1

Topic: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: CENTOS 6.5
- Related log if you're reporting an issue:
====

Hello

After upgrading to the latest version, I am getting emails reporting that an email was detected as spam. I wonder how to disable this setting?


Content type: Spam 
Internal reference code for the message is 32373-01/N6FDsRL0UHAP 
 
First upstream SMTP client IP address: [92.222.11.210] ip210.vpsmaster2.net 
According to a 'Received:' trace, the message apparently originated at: 
  [92.222.11.210], ip210.vpsmaster2.net ip210.vpsmaster2.net [92.222.11.210] 
 
Return-Path: <postmaster@painel.vpsmaster2.net> 
From: "=?UTF-8?B?TXVsdGFzIGUgUG9udHVhw6fDo28=?=" <envio@painel.vpsmaster2.net> 
Message-ID: <1d3afa5a4c32a6a807cadf648ce55b7e@painel.vpsmaster2.net> 
Subject: 
  =?UTF-8?B?QXByZW5kYSBUw6ljbmljYXMgSW5mYWzDrXZlaXMgcGFyYSBDYW5jZWxhciBzdWFzIE11bHRhcyBkZSBUcsOibnNpdG8gZSBwb250b3MgbmEgQ05ILiA=?= 
Not quarantined. 
 
The message WAS NOT relayed to: 
<***@***.***>: 
   250 2.7.0 Ok, discarded, id=32373-01 - spam 
 
Spam scanner report: 
O filtro de spam do servidor "mail.domian.tld" identificou este 
e-mail como um spam. A mensagem original está anexa a este 
este e-mail para que possa ser visualizada (caso não seja 
um spam) ou para que emails futuros similares a este sejam 
marcados como spam também. Caso tenha alguma dúvida, entre 
em contato no email the administrator of that system para mais detalhes. 
 
Visualização de um trecho: Se voc&ecirc; n&atilde;o est&aacute; visualizando a mensagem 
   corretamente, acesse este link [http://painel.vpsmaster2.net/display.php?M=39749&C=f77e09bb7d3bceb900f449adda00f7ba&S=94&L=1&N=72]. 
   [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] 
   [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] 
   [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] 
   [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] 
   [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T] MANUAL TIRE 
   MULTAS 100% LEGALIZADO Aprenda t&eacute;cnicas 100% comprovadas para anular 
   suas multas e pontua&ccedil;&otilde;es! [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=761&F=T 
   DE VENDAS EM TODO BRASIL Nosso kit funciona em todo territ&oacute;rio nacional! 
   Manual explicativo de f&aacute;cil entendimento, voc&ecirc; faz tudo sozinho 
   e economiza seu dinheiro! Saiba mais [http://painel.vpsmaster2.net/link.php?M=39749&N=94&L=760&F=T]. 
   [...] 
 
Detalhes da análise: (22.1 pontos, mínimo de 5.0) 
 
 pts regra descrição 
---- ---------------------- -------------------------------------------------- 
 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL 
                            [92.222.11.210 listed in psbl.surriel.com] 
 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT 
                            [92.222.11.210 listed in bb.barracudacentral.org] 
-0.0 SPF_PASS SPF: Remetente é válido de acordo com registro SPF 
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 
 0.2 URIBL_WS_SURBL Contém uma URL listada na blacklist WS SURBL 
                            [URIs: vpsmaster2.net] 
 0.3 URIBL_JP_SURBL Contém uma URL listada na blacklist JP SURBL 
                            [URIs: vpsmaster2.net] 
 1.3 BR_TRABALHE_EM_CASA BODY: Trabalhe em casa 
 0.7 BR_TRABALHAR_CASA BODY: Fala sobre 'Trabalhar em Casa' 
 2.0 BR_SPAMMER_URI URI: Texto suspeito 
 0.8 HTML_IMAGE_RATIO_02 BODY: O HTML tem pouco texto em relação às 
                            imagens 
 0.0 HTML_MESSAGE BODY: HTML incluso na mensagem 
 1.8 BR_CLIQUE_AQUI FULL: Contem o texto 'Clique aqui' 
 4.0 DCC_CHECK Classificado como email em massa pelo DCC (dcc-servers.net) 
 2.5 RAZOR2_CHECK Listado na Razor2 (http://razor.sf.net/) 
 2.4 RAZOR2_CF_RANGE_E8_51_100 Nível de confiança na Razor2 em engine 4 
                            acima de 50% 
                            [cf: 100] 
 0.4 RAZOR2_CF_RANGE_51_100 Nível de confiança na Razor2 acima de 50% 
                            [cf: 100] 
-0.1 DKIM_VALID Mensagem possui ao menos uma assinatura DKIM ou DK válida 
 0.1 DKIM_SIGNED Mensagem possui uma assinatura DKIM ou DK não 
                            necessariamente válida 
 0.0 DIGEST_MULTIPLE Remetente está listado em mais de uma blacklist 
 2.0 BR_ADJUST_2 Fortes caracteristicas +2 


2

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Search for "warnspamsender" in the Amavisd config file (/etc/amavisd/amavisd.conf) and set it to 0 to disable this feature.

3 (edited by mrteam 2014-05-29 01:35:14)

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Hello,

Thanks for the reply. I made the change as requested, but I'm still getting the notifications.

Content type: Spam 
Internal reference code for the message is 02626-07/Gim1YYTML5vd 
 
First upstream SMTP client IP address: [67.228.184.123] 
  67.228.184.123-static.reverse.softlayer.com 
According to a 'Received:' trace, the message apparently originated at: 
  [67.228.184.123], 67.228.184.123-static.reverse.softlayer.com 
  67.228.184.123-static.reverse.softlayer.com [67.228.184.123] 
 
Return-Path: <root@67.228.184.123-static.reverse.softlayer.com> 
From: informacoes@serasa.comr <informacoes@serasa.comr> 
Message-ID: 
  <20140528140940.B06B6E8C12@67.228.184.123-static.reverse.softlayer.com> 
Subject: Pendências Financeiras 
Not quarantined. 
 
The message WILL BE relayed to: 
<xxxx@xxxx> 
 
Spam scanner report: 
Spam detection software, running on the system "mail.bymr.me", has 
identified this incoming email as possible spam. The original message 
has been attached to this so you can view it (if it isn't spam) or label 
similar future email. If you have any questions, see 
the administrator of that system for details. 
 
Content preview: Pendências Extratos pendencias Outubro 2013.pdf (15,2 KB) 
  Extratos pendencias Novembro 2013.pdf (16,3 KB) Extratos pendencias Dezembro 
   2013.pdf (16,3 KB) Favor retornar o mais breve possível para efetuarmos a 
   baixa do débito, lembramos que ja efetuamos a interação com os orgãos de 
  crédito e para concluirmos o processo necessitamos do retorno imediato. [...] 
    
 
Content analysis details: (20.1 points, 25.0 required) 
 
 pts rule name description 
---- ---------------------- -------------------------------------------------- 
 0.3 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist 
                            [URIs: clubdelgourmetriocuarto.com] 
 2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split 
                            IP) 
 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname 
                            (Split IP) 
 0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or 
                            Generic rPTR 
 0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS 
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 
 0.0 HTML_MESSAGE BODY: HTML included in message 
 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 
 4.0 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) 
 2.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 
 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level 
                            above 50% 
                            [cf: 100] 
 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% 
                            [cf: 100] 
 2.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/) 
 0.0 DIGEST_MULTIPLE Message hits more than one network digest check 
 0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the 
                            encoding 
 2.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME 
                            headers 
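
Both notifications quoted so far end with a SpamAssassin rule table (points, rule name, wrapped description). The following added example, which is not part of any post in this thread, parses that table, re-adds the per-rule scores and groups them by rule-name prefix so an administrator can see which checks drive the total. The function names and the grouping labels are this example's own assumptions; the sample input is the table from the second report above.

```python
import re
from decimal import Decimal

# Rule table copied from the second notification quoted in this thread.
SAMPLE_REPORT = """\
Content analysis details: (20.1 points, 25.0 required)

 pts rule name description
---- ---------------------- --------------------------------------------------
 0.3 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
                            [URIs: clubdelgourmetriocuarto.com]
 2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
                            IP)
 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                            (Split IP)
 0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or
                            Generic rPTR
 0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
 0.0 HTML_MESSAGE BODY: HTML included in message
 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 4.0 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
 2.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
 0.1 SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the
                            encoding
 2.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
                            headers
"""

# Header in both variants seen in the thread:
#   "(20.1 points, 25.0 required)" and "(22.1 pontos, mínimo de 5.0)"
HEADER_RE = re.compile(
    r"\((-?\d+(?:\.\d+)?)\s+(?:points|pontos),\s+"
    r"(?:m[ií]nimo de\s+)?(-?\d+(?:\.\d+)?)(?:\s+required)?\)"
)
# A rule row: signed score, rule name in capitals, start of the description.
ROW_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

# Prefix -> label. The grouping is this example's own convention (assumption).
FAMILIES = [
    (("DCC_", "RAZOR2_", "PYZOR_", "DIGEST_"), "network digest"),
    (("RCVD_IN_", "URIBL_"), "DNS blocklist"),
    (("SPF_", "DKIM_"), "sender authentication"),
    (("BR_",), "local BR_ ruleset"),
]


def parse_report(text):
    """Return the header totals and a list of (score, rule, description)."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no '(N points, M required)' header found")
    rules = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            rules.append([Decimal(row.group(1)), row.group(2), row.group(3).strip()])
        elif rules and line[:1].isspace() and line.strip():
            # Indented line without a score: wrapped description text.
            rules[-1][2] += " " + line.strip()
    return {
        "reported": Decimal(header.group(1)),
        "required": Decimal(header.group(2)),
        "rules": [tuple(r) for r in rules],
    }


def family_of(rule):
    """Map a rule name to one of the FAMILIES labels, or 'other'."""
    for prefixes, label in FAMILIES:
        if rule.startswith(prefixes):
            return label
    return "other"


def summarize(parsed):
    """Re-add the scores, group them by family, compare with the threshold."""
    by_family = {}
    for score, rule, _desc in parsed["rules"]:
        label = family_of(rule)
        by_family[label] = by_family.get(label, Decimal("0")) + score
    return {
        "total": sum((s for s, _r, _d in parsed["rules"]), Decimal("0")),
        "by_family": by_family,
        "over_threshold": parsed["reported"] >= parsed["required"],
    }


if __name__ == "__main__":
    result = summarize(parse_report(SAMPLE_REPORT))
    print("sum of rows:", result["total"], "over threshold:", result["over_threshold"])
    for label, score in sorted(result["by_family"].items(), key=lambda kv: -kv[1]):
        print(f"{score:>6}  {label}")
```

The row sum can differ slightly from the total in the header because the table shows each score rounded to one decimal.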

4

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

There are several "warnspamsender" parameters in the Amavisd config file; did you check them all?

5

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Hello,
These are the ones found in these files:

...
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["root\@$mydomain"],
  spam_admin_maps  => ["root\@$mydomain"],
  warnbadhsender   => 1,

...
# Notify virus sender?
$warnvirussender = 0;

# Notify spam sender?
$warnspamsender = 0;

# Notify sender of banned files?
$warnbannedsender = 0;

# Notify sender of syntactically invalid header containing non-ASCII characters?
$warnbadhsender = 0;

# Notify virus (or banned files) RECIPIENT?
#  (not very useful, but some policies demand it)
$warnvirusrecip = 0;
$warnbannedrecip = 0;

# Notify also non-local virus/banned recipients if $warn*recip is true?
#  (including those not matching local_domains*)
$warn_offsite = 0;
...

6

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Did you restart Amavisd service?

7

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Hi,

Yes! I already restarted the server. I'm still receiving emails.

8

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

*) Do you have any other content-based spam filter installed on this server? It doesn't look like it was generated by Amavisd.
*) Could you please show us output of command "postconf -n"?

9 (edited by mrteam 2014-06-03 10:53:29)

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Hello

I only have SpamAssassin, installed by default with iRedMail, and even then I disabled the service.

Doing a search on the text I get, which is a translation into Brazilian Portuguese, I found the following:

http://svn.apache.org/repos/asf/spamass … t_pt_br.cf

[root@mail ~]# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname, localhost.$mydomain
mydomain = bymr.me
myhostname = mail.bymr.me
mynetworks = 127.0.0.0/8 94.23.35.118/32 37.59.58.39/32
mynetworks_style = host
myorigin = mail.bymr.me
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.11.0/README_FILES
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.11.0/samples
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre reject_unknown_hostname, reject_invalid_hostname, reject_non_fqdn_hostname
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_unauth_destination,
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_unauth_pipelining
smtpd_tls_CAfile = /etc/pki/tls/certs/bymr-ssl-uni.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/bymr-ssl-uni.crt
smtpd_tls_key_file = /etc/pki/tls/private/bymr-ssl.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

10

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Could you please show us output of below command?

# grep -i 'warn' /etc/amavisd/amavisd.conf

11

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

hi

[root@mail ~]# grep -i 'warn' /etc/amavisd/amavisd.conf
  warnbadhsender   => 1,
# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
$warnvirussender = 0;
$warnspamsender = 0;
$warnbannedsender = 0;
$warnbadhsender = 0;
$warnvirusrecip = 0;
$warnbannedrecip = 0;
# Notify also non-local virus/banned recipients if $warn*recip is true?
$warn_offsite = 0;
# WARNING: it must match (equal to or larger than) the number set in
[root@mail ~]#

12

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

up

13

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

I have no idea yet; the report doesn't look like it was generated by Amavisd.
Could you please show me output of below commands:

# grep '_quarantine_' /etc/amavisd/amavisd.conf
# grep 'final_spam_destiny' /etc/amavisd/amavisd.conf

14

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Hello,

As posted earlier, this message is related to SpamAssassin, but I do not know which setting it may be; I only discovered that it is found in an Apache repository, in the translation for the message sent.


grep '_quarantine_' /etc/amavisd/amavisd.conf

# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
# $bad_header_quarantine_method = undef;
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
    #clean_quarantine_method => 'sql:',
$bad_header_quarantine_method = undef;
$spam_quarantine_method = undef;
#$spam_quarantine_method = 'sql:';
#$spam_quarantine_to = 'spam-quarantine';
#$virus_quarantine_to     = 'virus-quarantine';
#$virus_quarantine_method = 'sql:';
$banned_files_quarantine_method = undef;
#$banned_files_quarantine_method = 'sql:';
#$banned_quarantine_to = 'banned-quarantine';

grep 'final_spam_destiny' /etc/amavisd/amavisd.conf

#$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
$final_spam_destiny       = D_PASS;

About $final_spam_destiny: I have already used DISCARD and BOUNCE, and I'm still getting the messages. I already performed a clean install of the system and keep getting the message.
What I have in my additional settings is only this file

[root@mail ~]# cat /etc/mail/spamassassin/br_rules.cf
#########################################################################
## SpamBR - SpamAssassin Brazilian Rules - www.lafraia.com.br/spambr/  ##
## Author: Daniel Lafraia                                              ##
##---------------------------------------------------------------------##
## Thanks: Sandro Enomoto, Vitor Renato Alves de Brito                 ##
##              ...and everyone who sends suggestions!!! ;-)           ##
#########################################################################
## Information:                                                        ##
## This file may be freely distributed under the same terms as         ##
## SpamAssassin (www.spamassassin.org). There is no commercial         ##
## interest in this project other than identifying characteristics of  ##
## Brazilian spam to try to reduce the volume of this type of email.   ##
##                                                                     ##
## The rules in this file were created from examples of spam           ##
## received by the author and contributors.                            ##
##                                                                     ##
## This file is updated every 15 or 30 days and is made available      ##
## at www.lafraia.com.br/spambr/br_rules.cf                            ##
##                                                                     ##
## Contribute to this project!                                         ##
#########################################################################
## Next version on 2003/10/10 at www.lafraia.com.br/spambr/            ##
## Minimum SpamAssassin version for these rules is 2.50                ##
#########################################################################

version_tag     spambr_20030926a

# Descriptions
describe BR_KNOWN_MAILER        X-Mailer conhecido
describe BR_MALFORMED_FROM_1    From com formatacao errada
describe BR_MALFORMED_FROM_2    From com formatacao errada
describe BR_MALFORMED_FROM_3    From com formatacao errada
describe BR_MAILTO_KEYS         Mailto para um endereco suspeito
describe BR_COPYRIGHT           Todos os direitos reservados
describe BR_LINK_UNSAFE         Links para arquivos exe,pif,scr e outros
describe BR_HOAX_SUBJ           Hoax conhecidos no Subject
describe BR_SIGILO_ABSOLUTO     Sigilo Absoluto
describe BR_DUVIDAS_CONJUGAIS   Duvidas Conjugais
describe BR_GRAVADOR_TELEFONICO Grampo?
describe BR_REDEBIZ             Redebiz.com.br
describe BR_DETETIVE_MOREIRA    Detetive Moreira
describe BR_TENHA_SEU_SITE      Tenha seu site na Internet
describe BR_ENVIOU_1REAL        Enviou R$1,00
describe BR_GANHE_ENVIANDO      Ganhe dinheiro enviando e-mails
describe BR_INCLUIR_PIRAMIDE    Incluir meu nome na piramide
describe BR_TRABALHE_EM_CASA    Trabalhe em casa
describe BR_MEPPS               MEPPS
describe BR_MEPPS_SUBJ          MEPPS no subject
describe BR_RETIRAR_EMAIL       Para retirar seu e-mail da lista
describe BR_DIVULGUE_SUA        Divulgue sua/seu
describe BR_PERDER_TEMPO        Fala sobre nao perder tempo
describe BR_USER_URI            Chamada para URI de usuario
describe BR_FAKE_HELO           SMTP HELO possivelmente falso
describe BR_24_HORAS            24 Horas
describe BR_SUA_EMPRESA         Contem 'de/para sua empresa'
describe BR_HOSPEDAGEM          Contem a palavra 'hospedagem'
describe BR_HOSPEDAGEM_SUBJ     Contem a palavra 'hospedagem' no Subject
describe BR_AUMENTE_PENIS       Fala sobre aumento de penis
describe BR_AUMENTE_PENIS_SUBJ  Fala sobre aumento de penis
describe BR_PESO_KG             Subject: xx kg
describe BR_VAGAS_ABERTAS_SUBJ  Subject: Vagas Abertas
describe BR_INTERNET_EMAIL      Saved URL com internet.e-mail
describe BR_HTML_TITLE          Title suspeito
describe BR_HTML_TITLE_KEYS     Palavras-chave no title
describe BR_VIDEO_PORNO_SUBJ    Videos porno no subject
describe BR_E_CONFIRA           Texto 'e confira'
describe BR_AGENCIA_DE_XXXX     Agencia de Aproximacao/Modelos
describe BR_ESPECIALMENTE_VC    Especialmente para voce
describe BR_NAO_RESPONDA        Fala para nao responder o e-mail
describe BR_PERDER_PESO         Fala sobre perder peso
describe BR_PERDER_PESO_2       Fala sobre perder peso
describe BR_PERDER_PESO_SUBJ    Fala sobre perder peso no Subject
describe BR_SAVED_URI           Saved from URL
describe BR_DESCULPE            Pede desculpas pelo incomodo/transtorno
describe BR_CONSULTE            Consulte-nos!
describe BR_ESPIONAGEM          Detetive ou Espionagem
describe BR_DESPACHO            Despachamos para todo o Brasil
describe BR_FROM_EXCLAMACAO     Contem ponto de exclamacao no From
describe BR_EMAIL_COUNT         Provavelmente e' sobre venda de listas de e-mails
describe BR_TELEMARKETING       Fala sobre 'Telemarketing'
describe BR_TRABALHAR_CASA      Fala sobre 'Trabalhar em Casa'
describe BR_SAIBA_MAIS          Fala sobre 'e saiba mais'
describe BR_IMPERDIVEL          Fala sobre 'Imperdivel'
describe BR_NEDSTAT             Tracking do Nedstat
describe BR_VISITE              Fala sobre 'Visite nosso site'
describe BR_APROVEITE           Fala sobre 'Aproveite nossa promocao'
describe BR_KEYWORD_JA          XXXXX agora/ja
describe BR_SUBJ_KEYS           Palavras-chave no Subject
describe BR_CURSO_ONLINE        'Curso on-line' no subject
describe BR_CURSO_SUBJ          Curso no subject
describe BR_CURSO_BODY          Curso no body
describe BR_MALADIRETA          Inclui 'Mala Direta'
describe BR_MALADIRETA2         Inclui 'Mala Direta de e-mail'
describe BR_GRATIS              Inclui a palavra 'Gratis'
describe BR_FRETE_GRATIS        Inclui o texto 'Frete Gratis'
describe BR_REMOVER_EMAIL       Inclui texto para remover email
describe BR_REMOVER_QUOTE       Inclui texto para remover email (quote)
describe BR_TEMPO_LIMITADO      Inclui a frase 'Tempo Limitado'
describe BR_RECEIVED_SPAMMER    Received com endereco DSL ou Dial-Up de Spammers
describe BR_DECRETO             Falso Decreto sobre spam
describe BR_CONGRESSO           Congresso Base das Normativas Int. sobre Spam?
describe BR_CLIQUE_AQUI         Contem o texto 'Clique aqui'
describe BR_SPAMMER_URI         Texto suspeito
describe BR_RENDA_EXTRA_BODY    Texto sobre 'Renda Extra'
describe BR_GANHE_DINHEIRO      Ganhe Dinheiro no Subject
describe BR_RENDA_EXTRA_SUBJ    Texto sobre 'Renda Extra' no Subject
describe BR_FROM_KEYS           From com a palavras-chave
describe BR_PROMOCAO_SUBJ       Subject com a palavra 'Promocao'
describe BR_VOCE                Contem a palavra 'voce' no Subject
describe BR_CJB_URI             Link para sites no cjb.net
describe BR_KITNET_URI          Link para sites no kit.net
describe BR_CALL_KITNET         Chamando url no kit.net (src=)
describe BR_FREEHOST_URI        Link para sites de hospedagem gratis
describe BR_HPG_URI             Link para sites no HPG
describe BR_ML_URI              Link para produtos no Mercado Livre
describe BR_NAO_MAIS            Texto sobre nao receber mais a mensagem
describe BR_NAO_MAIS_2          Texto sobre nao receber mais a mensagem
describe BR_NAO_MAIS_3          Texto sobre nao receber mais a mensagem
describe BR_UMA_VEZ             Dizendo que a msg sera enviada apenas uma vez
describe BR_NOT_SPAM            Dizendo que a msg não é um spam
describe BR_QUESTION_SUBJ       Interrogacao no subject
describe BR_A_PARTIR_DE         Texto 'A partir de $xx.xx'
describe BR_APENAS              Texto 'apenas $xx.xx'
describe BR_APENAS_SUBJ         Texto 'apenas $xx.xx' no Subject
describe BR_PRICE_SUBJ          Preco no Subject
describe BR_GLOBO_COM           Link para Globo.com
describe BR_WWW_SUAEMPRESA      www.suaempresa.com.br (e similares)
describe BR_WWW_SUAEMPRESA_URI  www.suaempresa.com.br (e similares)
describe BR_TMPSTR              Received com 'TmpStr'
describe BR_PRIORITY_SPAM       Spam com alta prioridade
describe BR_ADJUST_1            Fortes caracteristicas +1
describe BR_ADJUST_1B           Fortes caracteristicas +1.5
describe BR_ADJUST_1C           Fortes caracteristicas +1.5
describe BR_ADJUST_2            Fortes caracteristicas +2
describe BR_ADJUST_3            Fortes caracteristicas +3
describe BR_ADJUST_3B           Fortes caracteristicas +3.5

# Matches without scores (to be used by meta rules later)
rawbody  __BR_SAVED_URI         /url\=\(\d+\)http:\/\//i
body     __BR_ROMANCE           /\bromance\b/i

# Body/Header/URI
score    BR_MAILTO_KEYS         0.3
rawbody  BR_MAILTO_KEYS         /mailto\:\S*(?:cadastro|curso|promo|remov|sexo|gostosa|oportunidade|renda)\S*\@(?:bol|ig)\.com\.br/i
score    BR_KNOWN_MAILER        1.5
header   BR_KNOWN_MAILER        X-Mailer =~ /phpmailer/i
score    BR_MALFORMED_FROM_1    1.5
header   BR_MALFORMED_FROM_1    From =~ /\s+\>/
score    BR_MALFORMED_FROM_2    1.5
header   BR_MALFORMED_FROM_2    From =~ /\<[^\>]+$/
score    BR_MALFORMED_FROM_3    1.5
header   BR_MALFORMED_FROM_3    From =~ /\<[^\s]+\s[^\>]+\>/
score    BR_COPYRIGHT           0.3
body     BR_COPYRIGHT           /todos\s+os\s+direitos\s+reservados/i
score    BR_HOAX_SUBJ           2.5
header   BR_HOAX_SUBJ           Subject =~ /chamada.*xbina|big.{0,3}brother.{0,3}bra[zs]il/i
score    BR_LINK_UNSAFE         1.5
uri      BR_LINK_UNSAFE         /\.(?:exe|vbs|pif|scr|bat|dll)$/i
score    BR_SIGILO_ABSOLUTO     0.2
full     BR_SIGILO_ABSOLUTO     /si[gj]ilo\s+absoluto/i
score    BR_DUVIDAS_CONJUGAIS   0.2
full     BR_DUVIDAS_CONJUGAIS   /d.{1,3}vidas\s+conjugais/i
score    BR_GRAVADOR_TELEFONICO 0.2
full     BR_GRAVADOR_TELEFONICO /(?:gravador|grampo)\W+telef.{1,3}n(?:ico|e)/i
score    BR_MEPPS_SUBJ          2.5
header   BR_MEPPS_SUBJ          Subject =~ /\bM\.*E\.*P\.*P\.*S\.*\b/i
score    BR_MEPPS               1.3
body     BR_MEPPS               /\bM\.*E\.*P\.*P\.*S\.*\b/i
score    BR_DIVULGUE_SUA        0.3
body     BR_DIVULGUE_SUA        /divulgue\s+(?:sua|seu)/i
score    BR_AUMENTE_PENIS       1.5
body     BR_AUMENTE_PENIS       /aument[ae]\s+(?:seu){0,1}\s*p(?:e|▒|▒|&ecirc\;)nis/i
score    BR_AUMENTE_PENIS_SUBJ  2.0
header   BR_AUMENTE_PENIS_SUBJ  Subject =~ /aument[ae]\s+(?:seu){0,1}\s*p(?:e|▒|▒|&ecirc\;)nis/i
score    BR_PERDER_TEMPO        0.3
body     BR_PERDER_TEMPO        /perca\s+(?:mais){0,1}\s*tempo/i
score    BR_USER_URI            0.2
uri      BR_USER_URI            /\/\~/
score    BR_FAKE_HELO           0.3
header   BR_FAKE_HELO           Received =~ /helo\=(?:globo|hotmail|[ubg]ol|ig)\.com(?:\.br)?\)/i
score    BR_24_HORAS            0.1
body     BR_24_HORAS            /\b24\s*(?:horas|h|hr|hrs)\b/i
score    BR_SUA_EMPRESA         0.6
body     BR_SUA_EMPRESA         /\b(?:de|para)\s+sua\s+empresa\b/i
score    BR_HOSPEDAGEM          0.3
body     BR_HOSPEDAGEM          /\bhospedagem\b/i
score    BR_HOSPEDAGEM_SUBJ     0.5
header   BR_HOSPEDAGEM_SUBJ     Subject =~ /\bhospedagem\b/i
score    BR_NAO_RESPONDA        1.3
body     BR_NAO_RESPONDA        /\b(?:▒|▒|a|\&atilde\;)o\s+responda\s+(?:esta\s+mensagem|este\s+e\-*mail)/i
score    BR_PERDER_PESO         0.8
full     BR_PERDER_PESO         /(?:precisa|quer)\W+perder\W+(?:peso|[\d\,\.]\s*(?:kg|kilos))/i
score    BR_PERDER_PESO_2       0.3
full     BR_PERDER_PESO_2       /perca\W+(?:peso|[\d\,\.]\s*(?:kg|kilos))/i
score    BR_PERDER_PESO_SUBJ    0.8
header   BR_PERDER_PESO_SUBJ    Subject =~ /\b(?:precisa|quer){0,1}\s*(?:perder|perca)\s+peso\s*(?:j(?:a|▒|▒|\&aacute\;)+){0,1}\s*[\!\?]/i
score    BR_DESCULPE            0.3
body     BR_DESCULPE            /desculpe\s+o\s+(?:inc(?:o|▒|▒|\&ocirc\;)modo|transtorno)/i
score    BR_CONSULTE            0.1
body     BR_CONSULTE            /\bconsulte\-*nos\b/i
score    BR_ESPIONAGEM          0.1
body     BR_ESPIONAGEM          /\b(?:espionagem|detetive)\b/i
score    BR_DESPACHO            0.3
body     BR_DESPACHO            /Despachamos\s+para\s+todo\s+o\s+Brasil/i
score    BR_FROM_EXCLAMACAO     0.4
header   BR_FROM_EXCLAMACAO     From =~ /\!/
score    BR_EMAIL_COUNT         1.5
body     BR_EMAIL_COUNT         /(?:[\d\.]{7,}|\d+\s*milh.{0,3}(?:es|o))\s+(?:de\s+)e\-*mail[\'s]{0,2}\b/i
score    BR_TELEMARKETING       0.3
body     BR_TELEMARKETING       /tele.{0,3}marketing/i
score    BR_TRABALHAR_CASA      0.7
body     BR_TRABALHAR_CASA      /trabalh(?:ar|e)\s+(?:de|em)\s+casa\b/i
score    BR_SAIBA_MAIS          0.3
body     BR_SAIBA_MAIS          /\bsaiba\s+mais/i
score    BR_SAIBA_MAIS          0.3
body     BR_SAIBA_MAIS          /\bimperd(?:.{1,3}|\&iacute\;)vel\b/i
score    BR_NEDSTAT             1.8
rawbody  BR_NEDSTAT             /nedstatbasic/i
score    BR_VISITE              0.3
body     BR_VISITE              /visite\s+nosso\s+site/i
score    BR_APROVEITE           0.3
body     BR_APROVEITE           /\baproveitem?\s+(?:nossa|es[st]a)\s+promo/i
score    BR_KEYWORD_JA          0.8
body     BR_KEYWORD_JA          /\b(?:garanta|compre|ligue|adi*quira)\s+.{0,10}\s*(?:j(?:a|▒|▒|\&aacute\;)|agora)\b/i
score    BR_SUBJ_KEYS           0.3
header   BR_SUBJ_KEYS           Subject =~ /\b(?:kits*|confira|ganhe|hospedagem|compre|divulgue|gr.{1,3}tis|gratu.{1,3}ta)\b/i
score    BR_CURSO_ONLINE        0.4
header   BR_CURSO_ONLINE        Subject =~ /\bcurs[o0]s?\s+[o0]n\-*l[i1]ne\b/i
score    BR_CURSO_SUBJ          0.1
header   BR_CURSO_SUBJ          Subject =~ /\bcurs[o0]s?\b/i
score    BR_CURSO_BODY          0.1
body     BR_CURSO_BODY          /\bcurs[o0]s?\b/i
score    BR_MALADIRETA          0.2
rawbody  BR_MALADIRETA          /mala.{0,5}direta/i
score    BR_MALADIRETA2         0.8
rawbody  BR_MALADIRETA2         /mala.{0,5}direta\s+de\s+e\-*mail\'*s*/i
score    BR_GRATIS              0.1
body     BR_GRATIS              /\bgr.tis\b/i
score    BR_FRETE_GRATIS        0.4
body     BR_FRETE_GRATIS        /\bfrete\s+gr.tis\b/i
score    BR_REMOVER_EMAIL       1.5
body     BR_REMOVER_EMAIL       /\b(?:para\s+){0,1}remover(?:\s+(?:seu|o\s+seu)){0,1}\s+e\-*mail\b/i
score    BR_REMOVER_QUOTE       0.8
rawbody  BR_REMOVER_QUOTE       /[\"\'\>\;]+remover*[(?:\&quote\;)\<\"\']+/i
score    BR_TEMPO_LIMITADO      0.8
body     BR_TEMPO_LIMITADO      /tempo\s+limitado/i
score    BR_RECEIVED_SPAMMER    0.5
header   BR_RECEIVED_SPAMMER    Received =~ /\.(?:dsl|dial\-*up|user|sao)\.(?:ajato|veloxzone|telesp|brasiltelecom)\.(?:net|com)\.br/i
score    BR_DECRETO             1.5
full     BR_DECRETO             /\bDecreto\s+S\.*\s*1618\b/i
score    BR_CONGRESSO           3.0
full     BR_CONGRESSO           /Congresso\W+(?:Base\W+){0,1}das\W+Normativas\W+Internacionais\W+sobre\W+(?:o\W+){0,1}SPAM/i
score    BR_CLIQUE_AQUI         1.8
full     BR_CLIQUE_AQUI         /cli(?:que|[ck]+|[ck]+ar)(?:\W+|(?:\s*\<[^\>]+\>\s*)+)(?:aqui|abaixo)/i
score    BR_SPAMMER_URI         2.0
uri      BR_SPAMMER_URI         /renda\-*extra|formulario|sexo|penis|gostosa|e\-*mail|mulheres|ninfeta|venda|ganhe|mala\-*direta|grampo|promo.{2}o|oportunidade|livre\-*se|divulg|respond|remov/i
score    BR_RENDA_EXTRA_BODY    0.3
body     BR_RENDA_EXTRA_BODY    /\baument(e|ar|ou|ando)\s+(?:a\s+sua|sua|o\s+seu|o|a){0,1}\s+(?:renda|ganho)|(?:renda|ganho|dinheiro)[\s\-]+extra\b/i
score    BR_GANHE_DINHEIRO      0.5
header   BR_GANHE_DINHEIRO      Subject =~ /\bganhe\s+dinheiro\b/i
score    BR_RENDA_EXTRA_SUBJ    1.0
header   BR_RENDA_EXTRA_SUBJ    Subject =~ /\baument(e|ar|ou|ando)\s+(?:a\s+sua|sua|o\s+seu|o|a){0,1}\s+(?:renda|ganho)|(?:renda|ganho|dinheiro)[\s\-]+extra\b/i
score    BR_FROM_KEYS           2.0
header   BR_FROM_KEYS           From =~ /(?:cadastro|promo.{2}o|\w{4}\_\w{4}\_._._.|oportunidade|livre\-se|divulgue|respond|remov|melhor)/i
score    BR_PROMOCAO_SUBJ       1.0
header   BR_PROMOCAO_SUBJ       Subject =~ /\bpromo.{2}o\b/i
score    BR_VOCE                0.2
header   BR_VOCE                Subject =~ /\bvoc.{1,2}s{0,1}[\s\!\.]/i
score    BR_CJB_URI             0.4
uri      BR_CJB_URI             /\.cjb\.net/i
score    BR_KITNET_URI          0.8
uri      BR_KITNET_URI          /\.kit\.net/i
score    BR_FREEHOST_URI        0.8
uri      BR_FREEHOST_URI        /\.freesites\.com\.br|netfirms\.com/i
score    BR_CALL_KITNET         1.5
rawbody  BR_CALL_KITNET         /src\=\S+kit\.net/i
score    BR_HPG_URI             0.2
uri      BR_HPG_URI             /\.(?:hpg|ig)\.com\.br/i
score    BR_ML_URI              0.2
uri      BR_ML_URI              /\.mercadoli[vb]re\.com/i
score    BR_NAO_MAIS            1.3
full     BR_NAO_MAIS            /caso\W+n(?:▒|▒|a|\&atilde\;)o\W+queira\W+receber\W+esta\W+mensage[mn]/i
score    BR_NAO_MAIS_2          1.3
full     BR_NAO_MAIS_2          /para\W+deixar\W+de\W+receber\W+estas*\W+mensage[mn]/i
score    BR_NAO_MAIS_3          1.3
full     BR_NAO_MAIS_3          /n(?:▒|▒|a|\&atilde\;)o\W+(?:estaremos\W+enviando|enviaremos)\W+estas*\W+mensage[mn]\W+(?:novamente|de\s+novo|uma\s+segunda\s+vez)/i
score    BR_RETIRAR_EMAIL       0.3
full     BR_RETIRAR_EMAIL       /para\W+(?:retirar|remover)\W+seu\W+e\-*mail/i
score    BR_UMA_VEZ             2.5
body     BR_UMA_VEZ             /esta\s+mensagem\s+(?:(?:s(?:o|▒|▒|\&oacute\;)\s+){0,1}(?:vai\s+ser|ser(?:a|▒|▒|\&aacute\;))|est(?:a|▒|▒)\ssendo|foi)\s+enviada(?:\sapenas){0,1}\s+uma{0,1}(?:\s+(?:u|▒|▒|\&uacute\;)nica)\s+ve[zs]/i
score    BR_NOT_SPAM            3.0
full     BR_NOT_SPAM            /est.\s+\S+\s*(?:\,*\s*segundo\s+a\s+nova\s+legisla.{1,2}(?:a|▒|▒|\&atilde\;)o\s*\,*\s+){0,1}n(?:▒|▒|a|\&atilde\;)o\s+(?:pode\s+ser|▒|▒|e|\&eacute\;)(?:\s+considerad[ao])(?:\s+um){0,1}\s+spam/i
score    BR_QUESTION_SUBJ       0.1
header   BR_QUESTION_SUBJ       Subject =~ /\?/i
score    BR_A_PARTIR_DE         0.8
body     BR_A_PARTIR_DE         /\ba\s*partir\s+de\s+[a-z]{0,3}\$\s*[\d\.\,]+/i
score    BR_APENAS              0.8
body     BR_APENAS              /\bapenas\s+[a-z]{0,3}\$\s*[\d\.\,]+/i
score    BR_APENAS_SUBJ         0.8
header   BR_APENAS_SUBJ         Subject =~ /\bapenas\s+[a-z]{0,3}\$\s*[\d\.\,]+/i
score    BR_PRICE_SUBJ          0.9
header   BR_PRICE_SUBJ          Subject =~ /\b[a-z]{0,3}\$\s*[\d\.\,]+/i
score    BR_GLOBO_COM           -0.5
uri      BR_GLOBO_COM           /[^(?:webmail)]\.(?:rede){0,1}globo\.com/i
score    BR_WWW_SUAEMPRESA_URI  1.0
uri      BR_WWW_SUAEMPRESA_URI  /\.(?:(?:sua\-*){0,1}empresa|voce)\.com/i
score    BR_WWW_SUAEMPRESA      0.8
body     BR_WWW_SUAEMPRESA      /\.(?:(?:sua\-*){0,1}empresa|voce)\.com/i
score    BR_TMPSTR              4.0
header   BR_TMPSTR              Received =~ /\=TmpStr\b/i
score    BR_ESPECIALMENTE_VC    0.8
body     BR_ESPECIALMENTE_VC    /\bespecialmente\s+p(?:\/|\.|a{0,1}ra)\s+v(?:c|oc(?:.{1,2}|\&ecirc\;))[\s\.\!]/i
score    BR_AGENCIA_DE_XXXX     0.4
body     BR_AGENCIA_DE_XXXX     /\bAg(?:..|e|▒|▒|\&ecirc\;)ncia\s+de\s+(?:aproxima|modelo)/i
score    BR_E_CONFIRA           0.2
body     BR_E_CONFIRA           /\be\s+confira/i
score    BR_VIDEO_PORNO_SUBJ    1.5
header   BR_VIDEO_PORNO_SUBJ    Subject =~ /\bv(?:.{1,2}|\&iacute\;|1)deos+\s+porn(?:o|▒|▒|\&ocirc\;)/i
score    BR_HTML_TITLE          1.5
full     BR_HTML_TITLE          /\<\s*title\s*\>\s*(.)\1+[^\<]*(.)\2+\s*\<\/title\>/i
score    BR_HTML_TITLE_KEYS     2.0
full     BR_HTML_TITLE_KEYS     /\<\s*title\s*\>.*(?:divulg|melhor|livre\-se|oportunidade|marketing|earn|money|viagra|penis|sexo).*\<\/title\>/i
score    BR_INTERNET_EMAIL      1.0
rawbody  BR_INTERNET_EMAIL      /\(0022\)http\:\/\/internet\.e\-mail \-+\>/
score    BR_VAGAS_ABERTAS_SUBJ  0.8
header   BR_VAGAS_ABERTAS_SUBJ  Subject =~ /vagas+\s+abertas+/i
score    BR_PESO_KG             0.5
header   BR_PESO_KG             Subject =~ /\b[\d\.\,]+\s*(?:kg|kilos|lb)\b/i
score    BR_GANHE_ENVIANDO      1.5
body     BR_GANHE_ENVIANDO      /ganhe dinheiro.{0,20}enviando e\-*mail/i
score    BR_INCLUIR_PIRAMIDE    1.5
body     BR_INCLUIR_PIRAMIDE    /meu nome.{0,10}inclu.{1,3}do.{0,15}sua lista de correspond.{1,3}ncia/i
score    BR_TRABALHE_EM_CASA    1.3
body     BR_TRABALHE_EM_CASA    /trabalhe (?:a partir )?(?:de|em) casa/i
score    BR_ENVIOU_1REAL        0.5
body     BR_ENVIOU_1REAL        /(?:mand|envi)(?:e|ou|aram|ar.{1,3}o)\s+(?:imediatamente\s*)?r\$\s*1[\,\.]00\b/i
score    BR_TENHA_SEU_SITE      1.0
body     BR_TENHA_SEU_SITE      /tenha seu site na internet/i

# Meta
score    BR_PRIORITY_SPAM       1.5
meta     BR_PRIORITY_SPAM       ((BR_CONGRESSO || BR_DECRETO) && X_PRIORITY_HIGH) > 0
score    BR_SAVED_URI           1.5
meta     BR_SAVED_URI           (! HTML_COMMENT_SAVED_URL && __BR_SAVED_URI)

# Regras "meta" para ajuste
score    BR_ADJUST_1            1.0
meta     BR_ADJUST_1            (BR_ESPECIALMENTE_VC && (BR_E_CONFIRA || BR_AGENCIA_DE_XXXX))
score    BR_ADJUST_1B           1.5
meta     BR_ADJUST_1B           (BR_NAO_MAIS || BR_NAO_MAIS_2 || BR_NAO_MAIS_3) && BR_CLIQUE_AQUI
score    BR_ADJUST_1C           1.5
meta     BR_ADJUST_1C           BR_MAILTO && BR_FROM_KEYS
score    BR_ADJUST_2            2.0
meta     BR_ADJUST_2            (BR_AGENCIA_DE_XXXX && __BR_ROMANCE) || ((BR_FROM_KEYS || BR_REMOVER_EMAIL || BR_KITNET_URI || BR_SPAMMER_URI) && (BR_KITNET_URI || BR_CLIQUE_AQUI || BR_APENAS || BR_NAO_RESPONDA || BR_CONGRESSO || BR_DECRETO || BR_VIDEO_PORNO_SUBJ))
score    BR_ADJUST_3            3.0
meta     BR_ADJUST_3            ((HTML_COMMENT_SAVED_URL || __BR_SAVED_URI || BR_TRABALHE_EM_CASA || BR_GANHE_ENVIANDO) && (BR_REMOVER_QUOTE || (BR_INCLUIR_PIRAMIDE && BR_ENVIOU_1REAL))) || (BR_APENAS && BR_SPAMMER_URI && BR_NAO_RESPONDA)
score    BR_ADJUST_3B           3.5
meta     BR_ADJUST_3B           (HIDE_WIN_STATUS || BR_LINK_UNSAFE) && BR_HOAX_SUBJ && (BR_FREEHOST_URI || BR_KITNET_URI || BR_CALL_KITNET || BR_CJB_URI)

# Spams Especificos
score    BR_DETETIVE_MOREIRA    1.4
full     BR_DETETIVE_MOREIRA    /detetivemoreira\@globo\.com/i
score    BR_REDEBIZ             2.5
uri      BR_REDEBIZ             /redebiz\.com\.br/i

Thanks!
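The pasted rules define BR_SAIBA_MAIS twice (once for "saiba mais", once for the "imperd.vel" pattern); SpamAssassin keeps only the last definition of a rule name, so the first pattern is never evaluated. The following Python lint is an added example, not part of the original post or of SpamAssassin or iRedMail. The function name lint_rules and the trimmed sample text are assumptions made for illustration:

```python
import re
from collections import defaultdict

# Constructed sample: rule lines copied from the post, trimmed to a few entries.
SAMPLE = r"""score    BR_SAIBA_MAIS          0.3
body     BR_SAIBA_MAIS          /\bsaiba\s+mais/i
score    BR_SAIBA_MAIS          0.3
body     BR_SAIBA_MAIS          /\bimperd(?:.{1,3}|\&iacute\;)vel\b/i
score    BR_E_CONFIRA           0.2
body     BR_E_CONFIRA           /\be\s+confira/i
score    BR_ADJUST_1            1.0
meta     BR_ADJUST_1            (BR_ESPECIALMENTE_VC && (BR_E_CONFIRA || BR_AGENCIA_DE_XXXX))
"""

RULE_TYPES = {"body", "rawbody", "full", "header", "uri", "meta"}
LINE = re.compile(r"^(\w+)\s+(\w+)\s+(.*)$")   # <type> <NAME> <definition>
NAME = re.compile(r"\b[A-Za-z_]\w*\b")         # rule names inside a meta expression


def lint_rules(text):
    """Return (duplicates, unresolved) for SpamAssassin rule text.

    duplicates: rule name -> line numbers where it is defined with differing bodies
    unresolved: meta rule name -> operands that are not defined in this text
    """
    defs = defaultdict(list)
    metas = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue
        kind, name, rest = m.groups()
        if kind in RULE_TYPES:          # "score" lines are not definitions
            defs[name].append((lineno, rest.strip()))
            if kind == "meta":
                metas[name] = rest
    duplicates = {name: [n for n, _ in d] for name, d in defs.items()
                  if len({body for _, body in d}) > 1}
    unresolved = {}
    for name, expr in metas.items():
        missing = sorted(set(NAME.findall(expr)) - set(defs))
        if missing:
            unresolved[name] = missing
    return duplicates, unresolved


if __name__ == "__main__":
    dups, unresolved = lint_rules(SAMPLE)
    print("redefined rules:", dups)
    print("meta operands not defined in this text:", unresolved)
```

An operand reported as unresolved may still be defined in another rules file loaded by SpamAssassin, so treat that list as names to check rather than as errors.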

15

Re: Spam FROM LOCAL [92.222.11.210]:46344 <postmaster@painel.vpsmaster2.ne

Does it work if you set an empty value for 'spam_admin_maps' in the Amavisd config file? For example:

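$policy_bank{'ORIGINATING'} = {
    # ... (keep the existing settings in this policy bank)
    spam_admin_maps  => [],   # empty list: no spam admin address to notify
    # ...
};

$policy_bank{'MYUSERS'} = {
    # ... (keep the existing settings in this policy bank)
    spam_admin_maps  => [],   # empty list: no spam admin address to notify
    # ...
};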