// MailWasher Pro filter rules #3, compiled by "Wiz" Feinberg, from www.wizcrafts.net.
// Can be used to replace the default rules, saved to your MWP profile data folders as filters.txt.
// This page is a child of: http://www.wizcrafts.net/mailwasher.html and http://www.wizcrafts.net/mwp-filters.html where you can get MailWasher Pro, or learn more about it.
//
// If these rules prove beneficial to you, please make a donation, at: http://www.wizcrafts.net/donations/
// Thanks :-)
//
// READ THESE NOTES
// // Indicates a comment, and is not parsed.
//
// IMPORTANT READ THE FOLLOWING!
// If you make changes to this file while MailWasher Pro is running, the changes will be overwritten when MailWasher Pro is closed.
// To be safe, close MailWasher first,then edit the filters. Or, edit them within MailWasher using the Filter Sidebar (Control + F7).
// I have had reports about corruption when copying and pasting my filters into existing filters.txt files. Most of the time this is caused because the text editor you are using is allowing a mixture of Unicode and Ascii entries to be copied.
// If you experience MailWasher wiping out the pasted in filters, after you re-open it (assuming it was not running at all when you saved the changes), do this.
// When copying and pasting some or all of these filters into your own "filters.txt," if you are using a text editor that is unicode-aware, you should not just SAVE the file. Rather you should use the "Save AS" feature to save the file as either all ASCII or all UNICODE. MailWasher will accept either, but can only deal with one at a time.
//
// Personally identifiable rules have been deleted from this list. You should create your own rules to deal with your domain name or email address in the Subject or From fields.
// Sample rule for spam sent to an non-existent account on your Domain server, - contacts@yourDomain ...
// (ex:)  [enabled],"contacts@YourDomain.com","Contacts Spam",16711680,OR,Hidden,Delete,Automatic,To,contains,contacts@YourDomain.com,EntireHeader,contains,contacts@YourDomain.com,Subject,contains,contacts@YourDomain.com,From,contains,contacts@yourDomain
// The following are actual, functional rules, ready to drop in to your existing Mailwasher Filters. There may be duplicates because some are from common rules sources.
// There must not be any blank lines from the start of the list to the end. Each rule must be on one continuous line, with a linefeed between rules. The last rule must end at the end of it's line, without a linefeed!
// Turn off word wrap to view these rules.
// Be sure you add your friends and contacts to your Friends List, or the image spam filter rules may delete email you wanted.
// Removed undesirable "Bounce" directives on August 8, 2007. Bouncing no longer works for modern spam as the Return To and From field is always forged and is sent from zombie botnetted home or office computers.
// WARNING! This version of my filters contains Hidden and Automatic deletion actions when an email is identified as spam by some of these rules. You should review these filters and change these actions if you prefer to see all flagged messages and delete them manually.
// You should definitely turn on "Allow deleted email to be restored from the summary screen," then set your SMTP server and logon credentials, and set the scanning size to at least 250 lines or more (300+ lines is better).
// Rearranged filters according to my own usage; most current rules nearest the top; catch-alls near bottom.
// December 2, 2007: (Split Pharmaceuticals and Male Enhancement filters into separate detections for Subject [S] and Body [B] word matches. Merged Canadian Pharmacy filter into Pharmaceuticals.)
// January 3, 2008, I have begun anchoring the starting characters on new lines with ^ to improve rule processing. Many rules are getting updated to include this, as is appropriate.
// January 17, 2008, I added a new filter to detect the same domain name on both sides of @ sign, in "From:" field. Removed part of .info sender filter to speed up processing.
// March 8, 2008, made HTML Tricks filter automatically delete, afer a deluge of spam matching it's rules, with no false positives.
// Recently disabled and moved to bottom: Fake CNN and MSN Breaking news alerts leading to Trojan video codec downloads.
// Removed most of the image spam filters because this type of spam is rarely used now. Only Image Spam #11 remains.
// Recent additions: UPS Scam, New User-Agent and X-Mailer filters, Fake Domain Renewals, Fake MSN Newsletter, Thunderbird 2-Line Spam, Canadian Pharmacy Fake Newsletter, Daily Top 10 Canadian Pharmacy, Controlled Drugs, Money Mule Scam, SquirrelMail, Canadian Pharmacy, Fake Fox News Canadian Pharmacy, Fake ABCNews Canadian Pharmacy, Bank Phishing, Known Spam Subjects #3, Thunderbird mailer, Yahoo Calendar and Yahoo Search spam filters.
// Previously updated on December 28, 2008: updated Pills, Known Spam Domains and Known User Agent spam filters.
// Last Updated on January 3, 2009: Updated Known Spam [From or Body] filter for Mr. Song Li(le) scams.
// All of these comments will be erased as soon as you save this file as filters.txt and activate MailWasher Pro. Keep a copy of this file on hand.

[enabled],"AVG Returned Email","AVG Bounces",16711680,OR,Delete,Body,contains,"This is the AVG E-mail Scanner program.",Body,contains,"I'm sorry to inform you that the message",Subject,contains,"Undelivered Mail Returned to Sender"
[enabled],"Restored by MWP","Restored by MWP",26112,AND,Legitimate,TakesPrecedence,EntireHeader,contains,"Resent-From: ""MailWasher Pro recycle bin"""
[enabled],"Mailwasher Reports","MWP Report",26112,AND,Legitimate,Subject,contains,"MailWasher Pro summary"
[enabled],"Multiple Forwarded Messages","Multiple Forwarded Messages",16711680,AND,To,containsRE,"(.+@.+,\s){5,}",Subject,contains,FW:
[enabled],XdomainY@domain,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"
[enabled],"Angelina Jolie Video Trojan","Angelina Jolie Video Trojan",255,AND,Delete,TakesPrecedence,Automatic,Subject,containsRE,"An[gj]elina\s{1,2}(Jolie\s)?(Free|naked|nude|XXX)?\s(movie|Video)|Jolie\ naked"
[enabled],"Fake Windows Update","Exploit Link",16711680,AND,Delete,TakesPrecedence,Subject,contains,"Official Update",Body,containsRE,"/.+\.exe"">"
[enabled],"Trojan Video Link [S]","Trojan Video Link",16711680,OR,Delete,Automatic,Subject,containsRE,(Kick-up|News)\s-.+-\svideo,Subject,contains,"video without cowards",Subject,contains,"Re: Delivery Protection",Subject,is,"BREAKING news",Subject,is,"Weekly top news",Subject,containsRE,"(BBC:|CNN:|Breaking\ news:|Hot\ news:)"
[enabled],"Trojan Video Link [B]","Trojan Video Link",16711680,OR,Delete,Automatic,Body,containsRE,"(Kick-up|New|Shocking)\s(presentation|video)|video\ without\ cowards|mp3\ is\ shocking|Interesting\ (cd|mp3|mpeg4)|Stunning\ (mpeg4|porno|video)|porno\ dvd",Body,containsRE,"Download\ and\ watch|Download\ (it\s)?now\!|get\ this\ kick-up\ cd|Look\ (at\s)?it\ now\!",Body,containsRE,"/(play(er)?|mov|stream|vid|video_?\d?|watchit)\.exe"">",Body,contains,"Download VIDEO",Body,contains,"Open video",Body,contains,/paris_hilton,Body,contains,"PUSH TO WATCH",Body,contains,"Shocking movie",Body,containsRE,"/index[0-9]{1,2}\.html"">",Body,contains,"Video attached"
[enabled],"Trojan Video Link [S&B]","Trojan Video Link",16711680,AND,Delete,Automatic,Subject,containsRE,"Barack\ Obama|Britney\ Spears|(Paris|Barron)\ Hilton",Body,containsRE,"\.exe"">|/index_?\d{1,2}\.html"">|video\ report|news\ page>>"
[enabled],"Exploit Link","Exploit Link",16711680,OR,Delete,Automatic,Body,contains,"Please read the attachment to get the message",Body,contains,"Please read the attachment.</A>",Body,contains,"have attached your document.</A>",Body,containsRE,http://.+/(begin|checkit|default|first|fresh|index1|gowatch|live(streaming)?|lol|main|news|r|showvideo|start|stream(ing)?|topnews|up|viewmovie|watch|watchit|whatsup)\.html(</a><br>)?(\r\n)?,Body,contains,/viewmovie.html,Body,containsRE,"/(install|msvideoc)\.exe"">",Body,containsRE,".(avi|mpg).exe"">",Body,containsRE,"/(best|index1|up)(\.|=2E)php""",Body,contains,"American soldiery",Body,containsRE,"(?-s)^Content-Transfer-Encoding:\ quoted-printable\r\n\r\n^.+http://.+/.+\.html$\r\n^------=_NextPart_"
[enabled],"Known Spam Subjects #1","Known Spam Subjects",16711680,OR,Delete,Automatic,Subject,containsRE,"^\d\d% discount$",Subject,contains,"Can you tell me what's wrong, and how we can fix it?",Subject,contains,"No more embarrassment",Subject,contains,"New size for Men",Subject,contains,"U on board",Subject,contains,"huge dignity",Subject,contains,"Won't forget last night",Subject,contains,"Realize all of her dreams",Subject,contains,"re:Nobody will know bout your problems",Subject,contains,"Get on this right away",Subject,is,"Batteries included",Subject,containsRE,(?-i)^Mego\s.+,Subject,containsRE,^(?-i)(MSG\s)?ID:\d{5}\s.+
[enabled],"Known Spam Subjects #2","Known Spam Subjects",16711680,OR,Delete,Automatic,Subject,contains,"For every men of different ages unique decision",Subject,is,"What time is okay for you",Subject,contains,"We provide for you a real advantage to turn her on",Subject,contains,"Our best decision is suitable for every age",Subject,contains,"She will call you Macho",Subject,contains,"Legendary Hero of rumors",Subject,contains,"Extend your possibilities in your private life",Subject,contains,"Know her from the sexual side how is she inside exactly",Subject,containsRE,"(guys|Mens?)\ (Love|Need)\ This|Are\ you\ ...\?|XXX\ Video",Subject,containsRE,"size\ increase|(luck|pleasure)\ in\ love|\b(?-i)[GH]uu\w{2,}|virility|bikini\s.*shoot",Subject,contains,"The most powerful weapon for your battles",Subject,contains,"Fast Shipping WorldWide",Subject,containsRE,"(Best|Finest|Good)\ ([a-z]{3,}\ )?(propos(al|ition)|solution|suggestion)"
[enabled],"Known Spam Subjects #3","Known Spam Subjects",16711680,OR,Delete,Automatic,Subject,is,"Bring back time when girls were yours.",Subject,is,"Solution for your sexual life",Subject,is,"You can do anything with it",Subject,is,"you have nothing to lose, just a lot to gain!",Subject,contains,"Proven Effective",Subject,contains,"Make your lady w",Subject,contains,"Relax. Take a Deep Breath",Subject,contains,"Buy now, you won't regret!",Subject,containsRE,"^\d\d%\ off\ for\ [a-z0-9]{3,}$",Subject,containsRE,"(?-i)^from\s[A-Z][a-z]{2,}\s[A-Z][a-z]{3,}$"
[enabled],"Known 1-word spam subject","Known Spam Subjects",16711680,OR,Delete,Automatic,Subject,is,Enlarge,Subject,is,Rwd:,Subject,is,Vulcan!,Subject,containsRE,^[0-9]{4}$,Subject,containsRE,^(Ave|Best|Electronics|Finest|Good(iest)?|Salute|Super)$,Subject,containsRE,^(attehuor|fumerent|herkapit|Hermes|idaza|atiohar|Mego|ne-gnorw|nidnalad)$
[enabled],"Known Spam [From or Body]","Known Spam [F or B]",16711680,OR,Delete,Automatic,Body,contains,"The most powerful weapon for your battles",Body,containsRE,"SpamIt\.com|best-kept\ secret\ for\ Men|^peascod|^(?-i)Severtieth|Healthcare\ Management\ Inc",Body,containsRE,"\b(show\ woman\ you(rself)?\ care|(many|Your)\ w[eo]men)\b",Body,contains,"The finest of products, at the lowest of prices:",EntireHeader,containsRE,"(^From:\s{1,3}""?(Mr\.?\ Song\ Li|ph[ra]{2}macy|(?-i)E-STORE|\{|\}|""=\?ISO-8859-1\?Q\?))|(^X-Mailer:\ PHPMailer\ \[version 1\.73\]\r\n^X-Mailer:\ phplist\ v2\.10\.4$)",EntireHeader,contains,"From: ""USA Government Center""",Body,containsRE,"^Satisfy\ (your\ (girl|wom[ae]n)|her\b)|^Best\ offers\.\ \(c\)\ 200[89]",Body,contains,"gift for your lover",Body,contains,"Make her worship you",Body,contains,"pleasure in bed",Body,contains,"(c) 2008. To unsubscribe press <a",From,contains,"Rx The Best Source"
[enabled],"Viagra.com Spam","Viagra Spam",16711680,OR,Delete,TakesPrecedence,Automatic,From,contains,viagra.com,From,contains,"® Official Site",From,containsRE,VI[A@]G®A|VIAGR[A@]|Viag.?ra|viagar|ivagra|v[ia]{2}gra|v[iy]arga|V_I_A_G_R_A,From,containsRE,^i?Ci?a.?li?s\b,Subject,containsRE,"^(RE:\ )?(January|February|March|April|May|June|July|August|September|October|November|December)\ \d\d%\ OFF\s?$",Subject,containsRE,"^Your\ Order\ Status\ ID:\ [A-Z]{11,}",EntireHeader,containsRE,wizd(ist|om)\.com
[enabled],"Canadian Pharmacy Fake Newsletter","Canadian Pharmacy",16711680,OR,Delete,Automatic,From,contains,noreply@newsletter.,From,containsRE,"(?-i)(Express\ Newsletter|WWW\ News|Healthcare\ Management\ Inc|Incredible\ News)",From,contains,"Morning Breaking news",Body,contains,"CPA Newsletters",Body,contains,"Gardena Professional Pharmacy"
[enabled],"Canadian Pharmacy","Canadian Pharmacy",16711680,OR,Delete,TakesPrecedence,Automatic,Subject,containsRE,"Canadian\s?(Pharmacy|P\.h\.a\.r\.m\.a\.c\.y|RX|Health\ (&|adn|and)\ Care\ Mall)|^re:.{3,4}(?-i)Doctor\ [A-Z].+",Subject,containsRE,"^\d\d\ percent\ discount$",Body,containsRE,Canadian\s?(Chemist|Medical|Pharmacy|RX),Body,contains,"Canadian Health and Care Mall",Body,contains,"Canadian Health & Care Mall",Body,contains,"This email was sent by: CMD",Body,contains,<Info...>,Body,contains,"preparations for immunity improvement",Body,containsRE,Canadian.?(Phar?|p\.h\.a\.r\.m\.a\.c\.y)|Pharma?.*(Canada|market),Body,containsRE,"^<A\ href=3D""http://.+/index\d\d\.php"">.+>>></A>$"
[enabled],"Fake MSN Newsletter","Canadian Pharmacy",16711680,AND,Delete,TakesPrecedence,EntireHeader,doesn'tContainRE,"^Received:\ from\ .*\.msn\.com",Subject,containsRE,"(?-i)^RE:\ .+",Body,contains,"you subscribed to MSN Featured Offers."
[enabled],"Hidden ISO Subject","Hidden ISO or Ascii Subject",16711680,OR,Delete,Automatic,EntireHeader,containsRE,^Subject:[^\n]*?=?ISO-8859-[^\n]*?\n,EntireHeader,contains,"Subject: =?us-ascii?",EntireHeader,contains,"Subject: =?windows-1251?B?",EntireHeader,contains,"Subject: =?gb2312?B?"
[enabled],"&nbsp Spam","&nbsp Spam",16711680,AND,Delete,Body,contains,"<TR style=3D""background-color:#33CCFF "">",Body,contains,<TD>&nbsp;</TD>,Body,contains,"<TD style=3D""background-color:#33CCFF "">&nbsp;</TD>",Body,containsRE,"\.(com|net)"">Click here</A></P>"
[enabled],"Postcard Trojan Scam","Postcard Scam",16711680,AND,Delete,Automatic,Subject,containsRE,"\b(e-?)?(card|greeting|postcard|new\ (greeting|postcard|year)|Happy\ 2009!|New\ Hope\ and\ New\ Beginnings|new\s.*year)",Body,containsRE,"\b((e-?)?(post|greeting\s)?card)|new\ (greeting|postcard|year)\b",Body,containsRE,"^http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.*postcards?.*|newyearwithlove|.+2009|happy.+cards?|happy2009.*?)\.(com|exe|org)/?)"
[enabled],"Numeric IP Link","Numeric IP Link",16711680,AND,Delete,Automatic,Body,containsRE,"^.*http://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/",EntireHeader,doesn'tContainRE,"^Message-ID:\ <.+@mail.gmail.com>"
[enabled],"Image Spam #11","Image Spam #11",16711680,OR,Delete,TakesPrecedence,Body,containsRE,"^<(center|/style)>\r\n^<a\ href=""http://.+\.(ca|cn|com|net|org|info)""><img\ src="".+/.*\.gif"">\r\n^<style>$",Body,contains,img0.gif,Body,contains,"alt=3D""Want to request ? It's easy to make a request online.",Body,contains,8dvs9.jpg,Body,contains,ioreuu78.jpg,Body,containsRE,"(?-i)^<BODY><a\ href=""http://.+\.com/""\ target=""_blank"">\r\n^<img\ src=""http://.+\.com/.+\.(gif|jpg)""\ border=0\ alt=""Having\ trouble\ viewing\ this\ email\?\s?\r\n^Click\ here\ to\ view\ as\ a\ webpage\.""></a></BODY></HTML>$",Body,containsRE,"(?-i)^<BODY><table>\r\n<tr><td><a\ href=""http://.+\.com/""><img\ src=""http://.+\.com/.+\.jpg""\ border=0\ alt=""Visit\ site\ now!""></a><br>\r\n<br></td></tr></table></BODY></HTML>$"
[enabled],"Fake Fox News Canadian Pharmacy","Canadian Pharmacy",16711680,AND,Delete,Automatic,EntireHeader,contains,"X-MimeOLE: Produced By Microsoft Exchange V6.5",EntireHeader,doesn'tContain,"Received: from listserv.foxnews.com",Body,contains,"To stop ALL email from FOX News Network",Body,contains,"This email was sent by: FOX News Network"
[enabled],"Fake ABCNews Canadian Pharmacy","Canadian Pharmacy",16711680,AND,Delete,Automatic,Body,contains,"To stop ALL email from ABCNews Newsletters, click here to remove =",Body,contains,&SESSID=3D,EntireHeader,contains,"X-MimeOLE: Produced By Microsoft Exchange V6.5"
[enabled],"Daily Top 10 Canadian Pharmacy","Canadian Pharmacy",16711680,AND,Delete,Body,contains,CNN.com,Body,contains,"THE DAILY TOP 10",EntireHeader,doesn'tContainRE,"^Received:\ from\ .+\.cnn\.com\ \(\[64\.236\.31\.[0-9]+\]\)$"
[enabled],"Viagra Spam [S]","Viagra Spam",16711680,OR,Delete,TakesPrecedence,Automatic,Subject,contains,"Always be ready.",Subject,contains,impotency,Subject,contains,se>.<,Subject,contains," dysfunction",Subject,contains,$_e'xual,Subject,containsRE,blue.?pills?\b,Subject,is,"Be ready.",Subject,containsRE,"\b(cialis|levitra|viagra|Pfizer|^Pending\ delivery)\b",Subject,containsRE,(?-i)ED[_\s]dysfunction,Subject,containsRE,"(?-i)Online\ V[a-z1]{1,4}A\ Store"
[enabled],"Misspelled Viagra [S]","Viagra Spam",16711680,OR,Delete,Automatic,Subject,contains,VlsAGRA,Subject,contains,VIAGQRA,Subject,contains,Vlagrxa,Subject,containsRE,"^V.{4,6}a\s\d\d\s?mg",Subject,containsRE,(V|\\/|/)[i|l!1]agr[a@],Subject,containsRE,\bv.*i.*a.*g.*r.*a[^b-z\s]?\b,Subject,contains,Vyagra,Subject,containsRE,(?-i)V[iy]a(rga|gar|gra),Subject,contains,Vgaira
[enabled],"Male Enhancement [S]","Male Enhancement",16711680,OR,Delete,Automatic,Subject,containsRE,"your\ (male\ p[a@]ck[a@]ge|copulation|manliness|masculinity|new\ (tool|rod|size|weener|willy))|Bodypart|(giant|gigantic|male|man|pocket)\ tool|manly|Masculine|lovemaking|(harder|thicker)\ and\ longer|penetrate|Enlarge,\ Widen\ and\ Strengthen|enlarge\ and\ lengthen",Subject,containsRE,"add\ (\d\s)?inches|\d\ inn?cc?hes|girth,?\s( and\s)?(length|lenght)|(length|lenght)\ and\ (girth|thickness)|thickness\ (a[nd][dn])\ length|long(er)?\ and\ thick(er)?",Subject,containsRE,(big(ger)?|fuck|hard(er)?|gigantic|love|man)\s(sausage|stick|pecker|pole|rod|weapon),Subject,containsRE,"Bring\ her\ to\ seventh\ heaven|huge\s?(dic'?k|dignity|package)|problems?\swith\ssize|size\ (really\s)?(does\s)?matters?|I've\ gained\ an\ inch|your\ dic?'?k\ size|rock\ hard|Upsize\ your\ DlC?'?K|(Enlarge|Super-Size)\ It|Impress\ .*wom[ae]n",Subject,containsRE,"(boner|blue\ balls|c[o0]ck|\bcum\b|d1ck|dic'?k|\bdong\b|ejaculat(e|ion|ory)|ejauclation|elongate|enhancements?|enlarge(d|ment)|enlarge\syour|Erectile|Erection|flaccid|foreplay|\bpeckers?\b|pen.?[i1l!]s\b|p[e3]nis|pen-nis|p\ e\ n\ [i1l]\ s|\bp[aei3]nis\b|phall(i|us)?|prick|sex(ual)?|s'e[^a-z]?x|s'e_xual|\$e><|Sizeable|VPXL)",Subject,containsRE,"Gains?\ (up\ to\ )?(\d\+?\s)?(inches\ )?in\ (girth|length|size)|Gaining\ inches",Subject,containsRE,"(bat|bulge|monster|python|rocket|snake)\ in\ your\s{0,3}(pants|pocket|trousers)|trouser\ snake",Subject,containsRE,"\b(?-i)(FDA|Doctor)\ Approved",Subject,containsRE,"(get|grow)\ (a\s)?bigger|sc?h[l1][o0]ng|love\ muscle|\b(bigger|harder|larger|thicker|your)\ (?-i)(PE)\b|giant\ bulge|your\ small\ (di.?k|stick)|your\ little\s",Subject,contains,"thicker shaft"
[enabled],"Male Enhancement [B]","Male Enhancement",16711680,OR,Delete,Automatic,Body,containsRE,"(?-i)P.n.ss?\ En[lI1]argement",Body,contains,"Enlargement Patch",Body,contains," PE ",Body,contains,peniss,Body,contains,patchess,Body,contains,"male enhancement",Body,containsRE,"(enlarge|enhance|increase)\ (and\ thicken\s)?your\ (tool|manhood|p.n.ss?)|your\ tool\ ",Body,containsRE,"(?-i)VPXL|MaxDic?k|Maxgain|POWER\ Gain\+|Advanced\ Gain\ Pro|AGP\ [Pp]ills",Body,contains,"penis size",Body,contains," Penis "
[enabled],"Pharmaceutical Spam [S]",Pharmaceutical,16711680,OR,Delete,Automatic,Subject,contains,"RE: MedHelp ",Subject,containsRE,Pharmaceutical|Pharmacy|pharmas|apothecary|(?-i)RX,Subject,containsRE,(no)?presc(ription)?,Subject,containsRE,"\bPhar|P.?ha.{0,2}rmacy\b",Subject,containsRE,medic(al|ations?|ines?)|\bmedds|medzz?\b|(order|purchase|your)\smeds|drugstore,Subject,containsRE,PH.*[A@(/\)]RM[A@(/\)],Subject,containsRE,"health supersite",Subject,containsRE,"^discreet\ (delivery|packing|shipping)",Subject,containsRE,"save\ \d\d%\ on\ your\ (medic|meds|pharma|pills)|\d\d%\sdiscount\.\sCode\s#[a-z0-9]{4,8}",Subject,contains,"Enhance your life with these products"
[enabled],"Herbal Spam","Herbal Spam",16711680,OR,Delete,Automatic,Subject,contains,"Be full of energy and fill your partner with it",Subject,is,"Amazing New Products launch!",Subject,contains,"U on board",Subject,contains,"Now it is possible to have sex more than 10 times a day",Subject,containsRE,"insatiable\ chick|egiteat|herba[l1]|Manster|Mega\s?(Dik|size)|E?Xtra\s?size|sexual\ (life|marathon|partners?|preparations?|side)",Subject,contains,"Instead of our old formula, the new one is more concentrated",Body,containsRE,"(Choose|Elite|Express)\ Herbal|(?-i)Express\ Newsletter|(herba[l1]|natura[l1])\ (breakthrough|formulations|pill|products|science|supplement|therapy)|Extra-Time|(male|Men's)\ Supplement|natural\ (herbs|ingredients)|organic\ drugs",Body,contains,"i am so much more confident with the women",Body,contains,"you really can make it big",Body,containsRE,"\bhttp://.+greeting.*This\ product\ is\ amazing!?$",Body,containsRE,EGADIK|E?xtrasize|Mega\W?Dic?k|M.?a.?n.?S.?t.?e.?r
[enabled],"Breast Enlargement Pills",Breasts,16711680,OR,Delete,Automatic,Subject,contains,breasts,Subject,contains,"breast enh",Body,contains,SizeUp,Body,contains,ratedjay.com,Body,contains,breasts,Body,contains,"breast enh"
[enabled],"Watches Spam",Watches,16711680,OR,Delete,Automatic,From,containsRE,R[o0]lexx?,Subject,is,Luxury,Subject,contains,//atches,Subject,contains,\/\/ATCHES,Subject,containsRE,"Submariner\ SS|(replica|Rolex|swiss|vip)\ watches|w\.a\.t\.c\.h\.e\.s|\ba\ watch\b",Subject,containsRE,"\b(R[0olex\.]{8,}|Rolex|r,?eplicas?|r\.{1,3}e\.{1,3}p\.{1,3}.l\.{1,3}i\.{1,3}c\.{1,3}a\.{1,3}|watches|chronometers|timepieces?|time\ control)\b",Body,contains,"luxury replica",Body,contains,"We only sell premium watches.",Body,contains,"exact copies of the original watches",Body,contains,"Detailed replicas of best chronometers by the best brands",Body,contains,"put one of these on your xmas list, you will fall in love with them all",Body,containsRE,"Rolex|Rollie|replicas?|Submariner\ SS|watches|//atches|chronometers?|timepieces?|flashy\ bling|expensive\ watch|fashion\ pieces"
[enabled],"Phishing Scam","Phishing Scam",16711680,OR,Delete,Subject,contains,"Unauthorized Activity",Subject,contains,"Online Banking Verification Process",Subject,contains,"Please visit our Client Verification Form using the link below",Subject,contains,"Better Business Bureaus, ",Body,contains,>>></,Body,contains,/OSL.htm?LOB=,Body,contains,/OSL.htm?LOGIN=,Body,contains,"Attention Better Business Bureaus Consumers!",Body,contains,"Read more about installation of SSL Certificate",Body,contains,>></A><BR>,Body,contains,"failure to confirm your records may result in account ",Body,containsRE,:8080/www\.capitalone\.com/
[enabled],"Viagra Spam [B]","Viagra Spam",16711680,OR,Delete,Automatic,Body,contains,Viagra!,Body,contains,VIAGQRA,Body,contains,"Best Price for VIAGRA",Body,containsRE,"\b(Erectifix|erectile\ dysfunction|(?-i)anti-ED|(?-i)cure\ ED|(im)?potence)\b",Body,contains,"Taste the V",Body,contains,"V-letter remedy",Body,containsRE,blue.?pill?|SoftTabs,Body,containsRE,\b(?-i)Vi*a*g*r*a\b,Body,containsRE,"(?-i)Vi?<span\ style=""FONT-SIZE:\ 2px;\ FLOAT:\ right;\ COLOR:\ white"">",Body,containsRE,(V|\\/)[l1i|!](a|/\\)g.*(a|/\\)|viiagra|Vagria|Vgaira|Pfizer,Body,containsRE,"(Buy|order|original|with)\ .*Viagra",Body,containsRE,"Viagra\s{1,3}tabs|Viagra.+\$\d",Body,containsRE,"<a\ href=.+>.*viagra.*</a>",Body,containsRE,"make\ (luv|love)\ all\ night|endless\ climaxes|your\ xxx\ drive|sexual\ health|\bmale problems?\b"
[enabled],"Cialis or Levitra","Cialis or Levitra",16711680,OR,Delete,Automatic,Subject,containsRE,"C[I|i|1|y].?[A|@].?L[i|1]{1,2}.?[S$]|(?-i)Ca[iy]lis|(?-i)Cy[al][al]is",Subject,containsRE,L[E|3].?V.?[I|1|Y]T(R[A|@]|AR),Subject,contains,"DOCT0R & FDA ",Subject,contains,"C1A.LIS & LEV.1TRA",Subject,contains,Cialis,Body,containsRE,C\\Ialis|C1A.LIS|tadalafil,Body,containsRE,"C[Il|1](A|@|/\\)[Ll|I1][I|1|/].?[S$]|^ci.{0,2}a.?lis\b",Body,containsRE,C\s(/|1|I)\sA\s(L|I|1)\s(/|I|1)\s(S|\$),Body,contains,LEV.1TRA,Body,contains,levitra
[enabled],"Vertical Text Viagra and Cialis","Viagra Spam",16711680,AND,Delete,Automatic,Body,containsRE,"^(?-i)(DIV|P):first-letter\ \{.+FONT-SIZE:\s\d{3}%",Body,containsRE,"(?-i)(<(DIV|P)\ class=3D[a-z]+>[VC][a-z]+[,;\.]?</(DIV|P)>\r\n)",Body,containsRE,"(?-i)(<(DIV|P)\ class=3D[a-z]+>I[a-z]+[,;\.]?</(DIV|P)>\r\n)",Body,containsRE,"(?-i)(<(DIV|P)\ class=3D[a-z]+>A[a-z]+[,;\.]?</(DIV|P)>\r\n)",Body,containsRE,"(?-i)(<(DIV|P)\ class=3D[a-z]+>[GL][a-z]+[,;\.]?</(DIV|P)>\r\n)",Body,containsRE,"(?-i)(<(DIV|P)\ class=3D[a-z]+>[RI][a-z]+[,;\.]?</(DIV|P)>\r\n)",Body,containsRE,"(?-i)(<(DIV|P)\ class=3D[a-z]+>[AS][a-z]+[,;\.]?</(DIV|P)>(</A></TD>)?\r\n)"
[enabled],"Pharmaceutical Spam [B]",Pharmaceutical,16711680,OR,Delete,Automatic,Body,containsRE,"(Offshore|Online)\ (Chemists|Health|Pharmacy|p\.h\.a\.r\.m\.a\.c\.y)|Health\ Products\ Supersite",Body,containsRE,/\?said=[a-z]\d\d,Body,containsRE,"\bPharmac(y|euticals?)|Pharm@cy|meds|generic\ (analogs|me(d)?(i)?(s)?)\b",Body,containsRE,"No\ prescription\ required|prescription\ (bills|prices)|prescription\ .*not\ required|prescriptions|Prescripitons",Body,containsRE,"\bWe\ don.?t\ advertise,\ we\ advise\b",Body,containsRE,"Doctor\ Approved|No\ Health\ practitioner|your\ health",Body,containsRE,"\bpharma.*\ (pills|products)\b",Body,containsRE,"licensed\ medicines|medicinal|medications?",Body,containsRE,"(online|popular)\ (medical|drug)\ (store)?|(buy|get)\ (your\ )?drugs|Your\ medicati|our\ chemists|dr/\\gs(tore)?",Body,containsRE,"(?-i)(Ph|Ca)<span\ style=""FONT-SIZE:\ 2px;\ FLOAT:\ right;\ COLOR:\ white"">",Body,containsRE,\b(me<style>\s.+\s</style>ds)\b,Body,containsRE,"""http://(www\.)?(prescription|drug).+\.c(om|n)/?"">"
[enabled],"Controlled Drugs",Pharmaceutical,16711680,OR,Delete,Subject,containsRE,(?-i)\bSoma\b,Body,contains,"Soma "
[enabled],"Pills Spam","Pills Spam",16711680,OR,Delete,TakesPrecedence,Subject,contains,P|\\S,Subject,contains,pills,Subject,containsRE,"BE$T|PILL.?S|Plills|p[i1l|!][1l|!]{2,3}s|pill\ that\ (.*)?works",Subject,contains,MEDS,Subject,contains,generic,Body,containsRE,generics|pillz|\bmeds\b,Body,contains,"these pills ",Body,containsRE,"\b(buy|cheap|herbal|wonder)\ (drugs|pills|remed(y|ies)|solutions?)\b|pills\ at\ (dirt\s|the\s)?cheap(est)?\ prices?|medicines|your\ prescriptions|(?-i)MaxGentleman",Body,containsRE,^http://.*pills.*\.com,Body,containsRE,"^<a\ href=(3D)?""http://.*pharmacy.*\.com"">"
[enabled],"HGH Spam","HGH Spam",16711680,OR,Delete,Automatic,Body,contains,"HGH ",Body,contains,Regenisis,Body,containsRE,H\s{2}G\s{2}H,Body,contains,"Rediscover your youth with ",Body,contains,"Who wouldn't want to feel younger and stronger?",Body,contains,"The Fountain of Youth today!",Body,contains,"Tighten and Increase skin vitality",Subject,contains,"Experience the feeling of youth again",Body,contains,"Feel young again today!"
[enabled],"Casino Spam","Casino Spam",16711680,OR,Delete,Automatic,Subject,contains,"YOU play we PAY",Subject,contains,"Sign up & collect $500!",Subject,containsRE,"\b(Cas[i1]n[o0]|club\s?world|No\ Deposit\ Required|Gambling|online\ games|roulette|black.?jack|craps|poker|slot\ machines|video\ slots?|win\ money)\b",From,containsRE,(?-i)Gambl(e|ing)|Casino|Casnio|Cazino,Body,contains,"Sign up & collect $500!",Body,containsRE,"Games\ Online|Online\ Gam(es|ing|bling)|Gâmëss?",Body,containsRE,"(Big\ Dollars?|Free|Golden\ Gate|online|no\ deposit|the)\ Casino",Body,containsRE,"\b(poker|jackpot)|poker\ blackjack\ slots\b",Body,containsRE,"Club\s?World|casino\ (games|members)|(Bet|Gamble)\s{1,2}On\s{0,2}(line|credit)|^\s{1,2}Win\s{1,2}\$",Body,containsRE,"Gambling\s{1,2}(chips|credit|from\ home|online)",Body,containsRE,"<a\ href=(3d)?""http://.*casino.+"">.*Casino|Click\ Here</A>"
[enabled],"Nigerian 419 Scams","419 Scam",16711680,OR,Blacklist,Delete,Subject,is,"Dear Friend",Subject,is,"URGENT AND CONFIDENTIAL",Subject,containsRE,"(?-i)(CONFIDENTIAL\s)?(MUTUAL\s)?BUSINESS\ PROPOSAL|UNITEDN\ NATION|CONTACT\ ATM\ DEPARTMENT|Director,\ United\ Nations",Subject,containsRE,"(?-i)^CONTACT\ .+\ (COURIER\ COMPANY|ATM\ DEPARTMENT)",Subject,containsRE,"(?-i)TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)|(EMINENTLY|STRICTLY|URGENTLY)\ CONFIDENTIAL",Body,containsRE,"^(?-i)\*?Dear\ (Sir/Madam|Friend),\*?(<br>)?$",Body,contains,"URGENT AND CONFIDENTIAL",Body,containsRE,"Bank\ of\ (Nigeria|Benin|(South\s)?Africa)|Benin\ Republic|Republic\ of\ Benin|Director,\ United\ Nations|REPUBLIC\ OF\ NIGERIA",Body,containsRE,"unclaimed\ (benefits|funds)",Body,contains,"contacting you based on Trust",Body,containsRE,"(Kind\s)?Attn:\s?Beneficiary|^(Hello\s)?(MY\s)?(DEAR\s)?(GOOD\s)?FRIEND[,.]|^Atte?n:Dear\ Friend,|^(Attn,\s)?My Dear\ (Beloved|Friend)[,.]$|^ATTENTION\s?:\s?BENEFICIARY.?$|(?-i)<STRONG>Kind\ Attn:\s?</STRONG>|(?-i)<STRONG>Beneficiary|BENEFICIARY,",Body,containsRE,"demurrage|dumourage|Clearance\ Certificate\ (\r\n)?Fee|keeping\ fees|(?-i)IMMEDIATE\ RELEASE\ OF\ YOUR\ PAYMENT|(I\ am|My\ name\ is)\ Barrister"
[enabled],"Lottery Scam","Lottery Scam",16711680,OR,Blacklist,Delete,Automatic,Subject,containsRE,"^WINNING\ (Notification|NUMBER:)",Subject,contains,"Microsoft Lottery",Subject,contains,"GO FOR CLAIM VERIFICATION FORM",From,contains,LOTTERY,From,contains,"Department of National Lotteries",Body,contains,"Attn: Lucky Winner",Body,contains,"ATTENTION: DEAR WINNER",Body,contains,"YOUR E-MAIL ADDRESS WON ",Body,contains,"please contact your fudiciary agent",Body,contains,"International Program Online Co-ordinator",Body,containsRE,"(?-i)WINNING\ NUMBER:|LOTTERY|RE:\ LOTTO|Lottery\ Coordinator",Body,containsRE,"(jackpot|International|Microsoft|National)\ Lottery|fiduciary|The\ Kings\ Charity|weekly\ sweepstakes",Body,containsRE,"You\ are\ advised\ to\ keep\ this\ winning\ (.+\s)?confidential"
[enabled],"Money Transfer Scam","$ Xfer Scam",16711680,OR,Delete,Automatic,Subject,contains,"TRANSFER ASSISTANCE",Subject,contains,"SWIFT CREDIT CARD",Body,contains,"SWIFT CREDIT CARD",Body,contains,AWARD/INHERITANCE/CONTRACT,Body,contains,"Promptitude in sending the payment",Body,contains,"We redirect the client's payment to you",Body,contains,"after you'll keep our(and yours) earnings, ",Body,contains,"it is your obligation to transfer the rest",Body,contains,"Basic knowledge in Acconting and payment transactions.",Body,containsRE,"^My\ dear\ friend,$|Dear\ good\ friend\s?,|modalities|money\ transfer\ system|I\ will\ give\ you\ \d\d%\ for\ your\ kind\ assistance to me",Body,contains,CONTRACT/INHERITANCE
[enabled],"Job Scams","Job Scams",16711680,OR,Delete,Automatic,Subject,containsRE,"(jobs|work)\ (at|from)\ home",Subject,containsRE,"(earn|Make)\ Money\ (at|From)\ (Your\s)?Home",Body,contains,"looking for representatives in the US",Body,contains,"Our company is looking for new business partners in United States.",Body,contains,lvelectronic,Body,contains,"I`m president of LV Electroni",Body,contains,"If you are interested in our proposition, contact us by e-mail:"
[enabled],"Money Mule Scam","Money Mule",16711680,OR,Delete,Subject,containsRE,"Update\ on\ available\ .+positions",Body,contains,"EMPLOYER SNAPSHOT",Body,contains,"VACANCY CODE: "
[enabled],"Weight Loss Drugs","Weight Loss Drugs",16711680,OR,Delete,Automatic,Subject,containsRE,"Loo?s(e|ing)\ (your\ )?(pounds|weight)",Subject,contains,"weight loss",Subject,containsRE,Hoodia|Gordonii|Anatrim,Body,containsRE,Hoodia|Gordonii|Fatblaster|anatrim,Subject,contains,"Are you satisfied with the size of your ",Body,containsRE,"herbal\ (capsules|components)",Body,contains,"lose weight",Body,contains,"Amazing weight loss ",Body,contains,"your weight."
[enabled],"Quit Smoking Spam","Quit Smoking",16711680,OR,Delete,Automatic,Subject,contains,"Live longer life without cigarettes",Subject,contains,"quit smoking",Subject,contains,"Stop Smoking ",Body,contains,"Break free from Nicotine",Body,contains,"break the nasty habit",Body,contains,LIVEFREE,Body,contains,"quit smoking once and for all.",Body,containsRE,"(quit|stop)\ smoking\."
[enabled],"Counterfeit Goods","Counterfeit Goods",16711680,OR,Delete,Automatic,Subject,containsRE,designer\s(brands|footwear|shoes),Subject,containsRE,\b(gucci|prada|chanel|chloe|dior|(?-i)UGG)\b,Subject,contains,repl!c@,Subject,containsRE,Cartier|Gucci|Versace,Subject,containsRE,(?-i)SHOES,Subject,contains,"luxury footwear",Subject,containsRE,"Branded\ (footwear|shoes)",Subject,contains,"Clad your feet",Body,contains,"~ Gucci",From,contains,Gucci
[enabled],"Get Laid Spam","Get Laid Spam",16711680,OR,Hidden,Delete,Automatic,Body,contains,"Best of all: it is free...",Body,contains," get laid",Body,contains,"% of members have already gotten laid using our system!",Body,contains,"Are you interested in hooking up with people who live just minutes from you?",Body,contains,"Are you interested in getting laid with locals?",Body,contains,"We have the power to make this happen!",Body,containsRE,fuck.?(buddy|friend),Body,containsRE,"<a\ href=""http://www\.(geocities\.com/.+|.+\.cn)"">.*(It's\ all\ here|Here\ it\ is|Check\ it\!)(\!)?</a>",Body,contains,"want more sex"
[enabled],"Dating Spam","Dating Spam",16711680,OR,Hidden,Delete,Automatic,Subject,containsRE,\bdating\b|single.?ladies,Body,contains,"Greetings! I wish to get acquainted with you",Body,contains,flirting,Body,containsRE,"\bdating\ system\b|dating!",Body,containsRE,"\d\d%\ of\ our\ members\ .*hooked\ up\ (using|with)\ our\ .*system",Body,contains,"I read your profile online and I was int",Body,contains,"Please write me a letter here http://",Body,contains,"Do you like beautiful girls?",Body,contains,"good looking girl who is looking to chat with you",Body,contains,"looking for a nice guy to chat with",Body,containsRE,"i\ (found|loved|was\ just\ reading)\ your\ profile|and\ i\ would\ (like|love)\ to\ get\s"
[enabled],"The Bat Image Spam","The Bat Image Spam",16711680,AND,Delete,Automatic,EntireHeader,contains,"X-Mailer: The Bat!",Body,containsRE,"^(?-i)<BODY>\r\n^<img\ src=3D""cid:[a-z0-9@$]+"">\r\n^<P><SMALL>.+</SMALL></P></BODY></HTML>",Body,contains,"Content-Type: image/gif;"
[enabled],"Re [digits] Spammer","Re [digits]",16711680,AND,Hidden,Delete,Automatic,Subject,containsRE,^re.?,Subject,containsRE,"\[\d{1,3}\]:?"
[enabled],"Re: or FW: Spam","Re: or Fw:",16711680,OR,Hidden,Delete,Subject,is,Re:,Subject,is,Fw:
[enabled],"Loans Spam",Loans/Bankrupcy,16711680,OR,Delete,Automatic,Body,contains,"Bad credit",Body,contains,Bankruptcy,Body,containsRE,"low(est)?\ rate(s)?|payday\ (loan|advance)|(Equity|short-term)\ loan|debt",Body,contains,"fixed low rate",Body,contains,"You have been pre-approved",Subject,containsRE,"consolidat(e|ion)|debt|lenders|loan|mortgage|refinan?c(e|ing|ment)|Your\ Life\ Insurance",Body,containsRE,"^C[o0]ngra[dt]ulati[o0]ns.*you('ll|\scan)\ get\ (.*\ )?\$""?\d\d\d.+""?\ loan\ for\ ",Body,contains,"Refinance ",Body,contains,loans,Body,contains,"Are your premiums payments too high"
[enabled],"HTML Spam Tricks","HTML Tricks",16711680,OR,Delete,Automatic,Subject,containsRE,.*\$.*\$|.*@.*@|(?-i)\$REPSBJ,Body,contains,=2Ecom/,Body,containsRE,(?-i)\$REP(BODY|LINK),Body,containsRE,"font\ size=""?0""?",Body,containsRE,"((<![\w\s,\.\-]+>)([\w\s,\.\-]){1,10}){3,}",Body,containsRE,((&#0*(3[3-9]|[4-9]\d|1[01]\d|12[0-6]);).*?){6},Body,containsRE,"(/[a-z0-9]/[a-z0-9]){5,}",Body,contains,<iframe,Body,contains,<br><br><br><br><br><br><br><br>,Body,containsRE,<\![^-D],Body,contains,&#85;&#00110;&#000115;&#00117;&#98;&#115;&#0099;&#000114;&#00105;&#098;&#101;,Body,contains,"<span style=""FONT-SIZE: 2px; FLOAT: right; COLOR: white"">",Body,contains,"<span style=3D""FONT-SIZE: 2px; FLO",Body,containsRE,"<td\ colspan=(3D)?""\d{1,3}""\ bgcolor=(3D)?""#FFFFFF""></td><td\ colspan=(3D)?""\d{1,3}""\ bgcolor=(3D)?""#[a-z0-9]{6}"">"
[enabled],"Ebay Phishing Scams","Ebay Phishing Scam",16711680,AND,Delete,EntireHeader,doesn'tContainRE,"^Received:\ from\ .+\..+ebay\.com\ .+\ helo=.+\.ebay\.com",Subject,contains,eBay,Body,containsRE,"^Dear\ eBay\ (Customer|Member),",Body,contains,"eBay Confirmation Request"
[enabled],"PayPal Scams #1","PayPal Scam #1",16711680,AND,Delete,TakesPrecedence,EntireHeader,doesn'tContainRE,"^Received:\ from\ [a-z0-9.-]+\.paypal\.com\s",From,containsRE,.+@(intl\.)?paypal(-us)?.com
[enabled],"PayPal Scams #2","PayPal Scam #2",16711680,AND,Delete,TakesPrecedence,Body,containsRE,"^Dear\ PayPal\ (User|Member|Customer)",EntireHeader,doesn'tContain,nix.paypal.com
[enabled],"Diploma Spam","Diploma Spam",16711680,OR,Delete,Automatic,Subject,containsRE,(\b(diplomas?|dip1omas?|DIMPLOMAS?|Degree)\b)|(?-i)Bacheelor|Masteer|MBA/|Doctoraate,Body,containsRE,"^No\ (classes|Exams|Pre-School)",Body,contains,"your Graduation is a phone call away",Body,contains,"UNIVERSITY DIPLOMA",Body,containsRE,"Diiploma|DIMPLOMA|(?-i)D\ I\ P\ L\ O\ M\ A\sS?",Body,contains,"Obtain the_degree you deserve",Body,containsRE,"^(For US:\s)?1[-,'\.\*\s\~](206|267|305|501|781|832)[-,'\.\*\s\~]\d{3}[-,'\.\*\s\~]\d{4}|Call\ Today|call(ing)?\ this\ number:",Body,containsRE,"your\ (degree|diploma)|No\ Pre-School",Body,containsRE,"(?-i)([dD]iplomas|Bachelors,?|Masters,?|Doctoral|PhD's)",Body,contains,non-accredited
[enabled],"Russian Sender","Russian Sender",16711680,OR,Delete,Automatic,EntireHeader,containsRE,"^Received:\ from\ .*85\.140\.\d{1,3}\.\d{1,3}",EntireHeader,containsRE,"^Received:\ from\ .*80\.85\.1([7][6-9]|[8[0-9]|9[01])\.\d{1,3}(\]\))?",EntireHeader,contains,"charset=""koi8-r"";",EntireHeader,contains,"Subject: =?koi8-r",Body,contains,charset=3Dkoi8-r
[enabled],"Hitman Scam","Hitman Scam",16711680,AND,Blacklist,Delete,Automatic,Subject,contains,"BE MORE CAREFUL",From,contains,"BE MORE CAREFUL"
[enabled],Pornography,Porn,16711680,OR,Delete,Automatic,Subject,containsRE,"((wet\ )?puss(ies|y))|nympho|porno?s?\b|Live\ Girls|\bP[\.,']?0RN[0O]?\b",Body,contains,nymphos,From,contains,"webcam ",Body,contains,"Porniest Home Videos",Body,contains,P.0RN,Body,contains,PORN,Body,contains," XXX "
[enabled],"Malformed Link Spam","Malformed Link",16711680,AND,Delete,Body,containsRE,"^\s?http://.+\ \.\ (com|cn|info|org|net|ru)/?$"
[enabled],"Google Phishing Scam","Google Phishing Scam",16711680,AND,Delete,TakesPrecedence,Automatic,Subject,contains,Please,From,contains,Google-AdWords,EntireHeader,doesn'tContainRE,"Received:\ from\ [a-z0-9-\.]+\.google\.com",Body,contains,"Dear Advertiser,"
[enabled],"Google Redirect Exploit","Google Redirect Exploit",255,AND,Delete,Automatic,Body,contains,"href=3D""http://www.google.com/pagead/iclk?",Body,contains,durl=3Dhttp://
[enabled],"Underscore/Dash Sender","_- Sender",16711680,OR,Delete,EntireHeader,containsRE,"(envelope-from\ <-[a-z0-9]+@.+\..+>)",From,containsRE,".*<_[a-z1-9-]+@.+\.\w{2,3}>$"
[enabled],"Zip attachment","Zip, Rar, Gz Attachment",255,AND,TakesPrecedence,Body,containsRE,"^Content-disposition:\ attachment;$|^Content-Type:\ application/zip;$",Body,containsRE,"(^\s?filename|\tname)="".+\.(zip|rar|t?gz)"""
[enabled],"Thunderbird 2-Line Spam","Thunderbird Spam",16711680,AND,Delete,Automatic,EntireHeader,contains,"User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)",EntireHeader,contains,"MIME-Version: 1.0",Body,contains,"Content-Transfer-Encoding: 7bit",Body,containsRE,"^[a-z,'!\.\s-]+\r\n^http://[a-z]+\.(com|net)\s<(http://[a-z]+\.(com|net)|(?-i)(GoTo|Info)\.\.\.)>\r\n\r\n-+0"
[enabled],"Known X-Mailer Spam","Known X-Mailer Spam",16711680,OR,Delete,EntireHeader,contains,"X-Mailer: Apple Mail (2.924)",EntireHeader,contains,"X-Mailer: The Bat! ",EntireHeader,contains,"X-Mailer: Mediacomm Communicator ",EntireHeader,contains,"X-Mailer: xinnet.com webmail 1.0",EntireHeader,contains,"X-Mailer: Openwave WebEngine",EntireHeader,contains,"X-Mailer: iPlanet Messenger Express"
[enabled],"Known User-Agent Spam","Known User-Agent Spam",16711680,OR,Delete,EntireHeader,contains,"User-Agent: SquirrelMail/1.4.12",EntireHeader,contains,"User-Agent: Rodriquezmail v9.8",EntireHeader,contains,"User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)",EntireHeader,contains,"User-Agent: Opera Mail/9.50 (Win32)",EntireHeader,contains,"User-Agent: Microsoft-Entourage/12.1.0.080305"
[enabled],"Base 64 Encoded Body","Base 64 Encoded",16711680,AND,Delete,Body,contains,"Content-Transfer-Encoding: base64",Body,doesn'tContain,"Content-Type: image/",Body,doesn'tContainRE,"^Content-Disposition:\ (inline|attachment);",Body,contains,"Content-Type: text/plain;"
[enabled],"1 Word Subject","1 Word Subject",16711680,OR,Delete,Subject,containsRE,"^[a-z'""\|\{\}\[\]]{7,8}$",Subject,containsRE,"^\d{7,8}$"
[enabled],"Subject All Caps","Subject All Caps",33023,AND,Delete,Subject,doesn'tContainRE,(?-i)[a-z],Subject,containsRE,.
[enabled],"No Subject","No Subject",16711680,AND,Delete,Subject,doesn'tContainRE,.
[enabled],"Flash Link Spam","Flash Link Spam",16711680,AND,Delete,Body,containsRE,http://.+/.+\.swf
[enabled],"Geocities Link","Geocities Link",16711680,AND,Delete,Body,contains,http://www.geocities.com/
[enabled],"Worm - Double Extension Attachment","WORM >Double Extension!!",255,AND,Delete,TakesPrecedence,noreport,Body,contains,"Content-disposition: attachment; filename=",Body,containsRE,"(file)?name="".+\.(gif|jpg)\.(scr|pif|exe|cmd|com)"""
[enabled],"Dangerous Attachment Extension","Dangerous Attachment Extension!",255,AND,Delete,TakesPrecedence,noreport,Body,contains,"Content-disposition: attachment;",Body,containsRE,"^\s?filename="".+\.(pif|scr|hta|cmd|bat|vbs|com|cpl|hlp)"""
[enabled],"Exe Attachment",".exe attachment",255,AND,TakesPrecedence,noreport,Body,contains,"Content-disposition:\ attachment;",Body,containsRE,"^\s?filename="".+\.exe"""
[enabled],".info sender",".info sender",16711680,AND,Delete,From,containsRE,.+@.+\.info
[enabled],"Software Spam","Software Spam",16711680,OR,Delete,Subject,is,Software,Subject,containsRE,"\$oftware|software\ price\$",Subject,containsRE,"(best|cheap(est)?|downloadable|oem|office|quality).*s[o0]ft(wares?)?|Soft(ware)?\ in\ many\ languages|software\ at\ (amazingly|surprisingly)\ low\ prices|perfectly\ working\ software|software\ immediately\ after\ purchase|ado6e|Vista\ Microsoft\ SP1\ and\ XP\ Cracked|Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(?-i)(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]",Body,contains,"Click this link and download most popular software",Body,contains,"Click this link and downloaded newest software",Body,contains,"you can download them right after pur",Body,contains,"The best software products at the best prices.",Body,containsRE,"European\ languages|Fully\ localized\ versions",Body,containsRE,"^Retail Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}\r\n^Our Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}",Body,containsRE,"Operational\ systems|newsoft|softwares|Cheap.*soft(ware)?|oem\ssoftware|software\ (you\s)?needs?",Body,containsRE,"SSoftwarr?e|down.?lo.?ad(d?able)?\ (legal\ )?s?so.?ft(ware)?|(Best|cheapest|lowest)\ software\ prices",Body,containsRE,http://.*software.*\.(com|cn|net|org|php|html?),Body,containsRE,^(type|vis[il]t)\s'?.+soft.*\s\.\scom'?\sin\syour\s.nternet\sExplorer,Body,containsRE,"(?-i)Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]"
[enabled],"Fake Domain Renewals","Fake Domain Renewals",16711680,AND,Delete,Automatic,From,contains,"eNom Support Team",Body,containsRE,http://www\.enom\.com\..+.ru
[enabled],"Known Spam Domains","Known Spam Domains",255,OR,Delete,Automatic,Body,contains,.freehyperspace2.com,EntireHeader,containsRE,\.server4you\.de|staticip\.rima-tde\.net|emaillove\.net,EntireHeader,contains,.ono.com,EntireHeader,contains,".es ",EntireHeader,contains,Taipei,EntireHeader,contains,Ö,EntireHeader,contains,"Received: from %RND_IP",EntireHeader,contains,@rocketmail.com,Body,containsRE,http://(www\.)?(.+\.cn|.+\.chat\.ru|pages\.suddenlink\.net/|heartremember\.com|highoptimism\.com|spamsoft)
[enabled],"Consecutive digits or consonants",digits-consnts,16711680,OR,Hidden,Delete,Subject,containsRE,"^[bcdfghjklmnpqrstvwxz0-9]{5,}"
[enabled],"Blocked Countries","Blocked Country",16711680,OR,Delete,EntireHeader,containsRE,"^Received:\ from\ .+\.(ar|br|cn|co|jp|kr|ma|my|ng|pl|ro|ru|th|tr|vn|hinet\.net|ukrtel\.net)\b\s?"
[enabled],Spain,Spain,16711680,OR,Delete,EntireHeader,containsRE,"Received:\ from\ .*\[84\.12[0-3]\.\d{1,3}\.\d{1,3}\]",EntireHeader,contains,".ono.com "
[enabled],Turkey,Turkey,16711680,OR,Delete,EntireHeader,containsRE,"^Received:\ from\ (\[(85.10[56]\.\d{1,3}\.\d{1,3}|88\.234\..+\..+|194\.27\.\d{1,3}\.\d{1,3}|195.175\.\d{1,3}\.\d{1,3})\])|.+\.tr\)",EntireHeader,containsRE,"88\.255\.\d{1,3}\.\d{1,3}"
[enabled],"Hong Kong Spam","Hong Kong Spam",16711680,OR,Delete,Automatic,Body,containsRE,^http://.+\.hk/\?.+
[enabled],"APNIC (Asia-Pacific)",APNIC,16711808,OR,Delete,EntireHeader,containsRE,"^Received: from [^[]*?\[(6[01]|20[23]|21[01]|21[89]|22[0-2])(\.[1-2]?\d?\d?){3}\]",EntireHeader,containsRE,"^Received: from [^[]*?\[(\[58|\[59]|6[01]|20[23]|21[01]|21[89]|22[0-2])(\.[1-2]?\d?\d?){3}\]",EntireHeader,contains,"SE Asia Standard Time"
[enabled],"RIPE (Europe)",RIPE,16711808,AND,Delete,EntireHeader,containsRE,"^Received: from [^[]*?\[(62|8[0-2]|19[345]|21[237])(\.[1-2]?\d?\d?){3}\]"
[enabled],"LACNIC (Latin America)",LACNIC,16711808,OR,Delete,EntireHeader,containsRE,"^Received: from [^[]*?\[20[01](\.[1-2]?\d?\d?){3}\]",EntireHeader,containsRE,(\.fibertel\.com\.ar|\.cable\.net\.co)\b
[enabled],"Yahoo Calendar Invite Spam",filtered,16711680,AND,Delete,EntireHeader,contains,"X-Yahoo-Newman-Property: calendar-invite",EntireHeader,contains,X-Yahoo-Calendar-Iid:
[enabled],"Yahoo Search Spam","Search Engine Spam",16711680,AND,Delete,CC,contains,@yahoo.com,Body,contains,http://www.yahoo.com/////////////////////////////,Body,contains,"<td valign=""top"" style=""font: inherit;"">"
[enabled],"Credit Report Spam","Credit Report Spam",16711680,OR,Blacklist,Delete,From,contains,MemberValueChoice,Subject,contains,"your Credit Report",EntireHeader,containsRE,(rhino|rhbino|rhmino)yellow\.com
[enabled],"Illegal Drugs","Illegal Drugs",16711680,OR,Hidden,Delete,Automatic,Subject,contains,"legal buds",Body,containsRE,"legal\ buds?\ online"
[enabled],"Spam Domains in Header","Spam Domain (H)",16711680,OR,Delete,EntireHeader,containsRE,"^http-x-forwarded-for\ 065\.110\.05[4-5]\.+|sender\@mail1\.unlist\.net|64\.46\.114\.161|\.unlist\.net|codec\.ro|marshall\.cc|matrix\.net|tomparker\@another\-world\.com|mail\.bsbx\.net|bruffner\.com|pretension\.com",EntireHeader,contains,mail2world.com,EntireHeader,contains,dyn.optonline.net,EntireHeader,contains,dsl.brasiltelecom.net.br,EntireHeader,containsRE,^canada\.com$,EntireHeader,containsRE,(prod-infinitum|pongimmediate|vsteals)\.com,EntireHeader,containsRE,(fibertel|freedoomsat)\.com\.ar,EntireHeader,containsRE,"^Received: from (boardermail\.com|bolt\.com|moxmail16|sleepyseed\.com|boardermail\.com|email\.com|eadvertizing|bobolink|hkgolden\.com|1million2006\.com|saurabh\.info|lists\.aikiri\.com)",EntireHeader,containsRE,"Natalee\ Almonte|maintec\.com|Robin\ Keyes|Richard\ K\.\ Lee|ezagenda\.com|thefreesite\.com|hotpop\.com|minnietheminx\.com|malaysia\.net|prod-infinitum\.com|di-ve\.com|playful\.com|mc\.videotron\.ca|mozartmail\.com|adsl\.tele\.dk|routerhoster\.com|mchsi\.com|pollcadot|wise-expectations\.com|westcoastnovelty\.com|authenticinternetpromotions\.com|cliffordwindows\.com|mail4him\.com|bestbidding\.com|KINGCOOLER\.COM\.CN|mixmail\.com|freeoffers4you\.com|hotwireindia\.com|forex\ profits|proper\.com|blackburnmail\.com|andreaeberl\.de|worldnetcams\.com|tvsatbg\.net|online.*bid\.info|hooters"
[enabled],"SiteProtect Ebay Phishing Scam","Phishing Scam",255,AND,Delete,TakesPrecedence,ReturnPath,contains,.siteprotect.com,EntireHeader,contains,siteprotect.com,From,contains,"eBay Gifts"
[enabled],"Screensaver Trojan","Screensaver Trojan",255,OR,Delete,Subject,is,"Life is beautiful",Subject,is,"Life will be better",Subject,is,"Good summer",Subject,is,"help you",Body,contains,"filename=""bsaver.zip""",Body,contains,"cool screensaver in your attachment!",Body,contains,"Wanna more? Welcome to our site"
[enabled],"Stocks spam #1","Stocks spam #1",16711680,OR,Delete,Automatic,Body,containsRE,"^H.?ot\ st.?ock\ ale.?rt",Body,containsRE,"breaking\ mark.?et\ n.?ews",Body,containsRE,"Watc.?h\ this\ sto.?ck\ go\ higher\ and\ higher",Body,containsRE,^((Symbol|Stock)(\s)?:\s){1}([A-Z].?[A-Z].?[A-Z].?),Body,containsRE,"(financial|fina\ ncial|fin\ ancial|fi\ nancial)\sadvice",Body,containsRE,"^Price:?\ \$?\d{0,2}\.\d{2,3}",Body,contains,"within the meaning of Section 27a of the Securities act of 1933",Body,contains,"Information within this email contains ""forward looking",Body,contains,"Expected: This one is going to grow at a rapid rate",Subject,containsRE,"^Read\ this\ before\ .+day"
[enabled],"Stocks spam #2","Stocks spam #2",16711680,OR,Delete,Automatic,Subject,containsRE,"^Trade\ Noti(ce|fication)",Subject,containsRE,"g.?oing\ to\ e.?xplode\ on\ (mon|tues|wednes|thurs|fri)day",Subject,containsRE,invest(or|ment)|Dividends,Body,containsRE,stock.?exchange,Body,containsRE,"^U.?RGENT S.?TOCK A.?LERT",Body,contains,"Big News Expected",Body,contains,"Easy walk in price",Body,contains,"MARKET WIRE",Body,contains,"Opening bell message",Subject,containsRE,"\b(Big\ Market|(Market|Trader)\ Alert)\b"
[enabled],"Stocks Spam #3","Stocks Spam #3",16711680,OR,Delete,Automatic,Body,contains,"This Is Going To Explode!",Body,containsRE,^(target|current).?price,Body,contains,"stock watch notices",Body,contains,"Stock reporting sites",Body,containsRE,^Sym(bol)?.?:\s[A-Z],Body,containsRE,c.?h.?i.?n.?a\s\w,Body,containsRE,"^j?.u.?m.?p\ o.?n\ t.?h.?i.?s\ f.?i.?r.?s.?t\ t.?h.?i.?n.?g\s",Body,containsRE,"^H.?E.?R.?E\ W.?E\ G.?O\ A.?G.?A.?I.?N\!",Body,containsRE,"^T.?i.{1,2}k.{1,2}:\ \w.?\w.?\w.?\w\s?$",Body,containsRE,"^(S|\$).?y.?m.?b.{0,4}\W?:\ \w.?\w.?\w.?\w\s?$"
[enabled],"Stocks Spam #4","Stocks Spam #4",16711680,OR,Hidden,Delete,Body,containsRE,"read\ (up|the)\ (news|release)?",Body,containsRE,"and\ (get\ (all\ over|on))|(move\ on|jump\ on)|(be\ ready\ to)",Body,containsRE,"\bget\ (all\ over|on)\ [A-Z]{4}\ first\ thing\ .+day\b",Body,contains,"Beat the news to the market",Body,containsRE,"^Price\ up\ .{1,4}%",Body,containsRE,"^5.*day\ price: ",Body,contains,"Emergency report. Check",Body,containsRE,"pushed\ share\ prices\ up\ over\ \d{1,3}%",Body,contains,"The Gold Watcher",Body,contains,"is climbing hard. UP"
[enabled],"UPS Phishing Scam","UPS Phishing Scam",16711680,AND,Delete,EntireHeader,doesn'tContainRE,"^Received:\ from\ .+\ups\.com",Body,contains,"postal package",Body,contains," the invoice attached",Body,contains,"Your UPS"
[disabled],"Fake Daily Top 10","Exploit Link",16711680,AND,Delete,Subject,contains,"CNN.com Daily Top 10",From,contains,"Daily Top 10",From,doesn'tContain,cnn.com
[disabled],"Fake CNN Alerts","Exploit Link",16711680,AND,Delete,Automatic,Subject,contains,"CNN Alerts: ",From,doesn'tContain,cnn.com,EntireHeader,doesn'tContainRE,"^Received:\ from\ .+\.cnn\.com\ \(\[64\.236\.31\.[0-9]+\]\)$"
[disabled],"Fake Msnbc Alerts","Exploit Link",16711680,AND,Delete,Automatic,Subject,contains,"msnbc.com - BREAKING NEWS:",From,doesn'tContain,msnbc.com,EntireHeader,doesn'tContain,"Received: from lists.msnbc.com"
[disabled],"Apple Mail Spam","Apple Mail Spam",16711680,AND,Delete,Automatic,EntireHeader,contains,"X-Mailer: Apple Mail (2.924)",Body,containsRE,"^Content-transfer-encoding:\s7BIT\r\n\r\n^[a-z0-9-'""\s\.,\?]+(\r\n)?http://.+\..{2,3}/(.+\.html)?\r\n",Body,containsRE,"<div><a\s(\r\n)?href=""http://.+(/.*)?"">http://.+/.*</a></div></body></html>$"
[disabled],"Opera Mail Spam","Opera Mail Spam",16711680,AND,Delete,Automatic,EntireHeader,containsRE,"^Content-Type: text/plain; format=flowed; delsp=yes; charset=(koi8-r|ISO-8859-1)",EntireHeader,contains,"Content-Transfer-Encoding: 7bit",EntireHeader,contains,"User-Agent: Opera Mail/9.50 (Win32)",Body,containsRE,"^[a-z3-9,’'\.-\s\?]+(\s|\r\n)http://(www\.)?.+\.(c(om|n)|net|org)/",Body,contains,"Using Opera's revolutionary e-mail client: http://www.opera.com/mail/"
[disabled],"SquirrelMail Spam","SquirrelMail Spam",16711680,AND,Delete,EntireHeader,contains,"User-Agent: SquirrelMail/1.4.12"
[disabled],"Thunderbird Spam","Thunderbird Spam",16711680,AND,Delete,EntireHeader,contains,"User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)",EntireHeader,contains,"MIME-Version: 1.0"
[disabled],"X-Mailer: The Bat!","X-Mailer: The Bat!",16711680,OR,Delete,Automatic,EntireHeader,contains,"X-Mailer: The Bat! "
[disabled],"Example filter - Mail sent to ""Undisclosed recipients"" (ie not specifically me)","undisclosed recipients",16711680,AND,Delete,To,contains,undisclosed,To,contains,recipients