Will ensure any email you restore from Recycle Bin will come through marked as good and not marked for delete. False 200 #FF1A19B3 White False False False All Header Contains PlainText Resent-From: "MailWasher? Pro recycle bin" < Currently set for many non latin languages. You can edit this filter to your own preference. False -100 #FFCC0098 White False False All EntireMessage Contains Language Arabic,Chinese,Cyrillic,Hebrew,Indic,Japanese,Korean,Tamil,Vietnamese Looks for messages that are not addressed to you on either the To or CC lines. You need to edit this to include all your own email addresses to use. False -100 #FFCC0098 White False False All To NotContain PlainText bob@test.com To NotContain PlainText bob.builder@test.com To NotContain PlainText bbuilder@test.com Delivery Status Notification (Failure) True 0 #FF434343 White False False All ReturnPath Is PlainText <> Subject Contains PlainText Delivery Status Notification (Failure) MAILER-DAEMON Bounce True 0 #FF434343 White True False False All ReturnPath Is PlainText <> From Contains PlainText MAILER-DAEMON@ Not A Scam True 200 #FF149899 White False False False All From Contains RegEx (service|paypal)@paypal.com Header Contains RegEx Received:\ from\ (mx\d\.(phx|slc)\.paypal\.com|\(?\[173.0.84.\d{1,3}\]|helo=mx\d{0,3}\.slc\.paypal\.com|.+\.paypalcorp\.com|mail\d{1,4}.\.paypal.mkt2944.com) Header Contains RegEx DKIM-Signature:\s.+\sd=paypal.com; Not A Scam True 100 #FF149899 White False False All From Contains PlainText noreply@mail.paypal.com Header Contains RegEx domain\ of\ bounce@mail\.paypal\.com\ designates\ 142\.54\.244\.\d{1,3}\ as\ permitted\ sender Header Contains PlainText Return-Path: <bounce@mail.paypal.com> XLSM Attachment/Stream False -150 #FFFFE500 Black False False All EntireMessage Contains RegEx Content-Disposition:\ attachment;\ filename=".+\.xlsm" EntireMessage Contains RegEx Content-Type:\ application/octet-stream;\ name=".+\.xlsm" Security protocol update exploit link True -200 #FFCC0098 White False False All Header Contains PlainText .pw> Subject Contains PlainText Security protocol update Body Contains PlainText Update Emails .pw spam False -100 #FFCC0098 White False False All Header Contains PlainText .pw> Header Contains RegEx Received: from ns\d\.[a-z0-9]+\.pw\s False -100 #FFCC0098 White False False All Body Contains PlainText .digitaloceanspaces.com/ Googleapis Spam True -150 #FFCC0098 White False False All Body Contains RegEx https://storage.googleapis.com/.+ Body Contains RegEx <title>\nfacebook.com\ngoogle.com\namazon.com\nebay.com\ntwitter.com\nfacebook.com\ngoogle.com\namazon.com\nebay.com\nfacebook.com\ntwitter.com\n Sextortion Scam False -100 #FFCC0098 White False False All From Contains PlainText Recorded You Subject Contains PlainText Video Of You! Body Contains PlainText Hey, today I got some bad news for you. Body Contains PlainText To stop me, pay Body Contains PlainText //paxful.om/buy-bitcoin Sextortion Scam False -150 #FFCC0098 White False False All Body Contains PlainText PRONOGRAPHIC Body Contains PlainText P0RN0graphic videos Body Contains PlainText BIT C0lN Body Contains PlainText Important! The address(CaSe SeNsItIvE) contains spaces so you must to eliminate all the spaces Body Contains PlainText The Address which is CASE SENSITIVE contains spaces so you have to manually remove all spaces Body Contains PlainText My malicious application Body Contains PlainText my bitcoin wallet: Body Contains PlainText I have gained access to your devices Body Contains PlainText you masturbate Likely Sextortion Scam True -100 #FFCC0098 White False False All Body Contains PlainText Send Body Contains PlainText video Body Contains RegEx Bitcoin|bitcoin Body Contains RegEx address|wallet Body Contains RegEx (1|3|bc)(\d|\w){32,34}(=)?\s Bitcoin Wallet Listed False -100 #FFCC0098 White False False All Body Contains RegEx bitcoin\ wallet.*:\ [0-9|a-z|A-Z]{34} Sextortion Scam True -200 #FFCC0098 White False False All Subject Contains RegEx .+@.+\.[a-z]{2,4}\ has\ been\ hacked,\ change\ your\ password\s(ASAP)? Sextortion Scam False -200 #FFCC0098 White False False All Subject Contains RegEx This\ information\ concerns\ the\ security\ of\ your\ account:\ .+@.+\.[a-z]{2,4} Hacker Scam True -200 #FFCC0098 White False False All Body Contains PlainText Hello! Body Contains PlainText I'm a member of an international hacker group. Body Contains PlainText your account Body Contains PlainText was hacked, because I sent message you from it. Sextortion Scam False -200 #FFCC0098 White False False All From Contains PlainText Recorded You Subject Contains PlainText Video Of You! Subject Is PlainText your new adult video Subject Contains PlainText Your account is being used by another person Subject Contains RegEx [Pp]ervert\s-\s.+ Subject Contains PlainText mastrubate Subject Contains PlainText mÉ‘sturbating Body Contains PlainText mÉ‘sturbation From Contains PlainText Anonymous Hacker From Contains PlainText Your Life From Contains PlainText Your Privacy From Contains PlainText Save You From Contains PlainText Save Yourself From Contains PlainText SaveYourself Body Contains PlainText You will make a bitcoin payment (if you don't know, look for "how to buy bitcoins" on Google). Body Contains PlainText Hi, I know one of your passwords is: Body Contains PlainText Your computer was infected with my private malware Body Contains PlainText My malware gave me full access to all your accounts Body Contains PlainText I can publish all your private data everywhere Body Contains PlainText The only way to stop me, is to pay exactly Body Contains PlainText (USD dollars) is a fair price for our little secret. Body Contains PlainText My nickname in darknet is Body Contains PlainText who cracked your email Body Contains PlainText I hacked this mailbox Body Contains PlainText I have access to all your accounts Body Contains PlainText I'm a hacker Body Contains PlainText I uploaded malicious code to your Operation System Body Contains PlainText Also I installed a Trojan on your device Body Contains PlainText When you went online, my trojan was installed Body Contains PlainText I expect payment from you for my silence Body Contains PlainText This is a hacker code of honor Body Contains PlainText This is the word of honor hacker Body Contains PlainText It is useless to change the password, my malware intercepts it every time Body Contains PlainText After payment, my virus and dirty photos with you self-destruct automatically Body Contains PlainText I want to say - you are a big pervert. Body Contains PlainText I want to say - you are a BIG pervert Body Contains PlainText I am a spyware software developer Body Contains PlainText Your account has been hacked by me Body Contains PlainText my exploit downloaded my malicious code Body Contains PlainText I hacked your OS and got full access to your account Body Contains PlainText Your account has been hacked by me Body Contains PlainText I give you 48 hours to pay. Body Contains PlainText I also have access to all your contacts and all your correspondence. Body Contains PlainText As you may have noticed, I sent you an email from your account. Body Contains PlainText Hi, your account has been infected! Body Contains PlainText I'm a hacker who exploited Body Contains PlainText This email won't acquire too much of your efforts Body Contains PlainText This is the bitcoin wallet address Body Contains PlainText Password in the video >> Body Contains PlainText Ç·orn website Body Contains PlainText Ç·erverted Body Contains PlainText update your antiviruses Body Contains PlainText This is my bitcoin wallet address Body Contains PlainText http://www.login.blockchain.com/en/ Body Contains PlainText I am a representative of the ChaosCC hacker group. Body Contains PlainText all your contacts are known to us Body Contains PlainText copy & paste - it's case sensitive - and combine both lines into one single Sextortion Scam True -200 #FFCC0098 White False False All Body Contains RegEx \b[0-9a-zA-z]{34}\b Body Contains RegEx (\w+\s?){3,} Body Contains RegEx copy.pa(ste|ste) Sextortion Scam True -200 #FFCC0098 White False False All Subject Is RegEx [a-z0-9-_.]+\s:\s.+ Body Contains RegEx Content-Type: text/plain; charset="utf-8"\nContent-Transfer-Encoding: base64\n\n.+ Known Spam [F] False -200 #FFCC0098 White True False All Header Contains RegEx \.(bid|club|faith|host|science|space|stream|top|vip|website|win|xyz)[>)] Header Contains PlainText relay-x.misswldrs.com Header Contains PlainText mysecuritycamera.org From Contains PlainText livenewsupdate@millan.pgw.jp From Contains PlainText SafeStreets ADT From Contains PlainText Wealth Builder Header Contains PlainText HOTSINGLESNET.NET From Contains PlainText 4Sale From Contains PlainText offeronmail.com Header Contains PlainText mail.justechnology.com Header Contains PlainText From: "News" Header Contains PlainText From: 'USA Government Center' Header Contains PlainText From: =?UTF-8?Q?=C2= Header Contains RegEx ^(?-i)IME-Version:\ 1\.0$ From Contains PlainText Software Sale From Contains PlainText OEM Software From Contains PlainText Easy-E-Cards-Online From Contains PlainText support@aicpa.org From Contains PlainText FB Account From Contains PlainText CockBlocked From Contains PlainText FreeAdultHookup From Contains PlainText Best Credit Cards From Contains PlainText iGreatLife From Contains PlainText Express Mail Service From Contains PlainText Dr. Travis Stork From Contains PlainText George Aguiar Header Contains PlainText From: "Support" Header Contains PlainText sikhguardian.net Header Contains PlainText email.eminentinc.com Header Contains PlainText Received: from internal (unknown [x.x.x.x]) Header Contains PlainText Received: from [107.174.30. Header Contains PlainText Received: from [107.175.123. Header Contains PlainText 217-182-182.eu Header Contains RegEx (^From:\s{1,3}'?(Mr\.?\ Song\ Li|ph[ra]{2}macy|(?-i)E-STORE|\{|\}|'=\?ISO-8859-1\?Q\?)) From Contains RegEx CanadianPharm|Rx\ The\ Best\ Source|SENATOR\ DAVID\ MARK|SexBoosters|hard.{1}on From Contains RegEx MensHealth\.com|Extenze|Try\s?[1i]t\s?4Free|TheDR|Max-?Man|Facebook\ Manager|sexual|iContact|Pharmacy.?Online|Online.?Pharmacy|Medical|Vicodin|Drugs|penile|Potency|\bSex\b|Pharm|Pill.?store|(?-i)ANGEL From Contains RegEx (?-i)i?[A-Z][a-z]+Health\s From Contains RegEx (?i)(Dr\.?|Doctor)\s?[O0]Z\b|[O0]Z\ .*News Header Contains RegEx \[81\.7\.([0-9]?|[1-5][0-9]?|6[0-3]?)\.\d{1,3}\] Header Contains RegEx Received:\sfrom\s\[(5\.230\.126|27.122.14|45\.35\.\d{1,3}|45\.58\.132|50\.115\.167|66\.23\.212|81\.7\.1[4-7]|95\.58\.2[01]|104.36.84|104\.217\.137|104\.254\.213|185\.105\.[4-7]|188.72.68|193\.124\.1(7[6-9]|8[0-9]|9[01])|194\.67\.222|199\.116\.11[89]|204\.188\.245|208\.89\.2(0[8-9]|1[0-5])|216.126.239)\.\d{1,3}\]\s Header Contains RegEx \[198\.27\.110\.(6[4-9]|7[0-9]|8[0-9]|9[0-9]|1([0-1][0-9]|2[0-7]))\] Header Contains RegEx \[198\.50\.205\.1(2[89]|[345][0-9])\] Header Contains RegEx Received:\ from\ \[23\.95\.187\.(19[6-9]|2[01][0-9]|22[012])\] Header Contains RegEx Received:\ from\ \[36\.(5[6-9]|6[0-3])\.\d{1,3}\.\d{1,3}\] Header Contains RegEx Received:\ from\ \[194\.67\.\d{1,3}\.\d{1,3}\] Header Contains RegEx Received:\ from\ \[64\.71\.76\.(199|20[0-9])\] Gambling Spam False -200 #FFCC0098 White False False All Subject Contains PlainText Earn 50.000 euro every month Body Contains PlainText Fully automatic software can generate 500-1500 euro every day Body Contains PlainText Our private clients make over 500.000 euro Body Contains PlainText tracker?offer_id=3459&aff_id=198 CEST Time Zone Spam True -200 #FFCC0098 White False False All Header Contains PlainText +0200 Header Contains PlainText (CEST) KAZAKHSTAN or KYRGYZSTAN False -200 #FFCC0098 White False False All Header Contains RegEx Date:\ .+\ \+0600 UNSUB Known Spam True -200 #FFCC0098 White True False All Body Contains RegEx (?-i)<br>UNSUBhERE</a> X-SPF-Check: Fail True -100 #FFFFFF01 Black False False All EntireMessage Contains RegEx X-SPF-Check:\ [0-9.]+\ is\ not\ allowed\ to\ send\ mail\ from\s Exploit Link False -200 #FFFFE500 Black True False All Header Contains PlainText To: "DyGDYBHOGSKIXGFQDyQRJTHS" Body Contains PlainText =DyGDYBHOGSKIXGFQDyQRJTHS" Header Contains RegEx /bin/sh\.-c|perl\.ex\.txt|wget\.[\d\.]+/|lwp-download|cd\s/tmp\s;curl Body Contains PlainText /arc/file/"> Body Contains PlainText HELLO!,Is This Your Photo?link Body Contains PlainText some jerk has posted your pictures Body Contains PlainText and sent a link of them to all ur friends Body Contains PlainText Please read the attachment to get the message Body Contains PlainText Please read the attachment.</A> Body Contains PlainText have attached your document.</A> Body Contains PlainText /viewmovie.html Body Contains RegEx .(avi|mpg).exe'> Body Contains RegEx /(ecard|install|msvideoc)\.exe('>)? Body Contains RegEx /(best|index1|up)(\.|=2E)php' Body Contains RegEx (?-s)^Content-Transfer-Encoding:\ quoted-printable\r\n\r\n^.+http://.+/.+\.html$\r\n^------=_NextPart_ Body Contains RegEx http://.+/(begin|checkit|first|fresh|index1|gowatch|live(streaming)?|lol|news|showvideo|start|stream(ing)?|topnews|up|viewmovie|watch|watchit|whatsup|1)\.html(</a><br>)?(\r\n)? Body Contains RegEx \.pdf\.exe</a> Body Contains PlainText waiting to be downloaded at sendspace Body Contains PlainText /wp-config.htm" Body Contains PlainText .php?v20120226 Body Contains PlainText /wp-content/plugins/wps.php? Body Contains PlainText /f.php? ColoCrossing Spam False -150 #FFCC0098 White False False All Header Contains RegEx Received:\ from\ \[23\.9[45]\.\d{1,3}\.\d{1,3}\] Email Harvester Scam True -200 #FFFFFF01 Black True True All Body Contains RegEx <img\ src="http://.+/unsubscribe\.php\?email=.+@.+"> Intuit Quickbooks Spoof True -200 #FFFFFF01 Black False False All From Contains RegEx (Quickbooks|Intuit) From NotContain RegEx @(.+\.)?intuit.com Images Scam False -100 #FFCC0098 White False False All Body Contains PlainText I was confused, to put it nicely, when I came across my images at your web-site. Body Contains PlainText It's not legal to use stolen images and it's so mean! Body Contains PlainText If you don't remove the images mentioned in the document above within the next few days, Body Contains PlainText you may be pretty damn sure I am going to report and sue you! Docusign Scam True -100 #FFCC0098 White False False All From Contains PlainText DocuSign From NotContain RegEx @docusign\.(com|net) Subject Contains PlainText DocuSign Body Contains PlainText //docs.google.com/document/ Malware Attachment True -200 #FFFFE500 Black False False All Header Contains PlainText Return-path: <fraud@aexp.com> Body Contains PlainText Content-Type: application/zip; Body Contains PlainText Content-Disposition: attachment; Body Contains RegEx name=".+\.zip" Malware Scam False -200 #FFFFE500 Black False False All ReturnPath Contains PlainText Return-path: <fraud@aexp.com> Header Contains PlainText (envelope-from <fraud@aexp.com>) Malware Link True -200 #FFFFE500 Black False False All EntireMessage Contains RegEx Whats.?App Body Contains RegEx (©|©)\s(2014\s)?Whats.?App Body Contains RegEx New\ offline\ video\ mail|You\ have\ a\ new\ incoming\ audiomessage.|New\ voice\ mail. Body Contains RegEx a href="http://.+/.+\.(php|pl)" Body Contains RegEx (Autoplay|Play|Listen)</a> Amazon spoof True -200 #FFFFE500 Black True False False All From Contains RegEx Amazon|@amazon\.com ReturnPath NotContain PlainText @bounces.amazon.com> Received NotContain RegEx \.(amazon|amazonses)\.com\) Header NotContain RegEx ^(DomainKey-Signature:|DKIM-Signature:) Body Contains RegEx ^Content-Type:\ application/zip;\ name=".+\.zip" Amazon Spoof True -200 #FFFFE500 Black True False False All From Contains PlainText @amazon.com Header Contains PlainText X-SPF-Check: Header Contains PlainText is not allowed to send mail from amazon.com Malware Attachment True -200 #FFCC0098 White True False All Body Contains PlainText (ZIP archive, Adobe PDF) Body Contains PlainText Content-Disposition: attachment; Body Contains PlainText .pdf.zip" Malformed/Malware Zipfile Attachment Name False -200 #FFFFFF01 Black True False False All Header Contains PlainText Content-Type: application/zip; Header Contains PlainText Content-Disposition: attachment Body Contains RegEx Content-Type:\s\sapplication/x(-zip)?-compressed;\sname=\s.+\.zip Body Contains RegEx Content-Type:\s\sapplication/x-zip;\sname=\s.+\.zip Body Contains RegEx Content-Type:\s\sapplication/x-compress;\sname=\s.+\.zip Body Contains RegEx Content-Type:\s\sapplication/octet-stream;\sname=\s.+\.zip Body Contains RegEx Content-Type:\s\smultipart/x-zip;\sname=\s.+\.zip IMG subject, but ZIP attachment True -200 #FFFFFF01 Black True False False All Header Contains RegEx Subject:\ (\[SPAM\]\s{2})?IMG_\d{4,5}(\.(BMP|GIF|JPE?G|PDF))?\s?\n EntireMessage Contains PlainText Content-Type: application/octet-stream; EntireMessage Contains RegEx (file)?name=IMG_\d+\.zip Possible malware attachment True -150 #FFFFCC00 Black False False All Body Contains RegEx ^Content-disposition:\ attachment;|^Content-Type:\ application/zip; Body Contains PlainText filename="Photo.zip" Malware in Zipfile True -200 #FFCC0098 White False False All From Contains PlainText invoices@ Subject Contains PlainText Invoice- Body Contains RegEx Content-Disposition:\sattachment;\sfilename=".+_Invoice\.zip" CV Zipfile Attachment True -150 #FFFF0000 White False False All Body Contains RegEx ^Content-Type:\ application/zip; Body Contains RegEx ^Content-disposition:\ attachment; Body Contains RegEx (\s?filename|\tname)=".+cv\.zip" Zip, Rar, 7z, or Gz Attachment True -200 #FFFFFF01 Black True False False All Body Contains RegEx Content-[dD]isposition:\ (attachment|inline);|Content-Type:\ application/(zip|x-rar-compressed); Body Contains RegEx (\s?filename|\bname)=".+\.(zip|rar|t?gz|7z)" Exploit in Attachment True -200 #FFFFFF01 Black False False All Header Contains PlainText X-Mailer: PHPMailer [version 1.73] Body Contains RegEx (Content-Type:\ application/zip;|Content-Disposition:\ attachment;)\ (file)?name=".+\.zip" Exploit Attachment False -200 #FFFFFF01 Black False False All Body Contains PlainText Content-Type: application/vnd.ms-word.document.macroEnabled.12; CNBC Diet Scam True -200 #FFCC0098 White False False All From Contains PlainText CNBC From NotContain PlainText cnbc.com Header Contains PlainText X-Mailer: WhatCounts .EU Spam Domain Link True -200 #FFCC0098 White True False All Body Contains RegEx http://[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.eu/\?.+ Weight Loss Scam False -200 #FFCC0098 White False False All Header Contains RegEx Slimmer|slimming|Slim-Fast From Contains RegEx (?i)Los(e|ing).?Weight|weight.?loss|FatBurning|Los(e|ing).?(Fat|Pounds)|WeightLoss|Slim|Nanoxyn\sAlpha From Contains RegEx (?-i)^(Dr\.?\s?(O|0)(Z|z)|OZ) From Contains RegEx Lbs.?[O0]FF Subject Contains PlainText WegihtLoss Subject Contains PlainText excessive pounds Subject Contains RegEx Lbs.?[O0]FF Subject Contains RegEx (?i)Get\ (Skinny|Slim)|Lose.+\d\d\ lbs Subject Contains RegEx (?i)weight.?loss|Fat.?Loss|FatBurning Subject Contains RegEx (?i)(Drop|Shed|your)\ Weight Subject Contains RegEx (?i)Loo?s(e|ing)\s?(your\ )?(fat|pounds|weight)|unwanted\ fat|Lose\ \d\d\ (lbs|pounds) Subject Contains RegEx \d\dkg|\bhcg\b|(?-i)Hoodia|Gordonii|Anatrim|Acai[\sBW]|HCG Subject Contains RegEx (?i)(our\s)?(diet|dietary)\s(aid|formula|medicine|pills?|plan|products|science|solution|suppliments?) Subject Contains RegEx nutrionist|weight\sreduction|weight\s.*loss Subject Contains PlainText Unheard of results guaranteed Subject Contains PlainText your body's natural weight Subject Contains PlainText Your Metabolism Subject Contains PlainText Dropping Pounds Weight Loss Scam False -200 #FFCC0098 White False False All Body Contains PlainText Dr. OZ Newsletter Body Contains PlainText Its The Best Product We Have Seen - Mark Cuban Body Contains PlainText kilograms a month Body Contains PlainText get rid of extra pounds Body Contains PlainText pounds in the next two weeks Body Contains PlainText lose weight Body Contains PlainText loseweight Body Contains PlainText lost weight Body Contains PlainText shed weight Body Contains PlainText Losing Weight Body Contains PlainText Amazing weight loss Body Contains PlainText your weight. Body Contains PlainText WeightL0SS Body Contains PlainText Weight Loss Body Contains PlainText weight-loss Body Contains PlainText iWellHealth Body Contains PlainText garciniacambo Body Contains PlainText bodyfat Body Contains PlainText excess fat Body Contains PlainText lose fat Body Contains PlainText sciencedaily Body Contains PlainText fatsolution Body Contains PlainText fatburn Body Contains PlainText healthnews Body Contains PlainText slimming product Body Contains PlainText get a slim figure Body Contains PlainText Better Your Body Body Contains PlainText Pure Forskolin Extract Body Contains PlainText Nanoxyn Alpha Body Contains RegEx http://.*greencoffe.+\.[a-z]{2,4}/ Body Contains RegEx http://.*g?arcinia.+ Body Contains RegEx obese|obe\.se|o\.b\.esity|(?-i)Obesity Body Contains RegEx los(e|ing)\ [a-z0-9\+]{2,8}\ kilograms Body Contains RegEx herbal\ (capsules|components) Body Contains RegEx \bhcg\b|(?-i)Hoodia|Gordonii|Fatblaster|QuickSlim|Anatrim|Acai\s Body Contains RegEx drop(ped)?\s20-?lbs Anti-Aging Treatment Spam False -200 #FFCC0098 White False False All Subject Contains RegEx Anti-?Aging Subject Contains RegEx Reverses?\ Alzheimers Subject Contains RegEx (brain|cerebral)\ (booster|capacity|enhancer|stimulant} Subject Contains PlainText mental power Subject Contains PlainText boost your mental Body Contains RegEx Reverses?\ Alzheimers Body Contains RegEx anti-?aging Body Contains PlainText Ceramide Body Contains RegEx \bFirmativ\b Pump and Dump Scam False -200 #FF0000FF White False False All Header Contains RegEx X-cid:\ scott\.\d+ From Contains RegEx (?i)Stocks|(Buy|Penny).?Stock|Stock.?(Advisor|Watch)|stock.?(pick|tip)|(?-i)OTC\b|iMarket|Investors?|Investments|IHub|Money\ Runners Subject Contains RegEx (?-i)DYNV|PennyStock|Market\ News|ECMZ|Insider\ Report|Trading\ Alert Subject Contains RegEx (?i)(Best|One|this)\s?stock|stock.{0,2}(pick|tip)|Penny\ Stocks?|bioceutical|IHub|Money\ Runners EntireMessage Contains PlainText I'm Mike Statler EntireMessage Contains PlainText MarketWatch EntireMessage Contains PlainText This company is going to triple EntireMessage Contains PlainText This stock is going to triple EntireMessage Contains PlainText pennystockcrew.com Body Contains PlainText StockTips Body Contains PlainText iStocks Body Contains PlainText stokc Body Contains PlainText and only broker Body Contains PlainText stocks adviser Body Contains PlainText Stock Symbol: Body Contains PlainText Scout Exploration Body Contains PlainText call your broker NOW before it is Body Contains PlainText PowerPlay2Day Body Contains PlainText Market Newsletter Body Contains PlainText Market Info Body Contains PlainText Please Enable Links and Images to View the Newsletter! Body Contains PlainText (use the first letters of each word to make up your 4 letter symbol Body Contains PlainText This is the ticker Subject Contains PlainText this company could yield you a ten bagger Subject Contains PlainText stock is guaranteed to jump Subject Contains PlainText on your principal in just a few days Subject Contains PlainText This company just found a Header Contains PlainText X-Mailer: PHPMailer 5.2.8 (https://github.com/PHPMailer/PHPMailer/) Subject Contains PlainText This crypto coin could go up Body Contains PlainText buy SIC (Swisscoin) Pump and Dump Scam True -200 #FF1A19B3 White False False All Body Contains PlainText $. Body Contains PlainText range. Body Contains PlainText is selling Body Contains PlainText for pennies Body Contains PlainText buy Pump and Dump Scam True -200 #FF1A19B3 White False False All Body Contains PlainText trade Body Contains PlainText shares Body Contains PlainText value Body Contains RegEx (below|under)\s(\$1|dollar) Pump and Dump Scam False -200 #FF0000FF White False False All Body Contains RegEx Investors.?Hub Body Contains RegEx Penny.?Stock.?(Newsletter|Picks) Body Contains RegEx (?-i)(Symbol|[tT]icker):?\ [A-Z]{3,5} Body Contains RegEx (?-i)Date:\s.+\n.*(Company|Name):\s.+\n.+\n.*\n(.*Price:|.*Target:) Body Contains RegEx (?i)\b(3D)?(Q[._-\W\s]?S[._-\W\s]?M[._-\W\s]?G) Body Contains RegEx (?-i)\b(3D)?(E[._-\W\s]?C[._-\W\s]?G[._-\W\s]?R)\b Body Contains RegEx (?-i)\b(3D)?(I[._-\W\s]?N[._-\W\s]?C[._-\W\s]?T)\b Body Contains RegEx (?-i)\b(3D)?(G[._-\W\s]?R[._-\W\s]?Y[._-\W\s]?N)\b Body Contains RegEx (?-i)\b(3D)?(S[._-\W\s]?I[._-\W\s]?C)\b Pump and Dump Scam False -200 #FF1A19B3 White False False All Body Contains RegEx (?-i)\b(3D)?(N[._-\W\s]?T[._-\W\s]?E[._-\W\s]?K)\b Body Contains RegEx (?-i)\b(3D)?(T[._-\W\s]?P[._-\W\s]?H[._-\W\s]?X)\b Body Contains RegEx (?-i)\b(3D)?(B[._-\W\s]?W[._-\W\s]?P[._-\W\s]?C)\b Body Contains RegEx (?-i)\b(3D)?(A[._-\W\s]?G[._-\W\s]?H[._-\W\s]?I)\b Body Contains RegEx (?-i)\b(3D)?(D[._-\W\s]?J[._-\W\s]?R[._-\W\s]?T)\b Body Contains RegEx (?-i)\b(3D)?(E[._-\W\s]?W[._-\W\s]?R[._-\W\s]?C)\b Body Contains RegEx (?-i)\b(3D)?(C[._-\W\s]?R[._-\W\s]?G[._-\W\s]?P)\b Body Contains RegEx (?-i)\b(3D)?(S[_-\W\s]?N[_-\W\s]?X[_-\W\s]?G)\b Body Contains RegEx (?-i)\b(3D)?(N[_-\W\s]?U[_-\W\s]?A[_-\W\s]?N)\b Body Contains RegEx (?-i)\b(3D)?(C[_-\W\s]?N[_-\W\s]?R[_-\W\s]?M[_-\W\s]?F)\b Body Contains RegEx (?-i)ISM\s?\.\s?TO|\sISM\s Spam from PHP script False -200 #FFCC0098 White False False All Header Contains RegEx X-PHP-Originating-Script:\ \d{5}:(Api|Mailer|Qmail)\.php Header Contains RegEx X-PHP-Originating-Script: 10\d\d:Sendmail.php Pump and Dump Scam #5 True -200 #FF1A19B3 White False False All From Contains RegEx Agora.*Financial From NotContain PlainText @agorafinancial.com> Fake Pharmacy True -200 #FFCC0098 White False False All Header Contains PlainText Return-path: <> Subject Contains RegEx beloved|girlfriend|intimate|ladies|satisfy|sex|your\ (lady|lov[ei]|girl|gf|nature|(female\s)?partner|night) Fake Pharmacy True -200 #FFCC0098 White False False All ReturnPath Is PlainText <> Body Contains RegEx ^https?://www.google.com/url\?q=http%3A%2F%2F Russian Punycode Domain Link False -200 #FFCC0098 White False False All Body Contains RegEx http://.+\.xn--p1ai/ Empty Return-path True -200 #FFFFCC00 Black False False All ReturnPath Is PlainText <> Fake Pharmacy False -200 #FFCC0098 White True False All Header Contains PlainText American Health Shop Body Contains PlainText American Health Shop Viagra Spam False -200 #FFCC0098 White True False All From Contains PlainText Viiagra From Contains PlainText Pfizer From Contains PlainText viagra.com From Contains PlainText Free To Try From Contains PlainText sex remedies From Contains PlainText ® Official Site From Contains RegEx Erectile|Erection|\bP[i1l]lls\b|(Potency|Sex)\s?Tablets|\b(Anti.?)?(?-i)ED\b|[Aa]nti-ed From Contains RegEx VI[A@]G®A|V[I1|]AGR[A@]|Viag.?ra|Vi.gra|Vigara|viagar|ivagra|v[ia]{2}gra|v[iy]arga|V_I_A_G_R_A|Impotence|sexual\ health From Contains RegEx Cii?aa?lis|Cia1is|C1alis|^i?Ci?a.?li?s\b|Levitra From Contains RegEx Vii?a?a?gg?a?a?rr?aa? Viagra Spam False -200 #FFCC0098 White False False All Subject Contains PlainText Viagra/Cialis/Levitra Subject Contains PlainText Buy Vaigra Subject Contains PlainText Always be ready. Subject Contains PlainText impotenc Subject Contains PlainText se>.< Subject Contains PlainText dysfunction Subject Contains PlainText $_e'xual Subject Contains RegEx (blue|love).?pills?\b Subject Is PlainText Be ready. Subject Contains RegEx \b(ciali[a-z]|levitra|viagra|VIGARA|Viigaaraa|Vi@gra|Pfizer|^Pending\ delivery)\b|(?-i)C[i1]al[i1]s|Kamagra Subject Contains RegEx (?-i)ED[_\s]dysfunction|\sED\.|[Aa]nti-ED Subject Contains RegEx (?-i)Online\ V[a-z1]{1,4}A\ Store Subject Contains RegEx ^user\ .+brand\ \d\d%\ Off\ Sale Subject Contains PlainText success stories about V Subject Contains RegEx personal\ \d\d%\ dis[cs]ount Subject Contains RegEx V I A G R A Viagra Spam False -150 #FFCC0098 White False False All Subject Contains PlainText on Pfizer Subject Contains RegEx Pf[|1l]zer Subject Contains PlainText Re: Please, placce you order now Subject Contains PlainText Re: Please, conflrm you receipt Subject Contains RegEx Hey,?\ [a-z0-9]+,?\ get\ percent [0O]FF Subject Contains RegEx .+\d\d% (off\s)?only\ for\ you Subject Contains RegEx .+Catch\ \d\d%\ discounts\ [a-z]+ Subject Contains RegEx ^Your\ Order\ Status\ ID:\ [A-Z]{11,} Subject Contains RegEx ^Visitor\ .+'s\ personal\ \d\d%\ OFF$ Subject Contains RegEx ^User\ .+\ save\ \d\d%\ now Subject Contains RegEx ^Hello,\ [a-z0-9]{3,}.?\ \d\d%\ off\ till?\ [A-Z][a-z]{3,8}\ [a-z]{3,} Subject Contains RegEx ^(RE:\ )?(January|February|March|April|May|June|July|August|September|October|November|December)\ \d\d%\ OFF\s?$ Russian Domain Link False -200 #FFCC0098 White True False All Body Contains RegEx http://(www\.)?(.+\.r[uo]/|.+\.r[uo](\r|\n|\s)|.+\.ua)|.+\.[se]u(/|\s|$)|.+\.by(/|\b) Body Contains RegEx www\.[a-z0-9-]{1,16}\.ru(/.+)? Body Contains RegEx <a href=(3D)?'[a-z0-9\.]{4,}\.ru'> Viagra Spam False -200 #FFCC0098 White False False All Body Contains PlainText Viagra! Body Contains PlainText VIAGQRA Body Contains PlainText Viagra Professional Body Contains PlainText Best Price for VIAGRA Body Contains RegEx \b(Erectifix|erectile\ dysfunction|(?-i)anti-ED|(?-i)cure\ ED|(im)?potence|ED\ treatment)\b Body Contains PlainText Taste the V Body Contains PlainText V-letter remedy Body Contains RegEx blue.?pill?|SoftTabs|\$1\.\d\d/pill\b Body Contains RegEx (?-i)Vi?<span\ style='FONT-SIZE:\ 2px;\ FLOAT:\ right;\ COLOR:\ white'> Body Contains RegEx ViaGrow|viiagra|Vagria|Vgaira|Pfizer|Kamagra Body Contains RegEx (Buy|order|original|with)\ .*Viagra Body Contains RegEx Viagra\s{1,3}tabs|Viagra.+\$\d Body Contains RegEx <a\ href=.+>.*viagra.*</a> Body Contains RegEx bring\ back\ fire\ and\ passion|make\ (luv|love)\ all\ night|endless\ climaxes|your\ xxx\ drive|sexual\ health|\bmale problems?\b Viagra Spam False -150 #FFCC0098 White False False All EntireMessage Contains PlainText Viagra Viagra Spam False -200 #FFCC0098 White True False All Subject Contains PlainText ⋁ἲấġբẚ Subject Contains PlainText VIAG*RA Subject Contains RegEx V\lsAGRA|VIAGQRA|VAIGRA|Vyagra|Vgaira|V\|AGRA|[vw]iag.?row Subject Contains RegEx (?-i)Vlagrxa|Viagr.a|Viagr\d|Vi\dgra Subject Contains RegEx ^V.{4,6}a\s\d\d\s?mg Subject Contains RegEx (V|\\/|/)[i|l!1]agr[a@] Subject Contains RegEx \bv.i.a.g.r.a\b Subject Contains RegEx (?-i)V[iy]a(rga|gar|gra) Header Contains RegEx Subject:.+\bV[i1!l|]AGRA\b.+ Subject Contains RegEx viaq[ij]ra Known Spam Subjects False -200 #FFCC0098 White True False All Subject Contains PlainText Product Recommended by Subject Contains PlainText new In town Subject Is PlainText Alone Subject Is PlainText Uniform traffic ticket Subject Is PlainText Industrial Invoices Subject Contains PlainText FDIC notification Subject Contains PlainText Scan from a Xerox W Subject Contains PlainText Scan from a HP ScanJet Subject Contains PlainText Scan from a Hewlett-Packard ScanJet Subject Contains PlainText Termination of your accountant license Subject Contains PlainText Cannabis Cancer Treatment Subject Contains PlainText (random) Subject Contains PlainText - Copies of Policies. Subject Is PlainText You pig! Subject Contains PlainText Questionary Subject Contains PlainText Your CashPro Online Digital Certificate Subject Contains RegEx ^Your\ friend\ .+\ has\ recommended\ this\ great\ product\ from\s Subject Contains RegEx ^Web\ design\ and\ marketing\ \$\d\d\ /\ Month$ Subject Is PlainText SPECIAL PROMOCODE INSIDE Subject Is PlainText SPECIAL PROMO CODE INSIDE Subject Is RegEx (?i)Invoice\ NIC\d{6} Secure.Message Scam False -200 #FFCC0098 White False False All From Contains RegEx (?-i)(Private|Secure).?Message From Contains RegEx SecureMessage.?System Body Contains PlainText SecurePM Body Contains PlainText SecureMessage System From Contains RegEx Dating.?System Body Contains PlainText NewDating System NACHA Fraud False -200 #FFCC0098 White True False All From Contains PlainText NACHA FDIC Fraud False -200 #FFCC0098 White False False All From Contains PlainText FDIC ACH Fraud [From] False -200 #FFCC0098 White True False All From Contains PlainText The Electronic Payments Association From Contains RegEx (?-i)\bACH\b ACH Fruad True -200 #FFCC0098 White True False All EntireMessage Contains RegEx (?-i)\bACH\b Body Contains PlainText Transaction Body Contains RegEx Cancell?ed|rejected|suspended Body Contains RegEx financial\ (body|institution)|bank|banking\ information Body Contains RegEx Report|form Body Contains RegEx details\ in\ the\ attachment|nacha\.(org|net|us)/reports?/|(?-i)Transaction\ Report:?|status ADP Fraud True -200 #FFCC0098 White False False All From Contains RegEx (?-i)ADP Received NotContain PlainText adp.com) Body NotContain RegEx <a\ href="https://www\.[a-z]+\.adp\.com/.+/[a-z]+\.aspx">? BBB Fraud False -200 #FFCC0098 White False False All From Contains PlainText ::Better Business Bureau:: From Contains RegEx Better.?Business.?Bureau|(?-i)BBB From Contains PlainText @bbb.org Subject Contains PlainText BBB Case # Subject Contains PlainText Activity Report Subject Contains PlainText Better Business Bureau Case # Body Contains PlainText The Better Business Bureau has been sent the above mentioned complaint from one of your clients Body Contains PlainText the consumer's concern is included in attached file Body Contains PlainText Business Bureau Council of Better Business Bureaus Body Contains RegEx The\ details\ of\ the\ consumer's\ (concern|complaint)\ are\ (explained|included)\ in\ (the\s)?attached\ file\. Body Contains RegEx Please\ (open|use)\ the\ link\ below\ to\ (re)?view\ the\ contents\ of\ the\ complaint: Credit Card Locked Scam False -200 #FFCC0098 White False False All Subject Contains RegEx Your\ credit\ card\ has\ been\ b?locked From Contains PlainText VISA TEAM Body Contains PlainText Your credit card is locked! Body Contains PlainText From your credit card has been removed Body Contains PlainText Possibly illegal operation! Tax Fraud True -200 #FFCC0098 White True False All Subject Contains RegEx Tax\ Payment\ .+\ (has|is)\ failed Body Contains PlainText Your Federal Tax Payment ID Body Contains PlainText has been rejected Body Contains PlainText Return Reason Code Body Contains PlainText The identification number used Body Contains PlainText is not valid Fake IRS Notice True -200 #FFCC0098 White True False All From Contains RegEx @irs\.gov|(?-i)IRS Subject Contains PlainText Tax Received NotContain PlainText .irs.gov Body Contains PlainText We are unable to process your tax return Exploit Link False -200 #FFCC0098 White False False All Body Contains RegEx (?-i)http://[a-z0-9-]+\.[a-z]{2,4}/.+\.htm\?[A-Z0-9=&]+= Body Contains RegEx (?-i)http://[a-z0-9-]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.htm\?[A-Z0-9=&]+= Body Contains RegEx (?-i)/[a-z0-9]+(=\s*[a-z0-9]+)?\.htm\?[A-Z0-9]{4,7}=[A-z0-9&=]+= Malware Attachment True -200 #FFCC0098 White True False All Body Contains PlainText (Internet Exlporer File) Body Contains PlainText Content-Transfer-Encoding: base64 Body Contains PlainText Content-Disposition: attachment; Body Contains RegEx filename=".+\.htm" Body Contains PlainText UGFnZSBsb2FkaW5n Body Contains PlainText UGxlYXNlIHdhaXQ= Body Contains PlainText DQo8c2NyaXB0 Malware Attachment True -200 #FFCC0098 White False False All Body Contains PlainText Content-Transfer-Encoding: base64 Body Contains PlainText Content-Disposition: attachment; Body Contains RegEx filename=".+\htm" Body Contains PlainText PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFs Wire Transfer Fraud True -200 #FFCC0098 White True False All Subject Contains RegEx Wire\ [tT]ransfer Body Contains RegEx Federal\ (Bank|Reserve)|Bank\ Account\ Operator|(?i)Operator Body Contains RegEx Outgoing\ Wire\ transaction|by\ the\ other|Domestic\ Wire\ Transfer|WIRE\ TRANSACTION:|WIRE N: Fake Facebook Friend Request True -200 #FFCC0098 White True False All Subject Contains PlainText wants to be friends on Facebook From Contains PlainText @facebookmail.com Header NotContain PlainText Received: from mx-out.facebook.com Body Contains PlainText Confirm Friend Request Body NotContain PlainText http://www.facebook.com/n/?reqs.php Facebook Spoof True -100 #FFCC0098 White False False All From Contains PlainText Facebook From NotContain RegEx @(support\.)?facebook(mail)?\.com Header NotContain PlainText Received: from mx-out.facebook.com Exploit Link True -200 #FFCC0098 White True False All Subject Contains PlainText Order confirmation Body Contains PlainText You've just ordered pizza from our site Body Contains RegEx Pizza\ .{8,30}with\ extras: Body Contains RegEx Total (Due|to\ pay):.+[0-9]{2,3}\$ Body Contains RegEx (?-i)<h\d>CANCEL\ ORDER\ .*NOW(=)?\s?\r?\n?!</h\d></a> Body Contains RegEx (?-i)Pizza\ by\ [A-Z]{4,}$ Twitter Exploit Scam True -200 #FFCC0098 White False False All Subject Contains RegEx Confirm\ your\ Twitter\ account,\ .+\! Header Contains RegEx ^Received:\ from\ \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\ $port=\d{2,5}$\s?$ Malware Template False -200 #FFCC0098 White False False All Body Contains PlainText  Missing Subject in Header True 0 #FF434343 White False False All Header NotContain RegEx ^(?-i)Subject: .co.cc/aff/ Spam True -200 #FFCC0098 White False False All Body Contains PlainText .co.cc/aff/ Pharmaceuticals True -200 #FFCC0098 White False False All Header Contains PlainText Content-Type: text/plain; charset=utf-8 Header Contains PlainText Content-Transfer-Encoding: 7bit Body Contains RegEx ^\n?(?i)[A-Z].+http://.+\.\w{2}/\r\n\r\n([A-Z0-9]{22,}\r\n){3,}$ Pharmaceuticals True -200 #FFCC0098 White False False All Body Contains RegEx ^(?i)([A-Z0-9]{22,}\r?\n|\n?)[A-Z].+http://.+\.\w{2}/(\??[A-Z0-9]{22,})?(\r?\n){2,3}([A-Z0-9]{22,}\r?\n){3,}$ Pharmaceuticals True -200 #FFCC0098 White False False All EntireMessage Contains PlainText Pharmacy Body Contains RegEx http://(www\.)?(.+\.r[uo]/|.+\.r[uo]\b|.+\.ua) Ukrainian spam domain False -200 #FFCC0098 White True False All Body Contains RegEx http://[a-z0-9\._-]{3,}\.com\.ua/ False -200 #FFCC0098 White True False All From Contains RegEx Doctor|Restricted|\bRx|Meds|M3ds|Medd[sz]|Medz|V[i1l|]c[o0]d[i1l|]n|Perc[o0]cet|Phh?aa?rr?mm?a Subject Contains PlainText EMS Delivery Subject Contains PlainText without a prescription Subject Contains PlainText No Prescription required Subject Contains RegEx Adderall?|ADIPEX|Avandia|CODEINE|HYDROCODONE|KLONOPIN|Oxycontin|Phentermine|Perco[cs]e.?t|Rit[ai]lin|Tramadol|Valiu[mn]|Vicodin?|XANAX Body Contains PlainText rxrefill.com Body Contains PlainText No RX required! Body Contains PlainText no prescription needed Body Contains PlainText medications available without a prescr Body Contains PlainText http://health.groups.yahoo.com/group/ Body Contains RegEx (?-i)Codeine|Valium|Vicodin|Percocet|Phentermine|Ritalin Cialis False -200 #FFCC0098 White True False All Subject Contains PlainText Cialis Subject Contains RegEx C[I|i|1|y].?[A|@].?L[i|1]{1,2}.?[S$]|(?-i)Ca[iy]lis|(?-i)Cy[al][al]is Body Contains RegEx \b(?-i)Cialis\W Body Contains RegEx C\\Ialis|C1A.LIS|tadalafil|\bCalis\b Body Contains RegEx C\s(/|1|I)\sA\s(L|I|1)\s(/|I|1)\s(S|\$) Male Enhancement False -200 #FFCC0098 White True False All From Contains RegEx Penis|Enlarge(r|ment) From Contains RegEx Dr\..?Maxman From Contains PlainText NEOSIZE Male Enhancement False -200 #FFCC0098 White True False All Subject Contains RegEx Ereectile|Erecctile Subject Contains PlainText Dysfuunction Subject Contains RegEx (?-i)Dr\..?Maxman|E?Xtra\s?size|ErectGrow|Manster|MaxGentleman|Max.?[mM]an\b|Mega\s?(Dik|size)|NEOSIZE|Sizeable|Viamax|VPXL Subject Contains RegEx Gains?\ (up\ to\ )?(\d\+?\s)?(inches\ )?in\ (girth|length|size)|Gaining\ inches Subject Contains RegEx (big(ger|gest)?|fuck|hard(er)?|gigantic|love|man)\s(pecker|pole|rod|sausage|stick|tool|weapon) Subject Contains RegEx (get|grow)\ (a\s)?bigger|sc?h[l1][o0]ng|love\ muscle|your\ small\ (di.?k|stick)|your\ little\s Subject Contains RegEx elongate|enhancement\b|en[l|1]a?rge(d|ment)|Enlarge,\ Widen\ and\ Strengthen|enlarge\ and\ lengthen|enlarge\syour|(Enlarge|Super-Size)\ It|Upsize\ your\ D[il]C?'?K Subject Contains RegEx (bat|bulge|monster|python|rocket|snake)\ in\ your\s{0,3}(pants|pocket|trousers)|trouser\ snake|giant\ bulge Subject Contains RegEx Longer\ Harder\ Thicker|(harder|thicker)\ and\ longer|long(er)?\ and\ thick(er)?|thicker\ shaft|\b(bigger|harder|larger|thicker|your)\ (?-i)(PE)\b Subject Contains RegEx (longest|your)\ device\b|short(er)?\s?Penis|Peni[l1]e|pen.?[i1l!]s\b|p[e3]nis|pen-nis|p\ e\ n\ [i1l]\ s|\bp[aei3]nis\b Subject Contains RegEx add\ (\d\s)?inche?s|\d\ inn?cc?hes|girth,?\s( and\s)?(length|lenght)|(length|lenght)\ and\ (girth|thickness)|thickness\ (a[nd][dn])\ length Subject Contains RegEx Bring\ her\ to\ seventh\ heaven|huge\s?(dic'?k|dignity|package)|problems?\swith\ssize|size\ (really\s)?(does\s)?matters?|I've\ gained\ an\ inch|your\ dic?'?k\ size|rock\ hard|Impress\ .*wom[ae]n Subject Contains RegEx your\s?(male\ p[a@]ck[a@]ge|copulation|lovetoy|manhood|manliness|masculinity|(new|your)\ (tool|rod|size|weener|willy))|Bodypart|(giant|gigantic|male|man|pocket)\ tool|manly|Masculine|lovemaking|penetrate Subject Contains RegEx boner|blue\ balls|c[o0]ck|\bcum\b|\bdong\b|ejaculat(e|ion|ory)|ejauclation|Erectile|Erection|flaccid|foreplay|\bpeckers?\b|phall(i|us)?|pleasance|prick|\bsexual|s'e[^a-z]?x|s'e_xual|\$e><|(?-i)d1ck|dic'?k Male Enhancement False -200 #FFCC0098 White False False All Body Contains PlainText Extra inches gives Body Contains PlainText Natural Male Enhancement Body Contains PlainText enhance your male drive Body Contains PlainText Increase your organ size Body Contains PlainText your manhood Body Contains PlainText PE forum Body Contains PlainText male enhancement products Body Contains RegEx Penis\s?En(hance|large)ment|Flaccid(ity)? Body Contains RegEx en(hanc|larg)ement\s?(formula|method|pills|suppliment) Body Contains RegEx (their|your)\ (enlarged|huge)\ (organ|package|prick|shaft) Body Contains RegEx Magnum.?Pro\b|ManSter|Man[\s-]XL|Max[gG]ain(\+|Plus)|MaxGentleman|maxx?.?man|Megadik|PowerEnlarge|\bVPXL\b|Xtrasize\s?(\+|Plus) Watches False -200 #FFCC0098 White False False All From Contains RegEx R[o0][l1]exx?|Rep[l1]icas|Watches|(Luxury|Replica)\ watch|Luxurious|VIP\ (Watch|G[o0]{2}ds) Subject Is PlainText Luxury Subject Contains PlainText //atches Subject Contains PlainText \/\/ATCHES Subject Contains RegEx (Breitling|ROLEX)\ Discount|R_O_L_E_X Subject Contains RegEx Cheap\s?(Rolex|Omega) Subject Contains RegEx \bHERMES\b|\bWa.ches\b|Wat4ch|Submariner\ SS|(replica|Rolex|swiss|vip)\s?watches|w\.a\.t\.c\.h\.e\.s|\ba\ watch\b|(designer|Swiss)\ watch|watch\ brands Subject Contains RegEx \b(R[0olex\.]{8,}|R[o0][lI1]ex|Re4plica|r,?eplicas?|r\.{1,3}e\.{1,3}p\.{1,3}.l\.{1,3}i\.{1,3}c\.{1,3}a\.{1,3}|watches|chronometers|timepieces?|time\ control)\b Body Contains RegEx (luxury|luxurious|new)\ (replica|watch)|famous\ watch\ manufacturer Body Contains PlainText brand name watch Body Contains PlainText We only sell premium watches. Body Contains PlainText exact copies of the original watches Body Contains PlainText Detailed replicas of best chronometers by the best brands Body Contains PlainText put one of these on your xmas list, you will fall in love with them all Body Contains RegEx copies\ of\ [a-z]{5,}\ watch|Rolex|Rollie|\ replicas\b|Submariner\ SS|replica\ watches|//atches|chronometers?|timepieces?|flashy\ bling|expensive\ watch|fashion\ pieces Body Contains PlainText bling.com Counterfeit Goods False -200 #FFCC0098 White False False All From Contains PlainText Ray Ban Outlet From Contains PlainText RAY-BAN From Contains PlainText Louis Vuitton From Contains RegEx Gucci|Luxury|Tiffany Subject Contains PlainText Michael Kors Handbags Subject Contains RegEx des1gner|designer\s(brands|footwear|shoes)|modish Subject Contains RegEx \b(gucci|prada|chanel|chloe|dior|(?-i)UGG|Vertu|Tiffany)\b Subject Contains PlainText repl!c@ Subject Contains RegEx Cartier|Gucci|Versace|KN[0O]CK.?[0O]FFS Subject Contains RegEx (?-i)SHOES|\bBling\b Subject Contains RegEx luxury\ (brands|footwear|needs)|looking\ classy Subject Contains RegEx Branded\ (footwear|shoes) Subject Contains PlainText Clad your feet Body Contains PlainText ~ Gucci Body Contains RegEx Knock.?[O0]ffs|^Luxury\ blowout\ sale|(?-i)\sLux\s Body Contains RegEx (?-i)Vertu\s.{3,14}phones\s Casino Spam False -200 #FFCC0098 White False False All EntireMessage Contains PlainText Lucky Cash Club EntireMessage Contains PlainText Romeo Club From Contains RegEx (?-i)[Gg]ambl(e|ing)|Casino|Casnio|Cazino|Club.?VIP|CVC\s?Support|Game.?Book|Total.?Vegas|Grand\ Palace Subject Is PlainText VIP Subject Contains PlainText YOU play we PAY Subject Contains PlainText no-deposit bonus Subject Contains PlainText Sign up & collect $500! Subject Contains RegEx [''\*s\_-]?(Cas[i1]n[o0]s?|club\s?world|No\ Deposit\ Required|Gambling|online\ games|roulette|black.?jack|\bcraps|poker|slot\ machines|video\ slots?|win\ money)[''\*s\_-]?|\d{3,4}\sGratuits Body Contains PlainText Red Stag Casino Body Contains PlainText 777$ Body Contains PlainText 777USD Body Contains PlainText Gâmës Body Contains PlainText casino gamer Body Contains PlainText the velvet ropes Body Contains PlainText Play at our club Body Contains PlainText free gaming money Body Contains PlainText Sign up & collect $500! Body Contains PlainText There are more than 120 games that you can play Body Contains RegEx (?-i)Club.?VIP|Total.?Vegas|Grand\ Palace Body Contains RegEx Games\ Online|Online\ Gambling Body Contains RegEx \bpoker\ blackjack\ slots\b Body Contains RegEx Gambling\s{1,2}(chips|credit|from\ home|online) Body Contains RegEx (Big\ Dollars?|Free|Golden\ Gate|online|no\ deposit|the|World)\ Casino|casino\.com/ Body Contains RegEx Club\s?World|casino\ (classics|games|members)|(Bet|Gamble)\s{1,2}On\s{0,2}(line|credit)|^\s{1,2}Win\s{1,2}\$ Pharmaceuticals False -200 #FFCC0098 White True False False All Subject Contains PlainText MensHealt Subject Contains PlainText RE: MedHelp Subject Contains PlainText OFFICIAL SITE Subject Contains PlainText Enhance your life with these products Subject Contains RegEx \b(?-i)(FDA|Doctor)\ Approved Subject Contains RegEx Phramacy|Pharmaceutical|Pharmacy|pharmas|apothecary|(?-i)\bRX\b Subject Contains RegEx no\ (pres|pers?)cription|(pres|pers?)cription\ not Subject Contains RegEx \bPhar|P.?ha.{0,2}rmacy\b Subject Contains RegEx med[il|1]c(al|ations?|ines?)|\bm3ds|medds|medzz?\b|(order|purchase|your)\smeds|drug.?store|usa.?drug Subject Contains RegEx PH.*[A@(/\)]RM[A@(/\)] Subject Contains RegEx health supersite Subject Contains RegEx ^discreet\ (delivery|packing|shipping)|worldwide\ delivery Subject Contains RegEx save\ \d\d%\ on\ your\ (medic|meds|pharma|pills)|\d\d%\sdiscount\.\sCode\s#[a-z0-9]{4,8}|\d\d%\ personal\ discount Subject Contains PlainText Buy Meds Subject Contains RegEx Canadian\ Health.*Care\ Mall Pharmaceuticals False -165 #FFCC0098 White False False All Body Contains PlainText PHARMACY Body Contains RegEx (high.quality|prescription)\ medications Body Contains PlainText »»» Body Contains PlainText alt=3D'HUGE Discount Body Contains PlainText Then I found this link and my life started changing for the better Body Contains PlainText We are offering you the latest medical achievements. Body Contains PlainText used to sleep in separate rooms Body Contains PlainText that's when my problems in bed began Body Contains PlainText delivered discreetly Body Contains PlainText but the results exceeded our expectations. Body Contains PlainText due to intimate problems Body Contains RegEx ON.?li[nm]e\ pharmacy|pharmacy\ club Body Contains RegEx Prescription\ drugs\s{1,}without a prescription Body Contains RegEx I'm your new family physician Pharmaceuticals False -200 #FFCC0098 White True False All Body Contains PlainText DRUG Body Contains PlainText DRUGS Body Contains PlainText Drugstore Pills Spam False -200 #FFCC0098 White False False All Subject Contains RegEx Ere\w+\ Dy[sSy$]fu\w+\ ((Pills)|(Pillls)|(P\|\|\|s)|(P\|1ls)|(Plils)) Pills Spam False -100 #FFCC0098 White False False All Subject Contains PlainText P|\\S Subject Contains RegEx BE$T|\bPILL.?S\b|Plills|\bp[i1l|!][1l|!]{2,3}s\b|pill\ that\ (.*)?works|Pilules|\bPILZ\b Subject Contains PlainText MEDS Subject Contains PlainText generic Body Contains RegEx generics|pillstore|pillz|\bmeds\b Body Contains RegEx (boost|our|these)\s{1,3}pills Body Contains RegEx \b(buy|cheap|herbal|wonder)\ (drugs|pills|remed(y|ies)|solutions?)\b|pills\ at\ (dirt\s|the\s)?cheap(est)?\ prices?|medicines|your\ prescriptions Body Contains RegEx ^http://.*(medshop|pills).*\.com Body Contains RegEx ^<a\ href=(3D)?'http://.*pharmacy.*\.com'> Software Spam False -200 #FFCC0098 White False False All Subject Contains PlainText software outlet Subject Contains RegEx Buy.?Software|SoftwareDiscounts Subject Contains RegEx ^[Ss]oftware$ Subject Contains RegEx Eurosoft|(best|cheap(est)?|downloadable|oem|office|popular|quality).*s[o0]ft(wares?)?|Soft(ware)?\ in\ many\ languages|software\ at\ (amazingly|surprisingly)\ low\ prices|perfectly\ working\ software|software\ you\ need|software\ immediately\ after\ purchase|ado6e|Vista\ Microsoft\ SP1\ and\ XP\ Cracked|Office\ (Enterprise\ 200[789]|200[789]\ Enterprise)|(?-i)(Access|Communicator|PowerPoint)\ 200[789]|Auto([cC]ad|desk)\ 200[789]|OEM\ full\ version\ download|Microsoft,\ Adobe\ and\ many\ other\ software\ brands|purchase\ any\ software\ you\ want|look\ at\ our\ prices\ for\ Adobe\ \w|100%\ workable\ software|\$oftware|software\ price\$|(?-i)^_Buy\ And\ Download Subject Contains RegEx Windows\ 7.+Office\ 201\d.+Adobe CS\d Courier Scam True -100 #FFCC0098 White False False All Subject Contains RegEx (?-i)^(DHL|UPS)\ (?i)Delivery\ Problem|Services Body Contains RegEx we\ (failed|were\ not\ able)\ to\ deliver\ (the\ |your\ )?(postal\ )?package Body Contains PlainText print out the invoice Body Contains PlainText Content-Disposition: attachment; Courier Scam True -100 #FFCC0098 White False False All Subject Contains RegEx (?-i)Confirm\ Your\ UPS\ Parcel\ Delivery|UPS\ (Tracking\ (Number|#)|Package\ [A-Z]\d{8,}) Header NotContain RegEx ^Received:\ from\ [a-z0-9]+\.?ups\.com Courier Scam True -100 #FFCC0098 White False False All Subject Contains RegEx (?-i)DHL|FedEx Subject Contains RegEx get\ (a|your)\ parcel|(?-i)Tracking\ (NR|Number)\ \d{8,}|Error\ in\ delivery\ addres Body Contains RegEx ((our|The)\ (courier|postal)\ service\ was)|(we\ were)\ (not\ |un)able\ to\ deliver\s Body Contains RegEx Print\ this\ label\ |print\ and\ fill\ attached\ document|The\ postal\ label\ is\ attached Body Contains PlainText Content-Disposition: attachment; From Contains RegEx Director|Manager|Postal|DHL|FedEx Courier Scam False -100 #FFCC0098 White False False All Subject Contains PlainText DELIVER CONFIRMATION - FAILED Subject Contains RegEx (Delivery\ Problem|UPS\ INVOICE) NR\d{6,8}\. From Contains PlainText Fedex Manager, Body Contains RegEx ^Content-Disposition: attachment; filename="(UPS|Fedex).+.zip"$ Courier Scam True -100 #FFCC0098 White False False All From Contains PlainText UPS Subject Contains PlainText UPS Header Contains PlainText X-Mailer: The Bat! Body Contains PlainText unable to deliver Body Contains PlainText print Body Contains PlainText mailing label Body Contains PlainText Content-Disposition: attachment; Courier Scam True -200 #FFCC0098 White True False False All Subject Contains PlainText DHL notification Body Contains PlainText Dear customer Body Contains PlainText The parcel was send your home address Body Contains PlainText will arrice within 7 bussness day Body Contains PlainText attached in document below Courier Scam True -200 #FFCC0098 White False False All From Contains RegEx (DHL|United)\ (Global|Parcel)|Express|(info|support)\.?\d{1,2}@ups.com Subject Contains RegEx ^(?-i)(DHL|United\ Parcel)\ (Express\s)?Services?|Express\ delivery|UPS Body Contains RegEx The\ parcel\ was\ sent\ (to\ )?your\ home\ add?ress? Body Contains RegEx it\ will\ arrive\ within\ \d{1,2}\ business\ day Body Contains PlainText attached in document below DHL Scam True -200 #FFCC0098 White False False All Body Contains PlainText DHL Body Contains PlainText Notification Body Contains PlainText Courier was unable to deliver Body Contains PlainText the parcel to you Courier Scam False -200 #FFCC0098 White True False All Subject Contains PlainText USPS Delivery Failure Notification Subject Contains PlainText United Postal Service Body Contains PlainText Unfortunately we failed to deliver the postal package Body Contains PlainText Please print out the shipment label attached and collect the package at our office. Body Contains PlainText filename="USPS report.zip" Courier Scam True -200 #FFCC0098 White False False All From Contains PlainText USPS Express Services Subject Contains PlainText package Body Contains RegEx US?PS\ Logistics\ Services|UPS\ , Courier Scam True -200 #FFCC0098 White False False All From Contains RegEx Post Express Subject Contains PlainText Post Express Subject Contains RegEx (?-i)\bNR\b|Number Body Contains PlainText Your package has been returned Body Contains PlainText print Body Contains PlainText mailing label Body Contains PlainText Attached Body Contains PlainText Post Express Body Contains PlainText Content-Disposition: attachment; Possible Exploit Link True -200 #FFFFFF01 Black False False All Header Contains PlainText X-Mailer: PHPMailer Header Contains PlainText Content-Type: text/plain; charset="iso-8859-2" Body Contains RegEx "http://[a-z0-9-_.]+\.[a-z]{2,4}/(?-i)(?=.*?[A-Z].*?[A-Z])(?=.*?[a-z].*?[a-z])(?=.*?\d).{8}/index\.html" Possible Exploit Link #2 False -150 #FFFFE500 Black False False All Body Contains RegEx href="http://.+\.[a-z]{2,4}/[a-zA-Z0-9]{6,8}/index(32)?\.html" Body Contains RegEx /(?-i)[A-Z]{10}\.php\?receipt= Known Exploit Link False -200 #FFFFE500 Black False False All Body Contains PlainText /forwarding.htm" Body Contains PlainText /loading.htm" Body Contains PlainText /redirectng.htm" Body Contains RegEx /page\d{1,2}\.htm" Body Contains RegEx http://.+(?-i)/[A-Z]{10}\.php\?php= Body Contains RegEx http://(\d{1,3}\.){3}\d{1,3}/(boston|news)\.html Numeric IP Link True -100 #FFFFE500 Black False False All Header NotContain RegEx ^Message-ID:\ <.+@mail.gmail.com> Body Contains RegEx ^.*http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)|\d{10}:\d{2,4}/ Possible Exploit Link False -200 #FFFFE500 Black False False All Body Contains RegEx http://[a-zA-Z0-9\._-]+/(.+/)?.+\.pl(\s|\b|\?|\$) Link to a PHP File True -100 #FFFFFF01 Black False False All Body Contains RegEx http://.+=?[\n]?.+\.php Tor Link False -200 #FFFFFF01 Black False False All Body Contains PlainText .onion.to/ 419 Scam True -100 #FFCC0098 White False False All Subject Contains PlainText URGENT Subject Contains PlainText AND Subject Contains PlainText CONFIDENTIAL 419 Scam True -100 #FFCC0098 White False False All Subject Contains RegEx (?-i)^URGENT|CONFIDENTIAL Subject Contains PlainText BUSINESS Subject Contains RegEx (?-i)PROPOSAL|RELATIONSHIP 419 Scam False -200 #FFCC0098 White False False All Header Contains PlainText <info@bank.com> From Contains RegEx (?-i)ARTHUR\ GUINNESS|BARRISTER|TRANSFER|Business\ Proposal|Micheal\ A\.\s?Potter|$ESQ$|MR.MICHEAL From Contains PlainText Bill & Melinda Gates Foundation Header Contains PlainText infogatefoundation@usa.com Header Contains RegEx ^Reply-To:\s.+<?.+@yahoo.com\.hk>?$|thwala Subject Is PlainText BUSINESS Subject Is PlainText URGENT BUSINESS Subject Contains PlainText Oil license Subject Contains PlainText kindly get back to me urgently Subject Contains PlainText KINDLY OPEN THE ATTACHED FILE AND GET BACK TO ME Subject Contains RegEx (kindly|Please)\ reply/call\ me Subject Contains PlainText Atten: Friend, Subject Contains RegEx (?-i)(^CONTACT\ (\w*\s)?(COURIER\ COMPANY|ATM\ DEPARTMENT)) Subject Contains RegEx (?-i)TREAT\ (AS|VERY)\ (CONFIDENTIAL|URGENT)|(EMINENTLY|STRICTLY|URGENTLY)\ CONFIDENTIAL|CONFIDENTIALITY\ AND\ TRUST Subject Contains RegEx UNITEDN\ NATION|Director,\ United\ Nations Subject Contains RegEx ^Dear\ Friend$|Urgent\ Proposal|Business\ letter\ from Subject Contains PlainText FUND TRANSFER Subject Contains PlainText From Barrister Subject Contains RegEx ^(From\s)(?-i)Mrs?[,\.]?\s?[A-Z][a-z]{2,}\s[A-Z][a-z]{1,} Subject Contains PlainText AWARD NOTIFICATION Subject Contains PlainText 2015 Application Tender for Grant Subject Contains PlainText FIRST BANK PLCSCAM VICTIM PAYMENT NOTIFICATION Subject Contains PlainText BANK PAYMENT NOTIFICATION REPLY FAST 419 Scam True -100 #FFCC0098 White False False All Body Contains RegEx ^(Kind\s)?Atte?n:|ATTENTION Body Contains RegEx Beneficiary|(My\ )?Dear\ (GOOD\s)?(Beloved|Friend) 419 Scam False -100 #FFCC0098 White False False All Body Contains PlainText contacting you based on Trust Body Contains RegEx ^Hello,\ I.{0,2}m\ Sgt\. Body Contains RegEx ^(?-i)\*?(Dear\ (Sir/Madam|Friend)\n|Complement\ of\ the\ day) Body Contains PlainText I need your urgent assistance in transferring Body Contains PlainText Waiting to hear from you soonest Body Contains RegEx unclaimed\ (benefits|funds) Body Contains RegEx (I\ am|My\ name\ is)\ Barrister|^Barrister.+ESQ$|(?-i)Barrister\ [A-Z][a-z]{2,}\ [A-Z][a-z]{2,} Body Contains RegEx ^Best\sregards.?\r\nBarr\..?[A-Z] Body Contains RegEx ^Mr\.\ \w{3,}\ \w{3,}\ $Barrister$ Body Contains PlainText your utmost confidentiality in this matter Body Contains PlainText Mr.Micheal Godswill Body Contains PlainText MR. MICHEAL GODSWILL 419 Scam False -100 #FFCC0098 White False False All Body Contains RegEx Bank\ (of\ )?(Nigeria|Benin|(South\s)?Africa)|Benin\ Republic|Republic\ of\ Benin|Director,\ United\ Nations|REPUBLIC\ OF\ NIGERIA Body Contains RegEx beneficiary|no\ Beneficiaries|codicil|demurrage|dumourage|duemorrage|Clearance\ Certificate\ (\r\n)?Fee|keeping\ fees|(?-i)IMMEDIATE\ RELEASE\ OF\ YOUR\ PAYMENT Body Contains RegEx \{[a-z]{3,8}\sMillion\s[a-z-]{3,6}\sHundred\sThousand\sDollars} Body Contains PlainText I am Mr. Patrick Chan Body Contains PlainText Compliment of the day to you Body Contains RegEx (?-i)\bNIGERIAN?\b Body Contains PlainText (Esq. 419 Scam False -100 #FFCC0098 White False False All Header Contains RegEx \b41.(58|66|71|85|93|136|138|139|155|184|189|190|191|194|20[2-8]|21[0-24-9]|22[0-3])\.[\d\.]+ Header Contains PlainText @hotmail.co.za Header Contains RegEx Reply-To:\ <.+@rediffmail\.com> From Contains PlainText Thomas James Subject Is PlainText I Seek Your Consent. Body Contains PlainText @rediffmail.com Body Contains PlainText @hotmail.co.za Body Contains PlainText @live.co.za Nigerian 419 Scam True -150 #FFCC0098 White False False All Subject Contains PlainText VIEW Subject Contains PlainText ATTACHED Subject Contains PlainText FILE Lottery Scam False -100 #FFCC0098 White False False All Subject Contains RegEx Your\ Email\s(Address\s)?Has\ Won Subject Contains RegEx WINNING\ (Notification|NUMBER:)|ticket\ number\ $.+$|(?-i)COCA\ COLA.?(AWARD|TOBACCO\ COMPANY)|(?-I)OFFICIAL\ PRIZE\ NOTIFICATION Subject Contains PlainText Lottery Subject Contains PlainText GO FOR CLAIM VERIFICATION FORM From Contains RegEx \bLotto\b|Lottery\ Notification|International\ lottery|(?-i)LOTTERY|NOTIFICATION\ DRAW|DRAW\ 201\d From Contains RegEx coca.?cola.*promm?o|Microsoft\ Award(\ Department)?|Department\ of\ National\ Lotteries|Superenalotto|WORLD\ CUP|your\ email\ (address|id)\ has\ (won|been\ selected) Body Contains PlainText Attn: Lucky Winner Body Contains PlainText DEAR WINNER Body Contains PlainText YOUR E-MAIL ADDRESS WON Body Contains PlainText please contact your fudiciary agent Body Contains PlainText International Program Online Co-ordinator Body Contains RegEx (?-i)WINNING\ NUMBER:|LOTTERY|RE:\ LOTTO|Lottery\ Coordinator|your\ email\ (ID|identity)\ has\ won Body Contains RegEx (COCA-COLA|jackpot|International|ExxonMobil|Microsoft|National)\ (Award|Lottery)|Freelotto|fiduciary|The\ Kings\ Charity|weekly\ sweepstakes Body Contains RegEx You\ are\ advised\ to\ keep\ this\ winning\ (.+\s)?confidential From Contains PlainText AFRICA 419 Scam True -100 #FFCC0098 White False False All Header Contains RegEx Received:\ from\ \[68\.68\.108\.\d{1,3}\] Money Mule Scam False -200 #FFCC0098 White True False All EntireMessage Contains RegEx (?-i)Rock\s?[a-zA-z]{4,8}\s?Management Subject Contains PlainText Your Job Application Status Subject Contains RegEx Update\ on\ available\ .+positions Subject Contains PlainText We are searching for partners in USA Subject Contains PlainText Environmental business currently seeking representatives worldwide Body Contains RegEx range\ from\ \$35\.77\ .+ to\ \$57\.62\ .{1,4}(hr|hour).\s? Body Contains RegEx [a-z0-9]+@((jobsearchoo|newstatejob|usanewjobgov)\.com|europcareers\.net) Body Contains PlainText EMPLOYER SNAPSHOT Body Contains PlainText VACANCY CODE: Body Contains PlainText An at home Key Account Manager Position Body Contains PlainText An import export company seeks remote employees in United States. Body Contains PlainText Being foreign company makes it harder to manage sales transactions with US customers Body Contains PlainText The main duties include receiving and making payments on client's behalf Body Contains PlainText managing the preparation and distribution for expected transactions Body Contains PlainText (at the beginning of work) to 5-7 (after the first probation month) Body Contains PlainText All banking, Western Union and cell phone expenses covered Body Contains PlainText This position is for US residents only, please no applicants from other countries. Work At Home Scam False -200 #FFCC0098 White True False All Body Contains PlainText thank me later Body Contains PlainText online based job Body Contains PlainText working from home! Body Contains PlainText make money at home Body Contains PlainText Work from the house Body Contains PlainText Make money online! Body Contains PlainText every 5 days from home Body Contains PlainText at home on the computer! Body Contains PlainText self-employed testimonials Body Contains PlainText I had finally hit rock bottom Body Contains PlainText I had reached the end of the line Body Contains PlainText This is not a Pyramid or MLM Program Body Contains PlainText I finally made a life changing decision Body Contains PlainText this is the best thing that has happened to my family in years Body Contains PlainText TeachYouToBeRich Body Contains PlainText Work At Home Group Body Contains PlainText http://automobcode.com/ Body Contains PlainText Gold Digger Software Body Contains PlainText GOLD DIGGER Body Contains PlainText We are looking for employees working remotely. Work At Home Scam False -200 #FFCC0098 White True False All To Contains PlainText marketer To Contains PlainText Fellow Entrepreneur From Contains PlainText HomeJob From Contains PlainText Rock Cruit From Contains PlainText W0RK FROM H0ME From Contains RegEx Work\ (at|from)\ Home From Contains PlainText Home Business Subject Contains PlainText Work from home Subject Contains PlainText Start making money immediately without risk Subject Contains PlainText Online job Subject Contains RegEx Work(ing)?\ (at|From)\ Home|Career\ (Finders|Hunters?) Subject Contains RegEx ^Your\ friend\ [a-z]{5,10}\ has\ recommended\ this\ great\ product\ from\s Body Contains PlainText Rock Cruit Management Body Contains PlainText You will love me for this! Body Contains PlainText You will thank me for this! Body Contains PlainText who needs a 9-5 when you got this program Body Contains PlainText I was able to regain my independence using this Body Contains PlainText its the greatest thing that's hapened to us all year Body Contains PlainText anyone who wants to work in the comfort of their own home Body Contains PlainText everybody thats got access to a computer will be able to perform this job Body Contains PlainText You dont need any special skills to do this work. Body Contains PlainText Hi marketer! Work At Home Scam False -200 #FFCC0098 White False False All EntireMessage Contains PlainText Get paid $25 for each email you process Body Contains PlainText R3m0ve Body Contains PlainText /deltaxdr-4.php Body Contains PlainText CNBC Profits Online Body Contains RegEx Email\ processing\ is\ one\ of\ the\ best\ ways\ to\ earn\s{1,2}money\ on\ the\ internet Body Contains RegEx (?-i)News\ Channel.?\d{1,2} Body Contains RegEx Don'?t\ forget\ to\ thank\ me Body Contains RegEx http://www\.mynbcnews11\.com/|3Dcnbc7(\.[a-z]{2,4})?&btnI=3D1 Body Contains RegEx (Here'?s\ how|It's\ all\ because\ of)\ -(\s|=\r\n\s)<a\ href=(3D)?"h.*t.*t.*p://(goo\.gl|[tx]\.co)/.{5,8}"> Body Contains RegEx >(?-i)(Channel\ \d{1,2}\ )?(Career\ (Guide|News|Trends)|News\ [Dd]aily|Daily\ News|http://(localnews|newsbreaking)\d\d\.com).{0,3}</[aA]> Body Contains RegEx ^[iI]\ (just\s)?(earned|made|netted|profited|pulled(\ in)?)\ \$?\d{3,4}\$?\ in\ (\d\ days|less\ th[ae]n\ a\ day|a\ few\ (days|hours)|a\ couple\ (of\ )?hours) Body Contains RegEx ^Please\ reply\ to:\ [\w\d_-]{3,9}@googlein-de\.com$ Body Contains RegEx ^Marketing,\ Liaison\ and\ HR\ Department$ Mystery Shopper Scam True -200 #FFCC0098 White True False False All EntireMessage Contains PlainText My$tery $hopper Body Contains PlainText Mystery shopper Body Contains PlainText you will be paid Body Contains PlainText task you complete Body Contains PlainText The job Ascii Art Spam True -200 #FFCC0098 White False True All Header Contains PlainText Content-Type: text/html; charset=us-ascii Body Contains PlainText <pre> Body Contains PlainText <a href="http:// Body Contains RegEx (8{5,}\s{2,}){2}|([1234567890]{5,}\s+){3} Body Contains RegEx </pre>\s?\n?</a> Russian Bride Scam False -200 #FFCC0098 White True False All Subject Contains RegEx \ ru\ girls?|\d\d\s?y\.o\..*\sRussia Body Contains PlainText .ru>Marriage Agency</a> Body Contains PlainText a pretty Ukrainian lady Body Contains PlainText international marriage site Body Contains PlainText Look at this girl who wants to get married Body Contains RegEx ^http://date[a-z]{4,8}\.ru/ Dating Spam False -200 #FFCC0098 White False False All From Contains PlainText Dating Header Contains PlainText From: "=?ISO-8859-1?Q?_=41=64=72=69=61=6E=61?=" From Contains PlainText Darina From Contains PlainText Violette From Contains PlainText Olga Dating Spam False -150 #FFCC0098 White True False All Subject Is PlainText Personal Invite Subject Is PlainText Come to my profile Subject Contains RegEx Russian (Girls|Women) Subject Contains PlainText (status-online) Subject Contains PlainText Kiss to you Subject Contains RegEx \bdating\b|single.?ladies|Married.{1,5}lonely Subject Contains RegEx Russian\ (beauties|girls?|hotties?|lad(ies|y)|wife|wives|wom[ae]n)|from\ [Rr]ussia Subject Contains RegEx ^Hi\ remember\ me\?|we\ fucked|blonde?\ and\ cute|(?-i)^[A-Z][a-z]{4,7}\s\d\d\s?y\.o[\.,]\s Subject Contains RegEx (?-i)Add\ Me|Find\ Someone|meet\ a\ beautiful\ girl|Meet\ that\ special\ someone|Looking\ for\ love\b Subject Contains RegEx Unread\ message\ from\ ~[A-Z][a-z]{3,6}\ $uid:\d{4,6}$ Subject Contains RegEx ^New\ message\ for\ you$ Subject Is PlainText Hi Subject Is PlainText Hello Subject Is PlainText hi there Dating Spam False -150 #FFCC0098 White True False All Body Contains PlainText How is your day? What is your name? Body Contains PlainText I am interested in chatting with you, what do you think about it? Body Contains PlainText find my profile here Body Contains PlainText name="my_photo.zip" Body Contains PlainText name="my_iphone_photo.zip" Body Contains PlainText I want to know you better. Body Contains PlainText ur email from a fling app Body Contains PlainText if you like what you see txt me Body Contains PlainText AdultFriendFinder Body Contains PlainText I would like to find a man Body Contains PlainText HOTSINGLESNET.NET Body Contains PlainText girls at our site Body Contains PlainText My pics and short video Body Contains PlainText Do you like beautiful girls? Body Contains PlainText Please write me a letter here http:// Body Contains PlainText Greetings! I wish to get acquainted with you Body Contains PlainText looking for a nice guy to chat with Body Contains PlainText good looking girl who is looking to chat with you Body Contains PlainText I saw you on this website the other day Body Contains PlainText asiandate. Body Contains PlainText www.anastasiadate. Body Contains PlainText anastasiaaffiliate Body Contains RegEx \bdating\ (agency|site|system)\b|dating!|flirting Body Contains RegEx HithereI|Ifoundyourprofileonline|you(r|'re)\ so\ hot! Body Contains RegEx (status-online)\ sent\ new\ message|waiting\ you\ for\ chat Body Contains RegEx I\ read\ your\ profile\ online|i\ (found|loved|was\ just\ reading)\ your\ profile Body Contains RegEx a\ nice\ pretty\ girl|I'm\ from\ Russia|Russian\ (beaut(y|ies)|girls|lad(ies|y))|single\ Russian\ (girl|lad.{1,3}|wom[ea]n) Body Contains RegEx reply\ to\ address\ [a-z0-9]+@rambler\.ru$ Dating spam True -200 #FFCC0098 White True False All Body Contains RegEx Russia Body Contains RegEx .+@(rambler|yandex)\.ru\b Asian Dating Scam True -200 #FFCC0098 White False False All Body Contains PlainText Asian Body Contains RegEx \bDating\b Pics Spam True -100 #FFCC0098 White False False All Body Contains RegEx profile\ on\ facebook|\ (yo)?ur\ profile|your\ pic Body Contains RegEx share\ (mine|my\ pics?)\ with\ you|you\ my\ pics?|see\ my\ pic|(non-public\ photos|private\ (images|photos)) Body Contains PlainText @hotmail.com Image Spam #11 False -100 #FFCC0098 White False False All Body Contains PlainText Please unlock images. VERY IMPORTANT Body Contains PlainText This is very important. Please enable images! Body Contains PlainText You must [Enable Images] to Unlock this image Body Contains PlainText Please Enable Images to View this Body Contains PlainText Please Enable Links and Images to Confirm Your Order!<BR> Body Contains PlainText 'Click above to show images' Body Contains PlainText '"View image in browser now' Body Contains PlainText alt='One click to open store' Body Contains PlainText alt='Cant see a picture? Click Here!' Body Contains PlainText alt='Show picture and go to site now!' Body Contains PlainText alt=3D'Want to request ? It's easy to make a request online. Body Contains PlainText this picture is blocked. Click to unblock now Body Contains RegEx <img\ alt=3D"Click\ \[Show\ Images\]\ if\ no\ image\ (=\n)?here" Body Contains RegEx ^<(center|/style)>\r\n^<a\ href='http://.+\.(ca|cn|com|net|org|info)'><img\ src='.+/.*\.gif'>\r\n^<style>$ Body Contains RegEx (?-i)^<BODY><table>\r\n<tr><td><a\ href='http://.+\.com/'><img\ src='http://.+\.com/.+\.jpg'\ border=0\ alt='Visit\ site\ now!'></a><br>\r\n<br></td></tr></table></BODY></HTML>$ Body Contains RegEx (?-i)^<BODY><a\ href='http://.+\.com/'\ target='_blank'>\r\n^<img\ src='http://.+\.com/.+\.(gif|jpg)'\ border=0\ alt='Having\ trouble\ viewing\ this\ email\?\s?\r\n^Click\ here\ to\ view\ as\ a\ webpage\.'></a></BODY></HTML>$ Re [digits] False -200 #FFCC0098 White False False All Subject Contains RegEx ^re.?\s?(\d{1,2}|\[\d{1,3}\]:?)$ Subject Contains RegEx ^Re\[\d{1,2}\]:\s.* Diploma Spam False -200 #FFCC0098 White True False All Header Contains PlainText Bachelor Degree Subject Contains PlainText college degree Subject Contains PlainText university award Subject Contains PlainText College and University Subject Contains RegEx Order\ .{0,4}Diploma Subject Contains RegEx Qualification.?Diploma Subject Contains RegEx \b(Dgeree|Dergee|diplomas?|dip1omas?|DIMPLOMAS?|Degree)\b|(?-i)Bacheelor|Masteer|MBA\b|Doctoraate|Uinversity|Unviersity Diploma Spam True -200 #FFCC0098 White False False All Subject Contains RegEx ^(RE|FW)\s?:$|((FW|RE)\s?:\s?){2}\s?$ Body Contains PlainText diploma Diploma Spam False -200 #FFCC0098 White True False All Body Contains PlainText diplomas Body Contains PlainText get a Diploma Body Contains PlainText customized diploma Body Contains PlainText Please leave us the infarmation: Body Contains PlainText non-accredited Body Contains PlainText UNIVERSITY DIPLOMA Body Contains PlainText your Graduation is a phone call away Body Contains PlainText obtain Master degree Body Contains PlainText Obtain the_degree you deserve Body Contains PlainText Please leave us a voice message with your phone number with country code if outside USA Body Contains PlainText 100% verifiable diploma Body Contains PlainText with a diploma Body Contains PlainText all you need is a diploma Body Contains PlainText Quick Diploma Group Diploma Spam False -200 #FFCC0098 White False False All Body Contains RegEx \s{10,}diplomas?\b Body Contains RegEx call(ing)?\ this\ number: Body Contains RegEx ^No\ (classes|Exams|Pre-School) Body Contains RegEx your\ (degree|diploma)|No\ Pre-School Body Contains RegEx (deserve|get|need|order)\ a\ diploma Body Contains RegEx Diiploma|DIMPLOMA|(?-i)D\ I\ P\ L\ O\ M\ A\sS? Body Contains RegEx ^(inside|for)\s+U.?S.?(A\.?)?:?\s+(\+)?1\s?[0-9\s-,.]+ Body Contains RegEx outside\s+(the\s+)?U.?S.?A.?:?\s+\+?1\s?[0-9\s-,.]+ Body Contains RegEx (?-i)([dD]iplomas|Bachelor'?s,?|\bMaster's,\b|\bMBA[,\s']|Doctora(l|te)|PhD's) Phishing Scam False -100 #FFCC0098 White False False All Subject Contains PlainText Your Card Number 5018-0XXX-XXXX-XXXXX Body Contains PlainText MasterCard has been deactivated. Body Contains PlainText As the primary contact, you have to reactivate your card or you will not be able to use it. Body Contains PlainText Please reactivate your MasterCard by going to: Body Contains PlainText Dear VISA card holder, Body Contains PlainText .vc/secureapps/ Webmail Phishing Scam False -100 #FFCC0098 White False False All Subject Contains RegEx (?-i)^Dear\ Account\ Owner|^Dear\ Webmail\ Subscriber|^YOUR\ WEBMAIL\ ACCOUNT Body Contains RegEx ^Dear\sWebmail\s(Subscriber|User)[;,]$ Porn Spam False -100 #FFCC0098 White False False All From Contains RegEx F.ckBook Subject Contains RegEx F.ckBook Subject Contains RegEx \bporn\b Subject Contains RegEx lesbian.*(pics|movie) Body Contains PlainText I have some sexy undies Body Contains PlainText nude pictures Body Contains PlainText FuckDirect Body Contains PlainText there is any porn Body Contains PlainText More Pron Body Contains PlainText We have porn Software Spam False -150 #FFFFE500 Black False False All Body Contains PlainText bestsoftware Body Contains RegEx Whirl Wind Software Body Contains PlainText Click this link and download most popular software Body Contains PlainText Click this link and downloaded newest software Body Contains PlainText you can download them right after pur Body Contains PlainText The best software products at the best prices. Body Contains PlainText Any program for any operational system Body Contains RegEx (?-i)Twit\sfrom:\r\n\s+\r\n\s+@Adobe Body Contains RegEx Software\ (is\s)?in\ different\ languages|All\ programs\ offered\ in\ many\ languages Body Contains RegEx EURO.?SOFT(WARE)?|European\ languages|Fully\ localized\ versions Body Contains RegEx ^Retail Price:?\s{1,10}\$\d{3,4}\.[0-9]{2}\r\n^Our Price:?\s{1,10}\$\d{3,4}\.[0-9]{2} Body Contains RegEx Operational\ systems|newsoft|softwares|Cheap.*soft(ware)?|oem\ software|software\ (you\s)?needs? Body Contains RegEx SSoftwarr?e|down.?lo.?ad(d?able)?\ (legal\ )?s?so.?ft(ware)?|(Best|cheapest|lowest)\ software\ prices|popular\s?software|\boem\ soft(\b|ware) Body Contains RegEx ^(type|vis[il]t)\s'?.+soft.*\s\.\scom'?\sin\syour\s.nternet\sExplorer Body Contains RegEx (?-i)Office\ (Enterprise\ 20\d\d|20\d\d\ Enterprise)|(Access|Communicator|PowerPoint)\ 20\d\d|Auto([cC]ad|desk)\ 20\d\d Software Spam True -100 #FFCC0098 White False False All Body Contains RegEx for\ MAC\s?<br/> Body Contains RegEx Retail\ price:\ \$\ \d{3,4}\.\d\d\s?<br/> Body Contains RegEx Our\ price:\ \$\ \d{2,3}\.\d\d\s?<br/> Body Contains PlainText Features: Software Spam True -100 #FFCC0098 White False False All Body Contains RegEx for\ Windows\s?<br/> Body Contains RegEx Retail\ price:\ \$\ \d{3,4}\.\d\d\s?<br/> Body Contains RegEx Our\ price:\ \$\ \d{2,3}\.\d\d\s?<br/> Body Contains PlainText Features: Chinese Domain Registration Scam False -200 #FFCC0098 White False False All Body Contains PlainText (If you are not in charge of this please transfer this email to your Body Contains PlainText We are the department of Asian Domain registration service in china Body Contains PlainText One company which self-styled Body Contains PlainText After our initial checking, we found the name were similar to your Body Contains PlainText authorized that company to register these names Body Contains PlainText please let us know within 7 workdays, so that we will handle this issue Body Contains PlainText Out of the time limit we will unconditionally finish the Body Contains PlainText Please consider the environment before printing this email .BR or .CN Domain Link False -200 #FFCC0098 White False False All Body Contains RegEx http://(www\.)?(.+\.br/.*|.+\.cn/.*['"]>|.+\.cn$|.+\.cn\.com) .US Domain Extension False 0 #FF434343 White False False All From Contains PlainText .us> Received Contains PlainText .us) Received Contains PlainText .us ( Body Contains RegEx https?://[a-z0-9-.]+\.us(/.*)?$ Russian Sender False -200 #FFCC0098 White True False All Header Contains PlainText @rambler.ru Header Contains PlainText Received: from rambler.ru Header Contains PlainText From: =?koi8-r Header Contains PlainText Subject: =?koi8-r Header Contains PlainText Subject: =?windows-1251 Header Contains PlainText charset='koi8-r'; Body Contains PlainText charset=3Dkoi8-r Header Contains RegEx ^Received:\ from\ .*85\.140\.\d{1,3}\.\d{1,3} Header Contains RegEx Message-ID:\s<.+@.+\.(ru|su)> Header Contains RegEx $envelope-from\ <.+@.+\.(ru|su)>$ Header Contains RegEx HELO\s.+\.(ru|su) Header Contains PlainText ukrtel.net Header Contains RegEx Received:\ from\ .+\.(ru|su)\x20 Ukrainina Sender False -200 #FFCC0098 White True False All Header Contains PlainText Received: from [91.232.21. Header Contains RegEx (?-i)\.ua[/\s\]\)] Not .com, .edu, .gov, info, .mil, net, org False -100 #FFCC0098 White False False All From NotContain RegEx @.+\.(biz|com|edu|gov|info|mil|net|org|tv)>?\b Known Spam Domains False -200 #FFFF0000 White False False All Header Contains PlainText Received: from %RND_IP Header Contains PlainText Received: from [160.20.15. Header Contains RegEx helo=.+\.stream Header Contains RegEx \.server4you\.de|(canonpluy|chinesegamer|\.cwazy|emaillove|staticip\.rima-tde|infinitelinker)\.net|(\.163|coughfusion|decor99|explodefast|ibizsource|\.ono|otcpundit|rserver\d\d\d)\.com|myautorepair\.info|Bumerang|Taipei|(diaserver|mail4[cs]ure|rescuemails?)\.org Header Contains RegEx Received:\ from\ .+\.ml\b Body Contains PlainText sikhguardian.net/ Body Contains PlainText www.diaserver.org Body Contains PlainText opakrotak.info Body Contains PlainText www.maillinker.com Body Contains PlainText salesandrevenues.com/ Body Contains RegEx http://www\.more.+\.us/ Body Contains RegEx "http://[\w-]+\.pl/\?[A-Za-z0-9=-]{24,} Body Contains PlainText http://ur1.ca/ Body Contains PlainText .freehyperspace2.com Body Contains PlainText sent from: iContact Body Contains PlainText bumerang.cc/ Body Contains PlainText @mail-filter.com Body Contains PlainText /group.php?group_id=152 Body Contains PlainText /group.php?group_id=3D152 Body Contains PlainText Altera product announcements Body Contains PlainText http://partofpimproller.com/ Body Contains PlainText http://the-binarycoded.biz/ Body Contains RegEx http://.*emailbiz\.info/.+ Body Contains RegEx (?-i)P\.P\.\ Monthly\ Newsletter|SMART-LIST|iContact\ Family|<strong>E-mail\ Newsletter\ Services</strong> Body Contains RegEx (?-i)(Discovery\ Health|Men's\ Health\ Today|Health\s?Central|OTC\ Pundit|Plentiful\ Pleasures|US\ Pharmacy) Body Contains RegEx http://.+\.com-\w\w\d\d\.net/\?qs=[A-Z0-9]+ Body Contains RegEx \.top(/|&sa=) Body Contains PlainText .stream/ Body Contains PlainText .science/ Body Contains PlainText offeronmail.com Body Contains PlainText .club/ Body Contains PlainText .win/ Body Contains PlainText deckaffiliating.com Cannabis Spam False -200 #FFCC0098 White False False All Subject Contains PlainText Cannabis Body Contains RegEx cannabis(-based)?\ extracts Body Contains RegEx cannn?abis.?treatment Locky in PDF True -100 #FFFFE500 Black False False All Body Contains PlainText <div dir="ltr"><br></div> Body Contains RegEx ^Content-Type:\ application/pdf;\ name=".+\.pdf" Body Contains RegEx ^Content-Disposition:\ attachment;\ filename=".+\.pdf" PDF Attachment True -100 #FF434343 White False False All Body Contains RegEx ^Content-Type: application/(pdf|octet-stream); Body Contains RegEx ^Content-Disposition:\ (attachment|inline); Body Contains RegEx filename=['"].+\.pdf['"] Malware Attachment True -200 #FFFFE500 Black False False All Body Contains RegEx (?i)Attached Body Contains RegEx $Internet\ Explorer\ (?i)File$|(?-i)your\ Internet\ Browser\b Body Contains PlainText Content-Disposition: attachment; Body Contains RegEx filename=".+\.htm" Malware Attachment True -200 #FFFFE500 Black True False All Body Contains PlainText Content-Disposition: attachment; Body Contains RegEx filename=".+\.htm" Body Contains PlainText PGh0bWw+DQogPGhlYWQ+DQogIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVu Malware Attachment True -200 #FFFFE500 Black True False All Body Contains PlainText Content-Transfer-Encoding: base64 Body Contains PlainText Content-Disposition: attachment; Body Contains RegEx (file)?name=".+\.htm"\n Body Contains PlainText KXt2PSJldmFs Base64 Spam True -200 #FF434343 White False False All Body Contains PlainText Content-Disposition: attachment Body Contains PlainText Content-Transfer-Encoding: base64 Body Contains PlainText X-Attachment-Id: Body Contains PlainText DQo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+dmFy African Sender False -200 #FFCC0098 White False False All Header Contains RegEx Received:\sfrom\s.*[\[$]41\.\d{1,3}\.\d{1,3}\.\d{1,3}[\[\]$] Header Contains RegEx Received:\sfrom\s.*[\[$]196\.\d{1,3}\.\d{1,3}\.\d{1,3}[\[\]$] Header Contains RegEx Received:\sfrom\s.*[\[$]81\.199\.\d{1,3}\.\d{1,3}[\[\]$] Header Contains RegEx ^Received:\ from\ [^\d\s]+41\.\d{1,3}\.\d{1,3}\.\d{1,3} Body Contains RegEx (Tele)?phone\s\+?(0027|002[123456]\d)[\s_\*'-]\d{3,} Subject All Caps True 0 #FF434343 White False False All Subject NotContain RegEx (?-i)[a-z] Subject Contains RegEx (?-i)[A-Z]{3,}\s Phishing Scam False -100 #FFCC0098 White False False All From Contains RegEx (?-i)HSBC\ Bank|NetBank.?Notification|Taxation\ Office|Tax\ |BOA\ Services|Online\ Banking\ Security|Chase\ Bank|TD\ Canada|Internet\ Banking|USAA|Midwest\ Bank Subject Contains PlainText Facebook Update Tool Subject Contains PlainText Unauthorized Activity Subject Contains PlainText Taxation Office Subject Contains PlainText Your paypal access has been limited Subject Contains PlainText Your PayPal Will Be Limited Subject Contains PlainText Online Banking Verification Process Subject Contains PlainText Notification of limited account access Subject Contains PlainText Security Notification for your Online Banking Subject Contains PlainText Your AOL Instant Messenger account will be deleted Subject Contains PlainText Please visit our Client Verification Form using the link below Subject Contains RegEx Your\ .*account\ .*(has\ been|was)\ (limited|locked) Subject Contains RegEx (?-i)NetBank|Your\ Bank\s.+account\ has\ been\ locked|Internet\ Bank(ing)?:.*Urgent\ Security\ Update|Underreported\ Income\ Notice|American\ Express\ Online\ Form|Restore\ your\ Online\ Banking Phishing Scam False -100 #FFCC0098 White False False All Body Contains PlainText due to multiple login errors on your account Body Contains PlainText Your account has been suspended after too many failed login Body Contains PlainText Your account has been limited due to a login attempt failure. Body Contains PlainText we were unable to verify your account details Body Contains PlainText We were unable to verify your account information during our regular maintainance Body Contains PlainText Click CONFIRM to confirm your identity Body Contains PlainText Securely confirm your banking information Body Contains PlainText failure to confirm your records may result in account Body Contains PlainText Failure to do so may result in temporary account suspension. Body Contains PlainText has been locked due to some internal issues. Body Contains PlainText Read more about installation of SSL Certificate Body Contains PlainText To restore your account we have attached a form to this email. Body Contains PlainText Due to inactivity, your account has been deactivated Body Contains PlainText account was locked because of too many failed logon attempts. Body Contains RegEx Your\ [A-Za-z]{3,}\ account\ (is|has\ (been|become))\ (flagged\ as\ )?inactive|account\ is\ currently\ locked|:8080/www\.capitalone\.com/|Commonwealth\ (Net)?Bank|\sNetBank|^Issue:\ Unreported/Underreported\ Income\ $Fraud\ Application$ Phishing Scam True -100 #FFCC0098 White False False All Header NotContain RegEx ^Received:\ from\ .+\..+ebay\.com\ .+\ helo=.+\.ebay\.com Subject Contains RegEx (?-i)eBay|Security Message Body Contains RegEx ^Dear\ eBay\ (Customer|Member),|^You\ have\ \d\ new\ Security\ Message\ Alert!|eBay\ Confirmation\ Request Facebook Scam True -150 #FFCC0098 White False False All From Contains PlainText @facebook.com Subject Contains RegEx password Body Contains RegEx new\ password\ (in|is)\ attached Body Contains PlainText Facebook Body Contains PlainText Content-Disposition: attachment; PayPal Phishing Scam True -100 #FFCC0098 White False False All Header NotContain RegEx Received:\ from\ ([a-z0-9.-]+\.(epsl1|paypal)\.com\s|\[(\d{1,3}\.){3}\d{1,3}\]\ $(port=\d{4,5}\s)?helo=mx\d\..{3}\.paypal\.com$\s?\n|helo=outbound\.na\.e\.paypal\.com\)\n Header NotContain RegEx ^Received:\ from\ \[[0-9.]+\]\ $port=\d{4,5}\ helo=mail2550.paypal.mkt2944.com$\s?\n Header NotContain RegEx ^Received:\ from\ ccg\d\dmail\d\.ccg\d\d\.slc\.paypalinc\.com From Contains RegEx .+@(intl|www[-\.])?paypal(-us)?.com|^PayPa[l1I]|paypai\.com PayPal Phishing Scam True -100 #FFCC0098 White False False All Body Contains RegEx ^Dear\ PayPal\ (User|Member|Customer)|Your\ paypal\ access\ has\ been\ limited Header NotContain PlainText nix.paypal.com PayPal Scam True -200 #FFFFE500 Black False False All From Contains PlainText service@paypal.com Header NotContain RegEx Received:\ from\ (mx\d\.slc\.paypal\.com|\(?\[173.0.84.\d{1,3}\]|helo=mx\d{0,3}\.slc\.paypal\.com|ccg\d\dmail\d\.ccg\d\d\.slc\.paypalinc\.com) Amazon Scam True -100 #FFFFE500 Black False False All From Contains PlainText @amazon.com ReturnPath NotContain RegEx @(bounces\.)?amazon.com Phishing Scam True -100 #FFCC0098 White False False All From Contains PlainText Wells Fargo From NotContain PlainText @wellsfargo.com WORM >Double Extension!! True -100 #FFFF0000 White False False All Body Contains PlainText Content-disposition: attachment; filename= Body Contains RegEx (file)?name='.+\.(gif|jpg)\.(scr|pif|exe|cmd|com)' Dangerous Attachment Extension! True -100 #FFFF0000 White False False All Body Contains PlainText Content-disposition: attachment; Body Contains RegEx ^\s?filename='.+\.(pif|scr|hta|cmd|bat|vbs|com|cpl|hlp)' .exe attachment True 0 #FFFF0000 White False False All Body Contains PlainText Content-disposition:\ attachment; Body Contains RegEx ^\s?filename='.+\.exe' .doc attachment (419 Scam?) True -100 #FFCC0098 White False False All Subject Contains PlainText attach Body Contains PlainText Content-Disposition: attachment; Body Contains PlainText filename=" Body Contains PlainText .doc" Google Docs Scam True -100 #FFCC0098 White False False All Body Contains PlainText has invited you to view the following document: Body Contains PlainText Open in Docs Exploit Link True -200 #FFCC0098 White False False All Subject Contains PlainText New Acrobat PDF Reader Has Released ! Subject Contains RegEx (Download|Upgrade)\ Now Header Contains PlainText X-rext: 3.interact2 Body Contains PlainText ADOBE PDF READER UPGRADE NOTIFICATION Body Contains RegEx We\ are\ pleased\ to\ announce\ the\ new\ (Acrobat|Adobe|PDF)\ Reader Body Contains PlainText contains critical security updates Body Contains PlainText To upgrade your application: <br /> Body Contains RegEx -(download|upgrade)=2Ecom< Exploit Link True -200 #FFCC0098 White False False All Subject Contains PlainText Download New Version Of Skype ! ReturnPath NotContain PlainText @skype.com Body NotContain PlainText To download the latest version , go to Body Contains RegEx -downloads?=2Ecom Exploit Link True -100 #FFFFCC00 Black False False All Subject Contains PlainText Official Update Body Contains RegEx /.+\.exe'> digits-consnts False -100 #FFCC0098 White False False All Subject Contains RegEx ^\s?[bcdfghjklmnpqrstvwxz0-9]{6,} Non-English Language True -200 #FFCC0098 White False False All Subject Contains RegEx Á|Â|à|á|â|ã|è|é|ê|ë|ì|í|î|ï|ñ|ò|ó|õ|ù|ú|û|ü|ý|\b(avec|des|et|la|vous)\b Body Contains RegEx Á|Â|à|á|â|ã|è|é|ê|ë|ì|í|î|ï|ñ|ò|ó|õ|ù|ú|û|ü|ý|\b(avec|des|et|la|vous)\b Subject NotContain RegEx R[eé]sum[eé] Body NotContain RegEx R[eé]sum[eé] Thunderbird Spam True -100 #FFCC0098 White False False All Header Contains RegEx ^User-Agent:\ .+Thunderbird/\d\.\d(\.\d)?$ Body Contains RegEx ^(?)[A-Z][a-z]{3,6}[A-Za-z\s\w,]+\d\d%\s[O0]FF.?\r\n Body Contains RegEx http://.+\.[a-z]{2}/[a-z0-9]{3,6} Re: or Fw: False -100 #FFCC0098 White False False All Subject Is PlainText Re: Subject Is PlainText Fw: Subject Contains PlainText RE:RE: Subject Contains PlainText Re: Re: Re: info1 Scam False -200 #FFCC0098 White False False All To Contains PlainText info1@msn.com No Subject, Just Link True -100 #FFCC0098 White False False All Subject NotContain RegEx .{1,} Body Contains RegEx \A^http://.+=?(\r\n)?.*\.html?(\r\n)?$\Z No Subject True -80 #FFCC0098 White False False All Header NotContain PlainText Subject: =?utf- Subject NotContain RegEx .{1,} 1 Word Subject False -100 #FF434343 White False False All Subject Contains RegEx ^[a-z''\|\{\}\[\]]{7,8}$ Subject Contains RegEx ^\d{7,8}$ Subject contains email address True -100 #FFCC0098 White False False All Subject Contains RegEx .+@.+\.[a-z]{2,4} X-Spam-Status: Yes False -200 #FFCC0098 White False False All Header Contains PlainText X-Spam-Status: Yes Chain Letter True 0 #FFD4D4D4 Black False False All To Contains RegEx (.+@.+,\s){5,}|undisclosed\ recipients: Subject Contains PlainText FW: CC List Spam True -200 #FFCC0098 White False False All Header Contains RegEx Subject:\ [Ff]rom:\ [A-Z][a-z]+\ [A-Z][a-z]+ To Contains RegEx (?i)(<[a-z0-9-.+_]+@[a-z0-9-.]+\.[a-z]{2,4}>,\ ){3,} CC List True 0 #FF434343 White False False All Header Contains RegEx To:\s(?i)(<?[a-z0-9-_.]+@[a-z0-9-.]+\.(\w{2,7})>?,\s{1,}){3,}<?[a-z0-9-_.]+@[a-z0-9-.]+\.(\w{2,7})>?\n TO: Contains << >> True -100 #FFCC0098 White False False All To Contains RegEx <<.+@.+>> To Webmaster Spam False -100 #FFCC0098 White False False All Subject Is PlainText to webmaster Phishing Scam True -100 #FFCC0098 White False False All Subject Contains RegEx Notification\ of\ limited\ (account\ )access|(?-i)Western\ Union From Contains PlainText Western Union Header NotContain RegEx Received:\ from\ (westernunion|instantservice).com Body Contains RegEx (?-i)Western\ Union|Your account has been limited Twitter Scam False -100 #FFCC0098 White False False All Body Contains PlainText Once you confirm, all future email from Twitter will be sent to this Body Contains PlainText You have 3 unreaded message(s) from Twitter. Subject Contains RegEx You\ have\ \d\ (unread\ direct|urgent)\ messages\ (from|on)\ (?-i)Twitter! E-Card Scam False -150 #FFCC0098 White False False All From Contains PlainText Easy E-CARD From Contains RegEx (?-i)E-Card-|-E-Cards|Instant\ [eE]-Cards Subject Contains PlainText Ecard Special Delivery Subject Contains PlainText You have [1] new e-card waiting for you. Subject Contains PlainText There is [1] new e-Card waiting to be read Subject Contains PlainText Someone likes you and has sent you an e-Card Subject Contains PlainText There is currently [1] e-Card waiting for you to read. Subject Contains PlainText Someone has just sent you an e-Card! Body Contains PlainText Click here to view the e-card waiting for you from [Secret Admirer] Body Contains PlainText -e-card4you.com Body Contains PlainText [Secret Admirer] has just sent you an e-Card! Body Contains PlainText http://yourluckyday.info Email Addresses 4 Sale False -200 #FFCC0098 White False False All From Contains PlainText ePOSTMAN Subject Contains PlainText Large sending of email newsletters Body Contains PlainText Do you need to send millions of emails per month? Body Contains PlainText List of country-targeted recepients Body Contains PlainText USA 89 000 000 records - 700 EUR (1000 $) Body Contains PlainText please contact sales@mail-netpost.ru Body Contains PlainText Connect with 89 million recipients in USA as low as $ Body Contains PlainText We can deliver your message to any country of the world, just contact us for more details on: Body Contains PlainText accounts for mass-mailing EntireMessage Contains PlainText fans4web Marketing Spam False -200 #FFCC0098 White False False All Subject Contains PlainText Reveal the secrets of our banking system Body Contains PlainText Don't you wish you had a better understanding of the financial world around you? Body Contains PlainText Would you like to be able to break free of your financial bonds? Body Contains PlainText This guy will teach you everything you need to know! Body Contains PlainText This is your chance to generate up to $600 per day charset=iso-8859-2 False -150 #FFCC0098 White False False All Header Contains PlainText Content-Type: text/plain; charset=iso-8859-2 Header Contains PlainText charset="iso-8859-2" Header Contains RegEx $port=\d{3,6}\ helo=178\.12[0-9]\.\d{1,3}\.\d{1,3}$ Spam from India False -200 #FFCC0098 White True False False All Header Contains RegEx X-Originating-IP:\ \[115\.11[2-9]\.\d{1,3}\.\d{1,3}\] From India False -200 #FFCC0098 White False False All EntireMessage Contains RegEx ^Date:\s\w+,\s\d{1,2}\s\w+\s201\d\s\d\d:\d\d:\d\d\s\+0530$ Header Contains PlainText +0530 (IST) India Website Link True -200 #FFCC0098 White False False All Body Contains RegEx http://.+\.in/ Spain False -100 #FFCC0098 White False False All Header Contains RegEx Received:\ from\ .*\[84\.12[0-3]\.\d{1,3}\.\d{1,3}\] Header Contains PlainText .ono.com Header Contains PlainText Content-language: es Turkey False -100 #FFCC0098 White False False All Header Contains RegEx ^Received:\ from\ (\[(85.10[56]\.\d{1,3}\.\d{1,3}|88\.234\..+\..+|194\.27\.\d{1,3}\.\d{1,3}|195.175\.\d{1,3}\.\d{1,3})\])|.+\.tr\) Header Contains RegEx 88\.255\.\d{1,3}\.\d{1,3} Chinese Characters Spam False -100 #FFCC0098 White False False All Header Contains PlainText From: =?utf-8?B?5 Chinese Sender False -200 #FFCC0098 White False False All Header Contains PlainText +0800 From Contains PlainText @126.com ReplyTo Contains PlainText @126.com Header Contains RegEx @163.com Header Contains RegEx X-Mailer:\ Foxmail\ .*\ [cn] Header Contains RegEx .+@.+\.cn> Header Contains RegEx .+@51jop\.(net|xyz)> Hong Kong Spam False -100 #FFCC0098 White False False All Header Contains PlainText +0800 (HKT) Body Contains RegEx ^http://.+\.hk/\?.+ Indo-China False -200 #FFCC0098 White False False All Header Contains RegEx Received:\ from \[113\.1([6-8][0-9]|9[01])\.\d{1,3}\.\d{1,3}\] Header Contains RegEx Date:\ .+\ \+0700$ Header Contains RegEx \[123\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}\] APNIC False -100 #FFCC0098 White False False All Header Contains PlainText +0900 (JST) Header Contains PlainText SE Asia Standard Time Header Contains PlainText charset=big5 Header Contains RegEx ^Message-Id:\s.*<.+@.+\.cn>$ Header Contains RegEx Received:\ from\ .+\.hinet\.net Header Contains RegEx 112\.201\.\d{1,3}\.\d{1,3} Header Contains RegEx ^Received:\ from\ \[182\.18\.\d{1,2}\.\d{1,3}\] Header Contains RegEx ^Received: from [^[]*?\[(6[01]|20[23]|21[01]|21[89]|22[0-2])(\.[1-2]?\d?\d?){3}\] Header Contains RegEx ^Received: from [^[]*?\[(\[58|\[59]|6[01]|20[23]|21[01]|21[89]|22[0-2])(\.[1-2]?\d?\d?){3}\] Body Contains PlainText charset="iso-2022-jp" Body Contains PlainText charset="ks_c_5601-1987" Vietnam Link False -200 #FFCC0098 White True False False All Body Contains RegEx http://.+\.vn/ RIPE False 0 #FF434343 White False False All Header Contains PlainText Received: from [194.67. Header Contains RegEx ^Received: from [^[]*?\[(62|8[0-2]|19[345]|21[237])(\.[1-2]?\d?\d?){3}\] Header Contains PlainText kpnplanet.nl Header Contains PlainText kpnxchange.com Header Contains RegEx Date:\ .+\+0200 LACNIC False -100 #FFCC0098 White False False All Received Contains RegEx helo=.*\.br\) Header Contains RegEx Received:\ from\ \[187\.[0-9.]+\]\s Header Contains RegEx ^Received:\ from\ [^[]*?\[20[01](\.[1-2]?\d?\d?){3}\] Header Contains RegEx (\.fibertel\.com\.ar|\.cable\.net\.co|\.(com|net)\.br)\b Header Contains PlainText (BRT) .co.(country code) Sender False 0 #FF434343 White False False All Header Contains RegEx ^Received:\ from\ .+\.co\.[a-z]{2} Blocked Country False -100 #FFCC0098 White False False All Header Contains RegEx ^Received:\ from\ .+\.(ar|br|cn|jp|kr|ma|my|ng|pl|ro|ru|th|tr|vn|hinet\.net|orange.fr|ukrtel\.net)\b\s? Base 64 Encoded True 0 #FF434343 White False False All Body Contains PlainText Content-Transfer-Encoding: base64 Body Contains PlainText Content-Type: text/plain Body NotContain RegEx ^Content-Disposition:\ (inline|attachment);|^Content-Type:\ (application|image)/[a-z]{3,};|Content-Type:\ application/octet-stream; Currently set for many non latin languages. You can edit this filter to your own preference. False -100 #FFCC0098 White False False All EntireMessage Contains Language Arabic,Baltic,Chinese,Cyrillic,Greek,Hebrew,Indic,Japanese,Korean,Tamil,Thai,Turkish,Vietnamese Spam Assassin True -100 #FFCC0098 White False False All Subject Contains PlainText *****SPAM***** .Info Sender, Images and Links True -200 #FFCC0098 White True False All Header Contains PlainText Subject: =?ISO-8859-1?Q? Body Contains RegEx <a href=['"]http://.+.info/\d{10,22}['"]> Body Contains RegEx <img src=http://.+.info/\d{10,22}['"]' border='0' /></a><br /> Body Contains PlainText <div style="color:#FEFFFE;font-size:0.25em;"> .Info Sender and Links True -200 #FFCC0098 White False False All Header Contains RegEx ^Received:\ from\ .+\.info\ $.+$\r\n From Contains PlainText .info Body Contains RegEx http://.+\.info/ .Info Sender True 0 #FF434343 White False False All Header Contains RegEx ^Received:\ from\ .+\.info\ $.+$\r\n From Contains PlainText .info X-Mailer: PHPMailer False -100 #FFCC0098 White False False All Header Contains PlainText X-Mailer: PHPMailer X-Mailer: The Bat! False -150 #FFFFE500 Black False False All Header Contains PlainText X-Mailer: The Bat! X-Mailer: CheetahMailer False -150 #FFCC0098 White False False All Header Contains PlainText X-Mailer: CheetahMailer JavaMailer Spam True -200 #FFCC0098 White False False All Header Contains PlainText x-mailer: JavaMailer Header Contains PlainText x-mailerid: 3 Known X-Mailer False 0 #FF434343 White False False All Header Contains PlainText X-Mailer: The Bat! Header Contains PlainText X-Mailer: Apple Mail (2.924) Header Contains PlainText X-Mailer: Mediacomm Communicator Header Contains PlainText X-Mailer: xinnet.com webmail 1.0 Header Contains PlainText X-Mailer: Openwave WebEngine Header Contains PlainText X-Mailer: iPlanet Messenger Express Header Contains PlainText X-Mailer: CommuniGate Pro WebUser Header Contains PlainText X-Mailer: Sun Java Header Contains PlainText X-Mailer: Evolution Header Contains PlainText X-Mailer: IPS PHP Mailer Header Contains PlainText x-mailer: JavaMailer Header Contains RegEx ^X-Mailer:\ (Prayer|sejkuuk|Zimbra) Header Contains PlainText ArGoSoft Mail Server Freeware Header Contains PlainText X-Mailer: Airmail (223) Header Contains PlainText X-Mailer: Networx Mail 1.2.2 Header Contains PlainText X-Mailer: PHPMailer [version 1.73] Header Contains PlainText X-Mailer: TurboMailer Header Contains PlainText X-Mailer: Leaf PHPMailer Header Contains PlainText X-Mailer: iPhone Mail (14F89) Header Contains PlainText X-Mailer: iPad Mail (13E238) Header Contains PlainText X-Mailer: iPad Mail (11D169b Hidden ISO Subject True 0 #FF434343 White False False All Header NotContain PlainText Subject: =?utf-8? Header Contains PlainText Subject: =? Link Exchange Request False 0 #FF434343 White True False False All Body Contains PlainText I've just visited your site and I really appreciate the efforts you have put in your Website. Body Contains PlainText I would like to propose a link exchange between our sites. Body Contains PlainText We already added your Website here: Body Contains PlainText We request you to use the following details to link back to our website Body Contains PlainText If you are not interested in linking back then we will remove this reciprocal link URL shortener, or 2 digit country code link False -100 #FF434343 White False False All Body Contains PlainText goo.gl Body Contains RegEx (http:)?//[tx]\.co/ Body Contains RegEx http://wurl\.ca/\?r=.+ Body Contains RegEx http://linkzip\.net/F/.{4,5} Body Contains RegEx http://mp77.com/[a-z0-9]{4,6} Body Contains RegEx http://.+\.\w{2}/[a-z0-9]{4,6} Body Contains RegEx http://takeme\.to\.it/[a-z0-9]{4,6} Body Contains RegEx http://just\.as/[a-z0-9]{6} Loans/Bankrupcy False -100 #FF434343 White False False All Subject Contains RegEx reduce\ (your\s)?debt|debt\ reduction Subject Contains RegEx consolidat(e|ion)|lenders|loan|mortgage|refinan?c(e|ing|ment)|Your\ Life\ Insurance|\bLender\b\x20 Body Contains PlainText Bad credit Body Contains PlainText Bankruptcy Body Contains PlainText fixed low rate Body Contains PlainText You have been pre-approved Body Contains PlainText Refinance Body Contains PlainText loans Body Contains PlainText NetLoan Body Contains PlainText Are your premiums payments too high Body Contains PlainText eLoan is offering loan to Body Contains RegEx low(est)?\ rate(s)?|payday\ (loan|advance)|(Equity|short-term)\ loan|debt\ reduction Body Contains RegEx ^C[o0]ngra[dt]ulati[o0]ns.*you('ll|\scan)\ get\ (.*\ )?\$'?\d\d\d.+'?\ loan\ for\x20 Empty Return Path Spam True -200 #FFCC0098 White False False All ReturnPath Is PlainText <> Body Contains PlainText Sent from my iPhone Empty Return Path Spam True -200 #FFCC0098 White False False All ReturnPath Is PlainText <> Body Contains RegEx Santa\ Packages|PACKAGE\ FROM\ SANTA|Letter\ From\ Santa Outlook.com & WhatCounts True -150 #FFCC0098 White False False All From Contains PlainText @outlook.com Header Contains PlainText X-Mailer: WhatCounts German Sender False -200 #FFCC0098 White False False All Header Contains PlainText .pools.vodafone-ip.de) Numerous lines of X-Envelope-To: False -200 #FFCC0098 White False False All Header Contains RegEx ^(X-Envelope-To:.+\n){10,} Religious Words Spam True -200 #FF434343 White False False All Body Contains RegEx \b(begat|Jehovah|thou|shalt|thee|unto|God\.?)\b|saith\ the\ LORD Body NotContain RegEx thou= Foreign Time Zone True 0 #FF434343 White False False All Header Contains RegEx \d\d:\d\d:\d\d\s\+0[1-9]\d{2} Not a US TLD False 0 #FF434343 White False False All Header NotContain RegEx ^From:\s[=a-zA-Z0-9_\-\.\?\s",&@]+\r?<[\w-._]+@.+\.(com|edu|gov|info|mil|net|org)\n?>$ Android Email True 0 #FF434343 White False False All Header Contains PlainText boundary="--_com.android.email_ X-Mailer: iPhone Mail True 0 #FF434343 White False False All EntireMessage Contains PlainText X-Mailer: iPhone Mail X-Mailer: iPad Mail False -100 #FFCC0098 White False False All Header Contains PlainText X-Mailer: iPad Mail xn--p1ai or ru Russian Domain False -100 #FFCC0098 White False False All EntireMessage Contains PlainText xn--p1ai Body Contains PlainText .ru? Body Contains PlainText http://rhettacarolynn Invisible Text False -100 #FFCC0098 White False False All Body Contains RegEx (<|<)font.+color.+#f3f3f3.+(>|>)[0-9A-Za-z]+ Body Contains RegEx (<|<)span\ (=\n)?style=3D("|")\s?color:\s?(=\n)?#F.F.F.("|")(>|>)( |\s)?[A-Za-z0-9]{1,} Body Contains RegEx (<|<)span\ style=(3D=)?.*\n?"LINE-HEIGHT:\ 0px;\ DISPLAY:\ inline;.+\n?.*OVERFLOW:\ hidden.*(>|>)[a-zA-Z0-9]* Body Contains RegEx (<|<)(div|span)\ (=\n)?style=3D(=\n)?("|")\s?color:\s?(=\n)?#F.F.F.;?(\s?font-size:[0-8]p.)?("|")(>|>)( |\s)?[A-Za-z0-9]{1,} HTML Entity in Domain Name False -100 #FFCC0098 White False False All Body Contains PlainText 。 Canadian Pharmacy Spam 2021 True -100 #FFCC0098 White False False All Body Contains PlainText <td><span style=3D"color: #1E817F">CA</span> Body Contains PlainText <td><span style=3D"color: #1E817F">NA</span> Body Contains PlainText <td><span style=3D"color: #1E817F">DI</span> Body Contains PlainText <td><span style=3D"color: #1E817F">AN</span> From Pakistan +0500 False -200 #FFCC0098 White False False All Header Contains RegEx Date:\s.+\s\+0500