spamscanner 6.0.1 → 6.1.0

package/dist/esm/index.js

@@ -34,14 +34,14 @@ var replacements_exports = {};
 __export(replacements_exports, {
   default: () => replacements_default
 });
-import { debuglog } from "node:util";
+import { debuglog as debuglog5 } from "node:util";
 import { readFileSync } from "node:fs";
 import cryptoRandomString from "crypto-random-string";
-var debug, randomOptions, replacements, replacements_default;
+var debug5, randomOptions, replacements, replacements_default;
 var init_replacements = __esm({
   "replacements.js"() {
     init_replacement_words();
-    debug = debuglog("spamscanner");
+    debug5 = debuglog5("spamscanner");
     randomOptions = {
       length: 10,
       characters: "abcdefghijklmnopqrstuvwxyz"
@@ -50,7 +50,7 @@ var init_replacements = __esm({
     try {
       replacements = JSON.parse(readFileSync("./replacements.json", "utf8"));
     } catch (error) {
-      debug(error);
+      debug5(error);
       for (const replacement of replacement_words_default) {
         replacements[replacement] = `${replacement}${cryptoRandomString(randomOptions)}`;
       }
@@ -64,18 +64,18 @@ var get_classifier_exports = {};
 __export(get_classifier_exports, {
   default: () => get_classifier_default
 });
-import { debuglog as debuglog2 } from "node:util";
+import { debuglog as debuglog6 } from "node:util";
 import { readFileSync as readFileSync2 } from "node:fs";
 import NaiveBayes from "@ladjs/naivebayes";
-var debug2, classifier, get_classifier_default;
+var debug6, classifier, get_classifier_default;
 var init_get_classifier = __esm({
   "get-classifier.js"() {
-    debug2 = debuglog2("spamscanner");
+    debug6 = debuglog6("spamscanner");
     classifier = new NaiveBayes().toJsonObject();
     try {
       classifier = JSON.parse(readFileSync2("./classifier.json", "utf8"));
     } catch (error) {
-      debug2(error);
+      debug6(error);
     }
     get_classifier_default = classifier;
   }
@@ -520,11 +520,12 @@ var init_enhanced_idn_detector = __esm({
 });
 
 // src/index.js
+import { Buffer as Buffer3 } from "node:buffer";
 import fs from "node:fs";
 import path from "node:path";
 import process from "node:process";
 import { createHash as createHash2 } from "node:crypto";
-import { debuglog as debuglog3 } from "node:util";
+import { debuglog as debuglog7 } from "node:util";
 import { fileURLToPath } from "node:url";
 import autoBind from "auto-bind";
 import AFHConvert from "ascii-fullwidth-halfwidth-convert";
@@ -555,6 +556,1446 @@ import sw from "stopword";
 import urlRegexSafe from "url-regex-safe";
 import { simpleParser } from "mailparser";
 import { fileTypeFromBuffer } from "file-type";
+
+// src/auth.js
+import { Buffer as Buffer2 } from "node:buffer";
+import { debuglog } from "node:util";
+import dns from "node:dns";
+var debug = debuglog("spamscanner:auth");
+var mailauth;
+var getMailauth = async () => {
+  mailauth ||= await import("mailauth");
+  return mailauth;
+};
+var createResolver = (timeout = 1e4) => {
+  const resolver = new dns.promises.Resolver();
+  resolver.setServers(["8.8.8.8", "1.1.1.1"]);
+  return async (name, type) => {
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), timeout);
+      let result;
+      switch (type) {
+        case "TXT": {
+          result = await resolver.resolveTxt(name);
+          result = result.map((r) => Array.isArray(r) ? r.join("") : r);
+          break;
+        }
+        case "MX": {
+          result = await resolver.resolveMx(name);
+          break;
+        }
+        case "A": {
+          result = await resolver.resolve4(name);
+          break;
+        }
+        case "AAAA": {
+          result = await resolver.resolve6(name);
+          break;
+        }
+        case "PTR": {
+          result = await resolver.resolvePtr(name);
+          break;
+        }
+        case "CNAME": {
+          result = await resolver.resolveCname(name);
+          break;
+        }
+        default: {
+          result = await resolver.resolve(name, type);
+        }
+      }
+      clearTimeout(timeoutId);
+      return result;
+    } catch (error) {
+      debug("DNS lookup failed for %s %s: %s", type, name, error.message);
+      throw error;
+    }
+  };
+};
+async function authenticate(message, options = {}) {
+  const {
+    ip,
+    helo,
+    mta,
+    sender,
+    resolver = createResolver(options.timeout || 1e4)
+  } = options;
+  const defaultResult = {
+    dkim: {
+      results: [],
+      status: { result: "none", comment: "No DKIM signature found" }
+    },
+    spf: {
+      status: { result: "none", comment: "SPF check not performed" },
+      domain: null
+    },
+    dmarc: {
+      status: { result: "none", comment: "DMARC check not performed" },
+      policy: null,
+      domain: null
+    },
+    arc: {
+      status: { result: "none", comment: "No ARC chain found" },
+      chain: []
+    },
+    bimi: {
+      status: { result: "none", comment: "No BIMI record found" },
+      location: null,
+      authority: null
+    },
+    receivedChain: [],
+    headers: {}
+  };
+  if (!ip) {
+    debug("No IP address provided, skipping authentication");
+    return defaultResult;
+  }
+  try {
+    const { authenticate: mailauthAuthenticate } = await getMailauth();
+    const messageBuffer = Buffer2.isBuffer(message) ? message : Buffer2.from(message);
+    const authResult = await mailauthAuthenticate(messageBuffer, {
+      ip,
+      helo: helo || "unknown",
+      mta: mta || "spamscanner",
+      sender,
+      resolver
+    });
+    debug("Authentication result: %o", authResult);
+    return {
+      dkim: normalizeResult(authResult.dkim, "dkim"),
+      spf: normalizeResult(authResult.spf, "spf"),
+      dmarc: normalizeResult(authResult.dmarc, "dmarc"),
+      arc: normalizeResult(authResult.arc, "arc"),
+      bimi: normalizeResult(authResult.bimi, "bimi"),
+      receivedChain: authResult.receivedChain || [],
+      headers: authResult.headers || {}
+    };
+  } catch (error) {
+    debug("Authentication failed: %s", error.message);
+    return defaultResult;
+  }
+}
+function normalizeResult(result, type) {
+  if (!result) {
+    return {
+      status: { result: "none", comment: `No ${type.toUpperCase()} result` }
+    };
+  }
+  switch (type) {
+    case "dkim": {
+      return {
+        results: result.results || [],
+        status: result.status || { result: "none", comment: "No DKIM signature found" }
+      };
+    }
+    case "spf": {
+      return {
+        status: result.status || { result: "none", comment: "SPF check not performed" },
+        domain: result.domain || null,
+        explanation: result.explanation || null
+      };
+    }
+    case "dmarc": {
+      return {
+        status: result.status || { result: "none", comment: "DMARC check not performed" },
+        policy: result.policy || null,
+        domain: result.domain || null,
+        p: result.p || null,
+        sp: result.sp || null,
+        pct: result.pct || null
+      };
+    }
+    case "arc": {
+      return {
+        status: result.status || { result: "none", comment: "No ARC chain found" },
+        chain: result.chain || [],
+        i: result.i || null
+      };
+    }
+    case "bimi": {
+      return {
+        status: result.status || { result: "none", comment: "No BIMI record found" },
+        location: result.location || null,
+        authority: result.authority || null,
+        selector: result.selector || null
+      };
+    }
+    default: {
+      return result;
+    }
+  }
+}
+function calculateAuthScore(authResult, weights = {}) {
+  const defaultWeights = {
+    dkimPass: -2,
+    // Reduce spam score if DKIM passes
+    dkimFail: 3,
+    // Increase spam score if DKIM fails
+    spfPass: -1,
+    spfFail: 2,
+    spfSoftfail: 1,
+    dmarcPass: -2,
+    dmarcFail: 4,
+    arcPass: -1,
+    arcFail: 1,
+    ...weights
+  };
+  let score = 0;
+  const tests = [];
+  const dkimResult = authResult.dkim?.status?.result;
+  if (dkimResult === "pass") {
+    score += defaultWeights.dkimPass;
+    tests.push(`DKIM_PASS(${defaultWeights.dkimPass})`);
+  } else if (dkimResult === "fail") {
+    score += defaultWeights.dkimFail;
+    tests.push(`DKIM_FAIL(${defaultWeights.dkimFail})`);
+  }
+  const spfResult = authResult.spf?.status?.result;
+  switch (spfResult) {
+    case "pass": {
+      score += defaultWeights.spfPass;
+      tests.push(`SPF_PASS(${defaultWeights.spfPass})`);
+      break;
+    }
+    case "fail": {
+      score += defaultWeights.spfFail;
+      tests.push(`SPF_FAIL(${defaultWeights.spfFail})`);
+      break;
+    }
+    case "softfail": {
+      score += defaultWeights.spfSoftfail;
+      tests.push(`SPF_SOFTFAIL(${defaultWeights.spfSoftfail})`);
+      break;
+    }
+  }
+  const dmarcResult = authResult.dmarc?.status?.result;
+  if (dmarcResult === "pass") {
+    score += defaultWeights.dmarcPass;
+    tests.push(`DMARC_PASS(${defaultWeights.dmarcPass})`);
+  } else if (dmarcResult === "fail") {
+    score += defaultWeights.dmarcFail;
+    tests.push(`DMARC_FAIL(${defaultWeights.dmarcFail})`);
+  }
+  const arcResult = authResult.arc?.status?.result;
+  if (arcResult === "pass") {
+    score += defaultWeights.arcPass;
+    tests.push(`ARC_PASS(${defaultWeights.arcPass})`);
+  } else if (arcResult === "fail") {
+    score += defaultWeights.arcFail;
+    tests.push(`ARC_FAIL(${defaultWeights.arcFail})`);
+  }
+  return {
+    score,
+    tests,
+    details: {
+      dkim: dkimResult || "none",
+      spf: spfResult || "none",
+      dmarc: dmarcResult || "none",
+      arc: arcResult || "none"
+    }
+  };
+}
+function formatAuthResultsHeader(authResult, hostname = "spamscanner") {
+  const parts = [hostname];
+  if (authResult.dkim?.status?.result) {
+    const dkimResult = authResult.dkim.status.result;
+    let dkimPart = `dkim=${dkimResult}`;
+    if (authResult.dkim.results?.[0]?.signingDomain) {
+      dkimPart += ` header.d=${authResult.dkim.results[0].signingDomain}`;
+    }
+    parts.push(dkimPart);
+  }
+  if (authResult.spf?.status?.result) {
+    let spfPart = `spf=${authResult.spf.status.result}`;
+    if (authResult.spf.domain) {
+      spfPart += ` smtp.mailfrom=${authResult.spf.domain}`;
+    }
+    parts.push(spfPart);
+  }
+  if (authResult.dmarc?.status?.result) {
+    let dmarcPart = `dmarc=${authResult.dmarc.status.result}`;
+    if (authResult.dmarc.domain) {
+      dmarcPart += ` header.from=${authResult.dmarc.domain}`;
+    }
+    parts.push(dmarcPart);
+  }
+  if (authResult.arc?.status?.result) {
+    parts.push(`arc=${authResult.arc.status.result}`);
+  }
+  return parts.join(";\n	");
+}
+
+// src/reputation.js
+import { debuglog as debuglog2 } from "node:util";
+var debug2 = debuglog2("spamscanner:reputation");
+var DEFAULT_API_URL = "https://api.forwardemail.net/v1/reputation";
+var cache = /* @__PURE__ */ new Map();
+var CACHE_TTL = 5 * 60 * 1e3;
+async function checkReputation(value, options = {}) {
+  const {
+    apiUrl = DEFAULT_API_URL,
+    timeout = 1e4
+  } = options;
+  if (!value || typeof value !== "string") {
+    return {
+      isTruthSource: false,
+      truthSourceValue: null,
+      isAllowlisted: false,
+      allowlistValue: null,
+      isDenylisted: false,
+      denylistValue: null
+    };
+  }
+  const cacheKey = `${apiUrl}:${value}`;
+  const cached = cache.get(cacheKey);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    debug2("Cache hit for %s", value);
+    return cached.result;
+  }
+  try {
+    const url = new URL(apiUrl);
+    url.searchParams.set("q", value);
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    const response = await fetch(url.toString(), {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        "User-Agent": "SpamScanner/6.0"
+      },
+      signal: controller.signal
+    });
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      debug2("API returned status %d for %s", response.status, value);
+      return {
+        isTruthSource: false,
+        truthSourceValue: null,
+        isAllowlisted: false,
+        allowlistValue: null,
+        isDenylisted: false,
+        denylistValue: null
+      };
+    }
+    const result = await response.json();
+    const normalizedResult = {
+      isTruthSource: Boolean(result.isTruthSource),
+      truthSourceValue: result.truthSourceValue || null,
+      isAllowlisted: Boolean(result.isAllowlisted),
+      allowlistValue: result.allowlistValue || null,
+      isDenylisted: Boolean(result.isDenylisted),
+      denylistValue: result.denylistValue || null
+    };
+    cache.set(cacheKey, {
+      result: normalizedResult,
+      timestamp: Date.now()
+    });
+    debug2("Reputation check for %s: %o", value, normalizedResult);
+    return normalizedResult;
+  } catch (error) {
+    debug2("Reputation check failed for %s: %s", value, error.message);
+    return {
+      isTruthSource: false,
+      truthSourceValue: null,
+      isAllowlisted: false,
+      allowlistValue: null,
+      isDenylisted: false,
+      denylistValue: null
+    };
+  }
+}
+async function checkReputationBatch(values, options = {}) {
+  const uniqueValues = [...new Set(values.filter(Boolean))];
+  const results = await Promise.all(uniqueValues.map(async (value) => {
+    const result = await checkReputation(value, options);
+    return [value, result];
+  }));
+  return new Map(results);
+}
+function aggregateReputationResults(results) {
+  const aggregated = {
+    isTruthSource: false,
+    truthSourceValue: null,
+    isAllowlisted: false,
+    allowlistValue: null,
+    isDenylisted: false,
+    denylistValue: null
+  };
+  for (const result of results) {
+    if (result.isTruthSource) {
+      aggregated.isTruthSource = true;
+      aggregated.truthSourceValue ||= result.truthSourceValue;
+    }
+    if (result.isAllowlisted) {
+      aggregated.isAllowlisted = true;
+      aggregated.allowlistValue ||= result.allowlistValue;
+    }
+    if (result.isDenylisted) {
+      aggregated.isDenylisted = true;
+      aggregated.denylistValue ||= result.denylistValue;
+    }
+  }
+  return aggregated;
+}
+
+// src/is-arbitrary.js
+import { debuglog as debuglog3 } from "node:util";
+var debug3 = debuglog3("spamscanner:arbitrary");
+var BLOCKED_PHRASES_PATTERN = /cheecck y0ur acc0untt|recorded you|you've been hacked|account is hacked|personal data has leaked|private information has been stolen/im;
+var SYSADMIN_SUBJECT_PATTERN = /please moderate|mdadm monitoring|weekly report|wordfence|wordpress|wpforms|docker|graylog|digest|event notification|package update manager|event alert|system events|monit alert|ping|monitor|cron|yum|sendmail|exim|backup|logwatch|unattended-upgrades/im;
+var SPAM_PATTERNS = {
+  // Subject line patterns
+  subjectPatterns: [
+    // Urgency patterns
+    /\b(urgent|immediate|action required|act now|limited time|expires?|deadline)\b/i,
+    // Money patterns
+    /\b(free|winner|won|prize|lottery|million|billion|cash|money|investment|profit)\b/i,
+    // Phishing patterns
+    /\b(verify|confirm|update|suspend|locked|unusual activity|security alert)\b/i,
+    // Adult content
+    /\b(viagra|cialis|pharmacy|pills|medication|prescription)\b/i,
+    // Crypto spam
+    /\b(bitcoin|crypto|btc|eth|nft|blockchain|wallet)\b/i
+  ],
+  // Body patterns
+  bodyPatterns: [
+    // Nigerian prince / advance fee fraud
+    /\b(nigerian?|prince|inheritance|beneficiary|next of kin|deceased|unclaimed)\b/i,
+    // Lottery scams
+    /\b(congratulations.*won|you have been selected|claim your prize)\b/i,
+    // Phishing
+    /\b(click here to verify|confirm your identity|update your account|suspended.*account)\b/i,
+    // Urgency
+    /\b(act now|limited time offer|expires in \d+|only \d+ left)\b/i,
+    // Financial scams
+    /\b(wire transfer|western union|moneygram|bank transfer|routing number)\b/i,
+    // Adult/pharma spam
+    /\b(enlarge|enhancement|erectile|dysfunction|weight loss|diet pills)\b/i
+  ],
+  // Suspicious sender patterns
+  senderPatterns: [
+    // Random numbers in email
+    /^[a-z]+\d{4,}@/i,
+    // Very long local parts
+    /^.{30,}@/,
+    // Suspicious domains
+    /@.*(\.ru|\.cn|\.tk|\.ml|\.ga|\.cf|\.gq)$/i,
+    // Numeric domains
+    /@(?:\d+\.){3}\d+/
+  ]
+};
+var SUSPICIOUS_TLDS = /* @__PURE__ */ new Set([
+  "tk",
+  "ml",
+  "ga",
+  "cf",
+  "gq",
+  // Free TLDs often abused
+  "xyz",
+  "top",
+  "wang",
+  "win",
+  "bid",
+  "loan",
+  "click",
+  "link",
+  "work",
+  "date",
+  "racing",
+  "download",
+  "stream",
+  "trade"
+]);
+var SPAM_KEYWORDS = /* @__PURE__ */ new Map([
+  ["free", 1],
+  ["winner", 2],
+  ["prize", 2],
+  ["lottery", 3],
+  ["urgent", 1],
+  ["act now", 2],
+  ["limited time", 1],
+  ["click here", 1],
+  ["unsubscribe", -1],
+  // Legitimate emails often have this
+  ["verify your account", 2],
+  ["suspended", 2],
+  ["inheritance", 3],
+  ["million dollars", 3],
+  ["wire transfer", 3],
+  ["western union", 3],
+  ["nigerian", 3],
+  ["prince", 2],
+  ["beneficiary", 2],
+  ["congratulations", 1],
+  ["selected", 1],
+  ["viagra", 3],
+  ["cialis", 3],
+  ["pharmacy", 2],
+  ["bitcoin", 1],
+  ["crypto", 1],
+  ["investment opportunity", 2],
+  ["guaranteed", 1],
+  ["risk free", 2],
+  ["no obligation", 1],
+  ["dear friend", 2],
+  ["dear customer", 1],
+  ["dear user", 1]
+]);
+var PAYPAL_SPAM_TYPE_IDS = /* @__PURE__ */ new Set(["PPC001017", "RT000238", "RT000542", "RT002947"]);
+var MS_SPAM_CATEGORIES = {
+  // High-confidence threats (highest priority)
+  highConfidence: ["cat:malw", "cat:hphsh", "cat:hphish", "cat:hspm"],
+  // Impersonation attempts
+  impersonation: ["cat:bimp", "cat:dimp", "cat:gimp", "cat:uimp"],
+  // Phishing and spoofing
+  phishingAndSpoofing: ["cat:phsh", "cat:spoof"],
+  // Spam classifications
+  spam: ["cat:ospm", "cat:spm"]
+};
+var MS_SPAM_VERDICTS = ["sfv:spm", "sfv:skb", "sfv:sks"];
+function isArbitrary(parsed, options = {}) {
+  const {
+    threshold = 5,
+    checkSubject = true,
+    checkBody = true,
+    checkSender = true,
+    checkHeaders = true,
+    checkLinks = true,
+    checkMicrosoftHeaders = true,
+    checkVendorSpam = true,
+    checkSpoofing = true,
+    session = {}
+  } = options;
+  const reasons = [];
+  let score = 0;
+  let category = null;
+  const getHeader = (name) => {
+    if (parsed.headers?.get) {
+      return parsed.headers.get(name);
+    }
+    if (parsed.headerLines) {
+      const header = parsed.headerLines.find((h) => h.key.toLowerCase() === name.toLowerCase());
+      return header?.line?.split(":").slice(1).join(":").trim();
+    }
+    return null;
+  };
+  const subject = parsed.subject || getHeader("subject") || "";
+  const from = parsed.from?.value?.[0]?.address || parsed.from?.text || getHeader("from") || "";
+  const sessionInfo = buildSessionInfo(parsed, session, getHeader);
+  if (subject && BLOCKED_PHRASES_PATTERN.test(subject)) {
+    reasons.push("BLOCKED_PHRASE_IN_SUBJECT");
+    score += 10;
+    category = "SPAM";
+  }
+  if (checkMicrosoftHeaders) {
+    const msResult = checkMicrosoftExchangeHeaders(getHeader, sessionInfo);
+    if (msResult.blocked) {
+      reasons.push(...msResult.reasons);
+      score += msResult.score;
+      category = msResult.category || category;
+    }
+  }
+  if (checkVendorSpam) {
+    const vendorResult = checkVendorSpam_(parsed, sessionInfo, getHeader, subject, from);
+    if (vendorResult.blocked) {
+      reasons.push(...vendorResult.reasons);
+      score += vendorResult.score;
+      category = vendorResult.category || category;
+    }
+  }
+  if (checkSpoofing) {
+    const spoofResult = checkSpoofingAttacks(parsed, sessionInfo, getHeader, subject);
+    if (spoofResult.blocked) {
+      reasons.push(...spoofResult.reasons);
+      score += spoofResult.score;
+      category = spoofResult.category || category;
+    }
+  }
+  if (checkSubject && subject) {
+    const subjectResult = checkSubjectLine(subject);
+    score += subjectResult.score;
+    reasons.push(...subjectResult.reasons);
+  }
+  if (checkBody) {
+    const bodyText = parsed.text || "";
+    const bodyHtml = parsed.html || "";
+    const bodyResult = checkBodyContent(bodyText, bodyHtml);
+    score += bodyResult.score;
+    reasons.push(...bodyResult.reasons);
+  }
+  if (checkSender) {
+    const replyTo = parsed.replyTo?.value?.[0]?.address || parsed.replyTo?.text || "";
+    const senderResult = checkSenderPatterns(from, replyTo);
+    score += senderResult.score;
+    reasons.push(...senderResult.reasons);
+  }
+  if (checkHeaders) {
+    const headerResult = checkHeaderAnomalies(parsed, getHeader);
+    score += headerResult.score;
+    reasons.push(...headerResult.reasons);
+  }
+  if (checkLinks) {
+    const bodyHtml = parsed.html || parsed.text || "";
+    const linkResult = checkSuspiciousLinks(bodyHtml);
+    score += linkResult.score;
+    reasons.push(...linkResult.reasons);
+  }
+  const isArbitrarySpam = score >= threshold;
+  debug3(
+    "Arbitrary check result: score=%d, threshold=%d, isArbitrary=%s, category=%s, reasons=%o",
+    score,
+    threshold,
+    isArbitrarySpam,
+    category,
+    reasons
+  );
+  return {
+    isArbitrary: isArbitrarySpam,
+    reasons,
+    score,
+    category
+  };
+}
+function buildSessionInfo(parsed, session, getHeader) {
+  const info = { ...session };
+  const from = parsed.from?.value?.[0]?.address || parsed.from?.text || getHeader("from") || "";
+  if (from && !info.originalFromAddress) {
+    info.originalFromAddress = from.toLowerCase();
+    const atIndex = from.indexOf("@");
+    if (atIndex > 0) {
+      info.originalFromAddressDomain = from.slice(atIndex + 1).toLowerCase();
+      info.originalFromAddressRootDomain = getRootDomain(info.originalFromAddressDomain);
+    }
+  }
+  if (!info.resolvedClientHostname) {
+    info.resolvedClientHostname = extractClientHostname(parsed);
+    if (info.resolvedClientHostname) {
+      info.resolvedRootClientHostname = getRootDomain(info.resolvedClientHostname);
+    }
+  }
+  info.remoteAddress ||= extractRemoteIp(parsed);
+  return info;
+}
+function checkMicrosoftExchangeHeaders(getHeader, sessionInfo) {
+  const result = {
+    blocked: false,
+    reasons: [],
+    score: 0,
+    category: null
+  };
+  const isFromMicrosoft = sessionInfo.resolvedClientHostname && sessionInfo.resolvedClientHostname.endsWith(".outbound.protection.outlook.com");
+  if (!isFromMicrosoft) {
+    return result;
+  }
+  const msAuthHeader = getHeader("x-ms-exchange-authentication-results");
+  const forefrontHeader = getHeader("x-forefront-antispam-report");
+  if (forefrontHeader) {
+    const lowerForefront = forefrontHeader.toLowerCase();
+    const sclMatch = lowerForefront.match(/scl:(\d+)/);
+    const scl = sclMatch ? Number.parseInt(sclMatch[1], 10) : null;
+    const sfvNotSpam = lowerForefront.includes("sfv:nspm");
+    const microsoftSaysNotSpam = sfvNotSpam || scl !== null && scl <= 2;
+    if (!microsoftSaysNotSpam && msAuthHeader) {
+      const lowerMsAuth = msAuthHeader.toLowerCase();
+      const spfPass = lowerMsAuth.includes("spf=pass");
+      const dkimPass = lowerMsAuth.includes("dkim=pass");
+      const dmarcPass = lowerMsAuth.includes("dmarc=pass");
+      if (!spfPass && !dkimPass && !dmarcPass) {
+        const spfFailed = lowerMsAuth.includes("spf=fail");
+        const dkimFailed = lowerMsAuth.includes("dkim=fail");
+        const dmarcFailed = lowerMsAuth.includes("dmarc=fail");
+        if (spfFailed || dkimFailed || dmarcFailed) {
+          result.blocked = true;
+          result.reasons.push("MS_EXCHANGE_AUTH_FAILURE");
+          result.score += 10;
+          result.category = "AUTHENTICATION_FAILURE";
+          return result;
+        }
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.highConfidence) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_HIGH_CONFIDENCE_THREAT: ${cat.toUpperCase()}`);
+        result.score += 15;
+        result.category = cat.includes("malw") ? "MALWARE" : cat.includes("phish") || cat.includes("phsh") ? "PHISHING" : "HIGH_CONFIDENCE_SPAM";
+        return result;
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.impersonation) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_IMPERSONATION: ${cat.toUpperCase()}`);
+        result.score += 12;
+        result.category = "IMPERSONATION";
+        return result;
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.phishingAndSpoofing) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_PHISHING_SPOOF: ${cat.toUpperCase()}`);
+        result.score += 12;
+        result.category = cat.includes("phsh") ? "PHISHING" : "SPOOFING";
+        return result;
+      }
+    }
+    for (const verdict of MS_SPAM_VERDICTS) {
+      if (lowerForefront.includes(verdict)) {
+        result.blocked = true;
+        result.reasons.push(`MS_SPAM_VERDICT: ${verdict.toUpperCase()}`);
+        result.score += 10;
+        result.category = "SPAM";
+        return result;
+      }
+    }
+    for (const cat of MS_SPAM_CATEGORIES.spam) {
+      if (lowerForefront.includes(cat)) {
+        result.blocked = true;
+        result.reasons.push(`MS_SPAM_CATEGORY: ${cat.toUpperCase()}`);
+        result.score += 10;
+        result.category = "SPAM";
+        return result;
+      }
+    }
+    if (scl !== null && scl >= 5) {
+      result.blocked = true;
+      result.reasons.push(`MS_HIGH_SCL: ${scl}`);
+      result.score += 8;
+      result.category = "SPAM";
+      return result;
+    }
+  } else if (msAuthHeader) {
+    const lowerMsAuth = msAuthHeader.toLowerCase();
+    const spfPass = lowerMsAuth.includes("spf=pass");
+    const dkimPass = lowerMsAuth.includes("dkim=pass");
+    const dmarcPass = lowerMsAuth.includes("dmarc=pass");
+    if (!spfPass && !dkimPass && !dmarcPass) {
+      const spfFailed = lowerMsAuth.includes("spf=fail");
+      const dkimFailed = lowerMsAuth.includes("dkim=fail");
+      const dmarcFailed = lowerMsAuth.includes("dmarc=fail");
+      if (spfFailed || dkimFailed || dmarcFailed) {
+        result.blocked = true;
+        result.reasons.push("MS_EXCHANGE_AUTH_FAILURE");
+        result.score += 10;
+        result.category = "AUTHENTICATION_FAILURE";
+      }
+    }
+  }
+  return result;
+}
+function checkVendorSpam_(parsed, sessionInfo, getHeader, subject, from) {
+  const result = {
+    blocked: false,
+    reasons: [],
+    score: 0,
+    category: null
+  };
+  const fromLower = from.toLowerCase();
+  if (sessionInfo.originalFromAddressRootDomain === "paypal.com" && getHeader("x-email-type-id")) {
+    const typeId = getHeader("x-email-type-id");
+    if (PAYPAL_SPAM_TYPE_IDS.has(typeId)) {
+      result.blocked = true;
+      result.reasons.push(`PAYPAL_INVOICE_SPAM: ${typeId}`);
+      result.score += 15;
+      result.category = "VENDOR_SPAM";
+      return result;
+    }
+  }
+  if (sessionInfo.originalFromAddress === "invoice@authorize.net" && sessionInfo.resolvedRootClientHostname === "visa.com") {
+    result.blocked = true;
+    result.reasons.push("AUTHORIZE_VISA_PHISHING");
+    result.score += 15;
+    result.category = "PHISHING";
+    return result;
+  }
+  if (fromLower.includes("amazon.co.jp") && (!sessionInfo.resolvedRootClientHostname || !sessionInfo.resolvedRootClientHostname.startsWith("amazon."))) {
+    result.blocked = true;
+    result.reasons.push("AMAZON_JP_IMPERSONATION");
+    result.score += 12;
+    result.category = "IMPERSONATION";
+    return result;
+  }
+  if (subject && subject.includes("pCloud") && sessionInfo.originalFromAddressRootDomain !== "pcloud.com" && fromLower.includes("pcloud")) {
+    result.blocked = true;
+    result.reasons.push("PCLOUD_IMPERSONATION");
+    result.score += 12;
+    result.category = "IMPERSONATION";
+    return result;
+  }
+  if ((sessionInfo.originalFromAddress === "postmaster@outlook.com" || sessionInfo.resolvedClientHostname && sessionInfo.resolvedClientHostname.endsWith(".outbound.protection.outlook.com") || sessionInfo.originalFromAddress?.startsWith("postmaster@") && sessionInfo.originalFromAddress?.endsWith(".onmicrosoft.com")) && isAutoReply(getHeader) && subject && (subject.startsWith("Undeliverable: ") || subject.startsWith("No se puede entregar: "))) {
+    result.blocked = true;
+    result.reasons.push("MS_BOUNCE_SPAM");
+    result.score += 10;
+    result.category = "BOUNCE_SPAM";
+    return result;
+  }
+  if (sessionInfo.originalFromAddress === "postmaster@163.com" && subject && subject.includes("\u7CFB\u7EDF\u9000\u4FE1")) {
+    result.blocked = true;
+    result.reasons.push("163_BOUNCE_SPAM");
+    result.score += 10;
+    result.category = "BOUNCE_SPAM";
+    return result;
+  }
+  if (sessionInfo.originalFromAddress === "dse_na4@docusign.net" && sessionInfo.spf?.domain && (sessionInfo.spf.domain.endsWith(".onmicrosoft.com") || sessionInfo.spf.domain === "onmicrosoft.com")) {
+    result.blocked = true;
+    result.reasons.push("DOCUSIGN_MS_SCAM");
+    result.score += 12;
+    result.category = "PHISHING";
+    return result;
+  }
+  return result;
+}
+function checkSpoofingAttacks(parsed, sessionInfo, getHeader, subject) {
+  const result = {
+    blocked: false,
+    reasons: [],
+    score: 0,
+    category: null
+  };
+  if (sessionInfo.hadAlignedAndPassingDKIM || sessionInfo.isAllowlisted) {
+    return result;
+  }
+  if (sessionInfo.hasSameHostnameAsFrom) {
+    return result;
+  }
+  const rcptTo = sessionInfo.envelope?.rcptTo || [];
+  const fromRootDomain = sessionInfo.originalFromAddressRootDomain;
+  if (!fromRootDomain || rcptTo.length === 0) {
+    return result;
+  }
+  const hasSameRcptToAsFrom = rcptTo.some((to) => {
+    if (!to.address) {
+      return false;
+    }
+    const toRootDomain = getRootDomain(parseHostFromAddress(to.address));
+    return toRootDomain === fromRootDomain;
+  });
+  if (!hasSameRcptToAsFrom) {
+    return result;
+  }
+  const spfResult = sessionInfo.spfFromHeader?.status?.result;
+  if (spfResult === "pass") {
+    return result;
+  }
+  sessionInfo.isPotentialPhishing = true;
+  const xPhpScript = getHeader("x-php-script");
+  const xMailer = getHeader("x-mailer");
+  if (xPhpScript) {
+    return result;
+  }
+  if (xMailer) {
+    const mailerLower = xMailer.toLowerCase();
+    if (mailerLower.includes("php") || mailerLower.includes("drupal")) {
+      return result;
+    }
+  }
+  if (subject && SYSADMIN_SUBJECT_PATTERN.test(subject)) {
+    return result;
+  }
+  result.blocked = true;
+  result.reasons.push("SPOOFING_ATTACK");
+  result.score += 12;
+  result.category = "SPOOFING";
+  return result;
+}
+function isAutoReply(getHeader) {
+  const autoSubmitted = getHeader("auto-submitted");
+  if (autoSubmitted && autoSubmitted !== "no") {
+    return true;
+  }
+  const autoResponseSuppress = getHeader("x-auto-response-suppress");
+  if (autoResponseSuppress) {
+    return true;
+  }
+  const precedence = getHeader("precedence");
+  if (precedence && ["bulk", "junk", "list", "auto_reply"].includes(precedence.toLowerCase())) {
+    return true;
+  }
+  if (getHeader("list-unsubscribe")) {
+    return true;
+  }
+  return false;
+}
+function checkSubjectLine(subject) {
+  const reasons = [];
+  let score = 0;
+  for (const pattern of SPAM_PATTERNS.subjectPatterns) {
+    if (pattern.test(subject)) {
+      const match = subject.match(pattern);
+      reasons.push(`SUBJECT_SPAM_PATTERN: ${match[0]}`);
+      score += 1;
+    }
+  }
+  const upperCount = (subject.match(/[A-Z]/g) || []).length;
+  const letterCount = (subject.match(/[a-zA-Z]/g) || []).length;
+  if (letterCount > 10 && upperCount / letterCount > 0.7) {
+    reasons.push("SUBJECT_ALL_CAPS");
+    score += 2;
+  }
+  const punctCount = (subject.match(/[!?$]/g) || []).length;
+  if (punctCount >= 3) {
+    reasons.push("SUBJECT_EXCESSIVE_PUNCTUATION");
+    score += 1;
+  }
+  if (/^(re|fw|fwd):/i.test(subject) && subject.length < 20) {
+    reasons.push("SUBJECT_FAKE_REPLY");
+    score += 1;
+  }
+  return { score, reasons };
+}
+function checkBodyContent(text, html) {
+  const reasons = [];
+  let score = 0;
+  const content = text || html || "";
+  const contentLower = content.toLowerCase();
+  for (const pattern of SPAM_PATTERNS.bodyPatterns) {
+    if (pattern.test(content)) {
+      const match = content.match(pattern);
+      reasons.push(`BODY_SPAM_PATTERN: ${match[0].slice(0, 50)}`);
+      score += 1;
+    }
+  }
+  for (const [keyword, weight] of SPAM_KEYWORDS) {
+    if (contentLower.includes(keyword.toLowerCase())) {
+      reasons.push(`SPAM_KEYWORD: ${keyword}`);
+      score += weight;
+    }
+  }
+  if (html) {
+    if (/color:\s*#fff|color:\s*white|font-size:\s*[01]px/i.test(html)) {
+      reasons.push("HIDDEN_TEXT");
+      score += 3;
+    }
+    const imgCount = (html.match(/<img/gi) || []).length;
+    const textLength = (text || "").length;
+    if (imgCount > 5 && textLength < 100) {
+      reasons.push("IMAGE_HEAVY_LOW_TEXT");
+      score += 2;
+    }
+  }
+  if (/data:image\/[^;]+;base64,/i.test(html || "")) {
+    reasons.push("BASE64_IMAGES");
+    score += 1;
+  }
+  const shortenerPatterns = /\b(bit\.ly|tinyurl|goo\.gl|t\.co|ow\.ly|is\.gd|buff\.ly|adf\.ly|j\.mp)\b/i;
+  if (shortenerPatterns.test(content)) {
+    reasons.push("URL_SHORTENER");
+    score += 2;
+  }
+  return { score, reasons };
+}
+function checkSenderPatterns(from, replyTo) {
+  const reasons = [];
+  let score = 0;
+  if (!from) {
+    reasons.push("MISSING_FROM");
+    score += 2;
+    return { score, reasons };
+  }
+  for (const pattern of SPAM_PATTERNS.senderPatterns) {
+    if (pattern.test(from)) {
+      reasons.push("SUSPICIOUS_SENDER_PATTERN");
+      score += 2;
+      break;
+    }
+  }
+  const tldMatch = from.match(/@[^.]+\.([a-z]+)$/i);
+  if (tldMatch && SUSPICIOUS_TLDS.has(tldMatch[1].toLowerCase())) {
+    reasons.push(`SUSPICIOUS_TLD: ${tldMatch[1]}`);
+    score += 2;
+  }
+  if (replyTo && from) {
+    const fromDomain = from.split("@")[1]?.toLowerCase();
+    const replyDomain = replyTo.split("@")[1]?.toLowerCase();
+    if (fromDomain && replyDomain && fromDomain !== replyDomain) {
+      reasons.push("FROM_REPLY_TO_MISMATCH");
+      score += 2;
+    }
+  }
+  const spoofPatterns = /^(paypal|amazon|apple|microsoft|google|bank|security)/i;
+  if (spoofPatterns.test(from) && !/@(paypal|amazon|apple|microsoft|google)\.com$/i.test(from)) {
+    reasons.push("DISPLAY_NAME_SPOOFING");
+    score += 3;
+  }
+  return { score, reasons };
+}
+function checkHeaderAnomalies(parsed, getHeader) {
+  const reasons = [];
+  let score = 0;
+  if (!parsed.messageId && !getHeader("message-id")) {
+    reasons.push("MISSING_MESSAGE_ID");
+    score += 1;
+  }
+  if (parsed.date) {
+    const messageDate = new Date(parsed.date);
+    const now = /* @__PURE__ */ new Date();
+    if (messageDate > now) {
+      const hoursDiff = (messageDate - now) / (1e3 * 60 * 60);
+      if (hoursDiff > 24) {
+        reasons.push("FUTURE_DATE");
+        score += 2;
+      }
+    }
+    const daysDiff = (now - messageDate) / (1e3 * 60 * 60 * 24);
+    if (daysDiff > 365) {
+      reasons.push("VERY_OLD_DATE");
+      score += 1;
+    }
+  } else {
+    reasons.push("MISSING_DATE");
+    score += 1;
+  }
+  const xMailer = getHeader("x-mailer") || "";
+  if (xMailer) {
+    const suspiciousMailers = /mass mail|bulk mail|email blast/i;
+    if (suspiciousMailers.test(xMailer)) {
+      reasons.push("SUSPICIOUS_MAILER");
+      score += 1;
+    }
+  }
+  const mimeVersion = getHeader("mime-version");
+  if (!mimeVersion && (parsed.html || parsed.attachments?.length > 0)) {
+    reasons.push("MISSING_MIME_VERSION");
+    score += 1;
+  }
+  const toCount = parsed.to?.value?.length || 0;
+  const ccCount = parsed.cc?.value?.length || 0;
+  if (toCount + ccCount > 50) {
+    reasons.push("EXCESSIVE_RECIPIENTS");
+    score += 2;
+  }
+  return { score, reasons };
+}
+function checkSuspiciousLinks(content) {
+  const reasons = [];
+  let score = 0;
+  const urlPattern = /https?:\/\/[^\s<>"']+/gi;
+  const urls = content.match(urlPattern) || [];
+  if (urls.length === 0) {
+    return { score, reasons };
+  }
+  const suspiciousUrls = /* @__PURE__ */ new Set();
+  for (const url of urls) {
+    try {
+      const parsed = new URL(url);
+      const hostname = parsed.hostname.toLowerCase();
+      if (/^(?:\d+\.){3}\d+$/.test(hostname)) {
+        suspiciousUrls.add("IP_ADDRESS_URL");
+      }
+      const tld = hostname.split(".").pop();
+      if (SUSPICIOUS_TLDS.has(tld)) {
+        suspiciousUrls.add(`SUSPICIOUS_URL_TLD: ${tld}`);
+      }
+      if (parsed.port && !["80", "443", ""].includes(parsed.port)) {
+        suspiciousUrls.add("URL_WITH_PORT");
+      }
+      if (url.length > 200) {
+        suspiciousUrls.add("VERY_LONG_URL");
+      }
+      const subdomainCount = hostname.split(".").length - 2;
+      if (subdomainCount > 3) {
+        suspiciousUrls.add("EXCESSIVE_SUBDOMAINS");
+      }
+      if (/%[\da-f]{2}/i.test(url) && /%[\da-f]{2}.*%[\da-f]{2}/i.test(url)) {
+        suspiciousUrls.add("URL_OBFUSCATION");
+      }
+    } catch {
+      suspiciousUrls.add("INVALID_URL");
+    }
+  }
+  for (const reason of suspiciousUrls) {
+    reasons.push(reason);
+    score += 1;
+  }
+  const linkPattern = /<a[^>]+href=["']([^"']+)["'][^>]*>([^<]+)<\/a>/gi;
+  let match;
+  while ((match = linkPattern.exec(content)) !== null) {
+    const href = match[1];
+    const text = match[2];
+    if (/^https?:\/\//i.test(text)) {
+      try {
+        const textUrl = new URL(text);
+        const hrefUrl = new URL(href);
+        if (textUrl.hostname.toLowerCase() !== hrefUrl.hostname.toLowerCase()) {
+          reasons.push("LINK_TEXT_URL_MISMATCH");
+          score += 3;
+          break;
+        }
+      } catch {
+      }
+    }
+  }
+  return { score, reasons };
+}
+function getRootDomain(hostname) {
+  if (!hostname) {
+    return "";
+  }
+  const parts = hostname.toLowerCase().split(".");
+  if (parts.length <= 2) {
+    return hostname.toLowerCase();
+  }
+  const multiPartTlds = ["co.uk", "com.au", "co.nz", "co.jp", "com.br", "co.in"];
+  const lastTwo = parts.slice(-2).join(".");
+  if (multiPartTlds.includes(lastTwo)) {
+    return parts.slice(-3).join(".");
+  }
+  return parts.slice(-2).join(".");
+}
+function parseHostFromAddress(address) {
+  if (!address) {
+    return "";
+  }
+  const atIndex = address.indexOf("@");
+  if (atIndex === -1) {
+    return "";
+  }
+  return address.slice(atIndex + 1).toLowerCase();
+}
+function extractClientHostname(parsed) {
+  let receivedHeaders = null;
+  if (parsed.headers?.get) {
+    receivedHeaders = parsed.headers.get("received");
+  } else if (parsed.headerLines) {
+    const headers = parsed.headerLines.filter((h) => h.key.toLowerCase() === "received");
+    receivedHeaders = headers.map((h) => h.line?.split(":").slice(1).join(":").trim());
+  }
+  if (!receivedHeaders) {
+    return null;
+  }
+  const received = Array.isArray(receivedHeaders) ? receivedHeaders[0] : receivedHeaders;
+  if (!received) {
+    return null;
+  }
+  const fromMatch = received.match(/from\s+([^\s(]+)/i);
+  if (fromMatch) {
+    return fromMatch[1].toLowerCase();
+  }
+  return null;
+}
+function extractRemoteIp(parsed) {
+  let receivedHeaders = null;
+  if (parsed.headers?.get) {
+    receivedHeaders = parsed.headers.get("received");
+  } else if (parsed.headerLines) {
+    const headers = parsed.headerLines.filter((h) => h.key.toLowerCase() === "received");
+    receivedHeaders = headers.map((h) => h.line?.split(":").slice(1).join(":").trim());
+  }
+  if (!receivedHeaders) {
+    return null;
+  }
+  const received = Array.isArray(receivedHeaders) ? receivedHeaders[0] : receivedHeaders;
+  if (!received) {
+    return null;
+  }
+  const ipv4Match = received.match(/\[((?:\d+\.){3}\d+)]/);
+  if (ipv4Match) {
+    return ipv4Match[1];
+  }
+  const ipv6Match = received.match(/\[([a-f\d:]+)]/i);
+  if (ipv6Match) {
+    return ipv6Match[1];
+  }
+  return null;
+}
+
+// src/get-attributes.js
+import { debuglog as debuglog4 } from "node:util";
+var debug4 = debuglog4("spamscanner:attributes");
+function checkSRS(address) {
+  if (!address) {
+    return "";
+  }
+  const srs0Match = address.match(/^srs0=[^=]+=([^=]+)=([^=]+)=([^@]+)@/i);
+  if (srs0Match) {
+    return `${srs0Match[3]}@${srs0Match[2]}`;
+  }
+  const srs1Match = address.match(/^srs1=[^=]+=[^=]+==[^=]+=([^=]+)=([^=]+)=([^@]+)@/i);
+  if (srs1Match) {
+    return `${srs1Match[3]}@${srs1Match[2]}`;
+  }
+  return address;
+}
+function parseHostFromDomainOrAddress(addressOrDomain) {
+  if (!addressOrDomain) {
+    return "";
+  }
+  const atIndex = addressOrDomain.indexOf("@");
+  if (atIndex !== -1) {
+    return addressOrDomain.slice(atIndex + 1).toLowerCase();
+  }
+  return addressOrDomain.toLowerCase();
+}
+function parseRootDomain(hostname) {
+  if (!hostname) {
+    return "";
+  }
+  const parts = hostname.toLowerCase().split(".");
+  if (parts.length <= 2) {
+    return hostname.toLowerCase();
+  }
+  const multiPartTlds = /* @__PURE__ */ new Set([
+    "co.uk",
+    "com.au",
+    "co.nz",
+    "co.jp",
+    "com.br",
+    "co.in",
+    "org.uk",
+    "net.au",
+    "com.mx",
+    "com.cn",
+    "com.tw",
+    "com.hk",
+    "co.za",
+    "com.sg"
+  ]);
+  const lastTwo = parts.slice(-2).join(".");
+  if (multiPartTlds.has(lastTwo)) {
+    return parts.slice(-3).join(".");
+  }
+  return parts.slice(-2).join(".");
+}
+function parseAddresses(headerValue) {
+  if (!headerValue) {
+    return [];
+  }
+  if (Array.isArray(headerValue)) {
+    return headerValue.flatMap((item) => {
+      if (typeof item === "string") {
+        return item;
+      }
+      if (item.address) {
+        return item.address;
+      }
+      if (item.value && Array.isArray(item.value)) {
+        return item.value.map((v) => v.address).filter(Boolean);
+      }
+      return null;
+    }).filter(Boolean);
+  }
+  if (headerValue.value && Array.isArray(headerValue.value)) {
+    return headerValue.value.map((v) => v.address).filter(Boolean);
+  }
+  if (typeof headerValue === "string") {
+    const emailPattern = /[\w.+-]+@[\w.-]+\.[a-z]{2,}/gi;
+    return headerValue.match(emailPattern) || [];
+  }
+  return [];
+}
+function getHeaders(headers, name) {
+  if (!headers) {
+    return null;
+  }
+  if (headers.get) {
+    const value = headers.get(name);
+    if (value) {
+      if (typeof value === "string") {
+        return value;
+      }
+      if (value.text) {
+        return value.text;
+      }
+      if (value.value && Array.isArray(value.value)) {
+        return value.value.map((v) => v.address || v.text || v).join(", ");
+      }
+    }
+    return null;
+  }
+  if (headers.headerLines) {
+    const header = headers.headerLines.find((h) => h.key.toLowerCase() === name.toLowerCase());
+    if (header) {
+      return header.line?.split(":").slice(1).join(":").trim();
+    }
+  }
+  if (typeof headers === "object") {
+    const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
+    if (key) {
+      const value = headers[key];
+      if (typeof value === "string") {
+        return value;
+      }
+      if (Array.isArray(value)) {
+        return value[0];
+      }
+    }
+  }
+  return null;
+}
+async function getAttributes(parsed, session = {}, options = {}) {
+  const { isAligned = false, authResults = null } = options;
+  const headers = parsed.headers || parsed;
+  const replyToHeader = getHeaders(headers, "reply-to");
+  const replyToAddresses = parseAddresses(parsed.replyTo || (replyToHeader ? { value: [{ address: replyToHeader }] } : null));
+  const array = [
+    session.resolvedClientHostname,
+    session.resolvedRootClientHostname,
+    session.remoteAddress
+  ];
+  const from = [
+    session.originalFromAddress,
+    session.originalFromAddressDomain,
+    session.originalFromAddressRootDomain
+  ];
+  const replyTo = [];
+  for (const addr of replyToAddresses) {
+    const checked = checkSRS(addr);
+    replyTo.push(
+      checked.toLowerCase(),
+      parseHostFromDomainOrAddress(checked),
+      parseRootDomain(parseHostFromDomainOrAddress(checked))
+    );
+  }
+  const mailFrom = [];
+  const mailFromAddress = session.envelope?.mailFrom?.address;
+  if (mailFromAddress) {
+    const checked = checkSRS(mailFromAddress);
+    mailFrom.push(
+      checked.toLowerCase(),
+      parseHostFromDomainOrAddress(checked),
+      parseRootDomain(parseHostFromDomainOrAddress(checked))
+    );
+  }
+  if (isAligned) {
+    const signingDomains = session.signingDomains || /* @__PURE__ */ new Set();
+    const spfResult = session.spfFromHeader?.status?.result;
+    const fromHasSpfPass = spfResult === "pass";
+    const fromHasDkimAlignment = signingDomains.size > 0 && (signingDomains.has(session.originalFromAddressDomain) || signingDomains.has(session.originalFromAddressRootDomain));
+    if (fromHasSpfPass || fromHasDkimAlignment) {
+      array.push(...from);
+    }
+    let hasAlignedReplyTo = false;
+    for (const addr of replyToAddresses) {
+      const checked = checkSRS(addr);
+      const domain = parseHostFromDomainOrAddress(checked);
+      const rootDomain = parseRootDomain(domain);
+      if (signingDomains.size > 0 && (signingDomains.has(domain) || signingDomains.has(rootDomain))) {
+        hasAlignedReplyTo = true;
+        break;
+      }
+      if (authResults?.spf) {
+        const spfForReplyTo = authResults.spf.find((r) => r.domain === domain || r.domain === rootDomain);
+        if (spfForReplyTo?.result === "pass") {
+          hasAlignedReplyTo = true;
+          break;
+        }
+      }
+    }
+    if (hasAlignedReplyTo) {
+      array.push(...replyTo);
+    }
+    if (mailFromAddress) {
+      const checked = checkSRS(mailFromAddress);
+      const domain = parseHostFromDomainOrAddress(checked);
+      const rootDomain = parseRootDomain(domain);
+      const mailFromHasDkimAlignment = signingDomains.size > 0 && (signingDomains.has(domain) || signingDomains.has(rootDomain));
+      let mailFromHasSpfPass = false;
+      if (authResults?.spf) {
+        const spfForMailFrom = authResults.spf.find((r) => r.domain === domain || r.domain === rootDomain);
+        mailFromHasSpfPass = spfForMailFrom?.result === "pass";
+      }
+      if (mailFromHasDkimAlignment || mailFromHasSpfPass) {
+        array.push(...mailFrom);
+      }
+    }
+  } else {
+    array.push(...from, ...replyTo, ...mailFrom);
+  }
+  const normalized = array.filter((string_) => typeof string_ === "string" && string_.length > 0).map((string_) => {
+    try {
+      return string_.toLowerCase().trim();
+    } catch {
+      return string_.toLowerCase().trim();
+    }
+  });
+  const unique = [...new Set(normalized)];
+  debug4("Extracted %d unique attributes (isAligned=%s): %o", unique.length, isAligned, unique);
+  return unique;
+}
+function buildSessionFromParsed(parsed, existingSession = {}) {
+  const session = { ...existingSession };
+  const headers = parsed.headers || parsed;
+  const fromHeader = getHeaders(headers, "from");
+  const fromAddresses = parseAddresses(parsed.from || fromHeader);
+  const fromAddress = fromAddresses[0];
+  if (fromAddress && !session.originalFromAddress) {
+    session.originalFromAddress = checkSRS(fromAddress).toLowerCase();
+    session.originalFromAddressDomain = parseHostFromDomainOrAddress(session.originalFromAddress);
+    session.originalFromAddressRootDomain = parseRootDomain(session.originalFromAddressDomain);
+  }
+  if (!session.resolvedClientHostname) {
+    const receivedHeader = getHeaders(headers, "received");
+    if (receivedHeader) {
+      const received = Array.isArray(receivedHeader) ? receivedHeader[0] : receivedHeader;
+      const fromMatch = received?.match(/from\s+([^\s(]+)/i);
+      if (fromMatch) {
+        session.resolvedClientHostname = fromMatch[1].toLowerCase();
+        session.resolvedRootClientHostname = parseRootDomain(session.resolvedClientHostname);
+      }
+    }
+  }
+  if (!session.remoteAddress) {
+    const receivedHeader = getHeaders(headers, "received");
+    if (receivedHeader) {
+      const received = Array.isArray(receivedHeader) ? receivedHeader[0] : receivedHeader;
+      const ipv4Match = received?.match(/\[((?:\d+\.){3}\d+)]/);
+      if (ipv4Match) {
+        session.remoteAddress = ipv4Match[1];
+      } else {
+        const ipv6Match = received?.match(/\[([a-f\d:]+)]/i);
+        if (ipv6Match) {
+          session.remoteAddress = ipv6Match[1];
+        }
+      }
+    }
+  }
+  if (!session.envelope) {
+    session.envelope = {
+      mailFrom: { address: session.originalFromAddress || "" },
+      rcptTo: []
+    };
+    const toAddresses = parseAddresses(parsed.to || getHeaders(headers, "to"));
+    const ccAddresses = parseAddresses(parsed.cc || getHeaders(headers, "cc"));
+    for (const addr of [...toAddresses, ...ccAddresses]) {
+      if (addr) {
+        session.envelope.rcptTo.push({ address: addr });
+      }
+    }
+  }
+  return session;
+}
+async function extractAttributes(parsed, options = {}) {
+  const { isAligned = false, senderIp, senderHostname, authResults } = options;
+  const session = buildSessionFromParsed(parsed, {
+    remoteAddress: senderIp,
+    resolvedClientHostname: senderHostname,
+    resolvedRootClientHostname: senderHostname ? parseRootDomain(senderHostname) : void 0
+  });
+  if (authResults?.dkim) {
+    session.signingDomains = /* @__PURE__ */ new Set();
+    for (const dkimResult of authResults.dkim) {
+      if (dkimResult.result === "pass" && dkimResult.domain) {
+        session.signingDomains.add(dkimResult.domain);
+        session.signingDomains.add(parseRootDomain(dkimResult.domain));
+      }
+    }
+    session.hadAlignedAndPassingDKIM = session.signingDomains.has(session.originalFromAddressDomain) || session.signingDomains.has(session.originalFromAddressRootDomain);
+  }
+  if (authResults?.spf) {
+    const spfForFrom = authResults.spf.find((r) => r.domain === session.originalFromAddressDomain || r.domain === session.originalFromAddressRootDomain);
+    if (spfForFrom) {
+      session.spfFromHeader = {
+        status: { result: spfForFrom.result }
+      };
+    }
+  }
+  const attributes = await getAttributes(parsed, session, { isAligned, authResults });
+  return { attributes, session };
+}
+
+// src/index.js
 var __filename = import.meta.url ? fileURLToPath(import.meta.url) : "";
 var __dirname = __filename ? path.dirname(__filename) : process.cwd();
 var findPackageRoot = (startDir) => {
@@ -578,7 +2019,7 @@ var getClassifier = async () => {
   const { default: classifier2 } = await Promise.resolve().then(() => (init_get_classifier(), get_classifier_exports));
   return classifier2;
 };
-var debug3 = debuglog3("spamscanner");
+var debug7 = debuglog7("spamscanner");
 var GENERIC_TOKENIZER = /[^a-zá-úÁ-Úà-úÀ-Úñü\dа-яёæøåàáảãạăắằẳẵặâấầẩẫậéèẻẽẹêếềểễệíìỉĩịóòỏõọôốồổỗộơớờởỡợúùủũụưứừửữựýỳỷỹỵđäöëïîûœçążśźęćńł-]+/i;
 var converter = new AFHConvert();
 var chineseTokenizer = { tokenize: (text) => text.split(/\s+/) };
@@ -664,6 +2105,41 @@ var SpamScanner = class {
       supportedLanguages: ["en"],
       enableMixedLanguageDetection: false,
       enableAdvancedPatternRecognition: true,
+      // Authentication options (mailauth)
+      enableAuthentication: false,
+      authOptions: {
+        ip: null,
+        // Remote IP address (required for auth)
+        helo: null,
+        // HELO/EHLO hostname
+        mta: "spamscanner",
+        // MTA hostname
+        sender: null,
+        // Envelope sender (MAIL FROM)
+        timeout: 1e4
+        // DNS lookup timeout
+      },
+      authScoreWeights: {
+        dkimPass: -2,
+        dkimFail: 3,
+        spfPass: -1,
+        spfFail: 2,
+        spfSoftfail: 1,
+        dmarcPass: -2,
+        dmarcFail: 4,
+        arcPass: -1,
+        arcFail: 1
+      },
+      // Reputation API options (Forward Email)
+      enableReputation: false,
+      reputationOptions: {
+        apiUrl: "https://api.forwardemail.net/v1/reputation",
+        timeout: 1e4,
+        onlyAligned: true
+      },
+      // Arbitrary spam detection options
+      enableArbitraryDetection: true,
+      arbitraryThreshold: 5,
       // Existing options
       debug: false,
       logger: console,
@@ -711,7 +2187,7 @@ var SpamScanner = class {
         return Array.isArray(tokens) ? tokens : [];
       };
     } catch (error) {
-      debug3("Failed to initialize classifier:", error);
+      debug7("Failed to initialize classifier:", error);
       this.classifier = new NaiveBayes2();
     }
   }
@@ -730,7 +2206,7 @@ var SpamScanner = class {
         throw new Error("Invalid replacements format");
       }
     } catch (error) {
-      debug3("Failed to initialize replacements:", error);
+      debug7("Failed to initialize replacements:", error);
       this.replacements = /* @__PURE__ */ new Map();
       const basicReplacements = {
         u: "you",
@@ -758,7 +2234,7 @@ var SpamScanner = class {
       try {
         this.clamscan = await new ClamScan().init(this.config.clamscan);
       } catch (error) {
-        debug3("ClamScan initialization failed:", error);
+        debug7("ClamScan initialization failed:", error);
         return [];
       }
     }
@@ -782,7 +2258,7 @@ var SpamScanner = class {
           }
         }
       } catch (error) {
-        debug3("Virus scan error:", error);
+        debug7("Virus scan error:", error);
       }
     }
     return results;
@@ -905,7 +2381,7 @@ var SpamScanner = class {
               });
             }
           } catch (error) {
-            debug3("PDF JavaScript detection error:", error);
+            debug7("PDF JavaScript detection error:", error);
           }
         }
       }
@@ -1148,7 +2624,7 @@ var SpamScanner = class {
         isPrivate: parsed.isPrivate
       };
     } catch (error) {
-      debug3("tldts parsing error:", error);
+      debug7("tldts parsing error:", error);
       return null;
     }
   }
@@ -1240,13 +2716,39 @@ var SpamScanner = class {
     }
     return text;
   }
-  // Main scan method - enhanced with performance metrics and new features
-  async scan(source) {
+  // Main scan method - enhanced with performance metrics, auth, and reputation
+  async scan(source, scanOptions = {}) {
     const startTime = Date.now();
     try {
       await this.initializeClassifier();
       await this.initializeReplacements();
       const { tokens, mail } = await this.getTokensAndMailFromSource(source);
+      const authOptions = { ...this.config.authOptions, ...scanOptions.authOptions };
+      const reputationOptions = { ...this.config.reputationOptions, ...scanOptions.reputationOptions };
+      const detectionPromises = [
+        this.getClassification(tokens),
+        this.getPhishingResults(mail),
+        this.getExecutableResults(mail),
+        this.config.enableMacroDetection ? this.getMacroResults(mail) : [],
+        this.config.enableArbitraryDetection ? this.getArbitraryResults(mail, { remoteAddress: authOptions.ip, resolvedClientHostname: authOptions.hostname }) : [],
+        this.getVirusResults(mail),
+        this.getPatternResults(mail),
+        this.getIDNHomographResults(mail),
+        this.getToxicityResults(mail),
+        this.getNSFWResults(mail)
+      ];
+      const enableAuth = scanOptions.enableAuthentication ?? this.config.enableAuthentication;
+      if (enableAuth && authOptions.ip) {
+        detectionPromises.push(this.getAuthenticationResults(source, mail, authOptions));
+      } else {
+        detectionPromises.push(Promise.resolve(null));
+      }
+      const enableReputation = scanOptions.enableReputation ?? this.config.enableReputation;
+      if (enableReputation) {
+        detectionPromises.push(this.getReputationResults(mail, authOptions, reputationOptions));
+      } else {
+        detectionPromises.push(Promise.resolve(null));
+      }
       const [
         classification,
         phishing,
@@ -1257,20 +2759,14 @@ var SpamScanner = class {
         patterns,
         idnHomographAttack,
         toxicity,
-        nsfw
-      ] = await Promise.all([
-        this.getClassification(tokens),
-        this.getPhishingResults(mail),
-        this.getExecutableResults(mail),
-        this.config.enableMacroDetection ? this.getMacroResults(mail) : [],
-        this.getArbitraryResults(mail),
-        this.getVirusResults(mail),
-        this.getPatternResults(mail),
-        this.getIDNHomographResults(mail),
-        this.getToxicityResults(mail),
-        this.getNSFWResults(mail)
-      ]);
-      const isSpam = classification.category === "spam" || phishing.length > 0 || executables.length > 0 || macros.length > 0 || arbitrary.length > 0 || viruses.length > 0 || patterns.length > 0 || idnHomographAttack && idnHomographAttack.detected || toxicity.length > 0 || nsfw.length > 0;
+        nsfw,
+        authResult,
+        reputationResult
+      ] = await Promise.all(detectionPromises);
+      let isSpam = classification.category === "spam" || phishing.length > 0 || executables.length > 0 || macros.length > 0 || arbitrary.length > 0 || viruses.length > 0 || patterns.length > 0 || idnHomographAttack && idnHomographAttack.detected || toxicity.length > 0 || nsfw.length > 0;
+      if (reputationResult && reputationResult.isDenylisted) {
+        isSpam = true;
+      }
       let message = "Ham";
       if (isSpam) {
         const reasons = [];
@@ -1304,7 +2800,14 @@ var SpamScanner = class {
         if (nsfw.length > 0) {
           reasons.push("NSFW content");
         }
+        if (reputationResult?.isDenylisted) {
+          reasons.push("denylisted sender");
+        }
         message = `Spam (${arrayJoinConjunction(reasons)})`;
+      } else if (reputationResult?.isTruthSource) {
+        message = "Ham (truth source)";
+      } else if (reputationResult?.isAllowlisted) {
+        message = "Ham (allowlisted)";
       }
       const endTime = Date.now();
       const processingTime = endTime - startTime;
@@ -1324,7 +2827,9 @@ var SpamScanner = class {
           patterns,
           idnHomographAttack,
           toxicity,
-          nsfw
+          nsfw,
+          authentication: authResult,
+          reputation: reputationResult
         },
         links: this.extractAllUrls(mail, source),
         tokens,
@@ -1346,10 +2851,85 @@ var SpamScanner = class {
       }
       return result;
     } catch (error) {
-      debug3("Scan error:", error);
+      debug7("Scan error:", error);
       throw error;
     }
   }
+  // Get authentication results using mailauth
+  async getAuthenticationResults(source, mail, options = {}) {
+    try {
+      const messageBuffer = typeof source === "string" ? Buffer3.from(source) : source;
+      const sender = options.sender || mail.from?.value?.[0]?.address || mail.from?.text;
+      const authResult = await authenticate(messageBuffer, {
+        ip: options.ip,
+        helo: options.helo,
+        mta: options.mta || "spamscanner",
+        sender,
+        timeout: options.timeout || 1e4
+      });
+      const scoreResult = calculateAuthScore(authResult, this.config.authScoreWeights);
+      return {
+        ...authResult,
+        score: scoreResult,
+        authResultsHeader: formatAuthResultsHeader(authResult, options.mta || "spamscanner")
+      };
+    } catch (error) {
+      debug7("Authentication error:", error);
+      return null;
+    }
+  }
+  // Get reputation results from Forward Email API
+  // Uses get-attributes module to extract comprehensive attributes for checking
+  async getReputationResults(mail, authOptions = {}, reputationOptions = {}) {
+    try {
+      const { attributes, session } = await extractAttributes(mail, {
+        isAligned: reputationOptions.onlyAligned ?? true,
+        senderIp: authOptions.ip,
+        senderHostname: authOptions.hostname,
+        authResults: authOptions.authResults
+      });
+      const valuesToCheck = [...attributes];
+      if (authOptions.sender) {
+        const senderLower = authOptions.sender.toLowerCase();
+        if (!valuesToCheck.includes(senderLower)) {
+          valuesToCheck.push(senderLower);
+        }
+        const envelopeDomain = senderLower.split("@")[1];
+        if (envelopeDomain && !valuesToCheck.includes(envelopeDomain)) {
+          valuesToCheck.push(envelopeDomain);
+        }
+      }
+      const replyTo = mail.replyTo?.value || [];
+      for (const addr of replyTo) {
+        if (addr.address) {
+          const addrLower = addr.address.toLowerCase();
+          if (!valuesToCheck.includes(addrLower)) {
+            valuesToCheck.push(addrLower);
+          }
+          const domain = addrLower.split("@")[1];
+          if (domain && !valuesToCheck.includes(domain)) {
+            valuesToCheck.push(domain);
+          }
+        }
+      }
+      if (valuesToCheck.length === 0) {
+        return null;
+      }
+      debug7("Checking reputation for %d attributes: %o", valuesToCheck.length, valuesToCheck);
+      const resultsMap = await checkReputationBatch(valuesToCheck, reputationOptions);
+      const aggregated = aggregateReputationResults([...resultsMap.values()]);
+      return {
+        ...aggregated,
+        checkedValues: valuesToCheck,
+        details: Object.fromEntries(resultsMap),
+        session
+        // Include session info for debugging
+      };
+    } catch (error) {
+      debug7("Reputation check error:", error);
+      return null;
+    }
+  }
   // Get pattern recognition results
   async getPatternResults(mail) {
     const results = [];
@@ -1386,7 +2966,7 @@ var SpamScanner = class {
     try {
       mail = await simpleParser(source);
     } catch (error) {
-      debug3("Mail parsing error:", error);
+      debug7("Mail parsing error:", error);
       mail = {
         text: source,
         html: "",
@@ -1417,7 +2997,7 @@ var SpamScanner = class {
         // Default probability
       };
     } catch (error) {
-      debug3("Classification error:", error);
+      debug7("Classification error:", error);
       return {
         category: "ham",
         probability: 0.5
@@ -1473,7 +3053,7 @@ var SpamScanner = class {
           }
         }
       } catch (error) {
-        debug3("Phishing check error:", error);
+        debug7("Phishing check error:", error);
       }
     }
     return results;
@@ -1517,14 +3097,15 @@ var SpamScanner = class {
             });
           }
         } catch (error) {
-          debug3("File type detection error:", error);
+          debug7("File type detection error:", error);
         }
       }
     }
     return results;
   }
-  // Arbitrary results (GTUBE, etc.)
-  async getArbitraryResults(mail) {
+  // Arbitrary results (GTUBE, spam patterns, etc.)
+  // Updated to use session info for Microsoft Exchange spam detection
+  async getArbitraryResults(mail, sessionInfo = {}) {
     const results = [];
     let content = (mail.text || "") + (mail.html || "");
     if (mail.headerLines && Array.isArray(mail.headerLines)) {
@@ -1537,9 +3118,42 @@ var SpamScanner = class {
     if (content.includes("XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X")) {
       results.push({
         type: "arbitrary",
-        description: "GTUBE spam test pattern detected"
+        subtype: "gtube",
+        description: "GTUBE spam test pattern detected",
+        score: 100
       });
     }
+    try {
+      const session = buildSessionInfo(mail, sessionInfo);
+      const arbitraryResult = isArbitrary(mail, {
+        threshold: this.config.arbitraryThreshold || 5,
+        checkSubject: true,
+        checkBody: true,
+        checkSender: true,
+        checkHeaders: true,
+        checkLinks: true,
+        checkMicrosoftHeaders: true,
+        // Enable Microsoft Exchange spam detection
+        checkVendorSpam: true,
+        // Enable vendor-specific spam detection
+        checkSpoofing: true,
+        // Enable spoofing attack detection
+        session
+        // Pass session info for advanced checks
+      });
+      if (arbitraryResult.isArbitrary) {
+        results.push({
+          type: "arbitrary",
+          subtype: arbitraryResult.category ? arbitraryResult.category.toLowerCase() : "pattern",
+          description: `Arbitrary spam patterns detected (score: ${arbitraryResult.score})`,
+          score: arbitraryResult.score,
+          reasons: arbitraryResult.reasons,
+          category: arbitraryResult.category
+        });
+      }
+    } catch (error) {
+      debug7("Arbitrary detection error:", error);
+    }
     return results;
   }
   // Parse and normalize locale
@@ -1605,7 +3219,7 @@ var SpamScanner = class {
             result.riskScore = Math.max(result.riskScore, analysis.riskScore);
           }
         } catch (error) {
-          debug3("IDN analysis error for URL:", url, error);
+          debug7("IDN analysis error for URL:", url, error);
         }
       }
       if (result.detected) {
@@ -1622,7 +3236,7 @@ var SpamScanner = class {
         result.details.push(...allRiskFactors);
       }
     } catch (error) {
-      debug3("IDN homograph detection error:", error);
+      debug7("IDN homograph detection error:", error);
     }
     return result;
   }
@@ -1638,7 +3252,7 @@ var SpamScanner = class {
           enableContextAnalysis: true
         });
       } catch (error) {
-        debug3("Failed to load IDN detector:", error);
+        debug7("Failed to load IDN detector:", error);
         return null;
       }
     }
@@ -1690,7 +3304,7 @@ var SpamScanner = class {
       }
       return detected;
     } catch (error) {
-      debug3("Language detection error:", error);
+      debug7("Language detection error:", error);
       try {
         const landeResult = lande(text);
         if (landeResult && landeResult.length > 0) {
@@ -1751,7 +3365,7 @@ var SpamScanner = class {
         }
       }
     } catch (error) {
-      debug3("Toxicity detection error:", error);
+      debug7("Toxicity detection error:", error);
     }
     return results;
   }
@@ -1801,11 +3415,11 @@ var SpamScanner = class {
             }
           }
         } catch (error) {
-          debug3("NSFW detection error for attachment:", attachment.filename, error);
+          debug7("NSFW detection error for attachment:", attachment.filename, error);
         }
       }
     } catch (error) {
-      debug3("NSFW detection error:", error);
+      debug7("NSFW detection error:", error);
     }
     return results;
   }