#LAST UPDATED 10/28/2019
#
# Anti-phishing content filter (Declude-style filter file), one rule per line.
# Rule layout as used throughout this file:
#   <message part> <weight | END> <match type> <pattern>
# A numeric weight is added to the filter's score when the pattern matches.
# END stops this filter for the message, so END rules act as exemptions.
# MINWEIGHTTOFAIL 10: the filter only counts as failed once the matched
# weights reach 10. SKIPIFWEIGHT is present but commented out.
#SKIPIFWEIGHT 25
MINWEIGHTTOFAIL 10

# Lures seen in phishing subjects and bodies; low weights unless highly specific.
SUBJECT 5 PCRE (Action Required.+Account Restricted)
BODY 20 PCRE (?i:USPS_Document\.zip)
BODY 2 PCRE (?i:online banking)
BODY 2 PCRE (?i:online acess)
BODY 2 PCRE (?i:restore)
BODY 2 PCRE (?i:unauthori[sz]ed)

#-------------------------------------------------------------------#
# EXCEPTIONS #
#-------------------------------------------------------------------#
# Every rule in this section ends the filter, so anything matching here is
# never scored by the brand rules further down.
TESTSFAILED END PCRE (BONDEDSENDER|GOOD-REVDNS|IADB)
REVDNS END PCRE (?i:\(timeout\))
REVDNS END PCRE (?i:\.(psmtp|messagelabs)\.com$)
# NOTE(review): a header name can be written by the sender. Confirm that
# inbound copies of X-Declude-RefID are stripped before this filter runs;
# otherwise any message carrying the header is exempt.
HEADERS END PCRE (?i:X-Declude-RefID)
# NOTE(review): the envelope sender is not authenticated; this exemption
# trusts the address format alone. Presumably meant for Gmail forwarding.
MAILFROM END PCRE ([a-z]{5}\+[a-z]{0,5}_=.+\@gmail\.com)
#3RD PARTY MAILER
REVDNS END PCRE (?i:\.(epsl1)\.com$)

#-------------------------------------------------------------------#
# IPLINKED & URL #
#-------------------------------------------------------------------#
# Link to a file with a double extension ending in .doc.exe.
BODY 10 PCRE (http://.*\.doc\.exe)
# Dotted hexadecimal IP address (0x.. four times).
BODY 10 PCRE (0[xX][0-9a-fA-F]+\.0[xX][0-9a-fA-F]+\.0[xX][0-9a-fA-F]+\.0[xX][0-9a-fA-F]+)
# NOTE(review): after five or more labels this requires two to five literal
# dots before the slash, which ordinary URLs do not contain. A TLD class such
# as [a-z]{2,5} may have been intended; confirm before changing.
BODY 15 PCRE (?i:https?://([0-9a-z]+\.){5,}\.{2,5}/)
# Host name with ".com." in the middle followed by another short suffix.
BODY 9 PCRE (?i:https?://.{3,60}(\.com\.)[a-z0-9_\./]{3,60}?(\.[a-z]{2,4}/))
# Link whose host is a dotted-decimal IPv4 address.
BODY 5 PCRE (?i:https?://((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/)

#-------------------------------------------------------------------#
# SPOOFED LINKS #
#-------------------------------------------------------------------#
# A second "www." appearing in the path of a URL that already starts with www.
BODY 5 PCRE (?i:https?://(www.{3,30}/www\.))

#GENERIC ENVELOPE MAILFROM
# The trailing "@?" makes the at-sign optional, so these names match anywhere
# in the envelope sender; the weight is only 1.
MAILFROM 1 PCRE (?i:(anonymous|apache|cgi-mailer|hostadmin|httpd|info|nobody|root|web(users)?|www(-data|run)?)@?)
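#-------------------------------------------------------------------#
# SUBJECT #
#-------------------------------------------------------------------#
# Generic account / fraud / billing wording in the subject, weight 5 each.
SUBJECT 5 PCRE (?i:Account.{0,10}(Blocked|Security|Update|Validation|Verification|Access|Noti(ce|fication)|suspen(sion|ded)|Restricted))
SUBJECT 5 PCRE (?i:Fraud.(alert|investigation|protection|report))
SUBJECT 5 PCRE (?i:(Security|online).(alert|check|maintenance|noti(?:fication|ce)|update|Message))
SUBJECT 5 PCRE (?i:Official.(information|noti(?:fication|ce)))
SUBJECT 5 PCRE (?i:important.{0,16}(alert|bank|account|security|fraud))
SUBJECT 5 PCRE (?i:(customer|banking).alert)
SUBJECT 5 PCRE (?i:billing.(Center|info|Department|profile|Error|issue|update))
SUBJECT 5 PCRE (?i:Notice of Underreported Income)

# Per-brand sections follow one pattern:
#   REVDNS END   exempts mail whose sending host's reverse DNS is under the
#                brand's own domain (the filter stops there);
#   HEADERS / MAILFROM / BODY rules add weight when a message that was NOT
#                exempted names the brand in From:, the envelope sender or
#                the body.
# The exemption is only as strict as its regex: keep the leading "\." and the
# trailing "$" so that only names under the brand's domain match.

#-------------------------------------------------------------------#
# ABSA #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.absa\.co\.za$)
HEADERS 10 PCRE (?im:From:.*(Absa\W|\@(.*[.-])?absa\.co\.za))
MAILFROM 10 PCRE (?i:\@absa\.co\.za)
BODY 3 PCRE (?i:[\\.]absa\.co\.za)

#-------------------------------------------------------------------#
# AMAZON #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(amazon|amazonses)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?amazon\.com)
MAILFROM 10 PCRE (?i:\@amazon\.com)
BODY 3 PCRE (?i:[\\.]amazon\.com)

#-------------------------------------------------------------------#
# AMERICAN EXPRESS #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(americanexpress|aexp)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?(americanexpress|aexp)\.com)
MAILFROM 10 PCRE (?i:\@(americanexpress|aexp)\.com)
BODY 3 PCRE (?i:[\\.](americanexpress|aexp)\.com)

#-------------------------------------------------------------------#
# ARIZONA FEDERAL CREDIT UNION #
#-------------------------------------------------------------------#
# Fixed: the exemption read "\.azfcu \.org$" with a stray space, which a host
# name can never contain, so genuine azfcu.org senders were never exempted
# and were scored by the rules below.
REVDNS END PCRE (?i:\.azfcu\.org$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?azfcu\.org)
# Fixed: this rule named azfcu.com while every other rule in the section
# names azfcu.org. Both are matched now so the old behaviour is kept.
# NOTE(review): drop "com" if azfcu.com was simply a typo.
MAILFROM 10 PCRE (?i:\@azfcu\.(com|org))
BODY 3 PCRE (?i:[\\.]azfcu\.org)
SUBJECT 4 PCRE (Unsuccessful login attempts)

#-------------------------------------------------------------------#
# BANK OF AMERICA #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(bankofamerica|par3)\.com$)
# NOTE(review): customercenter.net is not obviously a Bank of America domain;
# confirm it is still a mailer for the brand, since it exempts every host
# under that name.
REVDNS END PCRE (?i:\.customercenter\.net$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?bankofamerica\.com)
MAILFROM 10 PCRE (?i:\@bankofamerica\.com)
BODY 3 PCRE (?i:[\\.]bankofamerica\.com)
SUBJECT 20 PCRE (?i:Important Warning From Bank Of America)

#-------------------------------------------------------------------#
# BANK OF THE WEST #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.bankofthewest\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?bankofthewest\.com)
MAILFROM 10 PCRE (?i:\@bankofthewest\.com)
BODY 3 PCRE (?i:[\\.]bankofthewest\.com)
BODY 10 PCRE (?i:alertboalogo.jpg)

#-------------------------------------------------------------------#
# BANKONE/JPMORGAN #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(bankone|jpmorgan)\.com$)
REVDNS END PCRE (?i:\.(bankone)\.net$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?(jpmorgan|bankone)\.(com|net))
MAILFROM 10 PCRE (?i:\@(jpmorgan|bankone)\.(com|net))
BODY 3 PCRE (?i:[\\.](jpmorgan|bankone)\.(com|net))

#-------------------------------------------------------------------#
# BARCLAYS #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.barclays\.co\.uk$)
# The dots in this From: pattern are unescaped and match any character.
HEADERS 10 PCRE (?im:From:.*barclays.co.uk)
MAILFROM 10 PCRE (?i:\@barclays\.co\.uk)
BODY 3 PCRE (?i:[\\.]barclays\.co\.uk)

#-------------------------------------------------------------------#
# BBB #
#-------------------------------------------------------------------#
# NOTE(review): the exemption names thebbb.org while the scoring rules name
# bbb.org; confirm which host names the genuine sender uses.
REVDNS END PCRE (?i:\.thebbb\.org$)
HEADERS 10 PCRE (?im:From:.*@bbb\.org)
MAILFROM 10 PCRE (?i:\@bbb\.org)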
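# BBB section, last rule (the section's other rules precede this line).
BODY 3 PCRE (?i:[\\.]bbb\.org)

# In each brand section below, REVDNS END exempts mail sent from hosts whose
# reverse DNS is under the brand's domain (the filter stops for that message);
# the HEADERS / MAILFROM / BODY rules add weight when mail that was not
# exempted names the brand.

#-------------------------------------------------------------------#
# BMO #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.bmofg\.com$)
HEADERS 10 PCRE (?im:From:.*@bmo(fg)?\.com)
MAILFROM 10 PCRE (?i:\@bmo(fg)?\.com)
BODY 3 PCRE (?i:[\\.]bmo(fg)?\.com)

#-------------------------------------------------------------------#
# CHASE #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(chase)\.com$)
HEADERS 10 PCRE (?im:From:.*@(e.)?chase\.com)
MAILFROM 10 PCRE (?i:\@chase\.com)
BODY 3 PCRE (?i:[\\.]chase\.com)

#-------------------------------------------------------------------#
# CHARTERONE #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.charterone(bank|)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?charterone(bank|)\.com)
MAILFROM 10 PCRE (?i:\@charterone(bank|)\.com)
BODY 3 PCRE (?i:[\\.]charterone(bank|)\.com)

#-------------------------------------------------------------------#
# CITIBANK #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(citi(bank|corp|group)|ssmb)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?citi(bank|corp|group)\.com)
MAILFROM 10 PCRE (?i:\@citi(bank|corp|group)\.com)
BODY 3 PCRE (?i:[\\.]citi(bank|corp|group)\.com)

#-------------------------------------------------------------------#
# COMMERCEBANK #
#-------------------------------------------------------------------#
# NOTE(review): the leading dot is optional here ("\.?"), unlike every other
# exemption in this file, so any reverse-DNS name that merely ends in
# "commercebank.com" is exempted. If the bare host name must stay matched,
# "(^|\.)" in place of "\.?" keeps that while requiring a label boundary.
REVDNS END PCRE (?i:\.?(commercebank(\.com\.mail[5678]\.psmtp)?)\.com$)
# Fixed: the pattern read "ccommercebank" (doubled c), so a From: address at
# commercebank.com never matched and this rule never added its weight.
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?commercebank\.com)
MAILFROM 10 PCRE (?i:\@commercebank\.com)
BODY 3 PCRE (?i:[\\.]commercebank\.com)

#-------------------------------------------------------------------#
# DESJARDINS #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(desjardins)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?desjardins\.com)
MAILFROM 10 PCRE (?i:\@desjardins\.com)
BODY 3 PCRE (?i:[\\.]desjardins\.com)

#-------------------------------------------------------------------#
# DISCOVER #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(discover(card)?)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?discover(card)?\.com)
MAILFROM 10 PCRE (?i:\@discover(card)?\.com)
BODY 3 PCRE (?i:[\\.]discover(card)?\.com)

#-------------------------------------------------------------------#
# EBAY #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(ebay|emailebay)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?ebay\.com)
MAILFROM 10 PCRE (?i:\@ebay\.com)
BODY 3 PCRE (?i:[\\.]ebay\.com)
# NOTE(review): "confirm(ed)" only matches "confirmed"; "confirm(ed)?" may
# have been intended.
SUBJECT 10 PCRE (?i:eBay.{0,60}(response required|issue|review|confirm(ed)|suspen(ded|sion)|identity|verify|security|account|information))
SUBJECT 10 PCRE (TKO NOTICE)

#-------------------------------------------------------------------#
# ETRADE #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.etrade\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?etrade\.com)
MAILFROM 10 PCRE (?i:\@etrade\.com)
BODY 3 PCRE (?i:[\\.]etrade\.com)

#-------------------------------------------------------------------#
# FACEBOOK #
#-------------------------------------------------------------------#
# No exemption in this section: only a subject lure and a link whose host
# continues past "www.facebook.com." into further labels.
SUBJECT 10 PCRE (?i:New login system)
BODY 10 PCRE (?i:http://www.facebook.com\.[a-z0-9]+\.)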
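# In each brand section below, REVDNS END (and REMOTEIP END) exempt mail from
# the brand's own sending hosts by stopping the filter; the HEADERS / MAILFROM
# / BODY / SUBJECT rules add weight when mail that was not exempted names the
# brand.

#-------------------------------------------------------------------#
# FIRST NATIONAL BANK #
#-------------------------------------------------------------------#
# Fixed: this exemption had no trailing "$", unlike every other REVDNS END
# rule in the file. Without the anchor the brand name only had to appear
# somewhere inside the reverse-DNS name, so a host under an unrelated parent
# domain could be exempted.
REVDNS END PCRE (?i:\.fnb(mailer|connect)?(-mail)?\.(co\.za|com)$)
REVDNS END PCRE (?i:\.(mailfnb)\.co\.za$)
REMOTEIP END IS 196.11.133.150
#3RD PARTY MAILER
REMOTEIP END IS 41.160.30.196
REMOTEIP END IS 196.15.204.59
HEADERS 10 PCRE (?im:From:.+(FNB\s|.*@(.*[.-])?fnb\.co\.za))
MAILFROM 10 PCRE (?i:\@fnb(mailer)?\.co\.za)
BODY 3 PCRE (?i:[\\.]fnb(mailer)?\.co\.za)
BODY 5 PCRE (?i:Account Statement)
# NOTE(review): this address is handled with WHITELIST CONTAINS and sits
# after the scoring rules, while the other sender addresses above use END IS.
# Confirm the difference is intended.
REMOTEIP WHITELIST CONTAINS 196.11.134.205

#-------------------------------------------------------------------#
# FLORIDA CREDIT UNION #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.flcu\.org$)
HEADERS 10 PCRE (?im:From:.+@(.*[.-])?flcu\.org)
MAILFROM 10 PCRE (?i:\@flcu\.org)
BODY 3 PCRE (?i:[\\.]flcu\.org)

#-------------------------------------------------------------------#
# HALIFAX #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.halifax\.co\.uk$)
# The dots in this From: pattern are unescaped and match any character.
HEADERS 10 PCRE (?im:From:.*halifax.co.uk)
MAILFROM 10 PCRE (?i:\@halifax\.co\.uk)
BODY 3 PCRE (?i:[\\.]halifax\.co\.uk)

#-------------------------------------------------------------------#
# HDFC BANK #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.hdfcbank\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?hdfcbank\.com)
MAILFROM 10 PCRE (?i:\@hdfcbank\.com)
BODY 3 PCRE (?i:[\\.]hdfcbank\.com)

#-------------------------------------------------------------------#
# HSBC #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.hsbc\.co\.uk$)
HEADERS 10 PCRE (?im:From:.*(HSBC Bank|\@(.*[.-])?hsbc\.co\.uk))
MAILFROM 10 PCRE (?i:\@hsbc\.co\.uk)
BODY 3 PCRE (?i:[\\.]hsbc\.co\.uk)
REVDNS END PCRE (?i:\.hsbcgroup\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?hsbcgroup\.com)
MAILFROM 10 PCRE (?i:\@hsbcgroup\.com)
BODY 3 PCRE (?i:[\\.]hsbcgroup\.com)

#-------------------------------------------------------------------#
# HMRC #
#-------------------------------------------------------------------#
# NOTE(review): this section has no REVDNS END exemption, so genuine mail
# from hmrc.gov.uk is scored by the rules below as well. Confirm that is
# intended.
HEADERS 10 PCRE (?im:From:.*@hmrc\.gov\.uk)
MAILFROM 10 PCRE (?i:\@hmrc\.gov\.uk)
BODY 3 PCRE (?i:[\\.]hmrc\.gov\.uk)
SUBJECT 10 PCRE (Tax Refund Notification)

#-------------------------------------------------------------------#
# IRS #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(irs|treas)\.gov$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?irs\.gov)
MAILFROM 10 PCRE (?i:\@irs\.gov)
BODY 3 PCRE (?i:[\\.]irs\.gov)
SUBJECT 10 PCRE (Possible Fraud : Tax Avoidance Investigation)

#-------------------------------------------------------------------#
# LASALLE #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.lasallebank\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?lasallebank\.com)
MAILFROM 10 PCRE (?i:\@lasallebank\.com)
BODY 3 PCRE (?i:[\\.]lasallebank\.com)

#-------------------------------------------------------------------#
# LLOYDS TSB #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.lloydstsb\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?lloydstsb\.com)
MAILFROM 10 PCRE (?i:\@lloydstsb\.com)
BODY 3 PCRE (?i:[\\.]lloydstsb\.com)

#-------------------------------------------------------------------#
# M&I BANK #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.micorp\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?(micorp|mibank)\.com)
MAILFROM 10 PCRE (?i:\@(micorp|mibank)\.com)
BODY 3 PCRE (?i:[\\.](micorp|mibank)\.com)

#-------------------------------------------------------------------#
# MIDAMERICA BANK #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.midamericabank\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?(midamerica(bank)?)\.com)
MAILFROM 10 PCRE (?i:\@(midamerica(bank)?)\.com)
BODY 3 PCRE (?i:[\\.](midamerica(bank)?)\.com)

#-------------------------------------------------------------------#
# NEDBANK #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.nedbank\.co\.za$)
HEADERS 10 PCRE (?im:From:.*(ned.?bank|\@(.*[.-])?nedbank\.co\.za))
MAILFROM 10 PCRE (?i:\@nedbank\.co\.za)
BODY 3 PCRE (?i:[\\.]nedbank\.co\.za)

#-------------------------------------------------------------------#
# NORTH FORK BANK #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.nfb\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?nfb\.com)
MAILFROM 10 PCRE (?i:\@nfb\.com)
BODY 3 PCRE (?i:[\\.](nfb|nfbconnect|northforkbank)\.com)

#-------------------------------------------------------------------#
# NORTH ISLAND CREDIT UNION #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.nifcu\.org$)
MAILFROM 10 PCRE (?i:\@nifcu\.org)
BODY 3 PCRE (?i:[\\.]nifcu\.org)
MAILFROM 10 PCRE (?i:\@myisland\.com)
BODY 3 PCRE (?i:[\\.]myisland\.com)
SUBJECT 20 PCRE (?i:URGENT! Renew your account right now !)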
# In each brand section below, REVDNS END exempts mail sent from hosts whose
# reverse DNS matches (the filter stops for that message); the HEADERS /
# MAILFROM / BODY / SUBJECT rules add weight when mail that was not exempted
# names the brand.

#-------------------------------------------------------------------#
# POSTBANK (ING) #
#-------------------------------------------------------------------#
# NOTE(review): this exemption covers every host under de.uu.net and
# nl.uu.net rather than a Postbank or ING domain. If those names belong to a
# shared network provider, all of its customers skip this filter; confirm the
# scope is still wanted.
REVDNS END PCRE (?i:\.(de|nl)\.uu\.net$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?(postbank|ing)\.nl)
MAILFROM 10 PCRE (?i:\@(postbank|ing)\.nl)
BODY 3 PCRE (?i:[\\.](postbank|ing)\.nl)
SUBJECT 5 PCRE (?i:Verificatie Update)

#-------------------------------------------------------------------#
# PAYPAL #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(paypal|ebay)\.com$)
# From: and envelope rules also cover paypal-inc.com; the body rule does not.
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?paypal(-inc)?\.com)
MAILFROM 10 PCRE (?i:\@paypal(-inc)?\.com)
BODY 3 PCRE (?i:[\\.]paypal\.com)

#-------------------------------------------------------------------#
# REGIONS #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.(regions|regionsbank)\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?(regions|regionsbank)\.com)
MAILFROM 10 PCRE (?i:\@(regions|regionsbank)\.com)
BODY 3 PCRE (?i:[\\.](regions|regionsbank)\.com)
# A specific look-alike host name and two exact subject lines (case-sensitive).
BODY 20 PCRE (regions-update.us)
SUBJECT 10 PCRE (Notification about your Regions online account)
SUBJECT 10 PCRE (Regarding Your Regions Account!)
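# In each brand section below, REVDNS END exempts mail sent from hosts whose
# reverse DNS is under the brand's domain (the filter stops for that message);
# the HEADERS / MAILFROM / BODY / SUBJECT rules add weight when mail that was
# not exempted names the brand.

#-------------------------------------------------------------------#
# SARS #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.sars\.(gov|co)\.za$)
# NOTE(review): mfw.is.co.za is not a SARS domain name; confirm it is still
# a mailer for the brand, since every host under it is exempted.
REVDNS END PCRE (?i:\.mfw\.is\.co\.za$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?sars\.(gov|co)\.za)
MAILFROM 10 PCRE (?i:\@sars\.(gov|co)\.za)
BODY 3 PCRE (?i:[\\.]sars\.(gov|co)\.za)
SUBJECT 20 PCRE (?i:South Africa Revenue Service Refunds Update)

#-------------------------------------------------------------------#
# SCHWAB #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.schwab\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?schwab\.com)
MAILFROM 10 PCRE (?i:\@schwab\.com)
BODY 3 PCRE (?i:[\\.]schwab\.com)

#-------------------------------------------------------------------#
# SOUTHTRUST #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.southtrust\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?southtrust\.com)
MAILFROM 10 PCRE (?i:\@southtrust\.com)
BODY 3 PCRE (?i:[\\.]southtrust\.com)

#-------------------------------------------------------------------#
# SOOPER CREDIT UNION #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.soopercu\.org$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?soopercu\.org)
MAILFROM 10 PCRE (?i:\@soopercu\.org)
BODY 3 PCRE (?i:[\\.]soopercu\.org)

#-------------------------------------------------------------------#
# STANDARD #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.standard\.co\.za$)
HEADERS 10 PCRE (?im:From:.*(\@(.*[.-])?standard\.co\.za))
MAILFROM 10 PCRE (?i:\@standard\.co\.za)
BODY 3 PCRE (?i:[\\.]standard\.co\.za)

#-------------------------------------------------------------------#
# SUNTRUST #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.suntrust\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?suntrust\.com)
# Fixed: this rule matched "@uboc.com", apparently copied from the UBOC
# section. An envelope sender at suntrust.com was never scored, and one at
# uboc.com was scored twice (here and in its own section).
MAILFROM 10 PCRE (?i:\@suntrust\.com)
BODY 3 PCRE (?i:[\\.]suntrust\.com)
SUBJECT 20 PCRE (?i:SunTrust Bank client service team: please update your data!)

#-------------------------------------------------------------------#
# UNION BANK OF CALIFORNIA UBOC #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.uboc\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?uboc\.com)
MAILFROM 10 PCRE (?i:\@uboc\.com)
BODY 3 PCRE (?i:[\\.]uboc\.com)

#-------------------------------------------------------------------#
# VISA #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.visa(online|checkout)?\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?visa(online|checkout)?\.com)
MAILFROM 10 PCRE (?i:\@visa(online|checkout)?\.com)
BODY 3 PCRE (?i:[\\.]visa(online|checkout)?\.com)

#-------------------------------------------------------------------#
# WASHINGTON MUTUAL #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.wamu\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?(wamu\.com|online-wamu\.com))
MAILFROM 10 PCRE (?i:\@wamu\.com)
MAILFROM 10 PCRE (?i:\@online-wamu\.com)
BODY 3 PCRE (?i:[\\.]wamu\.com)

#-------------------------------------------------------------------#
# WACHOVIA #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.wachovia\.com$)
HEADERS 10 PCRE (?im:From:.*(@(.*[.-])?wachovia\.com|Wachovia Bank))
MAILFROM 10 PCRE (?i:\@wachovia\.com)
BODY 3 PCRE (?i:[\\.]wachovia\.com)

#-------------------------------------------------------------------#
# USBANK #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.usbank\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?usbank\.com)
MAILFROM 10 PCRE (?i:\@usbank\.com)
BODY 3 PCRE (?i:[\\.]usbank\.com)

#-------------------------------------------------------------------#
# WELLSFARGO #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.wellsfargo\.com$)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?wellsfargo\.com)
MAILFROM 10 PCRE (?i:\@wellsfargo\.com)
BODY 3 PCRE (?i:[\\.]wellsfargo\.com)

#-------------------------------------------------------------------#
# WESTERN UNION #
#-------------------------------------------------------------------#
REVDNS END PCRE (?i:\.westernunion\.com$)
# Display-name match and address match are scored separately, so a From:
# line carrying both adds 20.
HEADERS 10 PCRE (?im:From:.*Western Union)
HEADERS 10 PCRE (?im:From:.*@(.*[.-])?westernunion\.com)
MAILFROM 10 PCRE (?i:\@westernunion\.com)
BODY 3 PCRE (?i:[\\.]westernunion\.com)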