# *******************************************************************
# Personal rules. Do whatever you want with them...
# by Maxime Ritter : airmax AT netlibre DOT info
#
# $Id: airmax.cf,v 1.5 2004/03/09 19:17:07 airmax Exp airmax $
#
# Some of them are rules rejected from the SA distribution, some were
# written by other people, some are mine, etc...
# Some might even be found in the SA distribution (I will clean them up
# when I have time). Some may also give you bad results...
#
# Use with care, and try to understand them. Rules without an explicit
# "score" line get SpamAssassin's default score of 1.0.
# *******************************************************************
#
# Best and latest rules at the beginning...

# Jan-Mar 2004 : Fake Habeas header
header   __HABEAS_SWE      eval:message_is_habeas_swe()
header   __HAB_FORGE_BOUND Content-Type =~ /boundary="--[0-9]{15,20}"/
header   __HAB_FORGE_MID   Message-ID =~ /<[A-Z]{20,25}@[-a-z0-9]{3}/
meta     HABEAS_FORGERY    (__HAB_FORGE_BOUND && __HAB_FORGE_MID && __HABEAS_SWE)
meta     HABEAS_SWE        (__HABEAS_SWE && !HABEAS_FORGERY)
describe HABEAS_FORGERY    Common Habeas forgery
lang fr describe HABEAS_FORGERY Spammeur utilisant Habeas sans autorisation
score    HABEAS_FORGERY    3.5
# The stock HABEAS_SWE rule scores -8.0; redefining it as the meta above
# keeps a forged Habeas mark from earning that bonus.

# mPOP Web-mail (very common)
header   __XMAILER_MPOP    X-Mailer =~ /mPOP Web-Mail/
header   __SUBJECT_MPOP    Subject =~ /^Re: (?:([A-Z]{2,8})|(%RND_UC_CHAR\[2-8\])), /
header   __REFERENCES      exists:References
meta     RATWARE_MPOP      ((__XMAILER_MPOP && __SUBJECT_MPOP) && !__REFERENCES)
describe RATWARE_MPOP      Bulk email software fingerprint (mPOP Web-mail) found in headers
lang fr describe RATWARE_MPOP En-tête d'un logiciel envoyeur de spams (mPOP Web-mail)
score    RATWARE_MPOP      3.5

# Fake X-Authentication-Warning (spams which weren't caught at my school)
header   __XAUTH           exists:X-Authentication-Warning
header   __FAKE_XAUTH      X-Authentication-Warning !~ /(set sender)|(owned process doing)|(claimed to be)/
meta     FAKE_XAUTH        (__FAKE_XAUTH && __XAUTH)
describe FAKE_XAUTH        Fake X-Authentication-Warning header
lang fr describe FAKE_XAUTH L'en-tête X-Authentication-Warning est suspecte
score    FAKE_XAUTH        0.5
# One might give a small bonus to a genuine XAUTH, since spammers avoid hosts
# which add those warnings... That is also what SA did before 2.60.

# Seen on SA-talk, Jan 2004. Very efficient. I think it appears in 2.70cvs
# (but not sure).
header   XMAILERBOGUS      X-Mailer =~ /^[a-z][^A-Z0-9]*$/
describe XMAILERBOGUS      X-Mailer has no uppercase letters and no digits
# How do they expect me to believe this??
meta     XAUTH_XMAILER     (XMAILERBOGUS && FAKE_XAUTH)
score    XAUTH_XMAILER     1.5

# Detect IE URL spoofing. Everything before "@" in a URL is user info, not the
# host, and an encoded %00 or %01 before the "@" made Internet Explorer stop
# displaying the address there: http://www.bank.example%01@evil.example/ was
# shown as www.bank.example but connected to evil.example.
# From: Lucas Albers
# Date: Thursday 22 January 2004 23:42:00
# Groups: gmane.mail.spam.spamassassin.general
# (the original class was [1|0], which also matches a literal "|")
uri      IE_ADDRESS_SPOOF_EXPLOIT /^https?:\/\/[^\/\s].*%0[01]@/
describe IE_ADDRESS_SPOOF_EXPLOIT Message contains an IE address-bar spoofing URL
score    IE_ADDRESS_SPOOF_EXPLOIT 1.5

# 1st Feb 2004 : Bug 2992
# These messages have a header:
# Received: from [numeric_ip] by numeric_ip with HTTP; ...
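To see how the header, uri and meta rules above actually combine, here is an added example (written for this page; it is not part of airmax.cf and not SpamAssassin code) that re-implements a small subset of the engine in Python: `__` sub-rules that never score on their own, `exists:`, the `!~` negative match, `&&`/`!` meta expressions, and the per-rule scores. The regexes are copied from the rules above; the two sample messages, their hosts and addresses are constructed for the demonstration. It also shows what the IE spoof URL really points at.

```python
# Added example: a miniature SpamAssassin-style evaluator for the rules above.
# Not SpamAssassin code; meta evaluation order and header handling are simplified.
import re
from urllib.parse import urlsplit

# header rules: name -> (header, pattern, must_match). must_match=False mirrors "!~".
# Names starting with "__" are sub-rules: they only contribute through a meta.
HEADER_RULES = {
    "__XMAILER_MPOP": ("X-Mailer", r"mPOP Web-Mail", True),
    "__SUBJECT_MPOP": ("Subject", r"^Re: (?:([A-Z]{2,8})|(%RND_UC_CHAR\[2-8\])), ", True),
    "__FAKE_XAUTH": ("X-Authentication-Warning",
                     r"(set sender)|(owned process doing)|(claimed to be)", False),
    "XMAILERBOGUS": ("X-Mailer", r"^[a-z][^A-Z0-9]*$", True),
}
EXISTS_RULES = {"__REFERENCES": "References", "__XAUTH": "X-Authentication-Warning"}
URI_RULES = {"IE_ADDRESS_SPOOF_EXPLOIT": r"^https?://[^/\s].*%0[01]@"}
# metas in dependency order (SpamAssassin sorts them itself); && || ! are SA operators
META_RULES = {
    "RATWARE_MPOP": "(__XMAILER_MPOP && __SUBJECT_MPOP) && !__REFERENCES",
    "FAKE_XAUTH": "__FAKE_XAUTH && __XAUTH",
    "XAUTH_XMAILER": "XMAILERBOGUS && FAKE_XAUTH",
}
SCORES = {"RATWARE_MPOP": 3.5, "FAKE_XAUTH": 0.5, "XAUTH_XMAILER": 1.5,
          "IE_ADDRESS_SPOOF_EXPLOIT": 1.5}   # anything else scores SA's default 1.0


def parse(raw):
    """Split a raw message into (headers, body). Folded header lines are joined and
    names are lower-cased; a repeated header keeps only its last value (enough here)."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in re.sub(r"\n[ \t]+", " ", head).splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def evaluate(raw):
    """Return (sorted names of scoring rules that fired, total score)."""
    headers, body = parse(raw)
    hits = {}
    for name, (hdr, pat, must_match) in HEADER_RULES.items():
        value = headers.get(hdr.lower())
        # an absent header never fires here; the author guards the "!~" rule with
        # __XAUTH in the FAKE_XAUTH meta for exactly that reason
        hits[name] = int(value is not None and bool(re.search(pat, value)) == must_match)
    for name, hdr in EXISTS_RULES.items():
        hits[name] = int(hdr.lower() in headers)
    uris = re.findall(r"https?://\S+", body)
    for name, pat in URI_RULES.items():
        hits[name] = int(any(re.search(pat, u) for u in uris))
    for name, expr in META_RULES.items():
        # rule hits are 0/1, so SA's boolean metas become plain Python expressions
        py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
        hits[name] = int(bool(eval(py, {"__builtins__": {}}, dict(hits))))
    fired = sorted(n for n, h in hits.items() if h and not n.startswith("__"))
    return fired, sum((SCORES.get(n, 1.0) for n in fired), 0.0)


def real_host(url):
    """The host a client connects to: anything before "@" in the authority is
    user info, so http://bank.example%01@203.0.113.9/ goes to 203.0.113.9."""
    return urlsplit(url).hostname


# constructed samples (hosts, addresses and IDs are invented)
SPAM = """\
From: "Online Support" <support@example.net>
Subject: Re: XKQZ, confirm your account
X-Mailer: mPOP Web-Mail 2.19
X-Authentication-Warning: mx.example.net: forged header
Message-ID: <20040309.1@example.net>

Please sign in at http://www.example-bank.com%01@203.0.113.9/login to verify.
"""
HAM = """\
From: Alice <alice@example.org>
Subject: Re: meeting notes
X-Mailer: Mutt/1.5.4i
X-Authentication-Warning: mail.example.org: alice set sender to alice@example.org using -f
References: <1234@example.org>
Message-ID: <5678@example.org>

Notes are at http://wiki.example.org/notes
"""

if __name__ == "__main__":
    print(evaluate(SPAM))   # (['FAKE_XAUTH', 'IE_ADDRESS_SPOOF_EXPLOIT', 'RATWARE_MPOP'], 5.5)
    print(evaluate(HAM))    # ([], 0.0)
    print(real_host("http://www.example-bank.com%01@203.0.113.9/login"))  # 203.0.113.9
```

The `real_host` check is the practical lesson behind IE_ADDRESS_SPOOF_EXPLOIT: a URL parser, unlike the 2004 IE address bar, resolves the part after the last `@`, so logging that host alongside the displayed one is a cheap way to make the spoof visible in a mail gateway.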
header   L_SPAMMY_RCVD     Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with HTTP;/
describe L_SPAMMY_RCVD     Received header has ratware traces
score    L_SPAMMY_RCVD     1.0
header   L_MIME_BOUND_MANY_DIG Content-Type =~ /boundary="\d{13,}"/
describe L_MIME_BOUND_MANY_DIG MIME boundary is 13 or more digits, nothing else
score    L_MIME_BOUND_MANY_DIG 1.0
header   L_MSGID_SPAM1     Message-Id =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
describe L_MSGID_SPAM1     Message-ID has a known spammer pattern
score    L_MSGID_SPAM1     1.0
# The HTML markup in the next two patterns was lost in the copy this file was
# taken from; it is restored here from the describe lines.
rawbody  L_TITLE_MESSAGE   m{<title>Message</title>}i
describe L_TITLE_MESSAGE   Mail has an HTML TITLE tag of "Message"
score    L_TITLE_MESSAGE   1.0
rawbody  L_CONVERTED       m{<!-- Converted from text/plain}
describe L_CONVERTED       Converted from text/plain
score    L_CONVERTED       1.0

####
# Too many spams with tricks to avoid being caught by Razor/Pyzor/DCC.
# Not very useful with other rulesets.
body     IMPRONONCABLE_1   /[bcdfghjklmnpqrstvwxz]{5,20}/
describe IMPRONONCABLE_1   Some words aren't easy to pronounce (too many consonants in a row)
lang fr describe IMPRONONCABLE_1 Certains mots ne sont pas évidents à prononcer (trop de consonnes)
# (the original character class spelled out the alphabet and left out "u")
body     IMPRONONCABLE_2   /(?:[a-z]{1,9}\d{1,4}){2,9}/
describe IMPRONONCABLE_2   Some words aren't easy to pronounce (mixed numbers and lower-case letters)
lang fr describe IMPRONONCABLE_2 Certains mots ne sont pas évidents à prononcer (mélange nombres/lettres).

####
# Some obfuscation
body     OBFUSCAT_ZERO     /\b(?:p0rn|rem0ve|bel0w)\b/i
describe OBFUSCAT_ZERO     Common obfuscation with a zero in place of an "o"
lang fr describe OBFUSCAT_ZERO Cache des mots avec des zéros.

# Feb 2004
header   VERYBAD_YAHOOMSGID Message-ID =~ /[A-Z]{8}\@yahoo\.com/i
describe VERYBAD_YAHOOMSGID Very bad Yahoo Message-ID (from Charles Gregory)
score    VERYBAD_YAHOOMSGID 2.0
header   BAD_YAHOOMSGID    Message-ID =~ /\@yahoo\.com/i
describe BAD_YAHOOMSGID    Bad Yahoo Message-ID (from Charles Gregory)
score    BAD_YAHOOMSGID    0.8

###
# Catching this kind of User-Agent:
# User-Agent: Mozilla/5.016 (X11; U; solaris; U; NT4.0; en-us) Gecko/25250101
# note: should be fixed with 2.70, but this kind of forgery isn't as common as it used to be
header   BAD_MOZILLA_VERSION User-Agent =~ /Mozilla\/5\.0\d\d/
describe BAD_MOZILLA_VERSION User-Agent claims a Mozilla version which doesn't exist
lang fr describe BAD_MOZILLA_VERSION Champ User-Agent référant à une version de Mozilla inexistante.
score    BAD_MOZILLA_VERSION 2.4
# and some improvement to the base rule (so it doesn't match those forgeries)
# header USER_AGENT_MOZILLA_UA User-Agent =~ /^Mozilla\/5\.0 \(.*\) Gecko\/20\d{6}(?: |$)/
# this rule no longer exists in SA...

####
# Some useful spam signs. I didn't open any new bug for them.
header   RCVD_POWERMTA     Received =~ /PowerMTA/
describe RCVD_POWERMTA     PowerMTA found in Received field
lang fr describe RCVD_POWERMTA Contient 'PowerMTA' dans le champ Received
score    RCVD_POWERMTA     1.0

header   FFFF_BOUNDARIES   Content-Type =~ /boundary="ffff"/
describe FFFF_BOUNDARIES   MIME boundary too short, and identical to some of my spams
lang fr describe FFFF_BOUNDARIES Frontières MIME trop courtes et identiques à certains spams.
score    FFFF_BOUNDARIES   2.0

####
# RBL maintained by French people.
# Isn't down as I thought : http://www.rfc1149.net/wsff
header   RCVD_IN_WSFF      rbleval:check_rbl('relay', 'will-spam-for-food.eu.org')
describe RCVD_IN_WSFF      Received via a relay listed in will-spam-for-food.eu.org
tflags   RCVD_IN_WSFF      net

header   MAIL_BOMB_1       X-UIDL =~ /KicKaSSmSgID/
describe MAIL_BOMB_1       Mail bomb ratware.
lang fr describe MAIL_BOMB_1 Entêtes de Mail Bomber
score    MAIL_BOMB_1       3.0

####
# Ratware X-Mailer fingerprints
header   MAILER_VERSION    X-Mailer =~ /Version 5\.0/
describe MAILER_VERSION    X-Mailer header shows some ratware (Version 5.0)
lang fr describe MAILER_VERSION Entête X-Mailer provenant d'un logiciel à spams (Version 5.0)
header   PSS_BULK          X-Mailer =~ /PSS Bulk Mailer/
describe PSS_BULK          X-Mailer header shows some ratware (PSS Bulk Mailer)
lang fr describe PSS_BULK  Entête X-Mailer provenant d'un logiciel à spams (PSS Bulk Mailer)

# Some rules used by alussinan.org (see : http://www.alussinan.org/filtres.html)
# some of these rules may duplicate SA ones...
header   ALUSSINAN_1       Comments =~ /Mailociraptor/
describe ALUSSINAN_1       alussinan.org rule 1
lang fr describe ALUSSINAN_1 Rejet spam sur présence du champ Comments:
header   ALUSSINAN_3       exists:xAddress-Sent
describe ALUSSINAN_3       alussinan.org rule 3
lang fr describe ALUSSINAN_3 Rejet spam sur présence du champ "xAddress-Sent:"
header   ALUSSINAN_4       X-Info =~ /Mindshare/
describe ALUSSINAN_4       alussinan.org rule 4
lang fr describe ALUSSINAN_4 Rejet de courrier envoyé via spammailer (X-Info)
# Warning: "Juno", "Signature", "Group" and "Unity" also appear in legitimate
# X-Mailer strings; check these two against your own ham before raising their
# scores above the default 1.0.
header   ALUSSINAN_5       X-Mailer =~ /Vop Mail|Signature|Juno|Rafale|Mass Sender|MailCity| mailer$|Marketing|MMailer|K-ML|GoldMine|MAGIC|bomber|expeditor|Brooklyn North|Broadcast|DMailer|Extractor|EMailing List Pro|Group|Fusion|News Breaker|dbMail|Unity|PG-MAILINGLIST PRO|Dynamic| Splio|Sarbacane|sMailing|JMail|Broadc\@st|WorkZ|SuperMail/
describe ALUSSINAN_5       alussinan.org rule 5
lang fr describe ALUSSINAN_5 Rejet de courrier envoyé via spammailer (X-Mailer)
header   ALUSSINAN_6       X-Sender =~ /Rafale|Mass Sender|MailCity|\ mailer$|Marketing|MMailer|K-ML|GoldMine|MAGIC|bomber|expeditor|Brooklyn North|Broadcast|DMailer|Extractor|EMailing List Pro|Group|Fusion|News Breaker|dbMail|Unity|PG-MAILINGLIST PRO|Dynamic| Splio|Sarbacane|sMailing|JMail|Broadc\@st|WorkZ|SuperMail/
describe ALUSSINAN_6       alussinan.org rule 6
lang fr describe ALUSSINAN_6 Rejet de courrier envoyé via spammailer (X-Sender)
header   ALUSSINAN_7       X-Attention =~ /opt-in/
describe ALUSSINAN_7       alussinan.org rule 7
lang fr describe ALUSSINAN_7 Rejet X-Attention

#####
# Targeting some common geeky headers :
# Only geeks use them, and those geeks don't send HTML stuff which might match
# any positive rule. But they are also easy to forge, so it's not a good idea
# to add them to the SA distribution.
header   X_URL             exists:X-URL
describe X_URL             Message contains X-URL header
lang fr describe X_URL     En-tête X-URL trouvée
score    X_URL             -1
tflags   X_URL             nice
# gpg prints a double space between the two halves of a fingerprint, and some
# people paste it in lower case; the original /^([0-9A-F]{4} ?){10}/ missed both
header   X_GPG             X-GPG-Fingerprint =~ /^(?:[0-9A-F]{4}\s*){10}/i
describe X_GPG             Message contains X-GPG-Fingerprint header
lang fr describe X_GPG     En-tête X-GPG-Fingerprint trouvée
score    X_GPG             -1
tflags   X_GPG             nice
header   X_OS              exists:X-Operating-System
describe X_OS              Message contains X-Operating-System header
lang fr describe X_OS      En-tête X-Operating-System trouvée
score    X_OS              -1
tflags   X_OS              nice
header   X_EDITOR          exists:X-Editor
describe X_EDITOR          Message contains X-Editor header
lang fr describe X_EDITOR  En-tête X-Editor trouvée
score    X_EDITOR          -1
tflags   X_EDITOR          nice
header   X_KERNEL          exists:X-Kernel
describe X_KERNEL          Message contains X-Kernel header
lang fr describe X_KERNEL  En-tête X-Kernel trouvée
score    X_KERNEL          -1
tflags   X_KERNEL          nice

######
# hello somebody@mailaddress.com
# http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1757
# original author : Martin Radford
# refused : low S/O (for most people), low spam hit rate. But very
# interesting for me....
# (the original mixed the names _HELLO_ADDRESS and L_HELLO_ADDRESS)
body     L_HELLO_ADDRESS   /\b(?:Hi|Hello|Dear)\b.{0,30}@\S/i
describe L_HELLO_ADDRESS   Greets you by address, not by name
score    L_HELLO_ADDRESS   0.5

#####
# Outlook can't send an HTML-only message (thanks to DaScritch http://www.dascritch.net/ )
# Immediately bin any mail written with Outlook that is rich text only,
# without a plain-text part. Never seen anywhere but in spam.
# (spoke about it on the SAtalk ML, might be added in a future version of SA)
meta     OUTLOOK_FAKED     (__OUTLOOK_MUA && __MIME_HTML_ONLY)
describe OUTLOOK_FAKED     Outlook can't send HTML-only messages
lang fr describe OUTLOOK_FAKED Outlook ne sait pas envoyer de mail en HTML pur sans texte brut.
score    OUTLOOK_FAKED     3

#####
# Saving some percent
body     SAVE_PERCENT      /Saves? [1-9][0-9]? ?%/i
describe SAVE_PERCENT      Save some percentage
lang fr describe SAVE_PERCENT Économisez un certain pourcentage (en anglais)

#####
# bug 1415 : Smileys !
# refused : low ratings, too easy to forge... but remaining in my own rules...
body     SMILEY            /\s[:;][-^o]?[][)(><}{|\/DPp]/
describe SMILEY            Contains one or more smileys
lang fr describe SMILEY    Contient un ou plusieurs Smileys
score    SMILEY            -0.5
tflags   SMILEY            nice

# Some ratware (spoke about it on the SAtalk ML)
header   RATWARE_GAVIN     X-Mailer =~ /gavin V[1-9]/
describe RATWARE_GAVIN     Bulk email software fingerprint (gavin) found in headers
lang fr describe RATWARE_GAVIN En-tête d'un logiciel envoyeur de spams trouvée (gavin)

#body SEE_FOR_YOURSELF /See (?:for|it) yourself\b/i
body     SEE_FOR_YOURSELF  /See (?:for|it|it for) yourself\b/i
#--> catches "See it for yourself", which the original misses

# More Nigerian scum
# The __NIGERIAN_BODY_n sub-rules come from the SA distribution (4, 23 and 24
# are deliberately left out); these metas fire when more than 3, resp. 5, of
# them hit the same message.
meta     NIGERIAN_BODY_2   ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 ) > 3
score    NIGERIAN_BODY_2   3.0
describe NIGERIAN_BODY_2   More Nigerian scam body content
lang fr describe NIGERIAN_BODY_2 Contenu du message ressemblant de manière vraiment douteuse à la combine nigériane
meta     NIGERIAN_BODY_3   ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 ) > 5
score    NIGERIAN_BODY_3   5.0
describe NIGERIAN_BODY_3   A lot of Nigerian scam body content
lang fr describe NIGERIAN_BODY_3 Contenu du message ressemblant de manière vraiment trop douteuse à la combine nigériane

#####################################################################
# Chris Santerre's rules                                            #
#####################################################################

#(This has been recent. Dumb spammers. This may go away after a while)
#rawbody RND_WORD /\%RANDOM_WORD/
#describe RND_WORD Spammers can't use their own software!
#score RND_WORD 1.11
# --> syntax error in the original: it used "raw", which is not a SA
#     directive; the intended one is "rawbody". Kept commented out.

# (This has been working great so far. There are more I can|will add.)
header   MY_DSL            Received =~ /adsl|dsl|tampabay\.rr\.com|vc\.shawcable\.net|se\.client..?\.attbi\.com|\.(east|west)\.verizon\.net/i
describe MY_DSL            I could use a BL for this.
score    MY_DSL            .85
# (The following 2 are to try to catch some of these dynamic IP users faking
# legit Froms like AOL, MSN, Hotmail, excite.... I'm working on this theory a
# little more. But this gives you an idea. I wanted to increase the score when
# the email hit both rules. I'll most likely change this to more generic and
# include all the other domains. Score is low for testing.)
meta     AOL_DSL           (_AOL_FAKE_MAIL && MY_DSL)
describe AOL_DSL           AOL email sent from a DSL line.
score    AOL_DSL           .25
# Note: _AOL_FAKE_MAIL is not defined in this file; it has to come from the
# rest of Chris Santerre's ruleset, otherwise "spamassassin --lint" warns about
# an undefined dependency and AOL_DSL can never fire.

# (Ok, the rest are pretty straightforward. Did you read my note above? Did
# you? :p Some of you will scream FALSE POSITIVES on these. And REDUNDANT! But
# as I said, I counter these with some larger negatives for company-specific
# things.)
#
# (I only took the ones I found the most useful)
header   FROM_LIGHT        From =~ /sales?|free|autos?|funpages?|discounts?/i
describe FROM_LIGHT        I don't know people named this!
score    FROM_LIGHT        .75
header   SALES_REPLY       Reply-To =~ /sales?|deals?|specials?|offers?|rewards?|direct|funny|discounts?/i
describe SALES_REPLY       Your parents named you sales?
score    SALES_REPLY       .43

#####################################################################
# Matt Ketler's rules                                               #
#####################################################################

# Generalize this to cover "special xxx offer"
# Plus, needs a bit more weight -- my friends don't normally say these things.
#body OFFER /\b(?:free|special|trial)\s+(?:|[a-z]+\s+)offer/i
#score OFFER 0.5

# Generalize this a bit to cover "CATV xxx descrambler"
body     CABLE_CONVERTER   /\b(?:cable|catv).{0,9}(?:converter|descrambler)/i
# Generalize this to allow for a number between "call" and "now"
body     CALL_NOW          /\bCALL (?:|[-0-9]+\s+)NOW/i
# Extended, more evil version of ONLY_COST
body     ONLY_COST_BANG    /\bonly .{0,9}\$\s*[0-9.]+\s*!{2,9}/i
describe ONLY_COST_BANG    Only $$$ !!!
score    ONLY_COST_BANG    1.0
# Generalize this to cover "opt-out" and "optout", all cases
body     OPT_OUT           /\bopt.?out\b/i
score    OPT_OUT           1.0

#####################################################################
# Marc Perkel rules                                                 #
#####################################################################
# Offer : bug 1849 (waiting for 2.70).
# not very useful with Bayes & high risk of false positives
header   ADDR_OFFER        ALL =~ /(?:to|from|reply-to):.*<.*offer.*\n/i
describe ADDR_OFFER        To, From or Reply-To address contains OFFER
uri      OFFER_URI         /^https?:\/\/.*?(?:offer[sz]?\.\w|[.\/]offer|offer=)/i
describe OFFER_URI         Offer in link address
body     OFFER             /\b(?:free|trial|full|phone|points?|hottest|internet|great|of this|about this|dealer|responded|not an|pay|are able to|future|valuable|partner|receiv(?:e|ed|ing)|introductory|exclusive|promotional|coupon|bonus|further|following|product|proud to|additional|website|amazing|discounts?).{0,9}(?:this|these|)\boffer(?:s|ings?|ed|)\b/i
describe OFFER             Offers you something
score    OFFER             0.3
body     OFFER_2           /\boffer(?:s|ings?|) .{0,9}\b(?:expires|subject|limited|ends|mailed|originator|contained|discounts?|confidential|is good|available|valid|in error|!)\b/i
describe OFFER_2           Offers you something (2)
score    OFFER_2           0.3
body     SPECIAL_OFFER     /\bspecial .{0,15}\boffer(?:s|ings?|ed|)/i
describe SPECIAL_OFFER     Special offer
score    SPECIAL_OFFER     0.3

# Bug 1924 : misspelled penis
# http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1924
# better version for French spams (pénis)
body     DISGUISE_PENIS    /\b(?:p.n[1líîìï]s)\b/i
describe DISGUISE_PENIS    Disguised word "penis"
lang fr describe DISGUISE_PENIS Contient le mot "pénis" déguisé.

#
# Chris Convington (no reverse DNS rules).
#
# This is what I'm now using w/Postfix (should work for any MTA):
# Note: a "header ... Received =~" rule is tested against every Received: line,
# not only the hop where the mail entered your network, so an internal relay
# without a PTR record will trigger these as well.
header   NO_RDNS           Received =~ /\(unknown[ ]\[/
describe NO_RDNS           Sending MTA has no reverse DNS (Postfix variant)
header   NO_RDNS2          Received =~ /\(\[.*\]\)/
describe NO_RDNS2          Sending MTA has no reverse DNS

# ABC Tracking
# not quite sure it is very efficient...
# (the original pattern was mangled in the copy this file was taken from;
# "exists:" is what the describe line says)
header   ABC_TRACKING      exists:ABC-Tracking
describe ABC_TRACKING      Has an ABC-Tracking header
score    ABC_TRACKING      2.5

#
# Some improvements to base rules
#
body     REMOVE_FROM_LIST  /to be r[e3]mov[e3]d from (?:the|my|our) (?:ma[i1]l[i1]ng|e.?ma[i1]l|opt[ -]?[i1]in)? ?l[i1]st/i
body     CLICK_TO_REMOVE_1 /click here to be (?:permanently )?(?:r[e3]mov[e3]d|d[e3]l[e3]t[e3]d)/i
body     EXCUSE_3          /to (?:be removed|be deleted|no longer receive th(?:is|ese) messages?) (?:from|send|reply|[e-]*mail)/i
body     EXCUSE_7          /you (?:wish|want|would like|desire) to be removed/i
body     EXCUSE_REMOVE     /to be removed from.{0,20}(?:mailings|offers)/i

# A nice rule (Gmane)
####
# Negative score, so flagged "nice" like the other bonus rules above; the
# header is trivial to forge, keep the score modest.
header   GMANE_INJECTED    X-Injected-Via-Gmane =~ /http:\/\/gmane\.org\//
describe GMANE_INJECTED    Header : Injected Via Gmane
score    GMANE_INJECTED    -1.5
tflags   GMANE_INJECTED    nice
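The NO_RDNS, NO_RDNS2, L_SPAMMY_RCVD and RCVD_POWERMTA rules above all run against the whole Received: chain, so the way SpamAssassin applies them depends on which hops you trust. The following added example (written for this page; not part of airmax.cf and not SpamAssassin's own trusted_networks code) walks the chain in Python and splits it at the first hop from outside a hypothetical trusted network: the reverse-DNS rules are applied only to that boundary hop, because that is the only line your own MTA wrote about the peer, while the ratware fingerprints are applied to every untrusted hop, since the forged lines below the boundary are exactly what they look for. The Received: lines, hostnames and addresses are constructed, and the trusted network is an assumption.

```python
# Added example: apply the Received-header rules above per hop rather than to
# the whole chain. Simplified trust model; not SpamAssassin code.
import ipaddress
import re

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: our own relays

# Patterns copied from the rules above. Boundary rules describe what *our* MTA
# saw about the peer; untrusted rules are fingerprints of lines the sender wrote.
BOUNDARY_RULES = {
    "NO_RDNS": re.compile(r"\(unknown[ ]\["),
    "NO_RDNS2": re.compile(r"\(\[.*\]\)"),
}
UNTRUSTED_RULES = {
    "L_SPAMMY_RCVD": re.compile(r"from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by "
                                r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with HTTP;"),
    "RCVD_POWERMTA": re.compile(r"PowerMTA"),
}
# the "[a.b.c.d]" after "from ..." is the address the receiving MTA connected with
SOURCE_IP = re.compile(r"\bfrom\b[^;]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_chain(received):
    """received: Received: values in header order (newest hop first).
    Hops stay trusted while the sending address is in TRUSTED_NETS; the first hop
    from outside, and everything older than it, is untrusted and may be forged."""
    for i, line in enumerate(received):
        m = SOURCE_IP.search(line)
        if m is None or not any(ipaddress.ip_address(m.group(1)) in n for n in TRUSTED_NETS):
            return received[:i], received[i:]
    return received, []          # never left our network: local submission


def check_received(received):
    """Rule names that fire, honouring the trust boundary."""
    _trusted, untrusted = split_chain(received)
    hits = set()
    if untrusted:
        boundary = untrusted[0]
        hits.update(n for n, rx in BOUNDARY_RULES.items() if rx.search(boundary))
        for line in untrusted:
            hits.update(n for n, rx in UNTRUSTED_RULES.items() if rx.search(line))
    return sorted(hits)


def naive_check(received):
    """What a plain 'header X Received =~ /.../' does: every hop, trusted or not."""
    rules = {**BOUNDARY_RULES, **UNTRUSTED_RULES}
    return sorted(n for n, rx in rules.items() if any(rx.search(l) for l in received))


# constructed chains (hosts, addresses and queue IDs are invented)
SPAM_RECEIVED = [
    "from mx.example.org (mx.example.org [192.0.2.10]) by store.example.org (Postfix) "
    "with ESMTP id 1A2B3C; Tue,  9 Mar 2004 19:17:07 +0100",
    "from unknown (unknown [203.0.113.5]) by mx.example.org (Postfix) "
    "with ESMTP id 4D5E6F; Tue,  9 Mar 2004 19:17:05 +0100",
    # forged by the ratware before the mail ever reached us
    "from [203.0.113.5] by 203.0.113.5 with HTTP; Tue, 9 Mar 2004 19:17:00 +0100",
]
HAM_RECEIVED = [
    # our own internal relay happens to have no PTR record
    "from unknown (unknown [192.0.2.20]) by store.example.org (Postfix) "
    "with ESMTP id 7G8H9I; Tue,  9 Mar 2004 18:00:02 +0100",
    "from mail.partner.example (mail.partner.example [198.51.100.7]) by mx.example.org "
    "(Postfix) with ESMTP id 0J1K2L; Tue,  9 Mar 2004 18:00:01 +0100",
]

if __name__ == "__main__":
    print(check_received(SPAM_RECEIVED))   # ['L_SPAMMY_RCVD', 'NO_RDNS']
    print(check_received(HAM_RECEIVED))    # []
    print(naive_check(HAM_RECEIVED))       # ['NO_RDNS']  (false positive from our own relay)
```

The ham chain is the case that bites in practice: the naive whole-chain match fires NO_RDNS on your own relay, which is why SpamAssassin's own `trusted_networks` setting exists and why a missing-rDNS rule should score nothing on hops you added yourself.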