-\x9f\xe0-\xfc][\x40-\x7e\x80-\xfc]){2,}@/
describe SJISFROM From: SJIS strings
score SJISFROM 2.0


# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SHIROUTOMUSUME /AG\?ML</
describe SHIROUTOMUSUME obscene word: shiroutomusume
score SHIROUTOMUSUME 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody CLICK_JP /%\/%j%C%\//
describe CLICK_JP click
score CLICK_JP 1.0

# header   ILLEGULAR_FROM From =~ /^[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+$/
# header   ILLEGULAR_FROM From =~ /(^[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+$|<\"[a-z0-9._-]+\"\@[a-z0-9._-]+\>$)/
header   ILLEGULAR_FROM From =~ /(^[\w\.-]+\@[\w\.-]+\@[\w\.-]+$|<\"[\w\.-]+\"\@[\w\.-]+\>$)/
describe ILLEGULAR_FROM From: xxxx@xxxx.jp@xxxx.jp
score    ILLEGULAR_FROM 10.0

header   ILLEGULAR_TO To =~ /^\"[\w\.-]+\@[\w\.-]+\"\@[\w\.-]+$/
describe ILLEGULAR_TO To: "xxxx@xxxx.jp"@xxxx.jp
score ILLEGULAR_TO 7.0

# header   ILLEGULAR_REPLYTO Reply-To =~ /(^[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+\@[A-Za-z0-9._-]+$|<\"[a-z0-9._-]+\"\@[a-z0-9._-]+\>$)/
header   ILLEGULAR_REPLYTO Reply-To =~ /(^[\w\.-]+\@[\w\.-]+\@[\w\.-]+$|<\"[\w\.-]+\"\@[\w\.-]+\>$)/
describe ILLEGULAR_REPLYTO Reply-To: <"******...************"@***.com>
score ILLEGULAR_REPLYTO 15.0


# 
# below rules are generic, but originated from Japanese spam.
# 

header CONTENT_TYPE_PRESENT	exists:Content-Type
describe CONTENT_TYPE_PRESENT	exists:Content-Type
score CONTENT_TYPE_PRESENT	-0.1

meta NOTINCONTENTTYPE ! CONTENT_TYPE_PRESENT
describe NOTINCONTENTTYPE ! There's no Content-Type header
score NOTINCONTENTTYPE 0.2

# 
# 
# If you have yahoo.co.jp mail account, you can use below.
# 2005.09.18 by [yoh]
# But, yahoo.co.jp's "X-YahooFilteredBulk" is not reliable.
# 2005.10.12 by [yoh]
# 
# 

header XYAHOOFILTEREDBULK       exists:X-YahooFilteredBulk
describe XYAHOOFILTEREDBULK     exists:X-YahooFilteredBulk
score XYAHOOFILTEREDBULK        0.1

meta XYAHOOFILTERED99   XYAHOOFILTEREDBULK && BAYES_99
describe XYAHOOFILTERED99   XYAHOOFILTEREDBULK && BAYES_99
score XYAHOOFILTERED99   3.5

meta XYAHOOFILTERED95   XYAHOOFILTEREDBULK && BAYES_95
describe XYAHOOFILTERED95   XYAHOOFILTEREDBULK && BAYES_95
score XYAHOOFILTERED95   1.5


#
# detecting Japanese spam using yahoo.co.jp mail address.
# 2004.08.22 by [yoh]
# 2006.04.08 by [yoh]
#

header ___XAPPARENTLYFROM X-Apparently-From =~ /^<.+\@yahoo\.co\.jp>$/
# describe ___XAPPARENTLYFROM X-Apparently-From: <xxxxxxxx@yahoo.co.jp>
# score ___XAPPARENTLYFROM -0.1

# header ___YAHOOJPRCVD1 Received =~ /by .+\.mail.*\.yahoo\.co\.jp with SMTP/
header ___YAHOOJPRCVD1 X-Spam-Relays-Untrusted =~ / by=\w+\.mail.*\.yahoo\.co\.jp /
# describe ___YAHOOJPRCVD1 Received: from ... by smtp18.mail.bbt.yahoo.co.jp with SMTP
# score ___YAHOOJPRCVD1 -0.1
# header ___YAHOOJPRCVD2 Received =~ /from dns.+.mail.yahoo.co.jp/
# describe ___YAHOOJPRCVD2 Received: from ....mail.yahoo.co.jp
# score ___YAHOOJPRCVD2 -0.1

header ___YAHOOJPRCVD3 Received =~ /from .+ by web.+\.mail\..*yahoo\.co\.jp via HTTP/
# describe ___YAHOOJPRCVD3 Received: from ... by web2101.mail.bbt.yahoo.co.jp via HTTP
# score ___YAHOOJPRCVD3 -0.1

header ___YAHOOJPFROM From =~ /.+\@yahoo\.co\.jp/
# describe ___YAHOOJPFROM From: ...@yahoo.co.jp
# score ___YAHOOJPFROM -0.1

# meta VALIDYAHOOJP ((___XAPPARENTLYFROM && ___YAHOOJPRCVD1) || ___YAHOOJPRCVD3) && ___YAHOOJPFROM
meta VALIDYAHOOJP ___XAPPARENTLYFROM && ___YAHOOJPRCVD1 && ___YAHOOJPFROM
describe VALIDYAHOOJP This mail is valid yahoo.co.jp mail.
score VALIDYAHOOJP -0.1

meta INVALIDYAHOOJP ___YAHOOJPFROM && ! ((___XAPPARENTLYFROM && ___YAHOOJPRCVD1 ) || ___YAHOOJPRCVD3)
describe INVALIDYAHOOJP From: is ...@yahoo.co.jp but this mail didn't come from yahoo.co.jp
score INVALIDYAHOOJP 1.0

# thrown away 2006.04.08 by [yoh]
# 
# meta FAKEVALIDYAHOOJP VALIDYAHOOJP && MSGID_FROM_MTA_HEADER
# describe FAKEVALIDYAHOOJP VALIDYAHOOJP && MSGID_FROM_MTA_HEADER
# score FAKEVALIDYAHOOJP 5.0


meta YAHOOJPSPAMCOP RCVD_IN_BL_SPAMCOP_NET && INVALIDYAHOOJP
describe YAHOOJPSPAMCOP RCVD_IN_BL_SPAMCOP_NET && INVALIDYAHOOJP
score YAHOOJPSPAMCOP 7.0

meta INVYJP_DYN INVALIDYAHOOJP && ___DYNAMICIP
score INVYJP_DYN 3.5

# 
# Thanks to WAGATSUMA Yoshiko aka kuromomo tan
# 2005.10.28 by [yoh]
# 2006.04.07 by [yoh]
# 2008.01.04 by [yoh]
# 

# header ___VALIDHOTMAILRCVD1 Received =~/from.+(hotmail\.com \(bay[0-9]+-[a-z]+[0-9]+\.bay[0-9]+\.hotmail\.com \[64\.4(\.[0-9]+){2,2}\]\)|64\.4(\.[0-9]+){2,2} +\(.+ hotmail\.com\) +\(64\.4(\.[0-9]+){2,2}\)).+by /
# header ___VALIDHOTMAILRCVD3 Received =~/from 64\.4(\.[0-9]{1,3}){2,2} by [a-z0-9]+\.[a-z0-9]+\.hotmail\.msn\.com with HTTP/
# header ___VALIDHOTMAILRCVD1 X-Spam-Relays-Untrusted =~ / ip=(64\.4|65\.5[2-5])(\.\d{1,3}){2} rdns=bay\d+-\w+\.bay\d+\.hotmail\.com helo=hotmail\.com by=.+ ident= envfrom= intl=0 id=.+ auth= /
header ___VALIDHOTMAILRCVD1 X-Spam-Relays-Untrusted =~ / ip=(64\.4|65\.5[2-5])(\.\d{1,3}){2} /
# header ___VALIDHOTMAILRCVD2 Received =~/from mail pickup service by hotmail\.com with Microsoft SMTPSVC/
# header ___VALIDHOTMAILRCVD3 X-Spam-Relays-Untrusted =~ / ip=64\.4(\.\d{1,3}){2} rdns= helo= by=\w+\.bay\d+\.hotmail\.msn\.com ident= envfrom= intl=0 id= auth=HTTP /
header ___VALIDHOTMAILRCVD4 X-Originating-IP =~/\[\d{2,3}(\.\d{1,3}){3}\]/
# header ___VALIDHOTMAILRCVD5 X-Originating-Email =~/\[.+\@hotmail\.co\.jp\]/
# header ___VALIDHOTMAILRCVD6 X-Sender =~/.+\@hotmail\.co\.jp/
header ___HOTMAILCOJPFROM From =~/.+\@hotmail\.co\.jp/

# meta FORGED_JPHOTMAIL_RCVD ___HOTMAILCOJPFROM && ! (___VALIDHOTMAILRCVD1 && ___VALIDHOTMAILRCVD2 && ___VALIDHOTMAILRCVD3 && ___VALIDHOTMAILRCVD4 && ___VALIDHOTMAILRCVD5 && ___VALIDHOTMAILRCVD6)
meta FORGED_JPHOTMAIL_RCVD ___HOTMAILCOJPFROM && ! (___VALIDHOTMAILRCVD1 && ___VALIDHOTMAILRCVD4)
describe FORGED_JPHOTMAIL_RCVD From: has hotmail.co.jp, but no Received: from hotmail.com
score FORGED_JPHOTMAIL_RCVD 1.5

# meta VALID_JPHOTMAIL_RCVD ___HOTMAILCOJPFROM && ___VALIDHOTMAILRCVD1 && ___VALIDHOTMAILRCVD2 && ___VALIDHOTMAILRCVD3 && ___VALIDHOTMAILRCVD4 && ___VALIDHOTMAILRCVD5 && ___VALIDHOTMAILRCVD6
meta VALID_JPHOTMAIL_RCVD ___HOTMAILCOJPFROM && ___VALIDHOTMAILRCVD1 && ___VALIDHOTMAILRCVD4
score VALID_JPHOTMAIL_RCVD -1.0


header FORGED_MSSMTP Received =~ /from (?!mail pickup service )[\w\._-]+ \((\d{1,4}\.){3}\d{1,4}\) by [\w\._-]+ with Microsoft SMTPSVC\(\d/
describe FORGED_MSSMTP MSExchange doesn't add such a Received: header
score FORGED_MSSMTP 1.5

header ___MSEX X-MimeOLE =~ /Produced By Microsoft Exchange V\d/
# probably forged MSSMTPSVC strings
meta ___FRGDMSSMTPSVC FORGED_MSSMTP && !___MSEX

meta SJISFRGDMSSMTP MIME_BASE64_TEXT && SJIS_C && ___FRGDMSSMTPSVC
score SJISFRGDMSSMTP 3.5

meta DCN_FRGDMSSMTP ___DCN && ___FRGDMSSMTPSVC
score DCN_FRGDMSSMTP 3.5


score INVALID_MSGID 1.5

header SHIFT_JIS2 Content-Type =~ /charset=\"shift_jis\"/i
describe SHIFT_JIS2 Content-Type: text/plain; charset="SHIFT_JIS"
score SHIFT_JIS2 1.5

full SHIFT_JIS1 /charset="shift_jis"/i
describe SHIFT_JIS1 charset="shift_jis"
score SHIFT_JIS1 1.0

meta INVALIDSJIS INVALID_MSGID && (SHIFT_JIS1 || SJIS_BODY)
describe INVALIDSJIS INVALID_MSGID && (SHIFT_JIS1 || SJIS_BODY)
score INVALIDSJIS 5.0

# thrown away 2005.09.28 by [yoh]
# 
# full DREAMWIZ /dreamwiz\.com/
# describe DREAMWIZ http://my.dreamwiz.com/
# score DREAMWIZ 5.0
# 
# header HANMAIL_NET  Reply-To =~ /\@hanmail\.net/
# describe HANMAIL_NET  hanmail.net
# score HANMAIL_NET   2.0

rawbody SIDEBUSINESS /%5%\$%I%S%8%M%9/
describe SIDEBUSINESS SIDEBUSINESS
score SIDEBUSINESS 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OTAKARA /\$\*Ju/
describe OTAKARA OTAKARA
score OTAKARA 1.0


# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody FUJITAYUZAN /F\#EDM\:\;3/
describe FUJITAYUZAN FUJITAYUZAN
score FUJITAYUZAN 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HIROSHIMAKENCHIJI /9\-Eg8\)CN\;v/
describe HIROSHIMAKENCHIJI HIROSHIMAKENCHIJI
score HIROSHIMAKENCHIJI 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody NOMOTODENO /\$N85\$G\$N/
describe NOMOTODENO NOMOTODENO
score NOMOTODENO 0.1

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OSOROSHIIHANASHI /62\$m\$7\$\$OC/
describe OSOROSHIIHANASHI OSOROSHIIHANASHI
score OSOROSHIIHANASHI 0.1

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody GYOUSEISOSHO /9T\@\/AJ\>Y/
describe GYOUSEISOSHO GYOUSEISOSHO
score GYOUSEISOSHO 0.1

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SOKURYOSHI /B\,NL\;N/
describe SOKURYOSHI SOKURYOSHI
score SOKURYOSHI 0.1

meta FUJITACHIJI FUJITAYUZAN && HIROSHIMAKENCHIJI
describe FUJITACHIJI FUJITAYUZAN && HIROSHIMAKENCHIJI
score FUJITACHIJI 1.0
meta CHIJINOMOTO HIROSHIMAKENCHIJI && NOMOTODENO
describe CHIJINOMOTO HIROSHIMAKENCHIJI && NOMOTODENO
score CHIJINOMOTO 1.0
meta MOTODEOSORO NOMOTODENO && OSOROSHIIHANASHI
describe MOTODEOSORO NOMOTODENO && OSOROSHIIHANASHI
score MOTODEOSORO 1.0
meta OSOROGYOUSEI OSOROSHIIHANASHI && GYOUSEISOSHO
describe OSOROGYOUSEI OSOROSHIIHANASHI && GYOUSEISOSHO
score OSOROGYOUSEI 1.0

meta FUJITASPAM1 FUJITACHIJI && CHIJINOMOTO && MOTODEOSORO
describe FUJITASPAM1 FUJITACHIJI && CHIJINOMOTO && MOTODEOSORO
score FUJITASPAM1 3.0
meta FUJITASPAM2 FUJITACHIJI && MOTODEOSORO && OSOROGYOUSEI
describe FUJITASPAM2 FUJITACHIJI && MOTODEOSORO && OSOROGYOUSEI
score FUJITASPAM2 3.0

header NIKKEIBP From =~ /nikkeibp.co.jp/
describe NIKKEIBP nikkeibp.co.jp
score NIKKEIBP -10

# Thanks to: SHIBATA Hisaaki san
body AFAF /(zimbabwe|nigeria|angola|south afric|Sierra|UNITA)/i
describe AFAF Afaf
score AFAF 1.5

# replacing "OBFUSCATING_COMMENT"
# There are many types of OBFUSCATING_COMMENT. So, it's very difficult
# to detect various types of them.
# I think that detecting single or double rules are dangerous.

# Original rule fails to detect normal Japanese word, and scores too high.
score OBFUSCATING_COMMENT 0.0

# Outlook Express CAN send HTML in this format
# 2006.07.11 [yoh]
score FORGED_OUTLOOK_TAGS 0

# Outlook Express CAN send HTML in this format
# 2006.08.07 [yoh]
score HTML_OBFUSCATE_05_10 0.1
# score HTML_NONELEMENT_70_80 0.1

rawbody FAKEDWORD_ATMARK /(^| |\r|\n)[A-Za-z]{0,}(\@[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/
describe FAKEDWORD_ATMARK ex. em@il (this rule is only for body)
score FAKEDWORD_ATMARK 0.5

full FAKEDWORD_ZERO /( |\r|\n)[A-Za-z]{0,}(0[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/
describe FAKEDWORD_ZERO ex. Cust0mer
score FAKEDWORD_ZERO 0.5

full FAKEDWORD_ONE /( |\r|\n)[A-Za-z]{0,}(1[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/
describe FAKEDWORD_ONE ex. l1st
score FAKEDWORD_ONE 0.5

full FAKEDWORD_EXCLAMATION /( |\r|\n)[A-Za-z]{0,}(\![A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/
describe FAKEDWORD_EXCLAMATION ex. MED!C!NE
score FAKEDWORD_EXCLAMATION 0.5

full FAKEDWORD_VERTICALLINE /( |\r|\n)[A-Za-z]{0,}([1|][A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/
describe FAKEDWORD_VERTICALLINE ex. REM|O|VED
score FAKEDWORD_VERTICALLINE 0.5

full FAKEDWORD_BACKQUOTE /( |\r|\n)[A-Za-z]{0,}(\`[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/
describe FAKEDWORD_BACKQUOTE ex. B`uy
score FAKEDWORD_BACKQUOTE 0.5

full FAKEDWORD_BQONE /( |\r|\n)[A-Za-z1]{1,}[\^\`]{1,}[A-Za-z1]{2,}(\.{0,1}$| |[:;\r\n])/
describe FAKEDWORD_BQONE ex. ava1^iable
score FAKEDWORD_BQONE 0.5

full MULTIPART_EMPTY /(\r|\n){2}\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: multipart\/alternative\;(\r|\n)\tboundary=\"\-{4}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}\"(\r|\n){2,}\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: text\/plain\;(\r|\n)\tcharset=\"Windows-1252\"(\r|\n)Content-Transfer-Encoding: quoted-printable(\r|\n){2,}/

meta MULTIEMPTY99 MULTIPART_EMPTY && BAYES_99
score MULTIEMPTY99 5.0

meta MULTIEMPTYFUTURE DATE_IN_FUTURE_06_12 && MULTIPART_EMPTY
score MULTIEMPTYFUTURE 3.5

meta EMPTYEXTRAMPARTTYPE EXTRA_MPART_TYPE && MULTIPART_EMPTY
score EMPTYEXTRAMPARTTYPE 3.5


# thrown away 2005.09.14 by [yoh]
# 
# rawbody OBFUSTAG1 /<(sup|em|font|big)><\/\1>/
# describe OBFUSTAG1 <sup></sup>
# score OBFUSTAG1 3.0

# special thanks to: R.Takashi ISHIOKA-san! 2003/07/16
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_SOSHINSHA /\221\227\220M\216\322/
describe SJIS_SOSHINSHA soushinsha using sjis
score SJIS_SOSHINSHA 1.0

# thrown away 2005.09.14 by [yoh]
# 
# meta FAKED_SJISBODY1 SJIS_SOSHINSHA && ISO2022JP_BODY
# describe FAKED_SJISBODY1 SJIS_SOSHINSHA && ISO2022JP_BODY
# score FAKED_SJISBODY1 5.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_URAVIDEO /\x97.\x83\x72\x83\x66\x83\x49/
describe SJIS_URAVIDEO uravideo using sjis
score SJIS_URAVIDEO 2.5
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_SAISHINRYUSHUTSU /\x8d\xc5\x90\x56\x97\xac\x8f\x6f/
describe SJIS_SAISHINRYUSHUTSU saishinryushutsu using sjis
score SJIS_SAISHINRYUSHUTSU 2.5
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_BURUSERA /\x83\x75\x83\x8b\x83\x5a\x83\x89/
describe SJIS_BURUSERA burusera using sjis
score SJIS_BURUSERA 2.5
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_SHIROUTOTOUKOU /\x91\x66\x90\x6c\x93\x8a\x8d\x65/
describe SJIS_SHIROUTOTOUKOU shiroutotoukou using sjis
score SJIS_SHIROUTOTOUKOU 2.5
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_YOUMONO /\x97\x6d\x95\xa8/
describe SJIS_YOUMONO youmono using sjis
score SJIS_YOUMONO 2.5
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_TOUSATSU /\x93\x90\x8e\x42/
describe SJIS_TOUSATSU tousatsu using sjis
score SJIS_TOUSATSU 2.5
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_LOLIKEI /\x83\x8d\x83\x8a\x8c\x6e/
describe SJIS_LOLIKEI lolikei using sjis
score SJIS_LOLIKEI 2.5
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SJIS_ZENKAKU_SM /\x82\x72\x82\x6c/
describe SJIS_ZENKAKU_SM SM in zenkaku using sjis
score SJIS_ZENKAKU_SM 1.5

meta PORN_SJIS (SJIS_BURUSERA||SJIS_LOLIKEI||SJIS_SAISHINRYUSHUTSU||SJIS_SHIROUTOTOUKOU||SJIS_TOUSATSU||SJIS_URAVIDEO||SJIS_YOUMONO||SJIS_ZENKAKU_SM)&&(ISO2022JP_BODY||ISO2022JP_CHARSET)
describe PORN_SJIS (SJIS_BURUSERA||SJIS_LOLIKEI||SJIS_SAISHINRYUSHUTSU||SJIS_SHIROUTOTOUKOU||SJIS_TOUSATSU||SJIS_URAVIDEO||SJIS_YOUMONO||SJIS_ZENKAKU_SM)&&(ISO2022JP_BODY||ISO2022JP_CHARSET)
score PORN_SJIS 5.0

# thrown away 2005.09.14 by [yoh]
# 
# header HOSYOU_JPSPAM Received =~ /(\(HELO hosyou|from hosyou-.\.mine\.nu \(.+tokyo.ocn.ne.jp)/
# describe HOSYOU_JPSPAM ZAITAKUBUSINESS type Japanese spammer
# score HOSYOU_JPSPAM 7.0
# 
# body SHOUKOMISEMASU /\>Z5r.*8\+\$\;\$\^\$9/
# describe SHOUKOMISEMASU SHOUKO MISEMASU
# score SHOUKOMISEMASU 2.0




# body ZAITAKU /\:_Bp/
rawbody ZAITAKU /\:_Bp/
describe ZAITAKU ZAITAKU
score ZAITAKU 0.2

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody BUSINESS /%S%8%M%9/
describe BUSINESS BUSINESS
score BUSINESS 0.2

meta DYN_BUSINESS ___DYNAMICIP && BUSINESS
score DYN_BUSINESS 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SHUUNYUU /\<\}F\~/
describe SHUUNYUU SHUUNYUU
score SHUUNYUU 0.2

# thrown away 2005.09.14 by [yoh]
# 
# body HOSYOU_590MYEN /\#52\/\#9\@iK\|1_/
# describe HOSYOU_590MYEN 590000000yen
# score HOSYOU_590MYEN 2.0
# 
# meta HOSYOUSPAM2 HOSYOU_JPSPAM && HOSYOU_590MYEN
# describe HOSYOUSPAM2 HOSYOU_JPSPAM && HOSYOU_590MYEN
# score HOSYOUSPAM2 5.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OATSUI /\$\*G\.\$\$/
describe OATSUI Japanese porn word: OATSUI
score OATSUI 0.2

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ZUKOZUKO /%:%3%:%3/
describe ZUKOZUKO Japanese porn word: ZUKOZUKO
score ZUKOZUKO 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody BINYUU /H~F}/
describe BINYUU Japanese porn word: BINYUU
score BINYUU 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SEISHI /\@:;R/
describe SEISHI Japanese porn word: SEISHI
score SEISHI 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody BIMAN /H~%^%s/
describe BIMAN Japanese porn word: BIMAN
score BIMAN 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody DOSUKEBE /\$I\$9\$1\$Y/
describe DOSUKEBE Japanese porn word: DOSUKEBE
score DOSUKEBE 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SHOJO /=h=w/
describe SHOJO Japanese porn word: SHOJO
score SHOJO 1.0

# !#$*JV;vBT$C$F$^$9!#!#

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OHENJIMATT /\!\#\$\*JV;vBT\$C\$F\$\^\$9\!\#\!\#/
describe OHENJIMATT OHENJIMATTEMASU
score OHENJIMATT 1.0

rawbody TOOLONGSTR /^.{480,}$/
describe TOOLONGSTR too long strings without linefeed
score TOOLONGSTR 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ZENKOKUSOKUJITSU /\x91\x53\x8d\x91\x91\xa6\x93\xfa.+\x97\x5a\x8e\x91/
describe ZENKOKUSOKUJITSU YAMIKIN word: zenkokusokujitsu supi-do yuushi
score ZENKOKUSOKUJITSU 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody TOUKYOUTOCHIJININKA /\x93\x8c\x8b\x9e\x93\x73\x92\x6d\x8e\x96\x94\x46\x89\xc2.+\x8f\xc1\x94\xef\x8e\xd2\x8b\xe0\x97\x5a/
describe TOUKYOUTOCHIJININKA YAMIKIN word: toukyoutochijininkazumi no shouhisha kin'yuu
score TOUKYOUTOCHIJININKA 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody GEKIYASU /(7c|3J)0B/
describe GEKIYASU GEKIYASU
score GEKIYASU 0.5

meta DYN_GEKIYASU ___DYNAMICIP && GEKIYASU
score DYN_GEKIYASU 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody PCSOFTHANBAI /PC...\%\=\%U\%H.*HNGd/
describe PCSOFTHANBAI PCsofthanbai
score PCSOFTHANBAI 1.0

meta DYN_PCSOFTHANBAI ___DYNAMICIP && PCSOFTHANBAI
score DYN_PCSOFTHANBAI 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SAISHINPCSOFT /\:G\?7...PC...\%\=\%U\%H/
describe SAISHINPCSOFT saishinPCsoft
score SAISHINPCSOFT 2.0

meta DYN_SAISHINPCSOFT ___DYNAMICIP && SAISHINPCSOFT
score DYN_SAISHINPCSOFT 3.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody PCSOFTGEKIYASU /PC.+\%\=\%U\%H(7c|3J)0B/
describe PCSOFTGEKIYASU PCSOFTGEKIYASU
score PCSOFTGEKIYASU 1.5

meta DYN_PCSOFTGEKIYASU ___DYNAMICIP && PCSOFTGEKIYASU
score DYN_PCSOFTGEKIYASU 3.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody AITAI /(2q\$\$\$\?\$\$|\$\*2q\$\$\$7\$(\?\$\$|F\$_\$\^)|2q\$C\$F\$_\$(\^|F|\?))/
describe AITAI aitai...(sigh)
score AITAI 1.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody MATTERU /((BT|\$\^)\$C\$F(\$\$\$^\$9|\$C\$F\$b\$\$\$\$|\$F\$b\$\$\$\$|\$\^\$9|\$k|\$\$\$k)|\$\*BT\$A\$7\$F|BT\$C\$F\$\$\$\^\$9\!\#)/
describe MATTERU matteru
score MATTERU 0.3

meta DYN_MATTERU ___DYNAMICIP && MATTERU
score DYN_MATTERU 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody RENRAKU /O\"Mm/
describe RENRAKU renraku
score RENRAKU 0.2

meta DYN_RENRAKU ___DYNAMICIP && RENRAKU
score DYN_RENRAKU 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody DEAI /\=P2q\$\$/
describe DEAI deai
score DEAI 0.5

meta DYN_DEAI ___DYNAMICIP && DEAI
score DYN_DEAI 2.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KARAMAIL /6u\%a\!\<\%k/
describe KARAMAIL karame-ru
score KARAMAIL 0.3

# thrown away 2005.09.14 by [yoh]
# 
# meta KARASCAM KARAMAIL && JPSCAMMAILADDRESS
# describe KARASCAM KARAMAIL && JPSCAMMAILADDRESS
# score KARASCAM 3.5

# $*IU$-9g$$
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OTSUKIAI /\$\*IU(\$\-){0,1}9g\$\$/
describe OTSUKIAI otsukiai
score OTSUKIAI 0.3

meta DYN_OTSUKIAI ___DYNAMICIP && OTSUKIAI
score DYN_OTSUKIAI 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KONOKIMOCHI /\$3\$N5\$\;\}\$A/
describe KONOKIMOCHI konokimochi
score KONOKIMOCHI 0.3

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody UWAKI /Ib5\$/
describe UWAKI uwaki
score UWAKI 0.3

meta DYN_UWAKI ___DYNAMICIP && UWAKI
score DYN_UWAKI 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody FURIN /ITNQ/
describe FURIN furin
score FURIN 0.3

meta DYN_FURIN ___DYNAMICIP && FURIN
score DYN_FURIN 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody WARIKIRI /3d\$j\@Z\$j/
describe WARIKIRI warikiri
score WARIKIRI 0.3

meta DYN_WARIKIRI ___DYNAMICIP && WARIKIRI
score DYN_WARIKIRI 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody DOUTEI /F8Dg/
describe DOUTEI doutei
score DOUTEI 0.3

meta DYN_DOUTEI ___DYNAMICIP && DOUTEI
score DYN_DOUTEI 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HITODZUMA /\?M\:J/
describe HITODZUMA hitodzuma
score HITODZUMA 0.3

meta DYN_HITODZUMA ___DYNAMICIP && HITODZUMA
score DYN_HITODZUMA 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody MIDARA /0\|\$i/
describe MIDARA midara
score MIDARA 0.3

meta DYN_MIDARA ___DYNAMICIP && MIDARA
score DYN_MIDARA 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HIMITSUNO /HkL\)\$N/
describe HIMITSUNO himitsuno
score HIMITSUNO 0.1

meta DYN_HIMITSUNO ___DYNAMICIP && HIMITSUNO
score DYN_HIMITSUNO 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HIMITSUNOHOGE /HkL\)\$N(\=P2q\$\$|M\'C\#|4X78|\$\*IU\$\-9g\$\$)/
describe HIMITSUNOHOGE himitsuno hogehoge
score HIMITSUNOHOGE 1.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody FUAN /IT0B/
describe FUAN fuan
score FUAN 0.2

meta DYN_FUAN ___DYNAMICIP && FUAN
score DYN_FUAN 2.0

# body ANATA /\$\"\$J\$\?(\$\,|\$7\$\+|\$H|\$K|\$N|\$O|\$X\$N|\$b|\$r)/
# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ANATA /(5\.J\}|\$\"\$J\$\?)(\$\,|\$7\$\+|\$H|\$K|\$N|\$O|\$X\$N|\$b|\$r|\$\@)/
describe ANATA Anata ... call me my name.(sigh)
score ANATA 0.5

meta DYN_ANATA  ___DYNAMICIP && ANATA
score DYN_ANATA 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ONEGAI /\$\*4j\$\$/
describe ONEGAI onegai
score ONEGAI 0.2

meta DYN_ONEGAI ___DYNAMICIP && ONEGAI
score DYN_ONEGAI 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody TOUROKU /EPO\?(\$\,|\$7\$\?|\$7\$A\$c\$\$|\$7\$F|\$7\$J\$\$|\$7\$\^\$9|\$9\$k|\$C\$F|\$G\$\-|\$H\$\$\$\&|\$H\$\+|\$N|\$O|\<T\$N\>R2p|\$"\$j\$,\$H\$\&\$4\$6\$\$\$\^)/

#)/
describe TOUROKU touroku
score TOUROKU 0.5

meta DYN_TOUROKU ___DYNAMICIP && TOUROKU
score DYN_TOUROKU 2.0

# 
# meta ANATAONEGAITOUROKU ANATA && ONEGAI && TOUROKU && (JPSCAMURI || JPSCAMMAILADDRESS)
# describe ANATAONEGAITOUROKU ANATA ONEGAI TOUROKU to JPSCAMURI or JPSCAMMAILADDRESS
# score ANATAONEGAITOUROKU 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OHENJI /\$\*JV\;v/
describe OHENJI Ohenji
score OHENJI 0.2

meta DYN_OHENJI ___DYNAMICIP && OHENJI
score DYN_OHENJI 2.0

meta OHENJIMATTERU OHENJI && MATTERU
describe OHENJIMATTERU OHENJI && MATTERU
score OHENJIMATTERU 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HOTERU /\%\[\%F\%k/
describe HOTERU hoteru
score HOTERU 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HOTEL /(HOTEL|\#H\#O\#T\#E\#L)/i
describe HOTEL hotel
score HOTEL 0.5

meta DYN_HOTEL ___DYNAMICIP && (HOTEL || HOTERU)
score DYN_HOTEL 2.5

# meta HOTEL __HOTERU || __HOTEL
# describe HOTEL HOTEL
# score HOTEL 0.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody TOUSATSU /Ep\;\#/
describe TOUSATSU tousatsu
score TOUSATSU 1.0

meta DYN_TOUSATSU ___DYNAMICIP && TOUSATSU
score DYN_TOUSATSU 4.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KARESHI /H\`\;a/
describe KARESHI kareshi
score KARESHI 0.2

meta DYN_KARESHI ___DYNAMICIP && KARESHI
score DYN_KARESHI 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody CHAT /\%A\%c\%C\%H/
describe CHAT chatto
score CHAT 0.2

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody HITORIKURASHI /0l\?MJk\$i\$7/
describe HITORIKURASHI hitorikurashi
score HITORIKURASHI 0.2

meta DYN_HITORIKURASHI ___DYNAMICIP && HITORIKURASHI
score DYN_HITORIKURASHI 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody CIRCLE /\%5\!\<\%\/\%k/
describe CIRCLE sa-kuru
score CIRCLE 0.1

meta DYN_CIRCLE ___DYNAMICIP && CIRCLE
score DYN_CIRCLE 1.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody MAJIMENAKANKEI /(\?\?LLL\\\$J|3d\$j\@Z\$C\$\?|Bg\?M\$N|BN\$N)(4X78|8r\:\]|\$\*IU\$\-9g\$\$|\$\*\$D\$\-9g\$\$)/
describe MAJIMENAKANKEI majimenakankei
score MAJIMENAKANKEI 1.5

meta DYN_MAJIMENAKANKEI ___DYNAMICIP && MAJIMENAKANKEI
score DYN_MAJIMENAKANKEI 3.0

# 
# meta CIRCLEKANKEI CIRCLE && MAJIMENAKANKEI
# describe CIRCLEKANKEI CIRCLE && MAJIMENAKANKEI
# score CIRCLEKANKEI 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ENQUETE /\%\"\%s\%1\!\<\%H/
describe ENQUETE anke-to
score ENQUETE 0.2

meta DYN_ENQUETE ___DYNAMICIP && ENQUETE
score DYN_ENQUETE 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody DAIHYOU /BeI\=/
describe DAIHYOU daihyou
score DAIHYOU 0.2

meta DYN_DAIHYOU ___DYNAMICIP && DAIHYOU
score DYN_DAIHYOU 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody BOSHUUWO /Jg\=8\$r/
describe BOSHUUWO boshuuwo
score BOSHUUWO 0.1

meta DYN_BOSHUUWO ___DYNAMICIP && BOSHUUWO
score DYN_BOSHUUWO 2.0

# thrown away 2005.09.14 by [yoh]
# 
# meta DAIHYOUBOSHUUENQ ENQUETE && DAIHYOU && BOSHUUWO
# describe DAIHYOUBOSHUUENQ ENQUETE && DAIHYOU && BOSHUUWO
# score DAIHYOUBOSHUUENQ 1.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody DANSEIKAIIN /(CK|\=w)\@\-2q0w/
describe DANSEIKAIIN danseikaiin
score DANSEIKAIIN 1.5

meta DYN_DANSEIKAIIN ___DYNAMICIP && DANSEIKAIIN
score DYN_DANSEIKAIIN 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody TOMODACHI /M\'C\#/
describe TOMODACHI tomodachi
score TOMODACHI 0.1

meta DYN_TOMODACHI ___DYNAMICIP && TOMODACHI
score DYN_TOMODACHI 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody AISHOU /Aj\@\-/
describe AISHOU aishou
score AISHOU 0.2

meta DYN_AISHOU ___DYNAMICIP && AISHOU
score DYN_AISHOU 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody FERA /\%U\%\'\%i/
describe FERA Japanese porn word: fera
score FERA 1.0

meta DYN_FERA ___DYNAMICIP && FERA
score DYN_FERA 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KINSENTEKI /6bA\,E\*\$[JK]/
describe KINSENTEKI Kinsenteki
score KINSENTEKI 0.2

meta DYN_KINSENTEKI ___DYNAMICIP && KINSENTEKI
score DYN_KINSENTEKI 1.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KIKONSHA /4\{\:\'\<T/
describe KIKONSHA Kikonsha
score KIKONSHA 0.2

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OTTO /IW\$[\+|K|\,|\@|X|O|N|H]/
describe OTTO otto
score OTTO 0.1

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SHUJIN /\<g\?M/
describe SHUJIN shujin
score SHUJIN 0.1

meta DYN_SHUJIN ___DYNAMICIP && (SHUJIN || OTTO || KIKONSHA)
score DYN_SHUJIN 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody DEETO /\%G\!\<\%H/
describe DEETO deeto
score DEETO 0.1

meta DYN_DEETO ___DYNAMICIP && DEETO
score DYN_DEETO 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody WAGAMAMA /((\$o|2f)\$\,\$\^\$\^|\%o\%\,\%\^\%\^|2fPV)/
describe WAGAMAMA wagamama
score WAGAMAMA 0.1

meta DYN_WAGAMAMA ___DYNAMICIP && WAGAMAMA
score DYN_WAGAMAMA 1.0


# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ASONDE /M7\$s\$G/
describe ASONDE asonde
score ASONDE 0.1

meta DYN_ASONDE ___DYNAMICIP && ASONDE
score DYN_ASONDE 1.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SUPPORT /\%5\%\]\!\<\%H/
describe SUPPORT sapo-to
score SUPPORT 0.1

meta DYN_SUPPORT ___DYNAMICIP && SUPPORT
score DYN_SUPPORT 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ___MAN_EN /K\|1_/
describe ___MAN_EN man'en

# thrown away 2006.01.05 by [yoh]
# 
# meta AITAISUPPORT AITAI && SUPPORT && ___MAN_EN && (BAYES_99 || BAYES_95)
# describe AITAISUPPORT AITAI && SUPPORT
# score AITAISUPPORT 5.0

# 
# I wrote this rule at 2005.11.14 00:40
# I modified this rule at 2005.11.14 10:00 and uploaded at 13:22
# So, when this NG word will dissapear? :-P
# 2005.11.14 by [yoh]
# Yes, "Gyakuen" means fraud.
# If you're native Japanese, you'd better read this:
# http://itpro.nikkeibp.co.jp/article/Watcher/20060319/232825/
# 2006.03.27 by [yoh]
# 

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody GYAKUEN /5U(\!o|1g|1o)/
describe GYAKUEN gyakuen
score GYAKUEN 1.0

# 
# I wrote this rule at 2005.11.14 13:22
# So, when this NG word will dissapear? :-P
# 2005.11.14 by [yoh]
# 

header GYAKUENSUBJ Subject =~ /5U(\!o|1g)/
describe GYAKUENSUBJ gyakuen in Subject:
score GYAKUENSUBJ 2.0

meta DYN_GYAKUEN ___DYNAMICIP && (GYAKUEN || GYAKUENSUBJ)
score DYN_GYAKUEN 2.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody URADVD /N\".{2,5}DVD/
describe URADVD uradvd
score URADVD 1.0

meta DYN_URADVD ___DYNAMICIP && URADVD
score DYN_URADVD 4.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody KEIJIBAN /7G\<\(HD/
describe KEIJIBAN keijiban
score KEIJIBAN 0.3

meta DYN_KEIJIBAN ___DYNAMICIP && KEIJIBAN
score DYN_KEIJIBAN 1.0

meta HAJIMETEKEIJIBAN DYN_HAJIMETE && KEIJIBAN
score HAJIMETEKEIJIBAN 5.5

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody SEFURE /\%\;\%U\%l/
describe SEFURE sefure
score SEFURE 0.7

meta DYN_SEFURE ___DYNAMICIP && SEFURE
score DYN_SEFURE 2.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OAITE /\$\*Aj\<j/
describe OAITE oaite
score OAITE 0.2

meta DYN_OAITE ___DYNAMICIP && OAITE
score DYN_OAITE 1.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody ECSTASY /\%\(\%\/\%9\%\?\%7/
describe ECSTASY ecstasy
score ECSTASY 0.3

meta DYN_ECSTASY ___DYNAMICIP && ECSTASY
score DYN_ECSTASY 3.0

# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody OMATOME /\$\*\$\^\$H\$a/
describe OMATOME omatome
score OMATOME 1.0

meta DYN_OMATOME ___DYNAMICIP && OMATOME
score DYN_OMATOME 3.5


rawbody AFFILIATE /\%\"\%U\%\#\%j\%\(\%\$\%H/
describe AFFILIATE affiliate
score AFFILIATE 0.5

meta DYN_AFFILIATE ___DYNAMICIP && AFFILIATE
score DYN_AFFILIATE 3.5

rawbody KASEGU /2T\$0/
describe KASEGU kasegu
score KASEGU 0.5

meta DYN_KASEGU ___DYNAMICIP && KASEGU
score DYN_KASEGU 3.5

rawbody KONOTABI /\$3\$N(?:EY|\$?\$S)\$O/
score KONOTABI 0.5

meta DYN_KONOTABI ___DYNAMICIP && KONOTABI
score DYN_KONOTABI 3.5

rawbody NAIYOUHAIKA /(?:EPO\?FbMF\$O0J2<\$N(?:DL|\$H\$\*)\$j|DL\$j\!\"\@_Dj)/
score NAIYOUHAIKA 0.5

meta DYN_NAIYOUHAIKA ___DYNAMICIP && NAIYOUHAIKA
score DYN_NAIYOUHAIKA 3.5

rawbody RANKING /\%s\%0E=/
score RANKING 0.5

meta DYN_RANKING ___DYNAMICIP && RANKING
score DYN_RANKING 3.5



# In SA 3.2.x, "body" rule has been changed.
# So, for matching ISO-2022-JP strings, we have to change to "rawbody" rule.
# 2008.05.24 by [yoh]
rawbody PACHINKO /\%Q\%A\%s\%3/
describe PACHINKO pachinko
score PACHINKO 0.1

meta XSPD_PACHINKO XPEED_KR && PACHINKO
score XSPD_PACHINKO 5.5

# 
# I wrote this rule at 2005.10.19 10:30.
# When the faked Received: will be disappeared?
# 2005.10.19 by [yoh]
# 
# http://www.iana.org/assignments/ipv4-address-space
# over 223.0.0.0 is invalid.
# 2005.12.15 by [yoh]
# 

# header FORGED_RCVD_IP Received =~ /from.+((2(2[3-9]|[3-9][0-9])|[3-9][0-9][0-9])(\.[0-9]+){3,3}|[0-9]+\.(2(5[6-9]|[6-9][0-9])|[3-9][0-9][0-9])(\.[0-9]+){2,2}|([0-9]+\.){2,2}(2(5[6-9]|[6-9][0-9])|[3-9][0-9][0-9])(\.[0-9]+)|(2(5[6-9]|[6-9][0-9])|[3-9][0-9][0-9])(\.[0-9]+){3,3})/
# header FORGED_RCVD_IP Received =~ /from.+((2(2[3-9]|[3-9][0-9])|[3-9][0-9][0-9])(\.[0-9]+){3,3}[^a-zA-Z0-9\._-]|[0-9]+\.(2(5[6-9]|[6-9][0-9])|[3-9][0-9][0-9])(\.[0-9]+){2,2}|([0-9]+\.){2,2}(2(5[6-9]|[6-9][0-9])|[3-9][0-9][0-9])(\.[0-9]+)|([0-9]+\.){3,3}(2(5[6-9]|[6-9][0-9])|[3-9][0-9][0-9]))/
# header FORGED_RCVD_IP Received =~ /from.+((2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d){3}[^a-zA-Z0-9\._-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
# header FORGED_RCVD_IP Received =~ /from.+(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
# header FORGED_RCVD_IP Received =~ /(\W([01257]|2[37]|3[1679]|42|7[789]|9[6-9]|1[01]\d|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
# header FORGED_RCVD_IP Received =~ /([^\w\.]([01257]|2[37]|3[1679]|42|7[789]|9[6-9]|1[01]\d|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
# header FORGED_RCVD_IP Received =~ /[^\w\.](([01257]|2[37]|3[1679]|42|7[789]|9[6-9]|1[01]\d|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){3}|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,}))[^\w\.-]/
# header FORGED_RCVD_IP Received =~ /[^\w\.](([01257]|2[37]|3[1679]|42|7[789]|9[6-9]|1[01]\d|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))[^\w\.-]/
# header FORGED_RCVD_IP Received =~ /[^\w\.](([01257]|2[37]|3[1679]|42|7[789]|9[6-9]|1[01]\d|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){3}|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,}))[^\w\.-].+with/
# header FORGED_RCVD_IP Received =~ /[^\w\.](([01257]|2[37]|3[1679]|42|7[89]|9[6-9]|1[01][0-5]|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){3}|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,}))[\)\] ].+with/
header FORGED_RCVD_IP Received =~ /[^\w\.](([01257]|2[37]|3[1679]|4[269]|50|[89]\d|10[0-7]|17[3-9]|18[156]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){3}|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,})(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d|\d{4,}))[\)\] ].+with/
describe FORGED_RCVD_IP Invalid IP number, over 255.
score FORGED_RCVD_IP 1.0


# header RCVD_NUMERIC_HELO2 X-Spam-Relays-Untrusted =~ /helo=\!([0-9]{1,3}\.){3,3}[0-9]{1,3}\! .+ ident= envfrom= intl=0 .+ auth= /
header RCVD_NUMERIC_HELO2 X-Spam-Relays-Untrusted =~ /helo=\!(\d{1,3}\.){3}\d{1,3}\! .+ ident= envfrom= intl=0 .+ auth= /
describe RCVD_NUMERIC_HELO2 Received: contains bracketted IP address string used for HELO
score RCVD_NUMERIC_HELO2 1.5


# added 2009.06.17 by [yoh]
# 
header X_MAILER_PRESENT	exists:X-Mailer
describe X_MAILER_PRESENT	exists:X-Mailer
score X_MAILER_PRESENT	0.1

header X_SHIROYAGI_VER exists:X-Shiroyagi-Version
score X_SHIROYAGI_VER 1.5

header X_SHIROYAGI_URL exists:X-Shiroyagi-URL
score X_SHIROYAGI_URL 1.5

meta DYN_SHIROYAGI ___DYNAMICIP && (X_SHIROYAGI_VER || X_SHIROYAGI_URL)
score DYN_SHIROYAGI 3.5



# thrown away 2005.09.14 by [yoh]
# 
# meta SUNFINANCE_2 ISO2022JP_CHARSET && OBFUS_JP_TO && !(X_MAILER_PRESENT)
# describe SUNFINANCE_2 ISO2022JP_CHARSET && OBFUS_JP_TO && !(X_MAILER_PRESENT)
# score SUNFINANCE_2 2.4

header THREAD_INDEX exists:thread-index
describe THREAD_INDEX thread-index: AcO7Y8iR61tzADqsRmmc5wNiFHEOig==
score THREAD_INDEX 0.3

header THREAD_TOPIC exists: Thread-Topic
describe THREAD_TOPIC Thread-Topic: ...(Japanese Subject)...
score THREAD_TOPIC 0.3

meta SJISNOTXMAILER (SHIFT_JIS1 || SJIS_BODY) && ! X_MAILER_PRESENT
describe SJISNOTXMAILER (SHIFT_JIS1 || SJIS_BODY) && ! X_MAILER_PRESENT
score SJISNOTXMAILER 2.0


# I found that "uri" testing fails to match uri strings preceding Japanese character.
# 2004.06.19 [yoh]
rawbody JPPORNURI /http:\/\/[a-z0-9.]*(5611[1-8]\.jp|117net\.net|lovemedo\.jp|miss\-you\.jp|w\-ink\.net|celebc\.com|18kin\.jp|e-dm\.org|4610\.com|koi51\.net|chachat\.net|dekichat\.com|pacificgirls\.com|altero\.tv|1919mmo\.com|008s\.be|warikiri\.to|web-wave\.com|77qq\.net|deai-tt\.com|hitkart\.com|qqq-aaa\.com|amg\.to|net-land\.info|yoitokoro\.com|okokoknet\.net|yoitokoro\.com|av-live\.com|b-tiku\.com|secretoflove\.net|39515[12]\.com|elitecities\.com|free-mode\.net|pure-sweethome\.bz|191919\.cc|garlicbutter\.net|sukeper\.net|551155\.jp|withlove\.the-ninja\.jp|na7\.dynu\.ca)\/{0,1}/
describe JPPORNURI Japanese porn site
score JPPORNURI 4.0

header JPPORNSCAMFROM From =~ /\@(5611[1-8]\.jp|117net\.net|lovemedo\.jp|e-dm\.org|55dvd\.net|koi51\.net|love2deai\.com|lily-adolescence\.|d-mail\.biz|1919japan\.com|395152\.com|vig-seet\.to|1919\.st|adadjp\.com|famail\.jp|venusnetwoerk\.cx|spacelan\.ne\.jp)/
describe JPPORNSCAMFROM Japanese porn and scam domain
score JPPORNSCAMFROM 7.0

# I found that "uri" testing fails to match uri strings preceding Japanese character.
# 2004.06.19 [yoh]
# 2004.11.05 [yoh]
# baken\.tv|hot\.hot\.com|denen-soho\.com|117mail\.net|
# combzmail\.jp|
# |[a-z0-9]+

rawbody JPSCAMURI /http:\/\/[a-z0-9-.]*(europe\.webmatrixhosting\.net|gogoway\.orgdns\.org|spread\.or\.tv|maga\.readymade\.jp|value\.webcordial\.com|pika\.tv|19191969\.com|093ana\.com|cam-cam\.net|candypop\.tv|deaiking\.com|milkymail\.net|purelove888\.com|secretoflove\.net|l1l9\.com|otegaruhp\.com\/cobra\/html\/hirokopr|online-jp\.net|outside-lover\.com|blue-ocean2004\.com|naturalget\.com|scoop-on\.(com|jp)|1092\.cn|1092\.gs|19190930\.com|i1i9\.net|l1l9\.com|yoso-zu\.com|rose-kiss\.com|members\.fortunecity\.com|up7\.cc|eyc\.jp|zl8\.jp|61\.96\.62\.167|pure1151\.com|bblive\.tv|ai-angel\.net|soku-aeru\.net|nightpita\.com|dejavu\.to|tada\.ph|peachat\.net|1919japan\.com|to-roku\.com|ceaw\.jp|59862777\.com|orange-rocket\.com|prin\.to|lolo\.ojiji\.net|ana093\.cc|eroero999\.com|love4deai\.com|kicks-ass\.net|is-a-geek\.org|lovemint\.net|e-hot-news\.jp|getget\.oops\.jp|upper\.jp|xx-mail\.jp|px\.a8\.net|pc\.lovefree\.tv|pure1107\.net|ljart\.net|(0-9a-z)+\.ifdef\.jp|(free24mail|365hdate)\.fc2\.com|odaiba-bbs\.jp|ai51\.e-city\.tv|bokumetu\.com|kissmi\.jp|party-jamjam\.org|hosting-geomax\.jp|sf-spot\.com|big-888\.com|o-oku-channel\.com|soresoreweb\.com|geocities\.jp\/(sayacchimail|poophy15)|websamba\.com|members\.lycos\.co\.uk\/cadlove|[a-z0-9-]+\.(tripod\.com|host\.sk)(\/top|\/main){0,1}|xid-love\.netfirms\.com|club-classico\.com|e-ezweb\.jp|rakuen-dx\.com|lover-kiss\.com|cross\.ne\.jp|j-sine\.com|swht\.jp|doxlive\.com|perfectharmony-ms\.org|1251\.us|servecounterstrike\.com|[a-z_-]*deai[a-z_-]*\.[a-z0-9-]+\.(jp|com|net|tv|sk|cn)|61\.197\.117\.99|redmax\.jp|morachao\.com|1251\.cc|formzu\.net|members\.ocry\.com|cbat\.page\.ne\.jp|889860\.com|89balls\.com|filltheblank\.com|members2\.jcom\.home\.ne\.jp\/3385927201|aru-aru\.jpn\.org|otz5678\.hn\.org|tinyurl\.com|choco2\.jp|buisinespp\.dyndns\.dk|abcwill\.dyn\.dhs\.org|yudoweb1\.freewebsitehosting\.com|umimono.no.sapo.pt|656566\.com|sss-japan\.co\.jp|home\.doramail\.com|www40\.brinkster\.com|shameme\.host\.sk|autocall\.jp|dm-mail\.net|www18\.ocn\.ne\.jp\/\~kio-pack|mo-v\.jp|www\.tactnet\.co\.jp|hiromirror-desighner\.net|fff\.lir\.dk|s-s\.kyed\.com|brandwholesaler\.com|nihon-cash\.com|dogyman\.com|yellowsanta\.jp|bottom-up1\.com|hime\.ontheweb\.nu|free-xx\.com|address-bank\.homeip\.net|agk-777\.jp|shotgunmarriage\.net|(minami|farewell|alstroemeria)\.dynu\.ca|kyousai\.squares\.net|gigamerimp\.net|boorats19\.info|sunnyday\.jp|life-line\.mods\.jp|lucavenus\.jp|e-shops\.jp|fox99\.staticcling\.org|e-net\.velvet\.jp|access\.main\.jp|webclick\.chu\.jp|www\.infotop\.jp|www\.mailbank\.biz|ladymaid\.net|new-homebiz\.com|777navi\.cc|riajet\.com|af-sv\.com|yy-life\.com|1151bbs\.jp|gambletips\.net|oogachi-t\.com|keiba-de-myhome-get\.seesaa\.net|pachipuro-m\.com|sugowaza\.jp|free-book\.jp|ippatu\.com|.\$B%a%k%:.\(B\.jp|data-jobbank\.from\.tv|deairooms\.com|1-coin\.jp|combzmail\.jp|insiderscoachingclub\.com|genkiclub\.net|viviani\.jp|sakakibara\.zz\.tc|miss-me\.findyou2\.net|at-soho\.rdy\.jp|pavbq\.com|kagurazaka\.biz|sc37\.vczln\.com|snsns\.my-sv\.net|e-bukken\.co\.jp|ji06\.gtwd\.biz|ktaisearch\.com|shop\.shenlihang\.info|baojpp\.com|sakuradvd\.com|oshirase-jp\.com|genkiclub1470\.com|shoppingjp\.net|rdnw\.net|i-ktai\.com|rkg\.(?:jp|cc)|megami\.hiho\.jp|infodirect\.bz)\/{0,1}/
describe JPSCAMURI Japanese scam site
score JPSCAMURI 3.5

meta JPSCAMURI99 JPSCAMURI && BAYES_99
describe JPSCAMURI99 JPSCAMURI && BAYES_99
score JPSCAMURI99 5.0

meta SJISJPSCAMURI SJIS_C && JPSCAMURI
describe SJISJPSCAMURI SJIS_C && JPSCAMURI
score SJISJPSCAMURI 10

rawbody URLTRANSFER /(http:\/\/tinyurl\.com\/{0,1}|http:\/\/www\.google\.([a-z].|com|co\.[a-z].)\/pagead\/iclk\?sa=l\&ai=[A-Za-z]+\&num=\d+\&adurl=http:\/\/)/
score URLTRANSFER 0.1

meta DYN_URLTRANS ___DYNAMICIP && URLTRANSFER
score DYN_URLTRANS 3.5

meta URLT_CBL URLTRANSFER && RCVD_IN_CBL
score URLT_CBL 3.5
meta URLT_SPAMCOP URLTRANSFER && RCVD_IN_BL_SPAMCOP_NET
score URLT_SPAMCOP 3.5
meta URLT_DSBL URLTRANSFER && RCVD_IN_DSBL
score URLT_DSBL 3.5
# meta URLT_DUL URLTRANSFER && RCVD_IN_SORBS_DUL
# score URLT_DUL 3.5

meta URLT_PBL URLTRANSFER && RCVD_IN_PBL
score URLT_PBL 3.5
meta URLT_DCN URLTRANSFER && ___DCN 
score URLT_DCN 3.5


# Umm, I've not seen recent spams including telephone numbers.
# 2005.04.21 by [yoh]

body JPSCAMTEL /(0774-52-5633|090-8159-3461|0774-56-6428|0120-40-8689|090-8437-9455|090-8174-2533|0774-55-7505|03-3404-7373|\#0\#8\#0\!\]\#5\#4\#4\#3\!\]\#4\#0\#7\#6|0774-55-1479|0774-52-5634|090-9947-4750|090-8502-8857|090-5518-3019|080-3768-3495|090-6010-0125|090-8431-1023|03-5981-0843|09081601952|090-1568-7184|06-6263-2169|0774-52-5639|0774-55-6737|03-5979-6201|0774-55-6726|03-3392-2301|03-3392-2308)/
describe JPSCAMTEL Japanese scam telephone number
score JPSCAMTEL 4.0

# body JPSCAMMAILADDRESS /(play\-M\-[0-9]{5}\@[a-z-]+\.net)/
body JPSCAMMAILADDRESS /(play|reg)\-M\-[a-z0-9]+\@[a-z-]+\.(net|com|jp)/
describe JPSCAMMAILADDRESS Japanese scam mail address
score JPSCAMMAILADDRESS 3.0

# uri SCAMPHARM /http:\/\/[a-z0-9.]*(anadromous3344pi11s\.us|aplace2getmyrx\.com|direct-meds4less\.com|e-prescriptions\.us|ettllrx\.us|findrxfast\.com|good4umeds\.com|hasslefreerx\.com|inspiredbyachievement\.com|morning-meds\.com|okscriptsworld\.com|pharm-martworld\.com|reliableherbalproducts\.com|rxtrx\.us|seenonlyonce\.com|simpleandgreat\.com|smileyproductmall\.com|startoverproducts\.com|stream8759dryg\.us|the-medmart\.com|the-medmartworld\.com|traditionalrx\.com|where2go4rx\.com|worldofrx\.com|thepillsnational\.com)/

# thrown away 2005.09.14 by [yoh]
# 
# meta INVYAHJPFALSE ALL_TRUSTED && INVALIDYAHOOJP
# describe INVYAHJPFALSE ALL_TRUSTED && INVALIDYAHOOJP
# score INVYAHJPFALSE 3.3
# 
# meta PLAYINVYAHOOJP JPSCAMMAILADDRESS && INVALIDYAHOOJP
# describe PLAYINVYAHOOJP JPSCAMMAILADDRESS && INVALIDYAHOOJP
# score PLAYINVYAHOOJP 7.0
# 
# rawbody SWEN_A_BOUNCED /<BR><BR><BR>Undelivered mail to <B>[a-z]{6,}\@(america|aol|bigfoot|freemail|microsoft|netmail|puremail|rocketmail|yahoo)\.(com|net)<\/B>/
# describe SWEN_A_BOUNCED Faked "bounced error" message generated by I-Worm/Swen.A
# score SWEN_A_BOUNCED 10.0

# (FORGED_OUTLOOK_TAGS || FORGED_HOTMAIL_RCVD || FORGED_YAHOO_RCVD || FORGED_OUTLOOK_TAGS || FORGED_HOTMAIL_RCVD2 || FORGED_JUNO_RCVD || FORGED_MUA_OIMO || FORGED_HOTMAIL_RCVD2 || FORGED_MUA_OUTLOOK || FORGED_MX_HOTMAIL || FORGED_MUA_OUTLOOK)

meta FORGED99 BAYES_99 && ___FORGED
describe FORGED99 FORGED_* && BAYES_99
score FORGED99 2.0


# meta MTAIDRBLJP MSGID_FROM_MTA_ID && URLBL_RBLJP
# describe MTAIDRBLJP MSGID_FROM_MTA_ID && URLBL_RBLJP
# score MTAIDRBLJP 10.0

# meta UNDISCMTAID UNDISC_RECIPS && MSGID_FROM_MTA_ID
# describe UNDISCMTAID UNDISC_RECIPS && MSGID_FROM_MTA_ID
# score UNDISCMTAID 10.0

# 
# 2008.06.29 by [yoh]
# 
meta BOUNCESPAM (__BOUNCE_RPATH_NULL || __BOUNCE_FROM_DAEMON || __BOUNCE_CTYPE ||__BOUNCE_RPATH_MD) && (URIBL_BLACK || URIBL_AB_SURBL || URIBL_SC_SURBL || URIBL_JP_SURBL || URIBL_OB_SURBL || URIBL_SBL || URIBL_RHS_DOB || URIBL_PH_SURBL || URIBL_WS_SURBL || URLBL_RBLJP)
score BOUNCESPAM 7.5

# 
# - Razor and Pyzor score
# 

# Razor2 sometimes fails to recognize ham as spam.
# So I can't add score.
# In 3.1.0, you have to enable plugin "Mail::SpamAssassin::Plugin::Razor2"
# in /etc/spamassassin/v310.pre .
# http://marc.theaimsgroup.com/?l=spamassassin-announce&m=112674318914008&w=2
# 2005.09.26 by [yoh]
# 

score RAZOR2_CF_RANGE_51_100 2.5
score RAZOR2_CHECK 1.0

meta RAZORPYZOR RAZOR2_CF_RANGE_51_100 && PYZOR_CHECK && BAYES_99
describe RAZORPYZOR RAZOR2_CF_RANGE_51_100 && PYZOR_CHECK && BAYES_99
score RAZORPYZOR 10.0

meta RAZOR99 RAZOR2_CF_RANGE_51_100 && BAYES_99
describe RAZOR99 RAZOR2_CF_RANGE_51_100 && BAYES_99
score RAZOR99 8.5

# 2009.09.29 by [yoh]
meta DYN_RAZOR RAZOR2_CF_RANGE_51_100 && ___DYNAMICIP
score DYN_RAZOR 3.5

# Pyzor sometimes fails to recognize ham as spam.
# So I decided setting low score.
# 2007.07.08 by [yoh]

score PYZOR_CHECK 1.5


meta PYZOR99 PYZOR_CHECK && BAYES_99
describe PYZOR99 PYZOR_CHECK && BAYES_99
score PYZOR99 5.5

# 2009.09.29 by [yoh]
meta DYN_PYZOR PYZOR_CHECK && ___DYNAMICIP
score DYN_PYZOR 3.5


# DCC sometimes fails to recognize ham as spam.
# So I decided setting low score.
# 2009.03.22 by [yoh]

score DCC_CHECK 1.2

# 2009.09.29 by [yoh]
meta DYN_DCC DCC_CHECK && ___DYNAMICIP
score DYN_DCC 3.5


meta ___DCN RAZOR2_CF_RANGE_E8_51_100  || RAZOR2_CHECK  || RAZOR2_CF_RANGE_51_100  || PYZOR_CHECK || DCC_CHECK

# meta ___FORGED (FORGED_RCVD_HELO || FORGED_OUTLOOK_TAGS || FORGED_HOTMAIL_RCVD || FORGED_YAHOO_RCVD || FORGED_OUTLOOK_TAGS || FORGED_HOTMAIL_RCVD2 || FORGED_JUNO_RCVD || FORGED_MUA_OIMO || FORGED_HOTMAIL_RCVD2 || FORGED_MUA_OUTLOOK || FORGED_MUA_OUTLOOK)
# meta ___FORGED FORGED_HOTMAIL_RCVD || FORGED_HOTMAIL_RCVD2 || FORGED_JUNO_RCVD || FORGED_MUA_OIMO || FORGED_MUA_OUTLOOK || FORGED_RCVD_HELO || FORGED_YAHOO_RCVD
meta ___FORGED FORGED_HOTMAIL_RCVD2 || FORGED_MUA_OIMO || FORGED_MUA_OUTLOOK || FORGED_YAHOO_RCVD

meta FORGED_DCN ___DCN && ___FORGED
describe FORGED_DCN Distributed Collaborative Network and FORGED_xxx
score FORGED_DCN 5.5

meta SPF_DCN (SPF_HELO_SOFTFAIL || SPF_FAIL) && ___DCN
score SPF_DCN 5.5

meta THEBAT_DCN REPTO_OVERQUOTE_THEBAT && ___DCN
score THEBAT_DCN 5.5


# meta ___TVD TVD_FW_GRAPHIC_ID1 || TVD_FW_GRAPHIC_ID2 || TVD_FW_GRAPHIC_ID3 || TVD_FW_GRAPHIC_NAME_LONG || TVD_PDF_FINGER01
meta ___TVD TVD_FW_GRAPHIC_NAME_LONG || TVD_PDF_FINGER01

meta TVDFWGR_DCN ___TVD && ___DCN
score TVDFWGR_DCN 3.5

meta THEBAT_TVDFWGR REPTO_OVERQUOTE_THEBAT && ___TVD
score THEBAT_TVDFWGR 3.5

# meta MTAID_THEBAT MSGID_FROM_MTA_ID && REPTO_OVERQUOTE_THEBAT
# score MTAID_THEBAT 3.5

# meta MTAID_TVDFWGR MSGID_FROM_MTA_ID && ___TVD
# score MTAID_TVDFWGR 3.5

meta RCVDIP_DCN RCVD_HELO_IP_MISMATCH && ___DCN
score RCVDIP_DCN 5.5



# These DNSBLs policy is idealism.
# We have to escape some legal sites against marking from the DNSBLs.
# DNS_FROM_RFC_WHOIS
# DNS_FROM_RFC_POST
# DNS_FROM_RFC_ABUSE

# score DNS_FROM_RFC_POST 0.1
# score DNS_FROM_RFC_ABUSE 0.1

# 
# Special thanks to: 'Koaihito' Yu-ma shishou and Nasa-n: 2005/09/21 by [yoh]
# 

# header VALIDDOCOMO Received =~ /from .*203\.138\.203\./
# header VALIDDOCOMO Received =~ /from .*203\.138\.203\.([0-9]|[1-9][0-9]{1,2}|2[0-4][0-9]|25[0-5]).+by /
# header VALIDDOCOMO X-Spam-Relays-Untrusted =~ /ip=203\.138\.203\.\d{1,3} [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header VALIDDOCOMO X-Spam-Relays-Untrusted =~ /^\[ ip=203\.138\.203\.\d{1,3} /
describe VALIDDOCOMO valid docomo.ne.jp's IP
score VALIDDOCOMO -3.5

# meta DNSFRMRFC_WHITE DNS_FROM_RFC_POST && VALIDDOCOMO
# describe DNSFRMRFC_WHITE for avoiding valid site from DNS_FROM_RFC_POST
# score DNSFRMRFC_WHITE -3.5

# 
# Special thanks to: Yajisan and Kamosame: 2005/09/29 by [yoh]
# 

header VALIDWILLCOM Received =~ /from .*pdxio[0-9]+\.pdx\.ne\.jp.+by /
describe VALIDWILLCOM valid WILLCOM IP
score VALIDWILLCOM -3.5



# -- DNSBL checking --
# Before you use DNSBL checking, you have to install
# "Net::DNS - Perl DNS Resolver Module"
# ex. apt-get install libnet-dns-perl (Debian)
# 2004.04.23 by [yoh]

#
# I found some DNSBLs have wrong IP/URI listings.
# To avoid wrong judgement, making meta rules with BAYES_99 may be a good
# solution, I believe.
# 2005.02.05 by [yoh]
#


skip_rbl_checks 0
rbl_timeout 15


# http://improbable.org/chris/index.php?ID=109

header      RCVD_IN_RFC_PM      eval:check_rbl('relay', 'postmaster.rfc-ignorant.org.')
describe    RCVD_IN_RFC_PM      Received via a relay in postmaster.rfc-ignorant.org
score       RCVD_IN_RFC_PM      0.1

header      X_CHINESE_RELAY     eval:check_rbl('relay', 'cn.rbl.cluecentral.net.')
describe    X_CHINESE_RELAY     Received via a relay in China
score       X_CHINESE_RELAY     0.1

header      X_KOREAN_RELAY      eval:check_rbl('relay', 'korea.services.net.')
describe    X_KOREAN_RELAY      Received via a relay in Korea
score       X_KOREAN_RELAY      0.1

meta XKOREAN99 X_KOREAN_RELAY && BAYES_99
describe XKOREAN99 X_KOREAN_RELAY && BAYES_99
score XKOREAN99 2.0

meta XKOREANJP X_KOREAN_RELAY && (ISO2022JP_BODY || SJIS_BODY)
describe XKOREANJP X_KOREAN_RELAY && (ISO2022JP_BODY || SJIS_BODY)
score XKOREANJP 1.0

# block.blars.org is not reliable. see http://check.jippg.org/rblchk.cgi
# 
# header    RCVD_IN_BLARS                 eval:check_rbl('blars', 'block.blars.org.')
# describe  RCVD_IN_BLARS                 BLARS: in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS                 0.1
# tflags    RCVD_IN_BLARS                 net
# 
# header    RCVD_IN_BLARS_SPAM            eval:check_rbl_sub('blars', '1')
# describe  RCVD_IN_BLARS_SPAM            BLARS: Spam sending domain in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_SPAM            0.5
# tflags    RCVD_IN_BLARS_SPAM            net
# 
# header    RCVD_IN_BLARS_MULTI           eval:check_rbl_sub('blars', '2')
# describe  RCVD_IN_BLARS_MULTI           BLARS: Multi-hop relay in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_MULTI           0.1
# tflags    RCVD_IN_BLARS_MULTI           net
# 
# header    RCVD_IN_BLARS_DIALUP          eval:check_rbl_sub('blars-notfirsthop', '4')
# describe  RCVD_IN_BLARS_DIALUP          BLARS: Dynamic / Dialups in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_DIALUP          0.1
# tflags    RCVD_IN_BLARS_DIALUP          net
# 
# header    RCVD_IN_BLARS_HOOPS           eval:check_rbl_sub('blars', '8')
# describe  RCVD_IN_BLARS_HOOPS           BLARS: Wants spam complainers to jump through hoops in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_HOOPS           0.1
# tflags    RCVD_IN_BLARS_HOOPS           net
# 
# header    RCVD_IN_BLARS_ABUSE           eval:check_rbl_sub('blars', '16')
# describe  RCVD_IN_BLARS_ABUSE           BLARS: No working abuse address in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_ABUSE           0.1
# tflags    RCVD_IN_BLARS_ABUSE           net
# 
# header    RCVD_IN_BLARS_SPAM_WEB        eval:check_rbl_sub('blars', '32')
# describe  RCVD_IN_BLARS_SPAM_WEB        BLARS: Hosts spamers web sites in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_SPAM_WEB        0.01
# tflags    RCVD_IN_BLARS_SPAM_WEB        net
# 
# header    RCVD_IN_BLARS_SPAMDROP       eval:check_rbl_sub('blars', '64')
# describe  RCVD_IN_BLARS_SPAMDROP       BLARS: Hosts spammers email dropboxes in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_SPAMDROP       0.01
# tflags    RCVD_IN_BLARS_SPAMDROP       net
# 
# header    RCVD_IN_BLARS_HACK            eval:check_rbl_sub('blars', '128')
# describe  RCVD_IN_BLARS_HACK            BLARS: Breakin attempts in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_HACK            0.1
# tflags    RCVD_IN_BLARS_HACK            net
# 
# header    RCVD_IN_BLARS_SUE             eval:check_rbl_sub('blars', '256')
# describe  RCVD_IN_BLARS_SUE             BLARS: Sued or prosecuted DNSBL lister in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_SUE             0.1
# tflags    RCVD_IN_BLARS_SUE             net
# 
# header    RCVD_IN_BLARS_DOS             eval:check_rbl_sub('blars', '512')
# describe  RCVD_IN_BLARS_DOS             BLARS: DOS attack in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_DOS             0.01
# tflags    RCVD_IN_BLARS_DOS             net
# 
# header    RCVD_IN_BLARS_SPAMWARE       eval:check_rbl_sub('blars', '1024')
# describe  RCVD_IN_BLARS_SPAMWARE       BLARS: Supplier of spamware in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_SPAMWARE       0.1
# tflags    RCVD_IN_BLARS_SPAMWARE       net
# 
# header    RCVD_IN_BLARS_SPSPRT    eval:check_rbl_sub('blars', '2048')
# describe  RCVD_IN_BLARS_SPSPRT    BLARS: Knowingly supports spammers in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_SPSPRT    0.1
# tflags    RCVD_IN_BLARS_SPSPRT    net
# 
# header    RCVD_IN_BLARS_CARTOON       eval:check_rbl_sub('blars', '4096')
# describe  RCVD_IN_BLARS_CARTOON       BLARS: Legal threats in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_CARTOON       0.1
# tflags    RCVD_IN_BLARS_CARTOON       net
# 
# header    RCVD_IN_BLARS_HIJCKRLY      eval:check_rbl_sub('blars', '8192')
# describe  RCVD_IN_BLARS_HIJCKRLY      BLARS: Attempted mail relay exploits in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_HIJCKRLY      0.1
# tflags    RCVD_IN_BLARS_HIJCKRLY      net
# 
# header    RCVD_IN_BLARS_HIJCKCGI      eval:check_rbl_sub('blars', '16384')
# describe  RCVD_IN_BLARS_HIJCKCGI      BLARS: Attempted formmail exploits exploits in Blacklist / Blocklist block.blars.org
# score     RCVD_IN_BLARS_HIJCKCGI      0.1
# tflags    RCVD_IN_BLARS_HIJCKCGI      net
# 
# meta BLARS00 RCVD_IN_BLARS && BAYES_00
# describe BLARS00 RCVD_IN_BLARS is very low reliability.
# score BLARS00 -5
# 
# meta BLARS_SPAM00 RCVD_IN_BLARS_SPAM && BAYES_00
# describe BLARS_SPAM00 RCVD_IN_BLARS_SPAM is very low reliability.
# score BLARS_SPAM00 -5
# 

# SpamAssassin local.cf for AHBL BlackList / BlockList
# "Old blackholes.2mbit.com resurrected as AHBL (dnsbl.ahbl.org)"
# URL: http://www.ahbl.org
header RCVD_IN_AHBL eval:check_rbl('AHBL', 'dnsbl.ahbl.org.')
describe RCVD_IN_AHBL AHBL: sender is listed in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL 0.5
tflags RCVD_IN_AHBL net header RCVD_IN_AHBL_UNKNOWN_1 eval:check_rbl_sub('AHBL', '127.0.0.1')
# describe RCVD_IN_AHBL_UNKNOWN_1 AHBL: Unknown Category 1 in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_UNKNOWN_1 0.01
# tflags RCVD_IN_AHBL_UNKNOWN_1 net
# 
# header RCVD_IN_AHBL_SMTP eval:check_rbl_sub('AHBL', '127.0.0.2')
# describe RCVD_IN_AHBL_SMTP AHBL: Open SMTP relay in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_SMTP 0.5
# tflags RCVD_IN_AHBL_SMTP net

header RCVD_IN_AHBL_PROXY eval:check_rbl_sub('AHBL', '127.0.0.3')
describe RCVD_IN_AHBL_PROXY AHBL: Open Proxy server in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_PROXY 0.2
tflags RCVD_IN_AHBL_PROXY net

header RCVD_IN_AHBL_SPAM eval:check_rbl_sub('AHBL', '127.0.0.4')
describe RCVD_IN_AHBL_SPAM AHBL: Spam Source in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_SPAM 0.1
tflags RCVD_IN_AHBL_SPAM net

# header RCVD_IN_AHBL_RTB eval:check_rbl_sub('AHBL', '127.0.0.5')
# describe RCVD_IN_AHBL_RTB AHBL: Real-Time Blocked in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_RTB 0.01
# tflags RCVD_IN_AHBL_RTB net
# 
# header RCVD_IN_AHBL_FORMMAIL eval:check_rbl_sub('AHBL', '127.0.0.6')
# describe RCVD_IN_AHBL_FORMMAIL AHBL: Abuseable Form Mail in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_FORMMAIL 0.5
# tflags RCVD_IN_AHBL_FORMMAIL net

header RCVD_IN_AHBL_SPSUPPORT eval:check_rbl_sub('AHBL', '127.0.0.7')
describe RCVD_IN_AHBL_SPSUPPORT AHBL: Spam Supporter in BlackList / BlockList dnsbl.ahbl.org
score RCVD_IN_AHBL_SPSUPPORT 0.5
tflags RCVD_IN_AHBL_SPSUPPORT net

# header RCVD_IN_AHBL_I_SPAM_SUPPORT eval:check_rbl_sub('AHBL', '127.0.0.8')
# describe RCVD_IN_AHBL_I_SPAM_SUPPORT AHBL: Indirect Spam supporter in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_I_SPAM_SUPPORT 0.5
# tflags RCVD_IN_AHBL_I_SPAM_SUPPORT net
# 
# header RCVD_IN_AHBL_ENDUSER eval:check_rbl_sub('AHBL', '127.0.0.9')
# describe RCVD_IN_AHBL_ENDUSER AHBL: End User (non mail system) in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_ENDUSER 0.5
# tflags RCVD_IN_AHBL_ENDUSER net
# 
# header RCVD_IN_AHBL_SOS eval:check_rbl_sub('AHBL-notfirsthop', '127.0.0.10')
# describe RCVD_IN_AHBL_SOS AHBL: Shoot On Sight in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_SOS 0.5
# tflags RCVD_IN_AHBL_SOS net
# 
# header RCVD_IN_AHBL_RFCI_PA eval:check_rbl_sub('AHBL', '127.0.0.11')
# describe RCVD_IN_AHBL_RFCI_PA AHBL: Missing Postmaster or Abuse Address in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_RFCI_PA 0.5
# tflags RCVD_IN_AHBL_RFCI_PA net
# 
# header RCVD_IN_AHBL_5XXI eval:check_rbl_sub('AHBL', '127.0.0.12')
# describe RCVD_IN_AHBL_5XXI AHBL: Does not properly handle 5xx errors in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_5XXI 0.5
# tflags RCVD_IN_AHBL_5XXI net
# 
# header RCVD_IN_AHBL_RFCI_MISC eval:check_rbl_sub('AHBL', '127.0.0.13')
# describe RCVD_IN_AHBL_RFCI_MISC AHBL: Other Non-RFC Compliant in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_RFCI_MISC 0.5
# tflags RCVD_IN_AHBL_RFCI_MISC net
# 
# header RCVD_IN_AHBL_MISC eval:check_rbl_sub('AHBL', '127.0.0.127')
# describe RCVD_IN_AHBL_MISC AHBL: Misc (other) in BlackList / BlockList dnsbl.ahbl.org
# score RCVD_IN_AHBL_MISC 0.5
# tflags RCVD_IN_AHBL_MISC net

# Listed in cbl.abuseat.org http://cbl.abuseat.org/
header RCVD_IN_CBL              eval:check_rbl_txt('cbl', 'cbl.abuseat.org.')
describe RCVD_IN_CBL            Received via a relay in cbl.abuseat.org
tflags RCVD_IN_CBL              net
score RCVD_IN_CBL               0.1


# Subject: Re: 2 Questions
# From: Matt Kettler <mkettler at evi-inc.com>
# Date: Wed, 13 Jul 2005 17:25:19 -0400
# http://mail-archives.apache.org/mod_mbox/spamassassin-users/200507.mbox/%3c42D586BF.6060600@evi-inc.com%3e

header RCVD_IN_CHINA_KR         eval:check_rbl('countrycnkr','cn-kr.blackholes.us.')
describe RCVD_IN_CHINA_KR       Received from China or Korea
tflags  RCVD_IN_CHINA_KR        net
score RCVD_IN_CHINA_KR          0.1



# header __RCVD_IN_NERDS    eval:check_rbl('nerds', 'zz.countries.nerd.dk.')
# describe __RCVD_IN_NERDS    Rule to match every country
# tflags __RCVD_IN_NERDS    net
# score RCVD_IN_NERDS_US    2.0
# 
# header RCVD_IN_NERDS_US    eval:check_rbl_sub('nerds', '127.0.3.72)
# describe RCVD_IN_NERDS_US    Rule to deduct weight for US sourced messages
# tflags RCVD_IN_NERDS_US    net nice
# score RCVD_IN_NERDS_US    -2.0
# 
# header __RCVD_IN_NERDS    eval:check_rbl('nerds', 'zz.countries.nerd.dk.')
# 
# 
# header __RCVD_IN_NERDS                  eval:check_rbl('nerds','zz.countries.nerd.dk.')
# describe __RCVD_IN_NERDS                Received from a spam country
# tflags __RCVD_IN_NERDS                  net
# 
# header RCVD_IN_NERDS_AR                 eval:check_rbl_sub('nerds','127.0.0.32')
# describe RCVD_IN_NERDS_AR               Received from Argentina
# tflags RCVD_IN_NERDS_AR                 net
# score RCVD_IN_NERDS_AR                  2.5
# 
# header RCVD_IN_NERDS_BR                 eval:check_rbl_sub('nerds','127.0.0.76')
# describe RCVD_IN_NERDS_BR               Received from Brazil
# tflags RCVD_IN_NERDS_BR                 net
# score RCVD_IN_NERDS_BR                  3.5
# 
# header RCVD_IN_NERDS_CL                 eval:check_rbl_sub('nerds','127.0.0.152')
# describe RCVD_IN_NERDS_CL               Received from Chile
# tflags RCVD_IN_NERDS_CL                 net
# score RCVD_IN_NERDS_CL                  2.5
# 
# header RCVD_IN_NERDS_CN                 eval:check_rbl_sub('nerds','127.0.0.156')
# describe RCVD_IN_NERDS_CN               Received from China
# tflags RCVD_IN_NERDS_CN                 net
# score RCVD_IN_NERDS_CN                  3.5
# 
# header RCVD_IN_NERDS_HK                 eval:check_rbl_sub('nerds','127.0.1.88')
# describe RCVD_IN_NERDS_HK               Received from Hong Kong
# tflags RCVD_IN_NERDS_HK                 net
# score RCVD_IN_NERDS_HK                  2.0
# 
# header RCVD_IN_NERDS_IN                 eval:check_rbl_sub('nerds','127.0.1.100')
# describe RCVD_IN_NERDS_IN               Received from India
# tflags RCVD_IN_NERDS_IN                 net
# score RCVD_IN_NERDS_IN                  2.5
# 
# header RCVD_IN_NERDS_JP                 eval:check_rbl_sub('nerds','127.0.1.136')
# describe RCVD_IN_NERDS_JP               Received from Japan
# tflags RCVD_IN_NERDS_JP                 net
# score RCVD_IN_NERDS_JP                  2.0
# 
# header RCVD_IN_NERDS_KP                 eval:check_rbl_sub('nerds','127.0.1.152')
# describe RCVD_IN_NERDS_KP               Received from North Korea
# tflags RCVD_IN_NERDS_KP                 net
# score RCVD_IN_NERDS_KR                  3.5
# 
# header RCVD_IN_NERDS_KR                 eval:check_rbl_sub('nerds','127.0.1.154')
# describe RCVD_IN_NERDS_KR               Received from South Korea
# tflags RCVD_IN_NERDS_KR                 net
# score RCVD_IN_NERDS_KR                  3.5
# 
# header RCVD_IN_NERDS_MY                 eval:check_rbl_sub('nerds','127.0.1.202')
# describe RCVD_IN_NERDS_MY               Received from Malaysia
# tflags RCVD_IN_NERDS_MY                 net
# score RCVD_IN_NERDS_MY                  2.5
# 
# header RCVD_IN_NERDS_MX                 eval:check_rbl_sub('nerds','127.0.1.228')
# describe RCVD_IN_NERDS_MX               Received from Mexico
# tflags RCVD_IN_NERDS_MX                 net
# score RCVD_IN_NERDS_MX                  2.0
# 
# header RCVD_IN_NERDS_NG                 eval:check_rbl_sub('nerds','127.0.2.54')
# describe RCVD_IN_NERDS_NG               Received from Nigera
# tflags RCVD_IN_NERDS_NG                 net
# score RCVD_IN_NERDS_NG                  3.5
# 
# header RCVD_IN_NERDS_RU                 eval:check_rbl_sub('nerds','127.0.2.131')
# describe RCVD_IN_NERDS_RU               Received from Russia
# tflags RCVD_IN_NERDS_RU                 net
# score RCVD_IN_NERDS_RU                  2.5
# 
# header RCVD_IN_NERDS_SG                 eval:check_rbl_sub('nerds','127.0.2.190')
# describe RCVD_IN_NERDS_SG               Received from North Singapore
# tflags RCVD_IN_NERDS_SG                 net
# score RCVD_IN_NERDS_SG                  2.0
# 
# header RCVD_IN_NERDS_TW                 eval:check_rbl_sub('nerds','127.0.0.158')
# describe RCVD_IN_NERDS_TW               Received from South Taiwan
# tflags RCVD_IN_NERDS_TW                 net
# score RCVD_IN_NERDS_TW                  2.5
# 
# header RCVD_IN_NERDS_TH                 eval:check_rbl_sub('nerds','127.0.2.252')
# describe RCVD_IN_NERDS_TH               Received from Thailand
# tflags RCVD_IN_NERDS_TH                 net
# score RCVD_IN_NERDS_TH                  2.5
# 
# header RCVD_IN_NERDS_TR                 eval:check_rbl_sub('nerds','127.0.3.24')
# describe RCVD_IN_NERDS_TR               Received from Turkey
# tflags RCVD_IN_NERDS_TR                 net
# score RCVD_IN_NERDS_TR                  2.0


# SORBS, list.dsbl.org, dnsbl.njabl.org have ISP's DHCP IP in Japan.
# So, meta rules of bayes is needed while using this DNSBL.
# 2005.1.28 by [yoh]

# SORBS will be closed.
# 2009.7.1 by [yoh]

# score       RCVD_IN_SORBS_DUL     0.5
# score       RCVD_IN_SORBS_HTTP    1.0
# score       RCVD_IN_SORBS_MISC    0.5
# score       RCVD_IN_SORBS_SOCKS   1.0
# score       RCVD_IN_SORBS_WEB     1.0

# meta SORBSDUL99 RCVD_IN_SORBS_DUL && BAYES_99
# describe SORBSDUL99 RCVD_IN_SORBS_DUL && BAYES_99
# score SORBSDUL99 2.0

# meta SORBSDUL00 RCVD_IN_SORBS_DUL && BAYES_00
# describe SORBSDUL00 RCVD_IN_SORBS_DUL && BAYES_00
# score SORBSDUL00 -2.0

# meta DYN_SORBSDUL RCVD_IN_SORBS_DUL && ___DYNAMICIP
# score DYN_SORBSDUL 3.5


# score       RCVD_IN_SORBS_SOCKS 1.50
# score       RCVD_IN_SORBS_HTTP  1.50
# score       RCVD_IN_OPM         1.50
# score       RCVD_IN_OPM_HTTP_POST 1.50

# 
# ORDB has been shutdowned. 2006.12.19 by [yoh]
# 
# header RCVD_IN_RELAYS_ORDBORG  rbleval:check_rbl('relay', 'relays.ordb.org.')
# describe RCVD_IN_RELAYS_ORDBORG Received via a relay in relays.ordb.org
# tflags RCVD_IN_RELAYS_ORDBORG  net
# score RCVD_IN_RELAYS_ORDBORG 0.5


score       RCVD_IN_DSBL        0.5

# 
# SPAMCOP - very strict DNSBL, but it's not complete.
# Sometimes SPAMCOP records hammy IPs.
# 2005.09.25 by [yoh]
# 
score       RCVD_IN_BL_SPAMCOP_NET 0.1

meta SPAMCOP99 RCVD_IN_BL_SPAMCOP_NET && BAYES_99
describe SPAMCOP99 RCVD_IN_BL_SPAMCOP_NET && BAYES_99
score SPAMCOP99 3.0

meta SPAMCOP95 RCVD_IN_BL_SPAMCOP_NET && BAYES_95
describe SPAMCOP95 RCVD_IN_BL_SPAMCOP_NET && BAYES_95
score SPAMCOP95 1.5

meta SPAMCOP00 RCVD_IN_BL_SPAMCOP_NET && BAYES_00
describe SPAMCOP00 RCVD_IN_BL_SPAMCOP_NET && BAYES_00
score SPAMCOP00 -5.0

meta RAZORSPAMCOP RCVD_IN_BL_SPAMCOP_NET && RAZOR2_CF_RANGE_51_100
describe RAZORSPAMCOP RCVD_IN_BL_SPAMCOP_NET && RAZOR2_CF_RANGE_51_100
score RAZORSPAMCOP 8.0

# meta FORGEDSPAMCOP RCVD_IN_BL_SPAMCOP_NET && ___FORGED
# describe FORGEDSPAMCOP Distributed Collaborative Network and RCVD_IN_BL_SPAMCOP_NET
# score FORGEDSPAMCOP 3.0


score       RCVD_IN_SBL         0.1
score       RCVD_IN_XBL         0.5

# meta SBL99 RCVD_IN_SBL && BAYES_99
# describe SBL99 RCVD_IN_SBL && BAYES_99
# score SBL99 3.50

score       RCVD_IN_NJABL_PROXY 0.50
# score       RCVD_IN_NJABL       0.50

score       RCVD_IN_NJABL_RELAY 0.50
# score       DNS_FROM_RFCI_DSN   1.50

# score       RCVD_IN_NJABL_DUL   0.50

# meta NJABLDUL99  RCVD_IN_NJABL_DUL && BAYES_99
# describe NJABLDUL99  RCVD_IN_NJABL_DUL && BAYES_99
# score NJABLDUL99  0.5

# meta DYN_NJABLDUL RCVD_IN_NJABL_DUL && ___DYNAMICIP
# score DYN_NJABLDUL 1.5


# score RCVD_IN_WHOIS_INVALID 1.0

# URIBL_BLACK includes false positive URIs.
# 2007.12.09 by [yoh]
score URIBL_BLACK 1.0


# meta RCVD_COP_SORBS_DSBL RCVD_IN_BL_SPAMCOP_NET && (RCVD_IN_SORBS || RCVD_IN_DSBL) && BAYES_99
# describe RCVD_COP_SORBS_DSBL RCVD_IN_BL_SPAMCOP_NET && (RCVD_IN_SORBS || RCVD_IN_DSBL) && BAYES_99
# score RCVD_COP_SORBS_DSBL 3.0

meta RCVDSBL99 RCVD_IN_SBL && BAYES_99
describe RCVDSBL99 RCVD_IN_SBL && BAYES_99
score RCVDSBL99 2.5

meta RCVDSBLBLACK RCVD_IN_SBL && URIBL_BLACK
score RCVDSBLBLACK 5.5


meta FORGEDDSBL RCVD_IN_DSBL && ___FORGED
describe FORGEDDSBL Distributed Collaborative Network and RCVD_IN_DSBL
score FORGEDDSBL 2.5



meta RCVDCBL99 RCVD_IN_CBL && BAYES_99
describe RCVDCBL99 RCVD_IN_CBL && BAYES_99
score RCVDCBL99 3.5

meta RCVDXBL99 RCVD_IN_XBL && BAYES_99
describe RCVDXBL99 RCVD_IN_XBL && BAYES_99
score RCVDXBL99 3.5

meta FORGEDXBL RCVD_IN_XBL && ___FORGED
describe FORGEDXBL Distributed Collaborative Network and RCVD_IN_XBL
score FORGEDXBL 2.5

meta TVDFWGR_XBL ___TVD && RCVD_IN_XBL
score TVDFWGR_XBL 3.5

meta TVDFWGR_COP ___TVD && RCVD_IN_BL_SPAMCOP_NET
score TVDFWGR_COP 3.5

meta SPF_COP (SPF_HELO_SOFTFAIL || SPF_FAIL) && RCVD_IN_BL_SPAMCOP_NET
score SPF_COP 3.5


meta XBL_DCN ___DCN && RCVD_IN_XBL
score XBL_DCN 3.5
meta CBL_DCN ___DCN && RCVD_IN_CBL
score CBL_DCN 3.5
meta PBL_DCN ___DCN && RCVD_IN_PBL
score PBL_DCN 3.5
meta BLACK_DCN ___DCN && URIBL_BLACK
score BLACK_DCN 3.5
meta SBL_DCN ___DCN && URIBL_SBL
score SBL_DCN 3.5
# meta DUL_DCN ___DCN && RCVD_IN_SORBS_DUL
# score DUL_DCN 3.5



# meta RCVD_COP_SBL_XBL RCVD_IN_BL_SPAMCOP_NET && RCVD_IN_SBL && BAYES_99
# describe RCVD_COP_SBL_XBL RCVD_IN_BL_SPAMCOP_NET && RCVD_IN_SBL && BAYES_99
# score RCVD_COP_SBL_XBL 3.0
# 
# meta RCVD_COP_CBL RCVD_IN_BL_SPAMCOP_NET && RCVD_IN_CBL && BAYES_99
# describe RCVD_COP_CBL RCVD_IN_BL_SPAMCOP_NET && RCVD_IN_CBL && BAYES_99
# score RCVD_COP_CBL 3.0
# 
# meta RCVD_CBL_SBL_XBL RCVD_IN_SBL && RCVD_IN_CBL && BAYES_99
# describe RCVD_CBL_SBL_XBL RCVD_IN_SBL && RCVD_IN_CBL && BAYES_99
# score RCVD_CBL_SBL_XBL 3.0


# URIBL_SBL has missing uri.
# So, it's not reliable.
# 2005.02.02 by [yoh]
# 2006.01.02 by [yoh]
# score URIBL_SBL 2.0
score URIBL_SBL 0.1

meta URIBLSBL99 URIBL_SBL && BAYES_99
describe URIBLSBL99 URIBL_SBL && BAYES_99
score URIBLSBL99 2.0

meta URIBLSBL00 URIBL_SBL && BAYES_00
describe URIBLSBL00 URIBL_SBL && BAYES_00
score URIBLSBL00 -2.0

meta RCVDIP_URIBLSBL URIBL_SBL && RCVD_HELO_IP_MISMATCH
score RCVDIP_URIBLSBL 3.5

# 2009.07.30 by [yoh]
meta DYN_SBL URIBL_SBL && ___DYNAMICIP
score DYN_SBL 3.5


# Now, URIBL_WS_SURBL is reliable.
# 2005.06.07 by [yoh]
# score URIBL_WS_SURBL 1.0

# Now, URIBL_JP_SURBL is reliable.
# 2005.06.07 by [yoh]
urirhssub URIBL_JP_SURBL  multi.surbl.org.        A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net
score URIBL_JP_SURBL    1.0


# From: Jeff Chan <jeffc at surbl.org>
# Subject: Please test sc2.surbl.org (and xs.surbl.org)
# Date: Mon, 25 Jul 2005 06:14:59 GMT
# http://mail-archives.apache.org/mod_mbox/spamassassin-users/200507.mbox/%3c1974834350.20050724231459@surbl.org%3e
# From: Jeff Chan <jeffc at surbl.org>
# Subject: Re: Please test sc2.surbl.org (and xs.surbl.org)
# Date: Mon, 25 Jul 2005 08:55:12 GMT
# http://mail-archives.apache.org/mod_mbox/spamassassin-users/200507.mbox/%3c497174917.20050725015512@surbl.org%3e

urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   A
body      URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score     URIBL_SC2_SURBL  1.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.    A
body      URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score     URIBL_XS_SURBL   1.0



# score RCVD_IN_SORBS_WEB 1.5
# meta SORBSWEB99 RCVD_IN_SORBS_WEB && BAYES_99
# describe SORBSWEB99 RCVD_IN_SORBS_WEB && BAYES_99
# score SORBSWEB99 1.5

score URIBL_OB_SURBL 0.1

meta SURBL99 (URIBL_AB_SURBL || URIBL_OB_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_SC2_SURBL || URIBL_XS_SURBL) && BAYES_99
describe SURBL99 URIBL_??_SURBL && BAYES_99
score SURBL99 3.5

meta SURBL_DCN (URIBL_AB_SURBL || URIBL_OB_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_SC2_SURBL || URIBL_XS_SURBL) && ___DCN
describe SURBL_DCN Distributed Collaborative Network and URIBL_??_SURBL
score SURBL_DCN 5.5


# 
# rbl.jp: strict and reliable DNSBL originated from Japan: 2004.11.27 by [yoh]
# 

urirhssub URLBL_RBLJP url.rbl.jp. A 2
body URLBL_RBLJP eval:check_uridnsbl('URLBL_RBLJP')
describe URLBL_RBLJP Has URI in url.rbl.jp
tflags URLBL_RBLJP net

uridnsbl_skip_domain livedoor.com reset.jp asahi-net.or.jp hi-ho.ne.jp 2ch.net hatena.ne.jp
uridnsbl_skip_domain mixi.jp
score URLBL_RBLJP 1.5

meta URLRBLJP99 URLBL_RBLJP && BAYES_99
describe URLRBLJP99 URLBL_RBLJP && BAYES_99
score URLRBLJP99 2.0

meta URLRBLJP_DCN URLBL_RBLJP && ___DCN
describe URLRBLJP_DCN URLBL_RBLJP && ___DCN
score URLRBLJP_DCN 10

meta URLRBLJP_DYN URLBL_RBLJP && ___DYNAMICIP
score URLRBLJP_DYN 5.5


header  RCVD_IN_SHORT_RBL_JP   eval:check_rbl_txt('rbl.jp', 'short.rbl.jp.')
describe RCVD_IN_SHORT_RBL_JP Received via a relay in short.rbl.jp
tflags RCVD_IN_SHORT_RBL_JP   net
score RCVD_IN_SHORT_RBL_JP 1.5

header  RCVD_IN_VIRUS_RBL_JP   eval:check_rbl_txt('rbl.jp', 'virus.rbl.jp.')
describe RCVD_IN_VIRUS_RBL_JP Received via a relay in virus.rbl.jp
tflags RCVD_IN_VIRUS_RBL_JP   net
score RCVD_IN_VIRUS_RBL_JP 1.0


meta SHORTRBLJP99 RCVD_IN_SHORT_RBL_JP && BAYES_99
describe SHORTRBLJP99 RCVD_IN_SHORT_RBL_JP && BAYES_99
score SHORTRBLJP99 1.5

meta RBLJP_URL_SHORT URLBL_RBLJP && RCVD_IN_SHORT_RBL_JP
score RBLJP_URL_SHORT 5.0

# 
# I stopped using fiveten.
# 2006.12.14 by [yoh]
# 

# http://marc.theaimsgroup.com/?l=spamassassin-users&m=111558903223018&w=2

# header __RCVD_IN_FIVETENSG    eval:check_rbl('blackholes', 'blackholes.five-ten-sg.com.')
# describe __RCVD_IN_FIVETENSG  Received via a relay in blackholes.five-ten-sg.com
# tflags __RCVD_IN_FIVETENSG    net

# header RCVD_IN_FIVETENSG    eval:check_rbl_sub('blackholes', '127.0.0.2')
# describe RCVD_IN_FIVETENSG  Received via a spam relay in blackholes.five-ten-sg.com
# tflags RCVD_IN_FIVETENSG    net
# score RCVD_IN_FIVETENSG     0.1

# meta FIVETEN99 RCVD_IN_FIVETENSG && BAYES_99
# describe FIVETEN99 RCVD_IN_FIVETENSG && BAYES_99
# score FIVETEN99 0.2

# meta RAZORFIVETEN RCVD_IN_FIVETENSG && RAZOR2_CF_RANGE_51_100
# describe RAZORFIVETEN RCVD_IN_FIVETENSG && RAZOR2_CF_RANGE_51_100
# score RAZORFIVETEN 1.0

# meta DYN_FIVETEN RCVD_IN_FIVETENSG && ___DYNAMICIP
# score DYN_FIVETEN 3.0

#
# http://mail-archives.apache.org/mod_mbox/spamassassin-users/200508.mbox/%3cLLEAJOOJPGKIFDOKCKLCEEFKDEAA.salist@floridacpu.com%3e
#

header RCVD_IN_CHINA		eval:check_rbl('country', 'china.blackholes.us')
describe RCVD_IN_CHINA		Received via a China IP address in china.blackholes.us
tflags RCVD_IN_CHINA		net
score RCVD_IN_CHINA		0.1

header RCVD_IN_TAIWAN		eval:check_rbl('country', 'taiwan.blackholes.us.')
describe RCVD_IN_TAIWAN		Received via a Taiwan IP address in taiwan.blackholes.us
tflags  RCVD_IN_TAIWAN		net
score RCVD_IN_TAIWAN		0.1


# meta DNSFRMRFCPST99 DNS_FROM_RFC_POST && BAYES_99 && ! VALIDDOCOMO
# describe DNSFRMRFCPST99 DNS_FROM_RFC_POST && BAYES_99 && ! VALIDDOCOMO
# score DNSFRMRFCPST99 1.5

# meta DYN_DNSFRMRFCPST DNS_FROM_RFC_POST && ___DYNAMICIP
# score DYN_DNSFRMRFCPST 3.5

meta DYN_JPSCAMURI JPSCAMURI && ___DYNAMICIP
score DYN_JPSCAMURI 3.0

score MISSING_MID 1.0

meta DYN_MISSMID MISSING_MID && ___DYNAMICIP
score DYN_MISSMID 3.5


# 
# 
# New rules from version 3.1.0
# 2005.09.20 by [yoh]
# 
# 

# meta DNSFRMRFCABS99 DNS_FROM_RFC_ABUSE && BAYES_99 && ! VALIDDOCOMO
# describe DNSFRMRFCABS99 DNS_FROM_RFC_ABUSE && BAYES_99 && ! VALIDDOCOMO
# score DNSFRMRFCABS99 0.2

# RCVD_IN_WHOIS_BOGONS is very low reliability.
# 2007.08.11 by [yoh]
#
# score RCVD_IN_WHOIS_BOGONS 0.1

# meta RCVDINWHSBGNS99 RCVD_IN_WHOIS_BOGONS && BAYES_99
# describe RCVDINWHSBGNS99 RCVD_IN_WHOIS_BOGONS && BAYES_99
# score RCVDINWHSBGNS99 1.0

# meta RCVDINWHSINV99 RCVD_IN_WHOIS_INVALID && BAYES_99
# describe RCVDINWHSINV99 RCVD_IN_WHOIS_INVALID && BAYES_99
# score RCVDINWHSINV99 4.5

# meta DNSFRMSCRSG99 DNS_FROM_SECURITYSAGE && BAYES_99
# describe DNSFRMSCRSG99 DNS_FROM_SECURITYSAGE && BAYES_99
# score DNSFRMSCRSG99 4.5

# These rules are needless and have bad influence for detecting bounce spams.
# 2008.09.06 by [yoh]
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_HI 0

# =-=-=-=-=-=-=-=-=-=-=-=-=-=- detecting ISP's IP =-=-=-=-=-=-=-=-=-=-=-=-=-=-

# 
# But, some ham's Received: includes private IP with same HELO & BY.
# 2006.02.25 by [yoh]
# Revised for strictly matching.
# 2006.02.25 by [yoh]
# 

# header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /helo=([a-z0-9\._-]+) by=\1 ident= envfrom= intl=0 .+ auth= /
# header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))\d{2,3}(\.\d{1,3}){3} rdns=[a-z0-9\._-]+ helo=([a-z0-9\._-]+) by=\7/
# header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=\7/
# header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /ip=(?!(?:127\.0\.0\.1|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}|10(?:\.\d{1,3}){3}))\d{2,3}(?:\.\d{1,3}){3} rdns=[^\[]* helo=([\w\._-]+) by=\1/
header HELO_BY_SAME X-Spam-Relays-Untrusted =~ /^\[ ip=(?!(?:127\.0\.0\.1|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}|10(?:\.\d{1,3}){3}))\d{2,3}(?:\.\d{1,3}){3} rdns=[^\[]* helo=([\w\._-]+) by=\1 [^\[\]]+ \]/
describe HELO_BY_SAME HELO is same received MTA's FQDN
score HELO_BY_SAME 1.5

# header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=\w+\.\7/
# header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))\d{2,3}(\.\d{1,3}){3} rdns=[^\[]* helo=([\w\.-]+) by=[\w\.]+\7/
# header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /ip=(?!(?:127\.0\.0\.1|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}|207\.46(?:\.\d{1,3}){2}|10(?:\.\d{1,3}){3}))\d{2,3}(?:\.\d{1,3}){3} rdns=[^\[]* helo=([\w\._-]+) by=[\w\._-]+\1/
header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~ /^\[ ip=(?!(?:127\.0\.0\.1|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}|207\.46(?:\.\d{1,3}){2}|10(?:\.\d{1,3}){3}))\d{2,3}(?:\.\d{1,3}){3} rdns=[^\[]* helo=([\w\._-]+) by=[\w\._-]+\1 [^\[\]]+ \]/
describe HELO_BY_PARTIALSAME HELO is same received MTA's domain name
score HELO_BY_PARTIALSAME 1.5

meta HLBYPRSM_KTC HELO_BY_PARTIALSAME && (___KOREATAIWANCHINA || DIRECTYOURNET) && ISO2022JP_BODY
score HLBYPRSM_KTC 5

# meta HLBY_MTAID HLBYPRSM_KTC && MSGID_FROM_MTA_ID
# score HLBY_MTAID 5

meta HLBYPRSM_DCN HELO_BY_PARTIALSAME && ___DCN 
score HLBYPRSM_DCN 5


meta ASIA1HOPHLBYPTSM ONLY1HOPDIRECT &&  ___DYNAMICIP && HELO_BY_PARTIALSAME
score ASIA1HOPHLBYPTSM 5


header RCVD_IPNUMONLY Received =~ /from (\d{1,3}\.){3}\d{1,3} by (\d{1,3}\.){3}\d{1,3}\;/
describe RCVD_IPNUMONLY Received: contains only IP numbers and date str
score RCVD_IPNUMONLY 3.5

meta RCVDIP_ILLCHR RCVD_IPNUMONLY && (SUBJ_ILLEGAL_CHARS || FROM_ILLEGAL_CHARS)
score RCVDIP_ILLCHR 5.0

# 
#
# detecting Japanese spammer's heaven.
# 2004.08.23 by [yoh]
# 
#

# 210.143.144.0-210.143.159.255
# 220.150.0.0 - 220.150.255.255
# 220.215.0.0 - 220.215.127.255
# 221.113.64.0 - 221.113.127.255
# 43.244.0.0/16
# 61.203.160.0-61.203.175.255
# 61.44.0.0 - 61.44.127.255
# 61.12.128.0 - 61.12.255.255


# header YOURNET Received =~ /from .+ap\.yournet\.ne\.jp /
# header YOURNET Received =~ /(from .+ap\.yournet\.ne\.jp |.+fbb\.ReSET\.JP |61\.203\.((16[0-9]|17[0-4])\.[0-9]{1,3}|175\.0)|220\.215\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))/
# header YOURNET Received =~ /(from .+ap\.yournet\.ne\.jp |.+fbb\.ReSET\.JP |61\.203\.((16[0-9]|17[0-4])\.[0-9]{1,3}|175\.0)|220\.215\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|43\.244(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2})/

# header YOURNET Received =~ /(from .+ap\.yournet\.ne\.jp |.+fbb\.ReSET\.JP |61\.203\.((16[0-9]|17[0-4])\.[0-9]{1,3}|175\.0)|220\.215\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|(43\.244|220\.150)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2})/

# header YOURNET Received =~ /from .+(.+(fbb\.ReSET\.JP|ap\.yournet\.ne\.jp)[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}|61\.203\.(16[0-9]|17[0-5])\.[0-9]{1,3}|61\.44\.([0-9]|[1-9][0-9]|1(1[0-9]|2[0-7]))\.[0-9]{1,3}|220\.215\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|(43\.244|220\.150)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2})[^(a-z]{0,3}by /

# header YOURNET X-Spam-Relays-Untrusted =~ /(ip=((43\.244|220\.(150|215))(\.[0-9]{1,3}){2}|(61\.203\.1(6[0-9]|7[0-5])|61\.44\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])|61\.12\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])|210\.143\.1(4[4-9]|5[0-9])|221\.113\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7]))\.[0-9]{1,3})|rdns=.+(fbb\.ReSET\.JP|ap\.yournet\.ne\.jp)) .+ident= envfrom= intl=0 .+auth= /
header YOURNET X-Spam-Relays-Untrusted =~ /(ip=((43\.244|220\.(150|215))(\.\d{1,3}){2}|(61\.203\.1(6\d|7[0-5])|61\.44\.(\d|[1-9]\d|1[01]\d|12[0-7])|61\.12\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|210\.143\.1(4[4-9]|5\d)|219\.112\.(\d|[1-9]\d|1[01]\d|12[0-7])|221\.113\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7]))\.\d{1,3})|rdns=.+(fbb\.ReSET\.JP|ap\.yournet\.ne\.jp)) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe YOURNET Japanese spammer's heaven: yournet.ne.jp
score YOURNET 0.5

# thrown away 2005.09.14 by [yoh]
# 
# meta RFCIYOURNET RCVD_IN_RFCI && YOURNET
# describe RFCIYOURNET RCVD_IN_RFCI && YOURNET
# score RFCIYOURNET 4.0

# meta SORBSYOURNET RCVD_IN_SORBS && YOURNET
# describe SORBSYOURNET RCVD_IN_SORBS && YOURNET
# score SORBSYOURNET 3.0

# 
# thrown away 2006.04.09 by [yoh]
# 
# meta COPYOURNET RCVD_IN_BL_SPAMCOP_NET && YOURNET
# describe COPYOURNET RCVD_IN_BL_SPAMCOP_NET && YOURNET
# score COPYOURNET 5.0
# 
# # meta INVALIDYAHOOJPYOURNET INVALIDYAHOOJP && YOURNET && RCVDFRMLOCALIP
# meta INVALIDYAHOOJPYOURNET INVALIDYAHOOJP && YOURNET
# describe INVALIDYAHOOJPYOURNET INVALIDYAHOOJP && YOURNET
# score INVALIDYAHOOJPYOURNET 10.0


# 163.139.0.0 - 163.139.255.255
# 202.215.32.0-202.215.33.0
# 202.215.175.0-202.215.179.255
# 202.215.181.0-202.215.192.255
# 202.215.194.0-202.215.195.255
# 202.215.196.0-202.215.197.255
# 202.215.198.0-202.215.203.255
# 202.215.204.0-202.215.205.255
# 202.215.206.0-202.215.207.255
# 202.215.211.0-202.215.211.255
# 202.215.214.0-202.215.215.255
# 202.215.216.0-202.215.219.255
# 202.215.224.0-202.215.224.255
# 202.215.225.0-202.215.230.255
# 202.215.232.0-202.215.233.255
# 202.215.234.0-202.215.239.255
# (202.215.242.0-202.215.251.255)

# 220.247.0.0 - 220.247.127.255

# 202.215.132.0-202.215.133.0
# header VECTANTDYNIP Received =~ /from .*(202\.215\.13[23]\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|(d[0-9]{1,3}\.JgunmaFL1|s[0-9]{1,3}\.ItokyoFL18)\.vectant\.ne\.jp)/
# header VECTANTDYNIP Received =~ /from .*(202\.215\.13[23]\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|(d[0-9]{1,3}\.JgunmaFL1|[ds][0-9]{1,3}\.[GI]tokyoFL[0-9]+)\.vectant\.ne\.jp)/

# header VECTANTDYNIP Received =~ /from .*(d[0-9]{2,3}\.[A-Z][a-z]+FL[0-9]+|wd[0-9]+\.(afl|AFL)[0-9]+)\.vectant\.ne\.jp/
# X-Spam-Relays-Untrusted =~ /(ip=202\.215(\.\d{1,3}){2}|rdns=(d[0-9]{2,3}\.[A-Z][a-z]+FL[0-9]+|wd[0-9]+\.(afl|AFL)[0-9]+)\.vectant\.ne\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
# header VECTANTDYNIP X-Spam-Relays-Untrusted =~ /(ip=((202\.215|222\.228)(\.\d{1,3}){2}|222\.229\.(\d|[1-5]\d|6[0-3])\.\d{1,3})|rdns=(d[0-9]{2,3}\.[A-Z][a-z]+FL[0-9]+|wd[0-9]+\.([ab]fl|[AB]FL)[0-9a-fA-F]+)\.vectant\.ne\.jp) [^\[\]]+ ident= envfrom= intl=0 [^\[\]]+auth= /
header VECTANTDYNIP X-Spam-Relays-Untrusted =~ /rdns=((e|w|w4|)d\d+\.[ABFGHIJNS]+[a-z]*(DS[AI]|FL){0,1}[bcd0-9]+|(163-139|202-215)(-\d{1,3}){2}\.(uis){0,1}rv)\.vectant\.ne\.jp [^\[\]]+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe VECTANTDYNIP vectant.ne.jp: seems to be almost same yournet.ne.jp
score VECTANTDYNIP 0.1

# thrown away 2005.09.14 by [yoh]
# 
# meta VFLETSYAHOO INVALIDNOTYAHOO && VECTANTDYNIP
# describe VFLETSYAHOO INVALIDNOTYAHOO && VECTANTDYNIP
# score VFLETSYAHOO 3.5

# 61.197.0.0-61.197.127.0
# 210.165.128.0-210.165.255.0
# 219.102.248.0 - 219.102.255.255
# header INFOSPHERE Received =~ /from.*(61\.197\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|2[0-4][0-9]|25[0-5])|\.nttpc\.ne\.jp)/
# header INFOSPHERE Received =~ /from.*(61\.197\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|2[0-4][0-9]|25[0-5])|\.nttpc\.ne\.jp|210\.165\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|2[0-4][0-9]|25[0-5]))/
# header INFOSPHERE X-Spam-Relays-Untrusted =~ /(ip=(61\.197\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|210\.165\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|219\.102(\.\d{1,3}){2})|rdns=.+\.nttpc\.ne\.jp) .+ ident= envfrom= intl=0 .+auth= /
# header INFOSPHERE X-Spam-Relays-Untrusted =~ /(ip=(210\.165\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|(61\.197|203\.138|219\.102)(\.\d{1,3}){2})|rdns=.+\.nttpc\.ne\.jp) .+ ident= envfrom= intl=0 .+auth= /
# header INFOSPHERE X-Spam-Relays-Untrusted =~ /(ip=(210\.165\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|(61\.197|203\.138|210\.136|219\.102)(\.\d{1,3}){2})|rdns=.+\.nttpc\.ne\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
# describe INFOSPHERE The Business Provider: InfoSphere
# score INFOSPHERE 0.1

# 
# thrown away 2006.04.09 by [yoh]
# 
# # meta YAHOOJPINFOSPHERE (VALIDYAHOOJP || INVALIDYAHOOJP) && INFOSPHERE && RCVDFRMLOCALIP
# meta YAHOOJPINFOSPHERE (VALIDYAHOOJP || INVALIDYAHOOJP) && INFOSPHERE
# describe YAHOOJPINFOSPHERE Why business user uses yahoo.co.jp free Mail address?
# score YAHOOJPINFOSPHERE 5.0

# thrown away 2005.09.15 by [yoh]
# 
# 67.18.0.0 - 67.19.255.255
# header ___THEPLANET Received =~ /from.*(61\.1[89](\.([0-9]|[1-9][0-9]|2[0-4][0-9]|25[0-5])){1,2}|reverse\.theplanet\.com)/
# describe ___THEPLANET a farm of 3rd party relay hosts: ThePlanet.com
# score ___THEPLANET 7.0

# Received: .+p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn.ne.jp
# header OCNNEJP Received =~ /from .+\.[a-z]+\.ocn\.ne\.jp/

# 219.160.0.0 - 219.165.255.255
# 219\.16[0-5](\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 222.144.0.0 - 222.151.255.255
# 222\.(14[4-9]|15[01])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}

# Received =~ /from .+(p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp|(219\.16[0-5]|222\.(14[4-9]|15[01]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2})/
header OCNNEJP X-Spam-Relays-Untrusted =~ /(ip=((219\.16[0-5]|222\.(14[4-9]|15[01]))(\.\d){2}|222\.146\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3})|rdns=p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe OCNNEJP OCN - Open Computer Network
score OCNNEJP 0.1

# 
# thrown away 2006.04.09 by [yoh]
# 
# header ___VALIDOCN Received =~ /from .+p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp.+by smtp\.[a-z]+\.ocn\.ne\.jp /
# describe ___VALIDOCN valid ocn sender
# score ___VALIDOCN 0.1

# meta DIRECTOCN OCNNEJP && ! ___VALIDOCN
# describe DIRECTOCN seems to post from ocn.ne.jp dynamic IP to receiver's MTA
# score DIRECTOCN 1.0


# thrown away 2005.09.14 by [yoh]
# 
# meta OCNPLANET (___THEPLANET || ___EVERYONE) && OCNNEJP
# describe OCNPLANET probably this mail came from OCN through THEPLANET
# score OCNPLANET 10.0
# 
# meta YAHOOJPOCNPLANET (VALIDYAHOOJP || INVALIDYAHOOJP) && OCNPLANET
# describe YAHOOJPOCNPLANET free yahoo.co.jp mail address user uses THEPLANET
# score YAHOOJPOCNPLANET 10.0

# 
# thrown away 2006.04.09 by [yoh]
# 
# meta ___YAHOOJPOCN (VALIDYAHOOJP || INVALIDYAHOOJP) && OCNNEJP
# describe ___YAHOOJPOCN free yahoo.co.jp mail address user uses OCN
# score ___YAHOOJPOCN 2.0

# header RCVDFRMLOCALIP Received =~ /from (\[(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1)]|[a-z0-9-.]+ \(HELO \?(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1)\?\))/
# header RCVDFRMLOCALIP Received =~ /from [a-z0-9-.]+ \(\[127\.0\.0\.1\]\)/
# header RCVDFRMLOCALIP Received =~ /from (\[(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1)\]|[a-z0-9-.]+ \(HELO \?(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1)\?\)|[a-z0-9-.]+ \(\[127\.0\.0\.1\]\) by local)/
# header RCVDFRMLOCALIP Received =~ /from (\[192\.168\.[0-9]{1,3}\.[0-9]{1,3} \([a-z0-9-.]+ \[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\)|\[\(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1)\]|[a-z0-9-.]+ \(HELO \?(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1)\?\)|[a-z0-9-.]+ \(\[127\.0\.0\.1\]\) by local)/
# header RCVDFRMLOCALIP Received =~ /from \[192\.168\.[0-9]{1,3}\.[0-9]{1,3}\] \([a-z0-9-.]+ \[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
# 
# thrown away 2005.09.29 by [yoh]
# 
# header RCVDFRMLOCALIP Received =~ /from ([a-z0-9-.]+ \(HELO \?(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1)\?\)|[a-z0-9-.]+ \(\[127\.0\.0\.1\]\) by local)/
# describe RCVDFRMLOCALIP Received: from [127.0.0.1]
# score RCVDFRMLOCALIP 0.1
# 
# 
# thrown away 2006.04.09 by [yoh]
# 
# # meta YAHOOJPOCN ___YAHOOJPOCN && RCVDFRMLOCALIP
# meta YAHOOJPOCN ___YAHOOJPOCN
# describe YAHOOJPOCN free yahoo.co.jp mail address user uses OCN
# score YAHOOJPOCN 5.0


# thrown away 2005.09.15 by [yoh]
# 
# 66.98.128.0 - 66.98.255.255
# header ___EVERYONE Received =~ /from.*(66\.98\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|\.ev1servers\.net)/
# describe ___EVERYONE Everyones Internet, Inc.
# score ___EVERYONE 1.0

# 202.215.247.0 <-> 202.215.247.127
header ANNIENET Received =~ /from.*(202\.215\.247\.(\d|[1-9]\d|1[01]\d|12[0-7])|\.annie\.ne\.jp)/
describe ANNIENET Annie Corporation
score ANNIENET 3.0

# thrown away 2005.09.14 by [yoh]
# 
# meta ANNIEINFOS INFOSPHERE && ___ANNIENET
# describe ANNIEINFOS INFOSPHERE user uses annie.ne.jp for sending spam.
# score ANNIEINFOS 10.0

# thrown away 2006.09.03 by [yoh]
# 
# 210.173.72.0-210.173.73.0
# header CCNET Received =~ /from.*(210\.173\.7[23]\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|\.cc-net\.or\.jp)/
# describe CCNET City Connection Corp.
# score CCNET 3.0

# thrown away 2005.09.14 by [yoh]
# 
# meta CCNETYOURNET ___CCNET && YOURNET
# describe CCNETYOURNET yournet.ne.jp user uses relay site.
# score CCNETYOURNET 10.0

# 210.239.63.0 <-> 210.239.63.63
header IDATAKRP2 Received =~ /from.*210\.239\.63\.([0-9|[1-5][0-9]|6[0-3])/
describe IDATAKRP2 IDATA Co.,Ltd.
score IDATAKRP2 15.0

#
#202.181.105.181
#202.181.105.184
#202.181.105.185
#202.181.105.237
#202.181.105.238
#202.181.98.207
#202.181.98.208
#202.222.28.194
#202.222.30.140
#202.222.30.20
#202.222.31.188
#
# 210.188.205.24
# 202.222.31.180
# 202.222.30.196
# 210.188.205.24
# 
# 
# Received =~ /from .*sv[0-9]{1,3}\.lolipop\.jp/
header LOLIPOP X-Spam-Relays-Untrusted =~ /^\[ ip=(202\.181\.105\.136|202\.222\.(19\.80|30\.196|31\.180)|210\.172\.144\.16|210\.188\.(205\.(24|55|211)|220\.157)|219\.94\.(131\.186|167\.177)) /
describe LOLIPOP Japanese spammer's footstool: lolipop.jp
score LOLIPOP 1.5

# 202.61.29.93
# 202.61.29.82

header IMAPCC Received =~ /from .*[a-z0-9]+\.i-map\.cc/
describe IMAPCC i-map.cc
score IMAPCC 5.0


#
#202.181.99.18
#202.181.99.20
#202.181.99.32
#202.181.99.36
#202.181.99.42
#202.181.99.43
#202.181.99.51
#202.181.99.56
#202.181.99.59
#202.181.99.70
#202.181.99.72
#
#59.106.13.43
#
header SAKURAWEB Received =~ /from .*www[0-9]{1,3}\.sakura\.ne\.jp/
describe SAKURAWEB Japanese spammer uses footstool web hosting service: sakura.ne.jp
score SAKURAWEB 0.1

# meta SAKURAYAHOO INVALIDYAHOOJP && SAKURAWEB
# describe SAKURAYAHOO SAKURA web servers are used for spammer's mta
# score SAKURAYAHOO 3.0

# meta LOLIPOPYAHOO INVALIDYAHOOJP && LOLIPOP
# describe LOLIPOPYAHOO LOLIPOP web servers are used for spammer's mta
# score LOLIPOPYAHOO 3.0


# [210.239.39.128 <-> 210.239.39.191]     210.239.39.128/26
header SOHO Received =~ /from .*210\.239\.39\.1(2[89]|[3-8][0-9]|9[01])/
describe SOHO SOHO CO., LTD.
score SOHO 1.5

# 210.166.236.128 <-> 210.166.236.255
header CSIDENET Received =~ /from .*(.+cside\.jp|210\.166\.236\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5]))/
describe CSIDENET CsideNet: some spammers live in and use for footstool.
score CSIDENET 1.5

# meta CSIDEYAHOO CSIDENET && INVALIDYAHOOJP
# describe CSIDEYAHOO CSIDENET && INVALIDYAHOOJP
# score CSIDEYAHOO 3.5

# 220.151.197.64 - 220.151.197.79
header NICNAME Received =~ /220\.151\.197\.(6[4-9]|7[0-9])/
describe NICNAME NIC-NAME.com
score NICNAME 0.5

# meta NICNAMEYAHOO NICNAME && INVALIDYAHOOJP
# describe NICNAMEYAHOO NICNAME && INVALIDYAHOOJP
# score NICNAMEYAHOO 3.5


header SONETDYNIP Received =~ /from .+p[a-z0-9]{5,6}\.[a-z0-9]{7,8}\.ap\.so-net\.ne\.jp/
describe SONETDYNIP so-net.ne.jp dynamic IP
score SONETDYNIP 0.1

header ___VALIDSONET Received =~ /from .+p[a-z0-9]{5,6}\.[a-z0-9]{7,8}\.ap\.so-net\.ne\.jp.*by (mail\.[a-z][a-z][0-9][0-9]|mx[0-9][0-9]\.ms)\.so-net\.ne\.jp/
describe ___VALIDSONET valid so-net sender
score ___VALIDSONET 0.1

# meta DIRECTSONET SONETDYNIP && ! ___VALIDSONET
# describe DIRECTSONET seems to post from so-net.ne.jp dynamic IP to receiver's MTA
# score DIRECTSONET 1.0

# thrown away 2005.09.14 by [yoh]
# 
# meta YAHOOJPSONET INVALIDYAHOOJP && DIRECTSONET
# describe YAHOOJPSONET INVALIDYAHOOJP && DIRECTSONET
# score YAHOOJPSONET 3.5

# thrown away 2006.04.09 by [yoh]
# Why?
# Because, all 'INVALIDYAHOOJP' doesn't pass through yahoo.co.jp's MTA,
# so this rule is meaningless.
# 
# # header ___NOTYAHOO Message-ID =~ /(?!.*yahoo)/
# header ___NOTYAHOO Message-ID !~ /.+\@(?=yahoo\.co\.jp)/
# describe ___NOTYAHOO Message-ID is not yahoo.co.jp
# score ___NOTYAHOO 0.1
# 
# meta INVALIDNOTYAHOO INVALIDYAHOOJP && ___NOTYAHOO
# describe INVALIDNOTYAHOO This mail didn't pass through yahoo.co.jp's MTA
# score INVALIDNOTYAHOO 1.5
# 
# meta NOTYAHOOMSGID INVALIDNOTYAHOO && MSGID_FROM_MTA_ID
# describe NOTYAHOOMSGID INVALIDNOTYAHOO && MSGID_FROM_MTA_ID
# score NOTYAHOOMSGID 2.0


# thrown away 2005.12.26 by [yoh]
# 
# meta INVYAHOOJPBLARS INVALIDYAHOOJP && RCVD_IN_BLARS && (RCVD_IN_BLARS_SPAM || RCVD_IN_BLARS_ABUSE)
# describe INVYAHOOJPBLARS INVALIDYAHOOJP && RCVD_IN_BLARS && (RCVD_IN_BLARS_SPAM || RCVD_IN_BLARS_ABUSE)
# score INVYAHOOJPBLARS 3.0

meta INVYAHOOJPDCN INVALIDYAHOOJP && ___DCN
score INVYAHOOJPDCN 3.5

# 210.151.9.0 <-> 210.151.9.127            210.151.9.0/25

header GERAGERA Received =~ /from .+lo[0-9]+\.[0-9]+\.geragera\.co\.jp/
describe GERAGERA smtp mail from netcafe ip
score GERAGERA 1.5

#-  210.236.48.0-210.236.55.0
# 210.236.32.0-210.236.63.255
header SAINET_NET X-Spam-Relays-Untrusted =~ /ip=210\.236\.(3[2-9]|[45][0-9]|6[0-3])\.[0-9]{1,3}/
describe SAINET_NET sdx.ne.jp
score SAINET_NET 0.1

#165.76.0.0 - 165.76.255.255
# header INTERSPIN Received =~ /from .+165\.76(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
header INTERSPIN X-Spam-Relays-Untrusted =~ /rdns=\d{1,3}\.pool\d{1,2}\.(ftth|dsl24m)\w+\.att\.ne\.jp [^\[\]]+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe INTERSPIN att.ne.jp dialup
score INTERSPIN 0.1

# 219.111.0.0 - 219.111.127.255
# Received =~ /from .+([0-9]{1,3}\.){3,4}dy\.bbexcite\.jp/
header BBEXCITE X-Spam-Relays-Untrusted =~ /(ip=219\.111\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|rdns=([0-9]{1,3}\.){4}dy\.bbexcite\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe BBEXCITE BB.excite
score BBEXCITE 0.1

# 219.126.128.0 - 219.126.255.255
header HI_HO Received =~ /from .+[a-z]{3,3}[0-9]-p[0-9]{1,3}\.flets\.hi-ho\.ne\.jp/
describe HI_HO Panasonic hi-ho flets dynamic IP
score HI_HO 0.1

# header INFOWEB Received =~ /from .+nt[a-z]{4,4}[0-9]{6,6}\.[a-z]{4,4}\.nt\.(adsl|ftth)\.ppp\.infoweb\.ne\.jp/
# header INFOWEB X-Spam-Relays-Untrusted =~ /(ip=(58\.[01](\.\d{1,3}){2}|218\.217\.(\d|[1-9]\d|1\d\d|2[0-3]\d)\.\d{1,3})|rdns=nt[a-z]{4,4}[0-9]{6,6}\.[a-z]{4,4}\.nt\.(adsl|ftth)\.ppp\.infoweb\.ne\.jp) .+ ident= envfrom= intl=0 .+auth= /
# header INFOWEB X-Spam-Relays-Untrusted =~ /(ip=((58\.[01]|61\.124)(\.\d{1,3}){2}|218\.217\.(\d|[1-9]\d|1\d\d|2[0-3]\d)\.\d{1,3})|rdns=nt[a-z]{4,4}[0-9]{6,6}\.[a-z]{4,4}\.nt\.(adsl|ftth)\.ppp\.infoweb\.ne\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
header INFOWEB X-Spam-Relays-Untrusted =~ /(ip=((58\.[01]|61\.124|125\.[0-3])(\.\d{1,3}){2}|218\.217\.(\d|[1-9]\d|1\d\d|2[0-3]\d)\.\d{1,3})|rdns=nt[a-z]{4}\d{6}\.[a-z]{4}\.nt\.(adsl|ftth)\d{0,1}\.ppp\.infoweb\.ne\.jp) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /


describe INFOWEB INFOWEB adsl|ftth dynamic IP
score INFOWEB 0.1

# header DTI Received =~ /from .+(PPP|DSL)[ax0-9]+\.[a-z]+\-(ip|4x8x)\.dti\.ne.jp/
header DTI X-Spam-Relays-Untrusted =~ /(ip=210\.170\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|rdns=(PPP|DSL)[a-z0-9]+\.[a-z]+\-(ip|4x8x)\.dti\.ne.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe DTI Dream Train Internet
score DTI 0.1

# 219.117.192.0 - 219.117.255.255
# 203.141.144.0-203.141.151.255
# 61.206.120.0-61.206.127.255
header INTERLINK X-Spam-Relays-Untrusted =~ /(ip=(219\.117\.(19[2-9]|2([0-4][0-9]|5[0-5]))|203\.141\.1(4[4-9]|5[01])|61\.206\.12[0-7])\.[0-9]{1,3}|rdns=\d{2,3}(\.\d{1,3}){3}\.user\.\w{2}\.il24\.net) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe INTERLINK INTERLINK Co.,LTD
score INTERLINK 0.1

header LINKCLUB X-Spam-Relays-Untrusted =~ /rdns=ad-\d{4}\.\w+\.ip-link\.ne\.jp .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe LINKCLUB Linkclub Internet Connection
score LINKCLUB 0.1

header PLALA X-Spam-Relays-Untrusted =~ /(ip=222\.150(\.\d{1,3}){2}|rdns=i\d{2,3}(-\d{1,3}){3}\.s\d{2}\.a\d{3}\.ap\.plala\.or\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe PLALA Plala Networks Inc.
score PLALA 0.1


# 219.123.110.213
# 221.112.163.50
# 221.112.99.147
# 221.114.79.43
# 221.115.128.218
# 221.116.196.110
# 221.116.40.116
# 221.241.46.82
# 221.242.136.34
# 221.242.148.154
# 221.246.243.12
# 221.249.253.174
# 221.251.100.149
# 221.253.220.212
# 59.159.128.156
header USENBROAD Received =~ /from .+(usen-[25][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap-(us|US)[0-9]+\.usen\.ad\.jp|[25][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap[25][0-9]{1,2}\.ftth\.ucom\.ne\.jp)/
describe USENBROAD USEN broadgate
score USENBROAD 0.1

# header ALPHANET Received =~ /from .+[0-9]{2,3}(\.[0-9]{1,3}){3,3}\.[a-z]+\.b{0,1}flets\.alpha-net\.ne\.jp/
# header ALPHANET X-Spam-Relays-Untrusted =~ /(rdns=[0-9]{2,3}(\.[0-9]{1,3}){3,3}\.[a-z]+\.b{0,1}flets\.alpha-net\.ne\.jp|ip=61\.192\.(1(2[89]|[3-9]\d)|2([0-4]\d|5[0-5]))\.\d{1,3}) .+ ident= envfrom= intl=0 .+auth= /
header ALPHANET X-Spam-Relays-Untrusted =~ /(rdns=\d{1,3}(\.\d{1,3}){3}\.[a-z]+\.b{0,1}flets\.alpha-net\.ne\.jp|ip=61\.192\.(1(2[89]|[3-9]\d)|2([0-4]\d|5[0-5]))\.\d{1,3}) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe ALPHANET alpha-net.ne.jp
score ALPHANET 0.1

# header UNETSURF Received =~ /from .+f[0-9a-f]{4,4}\.[a-z]+\.ppp\.u-netsurf\.ne\.jp/
header UNETSURF X-Spam-Relays-Untrusted =~ /rdns=(f[0-9a-f]{4,4}\.[a-z]+|\w+-\w+\.(\d{1,3}-){3}\d{1,3})\.ppp\.u-netsurf\.ne\.jp .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe UNETSURF u-netsurf.ne.jp
score UNETSURF 0.1


# 211.10.191.64/26 
header EMNETNEJP Received =~ /from .+rev\.em-net\.ne\.jp/
describe EMNETNEJP em-net.ne.jp
score EMNETNEJP 0.1

# 220.100.0.0 - 220.100.127.255
header SST_BB Received =~ /from .+([0-9]{1,3}\.){2,2}100\.220\.sst-bb\.sst\.ne\.jp/
describe SST_BB Sharp Space Town
score SST_BB 0.1

# 61.7.0.0 - 61.7.127.255
header SNI_NOC X-Spam-Relays-Untrusted =~ /ip=61\.7\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3} .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe SNI_NOC Sagashimbun Co., Ltd.
score SNI_NOC 0.1


# 202.171.224.0 - 202.171.224.255
header XEXONNET X-Spam-Relays-Untrusted =~ /ip=202\.171\.224\.[0-9]{1,3} .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe XEXONNET spammer's hosting service (see `host spamsrv[2-6].hn.org` `host xexon.net`)
score XEXONNET 3.5

meta XEXON99 XEXONNET && (BAYES_99 || BAYES_95)
describe XEXON99 XEXONNET && (BAYES_99 || BAYES_95)
score XEXON99 10


# http://www.google.co.jp/search?as_q=spam&num=100&hl=ja&inlang=ja&ie=EUC-JP&oe=EUC-JP&btnG=Google+%B8%A1%BA%F7&as_epq=combzmail+jp&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=
# 60.32.107.224 - 60.32.107.239
# 60.32.176.224 - 60.32.176.231
# 61.115.238.96-61.115.238.127
# 211.133.130.128-211.133.130.255
# 210.188.215.0-210.188.215.63
# 210.188.215.128-210.188.215.191
# header COMBZMAIL_JP X-Spam-Relays-Untrusted =~ /ip=(60\.32\.107\.2(2[4-9]|3\d)|60\.32\.176\.2(2[4-9]|3[01])|60\.32\.177\.(\d|1[0-5])|61\.115\.238\.(9[6-9]|1[01]\d|12[0-7])|210\.188\.215\.(\d|[1-5]\d|6[0-3]|12[89]|1[3-8]\d|19[01])|211\.133\.130\.(12[89]|1[3-9]\d|2\d\d)) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
header COMBZMAIL_JP X-Spam-Relays-Untrusted =~ /(ip=(60\.32\.107\.2(2[4-9]|3\d)|60\.32\.176\.2(2[4-9]|3[01])|60\.32\.177\.(\d|1[0-5])|61\.115\.238\.(9[6-9]|1[01]\d|12[0-7])|210\.188\.215\.(\d|[1-5]\d|6[0-3]|12[89]|1[3-8]\d|19[01])|211\.133\.130\.(12[89]|1[3-9]\d|2\d\d))|helo=[\d\w.]+\.combzmail\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe COMBZMAIL_JP Combz Inc.
score COMBZMAIL_JP 1.5

# 203.131.192.0 - 203.131.207.255
# 125.6.0.0 - 125.6.255.255
header DATAHOTEL_JP X-Spam-Relays-Untrusted =~ /^\[ ip=(?:125\.6\.(?:140\.5|141\.24)|203\.(?:104\.97\.101|131\.198\.71)) /
describe DATAHOTEL_JP Livedoor Co., Ltd.
score DATAHOTEL_JP 1.5



# =-=-=-=-=-=- Foreign ISP rules using X-Spam-Relays-Untrusted =-=-=-=-=-=- 
# 2005.12.5 by [yoh]
# 

# 222.101.0.80 - 222.122.255.254
# 222.122.45.0-222.122.46.255
# 222.101.0.80 - 222.122.255.254
# header KORNET Received =~ /from .+(222\.122\.4[56]\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|59\.([0-9]|[12][0-9]|3[0-3])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2})/
# 222\.1(0[1-9]|1[0-9]|2[0-2])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 218.144.0.0 - 218.159.255.255
# 221.144.0.0 - 221.168.255.255
# 222.101.0.80 - 222.122.255.255
# 59.0.0.0 - 59.31.255.255
# KORNET Smile Serv
# header KORNET Received =~ /from .+(218\.1(4[4-9]|5[0-9])|221\.1(4[4-9]|5[0-9]|6[0-8])|222\.1(0[1-9]|1[0-9]|2[012])|59\.([0-9]|[12][0-9]|3[01]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
# describe KORNET Korea Telecom
# score KORNET 1.5
# 59.0.0.0 - 59.31.255.255
# 211.54.0.0 - 211.55.255.255
# 211.192.0.0 - 211.199.255.255
# 211.216.0.0 - 211.231.255.255
# 218.144.0.0 - 218.159.255.255
# 220.70.0.0 - 220.95.255.255
# 221.144.0.0 - 221.168.255.255
# 222.96.0.0 - 222.122.255.255

# 61.72.0.0 - 61.85.255.255

# 220.116.0.0 - 220.127.255.255

# header KOREATELECOM Received =~ /from .+(218\.1(4[4-9]|5[0-9])|221\.1(4[4-9]|5[0-9]|6[0-8])|59\.([0-9]|[12][0-9]|3[0-3])|222\.(9[6-9]|1([01][0-9]|2[012]))|211\.(19[2-9]|5[45]|2(1[6-9]|2[0-9]|3[01])))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
# header KOREATELECOM X-Spam-Relays-Untrusted =~ /ip=(218\.1(4[4-9]|5[0-9])|221\.1(4[4-9]|5[0-9]|6[0-8])|59\.([0-9]|[12][0-9]|3[0-3])|222\.(9[6-9]|1([01][0-9]|2[012]))|211\.(19[2-9]|5[45]|2(1[6-9]|2[0-9]|3[01])))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2} rdns= .+ident= envfrom= intl=0 .+auth= /
# header KOREATELECOM X-Spam-Relays-Untrusted =~ /ip=(59\.(\d|[12]\d|3[0-3])|61\.(7[2-9]|8[0-5])|211\.(19[2-9]|5[45]|2(1[6-9]|2\d|3[01]))|218\.1(4[4-9]|5\d)|220\.([78]\d|9[0-5]|11[6-9]|12[0-7])|221\.1(4[4-9]|5\d|6[0-8])|222\.(9[6-9]|1([01]\d|2[012])))(\.\d{1,3}){2,2} .+ident= envfrom= intl=0 .+auth= /
# 211.38.0.0 - 211.38.255.255
# 203.236.44.0 - 203.236.127.255
# header KOREATELECOM X-Spam-Relays-Untrusted =~ /ip=((59\.(\d|[12]\d|3[0-3])|61\.(7[2-9]|8[0-5])|211\.(38|19[2-9]|5[45]|2(1[6-9]|2\d|3[01]))|218\.1(4[4-9]|5\d)|220\.([78]\d|9[0-5]|11[6-9]|12[0-7])|221\.1(4[4-9]|5\d|6[0-8])|222\.(9[6-9]|1([01]\d|2[012])))(\.\d{1,3}){2}|203\.234\.(1(2[89]|[3-9]\d)|2([0-4]\d|5[0-5]))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# 210.91.0.0 - 210.91.255.255
# 210.92.0.0 - 210.92.63.255
# 210.101.64.0 - 210.101.127.255
# 210.105.0.0 - 210.105.255.255
# 210.113.0.0 - 210.113.255.255
# 210.121.128.0 - 210.121.255.255
# 210.123.0.0 - 210.123.255.255
# 210.126.0.0 - 210.126.127.255
# 210.183.0.0 - 210.183.255.255
# 210.217.0.0 - 210.217.127.255
# 210.222.0.0 - 210.222.255.255
# 210.223.0.0 - 210.223.255.255
# 211.48.0.0 - 211.48.255.255
# 203.228.0.0 - 203.228.127.255
# 125.128.0.0 - 125.159.255.255
# 211.107.1.0-211.107.255.255
# 203.232.2.0- 203.232.125.255
# 121.128.0.0 - 121.191.255.255
# 168.126.0.0 - 168.126.255.255
# 211.105.0.0 - 211.106.255.255
# 210.92.0.0 - 210.92.63.255
# header KOREATELECOM X-Spam-Relays-Untrusted =~ /ip=((59\.(\d|[12]\d|3[0-3])|61\.(7[2-9]|8[0-5])|115\.(1[6-9]|2[0-3])|118\.(3[2-9]|[45]\d|6[0-3])|121\.1(2[89]|[3-8]\d|9[01])|125\.1(2[89]|[345]\d)|128\.134|210\.(9[19]|105|113|123|183|22[23])|168\.126|211\.([34]8|19[2-9]|5[145]|10[567]|2(1[6-9]|2\d|3[01]))|218\.1(4[4-9]|5\d)|220\.([78]\d|9[0-5]|11[6-9]|12[0-7])|221\.1(4[4-9]|5\d|6[0-8])|222\.(9[6-9]|1([01]\d|2[012])))(\.\d{1,3}){2}|(203\.234\.(1(2[89]|[3-9]\d)|2([0-4]\d|5[0-5]))|203\.236\.(4[4-9]|[5-9]\d|1[01]\d|12[0-7])|203\.251\.(\d|\d\d|1[0-8]\d|19[01])|210\.92\.(\d|[1-5]\d|6[0-3])|(203\.2(28|32)|210\.(101|126|217))\.(\d|\d\d|1[01]\d|12[0-7]))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header KOREATELECOM X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:59\.(?:\d|[12]\d|3[0-3])|61\.(?:7[2-9]|8[0-5])|115\.(?:1[6-9]|2[0-3])|118\.(?:3[2-9]|[45]\d|6[0-3])|121\.1(?:2[89]|[3-8]\d|9[01])|125\.1(?:2[89]|[345]\d)|128\.134|168\.126|210\.(?:9[19]|105|113|123|183|22[23])|211\.(?:[34]8|19[2-9]|5[145]|10[567]|2(?:1[6-9]|2\d|3[01]))|218\.1(?:4[4-9]|5\d)|220\.(?:[78]\d|9[0-5]|11[6-9]|12[0-7])|221\.1(?:4[4-9]|5\d|6[0-8])|222\.(?:9[6-9]|1(?:[01]\d|2[012])))(?:\.\d{1,3}){2}|(?:203\.234\.(?:1(?:2[89]|[3-9]\d)|2(?:[0-4]\d|5[0-5]))|203\.236\.(?:4[4-9]|[5-9]\d|1[01]\d|12[0-7])|203\.251\.(?:\d|\d\d|1[0-8]\d|19[01])|210\.92\.(?:\d|[1-5]\d|6[0-3])|(?:203\.2(?:28|32)|210\.(?:101|126|217))\.(?:\d|\d\d|1[01]\d|12[0-7]))\.\d{1,3}) /
describe KOREATELECOM [KR]Korea Telecom
score KOREATELECOM 1.5


# 211.200.0.0-211.215.255.255

# 221.138.0.0 - 221.143.255.255
# 221.139.0.0 - 221.139.7.255
# 218.38.14.0-218.38.14.255

# 58.224.0.0 - 58.239.255.255
# 221.138.0.0 - 221.143.255.255
# 218.38.0.0-218.39.255.255

# 218.48.0.0-218.55.255.255
# 218.232.0.0-218.239.255.255

# 219.240.0.0-219.241.255.255

# 222.232.0.0-222.239.255.255
# 211.176.0.0-211.179.255.255
# 211.52.128.0-211.52.143.255

# header HANAROTELECOM Received =~ /from .+(58\.2(2[4-9]|3[0-9])|211\.(17[6-9]|20[0-9]|21[0-5])|221\.1(3[89]|4[0-3])|218\.(3[89]|4[89]|5[0-5]|23[2-9])|219\.24[01]|222\.23[2-9])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/

# rdns= helo=mail\.[a-z0-9_-]+\.(com|net)/
# header HANAROTELECOM X-Spam-Relays-Untrusted =~ /ip=(58\.2(2[4-9]|3[0-9])|211\.(17[6-9]|20[0-9]|21[0-5])|221\.1(3[89]|4[0-3])|218\.(3[89]|4[89]|5[0-5]|23[2-9])|219\.(24[01]|25[45])|222\.23[2-9])(\.[0-9]{1,3}){2,2} .+ident= envfrom= intl=0 .+auth= /
# header HANAROTELECOM X-Spam-Relays-Untrusted =~ /ip=(58\.2(2[4-9]|3[0-9])|211\.(49|17[6-9]|20[0-9]|21[0-5])|221\.1(3[89]|4[0-3])|218\.(3[89]|4[89]|5[0-5]|23[2-9])|219\.(24[01]|25[45])|222\.23[2-9])(\.[0-9]{1,3}){2,2} .+ident= envfrom= intl=0 .+auth= /
# 219.248.0.0-219.251.255.255
# 61.254.0.0 - 61.254.127.255
# 124.111.0.0 - 124.111.255.255
# 211.44.15.0-211.44.253.255
# 211.108.0.0-211.108.255.255
# 61.98.0.0 - 61.99.255.255
# 211.117.0.0 - 211.117.255.255
# 61.254.160.0 - 61.255.255.255
# 61.254.0.0 - 61.254.127.255
# 61.105.0.0 - 61.105.255.255
# 123.212.0.0 - 123.215.255.255
# 211.244.0.0 - 211.244.255.255
# 211.33.0.0 - 211.33.127.255
# header HANAROTELECOM X-Spam-Relays-Untrusted =~ /ip=((58\.(12[0-7]|2(2[4-9]|3\d))|61\.(9[89]|105|25[35])|121\.12[45]|123\.21[2-5]|124\.111|211\.(49|5[289]|108|117|17[6-9]|20\d|21[0-5]|24[345])|218\.(3[89]|4[89]|5[0-5]|23[2-9])|219\.(24[0189]|25[0145])|221\.1(3[89]|4[0-3])|222\.23[2-9])(\.\d{1,3}){2}|(61\.254\.(\d|[1-9]\d|1[01]\d|12[0-7]|1[6-9]\d|2\d\d)|211\.33\.(\d|\d\d|1[01]\d|12[0-7])|211\.44\.(1[5-9]|[2-9]\d|1\d\d|2[0-4]\d|25[0-3])|211\.52\.1(2[89]|3\d|4[0-3]))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header HANAROTELECOM X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:58\.(?:12[0-7]|2(?:2[4-9]|3\d))|61\.(?:9[89]|105|25[35])|116\.12[0-7]|121\.12[45]|123\.21[2-5]|124\.111|211\.(?:49|5[289]|108|117|17[6-9]|20\d|21[0-5]|24[345])|218\.(?:3[89]|4[89]|5[0-5]|23[2-9])|219\.(?:24[0189]|25[0145])|221\.1(?:3[89]|4[0-3])|222\.23[2-9])(?:\.\d{1,3}){2}|(?:61\.254\.(?:\d|\d\d|1[01]\d|12[0-7]|1[6-9]\d|2\d\d)|211\.33\.(?:\d|\d\d|1[01]\d|12[0-7])|211\.44\.(?:1[5-9]|[2-9]\d|1\d\d|2[0-4]\d|25[0-3])|211\.52\.1(?:2[89]|3\d|4[0-3]))\.\d{1,3}) /
describe HANAROTELECOM [KR]Hanaro Telecom, Inc.(also AKA HANANET)
score HANAROTELECOM 1.5


# 211.36.0.0-211.36.63.255
# 211.240.60.0-211.240.60.255
# 211.52.113.0-211.52.113.255
# 211.174.128.0 - 211.174.255.255
# 210.219.242.64-210.219.242.255
# header ELIMNET Received =~ /from .+(211\.36\.([0-9]|[1-5][0-9]|6[0-3])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|(211\.240\.60|211\.52\.113)\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))/
# header ELIMNET X-Spam-Relays-Untrusted =~ /ip=(211\.36\.([0-9]|[1-5][0-9]|6[0-3])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|(211\.240\.60|211\.52\.113)\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])) rdns= .+ident= envfrom= intl=0 .+auth= /
# header ELIMNET X-Spam-Relays-Untrusted =~ /ip=211\.(36\.([0-9]|[1-5][0-9]|6[0-3])|52\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])|174\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])|240\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7]))\.[0-9]{1,3} rdns= [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header ELIMNET X-Spam-Relays-Untrusted =~ /ip=(210\.219\.242\.\d{1,3}|211\.(36\.(\d|[1-5]\d|6[0-3])|52\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])|112\.(\d|[1-5]\d|6[0-3])|174\.(12[89]|1[3-9]\d|2\d\d)|240\.(\d|\d\d|1[01]\d|12[0-7]))\.\d{1,3}) rdns= [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe ELIMNET [KR]ELIMNET-IDC
score ELIMNET 1.0

# 220.230.0.0 - 220.230.255.255
# 59.150.0.0 - 59.150.255.255
# 125.57.0.0 - 125.57.255.255
# 211.183.0.0 - 211.183.255.255
# 211.175.0.0 - 211.175.255.255
# 211.61.128.0-211.61.255.255

# header DREAMX Received =~ /from .+(220\.230|59\.150|125\.57)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
# header DREAMX X-Spam-Relays-Untrusted =~ /ip=(220\.230|59\.150|125\.57|211\.1(75|83))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2} rdns= .+ident= envfrom= intl=0 .+auth= /
# 211.247.128.0 - 211.247.255.255
# 61.103.0.0 - 61.103.255.255
header DREAMX X-Spam-Relays-Untrusted =~ /ip=((220\.230|59\.150|61\.103|125\.57|211\.1(75|83))(\.\d{1,3}){2}|211\.(61|247)\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe DREAMX [KR]DREAMLINE CO.
score DREAMX 1.5

# 58.180.0.0 - 58.180.255.255
# 211.190.0.0-211.191.255.255
# 61.248.0.0 - 61.249.246.255
# 210.111.0.0-210.111.127.255
# 211.113.128.0-211.113.255.255

# header SHINBIRO Received =~ /from .+58\.180(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
# header SHINBIRO X-Spam-Relays-Untrusted =~ /ip=58\.180(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2} .+ident= envfrom= intl=0 .+auth= /
# header SHINBIRO X-Spam-Relays-Untrusted =~ /ip=(58\.180|211\.19[01])(\.[0-9]{1,3}){2,2} .+ident= envfrom= intl=0 .+auth= /
# 210.127.204.0-210.127.255.255
# 61.110.0.0 - 61.111.255.255
# 203.240.128.0 - 203.240.255.255
# 210.114.220.0-210.114.250.255
# header SHINBIRO X-Spam-Relays-Untrusted =~ /ip=((58\.180|61\.11[01]|211\.19[01]|61\.248)(\.\d{1,3}){2}|(61\.249\.(\d|[1-9]\d|1\d\d|2[0-3]\d|24[0-6])|203\.251\.(19[2-9]|2\d\d)|210\.111\.(\d|\d\d|1[01]\d|12[0-7])|210\.114\.2([234]\d|50)|210\.127\.2(0[4-9]|[1-5]\d)|(203\.240|211\.113)\.(12[89]|1[3-9]\d|2\d\d))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /

# 211.61.64.0 - 211.61.127.255
header SHINBIRO X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:58\.180|61\.11[01]|211\.19[01]|61\.248)(?:\.\d{1,3}){2}|(?:61\.249\.(?:\d|[1-9]\d|1\d\d|2[0-3]\d|24[0-6])|203\.251\.(?:19[2-9]|2\d\d)|210\.111\.(?:\d|\d\d|1[01]\d|12[0-7])|210\.114\.2(?:[234]\d|50)|210\.127\.2(?:0[4-9]|[1-5]\d)|211\.61\.(?:6[4-9]|[789]\d|1[01]\d|12[0-7])|(?:203\.240|211\.113)\.(?:12[89]|1[3-9]\d|2\d\d))\.\d{1,3}) /
describe SHINBIRO [KR]ONSE Telecom Co.
score SHINBIRO 1.0


# 219.252.0.0-219.253.255.255
# 58.102.0.0 - 58.103.255.255
# 61.104.0.0 - 61.104.255.255
# header SKNETWORKS Received =~ /from .+219\.25[23](\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
# 124.136.0.0 - 124.139.255.255
# 124.0.0.0 - 124.1.255.255
# 61.254.128.0 - 61.254.159.255
# header SKNETWORKS X-Spam-Relays-Untrusted =~ /ip=((58\.10[23]|61\.104|124\.([01]|13[6-9])|219\.25[23])(\.\d{1,3}){2}|61\.254\.1(2[89]|[345]\d)\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header SKNETWORKS X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:58\.10[23]|61\.104|124\.(?:[01]|13[6-9])|219\.25[2-5])(?:\.\d{1,3}){2}|61\.254\.1(?:2[89]|[345]\d)\.\d{1,3}) /
describe SKNETWORKS [KR]SK Networks co., Ltd
score SKNETWORKS 1.5

# 61.32.0.0 - 61.43.255.255
# 125.176.0.0 - 125.191.255.255
# 210.124.0.0 - 210.124.255.255
# 211.180.0.0 - 211.181.255.255
# 211.168.0.0 - 211.171.255.255
# 211.45.192.0 - 211.45.255.255
# header BORANET Received =~ /from .+61\.(3[2-9]|4[0-3])(\.[0-9]{1,3}){2,2}[\)\] ]/
# header BORANET X-Spam-Relays-Untrusted =~ /ip=(61\.(3[2-9]|4[0-3])|125\.1(7[6-9]|8[0-9]|9[01]))(\.[0-9]{1,3}){2,2} .+ident= envfrom= intl=0 .+auth= /
# header BORANET X-Spam-Relays-Untrusted =~ /ip=(61\.(3[2-9]|4[0-3])|125\.1(7[6-9]|8[0-9]|9[01])|210\.124|211\.1(6[89]|7[01]|8[01]))(\.[0-9]{1,3}){2,2} .+ident= envfrom= intl=0 .+auth= /
# header BORANET X-Spam-Relays-Untrusted =~ /ip=((61\.(3[2-9]|4[0-3])|125\.1(7[6-9]|8[0-9]|9[01])|210\.124|211\.1(6[89]|7[01]|8[01]))(\.[0-9]{1,3}){2,2}|211\.45\.(19[2-9]|2[0-4][0-9]|25[0-5])\.[0-9]{1,3}) .+ident= envfrom= intl=0 .+auth= /
# header BORANET X-Spam-Relays-Untrusted =~ /ip=((58\.7[2-9]|61\.(3[2-9]|4[0-3])|125\.1(7[6-9]|8\d|9[01])|210\.124|211\.1(6[89]|7[01]|8[01]))(\.\d{1,3}){2}|211\.45\.(19[2-9]|2[0-4]\d|25[0-5])\.\d{1,3}) .+ident= envfrom= intl=0 .+auth= /
# 211.118.0.0 - 211.119.255.255
# 60.196.0.0 - 60.197.255.255
# 210.92.64.0 - 210.92.255.255
# 211.40.0.0 - 211.40.255.255
# 210.101.128.0 - 210.101.191.255
# 211.53.0.0 - 211.53.255.255
# 210.216.0.0 - 210.216.255.255
# 125\.(1(7[6-9]|8\d|9[01])|24[0-7])|
# 164.124.0.0 - 164.124.255.255
# 203.248.128.0 - 203.248.255.255
# 210.108.0.0 - 210.108.255.255
# 121.64.0.0 - 121.67.255.255
# 125.248.0.0 - 125.251.255.255
# 58.150.0.0 - 58.151.255.255
# 123.140.0.0 - 123.143.255.255
# 210.98.128.0 - 210.98.191.255
# header BORANET X-Spam-Relays-Untrusted =~ /ip=((58\.(7[2-9]|15[01]|184)|59\.18[67]|60\.19[67]|61\.(3[2-9]|4[0-3])|121\.6[4-7]|123\.14[0-3]|125\.2(4\d|5[01])|164\.124|203\.248\.(1(2[89]|[3-9]\d)|2\d\d)|210\.(10[78]|12[04]|182|216)|211\.(32|40|5[03]|1(1[89]|6[89]|7[01]|8[01])))(\.\d{1,3}){2}|210\.92\.(6[4-9]|[7-9]\d|1\d\d|2[0-4]\d|25[0-5])\.\d{1,3}|210\.98\.1(2[89]|[3-8]\d|9[01])\.\d{1,3}|210\.101\.(12[89]|1[3-8]\d|19[01])\.\d{1,3}|211\.45\.(19[2-9]|2[0-4]\d|25[0-5])\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header BORANET X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:58\.(?:7[2-9]|15[01]|184)|59\.18[67]|60\.19[67]|61\.(?:3[2-9]|4[0-3])|118\.1(?:2[89]|3[01])|121\.6[4-7]|123\.14[0-3]|125\.2(?:4\d|5[01])|164\.124|203\.248\.(?:1(?:2[89]|[3-9]\d)|2\d\d)|210\.(?:10[78]|12[04]|182|216)|211\.(?:32|40|5[03]|1(?:1[89]|6[89]|7[01]|8[01])))(?:\.\d{1,3}){2}|210\.92\.(?:6[4-9]|[7-9]\d|1\d\d|2[0-4]\d|25[0-5])\.\d{1,3}|210\.98\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}|210\.101\.(?:12[89]|1[3-8]\d|19[01])\.\d{1,3}|211\.45\.(?:19[2-9]|2\d\d)\.\d{1,3}|211\.234\.(?:\d|\d\d|1[01]\d|12[0-7])\.\d{1,3}) /
describe BORANET [KR]DACOM Corp.
score BORANET 1.5

# 218.37.0.0-218.37.255.255
# 61.109.0.0 - 61.109.127.255
# 124.80.0.0 - 124.80.255.255
# 61.247.64.0 - 61.247.127.255
# 124.199.128.0 - 124.199.255.255
header HANVITINB X-Spam-Relays-Untrusted =~ /ip=((124\.80|218\.37)(\.[0-9]{1,3}){2}|(61\.109\.(\d|[1-9]\d|1[01]\d|12[0-7])|61\.247\.(6[4-9]|[789]\d|1[01]\d|12[0-7])|124\.199\.(12[89]|1[3-9]\d|2\d\d)|211\.237\.(1[678]\d|19[01]))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe HANVITINB [KR]Hanvitinb 
score HANVITINB 1.5

# 58.140.0.0 - 58.143.255.255
header CNM_COMM X-Spam-Relays-Untrusted =~ /ip=58\.14[0-3](\.[0-9]{1,3}){2,2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CNM_COMM [KR]C&M Communication Co., Ltd.
score CNM_COMM 1.5

# 211.109.0.0 - 211.110.255.255
# 211.186.0.0 - 211.187.255.255
header THRUNET X-Spam-Relays-Untrusted =~ /ip=211\.1(09|10|8[67])(\.[0-9]{1,3}){2,2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe THRUNET [KR]Thrunet Co., Ltd.
score THRUNET 1.5

# 211.236.128.0-211.236.223.255
header TACHYNET X-Spam-Relays-Untrusted =~ /ip=211\.236\.(12[89]|1[3-9][0-9]|2[01][0-9]|22[0-3])\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe TACHYNET [KR]TACHYNET-INFRA
score TACHYNET 1.5

# 211.247.0.0 - 211.247.127.255
# 203.90.32.0 - 203.90.63.255
# 203.210.32.0 - 203.210.63.255
# 211.115.224.0-211.115.255.255
# 61.252.192.0-61.252.255.255
# 211.173.128.0-211.173.159.255
# 210.2.32.0 - 210.2.63.255
# 211.172.64.0 - 211.172.79.255
header CHEONANVITSSEN_KR X-Spam-Relays-Untrusted =~ /ip=(61\.252\.(19[2-9]|2\d\d)|203\.(90|210)\.(3[2-9]|[45]\d|6[0-3])|210\.2.(3[2-9]|[45]\d|6[0-3])|211\.115\.2(2[4-9]|[345]\d)|211\.172\.(6[4-9]|7\d)|211\.173\.1(2[89]|[345]\d)|211\.247\.(\d|[1-9]\d|1[01]\d|12[0-7]))\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CHEONANVITSSEN_KR [KR] Cable TV Cheonan BroadcasMunhwa-dong, Cheonan-si
score CHEONANVITSSEN_KR 1.5

# 61.247.64.0 - 61.247.127.255
header CABLELINE_KR X-Spam-Relays-Untrusted =~ /ip=61\.247\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CABLELINE_KR [KR]BANDOCABLELINE
score CABLELINE_KR 1.5

# 211.112.64.0 - 211.112.95.255
header ICNDIGITAL_KR X-Spam-Relays-Untrusted =~ /ip=211\.112\.(6[4-9]|[78]\d|9[0-5])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe ICNDIGITAL_KR [KR]Korea Cable TV Namincheon Brodcasting Co., Ltd.
score ICNDIGITAL_KR 1.5

# 218.209.0.0 - 218.209.255.255
# 222.251.128.0 - 222.251.255.255
# header TBROAD_KR X-Spam-Relays-Untrusted =~ /ip=218\.209(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header TBROAD_KR X-Spam-Relays-Untrusted =~ /^\[ ip=(218\.209(\.\d{1,3}){2}|222\.251\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) /
describe TBROAD_KR [KR]Korea Cable Television Suwon Broadcating Co.
score TBROAD_KR 1.5

# 61.106.64.0 - 61.106.79.255
# 202.136.128.0 - 202.136.159.255
# 211.237.208.0-211.237.223.255
# 211.172.208.0-211.172.223.255
# 203.130.96.0 - 203.130.127.255
header KNCTV_KR X-Spam-Relays-Untrusted =~ /ip=(61\.106\.(6[4-9]|7\d)|202\.136\.1(2[89]|[3-5]\d)|203\.130\.(9[6-9]|1[01]\d|12[0-7])|211\.(172|237)\.2(0[89]|1\d|2[0-3]))\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe KNCTV_KR [KR]KangNam CableTV
score KNCTV_KR 1.5

# 163.180.0.0 - 163.180.255.255
header KHUNET_KR X-Spam-Relays-Untrusted =~ /ip=163\.180(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe KHUNET_KR [KR]Kyung Hee University
score KHUNET_KR 1.5

# 203.240.0.0 - 203.243.255.255
# 61.96.0.0 - 61.111.255.255
# 211.41.0.0 - 211.41.255.255
# 211.104.0.0 - 211.119.255.255
# 211.54.0.0 - 211.59.255.255
# 211.232.0.0 - 211.255.255.255
# 203.226.0.0 - 203.231.255.255
# 220.64.0.0 - 220.71.255.255
# 210.90.0.0 - 210.91.255.255
# 210.125.0.0 - 210.127.255.255
# 203.224.0.0 - 203.255.255.255
# 218.36.0.0 - 218.39.255.255
header KRNIC_KR X-Spam-Relays-Untrusted =~ /ip=(61\.(9[6-9]|10\d|11[01]|24[89]|25\d)|203\.2(2[4-9]|[345]\d)|210\.(9\d|1[01]\d|12[0-7]|17[89]|18[0-3])|211\.(3[2-9]|[45]\d|6[0-3]|10[4-9]|11\d|16[89]|17[2-9]|1[89]\d|2\d\d)|218\.3[6-9]|220\.(6[4-9]|7[01]))(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe KRNIC_KR [KR]Korea Network Information Center
score KRNIC_KR 1.5

# 58.65.64.0 - 58.65.127.255
# 211.246.128.0 - 211.246.255.255
# header SCSNET_KR X-Spam-Relays-Untrusted =~ /ip=58\.65\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header SCSNET_KR X-Spam-Relays-Untrusted =~ /^\[ ip=(58\.65\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])|211\.246\.(12[89]|1[3-9]\d|2\d\d))\.\d{1,3} /
describe SCSNET_KR [KR]Seokyung Cable Television Co.. Ltd.
score SCSNET_KR 1.5

# 168.188.0.0 - 168.188.255.255
header CHUNGNAM_KR X-Spam-Relays-Untrusted =~ /ip=168\.188(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CHUNGNAM_KR [KR]Chungnam National University
score CHUNGNAM_KR 1.5

# 165.132.0.0 - 165.132.255.255
header YONSEI_NET_KR X-Spam-Relays-Untrusted =~ /ip=165\.132(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe YONSEI_NET_KR [KR]imported inetnum object for YONSEI
score YONSEI_NET_KR 1.5

# 124.48.0.0 - 124.63.255.255
# 125.176.0.0 - 125.191.255.255
# 122.32.0.0 - 122.47.255.255
# 116.32.0.0 - 116.47.255.255
# /ip=(116\.(3[2-8]|4[0-7])|119\.(6[4-9]|7[01])|122\.(3[2-9]|4[0-7])|124\.(4[89]|5\d|6[0-3])|125\.1(7[6-9]|8\d|9[01]))(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /

header XPEED_KR X-Spam-Relays-Untrusted =~ /^\[ ip=(?:116\.(?:3[2-9]|4[0-7])|119\.(?:6[4-9]|7[01])|122\.(?:3[2-9]|4[0-7])|124\.(?:4[89]|5\d|6[0-3])|125\.1(?:7[6-9]|8\d|9[01]))(?:\.\d{1,3}){2} /
describe XPEED_KR [KR]POWERCOM
score XPEED_KR 1.5

header __XPEEDMAILER X-Mailer =~ /(NEXTism Mailer|Shadow Mail v)/

meta XPEEDMAILER ISO2022JP_BODY && __XPEEDMAILER && XPEED_KR
score XPEEDMAILER 5.5



# 168.131.0.0 - 168.131.255.255
header CHONNAM_NET_KR X-Spam-Relays-Untrusted =~ /ip=168\.131(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CHONNAM_NET_KR [KR]Chonnam National University
score CHONNAM_NET_KR 1.5

# 203.210.16.0 - 203.210.31.255
header DOTNAME_KR X-Spam-Relays-Untrusted =~ /ip=203\.210\.(1[6-9]|2\d|3[01])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe DOTNAME_KR [KR]Dotname Korea Corp
score DOTNAME_KR 1.5

# 124.197.128.0 - 124.197.223.255
header DONGDAEMUN_KR X-Spam-Relays-Untrusted =~ /ip=124\.197\.(12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe DONGDAEMUN_KR [KR]Dongdaemun cable networks,Inc.
score DONGDAEMUN_KR 1.5

# 58.145.0.0 - 58.145.127.255
# 203.229.0.0 - 203.229.127.255
header QRIXNET_KR X-Spam-Relays-Untrusted =~ /ip=(58\.145|203\.229)\.(\d|\d\d|1[01]\d|12[0-7])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe QRIXNET_KR [KR]QRIXNET
score QRIXNET_KR 1.5

# 211.41.0.0-211.41.46.255
header KITINET_KR X-Spam-Relays-Untrusted =~ /ip=211\.41\.(\d|[1-3]\d|4[0-6])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe KITINET_KR [KR]KITINET-INFRA
score KITINET_KR 1.5

# 124.198.0.0 - 124.198.127.255
header HAIONNET_KR X-Spam-Relays-Untrusted =~ /ip=124\.198\.(\d|\d\d|1[01]\d|12[0-7])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe HAIONNET_KR [KR]HAIonNet
score HAIONNET_KR 1.5

# 210.97.134.0-210.97.159.255
# 220.66.0.0-220.69.249.255
# 203.230.128.0-203.230.255.255
# 210.110.0.0-210.110.127.255
# 220.66.0.0-220.66.127.255
header KREN_KR X-Spam-Relays-Untrusted =~ /ip=(203\.230\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}|210\.97\.1(3[4-9]|[45]\d)\.\d{1,3}|210\.110\.(\d|\d\d|1[01]\d|12[0-7])\.\d{1,3}|220\.6[6-9](\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe KREN_KR [KR]kyungdongjeongbodaehak
score KREN_KR 1.5

# 202.150.176.0 - 202.150.191.255
# 211.47.80.0 - 211.47.127.255
# 120.50.64.0 - 120.50.127.255
# 114.199.128.0 - 114.199.255.255
header HCN_KR X-Spam-Relays-Untrusted =~ /^\[ ip=(114\.199\.(1(2[89]|[3-9]\d)|2\d\d)|120\.50\.(6[4-9]|[789]\d|1[01]\d|12[0-7])|202\.150\.1(7[6-9]|8\d|9[01])|211\.(41\.(19[2-9]|20[0-7])|47\.([89]\d|1[01]\d|12[0-7])|237\.2[45]\d))\.\d{1,3} /
describe HCN_KR [KR]HYUNDAI COMMUNICATIONS & NETWORK
score HCN_KR 1.5


# 203.67.0.0 - 203.67.255.255
# 210.64.0.0 - 210.64.255.255
# 210.66.0.0 - 210.66.255.255
# 210.68.0.0 - 210.68.255.255
# 203.70.0.0 - 203.70.255.255
# 210.243.127.0 - 210.243.255.255
# 139.175.0.0 - 139.175.255.255

# 203.73.0.0 - 203.73.255.255
# 211.74.0.0 - 211.74.255.255
# 210.244.0.0 - 210.244.127.255
# header SEEDNET Received =~ /from .+(203\.67|210\.6[468])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
header SEEDNET X-Spam-Relays-Untrusted =~ /ip=((59\.10[45]|139\.175|203\.(67|7[03])|210\.6[468]|211\.74)(\.\d{1,3}){2}|(210\.243\.(12[7-9]|1[3-9]\d|2\d\d)|210\.244\.(\d|\d\d|1[01]\d|12[0-7]))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SEEDNET [TW]Digital United Inc.
score SEEDNET 1.0

# 210.200.0.0 - 210.201.255.255
# 210.202.0.0 - 210.202.255.255
# 210.203.0.0 - 210.203.127.255
# 218.187.0.0 - 218.187.255.255

# header APOL Received =~ /from .+(21(0\.20[0-2]|8\.187)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|210\.203\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))/
# header APOL X-Spam-Relays-Untrusted =~ /ip=(21(0\.20[0-2]|8\.187)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|210\.203\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])) rdns=.+(vdsl\.static|dialup\.dynamic)\.apol\.com\.tw .+ident= envfrom= intl=0 .+auth= /

# header APOL X-Spam-Relays-Untrusted =~ /ip=((210\.20[0-2]|218\.187)(\.[0-9]{1,3}){2,2}|210\.203\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}) rdns=.+(vdsl\.static|dialup\.dynamic)\.apol\.com\.tw .+ident= envfrom= intl=0 .+auth= /
# header APOL X-Spam-Relays-Untrusted =~ /(ip=((210\.20[0-2]|218\.187)(\.[0-9]{1,3}){2,2}|210\.203\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3})|rdns=.+(vdsl\.static|dialup\.dynamic)\.apol\.com\.tw) .+ident= envfrom= intl=0 .+auth= /
# 222.156.0.0 - 222.157.255.255
# 219.91.0.0 - 219.91.127.255
header APOL X-Spam-Relays-Untrusted =~ /(ip=((124\.218|210\.20[0-2]|218\.(3[45]|187)|222\.15[67])(\.\d{1,3}){2}|(210\.203|219\.91)\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3})|rdns=.+(vdsl\.static|(cm|dialup)\.dynamic)\.apol\.com\.tw) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe APOL [TW]Asia Pacific On-line Services Inc.
score APOL 1.5

# 220.228.0.0 - 220.229.255.255
# 218.210.0.0 - 218.211.255.255

# header NCICNET Received =~ /from .+220\.22[89](\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
# 122.146.0.0 - 122.147.255.255
header NCICNET X-Spam-Relays-Untrusted =~ /ip=(122\.14[67]|218\.21[01]|220\.22[89])(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe NCICNET [TW]New Centry InfoComm Tech. Co., Ltd.
score NCICNET 1.5

# 61.56.0.0 - 61.56.15.255
# header NCREE_GSN_NET
# describe NCREE_GSN_NET [TW]

# 61.56.80.0 - 61.56.95.255
# 61.56.64.0 - 61.56.79.255
# header DYXNET
# describe DYXNET [TW]Diyixian.com(TW)Ltd.

# TW: 61.56.0.0 - 61.71.255.255
# header TW_61_56_71 Received =~ /from .+61\.(5[6-9]|6[0-9]|7[01])(\.[0-9]{1,3}){2,2}[\)\] ]/
header TW_61_56_71 X-Spam-Relays-Untrusted =~ /ip=61\.(5[6-9]|6[0-9]|7[01])(\.[0-9]{1,3}){2,2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe TW_61_56_71 [TW]61.56.0.0 - 61.71.255.255
score TW_61_56_71 1.0

# 203.207.0.0 - 203.207.15.255
header ASIAINFRA X-Spam-Relays-Untrusted =~ /ip=203\.207\.([0-9]|1[0-5])\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe ASIAINFRA [TW]AsiaInfra International Ltd.
score ASIAINFRA 1.0

# 218.160.0.0 - 218.175.255.255
# 220.128.0.0 - 220.143.255.255
# 59.112.0.0 - 59.127.255.255
# 61.228.0.0 - 61.231.255.255
# 60.248.0.0 - 60.251.255.255
# 125.232.0.0 - 125.233.255.255
# 211.20.0.0 - 211.23.255.255
# 125.224.0.0 - 125.231.255.255
# header HINET_TW X-Spam-Relays-Untrusted =~ /ip=(59\.1(1[2-9]|2[0-7])|60\.2(4[89]|5[01])|61\.2(2[89]|3[01])|125\.(22[4-9]|23[0-3])|211\.2[0-3]|218\.1(6\d|7[0-5])|220\.1(2[89]|3\d|4[0-3]))(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# 61.220.0.0 - 61.227.255.255
# 61.216.0.0 - 61.219.255.255
# 122.120.0.0 - 122.127.255.255
# 125.224.0.0 - 125.231.255.255
# header HINET_TW X-Spam-Relays-Untrusted =~ /(ip=(59\.1(1[2-9]|2[0-7])|60\.2(4[89]|5[01])|61\.2(1[6-9]|2\d|3[01])|122\.12[0-7]|125\.2(2[4-9]|3[0-3])|211\.75|218\.1(6\d|7[0-5])|220\.1(2[89]|3\d|4[0-3]))(\.\d{1,3}){2}|rdns=\d{2,3}(\-\d{1,3}){3}\.dynamic\.hinet\.net) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header HINET_TW X-Spam-Relays-Untrusted =~ /^\[ ip=(?:59\.1(?:1[2-9]|2[0-7])|60\.2(?:4[89]|5[01])|61\.2(?:1[6-9]|2\d|3[01])|118\.1(?:6[89]|7[01])|122\.12[0-7]|125\.2(?:2[4-9]|3[0-3])|211\.75|218\.1(?:6\d|7[0-5])|220\.1(?:2[89]|3\d|4[0-3]))(?:\.\d{1,3}){2} /
describe HINET_TW [TW]CHTD, Chunghwa Telecom Co.,Ltd.
score HINET_TW 1.5

# 222.250.0.0 - 222.251.127.255
# 210.85.0.0 - 210.85.255.255
# 202.178.128.0 - 202.178.191.255
header ETWEBS_TW X-Spam-Relays-Untrusted =~ /ip=((210\.85|222\.250)(\.\d{1,3}){2}|202\.178\.1(2[89]|[3-8]\d|9[01])\.\d{1,3}|222\.251\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe ETWEBS_TW [TW]ETWebs Taiwan Co. Ltd.
score ETWEBS_TW 1.5

# 61.30.0.0 - 61.31.255.255
# 124.8.0.0 - 124.12.255.255
# 219.80.0.0 - 219.81.255.255
# 219.86.0.0 - 219.87.255.255
header TFN_NET_TW X-Spam-Relays-Untrusted =~ /ip=(61\.3[01]|124\.([89]|1[012])|219\.8[0167])(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe TFN_NET_TW [TW]Taiwan Fixed Network CO.,LTD.
score TFN_NET_TW 1.5

# 202.165.128.0 - 202.165.159.255
header SINGTEL_TW X-Spam-Relays-Untrusted =~ /ip=202\.165\.1(2[89]|[345]\d)\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SINGTEL_TW [TW]Singtel Taiwan Limited
score SINGTEL_TW 1.5


# 219.84.0.0 - 219.85.255.255
header SONET_TW X-Spam-Relays-Untrusted =~ /ip=219\.8[45](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SONET_TW [TW]Sony Network Taiwan Limited
score SONET_TW 1.5

# 123.192.0.0 - 123.195.255.255
# 118.232.0.0 - 118.233.255.255
# header TUNGHO_NET_TW X-Spam-Relays-Untrusted =~ /ip=(118\.23[23]|123\.19[2-5])(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header TUNGHO_NET_TW X-Spam-Relays-Untrusted =~ /^\[ ip=(118\.23[23]|123\.19[2-5])(\.\d{1,3}){2} /
describe TUNGHO_NET_TW [TW]TUNG HO MULTIMEDIA CO. Ltd.
score TUNGHO_NET_TW 1.5

# 219.68.0.0 - 219.69.255.255
header GIGAMEDIA_TW X-Spam-Relays-Untrusted =~ /ip=219\.6[89](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe GIGAMEDIA_TW [TW]Hoshin Gigamedia Center Inc.
score GIGAMEDIA_TW 1.5

# 202.132.0.0 - 202.132.255.255
# 210.192.0.0 - 210.192.63.255
# 210.192.128.0 - 210.192.255.255
header TTN_TW X-Spam-Relays-Untrusted =~ /ip=(202\.132(\.\d{1,3}){2}|210\.192\.(\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe TTN_TW [TW]Taiwan Telecommunication Network Services Co.,LTD.
score TTN_TW 1.5

# 123.240.0.0 - 123.241.255.255
header TBCOM_NET_TW X-Spam-Relays-Untrusted =~ /^\[ ip=123\.(?:110|24[01])(?:\.\d{1,3}){2} /
describe TBCOM_NET_TW [TW]TBC
score TBCOM_NET_TW 1.5

# 123.252.0.0 - 123.252.127.255
# 124.155.128.0 - 124.155.159.255
# 122.99.0.0 - 122.99.63.255
header KE_ING_NET_TW X-Spam-Relays-Untrusted =~ /^\[ ip=(122\.99\.(\d|[1-5]\d|6[0-3])|123\.252\.(\d|\d\d|1[01]\d|12[0-7])|124\.155\.1(2[89]|[345]\d))\.\d{1,3} /
describe KE_ING_NET_TW [TW]KE-ing Co , Ltd
score KE_ING_NET_TW 1.5


# 211.78.32.0 - 211.78.63.255
header KGT_TW X-Spam-Relays-Untrusted =~ /^\[ ip=211\.78\.(3[2-9]|[45]\d|6[0-3])\.\d{1,3} /
describe KGT_TW [TW]KGEx.com
score KGT_TW 1.5

header TAIWANMOBILE_NET_TW X-Spam-Relays-Untrusted =~ /^\[ ip=(?:115\.8[0-3]|117\.19)(?:\.\d{1,3}){2} /
describe TAIWANMOBILE_NET_TW [TW]taiwanmobile-net
score TAIWANMOBILE_NET_TW 1.5

header FETNET_TW X-Spam-Relays-Untrusted =~ /^\[ ip=(?:61\.20|118\.231)(?:\.\d{1,3}){2} /
describe FETNET_TW [TW]Far EasTone Telecommunication Co., Ltd.
score FETNET_TW 1.5


# CSLOXINFO || CNCGROUPNP || 


meta ___KOREATAIWANCHINA CNCGROUP || KOREATELECOM || HANAROTELECOM || ELIMNET || DREAMX || SHINBIRO || SEEDNET || SKNETWORKS || BORANET || HANVITINB || APOL || NCICNET || CRTC || CHINATELECOM || CHINANET || UNICOM || SEEHULINE || KDD_HK || NWTNET || HGC_HK || TW_61_56_71 || XDSLSTREAMYX || CN_211_136_167 || ASIAINFRA || CNM_COMM || DXTNET || CPCNET_HK || THRUNET || HKCABLE_HK || CN_202_127 || DEFENSNET || LOXINFO_TH || BTV_BEIJING || SINNET_CN || BAYANTELDSL_AP || ISP_TH || TACHYNET || GLOBAL_CN || DQTNET_CN || BSNLNET_IN || VSNL_IN || EXATTNET_IN || HINET_TW || HTXX_CN || TOPWAY_NET_CN || CERNET_CN || BHARTI_IN || NGNNET_CN || ETWEBS_TW || SINGNET_SG || SKYCABLENET_PH || RELIANCE_IN || IQARANET_IN || WASU_HZDTV_COM_CN || CMNET_CN || TFN_NET_TW || GWBN_CN || BEELINK_CN || THAINET_TH || VIETEL_VNNIC_VN || CNNIC_CN || SKYINET_PH || CHINACOMM_CN || SINGTEL_TW || CHEONANVITSSEN_KR || TELKOMNET_ZA || CABLELINE_KR || SIAMIDC_TH || ICNDIGITAL_KR || TBROAD_KR || SILNET_IN || KNCTV_KR || HFCCABLE_AU || KHUNET_KR || WORLDCALL_PK || BGCTVNET_CN || KRNIC_KR || CNNIC_CN || SCSNET_KR || VNPT_VNNIC_VN || IPG_PH || NBIP_CN || CHUNGNAM_KR || YONSEI_NET_KR || SGCABLEVISION_SG || XPEED_KR || CHONNAM_NET_KR || PLDTDSL_PH || INDONET_ID || INFOCOM_PH || DOTNAME_KR || LKTELECOM_LK || WASU_CN || TELKOMNET_ID || BBNET_CN || SIFYNET_IN || CJWXNET_CN || HRXT_CN || GLOBET_PH || COLNET_CN || TM_IDC_MY || DONGDAEMUN_KR || QRIXNET_KR || COMNETTH || PI_PH || KITINET_KR || ASIANET_ID || STPI_IN || CONS_PH || INET_CO_TH || HCMPT_NET_VN || TRIDEL_TECH_PH || STN_CN || SONET_TW || HAIONNET_KR || TUNGHO_NET_TW || GIGAMEDIA_TW || TIG_NZ || KREN_KR || TTN_TW || AIMS_MY || TOT_IP_NET_TH || EXTREME_MY || TBCOM_NET_TW || HATHWAY_NET_IN || PI_IN || INFOVISION_PH || NLSS_CN || FOUNDERBN_CN || BJJSNET_CN || ETPI_PH || AORONG_CN || THBA_CN || DRCSCNET_CN || HCN_KR || RINGLINK_CN || GDJS_CN || YOUTELE_IN || KE_ING_NET_TW || TOPNEWNET_CN || TYNET_CN || TUNET_CN || IOLNET_IN || HUARUI_CN || KGT_TW || WM_CNCGROUP_CN || SGATHER_CN || TAIWANMOBILE_NET_TW || BM_ID || OPTUSINTERNET_AU || YYNET_CN || FETNET_TW || DCL_BD || ORTELCOMM_IN || INDOSAT_ID || CHINANETCENTER_CN || JARDIKNAS_ID || PTCL_PK || CTTNET_CN || BEAMCABLE_IN || HKCIX_HK || ETC_VNNIC_VN || GPRS_IN || HKNET_HK || CTINET_HK || PRIMANET_ID || PACENET_IN || HLJ_CN || GENESIS_HK || SINGTEL_HK || LINKDOTNET_PK || ISATNET_ID || FNCL_HK || GLOBALSPEED_PH || FPT_NET_VN || NEXTWEB_PH || WOTONE_CN || CYBERNET_PK || MULTINETBROADBAND_PK 


meta JPSUBJTWKRCN ___KOREATAIWANCHINA && SUBJ_ILLEGAL_CHARS && ISO2022JP_BODY
describe JPSUBJTWKRCN JaPan and SUBJ_illegal_chars and TaiWan KoRea ChiNa
score JPSUBJTWKRCN 2.0

# modified 2009.07.26 by [yoh]
# because, SA's Bayes is not reliable.
# meta DCNTWKRCN ___KOREATAIWANCHINA && ___DCN && (BAYES_99 || BAYES_95)
meta DCNTWKRCN ___KOREATAIWANCHINA && ___DCN
describe DCNTWKRCN Distributed Collaborative Network and TaiWan KoRea ChiNa
# score DCNTWKRCN 6.5
score DCNTWKRCN 3.5

# 218.24.0.0 - 218.25.255.255

# thrown away 2008.07.26 by [yoh]
# header CNCGROUPNP Received =~ /(from .*218\.2[45](\.([0-9]|[1-9][0-9]{1,2}|2[0-4][0-9]|25[0-5])){2})/
# describe CNCGROUPNP [CN]All IPs are "cncln.online.ln.cn"
# score CNCGROUPNP 4.0
# 
# meta CNCNPJP CNCGROUPNP && (ISO2022JP_BODY || SJIS_BODY)
# describe CNCNPJP CNCGROUPNP && (ISO2022JP_BODY || SJIS_BODY)
# score CNCNPJP 10.0

# 
# ToDo: Merge CNCGROUP and CHINATELECOM IP addresses.
# CNCGROUP and CHINATELECOM are same ISP.
# 2006.04.17 by [yoh]
# 
# done.
# 2008.07.26 by [yoh]


#       58.16.0.0-58.23.255.255   (524288)
#       58.32.0.0-58.63.255.255   (2097152)
#      58.208.0.0-58.223.255.255  (1048576)
#      58.240.0.0-58.255.255.255  (1048576)
# 
# 58\.(1[6-9]|2[0-3]|3[2-9]|[45]\d|6[0-3]|2(0[89]|1\d|2[0-3]|[45]\d))
# 
#       59.32.0.0-59.63.255.255   (2097152)
# 
# 59\.(3[2-9]|[45]\d|6[0-3])
# 
#        60.0.0.0-60.31.255.255   (2097152)
#      60.160.0.0-60.191.255.255  (2097152)
#      60.208.0.0-60.223.255.255  (1048576)
# 
# 60\.(\d|[12]\d|3[01]|1([678]\d|9[01])|2(0[89]|1\d|2[0-3]))
# 
#       61.48.0.0-61.55.255.255   (524288)
#      61.128.0.0-61.191.255.255  (4194304)
# 
# 61\.(4[89]|5[0-5]|1(2[89]|[3-8]\d|9[01]))
# 
#       116.1.0.0-116.1.255.255   (65536)
#       116.2.0.0-116.3.255.255   (131072)
#       116.4.0.0-116.7.255.255   (262144)
#       116.8.0.0-116.11.255.255  (262144)
#      116.16.0.0-116.31.255.255  (1048576)
#     116.224.0.0-116.239.255.255 (1048576)
# 
# 116\.([1-9]|1[016-9]|2\d|3[01]|2(2[4-9]|3\d))
# 
# 
#     119.112.0.0-119.119.255.255 (524288)
# 
# 119\.11[2-9]
# 
#       121.8.0.0-121.15.255.255  (524288)
#      121.16.0.0-121.31.255.255  (1048576)
#      121.32.0.0-121.35.255.255  (262144)
# 
# 121\.([89]|[12]\d|3[0-5])
# 
#       122.4.0.0-122.7.255.255   (262144)
#     122.136.0.0-122.143.255.255 (524288)
#     122.156.0.0-122.159.255.255 (262144)
#     122.224.0.0-122.239.255.255 (1048576)
# 
# 122\.([4-7]|1([35][6-9]|4[0-3])|2(2[4-9]|3\d))
# 
#       123.4.0.0-123.7.255.255   (262144)
#       123.8.0.0-123.15.255.255  (524288)
#     123.144.0.0-123.151.255.255 (524288)
#     123.152.0.0-123.155.255.255 (262144)
#     123.156.0.0-123.156.255.255 (65536)
#     123.170.0.0-123.171.255.255 (131072)
#     123.172.0.0-123.175.255.255 (262144)
#     123.177.0.0-123.177.255.255 (65536)
#     123.178.0.0-123.179.255.255 (131072)
#     123.180.0.0-123.183.255.255 (262144)
#     123.184.0.0-123.191.255.255 (524288)
# 
# 123\.([4-9]|1[0-5]|1(4[4-9]|5[0-6]|7[0-5789]|8\d|9[01]))
# 
#      124.64.0.0-124.67.255.255  (262144)
#      124.72.0.0-124.79.255.255  (524288)
#      124.88.0.0-124.95.255.255  (524288)
#     124.114.0.0-124.115.255.255 (131072)
#     124.128.0.0-124.135.255.255 (524288)
#     124.160.0.0-124.161.255.255 (131072)
#     124.164.0.0-124.167.255.255 (262144)
#     124.226.0.0-124.227.255.255 (131072)
#     124.234.0.0-124.235.255.255 (131072)
# 
# 124\.(6[4-7]|7[2-9]|8[89]|9[0-5]|1(1[45]|2[89]|3[0-5]|6[014-7]|)|2(2[67]|3[45]))
# 
#      125.40.0.0-125.47.255.255  (524288)
#      125.64.0.0-125.95.255.255  (2097152)
#     125.104.0.0-125.111.255.255 (524288)
#     125.112.0.0-125.127.255.255 (1048576)
#     125.211.0.0-125.211.255.255 (65536)
# 
# 125\.(4[0-7]|6[4-9]|[78]\d|9[0-5]|1(0[4-9]|1\d|2[0-7])|211)
# 
#     129.128.0.0-129.135.255.255 (524288)
#     129.136.0.0-129.137.255.255 (131072)
#     129.141.0.0-129.141.255.255 (65536)
#     129.142.0.0-129.143.255.255 (131072)
#     129.144.0.0-129.151.255.255 (524288)
#     129.152.0.0-129.153.255.255 (131072)
# 
# 129\.1(2[89]|3[0-7]|4[1-9]|5[0-3])
# 
# 
#      202.96.0.0-202.111.255.255 (1048576)
# 
# 202\.(9[6-9]|10\d|11[01])
# 
#      210.12.0.0-210.13.255.255  (131072)
# 
#    210.14.160.0-210.14.191.255  (8192)
#    210.14.192.0-210.14.255.255  (16384)
#      210.15.0.0-210.15.127.255  (32768)
#    210.15.128.0-210.15.191.255  (16384)
# 
#      210.21.0.0-210.21.255.255  (65536)
#      210.22.0.0-210.22.255.255  (65536)
#      210.51.0.0-210.51.255.255  (65536)
#      210.52.0.0-210.53.255.255  (131072)
# 
#     210.74.96.0-210.74.127.255  (8192)
#    210.74.128.0-210.74.159.255  (8192)
# 
#      210.78.0.0-210.78.31.255   (8192)
# 
#      210.82.0.0-210.83.255.255  (131072)
# 
# 210\.(1[23]|2[12]|5[123]|8[23])
# 
# 210\.14\.(1[6-9]\d|2\d\d)
# 210\.15\.(\d|\d\d|1[0-8]\d|19[01])
# 210\.74\.(9[6-9]|1[0-5]\d)
# 210\.78\.(\d|[12]\d|3[01])
# 
#       218.0.0.0-218.31.255.255  (2097152)
#      218.56.0.0-218.63.255.255  (524288)
#      218.64.0.0-218.95.255.255  (2097152)
#      218.96.0.0-218.97.255.255  (131072)
#     218.104.0.0-218.107.255.255 (262144)
# 
# 218\.(\d|[12]\d|3[01]|5[6-9]|[678]\d|9[0-7]|10[4-7])
# 
# 
#     219.128.0.0-219.159.255.255 (2097152)
#     219.232.0.0-219.233.255.255 (131072)
#     219.234.0.0-219.234.255.255 (65536)
# 
# 219\.(12[89]|1[345]\d|23[234])
# 
#     220.160.0.0-220.191.255.255 (2097152)
#     220.248.0.0-220.251.255.255 (262144)
# 
# 220\.(1[678]\d|19[01]|24[89]|25\d)
# 
#       221.0.0.0-221.15.255.255  (1048576)
#     221.192.0.0-221.223.255.255 (2097152)
#     221.224.0.0-221.239.255.255 (1048576)
# 
# 221\.(\d|1[0-5]|19[2-9]|2[0-3]\d)
# 
#      222.64.0.0-222.95.255.255  (2097152)
#     222.128.0.0-222.159.255.255 (2097152)
#     222.160.0.0-222.163.255.255 (262144)
#     222.168.0.0-222.175.255.255 (524288)
#     222.176.0.0-222.191.255.255 (1048576)
#     222.208.0.0-222.223.255.255 (1048576)
#     222.240.0.0-222.247.255.255 (524288)
# 
# 222\.(6[4-9]|[78]\d|9[0-5]|12[89]|1[34578]\d|16[0-8]|19[01]|20[89]|21\d|22[0-3]|24[0-7])

replace_tag CNCGROUP_IPS (?:(?:58\.(?:1[6-9]|2[0-3]|3[2-9]|[45]\d|6[0-3]|2(?:0[89]|1\d|2[0-3]|[45]\d))|59\.(?:3[2-9]|[45]\d|6[0-3])|60\.(?:\d|[12]\d|3[01]|1(?:[678]\d|9[01])|2(?:0[89]|1\d|2[0-3]))|61\.(?:4[89]|5[0-5]|1(?:2[89]|[3-8]\d|9[01]))|113\.(?:\d|1[2-5]|5[67]|6[4-9]|[789]\d|10\d|11[01]|24[89]|25[01])|114\.2(?:1[6-9]|2[0-3]|[45]\d)|115\.1(?:4[89]|5[01])|116\.(?:[1-9]|1[016-9]|2\d|3[01]|6[0-3]|1(?:1[2-7]|9[456])|2(?:0[789]|1[01]|2[4-9]|3\d))|117\.(?:[89]|1[0-5]|2[1-9]|3\d|4[0-5]|6[4-9]|[78]\d|9[0-5])|118\.(?:14[4-7]|18\d|19[0-5]|24[4-7])|119\.(?:[4-7]|3[2-9]|4[014589]|5[0-5]|62|9[6-9]|1(?:0[0-389]|1[2-9]|[23]\d|4[0-3]|7[6-9]|8\d|9[01]))|120\.8[0-7]|121\.(?:[89]|[12]\d|3[0-5]|6[0-3])|122\.(?:[4-7]|1(?:[35][6-9]|4[0-3]|5[6-9]|9[2-5])|2(?:2[4-9]|3\d))|123\.(?:[4-9]|1[0-5]|5[2-5]|9[67]|1(?:1[2-9]|[23]\d|4[4-9]|5[0-6]|6[4-7]|7[0-5789]|8\d|9[01]))|124\.(?:6[4-7]|7[2-9]|8[89]|9[0-5]|1(?:1[234589]|2[89]|3[0-5]|6[014-7]|)|2(?:2[4567]|3[4-9]))|125\.(?:3[6-9]|4[0-7]|6[4-9]|[78]\d|9[0-5]|1(?:0[4-9]|1\d|2[0-7])|211)|129\.1(?:2[89]|3[0-7]|4[1-9]|5[0-3])|202\.(?:9[6-9]|10\d|11[01])|210\.(?:1[23]|2[12]|5[123]|8[23])|218\.(?:\d|[12]\d|3[01]|5[6-9]|[678]\d|9[0-7]|10[4-7])|219\.(?:12[89]|1[345]\d|23[234])|220\.(?:1[678]\d|19[01]|24[2389]|25\d)|221\.(?:\d|1[0-5]|19[2-9]|2[0-3]\d)|222\.(?:6[4-9]|[78]\d|9[0-5]|12[89]|13\d|14[0-3]|16[0-8]|19[01]|20[89]|21\d|22[0-3]|24[0-7]))(?:\.\d{1,3}){2}|(?:121\.58\.(?:\d|\d\d|1[01]\d|12[0-7])|122\.102\.(?:6[4-9]|[78]\d|9[0-5])|210\.(?:14\.(?:1[6-9]\d|2\d\d)|15\.(?:\d|\d\d|1[0-8]\d|19[01])|74\.(?:9[6-9]|1[0-5]\d)|78\.(?:\d|[12]\d|3[01])))\.\d{1,3})

header CNCGROUP X-Spam-Relays-Untrusted =~ /^\[ ip=<CNCGROUP_IPS> /
describe CNCGROUP [CN]Japanese spammer's footstool: CNCGROUP
score CNCGROUP 1.5

meta CNCJP CNCGROUP && (ISO2022JP_BODY || SJIS_BODY)
describe CNCJP CNCGROUP && (ISO2022JP_BODY || SJIS_BODY)
score CNCJP 1.5

# for catching webmail ips.
# 2008.07.26 by [yoh]
header ___GOOMAIL_CNCGROUP X-Original-IP =~ /\[<CNCGROUP_IPS>\]/
header ___INFOSEEK_WEBMAIL_CNCGROUP X-OriginalIP =~ /<CNCGROUP_IPS>/

meta WM_CNCGROUP_CN ___GOOMAIL_CNCGROUP || ___INFOSEEK_WEBMAIL_CNCGROUP
describe WM_CNCGROUP_CN [CN]webmail from CNCGROUP
score WM_CNCGROUP_CN 1.5




# 61.232.0.0 - 61.237.255.255
# 222.32.0.0 - 222.63.255.255

# header CRTC Received =~ /from .+(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
# header CRTC Received =~ /from .+(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
# header CRTC X-Spam-Relays-Untrusted =~ /ip=(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2} rdns= .+ident= envfrom= intl=0 .+auth= /
# header CRTC X-Spam-Relays-Untrusted =~ /ip=(61\.23[2-7]|222\.(3[2-9]|[45][0-9]|6[0-3]))(\.[0-9]{1,3}){2,2} .+ ident= envfrom= intl=0 .+auth= /
header CRTC X-Spam-Relays-Untrusted =~ /ip=(61\.23[2-7]|221\.17[2-5]|222\.(3[2-9]|[45]\d|6[0-3]))(\.\d{1,3}){2,2} .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe CRTC [CN]CHINA RAILWAY TELECOMMUNICATIONS CENTER
score CRTC 1.5

# 219.147.128.0 - 219.147.255.255
# 222.170.0.0 - 222.172.127.255
# 222.168.0.0 - 222.169.255.255

# 222.76.0.0 - 222.79.255.255
# 219.234.0.0 - 219.234.31.255
# 222.173.0.0 - 222.175.255.255
# 221.224.0.0 - 221.231.255.255

# 218.22.0.0 - 218.23.255.255
# 222.64.0.0 - 222.73.255.255
# 59.32.0.0 - 59.63.255.255
# 60.160.0.0 - 60.161.255.255
# 60.162.0.0 - 60.165.255.255
# 60.166.0.0 - 60.175.255.255
# 60.176.0.0 - 60.191.255.255
# 218.70.0.0 - 218.95.255.255
# 222.64.0.0 - 222.95.255.255
# 222.168.0.0 - 222.191.255.255
# 222.208.0.0 - 222.223.255.255

# 220.160.0.0 - 220.191.255.255

# 61.169.0.0 - 61.175.255.255
# 124.72.0.0 - 124.79.255.255
# 121.32.0.0 - 121.35.255.255
header CHINATELECOM X-Spam-Relays-Untrusted =~ /ip=((61\.18[09]\.(\d|[1-9]\d|1[01]\d|12[0-8])|61\.159\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|219\.147\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|219\.234\.(\d|[12]\d|3[01])|222\.172\.(\d|[1-9]\d|1[01]\d|12[0-7]))\.\d{1,3}|(58\.(3[2-9]|[45]\d|6[0-3])|59\.(3[2-9]|[45]\d|6[0-3])|60\.(1[678]\d|19[01])|61\.(14[0-6]|15[457]|16[04-69]|17[0-578]|18[3-8]|19[01])|121\.3[2-5]|124\.(7[2-9]|11[45])|202\.103|218\.([0-6]|1[3-9]|2[023]|[678]\d|9[0-5])|219\.1(2[89]|3[0-7]|4[1-9]|5[0-3])|220\.1([678]\d|9[01])|221\.(22[4-9]|23\d)|222\.(6[4-9]|[78]\d|9[0-5]|17[01345]|16[89]|1[78]\d|19[01]|20[89]|21\d|22[0-3]))(\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CHINATELECOM [CN]China Telecom
score CHINATELECOM 1.5

header HAERBINTELECOM X-Spam-Relays-Untrusted =~ /ip=222\.171\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe HAERBINTELECOM [CN]HAERBIN TELECOM
score HAERBINTELECOM 1.5


# 218.65.128.0 - 218.65.255.255
# 218.66.0.0 - 218.67.127.255

#-218.1.0.0 - 218.1.255.255
#-218.6.128.0 - 218.6.255.255
#-218.13.0.0 - 218.18.255.255

# 218.19.0.0 - 218.20.255.255
#-218.21.0.0 - 218.21.47.255
#-218.21.48.0 - 218.21.63.255
#-218.21.64.0 - 218.21.127.255
##218.21.0.0 - 218.21.127.255
# (CNCGROUP)
# 218.22.0.0 - 218.23.255.255
#-218.31.0.0 - 218.31.255.255

##218.0.0.0 - 218.31.255.255

#-218.56.0.0 - 218.59.255.255(CNCGROUP)
# 218.64.0.0 - 218.65.127.255
#-218.66.0.0 - 218.67.127.255
# (CNCGROUP)
#-218.70.0.0 - 218.70.255.255
#-218.71.0.0 - 218.71.127.255
#-218.71.128.0 - 218.71.135.255
#-218.71.136.0 - 218.71.143.255
#-218.71.144.0 - 218.71.159.255
#-218.71.160.0 - 218.71.191.255
# 218.71.192.0 - 218.71.255.255
# 218.78.0.0 - 218.83.255.255
# 218.85.0.0 - 218.86.127.255
# 218.95.0.0 - 218.95.127.255
#-218.95.224.0 - 218.95.255.255

##218.56.0.0 - 218.95.255.255

# 219.128.0.0 - 219.137.255.255
#-219.159.64.0 - 219.159.255.255

##219.128.0.0 - 219.159.255.255
# (includes CHINATELECOM, CNCGROUP)

#-220.160.0.0 - 220.162.255.255
# 220.175.0.0 - 220.177.255.255
# 220.189.96.0 - 220.189.111.255
# 220.191.0.0 - 220.191.127.255
#-220.191.252.0 - 220.191.255.255

##220.160.0.0 - 220.191.255.255

# 222.64.220.0 - 222.64.223.255
# 222.65.60.0 - 222.65.63.255

# 222.64.0.0 - 222.73.255.255
# 222.76.0.0 - 222.79.255.255
#-222.92.0.0 - 222.95.255.255

##222.64.0.0 - 222.95.255.255

#-222.128.0.0 - 222.131.255.255(CNCGROUP)
#-222.136.0.0 - 222.143.255.255(CNCGROUP)

##222.128.0.0 - 222.143.255.255

# 58.33.180.0 - 58.33.183.255
#-58.32.0.0 - 58.41.255.255
#-58.60.0.0 - 58.63.255.255

##58.32.0.0 - 58.63.255.255

# 59.32.0.0 - 59.42.255.255
# 59.62.0.0 - 59.63.255.255

##59.32.0.0 - 58.63.255.255

#-60.160.0.0 - 60.161.255.255
#-60.166.0.0 - 60.175.255.255
# 60.177.0.0 - 60.177.255.255
#-60.176.0.0 - 60.191.255.255

##60.160.0.0 - 60.191.255.255

#-61.128.0.0 - 61.128.31.255
# 61.140.0.0 - 61.146.255.255
# 61.172.0.0 - 61.173.255.255
# 61.180.0.0 - 61.180.127.255
# 61.190.0.0 - 61.190.255.255
#-61.191.0.0 - 61.191.255.255

##61.128.0.0 - 61.191.255.255

# 202.96.0.0 - 202.111.255.255

# 125.112.0.0 - 125.127.255.255
# 58.208.0.0 - 58.223.255.255
# 124.234.0.0 - 124.235.255.255
# 122.4.0.0 - 122.7.255.255
header CHINANET X-Spam-Relays-Untrusted =~ /ip=(5[89]\.(3[2-9]|[45]\d|6[0-3])|58\.2(0[89]|1\d|2[0-3])|60\.1([6-8]\d|9[01])|61\.1(2[89]|[3-8]\d|9[01])|122\.[4-7]|124\.23[45]|125\.(6[4-9]|[78]\d|9[0-5]|10[4-9]|11\d|12[0-7])|202\.(9[6-9]|10\d|11[01])|218\.(\d|[12]\d|3[01]|5[6-9]|[678]\d|9[0-7])|219\.1(2[89]|[345]\d)|220\.1([678]\d|9[01])|221\.(\d|1[0-5]|19[2-9]|2[0-3]\d)|222\.(6[4-9]|[78]\d|9[0-5]|1(2[89]|3\d|4[0-3]|6[0-3])|24[0-7]))(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CHINANET [CN]Chinanet - large provider in China
score CHINANET 1.0

# 211.90.0.0 - 211.97.255.255
# 220.192.0.0 - 220.207.255.255
# (\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# (\.[0-9]{1,3}){2,2}
# 61.240.0.0 - 61.243.255.255
# header UNICOM Received =~ /from .+(211\.9[0-7]|220\.(19[2-9]|20[0-7]))(\.[0-9]{1,3}){2,2}[\)\] ]/
# header UNICOM X-Spam-Relays-Untrusted =~ /ip=(61\.24[0-3]|119\.16[4-7]|211\.9[0-7]|220\.(19[2-9]|20[0-7]))(\.[0-9]{1,3}){2,2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header UNICOM X-Spam-Relays-Untrusted =~ /^\[ ip=(?:61\.24[0-3]|112\.(?:8[3-9]|9[0-5])|119\.16[2-7]|120\.(?:\d|1[0-5])|123\.23[2-5]|211\.9[0-7]|220\.(?:19[2-9]|20[0-7]))(?:\.\d{1,3}){2} /
describe UNICOM [CN]China United Telecommunications Corporation
score UNICOM 1.0

# 59.191.0.0 - 59.191.127.255

# header SEEHULINE Received =~ /from .+59\.191\.([0-9]|[1-9][0-9]|1([01][0-9]|2[0-7]))\.[0-9]{1,3}[\)\] ]/
header SEEHULINE X-Spam-Relays-Untrusted =~ /ip=59\.191\.([0-9]|[1-9][0-9]|1([01][0-9]|2[0-7]))\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SEEHULINE [CN]SeeHuline-New dream
score SEEHULINE 1.5

# 211.136.0.0 - 211.167.255.255
header CN_211_136_167 X-Spam-Relays-Untrusted =~ /ip=211\.1(3[6-9]|[45][0-9]|6[0-7])(\.[0-9]{1,3}){2,2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CN_211_136_167 [CN]211.136.0.0 - 211.167.255.255
score CN_211_136_167 1.0

# 211.155.245.0 - 211.155.245.255
header BTV_BEIJING X-Spam-Relays-Untrusted =~ /ip=211\.155\.245\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe BTV_BEIJING [CN]BEIJING DIAN-SHI-TAI CO.LTD
score BTV_BEIJING 1.5


# 219.238.0.0 - 219.239.255.255
# 60.194.0.0 - 60.195.255.255
# 218.247.0.0 - 218.247.31.255
# 218.249.0.0 - 218.249.255.255
# 124.200.0.0 - 124.207.255.255
# header DXTNET X-Spam-Relays-Untrusted =~ /ip=(219\.23[89]|60\.19[45])(\.[0-9]{1,3}){2,2} .+ident= envfrom= intl=0 .+auth= /
# header DXTNET X-Spam-Relays-Untrusted =~ /ip=((219\.23[89]|60\.19[45]|218\.249)(\.\d{1,3}){2,2}|218\.247\.(\d|[12]\d|3[01])\.\d{1,3}) .+ident= envfrom= intl=0 .+auth= /
# header DXTNET X-Spam-Relays-Untrusted =~ /ip=((60\.(19[45]|207)|124\.(19[23]|20[0-7])|218\.249|219\.23[89])(\.\d{1,3}){2,2}|218\.247\.(\d|[12]\d|3[01])\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header DXTNET X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:60\.(?:19[45]|207)|124\.(?:19[23]|20[0-7])|218\.249|219\.23[89])(?:\.\d{1,3}){2,2}|218\.247\.(?:\d|[12]\d|3[01])\.\d{1,3}) /
describe DXTNET [CN]Beijing Teletron Telecom Engineering Co., Ltd.
score DXTNET 1.5

# 202.127.0.0 - 202.127.255.255
header CN_202_127 X-Spam-Relays-Untrusted =~ /ip=202\.127(\.[0-9]{1,3}){2,2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CN_202_127 [CN]202.127.0.0 - 202.127.255.255
score CN_202_127 1.0


# 124.42.0.0 - 124.42.127.255
header SINNET_CN X-Spam-Relays-Untrusted =~ /ip=124\.42\.(\d|[1-9]\d|1([01]\d|2[0-7]))\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SINNET_CN [CN]Beijing Guanghuan Xinwang Digital Technology co.Ltd
score SINNET_CN 1.5

# 203.156.192.0 - 203.156.255.255
header GLOBAL_CN X-Spam-Relays-Untrusted =~ /ip=203\.156\.(19[2-9]|2[0-4]\d|25[0-5])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe GLOBAL_CN [CN]ShangHai Global Network Co.Ltd
score GLOBAL_CN 1.5

# 203.90.128.0 - 203.90.223.255
# 61.47.128.0 - 61.47.191.255
# 125.58.128.0 - 125.58.255.255
# 219.235.64.0 - 219.235.127.255
# header DQTNET_CN X-Spam-Relays-Untrusted =~ /ip=(203\.90\.(12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}|61\.47\.(12[89]|1[3-8]\d|19[01])\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# header DQTNET_CN X-Spam-Relays-Untrusted =~ /ip=(?:61\.47\.(?:12[89]|1[3-8]\d|19[01])|125\.58\.(?:12[89]|1[3-9]\d|2\d\d)|203\.90\.(?:12[89]|1[3-9]\d|2[01]\d|22[0-3])|219\.235\.(?:6[4-9]|[789]\d|1[01]\d|12[0-7]))\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header DQTNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:61\.252\.\d{1,3}|61\.47\.(?:12[89]|1[3-8]\d|19[01])|125\.58\.(?:12[89]|1[3-9]\d|2\d\d)|203\.90\.(?:12[89]|1[3-9]\d|2[01]\d|22[0-3])|219\.235\.(?:6[4-9]|[789]\d|1[01]\d|12[0-7]))\.\d{1,3} /
describe DQTNET_CN [CN]Daqing Zhongji Petroleum Communication Construction Co.,Ltd.
score DQTNET_CN 1.5

# 202.8.128.0 - 202.8.159.255
header HTXX_CN X-Spam-Relays-Untrusted =~ /ip=202\.8\.(12[89]|1[345]\d)\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe HTXX_CN [CN]Huabei Petroleum Huatong
score HTXX_CN 1.5

# 222.248.0.0 - 222.248.255.255
# 219.234.96.0 - 219.234.127.255
# 222.125.0.0 - 222.125.255.255
header TOPWAY_NET_CN X-Spam-Relays-Untrusted =~ /ip=(219\.234\.(9[6-9]|1[01]\d|12[0-7])\.\d{1,3}|222\.(125|248)(\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe TOPWAY_NET_CN [CN]Topway-Net
score TOPWAY_NET_CN 1.5


# 58.66.0.0 - 58.67.255.255
# 59.107.0.0 - 59.107.255.255
# 124.172.0.0 - 124.175.255.255
# header NGNNET_CN X-Spam-Relays-Untrusted =~ /ip=(58\.6[67]|59\.107)(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
header NGNNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=(58\.6[67]|59\.107|124\.17[2-5])(\.\d{1,3}){2} /
describe NGNNET_CN [CN]World Crossing Telecom(GuangZhou) Ltd.
score NGNNET_CN 1.5

# 218.108.0.0 - 218.109.255.255
# 
# see http://www.hzdtv.com/
# 2006.04.23 by [yoh]
# 
# 219.82.0.0 - 219.82.255.255
header WASU_HZDTV_COM_CN X-Spam-Relays-Untrusted =~ /ip=(218\.10[89]|219\.82)(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe WASU_HZDTV_COM_CN [CN]WASU TV & Communication Holding Co.,Ltd.
score WASU_HZDTV_COM_CN 2.0

# 202.112.0.0 - 202.121.255.255
# 202.192.0.0 - 202.207.255.255
# 219.216.0.0 - 219.231.255.255
# 222.16.0.0 - 222.31.255.255
# 222.206.0.0 - 222.207.255.255
# 58.200.0.0 - 58.207.255.255
# 210.25.0.0 - 210.47.255.255
# 58.192.0.0 - 58.207.255.255
# 218.192.0.0 - 218.199.255.255
# 222.192.0.0 - 222.207.255.255
header CERNET_CN X-Spam-Relays-Untrusted =~ /ip=(58\.(19[2-9]|20[0-7])|202\.(11[2-9]|12[01]|19[2-9]|20[0-7])|210\.(2[5-9]|3\d|4[0-7])|211\.8[0-7]|218\.19[2-9]|219\.2(1[6-9]|2\d|3[01])|222\.(1[6-9]|2\d|3[01]|19[2-9]|20[0-7]))(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe CERNET_CN [CN]China Education and Research Network
score CERNET_CN 1.5


# 218.200.0.0 - 218.207.255.255
# 221.176.0.0 - 221.183.255.255
# 221.130.0.0 - 221.131.255.255
# header CMNET_CN X-Spam-Relays-Untrusted =~ /ip=(218\.20[0-7]|221\.1(3[01]|7[6-9]|8[0-3]))(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
header CMNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:121\.37|218\.20[0-7]|221\.1(?:3[01]|7[6-9]|8[0-3]))(?:\.\d{1,3}){2} /
describe CMNET_CN [CN]China Mobile Communications Corporation
score CMNET_CN 1.5

# 220.112.0.0 - 220.115.255.255
header GWBN_CN X-Spam-Relays-Untrusted =~ /ip=220\.11[2-5](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe GWBN_CN [CN]FOR GREAT WALL BROADBAND NETWORK SERVICE ACCESS
score GWBN_CN 1.5

# 59.80.0.0 - 59.83.255.255
header BEELINK_CN X-Spam-Relays-Untrusted =~ /ip=59\.8[0-3](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe BEELINK_CN [CN]Beelink Information Science & Technology Co.,Ltd.
score BEELINK_CN 1.5

# 218.96.0.0 - 218.99.255.255
header CNNIC_CN X-Spam-Relays-Untrusted =~ /ip=218\.9[6-9](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe CNNIC_CN [CN]China Network Information Center
score CNNIC_CN 1.5

# 221.122.0.0 - 221.123.255.255
# 124.68.0.0 - 124.71.255.255
header CHINACOMM_CN X-Spam-Relays-Untrusted =~ /ip=(124\.(6[89]|7[01])|221\.12[23])(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe CHINACOMM_CN [CN]CETC-CHINACOMM COMMUNICATIONS Co.,Ltd.
score CHINACOMM_CN 1.5

# 219.236.0.0 - 219.237.255.255
header BGCTVNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=(116\.21[6-9]|219\.23[67])(\.\d{1,3}){2} /
describe BGCTVNET_CN [CN]BEIJING GEHUA CATV NETWORK CO., LTD.
score BGCTVNET_CN 1.5

# 218.240.0.0 - 218.245.255.255
# 218.246.0.0 - 218.247.255.255
header CNNIC_CN X-Spam-Relays-Untrusted =~ /ip=218\.24[0-7](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe CNNIC_CN [CN]China Network Information Center
score CNNIC_CN 1.5

# 221.136.0.0 - 221.136.255.255
header NBIP_CN X-Spam-Relays-Untrusted =~ /ip=221\.136(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe NBIP_CN [CN]NBIP CNC(Ningbo)info-Port co.,Ltd
score NBIP_CN 1.5

# 58.100.0.0 - 58.101.255.255
header WASU_CN X-Spam-Relays-Untrusted =~ /ip=58\.10[01](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe WASU_CN [CN]WASU TV & Communication Holding Co.,Ltd.
score WASU_CN 1.5

# 121.68.0.0 - 121.71.255.255      
header BBNET_CN X-Spam-Relays-Untrusted =~ /ip=121\.(6[89]|7[01])(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe BBNET_CN [CN]BeiJing Kuandaitong Telecom Technology Co.,Ltd
score BBNET_CN 1.5

# 124.20.0.0 - 124.20.255.255
header CJWXNET_CN X-Spam-Relays-Untrusted =~ /ip=124\.2[01](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe CJWXNET_CN [CN]Ningbo CJWX Communication Technology Ltd
score CJWXNET_CN 1.5

# 124.248.0.0 - 124.248.127.255
header HRXT_CN X-Spam-Relays-Untrusted =~ /ip=124\.248\.(\d|[1-9]\d|1[01]\d|12[0-7]).\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
describe HRXT_CN [CN]Beijing HongRuiXunTong science & technology
score HRXT_CN 1.5

# 220.234.0.0 - 220.234.255.255
# 60.63.0.0 - 60.63.255.255
# 58.24.0.0 - 58.25.255.255
header COLNET_CN X-Spam-Relays-Untrusted =~ /ip=(58\.2[45]|60\.63|220\.234)(.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 /
describe COLNET_CN [CN]Oriental Cable Network Co., Ltd.
score COLNET_CN 1.5

# 122.0.128.0 - 122.0.255.255
# header STN_CN X-Spam-Relays-Untrusted =~ /ip=122\.0\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
header STN_CN X-Spam-Relays-Untrusted =~ /^\[ ip=122\.0\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3} /
describe STN_CN [CN]Science & Technology Network Communication Co., Ltd.
score STN_CN 1.5

# 116.90.184.0 - 116.90.191.255
# header NLSS_CN X-Spam-Relays-Untrusted =~ /^\[ ip=116\.90\.1(8[4-9]|9[01])\.\d{1,3} rdns=[^ \[\]]* helo=[^ \[\]]+ by=[^ \[\]]+ ident= envfrom= intl=0 id=[^\[\] ]* auth= \]/
header NLSS_CN X-Spam-Relays-Untrusted =~ /^\[ ip=116\.90\.1(8[4-9]|9[01])\.\d{1,3} /
describe NLSS_CN [CN]Beijing North Latitude Starlit Sky Network Co.,Ltd
score NLSS_CN 1.5

# 59.108.0.0 - 59.109.255.255
# header FOUNDERBN_CN X-Spam-Relays-Untrusted =~ /^\[ ip=59\.10[89](\.\d{1,3}){2} rdns=[^ \[\]]* helo=[^ \[\]]+ by=[^ \[\]]+ ident= envfrom= intl=0 id=[^\[\] ]* auth= \]/
header FOUNDERBN_CN X-Spam-Relays-Untrusted =~ /^\[ ip=59\.10[89](\.\d{1,3}){2} /
describe FOUNDERBN_CN [CN]Beijing Founder Broadband Network Technology Co.,Ltd
score FOUNDERBN_CN 1.5

# 122.8.0.0 - 122.9.255.255
# header BJJSNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=122\.[89](\.\d{1,3}){2} rdns=[^ \[\]]* helo=[^ \[\]]+ by=[^ \[\]]+ ident= envfrom= intl=0 id=[^\[\] ]* auth= \]/
header BJJSNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=122\.[89](\.\d{1,3}){2} /
describe BJJSNET_CN [CN]Beijing Jiasheng Lianhua technical Co. Ltd
score BJJSNET_CN 1.5

# 59.155.0.0 - 59.155.255.255
header AORONG_CN X-Spam-Relays-Untrusted =~ /^\[ ip=59\.155(\.\d{1,3}){2} /
describe AORONG_CN [CN]Shanghai AORONG Info & Tech Service Co.Ltd
score AORONG_CN 1.5

# 124.254.0.0 - 124.254.63.255
header THBA_CN X-Spam-Relays-Untrusted =~ /^\[ ip=124\.254\.(\d|[1-5]\d|6[0-3])\.\d{1,3} /
describe THBA_CN [CN]Beijing THBA Technology Co,.Ltd.
score THBA_CN 1.5

# 220.101.192.0 - 220.101.255.255
header DRCSCNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=220\.101\.(19[2-9]|2\d\d)\.\d{1,3} /
describe DRCSCNET_CN [CN]Development & Research Center of State Council Net.
score DRCSCNET_CN 1.5

header RINGLINK_CN X-Spam-Relays-Untrusted =~ /^\[ ip=59\.11[01](\.\d{1,3}){2} /
describe RINGLINK_CN [CN]RingLink telecom Ltd.
score RINGLINK_CN 1.5

header GDJS_CN X-Spam-Relays-Untrusted =~ /^\[ ip=123\.242\.(\d|\d\d|1[01]\d|12[0-7])\.\d{1,3} /
describe GDJS_CN [CN]Guangdong Jinsheng Investment Development Co.,Ltd
score GDJS_CN 1.5

header TOPNEWNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=121\.52\.2(0[89]|1\d|2[0-3])\.\d{1,3} /
describe TOPNEWNET_CN [CN]Beijing Topnew Info&Tech co,.LTD.
score TOPNEWNET_CN 1.5

header TYNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=119\.19(\.\d{1,3}){2} /
describe TYNET_CN [CN]Tianying Information and Technology Co. Ltd.
score TYNET_CN 1.5

header TUNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=166\.111(\.\d{1,3}){2} /
describe TUNET_CN [CN]Tsinghua University
score TUNET_CN 1.5

header HUARUI_CN X-Spam-Relays-Untrusted =~ /^\[ ip=(118\.102\.(1[6-9]|2\d|3[01])|119\.25[45]\.\d{1,3})\.\d{1,3} /
describe HUARUI_CN [CN]Langfang Development Area Huarui Xintong Network Technology Co., Ltd.
score HUARUI_CN 1.5

header SGATHER_CN X-Spam-Relays-Untrusted =~ /^\[ ip=122\.200\.(6[4-9]|[789]\d|1[01]\d|12[0-7])\.\d{1,3} /
describe SGATHER_CN [CN]Beijing HeJu ShuZi Telecom Engineering Co.Ltd.
score SGATHER_CN 1.5

header YYNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=116\.24[45](\.\d{1,3}){2} /
describe YYNET_CN [CN]Beijing Yiliyou Date Co.,Ltd
score YYNET_CN 1.5

header CHINANETCENTER_CN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:123\.103\.(?:\d|\d\d|1[01]\d|12[0-7])\.\d{1,3}|203\.130\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}) /
describe CHINANETCENTER_CN [CN]ChinaNetCenter Ltd.
score CHINANETCENTER_CN 1.5

header CTTNET_CN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:12[23]\.(?:6[4-9]|[78]\d|9[0-5])(?:\.\d{1,3}){2}) /
describe CTTNET_CN [CN]China TieTong Telecommunications Corporation
score CTTNET_CN 1.5

header HLJ_CN X-Spam-Relays-Untrusted =~ /^\[ ip=210\.76\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3} /
describe HLJ_CN [CN]Heilongjiang Province
score HLJ_CN 1.5

header WOTONE_CN X-Spam-Relays-Untrusted =~ /^\[ ip=116\.20[45](?:\.\d{1,3}){2} /
describe WOTONE_CN [CN]Wotone Network Ltd.
score WOTONE_CN 1.5

# 60.48.0.0 -  60.54.255.255
# 202.75.32.0 - 202.75.63.255
# 218.208.128.0 - 218.208.255.255
# 219.92.0.0 - 219.93.255.255
# 219.94.0.0 - 219.94.127.255
# 202.71.96.0 - 202.71.111.255
# header XDSLSTREAMYX X-Spam-Relays-Untrusted =~ /ip=(60\.(4[89]|5[0-4])(\.\d{1,3}){2}|(202\.75\.(3[2-9]|[45]\d|6[0-3])|218\.208\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5]))\.\d{1,3}) .+ident= envfrom= intl=0 /
# 218.111.0.0 - 218.111.255.255
# 219.95.0.0 - 219.95.255.255
# 218.208.0.0 - 218.208.255.255
# 118.100.0.0 - 118.101.255.255
# 124.13.0.0 - 124.13.255.255
header XDSLSTREAMYX X-Spam-Relays-Untrusted =~ /ip=((60\.(4[89]|5[0-4])|118\.10[01]|124\.13|218\.(111|208)|219\.9[235])(\.\d{1,3}){2}|(202\.71\.(9[6-9]|10\d|11[01])|202\.75\.(3[2-9]|[45]\d|6[0-3])|218\.208\.(12[89]|1[3-9]\d|2\d\d)|219\.94\.(\d|\d\d|1[01]\d|12[0-7]))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 /
describe XDSLSTREAMYX [MY]Telekom Malaysia Berhad
score XDSLSTREAMYX 1.5

# 210.48.144.0 - 210.48.159.255 
header TM_IDC_MY X-Spam-Relays-Untrusted =~ /ip=210\.48\.1(4[89]|5\d)\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
describe TM_IDC_MY [MY]TM NET SDN BHD
score TM_IDC_MY 1.5

# 116.0.96.0 - 116.0.127.255
header AIMS_MY X-Spam-Relays-Untrusted =~ /ip=116\.0\.(9[6-9]|1[01]\d|12[0-7])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
describe AIMS_MY [MY]Applied Information Management Services Kuala Lumper Malaysia
score AIMS_MY 1.5

# 203.188.232.0 - 203.188.239.255
header EXTREME_MY X-Spam-Relays-Untrusted =~ /ip=203\.188\.23[2-9]\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
describe EXTREME_MY [MY]Extreme Broadband Sdn. Bhd.
score EXTREME_MY 1.5


# 203.113.128.0 - 203.113.191.255
# header VIETEL_VNNIC_VN X-Spam-Relays-Untrusted =~ /ip=203\.113\.1(2[89]|[3-8]\d|9[01])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
header VIETEL_VNNIC_VN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:117\.[0-7](?:\.\d{1,3}){2}|203\.113\.1(2[89]|[3-8]\d|9[01])\.\d{1,3}) /
describe VIETEL_VNNIC_VN [VN]Vietel Corporation - Internet service/exchange provider
score VIETEL_VNNIC_VN 1.5

# 222.252.0.0 -  222.255.255.255
# 203.210.128.0 - 203.210.255.255
# header VNPT_VNNIC_VN X-Spam-Relays-Untrusted =~ /ip=(203\.210\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|222\.25[2-5](\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 /
header VNPT_VNNIC_VN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:203\.210\.(?:12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|(?:113\.1(?:[678]\d|9[01])|222\.25[2-5])(?:\.\d{1,3}){2}) /
describe VNPT_VNNIC_VN [VN]Vietnam Posts and Telecommunications Corp (VNPT)
score VNPT_VNNIC_VN 1.5

# 222.253.32.0 - 222.253.175.255
header HCMPT_NET_VN X-Spam-Relays-Untrusted =~ /ip=222\.253\.(3[2-9]|[4-9]\d|1[0-6]\d|17[0-5])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
describe HCMPT_NET_VN [VN]Ho Chi Minh City Post and Telecom Company
score HCMPT_NET_VN 1.5

header ETC_VNNIC_VN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:116\.(?:9[6-9]|10\d|11[01])(?:\.\d{1,3}){2}|125\.214\.(?:\d|[1-5]\d|6[0-3])\.\d{1,3}) /
describe ETC_VNNIC_VN [VN]Electric Telecommunication Company
score ETC_VNNIC_VN 1.5

header FPT_NET_VN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:58\.18[67]|118\.(?:6[89]|7[01]))(?:\.\d{1,3}){2} /
describe FPT_NET_VN [VN]FPT Broadband Service
score FPT_NET_VN 1.5



# 202.159.0.0 - 202.159.127.255
header INDONET_ID X-Spam-Relays-Untrusted =~ /ip=202\.159\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 /
describe INDONET_ID [ID]PT. IndoInternet
score INDONET_ID 1.5

# 222.124.0.0 - 222.124.255.255
header TELKOMNET_ID X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:114\.12[0-7]|118\.9[67]|125\.16[0-3]|222\.124)(?:\.\d{1,3}){2}|125\.163\.1(?:2[89]|[3-8]\d|90)\.\d{1,3}|125\.163\.191\.(?:\d|1\d|2[0-5])) /
describe TELKOMNET_ID [ID]PT. TELEKOMUNIKASI INDONESIA
score TELKOMNET_ID 1.5

# 202.150.224.0 - 202.150.255.255
header ASIANET_ID X-Spam-Relays-Untrusted =~ /ip=202\.150\.2(2[4-9]|[345]\d)\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe ASIANET_ID [ID]PT.Medialintas Antar Buana
score ASIANET_ID 1.5

header BM_ID X-Spam-Relays-Untrusted =~ /^\[ ip=118\.13[67](\.\d{1,3}){2} /
describe BM_ID [ID]PT. Broadband Multimedia, Tbk
score BM_ID 1.5

# 219.83.0.0 - 219.83.127.255
# 114.56.0.0 - 114.59.255.255
header INDOSAT_ID X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:114\.5[6-9]|120\.1(?:[678]\d|9[01]))(?:\.\d{1,3}){2}|202\.155\.(?:9[6-9]|1[01]\d|12[0-7])\.\d{1,3}|219\.83\.(?:\d|\d\d|1[01]\d|12[0-7])\.\d{1,3}) /
describe INDOSAT_ID [ID]Indosat Internet Service Provider
score INDOSAT_ID 1.5

header JARDIKNAS_ID X-Spam-Relays-Untrusted =~ /^\[ ip=118\.98\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3} /
describe JARDIKNAS_ID [ID]Departemen Pendidikan Nasional Tim Data Center Jardiknas
score JARDIKNAS_ID 1.5

# 202.57.0.0 - 202.57.15.255
header PRIMANET_ID X-Spam-Relays-Untrusted =~ /^\[ ip=202\.57\.10\.(3[2-9]|4[0-7]) /
describe PRIMANET_ID [ID]PRIMANET - ISP
score PRIMANET_ID 1.5

header ISATNET_ID X-Spam-Relays-Untrusted =~ /^\[ ip=58\.65\.245\.(?:8\d|9[0-5]) /
describe ISATNET_ID [ID]PT Insan Sarana Telematika
score ISATNET_ID 1.5
 

# 203.109.128.0 - 203.109.255.255
header TIG_NZ X-Spam-Relays-Untrusted =~ /ip=203\.109\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe TIG_NZ [NZ]The Internet Group Ltd.
score TIG_NZ 1.5




# 69.240.0.0 - 69.255.255.255
# header COMCAST Received =~ /from .+((c-[0-9]+.+|(pc|bg)p[0-9]+.+|rmhc[0-9]+)\.comcast\.net|69\.2(4[0-9]|5[0-5])(\.[0-9]{1,3}){2,2}[\)\] ])/
# header COMCAST X-Spam-Relays-Untrusted =~ /rdns=(c-[0-9]+.+|(pc|bg)p[0-9]+.+|rmhc[0-9]+)\.comcast\.net/
# header COMCAST X-Spam-Relays-Untrusted =~ /(ip=69\.2(4[0-9]|5[0-5])(\.[0-9]{1,3}){2,2}|rdns=(c-[0-9]+.+|(pc|bg)p[0-9]+.+|rmhc[0-9]+)\.comcast\.net) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# header COMCAST X-Spam-Relays-Untrusted =~ /(ip=69\.2(4[0-9]|5[0-5])(\.[0-9]{1,3}){2,2}|rdns=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header COMCAST X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:69\.2[45]\d|71\.(?:19[2-9]|20[0-7])|98\.(?:19[2-9]|2[0-3]\d|24[0-7]))(?:\.\d{1,3}){2}|\d{2,3}(?:\.\d{1,3}){3} rdns=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net) /
describe COMCAST [US]Comcast Cable Communications, Inc.
score COMCAST 1.0

# 24.151.0.0 - 24.151.255.255 
# 24.159.0.0 - 24.159.255.255 
# 24.176.0.0 - 24.183.255.255 
# 68.112.0.0 - 68.119.255.255 
# 68.184.0.0 - 68.191.255.255 
# 71.80.0.0 - 71.95.255.255 
# 75.128.0.0 - 75.143.255.255 
# 97.80.0.0 - 97.95.255.255 
header CHARTER_NET_US X-Spam-Relays-Untrusted =~ /^\[ ip=(?:24\.15[19]|24\.1(?:7[6-9]|8[0-3])|68\.11[2-9]|68\.1(?:8[4-9]|9[01])|71\.(?:8\d|9[0-5])|75\.1(?:2[89]|3\d|4[0-3])|96\.(?:3[2-9]|4[012])|97\.(?:8\d|9[0-5]))(?:\.[0-9]{1,3}){2,2} /
describe CHARTER_NET_US [US]Charter Communications
score CHARTER_NET_US 1.0

# 66.16.0.0 - 66.16.127.255 
header CAVTEL_BLK X-Spam-Relays-Untrusted =~ /ip=66\.16\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3} .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe CAVTEL_BLK [US]Cavalier Telephone
score CAVTEL_BLK 1.0

# header ROADRUNNER X-Spam-Relays-Untrusted =~ / rdns=.+\.res\.rr\.com .+ ident= envfrom= intl=0 .+ auth= /
header ROADRUNNER X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:70\.1(?:1[2-9]|2[0-7])|98\.14)(?:\.\d{1,3}){2}|\d{2,3}(?:\.\d{1,3}){3} rdns=.+\.res\.rr\.com) /
describe ROADRUNNER [US]Road Runner 
score ROADRUNNER 1.0

header WAVEB_US X-Spam-Relays-Untrusted =~ /^\[ ip=66\.119\.206\.(48|60) /
describe WAVEB_US [US]Wave Broadband, LLC 
score WAVEB_US 1.5

# NetRange:   209.160.0.0 - 209.160.79.255
# CIDR:       209.160.0.0/18, 209.160.64.0/20
header HOPONE_US X-Spam-Relays-Untrusted =~ /^\[ ip=209\.160\.40\.176 /
describe HOPONE_US [US]HopOne Internet Corporation
score HOPONE_US 1.5

# 72.55.128.0 - 72.55.191.255
header IWEBGROUP_US X-Spam-Relays-Untrusted =~ /^\[ ip=72\.55\.165\.209 /
describe IWEBGROUP_US [US]Groupe iWeb Technologies inc.
score IWEBGROUP_US 1.5

# 68.24.0.0 - 68.31.255.255
# 70.0.0.0 - 70.14.255.255
header SPCS_US X-Spam-Relays-Untrusted =~ /^\[ ip=(?:68\.(?:2[4-9]|3[01]|24[0-7])|70\.(?:\d|1[0-4])|99\.20[0-7])(?:\.\d{1,3}){2} /
describe SPCS_US [US]Sprint PCS
score SPCS_US 1.5

header GNAXNET_US X-Spam-Relays-Untrusted =~ /^\[ ip=209\.51\.154\.66 /
describe GNAXNET_US [US]Global Net Access, LLC
score GNAXNET_US 1.5

# 38.0.0.0 - 38.255.255.255
header PSINET_US X-Spam-Relays-Untrusted =~ /^\[ ip=38\.110\.146\.\d{1,3} /
describe PSINET_US [US]PSINet, Inc.
score PSINET_US 1.5

# 82.64.0.0 - 82.67.255.255
# header PROXAD Received =~ /from .+[a-z0-9-]+(-[0-9]{1,3}){4,4}\.(fbx|adsl)\.proxad\.net/
header PROXAD X-Spam-Relays-Untrusted =~ /rdns=[a-z0-9-]+(-[0-9]{1,3}){4,4}\.(fbx|adsl)\.proxad\.net [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe PROXAD [FR]Proxad / Free SAS
score PROXAD 1.0

# 62.38.32.0 - 62.38.35.255
# header HOL_INFRA Received =~ /from .+62\.38\.3[2-5]\.[0-9]{1,3}[\)\] ]/
header HOL_INFRA X-Spam-Relays-Untrusted =~ /ip=62\.38\.3[2-5]\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe HOL_INFRA [GR]Hellas On Line S.A.
score HOL_INFRA 1.0

# 80.233.216.0 - 80.233.223.255
# header NEOLAINTELIALV Received =~ /from .+80\.233\.2(1[6-9]|2[0-3])\.[0-9]{1,3}[\)\] ]/
header NEOLAINTELIALV X-Spam-Relays-Untrusted =~ /ip=80\.233\.2(1[6-9]|2[0-3])\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe NEOLAINTELIALV [LV]Neolain Ltd. (Latvia)
score NEOLAINTELIALV 1.0

# 200.81.0.0-200.81.31.255
# header MILLICOMAR Received =~ /from .+200\.81\.([0-9]|[12][0-9]|3[01])\.[0-9]{1,3}[\)\] ]/
header MILLICOMAR X-Spam-Relays-Untrusted =~ /ip=200\.81\.([0-9]|[12][0-9]|3[01])\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe MILLICOMAR [AR]Millicom Argentina S.A.
score MILLICOMAR 1.0

# header RIMA_TDE_NET Received =~ /from .+[0-9]{1,3}\.Red(-[0-9]{1,3}){3,3}\.(dynamicIP|staticIP|pooles)\.rima-tde\.net/
header RIMA_TDE_NET X-Spam-Relays-Untrusted =~ /rdns=[0-9]{1,3}\.Red(-[0-9]{1,3}){3,3}\.(dynamicIP|staticIP|pooles)\.rima-tde\.net [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe RIMA_TDE_NET [ES]RIMA (Red IP Multi Acceso)TELEFONICA DE ESPANA
score RIMA_TDE_NET 1.0


# .revip.asianet.co.th
# header ASIANET_TH Received =~ /from .+\.revip[2-9]{0,1}\.asianet\.co\.th/
# header ASIANET_TH X-Spam-Relays-Untrusted =~ /(ip=(58\.([89]|1[01])|124\.12[012])(\.\d{1,3}){2}|rdns=.+\.(revip[2-9]{0,1}|static)\.asianet\.co\.th) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header ASIANET_TH X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:58\.(?:[89]|1[01])|61\.9[01]|124\.12[012])(?:\.\d{1,3}){2}|\d{2,3}(?:\.\d{1,3}){3} rdns=rdns=.+\.(?:revip[2-9]{0,1}|static)\.asianet\.co\.th) /
describe ASIANET_TH [TH]Asianet Corperation
score ASIANET_TH 2.0

# Thai: 203.150.0.0 - 203.159.255.255
# 203.155.0.0 - 203.155.255.255
# 202.149.96.0 - 202.149.127.255
# header COMNETTH Received =~ /from .+203\.155(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[\)\] ]/
# header COMNETTH X-Spam-Relays-Untrusted =~ /ip=(202\.149\.(9[6-9]|1[01]\d|12[0-7])\.\d{1,3}|203\.155(\.\d{1,3}){2}|203\.188\.(\d|[1-5]\d|6[0-3]).\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header COMNETTH X-Spam-Relays-Untrusted =~ /^\[ ip=(?:202\.149\.(?:9[6-9]|1[01]\d|12[0-7])\.\d{1,3}|203\.209\.(?:\d|\d\d|1[01]\d|12[0-7])\.\d{1,3}|203\.155(?:\.\d{1,3}){2}|203\.188\.(?:\d|[1-5]\d|6[0-3]).\d{1,3}) /
describe COMNETTH [TH]KSC Commercial Internet Co. Ltd.
score COMNETTH 1.5

# 
# thrown away due to same provider 2007.01.04 by [yoh]
# 
# header CSLOXINFO X-Spam-Relays-Untrusted =~ /(ip=58\.136(\.\d{1,3}){2}|rdns=p\d+-\w+\d+\.C\.csloxinfo\.net) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# describe CSLOXINFO [TH]csloxinfo-th
# score CSLOXINFO 1.5

# 203.170.128.0 - 203.170.255.255
header LOXINFO_TH X-Spam-Relays-Untrusted =~ /ip=(203\.170\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}|(58\.136|203\.146)(\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe LOXINFO_TH [TH]Loxley Information Company Ltd.
score LOXINFO_TH 1.5

# 202.57.128.0 - 202.57.191.255
# 203.153.160.0 - 203.153.175.255
header ISP_TH X-Spam-Relays-Untrusted =~ /ip=(202\.57\.1(2[89]|[3-8][0-9]|9[01])|203\.153\.1(6\d|7[0-5]))\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe ISP_TH [TH]Internet Service Provider Co., Ltd.
score ISP_TH 1.5

# 202.28.0.0 - 202.29.255.255
header THAINET_TH X-Spam-Relays-Untrusted =~ /ip=202\.2[89](\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe THAINET_TH [TH]UniNet(Inter-university network)
score THAINET_TH 1.5

# 202.151.176.0 - 202.151.191.255
header SIAMIDC_TH X-Spam-Relays-Untrusted =~ /ip=202\.151\.1(7[6-9]|8\d|9[01])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SIAMIDC_TH [TH]SIAMIDC,Internet Datacenter , Bangkok, Thailand
score SIAMIDC_TH 1.5

# 203.151.0.0 - 203.151.255.255
header INET_CO_TH X-Spam-Relays-Untrusted =~ /ip=203\.151(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe INET_CO_TH [TH]Internet Thailand Company Limited
score INET_CO_TH 1.5

# 125.24.0.0 - 125.24.255.255
# header TOT_IP_NET_TH X-Spam-Relays-Untrusted =~ /ip=125\.24(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header TOT_IP_NET_TH X-Spam-Relays-Untrusted =~ /^\[ ip=(?:118\.17[2-5]|125\.24)(?:\.\d{1,3}){2} /
describe TOT_IP_NET_TH [TH]tot ip network ip address pool for adsl services
score TOT_IP_NET_TH 1.5



# 202.83.32.0 - 202.83.63.255
# 202.164.128.0 - 202.164.159.255
# header ASIANET_IN Received =~ /from .+202\.83\.(3[2-9]|[4-7][0-9]|8[0-3])\.[0-9]{1,3}[\)\] ]/
# header ASIANET_IN X-Spam-Relays-Untrusted =~ /ip=202\.83\.(3[2-9]|[4-7][0-9]|8[0-3])\.[0-9]{1,3} .+ident= envfrom= intl=0 .+auth= /
header ASIANET_IN X-Spam-Relays-Untrusted =~ /ip=202\.(83\.(3[2-9]|[4-7][0-9]|8[0-3])|164\.1(2[89]|[345]\d))\.[0-9]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe ASIANET_IN [IN]Asianet ISP providing broadband internet access through Cable Network
score ASIANET_IN 1.5


# 59.88.0.0 - 59.99.255.255
# 210.212.0.0 - 210.212.255.255
# 61.0.0.0 - 61.1.255.255
# 117.192.0.0 - 117.255.255.255
header BSNLNET_IN X-Spam-Relays-Untrusted =~ /ip=(59\.(8[89]|9\d)|61\.[0-3]|117\.(19[2-9]|2\d\d)|210\.212|218\.248)(\.[\d]{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe BSNLNET_IN [IN]NIB (National Internet Backbone)
score BSNLNET_IN 1.5

# 61.17.0.0 - 61.17.255.255
# 59.160.0.0 - 59.165.255.255
# 202.54.0.0 - 202.54.255.255
# 219.64.0.0 - 219.65.255.255
# 202.9.128.0 - 202.9.191.255
# 203.197.0.0 - 203.197.255.255
# 61.11.0.0 - 61.11.127.255
# 203.200.0.0 - 203.200.255.255
# 121.240.0.0 - 121.247.255.255
# 210.211.128.0 - 210.211.255.255
header VSNL_IN X-Spam-Relays-Untrusted =~ /(ip=((59\.16[0-5]|61\.17|121\.24[0-7]|202\.54|203\.(19[79]|200)|219\.6[45])(\.[\d]{1,3}){2}|(61\.11\.(\d|\d\d|1[01]\d|12[0-7])|202\.9\.1(2[89]|[3-8]\d|9[01])|210\.211\.(12[89]|1[3-9]\d|2\d\d))\.\d{1,3})|rdns=\d{2,3}(\.\d{1,3}){3}\.[A-Z-]+\.dialup\.vsnl\.net\.in) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe VSNL_IN [IN]Videsh Sanchar Nigam Ltd - India.
score VSNL_IN 1.5

# 221.128.128.0 - 221.128.255.255
header EXATTNET_IN X-Spam-Relays-Untrusted =~ /ip=221\.128\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.[\d]{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe EXATTNET_IN [IN]EXATTNET
score EXATTNET_IN 1.5

# 61.246.0.0 - 61.246.255.255
# 59.144.0.0 - 59.145.255.255
# 203.101.0.0 - 203.101.127.255
# 125.16.0.0 - 125.23.255.255
# 203.145.128.0 - 203.145.191.255
# header BHARTI_IN X-Spam-Relays-Untrusted =~ /ip=((59\.14[45]|61\.246|125\.(1[6-9]|2[0-3]))(\.\d{1,3}){2}|203\.101\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|203\.145\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header BHARTI_IN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:59\.14[45]|61\.246|122\.16[0-38]|125\.(?:1[6-9]|2[0-3]))(?:\.\d{1,3}){2}|122\.1(?:6\d|7[0-5])(?:\.\d{1,3}){2}|203\.101\.(?:\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|203\.145\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) /
describe BHARTI_IN [IN]Bharti Broadband networks Limited
score BHARTI_IN 1.5

# 220.226.128.0 - 220.226.191.255
# 220.224.0.0 - 220.227.255.255
# 123.236.0.0 - 123.239.255.255
# 115.240.0.0 - 115.255.255.255
# header RELIANCE_IN X-Spam-Relays-Untrusted =~ /ip=220\.226\.1(2[89]|[3-8]\d|9[01])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# header RELIANCE_IN X-Spam-Relays-Untrusted =~ /ip=(123\.23[6-9]|124\.12[45]|220\.22[4-7])(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header RELIANCE_IN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:115\.2[45]\d|123\.23[6-9]|124\.12[45]|220\.22[4-7])(?:\.\d{1,3}){2} /
describe RELIANCE_IN [IN]Reliance Infocom Ltd Internet Data Centre
score RELIANCE_IN 1.5

# 219.91.128.0 - 219.91.255.255
# header IQARANET_IN X-Spam-Relays-Untrusted =~ /ip=(123\.201(\.\d{1,3}){2}|219\.91\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header IQARANET_IN X-Spam-Relays-Untrusted =~ /^\[ ip=(123\.201(\.\d{1,3}){2}|219\.91\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) /
describe IQARANET_IN [IN]Iqara Telecom India Pvt Ltd Cable Internet Service Provider
score IQARANET_IN 1.5

# 210.214.0.0 - 210.214.255.255
# header SILNET_IN X-Spam-Relays-Untrusted =~ /ip=210\.214(\.\d{1,3}){2} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header SILNET_IN X-Spam-Relays-Untrusted =~ /^\[ ip=210\.214(\.\d{1,3}){2} /
describe SILNET_IN [IN]Satyam Infoway Pvt.Ltd. Value Added Network service provider in India.
score SILNET_IN 1.5

# 202.177.144.0 - 202.177.191.255
header SIFYNET_IN X-Spam-Relays-Untrusted =~ /^\[ ip=202\.177\.1(4[4-9]|[5-8]\d|9[01])\.\d{1,3} /
describe SIFYNET_IN [IN]Satyam Infoway (P) Ltd. National Internet Service Provider
score SIFYNET_IN 1.5

# 203.129.192.0 - 203.129.255.255
header STPI_IN X-Spam-Relays-Untrusted =~ /^\[ ip=203\.129\.(19[2-9]|2\d\d)\.\d{1,3} /
describe STPI_IN [IN]Software Technology Parks of India
score STPI_IN 1.5

# 202.88.128.0 - 202.88.191.255
# 203.212.192.0 - 203.212.255.255
# 60.243.0.0 - 60.243.255.255
# 125.99.0.0 - 125.99.255.255
# 60.254.0.0 - 60.254.127.255
# 210.18.128.0 - 210.18.191.255
# 202.88.208.0 - 202.88.223.255
# 116.72.0.0 - 116.75.255.255
# header HATHWAY_NET_IN X-Spam-Relays-Untrusted =~ /ip=((60\.243|116\.7[2-5]|125\.99)(\.\d{1,3}){2}|(60\.254\.(\d|\d\d|1[01]\d|12[0-7])|202\.88\.(1(2[89]|[3-8]\d|9[01])|20[2-9]|21\d|22[0-3])|203\.212\.(19[2-9]|2\d\d)|210\.18\.1(2[89]|[3-8]\d|9[01]))\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header HATHWAY_NET_IN X-Spam-Relays-Untrusted =~ /^\[ ip=((60\.243|116\.7[2-5]|125\.99)(\.\d{1,3}){2}|(60\.254\.(\d|\d\d|1[01]\d|12[0-7])|202\.88\.(1(2[89]|[3-8]\d|9[01])|20[2-9]|21\d|22[0-3])|203\.212\.(19[2-9]|2\d\d)|210\.18\.1(2[89]|[3-8]\d|9[01]))\.\d{1,3}) /
describe HATHWAY_NET_IN [IN]Hathway IP Over Cable Internet Access Service
score HATHWAY_NET_IN 1.5

# 203.123.128.0 - 203.123.191.255
header PI_IN X-Spam-Relays-Untrusted =~ /^\[ ip=203\.123\.1(2[89]|[3-8]\d|9[01])\.\d{1,3} /
describe PI_IN [IN]Pacific Internet Limited
score PI_IN 1.5

header YOUTELE_IN X-Spam-Relays-Untrusted =~ /^\[ ip=(123.201(\.\d{1,3}){2}|203.109.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d{1,3}|203\.187\.(19[2-9]|2\d\d)\.\d{1,3}|219.91.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) /
describe YOUTELE_IN [IN]Iqara Telecom India Pvt Ltd
score YOUTELE_IN 1.5

# 202.70.192.0 - 202.70.207.255
header IOLNET_IN X-Spam-Relays-Untrusted =~ /^\[ ip=202\.(?:63\.1(?:[678]\d|9[01])\.\d{1,3}|70\.198\.133) /
describe IOLNET_IN [IN]India Online Network Ltd.
score IOLNET_IN 1.5

header ORTELCOMM_IN X-Spam-Relays-Untrusted =~ /^\[ ip=122\.50\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3} /
describe ORTELCOMM_IN [IN]ORTELCOMMUNICATIONS INTERNET SERVICE PROVIDER
score ORTELCOMM_IN 1.5

header BEAMCABLE_IN X-Spam-Relays-Untrusted =~ /^\[ ip=(123\.176\.(3[2-9]|4[0-7])\.\d{1,3}|124\.123(\.\d{1,3}){2}|202\.53\.([89]|1[0-5])\.\d{1,3}) /
describe BEAMCABLE_IN [IN]Internet Telephony Service Provider
score BEAMCABLE_IN 1.5

header GPRS_IN X-Spam-Relays-Untrusted =~ /^\[ ip=117\.9[67](?:\.\d{1,3}){2} /
describe GPRS_IN [IN]GPRS-Subscribers
score GPRS_IN 1.5

header PACENET_IN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:210\.89\.(?:3[2-9]|[45]\d|6[0-3])|203\.76\.(?:17[6-9]|18\d|19[01])|203\.115\.(?:6[4-9]|[78]\d|9[0-5]))\.\d{1,3} /
describe PACENET_IN [IN]India's Premeir Broadband and IPTV services, Mumbai.
score PACENET_IN 1.5


# 68.32.0.0 - 68.63.255.255

# 24.0.0.0 - 24.15.255.255
# 24.16.0.0 - 24.23.255.255

# 24.0.0.0 - 24.23.255.255

# 24.30.0.0 - 24.30.95.255
# 24.30.96.0 - 24.30.127.255

# 24.30.0.0 -  24.30.127.255

# 24.60.0.0 - 24.63.255.255
# 24.130.224.0 - 24.130.255.255


# 202.177.0.0 - 202.177.31.255
header KDD_HK Received =~ /from .+202\.177\.([0-9]|[12][0-9]|3[01])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/
describe KDD_HK [HK]KDDI HONG KONG LIMITED
score KDD_HK 1.5

# 210.245.128.0 - 210.245.255.255
# 59.188.0.0 - 59.188.255.255
# header NWTNET Received =~ /from .+210\.245\.(1(2[89]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/
# 210.209.64.0 - 210.209.127.255
header NWTNET X-Spam-Relays-Untrusted =~ /^\[ ip=(59\.188(\.\d{1,3}){2}|(210\.209\.(6[4-9]|[789]\d|1[01]\d|12[0-7])|210\.245\.(1(2[89]|[3-9]\d)|2\d\d))\.\d{1,3}) /
describe NWTNET [HK]New World Telephone
score NWTNET 1.5

# 218.190.0.0 - 218.191.255.255
# 221.124.0.0 - 221.127.255.255
# 210.0.128.0 - 210.0.255.255
# 218.188.0.0 - 218.189.255.255
# 210.3.0.0 - 210.3.255.255
# header HGC_HK Received =~ /from .+218\.19[01](\.[0-9]{1,3}){2,2}/
header HGC_HK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:113\.25[2-5]|118\.14[0-3]|210\.3|218\.1(?:8[89]|9[01])|221\.12[4-7])(?:\.\d{1,3}){2}|210\.0\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}) /
describe HGC_HK [HK]Hutchison Global Communications
score HGC_HK 1.5

# 202.66.0.0 - 202.66.255.255
header CPCNET_HK X-Spam-Relays-Untrusted =~ /^\[ ip=202\.66(\.[0-9]{1,3}){2} /
describe CPCNET_HK [HK]CPCNet Hong Kong Ltd.
score CPCNET_HK 1.5

# 218.252.0.0 - 218.255.255.255
# 222.166.0.0 - 222.166.255.255
# header HKCABLE_HK X-Spam-Relays-Untrusted =~ /ip=(218\.25[2-5]|222\.16[67])(\.[0-9]{1,3}){2} .+ident= envfrom= intl=0 .+auth= /
header HKCABLE_HK X-Spam-Relays-Untrusted =~ /(rdns=cm\d{2,3}(-\d{1,3}){3}\.hkcable\.com\.hk|ip=(218\.25[2-5]|222\.16[67])(\.[0-9]{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe HKCABLE_HK [HK]HK Cable TV Ltd
score HKCABLE_HK 1.5


header HKCIX_HK X-Spam-Relays-Untrusted =~ /^\[ ip=202\.181\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3} /
describe HKCIX_HK [HK]Hongkong Commercial Internet Exchange
score HKCIX_HK 1.5

header HKNET_HK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:202\.67|203\.169)\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3} /
describe HKNET_HK [HK]HKNet Company Ltd.
score HKNET_HK 1.5

# 203.80.192.0 - 203.80.255.255
header CTINET_HK X-Spam-Relays-Untrusted =~ /^\[ ip=203\.80\.250\.1(?:2[89]|[345]\d) /
describe CTINET_HK [HK]City Telecom (H.K.) Ltd.
score CTINET_HK 1.5

header GENESIS_HK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:202\.65\.(?:19[2-9]|20[0-7])|219\.90\.1(?:1[2-9]|2[0-7]))\.\d{1,3} /
describe GENESIS_HK [HK]Genesis Net Limited
score GENESIS_HK 1.5

header SINGTEL_HK X-Spam-Relays-Untrusted =~ /^\[ ip=202\.83\.(?:19[2-9]|2[012]\d|22[0-3])\.\d{1,3} /
describe SINGTEL_HK [HK]Singtel Hong Kong Limited
score SINGTEL_HK 1.5

header FNCL_HK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:116\.212\.11[2-8]|118\.102\.(?:[89]|1[0-5])|202\.59\.15[2-9])\.\d{1,3} /
describe FNCL_HK [HK]First Network Communications Limited, ISP at HK
score FNCL_HK 1.5


# 203.215.80.0-203.215.95.255
# 203.115.144.0-203.115.159.255
# 203.115.128.0-203.115.159.255
# 203.115.176.0-203.115.191.255
# 203.115.128.0-203.115.191.255
# 121.96.0.0 - 121.97.255.255
# header PHSKYINET Received =~ /from .+203\.215\.(8[0-9]|9[0-5])\.[0-9]{1,3}/
header SKYINET_PH X-Spam-Relays-Untrusted =~ /^\[ ip=(121\.9[67](\.\d{1,3}){2}|203\.(115\.1(2[89]|[3-8]\d|9[01])|215\.(8[0-9]|9[0-5]))\.\d{1,3}) /
describe SKYINET_PH [PH]Bayan Telecommunications Inc.
score SKYINET_PH 1.0

# 203.82.16.0 - 203.82.23.255
header DEFENSNET X-Spam-Relays-Untrusted =~ /^\[ ip=203\.82\.(1[6-9]|2[0-3])\.\d{1,3} /
describe DEFENSNET [PH]DEFENSNET, Hosting Service and Content Provider from Antonio Defensor Consulting
score DEFENSNET 1.0

# 210.4.0.0 - 210.4.63.255
header BAYANTELDSL_AP X-Spam-Relays-Untrusted =~ /^\[ ip=210\.4\.(\d|[1-5]\d|6[0-3])\.\d{1,3} /
describe BAYANTELDSL_AP [PH]Bayantel DSL Infrastructure
score BAYANTELDSL_AP 1.5

# 202.78.96.0-202.78.111.255
header SKYCABLENET_PH X-Spam-Relays-Untrusted =~ /^\[ ip=202\.78\.(9[6-9]|10\d|11[01])\.\d{1,3} /
describe SKYCABLENET_PH [PH]Sky Internet http://www.skyinet.net/
score SKYCABLENET_PH 1.5

# 210.14.0.0 - 210.14.31.255
# 124.104.0.0 - 124.107.255.255
# 58.71.0.0 - 58.71.127.255
# 58.69.0.0 - 58.69.255.255
# 122.52.0.0 - 122.55.255.255
# 122.2.0.0 - 122.3.255.255
# 119.92.0.0 - 119.95.255.255
header IPG_PH X-Spam-Relays-Untrusted =~ /^\[ ip=((58\.69|119\.9[2-5]|122\.([23]|5[2-5])|124\.10[4-7])(\.\d{1,3}){2}|(58\.71\.(\d|\d\d|1[01]\d|12[0-7])|210\.14\.(\d|[12]\d|3[01]))\.\d{1,3}) /
describe IPG_PH [PH]Philippine Long Distance Telephone Company
score IPG_PH 1.5

# 58.69.0.0 - 58.69.127.0
header PLDTDSL_PH X-Spam-Relays-Untrusted =~ /^\[ ip=58\.69\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3} /
describe PLDTDSL_PH [PH]DSL_Consumer
score PLDTDSL_PH 1.5

# 203.131.64.0 - 203.131.191.255
header INFOCOM_PH X-Spam-Relays-Untrusted =~ /^\[ ip=203\.131\.(6[4-9]|[7-9]\d|1[0-8]\d|19[01])\.\d{1,3} /
describe INFOCOM_PH [PH]INFOCOM Technologies Inc
score INFOCOM_PH 1.5

# 124.6.128.0 - 124.6.191.255
# 203.177.0.0 - 203.177.255.255
# 222.127.0.0 - 222.127.127.255
header GLOBET_PH X-Spam-Relays-Untrusted =~ /^\[ ip=(124\.6\.1(2[89]|[3-8]\d|9[01])\.\d{1,3}|(203\.177|222\.127)(\.\d{1,3}){2}) /
describe GLOBET_PH [PH]Globe Telecom/Innove Communication
score GLOBET_PH 1.5

# 210.23.96.0 - 210.23.127.255
header PI_PH X-Spam-Relays-Untrusted =~ /^\[ ip=210\.23\.(9[6-9]|1[01]\d|12[0-7])\.\d{1,3} /
describe PI_PH [PH]Pacific Internet Philippines
score PI_PH 1.5

# 124.104.176.0 - 124.104.191.255
header CONS_PH X-Spam-Relays-Untrusted =~ /^\[ ip=124\.104\.1(7[6-9]|8\d|9[01])\.\d{1,3} /
describe CONS_PH [PH]GNTC7300i02_Consumer
score CONS_PH 1.5

# 203.167.0.0 - 203.167.31.255
header TRIDEL_TECH_PH X-Spam-Relays-Untrusted =~ /^\[ ip=203\.167\.(\d|[12]\d|3[01])\.\d{1,3} /
describe TRIDEL_TECH_PH [PH]Tridel Technologies, Inc.
score TRIDEL_TECH_PH 1.5

# 117.103.40.0 - 117.103.47.255
# 119.27.128.0 - 119.27.159.255
# 115.166.64.0 - 115.166.95.255
header INFOVISION_PH X-Spam-Relays-Untrusted =~ /^\[ ip=(115\.166.(6[4-9]|[78]\d|9[0-5])|117\.103\.4[0-7]|119\.27\.1(2[89]|[345]\d))\.\d{1,3} /
describe INFOVISION_PH [PH]Infovision Data Hosting Services
score INFOVISION_PH 1.5

# 61.28.128.0 - 61.28.191.255
# 117.104.240.0 - 117.104.255.255
# 116.50.128.0 - 116.50.255.255
header ETPI_PH X-Spam-Relays-Untrusted =~ /^\[ ip=(?:61\.28\.1(?:2[89]|[3-8]\d|9[01])|112\.199\.(?:\d|\d\d|1[01]\d|12[0-7])|113\.61\.(?:3[2-9]|[45]\d|6[0-3])|115\.(?:84\.2(?:2[4-9]|[345]\d)|85\.(?:\d|[1-5]\d|6[0-3]))|116\.50\.(?:12[89]|1[3-9]\d|2\d\d)|117\.104\.2[45]\d|120\.89\.(?:\d|[1-5]\d|6[0-3])|202\.164\.(?:1[678]\d|19[01])|202\.175\.(?:19[2-9]|2\d\d))\.\d{1,3} /
describe ETPI_PH [PH]Eastern Telecoms Philippines, Inc.
score ETPI_PH 1.5

header GLOBALSPEED_PH X-Spam-Relays-Untrusted =~ /^\[ ip=180\.94\.(?:\d|[12]\d|3[01])\.\d{1,3} /
describe GLOBALSPEED_PH [PH]GLOBALSPEED-PH
score GLOBALSPEED_PH 1.5

header NEXTWEB_PH X-Spam-Relays-Untrusted =~ /^\[ ip=113\.20\.1(?:[678]\d|9[01])(?:\.\d{1,3}) /
describe NEXTWEB_PH [PH]NEXT WEB PHIL
score NEXTWEB_PH 1.5


# 220.255.0.0 - 220.255.255.255
# 219.74.0.0 - 219.75.127.255
# 121.6.0.0 - 121.7.255.255
header SINGNET_SG X-Spam-Relays-Untrusted =~ /ip=((121\.[67]|219\.74|220\.255)(\.\d{1,3}){2}|219\.75\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SINGNET_SG [SG]SingNet Pte Ltd
score SINGNET_SG 1.5

# 222.164.0.0 - 222.165.127.255
header SGCABLEVISION_SG X-Spam-Relays-Untrusted =~ /ip=(222\.164(\.\d{1,3}){2}|222\.165\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe SGCABLEVISION_SG [SG]StarHub Cable Vision Ltd Singapore Broadband Access Provider
score SGCABLEVISION_SG 1.5



# 203.208.64.0 - 203.208.127.255
header HFCCABLE_AU X-Spam-Relays-Untrusted =~ /ip=203\.208\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe HFCCABLE_AU [AU]Provider of  Internet, Telecommunications services and PayTV over Broadband HFC cable network throughout regional VIC.
score HFCCABLE_AU 1.5

header OPTUSINTERNET_AU X-Spam-Relays-Untrusted =~ /^\[ ip=114\.7[2-5](\.\d{1,3}){2} /
describe OPTUSINTERNET_AU [AU]OPTUS INTERNET - RETAIL INTERNET SERVICES
score OPTUSINTERNET_AU 1.5



# 203.81.192.0 - 203.81.239.255
header WORLDCALL_PK X-Spam-Relays-Untrusted =~ /ip=203\.81\.(19[2-9]|2[0-3]\d)\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe WORLDCALL_PK [PK]WorldCALL Multimedia Ltd
score WORLDCALL_PK 1.5

# 119.152.0.0 - 119.159.255.255
# 221.120.192.0 - 221.120.255.255
header PTCL_PK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:59\.103|119\.15[2-9])(?:\.\d{1,3}){2}|221\.120\.(?:19[2-9]|2\d\d)\.\d{1,3}) /
describe PTCL_PK [PK]Pakistan Telecommunication Company Limited
score PTCL_PK 1.5

header LINKDOTNET_PK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:119\.73\.(?:\d|\d\d|1[01]\d|12[0-7])|210\.2\.(?:12[89]|1[3-8]\d|19[01]))\.\d{1,3} /
describe LINKDOTNET_PK [PK]LINKdotNET Telecom Limited
score LINKDOTNET_PK 1.5

header CYBERNET_PK X-Spam-Relays-Untrusted =~ /^\[ ip=61\.5\.1(?:2[89]|[345]\d)\.\d{1,3} /
describe CYBERNET_PK [PK]CYBER INTERNET SERVICES (PVT.) LTD. PAKISTAN BASED ISP
score CYBERNET_PK 1.5

header MULTINETBROADBAND_PK X-Spam-Relays-Untrusted =~ /^\[ ip=125\.209\.(?:6[4-9]|[789]\d|1[01]\d|12[0-7])\.\d{1,3} /
describe MULTINETBROADBAND_PK [PK]MULTINETBROADBAND Karachi
score MULTINETBROADBAND_PK 1.5


# 222.165.128.0 - 222.165.191.255
# header LKTELECOM_LK X-Spam-Relays-Untrusted =~ /ip=222\.165\.(12[89]|1[3-8]\d|139[01])\.\d{1,3} [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
header LKTELECOM_LK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:124\.43(?:\.\d{1,3})|222\.165\.(?:12[89]|1[3-8]\d|139[01])\.\d{1,3}) /
describe LKTELECOM_LK [LK]Sri Lanka Telecom Internet Service Provider in Sri Lanka
score LKTELECOM_LK 1.5


header DCL_BD X-Spam-Relays-Untrusted =~ /^\[ ip=202\.4\.(?:9[6-9]|1[01]\d|12[0-7])\.\d{1,3} /
describe DCL_BD [BD]DhakaCom Limited
score DCL_BD 1.5


# 200.74.0.0 - 200.74.127.255
header METROPOLISINTERCOM Received =~ /from .+200\.74\.([0-9]|[1-9][0-9]|1([01][0-9]|2[0-7]))\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/
describe METROPOLISINTERCOM [CL]Metropolis Intercom
score METROPOLISINTERCOM 1.5

# 86.101.0.0 - 86.101.127.255
header UPCMK Received =~ /from .+86\.101\.([0-9]|[1-9][0-9]|1([01][0-9]|2[0-7]))\.[0-9]{1,3}/
describe UPCMK [HU]UPC Magyarorszag Kft.
score UPCMK 1.5

# 165.143.0.0 - 165.149.255.255
header TELKOMNET_ZA X-Spam-Relays-Untrusted =~ /(ip=165\.14[3-9](\.\d{1,3}){2}|rdns=dsl(-\d{1,3}){3}\.telkomadsl\.co\.za) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe TELKOMNET_ZA [ZA]Telkom SA Limited
score TELKOMNET_ZA 1.5



# 
# added 2007.01.21 by [yoh]
# modified 2007.07.04 by [yoh]
# 
# header ONLY1HOPDIRECT X-Spam-Relays-Untrusted =~ /^\[ ip=(\d{1,3}\.){3}\d{1,3} rdns=[^\[\] ]* helo=[^\[\] ]+ by=<MYMTA> ident= envfrom= intl=0 id=[^\[\] ]* auth= \]$/
# header ONLY1HOPDIRECT X-Spam-Relays-Untrusted =~ /^\[ ip=(\d{1,3}\.){3}\d{1,3} rdns=[^\[\] ]* helo=[^\[\] ]+ by=<MYMTA> ident= envfrom= intl=0 id=[^\[\] ]* auth= \]($| \[ ip=127\.0\.0\.1 rdns=localhost helo=localhost by=[^\[\] ]+ ident= envfrom= intl=0 id= auth= \]$)/
# header ONLY1HOPDIRECT X-Spam-Relays-Untrusted =~ /^\[ ip=(\d{1,3}\.){3}\d{1,3} rdns=[^\[\] ]* helo=[^\[\] ]+ by=<MYMTA> [^\[\]]+ \]($| \[ ip=127\.0\.0\.1 rdns=localhost helo=localhost [^\[\]]+ \]$)/
header ONLY1HOPDIRECT X-Spam-Relays-Untrusted =~ /^\[ ip=(\d{1,3}\.){3}\d{1,3} [^\[\]]+ \]($| \[ ip=127\.0\.0\.1 rdns=localhost helo=localhost [^\[\]]+ \]$)/

# meta MTAIDONLY1HOP MSGID_FROM_MTA_ID && ONLY1HOPDIRECT
# score MTAIDONLY1HOP 3.5


# 1st BY is same 2nd HELO
# added 2007.07.08 by [yoh]
# 
# header SAMEHELOBY2HOP X-Spam-Relays-Untrusted =~ /^\[ ip=(?:\d{1,3}\.){3}\d{1,3} rdns=[^\[\] ]* helo=([^\[\] ]+) by=(?:[^ ]+) ident= envfrom= intl=0 id=[^\[\] ]* auth= \] \[ ip=(?:\d{1,3}\.){3}\d{1,3} rdns=[^\[\] ]* helo=[a-z]{3,} by=\1 ident= envfrom= intl=0 id=[^\[\] ]* auth= \]$/
header SAMEHELOBY2HOP X-Spam-Relays-Untrusted =~ /^\[ ip=(?:\d{1,3}\.){3}\d{1,3} rdns=[^\[\] ]* helo=([^\[\] ]+) by=(?:[^ ]+) [^\[\]]+ \] \[ ip=(?:\d{1,3}\.){3}\d{1,3} rdns=[^\[\] ]* helo=[a-z]{3,} by=\1 [^\[\]]+ \]/

mimeheader MIMEPDF Content-Type =~ /application\/pdf.+name=\".+\.pdf\"/
score MIMEPDF 0.1

meta PDFSPAM SAMEHELOBY2HOP && MIMEPDF && (ARIN || RIPE_NCC || LACNIC || AFRINIC || ___KOREATAIWANCHINA )
score PDFSPAM 3.5


# added 2007.08.02 by [yoh]
# modified 2007.08.18 by [yoh]
# 
# full NULLTXTPDF /(\n(?:-{12,}0\d{22,}|--={19,}_\d{6,}==_)\n)Content-Type: text\/plain; charset=\"{0,1}[\w-]{5,}\"{0,1}; format=flowed(?:\nContent-Transfer-Encoding: 7bit){0,1}\n{2,}\1Content-Type: application\/(?:pdf|octet-stream);(?:\n| name=\")/
full NULLTXTPDF /(\n(?:-{12,}0\d{22,}|--={19,}_\d{6,}==_|-{12,}[0-9A-F]{16,})\n)Content-Type: text\/plain; charset=\"{0,1}[\w-]{5,}\"{0,1}(?:; format=flowed){0,1}(?:\nContent-Transfer-Encoding: 7bit){0,1}\n{2,}\1Content-Type: application\/(?:pdf|octet-stream);(?:\n| name=\")/


meta NULLPDF_DCN (NULLTXTPDF || HTMLPDF) && ___DCN
score NULLPDF_DCN 3.5


# added 2008.01.02 by [yoh]
# modified 2008.02.10 by [yoh]
# 
# full NULLTXTGIF /\nContent-Type: multipart\/mixed;\n  boundary=\"(----=_NextPart_000_000[6E]_0[0-9A-F]{7}\.[0-9A-F]{8})\"\n(?:.+\n)+\n.+\n\n--\1\nContent-Type: text\/plain;\n(?:.+\n){1,3}Content-Transfer-Encoding: 7bit\n{2,}--\1\nContent-Type: image\/gif;/
full NULLTXTGIF /\nContent-Type: multipart\/mixed;\n  boundary=\"(----=_NextPart_000_000[6E]_0[0-9A-F]{7}\.[0-9A-F]{8}|----------[0-9A-F]{16})\"\n(?:.+\n)+\n(?:.+\n\n){0,1}--\1\nContent-Type: text\/plain;(| charset=.+)\n(?:.+\n){0,3}Content-Transfer-Encoding: 7bit\n{2,}--\1\nContent-Type: image\/gif;/


meta NULLGIF_OTHER NULLTXTGIF && (ARIN || RIPE_NCC || LACNIC || AFRINIC || ___KOREATAIWANCHINA )
score NULLGIF_OTHER 3.5
meta NULLGIF_CBL NULLTXTGIF && RCVD_IN_CBL
score NULLGIF_CBL 3.5
meta NULLGIF_SPAMCOP NULLTXTGIF && RCVD_IN_BL_SPAMCOP_NET
score NULLGIF_SPAMCOP 3.5
meta NULLGIF_DSBL NULLTXTGIF && RCVD_IN_DSBL
score NULLGIF_DSBL 3.5
# meta NULLGIF_DUL NULLTXTGIF && RCVD_IN_SORBS_DUL
# score NULLGIF_DUL 3.5


# added 2008.02.01 by [yoh]
# 
# full NUMURLWITHWORDS /\n\n([A-Za-z&']{1,10} ){2,}http:\/\/\d{2,3}(\.\d{1,3}){3}\/\n\n+$/
full NUMURLWITHWORDS /\n\n[A-Za-z]\S{0,10} (\S{1,10} ){1,}http:\/\/\d{2,3}(\.\d{1,3}){3}\/\n\n+$/

meta NUMURL_OTHER NUMURLWITHWORDS && (ARIN || RIPE_NCC || LACNIC || AFRINIC || ___KOREATAIWANCHINA )
score NUMURL_OTHER 3.5
meta NUMURL_CBL NUMURLWITHWORDS && RCVD_IN_CBL
score NUMURL_CBL 3.5
meta NUMURL_SPAMCOP NUMURLWITHWORDS && RCVD_IN_BL_SPAMCOP_NET
score NUMURL_SPAMCOP 3.5
meta NUMURL_DSBL NUMURLWITHWORDS && RCVD_IN_DSBL
score NUMURL_DSBL 3.5
# meta NUMURL_DUL NUMURLWITHWORDS && RCVD_IN_SORBS_DUL
# score NUMURL_DUL 3.5

# added 2008.03.01 by [yoh]
# 
full LONGCHARHTTP /\nContent-Type: text\/plain;\n(?:.+\n)+\n[A-Z][a-z]{2,}[A-Za-z]{15,}\nhttp:\/\/[a-z.]+[a-z]\n{1,}$/
meta L_C_HTTP_OTHER LONGCHARHTTP && (ARIN || RIPE_NCC || LACNIC || AFRINIC || ___KOREATAIWANCHINA )
score L_C_HTTP_OTHER 3.5
meta L_C_HTTP_CBL LONGCHARHTTP && RCVD_IN_CBL
score L_C_HTTP_CBL 3.5
meta L_C_HTTP_SPAMCOP LONGCHARHTTP && RCVD_IN_BL_SPAMCOP_NET
score L_C_HTTP_SPAMCOP 3.5
meta L_C_HTTP_DSBL LONGCHARHTTP && RCVD_IN_DSBL
score L_C_HTTP_DSBL 3.5
# meta L_C_HTTP_DUL LONGCHARHTTP && RCVD_IN_SORBS_DUL
# score L_C_HTTP_DUL 3.5

# added 2008.03.03 by [yoh]
# 
full CHATGIRL /\nContent-Type: text\/plain;\n(?:.+\n)+\nHello\! I am .+ I am .+ that would like to chat with you\. Email me at [A-Z][a-z]+@[A-Za-z.]+ only/
meta C_G_OTHER CHATGIRL && (ARIN || RIPE_NCC || LACNIC || AFRINIC || ___KOREATAIWANCHINA )
score C_G_OTHER 3.5
meta C_G_CBL CHATGIRL && RCVD_IN_CBL
score C_G_CBL 3.5
meta C_G_SPAMCOP CHATGIRL && RCVD_IN_BL_SPAMCOP_NET
score C_G_SPAMCOP 3.5
meta C_G_DSBL CHATGIRL && RCVD_IN_DSBL
score C_G_DSBL 3.5
# meta C_G_DUL CHATGIRL && RCVD_IN_SORBS_DUL
# score C_G_DUL 3.5

meta C_G_PBL CHATGIRL && RCVD_IN_PBL
score C_G_PBL 3.5
meta C_G_DCN CHATGIRL && ___DCN 
score C_G_DCN 3.5


# added 2008.11.29 by [yoh]
# MultiPart/ALTernative but, Shift_JIS Quoted-Printable ONLY
# 
# full MPALTSJISQPONLY /\nContent-Type: multipart\/alternative;\n\tboundary=\"(--=.+(?:[a-zA-Z0-9]|=_))\"\n(.+\n){2,}\n--\1\nContent-Type: text\/plain; charset=\"shift_jis\"\nContent-Transfer-Encoding: quoted-printable\n\n(.*\n){2,}--\1--\n/
# full MPALTSJISQPONLY /\nContent-Type: multipart\/alternative;\n\tboundary=\"(--=.+(?:[a-zA-Z0-9]|=_)|--[0-9]{14,})\"\n(.+\n){2,}\n--\1\nContent-Type: text\/plain; charset=\"shift_jis\"\nContent-Transfer-Encoding: quoted-printable\n\n(.*\n){2,}--\1--\n/
# full MPALTSJISQPONLY /\nContent-Type: multipart\/alternative;\n\tboundary=\"(--=.+(?:[a-zA-Z0-9]|=_)|--[0-9]{14,})\"\n(.+\n){2,}\n--\1\nContent-Type: text\/plain;(?: charset=\"shift_jis\"){0,1}\nContent-Transfer-Encoding: quoted-printable\n\n(.*\n){2,}--\1--\n/
# full MPALTSJISQPONLY /\nContent-Type: multipart\/alternative;\n\tboundary=\"(--=.+(?:[a-zA-Z0-9]|=_)|--[0-9]{14,})\"\n(?:.+\n){2,}\n--\1\nContent-Type: text\/plain;(?: charset=\"shift_jis\"){0,1}\nContent-Transfer-Encoding: quoted-printable\n\n(?:(?!\1).+\n|\n){2,}--\1--\n/
full MPALTSJISQPONLY /\nContent-Type: multipart\/alternative;\n\tboundary=\"(--=.+(?:[a-zA-Z0-9]|=_)|--[0-9]{14,}|--)\"\n(?:.+\n){2,}\n--\1\nContent-Type: text\/plain;(?: charset=\"shift_jis\"){0,1}\nContent-Transfer-Encoding: quoted-printable\n\n(?:(?!\n--\1\n).+\n|\n){2,}--\1--\n/

meta M_A_S_Q_O_OTHER MPALTSJISQPONLY && (ARIN || RIPE_NCC || LACNIC || AFRINIC || ___KOREATAIWANCHINA )
score M_A_S_Q_O_OTHER 3.5
meta M_A_S_Q_O_PBL MPALTSJISQPONLY && RCVD_IN_PBL
score M_A_S_Q_O_PBL 3.5
meta M_A_S_Q_O_XBL MPALTSJISQPONLY && RCVD_IN_XBL
score M_A_S_Q_O_XBL 3.5
meta M_A_S_Q_O_CBL MPALTSJISQPONLY && RCVD_IN_CBL
score M_A_S_Q_O_CBL 3.5
meta M_A_S_Q_O_BLACK MPALTSJISQPONLY && URIBL_BLACK
score M_A_S_Q_O_BLACK 3.5
meta M_A_S_Q_O_COP MPALTSJISQPONLY && RCVD_IN_BL_SPAMCOP_NET
score M_A_S_Q_O_COP 3.5
meta M_A_S_Q_O_DCN MPALTSJISQPONLY && ___DCN 
score M_A_S_Q_O_DCN 3.5



# added 2007.08.11 by [yoh]
# 
full HTMLPDF /(-{6}=_NextPart_000_00[0-9A-F]{2}_[0-9A-F]{8}\.[0-9A-F]{8})\nContent-Type: multipart\/alternative;\n.boundary=\"(----=_NextPart_001_00[0-9A-F]{2}_[0-9A-F]{8}\.[0-9A-F]{8})\"\n\n\n--\2\nContent-Type: text\/plain;\n.charset=\"{0,1}[\w-]{5,}\"{0,1}\nContent-Transfer-Encoding: quoted-printable\n\n\n--\2\nContent-Type: text\/html;\n.charset=\"{0,1}[\w-]{5,}\"{0,1}\nContent-Transfer-Encoding: quoted-printable\n\n(?:.+\n){5}<STYLE><\/STYLE>\n.+\n.+\n<DIV><FONT face=3DArial size=3D2><\/FONT>&nbsp;<\/DIV><\/BODY><\/HTML>\n\n--\2--\n\n\1\nContent-Type: application\/(?:pdf|octet-stream);/



# ToDo: renew regex pattern by below:
# http://bgp.potaroo.net/ipv4/
# 2006.04.11 by [yoh]

# http://www.iana.org/assignments/ipv4-address-space
# header RIPE_NCC X-Spam-Relays-Untrusted =~ /ip=((62|7[789]|8\d|9[0-4]|151|19[345]|21[237])(\.\d{1,3}){3}|(156\.17|159\.14[789])(\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# header RIPE_NCC X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:62|7[789]|8\d|9[0-5]|151|19[345]|21[237])(?:\.\d{1,3}){3}|(?:95\.(?:2[4-9]|3[01]|5[2-5])|156\.17|159\.14[789]|188\.(?:4[89]|5[0-5]))(?:\.\d{1,3}){2}) /

replace_tag RIPE_NCC_IPS (?:(?:62|7[789]|8\d|9[0-5]|151|188|19[345]|21[237])(?:\.\d{1,3}){3}|(?:95\.(?:2[4-9]|3[01]|5[2-5])|156\.17|159\.14[789]|188\.(?:4[89]|5[0-5]))(?:\.\d{1,3}){2})
header RIPE_NCC X-Spam-Relays-Untrusted =~ /^\[ ip=<RIPE_NCC_IPS> /
describe RIPE_NCC Mail from RIPE NCC area (Russia, Italy, Spain...)
score RIPE_NCC 0.1

meta SJIS_RIPE_NCC SJIS_C && RIPE_NCC
describe SJIS_RIPE_NCC SHIFT_JIS mail from RIPE_NCC area
score SJIS_RIPE_NCC 5.5

# header ONLY1HOPDIRECTRIPE X-Spam-Relays-Untrusted =~ /^\[ ip=((62|8[0-9]|9[01]|151|19[345]|21[237])(\.\d{1,3}){3}|159\.14[789](\.\d{1,3}){2}) rdns=[^\[\] ]* helo=[^\[\] ]+ by=<MYMTA> ident= envfrom= intl=0 id=[^\[\] ]* auth= \]$/
header ONLY1HOPDIRECTRIPE X-Spam-Relays-Untrusted =~ /^\[ ip=<RIPE_NCC_IPS> [^\[\]]+ \]$/

# 96.12.0.0 - 96.15.255.255
# header ARIN X-Spam-Relays-Untrusted =~ /ip=((8|12|24|38|6[3-9]|7[0-6]|199|20[4-9]|216)(\.\d{1,3}){3}|128\.([1-689]|1[0-5789]|2\d|3[0-8]|4[2346-9]|5\d|6[0-4]|8[0-589]|9[0124-79]|1([01]\d|2[0-35-9]|3[235-8]|4[3-9]|[56]\d|7[0-57]|8[0-35-9]|9[0-8])|2(0[235-9]|1[0-35-9]|2\d|3[0135-9]|4[1245789]|5[1-5]))(\.\d{1,3}){2}|146\.([15-9]|1[02-8]|2[02-9]|3\d|4[0-79]|5[34578]|6[13589]|7[134689]|8[245689]|9[1-689]|1(1[1345]|2[1235-9]|3[0125789]|4[235-9]|5[0-467]|6[035-8]|7[04]|8[0134679]|9[0789])|2(0\d|1[4578]|2[2359]|3[35-9]|4[0-6]|5[02]))(\.\d{1,3}){2}|152\.([1-9]|[2-5]\d|6[0-57-9]|7[0259]|8[02567]|97|100|11[3679]|12\d|13[0-35-8]|14[0124568]|15[145789]|16[0-5]|17[6-9]|1[89]\d|20[89]|21\d|22[0-5789])(\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# header ARIN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:8|12|24|38|6[3-9]|7[0-6]|1(?:6[45]|99)|20[4-9]|216)(?:\.\d{1,3}){3}|96\.1[2-5](?:\.\d{1,3}){2}|128\.(?:[1-689]|1[0-5789]|2\d|3[0-8]|4[2346-9]|5\d|6[0-4]|8[0-589]|9[0124-79]|1(?:[01]\d|2[0-35-9]|3[235-8]|4[3-9]|[56]\d|7[0-57]|8[0-35-9]|9[0-8])|2(?:0[235-9]|1[0-35-9]|2\d|3[0135-9]|4[1245789]|5[1-5]))(?:\.\d{1,3}){2}|146\.(?:[15-9]|1[02-8]|2[02-9]|3\d|4[0-79]|5[34578]|6[13589]|7[134689]|8[245689]|9[1-689]|1(?:1[1345]|2[1235-9]|3[0125789]|4[235-9]|5[0-467]|6[035-8]|7[04]|8[0134679]|9[0789])|2(?:0\d|1[4578]|2[2359]|3[35-9]|4[0-6]|5[02]))(?:\.\d{1,3}){2}|152\.(?:[1-9]|[2-5]\d|6[0-57-9]|7[0259]|8[02567]|97|100|11[3679]|12\d|13[0-35-8]|14[0124568]|15[145789]|16[0-5]|17[6-9]|1[89]\d|20[89]|21\d|22[0-5789])(?:\.\d{1,3}){2}|173\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}) /
replace_tag ARIN_IPS (?:(?:8|12|24|38|6[3-9]|7[0-6]|1(?:6[45]|99)|20[4-9]|216)(?:\.\d{1,3}){3}|96\.1[2-5](?:\.\d{1,3}){2}|128\.(?:[1-689]|1[0-5789]|2\d|3[0-8]|4[2346-9]|5\d|6[0-4]|8[0-589]|9[0124-79]|1(?:[01]\d|2[0-35-9]|3[235-8]|4[3-9]|[56]\d|7[0-57]|8[0-35-9]|9[0-8])|2(?:0[235-9]|1[0-35-9]|2\d|3[0135-9]|4[1245789]|5[1-5]))(?:\.\d{1,3}){2}|146\.(?:[15-9]|1[02-8]|2[02-9]|3\d|4[0-79]|5[34578]|6[13589]|7[134689]|8[245689]|9[1-689]|1(?:1[1345]|2[1235-9]|3[0125789]|4[235-9]|5[0-467]|6[035-8]|7[04]|8[0134679]|9[0789])|2(?:0\d|1[4578]|2[2359]|3[35-9]|4[0-6]|5[02]))(?:\.\d{1,3}){2}|152\.(?:[1-9]|[2-5]\d|6[0-57-9]|7[0259]|8[02567]|97|100|11[3679]|12\d|13[0-35-8]|14[0124568]|15[145789]|16[0-5]|17[6-9]|1[89]\d|20[89]|21\d|22[0-5789])(?:\.\d{1,3}){2}|166\.82(?:\.\d{1,3}){2}|169\.227(?:\.\d{1,3}){2}|173\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})
header ARIN X-Spam-Relays-Untrusted =~ /^\[ ip=<ARIN_IPS> /
describe ARIN Mail from ARIN area (USA)
score ARIN 0.1

meta SJIS_ARIN SJIS_C && ARIN
describe SJIS_ARIN SHIFT_JIS mail from ARIN area
score SJIS_ARIN 1.0

# header ONLY1HOPDIRECTARIN X-Spam-Relays-Untrusted =~ /^\[ ip=((8|12|24|38|6[3-9]|7[0-6]|199|20[4-9]|216)(\.\d{1,3}){3}|128\.([1-689]|1[0-5789]|2\d|3[0-8]|4[2346-9]|5\d|6[0-4]|8[0-589]|9[0124-79]|1([01]\d|2[0-35-9]|3[235-8]|4[3-9]|[56]\d|7[0-57]|8[0-35-9]|9[0-8])|2(0[235-9]|1[0-35-9]|2\d|3[0135-9]|4[1245789]|5[1-5]))(\.\d{1,3}){2}) rdns=[^\[\] ]* helo=[^\[\] ]+ by=<MYMTA> ident= envfrom= intl=0 id=[^\[\] ]* auth= \]$/
header ONLY1HOPDIRECTARIN X-Spam-Relays-Untrusted =~ /^\[ ip=<ARIN_IPS> [^\[\]]+ \]$/


# 148.201.0.0 - 148.250.255.255
# header LACNIC X-Spam-Relays-Untrusted =~ /ip=((189|190|20[01])(\.[0-9]{1,3}){3}|(148\.2([0-4]\d|50)|168\.226)(\.\d{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
# header LACNIC X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:18[79]|190|20[01])(?:\.\d{1,3}){3}|(?:148\.2(?:[0-4]\d|50)|168\.226)(?:\.\d{1,3}){2}) /
replace_tag LACNIC_IPS (?:(?:18[79]|190|20[01])(?:\.\d{1,3}){3}|(?:148\.2(?:[0-4]\d|50)|168\.226)(?:\.\d{1,3}){2})
header LACNIC X-Spam-Relays-Untrusted =~ /^\[ ip=<LACNIC_IPS> /
describe LACNIC Mail from LACNIC area (Brazil, Mexico, Uruguay, Argentina...)
score LACNIC 0.1

meta SJIS_LACNIC SJIS_C && LACNIC
describe SJIS_LACNIC SHIFT_JIS mail from LACNIC area
score SJIS_LACNIC 5.5

# header ONLY1HOPDIRECTLACNIC X-Spam-Relays-Untrusted =~ /^\[ ip=((189|190|20[01])(\.[0-9]{1,3}){3}|(148\.2([0-4]\d|50)|168\.226)(\.\d{1,3}){2}) rdns=[^\[\] ]* helo=[^\[\] ]+ by=<MYMTA> ident= envfrom= intl=0 id=[^\[\] ]* auth= \]$/
header ONLY1HOPDIRECTLACNIC X-Spam-Relays-Untrusted =~ /^\[ ip=<LACNIC_IPS> /

# 165.3.0.0 - 165.5.255.255
# 165.8.0.0 - 165.11.255.255 
# 165.25.0.0 - 165.25.255.255 
# 165.143.0.0 - 165.149.255.255
# 165.165.0.0 - 165.165.255.255
# 165.180.0.0 - 165.180.255.255
# 165.233.0.0 - 165.233.255.255
# 196.208.0.0 - 196.211.255.255
# header AFRINIC X-Spam-Relays-Untrusted =~ /ip=((41|196)(\.[0-9]{1,3}){3}|(165\.([3-589]|1[01]|25|14[3-9]|165|180|233)|196\.2(0[89]|1[01]))(\.[0-9]{1,3}){2}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
replace_tag AFRINIC_IPS (?:(?:41|196)(?:\.[0-9]{1,3}){3}|(?:165\.(?:[3-589]|1[01]|25|14[3-9]|165|180|233)|196\.2(?:0[89]|1[01]))(?:\.[0-9]{1,3}){2})
header AFRINIC X-Spam-Relays-Untrusted =~ /^\[ ip=<AFRINIC_IPS> /
score AFRINIC 0.1

meta SJIS_AFRINIC SJIS_C && AFRINIC
score SJIS_AFRINIC 5.5

header ONLY1HOPDIRECTAFRINIC X-Spam-Relays-Untrusted =~ /^\[ ip=((41|196)(\.[0-9]{1,3}){3}|(165\.([3-589]|1[01]|25|14[3-9]|165|180|233)|196\.2(0[89]|1[01]))(\.[0-9]{1,3}){2}) rdns=[^\[\] ]* helo=[^\[\] ]+ by=<MYMTA> ident= envfrom= intl=0 id=[^\[\] ]* auth= \]$/


meta ONLY1DCN (ONLY1HOPDIRECTRIPE || ONLY1HOPDIRECTARIN || ONLY1HOPDIRECTLACNIC || ONLY1HOPDIRECTAFRINIC) && ___DCN
score ONLY1DCN 3.0

# meta ONLY1UKGEO (ONLY1HOPDIRECTRIPE || ONLY1HOPDIRECTARIN || ONLY1HOPDIRECTLACNIC || ONLY1HOPDIRECTAFRINIC) && UKGEOCITIES
# score ONLY1UKGEO 2.0


# 220.144.0.0 - 220.144.255.255
# Received =~ /from .+FL[AH]1A[a-z]{2,2}[0-9]{3,3}\.[a-z]{3,3}\.mesh\.ad\.jp/
header BIGLOBE X-Spam-Relays-Untrusted =~ /(ip=220\.144(\.\d{1,3}){2}|rdns=FL[AH]1A[a-z]{2,2}[0-9]{3,3}\.[a-z]{3,3}\.mesh\.ad\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe BIGLOBE BIGLOBE
score BIGLOBE 0.1


# DION (KDDI CORPORATION)
# 219.108.16.0 - 219.108.255.255
# 59.128.0.0 - 59.140.255.255
# 218.222.0.0 - 218.222.255.255
# 222.0.0.0 - 222.15.255.255
# 
# 59\.1(2[89]|3[0-9]|40)
# 218\.222
# 222\.([0-9]|1[0-5])
# 
# (59\.1(2[89]|3[0-9]|40)|218\.222|222\.([0-9]|1[0-5]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 
# 219\.108\.(1[6-9]|[2-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])
# 
# 
# header DION Received =~ /from.+((59\.1(2[89]|3[0-9]|40)|218\.222|222\.([0-9]|1[0-5]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|219\.108\.(1[6-9]|[2-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))/
header DION X-Spam-Relays-Untrusted =~ /(ip=((59\.1(2[89]|3[0-9]|40)|218\.222|222\.([0-9]|1[0-5]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|219\.108\.(1[6-9]|[2-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))|rdns=([A-Z]{2,2}[0-9]{6,6}\.ppp|[a-zA-Z]{1,2}[0-9]{12,14}\.(ec-){0,1}userreverse)\.dion\.ne\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe DION DION Dialup
score DION 0.1

# 61.116.0.0-61.116.255.255
# 211.131.0.0-211.131.255.255
# header ODN Received =~ /from.+((61.116|211.131)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|[A-Za-z0-9-]+\.ppp[0-9]{2,2}\.odn\.ad\.jp)/
# X-Spam-Relays-Untrusted =~ /(ip=((61.116|211.131)(\.\d{1,3}){2,2}|210\.231\.(\d|[0-8]\d)\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) .+ ident= envfrom= intl=0 .+auth= /
# X-Spam-Relays-Untrusted =~ /(ip=((61.116|211.131)(\.\d{1,3}){2}|210\.231\.(\d|[1-8]\d)\.\d{1,3}|211\.121\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) .+ ident= envfrom= intl=0 .+auth= /
# header ODN X-Spam-Relays-Untrusted =~ /(ip=((61\.116|211\.131|219\.66)(\.\d{1,3}){2}|210\.231\.(\d|[1-8]\d)\.\d{1,3}|211\.121\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) .+ ident= envfrom= intl=0 [^\[\]]+auth= /
header ODN X-Spam-Relays-Untrusted =~ /(ip=((61\.116|211\.131|218\.218|219\.66)(\.\d{1,3}){2}|61\.209\.([4-9]|[1-9]\d|1[0-8]\d|190)\.\d{1,3}|210\.231\.(\d|[1-8]\d)\.\d{1,3}|211\.121\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) [^\[\]]+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe ODN ODN Dialup
score ODN 0.1


# 219.0.0.0 - 219.63.255.255
# 220.0.0.0 - 220.63.255.255
# (219|220)\.
# (0-9|[1-5][0-9]|6[0-3])
# (\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 219.168.0.0 - 219.215.255.255
# 219\.
# (16[89]|1[7-9][0-9]|20[0-9]|21[0-5])
# (\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 218.112.0.0 - 218.143.255.255
# 218\.
# (11[2-9]|1[23][0-9]|14[0-3])
# (\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 221.16.0.0 - 221.111.255.255
# 221\.
# (1[6-9]|[2-9][0-9]|10[0-9]|11[01])
# (\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 126.0.0.0 - 126.255.255.255
# 126
# (\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3,3}
# header BBTEC Received =~ /from.+(yahoobb|YahooBB)[0-9]{12,12}\.bbtec\.net/
# header BBTEC Received =~ /from.+(221\.(1[6-9]|[2-9][0-9]|10[0-9]|11[01])|((219|220)\.(0-9|[1-5][0-9]|6[0-3])|219\.(16[89]|1[7-9][0-9]|20[0-9]|21[0-5])|218\.(11[2-9]|1[23][0-9]|14[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|126(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3,3})/

# header BBTEC Received =~ /from.+((221\.(1[6-9]|[2-9][0-9]|10[0-9]|11[01])|(219|220)\.(0-9|[1-5][0-9]|6[0-3])|219\.(16[89]|1[7-9][0-9]|20[0-9]|21[0-5])|218\.(11[2-9]|1[23][0-9]|14[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|126(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3,3})/
header BBTEC X-Spam-Relays-Untrusted =~ /ip=((221\.(1[6-9]|[2-9]\d|10\d|11[01])|(219|220)\.(\d|[1-5]\d|6[0-3])|219\.(16[89]|1[7-9]\d|20\d|21[0-5])|218\.(11[2-9]|1[23]\d|14[0-3]|17[6-9]|18[0-3]))(\.\d{1,3}){2}|126(\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])){3}) [^\[\]]+ident= envfrom= intl=0 [^\[\]]+auth= /
describe BBTEC YahooBB bbtec.net
score BBTEC 0.1

# 221.240.0.0 - 221.255.255.255
header USENISP Received =~ /from.+221\.(24[0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}/
describe USENISP U's Communications Corp.
score USENISP 0.1

header DORPHIN X-Spam-Relays-Untrusted =~ /(ip=211\.132\.(1[6-9]|2\d|3[01])\.\d{1,3}|rdns=[a-z]{3}[0-9]{2}-[0-9]{4}\.din\.or\.jp) [^\[\]]+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe DORPHIN DOLPHIN INTERNATIONAL INC. (din.or.jp)
score DORPHIN 0.1

header WILLCOM X-Spam-Relays-Untrusted =~ /rdns=P\d{12}\.ppp\.prin\.ne\.jp .+ ident= envfrom= intl=0 [^\[\]]+auth= /
describe WILLCOM WILLCOM,Inc.
score WILLCOM 0.1


# 210.175.1.128-210.175.1.255
# Received =~ /from .+210\.175\.1\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])/
# thrown away 2009.07.26 by [yoh]
# header VALIDVODAFONE X-Spam-Relays-Untrusted =~ /(ip=210\.175\.1\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|rdns=[\w\d\.]+vodafone\.ne\.jp) [^\[]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# describe VALIDVODAFONE valid vodafone.ne.jp IP
# score VALIDVODAFONE -3.5


# 210.196.0.0/16 210.196.0.0-210.196.255.255
# 210\.196(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}
# 
# 61.117.0.0/17  61.117.0.0-61.117.127.255
# 61\.117\.([0-9]|[1-9][0-9]|1(0[0-9]|1[0-7]))\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])
# 
# 219.96.0.0 - 219.127.255.255
# 219\.(9[6-9]|1([01][0-9]|2[0-7]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}

# 
# Special thanks to: 'Happy' Usa and Iori-chan: 2005/09/21 by [yoh]
# 
# Received =~ /from .+((210\.196|219\.125)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|61\.117\.([0-9]|[1-9][0-9]|1(0[0-9]|1[0-7]))\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])).+by /
# header VALIDEZWEB X-Spam-Relays-Untrusted =~ /ip=61\.(117\.[012]\.\d{1,3}|202\.3\.(10|50|70|230)) rdns=[\w\d\.]+ezweb\.ne\.jp helo=[\w\d\.]+ezweb\.ne\.jp by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# temporarily thrown away 2009.07.26 by [yoh]
# header VALIDEZWEB X-Spam-Relays-Untrusted =~ /(ip=61\.(117\.[012]\.\d{1,3}|202\.3\.(10|50|70|230))|rdns=[\w\d\.-]+ezweb\.ne\.jp) [^\[]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# describe VALIDEZWEB valid ezweb.ne.jp IP
# score VALIDEZWEB -3.5



header JPHANDPHONE From =~ /\@(ezweb|docomo|[a-z]\.vodafone|softbank)\.ne\.jp/
describe JPHANDPHONE Mail from KEITAI
score JPHANDPHONE 0.1

# meta KEITAIFROMISP JPHANDPHONE && (YOURNET || SAINET_NET || VECTANTDYNIP || INFOSPHERE || OCNNEJP || LOLIPOP || SAKURAWEB || SOHO || CSIDENET || NICNAME || SONETDYNIP || INTERSPIN || BBEXCITE || EMNETNEJP || BIGLOBE || KOREATELECOM || CHINATELECOM )
# describe KEITAIFROMISP KEITAI mail from ISP
# score KEITAIFROMISP 3.0

# meta KEITAIFROMPC JPHANDPHONE && RCVDFRMLOCALIP
# describe KEITAIFROMPC JPHANDPHONE && RCVDFRMLOCALIP
# score KEITAIFROMPC 5.0

header MSGIDLOCALMTA Message-ID =~/\@localhost\.localdomain/
describe MSGIDLOCALMTA seems to be sent from local MTA with dynamic IP
score MSGIDLOCALMTA 0.1
meta KEITAILOCALMTA JPHANDPHONE && MSGIDLOCALMTA
describe KEITAILOCALMTA JPHANDPHONE && MSGIDLOCALMTA
score KEITAILOCALMTA 3.0


# added 2009.06.16 by [yoh]
meta KEITAIASIA JPHANDPHONE && ___KOREATAIWANCHINA
score KEITAIASIA 5.0


# thrown away 2005.09.14 by [yoh]
# 
# header RCVDGOO Received =~ /from mx01\.mail\.goo\.ne\.jp \(.+\.(odn\.ad\.jp|ocn\.ne\.jp|yournet\.ne\.jp|fbb\.ReSET\.JP|zero-isp\.net|bbexcite\.jp|(hi-ho|so-net|dti|att|vectant)\.ne\.jp)/
# describe RCVDGOO faked Received: header
# score RCVDGOO 10.0

# revived 2008.01.06 by [yoh]
# revived 2008.08.05 by [yoh]
# 
header FORGEDHELOGOO X-Spam-Relays-Untrusted =~ /(helo=mx01\.mail\.goo\.n[^e]\.jp|ip=(?!210\.165\.9\.48).+ helo=mx01\.mail\.goo\.ne\.jp)/
describe FORGEDHELOGOO Forged HELO goo.nc.jp
score FORGEDHELOGOO 10.0

# added 2007.07.23 by [yoh]
# revived 2008.08.05 by [yoh]
# 
# header FORGEDHELOYAHOO X-Spam-Relays-Untrusted =~ /^\[ ip=((43\.244|220\.150)(\.\d{1,3}){2}|(203.141.1(2[89]|[345]\d)|210\.138\.[1-9]|61\.115\.(\d|\d\d|1[01]\d|12[0-7])|61\.206\.1(1[2-9]|2[0-7])|219\.103\.2(0[89]|1[0-5]))\.\d{1,3}) rdns=[^\[ ]+ helo=mx(01\.mail\.goo\.n[ce]\.jp|\d\.mail\.yahoo\.co\.jp|\d\.hotmail\.com) by=[^\[ ]+ ident= envfrom= intl=0 id= auth= \]$/
header FORGEDHELOYAHOO X-Spam-Relays-Untrusted =~ /^\[ ip=((43\.244|61\.189|124\.17[2-5]|210.138|218\.2[45]|220\.150)(\.\d{1,3}){2}|(61\.115\.(\d|\d\d|1[01]\d|12[0-7])|61\.205\.23[2-9]|61\.206\.1(1[2-9]|2[0-7])|122\.152\.1(2[89]|[3-8]\d|9[01])|124\.41\.(\d|\d\d|1[01]\d|12[0-7])|202\.213\.(19[2-9]|2\d\d)|202\.238\.(6[4-9]|[789]\d|1[01]\d|12[0-7])|203.141.1(2[89]|[345]\d)|219\.103\.2(0[89]|1[0-5])|219\.111\.(\d|\d\d|1[01]\d|12[0-7])|219\.117\.(19[2-9]|2\d\d))\.\d{1,3}) rdns=[^\[ ]* helo=(mx(01\.mail\.goo\.n[a-z]\.jp|\d\.mail\.yahoo\.co\.jp|\d\.hotmail\.com)|gmail\.com|excite\.co\.jp|yahoo\.co\.jp|grape\.plala\.or\.jp|mgsmax\.docomo\.ne\.jp|mail\.goo\.n[a-z]\.jp|gemini\.livedoor\.com|st1\.yuan\.sc) by=[^\[ ]+ ident= envfrom= intl=0 id=[^\[\] ]* auth= \]$/
score FORGEDHELOYAHOO 10.0

# added 2009.10.25 by [yoh]
# 
header HELOYAHOO X-Spam-Relays-Untrusted =~ /^\[ ip=\d{2,3}(\.\d{1,3}){3} rdns=[^\[ ]{0,} helo=(?:(?:mx\d\.mail\.){0,1}yahoo\.co\.jp|[A-Z]{2,3}-{0,1}\d{2,3}) /
score HELOYAHOO 0.1

meta HLYH_KTC HELOYAHOO && ___KOREATAIWANCHINA
score HLYH_KTC 3.5


header MSGID_NUMONLY Message-ID =~/^200\d{8,}$/
describe MSGID_NUMONLY Message-ID: YYYYMMDDHHMM
score MSGID_NUMONLY 10

meta SJISMSGIDNUMONLY MSGID_NUMONLY && SJIS_C
score SJISMSGIDNUMONLY 10

header MSGID_IPNUM Message-ID =~/\@(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])(\.\d{1,3}){3}/
describe MSGID_IPNUM Domain part of Message-ID is IP number
score MSGID_IPNUM 1.0

meta MSGIDIPNUM99 MSGID_IPNUM && BAYES_99
describe MSGIDIPNUM99 MSGID_IPNUM && BAYES_99
score MSGIDIPNUM99 3.5

header MSGID_TOOSHORT MESSAGEID =~ /^<[A-Z0-9]\[[0-9A-Z]{1,3}$/
describe MSGID_TOOSHORT Too short Message-Id: format
score MSGID_TOOSHORT 8.0

meta SJISMSGIDCAPS SJIS_C && MSGID_SPAM_CAPS
score SJISMSGIDCAPS 2.5

meta BASE64MSGIDCAPS MIME_BASE64_TEXT && MSGID_SPAM_CAPS
score BASE64MSGIDCAPS 2.5

meta UNPARSMSGIDCAPS UNPARSEABLE_RELAY && MSGID_SPAM_CAPS
score UNPARSMSGIDCAPS 2.5

meta SJISCAPSBASE64 SJISMSGIDCAPS && BASE64MSGIDCAPS
score SJISCAPSBASE64 3.5

meta SJISCAPSUNPARS SJISMSGIDCAPS && UNPARSMSGIDCAPS
score SJISCAPSUNPARS 3.5



header ___RCVDTOK2COM X-Spam-Relays-Untrusted =~ / helo=[0-9.]*pro\.tok2\.com /
# header ___RCVDBFRTOK2 X-Spam-Relays-Untrusted =~ / rdns= helo=\?192\.168(\.[0-9]{1,3}){2}\? .+ ident= envfrom= intl=0 id= auth= /
header ___RCVDBFRTOK2 X-Spam-Relays-Untrusted =~ / ip=((58\.[01]|220\.150)(\.[0-9]{1,3}){2}|61\.192\.(1(2[89]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.[0-9]{1,3}) rdns= helo=\?192\.168(\.[0-9]{1,3}){2}\? .+ ident= envfrom= intl=0 id= auth= /
header ___XAUTHUSEN X-Authentication =~ / was authenticated by .+ftth\.ucom\.ne\.jp/
meta TOK2COM ___RCVDTOK2COM && ___RCVDBFRTOK2 && ___XAUTHUSEN
describe TOK2COM mail from tok2.com
score TOK2COM 3.0

header TOKU_NET X-Spam-Relays-Untrusted =~ / (rdns=\w+\.(toku|prime-server)\.net|helo=\w+\.toku\.net) .+ ident= envfrom= intl=0 .+ auth= /
describe TOKU_NET www3.toku.net
score TOKU_NET 3.0


# 64.151.112.40-64.151.112.47
# 211\.133\.130\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|

header OTHER_FOOTSTOOL Received =~ /from .*(sdns\.at-m\.jp|211\.10\.28\.165|206\.223\.148\.30|202\.177\.19\.75|64\.151.112.4[0-7]|58\.81\.102\.109|\.298\.jp|cansystem\.net|c-mgr\.com|networksolutionsemail\.com|211\.19\.52\.(19|103|149|193)|61\.197\.228\.8[0-7]|60\.32\.176\.2(2[4-9]|3[01])|s135\.secure\.ne\.jp)/
describe OTHER_FOOTSTOOL temporary registering spamming sites and footstools
score OTHER_FOOTSTOOL 2.0


# header LOHOSLODOM Received =~ / with SMTP id rad[0-9A-F]+ for/
# describe LOHOSLODOM localhost.localdomain
# score LOHOSLODOM 5.0

# header FROMLOCALMTA Received =~ /from .+\((192\.168(\.[0-9]{1,3}){2,2}|127\.0\.0\.1)\).+by localhost with SMTP\; .+ -0000/
# describe FROMLOCALMTA seems to using localmta
# score FROMLOCALMTA 1.0

# meta SPAMCOPLOCAL MSGID_FROM_MTA_ID && FROMLOCALMTA && RCVD_IN_BL_SPAMCOP_NET
# describe SPAMCOPLOCAL MSGID_FROM_MTA_ID && FROMLOCALMTA && RCVD_IN_BL_SPAMCOP_NET
# score SPAMCOPLOCAL 10




# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Personal rules =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# All below rules depend on my own mail environment.
# If you want to use, you have to write your ~/.spamassassin/private_prefs
# Ex. If you use OCN:
# replace_tag  MYMTA smtp\.[a-z]+\.ocn\.ne\.jp
# 
# 2006.04.17 by [yoh]
# 

replace_start <
replace_end   >

# 
# You have to write your ~/.spamassassin/private_prefs below.
# Ex. If you use OCN:
# replace_tag  MYMTA smtp\.[a-z]+\.ocn\.ne\.jp
# see perldoc Mail::SpamAssassin::Plugin::ReplaceTags
# 
# replace_tag   MYMTA (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)\d\d\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)

# header DIRECTYOURNET Received =~ /from .+(.+(fbb\.ReSET\.JP|ap\.yournet\.ne\.jp)[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}|61\.203\.(16[0-9]|17[0-5])\.[0-9]{1,3}|61\.44\.([0-9]|[1-9][0-9]|1(1[0-9]|2[0-7]))\.[0-9]{1,3}|220\.215\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|(43\.244|220\.150)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2})[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTYOURNET X-Spam-Relays-Untrusted =~ /(ip=((61\.203\.(16[0-9]|17[0-5])|61\.44\.([0-9]|[1-9][0-9]|1(1[0-9]|2[0-7]))|220\.215\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7]))\.[0-9]{1,3}|(43\.244|220\.150)(\.[0-9]{1,3}){2,2})|rdns=.+(fbb\.ReSET\.JP|ap\.(yournet|cyberbb)\.ne\.jp)) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTYOURNET X-Spam-Relays-Untrusted =~ /(ip=((43\.244|220\.(150|215))(\.[0-9]{1,3}){2}|(61\.203\.1(6[0-9]|7[0-5])|61\.44\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])|61\.12\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])|210\.143\.1(4[4-9]|5[0-9])|221\.113\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7]))\.[0-9]{1,3})|rdns=.+(fbb\.ReSET\.JP|ap\.yournet\.ne\.jp)) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTYOURNET X-Spam-Relays-Untrusted =~ /(ip=((43\.244|220\.(150|215))(\.\d{1,3}){2}|(61\.12\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|61\.44\.(\d|[1-9]\d|1[01]\d|12[0-7])|61\.87\.(\d|[1-5]\d|6[0-3])|61\.203\.1(6\d|7[0-5])|210\.143\.1(4[4-9]|5\d)|219\.112\.(\d|[1-9]\d|1[01]\d|12[0-7])|220\.150\.([4-9]|\d\d|\d\d\d)|221\.113\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7]))\.\d{1,3})|rdns=.+(fbb\.(ReSET\.JP|aol\.co\.jp)|ap\.((seikyou|yournet|infoeddy|cyberbb)\.ne\.jp|zero-isp\.NET|inforyoma\.or\.jp))) [^\[]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTYOURNET X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:(?:43\.244|220\.(?:150|215))(?:\.\d{1,3}){2}|(?:61\.12\.(?:12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|61\.44\.(?:\d|[1-9]\d|1[01]\d|12[0-7])|61\.87\.(?:\d|[1-5]\d|6[0-3])|61\.203\.1(?:6\d|7[0-5])|210\.143\.1(?:4[4-9]|5\d)|219\.112\.(?:\d|[1-9]\d|1[01]\d|12[0-7])|220\.150\.(?:[4-9]|\d\d|\d\d\d)|221\.113\.(?:6[4-9]|[7-9]\d|1[01]\d|12[0-7]))\.\d{1,3})|\d{2,3}(?:\.\d{1,3}){3} rdns=.+(?:fbb\.(?:ReSET\.JP|aol\.co\.jp)|ap\.(?:(?:seikyou|yournet|infoeddy|cyberbb)\.ne\.jp|zero-isp\.NET|inforyoma\.or\.jp))) /
describe DIRECTYOURNET directly received spam from FreeBit
score DIRECTYOURNET 1.5

# header DIRECTINTERSPIN Received =~ /from .+165\.76(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTINTERSPIN X-Spam-Relays-Untrusted =~ /ip=165\.76(\.[0-9]{1,3}){2,2} [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /

header DIRECTINTERSPIN X-Spam-Relays-Untrusted =~ /rdns=\d{1,3}\.pool\d{1,2}\.(ftth|dsl24m)\w+\.att\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTINTERSPIN directly received spam from InterSpin
score DIRECTINTERSPIN 1.5

# header DIRECTDION Received =~ /from.+((59\.1(2[89]|3[0-9]|40)|218\.222|222\.([0-9]|1[0-5]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|219\.108\.(1[6-9]|[2-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTDION Received =~ /from.+([A-Z]{2,2}[0-9]{6,6}\.ppp|[a-zA-Z]{1,2}[0-9]{12,14}\.(ec-){0,1}userreverse)\.dion\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTDION X-Spam-Relays-Untrusted =~ /rdns=([A-Z]{2,2}[0-9]{6,6}\.ppp|[a-zA-Z]{1,2}[0-9]{12,14}\.(ec-){0,1}userreverse)\.dion\.ne\.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTDION X-Spam-Relays-Untrusted =~ /(ip=((59\.1(2[89]|3[0-9]|40)|218\.222|222\.([0-9]|1[0-5]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|219\.108\.(1[6-9]|[2-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))|rdns=([A-Z]{2,2}[0-9]{6,6}\.ppp|[a-zA-Z]{1,2}[0-9]{12,14}\.(ec-){0,1}userreverse)\.dion\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# 61.202.0.0-61.202.127.255
# (61\.202\.(\d|[1-9]\d|1[01]\d|12[0-7])|)
# header DIRECTDION X-Spam-Relays-Untrusted =~ /(ip=(61\.117\.([6-9]|1[0-7]|(?!68)[2-9]\d|(?!103)1[01]\d|12[0-7])\.\d{1,3}|61\.202\.(?!(2|3|27|64|90|105)\.)(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|(59\.1(2[89]|3\d|40)|218\.222|222\.(\d|1[0-5]))(\.\d{1,3}){2}|219\.108\.(1[6-9]|[2-9]\d|1\d\d|2[0-4]\d|25[0-5])\.\d{1,3})|rdns=([A-Z]{1,2}\d{6}\.ppp|[a-zA-Z]{1,2}\d{12,14}\.(ec-){0,1}userreverse)\.dion\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# 211.18.0.0 - 211.18.190.255
# 211.18.212.129 - 211.18.212.255
# header DIRECTDION X-Spam-Relays-Untrusted =~ /(ip=(210\.155\.83\.(6[4-9]|[789]\d|1[01]\d|12[0-7])|210\.230\.216\.163|211\.18\.((\d|\d\d|1[0-8]\d|190)\.\d{1,3}|212\.(129|1[3-9]\d|2\d\d))|61\.117\.([6-9]|1[0-7]|(?!68)[2-9]\d|(?!103)1[01]\d|12[0-7])\.\d{1,3}|61\.202\.(?!(2|3|27|64|90|105)\.)(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|(59\.1(2[89]|3\d|40)|218\.222|222\.([0-24-9]|1[0-5]))(\.\d{1,3}){2}|219\.108\.(1[6-9]|[2-9]\d|1\d\d|2[0-4]\d|25[0-5])\.\d{1,3})|rdns=([A-Z]{1,2}\d{6}\.ppp|[a-zA-Z]{1,2}\d{12,14}\.(ec-){0,1}userreverse)\.dion\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /

# avoid list:
# 222.3.140.*
# 2009.10.01 by [yoh]

header DIRECTDION X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:210\.155\.83\.(?:6[4-9]|[789]\d|1[01]\d|12[0-7])|210\.230\.216\.163|211\.18\.(?:(?:(?:\d|\d\d|1[0-8]\d|190)\.\d{1,3}|207\.1(?:6\d|7[0-5]))|212\.(?:129|1[3-9]\d|2\d\d))|61\.117\.(?:[6-9]|1[0-7]|(?!68)[2-9]\d|(?!103)1[01]\d|12[0-7])\.\d{1,3}|61\.202\.(?!(?:2|3|27|64|90|105)\.)(?:\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|(?:59\.1(?:2[89]|3\d|40)|218\.222|222\.(?:[0-24-9]|1[0-5]))(?:\.\d{1,3}){2}|219\.108\.(?:1[6-9]|[2-9]\d|1\d\d|2[0-4]\d|25[0-5])\.\d{1,3})|(?:\d{1,3}\.){3}\d{1,3} rdns=(?:[A-Z]{1,2}\d{6}\.ppp|[a-zA-Z]{1,2}\d{12,14}\.(?:ec-){0,1}userreverse)\.dion\.ne\.jp) /
describe DIRECTDION directly received spam from DION
score DIRECTDION 1.5

# header DIRECTODN Received =~ /from.+((61.116|211.131)(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|[A-Za-z0-9-]+\.ppp[0-9]{2,2}\.odn\.ad\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3})[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTODN X-Spam-Relays-Untrusted =~ /(ip=(61.116|211.131)(\.[0-9]{1,3}){2,2}|rdns=[A-Za-z0-9-]+\.ppp[0-9]{2,2}\.odn\.ad\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# 210.231.0.0-210.231.89.255
# header DIRECTODN X-Spam-Relays-Untrusted =~ /(ip=((61.116|211.131)(\.\d{1,3}){2,2}|210\.231\.(\d|[0-8]\d)\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)\d\d\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTODN X-Spam-Relays-Untrusted =~ /(ip=((61.116|211.131)(\.\d{1,3}){2}|210\.231\.(\d|[1-8]\d)\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)\d\d\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTODN X-Spam-Relays-Untrusted =~ /(ip=((61.116|211.131)(\.\d{1,3}){2}|210\.231\.(\d|[1-8]\d)\.\d{1,3}|211\.121\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)\d\d\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# 61.209.4.0 - 61.209.190.255
# 211.3.0.0 - 211.3.255.255
# lacked: 13-15, 49, 100, 102, 104-106, 134-135, 137, 144, 180-181, 194-195,
# 228, 230-231, 238, 247, 253, 255
# header DIRECTODN X-Spam-Relays-Untrusted =~ /(ip=((61\.116|211\.131|218\.218|219\.66)(\.\d{1,3}){2}|61\.209\.([4-9]|[1-9]\d|1[0-8]\d|190)\.\d{1,3}|210\.231\.(\d|[1-8]\d)\.\d{1,3}|211\.121\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# 210.169.251.160-210.169.251.191
# 220.212.0.0-220.212.115.255
# 220.212.121.0-220.212.251.255
# 220.212.254.0-220.212.255.255
# ! 220.212.240.23 247.162 249.0/24 252.0/24 253.0/24
# header DIRECTODN X-Spam-Relays-Untrusted =~ /(ip=((61\.116|211\.131|218\.218|219\.66)(\.\d{1,3}){2}|61\.209\.([4-9]|[1-9]\d|1[0-8]\d|190)\.\d{1,3}|210\.231\.(\d|[1-8]\d)\.\d{1,3}|211\.3.(?!(1[345]\.|49\.|1(0[02456]|3[457]|44|8[01]|9[45])|2(28|3[018]|47|5[35])))(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.\d{1,3}|211\.121\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|210\.169\.251\.(1[67]\d|181))|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# 61\.209\.([4-9]|[1-9]\d|1[0-8]\d|190)\.\d{1,3}
# header DIRECTODN X-Spam-Relays-Untrusted =~ /(ip=((61\.116|211\.131|218\.218|219\.66)(\.\d{1,3}){2}|61\.209\.([4-9]|[1235-9]\d|4[0-689]|1[0-8]\d|190|203)\.\d{1,3}|210\.231\.(\d|[1-8]\d)\.\d{1,3}|211\.3.(?!(1[345]\.|49\.|1(0[02456]|3[457]|44|8[01]|9[45])|2(28|3[018]|47|5[35])))(\d|[1-9]\d|[12]\d\d)\.\d{1,3}|211\.121\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|210\.169\.251\.(1[67]\d|181)|220\.212\.(\d|\d\d|1[01][0-5])\.\d{1,3}|220\.212\.(?!(240\.23[^\d]|247\.162|2(49|52|53)\.\d{1,3}))\d{1,3}\.\d{1,3})|rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTODN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:(?:61\.116|211\.131|218\.218|219\.66)(?:\.\d{1,3}){2}|61\.209\.(?:[4-9]|[1235-9]\d|4[0-689]|1[0-8]\d|190|203)\.\d{1,3}|210\.231\.(?:\d|[1-8]\d)\.\d{1,3}|211\.3.(?!(?:1[345]\.|49\.|1(?:0[02456]|3[457]|44|8[01]|9[45])|2(?:28|3[018]|47|5[35])))(?:\d|[1-9]\d|[12]\d\d)\.\d{1,3}|211\.121\.(?:\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|210\.169\.251\.(?:1[67]\d|181)|220\.212\.(?:\d|\d\d|1[01][0-5])\.\d{1,3}|220\.212\.(?!(?:240\.23[^\d]|247\.162|2(?:49|52|53)\.\d{1,3}))\d{1,3}\.\d{1,3})|(?:\d{1,3}\.){3}\d{1,3} rdns=[A-Za-z0-9-]+\.ppp\d{2,2}\.odn\.ad\.jp) /
describe DIRECTODN directly received spam from ODN
score DIRECTODN 1.5


# header DIRECTINFOSPHERE X-Spam-Relays-Untrusted =~ /(ip=61\.197\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}|rdns=.+\.nttpc\.ne\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTINFOSPHERE X-Spam-Relays-Untrusted =~ /(ip=(61\.197\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|210\.165\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|219\.102(\.\d{1,3}){2})|rdns=.+\.nttpc\.ne\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)\d\d\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTINFOSPHERE X-Spam-Relays-Untrusted =~ /(ip=(210\.165\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|(61\.197|203\.138|219\.102)(\.\d{1,3}){2})|rdns=.+\.nttpc\.ne\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)\d\d\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /

# 202.224.204.112-202.224.204.127
# header DIRECTINFOSPHERE X-Spam-Relays-Untrusted =~ /(ip=(61\,194\.206\.16[0-7]|61\.197\.(\d|\d\d|1[0-5]\d|16[01])\.\d{1,3}|210\.165\.(12[89]|1[3-9]\d|2\d\d)\.\d{1,3}|202\.212\.((9|1[237]|2[01]|7[4-9]|8[234]|9[023]|10[789]|11[01]|12[123]|156|16[4-7]|17[3-6]|18[56]|19[345]|23[67]|243|25[45])\.\d{1,3}|30\.(\d|[1-8]\d|9[0-5])|89\.1(2[89]|[34]\d|5[01])|91\.(\d|\d\d|1[0-4]\d|15[01])|1(19|40)\.(\d|[123]\d|4[0-7])|15[07]\.(\d|[1-5]\d|6[0-3])|183\.(\d|[12]\d|3[01])|184\.(\d|1[0-5])|242\.(\d|[1-3]\d|4[0-7])|252\.(\d|[1-5]\d|6[0-3]|12[89]|1[3-8]\d|19[01])|(35|169|221)\.(\d|\d\d|1[01]\d|12[0-7])|(36|87|120|140|157|179|180|184|25[01])\.1(2[89]|[345]\d))|202\.224\.204\.1(1[2-9]|2[0-79]|6\d|7[0-5])|202\.229\.(4[89]|5[01]|12[56]|13[2368]|14[0-3]|15[2-5]|16[4-7]|2(0\d|1[0-59]|2[1-9]|34|4[4-7]|5[345]))\.\d{1,3}|203\.138\.((92|114|16[89]|17[0-5])\.\d{1,3}|1(20|82)\.(\d|[1-5]\d|6[0-3])|17[69]\.(\d|\d\d|1[0-5]\d)|184\.(\d|[12]\d|3[01])|234\.(\d|\d\d|1[01]\d|12[0-7])|238\.(12[89]|1[345]\d)|240\.(12[89]|1[3-8]\d|19[01]))|210\.136\.(([0-3]|1[6-9]|2[0-389]|3[0-5]|8[4-9]|9[01]|12[89]|13[01]|14[0-3]|171|18[0-3]|19[6-9]|2[45]\d)\.\d{1,3}|13\.(\d|[12]\d|3[01])|36\.(6[4-9]7\d)|53\.(\d|[12]\d|3[01]|12[89]|1[345]\d)|82\.(129|1[3-9]\d|2\d\d)|186\.(\d|\d\d|10\d|11[01])|189\.(\d|[1-5]\d|6[0-3])|224\.(\d|[12]\d|3[01]|12[89]|1[3-8]\d|19[01])|234\.(\d|[1-5]\d|6[0-3])|238\.(20[89]|21\d|22[0-3]))|219\.102(\.\d{1,3}){2})|rdns=.+\.nttpc\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTINFOSPHERE X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:61\,194\.206\.16[0-7]|61\.197\.(?:\d|\d\d|1[0-5]\d|16[01])\.\d{1,3}|210\.165\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}|202\.212\.(?:(?:9|1[237]|2[01]|7[4-9]|8[234]|9[023]|10[789]|11[01]|12[123]|156|16[4-7]|17[3-6]|18[56]|19[345]|23[67]|243|25[45])\.\d{1,3}|30\.(?:\d|[1-8]\d|9[0-5])|89\.1(?:2[89]|[34]\d|5[01])|91\.(?:\d|\d\d|1[0-4]\d|15[01])|1(?:19|40)\.(?:\d|[123]\d|4[0-7])|15[07]\.(?:\d|[1-5]\d|6[0-3])|183\.(?:\d|[12]\d|3[01])|184\.(?:\d|1[0-5])|242\.(?:\d|[1-3]\d|4[0-7])|252\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-8]\d|19[01])|(?:35|169|221)\.(?:\d|\d\d|1[01]\d|12[0-7])|(?:36|87|120|140|157|179|180|184|25[01])\.1(?:2[89]|[345]\d))|202\.224\.204\.1(?:1[2-9]|2[0-79]|6\d|7[0-5])|202\.229\.(?:4[89]|5[01]|12[56]|13[2368]|14[0-3]|15[2-5]|16[4-7]|2(?:0\d|1[0-59]|2[1-9]|34|4[4-7]|5[345]))\.\d{1,3}|203\.138\.(?:(?:92|114|16[89]|17[0-5])\.\d{1,3}|1(?:20|82)\.(?:\d|[1-5]\d|6[0-3])|17[69]\.(?:\d|\d\d|1[0-5]\d)|184\.(?:\d|[12]\d|3[01])|234\.(?:\d|\d\d|1[01]\d|12[0-7])|238\.(?:12[89]|1[345]\d)|240\.(?:12[89]|1[3-8]\d|19[01]))|210\.136\.(?:(?:[0-3]|1[6-9]|2[0-389]|3[0-5]|8[4-9]|9[01]|12[89]|13[01]|14[0-3]|171|18[0-3]|19[6-9]|2[45]\d)\.\d{1,3}|13\.(?:\d|[12]\d|3[01])|36\.(?:6[4-9]7\d)|53\.(?:\d|[12]\d|3[01]|12[89]|1[345]\d)|82\.(?:129|1[3-9]\d|2\d\d)|186\.(?:\d|\d\d|10\d|11[01])|189\.(?:\d|[1-5]\d|6[0-3])|224\.(?:\d|[12]\d|3[01]|12[89]|1[3-8]\d|19[01])|234\.(?:\d|[1-5]\d|6[0-3])|238\.(?:20[89]|21\d|22[0-3]))|219\.102(?:\.\d{1,3}){2})|(?:\d{1,3}\.){3}\d{1,3} rdns=.+\.nttpc\.ne\.jp) /
describe DIRECTINFOSPHERE directly received spam from INFOSPHERE
score DIRECTINFOSPHERE 2.0

# header DIRECTSONETDYN Received =~ /from .+p[a-z0-9]{5,6}\.[a-z0-9]{7,8}\.ap\.so-net\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTSONETDYN X-Spam-Relays-Untrusted =~ /rdns=p[a-z0-9]{5,6}\.[a-z0-9]{7,8}\.ap\.so-net\.ne\.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 [^\[\]]+auth= /
# header DIRECTSONETDYN X-Spam-Relays-Untrusted =~ /(rdns=p[a-z0-9]{5,6}\.[a-z0-9]{7,8}\.ap\.so-net\.ne\.jp|ip=(59\.14[67](\.\d{1,3}){2}|202\.213\.208\.11[2-9]|202\.238\.(65|7[0345]|8[01789]|9[0-8]|101|11[02-9]|12[0-7])\.\d{1,3}|210\.174\.(\d|1[01378]|[2-5]\d|6[0-3])\.\d{1,3})) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# header DIRECTSONETDYN X-Spam-Relays-Untrusted =~ /(rdns=p[a-z0-9]{5,6}\.[a-z0-9]{7,8}\.ap\.so-net\.ne\.jp|ip=(59\.14[67](\.\d{1,3}){2}|202\.213\.(208\.11[2-9]|247\.\d{1,3})|202\.238\.(65|7[0345]|8[01789]|9[0-8]|101|11[02-9]|12[0-7])\.\d{1,3}|210\.174\.(\d|1[01378]|[2-5]\d|6[0-3])\.\d{1,3})) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTSONETDYN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:59\.14[67](?:\.\d{1,3}){2}|202\.213\.(?:208\.11[2-9]|247\.\d{1,3})|202\.238\.(?:65|7[0345]|8[01789]|9[0-8]|101|11[02-9]|12[0-7])\.\d{1,3}|210\.174\.(?:\d|1[01378]|[2-5]\d|6[0-3])\.\d{1,3})|(?:\d{1,3}\.){3}\d{1,3} rdns=p[a-z0-9]{5,6}\.[a-z0-9]{7,8}\.ap\.so-net\.ne\.jp) /
describe DIRECTSONETDYN directly received spam from SO-NET
score DIRECTSONETDYN 1.5

# Received =~ /from .+(p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp|219\.16[0-5](\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2})

# header DIRECTOCNDYN Received =~ /from .+p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTOCNDYN X-Spam-Relays-Untrusted =~ /rdns=p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTOCNDYN X-Spam-Relays-Untrusted =~ /(ip=((125\.17[2-5]|219\.16[0-5]|221\.188|220\.9[678]|222\.(14[4-9]|15[01]))(\.\d{1,3}){2}|(61\.112\.(6[89]|[7-9]\d|1\d\d|2[0-4]\d|25[0-5])|61\.207\.(5[6-9]|[6-9]\d|1[0-57-9]\d|16[0-8]|20[04-9]|2[1-5]\d)|220\.99\.(\d|[1-5]\d|6[0-3])|222\.146\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5]))\.\d{1,3}|220\.110\.34\.3[2-9]|221\.186\.251\.(6[4-9]|[789]\d|1[01]\d|12[0-7]))|rdns=p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# 220.96.0.0 - 220.99.63.255
# 61.207.56.0 - 61.207.255.255
# 124.84.0.0 - 124.84.255.255
# 124.85.0.0 - 124.85.41.255
# 124.85.58.0 - 124.85.255.255
# 124.86.0.0 - 124.86.218.255
# 124.86.227.0 - 124.86.255.255
# 124.87.0.0 - 124.87.255.255
# 60.32.16.0 - 60.32.21.255
# 60.32.38.0 - 60.32.63.255
# 60.37.64.0 - 60.37.255.255
# 60.38.0.0 - 60.38.105.255
# 60.38.114.0 - 60.38.152.255
# 60.38.157.0 - 60.38.255.255
# 60.45.0.0 - 60.45.148.255
# 60.45.155.0 - 60.45.187.255
# 60.45.192.0 - 60.45.255.255
# 60.46.0.0 - 60.46.127.255
# 60.33.0.0 - 63.33.255.255
# 60.39.0.0 - 60.40.255.255
# 60.44.0.0 - 60.44.255.255
# 219.114.0.0 - 219.114.99.255
# 221.184.64.0 - 221.184.67.255
# 221.184.84.0 - 221.184.127.255
# header DIRECTOCNDYN X-Spam-Relays-Untrusted =~ /(ip=((60\.(3[39]|4[04])|122\.26|123\.220|124\.8[47]|125\.17[2-5]|219\.16[0-5]|221\.188|220\.(9[678]|10[4-7])|222\.(14[4-9]|15[01]))(\.\d{1,3}){2}|(60\.32\.(1[6-9]|2[01]|3[89]|[45]\d|6[0-3])|60\.37\.(6[4-9]|[789]\d|\d\d\d)|60\.38\.(\d|\d\d|10[0-5]|11[4-9]|1[2-9]\d|2\d\d)|60\.45\.(\d|\d\d|1[0-3]\d|14[0-8]|15[5-9]|1[67]\d|18[0-7]|19[2-9]|2\d\d)|60\.46\.(\d|\d\d|1[01]\d|12[0-7])|61\.112\.(6[89]|[7-9]\d|\d\d\d)|61\.199\.(\d|\d\d|1[01]\d|12[0-7])|61\.207\.(5[6-9]|[6-9]\d|1[0-57-9]\d|16[0-8]|20[04-9]|2[1-5]\d)|124\.85\.(\d|[1-3]\d|4[01]|5[89]|[6-9]\d|[12]\d\d)|124\.86\.(\d|\d\d|1\d\d|20\d|21[0-8]|22[789]|2[3-5]\d)|124\.(96\.([016-9]|[1-4789]\d|5[0124-7]|6[0-36-9]|10[16-9]|11[0-3789]|(1[236-9]|2\d)\d|14[02-9]|15[012])|97\.(\d|[1-8]\d|9[0-6]|10[5-9]|(1[1-9]|2\d)\d)|98\.(\d|1\d|2[04-7]|4[1-9]|[5-9]\d|1[0-57]\d|16[0124-9]|18[0-3]|19[01]|22[4-9]|23[013-9]|24[014-9]|25[0145])|99\.([0-5]|1[0-7]|2[2-689]|5[0-3]|[34]\d|7[2-9]|8[0-8]|9[4-9]|[12]\d\d)|100\.\d{1,3}|101\.([3-6]|1[1-489]|[23789]\d|4[0-5]|5[12]|6[3-9]|1[04-7]\d|11[0-4]|18[0-6]|20[2-9]|2[1-5]\d)|102\.(\d|\d\d|17[016-9]|1[0-689]\d|2\d\d)|103\.(\d|[1-8]\d|9[01]|10[2-5]|11[0-389]|1[235-9]\d|14[0-5]|2[0-4]\d))|219\.114\.(\d|[1-57-9]\d)|220\.99\.(\d|[1-5]\d|6[0-3])|220\.111\.(4[89]|[5-9]\d|\d\d\d)|222\.146\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5]))\.\d{1,3}|61\.199\.212\.20[1-6]|219\.166\.29\.(8[89]|9[0-5])|220\.110\.34\.3[2-9]|221\.184\.(6[4-7]|8[4-9]|9\d|1[01]\d|12[0-7])\.\d{1,3}|221\.186\.251\.(6[4-9]|[789]\d|1[01]\d|12[0-7]))|rdns=p[0-9]+-[a-z0-9-]+\.[a-z]+\.ocn\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /

# avoid list:
# 60.37.40.* 61.207.11.* 61.207.12.*
# 122.1.235.* 122.28.14.* 122.28.17.* 122.28.30.* 125.170.92.* 125.206.187.*
# 211.129.14.* 222.146.51.* 
# 2009.10.01 by [yoh]

header DIRECTOCNDYN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:58\.(?:88|9[01245])|60\.(?:3[39]|4[04])|122\.26|123\.2(?:16|20)|124\.8[47]|125\.17[2-5]|219\.16[0-5]|221\.188|220\.(?:9[678]|10[4-7])|222\.(?:14[457-9]|15[01]))(?:\.\d{1,3}){2}|(?:60\.32\.(?:1[6-9]|2[01]|3[89]|[45]\d|6[0-3])|60\.37\.(?:6[4-9]|[789]\d|\d\d\d)|60\.38\.(?:\d|\d\d|10[0-5]|11[4-9]|1[2-9]\d|2\d\d)|60\.45\.(?:\d|\d\d|1[0-3]\d|14[0-8]|15[5-9]|1[67]\d|18[0-7]|19[2-9]|2\d\d)|60\.46\.(?:\d|\d\d|1[01]\d|12[0-7])|61\.112\.(?:6[89]|[7-9]\d|\d\d\d)|61\.199\.(?:\d|\d\d|1[01]\d|12[0-7])|61\.207\.(?:5[6-9]|[6-9]\d|1[0-57-9]\d|16[0-8]|20[04-9]|2[1-5]\d)|118\.15\.(?:1(?:2[89]|[3-8]\d|9[01])|2[45]\d)|124\.85\.(?:\d|[1-3]\d|4[01]|5[89]|[6-9]\d|[12]\d\d)|124\.86\.(?:\d|\d\d|1\d\d|20\d|21[0-8]|22[789]|2[3-5]\d)|124\.(?:96\.(?:[016-9]|[1-4789]\d|5[0124-7]|6[0-36-9]|10[16-9]|11[0-3789]|(?:1[236-9]|2\d)\d|14[02-9]|15[012])|97\.(?:\d|[1-8]\d|9[0-6]|10[5-9]|(?:1[1-9]|2\d)\d)|98\.(?:\d|1\d|2[04-7]|4[1-9]|[5-9]\d|1[0-57]\d|16[0124-9]|18[0-3]|19[01]|22[4-9]|23[013-9]|24[014-9]|25[0145])|99\.(?:[0-5]|1[0-7]|2[2-689]|5[0-3]|[34]\d|7[2-9]|8[0-8]|9[4-9]|[12]\d\d)|100\.\d{1,3}|101\.(?:[3-6]|1[1-489]|[23789]\d|4[0-5]|5[12]|6[3-9]|1[04-7]\d|11[0-4]|18[0-6]|20[2-9]|2[1-5]\d)|102\.(?:\d|\d\d|17[016-9]|1[0-689]\d|2\d\d)|103\.(?:\d|[1-8]\d|9[01]|10[2-5]|11[0-389]|1[235-9]\d|14[0-5]|2[0-4]\d))|218\.43\.118|219\.114\.(?:\d|[1-57-9]\d)|220\.99\.(?:\d|[1-5]\d|6[0-3])|220\.111\.(?:4[89]|[5-9]\d|\d\d\d)|222\.146\.(?:12[89]|1[3-9]\d|2[0-4]\d|25[0-5]))\.\d{1,3}|60\.37\.51\.(?:7|254)|61\.199\.212\.20[1-6]|118\.23\.108\.11|125\.206\.117\.1(?:25|33)|219\.166\.29\.(?:8[89]|9[0-5])|220\.110\.34\.3[2-9]|221\.184\.(?:6[4-7]|8[4-9]|9\d|1[01]\d|12[0-7])\.\d{1,3}|221\.186\.251\.(?:6[4-9]|[789]\d|1[01]\d|12[0-7])) /
describe DIRECTOCNDYN directly received spam from OCN
score DIRECTOCNDYN 1.5

# header DIRECTVECTANTDYN Received =~ /from .*(d[0-9]{2,3}\.[A-Z][a-z]+FL[0-9]+|wd[0-9]+\.(afl|AFL)[0-9]+)\.vectant\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# 222.228.0.0 - 222.229.63.255
# lacked: 91.0-91.59, 92.81-92.255, 110.60-110.99, 111.0-111.99,
# 123.21-123.99, 123.120-123.159, 157.0-157.39, 157.100-157.139,
# 
# 202.189.192.0 - 202.189.223.255
# 210.131.128.0 - 210.131.255.255
# lacked: 132-133, 137, 157.0-157.39, 159, 162-163, 168-169, 177, 200,
# 202, 205-210, 240.0-240.199, 241, 243, 246.130, 246.190-246.200,
# 249, 250.70-250.255, 251-252, 254, 255
# header DIRECTVECTANTDYN X-Spam-Relays-Untrusted =~ /(ip=(202\.189\.(19[2-9]|2[01]\d|22[0-3])\.\d{1,3}|222\.228\.(\d|[1-5]\d|6[0-3])\.\d{1,3})|rdns=((e|w|w4|)d\d+\.[ABFGHIJNS]+[a-z]*(DS[AI]|FL){0,1}[bcd0-9]+|(163-139|202-215)(-\d{1,3}){2}\.(uis){0,1}rv)\.vectant\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# header DIRECTVECTANTDYN X-Spam-Relays-Untrusted =~ /(ip=(202\.189\.(19[2-9]|2[01]\d|22[0-3])\.\d{1,3}|202\.231\.(?!(64\.(20|129|14[4-9]|15\d|186|209|21[1-6])|66\.(89|9[01]|10[56])|68\.([24]|1[789]|2[0189]|30|11[34])|76\.(3[3-6]|5[89])|80\.(2|3[3-9]|4[0-3]|6[12])|84\.([2356]|9[78]|162|17[08]|23[3-6])|86\.(1[789]|2\d|30|69|70|17[89]|21[789]|22[012])|87\.(52|66|226|234)|89\.1(62|78)|97\.([129]|15|31|4[12]|24[1245])|101\.([3-8]|15|31|4[12]|24[1245])|106\.(9|1[01]|138|15[45]|178)|108\.([1235-9]|3[3-689])|110\.(19|2[012]|5[46]|6[012])|111\.(14[567]|16[34689]|17[02479])|121\.94|122\.(\d|1[0-3])|125\.(\d|1[0-5])))(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.\d{1,3}|222\.228\.(\d|[1-5]\d|6[0-3])\.\d{1,3})|rdns=((e|w|w4|)d\d+\.[ABFGHIJNS]+[a-z]*(DS[AI]|FL){0,1}[bcd0-9]+|(163-139|202-215)(-\d{1,3}){2}\.(uis){0,1}rv)\.vectant\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# header DIRECTVECTANTDYN X-Spam-Relays-Untrusted =~ /(ip=(124\.110\.(\d|[15]\d|2[0-689]|3[0-8]|4[1-9]|6[0-3]|9[6-9]|10[0124-9]|1[124-9]\d|15[0-35-9]|13[0-6]|2[02-5]\d|21[2-9])\.\d{1,3}|202\.189\.(19[2-9]|2[01]\d|22[0-3])\.\d{1,3}|202\.215\.([23]|1[0126-9]|2[014789]|3[04-7]|4[4-7]|5[5-9]|6[0-369]|7[0136-9]|8[14-8]|9[01]|1(0[235-9]|1[0-367]|2[04589]|3[0-36-9]|4[0-3]|5[3-9]|6[0-589]|7[0-3789]|8[2-5789]|9[2-69])|2(07|1[1-479]|24|3[067]|4[01]|55))\.\d{1,3}|202\.215\.(7\.([1-7]|1[6-9]|[2378]\d|4[0-7]|6[4-9]|9[5-9]|(1[0-3789]|2[345])\d|14[0-3]|15[2-9]|16[89]|20[0-7]|22[4-9])|13\.(\d|\d\d|(1[0-5]|2[345])\d|16[89]|17[0-5]|22[4-9])|15\.(\d|[123789]\d|4[0-7]|5[6-9]|6[0-4]|1[013458]\d|12[89]|16[0-7]|17[6-9]|19[01]|2[0345]\d|21[3-9])|26\.([89]|[125-9]\d|3[01]|4[89]|[12]\d\d)|33\.([0-7]|[14][6-9]|[236-9]\d|1[0-5789]\d|16[89]|2[0145]\d|22[0-3]|23[2-9])|49\.(\d|[1237]\d|6[45789]|9[6-9]|[12]\d\d)|51\.(\d|\d\d|1\d\d|2[0-35]\d|24[3-9])|53\.([89]|[13-6]\d|2[0-5789]|76|9[06-9]|10[0-8]|(1[1239]|2\d)\d|14[0-3]|15[29]|16[89]|17[0-5]|18[5-9])|64\.(?!(164|166|237|250))\d{1,3}|65\.(?!12[^\d])\d{1,3}|67\.(?!12[^\d])\d{1,3}|68\.(?!(1[678]\d|19[01]))\d{1,3}|72\.(?!6[05][^\d])\d{1,3}|83\.(12[89]|1[3-9]\d|2\d\d)|101\.([1-7]|1[6-9]|[235-8]\d|4[89]|9[0-5]|12[89]|1[3-9]\d|2\d\d)|114\.(\d|[1-8]\d|9[1-7]|1[0-35-9]\d|14[0-46-9]|2\d\d)|114\.(?!(9[089][^\d]|145))\d{1,3}|115\.(?!(21[6-9]|22[0-3]))\d{1,3}|118\.(?!(30[^\d]))\d{1,3}|119\.(\d|[1789]\d|2[0-3]|6[4-9]|[12]\d\d)|122\.(?!(1[26][^\d]|151))\d{1,3}|123\.(1[6-9]|[2689]\d|[37][01]|4[89]|5[3-9]|10[0-3]|11[2-9]|19[235-9]|2[01245]\d|23[01])|127\.([89]|1[0-6]|3[2-9]|[467]\d|5[025-9]|8[0-7]|9[6-9]|(1[04-9]|2\d)\d|11[01]|12[0-7]|13[6-9])|134\.(?!3[^\d])\d{1,3}|144\.(\d|[12]\d|30)|146\.(\d|[1456]\d|2[0-3]|7[01]|10[4-9]|1[1-9]\d|2\d\d)|148\.(?!(10|2[4-9]|3[01])[^\d])\d{1,3}|150\.(?!3[^\d])\d{1,3}|166\.(?!(16[^\d]|106))\d{1,3}|167\.(?!(4[89]|[56]\d|7[01])[^\d])\d{1,3}|179\.90|181\.(?!(17[6-9]|18[0-3]))\d{1,3}|191\.(?!10[^\d])\d{1,3}|203\.(2[4-9]|[3-9]\d|[12]\d\d)|205\.(\d|1[0-5]|2[4-9]|[3-9]\d|(1[01249]|2[023])\d|13[0-79]|15[0-39]|16[013-9]|17[1-5]|18[4-9]|21[0-69])|206\.(?!(17[6-9]|18[0-3]))\d{1,3}|229\.([1-8]|15|2[4-9]|3[01]|4[89]|[59]\d|6[0-3]|8[89]|[12]\d\d)|232\.(6[57]|7[24]|19[3569]|20[023])|233\.(9[79]|10[46]|16[138]|170)|234\.(209|21[168]))|202\.231\.(64\.(\d|1[0-5]|3[2-9]|[4-9]\d|(1[0167]|2[345])\d|12[0-7]|13[6-9]|1[48][0-3]|19[2-9]|2[0-7]|22[4-9])|66\.(\d|1[0-5]|3[2-9]|[4-7]\d|8[0-8]|9[2-9]|10[0-47-9]|(1[1-9]|2[0-4])\d|20[89]|25[0-4])|68\.([89]|1[0-5]|3[2-9]|[4-9]\d|[12]\d\d)|76\.(\d|[124789]\d|3[01]|5[0-5]|6[4-9]|[12]\d\d)|80\.(6[4-9]|7\d|129|(1[3-9]|2\d)\d)|84\.(1[6-9]|[2-9]\d|1[08][4-9]|1[1-59]\d|2\d\d)|86\.(\d|1[0-6]|31|[4589]\d|6[0-8]|7[1-9]|1[0-4679]\d|15[01]|18[4-9]|2[0345]\d|21[0-6]|22[3-9])|87\.(\d|[123]\d|4[0-7]|12[89]|1[3-9]\d|2[0-3]\d)|89\.(\d|\d\d|(1[0-5]|2\d)\d|19[2-9])|91\.(\d|[124-9]\d|3[01]|[12]\d\d)|101\.(3[2-9]|[4-9]\d|[12]\d\d)|106\.([1-7]|1[6-9]|[2-9]\d|(1[0129]|2\d)\d|13[0-5]|16[0-7]|18[4-9])|113\.(\d|[12]\d|30)|(6[579]|7[2-5789]|8[12358]|9[0245689]|10[02-57]|11[24-9]|12[03467])\.\d{1,3})|222\.228\.(\d|[1-5]\d|6[0-3])\.\d{1,3}|202\.215\.179\.90)|rdns=((e|w|w4|)d\d+\.[ABFGHIJNS]+[a-z]*(DS[AI]|FL){0,1}[bcd0-9]+|(163-139|202-215)(-\d{1,3}){2}\.(uis){0,1}rv)\.vectant\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /

header DIRECTVECTANTDYN X-Spam-Relays-Untrusted =~ /^\[ ip=(?:115\.179\.208\.61|115\.179\.214\.172|202\.215\.75\.119|124\.110\.(?:\d|[15]\d|2[0-689]|3[0-8]|4[1-9]|6[0-3]|9[6-9]|10[0124-9]|1[124-9]\d|15[0-35-9]|13[0-6]|2[02-5]\d|21[2-9])\.\d{1,3}|202\.189\.(?:19[2-9]|2[01]\d|22[0-3])\.\d{1,3}|202\.215\.(?:[23]|1[0126-9]|2[014789]|3[04-7]|4[4-7]|5[5-9]|6[0-369]|7[01346-9]|8[14-8]|9[01]|1(?:0[235-9]|1[0-367]|2[04589]|3[0-36-9]|4[0-3]|5[3-9]|6[0-589]|7[0-3789]|8[2-5789]|9[2-69])|2(?:07|1[1-479]|24|3[067]|4[01]|55))\.\d{1,3}|202\.215\.(?:7\.(?:[1-7]|1[6-9]|[2378]\d|4[0-7]|6[4-9]|9[5-9]|(?:1[0-3789]|2[345])\d|14[0-3]|15[2-9]|16[89]|20[0-7]|22[4-9])|13\.(?:\d|\d\d|(?:1[0-5]|2[345])\d|16[89]|17[0-5]|22[4-9])|15\.(?:\d|[123789]\d|4[0-7]|5[6-9]|6[0-4]|1[013458]\d|12[89]|16[0-7]|17[6-9]|19[01]|2[0345]\d|21[3-9])|26\.(?:[89]|[125-9]\d|3[01]|4[89]|[12]\d\d)|33\.(?:[0-7]|[14][6-9]|[236-9]\d|1[0-5789]\d|16[89]|2[0145]\d|22[0-3]|23[2-9])|49\.(?:\d|[1237]\d|6[45789]|9[6-9]|[12]\d\d)|51\.(?:\d|\d\d|1\d\d|2[0-35]\d|24[3-9])|53\.(?:[89]|[13-6]\d|2[0-5789]|76|9[06-9]|10[0-8]|(?:1[1239]|2\d)\d|14[0-3]|15[29]|16[89]|17[0-5]|18[5-9])|64\.(?!(?:164|166|237|250))\d{1,3}|65\.(?!12[^\d])\d{1,3}|67\.(?!12[^\d])\d{1,3}|68\.(?!(?:1[678]\d|19[01]))\d{1,3}|72\.(?!6[05][^\d])\d{1,3}|83\.(?:12[89]|1[3-9]\d|2\d\d)|101\.(?:[1-7]|1[6-9]|[235-8]\d|4[89]|9[0-5]|12[89]|1[3-9]\d|2\d\d)|114\.(?:\d|[1-8]\d|9[1-7]|1[0-35-9]\d|14[0-46-9]|2\d\d)|114\.(?!(?:9[089][^\d]|145))\d{1,3}|115\.(?!(?:21[6-9]|22[0-3]))\d{1,3}|118\.(?!(?:30[^\d]))\d{1,3}|119\.(?:\d|[1789]\d|2[0-3]|6[4-9]|[12]\d\d)|122\.(?!(?:1[26][^\d]|151))\d{1,3}|123\.(?:1[6-9]|[2689]\d|[37][01]|4[89]|5[3-9]|10[0-3]|11[2-9]|19[235-9]|2[01245]\d|23[01])|127\.(?:[89]|1[0-6]|3[2-9]|[467]\d|5[025-9]|8[0-7]|9[6-9]|(?:1[04-9]|2\d)\d|11[01]|12[0-7]|13[6-9])|134\.(?!3[^\d])\d{1,3}|144\.(?:\d|[12]\d|30)|146\.(?:\d|[1456]\d|2[0-3]|7[01]|10[4-9]|1[1-9]\d|2\d\d)|148\.(?!(?:10|2[4-9]|3[01])[^\d])\d{1,3}|150\.(?!3[^\d])\d{1,3}|166\.(?!(?:16[^\d]|106))\d{1,3}|167\.(?!(?:4[89]|[56]\d|7[01])[^\d])\d{1,3}|179\.90|181\.(?!(?:17[6-9]|18[0-3]))\d{1,3}|191\.(?!10[^\d])\d{1,3}|203\.(?:2[4-9]|[3-9]\d|[12]\d\d)|205\.(?:\d|1[0-5]|2[4-9]|[3-9]\d|(?:1[01249]|2[023])\d|13[0-79]|15[0-39]|16[013-9]|17[1-5]|18[4-9]|21[0-69])|206\.(?!(?:17[6-9]|18[0-3]))\d{1,3}|229\.(?:[1-8]|15|2[4-9]|3[01]|4[89]|[59]\d|6[0-3]|8[89]|[12]\d\d)|232\.(?:6[57]|7[24]|19[3569]|20[023])|233\.(?:9[79]|10[46]|16[138]|170)|234\.(?:209|21[168]))|202\.231\.(?:64\.(?:\d|1[0-5]|3[2-9]|[4-9]\d|(?:1[0167]|2[345])\d|12[0-7]|13[6-9]|1[48][0-3]|19[2-9]|2[0-7]|22[4-9])|66\.(?:\d|1[0-5]|3[2-9]|[4-7]\d|8[0-8]|9[2-9]|10[0-47-9]|(?:1[1-9]|2[0-4])\d|20[89]|25[0-4])|68\.(?:[89]|1[0-5]|3[2-9]|[4-9]\d|[12]\d\d)|76\.(?:\d|[124789]\d|3[01]|5[0-5]|6[4-9]|[12]\d\d)|80\.(?:6[4-9]|7\d|129|(?:1[3-9]|2\d)\d)|84\.(?:1[6-9]|[2-9]\d|1[08][4-9]|1[1-59]\d|2\d\d)|86\.(?:\d|1[0-6]|31|[4589]\d|6[0-8]|7[1-9]|1[0-4679]\d|15[01]|18[4-9]|2[0345]\d|21[0-6]|22[3-9])|87\.(?:\d|[123]\d|4[0-7]|12[89]|1[3-9]\d|2[0-3]\d)|89\.(?:\d|\d\d|(?:1[0-5]|2\d)\d|19[2-9])|91\.(?:\d|[124-9]\d|3[01]|[12]\d\d)|101\.(?:3[2-9]|[4-9]\d|[12]\d\d)|106\.(?:[1-7]|1[6-9]|[2-9]\d|(?:1[0129]|2\d)\d|13[0-5]|16[0-7]|18[4-9])|113\.(?:\d|[12]\d|30)|(?:6[579]|7[2-5789]|8[12358]|9[0245689]|10[02-57]|11[24-9]|12[03467])\.\d{1,3})|222\.228\.(?:\d|[1-5]\d|6[0-3])\.\d{1,3}|222\.230\.150\.241|\d{2,3}(?:\.\d{1,3}){3} rdns=(?:(?:e|w|w4|)d\d+\.[ABFGHIJNS]+[a-z]*(?:DS[AI]|FL){0,1}[bcd0-9]+|(?:163-139|202-215)(?:-\d{1,3}){2}\.(?:uis){0,1}rv)\.vectant\.ne\.jp) /
describe DIRECTVECTANTDYN directly received spam from vectant.ne.jp
score DIRECTVECTANTDYN 1.5

# header DIRECTHI_HO Received =~ /from .+[a-z]{3,3}[0-9]+-p[0-9]{1,3}\.flets\.hi-ho\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTHI_HO X-Spam-Relays-Untrusted =~ /rdns=[a-z]{3,3}[0-9]+-p[0-9]{1,3}\.flets\.hi-ho\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTHI_HO directly received spam from Panasonic hi-ho
score DIRECTHI_HO 1.5

# header DIRECTUSENBROAD Received =~ /from .+(usen-[25][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap-(us|US)[0-9]+\.usen\.ad\.jp|[25][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap[25][0-9]{1,2}\.ftth\.ucom\.ne\.jp)[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTUSENBROAD X-Spam-Relays-Untrusted =~ /(rdns=(usen-[25][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap-(us|US)[0-9]+\.usen\.ad\.jp|[125][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap[125][0-9]{1,2}\.ftth\.ucom\.ne\.jp|\w+\.kabir-ken\.com)|ip=124\.34\.(4\.(0|1|14|4[567]|65|10[067]|22[56]|24[09]|25[012])|5\.(\d|[1-8]\d|23[2689]|2[45]\d))) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTUSENBROAD X-Spam-Relays-Untrusted =~ /(rdns=(usen-[25][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap-(us|US)[0-9]+\.usen\.ad\.jp|[125][0-9]{1,2}(x[0-9]{2,3}){3,3}\.ap[125][0-9]{1,2}\.ftth\.ucom\.ne\.jp|\w+\.(kabir-ken\.com|vds-server\.net))|ip=(124\.34\.(4\.(0|1|14|4[567]|65|98|10[067]|22[56]|24[09]|25[012])|5\.(\d|[1-8]\d|23[2689]|2[45]\d))|221\.252\.14\.7[2-9])) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTUSENBROAD directly received spam from USEN broadgate
score DIRECTUSENBROAD 1.5

# header DIRECTBBTEC Received =~ /from.+((221\.(1[6-9]|[2-9][0-9]|10[0-9]|11[01])|(219|220)\.(0-9|[1-5][0-9]|6[0-3])|219\.(16[89]|1[7-9][0-9]|20[0-9]|21[0-5])|218\.(11[2-9]|1[23][0-9]|14[0-3]))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2,2}|126(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3,3})[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# 60.64.0.0 - 60.159.255.255
header DIRECTBBTEC X-Spam-Relays-Untrusted =~ /ip=((60\.(6[4-9]|[789]\d|1[0-5]\d)|221\.(1[6-9]|[2-9]\d|10\d|11[01])|(219|220)\.(\d|[1-5]\d|6[0-3])|219\.(16[89]|1[7-9]\d|20\d|21[0-5])|218\.(11[2-9]|1[23]\d|14[0-3]|17[6-9]|18[0-3]))(\.\d{1,3}){2}|126(\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])){3}) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTBBTEC directly received spam from YahooBB bbtec.net
score DIRECTBBTEC 1.5

# header DIRECTINFOWEB Received =~ /from .+nt[a-z]{4,4}[0-9]{6,6}\.[a-z]{4,4}\.nt\.(adsl|ftth)\.ppp\.infoweb\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTINFOWEB X-Spam-Relays-Untrusted =~ /rdns=nt[a-z]{4,4}[0-9]{6,6}\.[a-z]{4,4}\.nt\.(adsl|ftth)\.ppp\.infoweb\.ne\.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTINFOWEB X-Spam-Relays-Untrusted =~ /(ip=58\.[01](\.\d{1,3}){2}|rdns=nt[a-z]{4,4}[0-9]{6,6}\.[a-z]{4,4}\.nt\.(adsl|ftth)\.ppp\.infoweb\.ne\.jp) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# nt[a-z]{4}\d{6}\.[a-z]{4}\.nt\.(adsl|ftth)\d{0,1}\.ppp\.infoweb\.ne\.jp
# header DIRECTINFOWEB X-Spam-Relays-Untrusted =~ /(ip=((58\.[01]|61\.124|125\.[0-3]|218\.226)(\.\d{1,3}){2}|218\.217\.(\d|[1-9]\d|1\d\d|2[0-3]\d)\.\d{1,3})|rdns=(nt[a-z]{4}\d{6}\.[a-z]{4}\.nt\.(adsl|ftth)\d{0,1}|[a-z]{4}\d{6}\.catv)\.ppp\.infoweb\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTINFOWEB X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:58\.[01]|61\.124|125\.[0-3]|218\.226)(?:\.\d{1,3}){2}|218\.217\.(?:\d|[1-9]\d|1\d\d|2[0-3]\d)\.\d{1,3}|219\.104\.(?:\d|\d\d|1[0-36-9]\d|2\d\d|14[0-5]|15[3-9])\.\d{1,3}|219\.105\.43\.240|(?:\d{1,3}\.){3}\d{1,3} rdns=(?:nt[a-z]{4}\d{6}\.[a-z]{4}\.nt\.(?:adsl|ftth)\d{0,1}|[a-z]{4}\d{6}\.catv)\.ppp\.infoweb\.ne\.jp) /
describe DIRECTINFOWEB directly received spam from INFOWEB
score DIRECTINFOWEB 1.5

# header DIRECTDTI Received =~ /from .+(PPP|DSL)[a-z0-9]+\.[a-z]+\-(ip|4x8x)\.dti\.ne.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTDTI X-Spam-Relays-Untrusted =~ /rdns=(PPP|DSL)[a-z0-9]+\.[a-z]+\-(ip|4x8x)\.dti\.ne.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# 202.216.232.216-202.216.232.223
header DIRECTDTI X-Spam-Relays-Untrusted =~ /(ip=(202\.216\.232\.2(1[6-9]|2[0-3])|210\.170\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|211\.132\.(6[4-9]|[78]\d|9[0-5])\.\d{1,3})|rdns=(PPP|DSL)[a-z0-9]+\.[a-z]+\-(ip|4x8x)\.dti\.ne.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTDTI directly received spam from DTI
score DIRECTDTI 1.5

# header DIRECTBIGLOBE Received =~ /from .+FL[AH]1A[a-z]{2,2}[0-9]{3,3}\.[a-z]{3,3}\.mesh\.ad\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTBIGLOBE X-Spam-Relays-Untrusted =~ /rdns=FL[AH]1A[a-z]{2,2}[0-9]{3,3}\.[a-z]{3,3}\.mesh\.ad\.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTBIGLOBE X-Spam-Relays-Untrusted =~ /(ip=(61\.203\.([4-9]|1[25-9]|2[0124-8]|3[014-9]|[4-8]\d|9[1-9]|1[01]\d|12[0-7])\.\d{1,3}|(219\.107|220\.144)(\.\d{1,3}){2})|rdns=FL[AH]1A[a-z]{2,2}[0-9]{3,3}\.[a-z]{3,3}\.mesh\.ad\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# header DIRECTBIGLOBE X-Spam-Relays-Untrusted =~ /(ip=(61\.203\.([4-9]|1[25-9]|2[0124-8]|3[014-9]|[4-8]\d|9[1-9]|1[01]\d|12[0-7])\.\d{1,3}|125\.(19[2-8]\.([1-9]|\d\d|1\d\d|2[0-4]\d|25[0-4])|199\.([1-9]|\d\d|1\d\d|2[0-3]\d|24[0-7]))\.\d{1,3}|(219\.107|220\.144)(\.\d{1,3}){2})|rdns=FL[AH]1A[a-z]{2,2}[0-9]{3,3}\.[a-z]{3,3}\.mesh\.ad\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTBIGLOBE X-Spam-Relays-Untrusted =~ /^\[ ip=(?:61\.203\.(?:[4-9]|1[25-9]|2[0124-8]|3[014-9]|[4-8]\d|9[1-9]|1[01]\d|12[0-7])\.\d{1,3}|119\.243\.73\.\d{1,3}|125\.(?:19[2-8]\.(?:[1-9]|\d\d|1\d\d|2[0-4]\d|25[0-4])|199\.(?:[1-9]|\d\d|1\d\d|2[0-3]\d|24[0-7]))\.\d{1,3}|220\.102\.138\.\d{1,3}|(?:219\.107|220\.144)(?:\.\d{1,3}){2}) /
describe DIRECTBIGLOBE directly received spam from BIGLOBE
score DIRECTBIGLOBE 1.5

# header DIRECTALPHANET Received =~ /from .+[0-9]{2,3}(\.[0-9]{1,3}){3,3}\.[a-z]+\.b{0,1}flets\.alpha-net\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTALPHANET X-Spam-Relays-Untrusted =~ /rdns=[0-9]{2,3}(\.[0-9]{1,3}){3,3}\.[a-z]+\.b{0,1}flets\.alpha-net\.ne\.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTALPHANET X-Spam-Relays-Untrusted =~ /(rdns=[0-9]{2,3}(\.[0-9]{1,3}){3,3}\.[a-z]+\.b{0,1}flets\.alpha-net\.ne\.jp|ip=61\.192\.(1(2[89]|[3-9]\d)|2([0-4]\d|5[0-5]))\.\d{1,3}) .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# header DIRECTALPHANET X-Spam-Relays-Untrusted =~ /(rdns=\d{1,3}(\.\d{1,3}){3}\.([a-z]+\.b{0,1}flets|west\.global)\.alpha-net\.ne\.jp|ip=61\.192\.(1(2[89]|[3-9]\d)|2([0-4]\d|5[0-5]))\.\d{1,3}) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTALPHANET X-Spam-Relays-Untrusted =~ /(rdns=\d{1,3}(\.\d{1,3}){3}\.([a-z]+\.b{0,1}flets|west\.global)\.alpha-net\.ne\.jp|ip=(61\.192\.(1(2[89]|[3-9]\d)|2([0-4]\d|5[0-5]))\.\d{1,3}|210\.229\.(67\.(3[3-9]|[4-9]\d|\d\d\d)|70\.(3[3-9]|[4-8]\d|9[01])|(7[36-9]|8[0-3])\.\d{1,3}))) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTALPHANET directly received spam from ALPHANET
score DIRECTALPHANET 1.5

# header DIRECTUNETSURF Received =~ /from .+f[0-9a-f]{4,4}\.[a-z]+\.ppp\.u-netsurf\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/

header DIRECTUNETSURF X-Spam-Relays-Untrusted =~ /rdns=(f[0-9a-f]{4,4}\.[a-z]+|\w+-\w+\.(\d{1,3}-){3}\d{1,3})\.ppp\.u-netsurf\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTUNETSURF directly received spam from U-NETSURF
score DIRECTUNETSURF 1.5

# header DIRECTEDITNET Received =~ /from .+f[0-9a-z](\-[0-9]{1,3}){2,2}\.edit\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTEDITNET X-Spam-Relays-Untrusted =~ /rdns=f[0-9a-z](\-[0-9]{1,3}){2,2}\.edit\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTEDITNET directly received spam from EDITNET
score DIRECTEDITNET 1.5

# flets-a-as-east-2-189.dsn.jp
# flets-a-as-east-2-210.dsn.jp
# flets-a-west-17-24.dsn.jp
# bflets-ma-as-east-1-46.dsn.jp

# header DIRECTDSNETWORKS Received =~ /from .+flets-[a-z]{1,2}-(as-east|west)(-[0-9]{1,3}){2,2}\.dsn\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTDSNETWORKS X-Spam-Relays-Untrusted =~ /rdns=.*flets-[a-z]{1,2}-(as-east|west)(-[0-9]{1,3}){2,2}\.dsn\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTDSNETWORKS directly received spam from DS Networks Co.
score DIRECTDSNETWORKS 1.5

# header DIRECTGERAGERA Received =~ /from .+lo[0-9]+\.[0-9]+\.geragera\.co\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTGERAGERA X-Spam-Relays-Untrusted =~ /rdns=lo[0-9]+\.[0-9]+\.geragera\.co\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTGERAGERA directly received spam from GERAGERA netcafe
score DIRECTGERAGERA 3.5

# 218.44.198.208-218.44.198.215
# 219.106.231.56 - 219.106.231.63
# header DIRECTVOICETOWN Received =~ /from.+(219\.106.231\.(5[6-9]|6[0-3])|218\.44\.198\.2(0[89]|1[0-5]))[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTVOICETOWN X-Spam-Relays-Untrusted =~ /ip=(219\.106.231\.(5[6-9]|6[0-3])|218\.44\.198\.2(0[89]|1[0-5])) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTVOICETOWN directly received spam from VOICETOWN netcafe
score DIRECTVOICETOWN 3.5


# header DIRECTSAKURAWEB Received =~ /from .*www[0-9]{1,3}\.sakura\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTSAKURAWEB X-Spam-Relays-Untrusted =~ /(ip=(59\.106\.(14\.204|18\.67|20\.223|32\.207|107\.72)|61\.211\.234\.41|202\.222\.30\.222|219\.94\.(128\.(45|51|173|188)|132\.(7|107)|133\.242))|rdns=(www2{0,1}\.skynetdm\.com|www933\.sakura\.ne\.jp|sv1\.mhai\.jp)) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTSAKURAWEB X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:59\.106\.(?:14\.204|18\.67|19\.40|20\.223|32\.207|100\.20[34]|107\.72|113\.84)|61\.211\.234\.41|112\.78\.112\.86|202\.(?:181\.(97\.71|98\.162|105\.136)|222\.30\.222)|210\.188\.201\.\d{1,3}|210\.188\.205\.(199|2(05|12))|210\.224\.165\.36|219\.94\.(?:128\.(?:45|51|173|188)|129\.(56|91)|132\.(?:7|107)|133\.2(14|42)|143\.3[2-5]|144\.71|148\.176|155\.184|162\.(?:15|142)|163\.153|167\.17[78]|181\.120|190\.106))|\d{2,3}(?:\.\d{1,3}){3} rdns=(?:www2{0,1}\.skynetdm\.com|www933\.sakura\.ne\.jp|sv1\.mhai\.jp|sv\d{1,3}\.xserver\.jp)) /
describe DIRECTSAKURAWEB directly received spam from SAKURAWEB
score DIRECTSAKURAWEB 3.5

# 210.188.233.128-210.188.233.255
# 210.188.248.0-210.188.248.127
header DIRECTHYPERBOX X-Spam-Relays-Untrusted =~ /(rdns=\w+\.cansystem\.(net|info)|ip=210\.188\.(233\.(12[89]|1[3-9]\d|2\d\d)|248\.(\d|\d\d|1[01]\d|12[0-7]))) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTHYPERBOX directly received spam from HYPERBOX
score DIRECTHYPERBOX 1.5

# header DIRECTGMOACCESS Received =~ /from .*([0-9]+\.){4,4}ap\.gmo-access\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTGMOACCESS X-Spam-Relays-Untrusted =~ /rdns=([0-9]+\.){4,4}ap\.gmo-access\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTGMOACCESS directly received spam from GMO Internet
score DIRECTGMOACCESS 1.5

# header DIRECTIIJ4U Received =~ /from .*(h[0-9]+\.p[0-9]+|([0-9]+\.){4,4}dy)\.iij4u\.or\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# 125.30.0.0 - 125.30.255.255
header DIRECTIIJ4U X-Spam-Relays-Untrusted =~ /(ip=(124\.41\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|125\.30(\.\d{1,3}){2}|210.138.([4-7]|1[09]|2[1236]|35|4[13]|5[2-7]|6[02]|7[236]|8[0568]|9[01]|1(0[4589]|1[237]|2[0-3678]|3[4-8]|4[2389]|5\d|6[0-379]|7[36-9]|8[1-9]|9[0-46-9])|2(0[0-689]|1[0-79]|2\d|3[14-8]|4[0-4678]|52))\.\d{1,3}|210\.148\.64\.45)|rdns=((h\d+\.p\d+|(\d+\.){4}dy)\.iij4u\.or\.jp|[a-z\d]{8}\.i-revonet\.jp)) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTIIJ4U directly received spam from IIJ4U
score DIRECTIIJ4U 1.5

# header DIRECTASAHINET Received =~ /from .*[a-z][0-9]{6,6}\.ppp\.asahi-net\.or\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# 211.120.64.0-211.120.95.255
# 202.213.128.0-202.213.159.255
# 124.155.0.0 - 124.155.127.255
# 218.45.160.0 - 218.45.191.255
header DIRECTASAHINET X-Spam-Relays-Untrusted =~ /(ip=(121\.1\.(12[89]|1[3-9]\d|2\d\d)|122\.249\.\d{1,3}|124\.155\.(\d|\d\d|1[01]\d|12[0-7])|202\.213\.1(2[89]|[345]\d)|211\.13\.1(2[89]|[2-5]\d)|211\.120\.(6[4-9]|[78]\d|9[0-5])|218\.45\.1([678]\d|9[01]))\.\d{1,3}|rdns=[a-z][0-9]{6,6}\.ppp\.asahi-net\.or\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTASAHINET directly received spam from ASAHI-NET
score DIRECTASAHINET 1.5


# 153209147058user.viplt.ne.jp
# 58.147.204.0 - 58.147.221.255
# header DIRECTVIPLT Received =~ /from .*[0-9]{12,12}user\.viplt\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTVIPLT X-Spam-Relays-Untrusted =~ /rdns=[0-9]{12,12}user\.viplt\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTVIPLT directly received spam from Vipalette (NTT NEOMEIT Co.)
score DIRECTVIPLT 1.5

# 220.100.0.0 - 220.100.127.255
# header DIRECTSST_BB Received =~ /from .+([0-9]{1,3}\.){2,2}100\.220\.sst-bb\.sst\.ne\.jp[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTSST_BB X-Spam-Relays-Untrusted =~ /rdns=([0-9]{1,3}\.){2,2}100\.220\.sst-bb\.sst\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTSST_BB directly received spam from Sharp Space Town
score DIRECTSST_BB 1.5


# 59.84.0.0 - 59.86.159.255
# header DIRECTTCOMADSL Received =~ /from .+(p[0-9]{3,3}\.net[0-9]{9,9}\.tnc\.ne\.jp|[0-9]{1,3}\.net[0-9]{9,9}\.t-com\.ne\.jp)[^a-z]+[0-9]{2,3}(\.[0-9]{1,3}){3,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# 220.148.0.0 - 220.148.255.255
# 220.148.128.0 - 220.148.191.255
header DIRECTTCOMADSL X-Spam-Relays-Untrusted =~ /(rdns=(p\d{3,3}\.net\d{9,9}\.tnc\.ne\.jp|\d{1,3}\.net\d{9,9}\.t-com\.ne\.jp)|ip=(59\.(8[45](\.\d{1,3}){2}|86\.(\d|[1-9]\d|1[0-5]\d)\.\d{1,3}))|220\.148\.1(2[89]|[3-8]\d|9[01])\.\d{1,3}) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTTCOMADSL directly received spam from T-COM ADSL Service (TOKAI NETWORK CLUB)
score DIRECTTCOMADSL 1.5

# 202.171.224.0 - 202.171.224.255
# header DIRECTXEXONNET Received =~ /from .+202\.171\.224\.[0-9]{1,3}[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
header DIRECTXEXONNET X-Spam-Relays-Untrusted =~ /ip=202\.171\.224\.[0-9]{1,3} [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTXEXONNET directly received spam from XEXONNET spammer's hosting service (see `host spamsrv1.hn.org`)
score DIRECTXEXONNET 3.5

# header DIRECTBBEXCITE X-Spam-Relays-Untrusted =~ /rdns=([0-9]{1,3}\.){4}dy\.bbexcite\.jp .+ by=(mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp) ident= envfrom= intl=0 .+auth= /
# 220.100.222.0 - 220.100.229.255
# header DIRECTBBEXCITE X-Spam-Relays-Untrusted =~ /(ip=219\.111\.(\d|[1-9]\d|1[01]\d|12[0-7])\.\d{1,3}|rdns=([0-9]{1,3}\.){4}dy\.bbexcite\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# header DIRECTBBEXCITE X-Spam-Relays-Untrusted =~ /(ip=(219\.111\.(\d|[1-9]\d|1[01]\d|12[0-7])|220\.100\.22[2-9])\.\d{1,3}|rdns=(\d{1,3}\.){4}dy\.bbexcite\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTBBEXCITE X-Spam-Relays-Untrusted =~ /^\[ ip=(219\.111\.(\d|[1-9]\d|1[01]\d|12[0-7])|220\.100\.22[2-9]|220\.156\.(9[6-9]|10[0-3]))\.\d{1,3} /
describe DIRECTBBEXCITE directly received spam from BB.excite
score DIRECTBBEXCITE 1.5

# 210.253.212.0 - 210.253.215.255
# 210.253.221.0 - 210.253.222.190
header DIRECTITSCOM X-Spam-Relays-Untrusted =~ /(ip=(210\.253\.)((21[2-5]|221)\.\d{1,3}|222\.(\d|[1-9]\d|1[0-8]\d|190))|rdns=(nttf\w+[0-9]\-[0-9]{3}|ote[a-z]{2}[0-9]{3})\.246\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTITSCOM directly received spam from its communications Inc.
score DIRECTITSCOM 1.5

header DIRECTSAINET_NET X-Spam-Relays-Untrusted =~ /ip=210\.236\.(3[2-9]|[45][0-9]|6[0-3])\.[0-9]{1,3} [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTSAINET_NET directly received spam from SaiNet Corporation
score DIRECTSAINET_NET 1.5

# 211.132.16.0-211.132.31.255
header DIRECTDORPHIN X-Spam-Relays-Untrusted =~ /(ip=211\.132\.(1[6-9]|2\d|3[01])\.\d{1,3}|rdns=[a-z]{3}[0-9]{2}-[0-9]{4}\.din\.or\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTDORPHIN directly received spam from DOLPHIN INTERNATIONAL INC.
score DIRECTDORPHIN 1.5

header DIRECTWILLCOM X-Spam-Relays-Untrusted =~ /rdns=P\d{12}\.ppp\.prin\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTWILLCOM directly received spam from WILLCOM
score DIRECTWILLCOM 1.5



# 203\.141\.(?:129\.(?!(4|34|38|45|58|68|83|98|110|122|143|161|176|201|209|220|225|231|244|252) )\d{1,3}|130\.(?!(15|30|35|36|60|66|69|121|122|123|124|125|126) )\d{1,3}|131\.(?!(0|1|2|3|4|5|6|7|58|180|194|195|196) )\d{1,3}|132\.(?!(8|24|41|55|59|64|98|100|101|130|139|160|170|193|196|217|229|238|241|249) )\d{1,3}|133\.(?!(4|13|16|33|34|41|43|55|73|74|75|168|199|208|232|234|242|248) )\d{1,3}|134\.(?!(6|33|41|55|67|72|80|88|91|103|105|114|127|133|145|150|171|172|178) )\d{1,3}|135\.(?!(20|21|98|99|100|101|102|113|114|115|116|117|118|119|120|121|122|123|124|125|126|210|212) )\d{1,3}|136\.(?!(\d|\d\d|1[01]\d|12[0-7]|160|193|219|225|230|235|242|244|247|250) )\d{1,3}|137\.(?!(5|40|42|44|60|90|99|109|114|116|132|133|146|185|191|198|201|202|204|211|219|242) )\d{1,3}|138\.(?!(10|31|43|45|50|51|57|69|72|91|94|100|148|171|187|200|211|216|220|221|228) )\d{1,3}|139\.(?!(31|34|56|77|101|117|122|126|129|131|150|156|157|165|178|182|183|185|187|193|197|207|227) )\d{1,3}|141\.(?!(\d|\d\d|1[01]\d|12[0-7]) )\d{1,3}|143\.(?:(4[89]|5\d|6[0-3]))|144\.(?!(17|30|36|41|44|47|52|54|63|66|68|79|88|103|107|115|127|150|169|179|180|189|195|203|218|224|225|230|232|235) )\d{1,3}|145\.(?!(82|84|146|248|249|250|251|252|253|254) )\d{1,3}|146\.(?!(8|11|88|102|128|138|139|140|150|186|187|190|191|197|198|208|238|246|250) )\d{1,3}|147\.(?!(19|24|30|65|66|67|68|69|122|124|125) )\d{1,3}|148\.(?!(1|2|5|18|25|57|58|59|60|61|62|96|97|98|99|100|101|102|103|186|187|188|189|199|200|212|219|229) )\d{1,3}|149\.(?!(18|20|36|106|107|113|114|115|116|117|118|134|137|153|194|212|226) )\d{1,3}|150\.(?!(58|59|130|131) )\d{1,3}|152\.(?!(16|17|33|34|44|46|50|58|64|66|72|74|114|118|120|121|125|132|136|175|198|199|202|210|230|243|246) )\d{1,3}|153\.(?!(1|2|3|4|5|6|33|34|35|36|37|38|65|66|67|68|106|169|170|171|172|173|174) )\d{1,3}|154\.(?!(3|143|186|188|210|249) )\d{1,3}|155\.(?!(6|18|23|34|46|57|83|85|133|156|162|178|193|202|212|219|245|252) )\d{1,3}|156\.(?!(23|49|74|79|122|143|152|197|217) )\d{1,3}|157\.(?!(27|80|82|119|124|142|154|163|205|213) )\d{1,3}|158\.(?!(2|5|16|17|22|28|39|47|48|56|65|84|92|97|98|108|118|119|128|149|163|168|183|199|200|208|210|214|216|219|225) )\d{1,3}|159\.(?!(18|20|49|50|51|52|53|54|122|155|158|170|182|191|193|200|205|212|215|219|240|252) )\d{1,3})

replace_tag INTERLINK_203_141 203\.141\.(129\.(?!(4|34|38|45|58|68|83|98|110|122|143|161|176|201|209|220|225|231|244|252) )\d{1,3}|130\.(?!(15|30|35|36|60|66|69|121|122|123|124|125|126) )\d{1,3}|131\.(?!(0|1|2|3|4|5|6|7|58|180|194|195|196) )\d{1,3}|132\.(?!(8|24|55|59|64|98|101|130|139|160|170|193|196|229|238|241|249) )\d{1,3}|133\.(?!(4|13|16|33|34|41|43|55|73|74|75|168|199|208|232|234|242|248) )\d{1,3}|134\.(?!(6|33|41|55|67|72|80|88|91|103|105|114|127|133|145|150|171|172|178) )\d{1,3}|135\.(?!(20|21|98|99|100|101|102|113|114|115|116|117|118|119|120|121|122|123|124|125|126|210|212|243) )\d{1,3}|136\.(?!(\d|\d\d|1[01]\d|12[0-7]|160|193|219|225|230|235|244|247|250) )\d{1,3}|137\.(?!(5|40|42|44|60|90|99|109|114|116|132|133|146|185|191|198|201|202|204|211|219|242) )\d{1,3}|138\.(?!(10|31|43|45|50|51|57|69|72|91|94|100|148|171|187|200|204|211|216|220|221|228) )\d{1,3}|139\.(?!(31|34|56|77|101|117|122|126|129|131|150|156|165|178|182|183|185|187|193|197|207|227|250) )\d{1,3}|141\.(?!(\d|\d\d|1[01]\d|12[0-7]) )\d{1,3}|143\.(?!(\d|[123789]\d|4[0-7]|6[4-9]|[12]\d\d) )\d{1,3}|144\.(?!(17|30|36|41|44|47|52|54|63|66|68|79|103|107|115|127|150|169|179|189|195|203|218|224|225|230|232) )\d{1,3}|145\.(?!(82|84|146|248|249|250|251|252|253|254) )\d{1,3}|146\.(?!(8|11|88|90|102|128|138|139|140|150|186|187|190|191|197|198|208|238|246|250) )\d{1,3}|147\.(?!(19|24|30|65|66|67|68|69|122|124|125) )\d{1,3}|148\.(?!(1|2|5|18|25|57|58|59|60|61|62|96|97|98|99|100|101|102|103|186|187|188|189|199|200|212|219|229) )\d{1,3}|149\.(?!(18|20|36|106|107|113|114|115|116|117|118|134|137|153|194|212|226) )\d{1,3}|150\.(?!(34|35|58|59|130|131|170) )\d{1,3}|152\.(?!(16|17|33|34|44|46|50|58|64|66|72|74|114|118|120|121|125|132|136|175|198|199|202|210|230|243|246) )\d{1,3}|153\.(?!(1|2|3|4|5|6|33|34|35|36|37|38|65|66|67|68|106|169|170|171|172|173|174) )\d{1,3}|154\.(?!(3|143|186|188|210|249) )\d{1,3}|155\.(?!(6|18|23|34|46|57|83|85|133|156|162|178|193|202|212|219|245|252) )\d{1,3}|156\.(?!(23|49|74|79|122|143|152|197|216|217) )\d{1,3}|157\.(?!(27|80|82|119|124|142|154|163|205|213) )\d{1,3}|158\.(?!(2|5|16|17|22|28|39|47|48|56|65|84|92|97|98|108|118|119|128|149|163|168|183|199|200|208|210|214|216|219|225) )\d{1,3}|159\.(?!(18|20|49|50|51|52|53|54|122|155|158|170|182|191|193|200|205|212|215|219|240|252) )\d{1,3})

# 116\.58\.(170\.(?!(136) )\d{1,3}|172\.(?!(7) )\d{1,3}|178\.(?!(26|65|66|67|68|69|70) )\d{1,3})

replace_tag INTERLINK_116_58 116\.58\.(167\.(?!(128|129|13\d|14[0-367]|150|186|193) )\d{1,3}|168\.(?!(2) )\d{1,3}|170\.(?!(136|144) )\d{1,3}|171\.(?!(203|204|241|242|243|244|249|250|251|252|253|254) )\d{1,3}|172\.(?!(7) )\d{1,3}|173\.(?!(5|37|170|171|172|173|174) )\d{1,3}|174\.(?!(130|210|241|242|243|244|245|246) )\d{1,3}|175\.(?!(195|196|197|225) )\d{1,3}|176\.(?!(10|117|126) )\d{1,3}|177\.(?!(190) )\d{1,3}|178\.(?!(26|65|66|67|68|69|70|113|114|193|194|195|196|197|198|206) )\d{1,3}|179\.(?!(19[2-9]|20[0-7]) )\d{1,3}|181\.(?!(210|211|213|236|238) )\d{1,3}|183\.(?!(145|154|155|179|18[0-3]|194|195|196|201|202|209|210|211|212|213|216|222) )\d{1,3}|184\.(?!(249|25\d) )\d{1,3}|185\.(?!(6[5-9|[789]\d|1[01]\d|12[0-7]|194|195|247|250|253|254) )\d{1,3}|186\.(?!(9[6-9]|1[01]\d|12[0-7]) )\d{1,3}|189\.(?!(145|146|147|148|158|161|163) )\d{1,3}|190\.(?!(129|130|131|132|134) )\d{1,3}|191\.(?!(14|3[2-9]|[45]\d|6[0-3]|13[012]) )\d{1,3})


replace_tag INTERLINK_203_152 203\.152\.(?:192\.(?!(16[0-7]|17[6-9]|1[89]\d|2[01]\d|22[0-3]|24[1-69]) )\d{1,3}|193\.(?!(6[4-7]|70|71|75|76|[89]\d|1[01]\d|12[0-7]|16[1-9]|17[0-4689]|188|190) )\d{1,3}|194\.(?!(90) )\d{1,3}|195\.(?!(\d|[1-5]\d|6[0-3]|16[26]|17[348]|18[78]|19[04-9]|2\d\d) )\d{1,3}|196\.(?!(17|54|1[3-8]\d|19[67]|209|21[0-3]|221) )\d{1,3}|197\.(?!(44|49|93|102|128|129|13\d|14[0-3]|19[4-79]|200|213|216) )\d{1,3}|198\.(?!(14|26|28|3[02-9]|[45]\d|6[0-3]|19[4-9]|2\d\d) )\d{1,3}|200\.(?!(5[789]|138|14[356]|19[3-9]|2[01]\d|22[012]) )\d{1,3}|201\.(?!(3|36|39|49|52|56|123|124|125) )\d{1,3}|202\.(?!(151|152) )\d{1,3}|203\.(?!(9|1[0-4]|2[678]|30|58|13[024]|169|17[0-4]|23[4-8]) )\d{1,3}|204\.(?!(24[1-9]|25[0-4]) )\d{1,3}|205\.(?!(10[5-9]|110|16[2349]|17[01]) )\d{1,3}|206\.(?!(99|107|120|121|123|126|147|149|153) )\d{1,3}|207\.(?!(130|16[1-9]|17[0-4]|18[5-9]|19[057]|202|210|222) )\d{1,3}|208\.(?!(22[5-9]|230) )\d{1,3}|210\.(?!(5|10|11|34|35|36|37|38|73|125|126) )\d{1,3}|211\.(?!([2-9]|[1-578]\d|6[0124-9]|9[0-5]|121|24[1-6]|25[012]) )\d{1,3}|212\.(?!(68|69|7\d|80|96|97|10[0-7]|11[3-8]|12[2-5]|1[678]\d|190|191|22[4-9]|23[0789]) )\d{1,3}|213\.(?!(7[3-8]|13[05]) )\d{1,3}|214\.(?!(2|13|26|30|6[678]|7[3-6]) )\d{1,3}|215\.(?!([1-9]|[12]\d|30|34|8[1-6]|10[5-9]|11[02-9]|12[0-7]|13[02-8]|15[89]|20[06]|23[46-9]|24[09]) )\d{1,3}|216\.(?!(3|8|32|46|6[5-9]|70|99|10[01]|13[0-5]|14[0-357]|150|16[89]|17[0-5]|20[89]|21\d|22[0-39]|230|24[23]) )\d{1,3}|217\.(?!(4[1-5]|17[6-9]|18\d|19[014-9]|20[0124-8]|22[127]|230|242|245|254) )\d{1,3}|218\.(?!(16|24|51|54|129|15[3-8]|19[5-9]|200|201|219|24[234]) )\d{1,3}|219\.(?!(11|2[789]|3[03-9]|4[0-6]|131|132|14[345]|19[3-9]|2[01]\d|220|23[34578]|24[23]) )\d{1,3}|220\.(?!(14|25|42|49|108|113|163|167|171|179|181|184|188|194|209|210) )\d{1,3}|221\.(?!(2|32|33|47|48|50|67|106|107|108|109|110|194|195|196|197|198|209|210|211|212|213|214) )\d{1,3}|222\.(?!([2-9]|1[0-4789]|2\d|30|5[789]|6[012]|81|90|13[0189]|140|141|1[678]\d|19[01]) )\d{1,3}|223\.(?!(5|29|36|49|55|193|195|208|209|21\d|22[0-3]) )\d{1,3})

# 202\.171\.(130\.(?!(3|11|16|48|63|92|93|100|103|104|106|120|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|161|162|163|164|165|166|170) )\d{1,3}|131\.(?!(195|196|197|198|234|235|242|243|250) )\d{1,3}|133\.(?!(28|41|42|62|76|95|101|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|228|229|230|231|235|236|237|248|250|252) )\d{1,3}|137\.(?!(?:36|47|64|65|66|67|68|69|70|71|74|161|162|163|164|165|166|209|210|211|212|213|214|216|217|218|219|220|222|241|242|243|244|245|246|247|248|249|250|251|252|253|254) )\d{1,3}|138\.(?!(33|34|35|36|37|38|42|43|44|45|46|132|144|169) )\d{1,3}|139\.(?!(9|18|29|130|131|132|134|135|136|139|140|142|143|144|145|146|147|148|149|150|151|152|154|155|156|157|209|210|211|212|213|214|232|236) )\d{1,3}|145\.(?!(118|119|136|141|181|185|186|187|188|189|190|227|228|229|232) )\d{1,3}|149\.(?!(210|211|212|218|219|220|221|222|233|234|235|236|237|238|242|243) )\d{1,3}|154\.(?!(16|34|74|75|76|77|114|116|118|121|162|186|187|211|212|213|214) )\d{1,3}|202\.171\.156\.(?!(30|34|48|51) )\d{1,3})

replace_tag INTERLINK_202_171 202\.171\.(128\.(?!(4|9|18|3[2-9]|[4-9]\d|1[01]\d|12[0-7]|162|20[89]|21\d|22[0-3]|24[2-9]|25\d) )\d{1,3}|129\.(?!(58|59|60|61|62) )\d{1,3}|130\.(?!(3|5|11|16|24|48|50|63|80|92|93|10[346]|12[09]|1[34]\d|15[0-8]|16[1-6]|170) )\d{1,3}|131\.(?!(195|196|197|198|234|235|242|243|250) )\d{1,3}|132\.(?!(13[189]|16[1-9]|17[0-47-9]|18\d|190|23[2-9]|24[1-9]|25\d) )\d{1,3}|133\.(?!(28|41|42|62|76|95|101|14[4-9]|15\d|19[2-9]|20\d|23[01567]|24[89]|25[02]) )\d{1,3}|134\.(?!(6[567]|70|1[3-8]\d|19[036-9]|200) )\d{1,3}|135\.(?!(25|26|27|12[2-6]|16\d|17[0-5]|190|202|248|249|25\d) )\d{1,3}|136\.(?!(6[6-9]|7[012]|13[0-4]|186|19[46-9]|20[0124-8]|21[0123568]|22[167]|23[02356]|25[12]) )\d{1,3}|137\.(?!(23|36|47|74|75|16[1-6]|21[1789]|220|24[1-9]|25\d) )\d{1,3}|138\.(?!(3[3-8]|4[2-6]|8\d|9[0-5]|132|144|169|21[01]|228|2[45]\d) )\d{1,3}|139\.(?!(9|21|29|30|96|97|98|99|1[01]\d|12[0-7]|13[0-69]|14[03-9]|15[124-7]|20[89]|21[0-5]) )\d{1,3}|140\.(?!(7|18|76|98|99|100|101|102|106|107|114|115|116|123|124|126|145|146|147|149|151|153|154|155|156|157|162|173) )\d{1,3}|141\.(?!(66|67|68|69|70|75|76|77|110|130|146|147|148|169|170|171|172|173|174|242|249|250|251|252|253|254) )\d{1,3}|142\.(?!(18|2[4-9]|3[0146]) )\d{1,3}|143\.(?!([1346]|18|97|98|99|1[013]\d|12[0-69]|14[012]|24[1-9]|25[04]) )\d{1,3}|144\.(?!(20|13[1-9]|14\d|15[0-8]|23[3-8]) )\d{1,3}|145\.(?!(118|119|136|141|18[15-9]|190|227|228|229|232) )\d{1,3}|146\.(?!(6[789]|[78]\d|9[0-4]|11[3-9]|12[0-6]|17[789]|18\d|190|22[689]|235|236|24[1-6]) )\d{1,3}|147\.(?!(1[27]|25|3[0128]|4[034]|53|60|90|129|13[0-4]|14[5-9]|15[0-8]) )\d{1,3}|148\.(?!(36|75|76|77|78|98|99|1[01]\d|12[0-6]|13[08]|16[1-6]|21[06]|221|225|238|24[1346-9]|25\d) )\d{1,3}|149\.(?!(128|129|13\d|14[0-3]|17[6-9]|18[0-3]|19[456]|21[0128]|220|222|23[3-8]|242|243) )\d{1,3}|150\.(?!(6[6-9]|70|71|72|87|88|89|9[0-4789]|10\d|110|131|249|250|251|253) )\d{1,3}|151\.(?!(22|9[6-9]|100|103|12[2-6]|138|139|14[015-9]|15[04-8]|178|179|18\d|19[03-9]|20[0-689]|220|221|222|23[4-7]|242|25[1-4]) )\d{1,3}|152\.(?!(117|118|120|212) )\d{1,3}|153\.(?!(113|114|116|117) )\d{1,3}|154\.(?!(2|16|34|74|75|76|77|114|116|118|121|162|186|187|211|212|213|214) )\d{1,3}|155\.(?!(3|24|50|121|122|123|124|125|126|135|136|137|139|140|141|142|143|145|146|147|148|149|151|162|163|164|165|166|170|171|220) )\d{1,3}|156\.(?!(30|34|48|51) )\d{1,3}|158\.(?!([12356]|10|11|29|5[0-4]|97|98|99|1[01345]\d|12[0-689]|208|209|21[0-5]) )\d{1,3}|159\.(?!(1[6-9]|2\d|30|31|7[2-9]|89|9[0-3]|19[3-9]|20[0-69]|210|211|214|253|254) )\d{1,3})


replace_tag INTERLINK_219_117 219\.117\.(?:192\.(?!(14|15|17|34|43|50|58|59|76|80|113|132|138|141|145|149|155|156|175|181|184|200|201|219|226|232|233|246) )\d{1,3}|193\.(?!(12|14|16|17|19|20|22|27|28|39|50|57|73|74|83|85|106|110|115|130|132|133|135|137|160|181|183|185|191|219|220|226|240|247) )\d{1,3}|194\.(?!(7|9|18|19|37|38|42|61|70|72|73|74|75|82|83|90|93|97|99|100|111|139|142|144|153|161|165|180|193|203|213|236|246|254) )\d{1,3}|195\.(?!(15|23|29|35|38|42|46|47|49|68|71|75|80|82|87|95|99|107|112|114|117|127|128|132|136|143|144|151|152|159|160|164|175|181|190|217|246) )\d{1,3}|196\.(?!(26|36|43|61|69|90|100|102|104|128|131|134|177|188|237|238) )\d{1,3}|197\.(?!(23|28|36|41|153|157|169|171|182|183|192|208|223|229|238|245|251) )\d{1,3}|198\.(?!(29|33|50|52|59|71|87|104|109|112|161|162|163|164|165|185|186|187|188|189|190|209|210|211|212|213|214) )\d{1,3}|199\.(?!(17|18|19|20|21|36|37|38|113|114|115|116|118|146|153|154|155|156|157|158|193|194|195|196|197) )\d{1,3}|200\.(?!(2|17|45|46|48|71|77|89|99|107|108|126|141|154|166|167|174|178|191|205|206|224|246|248|251) )\d{1,3}|201\.(?!(3|5|7|21|41|42|59|73|86|105|115|118|121|134|135|144|146|150|153|163|170|174|177|188|190|206|215|221|228|230|235|238|240|247|254) )\d{1,3}|202\.(?!(2|11|12|20|35|41|52|53|62|81|84|129|138|163|169|190|209|213|214|223|228|231|232|239) )\d{1,3}|203\.(?!(3|27|38|49|53|99|109|186|187|194) )\d{1,3}|204\.(?!(8|43|49|71|73|79|80|95|102|109|118|120|128|130|134|136|143|146|162|173|175|176|186|193|198|199|205|217|243|249|254) )\d{1,3}|205\.(?!(2|3|5|8|16|26|33|34|36|41|54|60|62|64|69|70|71|72|75|78|81|88|99|103|113|116|129|133|136|154|158|168|169|177|182|185|186|192|193|194|200|205|213|217|227|228|229|243|248) )\d{1,3}|206\.(?!(33|46|49|60|62|82|91|93|121|123|124|135|144|148|169|188|192|222) )\d{1,3}|207\.(?!(42|43|44|45|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|242|243|244|245|246|247) )\d{1,3}|208\.(?!(6|14|29|38|40|44|49|81|85|87|92|99|111|117|121|126|128|135|141|151|155|165|168|174|190|209|241) )\d{1,3}|209\.(?!(72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|115|121|122|123|124|125|126|154|155|156|157|241|242|243|244|245|246|247) )\d{1,3}|210\.(?!(35|36|37|38|40|41|42|43|44|45|46|47|73|74|75|76|77|78|96|97|98|99|102|103|185|186|187|188|189|190|224|225|226|227|228|229|230|231|232|233|234|235|236|237|238|239|249|250|251|252|253|254) )\d{1,3}|211\.(?!(17|21|22|26|27|51|58|59|66|161|162|164|165|209|210|211|212|213|214|221|222) )\d{1,3}|212\.(?!(9|40|48|68|69|91|107|176|178|202|217|218) )\d{1,3}|213\.(?!(9|10|11|12|13|14|18|19|20|21|22|33|34|35|36|37|38|58|75|82|83|84|86|218|243) )\d{1,3}|214\.(?!(22|23|50|98|99|101|102|106|107|109|130|170|171|172|174) )\d{1,3}|215\.(?!(57|58|59|82|83|84|85|86|107|108|109|155|156) )\d{1,3}|216\.(?!(16|39|42|43|53|100|110|153|191|210|221|228|237|242|243|246) )\d{1,3}|217\.(?!(8|16|33|35|45|50|55|56|57|75|82|94|96|97|98|101|109|137|138|139|141|142|154|171|178|179|180|181|182|208|209|210|211|212|213|214|215|218) )\d{1,3}|218\.(?!(7|11|14|24|56|68|71|87|99|117|136|178|179|180|182|185|186|187|188|189|190) )\d{1,3}|219\.(?!(88|89|90|93|94|95|98|99|100|101|102|129|130|131|132|133|134|145|146|147|148|149|150|208|209|210|211|212|213|214|215|244|245) )\d{1,3}|220\.(?!(5|30|33|36|49|54|66|73|76|86|103|111|114|118|121|177|178|179|180|181|182|183|184|185|186|187|188|189|190|234|235|236) )\d{1,3}|221\.(?!(25|26|27|28|29|30|49|53|57|61|66|67|68|98|99|100|101|102|114|115|116|119|145|146|147|148|149|150|161|162|163|164|165|166|218|219|234|241|242|243|244|245|246) )\d{1,3}|222\.(?!(12|43|59|75|95|98|100|102|104|112|115|120|133|144|148|200|201|202|203|204|205|206|207|249|250) )\d{1,3}|223\.(?!(80|85|146|147|148|163|194|217|218|219|220|221|222) )\d{1,3}|224\.(?!(81|82|91|109|113|115|136|245) )\d{1,3}|225\.(?!(23|56|57|58|59|60|61|62|63|66|74|75|76|77|137|138|139|140|141|142|162|163|164|165|201|202|241|242|243|244|245|246) )\d{1,3}|226\.(?!(24|52|75|76|129|178|179|180|195|196|226|227|228|229|234|241|242|243|244|245|246) )\d{1,3}|227\.(?!(3|14|24|40|46|178|193|194|195|208|209|210|211|212|213|214|215|217|218|219|220|221|222|242|243|245) )\d{1,3}|228\.(?!(5|6|12|20|26|81|82|85|87|88|92|106|114|115|122|123|124|125|138|139|140|169|170|171|172|173|174|179|181|194|195) )\d{1,3}|229\.(?!(14|17|29|42|51|52|53|54|156|209|210|211|212|213|214|241|242|243|244|245|246|248|249|250|253) )\d{1,3}|230\.(?!(6|10|15|20|21|22|24|29|30|32|33|35|36|37|38|39|43|66|67|69|73|81|87|88|100|108|113|114|115|116|117|118|130|131|132|133|134|138|139|140|141|142|162|163|170|171|210|211|212|213|214|217|218|219|220|221|222|234|235|236|237|238) )\d{1,3}|231\.(?!(30|31|50|51|53|113|114|115|116|117|118|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|225|226|227|228|229|230|243|245|250) )\d{1,3}|232\.(?!(3|32|47|55|60|81|85|98|99|107|108|109|110|115|121|122|123|145|146|147|148|149|150|153|154|155|162|196|197|198|199|217|218) )\d{1,3}|233\.(?!(18|46|47|66|67|68|69|70|72|73|89|90|91|92|93|94|99|100|101|107|208|209|210|211|212|213|214|215|216|217|218|219|220|221|222|223|233|234|235|236|237|238) )\d{1,3}|234\.(?!(2|5|7|8|10|14|29|42|59|67|82|84|121|160|161|162|163|164|165|166|167|186) )\d{1,3}|235\.(?!(16|24|25|32|35|40|50|51|160|161|162|163|164|165|166|167|184|185|186|187|188|189|190|191|210|211|213) )\d{1,3}|236\.(?!(5|13|15|33|39|40|57|59|82|83|84|85|86|97|98|99|100|101|102|103|104|105|106|107|108|109|110|115|128|130|131|132|178|179|218|219|220|221|222|249|250|251|252|253|254) )\d{1,3}|237\.(?!(22|49|50|51|52|53|54|68|69|70|71|72|73|74|75|76|77|78|106|130|131|132|133|134|169|170|171|172|173|174|226|227|228|229|230) )\d{1,3}|238\.(?!(10|20|30|48|193|194|195|196|201|202|203|204|205|206) )\d{1,3}|239\.(?!(35|60|80|81|82|83|84|85|86|87|89|90|91|92|99|103|104|193|194|241|242|243|244|245|246) )\d{1,3}|240\.(?!(5|6|13|15|34|89|90|91|92|93|94|97|98|99|100|101|102|107|108|123|124|233|234|235|236|239) )\d{1,3}|241\.(?!(12|21|24|26|66|97|106|241|242|243|244|245|246) )\d{1,3}|242\.(?!(2|11|40|44|98|99|129|130|131|132|133|134|135|136|137|138|139|140|141|142|147|148|149|192|193|194|195|196|197|198|199|234|235|243) )\d{1,3}|243\.(?!(3|20|23|89|90|91|92|93|94|108|109|110|178|179|180|181|182|210|211|234|235|236|237) )\d{1,3}|244\.(?!(18|28|30|33|34|40|43|45|55|56|57|60|61|62|97|98|99|100|101|102|105|106|107|108|110|193|194|195|196|197|198|210|211|212) )\d{1,3}|245\.(?!(2|5|9|25|26|38|51|53|57|98|130|132|170|171|172|173|177|178|179|180|181|182|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|226|254) )\d{1,3}|246\.(?!(25|49|50|51|52|53|54|98|105|106|108|109|110|121|122|123|124|125|126|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214|215|224|226|227|228|229|230|231|232|233|234|235|236|237|238|239|240|241|242|243|244|245|246|247|248|249|250|251|252|253|254|255) )\d{1,3}|247\.(?!(12|24|35|37|46|78|81|82|83|84|85|86|87|88|89|90|91|92|93|94|98|101|130|131|132|133|134|135|136|137|139|142|178|182|241|242|243|244|245|246) )\d{1,3}|248\.(?!(41|42|43|44|58|59|60|61|62|66|67|68|69|73|74|75|76|77|78|106|110|114|116|188|217|218|220|221|222|249|251|252) )\d{1,3}|249\.(?!(41|42|43|44|45|46|58|59|60|81|82|83|84|85|86|89|90|91|92|93|94|98|146|147|153|154|155|156|158|226|227|228) )\d{1,3}|250\.(?!(18|19|20|21|22|23|24|25|26|27|28|29|30|147|150|213|249|250|251|252|253|254) )\d{1,3}|251\.(?!(4|30|114|115|116|117|118|119|120|121|122|123|124|125|126|131|140|163|164|202|203|204|205|214) )\d{1,3}|252\.(?!(11|16|19|23|25|29|66|67|81|82|83|84|85|86|88|89|90|92|93|94|133|142|144|145|161|162|163|164|165|166|167|168|169|170|171|172|173|174|211|212|226|227|228|229|230) )\d{1,3}|253\.(?!(4|66|67|88|89|90|91|92|93|94|95|140|146|150|194|195|196|197|198|228|230|242|243|244|246|250|251|252|253|254) )\d{1,3}|254\.(?!(11|39|67|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|130|152|235) )\d{1,3}|255\.(?!(11|21|41|42|43|44|45|46|69|77|81|85|86|87|88|94|97|98|99|100|101|102|103|104|105|106|107|108|109|142|180|181|210|211|212|213|214|215|216|217|218|219|220|221|242|243|244|245|246|247|248|249|250|251|252|253|254) )\d{1,3})


# 61\.206\.(?:118\.(?!(27|40|42|43|63|81|89|103|105|122|132|133|137|140|171|172|185|224|234|236|241|243|244) )\d{1,3}|120\.(?!(?:13|16|30|49|55|74|86|94|116|119|135|136|142|148|165|171|180|222|239|246) )\d{1,3}|121\.(?!(?:1|21|26|28|32|37|39|41|49|53|58|59|114|177|178|179|180|181|182|209|210|211|212|213|214|215|216|217|218|219|220|221|222) )\d{1,3})
replace_tag INTERLINK_61_206 61\.206\.(112\.(?!(31|32|47|76|96|98|208|215) )\d{1,3}|113\.(?!(9|16|30|38|40|47|55|60|93|107|108|187|193|197|206|211|216|226|244) )\d{1,3}|114\.(?!(7|13|43|54|66|77|79|86|91|101|113|120|124|127|147|157|174|186|191|222|228) )\d{1,3}|115\.(?!([3568]|12|14|59|6[5-9]|70|83|105|106|128|129|13[0-589]|14[25-9]|150|155|163|169|17[0-4]|187|21[789]|220|23[4-8]) )\d{1,3}|116\.(?!(6|20|48|57|71|82|85|91|98|117|124) )\d{1,3}|117\.(?!(10|11|33|34|35|36|37|38|42|43|44|82|85|219|224|225|226|227|228|229|230|231) )\d{1,3}|118\.(?!(27|40|42|54|63|81|89|93|103|105|114|122|132|133|137|140|171|172|185|202|218|224|234|236|241|244) )\d{1,3}|119\.(?!(2|19|31|65|71|80|87|94|120|126|143|149|150|157|165|170|172|174|183|188|190|213|216|218|223) )\d{1,3}|120\.(?!(13|16|30|48|49|55|73|74|75|86|94|114|116|119|135|136|142|148|165|171|180|186|222|239|246|250) )\d{1,3}|121\.(?!(1|21|26|28|32|37|39|41|44|49|53|58|59|101|104|114|121|156|157|209|210|211|212|213|214|215|216|217|218|219|220|221|222) )\d{1,3})

replace_tag INTERLINK_210_48 210\.48\.(224\.(?!(19[3-9]|2[0-4]\d|25[012]) )\d{1,3}|22[57]\.\d{1,3}|226\.(?!(19[2-9]|2\d\d) )\d{1,3}|228\.(?!(19[3-9]|2[0-4]\d|25[012]) )\d{1,3}|229\.(?!(88|89|9[0-5]|22[5-8]|230|234|235) )\d{1,3}|230\.(?!(30|4[1-6]) )\d{1,3}|231\.(?!(90|91|92|14[5-9]|15[0-7]|177|180|182) )\d{1,3}|232\.(?!(42|80|81|82|83|84|85|86|87|90|19[2-9]|2[01]\d|22[0-36-9]|230|231) )\d{1,3}|233\.(?!(88|89|9\d|1[01]\d|12[0-7]|192|193|194|196|22[4-9]|2[345]\d|) )\d{1,3}|234\.\d{1,3}|235\.(?!(57|58|59|60|61|62|97|98|165|208|209|2[123]\d|249|250|254) )\d{1,3}|236\.(?!(89|90|91|92|94|211|22[014-9]|2[345]\d) )\d{1,3}|237\.(?!(16[0-5]|173|174|175) )\d{1,3}|238\.(?!(17|18|19|2[01246-9]|30|31) )\d{1,3}|239\.(?!(99|129|1[3-9]\d|2[0-3]\d|24[0-8]) )\d{1,3}|240\.(?!(1[678]\d|190|191) )\d{1,3}|243\.(?!(24[0-7]) )\d{1,3}|244\.(?!(128|129|1[345]\d) )\d{1,3}|24[125-8]\.\d{1,3}|249\.(?!(\d[1-5]\d|6[0-3]) )\d{1,3}|25[0-4]\.\d{1,3}|255\.(?!(\d[12]\d|3[0125-9|4[0158]|5[5-8]) )\d{1,3})


header DIRECTINTERLINK X-Spam-Relays-Untrusted =~ /^\[ ip=((?:<INTERLINK_203_141>|<INTERLINK_116_58>|<INTERLINK_203_152>|<INTERLINK_202_61>|<INTERLINK_202_171>|<INTERLINK_210_48>|<INTERLINK_219_117>|<INTERLINK_61_206>)|\d{2,3}(?:\.\d{1,3}){3} rdns=(\d{2,3}(\.\d{1,3}){3}\.user(\.\w{2}){0,1}\.il24\.net|\d{2,3}(\.\d{1,3}){3}\.static\.zoot\.jp)) /
describe DIRECTINTERLINK directly received spam from INTERLINK
score DIRECTINTERLINK 1.5

header DIRECTLINKCLUB X-Spam-Relays-Untrusted =~ /rdns=ad-\d{4}\.\w+\.ip-link\.ne\.jp [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTLINKCLUB directly received spam from LINKCLUB
score DIRECTLINKCLUB 1.5

# 222.150.0.0 - 222.150.255.255
# 220.99.128.0 - 220.99.255.255
# 60.34.0.0 - 60.35.255.255
# 60.36.0.0 - 63.36.167.255
# 60.36.192.0 - 60.36.255.255
# 60.41.0.0 - 60.42.255.255
# 60.43.0.0 - 60.43.62.255
# ??? 60.43.63.0 - 60.43.63.255
# 60.43.64.0 - 60.43.127.255
# 60.46.128.0 - 60.46.255.255
# 60.47.0.0 - 60.47.255.255
# header DIRECTPLALA X-Spam-Relays-Untrusted =~ /(ip=(220\.99\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])\.\d{1,3}|222\.150(\.\d{1,3}){2})|rdns=i\d{2,3}(-\d{1,3}){3}\.s\d{2}\.a\d{3}\.ap\.plala\.or\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTPLALA X-Spam-Relays-Untrusted =~ /^\[ ip=((219\.119\.137|220\.99\.(12[89]|1[3-9]\d|2\d\d))\.\d{1,3}|222\.150(\.\d{1,3}){2}) /
describe DIRECTPLALA directly received spam from Plala Networks Inc.
score DIRECTPLALA 1.5

# 222.225.0.0 - 222.225.255.255
# 210.189.129.0 - 210.189.130.255
# 210.189.130.128-210.189.130.255
header DIRECTPOWEREDCOM X-Spam-Relays-Untrusted =~ /(ip=(210\.189\.130\.(12[89]|1[3-9]\d|2[0-4]\d|25[0-5])|222\.225(\.\d{1,3}){2})|rdns=[a-z]{2}\d{1,3}\.opt2\.point\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTPOWEREDCOM directly received spam from TEPCO-HIKARI(DREAM TRAIN INTERNET,Inc.)
score DIRECTPOWEREDCOM 1.5

# 202.69.224.0 - 202.69.239.255
# 124.40.0.0 - 124.40.63.255
# 8\.(12|32|41|6[78]|7[13]|81|1(3[24-9]|4[15]|50|6[27]|75|8[067])|2(0[0-49]|1[34]|2[0139]|3[24]|4[789]|50))
# header DIRECTARCSTAR X-Spam-Relays-Untrusted =~ /(ip=(124\.40\.(1\.(27|3[24]|62|76|107|180|242)|5\.11[5-8]|8\.(8|12|41|6[78]|81|1(12|45|50|67|75)|2(0[14]|24|4[79]|53))|9\.75|10\.103)|202\.69\.(230\.(106|173|197)|231\.(27|39|77|109|155|212)|234\.(59|2(04|19|52))|235\.(141|164|222)|237\.(16|20|61|1(1[45]|2[467]|3[78]|73)|212)|238\.(66|81|197))|203\.105\.(80\.25|81\.160|83\.(31|44|159|213|222|234)))|rdns=\w+\d{3,4}\.trialserver\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTARCSTAR X-Spam-Relays-Untrusted =~ /helo=\w+\d{3,4}\.trialserver\.jp by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTARCSTAR directly received spam from ARCSTAR (NTT COMMUNICATIONS CORPORATION)
score DIRECTARCSTAR 2.5

# 210.172.128.0-210.172.191.255
header DIRECTINTERQ X-Spam-Relays-Untrusted =~ /(ip=210\.172\.(160.120|165.149|177.87)|rdns=(\w+\.298\.jp|pharma-network\.com)) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTINTERQ directly received spam from Global Media Online inc.
score DIRECTINTERQ 1.5

# 218.45.64.0-218.45.95.255
header DIRECTEACCESS X-Spam-Relays-Untrusted =~ /(ip=218\.45\.(?!(78|87)\.)(6[4-9]|[78]\d|9[0-5])\.\d{1,3}|rdns=218\.45\.(?!(78|87)\.)(6[4-9]|[78]\d|9[0-5])\.\d{1,3}\.eo\.eaccess\.ne\.jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTEACCESS directly received spam from eAccess Co.,Ltd.
score DIRECTEACCESS 1.5

# 211.9.208.0-211.9.223.255
# header DIRECTCPI X-Spam-Relays-Untrusted =~ /(ip=211\.9\.(2(08|09|10|15|16)\.(11|133)|211\.(9|11|133)|21[2345789]\.11|215\.195|220\.(7|75|83|91|99|107|131|147|155\163|171|179|187|195|227|243)|221\.(11|19|27|99|107|115|147|179)|222\.(133|197|221|229)|223\.130)|rdns=\w+\d+\.secure\.(|ne\.)jp) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTCPI X-Spam-Relays-Untrusted =~ /^\[ ip=(122\.200\.(19[2-9]|2\d\d)\.\d{1,3}|211\.9\.(2(08|09|10|15|16)\.(11|133)|211\.(9|11|133)|21[2345789]\.11|215\.195|220\.(7|75|83|91|99|107|131|147|155\163|171|179|187|195|227|243)|221\.(11|19|27|99|107|115|147|179)|222\.(133|197|221|229)|223\.130)) /
describe DIRECTCPI directly received spam from CPI Incorporation
score DIRECTCPI 1.5

header DIRECTPROX X-Spam-Relays-Untrusted =~ /(ip=210\.166\.(215\.63|217\.167|221\.158)|rdns=ns\.(pop-ad|mailbank)\.biz) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTPROX directly received spam from PROX SYSTEM DESIGN
score DIRECTPROX 1.5

# 202.51.8.0 - 202.51.15.255
# header DIRECTCLARA X-Spam-Relays-Untrusted =~ /(ip=202\.(45\.(161\.192|165\.128)|51\.10\.130)|rdns=(www\.air[wW]ork\.jp|ms\.savaway\.jp)) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# header DIRECTCLARA X-Spam-Relays-Untrusted =~ /^\[ ip=(?:(?:202\.(?:45\.(?:161\.192|165\.128)|51\.10\.130))|\d{2,3}(?:\.\d{1,3}){3} rdns=(?:www\.air[wW]ork\.jp|ms\.savaway\.jp)) /
header DIRECTCLARA X-Spam-Relays-Untrusted =~ /^\[ ip=(?:119\.18\.221\.131|202\.(?:45\.(?:161\.192|165\.128)|51\.10\.130)|\d{2,3}(?:\.\d{1,3}){3} rdns=(?:www\.air[wW]ork\.jp|ms\.savaway\.jp)) /
describe DIRECTCLARA directly received spam from Clara Online, Inc.
score DIRECTCLARA 1.5

# 203.82.128.0 - 203.82.159.255
header DIRECTSAVVIS X-Spam-Relays-Untrusted =~ /(ip=203\.82\.141\.105|rdns=mail05\.jp\.betrend\.com) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTSAVVIS SAVVIS Communications
score DIRECTSAVVIS 1.5

# header DIRECTATTGNS X-Spam-Relays-Untrusted =~ /(ip=210\.88\.([4-9]|1[0125]|3[2-9]|4[0-35]|6[6-9]|14[89]|1[567]\d|18[4-7]|218|22[0256]|23[6-9]|24[0235-9]|25\d)\.\d{1,3}|rdns=slip(-\d{1,3}){4}\.to\.jp\.prserv\.net) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTATTGNS X-Spam-Relays-Untrusted =~ /(ip=210\.(88\.([4-9]|1[0125]|3[2-9]|4[0-35]|6[6-9]|14[89]|1[567]\d|18[4-7]|218|22[0256]|23[6-9]|24[0235-9]|25\d)|89\.1(0[014-9]|1[036]))\.\d{1,3}|rdns=slip(-\d{1,3}){4}\.to\.jp\.prserv\.net) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTATTGNS directly received spam from AT&T GNS
score DIRECTATTGNS 1.5


# 61.14.128.0 - 61.14.191.255
# 125.252.64.0 - 125.252.127.255
# 122.152.128.0 - 122.152.191.255
header DIRECTASIANETCOM X-Spam-Relays-Untrusted =~ /(ip=(61\.14\.1(2[89]|[3-8]\d|9[01])|122\.152\.1(2[89]|[3-8]\d|9[01])|125\.252\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7]))\.\d{1,3}|rdns=ip(-\d{1,3}){4}\.asianetcom\.net) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTASIANETCOM directly received spam from Asia Netcom Corporation
score DIRECTASIANETCOM 1.5


header DIRECTSYSTEMDESIGN X-Spam-Relays-Untrusted =~ /(ip=210\.252\.63\.133|rdns=www\.otegami\.com) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
describe DIRECTSYSTEMDESIGN directly received spam from SYSTEMDESIGN
score DIRECTSYSTEMDESIGN 1.5

# header DIRECTWAKWAK X-Spam-Relays-Untrusted =~ /ip=(219\.103\.(210\.(84|135|18[234]|2(37|4[07]))|211\.11)|61\.115\.(72\.195|114\.4[34])|61\.205\.237\.(39|114|208)) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# 211\.19\.100\.5[346]
# header DIRECTWAKWAK X-Spam-Relays-Untrusted =~ /ip=(61\.45\.36\.2\d\d|61\.115\.(72\.195|114\.4[34])|61\.205\.(237\.(39|114|208)|238\.127)|211\.19\.100\.(6|1[2348]|38|[4-9]\d)|219\.103\.(210\.(84|135|18[234]|2(37|4[07]))|211\.11)) [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
# 237\.(39|114|208)|238\.127
# 211\.19\.100\.(6|1[2348]|38|[4-9]\d)
# header DIRECTWAKWAK X-Spam-Relays-Untrusted =~ /^\[ ip=(61\.45\.(36\.2\d\d|39\.\d{1,3})|61\.115\.(72\.(57|195|2\d\d)|112\.\d{1,3}|114\.4[34]|1(1[35-9]|2[345])\.\d{1,3})|61\.205\.(22[67]|23[23678])\.\d{1,3}|211\.19\.10[01]\.\d{1,3}|219\.103\.(210\.(84|135|18[234]|2(37|4[07]))|211\.11)) /
header DIRECTWAKWAK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:61\.45\.(?:36\.2\d\d|3[79]\.\d{1,3})|61\.115\.(?:72\.(?:57|195|2\d\d)|74\.\d{1,3}|112\.\d{1,3}|114\.\d{1,3}|1(?:1[35-9]|2[345])\.\d{1,3})|61\.205\.(?:22[67]|23[23678])\.\d{1,3}|211\.19\.10[01]\.\d{1,3}|219\.103\.(?:210\.(?:84|135|18[234]|2(?:37|4[07]))|211\.11)) /
describe DIRECTWAKWAK directly received spam from XePhion(NTT-ME Corporation)
score DIRECTWAKWAK 1.5

header DIRECTMEDIAWARS X-Spam-Relays-Untrusted =~ /^\[ ip=210\.233\.74\.16[46] /
describe DIRECTMEDIAWARS directly received spam from MEDIAWARS
score DIRECTMEDIAWARS 1.5

header DIRECTBITDRIVE X-Spam-Relays-Untrusted =~ /^\[ ip=(202\.94\.(129\.36|153\.(85,197))|211\.9\.45\.148) /
describe DIRECTBITDRIVE directly received spam from BIT-DRIVE(Sony Corporation)
score DIRECTBITDRIVE 1.5

header DIRECTXREA X-Spam-Relays-Untrusted =~ /^\[ ip=(125\.53\.25\.(\d|[1-5]\d|6[0-3])|210\.196\.169\.(19[2-9]|2[01]\d|22[0-3])|219\.101\.229\.159) /
describe DIRECTXREA directly received spam from XREA(DIGIROCK,INC.)
score DIRECTXREA 1.5

header DIRECTMEDEXCG X-Spam-Relays-Untrusted =~ /^\[ ip=(?:210\.166\.235\.(?:1[0-24-9]|[23]\d|4[013]|5[4-7]|61|7[6-9]|8[01])|211\.13\.(?:204\.65|217\.133)) /
describe DIRECTMEDEXCG directly received spam from Media Exchange Co., Inc.
score DIRECTMEDEXCG 1.5

header DIRECTADVANSCOPE X-Spam-Relays-Untrusted =~ /^\[ ip=61\.121\.224\.38 [^\[\]]+ \] \[ ip=219\.106\.190\.102 /
describe DIRECTADVANSCOPE directly received spam from advanscope.inc
score DIRECTADVANSCOPE 1.5

header DIRECTDIGIROCK X-Spam-Relays-Untrusted =~ /^\[ ip=(?:202\.172\.28\.\d{1,3}|219\.163\.200\.(?:6[4-9]|[789]\d|1[01]\d|12[0-7])) /
describe DIRECTDIGIROCK directly received spam from DigiRock, Inc.
score DIRECTDIGIROCK 1.5

header DIRECTCOMMUFA X-Spam-Relays-Untrusted =~ /^\[ ip=210\.173\.156\.223 /
describe DIRECTCOMMUFA directly received spam from Chubu Telecommunications Co.,Inc
score DIRECTCOMMUFA 1.5

# header DIRECTEMOBILE X-Spam-Relays-Untrusted =~ /^\[ ip=(60\.254\.(?!(193\.2(09|21|22)|209\.174) )(19[2-9]|2\d\d)|117\.55\.(?!1\.88 )(\d|\d\d|1[01]\d|12[0-7])|119\.72\.\d{1,3})\.\d{1,3} /
header DIRECTEMOBILE X-Spam-Relays-Untrusted =~ /^\[ ip=(60\.254\.(?!(193\.2(09|21|22)|209\.174) )(19[2-9]|2\d\d)|114\.(4[89]|5[01])\.\d{1,3}|117\.55\.(?!1\.88 )(\d|\d\d|1[01]\d|12[0-7])|119\.72\.\d{1,3})\.\d{1,3} /
describe DIRECTEMOBILE directly received spam from eMobile Ltd.
score DIRECTEMOBILE 1.5


# 121.104.0.0 - 121.111.255.255
header DIRECTKDDI X-Spam-Relays-Untrusted =~ /^\[ ip=(121\.111\.245\.(\d|[1-5]\d|6[0-3])|122\.200\.224\.163) /
describe DIRECTKDDI directly received spam from KDDI CORPORATION
score DIRECTKDDI 1.5

header DIRECTSBIDC X-Spam-Relays-Untrusted =~ /^\[ ip=(?:202\.218\.36\.(?:19[2-9]|2\d\d)|211\.13\.237\.(?:[789]|[1-5]\d|6[012])) /
describe DIRECTSBIDC directly received spam from SOFTBANK IDC Corp.
score DIRECTSBIDC 1.5

header DIRECTNTTMEDIAS X-Spam-Relays-Untrusted =~ /^\[ ip=219\.124\.(?:3[2-9]|4[0-6])\.\d{1,3} /
describe DIRECTNTTMEDIAS directly received spam from NTT Medias.
score DIRECTNTTMEDIAS 1.5

header DIRECTK_OPTICOM X-Spam-Relays-Untrusted =~ /^\[ ip=58\.188\.(?!(96\.(2[24]|80|150|229)|97\.(73|174)|98\.(40|104|215)|102\.(83|22[69])) )\d{1,3}\.\d{1,3} /
describe DIRECTK_OPTICOM directly received spam from K-Opticom Corporation
score DIRECTK_OPTICOM 1.5

header DIRECTJCN X-Spam-Relays-Untrusted =~ /^\[ ip=118\.8[37](?:\.\d{1,3}){2} /
describe DIRECTJCN directly received spam from JAPAN CABLENET LIMITED
score DIRECTJCN 1.5


# header DIRECTUNKNOWN Received =~ /from (.+\((unknown ){0,1}\[([0-9]{1,3}\.){3,3}[0-9]{1,3}\]\)|.*([0-9]{1,3}\.){3,3}[0-9]{1,3} +\((HE|EH)LO .+\).*\(([0-9]{1,3}\.){3,3}[0-9]{1,3}\))[^(a-z]{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/

# header DIRECTUNKNOWN Received =~ /from (.+\((unknown ){0,1}\[[0-9]{2,3}(\.[0-9]{1,3}){3,3}\]\)|.*([0-9]{1,3}\.){3,3}[0-9]{1,3} +\((HE|EH)LO .+\).*\(([0-9]{1,3}\.){3,3}[0-9]{1,3}\)).{0,3}by (mail\.flcl\.org|[a-z0-9]+\.nifty\.((ne|co|ad)\.jp|com)|(alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp|fm[1-6]\.freemail\.ne\.jp)/
# header DIRECTUNKNOWN Received =~ /from (.+\((unknown ){0,1}\[[0-9]{2,3}(\.[0-9]{1,3}){3,3}\]\)|.*([0-9]{1,3}\.){3,3}[0-9]{1,3} +\((HE|EH)LO .+\).*\(([0-9]{1,3}\.){3,3}[0-9]{1,3}\)).{0,3}by (alt|dns|mta|ybbmta)[0-9][0-9]\.mail\.((bbt|mci|tnz)\.){0,1}yahoo\.co\.jp/
# header DIRECTUNKNOWN X-Spam-Relays-Untrusted =~ /rdns= [^\[\]]+ by=<MYMTA> ident= envfrom= intl=0 [^\[\]]+auth= /
header DIRECTUNKNOWN X-Spam-Relays-Untrusted =~ /ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01])(\.\d{1,3}){2}|10(\.\d{1,3}){3}))\d{2,3}(\.\d{1,3}){3} rdns= helo=[^\[\]]+ by=<MYMTA>/
describe DIRECTUNKNOWN directly received spam from suspicious dynamic IP
score DIRECTUNKNOWN 0.3



# meta FRGDHLDIRECT FORGED_RCVD_HELO && ___DYNAMICIP && BAYES_99
# describe FRGDHLDIRECT directly sent spam with forged Received: HELO
# score FRGDHLDIRECT 1.5

# meta MTAIDFRGDIRECT MSGID_FROM_MTA_ID && FRGDHLDIRECT
# describe MTAIDFRGDIRECT MSGID_FROM_MTA_ID && FRGDHLDIRECT
# score MTAIDFRGDIRECT 10.0

meta ___DYNAMICIP DIRECTYOURNET || DIRECTINTERSPIN || DIRECTDION || DIRECTODN || DIRECTINFOSPHERE || DIRECTSONETDYN || DIRECTOCNDYN || DIRECTVECTANTDYN || DIRECTHI_HO || DIRECTUSENBROAD || DIRECTBBTEC || DIRECTINFOWEB || DIRECTDTI || DIRECTBIGLOBE || DIRECTALPHANET || DIRECTUNETSURF || DIRECTEDITNET || DIRECTDSNETWORKS || DIRECTGERAGERA || DIRECTGMOACCESS || DIRECTIIJ4U || DIRECTVIPLT || DIRECTVOICETOWN || DIRECTSST_BB || DIRECTASAHINET || DIRECTTCOMADSL || DIRECTXEXONNET || DIRECTBBEXCITE || DIRECTITSCOM || DIRECTSAINET_NET || DIRECTDORPHIN || DIRECTWILLCOM || DIRECTHYPERBOX || DIRECTINTERLINK || DIRECTLINKCLUB || DIRECTPLALA || DIRECTPOWEREDCOM || DIRECTARCSTAR || DIRECTINTERQ || DIRECTEACCESS || DIRECTCPI || DIRECTPROX || COMBZMAIL_JP || TOKU_NET || DIRECTSAKURAWEB || LOLIPOP || SOHO || CSIDENET || NICNAME || GERAGERA || DATAHOTEL_JP || DIRECTCLARA || DIRECTSAVVIS || DIRECTATTGNS || DIRECTASIANETCOM || DIRECTSYSTEMDESIGN || DIRECTWAKWAK || DIRECTMEDIAWARS || DIRECTBITDRIVE || DIRECTXREA || DIRECTMEDEXCG || DIRECTADVANSCOPE || DIRECTDIGIROCK || DIRECTCOMMUFA || DIRECTEMOBILE || DIRECTKDDI || DIRECTSBIDC || DIRECTNTTMEDIAS ||DIRECTK_OPTICOM || DIRECTJCN ||FORGEDHELOYAHOO || ___KOREATAIWANCHINA || WAVEB_US || HOPONE_US || IWEBGROUP_US || SPCS_US || GNAXNET_US || PSINET_US || OTHER_FOOTSTOOL

# 
# $ awk 'BEGIN{printf "replace_rules "}/^header.+<MYMTA>/{printf $2 " "}END{print ""}' ~/.spamassassin/user_prefs
# 

replace_rules DIRECTYOURNET DIRECTINTERSPIN DIRECTDION DIRECTODN DIRECTINFOSPHERE DIRECTSONETDYN DIRECTOCNDYN DIRECTVECTANTDYN DIRECTHI_HO DIRECTUSENBROAD DIRECTBBTEC DIRECTINFOWEB DIRECTDTI DIRECTBIGLOBE DIRECTALPHANET DIRECTUNETSURF DIRECTEDITNET DIRECTDSNETWORKS DIRECTGERAGERA DIRECTVOICETOWN DIRECTSAKURAWEB DIRECTHYPERBOX DIRECTGMOACCESS DIRECTIIJ4U DIRECTASAHINET DIRECTVIPLT DIRECTSST_BB DIRECTTCOMADSL DIRECTXEXONNET DIRECTBBEXCITE DIRECTITSCOM DIRECTSAINET_NET DIRECTDORPHIN DIRECTWILLCOM DIRECTINTERLINK DIRECTLINKCLUB DIRECTPLALA DIRECTUNKNOWN DIRECTPOWEREDCOM DIRECTARCSTAR DIRECTINTERQ DIRECTEACCESS DIRECTCPI VALIDEZWEB VALIDVODAFONE DIRECTPROX DIRECTCLARA DIRECTSAVVIS DIRECTATTGNS DIRECTASIANETCOM DIRECTSYSTEMDESIGN DIRECTWAKWAK ONLY1HOPDIRECT ONLY1HOPDIRECTARIN ONLY1HOPDIRECTRIPE ONLY1HOPDIRECTLACNIC ONLY1HOPDIRECTAFRINIC CNCGROUP ___GOOMAIL_CNCGROUP ___INFOSEEK_WEBMAIL_CNCGROUP ARIN RIPE_NCC LACNIC AFRINIC 


# thrown away 2008.05.25 by [yoh]
# # header ___JPSCAMPORNQSV1 X-Spam-Relays-Untrusted =~ / helo=mail\.[a-z0-9_-]+\.(com|net) /
# header ___JPSCAMPORNQSV1 X-Spam-Relays-Untrusted =~ /( rdns=(mail\.[\w-]+\.(com|net)) helo=\2 | ip=(\d+\.\d+\.\d+\.\d+) rdns=\4 helo=mail\.[\w-]+\.(com|net) | rdns= helo=mail\.[\w-]+\.(com|net) )/
# header ___JPSCAMPORNQSV2 Return-Path =~ /info\@(mail\.){0,1}[\w-]+\.(com|net)/
# header ___JPSCAMPORNQSV3 MESSAGEID =~ /^<2\d+\.\d+\.qmail\@mail\.[\w-]+\.(com|net)/
# 
# meta JPSCAMPORNQSV ___JPSCAMPORNQSV1 && ___JPSCAMPORNQSV2 && ___JPSCAMPORNQSV3
# describe JPSCAMPORNQSV From info@mail.tekitou.com
# score JPSCAMPORNQSV 2.5
# 
# meta ASIAQSV JPSCAMPORNQSV && ___KOREATAIWANCHINA 
# describe ASIAQSV QSV spams come from east asia countries except Japan.
# score ASIAQSV 5.5
# 
# meta DCNQSV JPSCAMPORNQSV && ___DCN
# score DCNQSV 10

header REVDNSUNKNOWN Received =~ /\(\[(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))\d{2,3}(\.\d{1,3}){3}\]\)/
describe REVDNSUNKNOWN some MTA doesn't tell result of reverse dns lookup failure.
score REVDNSUNKNOWN 0.2


# meta FRGDQSV (FORGED_RCVD_HELO || ___JPSCAMPORNQSV4 || REVDNSUNKNOWN) && JPSCAMPORNQSV
# score FRGDQSV 2.5

# 
# I've added following rule at 2005.12.29.
# When will the rule be unavailable?
# by [yoh]
# spamsrv1 -> popget (pgr
# 2006.1.1 by [yoh]
# spamsrv1.hn.org -> osugi2.com
# 2006.4.18 by [yoh]
# 
# 

# header ___HELO_SPAMSRV X-Spam-Relays-Untrusted =~ / helo=(spamsrv1\.hn\.org|osugi2\.com|[a-z0-9]{3,}\.info|[A-Z0-9]{3,}\.INFO|yahoo\.co\.jp) /
header ___HELO_SPAMSRV X-Spam-Relays-Untrusted =~ / helo=(spamsrv1\.hn\.org|osugi2\.com|[a-z0-9]{3,}\.info|[A-Z0-9]{3,}\.INFO) /
header ___RTRN_SPAMSRV Return-Path =~ /error\@(.+\.hn\.org|osugi2\.com)/
meta SPAMSRV ___HELO_SPAMSRV && ___RTRN_SPAMSRV
describe SPAMSRV error@spamsrv1.hn.org
score SPAMSRV 20

# thrown away 2008.05.25 by [yoh]
# header ___RTRN_APCINFO Return-Path =~ /([a-z0-9_]{3,}\@[\w_-]+\.(info|com)|[A-Z0-9_]{3,}\@[\w_-]+\.INFO)/
# header ___RTRN_YAHOOCOJP Return-Path =~ /(apache|[a-z0-9_]{3,})\@yahoo\.co\.jp/
# 
# header ___MSGID_APCINFO MESSAGEID =~ /^<2\d+\.[A-F0-9]+\@[\w_.-]+\.(info|com)/
# 
# # meta DEFENSAPCINFO DEFENSNET && (___RTRN_APCINFO && ___MSGID_APCINFO || ___HELO_SPAMSRV && ONLY1HOPDIRECT) && ISO2022JP_BODY
# meta DEFENSAPCINFO DEFENSNET && (___MSGID_APCINFO && ___HELO_SPAMSRV || (MSGID_FROM_MTA_ID || HELO_BY_PARTIALSAME) && (___RTRN_YAHOOCOJP || ___RTRN_APCINFO)) && ISO2022JP_BODY
# score DEFENSAPCINFO 3.0
# 
# meta DEFAPCINFOURI DEFENSAPCINFO && (JPSCAMURI || URIBL_SBL || URIBL_JP_SURBL || URIBL_OB_SURBL || URIBL_WS_SURBL)
# score DEFAPCINFOURI 3.5
# 
# meta DEFAPCINFONOT DEFENSAPCINFO && NOTINCONTENTTYPE
# score DEFAPCINFONOT 3.5
# 
# 
# meta DEFENSSJIS DEFENSNET && NOTINCONTENTTYPE && SJIS_BODY
# score DEFENSSJIS 5


header COMBZSENDER X-Sender =~ /CombzMailSender/
score COMBZSENDER 0.5
header COMBZMSGID MESSAGEID =~ /^<2\d+\.\d+\.qmail\@[a-z]\d+(\.ps){0,1}\.combzmail\.jp>/
score COMBZMSGID 0.5
header COMBZMAGAZINEID exists: MagazineId
score COMBZMAGAZINEID 0.5

# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Obsolete rules =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

# score EMAIL_ATTRIBUTION -0.1
# score BAYES_70 5.0

# score BAYES_90 7.0
# score BAYES_00 0 0 -1.665 -2.599
# score BAYES_05 0 0 -0.925 -0.413
# score BAYES_20 0 0 -0.730 -1.951
# score BAYES_40 0 0 -0.276 -1.096
# score BAYES_50 0 0 1.567 0.001
# score BAYES_60 0 0 3.515 0.372
# score BAYES_80 0 0 3.608 2.087
# score BAYES_95 0 0 3.514 2.063
# score BAYES_99 0 0 4.070 1.886

# score MSGID_GOOD_EXCHANGE 0
# score PGP_SIGNATURE 0
# score USER_AGENT_MSN 0
# 
# score IN_REP_TO 0

# score BIG_FONT 2.0
# score RATWARE_JIXING 10.0
# score NIGERIAN_TRANSACTION_1 2.0
# score NIGERIAN_TRANSACTION_2 2.0
# score SPAM_PHRASE_03_05 2.0
# score USER_AGENT_OE 2.0
# score USER_AGENT_THEBAT 7.0
# score CLICK_BELOW 1.0
# score CLICK_HERE_LINK 1.0
# score US_DOLLARS_2 1.0
# score US_DOLLARS_3 1.0
# score US_DOLLARS_4 1.0
# score RATWARE_DIFFOND 10.0
# score FOR_INSTANT_ACCESS 1.0
# score INSTANT_ACCESS 1.0
# score MICROSOFT_EXECUTABLE 4.0
# score CHARSET_FARAWAY_HEADERS 4.0
# score PORN_4 4.0

# score UNDESIRED_LANGUAGE_BODY  7.0

# header X_MAILER_U       X-MAILER =~ /Mail Explorer For Internet /
# describe X_MAILER_U     spammer's choice of X-MAILER
# score X_MAILER_U        10.0

# header REPLY_TO_REMOVE   Reply-To =~ /remove\@/
# describe REPLY_TO_REMOVE        Reply-To set to remove@...
# score REPLY_TO_REMOVE   2.0

# body AMSTERDAM_NETHERLANDS      /AMSTERDAM THE NETHERLANDS/
# describe AMSTERDAM_NETHERLANDS  AMSTERDAM THE NETHERLANDS
# score AMSTERDAM_NETHERLANDS     2.0
# 
# body CONFIDENTIAL_BUSINESS /CONFIDENTIAL BUSINESS PROPOSAL/
# describe CONFIDENTIAL_BUSINESS CONFIDENTIAL BUSINESS PROPOSAL
# score CONFIDENTIAL_BUSINESS 2.0
# 
# body ZIMBABWE_SCAM  /International Press into Zimbabwe and the drop from office of the/
# describe ZIMBABWE_SCAM International Press into Zimbabwe and the drop from office of the
# score ZIMBABWE_SCAM  10.0

# body GOD_BE_WITH_YOU /God be with you\./i
# describe GOD_BE_WITH_YOU God be with you.
# score GOD_BE_WITH_YOU 2.0
# 
# full HUGE_CASH_MIL_DOLS /huge[ \r\n]+cash deposit of .+ million dollars/
# describe HUGE_CASH_MIL_DOLS huge cash deposit of ... million dollars
# score HUGE_CASH_MIL_DOLS 2.0
# 
# meta NETHERLANDS_SCAM AMSTERDAM_NETHERLANDS && THANKS_GOD_BLESS && DEAR_SOMETHING
# describe NETHERLANDS_SCAM AMSTERDAM_NETHERLANDS && THANKS_GOD_BLESS
# score NETHERLANDS_SCAM 5.5
# 
# body NIGERIAN_NATIONAL_PETR /Nigerian National Petroleum/i
# describe NIGERIAN_NATIONAL_PETR Nigerian National Petroleum Corporation
# score NIGERIAN_NATIONAL_PETR 2.2
# 
# meta NIGERIAN_SCAM1 NIGERIAN_NATIONAL_PETR && RISK_FREE && DEAR_SOMEBODY && SUPERLONG_LINE
# describe NIGERIAN_SCAM1 NIGERIAN_NATIONAL_PETR && RISK_FREE && DEAR_SOMEBODY && SUPERLONG_LINE
# score NIGERIAN_SCAM1 5.0
# 
# rawbody RANDOM_ID /^[0-9]{4}[a-zA-Z]{4}[0-9]-[0-9]/
# describe RANDOM_ID random numeric and alphabet ID-like phrase
# score RANDOM_ID 8.0

# body NEVER_SENT_UNSOLICITED /mail is never sent unsolicited/i
# describe NEVER_SENT_UNSOLICITED mail is never sent unsolicited
# score NEVER_SENT_UNSOLICITED 3.5

# body TO_BE_REMOVED_TO /to be removed .*to:/
# describe TO_BE_REMOVED_TO to be removed and send ALL addresses to:
# score TO_BE_REMOVED_TO 2.0

# body ENTER_EMAIL /to.*be.*Removed.*from.*all.*future.*Messages.*enter.*email.*address/i
# describe ENTER_EMAIL to be Removed from all future Messages, enter email address
# score ENTER_EMAIL 8.0
# 
# body REMOVEEMAIL2 /if.*you.*want.*to.*remove.*your.*email.*address.*pleses.*sent.*email.*to/i
# describe REMOVEEMAIL2 if you want to remove your emailaddress pleses sent email to
# score REMOVEEMAIL2 8.0
# 
# body REMOVEEMAIL3 /If you do not desire to receive any further e-mails/i
# describe REMOVEEMAIL3 If you do not desire to receive any further e-mails
# score REMOVEEMAIL3 3.0
# 
# # body ADDYOURADDRESS /(^IMPORTANT \- .+ email address to our |^To add to )Do Not Email List (click ){0,1}here:/
# describe ADDYOURADDRESS please add your email address to our Do Not Email List here:
# score ADDYOURADDRESS 5.0

# body CENTRALREMOVALSERVICE /http:\/\/www.centralremovalservice.com\/cgi-bin\/.*.cgi/
# describe CENTRALREMOVALSERVICE http://www.centralremovalservice.com/cgi-bin/
# score CENTRALREMOVALSERVICE 5.0
# 
# body REDLIGHTEMAIL1 /www\.redlightemail\.com\/remove\.cfm/
# describe REDLIGHTEMAIL http://www.redlightemail.com/remove.cfm
# score REDLIGHTEMAIL 2.0
# 
# body REDLIGHTEMAIL2 /100% Spam Free RedLightEmail/
# describe REDLIGHTEMAIL2 100% Spam Free RedLightEmail
# score REDLIGHTEMAIL2 2.0
# 
# meta REDLIGHTEMAIL REDLIGHTEMAIL1 && REDLIGHTEMAIL2
# describe REDLIGHTEMAIL REDLIGHTEMAIL1 && REDLIGHTEMAIL2
# score REDLIGHTEMAIL 6.0
# 
# rawbody RANDOM_ID3 /^\(.+\)[0-9]+[A-Za-z]+[0-9]/
# describe RANDOM_ID3 random numeric and alphabet ID-like phrase
# score RANDOM_ID3 10.0
# 
# body RANDOM_ID4 /[A-Za-z]{18,} [A-Za-z-.]{18,} [A-Za-z]{18,}/
# describe RANDOM_ID4 random alphabet ID-like phrase
# score RANDOM_ID4 5.0

# body EURO_SCAM /Learn how \$10,000 in options will leverage \$1,000,000 in/
# describe EURO_SCAM Learn how $10,000 in options will leverage $1,000,000 in
# score EURO_SCAM 10.0
# 
# body BROWSE_FREE /BROWSE FREE!/
# describe BROWSE_FREE BROWSE FREE!
# score BROWSE_FREE 1.0
# 
# body B100P_FREE /100% FREE/
# describe B100P_FREE 100% FREE
# score B100P_FREE 1.0
# 
# rawbody OPTOUT6 /the opt\-out instruction below\. We apologize for any inconvenience\./i
# describe OPTOUT6 the opt-out instruction below. We apologize for any inconvenience.
# score OPTOUT6 3.0
# 
# body OPTOUT1 /""OPT-OUT""/
# describe OPTOUT1 ""OPT-OUT""
# score OPTOUT1 1.0
# 
# body OPTOUT2 /If you wish to "OPT-OUT" from this mailing/
# describe OPTOUT2 If you wish to "OPT-OUT" from this mailing
# score OPTOUT2 1.0
# 
# body OPTOUT3 /http:\/\/.+optout\.html/i
# describe OPTOUT3 http://*****/optout.html
# score OPTOUT3 2.0
# 
# meta OPTOUT4 OPTOUT1 && OPTOUT2 && OPTOUT3
# describe OPTOUT4 OPTOUT1 && OPTOUT2 && OPTOUT3
# score OPTOUT4 4.0
# 
# body BAD_CREDIT /We specialize in .+BAD CREDIT/i
# describe BAD_CREDIT We specialize in approving BAD CREDIT!
# score BAD_CREDIT 1.0
# 
# rawbody HTML_COMMENT_ID /<!-- [0-9]{6,}\.[0-9]{8,} -->/
# describe HTML_COMMENT_ID random ID number in HTML comment
# score HTML_COMMENT_ID 2.0
# 

# score IN_REP_TO -0.5

# score CTYPE_JUST_HTML 4.0
# score TO_LOCALPART_EQ_REAL 1.0
# score SMTPD_IN_RCVD 3.0
# score X_PRECEDENCE_REF 4.4

# header BINARY_ENCODING Content-Transfer-Encoding =~ /binary/
# describe BINARY_ENCODING Content-Transfer-Encoding: binary
# score BINARY_ENCODING 3.0
# 
# body STRICTLY_CONFIDENTIAL /STRICTLY CONFIDENTIAL/
# describe STRICTLY_CONFIDENTIAL "STRICTLY CONFIDENTIAL" is NOT confidential.
# score STRICTLY_CONFIDENTIAL 3.0
# 
# body ABSOLUTE_CONFIDENCE /I am writing you in absolute confidence primarily to seek/i
# describe ABSOLUTE_CONFIDENCE I am writing you in absolute confidence primarily to seek
# score ABSOLUTE_CONFIDENCE 1.0
# 
# body SOURCE_OF_THE_MONEY /^Source of the money:/i
# describe SOURCE_OF_THE_MONEY Source of the money:
# score SOURCE_OF_THE_MONEY 0.3
# 
# body MY_LATE_FATHER /My late father.+, a native of +Mende District in the/i
# describe MY_LATE_FATHER My late father XXXXXX, a native of Mende District in the
# score MY_LATE_FATHER 0.5
# 
# meta NIGERIAN_TRANSACTION_6 ABSOLUTE_CONFIDENCE && SOURCE_OF_THE_MONEY && MY_LATE_FATHER
# describe NIGERIAN_TRANSACTION_6 ABSOLUTE_CONFIDENCE && SOURCE_OF_THE_MONEY && MY_LATE_FATHER
# score NIGERIAN_TRANSACTION_6 8.0

# header SPAMMERS_BOUNDARY Content-Type =~ /multipart\/mixed; boundary="===_[A-Z][a-zA-Z]{5}_000_1[a-z]{13}"/
# describe SPAMMERS_BOUNDARY possibly spam mailer's boundary format
# score SPAMMERS_BOUNDARY 5.0
# 
# header MICROSOFT_ZIPPEDEXE Content-Type =~ /application\/x-compressed;.+name=".+.zip"/i
# describe MICROSOFT_ZIPPEDEXE possibly ZIP'ed Microsoft Windows virus
# score MICROSOFT_ZIPPEDEXE 7.0
# 
# Sorry, below rules are under construction. 03/07/06 by [yoh]
# 
# rawbody MICROSOFT_ZIPPEDEXE2 /application\/x-.*compressed;.+name=".+.zip"/i
# body MICROSOFT_ZIPPEDEXE2 /application\/x\-zip\-compressed./i
# describe MICROSOFT_ZIPPEDEXE2 possibly ZIP'ed Microsoft Windows virus
# score MICROSOFT_ZIPPEDEXE2 0.1
# 
# body MICROSOFT_ZIPPEDEXE3 /name/i
# describe MICROSOFT_ZIPPEDEXE3 possibly ZIP'ed Microsoft Windows virus
# score MICROSOFT_ZIPPEDEXE3 0.1
# 
# meta MICROSOFT_ZIPPEDEXE4 MICROSOFT_ZIPPEDEXE2 && MICROSOFT_ZIPPEDEXE3
# describe MICROSOFT_ZIPPEDEXE4 MICROSOFT_ZIPPEDEXE2 && MICROSOFT_ZIPPEDEXE3
# score MICROSOFT_ZIPPEDEXE4 7.0
# 
# header  MICROSOFT_EXEC2 Content-Type =~ /application\/x-msdownload;.+name=".+.exe"/i
# describe MICROSOFT_EXEC2 possibly Microsoft Windows virus
# score MICROSOFT_EXEC2 7.0
# full MICROSOFT_EXEC3 /[\r\n]{2,}TV[opq][AQ]AA[MIE]AAAA[CE]AA[A8]A/
# full MICROSOFT_EXEC3 /TVoAAAEAAAACAAAA/
# describe MICROSOFT_EXEC3 possibly Microsoft Windows virus
# score MICROSOFT_EXEC3 7.0
# TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAAAAC0TM0hAAAAAAAAAAAAAAAAAAAAAAAA
# TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# 
# meta NIGERIAN_SCAM2 NIGERIAN_TRANSACTION_1 && MIMEQENC && US_DOLLARS_2 && US_DOLLARS_3
# describe NIGERIAN_SCAM2 NIGERIAN_TRANSACTION_1 && MIMEQENC && US_DOLLARS_2 && US_DOLLARS_3
# score NIGERIAN_SCAM2 4.0
# 
# rawbody OPTI_TARGET /^This is an Opti-Target network mailing\.  You were subscribed to this/
# describe OPTI_TARGET This is an Opti-Target network mailing.  You were subscribed to this
# score OPTI_TARGET 3.0
# 
# body OPTOUTINSTRUCTIONS /Opt-Out Instructions/
# describe OPTOUTINSTRUCTIONS Opt-Out Instructions
# score OPTOUTINSTRUCTIONS 1.0
# 
# body SENDING_UNSOLICITED /We are strongly against sending unsolicited emails to those/
# describe SENDING_UNSOLICITED We are strongly against sending unsolicited emails to those
# score SENDING_UNSOLICITED 2.0
# 
# meta OPTOUT5 OPTOUTINSTRUCTIONS && SENDING_UNSOLICITED
# describe OPTOUT5 OPTOUTINSTRUCTIONS && SENDING_UNSOLICITED
# score OPTOUT5 3.0
# 
# meta NIGERIAN_SCAM3 NIGERIAN_TRANSACTION_1 && RISK_FREE && LINES_OF_YELLING && US_DOLLARS_3
# describe NIGERIAN_SCAM3 NIGERIAN_TRANSACTION_1 && RISK_FREE && LINES_OF_YELLING && US_DOLLARS_3
# score NIGERIAN_SCAM3 4.0

# meta PORN_HTML  CLICK_HERE_LINK && PORN_4
# describe PORN_HTML CLICK_HERE_LINK && PORN_4
# score PORN_HTML 4.0
# 
# meta PORN_HTML2 PORN_4 && CTYPE_JUST_HTML
# describe PORN_HTML2 PORN_4 && CTYPE_JUST_HTML
# score PORN_HTML2 2.0
# 
# body USE_THIS_LINK /Use this link and we will not contact your email .+ at .+ again/i
# describe USE_THIS_LINK Use this link and we will not contact your email ++++ at ++++.+++ again
# score USE_THIS_LINK 2.0
# 
# body AS_SEEN_ON_NBC /As seen (on )*NBC, CBS, (and )*CNN, and even Oprah[!.]/i
# describe AS_SEEN_ON_NBC As seen on NBC, CBS, and CNN, and even Oprah!
# score AS_SEEN_ON_NBC 3.0
# 
# body THIS_EMAIL_SURPRISE /I presume this email will not be a surprise to you/i
# describe THIS_EMAIL_SURPRISE I presume this email will not be a surprise to you
# score THIS_EMAIL_SURPRISE 3.0
# 
# meta NIGERIAN_SCAM4 THIS_EMAIL_SURPRISE && (US_DOLLARS_2 || US_DOLLARS_3 || US_DOLLARS_4)
# describe NIGERIAN_SCAM4 THIS_EMAIL_SURPRISE && (US_DOLLARS_2 || US_DOLLARS_3 || US_DOLLARS_4)
# score NIGERIAN_SCAM4 3.0

# body BIGGESTNEWDRUG /^The Biggest New Drug since V1agra\! Many times as powerful\.$/
# describe BIGGESTNEWDRUG The Biggest New Drug since V1agra! Many times as powerful.
# score BIGGESTNEWDRUG 3.0

# header RANDXMAILER X-Mailer =~ /^[A-Z][a-z]+ [0-9]\.[0-9][0-9]$/
# describe RANDXMAILER X-Mailer: random strings
# score RANDXMAILER 2.0
# 
# meta RANDSPAMTOOL RANDORG && RANDXMAILER
# describe RANDSPAMTOOL RANDORG && RANDXMAILER
# score RANDSPAMTOOL 4.0
# 

# body RECEIVED_THIS_EMAIL /You received this email because you signed up/i
# describe RECEIVED_THIS_EMAIL You received this email because you signed up
# score RECEIVED_THIS_EMAIL 2.5
# 
# header XMIMETRACK X-MIMETrack =~ /Serialize by Router on .*\(Release /
# describe XMIMETRACK Serialize by Router on ...(Release ...
# score XMIMETRACK 1.0
# 
# meta PORN_SPAM1 (HOT_NASTY || LARGE_COLLECTION || NASTY_GIRLS || SPAM_PHRASE_01_02) && USE_THIS_LINK
# describe PORN_SPAM1 (HOT_NASTY || LARGE_COLLECTION || NASTY_GIRLS || SPAM_PHRASE_01_02) && USE_THIS_LINK
# score PORN_SPAM1 7.0

# meta BROKEN_HEADERS DATE_MISSING && FROM_MISSING && MISSING_HEADERS && SUBJ_MISSING
# describe BROKEN_HEADERS DATE_MISSING && FROM_MISSING && MISSING_HEADERS && SUBJ_MISSING
# score BROKEN_HEADERS 8.0
# 
# meta MICROSOFT_VIRUS MICROSOFT_EXECUTABLE && (MIME_HTML_NO_CHARSET || MULTIPART_ALTERNATIVE || MIMEQENC)
# describe MICROSOFT_VIRUS MICROSOFT_EXECUTABLE && (MIME_HTML_NO_CHARSET || MULTIPART_ALTERNATIVE || MIMEQENC)
# score MICROSOFT_VIRUS 8.0
# 
# header VIRUS_ALERT_SUBJ Subject =~ /Virus Alert/
# describe VIRUS_ALERT_SUBJ "Subject: Virus Alert" is a spam produced by the virusscanner
# score VIRUS_ALERT_SUBJ 3.0
# 
# body VIRUS_ALERT_MSG /The mail message \(file: .+\) you sent to .+\@.+ contains a virus\. \(on vsmail\)/
# describe VIRUS_ALERT_MSG The mail message (file: ...) you sent to ...@... contains a virus. (on vsmail)
# score VIRUS_ALERT_MSG 4.0

# meta TEXTINPO TEXT_NOCHARSET && IMPOTENCE && BAYES_99 && BIZ_TLD && CLICK_BELOW
# describe TEXTINPO TEXT_NOCHARSET && IMPOTENCE && BAYES_99 && BIZ_TLD && CLICK_BELOW
# score TEXTINPO 10.0

# header NEONMTA Received =~ /from .+Neon Mail Server System 1.3.1, 09 Sep 2003/
# describe NEONMTA Japanese spammer chooses MTA: Neon Mail Server System
# score NEONMTA 3.0
# 
# rawbody ILLEGALSTR01 /^([a-z]{80,}, ){3,}[a-z]{80,}$/
# describe ILLEGALSTR01 illegal strings that seems to obfuscate bayesian filter
# score ILLEGALSTR01 2.0
# 
# rawbody ILLEGALSTR02 /^([a-zA-Z0-9]{50,} +){3,}[a-zA-Z0-9]{20,}$/
# describe ILLEGALSTR02 illegal strings that seems to obfuscate bayesian filter
# score ILLEGALSTR02 2.0
# 
# full ILLEGALSTR03 /([a-z]+ [a-z]+, [a-z]+, [a-z]+ \. [a-z]+ [a-z]+ [a-z]+, [a-z]+, [a-z]+ \. [a-z]+[\r\n]){30,}/
# describe ILLEGALSTR03 illegal strings that seems to obfuscate bayesian filter
# score ILLEGALSTR03 2.0
# 
# meta CDCHEAP ILLEGALSTR01 && ILLEGALSTR03 && MULTIPART_ALTERNATIVE && HTML_MESSAGE
# describe CDCHEAP selling warez. (ILLEGALSTR01,03,MULTIPART_ALTERNATIVE,HTML_MESSAGE)
# score CDCHEAP 3.5
# 
# full ILLEGALSTR04 /([a-z]+[ \n][a-z]+[ \n][a-z]+,[ \n][a-z]+,[ \n][a-z]+[ \n]\.[ \n]){30,}/
# describe ILLEGALSTR04 illegal strings that seems to obfuscate bayesian filter
# score ILLEGALSTR04 3.5
# 
# rawbody ILLEGALSTR05 /(<p>([a-z]+ ){20,}<\/p>){2,}/
# describe ILLEGALSTR05 illegal strings that seems to obfuscate bayesian filter
# score ILLEGALSTR05 2.0
# 
# # (([a-z]+ ){3,}[\r\n]+|[a-z]+[\r\n]+([a-z]+ ){3,}[\r\n]+){3,}
# # ([a-z]+ ){3,}[\r\n]+|
# # [\r\n]+<P>\&nbsp;<\/P> ([a-z]+ ){3,}[\r\n]+
# # full ILLEGALSTR06 /([a-z]+[\r\n]+ ([a-z]+ ){3,}[\r\n]+){3,}/
# full ILLEGALSTR06 /([a-z]+[\r\n]+ ([a-z]+ ){3,}[\r\n]+|([a-z]+ ){3,}[\r\n]+){3,}/
# describe ILLEGALSTR06 illegal strings that seems to obfuscate bayesian filter
# score ILLEGALSTR06 3.5
# 
# uri ILLEGALALIAS01 /http:\/\/([a-z]+\.){4,}[a-z]+=([a-z]+\.){4,}[a-z]{2,4}\//
# describe ILLEGALALIAS01 hostname has very long random strings
# score ILLEGALALIAS01 5.0
# 
# # full URIPOISON /<A \n*href=\"http:\/\/www\.[a-z]+\.org\"><\/A>/
# full URIPOISON /(<A [ \n]*href=\"http:\/\/www\.[a-z]+\.org\"><\/A>[a-zA-Z0-9,. ]+){4,}/
# describe URIPOISON <A href="http://www.schottky.org"></A>ail re<A
# score URIPOISON 4.5
# 
# rawbody SYSINFO01 /^---- system information ----$/
# describe SYSINFO01 ---- system information ----
# score SYSINFO01 1.0
# 
# rawbody NEWMORTGAGE /because you now qualify for a new mortgage/
# describe NEWMORTGAGE I sent you an email a few days ago, because you now qualify for a new mortgage.
# score NEWMORTGAGE 2.0
# 
# meta BECAUSEMORTGAGE NEWMORTGAGE && SYSINFO01 && BAYES_99
# describe BECAUSEMORTGAGE NEWMORTGAGE && SYSINFO01 && BAYES_99
# score BECAUSEMORTGAGE 7.0
# 
# meta NATURALSYSINFO ALL_NATURAL && SYSINFO01 && BAYES_99
# describe NATURALSYSINFO ALL_NATURAL && SYSINFO01 && BAYES_99
# score NATURALSYSINFO 7.0
# 
# uri URI_PACIFICGIRLS /http:\/\/[a-z0-9]+\.pacificgirls.com\/[a-z0-9]+/
# describe URI_PACIFICGIRLS http://www.pacificgirls.com/
# score URI_PACIFICGIRLS 2.0
# 
# meta PACIFICGIRLS_COM URI_PACIFICGIRLS && RCVD_IN_RFCI && (RCVD_IN_SBL || RCVD_IN_SBL_XBL)
# describe PACIFICGIRLS_COM URI_PACIFICGIRLS && RCVD_IN_RFCI && (RCVD_IN_SBL || RCVD_IN_SBL_XBL)
# score PACIFICGIRLS_COM 5.0
# 
# header POSTFIX_ERRFROM From =~/MAILER-DAEMON@.+ \(Mail Delivery System\)$/
# describe POSTFIX_ERRFROM From: is Postfix type delivery error message
# score POSTFIX_ERRFROM 0.1

# meta MIMEHEXLONGQ MIME_BOUND_MANY_HEX && MIME_LONG_LINE_QP
# describe MIMEHEXLONGQ MIME_BOUND_MANY_HEX && MIME_LONG_LINE_QP
# score MIMEHEXLONGQ 2.0
# 
# meta LOTSCCSPAMADDR LOTS_OF_CC_LINES && MAILTO_TO_SPAM_ADDR
# describe LOTSCCSPAMADDR LOTS_OF_CC_LINES && MAILTO_TO_SPAM_ADDR
# score LOTSCCSPAMADDR 2.0
# 
# meta IDMTAXPRIHIGH MSG_ID_ADDED_BY_MTA_2 && X_PRIORITY_HIGH
# describe IDMTAXPRIHIGH MSG_ID_ADDED_BY_MTA_2 && X_PRIORITY_HIGH
# score IDMTAXPRIHIGH 2.0

# body NO_LONGER_WISH /but if you no longer wish to receive our emails please:/i
# describe NO_LONGER_WISH but if you no longer wish to receive our emails please:
# score NO_LONGER_WISH 1.5
# 
# body ENJOYEDRECEIVINGEMAIL /We hope you enjoyed receiving this email/i
# describe ENJOYEDRECEIVINGEMAIL We hope you enjoyed receiving this email
# score ENJOYEDRECEIVINGEMAIL 1.0
# 
# meta ENJOYED_NO_LONGER NO_LONGER_WISH && ENJOYEDRECEIVINGEMAIL
# describe ENJOYED_NO_LONGER NO_LONGER_WISH && ENJOYEDRECEIVINGEMAIL
# score ENJOYED_NO_LONGER 2.5
# 
# body SOBIG_BODY /^(Please ){0,1}See the attached file for details/i
# describe SOBIG_BODY Please see the attached file for details.
# score SOBIG_BODY 1.0
# 
# header SOBIG_HEADER Content-Type =~ /multipart\/mixed;.+boundary="_NextPart_/
# describe SOBIG_HEADER Probably Sobig.F's multipart header
# score SOBIG_HEADER 0.1
# 
# full SOBIG_HEADER2 /\nContent-Type: multipart\/mixed;\n\tboundary="_NextPart_/
# describe SOBIG_HEADER2 Probably Sobig.F's multipart header
# score SOBIG_HEADER2 0.1
# 
# meta SOBIG_F SOBIG_BODY && (SOBIG_HEADER || SOBIG_HEADER2)
# describe SOBIG_F SOBIG_BODY && (SOBIG_HEADER || SOBIG_HEADER2)
# score SOBIG_F 8.0
# 
# uri OFF_LIST_CGI /www\..+\.com\/cgi(-bin){0,1}\/off_list\.(cgi|pl)/
# describe OFF_LIST_CGI www.????.com/cgi-bin/off_list.cgi
# score OFF_LIST_CGI 1.0
# 
# meta FAKEDWORD_OFFLIST (FAKEDWORD_ATMARK|| FAKEDWORD_ZERO || FAKEDWORD_ONE || FAKEDWORD_EXCLAMATION || FAKEDWORD_VERTICALLINE || FAKEDWORD_BACKQUOTE || FAKEDWORD_BQONE) && OFF_LIST_CGI
# describe FAKEDWORD_OFFLIST (FAKEDWORD_ATMARK|| FAKEDWORD_ZERO || FAKEDWORD_ONE || FAKEDWORD_EXCLAMATION || FAKEDWORD_VERTICALLINE || FAKEDWORD_BACKQUOTE || FAKEDWORD_BQONE) && OFF_LIST_CGI
# score FAKEDWORD_OFFLIST 5.0
# 
# rawbody OFF_THE_LIST /(xen\.php|\.info\/r\/)\"\>Off the list/
# describe OFF_THE_LIST Off the list
# score OFF_THE_LIST 3.0
# 
# full SIZEDOESMATTER /<p>Size does matter\. (Feeling insecure about yourself\?|Most women agree that they are satisfied by bigger tools\.)<\/p>/
# describe SIZEDOESMATTER Size does matter.
# score SIZEDOESMATTER 3.0
# 
# full CANNOTSATISFY /<p>They married someone who cannot satisfy them\.<\/p>/
# # full CANNOTSATISFY /They married someone who cannot satisfy them/
# describe CANNOTSATISFY They married someone who cannot satisfy them.
# score CANNOTSATISFY 3.0

# meta EXIMBOUNCE EXIM_ERRWARN && ILLEGALSTR04
# describe EXIMBOUNCE bounce spam using a footstool MTA Exim
# score EXIMBOUNCE 7.0
# 
# header QMAIL_DELIVERR Received =~/\(qmail [0-9]+ invoked for bounce\); /
# describe QMAIL_DELIVERR bounce mail from qmail
# score QMAIL_DELIVERR 0.1
# 
# meta QMAILBOUNCE QMAIL_DELIVERR && ILLEGALSTR04
# describe QMAILBOUNCE bounce spam using a footstool MTA qmail
# score QMAILBOUNCE 7.0

# meta MSBOUNCE MSES_ERRXM && ILLEGALSTR04
# describe MSBOUNCE bounce spam using a footstool MTA MS Exchane Server
# score MSBOUNCE 7.0
# 
# header SLMAIL_ERRRCV Received =~ /by .+ from localhost.+ \(mail daemon,SLMail V2\.7\);/
# describe SLMAIL_ERRRCV Received: is SLMail for WinNT/2K type delivery error message
# score SLMAIL_ERRRCV 1.0
# 
# meta SLMBOUNCE SLMAIL_ERRRCV && ILLEGALSTR04
# describe SLMBOUNCE SLMAIL_ERRRCV && ILLEGALSTR04
# score SLMBOUNCE 7.0

# meta LIMITED_IFYOUWISH LIMITED_TIME_ONLY && IFYOUWISHTOBEDELETED
# describe LIMITED_IFYOUWISH LIMITED_TIME_ONLY && IFYOUWISHTOBEDELETED
# score LIMITED_IFYOUWISH 3.0
# 
# body WAREZSTR01 /MICROSOFT WINDOWS XP PROFESSIONAL .+Only \$50\!/
# describe WAREZSTR01 MICROSOFT WINDOWS XP PROFESSIONAL - Only $50!
# score WAREZSTR01 1.0
# 
# body WAREZSTR02 /Major titles from Microsoft and Adobe for Rock Bottom Prices\!/
# describe WAREZSTR02 Major titles from Microsoft and Adobe for Rock Bottom Prices!
# score WAREZSTR02 1.0
# 
# body WAREZSTR03 /re giving you these INSANE discounts because these are the/
# describe WAREZSTR03 We're giving you these INSANE discounts because these are...
# score WAREZSTR03 1.0
# 
# meta WAREZERRMSG WAREZSTR01 && WAREZSTR02 && WAREZSTR03 && POSTFIX_ERRCONT
# describe WAREZERRMSG WAREZSTR01 && WAREZSTR02 && WAREZSTR03 && POSTFIX_ERRCONT
# score WAREZERRMSG 3.0
# 
# full FONT_1PX_WHITE /<font style=3dfont-size:1px color=3d"\#FFFF(FF|00)">/
# describe FONT_1PX_WHITE font-size:1px and color="\#FFFFFF" means obfuscating bayesian filter
# score FONT_1PX_WHITE 5.0
# 
# rawbody FONT_0PX_WHITE /<p style="font-size:0px; color:white">/
# describe FONT_0PX_WHITE font-size:0px and color:white means obfuscating bayesian filter
# score FONT_0PX_WHITE 5.0

# meta POSTFIX_DELIVERRSPAM POSTFIX_ERRFROM && POSTFIX_ERRCONT && X_KOREAN_RELAY
# describe POSTFIX_DELIVERRSPAM POSTFIX_ERRFROM && POSTFIX_ERRCONT && X_KOREAN_RELAY
# score POSTFIX_DELIVERRSPAM 3.5
# 
# Subject =~/Mail delivery failed: returning message to sender$/
# describe EXIM_ERRSUBJ Subject: is Exim type delivery error message
# score EXIM_ERRSUBJ 0.1
# header EXIM_WARNSUBJ Subject =~/Warning: message [a-zA-Z0-9]+-[a-zA-Z0-9]+-[0-9]{2,2} delayed 24 hours$/
# describe EXIM_WARNSUBJ Subject: is Exim type delivery warning message
# score EXIM_WARNSUBJ 0.1

# full FONTCOLOR2LF /\n<font color=\n\n\#[0-9a-f]{6,6}>([a-zA-Z]+ ){3,}[a-zA-Z]+</font><br>/
# full FONTCOLOR2LF /\n<font color=\n\n\#[0-9a-f]{6,6}>([a-zA-Z]+ ){3,}[a-zA-Z]+<\/font><br>/
# describe FONTCOLOR2LF spam pattern of html "<font color="
# score FONTCOLOR2LF 5.0
# 
# rawbody THEYNEEDSOMEONE /^<p>They need someone to satisfy them tonight\.<\/p>$/
# describe THEYNEEDSOMEONE <p>They need someone to satisfy them tonight.</p>
# score THEYNEEDSOMEONE 3.0
# 
# rawbody BROWSEREALWIVES /Browse online listing of real wives looking for an affair/
# describe BROWSEREALWIVES Browse online listing of real wives looking for an affair
# score BROWSEREALWIVES 3.0
# 
# full MARKSTR01 /[\r\n]<p>([a-z]{8,} ){3,3}[a-z]{8,}<\/p>[\r\n]+<p>[a-zA-Z0-9]{10,}<\/p>[\r\n]+<p>[a-z]{8,} [a-z]{8,}<\/p>[\r\n]+/
# 
# [\r\n]
# <p>([a-z]{8,} ){3,}[a-z]{8,}<\/p>[\r\n]+
# <p>[a-zA-Z0-9]{10,}<\/p>[\r\n]+
# <p>[a-z]{8,} [a-z]{8,}<\/p>[\r\n]+
# 
# full MARKSTR01 /[\r\n]<p>([a-z]{8,} ){3,}[a-z]{8,}<\/p>[\r\n]+<p>[a-zA-Z0-9]{10,}<\/p>[\r\n]+<p>[a-z]{8,} [a-z]{8,}<\/p>[\r\n]+/
# describe MARKSTR01 marking strings
# score MARKSTR01 7.0
# 
# rawbody EXTREMELYCHEAP /^Looking for extremely cheap high-quality software\?\<br\>/
# describe EXTREMELYCHEAP Looking for extremely cheap high-quality software?<br>
# score EXTREMELYCHEAP 3.0
# 
# full MARKSTR02 /[\r\n]Content-Type: text\/plain; charset=.+[\r\n]+Content-Transfer-Encoding: [78][bB]it[\r\n]+([a-z]{2,}[ \r\n]{1,}){20,}[\r\n]/
# describe MARKSTR02 marking strings
# score MARKSTR02 7.0
# 
# full MARKSTR03 /<p>(([a-z]{2,} ){9,}[a-z]{2,}[\r\n]+){6,}/
# describe MARKSTR03 marking strings
# score MARKSTR03 7.0

# meta MALFORMED_TO_KOUKOKU TO_MALFORMED && MISYOUDAKUKOUKOKU
# describe MALFORMED_TO_KOUKOKU TO_MALFORMED && MISYOUDAKUKOUKOKU
# score MALFORMED_TO_KOUKOKU 3.5

# body KANZENMURYOU /40A4L5NA/
# describe KANZENMURYOU Kanzenmuryou
# score KANZENMURYOU 2.0

# body GOKUHIJOUHOU /6KHk>pJs/
# describe GOKUHIJOUHOU Gokuhi Jouhou
# score GOKUHIJOUHOU 5.0
# 

# body CHOUKAGEKI /D62a7c/
# describe CHOUKAGEKI obscene word: choukageki
# score CHOUKAGEKI 1.0
# 
# meta JP_PORN1 MOROMISE && SHIROUTOMUSUME && CHOUKAGEKI
# describe JP_PORN1 MOROMISE && SHIROUTOMUSUME && CHOUKAGEKI
# score JP_PORN1 5.0

# body SJIS_BODY /([\x81-\x8d\x90-\x9f][\x40-\x7e\x80-\x8f].*){5,}/
# describe SJIS_BODY Shift_JIS message
# score SJIS_BODY 3.0

# body MOROMISE /\$b\$m8\+\$;/
# describe MOROMISE obscene word: moromise
# score MOROMISE 2.0

# header BIZIMAGA Subject =~ /:G\?7%S%8%M%9>pJs%\^%,%8%s/
# describe BIZIMAGA BIZIMAGA
# score BIZIMAGA 10.0
# 
# header X_MACKY_ID_PRESENT	exists:X-Macky-ID
# score X_MACKY_ID_PRESENT 10.0
# 
# header X_MACKYCATCODE_PRESENT	exists:X-MackyCatCode
# score X_MACKYCATCODE_PRESENT 10.0
# 
# header X_MACKYMEDIA_PRESENT	exists:X-MackyMedia
# score X_MACKYMEDIA_PRESENT 10.0
# 
# body BIJINESUSHOUKAIHP /%S%8%M%9>R2p.\(BHP/
# describe BIJINESUSHOUKAIHP BIJINESUSHOUKAIHP
# score BIJINESUSHOUKAIHP 3.0
# 
# body GENSENBIJINESUJOUHOUHP /87A\*%S%8%M%9>pJs.\(BHP/
# describe GENSENBIJINESUJOUHOUHP GENSENBIJINESUJOUHOUHP
# score GENSENBIJINESUJOUHOUHP 3.0
# 
# header XTNSYSTEMMELNO exists:X-TN-SYSTEM-MELNO
# describe XTNSYSTEMMELNO X-TN-SYSTEM-MELNO: ejiya74
# score XTNSYSTEMMELNO 10
# 
# header XTNSYSTEMURL X-TN-SYSTEM-URL =~ /http:\/\/www\.tokyonetworks\.com\//
# describe XTNSYSTEMURL X-TN-SYSTEM-URL: http://www.tokyonetworks.com/
# score XTNSYSTEMURL 10
# body KONKAIKAGIRI /\$3\$N%a!<%k\$O:\#2s8B\$j/
# describe KONKAIKAGIRI KONKAIKAGIRI is NOT one-time mailing.
# score KONKAIKAGIRI 2.0
# 

# rawbody BUSINESSJOUHOU /%S%8%M%9>pJs/
# describe BUSINESSJOUHOU BUSINESSJOUHOU
# score BUSINESSJOUHOU 1.0
# 
# body FETIGAZOU /%U%'%A2hA\|/
# describe FETIGAZOU FETIGAZOU
# score FETIGAZOU 2.0
# 
# body RAPEGAZOU /%l%\$%W2hA\|/
# describe RAPEGAZOU RAPEGAZOU
# score RAPEGAZOU 3.0
# 
# body CHIRAGAZOU /%A%i2hA\|/
# describe CHIRAGAZOU CHIRAGAZOU
# score CHIRAGAZOU 2.0
# 
# body IDOLOTAKARA /%"%\$%I%k\$\*Ju/
# describe IDOLOTAKARA IDOLOTAKARA
# score IDOLOTAKARA 2.0

# rawbody FUKUGYOU /I{6H/
# describe FUKUGYOU FUKUGYOU
# score FUKUGYOU 0.5

# meta MULTI_SJIS MULTIPART_ALTERNATIVE && SHIFT_JIS1
# describe MULTI_SJIS MULTIPART_ALTERNATIVE && SHIFT_JIS1
# score MULTI_SJIS 1.0
# 
# header VSOURCE From =~ /Vsource/i
# describe VSOURCE VSOURCE
# score VSOURCE 5.0
# 
# header FAKEDMSOE User-Agent =~ /Microsoft-Outlook-Express-Macintosh-Edition/
# describe FAKEDMSOE User-Agent: Microsoft-Outlook-Express-Macintosh-Edition
# score FAKEDMSOE 3.0
# 
# body OSOKUNATTEGOMEN /\$\*JV;vCY\$\/\$J\$C\$F\$4\$a\$s\$M/
# describe OSOKUNATTEGOMEN "OSOKUNATTEGOMENNE"
# score OSOKUNATTEGOMEN 0.1
# 
# body HPTSUKUCCHATTA /HP.+:n\$C\$A\$c\$C\$\?/
# describe HPTSUKUCCHATTA "HPchokottotsukucchatta"
# score HPTSUKUCCHATTA 0.5
# 
# body ASOBINIKITENE /M7\$S\$KMh\$F\$M/
# describe ASOBINIKITENE "ASOBINIKITENE"
# score ASOBINIKITENE 0.1
# 
# meta LOVE2HOMUPEWAARUDO OSOKUNATTEGOMEN && HPTSUKUCCHATTA && ASOBINIKITENE
# describe LOVE2HOMUPEWAARUDO OSOKUNATTEGOMEN && HPTSUKUCCHATTA && ASOBINIKITENE
# score LOVE2HOMUPEWAARUDO 7.0
# 
# body CLICK_HERE_TO_UNSUB /^Click.+here.+to.+unsubscribe from this list/i
# describe CLICK_HERE_TO_UNSUB Click here to unsubscribe from this list
# score CLICK_HERE_TO_UNSUB 2.0
# 
# meta CLICK_HTML (CTYPE_JUST_HTML || MIME_HTML_ONLY) && CLICK_HERE_TO_UNSUB
# describe CLICK_HTML (CTYPE_JUST_HTML || MIME_HTML_ONLY) && CLICK_HERE_TO_UNSUB
# score CLICK_HTML 2.0
# 

# rawbody SHINGATASIDEBUSINESS /\?7.*7\?.*%5.*%\$.*%I.*%S.*%8.*%M.*%9.*>p.*Js/
# describe SHINGATASIDEBUSINESS SHIN. GATA. SA. I. DO. BI. JI. NE. SU. JOU. HOU#.
# score SHINGATASIDEBUSINESS 5.0
# 

# body SJIS_URAVIDEO /\227.\203r\203f\203\111/
# body SJIS_URAVIDEO /\227\240\203r\203f\203\111/

# body GAPPY_REM0VED / R E M 0 V E D /
# describe GAPPY_REM0VED R E M 0 V E D
# score GAPPY_REM0VED 1.5

# full FAKEDWORD_ZERO /((^)|( ))[A-Za-z]{0,}(0[A-Za-z]+){1,}(\.{0,1}$| |[:;\r\n])/
# body OBFUS_COMM2 /(<\![[:print:]]+>).+\1.+\1.+\1.+\1/
# describe OBFUS_COMM2 HTML comments which obfuscate text
# score OBFUS_COMM2 0.1
# 
# It's a difficult rules. Because it detects normal html comments too.
# full OBFUS_COMM3 /(<\!-- [-_a-zA-Z0-9]+ -->.+){2,}/
# describe OBFUS_COMM3 HTML comments which obfuscate text
# score OBFUS_COMM3 0.1
# 
# rawbody OBFUS_COMM4 /(<\![a-zA-Z0-9]>.*){8,}/
# describe OBFUS_COMM4 HTML comments which obfuscate text
# score OBFUS_COMM4 0.1
# 
# rawbody OBFUS_COMM5 /(<\![a-zA-Z0-9_,\[\] ]+>.*){4,}/
# describe OBFUS_COMM5 HTML comments which obfuscate text
# score OBFUS_COMM5 0.1
# 
# rawbody OBFUS_COMM6 /<\!--[-%_a-zA-Z0-9]+-->/
# describe OBFUS_COMM6 HTML comments which obfuscate text
# score OBFUS_COMM6 0.1
# 
# rawbody OBFUS_COMM7 /(<[a-zA-Z0-9]+ \/>.*){4,}/
# describe OBFUS_COMM7 HTML comments which obfuscate text
# score OBFUS_COMM7 0.1
# 
# meta OBFUSCATING_COMMENT2 (HTML_MESSAGE || MIME_HTML_ONLY) && (OBFUS_COMM2 || OBFUS_COMM3 || OBFUS_COMM4 || OBFUS_COMM5 || OBFUS_COMM6 || OBFUS_COMM7)
# describe OBFUSCATING_COMMENT2 HTML comments which obfuscate text
# score OBFUSCATING_COMMENT2 3.5
# 
# body FAKEWORDEMAIL /em\@il/i
# describe FAKEWORDEMAIL em@il
# score FAKEWORDEMAIL 0.5
# 
# body FAKEWORDEXTENTION /extensi0n/i
# describe FAKEWORDEXTENTION extensi0n
# score FAKEWORDEXTENTIONS 0.5
# 
# body FAKEWORDPLEASE /Ple\@se/i
# describe FAKEWORDPLEASE Ple@se
# score FAKEWORDPLEASE 0.5
# 
# body FAKEWORDREMOVE /rem0ve/i
# describe FAKEWORDREMOVE rem0ve
# score FAKEWORDREMOVE 0.5
# 
# body FAKEWORDPLEASEREMOVE /Ple\@se.+rem0ve:/i
# describe FAKEWORDPLEASEREMOVE Ple@se rem0ve:
# score FAKEWORDPLEASEREMOVE 1.5
# 
# body FAKEWORDNO /N0/i
# describe FAKEWORDNO N0
# score FAKEWORDNO 0.5
# 
# body FAKEWORDTRANSFER /tr\@nsfer/i
# describe FAKEWORDTRANSFER tr@nsfer
# score FAKEWORDTRANSFER 0.5
# 
# rawbody REMOVEDOMAINSFORPEOPLE /^http\:\/\/www.domainsforpeople.com\/cgi\-bin\/off_list\.pl/i
# describe REMOVEDOMAINSFORPEOPLE http://www.domainsforpeople.com/cgi-bin/off_list.pl
# score REMOVEDOMAINSFORPEOPLE 1.5
# 
# meta DOMAINSFORPEOPLE REMOVEDOMAINSFORPEOPLE && (FAKEWORDEMAIL || FAKEWORDEXTENTION || FAKEWORDPLEASE || FAKEWORDREMOVE || FAKEWORDNO || FAKEWORDTRANSFER)
# describe DOMAINSFORPEOPLE REMOVEDOMAINSFORPEOPLE && (FAKEWORDEMAIL || FAKEWORDEXTENTION || FAKEWORDPLEASE || FAKEWORDREMOVE || FAKEWORDNO || FAKEWORDTRANSFER)
# score DOMAINSFORPEOPLE 3.0

# meta MULTIMIME MULTIPART_ALTERNATIVE && (MIME_BOUND_DIGITS_7 || MIME_BOUND_DIGITS_4)
# describe MULTIMIME MULTIPART_ALTERNATIVE && (MIME_BOUND_DIGITS_7 || MIME_BOUND_DIGITS_4)
# score MULTIMIME 3.0

# header MARRYROSE Received =~ /from.* 202\.53\.18\.(1[6-9]|2[0-3])/
# describe MARRYROSE Japanese spammer: Marry Rose Inc.
# score MARRYROSE 5.0

# header J77QQ_NET Received =~ /from 77qq\.net /
# describe J77QQ_NET probably Japanese spammer's EHLO
# score J77QQ_NET 3.0
# 
# header FAKEDCTYPEJIS Content-type =~ /^text\/plain;charset=JIS$/
# describe FAKEDCTYPEJIS Content-type:text/plain;charset=JIS
# score FAKEDCTYPEJIS 2.0
# 
# meta J77QQSPAM FAKEDCTYPEJIS && J77QQ_NET
# describe J77QQSPAM FAKEDCTYPEJIS && J77QQ_NET
# score J77QQSPAM 5.0

# body SJIS_SHUUDANSTALKER /\x8f\x57\x92\x63\x83\x58\x83\x67\x81\x5b\x83\x4a\x81\x5b/
# describe SJIS_SHUUDANSTALKER Shuudan Stalker
# score SJIS_SHUUDANSTALKER 1.5
# 
# body SJIS_HONOMEKASHI /\x81\x75\x82\xd9\x82\xcc\x82\xdf\x82\xa9\x82\xb5\x81\x76\x82\xc6\x82\xcd/
# describe SJIS_HONOMEKASHI Honomekashi Toha
# score SJIS_HONOMEKASHI 1.5
# 
# body SJIS_NANISHITEMASUKA /\x89\xbd\x82\xb5\x82\xc4\x82\xdc\x82\xb7\x82\xa9/
# describe SJIS_NANISHITEMASUKA Nanishitemasuka
# score SJIS_NANISHITEMASUKA 2.0
# 
# body SJIS_OBOETENAIKANA /\x8a\x6f\x82\xa6\x82\xc4(\x82\xe9\x81\x48|\x82\xc8\x82\xa2\x82\xa9\x82\xc8\x82\x9f)/
# describe SJIS_OBOETENAIKANA Oboetenaikana
# score SJIS_OBOETENAIKANA 2.0
# 
# body SJIS_OMOUNDAKEDO /\x8e\x76\x82\xa4\x82\xf1\x82(\xc5\x82\xb7\x82\xaa|\xbe\x82\xaf\x82\xc7)/
# describe SJIS_OMOUNDAKEDO Omoundakedo
# score SJIS_OMOUNDAKEDO 2.0
# 
# body SJIS_MATTEMASU /\x91\xd2\x82\xc1\x82\xc4\x82(\xdc\x82\xb7\x81\x42|\xe9\x82\xcb\x81\x60)/
# describe SJIS_MATTEMASU Mattemasu
# score SJIS_MATTEMASU 2.0

# meta SORBSFORGEDOL RCVD_IN_SORBS && FORGED_MUA_OUTLOOK
# describe SORBSFORGEDOL RCVD_IN_SORBS && FORGED_MUA_OUTLOOK
# score SORBSFORGEDOL 7.0

# body MENSEKIJIKOU /LH\@U\;v9\`/
# describe MENSEKIJIKOU MENSEKIJIKOU
# score MENSEKIJIKOU 0.5

# meta YAMIKINPTR1 OBFUS_JP_TO && ZENKOKUSOKUJITSU
# describe YAMIKINPTR1 OBFUS_JP_TO && ZENKOKUSOKUJITSU
# score YAMIKINPTR1 3.0
# 
# meta YAMIKINPTR2 OBFUS_JP_TO && TOUKYOUTOCHIJININKA
# describe YAMIKINPTR2 OBFUS_JP_TO && TOUKYOUTOCHIJININKA
# score YAMIKINPTR2 3.0
# 
# body MERUTOMONINAROU /%a%kM'\$K\$J\$m\$\&/
# describe MERUTOMONINAROU Merutomoninarou
# score MERUTOMONINAROU 0.5
# 
# body KAOMOSHIRANAI /4i\$bCN\$i\$J\$\$\?M\$HCgNI\$\/\$J\$k\$N\$C\$F/
# describe KAOMOSHIRANAI Kaomoshiranai Hito
# score KAOMOSHIRANAI 1.0
# 
# body SHINSENNA /\?7A\/\$J463P\$\@\$\+\$iO"Mm/
# describe SHINSENNA Shinsenna Kankaku
# score SHINSENNA 1.0
# 
# body OHENJIMATTEMASU /"`\!e\)\$\*JV;vBT\$C\$F/
# describe OHENJIMATTEMASU Ohenji Mattemasu
# score OHENJIMATTEMASU 1.0
# 
# body MONEYPLAN /\"\(3N<B\$J%\^\%M\!<%W%i%s\$r\$\*9M\$\(\$\/\$\@\$5\$\$\!\#/
# describe MONEYPLAN KAKUJITSU NA MONEY PLAN
# score MONEYPLAN 3.0


# body SOFTDISCOUNT /\%\=\%U\%H7c0B\%G\%\#\%9\%\+\%\&\%s\%H/
# describe SOFTDISCOUNT SOFTDISCOUNT
# score SOFTDISCOUNT 1.5
# 
# body ONLINESHOP /\%G\%\#\%9\%\+\%\&\%s\%H\%\*\%s\%i\%\$\%s\%7\%g\%C\%W/
# describe ONLINESHOP ONLINESHOP
# score ONLINESHOP 1.5

# body SUPAMU_DEHAARIMASEN /%9%Q%`.+\$G\$O\$"\$j\$^\$;\$s/
# body SUPAMU_DEHAARIMASEN /%9%Q%`.+\$G\$O\$"\$j\$\^\$;\$s/
# describe SUPAMU_DEHAARIMASEN SUPAMU MEERU DEHAARIMASEN
# score SUPAMU_DEHAARIMASEN 7.0

# body ZAITAKUWORK /:_Bp(%o\!<%\/|%M%C%H)/
# describe ZAITAKUWORK Zaitaku Work
# score ZAITAKUWORK 0.5
# 
# rawbody SHOUKOARISH /\<gMWET\;T.+\:\#Lk.+L\@F\|/
# describe SHOUKOARISH SHOUKOARISH
# score SHOUKOARISH 2.0
# 
# body MEERUMAGAZINE /;~Be\$N\$a\!\<\$k%\^%,%8%s/
# describe MEERUMAGAZINE MEERUMAGAZINE
# score MEERUMAGAZINE 1.0
# 
# body DAMASAREMASEN /qY\$5\$l\$\^\$;\$s/
# describe DAMASAREMASEN Damasaremasen
# score DAMASAREMASEN 0.2
# 
# body LEVELCHETSUKU /%l%Y%k%A%'%D%\//
# describe LEVELCHETSUKU Levelchetsuku
# score LEVELCHETSUKU 1.0
# 
# body INCHIKIGYOUSHA /Kt\!"%$%s%A%-6H<T\$H;W\$C\$F\$\^\$;\$s\$\+\!\)/
# describe INCHIKIGYOUSHA They recognize themselves as Inchikigyousha
# score INCHIKIGYOUSHA 3.0
# 
# body KANARAZUKASEGERU /I,\$:2T\$2\$k/
# describe KANARAZUKASEGERU Kanarazu Kasegeru
# score KANARAZUKASEGERU 0.5
# 
# body USOITSUWARI /13\!\&56\$j\$N\$J\$\$/
# describe USOITSUWARI Uso Itsuwari
# score USOITSUWARI 0.5
# 
# body HOTHOTNEWS /%\[%C%H\!&%\[%C%H\!\&%K%e\!<%9/
# describe HOTHOTNEWS Hot Hot News
# score HOTHOTNEWS 1.0
# 
# body OSUSUMEJOUHOU /%\*%9%9%a>pJs\/%S%8%M%9/
# describe OSUSUMEJOUHOU Osusume Jouhou
# score OSUSUMEJOUHOU 1.0
# 
# body ZAITAKUGYOUMU /:_Bp6HL3Jg=8/
# describe ZAITAKUGYOUMU Zaitaku Gyoumu
# score ZAITAKUGYOUMU 0.5
# 
# body SHIRYOUUKEOI /;qNA\@AIi/
# describe SHIRYOUUKEOI Shiryou Ukeoi
# score SHIRYOUUKEOI 1.0
# 
# body CHOUSHOSHINSHA /D6=i\?4<T\$\+\$i2DG=/
# describe CHOUSHOSHINSHA Chou Shoshinsha
# score CHOUSHOSHINSHA 1.0
# 
# body LEVELCHECKNASHI /%l%Y%k%A%'%C%\/\$J\$7\$G/
# describe LEVELCHECKNASHI Level Check Nashi
# score LEVELCHECKNASHI 1.0

# rawbody SCAMPHARM /http:\/\/[a-z0-9._\-]+\.(com|net)\/(track.asp\?cg=[a-z]{1,2}\&c=info|f74m\/)/
# describe SCAMPHARM probably Pharmacy scam URI
# score SCAMPHARM 1.0
# 
# body QUOTEMESS /----- *Original Message *-----/i
# describe QUOTEMESS -----Original Message-----
# score QUOTEMESS -0.1
# 
# meta PHARMSCAM SCAMPHARM && QUOTEMESS && BAYES_99 && (FAKEDWORD_ATMARK || FAKEDWORD_ZERO || FAKEDWORD_ONE || FAKEDWORD_EXCLAMATION || FAKEDWORD_VERTICALLINE || FAKEDWORD_BACKQUOTE || FAKEDWORD_BQONE)
# describe PHARMSCAM SCAMPHARM && QUOTEMESS && BAYES_99 && FAKEDWORD_????
# score PHARMSCAM 8.0

# header X_MTA X-MTA =~/MELON SMTP Server version/
# describe X_MTA X-MTA: MELON SMTP Server version 1.34.0.0
# score X_MTA 7.0

# 
# header OBFUS_JP_TO To =~ /=\?ISO-2022-JP\?B\?\?=</
# describe OBFUS_JP_TO obfuscating To: address in Japanese Base64 encoding
# score OBFUS_JP_TO 4.0
# 
# meta SUNFINANCE_1 ISO2022JP_BODY && OBFUS_JP_TO
# describe SUNFINANCE_1 ISO2022JP_BODY && OBFUS_JP_TO
# score SUNFINANCE_1 3.0

# rawbody AFFILIATE_ID /http:\/\/[a-z0-9A-Z.]*\.info\/[A-Z]{2,2}[0-9]{3,}\/\?affiliate_id.+[0-9]{6,}.+campaign_id.+[0-9]{1,}/
# describe AFFILIATE_ID affiliate_id=??????&campaign_id=??????
# score AFFILIATE_ID 5.0

# Before you use njabl.org , you have to subscribe ML. http://njabl.org/use.html

#-# # Not Just Another BlackList tests from http://njabl.org/use.html
#-# header      IN_NJABL_ORG        rbleval:check_rbl('njabl','dnsbl.njabl.org.')
#-# describe    IN_NJABL_ORG        Received via a relay in dnsbl.njabl.org
#-# tflags      IN_NJABL_ORG        net
#-# 
#-# header      NJABL_OPEN_RELAY    rbleval:check_rbl_results_for('njabl', '127.0.0.2')
#-# describe    NJABL_OPEN_RELAY    DNSBL: sender is Confirmed Open Relay
#-# tflags      NJABL_OPEN_RELAY    net
#-# 
#-# header      NJABL_DUL           rbleval:check_rbl_results_for('njabl', '127.0.0.3')
#-# describe    NJABL_DUL           DNSBL: sender ip address in in a dialup block
#-# tflags      NJABL_DUL           net
#-# 
#-# header      NJABL_SPAM_SRC      rbleval:check_rbl_results_for('njabl', '127.0.0.4')
#-# describe    NJABL_SPAM_SRC      DNSBL: sender is Confirmed Spam Source
#-# tflags      NJABL_SPAM_SRC      net
#-# 
#-# header      NJABL_MULTI_STAGE   rbleval:check_rbl_results_for('njabl', '127.0.0.5')
#-# describe    NJABL_MULTI_STAGE   DNSBL: sent through multi-stage open relay
#-# tflags      NJABL_MULTI_STAGE   net
#-# 
#-# header      NJABL_CGI           rbleval:check_rbl_results_for('njabl', '127.0.0.8')
#-# describe    NJABL_CGI           DNSBL: sender is an open formmail
#-# tflags      NJABL_CGI           net
#-# 
#-# header      NJABL_PROXY         rbleval:check_rbl_results_for('njabl', '127.0.0.9')
#-# describe    NJABL_PROXY         DNSBL: sender is an open proxy
#-# tflags      NJABL_PROXY         net
#-# 
#-# score       IN_NJABL_ORG        0.38
#-# score       NJABL_DUL           0.62
#-# score       NJABL_MULTI_STAGE   0.75
#-# score       NJABL_PROXY         3.00
#-# score       NJABL_OPEN_RELAY    3.00
#-# score       NJABL_CGI           1.50
#-# score       NJABL_SPAM_SRC      3.00

# header      X_MONKEY_FORMMAIL   eval:check_rbl('relay', 'formmail.relays.monkeys.com.')
# describe    X_MONKEY_FORMMAIL   Received via relay in monkeys.com's open formmail scripts list
# score       X_MONKEY_FORMMAIL   1.5
# 
# header      X_MONKEY_PROXY      eval:check_rbl('relay', 'proxies.relays.monkeys.com.')
# describe    X_MONKEY_PROXY      Received via relay in monkeys.com's open proxy list
# score       X_MONKEY_PROXY      1.5
# 
# header      X_MONKEY_PROXY      eval:check_rbl('relay', 'spamhaus.relays.osirusoft.com.')
# describe    X_MONKEY_PROXY      Received via relay in Spamhaus Blacklist
# score       X_MONKEY_PROXY      1.5

# 
# 
# SURBL - a new type DNSBL. http://www.surbl.org/
# Many thanks to SURBL staff for your good job.
# 2004.09.07 by [yoh]
# 
# 

# urirhsbl  URIBL_SC_SURBL  sc.surbl.org.   A
# header    URIBL_SC_SURBL  eval:check_uridnsbl('URIBL_SC_SURBL')
# describe  URIBL_SC_SURBL  Contains a URL listed in SpamCop data at http://www.surbl.org/lists.html
# tflags    URIBL_SC_SURBL  net
# score URIBL_SC_SURBL    4.0
# 
# urirhsbl  URIBL_WS_SURBL  ws.surbl.org.   A
# header    URIBL_WS_SURBL  eval:check_uridnsbl('URIBL_WS_SURBL')
# describe  URIBL_WS_SURBL  Contains a URL listed in sa-blacklist at http://www.surbl.org/lists.html
# tflags    URIBL_WS_SURBL  net
# score URIBL_WS_SURBL    2.0
# 
# urirhsbl  URIBL_OB_SURBL  ob.surbl.org.   A
# header    URIBL_OB_SURBL  eval:check_uridnsbl('URIBL_OB_SURBL')
# describe  URIBL_OB_SURBL  Contains a URL listed in OB at http://www.surbl.org/lists.html
# tflags    URIBL_OB_SURBL  net
# score URIBL_OB_SURBL    4.0
# 
# urirhsbl  URIBL_AB_SURBL  ab.surbl.org.   A
# header    URIBL_AB_SURBL  eval:check_uridnsbl('URIBL_AB_SURBL')
# describe  URIBL_AB_SURBL  Contains a URL listed in AB at http://www.surbl.org/lists.html
# tflags    URIBL_AB_SURBL  net
# score URIBL_AB_SURBL    5.0
# 
# urirhssub URIBL_PH_SURBL  multi.surbl.org.        A   8
# header    URIBL_PH_SURBL  eval:check_uridnsbl('URIBL_PH_SURBL')
# describe  URIBL_PH_SURBL  Contains a URL listed in PH at http://www.surbl.org/lists.html
# tflags    URIBL_PH_SURBL  net
# score URIBL_PH_SURBL    5.0
# 
# urirhssub URIBL_JP_SURBL  multi.surbl.org.        A   64
# header    URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
# describe  URIBL_JP_SURBL  Contains a URL listed in JP at http://www.surbl.org/lists.html
# tflags    URIBL_JP_SURBL  net
# score URIBL_JP_SURBL    4.0

# 
# 
# If you're using SA 2.63&2,64, activate follows.
# 
# SURBL - a new type DNSBL. http://www.surbl.org/
# To activate, you have to install SpamCopURI:
# http://sourceforge.net/projects/spamcopuri/
# and you'll get satisfied. :-)
# Many thanks to SURBL staff for your good job.
# 2004.09.07 by [yoh]
# 
# 

# uri       SPAMCOP_URI_RBL  eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2')
# describe  SPAMCOP_URI_RBL  URI's domain appears in spamcop database at sc.surbl.org
# tflags    SPAMCOP_URI_RBL  net
# score     SPAMCOP_URI_RBL  4.0
# 
# uri       WS_URI_RBL  eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
# describe  WS_URI_RBL  URI's domain appears in sa-blacklist
# tflags    WS_URI_RBL  net
# score     WS_URI_RBL  3.0
# 
# uri       OB_URI_RBL  eval:check_spamcop_uri_rbl('ob.surbl.org','127.0.0.2')
# describe  OB_URI_RBL  URI's domain appears in ob.surbl.org
# tflags    OB_URI_RBL  net
# score     OB_URI_RBL  4.0
# 
# uri       AB_URI_RBL  eval:check_spamcop_uri_rbl('ab.surbl.org','127.0.0.2')
# describe  AB_URI_RBL  URI's domain appears in ab.surbl.org
# tflags    AB_URI_RBL  net
# score     AB_URI_RBL  5.0


# Special thanks to Hisaaki SHIBATA-san: 2003/04/04
# header UNDISCLOSED To =~ /undisclosed-recipients*:/i
# describe UNDISCLOSED Undisclosed-recipients
# score UNDISCLOSED 2.00

# Spamhaus XBL+SBL

# header RCVD_IN_SBL_XBL        eval:check_rbl('sblxbl', 'sbl-xbl.spamhaus.org.')
# describe RCVD_IN_SBL_XBL      Received via a relay in Spamhaus SBL+XBL
# tflags RCVD_IN_SBL_XBL        net
# score RCVD_IN_SBL_XBL         1.5


# ipwhois.rfc-ignorant.org has a crazy listing.
# See http://www.rfc-ignorant.org/tools/detail.php?domain=43.0.0.0/8&submitted=1050045420&table=ipwhois
# 
# http://mail-archives.apache.org/mod_mbox/spamassassin-users/200505.mbox/%3c61192FA29C719B469A2B13E57DEDF75B03E2F02F@mail.hbinc.com%3e
# 
# score       RCVD_IN_RFC_IPWHOIS     0
# score       RCVD_IN_RFCI        0