Will ensure any email you restore from Recycle Bin will come through marked as good and not marked for delete.
False
200
#FF1A19B3
White
False
False
False
All
Header
Contains
PlainText
Resent-From: "MailWasher? Pro recycle bin" <
Currently set for many non latin languages. You can edit this filter to your own preference.
False
-100
#FFCC0098
White
False
False
All
EntireMessage
Contains
Language
Arabic,Chinese,Cyrillic,Hebrew,Indic,Japanese,Korean,Tamil,Vietnamese
Looks for messages that are not addressed to you on either the To or CC lines. You need to edit this to include all your own email addresses to use.
False
-100
#FFCC0098
White
False
False
All
To
NotContain
PlainText
bob@test.com
To
NotContain
PlainText
bob.builder@test.com
To
NotContain
PlainText
bbuilder@test.com
Delivery Status Notification (Failure)
True
0
#FF434343
White
False
False
All
ReturnPath
Is
PlainText
<>
Subject
Contains
PlainText
Delivery Status Notification (Failure)
MAILER-DAEMON Bounce
True
0
#FF434343
White
True
False
False
All
ReturnPath
Is
PlainText
<>
From
Contains
PlainText
MAILER-DAEMON@
Not A Scam
True
200
#FF149899
White
False
False
False
All
From
Contains
RegEx
(service|paypal)@paypal.com
Header
Contains
RegEx
Received:\ from\ (mx\d\.(phx|slc)\.paypal\.com|\(?\[173.0.84.\d{1,3}\]|helo=mx\d{0,3}\.slc\.paypal\.com|.+\.paypalcorp\.com|mail\d{1,4}.\.paypal.mkt2944.com)
Header
Contains
RegEx
DKIM-Signature:\s.+\sd=paypal.com;
Not A Scam
True
100
#FF149899
White
False
False
All
From
Contains
PlainText
noreply@mail.paypal.com
Header
Contains
RegEx
domain\ of\ bounce@mail\.paypal\.com\ designates\ 142\.54\.244\.\d{1,3}\ as\ permitted\ sender
Header
Contains
PlainText
Return-Path: <bounce@mail.paypal.com>
XLSM Attachment/Stream
False
-150
#FFFFE500
Black
False
False
All
EntireMessage
Contains
RegEx
Content-Disposition:\ attachment;\ filename=".+\.xlsm"
EntireMessage
Contains
RegEx
Content-Type:\ application/octet-stream;\ name=".+\.xlsm"
Security protocol update exploit link
True
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
.pw>
Subject
Contains
PlainText
Security protocol update
Body
Contains
PlainText
Update Emails
.pw spam
False
-100
#FFCC0098
White
False
False
All
Header
Contains
PlainText
.pw>
Header
Contains
RegEx
Received: from ns\d\.[a-z0-9]+\.pw\s
False
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
.digitaloceanspaces.com/
Googleapis Spam
True
-150
#FFCC0098
White
False
False
All
Body
Contains
RegEx
https://storage.googleapis.com/.+
Body
Contains
RegEx
<title>\nfacebook.com\ngoogle.com\namazon.com\nebay.com\ntwitter.com\nfacebook.com\ngoogle.com\namazon.com\nebay.com\nfacebook.com\ntwitter.com\n
Sextortion Scam
False
-100
#FFCC0098
White
False
False
All
From
Contains
PlainText
Recorded You
Subject
Contains
PlainText
Video Of You!
Body
Contains
PlainText
Hey, today I got some bad news for you.
Body
Contains
PlainText
To stop me, pay
Body
Contains
PlainText
//paxful.om/buy-bitcoin
Sextortion Scam
False
-150
#FFCC0098
White
False
False
All
Body
Contains
PlainText
PRONOGRAPHIC
Body
Contains
PlainText
P0RN0graphic videos
Body
Contains
PlainText
BIT C0lN
Body
Contains
PlainText
Important! The address(CaSe SeNsItIvE) contains spaces so you must to eliminate all the spaces
Body
Contains
PlainText
The Address which is CASE SENSITIVE contains spaces so you have to manually remove all spaces
Body
Contains
PlainText
My malicious application
Body
Contains
PlainText
my bitcoin wallet:
Body
Contains
PlainText
I have gained access to your devices
Body
Contains
PlainText
you masturbate
Likely Sextortion Scam
True
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Send
Body
Contains
PlainText
video
Body
Contains
RegEx
Bitcoin|bitcoin
Body
Contains
RegEx
address|wallet
Body
Contains
RegEx
(1|3|bc)(\d|\w){32,34}(=)?\s
Bitcoin Wallet Listed
False
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
bitcoin\ wallet.*:\ [0-9|a-z|A-Z]{34}
Sextortion Scam
True
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
.+@.+\.[a-z]{2,4}\ has\ been\ hacked,\ change\ your\ password\s(ASAP)?
Sextortion Scam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
This\ information\ concerns\ the\ security\ of\ your\ account:\ .+@.+\.[a-z]{2,4}
Hacker Scam
True
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Hello!
Body
Contains
PlainText
I'm a member of an international hacker group.
Body
Contains
PlainText
your account
Body
Contains
PlainText
was hacked, because I sent message you from it.
Sextortion Scam
False
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
Recorded You
Subject
Contains
PlainText
Video Of You!
Subject
Is
PlainText
your new adult video
Subject
Contains
PlainText
Your account is being used by another person
Subject
Contains
RegEx
[Pp]ervert\s-\s.+
Subject
Contains
PlainText
mastrubate
Subject
Contains
PlainText
mɑsturbating
Body
Contains
PlainText
mɑsturbation
From
Contains
PlainText
Anonymous Hacker
From
Contains
PlainText
Your Life
From
Contains
PlainText
Your Privacy
From
Contains
PlainText
Save You
From
Contains
PlainText
Save Yourself
From
Contains
PlainText
SaveYourself
Body
Contains
PlainText
You will make a bitcoin payment (if you don't know, look for "how to buy bitcoins" on Google).
Body
Contains
PlainText
Hi, I know one of your passwords is:
Body
Contains
PlainText
Your computer was infected with my private malware
Body
Contains
PlainText
My malware gave me full access to all your accounts
Body
Contains
PlainText
I can publish all your private data everywhere
Body
Contains
PlainText
The only way to stop me, is to pay exactly
Body
Contains
PlainText
(USD dollars) is a fair price for our little secret.
Body
Contains
PlainText
My nickname in darknet is
Body
Contains
PlainText
who cracked your email
Body
Contains
PlainText
I hacked this mailbox
Body
Contains
PlainText
I have access to all your accounts
Body
Contains
PlainText
I'm a hacker
Body
Contains
PlainText
I uploaded malicious code to your Operation System
Body
Contains
PlainText
Also I installed a Trojan on your device
Body
Contains
PlainText
When you went online, my trojan was installed
Body
Contains
PlainText
I expect payment from you for my silence
Body
Contains
PlainText
This is a hacker code of honor
Body
Contains
PlainText
This is the word of honor hacker
Body
Contains
PlainText
It is useless to change the password, my malware intercepts it every time
Body
Contains
PlainText
After payment, my virus and dirty photos with you self-destruct automatically
Body
Contains
PlainText
I want to say - you are a big pervert.
Body
Contains
PlainText
I want to say - you are a BIG pervert
Body
Contains
PlainText
I am a spyware software developer
Body
Contains
PlainText
Your account has been hacked by me
Body
Contains
PlainText
my exploit downloaded my malicious code
Body
Contains
PlainText
I hacked your OS and got full access to your account
Body
Contains
PlainText
Your account has been hacked by me
Body
Contains
PlainText
I give you 48 hours to pay.
Body
Contains
PlainText
I also have access to all your contacts and all your correspondence.
Body
Contains
PlainText
As you may have noticed, I sent you an email from your account.
Body
Contains
PlainText
Hi, your account has been infected!
Body
Contains
PlainText
I'm a hacker who exploited
Body
Contains
PlainText
This email won't acquire too much of your efforts
Body
Contains
PlainText
This is the bitcoin wallet address
Body
Contains
PlainText
Password in the video >>
Body
Contains
PlainText
Ç·orn website
Body
Contains
PlainText
Ç·erverted
Body
Contains
PlainText
update your antiviruses
Body
Contains
PlainText
This is my bitcoin wallet address
Body
Contains
PlainText
http://www.login.blockchain.com/en/
Body
Contains
PlainText
I am a representative of the ChaosCC hacker group.
Body
Contains
PlainText
all your contacts are known to us
Body
Contains
PlainText
copy & paste - it's case sensitive - and combine both lines into one single
Sextortion Scam
True
-200
#FFCC0098
White
False
False
All
Body
Contains
RegEx
\b[0-9a-zA-z]{34}\b
Body
Contains
RegEx
(​\w+\s?){3,}
Body
Contains
RegEx
co​py.pa(​ste|ste)
Sextortion Scam
True
-200
#FFCC0098
White
False
False
All
Subject
Is
RegEx
[a-z0-9-_.]+\s:\s.+
Body
Contains
RegEx
Content-Type: text/plain; charset="utf-8"\nContent-Transfer-Encoding: base64\n\n.+
Known Spam [F]
False
-200
#FFCC0098
White
True
False
All
Header
Contains
RegEx
\.(bid|club|faith|host|science|space|stream|top|vip|website|win|xyz)[>)]
Header
Contains
PlainText
relay-x.misswldrs.com
Header
Contains
PlainText
mysecuritycamera.org
From
Contains
PlainText
livenewsupdate@millan.pgw.jp
From
Contains
PlainText
SafeStreets ADT
From
Contains
PlainText
Wealth Builder
Header
Contains
PlainText
HOTSINGLESNET.NET
From
Contains
PlainText
4Sale
From
Contains
PlainText
offeronmail.com
Header
Contains
PlainText
mail.justechnology.com
Header
Contains
PlainText
From: "News"
Header
Contains
PlainText
From: 'USA Government Center'
Header
Contains
PlainText
From: =?UTF-8?Q?=C2=
Header
Contains
RegEx
^(?-i)IME-Version:\ 1\.0$
From
Contains
PlainText
Software Sale
From
Contains
PlainText
OEM Software
From
Contains
PlainText
Easy-E-Cards-Online
From
Contains
PlainText
support@aicpa.org
From
Contains
PlainText
FB Account
From
Contains
PlainText
CockBlocked
From
Contains
PlainText
FreeAdultHookup
From
Contains
PlainText
Best Credit Cards
From
Contains
PlainText
iGreatLife
From
Contains
PlainText
Express Mail Service
From
Contains
PlainText
Dr. Travis Stork
From
Contains
PlainText
George Aguiar
Header
Contains
PlainText
From: "Support"
Header
Contains
PlainText
sikhguardian.net
Header
Contains
PlainText
email.eminentinc.com
Header
Contains
PlainText
Received: from internal (unknown [x.x.x.x])
Header
Contains
PlainText
Received: from [107.174.30.
Header
Contains
PlainText
Received: from [107.175.123.
Header
Contains
PlainText
217-182-182.eu
Header
Contains
RegEx
(^From:\s{1,3}'?(Mr\.?\ Song\ Li|ph[ra]{2}macy|(?-i)E-STORE|\{|\}|'=\?ISO-8859-1\?Q\?))
From
Contains
RegEx
CanadianPharm|Rx\ The\ Best\ Source|SENATOR\ DAVID\ MARK|SexBoosters|hard.{1}on
From
Contains
RegEx
MensHealth\.com|Extenze|Try\s?[1i]t\s?4Free|TheDR|Max-?Man|Facebook\ Manager|sexual|iContact|Pharmacy.?Online|Online.?Pharmacy|Medical|Vicodin|Drugs|penile|Potency|\bSex\b|Pharm|Pill.?store|(?-i)ANGEL
From
Contains
RegEx
(?-i)i?[A-Z][a-z]+Health\s
From
Contains
RegEx
(?i)(Dr\.?|Doctor)\s?[O0]Z\b|[O0]Z\ .*News
Header
Contains
RegEx
\[81\.7\.([0-9]?|[1-5][0-9]?|6[0-3]?)\.\d{1,3}\]
Header
Contains
RegEx
Received:\sfrom\s\[(5\.230\.126|27.122.14|45\.35\.\d{1,3}|45\.58\.132|50\.115\.167|66\.23\.212|81\.7\.1[4-7]|95\.58\.2[01]|104.36.84|104\.217\.137|104\.254\.213|185\.105\.[4-7]|188.72.68|193\.124\.1(7[6-9]|8[0-9]|9[01])|194\.67\.222|199\.116\.11[89]|204\.188\.245|208\.89\.2(0[8-9]|1[0-5])|216.126.239)\.\d{1,3}\]\s
Header
Contains
RegEx
\[198\.27\.110\.(6[4-9]|7[0-9]|8[0-9]|9[0-9]|1([0-1][0-9]|2[0-7]))\]
Header
Contains
RegEx
\[198\.50\.205\.1(2[89]|[345][0-9])\]
Header
Contains
RegEx
Received:\ from\ \[23\.95\.187\.(19[6-9]|2[01][0-9]|22[012])\]
Header
Contains
RegEx
Received:\ from\ \[36\.(5[6-9]|6[0-3])\.\d{1,3}\.\d{1,3}\]
Header
Contains
RegEx
Received:\ from\ \[194\.67\.\d{1,3}\.\d{1,3}\]
Header
Contains
RegEx
Received:\ from\ \[64\.71\.76\.(199|20[0-9])\]
Gambling Spam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
Earn 50.000 euro every month
Body
Contains
PlainText
Fully automatic software can generate 500-1500 euro every day
Body
Contains
PlainText
Our private clients make over 500.000 euro
Body
Contains
PlainText
tracker?offer_id=3459&aff_id=198
CEST Time Zone Spam
True
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
+0200
Header
Contains
PlainText
(CEST)
KAZAKHSTAN or KYRGYZSTAN
False
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Date:\ .+\ \+0600
UNSUB Known Spam
True
-200
#FFCC0098
White
True
False
All
Body
Contains
RegEx
(?-i)<br>UNSUBhERE</a>
X-SPF-Check: Fail
True
-100
#FFFFFF01
Black
False
False
All
EntireMessage
Contains
RegEx
X-SPF-Check:\ [0-9.]+\ is\ not\ allowed\ to\ send\ mail\ from\s
Exploit Link
False
-200
#FFFFE500
Black
True
False
All
Header
Contains
PlainText
To: "DyGDYBHOGSKIXGFQDyQRJTHS"
Body
Contains
PlainText
=DyGDYBHOGSKIXGFQDyQRJTHS"
Header
Contains
RegEx
/bin/sh\.-c|perl\.ex\.txt|wget\.[\d\.]+/|lwp-download|cd\s/tmp\s;curl
Body
Contains
PlainText
/arc/file/">
Body
Contains
PlainText
HELLO!,Is This Your Photo?link
Body
Contains
PlainText
some jerk has posted your pictures
Body
Contains
PlainText
and sent a link of them to all ur friends
Body
Contains
PlainText
Please read the attachment to get the message
Body
Contains
PlainText
Please read the attachment.</A>
Body
Contains
PlainText
have attached your document.</A>
Body
Contains
PlainText
/viewmovie.html
Body
Contains
RegEx
.(avi|mpg).exe'>
Body
Contains
RegEx
/(ecard|install|msvideoc)\.exe('>)?
Body
Contains
RegEx
/(best|index1|up)(\.|=2E)php'
Body
Contains
RegEx
(?-s)^Content-Transfer-Encoding:\ quoted-printable\r\n\r\n^.+http://.+/.+\.html$\r\n^------=_NextPart_
Body
Contains
RegEx
http://.+/(begin|checkit|first|fresh|index1|gowatch|live(streaming)?|lol|news|showvideo|start|stream(ing)?|topnews|up|viewmovie|watch|watchit|whatsup|1)\.html(</a><br>)?(\r\n)?
Body
Contains
RegEx
\.pdf\.exe</a>
Body
Contains
PlainText
waiting to be downloaded at sendspace
Body
Contains
PlainText
/wp-config.htm"
Body
Contains
PlainText
.php?v20120226
Body
Contains
PlainText
/wp-content/plugins/wps.php?
Body
Contains
PlainText
/f.php?
ColoCrossing Spam
False
-150
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Received:\ from\ \[23\.9[45]\.\d{1,3}\.\d{1,3}\]
Email Harvester Scam
True
-200
#FFFFFF01
Black
True
True
All
Body
Contains
RegEx
<img\ src="http://.+/unsubscribe\.php\?email=.+@.+">
Intuit Quickbooks Spoof
True
-200
#FFFFFF01
Black
False
False
All
From
Contains
RegEx
(Quickbooks|Intuit)
From
NotContain
RegEx
@(.+\.)?intuit.com
Images Scam
False
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
I was confused, to put it nicely, when I came across my images at your web-site.
Body
Contains
PlainText
It's not legal to use stolen images and it's so mean!
Body
Contains
PlainText
If you don't remove the images mentioned in the document above within the next few days,
Body
Contains
PlainText
you may be pretty damn sure I am going to report and sue you!
Docusign Scam
True
-100
#FFCC0098
White
False
False
All
From
Contains
PlainText
DocuSign
From
NotContain
RegEx
@docusign\.(com|net)
Subject
Contains
PlainText
DocuSign
Body
Contains
PlainText
//docs.google.com/document/
Malware Attachment
True
-200
#FFFFE500
Black
False
False
All
Header
Contains
PlainText
Return-path: <fraud@aexp.com>
Body
Contains
PlainText
Content-Type: application/zip;
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
RegEx
name=".+\.zip"
Malware Scam
False
-200
#FFFFE500
Black
False
False
All
ReturnPath
Contains
PlainText
Return-path: <fraud@aexp.com>
Header
Contains
PlainText
(envelope-from <fraud@aexp.com>)
Malware Link
True
-200
#FFFFE500
Black
False
False
All
EntireMessage
Contains
RegEx
Whats.?App
Body
Contains
RegEx
(©|©)\s(2014\s)?Whats.?App
Body
Contains
RegEx
New\ offline\ video\ mail|You\ have\ a\ new\ incoming\ audiomessage.|New\ voice\ mail.
Body
Contains
RegEx
a href="http://.+/.+\.(php|pl)"
Body
Contains
RegEx
(Autoplay|Play|Listen)</a>
Amazon spoof
True
-200
#FFFFE500
Black
True
False
False
All
From
Contains
RegEx
Amazon|@amazon\.com
ReturnPath
NotContain
PlainText
@bounces.amazon.com>
Received
NotContain
RegEx
\.(amazon|amazonses)\.com\)
Header
NotContain
RegEx
^(DomainKey-Signature:|DKIM-Signature:)
Body
Contains
RegEx
^Content-Type:\ application/zip;\ name=".+\.zip"
Amazon Spoof
True
-200
#FFFFE500
Black
True
False
False
All
From
Contains
PlainText
@amazon.com
Header
Contains
PlainText
X-SPF-Check:
Header
Contains
PlainText
is not allowed to send mail from amazon.com
Malware Attachment
True
-200
#FFCC0098
White
True
False
All
Body
Contains
PlainText
(ZIP archive, Adobe PDF)
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
PlainText
.pdf.zip"
Malformed/Malware Zipfile Attachment Name
False
-200
#FFFFFF01
Black
True
False
False
All
Header
Contains
PlainText
Content-Type: application/zip;
Header
Contains
PlainText
Content-Disposition: attachment
Body
Contains
RegEx
Content-Type:\s\sapplication/x(-zip)?-compressed;\sname=\s.+\.zip
Body
Contains
RegEx
Content-Type:\s\sapplication/x-zip;\sname=\s.+\.zip
Body
Contains
RegEx
Content-Type:\s\sapplication/x-compress;\sname=\s.+\.zip
Body
Contains
RegEx
Content-Type:\s\sapplication/octet-stream;\sname=\s.+\.zip
Body
Contains
RegEx
Content-Type:\s\smultipart/x-zip;\sname=\s.+\.zip
IMG subject, but ZIP attachment
True
-200
#FFFFFF01
Black
True
False
False
All
Header
Contains
RegEx
Subject:\ (\[SPAM\]\s{2})?IMG_\d{4,5}(\.(BMP|GIF|JPE?G|PDF))?\s?\n
EntireMessage
Contains
PlainText
Content-Type: application/octet-stream;
EntireMessage
Contains
RegEx
(file)?name=IMG_\d+\.zip
Possible malware attachment
True
-150
#FFFFCC00
Black
False
False
All
Body
Contains
RegEx
^Content-disposition:\ attachment;|^Content-Type:\ application/zip;
Body
Contains
PlainText
filename="Photo.zip"
Malware in Zipfile
True
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
invoices@
Subject
Contains
PlainText
Invoice-
Body
Contains
RegEx
Content-Disposition:\sattachment;\sfilename=".+_Invoice\.zip"
CV Zipfile Attachment
True
-150
#FFFF0000
White
False
False
All
Body
Contains
RegEx
^Content-Type:\ application/zip;
Body
Contains
RegEx
^Content-disposition:\ attachment;
Body
Contains
RegEx
(\s?filename|\tname)=".+cv\.zip"
Zip, Rar, 7z, or Gz Attachment
True
-200
#FFFFFF01
Black
True
False
False
All
Body
Contains
RegEx
Content-[dD]isposition:\ (attachment|inline);|Content-Type:\ application/(zip|x-rar-compressed);
Body
Contains
RegEx
(\s?filename|\bname)=".+\.(zip|rar|t?gz|7z)"
Exploit in Attachment
True
-200
#FFFFFF01
Black
False
False
All
Header
Contains
PlainText
X-Mailer: PHPMailer [version 1.73]
Body
Contains
RegEx
(Content-Type:\ application/zip;|Content-Disposition:\ attachment;)\ (file)?name=".+\.zip"
Exploit Attachment
False
-200
#FFFFFF01
Black
False
False
All
Body
Contains
PlainText
Content-Type: application/vnd.ms-word.document.macroEnabled.12;
CNBC Diet Scam
True
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
CNBC
From
NotContain
PlainText
cnbc.com
Header
Contains
PlainText
X-Mailer: WhatCounts
.EU Spam Domain Link
True
-200
#FFCC0098
White
True
False
All
Body
Contains
RegEx
http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+
Weight Loss Scam
False
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Slimmer|slimming|Slim-Fast
From
Contains
RegEx
(?i)Los(e|ing).?Weight|weight.?loss|FatBurning|Los(e|ing).?(Fat|Pounds)|WeightLoss|Slim|Nanoxyn\sAlpha
From
Contains
RegEx
(?-i)^(Dr\.?\s?(O|0)(Z|z)|OZ)
From
Contains
RegEx
Lbs.?[O0]FF
Subject
Contains
PlainText
WegihtLoss
Subject
Contains
PlainText
excessive pounds
Subject
Contains
RegEx
Lbs.?[O0]FF
Subject
Contains
RegEx
(?i)Get\ (Skinny|Slim)|Lose.+\d\d\ lbs
Subject
Contains
RegEx
(?i)weight.?loss|Fat.?Loss|FatBurning
Subject
Contains
RegEx
(?i)(Drop|Shed|your)\ Weight
Subject
Contains
RegEx
(?i)Loo?s(e|ing)\s?(your\ )?(fat|pounds|weight)|unwanted\ fat|Lose\ \d\d\ (lbs|pounds)
Subject
Contains
RegEx
\d\dkg|\bhcg\b|(?-i)Hoodia|Gordonii|Anatrim|Acai[\sBW]|HCG
Subject
Contains
RegEx
(?i)(our\s)?(diet|dietary)\s(aid|formula|medicine|pills?|plan|products|science|solution|suppliments?)
Subject
Contains
RegEx
nutrionist|weight\sreduction|weight\s.*loss
Subject
Contains
PlainText
Unheard of results guaranteed
Subject
Contains
PlainText
your body's natural weight
Subject
Contains
PlainText
Your Metabolism
Subject
Contains
PlainText
Dropping Pounds
Weight Loss Scam
False
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Dr. OZ Newsletter
Body
Contains
PlainText
Its The Best Product We Have Seen - Mark Cuban
Body
Contains
PlainText
kilograms a month
Body
Contains
PlainText
get rid of extra pounds
Body
Contains
PlainText
pounds in the next two weeks
Body
Contains
PlainText
lose weight
Body
Contains
PlainText
loseweight
Body
Contains
PlainText
lost weight
Body
Contains
PlainText
shed weight
Body
Contains
PlainText
Losing Weight
Body
Contains
PlainText
Amazing weight loss
Body
Contains
PlainText
your weight.
Body
Contains
PlainText
WeightL0SS
Body
Contains
PlainText
Weight Loss
Body
Contains
PlainText
weight-loss
Body
Contains
PlainText
iWellHealth
Body
Contains
PlainText
garciniacambo
Body
Contains
PlainText
bodyfat
Body
Contains
PlainText
excess fat
Body
Contains
PlainText
lose fat
Body
Contains
PlainText
sciencedaily
Body
Contains
PlainText
fatsolution
Body
Contains
PlainText
fatburn
Body
Contains
PlainText
healthnews
Body
Contains
PlainText
slimming product
Body
Contains
PlainText
get a slim figure
Body
Contains
PlainText
Better Your Body
Body
Contains
PlainText
Pure Forskolin Extract
Body
Contains
PlainText
Nanoxyn Alpha
Body
Contains
RegEx
http://.*greencoffe.+\.[a-z]{2,4}/
Body
Contains
RegEx
http://.*g?arcinia.+
Body
Contains
RegEx
obese|obe\.se|o\.b\.esity|(?-i)Obesity
Body
Contains
RegEx
los(e|ing)\ [a-z0-9\+]{2,8}\ kilograms
Body
Contains
RegEx
herbal\ (capsules|components)
Body
Contains
RegEx
\bhcg\b|(?-i)Hoodia|Gordonii|Fatblaster|QuickSlim|Anatrim|Acai\s
Body
Contains
RegEx
drop(ped)?\s20-?lbs
Anti-Aging Treatment Spam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
Anti-?Aging
Subject
Contains
RegEx
Reverses?\ Alzheimers
Subject
Contains
RegEx
(brain|cerebral)\ (booster|capacity|enhancer|stimulant}
Subject
Contains
PlainText
mental power
Subject
Contains
PlainText
boost your mental
Body
Contains
RegEx
Reverses?\ Alzheimers
Body
Contains
RegEx
anti-?aging
Body
Contains
PlainText
Ceramide
Body
Contains
RegEx
\bFirmativ\b
Pump and Dump Scam
False
-200
#FF0000FF
White
False
False
All
Header
Contains
RegEx
X-cid:\ scott\.\d+
From
Contains
RegEx
(?i)Stocks|(Buy|Penny).?Stock|Stock.?(Advisor|Watch)|stock.?(pick|tip)|(?-i)OTC\b|iMarket|Investors?|Investments|IHub|Money\ Runners
Subject
Contains
RegEx
(?-i)DYNV|PennyStock|Market\ News|ECMZ|Insider\ Report|Trading\ Alert
Subject
Contains
RegEx
(?i)(Best|One|this)\s?stock|stock.{0,2}(pick|tip)|Penny\ Stocks?|bioceutical|IHub|Money\ Runners
EntireMessage
Contains
PlainText
I'm Mike Statler
EntireMessage
Contains
PlainText
MarketWatch
EntireMessage
Contains
PlainText
This company is going to triple
EntireMessage
Contains
PlainText
This stock is going to triple
EntireMessage
Contains
PlainText
pennystockcrew.com
Body
Contains
PlainText
StockTips
Body
Contains
PlainText
iStocks
Body
Contains
PlainText
stokc
Body
Contains
PlainText
and only broker
Body
Contains
PlainText
stocks adviser
Body
Contains
PlainText
Stock Symbol:
Body
Contains
PlainText
Scout Exploration
Body
Contains
PlainText
call your broker NOW before it is
Body
Contains
PlainText
PowerPlay2Day
Body
Contains
PlainText
Market Newsletter
Body
Contains
PlainText
Market Info
Body
Contains
PlainText
Please Enable Links and Images to View the Newsletter!
Body
Contains
PlainText
(use the first letters of each word to make up your 4 letter symbol
Body
Contains
PlainText
This is the ticker
Subject
Contains
PlainText
this company could yield you a ten bagger
Subject
Contains
PlainText
stock is guaranteed to jump
Subject
Contains
PlainText
on your principal in just a few days
Subject
Contains
PlainText
This company just found a
Header
Contains
PlainText
X-Mailer: PHPMailer 5.2.8 (https://github.com/PHPMailer/PHPMailer/)
Subject
Contains
PlainText
This crypto coin could go up
Body
Contains
PlainText
buy SIC (Swisscoin)
Pump and Dump Scam
True
-200
#FF1A19B3
White
False
False
All
Body
Contains
PlainText
$.
Body
Contains
PlainText
range.
Body
Contains
PlainText
is selling
Body
Contains
PlainText
for pennies
Body
Contains
PlainText
buy
Pump and Dump Scam
True
-200
#FF1A19B3
White
False
False
All
Body
Contains
PlainText
trade
Body
Contains
PlainText
shares
Body
Contains
PlainText
value
Body
Contains
RegEx
(below|under)\s(\$1|dollar)
Pump and Dump Scam
False
-200
#FF0000FF
White
False
False
All
Body
Contains
RegEx
Investors.?Hub
Body
Contains
RegEx
Penny.?Stock.?(Newsletter|Picks)
Body
Contains
RegEx
(?-i)(Symbol|[tT]icker):?\ [A-Z]{3,5}
Body
Contains
RegEx
(?-i)Date:\s.+\n.*(Company|Name):\s.+\n.+\n.*\n(.*Price:|.*Target:)
Body
Contains
RegEx
(?i)\b(3D)?(Q[._-\W\s]?S[._-\W\s]?M[._-\W\s]?G)
Body
Contains
RegEx
(?-i)\b(3D)?(E[._-\W\s]?C[._-\W\s]?G[._-\W\s]?R)\b
Body
Contains
RegEx
(?-i)\b(3D)?(I[._-\W\s]?N[._-\W\s]?C[._-\W\s]?T)\b
Body
Contains
RegEx
(?-i)\b(3D)?(G[._-\W\s]?R[._-\W\s]?Y[._-\W\s]?N)\b
Body
Contains
RegEx
(?-i)\b(3D)?(S[._-\W\s]?I[._-\W\s]?C)\b
Pump and Dump Scam
False
-200
#FF1A19B3
White
False
False
All
Body
Contains
RegEx
(?-i)\b(3D)?(N[._-\W\s]?T[._-\W\s]?E[._-\W\s]?K)\b
Body
Contains
RegEx
(?-i)\b(3D)?(T[._-\W\s]?P[._-\W\s]?H[._-\W\s]?X)\b
Body
Contains
RegEx
(?-i)\b(3D)?(B[._-\W\s]?W[._-\W\s]?P[._-\W\s]?C)\b
Body
Contains
RegEx
(?-i)\b(3D)?(A[._-\W\s]?G[._-\W\s]?H[._-\W\s]?I)\b
Body
Contains
RegEx
(?-i)\b(3D)?(D[._-\W\s]?J[._-\W\s]?R[._-\W\s]?T)\b
Body
Contains
RegEx
(?-i)\b(3D)?(E[._-\W\s]?W[._-\W\s]?R[._-\W\s]?C)\b
Body
Contains
RegEx
(?-i)\b(3D)?(C[._-\W\s]?R[._-\W\s]?G[._-\W\s]?P)\b
Body
Contains
RegEx
(?-i)\b(3D)?(S[_-\W\s]?N[_-\W\s]?X[_-\W\s]?G)\b
Body
Contains
RegEx
(?-i)\b(3D)?(N[_-\W\s]?U[_-\W\s]?A[_-\W\s]?N)\b
Body
Contains
RegEx
(?-i)\b(3D)?(C[_-\W\s]?N[_-\W\s]?R[_-\W\s]?M[_-\W\s]?F)\b
Body
Contains
RegEx
(?-i)ISM\s?\.\s?TO|\sISM\s
Spam from PHP script
False
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
X-PHP-Originating-Script:\ \d{5}:(Api|Mailer|Qmail)\.php
Header
Contains
RegEx
X-PHP-Originating-Script: 10\d\d:Sendmail.php
Pump and Dump Scam #5
True
-200
#FF1A19B3
White
False
False
All
From
Contains
RegEx
Agora.*Financial
From
NotContain
PlainText
@agorafinancial.com>
Fake Pharmacy
True
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
Return-path: <>
Subject
Contains
RegEx
beloved|girlfriend|intimate|ladies|satisfy|sex|your\ (lady|lov[ei]|girl|gf|nature|(female\s)?partner|night)
Fake Pharmacy
True
-200
#FFCC0098
White
False
False
All
ReturnPath
Is
PlainText
<>
Body
Contains
RegEx
^https?://www.google.com/url\?q=http%3A%2F%2F
Russian Punycode Domain Link
False
-200
#FFCC0098
White
False
False
All
Body
Contains
RegEx
http://.+\.xn--p1ai/
Empty Return-path
True
-200
#FFFFCC00
Black
False
False
All
ReturnPath
Is
PlainText
<>
Fake Pharmacy
False
-200
#FFCC0098
White
True
False
All
Header
Contains
PlainText
American Health Shop
Body
Contains
PlainText
American Health Shop
Viagra Spam
False
-200
#FFCC0098
White
True
False
All
From
Contains
PlainText
Viiagra
From
Contains
PlainText
Pfizer
From
Contains
PlainText
viagra.com
From
Contains
PlainText
Free To Try
From
Contains
PlainText
sex remedies
From
Contains
PlainText
® Official Site
From
Contains
RegEx
Erectile|Erection|\bP[i1l]lls\b|(Potency|Sex)\s?Tablets|\b(Anti.?)?(?-i)ED\b|[Aa]nti-ed
From
Contains
RegEx
VI[A@]G®A|V[I1|]AGR[A@]|Viag.?ra|Vi.gra|Vigara|viagar|ivagra|v[ia]{2}gra|v[iy]arga|V_I_A_G_R_A|Impotence|sexual\ health
From
Contains
RegEx
Cii?aa?lis|Cia1is|C1alis|^i?Ci?a.?li?s\b|Levitra
From
Contains
RegEx
Vii?a?a?gg?a?a?rr?aa?
Viagra Spam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
Viagra/Cialis/Levitra
Subject
Contains
PlainText
Buy Vaigra
Subject
Contains
PlainText
Always be ready.
Subject
Contains
PlainText
impotenc
Subject
Contains
PlainText
se>.<
Subject
Contains
PlainText
dysfunction
Subject
Contains
PlainText
$_e'xual
Subject
Contains
RegEx
(blue|love).?pills?\b
Subject
Is
PlainText
Be ready.
Subject
Contains
RegEx
\b(ciali[a-z]|levitra|viagra|VIGARA|Viigaaraa|Vi@gra|Pfizer|^Pending\ delivery)\b|(?-i)C[i1]al[i1]s|Kamagra
Subject
Contains
RegEx
(?-i)ED[_\s]dysfunction|\sED\.|[Aa]nti-ED
Subject
Contains
RegEx
(?-i)Online\ V[a-z1]{1,4}A\ Store
Subject
Contains
RegEx
^user\ .+brand\ \d\d%\ Off\ Sale
Subject
Contains
PlainText
success stories about V
Subject
Contains
RegEx
personal\ \d\d%\ dis[cs]ount
Subject
Contains
RegEx
V I A G R A
Viagra Spam
False
-150
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
on Pfizer
Subject
Contains
RegEx
Pf[|1l]zer
Subject
Contains
PlainText
Re: Please, placce you order now
Subject
Contains
PlainText
Re: Please, conflrm you receipt
Subject
Contains
RegEx
Hey,?\ [a-z0-9]+,?\ get\ percent [0O]FF
Subject
Contains
RegEx
.+\d\d% (off\s)?only\ for\ you
Subject
Contains
RegEx
.+Catch\ \d\d%\ discounts\ [a-z]+
Subject
Contains
RegEx
^Your\ Order\ Status\ ID:\ [A-Z]{11,}
Subject
Contains
RegEx
^Visitor\ .+'s\ personal\ \d\d%\ OFF$
Subject
Contains
RegEx
^User\ .+\ save\ \d\d%\ now
Subject
Contains
RegEx
^Hello,\ [a-z0-9]{3,}.?\ \d\d%\ off\ till?\ [A-Z][a-z]{3,8}\ [a-z]{3,}
Subject
Contains
RegEx
^(RE:\ )?(January|February|March|April|May|June|July|August|September|October|November|December)\ \d\d%\ OFF\s?$
Russian Domain Link
False
-200
#FFCC0098
White
True
False
All
Body
Contains
RegEx
http://(www\.)?(.+\.r[uo]/|.+\.r[uo](\r|\n|\s)|.+\.ua)|.+\.[se]u(/|\s|$)|.+\.by(/|\b)
Body
Contains
RegEx
www\.[a-z0-9-]{1,16}\.ru(/.+)?
Body
Contains
RegEx
<a href=(3D)?'[a-z0-9\.]{4,}\.ru'>
Viagra Spam
False
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Viagra!
Body
Contains
PlainText
VIAGQRA
Body
Contains
PlainText
Viagra Professional
Body
Contains
PlainText
Best Price for VIAGRA
Body
Contains
RegEx
\b(Erectifix|erectile\ dysfunction|(?-i)anti-ED|(?-i)cure\ ED|(im)?potence|ED\ treatment)\b
Body
Contains
PlainText
Taste the V
Body
Contains
PlainText
V-letter remedy
Body
Contains
RegEx
blue.?pill?|SoftTabs|\$1\.\d\d/pill\b
Body
Contains
RegEx
(?-i)Vi?<span\ style='FONT-SIZE:\ 2px;\ FLOAT:\ right;\ COLOR:\ white'>
Body
Contains
RegEx
ViaGrow|viiagra|Vagria|Vgaira|Pfizer|Kamagra
Body
Contains
RegEx
(Buy|order|original|with)\ .*Viagra
Body
Contains
RegEx
Viagra\s{1,3}tabs|Viagra.+\$\d
Body
Contains
RegEx
<a\ href=.+>.*viagra.*</a>
Body
Contains
RegEx
bring\ back\ fire\ and\ passion|make\ (luv|love)\ all\ night|endless\ climaxes|your\ xxx\ drive|sexual\ health|\bmale problems?\b
Viagra Spam
False
-150
#FFCC0098
White
False
False
All
EntireMessage
Contains
PlainText
Viagra
Viagra Spam
False
-200
#FFCC0098
White
True
False
All
Subject
Contains
PlainText
⋁ἲấġբẚ
Subject
Contains
PlainText
VIAG*RA
Subject
Contains
RegEx
V\lsAGRA|VIAGQRA|VAIGRA|Vyagra|Vgaira|V\|AGRA|[vw]iag.?row
Subject
Contains
RegEx
(?-i)Vlagrxa|Viagr.a|Viagr\d|Vi\dgra
Subject
Contains
RegEx
^V.{4,6}a\s\d\d\s?mg
Subject
Contains
RegEx
(V|\\/|/)[i|l!1]agr[a@]
Subject
Contains
RegEx
\bv.i.a.g.r.a\b
Subject
Contains
RegEx
(?-i)V[iy]a(rga|gar|gra)
Header
Contains
RegEx
Subject:.+\bV[i1!l|]AGRA\b.+
Subject
Contains
RegEx
viaq[ij]ra
Known Spam Subjects
False
-200
#FFCC0098
White
True
False
All
Subject
Contains
PlainText
Product Recommended by
Subject
Contains
PlainText
new In town
Subject
Is
PlainText
Alone
Subject
Is
PlainText
Uniform traffic ticket
Subject
Is
PlainText
Industrial Invoices
Subject
Contains
PlainText
FDIC notification
Subject
Contains
PlainText
Scan from a Xerox W
Subject
Contains
PlainText
Scan from a HP ScanJet
Subject
Contains
PlainText
Scan from a Hewlett-Packard ScanJet
Subject
Contains
PlainText
Termination of your accountant license
Subject
Contains
PlainText
Cannabis Cancer Treatment
Subject
Contains
PlainText
(random)
Subject
Contains
PlainText
- Copies of Policies.
Subject
Is
PlainText
You pig!
Subject
Contains
PlainText
Questionary
Subject
Contains
PlainText
Your CashPro Online Digital Certificate
Subject
Contains
RegEx
^Your\ friend\ .+\ has\ recommended\ this\ great\ product\ from\s
Subject
Contains
RegEx
^Web\ design\ and\ marketing\ \$\d\d\ /\ Month$
Subject
Is
PlainText
SPECIAL PROMOCODE INSIDE
Subject
Is
PlainText
SPECIAL PROMO CODE INSIDE
Subject
Is
RegEx
(?i)Invoice\ NIC\d{6}
Secure.Message Scam
False
-200
#FFCC0098
White
False
False
All
From
Contains
RegEx
(?-i)(Private|Secure).?Message
From
Contains
RegEx
SecureMessage.?System
Body
Contains
PlainText
SecurePM
Body
Contains
PlainText
SecureMessage System
From
Contains
RegEx
Dating.?System
Body
Contains
PlainText
NewDating System
NACHA Fraud
False
-200
#FFCC0098
White
True
False
All
From
Contains
PlainText
NACHA
FDIC Fraud
False
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
FDIC
ACH Fraud [From]
False
-200
#FFCC0098
White
True
False
All
From
Contains
PlainText
The Electronic Payments Association
From
Contains
RegEx
(?-i)\bACH\b
ACH Fruad
True
-200
#FFCC0098
White
True
False
All
EntireMessage
Contains
RegEx
(?-i)\bACH\b
Body
Contains
PlainText
Transaction
Body
Contains
RegEx
Cancell?ed|rejected|suspended
Body
Contains
RegEx
financial\ (body|institution)|bank|banking\ information
Body
Contains
RegEx
Report|form
Body
Contains
RegEx
details\ in\ the\ attachment|nacha\.(org|net|us)/reports?/|(?-i)Transaction\ Report:?|status
ADP Fraud
True
-200
#FFCC0098
White
False
False
All
From
Contains
RegEx
(?-i)ADP
Received
NotContain
PlainText
adp.com)
Body
NotContain
RegEx
<a\ href="https://www\.[a-z]+\.adp\.com/.+/[a-z]+\.aspx">?
BBB Fraud
False
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
::Better Business Bureau::
From
Contains
RegEx
Better.?Business.?Bureau|(?-i)BBB
From
Contains
PlainText
@bbb.org
Subject
Contains
PlainText
BBB Case #
Subject
Contains
PlainText
Activity Report
Subject
Contains
PlainText
Better Business Bureau Case #
Body
Contains
PlainText
The Better Business Bureau has been sent the above mentioned complaint from one of your clients
Body
Contains
PlainText
the consumer's concern is included in attached file
Body
Contains
PlainText
Business Bureau Council of Better Business Bureaus
Body
Contains
RegEx
The\ details\ of\ the\ consumer's\ (concern|complaint)\ are\ (explained|included)\ in\ (the\s)?attached\ file\.
Body
Contains
RegEx
Please\ (open|use)\ the\ link\ below\ to\ (re)?view\ the\ contents\ of\ the\ complaint:
Credit Card Locked Scam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
Your\ credit\ card\ has\ been\ b?locked
From
Contains
PlainText
VISA TEAM
Body
Contains
PlainText
Your credit card is locked!
Body
Contains
PlainText
From your credit card has been removed
Body
Contains
PlainText
Possibly illegal operation!
Tax Fraud
True
-200
#FFCC0098
White
True
False
All
Subject
Contains
RegEx
Tax\ Payment\ .+\ (has|is)\ failed
Body
Contains
PlainText
Your Federal Tax Payment ID
Body
Contains
PlainText
has been rejected
Body
Contains
PlainText
Return Reason Code
Body
Contains
PlainText
The identification number used
Body
Contains
PlainText
is not valid
Fake IRS Notice
True
-200
#FFCC0098
White
True
False
All
From
Contains
RegEx
@irs\.gov|(?-i)IRS
Subject
Contains
PlainText
Tax
Received
NotContain
PlainText
.irs.gov
Body
Contains
PlainText
We are unable to process your tax return
Exploit Link
False
-200
#FFCC0098
White
False
False
All
Body
Contains
RegEx
(?-i)http://[a-z0-9-]+\.[a-z]{2,4}/.+\.htm\?[A-Z0-9=&]+=
Body
Contains
RegEx
(?-i)http://[a-z0-9-]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.htm\?[A-Z0-9=&]+=
Body
Contains
RegEx
(?-i)/[a-z0-9]+(=\s*[a-z0-9]+)?\.htm\?[A-Z0-9]{4,7}=[A-z0-9&=]+=
Malware Attachment
True
-200
#FFCC0098
White
True
False
All
Body
Contains
PlainText
(Internet Exlporer File)
Body
Contains
PlainText
Content-Transfer-Encoding: base64
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
RegEx
filename=".+\.htm"
Body
Contains
PlainText
UGFnZSBsb2FkaW5n
Body
Contains
PlainText
UGxlYXNlIHdhaXQ=
Body
Contains
PlainText
DQo8c2NyaXB0
Malware Attachment
True
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Content-Transfer-Encoding: base64
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
RegEx
filename=".+\htm"
Body
Contains
PlainText
PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFs
Wire Transfer Fraud
True
-200
#FFCC0098
White
True
False
All
Subject
Contains
RegEx
Wire\ [tT]ransfer
Body
Contains
RegEx
Federal\ (Bank|Reserve)|Bank\ Account\ Operator|(?i)Operator
Body
Contains
RegEx
Outgoing\ Wire\ transaction|by\ the\ other|Domestic\ Wire\ Transfer|WIRE\ TRANSACTION:|WIRE N:
Fake Facebook Friend Request
True
-200
#FFCC0098
White
True
False
All
Subject
Contains
PlainText
wants to be friends on Facebook
From
Contains
PlainText
@facebookmail.com
Header
NotContain
PlainText
Received: from mx-out.facebook.com
Body
Contains
PlainText
Confirm Friend Request
Body
NotContain
PlainText
http://www.facebook.com/n/?reqs.php
Facebook Spoof
True
-100
#FFCC0098
White
False
False
All
From
Contains
PlainText
Facebook
From
NotContain
RegEx
@(support\.)?facebook(mail)?\.com
Header
NotContain
PlainText
Received: from mx-out.facebook.com
Exploit Link
True
-200
#FFCC0098
White
True
False
All
Subject
Contains
PlainText
Order confirmation
Body
Contains
PlainText
You've just ordered pizza from our site
Body
Contains
RegEx
Pizza\ .{8,30}with\ extras:
Body
Contains
RegEx
Total (Due|to\ pay):.+[0-9]{2,3}\$
Body
Contains
RegEx
(?-i)<h\d>CANCEL\ ORDER\ .*NOW(=)?\s?\r?\n?!</h\d></a>
Body
Contains
RegEx
(?-i)Pizza\ by\ [A-Z]{4,}$
Twitter Exploit Scam
True
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
Confirm\ your\ Twitter\ account,\ .+\!
Header
Contains
RegEx
^Received:\ from\ \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\ \(port=\d{2,5}\)\s?$
Malware Template
False
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
<!-- ======================================================================= CONTENT HERE ================================================================================= -->
Missing Subject in Header
True
0
#FF434343
White
False
False
All
Header
NotContain
RegEx
^(?-i)Subject:
.co.cc/aff/ Spam
True
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
.co.cc/aff/
Pharmaceuticals
True
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
Content-Type: text/plain; charset=utf-8
Header
Contains
PlainText
Content-Transfer-Encoding: 7bit
Body
Contains
RegEx
^\n?(?i)[A-Z].+http://.+\.\w{2}/\r\n\r\n([A-Z0-9]{22,}\r\n){3,}$
Pharmaceuticals
True
-200
#FFCC0098
White
False
False
All
Body
Contains
RegEx
^(?i)([A-Z0-9]{22,}\r?\n|\n?)[A-Z].+http://.+\.\w{2}/(\??[A-Z0-9]{22,})?(\r?\n){2,3}([A-Z0-9]{22,}\r?\n){3,}$
Pharmaceuticals
True
-200
#FFCC0098
White
False
False
All
EntireMessage
Contains
PlainText
Pharmacy
Body
Contains
RegEx
http://(www\.)?(.+\.r[uo]/|.+\.r[uo]\b|.+\.ua)
Ukrainian spam domain
False
-200
#FFCC0098
White
True
False
All
Body
Contains
RegEx
http://[a-z0-9\._-]{3,}\.com\.ua/
False
-200
#FFCC0098
White
True
False
All
From
Contains
RegEx
Doctor|Restricted|\bRx|Meds|M3ds|Medd[sz]|Medz|V[i1l|]c[o0]d[i1l|]n|Perc[o0]cet|Phh?aa?rr?mm?a
Subject
Contains
PlainText
EMS Delivery
Subject
Contains
PlainText
without a prescription
Subject
Contains
PlainText
No Prescription required
Subject
Contains
RegEx
Adderall?|ADIPEX|Avandia|CODEINE|HYDROCODONE|KLONOPIN|Oxycontin|Phentermine|Perco[cs]e.?t|Rit[ai]lin|Tramadol|Valiu[mn]|Vicodin?|XANAX
Body
Contains
PlainText
rxrefill.com
Body
Contains
PlainText
No RX required!
Body
Contains
PlainText
no prescription needed
Body
Contains
PlainText
medications available without a prescr
Body
Contains
PlainText
http://health.groups.yahoo.com/group/
Body
Contains
RegEx
(?-i)Codeine|Valium|Vicodin|Percocet|Phentermine|Ritalin
Cialis
False
-200
#FFCC0098
White
True
False
All
Subject
Contains
PlainText
Cialis
Subject
Contains
RegEx
C[I|i|1|y].?[A|@].?L[i|1]{1,2}.?[S$]|(?-i)Ca[iy]lis|(?-i)Cy[al][al]is
Body
Contains
RegEx
\b(?-i)Cialis\W
Body
Contains
RegEx
C\\Ialis|C1A.LIS|tadalafil|\bCalis\b
Body
Contains
RegEx
C\s(/|1|I)\sA\s(L|I|1)\s(/|I|1)\s(S|\$)
Male Enhancement
False
-200
#FFCC0098
White
True
False
All
From
Contains
RegEx
Penis|Enlarge(r|ment)
From
Contains
RegEx
Dr\..?Maxman
From
Contains
PlainText
NEOSIZE
Male Enhancement
False
-200
#FFCC0098
White
True
False
All
Subject
Contains
RegEx
Ereectile|Erecctile
Subject
Contains
PlainText
Dysfuunction
Subject
Contains
RegEx
(?-i)Dr\..?Maxman|E?Xtra\s?size|ErectGrow|Manster|MaxGentleman|Max.?[mM]an\b|Mega\s?(Dik|size)|NEOSIZE|Sizeable|Viamax|VPXL
Subject
Contains
RegEx
Gains?\ (up\ to\ )?(\d\+?\s)?(inches\ )?in\ (girth|length|size)|Gaining\ inches
Subject
Contains
RegEx
(big(ger|gest)?|fuck|hard(er)?|gigantic|love|man)\s(pecker|pole|rod|sausage|stick|tool|weapon)
Subject
Contains
RegEx
(get|grow)\ (a\s)?bigger|sc?h[l1][o0]ng|love\ muscle|your\ small\ (di.?k|stick)|your\ little\s
Subject
Contains
RegEx
elongate|enhancement\b|en[l|1]a?rge(d|ment)|Enlarge,\ Widen\ and\ Strengthen|enlarge\ and\ lengthen|enlarge\syour|(Enlarge|Super-Size)\ It|Upsize\ your\ D[il]C?'?K
Subject
Contains
RegEx
(bat|bulge|monster|python|rocket|snake)\ in\ your\s{0,3}(pants|pocket|trousers)|trouser\ snake|giant\ bulge
Subject
Contains
RegEx
Longer\ Harder\ Thicker|(harder|thicker)\ and\ longer|long(er)?\ and\ thick(er)?|thicker\ shaft|\b(bigger|harder|larger|thicker|your)\ (?-i)(PE)\b
Subject
Contains
RegEx
(longest|your)\ device\b|short(er)?\s?Penis|Peni[l1]e|pen.?[i1l!]s\b|p[e3]nis|pen-nis|p\ e\ n\ [i1l]\ s|\bp[aei3]nis\b
Subject
Contains
RegEx
add\ (\d\s)?inche?s|\d\ inn?cc?hes|girth,?\s( and\s)?(length|lenght)|(length|lenght)\ and\ (girth|thickness)|thickness\ (a[nd][dn])\ length
Subject
Contains
RegEx
Bring\ her\ to\ seventh\ heaven|huge\s?(dic'?k|dignity|package)|problems?\swith\ssize|size\ (really\s)?(does\s)?matters?|I've\ gained\ an\ inch|your\ dic?'?k\ size|rock\ hard|Impress\ .*wom[ae]n
Subject
Contains
RegEx
your\s?(male\ p[a@]ck[a@]ge|copulation|lovetoy|manhood|manliness|masculinity|(new|your)\ (tool|rod|size|weener|willy))|Bodypart|(giant|gigantic|male|man|pocket)\ tool|manly|Masculine|lovemaking|penetrate
Subject
Contains
RegEx
boner|blue\ balls|c[o0]ck|\bcum\b|\bdong\b|ejaculat(e|ion|ory)|ejauclation|Erectile|Erection|flaccid|foreplay|\bpeckers?\b|phall(i|us)?|pleasance|prick|\bsexual|s'e[^a-z]?x|s'e_xual|\$e><|(?-i)d1ck|dic'?k
Male Enhancement
False
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Extra inches gives
Body
Contains
PlainText
Natural Male Enhancement
Body
Contains
PlainText
enhance your male drive
Body
Contains
PlainText
Increase your organ size
Body
Contains
PlainText
your manhood
Body
Contains
PlainText
PE forum
Body
Contains
PlainText
male enhancement products
Body
Contains
RegEx
Penis\s?En(hance|large)ment|Flaccid(ity)?
Body
Contains
RegEx
en(hanc|larg)ement\s?(formula|method|pills|suppliment)
Body
Contains
RegEx
(their|your)\ (enlarged|huge)\ (organ|package|prick|shaft)
Body
Contains
RegEx
Magnum.?Pro\b|ManSter|Man[\s-]XL|Max[gG]ain(\+|Plus)|MaxGentleman|maxx?.?man|Megadik|PowerEnlarge|\bVPXL\b|Xtrasize\s?(\+|Plus)
Watches
False
-200
#FFCC0098
White
False
False
All
From
Contains
RegEx
R[o0][l1]exx?|Rep[l1]icas|Watches|(Luxury|Replica)\ watch|Luxurious|VIP\ (Watch|G[o0]{2}ds)
Subject
Is
PlainText
Luxury
Subject
Contains
PlainText
//atches
Subject
Contains
PlainText
\/\/ATCHES
Subject
Contains
RegEx
(Breitling|ROLEX)\ Discount|R_O_L_E_X
Subject
Contains
RegEx
Cheap\s?(Rolex|Omega)
Subject
Contains
RegEx
\bHERMES\b|\bWa.ches\b|Wat4ch|Submariner\ SS|(replica|Rolex|swiss|vip)\s?watches|w\.a\.t\.c\.h\.e\.s|\ba\ watch\b|(designer|Swiss)\ watch|watch\ brands
Subject
Contains
RegEx
\b(R[0olex\.]{8,}|R[o0][lI1]ex|Re4plica|r,?eplicas?|r\.{1,3}e\.{1,3}p\.{1,3}.l\.{1,3}i\.{1,3}c\.{1,3}a\.{1,3}|watches|chronometers|timepieces?|time\ control)\b
Body
Contains
RegEx
(luxury|luxurious|new)\ (replica|watch)|famous\ watch\ manufacturer
Body
Contains
PlainText
brand name watch
Body
Contains
PlainText
We only sell premium watches.
Body
Contains
PlainText
exact copies of the original watches
Body
Contains
PlainText
Detailed replicas of best chronometers by the best brands
Body
Contains
PlainText
put one of these on your xmas list, you will fall in love with them all
Body
Contains
RegEx
copies\ of\ [a-z]{5,}\ watch|Rolex|Rollie|\ replicas\b|Submariner\ SS|replica\ watches|//atches|chronometers?|timepieces?|flashy\ bling|expensive\ watch|fashion\ pieces
Body
Contains
PlainText
bling.com
Counterfeit Goods
False
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
Ray Ban Outlet
From
Contains
PlainText
RAY-BAN
From
Contains
PlainText
Louis Vuitton
From
Contains
RegEx
Gucci|Luxury|Tiffany
Subject
Contains
PlainText
Michael Kors Handbags
Subject
Contains
RegEx
des1gner|designer\s(brands|footwear|shoes)|modish
Subject
Contains
RegEx
\b(gucci|prada|chanel|chloe|dior|(?-i)UGG|Vertu|Tiffany)\b
Subject
Contains
PlainText
repl!c@
Subject
Contains
RegEx
Cartier|Gucci|Versace|KN[0O]CK.?[0O]FFS
Subject
Contains
RegEx
(?-i)SHOES|\bBling\b
Subject
Contains
RegEx
luxury\ (brands|footwear|needs)|looking\ classy
Subject
Contains
RegEx
Branded\ (footwear|shoes)
Subject
Contains
PlainText
Clad your feet
Body
Contains
PlainText
~ Gucci
Body
Contains
RegEx
Knock.?[O0]ffs|^Luxury\ blowout\ sale|(?-i)\sLux\s
Body
Contains
RegEx
(?-i)Vertu\s.{3,14}phones\s
Casino Spam
False
-200
#FFCC0098
White
False
False
All
EntireMessage
Contains
PlainText
Lucky Cash Club
EntireMessage
Contains
PlainText
Romeo Club
From
Contains
RegEx
(?-i)[Gg]ambl(e|ing)|Casino|Casnio|Cazino|Club.?VIP|CVC\s?Support|Game.?Book|Total.?Vegas|Grand\ Palace
Subject
Is
PlainText
VIP
Subject
Contains
PlainText
YOU play we PAY
Subject
Contains
PlainText
no-deposit bonus
Subject
Contains
PlainText
Sign up & collect $500!
Subject
Contains
RegEx
[''\*s\_-]?(Cas[i1]n[o0]s?|club\s?world|No\ Deposit\ Required|Gambling|online\ games|roulette|black.?jack|\bcraps|poker|slot\ machines|video\ slots?|win\ money)[''\*s\_-]?|\d{3,4}\sGratuits
Body
Contains
PlainText
Red Stag Casino
Body
Contains
PlainText
777$
Body
Contains
PlainText
777USD
Body
Contains
PlainText
Gâmës
Body
Contains
PlainText
casino gamer
Body
Contains
PlainText
the velvet ropes
Body
Contains
PlainText
Play at our club
Body
Contains
PlainText
free gaming money
Body
Contains
PlainText
Sign up & collect $500!
Body
Contains
PlainText
There are more than 120 games that you can play
Body
Contains
RegEx
(?-i)Club.?VIP|Total.?Vegas|Grand\ Palace
Body
Contains
RegEx
Games\ Online|Online\ Gambling
Body
Contains
RegEx
\bpoker\ blackjack\ slots\b
Body
Contains
RegEx
Gambling\s{1,2}(chips|credit|from\ home|online)
Body
Contains
RegEx
(Big\ Dollars?|Free|Golden\ Gate|online|no\ deposit|the|World)\ Casino|casino\.com/
Body
Contains
RegEx
Club\s?World|casino\ (classics|games|members)|(Bet|Gamble)\s{1,2}On\s{0,2}(line|credit)|^\s{1,2}Win\s{1,2}\$
Pharmaceuticals
False
-200
#FFCC0098
White
True
False
False
All
Subject
Contains
PlainText
MensHealt
Subject
Contains
PlainText
RE: MedHelp
Subject
Contains
PlainText
OFFICIAL SITE
Subject
Contains
PlainText
Enhance your life with these products
Subject
Contains
RegEx
\b(?-i)(FDA|Doctor)\ Approved
Subject
Contains
RegEx
Phramacy|Pharmaceutical|Pharmacy|pharmas|apothecary|(?-i)\bRX\b
Subject
Contains
RegEx
no\ (pres|pers?)cription|(pres|pers?)cription\ not
Subject
Contains
RegEx
\bPhar|P.?ha.{0,2}rmacy\b
Subject
Contains
RegEx
med[il|1]c(al|ations?|ines?)|\bm3ds|medds|medzz?\b|(order|purchase|your)\smeds|drug.?store|usa.?drug
Subject
Contains
RegEx
PH.*[A@(/\)]RM[A@(/\)]
Subject
Contains
RegEx
health supersite
Subject
Contains
RegEx
^discreet\ (delivery|packing|shipping)|worldwide\ delivery
Subject
Contains
RegEx
save\ \d\d%\ on\ your\ (medic|meds|pharma|pills)|\d\d%\sdiscount\.\sCode\s#[a-z0-9]{4,8}|\d\d%\ personal\ discount
Subject
Contains
PlainText
Buy Meds
Subject
Contains
RegEx
Canadian\ Health.*Care\ Mall
Pharmaceuticals
False
-165
#FFCC0098
White
False
False
All
Body
Contains
PlainText
PHARMACY
Body
Contains
RegEx
(high.quality|prescription)\ medications
Body
Contains
PlainText
»»»
Body
Contains
PlainText
alt=3D'HUGE Discount
Body
Contains
PlainText
Then I found this link and my life started changing for the better
Body
Contains
PlainText
We are offering you the latest medical achievements.
Body
Contains
PlainText
used to sleep in separate rooms
Body
Contains
PlainText
that's when my problems in bed began
Body
Contains
PlainText
delivered discreetly
Body
Contains
PlainText
but the results exceeded our expectations.
Body
Contains
PlainText
due to intimate problems
Body
Contains
RegEx
ON.?li[nm]e\ pharmacy|pharmacy\ club
Body
Contains
RegEx
Prescription\ drugs\s{1,}without a prescription
Body
Contains
RegEx
I'm your new family physician
Pharmaceuticals
False
-200
#FFCC0098
White
True
False
All
Body
Contains
PlainText
DRUG
Body
Contains
PlainText
DRUGS
Body
Contains
PlainText
Drugstore
Pills Spam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
Ere\w+\ Dy[sSy$]fu\w+\ ((Pills)|(Pillls)|(P\|\|\|s)|(P\|1ls)|(Plils))
Pills Spam
False
-100
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
P|\\S
Subject
Contains
RegEx
BE$T|\bPILL.?S\b|Plills|\bp[i1l|!][1l|!]{2,3}s\b|pill\ that\ (.*)?works|Pilules|\bPILZ\b
Subject
Contains
PlainText
MEDS
Subject
Contains
PlainText
generic
Body
Contains
RegEx
generics|pillstore|pillz|\bmeds\b
Body
Contains
RegEx
(boost|our|these)\s{1,3}pills
Body
Contains
RegEx
\b(buy|cheap|herbal|wonder)\ (drugs|pills|remed(y|ies)|solutions?)\b|pills\ at\ (dirt\s|the\s)?cheap(est)?\ prices?|medicines|your\ prescriptions
Body
Contains
RegEx
^http://.*(medshop|pills).*\.com
Body
Contains
RegEx
^<a\ href=(3D)?'http://.*pharmacy.*\.com'>
Software Spam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
software outlet
Subject
Contains
RegEx
Buy.?Software|SoftwareDiscounts
Subject
Contains
RegEx
^[Ss]oftware$
Subject
Contains
RegEx
Eurosoft|(best|cheap(est)?|downloadable|oem|office|popular|quality).*s[o0]ft(wares?)?|Soft(ware)?\ in\ many\ languages|software\ at\ (amazingly|surprisingly)\ low\ prices|perfectly\ working\ software|software\ you\ need|software\ immediately\ after\ purchase|ado6e|Vista\ Microsoft\ SP1\ and\ XP\ Cracked|Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(?-i)(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]|OEM\ full\ version\ download|Microsoft,\ Adobe\ and\ many\ other\ software\ brands|purchase\ any\ software\ you\ want|look\ at\ our\ prices\ for\ Adobe\ \w|100%\ workable\ software|\$oftware|software\ price\$|(?-i)^_Buy\ And\ Download
Subject
Contains
RegEx
Windows\ 7.+Office\ 201\d.+Adobe CS\d
Courier Scam
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
(?-i)^(DHL|UPS)\ (?i)Delivery\ Problem|Services
Body
Contains
RegEx
we\ (failed|were\ not\ able)\ to\ deliver\ (the\ |your\ )?(postal\ )?package
Body
Contains
PlainText
print out the invoice
Body
Contains
PlainText
Content-Disposition: attachment;
Courier Scam
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
(?-i)Confirm\ Your\ UPS\ Parcel\ Delivery|UPS\ (Tracking\ (Number|#)|Package\ [A-Z]\d{8,})
Header
NotContain
RegEx
^Received:\ from\ [a-z0-9]+\.?ups\.com
Courier Scam
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
(?-i)DHL|FedEx
Subject
Contains
RegEx
get\ (a|your)\ parcel|(?-i)Tracking\ (NR|Number)\ \d{8,}|Error\ in\ delivery\ addres
Body
Contains
RegEx
((our|The)\ (courier|postal)\ service\ was)|(we\ were)\ (not\ |un)able\ to\ deliver\s
Body
Contains
RegEx
Print\ this\ label\ |print\ and\ fill\ attached\ document|The\ postal\ label\ is\ attached
Body
Contains
PlainText
Content-Disposition: attachment;
From
Contains
RegEx
Director|Manager|Postal|DHL|FedEx
Courier Scam
False
-100
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
DELIVER CONFIRMATION - FAILED
Subject
Contains
RegEx
(Delivery\ Problem|UPS\ INVOICE) NR\d{6,8}\.
From
Contains
PlainText
Fedex Manager,
Body
Contains
RegEx
^Content-Disposition: attachment; filename="(UPS|Fedex).+.zip"$
Courier Scam
True
-100
#FFCC0098
White
False
False
All
From
Contains
PlainText
UPS
Subject
Contains
PlainText
UPS
Header
Contains
PlainText
X-Mailer: The Bat!
Body
Contains
PlainText
unable to deliver
Body
Contains
PlainText
print
Body
Contains
PlainText
mailing label
Body
Contains
PlainText
Content-Disposition: attachment;
Courier Scam
True
-200
#FFCC0098
White
True
False
False
All
Subject
Contains
PlainText
DHL notification
Body
Contains
PlainText
Dear customer
Body
Contains
PlainText
The parcel was send your home address
Body
Contains
PlainText
will arrice within 7 bussness day
Body
Contains
PlainText
attached in document below
Courier Scam
True
-200
#FFCC0098
White
False
False
All
From
Contains
RegEx
(DHL|United)\ (Global|Parcel)|Express|(info|support)\.?\d{1,2}@ups.com
Subject
Contains
RegEx
^(?-i)(DHL|United\ Parcel)\ (Express\s)?Services?|Express\ delivery|UPS
Body
Contains
RegEx
The\ parcel\ was\ sent\ (to\ )?your\ home\ add?ress?
Body
Contains
RegEx
it\ will\ arrive\ within\ \d{1,2}\ business\ day
Body
Contains
PlainText
attached in document below
DHL Scam
True
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
DHL
Body
Contains
PlainText
Notification
Body
Contains
PlainText
Courier was unable to deliver
Body
Contains
PlainText
the parcel to you
Courier Scam
False
-200
#FFCC0098
White
True
False
All
Subject
Contains
PlainText
USPS Delivery Failure Notification
Subject
Contains
PlainText
United Postal Service
Body
Contains
PlainText
Unfortunately we failed to deliver the postal package
Body
Contains
PlainText
Please print out the shipment label attached and collect the package at our office.
Body
Contains
PlainText
filename="USPS report.zip"
Courier Scam
True
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
USPS Express Services
Subject
Contains
PlainText
package
Body
Contains
RegEx
US?PS\ Logistics\ Services|UPS\ ,
Courier Scam
True
-200
#FFCC0098
White
False
False
All
From
Contains
RegEx
Post Express
Subject
Contains
PlainText
Post Express
Subject
Contains
RegEx
(?-i)\bNR\b|Number
Body
Contains
PlainText
Your package has been returned
Body
Contains
PlainText
print
Body
Contains
PlainText
mailing label
Body
Contains
PlainText
Attached
Body
Contains
PlainText
Post Express
Body
Contains
PlainText
Content-Disposition: attachment;
Possible Exploit Link
True
-200
#FFFFFF01
Black
False
False
All
Header
Contains
PlainText
X-Mailer: PHPMailer
Header
Contains
PlainText
Content-Type: text/plain; charset="iso-8859-2"
Body
Contains
RegEx
"http://[a-z0-9-_.]+\.[a-z]{2,4}/(?-i)(?=.*?[A-Z].*?[A-Z])(?=.*?[a-z].*?[a-z])(?=.*?\d).{8}/index\.html"
Possible Exploit Link #2
False
-150
#FFFFE500
Black
False
False
All
Body
Contains
RegEx
href="http://.+\.[a-z]{2,4}/[a-zA-Z0-9]{6,8}/index(32)?\.html"
Body
Contains
RegEx
/(?-i)[A-Z]{10}\.php\?receipt=
Known Exploit Link
False
-200
#FFFFE500
Black
False
False
All
Body
Contains
PlainText
/forwarding.htm"
Body
Contains
PlainText
/loading.htm"
Body
Contains
PlainText
/redirectng.htm"
Body
Contains
RegEx
/page\d{1,2}\.htm"
Body
Contains
RegEx
http://.+(?-i)/[A-Z]{10}\.php\?php=
Body
Contains
RegEx
http://(\d{1,3}\.){3}\d{1,3}/(boston|news)\.html
Numeric IP Link
True
-100
#FFFFE500
Black
False
False
All
Header
NotContain
RegEx
^Message-ID:\ <.+@mail.gmail.com>
Body
Contains
RegEx
^.*http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)|\d{10}:\d{2,4}/
Possible Exploit Link
False
-200
#FFFFE500
Black
False
False
All
Body
Contains
RegEx
http://[a-zA-Z0-9\._-]+/(.+/)?.+\.pl(\s|\b|\?|\$)
Link to a PHP File
True
-100
#FFFFFF01
Black
False
False
All
Body
Contains
RegEx
http://.+=?[\n]?.+\.php
Tor Link
False
-200
#FFFFFF01
Black
False
False
All
Body
Contains
PlainText
.onion.to/
419 Scam
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
URGENT
Subject
Contains
PlainText
AND
Subject
Contains
PlainText
CONFIDENTIAL
419 Scam
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
(?-i)^URGENT|CONFIDENTIAL
Subject
Contains
PlainText
BUSINESS
Subject
Contains
RegEx
(?-i)PROPOSAL|RELATIONSHIP
419 Scam
False
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
<info@bank.com>
From
Contains
RegEx
(?-i)ARTHUR\ GUINNESS|BARRISTER|TRANSFER|Business\ Proposal|Micheal\ A\.\s?Potter|\(ESQ\)|MR.MICHEAL
From
Contains
PlainText
Bill & Melinda Gates Foundation
Header
Contains
PlainText
infogatefoundation@usa.com
Header
Contains
RegEx
^Reply-To:\s.+<?.+@yahoo.com\.hk>?$|thwala
Subject
Is
PlainText
BUSINESS
Subject
Is
PlainText
URGENT BUSINESS
Subject
Contains
PlainText
Oil license
Subject
Contains
PlainText
kindly get back to me urgently
Subject
Contains
PlainText
KINDLY OPEN THE ATTACHED FILE AND GET BACK TO ME
Subject
Contains
RegEx
(kindly|Please)\ reply/call\ me
Subject
Contains
PlainText
Atten: Friend,
Subject
Contains
RegEx
(?-i)(^CONTACT\ (\w*\s)?(COURIER\ COMPANY|ATM\ DEPARTMENT))
Subject
Contains
RegEx
(?-i)TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)|(EMINENTLY|STRICTLY|URGENTLY)\ CONFIDENTIAL|CONFIDENTIALITY\ AND\ TRUST
Subject
Contains
RegEx
UNITEDN\ NATION|Director,\ United\ Nations
Subject
Contains
RegEx
^Dear\ Friend$|Urgent\ Proposal|Business\ letter\ from
Subject
Contains
PlainText
FUND TRANSFER
Subject
Contains
PlainText
From Barrister
Subject
Contains
RegEx
^(From\s)(?-i)Mrs?[,\.]?\s?[A-Z][a-z]{2,}\s[A-Z][a-z]{1,}
Subject
Contains
PlainText
AWARD NOTIFICATION
Subject
Contains
PlainText
2015 Application Tender for Grant
Subject
Contains
PlainText
FIRST BANK PLCSCAM VICTIM PAYMENT NOTIFICATION
Subject
Contains
PlainText
BANK PAYMENT NOTIFICATION REPLY FAST
419 Scam
True
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
^(Kind\s)?Atte?n:|ATTENTION
Body
Contains
RegEx
Beneficiary|(My\ )?Dear\ (GOOD\s)?(Beloved|Friend)
419 Scam
False
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
contacting you based on Trust
Body
Contains
RegEx
^Hello,\ I.{0,2}m\ Sgt\.
Body
Contains
RegEx
^(?-i)\*?(Dear\ (Sir/Madam|Friend)\n|Complement\ of\ the\ day)
Body
Contains
PlainText
I need your urgent assistance in transferring
Body
Contains
PlainText
Waiting to hear from you soonest
Body
Contains
RegEx
unclaimed\ (benefits|funds)
Body
Contains
RegEx
(I\ am|My\ name\ is)\ Barrister|^Barrister.+ESQ$|(?-i)Barrister\ [A-Z][a-z]{2,}\ [A-Z][a-z]{2,}
Body
Contains
RegEx
^Best\sregards.?\r\nBarr\..?[A-Z]
Body
Contains
RegEx
^Mr\.\ \w{3,}\ \w{3,}\ \(Barrister\)
Body
Contains
PlainText
your utmost confidentiality in this matter
Body
Contains
PlainText
Mr.Micheal Godswill
Body
Contains
PlainText
MR. MICHEAL GODSWILL
419 Scam
False
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
Bank\ (of\ )?(Nigeria|Benin|(South\s)?Africa)|Benin\ Republic|Republic\ of\ Benin|Director,\ United\ Nations|REPUBLIC\ OF\ NIGERIA
Body
Contains
RegEx
beneficiary|no\ Beneficiaries|codicil|demurrage|dumourage|duemorrage|Clearance\ Certificate\ (\r\n)?Fee|keeping\ fees|(?-i)IMMEDIATE\ RELEASE\ OF\ YOUR\ PAYMENT
Body
Contains
RegEx
\{[a-z]{3,8}\sMillion\s[a-z-]{3,6}\sHundred\sThousand\sDollars}
Body
Contains
PlainText
I am Mr. Patrick Chan
Body
Contains
PlainText
Compliment of the day to you
Body
Contains
RegEx
(?-i)\bNIGERIAN?\b
Body
Contains
PlainText
(Esq.
419 Scam
False
-100
#FFCC0098
White
False
False
All
Header
Contains
RegEx
\b41.(58|66|71|85|93|136|138|139|155|184|189|190|191|194|20[2-8]|21[0-24-9]|22[0-3])\.[\d\.]+
Header
Contains
PlainText
@hotmail.co.za
Header
Contains
RegEx
Reply-To:\ <.+@rediffmail\.com>
From
Contains
PlainText
Thomas James
Subject
Is
PlainText
I Seek Your Consent.
Body
Contains
PlainText
@rediffmail.com
Body
Contains
PlainText
@hotmail.co.za
Body
Contains
PlainText
@live.co.za
Nigerian 419 Scam
True
-150
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
VIEW
Subject
Contains
PlainText
ATTACHED
Subject
Contains
PlainText
FILE
Lottery Scam
False
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
Your\ Email\s(Address\s)?Has\ Won
Subject
Contains
RegEx
WINNING\ (Notification|NUMBER:)|ticket\ number\ \(.+\)|(?-i)COCA\ COLA.?(AWARD|TOBACCO\ COMPANY)|(?-I)OFFICIAL\ PRIZE\ NOTIFICATION
Subject
Contains
PlainText
Lottery
Subject
Contains
PlainText
GO FOR CLAIM VERIFICATION FORM
From
Contains
RegEx
\bLotto\b|Lottery\ Notification|International\ lottery|(?-i)LOTTERY|NOTIFICATION\ DRAW|DRAW\ 201\d
From
Contains
RegEx
coca.?cola.*promm?o|Microsoft\ Award(\ Department)?|Department\ of\ National\ Lotteries|Superenalotto|WORLD\ CUP|your\ email\ (address|id)\ has\ (won|been\ selected)
Body
Contains
PlainText
Attn: Lucky Winner
Body
Contains
PlainText
DEAR WINNER
Body
Contains
PlainText
YOUR E-MAIL ADDRESS WON
Body
Contains
PlainText
please contact your fudiciary agent
Body
Contains
PlainText
International Program Online Co-ordinator
Body
Contains
RegEx
(?-i)WINNING\ NUMBER:|LOTTERY|RE:\ LOTTO|Lottery\ Coordinator|your\ email\ (ID|identity)\ has\ won
Body
Contains
RegEx
(COCA-COLA|jackpot|International|ExxonMobil|Microsoft|National)\ (Award|Lottery)|Freelotto|fiduciary|The\ Kings\ Charity|weekly\ sweepstakes
Body
Contains
RegEx
You\ are\ advised\ to\ keep\ this\ winning\ (.+\s)?confidential
From
Contains
PlainText
AFRICA
419 Scam
True
-100
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Received:\ from\ \[68\.68\.108\.\d{1,3}\]
Money Mule Scam
False
-200
#FFCC0098
White
True
False
All
EntireMessage
Contains
RegEx
(?-i)Rock\s?[a-zA-z]{4,8}\s?Management
Subject
Contains
PlainText
Your Job Application Status
Subject
Contains
RegEx
Update\ on\ available\ .+positions
Subject
Contains
PlainText
We are searching for partners in USA
Subject
Contains
PlainText
Environmental business currently seeking representatives worldwide
Body
Contains
RegEx
range\ from\ \$35\.77\ .+ to\ \$57\.62\ .{1,4}(hr|hour).\s?
Body
Contains
RegEx
[a-z0-9]+@((jobsearchoo|newstatejob|usanewjobgov)\.com|europcareers\.net)
Body
Contains
PlainText
EMPLOYER SNAPSHOT
Body
Contains
PlainText
VACANCY CODE:
Body
Contains
PlainText
An at home Key Account Manager Position
Body
Contains
PlainText
An import export company seeks remote employees in United States.
Body
Contains
PlainText
Being foreign company makes it harder to manage sales transactions with US customers
Body
Contains
PlainText
The main duties include receiving and making payments on client's behalf
Body
Contains
PlainText
managing the preparation and distribution for expected transactions
Body
Contains
PlainText
(at the beginning of work) to 5-7 (after the first probation month)
Body
Contains
PlainText
All banking, Western Union and cell phone expenses covered
Body
Contains
PlainText
This position is for US residents only, please no applicants from other countries.
Work At Home Scam
False
-200
#FFCC0098
White
True
False
All
Body
Contains
PlainText
thank me later
Body
Contains
PlainText
online based job
Body
Contains
PlainText
working from home!
Body
Contains
PlainText
make money at home
Body
Contains
PlainText
Work from the house
Body
Contains
PlainText
Make money online!
Body
Contains
PlainText
every 5 days from home
Body
Contains
PlainText
at home on the computer!
Body
Contains
PlainText
self-employed testimonials
Body
Contains
PlainText
I had finally hit rock bottom
Body
Contains
PlainText
I had reached the end of the line
Body
Contains
PlainText
This is not a Pyramid or MLM Program
Body
Contains
PlainText
I finally made a life changing decision
Body
Contains
PlainText
this is the best thing that has happened to my family in years
Body
Contains
PlainText
TeachYouToBeRich
Body
Contains
PlainText
Work At Home Group
Body
Contains
PlainText
http://automobcode.com/
Body
Contains
PlainText
Gold Digger Software
Body
Contains
PlainText
GOLD DIGGER
Body
Contains
PlainText
We are looking for employees working remotely.
Work At Home Scam
False
-200
#FFCC0098
White
True
False
All
To
Contains
PlainText
marketer
To
Contains
PlainText
Fellow Entrepreneur
From
Contains
PlainText
HomeJob
From
Contains
PlainText
Rock Cruit
From
Contains
PlainText
W0RK FROM H0ME
From
Contains
RegEx
Work\ (at|from)\ Home
From
Contains
PlainText
Home Business
Subject
Contains
PlainText
Work from home
Subject
Contains
PlainText
Start making money immediately without risk
Subject
Contains
PlainText
Online job
Subject
Contains
RegEx
Work(ing)?\ (at|From)\ Home|Career\ (Finders|Hunters?)
Subject
Contains
RegEx
^Your\ friend\ [a-z]{5,10}\ has\ recommended\ this\ great\ product\ from\s
Body
Contains
PlainText
Rock Cruit Management
Body
Contains
PlainText
You will love me for this!
Body
Contains
PlainText
You will thank me for this!
Body
Contains
PlainText
who needs a 9-5 when you got this program
Body
Contains
PlainText
I was able to regain my independence using this
Body
Contains
PlainText
its the greatest thing that's hapened to us all year
Body
Contains
PlainText
anyone who wants to work in the comfort of their own home
Body
Contains
PlainText
everybody thats got access to a computer will be able to perform this job
Body
Contains
PlainText
You dont need any special skills to do this work.
Body
Contains
PlainText
Hi marketer!
Work At Home Scam
False
-200
#FFCC0098
White
False
False
All
EntireMessage
Contains
PlainText
Get paid $25 for each email you process
Body
Contains
PlainText
R3m0ve
Body
Contains
PlainText
/deltaxdr-4.php
Body
Contains
PlainText
CNBC Profits Online
Body
Contains
RegEx
Email\ processing\ is\ one\ of\ the\ best\ ways\ to\ earn\s{1,2}money\ on\ the\ internet
Body
Contains
RegEx
(?-i)News\ Channel.?\d{1,2}
Body
Contains
RegEx
Don'?t\ forget\ to\ thank\ me
Body
Contains
RegEx
http://www\.mynbcnews11\.com/|3Dcnbc7(\.[a-z]{2,4})?&btnI=3D1
Body
Contains
RegEx
(Here'?s\ how|It's\ all\ because\ of)\ -(\s|=\r\n\s)<a\ href=(3D)?"h.*t.*t.*p://(goo\.gl|[tx]\.co)/.{5,8}">
Body
Contains
RegEx
>(?-i)(Channel\ \d{1,2}\ )?(Career\ (Guide|News|Trends)|News\ [Dd]aily|Daily\ News|http://(localnews|newsbreaking)\d\d\.com).{0,3}</[aA]>
Body
Contains
RegEx
^[iI]\ (just\s)?(earned|made|netted|profited|pulled(\ in)?)\ \$?\d{3,4}\$?\ in\ (\d\ days|less\ th[ae]n\ a\ day|a\ few\ (days|hours)|a\ couple\ (of\ )?hours)
Body
Contains
RegEx
^Please\ reply\ to:\ [\w\d_-]{3,9}@googlein-de\.com$
Body
Contains
RegEx
^Marketing,\ Liaison\ and\ HR\ Department$
Mystery Shopper Scam
True
-200
#FFCC0098
White
True
False
False
All
EntireMessage
Contains
PlainText
My$tery $hopper
Body
Contains
PlainText
Mystery shopper
Body
Contains
PlainText
you will be paid
Body
Contains
PlainText
task you complete
Body
Contains
PlainText
The job
Ascii Art Spam
True
-200
#FFCC0098
White
False
True
All
Header
Contains
PlainText
Content-Type: text/html; charset=us-ascii
Body
Contains
PlainText
<pre>
Body
Contains
PlainText
<a href="http://
Body
Contains
RegEx
(8{5,}\s{2,}){2}|([1234567890]{5,}\s+){3}
Body
Contains
RegEx
</pre>\s?\n?</a>
Russian Bride Scam
False
-200
#FFCC0098
White
True
False
All
Subject
Contains
RegEx
\ ru\ girls?|\d\d\s?y\.o\..*\sRussia
Body
Contains
PlainText
.ru>Marriage Agency</a>
Body
Contains
PlainText
a pretty Ukrainian lady
Body
Contains
PlainText
international marriage site
Body
Contains
PlainText
Look at this girl who wants to get married
Body
Contains
RegEx
^http://date[a-z]{4,8}\.ru/
Dating Spam
False
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
Dating
Header
Contains
PlainText
From: "=?ISO-8859-1?Q?_=41=64=72=69=61=6E=61?="
From
Contains
PlainText
Darina
From
Contains
PlainText
Violette
From
Contains
PlainText
Olga
Dating Spam
False
-150
#FFCC0098
White
True
False
All
Subject
Is
PlainText
Personal Invite
Subject
Is
PlainText
Come to my profile
Subject
Contains
RegEx
Russian (Girls|Women)
Subject
Contains
PlainText
(status-online)
Subject
Contains
PlainText
Kiss to you
Subject
Contains
RegEx
\bdating\b|single.?ladies|Married.{1,5}lonely
Subject
Contains
RegEx
Russian\ (beauties|girls?|hotties?|lad(ies|y)|wife|wives|wom[ae]n)|from\ [Rr]ussia
Subject
Contains
RegEx
^Hi\ remember\ me\?|we\ fucked|blonde?\ and\ cute|(?-i)^[A-Z][a-z]{4,7}\s\d\d\s?y\.o[\.,]\s
Subject
Contains
RegEx
(?-i)Add\ Me|Find\ Someone|meet\ a\ beautiful\ girl|Meet\ that\ special\ someone|Looking\ for\ love\b
Subject
Contains
RegEx
Unread\ message\ from\ ~[A-Z][a-z]{3,6}\ \(uid:\d{4,6}\)
Subject
Contains
RegEx
^New\ message\ for\ you$
Subject
Is
PlainText
Hi
Subject
Is
PlainText
Hello
Subject
Is
PlainText
hi there
Dating Spam
False
-150
#FFCC0098
White
True
False
All
Body
Contains
PlainText
How is your day? What is your name?
Body
Contains
PlainText
I am interested in chatting with you, what do you think about it?
Body
Contains
PlainText
find my profile here
Body
Contains
PlainText
name="my_photo.zip"
Body
Contains
PlainText
name="my_iphone_photo.zip"
Body
Contains
PlainText
I want to know you better.
Body
Contains
PlainText
ur email from a fling app
Body
Contains
PlainText
if you like what you see txt me
Body
Contains
PlainText
AdultFriendFinder
Body
Contains
PlainText
I would like to find a man
Body
Contains
PlainText
HOTSINGLESNET.NET
Body
Contains
PlainText
girls at our site
Body
Contains
PlainText
My pics and short video
Body
Contains
PlainText
Do you like beautiful girls?
Body
Contains
PlainText
Please write me a letter here http://
Body
Contains
PlainText
Greetings! I wish to get acquainted with you
Body
Contains
PlainText
looking for a nice guy to chat with
Body
Contains
PlainText
good looking girl who is looking to chat with you
Body
Contains
PlainText
I saw you on this website the other day
Body
Contains
PlainText
asiandate.
Body
Contains
PlainText
www.anastasiadate.
Body
Contains
PlainText
anastasiaaffiliate
Body
Contains
RegEx
\bdating\ (agency|site|system)\b|dating!|flirting
Body
Contains
RegEx
HithereI|Ifoundyourprofileonline|you(r|'re)\ so\ hot!
Body
Contains
RegEx
(status-online)\ sent\ new\ message|waiting\ you\ for\ chat
Body
Contains
RegEx
I\ read\ your\ profile\ online|i\ (found|loved|was\ just\ reading)\ your\ profile
Body
Contains
RegEx
a\ nice\ pretty\ girl|I'm\ from\ Russia|Russian\ (beaut(y|ies)|girls|lad(ies|y))|single\ Russian\ (girl|lad.{1,3}|wom[ea]n)
Body
Contains
RegEx
reply\ to\ address\ [a-z0-9]+@rambler\.ru$
Dating spam
True
-200
#FFCC0098
White
True
False
All
Body
Contains
RegEx
Russia
Body
Contains
RegEx
.+@(rambler|yandex)\.ru\b
Asian Dating Scam
True
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Asian
Body
Contains
RegEx
\bDating\b
Pics Spam
True
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
profile\ on\ facebook|\ (yo)?ur\ profile|your\ pic
Body
Contains
RegEx
share\ (mine|my\ pics?)\ with\ you|you\ my\ pics?|see\ my\ pic|(non-public\ photos|private\ (images|photos))
Body
Contains
PlainText
@hotmail.com
Image Spam #11
False
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Please unlock images. VERY IMPORTANT
Body
Contains
PlainText
This is very important. Please enable images!
Body
Contains
PlainText
You must [Enable Images] to Unlock this image
Body
Contains
PlainText
Please Enable Images to View this
Body
Contains
PlainText
Please Enable Links and Images to Confirm Your Order!<BR>
Body
Contains
PlainText
'Click above to show images'
Body
Contains
PlainText
'"View image in browser now'
Body
Contains
PlainText
alt='One click to open store'
Body
Contains
PlainText
alt='Cant see a picture? Click Here!'
Body
Contains
PlainText
alt='Show picture and go to site now!'
Body
Contains
PlainText
alt=3D'Want to request ? It's easy to make a request online.
Body
Contains
PlainText
this picture is blocked. Click to unblock now
Body
Contains
RegEx
<img\ alt=3D"Click\ \[Show\ Images\]\ if\ no\ image\ (=\n)?here"
Body
Contains
RegEx
^<(center|/style)>\r\n^<a\ href='http://.+\.(ca|cn|com|net|org|info)'><img\ src='.+/.*\.gif'>\r\n^<style>$
Body
Contains
RegEx
(?-i)^<BODY><table>\r\n<tr><td><a\ href='http://.+\.com/'><img\ src='http://.+\.com/.+\.jpg'\ border=0\ alt='Visit\ site\ now!'></a><br>\r\n<br></td></tr></table></BODY></HTML>$
Body
Contains
RegEx
(?-i)^<BODY><a\ href='http://.+\.com/'\ target='_blank'>\r\n^<img\ src='http://.+\.com/.+\.(gif|jpg)'\ border=0\ alt='Having\ trouble\ viewing\ this\ email\?\s?\r\n^Click\ here\ to\ view\ as\ a\ webpage\.'></a></BODY></HTML>$
Re [digits]
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
^re.?\s?(\d{1,2}|\[\d{1,3}\]:?)$
Subject
Contains
RegEx
^Re\[\d{1,2}\]:\s.*
Diploma Spam
False
-200
#FFCC0098
White
True
False
All
Header
Contains
PlainText
Bachelor Degree
Subject
Contains
PlainText
college degree
Subject
Contains
PlainText
university award
Subject
Contains
PlainText
College and University
Subject
Contains
RegEx
Order\ .{0,4}Diploma
Subject
Contains
RegEx
Qualification.?Diploma
Subject
Contains
RegEx
\b(Dgeree|Dergee|diplomas?|dip1omas?|DIMPLOMAS?|Degree)\b|(?-i)Bacheelor|Masteer|MBA\b|Doctoraate|Uinversity|Unviersity
Diploma Spam
True
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
^(RE|FW)\s?:$|((FW|RE)\s?:\s?){2}\s?$
Body
Contains
PlainText
diploma
Diploma Spam
False
-200
#FFCC0098
White
True
False
All
Body
Contains
PlainText
diplomas
Body
Contains
PlainText
get a Diploma
Body
Contains
PlainText
customized diploma
Body
Contains
PlainText
Please leave us the infarmation:
Body
Contains
PlainText
non-accredited
Body
Contains
PlainText
UNIVERSITY DIPLOMA
Body
Contains
PlainText
your Graduation is a phone call away
Body
Contains
PlainText
obtain Master degree
Body
Contains
PlainText
Obtain the_degree you deserve
Body
Contains
PlainText
Please leave us a voice message with your phone number with country code if outside USA
Body
Contains
PlainText
100% verifiable diploma
Body
Contains
PlainText
with a diploma
Body
Contains
PlainText
all you need is a diploma
Body
Contains
PlainText
Quick Diploma Group
Diploma Spam
False
-200
#FFCC0098
White
False
False
All
Body
Contains
RegEx
\s{10,}diplomas?\b
Body
Contains
RegEx
call(ing)?\ this\ number:
Body
Contains
RegEx
^No\ (classes|Exams|Pre-School)
Body
Contains
RegEx
your\ (degree|diploma)|No\ Pre-School
Body
Contains
RegEx
(deserve|get|need|order)\ a\ diploma
Body
Contains
RegEx
Diiploma|DIMPLOMA|(?-i)D\ I\ P\ L\ O\ M\ A\sS?
Body
Contains
RegEx
^(inside|for)\s+U.?S.?(A\.?)?:?\s+(\+)?1\s?[0-9\s-,.]+
Body
Contains
RegEx
outside\s+(the\s+)?U.?S.?A.?:?\s+\+?1\s?[0-9\s-,.]+
Body
Contains
RegEx
(?-i)([dD]iplomas|Bachelor'?s,?|\bMaster's,\b|\bMBA[,\s']|Doctora(l|te)|PhD's)
Phishing Scam
False
-100
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
Your Card Number 5018-0XXX-XXXX-XXXXX
Body
Contains
PlainText
MasterCard has been deactivated.
Body
Contains
PlainText
As the primary contact, you have to reactivate your card or you will not be able to use it.
Body
Contains
PlainText
Please reactivate your MasterCard by going to:
Body
Contains
PlainText
Dear VISA card holder,
Body
Contains
PlainText
.vc/secureapps/
Webmail Phishing Scam
False
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
(?-i)^Dear\ Account\ Owner|^Dear\ Webmail\ Subscriber|^YOUR\ WEBMAIL\ ACCOUNT
Body
Contains
RegEx
^Dear\sWebmail\s(Subscriber|User)[;,]$
Porn Spam
False
-100
#FFCC0098
White
False
False
All
From
Contains
RegEx
F.ckBook
Subject
Contains
RegEx
F.ckBook
Subject
Contains
RegEx
\bporn\b
Subject
Contains
RegEx
lesbian.*(pics|movie)
Body
Contains
PlainText
I have some sexy undies
Body
Contains
PlainText
nude pictures
Body
Contains
PlainText
FuckDirect
Body
Contains
PlainText
there is any porn
Body
Contains
PlainText
More Pron
Body
Contains
PlainText
We have porn
Software Spam
False
-150
#FFFFE500
Black
False
False
All
Body
Contains
PlainText
bestsoftware
Body
Contains
RegEx
Whirl Wind Software
Body
Contains
PlainText
Click this link and download most popular software
Body
Contains
PlainText
Click this link and downloaded newest software
Body
Contains
PlainText
you can download them right after pur
Body
Contains
PlainText
The best software products at the best prices.
Body
Contains
PlainText
Any program for any operational system
Body
Contains
RegEx
(?-i)Twit\sfrom:\r\n\s+\r\n\s+@Adobe
Body
Contains
RegEx
Software\ (is\s)?in\ different\ languages|All\ programs\ offered\ in\ many\ languages
Body
Contains
RegEx
EURO.?SOFT(WARE)?|European\ languages|Fully\ localized\ versions
Body
Contains
RegEx
^Retail Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}\r\n^Our Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}
Body
Contains
RegEx
Operational\ systems|newsoft|softwares|Cheap.*soft(ware)?|oem\ software|software\ (you\s)?needs?
Body
Contains
RegEx
SSoftwarr?e|down.?lo.?ad(d?able)?\ (legal\ )?s?so.?ft(ware)?|(Best|cheapest|lowest)\ software\ prices|popular\s?software|\boem\ soft(\b|ware)
Body
Contains
RegEx
^(type|vis[il]t)\s'?.+soft.*\s\.\scom'?\sin\syour\s.nternet\sExplorer
Body
Contains
RegEx
(?-i)Office\ (Enterprise\ 20\d\d|20\d\d\ Enterprise)|(Access|Communicator|PowerPoint)\ 20\d\d|Auto([cC]ad|desk)\ 20\d\d
Software Spam
True
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
for\ MAC\s?<br/>
Body
Contains
RegEx
Retail\ price:\ \$\ \d{3,4}\.\d\d\s?<br/>
Body
Contains
RegEx
Our\ price:\ \$\ \d{2,3}\.\d\d\s?<br/>
Body
Contains
PlainText
Features:
Software Spam
True
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
for\ Windows\s?<br/>
Body
Contains
RegEx
Retail\ price:\ \$\ \d{3,4}\.\d\d\s?<br/>
Body
Contains
RegEx
Our\ price:\ \$\ \d{2,3}\.\d\d\s?<br/>
Body
Contains
PlainText
Features:
Chinese Domain Registration Scam
False
-200
#FFCC0098
White
False
False
All
Body
Contains
PlainText
(If you are not in charge of this please transfer this email to your
Body
Contains
PlainText
We are the department of Asian Domain registration service in china
Body
Contains
PlainText
One company which self-styled
Body
Contains
PlainText
After our initial checking, we found the name were similar to your
Body
Contains
PlainText
authorized that company to register these names
Body
Contains
PlainText
please let us know within 7 workdays, so that we will handle this issue
Body
Contains
PlainText
Out of the time limit we will unconditionally finish the
Body
Contains
PlainText
Please consider the environment before printing this email
.BR or .CN Domain Link
False
-200
#FFCC0098
White
False
False
All
Body
Contains
RegEx
http://(www\.)?(.+\.br/.*|.+\.cn/.*['"]>|.+\.cn$|.+\.cn\.com)
.US Domain Extension
False
0
#FF434343
White
False
False
All
From
Contains
PlainText
.us>
Received
Contains
PlainText
.us)
Received
Contains
PlainText
.us (
Body
Contains
RegEx
https?://[a-z0-9-.]+\.us(/.*)?$
Russian Sender
False
-200
#FFCC0098
White
True
False
All
Header
Contains
PlainText
@rambler.ru
Header
Contains
PlainText
Received: from rambler.ru
Header
Contains
PlainText
From: =?koi8-r
Header
Contains
PlainText
Subject: =?koi8-r
Header
Contains
PlainText
Subject: =?windows-1251
Header
Contains
PlainText
charset='koi8-r';
Body
Contains
PlainText
charset=3Dkoi8-r
Header
Contains
RegEx
^Received:\ from\ .*85\.140\.\d{1,3}\.\d{1,3}
Header
Contains
RegEx
Message-ID:\s<.+@.+\.(ru|su)>
Header
Contains
RegEx
\(envelope-from\ <.+@.+\.(ru|su)>\)
Header
Contains
RegEx
HELO\s.+\.(ru|su)
Header
Contains
PlainText
ukrtel.net
Header
Contains
RegEx
Received:\ from\ .+\.(ru|su)\x20
Ukrainina Sender
False
-200
#FFCC0098
White
True
False
All
Header
Contains
PlainText
Received: from [91.232.21.
Header
Contains
RegEx
(?-i)\.ua[/\s\]\)]
Not .com, .edu, .gov, info, .mil, net, org
False
-100
#FFCC0098
White
False
False
All
From
NotContain
RegEx
@.+\.(biz|com|edu|gov|info|mil|net|org|tv)>?\b
Known Spam Domains
False
-200
#FFFF0000
White
False
False
All
Header
Contains
PlainText
Received: from %RND_IP
Header
Contains
PlainText
Received: from [160.20.15.
Header
Contains
RegEx
helo=.+\.stream
Header
Contains
RegEx
\.server4you\.de|(canonpluy|chinesegamer|\.cwazy|emaillove|staticip\.rima-tde|infinitelinker)\.net|(\.163|coughfusion|decor99|explodefast|ibizsource|\.ono|otcpundit|rserver\d\d\d)\.com|myautorepair\.info|Bumerang|Taipei|(diaserver|mail4[cs]ure|rescuemails?)\.org
Header
Contains
RegEx
Received:\ from\ .+\.ml\b
Body
Contains
PlainText
sikhguardian.net/
Body
Contains
PlainText
www.diaserver.org
Body
Contains
PlainText
opakrotak.info
Body
Contains
PlainText
www.maillinker.com
Body
Contains
PlainText
salesandrevenues.com/
Body
Contains
RegEx
http://www\.more.+\.us/
Body
Contains
RegEx
"http://[\w-]+\.pl/\?[A-Za-z0-9=-]{24,}
Body
Contains
PlainText
http://ur1.ca/
Body
Contains
PlainText
.freehyperspace2.com
Body
Contains
PlainText
sent from: iContact
Body
Contains
PlainText
bumerang.cc/
Body
Contains
PlainText
@mail-filter.com
Body
Contains
PlainText
/group.php?group_id=152
Body
Contains
PlainText
/group.php?group_id=3D152
Body
Contains
PlainText
Altera product announcements
Body
Contains
PlainText
http://partofpimproller.com/
Body
Contains
PlainText
http://the-binarycoded.biz/
Body
Contains
RegEx
http://.*emailbiz\.info/.+
Body
Contains
RegEx
(?-i)P\.P\.\ Monthly\ Newsletter|SMART-LIST|iContact\ Family|<strong>E-mail\ Newsletter\ Services</strong>
Body
Contains
RegEx
(?-i)(Discovery\ Health|Men's\ Health\ Today|Health\s?Central|OTC\ Pundit|Plentiful\ Pleasures|US\ Pharmacy)
Body
Contains
RegEx
http://.+\.com-\w\w\d\d\.net/\?qs=[A-Z0-9]+
Body
Contains
RegEx
\.top(/|&sa=)
Body
Contains
PlainText
.stream/
Body
Contains
PlainText
.science/
Body
Contains
PlainText
offeronmail.com
Body
Contains
PlainText
.club/
Body
Contains
PlainText
.win/
Body
Contains
PlainText
deckaffiliating.com
Cannabis Spam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
Cannabis
Body
Contains
RegEx
cannabis(-based)?\ extracts
Body
Contains
RegEx
cannn?abis.?treatment
Locky in PDF
True
-100
#FFFFE500
Black
False
False
All
Body
Contains
PlainText
<div dir="ltr"><br></div>
Body
Contains
RegEx
^Content-Type:\ application/pdf;\ name=".+\.pdf"
Body
Contains
RegEx
^Content-Disposition:\ attachment;\ filename=".+\.pdf"
PDF Attachment
True
-100
#FF434343
White
False
False
All
Body
Contains
RegEx
^Content-Type: application/(pdf|octet-stream);
Body
Contains
RegEx
^Content-Disposition:\ (attachment|inline);
Body
Contains
RegEx
filename=['"].+\.pdf['"]
Malware Attachment
True
-200
#FFFFE500
Black
False
False
All
Body
Contains
RegEx
(?i)Attached
Body
Contains
RegEx
\(Internet\ Explorer\ (?i)File\)|(?-i)your\ Internet\ Browser\b
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
RegEx
filename=".+\.htm"
Malware Attachment
True
-200
#FFFFE500
Black
True
False
All
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
RegEx
filename=".+\.htm"
Body
Contains
PlainText
PGh0bWw+DQogPGhlYWQ+DQogIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVu
Malware Attachment
True
-200
#FFFFE500
Black
True
False
All
Body
Contains
PlainText
Content-Transfer-Encoding: base64
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
RegEx
(file)?name=".+\.htm"\n
Body
Contains
PlainText
KXt2PSJldmFs
Base64 Spam
True
-200
#FF434343
White
False
False
All
Body
Contains
PlainText
Content-Disposition: attachment
Body
Contains
PlainText
Content-Transfer-Encoding: base64
Body
Contains
PlainText
X-Attachment-Id:
Body
Contains
PlainText
DQo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+dmFy
African Sender
False
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Received:\sfrom\s.*[\[\(]41\.\d{1,3}\.\d{1,3}\.\d{1,3}[\[\]\)]
Header
Contains
RegEx
Received:\sfrom\s.*[\[\(]196\.\d{1,3}\.\d{1,3}\.\d{1,3}[\[\]\)]
Header
Contains
RegEx
Received:\sfrom\s.*[\[\(]81\.199\.\d{1,3}\.\d{1,3}[\[\]\)]
Header
Contains
RegEx
^Received:\ from\ [^\d\s]+41\.\d{1,3}\.\d{1,3}\.\d{1,3}
Body
Contains
RegEx
(Tele)?phone\s\+?(0027|002[123456]\d)[\s_\*'-]\d{3,}
Subject All Caps
True
0
#FF434343
White
False
False
All
Subject
NotContain
RegEx
(?-i)[a-z]
Subject
Contains
RegEx
(?-i)[A-Z]{3,}\s
Phishing Scam
False
-100
#FFCC0098
White
False
False
All
From
Contains
RegEx
(?-i)HSBC\ Bank|NetBank.?Notification|Taxation\ Office|Tax\ |BOA\ Services|Online\ Banking\ Security|Chase\ Bank|TD\ Canada|Internet\ Banking|USAA|Midwest\ Bank
Subject
Contains
PlainText
Facebook Update Tool
Subject
Contains
PlainText
Unauthorized Activity
Subject
Contains
PlainText
Taxation Office
Subject
Contains
PlainText
Your paypal access has been limited
Subject
Contains
PlainText
Your PayPal Will Be Limited
Subject
Contains
PlainText
Online Banking Verification Process
Subject
Contains
PlainText
Notification of limited account access
Subject
Contains
PlainText
Security Notification for your Online Banking
Subject
Contains
PlainText
Your AOL Instant Messenger account will be deleted
Subject
Contains
PlainText
Please visit our Client Verification Form using the link below
Subject
Contains
RegEx
Your\ .*account\ .*(has\ been|was)\ (limited|locked)
Subject
Contains
RegEx
(?-i)NetBank|Your\ Bank\s.+account\ has\ been\ locked|Internet\ Bank(ing)?:.*Urgent\ Security\ Update|Underreported\ Income\ Notice|American\ Express\ Online\ Form|Restore\ your\ Online\ Banking
Phishing Scam
False
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
due to multiple login errors on your account
Body
Contains
PlainText
Your account has been suspended after too many failed login
Body
Contains
PlainText
Your account has been limited due to a login attempt failure.
Body
Contains
PlainText
we were unable to verify your account details
Body
Contains
PlainText
We were unable to verify your account information during our regular maintainance
Body
Contains
PlainText
Click CONFIRM to confirm your identity
Body
Contains
PlainText
Securely confirm your banking information
Body
Contains
PlainText
failure to confirm your records may result in account
Body
Contains
PlainText
Failure to do so may result in temporary account suspension.
Body
Contains
PlainText
has been locked due to some internal issues.
Body
Contains
PlainText
Read more about installation of SSL Certificate
Body
Contains
PlainText
To restore your account we have attached a form to this email.
Body
Contains
PlainText
Due to inactivity, your account has been deactivated
Body
Contains
PlainText
account was locked because of too many failed logon attempts.
Body
Contains
RegEx
Your\ [A-Za-z]{3,}\ account\ (is|has\ (been|become))\ (flagged\ as\ )?inactive|account\ is\ currently\ locked|:8080/www\.capitalone\.com/|Commonwealth\ (Net)?Bank|\sNetBank|^Issue:\ Unreported/Underreported\ Income\ \(Fraud\ Application\)
Phishing Scam
True
-100
#FFCC0098
White
False
False
All
Header
NotContain
RegEx
^Received:\ from\ .+\..+ebay\.com\ .+\ helo=.+\.ebay\.com
Subject
Contains
RegEx
(?-i)eBay|Security Message
Body
Contains
RegEx
^Dear\ eBay\ (Customer|Member),|^You\ have\ \d\ new\ Security\ Message\ Alert!|eBay\ Confirmation\ Request
Facebook Scam
True
-150
#FFCC0098
White
False
False
All
From
Contains
PlainText
@facebook.com
Subject
Contains
RegEx
password
Body
Contains
RegEx
new\ password\ (in|is)\ attached
Body
Contains
PlainText
Facebook
Body
Contains
PlainText
Content-Disposition: attachment;
PayPal Phishing Scam
True
-100
#FFCC0098
White
False
False
All
Header
NotContain
RegEx
Received:\ from\ ([a-z0-9.-]+\.(epsl1|paypal)\.com\s|\[(\d{1,3}\.){3}\d{1,3}\]\ \((port=\d{4,5}\s)?helo=mx\d\..{3}\.paypal\.com\)\s?\n|helo=outbound\.na\.e\.paypal\.com\)\n
Header
NotContain
RegEx
^Received:\ from\ \[[0-9.]+\]\ \(port=\d{4,5}\ helo=mail2550.paypal.mkt2944.com\)\s?\n
Header
NotContain
RegEx
^Received:\ from\ ccg\d\dmail\d\.ccg\d\d\.slc\.paypalinc\.com
From
Contains
RegEx
.+@(intl|www[-\.])?paypal(-us)?.com|^PayPa[l1I]|paypai\.com
PayPal Phishing Scam
True
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
^Dear\ PayPal\ (User|Member|Customer)|Your\ paypal\ access\ has\ been\ limited
Header
NotContain
PlainText
nix.paypal.com
PayPal Scam
True
-200
#FFFFE500
Black
False
False
All
From
Contains
PlainText
service@paypal.com
Header
NotContain
RegEx
Received:\ from\ (mx\d\.slc\.paypal\.com|\(?\[173.0.84.\d{1,3}\]|helo=mx\d{0,3}\.slc\.paypal\.com|ccg\d\dmail\d\.ccg\d\d\.slc\.paypalinc\.com)
Amazon Scam
True
-100
#FFFFE500
Black
False
False
All
From
Contains
PlainText
@amazon.com
ReturnPath
NotContain
RegEx
@(bounces\.)?amazon.com
Phishing Scam
True
-100
#FFCC0098
White
False
False
All
From
Contains
PlainText
Wells Fargo
From
NotContain
PlainText
@wellsfargo.com
WORM >Double Extension!!
True
-100
#FFFF0000
White
False
False
All
Body
Contains
PlainText
Content-disposition: attachment; filename=
Body
Contains
RegEx
(file)?name='.+\.(gif|jpg)\.(scr|pif|exe|cmd|com)'
Dangerous Attachment Extension!
True
-100
#FFFF0000
White
False
False
All
Body
Contains
PlainText
Content-disposition: attachment;
Body
Contains
RegEx
^\s?filename='.+\.(pif|scr|hta|cmd|bat|vbs|com|cpl|hlp)'
.exe attachment
True
0
#FFFF0000
White
False
False
All
Body
Contains
PlainText
Content-disposition:\ attachment;
Body
Contains
RegEx
^\s?filename='.+\.exe'
.doc attachment (419 Scam?)
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
attach
Body
Contains
PlainText
Content-Disposition: attachment;
Body
Contains
PlainText
filename="
Body
Contains
PlainText
.doc"
Google Docs Scam
True
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
has invited you to view the following document:
Body
Contains
PlainText
Open in Docs
Exploit Link
True
-200
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
New Acrobat PDF Reader Has Released !
Subject
Contains
RegEx
(Download|Upgrade)\ Now
Header
Contains
PlainText
X-rext: 3.interact2
Body
Contains
PlainText
ADOBE PDF READER UPGRADE NOTIFICATION
Body
Contains
RegEx
We\ are\ pleased\ to\ announce\ the\ new\ (Acrobat|Adobe|PDF)\ Reader
Body
Contains
PlainText
contains critical security updates
Body
Contains
PlainText
To upgrade your application: <br />
Body
Contains
RegEx
-(download|upgrade)=2Ecom<
Exploit Link
True
-200
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
Download New Version Of Skype !
ReturnPath
NotContain
PlainText
@skype.com
Body
NotContain
PlainText
To download the latest version , go to
Body
Contains
RegEx
-downloads?=2Ecom
Exploit Link
True
-100
#FFFFCC00
Black
False
False
All
Subject
Contains
PlainText
Official Update
Body
Contains
RegEx
/.+\.exe'>
digits-consnts
False
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
^\s?[bcdfghjklmnpqrstvwxz0-9]{6,}
Non-English Language
True
-200
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
Á|Â|à|á|â|ã|è|é|ê|ë|ì|í|î|ï|ñ|ò|ó|õ|ù|ú|û|ü|ý|\b(avec|des|et|la|vous)\b
Body
Contains
RegEx
Á|Â|à|á|â|ã|è|é|ê|ë|ì|í|î|ï|ñ|ò|ó|õ|ù|ú|û|ü|ý|\b(avec|des|et|la|vous)\b
Subject
NotContain
RegEx
R[eé]sum[eé]
Body
NotContain
RegEx
R[eé]sum[eé]
Thunderbird Spam
True
-100
#FFCC0098
White
False
False
All
Header
Contains
RegEx
^User-Agent:\ .+Thunderbird/\d\.\d(\.\d)?$
Body
Contains
RegEx
^(?)[A-Z][a-z]{3,6}[A-Za-z\s\w,]+\d\d%\s[O0]FF.?\r\n
Body
Contains
RegEx
http://.+\.[a-z]{2}/[a-z0-9]{3,6}
Re: or Fw:
False
-100
#FFCC0098
White
False
False
All
Subject
Is
PlainText
Re:
Subject
Is
PlainText
Fw:
Subject
Contains
PlainText
RE:RE:
Subject
Contains
PlainText
Re: Re: Re:
info1 Scam
False
-200
#FFCC0098
White
False
False
All
To
Contains
PlainText
info1@msn.com
No Subject, Just Link
True
-100
#FFCC0098
White
False
False
All
Subject
NotContain
RegEx
.{1,}
Body
Contains
RegEx
\A^http://.+=?(\r\n)?.*\.html?(\r\n)?$\Z
No Subject
True
-80
#FFCC0098
White
False
False
All
Header
NotContain
PlainText
Subject: =?utf-
Subject
NotContain
RegEx
.{1,}
1 Word Subject
False
-100
#FF434343
White
False
False
All
Subject
Contains
RegEx
^[a-z''\|\{\}\[\]]{7,8}$
Subject
Contains
RegEx
^\d{7,8}$
Subject contains email address
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
.+@.+\.[a-z]{2,4}
X-Spam-Status: Yes
False
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
X-Spam-Status: Yes
Chain Letter
True
0
#FFD4D4D4
Black
False
False
All
To
Contains
RegEx
(.+@.+,\s){5,}|undisclosed\ recipients:
Subject
Contains
PlainText
FW:
CC List Spam
True
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Subject:\ [Ff]rom:\ [A-Z][a-z]+\ [A-Z][a-z]+
To
Contains
RegEx
(?i)(<[a-z0-9-.+_]+@[a-z0-9-.]+\.[a-z]{2,4}>,\ ){3,}
CC List
True
0
#FF434343
White
False
False
All
Header
Contains
RegEx
To:\s(?i)(<?[a-z0-9-_.]+@[a-z0-9-.]+\.(\w{2,7})>?,\s{1,}){3,}<?[a-z0-9-_.]+@[a-z0-9-.]+\.(\w{2,7})>?\n
TO: Contains << >>
True
-100
#FFCC0098
White
False
False
All
To
Contains
RegEx
<<.+@.+>>
To Webmaster Spam
False
-100
#FFCC0098
White
False
False
All
Subject
Is
PlainText
to webmaster
Phishing Scam
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
RegEx
Notification\ of\ limited\ (account\ )access|(?-i)Western\ Union
From
Contains
PlainText
Western Union
Header
NotContain
RegEx
Received:\ from\ (westernunion|instantservice).com
Body
Contains
RegEx
(?-i)Western\ Union|Your account has been limited
Twitter Scam
False
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
Once you confirm, all future email from Twitter will be sent to this
Body
Contains
PlainText
You have 3 unreaded message(s) from Twitter.
Subject
Contains
RegEx
You\ have\ \d\ (unread\ direct|urgent)\ messages\ (from|on)\ (?-i)Twitter!
E-Card Scam
False
-150
#FFCC0098
White
False
False
All
From
Contains
PlainText
Easy E-CARD
From
Contains
RegEx
(?-i)E-Card-|-E-Cards|Instant\ [eE]-Cards
Subject
Contains
PlainText
Ecard Special Delivery
Subject
Contains
PlainText
You have [1] new e-card waiting for you.
Subject
Contains
PlainText
There is [1] new e-Card waiting to be read
Subject
Contains
PlainText
Someone likes you and has sent you an e-Card
Subject
Contains
PlainText
There is currently [1] e-Card waiting for you to read.
Subject
Contains
PlainText
Someone has just sent you an e-Card!
Body
Contains
PlainText
Click here to view the e-card waiting for you from [Secret Admirer]
Body
Contains
PlainText
-e-card4you.com
Body
Contains
PlainText
[Secret Admirer] has just sent you an e-Card!
Body
Contains
PlainText
http://yourluckyday.info
Email Addresses 4 Sale
False
-200
#FFCC0098
White
False
False
All
From
Contains
PlainText
ePOSTMAN
Subject
Contains
PlainText
Large sending of email newsletters
Body
Contains
PlainText
Do you need to send millions of emails per month?
Body
Contains
PlainText
List of country-targeted recepients
Body
Contains
PlainText
USA 89 000 000 records - 700 EUR (1000 $)
Body
Contains
PlainText
please contact sales@mail-netpost.ru
Body
Contains
PlainText
Connect with 89 million recipients in USA as low as $
Body
Contains
PlainText
We can deliver your message to any country of the world, just contact us for more details on:
Body
Contains
PlainText
accounts for mass-mailing
EntireMessage
Contains
PlainText
fans4web
Marketing Spam
False
-200
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
Reveal the secrets of our banking system
Body
Contains
PlainText
Don't you wish you had a better understanding of the financial world around you?
Body
Contains
PlainText
Would you like to be able to break free of your financial bonds?
Body
Contains
PlainText
This guy will teach you everything you need to know!
Body
Contains
PlainText
This is your chance to generate up to $600 per day
charset=iso-8859-2
False
-150
#FFCC0098
White
False
False
All
Header
Contains
PlainText
Content-Type: text/plain; charset=iso-8859-2
Header
Contains
PlainText
charset="iso-8859-2"
Header
Contains
RegEx
\(port=\d{3,6}\ helo=178\.12[0-9]\.\d{1,3}\.\d{1,3}\)
Spam from India
False
-200
#FFCC0098
White
True
False
False
All
Header
Contains
RegEx
X-Originating-IP:\ \[115\.11[2-9]\.\d{1,3}\.\d{1,3}\]
From India
False
-200
#FFCC0098
White
False
False
All
EntireMessage
Contains
RegEx
^Date:\s\w+,\s\d{1,2}\s\w+\s201\d\s\d\d:\d\d:\d\d\s\+0530$
Header
Contains
PlainText
+0530 (IST)
India Website Link
True
-200
#FFCC0098
White
False
False
All
Body
Contains
RegEx
http://.+\.in/
Spain
False
-100
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Received:\ from\ .*\[84\.12[0-3]\.\d{1,3}\.\d{1,3}\]
Header
Contains
PlainText
.ono.com
Header
Contains
PlainText
Content-language: es
Turkey
False
-100
#FFCC0098
White
False
False
All
Header
Contains
RegEx
^Received:\ from\ (\[(85.10[56]\.\d{1,3}\.\d{1,3}|88\.234\..+\..+|194\.27\.\d{1,3}\.\d{1,3}|195.175\.\d{1,3}\.\d{1,3})\])|.+\.tr\)
Header
Contains
RegEx
88\.255\.\d{1,3}\.\d{1,3}
Chinese Characters Spam
False
-100
#FFCC0098
White
False
False
All
Header
Contains
PlainText
From: =?utf-8?B?5
Chinese Sender
False
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
+0800
From
Contains
PlainText
@126.com
ReplyTo
Contains
PlainText
@126.com
Header
Contains
RegEx
@163.com
Header
Contains
RegEx
X-Mailer:\ Foxmail\ .*\ [cn]
Header
Contains
RegEx
.+@.+\.cn>
Header
Contains
RegEx
.+@51jop\.(net|xyz)>
Hong Kong Spam
False
-100
#FFCC0098
White
False
False
All
Header
Contains
PlainText
+0800 (HKT)
Body
Contains
RegEx
^http://.+\.hk/\?.+
Indo-China
False
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Received:\ from \[113\.1([6-8][0-9]|9[01])\.\d{1,3}\.\d{1,3}\]
Header
Contains
RegEx
Date:\ .+\ \+0700$
Header
Contains
RegEx
\[123\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}\]
APNIC
False
-100
#FFCC0098
White
False
False
All
Header
Contains
PlainText
+0900 (JST)
Header
Contains
PlainText
SE Asia Standard Time
Header
Contains
PlainText
charset=big5
Header
Contains
RegEx
^Message-Id:\s.*<.+@.+\.cn>$
Header
Contains
RegEx
Received:\ from\ .+\.hinet\.net
Header
Contains
RegEx
112\.201\.\d{1,3}\.\d{1,3}
Header
Contains
RegEx
^Received:\ from\ \[182\.18\.\d{1,2}\.\d{1,3}\]
Header
Contains
RegEx
^Received: from [^[]*?\[(6[01]|20[23]|21[01]|21[89]|22[0-2])(\.[1-2]?\d?\d?){3}\]
Header
Contains
RegEx
^Received: from [^[]*?\[(\[58|\[59]|6[01]|20[23]|21[01]|21[89]|22[0-2])(\.[1-2]?\d?\d?){3}\]
Body
Contains
PlainText
charset="iso-2022-jp"
Body
Contains
PlainText
charset="ks_c_5601-1987"
Vietnam Link
False
-200
#FFCC0098
White
True
False
False
All
Body
Contains
RegEx
http://.+\.vn/
RIPE
False
0
#FF434343
White
False
False
All
Header
Contains
PlainText
Received: from [194.67.
Header
Contains
RegEx
^Received: from [^[]*?\[(62|8[0-2]|19[345]|21[237])(\.[1-2]?\d?\d?){3}\]
Header
Contains
PlainText
kpnplanet.nl
Header
Contains
PlainText
kpnxchange.com
Header
Contains
RegEx
Date:\ .+\+0200
LACNIC
False
-100
#FFCC0098
White
False
False
All
Received
Contains
RegEx
helo=.*\.br\)
Header
Contains
RegEx
Received:\ from\ \[187\.[0-9.]+\]\s
Header
Contains
RegEx
^Received:\ from\ [^[]*?\[20[01](\.[1-2]?\d?\d?){3}\]
Header
Contains
RegEx
(\.fibertel\.com\.ar|\.cable\.net\.co|\.(com|net)\.br)\b
Header
Contains
PlainText
(BRT)
.co.(country code) Sender
False
0
#FF434343
White
False
False
All
Header
Contains
RegEx
^Received:\ from\ .+\.co\.[a-z]{2}
Blocked Country
False
-100
#FFCC0098
White
False
False
All
Header
Contains
RegEx
^Received:\ from\ .+\.(ar|br|cn|jp|kr|ma|my|ng|pl|ro|ru|th|tr|vn|hinet\.net|orange.fr|ukrtel\.net)\b\s?
Base 64 Encoded
True
0
#FF434343
White
False
False
All
Body
Contains
PlainText
Content-Transfer-Encoding: base64
Body
Contains
PlainText
Content-Type: text/plain
Body
NotContain
RegEx
^Content-Disposition:\ (inline|attachment);|^Content-Type:\ (application|image)/[a-z]{3,};|Content-Type:\ application/octet-stream;
Currently set for many non latin languages. You can edit this filter to your own preference.
False
-100
#FFCC0098
White
False
False
All
EntireMessage
Contains
Language
Arabic,Baltic,Chinese,Cyrillic,Greek,Hebrew,Indic,Japanese,Korean,Tamil,Thai,Turkish,Vietnamese
Spam Assassin
True
-100
#FFCC0098
White
False
False
All
Subject
Contains
PlainText
*****SPAM*****
.Info Sender, Images and Links
True
-200
#FFCC0098
White
True
False
All
Header
Contains
PlainText
Subject: =?ISO-8859-1?Q?
Body
Contains
RegEx
<a href=['"]http://.+.info/\d{10,22}['"]>
Body
Contains
RegEx
<img src=http://.+.info/\d{10,22}['"]' border='0' /></a><br />
Body
Contains
PlainText
<div style="color:#FEFFFE;font-size:0.25em;">
.Info Sender and Links
True
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
^Received:\ from\ .+\.info\ \(.+\)\r\n
From
Contains
PlainText
.info
Body
Contains
RegEx
http://.+\.info/
.Info Sender
True
0
#FF434343
White
False
False
All
Header
Contains
RegEx
^Received:\ from\ .+\.info\ \(.+\)\r\n
From
Contains
PlainText
.info
X-Mailer: PHPMailer
False
-100
#FFCC0098
White
False
False
All
Header
Contains
PlainText
X-Mailer: PHPMailer
X-Mailer: The Bat!
False
-150
#FFFFE500
Black
False
False
All
Header
Contains
PlainText
X-Mailer: The Bat!
X-Mailer: CheetahMailer
False
-150
#FFCC0098
White
False
False
All
Header
Contains
PlainText
X-Mailer: CheetahMailer
JavaMailer Spam
True
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
x-mailer: JavaMailer
Header
Contains
PlainText
x-mailerid: 3
Known X-Mailer
False
0
#FF434343
White
False
False
All
Header
Contains
PlainText
X-Mailer: The Bat!
Header
Contains
PlainText
X-Mailer: Apple Mail (2.924)
Header
Contains
PlainText
X-Mailer: Mediacomm Communicator
Header
Contains
PlainText
X-Mailer: xinnet.com webmail 1.0
Header
Contains
PlainText
X-Mailer: Openwave WebEngine
Header
Contains
PlainText
X-Mailer: iPlanet Messenger Express
Header
Contains
PlainText
X-Mailer: CommuniGate Pro WebUser
Header
Contains
PlainText
X-Mailer: Sun Java
Header
Contains
PlainText
X-Mailer: Evolution
Header
Contains
PlainText
X-Mailer: IPS PHP Mailer
Header
Contains
PlainText
x-mailer: JavaMailer
Header
Contains
RegEx
^X-Mailer:\ (Prayer|sejkuuk|Zimbra)
Header
Contains
PlainText
ArGoSoft Mail Server Freeware
Header
Contains
PlainText
X-Mailer: Airmail (223)
Header
Contains
PlainText
X-Mailer: Networx Mail 1.2.2
Header
Contains
PlainText
X-Mailer: PHPMailer [version 1.73]
Header
Contains
PlainText
X-Mailer: TurboMailer
Header
Contains
PlainText
X-Mailer: Leaf PHPMailer
Header
Contains
PlainText
X-Mailer: iPhone Mail (14F89)
Header
Contains
PlainText
X-Mailer: iPad Mail (13E238)
Header
Contains
PlainText
X-Mailer: iPad Mail (11D169b
Hidden ISO Subject
True
0
#FF434343
White
False
False
All
Header
NotContain
PlainText
Subject: =?utf-8?
Header
Contains
PlainText
Subject: =?
Link Exchange Request
False
0
#FF434343
White
True
False
False
All
Body
Contains
PlainText
I've just visited your site and I really appreciate the efforts you have put in your Website.
Body
Contains
PlainText
I would like to propose a link exchange between our sites.
Body
Contains
PlainText
We already added your Website here:
Body
Contains
PlainText
We request you to use the following details to link back to our website
Body
Contains
PlainText
If you are not interested in linking back then we will remove this reciprocal link
URL shortener, or 2 digit country code link
False
-100
#FF434343
White
False
False
All
Body
Contains
PlainText
goo.gl
Body
Contains
RegEx
(http:)?//[tx]\.co/
Body
Contains
RegEx
http://wurl\.ca/\?r=.+
Body
Contains
RegEx
http://linkzip\.net/F/.{4,5}
Body
Contains
RegEx
http://mp77.com/[a-z0-9]{4,6}
Body
Contains
RegEx
http://.+\.\w{2}/[a-z0-9]{4,6}
Body
Contains
RegEx
http://takeme\.to\.it/[a-z0-9]{4,6}
Body
Contains
RegEx
http://just\.as/[a-z0-9]{6}
Loans/Bankrupcy
False
-100
#FF434343
White
False
False
All
Subject
Contains
RegEx
reduce\ (your\s)?debt|debt\ reduction
Subject
Contains
RegEx
consolidat(e|ion)|lenders|loan|mortgage|refinan?c(e|ing|ment)|Your\ Life\ Insurance|\bLender\b\x20
Body
Contains
PlainText
Bad credit
Body
Contains
PlainText
Bankruptcy
Body
Contains
PlainText
fixed low rate
Body
Contains
PlainText
You have been pre-approved
Body
Contains
PlainText
Refinance
Body
Contains
PlainText
loans
Body
Contains
PlainText
NetLoan
Body
Contains
PlainText
Are your premiums payments too high
Body
Contains
PlainText
eLoan is offering loan to
Body
Contains
RegEx
low(est)?\ rate(s)?|payday\ (loan|advance)|(Equity|short-term)\ loan|debt\ reduction
Body
Contains
RegEx
^C[o0]ngra[dt]ulati[o0]ns.*you('ll|\scan)\ get\ (.*\ )?\$'?\d\d\d.+'?\ loan\ for\x20
Empty Return Path Spam
True
-200
#FFCC0098
White
False
False
All
ReturnPath
Is
PlainText
<>
Body
Contains
PlainText
Sent from my iPhone
Empty Return Path Spam
True
-200
#FFCC0098
White
False
False
All
ReturnPath
Is
PlainText
<>
Body
Contains
RegEx
Santa\ Packages|PACKAGE\ FROM\ SANTA|Letter\ From\ Santa
Outlook.com & WhatCounts
True
-150
#FFCC0098
White
False
False
All
From
Contains
PlainText
@outlook.com
Header
Contains
PlainText
X-Mailer: WhatCounts
German Sender
False
-200
#FFCC0098
White
False
False
All
Header
Contains
PlainText
.pools.vodafone-ip.de)
Numerous lines of X-Envelope-To:
False
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
^(X-Envelope-To:.+\n){10,}
Religious Words Spam
True
-200
#FF434343
White
False
False
All
Body
Contains
RegEx
\b(begat|Jehovah|thou|shalt|thee|unto|God\.?)\b|saith\ the\ LORD
Body
NotContain
RegEx
thou=
Foreign Time Zone
True
0
#FF434343
White
False
False
All
Header
Contains
RegEx
\d\d:\d\d:\d\d\s\+0[1-9]\d{2}
Not a US TLD
False
0
#FF434343
White
False
False
All
Header
NotContain
RegEx
^From:\s[=a-zA-Z0-9_\-\.\?\s",&@]+\r?<[\w-._]+@.+\.(com|edu|gov|info|mil|net|org)\n?>$
Android Email
True
0
#FF434343
White
False
False
All
Header
Contains
PlainText
boundary="--_com.android.email_
X-Mailer: iPhone Mail
True
0
#FF434343
White
False
False
All
EntireMessage
Contains
PlainText
X-Mailer: iPhone Mail
X-Mailer: iPad Mail
False
-100
#FFCC0098
White
False
False
All
Header
Contains
PlainText
X-Mailer: iPad Mail
xn--p1ai or ru Russian Domain
False
-100
#FFCC0098
White
False
False
All
EntireMessage
Contains
PlainText
xn--p1ai
Body
Contains
PlainText
.ru?
Body
Contains
PlainText
http://rhettacarolynn
Invisible Text
False
-100
#FFCC0098
White
False
False
All
Body
Contains
RegEx
(<|<)font.+color.+#f3f3f3.+(>|>)[0-9A-Za-z]+
Body
Contains
RegEx
(<|<)span\ (=\n)?style=3D("|")\s?color:\s?(=\n)?#F.F.F.("|")(>|>)( |\s)?[A-Za-z0-9]{1,}
Body
Contains
RegEx
(<|<)span\ style=(3D=)?.*\n?"LINE-HEIGHT:\ 0px;\ DISPLAY:\ inline;.+\n?.*OVERFLOW:\ hidden.*(>|>)[a-zA-Z0-9]*
Body
Contains
RegEx
(<|<)(div|span)\ (=\n)?style=3D(=\n)?("|")\s?color:\s?(=\n)?#F.F.F.;?(\s?font-size:[0-8]p.)?("|")(>|>)( |\s)?[A-Za-z0-9]{1,}
HTML Entity in Domain Name
False
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
。
Canadian Pharmacy Spam 2021
True
-100
#FFCC0098
White
False
False
All
Body
Contains
PlainText
<td><span style=3D"color: #1E817F">CA</span>
Body
Contains
PlainText
<td><span style=3D"color: #1E817F">NA</span>
Body
Contains
PlainText
<td><span style=3D"color: #1E817F">DI</span>
Body
Contains
PlainText
<td><span style=3D"color: #1E817F">AN</span>
From Pakistan +0500
False
-200
#FFCC0098
White
False
False
All
Header
Contains
RegEx
Date:\s.+\s\+0500