[Fix] Cleanup mess with groups

rules/headers_checks.lua

@@ -59,7 +59,7 @@ rspamd_config:register_symbol{
   parent = rcvd_cb_id,
   type = 'virtual',
   description = 'No received',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCVD_COUNT_ONE',
@@ -67,7 +67,7 @@ rspamd_config:register_symbol{
   parent = rcvd_cb_id,
   type = 'virtual',
   description = 'One received',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCVD_COUNT_TWO',
@@ -83,7 +83,7 @@ rspamd_config:register_symbol{
   parent = rcvd_cb_id,
   type = 'virtual',
   description = '3-5 received',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCVD_COUNT_FIVE',
@@ -91,7 +91,7 @@ rspamd_config:register_symbol{
   parent = rcvd_cb_id,
   type = 'virtual',
   description = '5-7 received',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCVD_COUNT_SEVEN',
@@ -99,7 +99,7 @@ rspamd_config:register_symbol{
   parent = rcvd_cb_id,
   type = 'virtual',
   description = '7-11 received',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCVD_COUNT_TWELVE',
@@ -107,7 +107,7 @@ rspamd_config:register_symbol{
   parent = rcvd_cb_id,
   type = 'virtual',
   description = '12+ received',
-  group = 'header',
+  group = 'headers',
 }
 
 local prio_cb_id = rspamd_config:register_symbol {
@@ -141,7 +141,7 @@ rspamd_config:register_symbol{
   parent = prio_cb_id,
   type = 'virtual',
   description = 'Priority 0',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'HAS_X_PRIO_ONE',
@@ -149,7 +149,7 @@ rspamd_config:register_symbol{
   parent = prio_cb_id,
   type = 'virtual',
   description = 'Priority 1',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'HAS_X_PRIO_TWO',
@@ -157,7 +157,7 @@ rspamd_config:register_symbol{
   parent = prio_cb_id,
   type = 'virtual',
   description = 'Priority 2',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'HAS_X_PRIO_THREE',
@@ -165,7 +165,7 @@ rspamd_config:register_symbol{
   parent = prio_cb_id,
   type = 'virtual',
   description = 'Priority 3-4',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'HAS_X_PRIO_FIVE',
@@ -173,7 +173,7 @@ rspamd_config:register_symbol{
   parent = prio_cb_id,
   type = 'virtual',
   description = 'Priority 5+',
-  group = 'header',
+  group = 'headers',
 }
 
 local function get_raw_header(task, name)
@@ -237,7 +237,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Reply-To header could not be parsed',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'HAS_REPLYTO',
@@ -245,7 +245,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Has Reply-To header',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'REPLYTO_EQ_FROM',
@@ -253,7 +253,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Reply-To header is identical to From header',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'REPLYTO_ADDR_EQ_FROM',
@@ -261,7 +261,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Reply-To header is identical to SMTP From',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'REPLYTO_DOM_EQ_FROM_DOM',
@@ -269,7 +269,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Reply-To domain matches the From domain',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'REPLYTO_DOM_NEQ_FROM_DOM',
@@ -277,7 +277,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Reply-To domain does not match the From domain',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'REPLYTO_DN_EQ_FROM_DN',
@@ -285,7 +285,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Reply-To display name matches From',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'REPLYTO_EMAIL_HAS_TITLE',
@@ -293,7 +293,7 @@ rspamd_config:register_symbol{
   parent = check_replyto_id,
   type = 'virtual',
   description = 'Reply-To header has title',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_dependency(check_replyto_id, 'FROM_NAME_HAS_TITLE')
 
@@ -359,7 +359,7 @@ rspamd_config:register_symbol{
   parent = check_mime_id,
   type = 'virtual',
   description = 'MIME-Version header is missing',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'MIME_MA_MISSING_TEXT',
@@ -367,7 +367,7 @@ rspamd_config:register_symbol{
   parent = check_mime_id,
   type = 'virtual',
   description = 'MIME multipart/alternative missing text/plain part',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'MIME_MA_MISSING_HTML',
@@ -375,7 +375,7 @@ rspamd_config:register_symbol{
   parent = check_mime_id,
   type = 'virtual',
   description = 'MIME multipart/alternative missing text/html part',
-  group = 'header',
+  group = 'headers',
 }
 
 -- Used to be called IS_LIST
@@ -405,7 +405,7 @@ rspamd_config.BROKEN_HEADERS = {
     return task:has_flag('broken_headers')
   end,
   score = 10.0,
-  group = 'header',
+  group = 'headers',
   description = 'Headers structure is likely broken'
 }
 
@@ -415,7 +415,7 @@ rspamd_config.BROKEN_CONTENT_TYPE = {
       task:get_parts())
   end,
   score = 1.5,
-  group = 'header',
+  group = 'headers',
   description = 'Message has part with broken content type'
 }
 
@@ -444,7 +444,7 @@ rspamd_config.HEADER_RCONFIRM_MISMATCH = {
   end,
 
   score = 2.0,
-  group = 'header',
+  group = 'headers',
   description = 'Read confirmation address is different to from address'
 }
 
@@ -477,7 +477,7 @@ rspamd_config.HEADER_FORGED_MDN = {
   end,
 
   score = 2.0,
-  group = 'header',
+  group = 'headers',
   description = 'Read confirmation address is different to return path'
 }
 
@@ -520,7 +520,8 @@ rspamd_config.MULTIPLE_UNIQUE_HEADERS = {
   end,
 
   score = 5.0,
-  group = 'header',
+  group = 'headers',
+  one_shot = true,
   description = 'Repeated unique headers'
 }
 
@@ -533,7 +534,7 @@ rspamd_config.MISSING_FROM = {
     return false
   end,
   score = 2.0,
-  group = 'header',
+  group = 'headers',
   description = 'Missing From: header'
 }
 rspamd_config.MV_CASE = {
@@ -542,7 +543,8 @@ rspamd_config.MV_CASE = {
     if (mv) then return true end
   end,
   description = 'Mime-Version .vs. MIME-Version',
-  score = 0.5
+  score = 0.5,
+  group = 'headers',
 }
 
 rspamd_config.FAKE_REPLY = {
@@ -556,7 +558,8 @@ rspamd_config.FAKE_REPLY = {
     return false
   end,
   description = 'Fake reply',
-  score = 1.0
+  score = 1.0,
+  group = 'headers'
 }
 
 local check_from_id = rspamd_config:register_symbol{
@@ -612,7 +615,7 @@ local check_from_id = rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'FROM_NO_DN',
   score = 0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'From header does not have a display name',
@@ -620,7 +623,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'FROM_DN_EQ_ADDR',
   score = 1.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'From header display name is the same as the address',
@@ -628,7 +631,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'FROM_HAS_DN',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'From header has a display name',
@@ -636,7 +639,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'FROM_NAME_EXCESS_SPACE',
   score = 1.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'From header display name contains excess whitespace',
@@ -644,7 +647,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'FROM_NAME_HAS_TITLE',
   score = 1.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'From header display name has a title (Mr/Mrs/Dr)',
@@ -652,7 +655,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'FROM_EQ_ENVFROM',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'From address is the same as the envelope',
@@ -660,7 +663,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'FROM_NEQ_ENVFROM',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'From address is different to the envelope',
@@ -668,7 +671,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_EQ_FROM',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'To address matches the From address',
@@ -676,7 +679,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_DOM_EQ_FROM_DOM',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_from_id,
   type = 'virtual',
   description = 'To domain is the same as the From domain',
@@ -761,7 +764,7 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'No recipients',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCPT_COUNT_ONE',
@@ -769,7 +772,7 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'One recipient',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCPT_COUNT_TWO',
@@ -777,7 +780,7 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'Two recipients',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCPT_COUNT_THREE',
@@ -785,7 +788,7 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = '3-5 recipients',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCPT_COUNT_FIVE',
@@ -793,7 +796,7 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = '5-7 recipients',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCPT_COUNT_SEVEN',
@@ -801,7 +804,7 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = '7-11 recipients',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCPT_COUNT_TWELVE',
@@ -809,7 +812,7 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = '12-50 recipients',
-  group = 'header',
+  group = 'headers',
 }
 rspamd_config:register_symbol{
   name = 'RCPT_COUNT_GT_50',
@@ -817,13 +820,13 @@ rspamd_config:register_symbol{
   parent = check_to_cc_id,
   type = 'virtual',
   description = '50+ recipients',
-  group = 'header',
+  group = 'headers',
 }
 
 rspamd_config:register_symbol{
   name = 'TO_DN_RECIPIENTS',
   score = 2.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'To header display name is "Recipients"',
@@ -831,7 +834,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_DN_NONE',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'None of the recipients have display names',
@@ -839,7 +842,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_DN_ALL',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'All the recipients have display names',
@@ -847,7 +850,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_DN_SOME',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'Some of the recipients have display names',
@@ -855,7 +858,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_DN_EQ_ADDR_ALL',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'All of the recipients have display names that are the same as their address',
@@ -863,7 +866,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_DN_EQ_ADDR_SOME',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'Some of the recipients have display names that are the same as their address',
@@ -871,7 +874,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_MATCH_ENVRCPT_ALL',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'All of the recipients match the envelope',
@@ -879,7 +882,7 @@ rspamd_config:register_symbol{
 rspamd_config:register_symbol{
   name = 'TO_MATCH_ENVRCPT_SOME',
   score = 0.0,
-  group = 'header',
+  group = 'headers',
   parent = check_to_cc_id,
   type = 'virtual',
   description = 'Some of the recipients match the envelope',
@@ -907,7 +910,7 @@ rspamd_config.CTYPE_MISSING_DISPOSITION = {
   end,
   description = 'Binary content-type not specified as an attachment',
   score = 4.0,
-  group = 'header'
+  group = 'headers'
 }
 
 rspamd_config.CTYPE_MIXED_BOGUS = {

rules/html.lua

@@ -20,7 +20,7 @@ reconf['MIME_HTML_ONLY'] = {
   re = 'has_only_html_part()',
   score = 0.2,
   description = 'Messages that have only HTML part',
-  group = 'header'
+  group = 'headers'
 }
 
 local function check_html_image(task, min, max)

rules/misc.lua

@@ -65,7 +65,7 @@ rspamd_config.MISSING_DATE = {
   end,
   score = 1.0,
   description = 'Message date is missing',
-  group = 'date'
+  group = 'headers'
 }
 
 rspamd_config.DATE_IN_FUTURE = {
@@ -80,7 +80,7 @@ rspamd_config.DATE_IN_FUTURE = {
   end,
   score = 4.0,
   description = 'Message date is in future',
-  group = 'date'
+  group = 'headers'
 }
 
 rspamd_config.DATE_IN_PAST = {
@@ -95,7 +95,7 @@ rspamd_config.DATE_IN_PAST = {
   end,
   score = 1.0,
   description = 'Message date is in past',
-  group = 'date'
+  group = 'headers'
 }
 
 rspamd_config.R_SUSPICIOUS_URL = {
@@ -157,7 +157,7 @@ rspamd_config.ENVFROM_PRVS = {
   end,
   score = 0.0,
   description = "Envelope From is a PRVS address that matches the From address",
-  group = 'prvs'
+  group = 'headers'
 }
 
 rspamd_config.ENVFROM_VERP = {
@@ -185,7 +185,7 @@ rspamd_config.ENVFROM_VERP = {
   end,
   score = 0.0,
   description = "Envelope From is a VERP address",
-  group = "mailing_list"
+  group = "headers"
 }
 
 local check_rcvd = rspamd_config:register_symbol{
@@ -232,7 +232,7 @@ rspamd_config:register_symbol{
   name = 'RCVD_TLS_ALL',
   description = 'All hops used encrypted transports',
   score = 0.0,
-  group = 'encryption'
+  group = 'headers'
 }
 
 rspamd_config:register_symbol{
@@ -241,7 +241,7 @@ rspamd_config:register_symbol{
   name = 'RCVD_TLS_LAST',
   description = 'Last hop used encrypted transports',
   score = 0.0,
-  group = 'encryption'
+  group = 'headers'
 }
 
 rspamd_config:register_symbol{
@@ -250,7 +250,7 @@ rspamd_config:register_symbol{
   name = 'RCVD_NO_TLS_LAST',
   description = 'Last hop did not use encrypted transports',
   score = 0.0,
-  group = 'encryption'
+  group = 'headers'
 }
 
 rspamd_config:register_symbol{
@@ -260,7 +260,7 @@ rspamd_config:register_symbol{
   -- NB This does not mean sender was authenticated; see task:get_user()
   description = 'Authenticated hand-off was seen in Received headers',
   score = 0.0,
-  group = 'authentication'
+  group = 'headers'
 }
 
 rspamd_config.RCVD_HELO_USER = {
@@ -280,6 +280,7 @@ rspamd_config.RCVD_HELO_USER = {
     end
   end,
   description = 'HELO User spam pattern',
+  group = 'headers',
   score = 3.0
 }
 
@@ -298,7 +299,8 @@ rspamd_config.URI_COUNT_ODD = {
     end
   end,
   description = 'Odd number of URIs in multipart/alternative message',
-  score = 1.0
+  score = 1.0,
+  group = 'url',
 }
 
 rspamd_config.HAS_ATTACHMENT = {
@@ -313,7 +315,8 @@ rspamd_config.HAS_ATTACHMENT = {
       end
     end
   end,
-  description = 'Message contains attachments'
+  description = 'Message contains attachments',
+  group = 'body',
 }
 
 -- Requires freemail maps loaded in multimap
@@ -332,7 +335,8 @@ local freemail_reply_neq_from_id = rspamd_config:register_symbol({
   name = 'FREEMAIL_REPLYTO_NEQ_FROM_DOM',
   callback = freemail_reply_neq_from,
   description = 'Freemail From and Reply-To, but to different Freemail services',
-  score = 3.0
+  score = 3.0,
+  group = 'headers',
 })
 rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_REPLYTO')
 rspamd_config:register_dependency(freemail_reply_neq_from_id, 'FREEMAIL_FROM')
@@ -379,6 +383,7 @@ rspamd_config.OMOGRAPH_URL = {
     return false
   end,
   score = 5.0,
+  group = 'url',
   description = 'Url contains both latin and non-latin characters'
 }
 
@@ -404,7 +409,9 @@ rspamd_config.URL_IN_SUBJECT = {
     return false
   end,
   score = 4.0,
+  group = 'subject',
   description = 'Url found in Subject'
+
 }
 
 local aliases_id = rspamd_config:register_symbol{
@@ -453,6 +460,7 @@ local aliases_id = rspamd_config:register_symbol{
   end,
   priority = 150,
   description = 'Removes plus aliases from the email',
+  group = 'headers',
 }
 
 rspamd_config:register_symbol{
@@ -460,6 +468,7 @@ rspamd_config:register_symbol{
   parent = aliases_id,
   name = 'TAGGED_RCPT',
   description = 'SMTP recipients have plus tags',
+  group = 'headers',
   score = 0,
 }
 rspamd_config:register_symbol{
@@ -467,6 +476,7 @@ rspamd_config:register_symbol{
   parent = aliases_id,
   name = 'TAGGED_FROM',
   description = 'SMTP from has plus tags',
+  group = 'headers',
   score = 0,
 }
 
@@ -513,6 +523,7 @@ rspamd_config:register_symbol{
   parent = check_from_display_name,
   name = 'SPOOF_DISPLAY_NAME',
   description = 'Display name is being used to spoof and trick the recipient',
+  group = 'headers',
   score = 8,
 }
 
@@ -520,6 +531,7 @@ rspamd_config:register_symbol{
   type = 'virtual',
   parent = check_from_display_name,
   name = 'FROM_NEQ_DISPLAY_NAME',
+  group = 'headers',
   description = 'Display name contains an email address different to the From address',
   score = 4,
 }
@@ -562,6 +574,7 @@ rspamd_config.SPOOF_REPLYTO = {
     end
     return false
   end,
+  group = 'headers',
   description = 'Reply-To is being used to spoof and trick the recipient to send an off-domain reply',
   score = 6.0
 }
@@ -586,6 +599,7 @@ rspamd_config.INFO_TO_INFO_LU = {
     return false
   end,
   description = 'info@ From/To address with List-Unsubscribe headers',
+  group = 'headers',
   score = 2.0
 }
 
@@ -618,5 +632,5 @@ rspamd_config.R_BAD_CTE_7BIT = {
   end,
   score = 3.5,
   description = 'Detects bad content-transfer-encoding for text parts',
-  group = 'header'
+  group = 'headers'
 }

rules/regexp/compromised_hosts.lua

@@ -93,12 +93,14 @@ reconf['X_PHP_EVAL'] = {
 reconf['HAS_WP_URI'] = {
   re = '/\\/wp-[^\\/]+\\//Ui',
   description = "Contains WordPress URIs",
+  one_shot = true,
   group = "compromised_hosts"
 }
 
 reconf['WP_COMPROMISED'] = {
   re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
   description = "URL that is pointing to a compromised WordPress installation",
+  one_shot = true,
   group = "compromised_hosts"
 }
 
@@ -140,6 +142,7 @@ reconf['URI_HIDDEN_PATH'] = {
   re = "/\\/\\..+/U",
   description = "URL contains a UNIX hidden file/directory",
   score = 1.0,
+  one_shot = true,
   group = "compromised_hosts"
 }
 

rules/regexp/misc.lua

@@ -22,6 +22,7 @@ reconf['HTML_META_REFRESH_URL'] = {
   re = '/<meta\\s+http-equiv="refresh"\\s+content="\\d+\\s*;\\s*url=/{sa_raw_body}i',
   description = "Has HTML Meta refresh URL",
   score = 5.0,
+  one_shot = true,
   group = 'HTML'
 }
 
@@ -29,7 +30,8 @@ reconf['HAS_DATA_URI'] = {
   -- Requires options { check_attachements = true; }
   re = '/data:[^\\/]+\\/[^; ]+;base64,/{sa_raw_body}i',
   description = "Has Data URI encoding",
-  group = 'HTML'
+  group = 'HTML',
+  one_shot = true,
 }
 
 reconf['DATA_URI_OBFU'] = {
@@ -37,6 +39,7 @@ reconf['DATA_URI_OBFU'] = {
   re = '/data:text\\/(?:plain|html);base64,/{sa_raw_body}i',
   description = "Uses Data URI encoding to obfuscate plain or HTML in base64",
   group = 'HTML',
+  one_shot = true,
   score = 2.0
 }
 
@@ -44,6 +47,7 @@ reconf['INTRODUCTION'] = {
   re = '/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(?:\\.|\\b))/{sa_body}i',
   description = "Sender introduces themselves",
   score = 2.0,
+  one_shot = true,
   group = 'scams'
 }