For this type of spam (it does not always work, but it is better than nothing):
# MIME ACL: reject a text/plain part that carries exactly one http(s) link
# when a Received: header names a short HELO/from domain that does not
# resolve in DNS. Conditions are evaluated in order and all must hold for
# the deny to fire, so the cheap exclusions come before the regex and DNS work.
acl_check_mime:
# Only text/plain MIME parts are considered.
deny condition = ${if eq{$mime_content_type}{text/plain}}
# Exclusions: hosts in the named list +whitelisted_hosts (defined outside this
# snippet), the two listed sender domains, and any authenticated session.
!hosts = +whitelisted_hosts
!sender_domains = returns.groups.yahoo.com : groups.io
!authenticated = *
# Skip messages that carry a List-ID: header.
condition = ${if !def:header_List-ID:}
# Capture a candidate domain from the raw headers into acl_m_fakedom.
# The pattern stays inside one Received: header: ".*?" does not cross a
# newline here, and "(?:\n\s.*?)*?" steps over folded continuation lines.
# Within that header it needs, in order:
#   - helo=/HELO /EHLO /from followed by 4-6 lowercase letters and
#     .com/.net/.org (this is $1),
#   - "smtpsa" or "bizsmtp", matched case-insensitively because (?i) is
#     switched on only from that point,
#   - a following line that starts with neither "R" nor whitespace
#     (presumably meant to select the last Received: header in the block -
#     confirm against real samples).
# If nothing matches, the variable is set to the empty string.
set acl_m_fakedom = ${if match{$message_headers_raw}{\N\nReceived: \
.*?(?:\n\s.*?)*?\
(?:helo=|HELO |EHLO |from )([a-z]{4,6}\.(?:com|net|org))\
.*?(?:\n\s.*?)*?\
(?i)(?:smtpsa|bizsmtp)\
.*?(?:\n\s.*?)*?\
\n[^R\s]\N}{$1}}
# Continue only if a domain was captured.
condition = ${if def:acl_m_fakedom}
# The part must contain one http(s) link and must not contain a second one.
# "." stands where ":" would be - presumably because ":" is the list
# separator for mime_regex; note that "." also matches any other character.
mime_regex = https?.//
!mime_regex = (?s)https?.//.+https?.//
# The captured domain must have neither an A record nor an MX record (both
# lookups yield an empty string). The value placed in the query is limited by
# the capture group above to [a-z]{4,6} plus .com/.net/.org, so header text
# cannot add dnsdb query syntax.
# NOTE(review): defer_never treats a temporary DNS error like "no record", so a
# resolver outage can make both conditions true for a domain that does exist -
# confirm this false-positive risk is acceptable.
condition = ${if eq{}{${lookup dnsdb{defer_never,a=$acl_m_fakedom}}}}
condition = ${if eq{}{${lookup dnsdb{defer_never,mxh=$acl_m_fakedom}}}}
# Rejection text: first URL found in $message_body, the captured domain and
# the envelope recipients. "[^>\s]+" stops at whitespace, so the quoted URL
# cannot add line breaks to the text.
# NOTE(review): $message_body holds only the leading portion of the body, so
# the URL may come out empty when the link sits further down.
# NOTE(review): with no log_message set, this text is sent to the remote
# client as well as logged; consider a generic message plus a detailed
# log_message so the sender is not told which traits triggered the deny.
message = trojan link suspected: \
${if match{$message_body}{\N(https?://[^>\s]+)\N}{$1}} \
rcpthelo=$acl_m_fakedom recipients=$recipients