# subject used in spam autogenerated from metadata exporter
# 6 or more characters (skipping fwd: re: blank)
#auto
MB_SUBJECT_USED_IN_SPAM {
  type = "header";
  header = "subject";
  regexp = true;
  map = "https://maps.mailbaby.net/dqs/dqs_subject.map";
  score = 2.0;
}

#mailbaby spam phrases
#general spam phrases
#manual
mailbaby_spamphrases_body {
  type = "content";
  filter = "oneline";
  map = "https://maps.mailbaby.net/mailbaby-spamphrases-body.map";
  regexp = true;
  symbol = "MAILBABY_SPAMPHRASES_BODY";
  score 5.0;
  description = "Mailbaby: Spam signs in body";
}

#probable spam / compromised
#manual
PHPSPAM_HEADER {
  type = "content";
  map = "https://maps.mailbaby.net/phpspam_header.map";
  filter = "headers"
  regexp = true;
  symbols_set = ["PHPSPAM_HEADER"];
  score = 8.0;
}

#possible spam / compromise
#manual
PHPGREY_HEADER {
  type = "content";
  map = "https://maps.mailbaby.net/phpgrey_header.map";
  filter = "headers"
  regexp = true;
  symbols_set = ["PHPGREY_HEADER"];
  score = 2.0;
}

#manual
SPAM_WORDS {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/spam_words.map";
  regexp = true;
  score = 0.1;
}

#manual
# some problematic asn's
asn_grey {
  type = "asn";
  map = "https://maps.mailbaby.net/mb_rspamd_int_asn_grey.map";
  score = 2;
  description = "Poor ASN karma";
  symbol = "ASN_GREYLIST";
}

#manually generated higher score subject used in spam
MB_SUBJECT_REGEX {
 type = "header";
 header = "subject";
 regexp = true;
 map = "https://maps.mailbaby.net/subject_block.map";
 score = 10.0;
}

# manually generated lower score subject used in spam
MB_LOW_SUBJ_REG {
 type = "header";
 header = "subject";
 regexp = true;
 score = 4.0;
 map = "https://maps.mailbaby.net/low_subject_block.map";
}

#manual
# bit.ly is being massivly used for spam and others
MB_HIGH_SPAM_URL {
  type = "url";
  regexp = false;
  map = "https://maps.mailbaby.net/mb_high_spam_url.map";
  symbol = "MB_HIGH_SPAM_URL";
  score = 1.0;
  one_shot = true;
}

#manual
# smtp crack emails seem to be more common than I thought
mailbaby_smtpcrack_body {
  type = "content";
  filter = "oneline";
  map = "https://maps.mailbaby.net/mailbaby-smtpcrack-body.map";
  regexp = true;
  symbol = "MAILBABY_SMTPCRACK_BODY";
  score 15.0;
  description = "Mailbaby: password disclosure or crack in body";
}

# manual based on content
PROB_DHL_DELIVERY {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/dhl_delivery.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
#google_forms_phish.map
PROB_GOOGLE_FORM_PHISH {
type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/google_forms_phish.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
#google_forms_phish.map
PROB_FAKE_EMAIL_SPAMBOX {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/fake_email_spambox.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
#google_forms_phish.map
PROB_DOMAIN_FOR_SALE {
  type = "content";
  filter = "text";
  map = "https://maps.mailbaby.net/contentfiltering/domain_for_sale.map";
  regexp = true;
  score = 0.5;
  # If you want to match all possible regexps/globs in that list, not a single one, then you need to define multi flag for that map:
  multi = true;
}

#manual
# lots of spam with search engine queries
CONTAINS_SEARCH_ENGINE_DIRECT_LINK {
  type = "content";
  map = "https://maps.mailbaby.net/contentfiltering/contains_search_engine_link.map";
  filter = "text"
  regexp = true;
  symbols_set = ["CONTAINS_SEARCH_ENGINE_DIRECT_LINK"];
  score = 2.0;
}

# auto updated
# attachment hashes which appear many spam reports
  MAILBABY_CH_ATTACHMENT_DIGEST_IN_SPAM {
  type = "selector";
  selector = "attachments(hex).substring(1, 16)";
  map = "https://maps.mailbaby.net/ch/attachment.map";
  score = 5.0;
}

#auto
# content digest used in spam
MAILBABY_CH_CONTENT_DIGEST_IN_SPAM {
  type = "selector";
  selector = "digest";
  map = "https://maps.mailbaby.net/ch/digest.map";
  score = 5.0;
}

#auto
# short url abuse in spam
CH_SHORTURL_ABUSE {
  type = "url";
  filter = "full";
  map = "https://maps.mailbaby.net/ch/ch_shorturl.map";
  score = 10.0;
}