1 # SARE Header Abuse Ruleset for SpamAssassin -- file 1
5 # Usage instructions and documentation in 70_sare_header0.cf
7 # Full Revision History / Change Log in 70_sare_header.log
8 #@@# 01.03.20 May 20 2005
9 #@@# Minor score updates based on additional mass-check
10 #@@# Modified "rule has been moved" meta flags
11 #@@# Archived from file 1 SARE_FROM_SPAM_DOMN0
12 #@@# Archived from file 1 SARE_HEAD_HDR_ALTREC
13 #@@# Archived from file 1 SARE_HEAD_HDR_XBBOUNC
14 #@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL2
15 #@@# Archived from file 1 SARE_HEAD_HDR_XLEGAL4
16 #@@# Archived from file 1 SARE_HEAD_HDR_XMEBDOM
17 #@@# Archived from file 1 SARE_HEAD_HDR_XWTID
18 #@@# Archived from file 1 SARE_HEAD_HDR_XWTVERS
19 #@@# Archived from file 1 SARE_HEAD_ORIG_RECIP
20 #@@# Archived from file 1 SARE_RECV_IP_195229
21 #@@# Moved file 0 to file 1 SARE_FREE_WEBM_EsTerra
22 #@@# Moved file 0 to file 1 SARE_FROM_SPAM_NAME2A
23 #@@# Moved file 0 to file 1 SARE_HEAD_DATE46
24 #@@# Moved file 0 to file 1 SARE_HEAD_HDR_XEMAIL
25 #@@# Moved file 0 to file 1 SARE_HEAD_MIME_INVALID
26 #@@# Moved file 0 to file 1 SARE_RECV_IP_063106130
27 #@@# Moved file 1 to file 0 SARE_HEAD_HDR_XLISTAD
28 #@@# Moved file 1 to file 0 SARE_HEAD_MSMPR_RNDSTR
29 #@@# Moved file 1 to file 0 SARE_RECV_IP_209190
30 #@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE
31 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE
32 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV
33 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF
34 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE
35 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI
36 #@@# Moved file 1 to file 2 SARE_RECV_IP_062023
37 #@@# Moved file 1 to file 2 SARE_RECV_IP_065205157
38 #@@# Moved file 1 to file 2 SARE_RECV_IP_066248154
39 #@@# Moved file 1 to file 2 SARE_RECV_IP_206248152
40 #@@# Moved file 1 to file 2 SARE_RECV_RND_DATE
41 #@@# Moved file 1 to file 2 SARE_XMAIL_GDI
42 #@@# Moved file 1 to file 3 SARE_HEAD_DATE_5L
43 #@@# Moved file 1 to file 3 SARE_HEAD_XWORD
44 #@@# Moved file 1 to file 3 SARE_RECV_IP_063106130
45 #@@# Moved file 1 to file 3 SARE_RECV_IP_064034
46 #@@# Moved file 1 to file 3 SARE_XMAIL_GOMAIL
47 #@@# Moved file 1 to file 3 SARE_XMAIL_TOLMAIL
48 #@@# Moved from file 1 to 3 SARE_FROM_DVDCOPY
49 #@@# Moved from file 1 to 3 SARE_RECV_FREESERVE
50 #@@# Returned file 1 to file 0 SARE_HEAD_HDR_XTID
51 #@@# Returned file 1 to file 0 SARE_RECV_IP_163125
52 #@@# Returned file 2 to file 1 SARE_RECV_IP_142046
53 #@@# 01.03.21 May 21 2005
54 #@@# Minor repairs to "downgraded rule" metas.
56 # License: Artistic - see http://www.rulesemporium.com/license.txt
57 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
58 # Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf
60 ######## ###################### ##################################################
61 # Component rules used within meta rules
62 ######## ###################### ##################################################
# Sub-rule (the "__" prefix keeps it unscored on its own): true when the Subject
# header contains a run of three or more bytes in the range 0x80-0xFF.
# NOTE(review): no meta visible in this part of the file consumes it, and
# SARE_HEAD_8BIT_NOSPM / SARE_HEAD_8BIT_SPAM are stubbed to false in the meta
# list that follows -- confirm it is still referenced somewhere.
64 header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
66 ######## ###################### ##################################################
67 # Meta rules used to prevent --lint errors after moving/changing rules
68 ######## ###################### ##################################################
# __SARE_HEAD_FALSE can never be true (X && !X). It relies on __FROM_AOL_COM
# being defined outside this file (not visible here -- TODO confirm it exists on
# every supported SpamAssassin version).
# Each meta below re-declares the name of a moved or archived rule as that
# constant false, so references to the old name elsewhere still resolve.
# NOTE(review): SARE_FROM_NONAME, SARE_HEAD_HDR_XEMAIL and SARE_FROM_SPAM_NAME2A
# are declared again as live rules later in this file. Those rules stay active
# only if the later declaration takes precedence and no file loaded afterwards
# repeats the stub -- verify the load order. SARE_RECV_IP_063106130 is stubbed
# twice in this list.
70 meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
71 meta SARE_FREE_WEBM_CZSEZNA __SARE_HEAD_FALSE
72 meta SARE_FROM_MULTI_DASH __SARE_HEAD_FALSE
73 meta SARE_HEAD_DATE18 __SARE_HEAD_FALSE
74 meta SARE_MSGID_LONG40 __SARE_HEAD_FALSE
75 meta SARE_MSGID_LONG55 __SARE_HEAD_FALSE
76 meta SARE_MULT_VIA_FWCATS __SARE_HEAD_FALSE
77 meta SARE_RECV_IP_064080 __SARE_HEAD_FALSE
78 meta SARE_RECV_ISWEST __SARE_HEAD_FALSE
79 meta SARE_FROM_AMERICA __SARE_HEAD_FALSE
80 meta SARE_MSGID_06D6 __SARE_HEAD_FALSE
81 meta SARE_RECV_IP_212164 __SARE_HEAD_FALSE
82 meta SARE_BOUNDARY_MULTB __SARE_HEAD_FALSE
83 meta SARE_FROM_NUM_9DIG __SARE_HEAD_FALSE
84 meta SARE_FROM_PRINTER __SARE_HEAD_FALSE
85 meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_FALSE
86 meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_FALSE
87 meta SARE_HEAD_HDR_XCCDIAG __SARE_HEAD_FALSE
88 meta SARE_HEAD_HDR_XMAILTH __SARE_HEAD_FALSE
89 meta SARE_HEAD_HDR_XSMTPSV __SARE_HEAD_FALSE
90 meta SARE_HEAD_HDR_XUMAIL __SARE_HEAD_FALSE
91 meta SARE_HELO_SERVER __SARE_HEAD_FALSE
92 meta SARE_MSGID_LONG35 __SARE_HEAD_FALSE
93 meta SARE_MSGID_LONG65 __SARE_HEAD_FALSE
94 meta SARE_MSGID_LONG75 __SARE_HEAD_FALSE
95 meta SARE_RECV_IP_066111 __SARE_HEAD_FALSE
96 meta SARE_RECV_SUSP_3 __SARE_HEAD_FALSE
97 meta SARE_XMAIL_XMAIL __SARE_HEAD_FALSE
98 meta SARE_HEAD_HDR_XEMGBMS __SARE_HEAD_FALSE
99 meta SARE_HEAD_XCANIT1 __SARE_HEAD_FALSE
100 meta SARE_HEAD_XCANIT2 __SARE_HEAD_FALSE
101 meta SARE_MSGID_SPAM_DOMN0 __SARE_HEAD_FALSE
102 meta SARE_MSGID_SUSP2 __SARE_HEAD_FALSE
103 meta SARE_RECV_IP_081019 __SARE_HEAD_FALSE
104 meta SARE_RECV_IP_211049 __SARE_HEAD_FALSE
105 meta SARE_RECV_RND_NUMBER __SARE_HEAD_FALSE
106 meta SARE_FROM_NONAME __SARE_HEAD_FALSE
107 meta SARE_FROM_SPAM_CHAR0 __SARE_HEAD_FALSE
108 meta SARE_HEAD_XCOM_RFCMIN __SARE_HEAD_FALSE
109 meta SARE_RECV_IP_080178 __SARE_HEAD_FALSE
110 meta SARE_XMAIL_SUSP3 __SARE_HEAD_FALSE
111 meta SARE_MSGID_DBL_AT __SARE_HEAD_FALSE
112 meta SARE_FREE_WEBM_USACOPS __SARE_HEAD_FALSE
113 meta SARE_FROM_SPAM_DOMN0 __SARE_HEAD_FALSE
114 meta SARE_HEAD_HDR_ALTREC __SARE_HEAD_FALSE
115 meta SARE_HEAD_HDR_XBBOUNC __SARE_HEAD_FALSE
116 meta SARE_HEAD_HDR_XLEGAL2 __SARE_HEAD_FALSE
117 meta SARE_HEAD_HDR_XLEGAL4 __SARE_HEAD_FALSE
118 meta SARE_HEAD_HDR_XMEBDOM __SARE_HEAD_FALSE
119 meta SARE_HEAD_HDR_XWTID __SARE_HEAD_FALSE
120 meta SARE_HEAD_HDR_XWTVERS __SARE_HEAD_FALSE
121 meta SARE_HEAD_ORIG_RECIP __SARE_HEAD_FALSE
122 meta SARE_RECV_IP_195229 __SARE_HEAD_FALSE
123 meta SARE_FREE_WEBM_EsTerra __SARE_HEAD_FALSE
124 meta SARE_FROM_SPAM_NAME2A __SARE_HEAD_FALSE
125 meta SARE_HEAD_DATE46 __SARE_HEAD_FALSE
126 meta SARE_HEAD_HDR_XEMAIL __SARE_HEAD_FALSE
127 meta SARE_HEAD_MIME_INVALID __SARE_HEAD_FALSE
128 meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
129 meta SARE_HEAD_HDR_XLISTAD __SARE_HEAD_FALSE
130 meta SARE_HEAD_MSMPR_RNDSTR __SARE_HEAD_FALSE
131 meta SARE_RECV_IP_209190 __SARE_HEAD_FALSE
132 meta SARE_HEAD_DATE_RNDDATE __SARE_HEAD_FALSE
133 meta SARE_HEAD_HDR_MSGTYPE __SARE_HEAD_FALSE
134 meta SARE_HEAD_HDR_X400RCV __SARE_HEAD_FALSE
135 meta SARE_HEAD_HDR_XCNDINF __SARE_HEAD_FALSE
136 meta SARE_HEAD_HDR_XRIPE __SARE_HEAD_FALSE
137 meta SARE_HEAD_HDR_XSAFMMI __SARE_HEAD_FALSE
138 meta SARE_RECV_IP_062023 __SARE_HEAD_FALSE
139 meta SARE_RECV_IP_065205157 __SARE_HEAD_FALSE
140 meta SARE_RECV_IP_066248154 __SARE_HEAD_FALSE
141 meta SARE_RECV_IP_206248152 __SARE_HEAD_FALSE
142 meta SARE_RECV_RND_DATE __SARE_HEAD_FALSE
143 meta SARE_XMAIL_GDI __SARE_HEAD_FALSE
144 meta SARE_HEAD_DATE_5L __SARE_HEAD_FALSE
145 meta SARE_HEAD_XWORD __SARE_HEAD_FALSE
146 meta SARE_RECV_IP_063106130 __SARE_HEAD_FALSE
147 meta SARE_RECV_IP_064034 __SARE_HEAD_FALSE
148 meta SARE_XMAIL_GOMAIL __SARE_HEAD_FALSE
149 meta SARE_XMAIL_TOLMAIL __SARE_HEAD_FALSE
150 meta SARE_FROM_DVDCOPY __SARE_HEAD_FALSE
151 meta SARE_RECV_FREESERVE __SARE_HEAD_FALSE
153 #####################################################################################
154 # SARE Header-Exists rules
155 ######## ###################### ##################################################
# Fires on the mere presence of an "Approved" header; the value is not inspected.
# Scored low (0.166), and the #hist line records two confirmed ham hits, so this
# is a weak hint rather than a verdict.
157 header SARE_HEAD_HDR_APPROV exists:Approved
158 describe SARE_HEAD_HDR_APPROV Message headers used which identify spam
159 score SARE_HEAD_HDR_APPROV 0.166
160 #hist SARE_HEAD_HDR_APPROV Moved file 0 to 1, version 01.03.09, 2 ham confirmed
161 #counts SARE_HEAD_HDR_APPROV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
162 #max SARE_HEAD_HDR_APPROV 163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
163 #counts SARE_HEAD_HDR_APPROV 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
164 #counts SARE_HEAD_HDR_APPROV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
165 #counts SARE_HEAD_HDR_APPROV 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
166 #max SARE_HEAD_HDR_APPROV 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
167 #counts SARE_HEAD_HDR_APPROV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
168 #max SARE_HEAD_HDR_APPROV 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
169 #counts SARE_HEAD_HDR_APPROV 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
170 #counts SARE_HEAD_HDR_APPROV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Presence-only test for a "Disclose-Recipients" header.
# The #ham line records legitimate use (usdoj.gov), so the header is not
# exclusive to spam.
172 header SARE_HEAD_HDR_DISCREC exists:Disclose-Recipients
173 describe SARE_HEAD_HDR_DISCREC Message headers used which identify spam
174 score SARE_HEAD_HDR_DISCREC 0.772
175 #ham SARE_HEAD_HDR_DISCREC confirmed (4), Used by usdoj.gov
176 #counts SARE_HEAD_HDR_DISCREC 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
177 #max SARE_HEAD_HDR_DISCREC 210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
178 #counts SARE_HEAD_HDR_DISCREC 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
179 #counts SARE_HEAD_HDR_DISCREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
180 #counts SARE_HEAD_HDR_DISCREC 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
181 #max SARE_HEAD_HDR_DISCREC 33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
182 #counts SARE_HEAD_HDR_DISCREC 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
183 #max SARE_HEAD_HDR_DISCREC 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
184 #counts SARE_HEAD_HDR_DISCREC 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
185 #counts SARE_HEAD_HDR_DISCREC 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Presence-only test for an "X-EMail" header.
# NOTE(review): the same rule name is stubbed to constant false in the meta list
# earlier in this file; this later declaration is presumably the one that takes
# effect -- confirm against the load order of the other SARE header files.
187 header SARE_HEAD_HDR_XEMAIL exists:X-EMail
188 describe SARE_HEAD_HDR_XEMAIL Message headers used which identify spam
189 score SARE_HEAD_HDR_XEMAIL 1.666
190 #ham SARE_HEAD_HDR_XEMAIL confirmed (several, one source)
191 #counts SARE_HEAD_HDR_XEMAIL 221s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
192 #max SARE_HEAD_HDR_XEMAIL 841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
193 #counts SARE_HEAD_HDR_XEMAIL 78s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
194 #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
195 #counts SARE_HEAD_HDR_XEMAIL 458s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
196 #counts SARE_HEAD_HDR_XEMAIL 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
197 #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
198 #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
# Presence-only test for an "X-ENC" header; the value is not inspected.
200 header SARE_HEAD_HDR_XENC exists:X-ENC
201 describe SARE_HEAD_HDR_XENC Message headers used which identify spam
202 score SARE_HEAD_HDR_XENC 0.872
203 #stype SARE_HEAD_HDR_XENC spamp
204 #hist SARE_HEAD_HDR_XENC Created by Bob Menschel Sep 03 2004
205 #counts SARE_HEAD_HDR_XENC 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
206 #max SARE_HEAD_HDR_XENC 19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
207 #counts SARE_HEAD_HDR_XENC 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
208 #max SARE_HEAD_HDR_XENC 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
209 #counts SARE_HEAD_HDR_XENC 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
210 #counts SARE_HEAD_HDR_XENC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
211 #counts SARE_HEAD_HDR_XENC 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
212 #counts SARE_HEAD_HDR_XENC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
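# SARE_HEAD_HDR_XIDKEY: an X-Identity-Key header on a message that also carries
# at least one Received header.
#   __HAS_RCVD             a Received header exists
#   __SARE_HEAD_HDR_IDKEY  an X-Identity-Key header exists
# The rule name was declared twice: first as the meta below, then again as a
# plain "exists:X-Identity-Key" header test. With last-definition-wins parsing
# the second declaration replaces the meta and silently drops the Received
# requirement, leaving both sub-rules unused, so it is disabled here.
# NOTE(review): the #counts lines that follow were presumably gathered with
# whichever definition was live at the time -- re-run mass-check before relying
# on the 1.666 score.
214 header __HAS_RCVD exists:Received
215 header __SARE_HEAD_HDR_IDKEY exists:X-Identity-Key
216 meta SARE_HEAD_HDR_XIDKEY __SARE_HEAD_HDR_IDKEY && __HAS_RCVD
#header SARE_HEAD_HDR_XIDKEY exists:X-Identity-Key
218 describe SARE_HEAD_HDR_XIDKEY Apparent spam sign in headers
219 score SARE_HEAD_HDR_XIDKEY 1.666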
220 #ham SARE_HEAD_HDR_XIDKEY verified (4)
221 #hist SARE_HEAD_HDR_XIDKEY Created by Chris Santerre Aug 31 2004
222 #counts SARE_HEAD_HDR_XIDKEY 30s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
223 #max SARE_HEAD_HDR_XIDKEY 3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
224 #counts SARE_HEAD_HDR_XIDKEY 232s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
225 #counts SARE_HEAD_HDR_XIDKEY 68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
226 #counts SARE_HEAD_HDR_XIDKEY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
227 #counts SARE_HEAD_HDR_XIDKEY 104s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
228 #counts SARE_HEAD_HDR_XIDKEY 367s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
229 #counts SARE_HEAD_HDR_XIDKEY 859s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# X-Legal sub-rules (all value tests are case-insensitive):
#   __SARE_HEAD_HDR_XLEGAL  the header is present
#   __SARE_HEAD_HDR_XLEGAC  value contains "copyright" or "(c)"
#   __SARE_HEAD_HDR_XLEGAI  value contains "in compliance"
#   __SARE_HEAD_HDR_XLEGAB  value contains "BE ADVISED"
# SARE_HEAD_HDR_XLEGAL1 requires both phrases and the absence of a copyright
# marker. __SARE_HEAD_HDR_XLEGAL is not used by this meta; it feeds
# SARE_HEAD_HDR_XLEGAL3.
231 header __SARE_HEAD_HDR_XLEGAL exists:X-Legal
232 header __SARE_HEAD_HDR_XLEGAC X-Legal =~ m'copyright|\(c\)'i
233 header __SARE_HEAD_HDR_XLEGAI X-Legal =~ m'in compliance'i
234 header __SARE_HEAD_HDR_XLEGAB X-Legal =~ m'BE ADVISED'i
235 meta SARE_HEAD_HDR_XLEGAL1 __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC
236 describe SARE_HEAD_HDR_XLEGAL1 Message headers used which identify spam
237 score SARE_HEAD_HDR_XLEGAL1 1.666
238 #stype SARE_HEAD_HDR_XLEGAL1 spamgg
239 #hist SARE_HEAD_HDR_XLEGAL1 Bob Menschel, Aug 07 2005
240 #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
241 #max SARE_HEAD_HDR_XLEGAL1 7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
242 #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
243 #counts SARE_HEAD_HDR_XLEGAL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
244 #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
# Catch-all for X-Legal: the header is present, SARE_HEAD_HDR_XLEGAL1 did not
# match, and the value carries no copyright marker. By construction it never
# fires together with SARE_HEAD_HDR_XLEGAL1, so the two 1.666 scores do not add up.
# Depends on the __SARE_HEAD_HDR_XLEGAL / __SARE_HEAD_HDR_XLEGAC sub-rules and on
# SARE_HEAD_HDR_XLEGAL1 declared earlier in this file.
246 meta SARE_HEAD_HDR_XLEGAL3 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !__SARE_HEAD_HDR_XLEGAC
247 describe SARE_HEAD_HDR_XLEGAL3 Message headers used which identify spam
248 score SARE_HEAD_HDR_XLEGAL3 1.666
249 #stype SARE_HEAD_HDR_XLEGAL3 spamgg
250 #hist SARE_HEAD_HDR_XLEGAL3 Bob Menschel, Aug 07 2005
251 #counts SARE_HEAD_HDR_XLEGAL3 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
252 #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
253 #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
# Presence-only test for an "X-Mailid" header.
# Ham hits are confirmed (#ham), and an older #was line records 0 spam / 3 ham in
# one corpus -- watch for false positives at this score.
255 header SARE_HEAD_HDR_XMAILID exists:X-Mailid
256 describe SARE_HEAD_HDR_XMAILID Message headers used which identify spam
257 score SARE_HEAD_HDR_XMAILID 1.666
258 #ham SARE_HEAD_HDR_XMAILID confirmed
259 #counts SARE_HEAD_HDR_XMAILID 248s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
260 #counts SARE_HEAD_HDR_XMAILID 4s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
261 #counts SARE_HEAD_HDR_XMAILID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
262 #counts SARE_HEAD_HDR_XMAILID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
263 #counts SARE_HEAD_HDR_XMAILID 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
264 #was SARE_HEAD_HDR_XMAILID 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
265 #counts SARE_HEAD_HDR_XMAILID 5s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Presence-only test for an "X-Mailer-Server" header.
# NOTE(review): reading the #counts lines as spam/ham hits, the most recent RM
# run shows more ham than spam (2s/5h) -- the rule may no longer separate the two.
267 header SARE_HEAD_HDR_XMLRSRV exists:X-Mailer-Server
268 describe SARE_HEAD_HDR_XMLRSRV Message headers used which identify spam
269 score SARE_HEAD_HDR_XMLRSRV 0.555
270 #ham SARE_HEAD_HDR_XMLRSRV verified (1)
271 #counts SARE_HEAD_HDR_XMLRSRV 2s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
272 #max SARE_HEAD_HDR_XMLRSRV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
273 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
274 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
275 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
276 #counts SARE_HEAD_HDR_XMLRSRV 84s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
277 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Presence-only test for an "X-Response-ID" header; one ham hit is confirmed (#ham).
279 header SARE_HEAD_HDR_XRESPID exists:X-Response-ID
280 describe SARE_HEAD_HDR_XRESPID Message headers used which identify spam
281 score SARE_HEAD_HDR_XRESPID 0.528
282 #ham SARE_HEAD_HDR_XRESPID confirmed (1)
283 #counts SARE_HEAD_HDR_XRESPID 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
284 #max SARE_HEAD_HDR_XRESPID 35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
285 #counts SARE_HEAD_HDR_XRESPID 18s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
286 #counts SARE_HEAD_HDR_XRESPID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
287 #counts SARE_HEAD_HDR_XRESPID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
288 #counts SARE_HEAD_HDR_XRESPID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
289 #counts SARE_HEAD_HDR_XRESPID 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Presence-only test for an "X-SID-PRA" header.
# NOTE(review): presumably a Sender ID result header stamped by a receiving mail
# system rather than by the sender -- verify that no trusted relay in front of
# this filter adds it, or every message through that relay will hit.
# The #counts lines match those of SARE_HEAD_HDR_XSIDRES exactly, which suggests
# the two rules fire together and their scores add up.
291 header SARE_HEAD_HDR_XSIDPRA exists:X-SID-PRA
292 describe SARE_HEAD_HDR_XSIDPRA fingerprint
293 score SARE_HEAD_HDR_XSIDPRA 0.616
294 #ham SARE_HEAD_HDR_XSIDPRA confirmed
295 #hist SARE_HEAD_HDR_XSIDPRA Alex Broens, Aug 3 2005
296 #counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
297 #max SARE_HEAD_HDR_XSIDPRA 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
298 #counts SARE_HEAD_HDR_XSIDPRA 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
299 #counts SARE_HEAD_HDR_XSIDPRA 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
300 #max SARE_HEAD_HDR_XSIDPRA 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
301 #counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
# Presence-only test for an "X-SID-Result" header.
# The #counts lines match those of SARE_HEAD_HDR_XSIDPRA exactly, which suggests
# the two rules fire on the same messages (combined 1.232) -- confirm before
# raising either score.
303 header SARE_HEAD_HDR_XSIDRES exists:X-SID-Result
304 describe SARE_HEAD_HDR_XSIDRES fingerprint
305 score SARE_HEAD_HDR_XSIDRES 0.616
306 #ham SARE_HEAD_HDR_XSIDRES confirmed
307 #hist SARE_HEAD_HDR_XSIDRES Alex Broens, Aug 3 2005
308 #counts SARE_HEAD_HDR_XSIDRES 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
309 #max SARE_HEAD_HDR_XSIDRES 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
310 #counts SARE_HEAD_HDR_XSIDRES 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
311 #counts SARE_HEAD_HDR_XSIDRES 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
312 #max SARE_HEAD_HDR_XSIDRES 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
313 #counts SARE_HEAD_HDR_XSIDRES 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
315 #####################################################################################
316 # SARE Content-Type and Boundary rules
317 ######## ###################### ##################################################
# Quoted MIME boundary made of exactly eight hyphens followed by exactly twenty
# lowercase letters. Case-sensitive (no /i).
319 header SARE_BOUNDARY_05 Content-Type =~ /boundary="-{8}[a-z]{20}"/
320 describe SARE_BOUNDARY_05 Content type boundary used in spam
321 score SARE_BOUNDARY_05 1.666
322 #stype SARE_BOUNDARY_05 vbggg
323 #hist SARE_BOUNDARY_05 Moved from file 0 to 1 May 2005
324 #counts SARE_BOUNDARY_05 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
325 #max SARE_BOUNDARY_05 451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
326 #counts SARE_BOUNDARY_05 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
327 #counts SARE_BOUNDARY_05 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
328 #max SARE_BOUNDARY_05 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
329 #counts SARE_BOUNDARY_05 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
330 #counts SARE_BOUNDARY_05 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
331 #counts SARE_BOUNDARY_05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Quoted MIME boundary of the form Boundary_<5>_<4>_<23>, where each group is
# made of word characters of the stated length. Case-insensitive.
333 header SARE_BOUNDARY_06 Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i
334 describe SARE_BOUNDARY_06 Content type boundary used in spam
335 score SARE_BOUNDARY_06 1.666
336 #stype SARE_BOUNDARY_06 vbggg
337 #hist SARE_BOUNDARY_06 Created by Bob Menschel May 4 2004
338 #hist SARE_BOUNDARY_06 Moved from file 0 to 1 May 2005
339 #counts SARE_BOUNDARY_06 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
340 #max SARE_BOUNDARY_06 84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
341 #counts SARE_BOUNDARY_06 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
342 #counts SARE_BOUNDARY_06 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
343 #counts SARE_BOUNDARY_06 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
344 #counts SARE_BOUNDARY_06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Quoted MIME boundary built from 4 to 20 runs of uppercase letters/digits, each
# followed by one or more dots or underscores, with optional leading separators
# and an optional trailing run. Case-sensitive.
# The #ham lines name legitimate senders that produce this shape, so the rule
# is not spam-exclusive.
346 header SARE_BOUNDARY_08 Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s
347 describe SARE_BOUNDARY_08 Improbable MIME boundary format
348 score SARE_BOUNDARY_08 1.666
349 #hist SARE_BOUNDARY_08 LW_BOUNDARY1
350 #ham SARE_BOUNDARY_08 ServiceMagic <customerservice@servicemagic.com>, 2001
351 #ham SARE_BOUNDARY_08 verizon wireless picture phone transmission
352 #counts SARE_BOUNDARY_08 613s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
353 #max SARE_BOUNDARY_08 5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
354 #counts SARE_BOUNDARY_08 38s/3h of 55929 corpus (51589s/4340h AxB2) 05/14/06
355 #counts SARE_BOUNDARY_08 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
356 #max SARE_BOUNDARY_08 228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
357 #counts SARE_BOUNDARY_08 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
358 #max SARE_BOUNDARY_08 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
359 #counts SARE_BOUNDARY_08 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
360 #max SARE_BOUNDARY_08 18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
361 #counts SARE_BOUNDARY_08 826s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
362 #counts SARE_BOUNDARY_08 243s/2h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Quoted MIME boundary consisting of exactly ten digits and nothing else.
# One ham hit is verified (#ham); scored low accordingly.
364 header SARE_BOUNDARY_D10 Content-Type =~ /boundary="\d{10}"/
365 describe SARE_BOUNDARY_D10 Content type boundary used in spam or virus
366 score SARE_BOUNDARY_D10 0.444
367 #ham SARE_BOUNDARY_D10 verified (1)
368 #hist SARE_BOUNDARY_D10 Created by Bob Menschel May 31 2004
369 #counts SARE_BOUNDARY_D10 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
370 #max SARE_BOUNDARY_D10 134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
371 #counts SARE_BOUNDARY_D10 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
372 #counts SARE_BOUNDARY_D10 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
373 #counts SARE_BOUNDARY_D10 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
374 #max SARE_BOUNDARY_D10 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
375 #counts SARE_BOUNDARY_D10 5s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
376 #counts SARE_BOUNDARY_D10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Quoted MIME boundary made only of lowercase letters. The (?!ffff) lookahead
# exempts boundaries starting with "ffff", which the #ham line ties to
# legitimate newsletters.
# NOTE(review): reading #counts as spam/ham hits, the most recent RM run shows
# 0 spam / 3 ham -- 1.666 may be high for a rule that now hits mostly ham.
378 header SARE_BOUNDARY_LC Content-Type =~ /boundary="(?!ffff)[a-z]+"/
379 describe SARE_BOUNDARY_LC Content type boundary used in spam
380 score SARE_BOUNDARY_LC 1.666
381 #ham SARE_BOUNDARY_LC questionable newsletters
382 #hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004
383 #ham SARE_BOUNDARY_LC "ffff": Game Rival <newsletter@gamerival.com>, ThePerfectGreeting <updates@perfectgreeting.com>
384 #counts SARE_BOUNDARY_LC 0s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
385 #max SARE_BOUNDARY_LC 899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
386 #counts SARE_BOUNDARY_LC 44s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
387 #counts SARE_BOUNDARY_LC 83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
388 #counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
389 #counts SARE_BOUNDARY_LC 0s/1h of 13313 corpus (7438s/5875h CT) 05/14/06
390 #max SARE_BOUNDARY_LC 125s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
391 #counts SARE_BOUNDARY_LC 15s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
392 #counts SARE_BOUNDARY_LC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# MIME boundary value that contains "_NextPart_" twice. The closing quote is not
# part of the pattern, and both ".*" are unanchored within the header value.
# At 4.000 this single header test supplies most of SpamAssassin's default 5.0
# threshold, while the most recent #counts lines show no hits -- review whether
# the score is still justified.
394 header SARE_BOUNDARY_NP2 Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
395 describe SARE_BOUNDARY_NP2 Content type boundary used in spam and viruses
396 score SARE_BOUNDARY_NP2 4.000
397 #stype SARE_BOUNDARY_NP2 vbg
398 #hist SARE_BOUNDARY_NP2 Created by Bob Menschel May 31 2004
399 #hist SARE_BOUNDARY_NP2 Bugzilla entry 3861, Oct 03 2004
400 #counts SARE_BOUNDARY_NP2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
401 #max SARE_BOUNDARY_NP2 1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
402 #counts SARE_BOUNDARY_NP2 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
403 #max SARE_BOUNDARY_NP2 37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
404 #counts SARE_BOUNDARY_NP2 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
405 #counts SARE_BOUNDARY_NP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
406 #counts SARE_BOUNDARY_NP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
408 #####################################################################################
410 ######## ###################### ##################################################
# From address whose local part is a literal asterisk: "<*@", then 1-50
# characters, a dot, and 1-3 further characters.
412 header SARE_FROM_AST From =~ /<\*\@.{1,50}\..{1,3}/
413 describe SARE_FROM_AST Invalid character in email address
414 score SARE_FROM_AST 0.666
415 #hist SARE_FROM_AST Originally submitted by Fred Tarasevicius
416 #hist SARE_FROM_AST Returned from file 2 to file 1 Oct 2005
417 #counts SARE_FROM_AST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
418 #max SARE_FROM_AST 20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
419 #counts SARE_FROM_AST 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
420 #counts SARE_FROM_AST 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
421 #counts SARE_FROM_AST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
422 #counts SARE_FROM_AST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
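# Quoted display name followed by an all-uppercase local part at msn.com.
# Deliberately case-sensitive (no /i): the signal is the capitalised mailbox
# name. As a side effect the domain must be written in lowercase to match.
# The dot in "msn\.com" is escaped so that only a literal dot matches; unescaped
# it accepted any character in that position.
# Three ham hits are verified (#ham), so the rule is not spam-exclusive.
424 header SARE_FROM_CAPS_MSN From =~ /"[^"]+" <[A-Z]+\@msn\.com>/ # no /i
425 describe SARE_FROM_CAPS_MSN Ratware all-caps MSN from address
426 score SARE_FROM_CAPS_MSN 0.828
427 #ham SARE_FROM_CAPS_MSN verified (3)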
428 #hist SARE_FROM_CAPS_MSN Created by Bob Menschel May 15 2004
429 #counts SARE_FROM_CAPS_MSN 18s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
430 #max SARE_FROM_CAPS_MSN 421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
431 #counts SARE_FROM_CAPS_MSN 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
432 #counts SARE_FROM_CAPS_MSN 48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
433 #max SARE_FROM_CAPS_MSN 102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
434 #counts SARE_FROM_CAPS_MSN 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
435 #max SARE_FROM_CAPS_MSN 59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
436 #counts SARE_FROM_CAPS_MSN 28s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
437 #max SARE_FROM_CAPS_MSN 51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
438 #counts SARE_FROM_CAPS_MSN 61s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
439 #counts SARE_FROM_CAPS_MSN 28s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# The standalone word "soma" anywhere in the From header (display name or
# address), case-insensitive.
# The #hist line records ham from a mailbox literally named "soma", so personal
# and organisational names are a known false-positive source.
441 header SARE_FROM_DRUGS2 From =~ /\bsoma\b/i
442 describe SARE_FROM_DRUGS2 From a drug
443 score SARE_FROM_DRUGS2 0.644
444 #ham SARE_FROM_DRUGS2 verified (3)
445 #hist SARE_FROM_DRUGS2 Bob Menschel June 25 2005; ham email from userid = soma
446 #counts SARE_FROM_DRUGS2 1s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
447 #max SARE_FROM_DRUGS2 79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
448 #counts SARE_FROM_DRUGS2 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
449 #max SARE_FROM_DRUGS2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
450 #counts SARE_FROM_DRUGS2 20s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
451 #max SARE_FROM_DRUGS2 62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
452 #counts SARE_FROM_DRUGS2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
453 #counts SARE_FROM_DRUGS2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
# FROM_BLANK_NAME is declared here under the name of a stock rule (the trailing
# comment cites SA 3.1.0) so that the meta below can reference it.
# NOTE(review): it has no "__" prefix and no score line in this part of the
# file; where no other file scores it, it presumably picks up SpamAssassin's
# default score and counts on its own -- confirm that is intended.
# __SARE_FROM_NONAME: an empty quoted display name ("") followed, after at most
# one space, by "<".
# SARE_FROM_NONAME fires only when that sub-rule matches and FROM_BLANK_NAME
# does not, i.e. on the cases the stock pattern misses (see #overlap).
# NOTE(review): SARE_FROM_NONAME has no describe line, and the same name is
# stubbed to constant false in the meta list earlier in this file.
455 header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i # SA 3.1.0
456 header __SARE_FROM_NONAME From =~ /"" ?</
457 meta SARE_FROM_NONAME __SARE_FROM_NONAME && !FROM_BLANK_NAME
458 score SARE_FROM_NONAME 1.294
459 #hist SARE_FROM_NONAME Created by Fred Tarasevicius
460 #overlap SARE_FROM_NONAME SARE rule catches spam missed by SA rule. Use meta to avoid duplication
461 #counts SARE_FROM_NONAME 256s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
462 #max SARE_FROM_NONAME 371s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
463 #counts SARE_FROM_NONAME 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
464 #counts SARE_FROM_NONAME 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
465 #counts SARE_FROM_NONAME 129s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
466 #counts SARE_FROM_NONAME 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# "yahoo.net" anywhere in the From header, case-insensitive.
# There is no trailing word boundary, so longer strings that merely begin with
# "yahoo.net" match as well. The #ham line records one legitimate hit.
468 header SARE_FROM_SPAM_DOMN0Y From =~ /\byahoo\.net/i
469 describe SARE_FROM_SPAM_DOMN0Y From address suggests this is spam
470 score SARE_FROM_SPAM_DOMN0Y 0.555
471 #ham SARE_FROM_SPAM_DOMN0Y confirmed: 1 yahoo.net, perhaps a user's error
472 #counts SARE_FROM_SPAM_DOMN0Y 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
473 #max SARE_FROM_SPAM_DOMN0Y 36s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
# "money" in the From header, split by where it sits relative to the "@":
#   __SARE_FROM_SPAM_MONY1  "money", then anything, then "@"
#   __SARE_FROM_SPAM_MONY2  "money" joined to the "@" by non-whitespace only,
#                           i.e. in the same token as the "@"
# SARE_FROM_SPAM_MONEY uses only MONY2. MONY1 is declared here but consumed by
# SARE_FROM_SPAM_MONEY2 (see #addsto).
475 header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
476 header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
477 meta SARE_FROM_SPAM_MONEY __SARE_FROM_SPAM_MONY2
478 describe SARE_FROM_SPAM_MONEY From address suggests this is spam
479 score SARE_FROM_SPAM_MONEY 1.208
480 #ham SARE_FROM_SPAM_MONEY confirmed (1)
481 #addsto SARE_FROM_SPAM_MONEY SARE_FROM_SPAM_MONEY2
482 #hist SARE_FROM_SPAM_MONEY RM_fw_Money. Meta created Aug 20 2004 to improve scoring.
483 #counts SARE_FROM_SPAM_MONEY 257s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
484 #max SARE_FROM_SPAM_MONEY 249s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
485 #counts SARE_FROM_SPAM_MONEY 68s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
486 #counts SARE_FROM_SPAM_MONEY 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
487 #counts SARE_FROM_SPAM_MONEY 14s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
488 #max SARE_FROM_SPAM_MONEY 31s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
489 #counts SARE_FROM_SPAM_MONEY 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
490 #max SARE_FROM_SPAM_MONEY 33s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
491 #counts SARE_FROM_SPAM_MONEY 693s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
492 #counts SARE_FROM_SPAM_MONEY 18s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
# Complement of SARE_FROM_SPAM_MONEY: "money" appears somewhere before the "@"
# but is never joined to it by non-whitespace alone, typically because it sits
# in the display name. The #ham line confirms real users with "money" in their
# display name.
# The two sub-rule declarations repeat, character for character, the ones given
# for SARE_FROM_SPAM_MONEY earlier in this file. Keep both copies in sync or drop
# one.
494 header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
495 header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
496 meta SARE_FROM_SPAM_MONEY2 __SARE_FROM_SPAM_MONY1 && !__SARE_FROM_SPAM_MONY2
497 describe SARE_FROM_SPAM_MONEY2 From address suggests this is spam
498 score SARE_FROM_SPAM_MONEY2 0.890
499 #ham SARE_FROM_SPAM_MONEY2 Valid end-users with "money" in their display name
500 #counts SARE_FROM_SPAM_MONEY2 84s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
501 #max SARE_FROM_SPAM_MONEY2 290s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
502 #counts SARE_FROM_SPAM_MONEY2 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
503 #counts SARE_FROM_SPAM_MONEY2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
504 #counts SARE_FROM_SPAM_MONEY2 61s/3h of 22942 corpus (17234s/5708h MY) 05/14/06
505 #max SARE_FROM_SPAM_MONEY2 62s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
506 #counts SARE_FROM_SPAM_MONEY2 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
507 #max SARE_FROM_SPAM_MONEY2 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
508 #counts SARE_FROM_SPAM_MONEY2 176s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
509 #counts SARE_FROM_SPAM_MONEY2 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Case-insensitive list of sender names in the From header. Only "WSEAS" is
# word-bounded; the other alternatives match as substrings.
# At 3.333 this is one of the heavier rules in the file, while the newest RM
# #counts line shows no hits -- re-check the score against current mail.
511 header SARE_FROM_SPAM_NAME0 From =~ /(?:Direct Marketing|FreeOffers|FunBenefits|salestonight|WESTEC SALES|\bWSEAS\b)/i
512 describe SARE_FROM_SPAM_NAME0 From address suggests this is spam
513 score SARE_FROM_SPAM_NAME0 3.333
514 #stype SARE_FROM_SPAM_NAME0 spamg
515 #hist SARE_FROM_SPAM_NAME0 COMBINED.FROM and other sources
516 #counts SARE_FROM_SPAM_NAME0 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
517 #max SARE_FROM_SPAM_NAME0 369s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
518 #counts SARE_FROM_SPAM_NAME0 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
519 #counts SARE_FROM_SPAM_NAME0 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
520 #counts SARE_FROM_SPAM_NAME0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
521 #counts SARE_FROM_SPAM_NAME0 12s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
522 #counts SARE_FROM_SPAM_NAME0 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# The standalone word "funpage" in the From header, case-insensitive.
# NOTE(review): the same rule name is stubbed to constant false in the meta list
# earlier in this file; this later declaration is presumably the live one.
524 header SARE_FROM_SPAM_NAME2A From =~ /\bfunpage\b/i
525 describe SARE_FROM_SPAM_NAME2A From address suggests this is spam
526 score SARE_FROM_SPAM_NAME2A 0.111
527 #stype SARE_FROM_SPAM_NAME2A spamp
528 #hist SARE_FROM_SPAM_NAME2A COMBINED.FROM and other sources
529 #counts SARE_FROM_SPAM_NAME2A 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
530 #counts SARE_FROM_SPAM_NAME2A 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
531 #counts SARE_FROM_SPAM_NAME2A 2s/0h of 105832 corpus (72573s/33259h ML) 05/14/06
# Hits a From address whose domain part starts directly with "tpnet.pl".
# There is no /i flag, so an upper- or mixed-case spelling of the domain is
# not matched even though domain names are case-insensitive.
# The #stype tag below caps the score at 0.5 because this may be a legitimate
# Polish ISP; keep it a weak signal and do not raise it without local evidence.
533 header SARE_FROM_SPAM_PL1 From =~ /\@tpnet\.pl\b/
534 describe SARE_FROM_SPAM_PL1 A lot of spam comes from here
535 score SARE_FROM_SPAM_PL1 0.500
536 #stype SARE_FROM_SPAM_PL1 max:0.5 # possible valid ISP in Poland
537 #hist SARE_FROM_SPAM_PL1 Loren Wilton, Feb 21 2005
538 #counts SARE_FROM_SPAM_PL1 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
539 #max SARE_FROM_SPAM_PL1 26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
540 #counts SARE_FROM_SPAM_PL1 14s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
541 #counts SARE_FROM_SPAM_PL1 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
542 #counts SARE_FROM_SPAM_PL1 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
543 #max SARE_FROM_SPAM_PL1 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
544 #counts SARE_FROM_SPAM_PL1 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
545 #max SARE_FROM_SPAM_PL1 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
546 #counts SARE_FROM_SPAM_PL1 12s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
547 #counts SARE_FROM_SPAM_PL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Two alternatives, both case-insensitive:
#   ^high.?speed  - only at the very start of the From value (the ^ sits inside
#                   the group), with at most one arbitrary character between
#                   "high" and "speed";
#   interacial    - as a whole word anywhere in the header.
# NOTE(review): the \b in front of ^ is redundant whenever the header starts
# with a word character; left as written to keep the tested behaviour.
549 header SARE_FROM_SPAM_WORD2 From =~ /\b(?:^high.?speed|interacial)\b/i
550 describe SARE_FROM_SPAM_WORD2 From address suggests this is spam
551 score SARE_FROM_SPAM_WORD2 0.555
552 #stype SARE_FROM_SPAM_WORD2 spamp
553 #hist SARE_FROM_SPAM_WORD2 COMBINED.FROM and other sources
554 #counts SARE_FROM_SPAM_WORD2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
555 #max SARE_FROM_SPAM_WORD2 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
556 #counts SARE_FROM_SPAM_WORD2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
557 #counts SARE_FROM_SPAM_WORD2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
558 #counts SARE_FROM_SPAM_WORD2 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
559 #counts SARE_FROM_SPAM_WORD2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
561 #####################################################################################
562 # SARE From Rules -- Emails coming from free webmail accounts
563 # Since spam from these can vary depending upon country of origin,
564 # country of destination, policies, and enforcement of policies,
565 # most of these are kept as separate rules rather than combined.
566 ######## ###################### ##################################################
# Adds 0.667 when the From header mentions bigmailbox.com (any case).
# The pattern has a leading \b but no trailing anchor and is applied to the
# whole header, so it also hits the display name and longer host names that
# merely begin with this string. From is sender-supplied and unauthenticated:
# treat the hit as a weak hint, not as evidence of where the mail came from.
568 header SARE_FREE_WEBM_BIGMAIL From =~ /\bbigmailbox\.com/i
569 describe SARE_FREE_WEBM_BIGMAIL Sender used free email account - may be spammer
570 score SARE_FREE_WEBM_BIGMAIL 0.667
571 #counts SARE_FREE_WEBM_BIGMAIL 14s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
572 #counts SARE_FREE_WEBM_BIGMAIL 2s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
573 #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
574 #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
575 #max SARE_FREE_WEBM_BIGMAIL 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
576 #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
577 #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 1.666 when "terra.es" appears anywhere in the From header (any case).
# NOTE(review): with no trailing boundary the pattern also matches host names
# that continue past ".es", and it is not limited to the address part.
# Matching `From:addr` with an end anchor would confine it to the sender
# domain, but the mass-check figures below would then need to be re-run.
579 header SARE_FREE_WEBM_EsTerra From =~ /\bterra\.es/i
580 describe SARE_FREE_WEBM_EsTerra Sender used free email account - may be spammer
581 score SARE_FREE_WEBM_EsTerra 1.666
582 #counts SARE_FREE_WEBM_EsTerra 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
583 #max SARE_FREE_WEBM_EsTerra 228s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
584 #counts SARE_FREE_WEBM_EsTerra 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
585 #counts SARE_FREE_WEBM_EsTerra 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
586 #counts SARE_FREE_WEBM_EsTerra 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
587 #max SARE_FREE_WEBM_EsTerra 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
588 #counts SARE_FREE_WEBM_EsTerra 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
589 #max SARE_FREE_WEBM_EsTerra 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
590 #counts SARE_FREE_WEBM_EsTerra 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
591 #counts SARE_FREE_WEBM_EsTerra 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 0.444 for a From header containing "voila.fr" (any case, no trailing
# anchor). The #ham tag below records one confirmed legitimate hit, which is
# presumably why the weight is kept low.
593 header SARE_FREE_WEBM_FrVoila From =~ /\bvoila\.fr/i
594 describe SARE_FREE_WEBM_FrVoila Sender used free email account - may be spammer
595 score SARE_FREE_WEBM_FrVoila 0.444
596 #ham SARE_FREE_WEBM_FrVoila confirmed: 1
597 #counts SARE_FREE_WEBM_FrVoila 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
598 #max SARE_FREE_WEBM_FrVoila 40s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
599 #counts SARE_FREE_WEBM_FrVoila 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
600 #counts SARE_FREE_WEBM_FrVoila 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
601 #counts SARE_FREE_WEBM_FrVoila 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
602 #max SARE_FREE_WEBM_FrVoila 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
603 #counts SARE_FREE_WEBM_FrVoila 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
604 #counts SARE_FREE_WEBM_FrVoila 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
605 #counts SARE_FREE_WEBM_FrVoila 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 0.989 when "jpopmail.com" appears in the From header (any case).
# The match is on the claimed sender only; nothing here verifies that the
# message really passed through that provider.
607 header SARE_FREE_WEBM_Jpop From =~ /\bjpopmail\.com/i
608 describe SARE_FREE_WEBM_Jpop Sender used free email account - may be spammer
609 score SARE_FREE_WEBM_Jpop 0.989
610 #counts SARE_FREE_WEBM_Jpop 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
611 #max SARE_FREE_WEBM_Jpop 66s/0h of 125163 corpus (104972s/20191h) 03/28/04
612 #counts SARE_FREE_WEBM_Jpop 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
613 #counts SARE_FREE_WEBM_Jpop 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
614 #counts SARE_FREE_WEBM_Jpop 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
615 #max SARE_FREE_WEBM_Jpop 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
616 #counts SARE_FREE_WEBM_Jpop 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
617 #max SARE_FREE_WEBM_Jpop 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
618 #counts SARE_FREE_WEBM_Jpop 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
619 #counts SARE_FREE_WEBM_Jpop 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches "mail" followed by one to three digits and ".com" anywhere in the
# From header. There is no leading \b or @, so any name that merely ends in
# "mail<digits>.com" hits (constructed example: webmail12.com).
# NOTE(review): the #ham tag below marks this rule "questionable" and the
# #counts/#max lines record ham hits; 1.485 is a lot of weight for a pattern
# this loose. Review against local ham before enabling at this score.
621 header SARE_FREE_WEBM_MailD From =~ /mail\d{1,3}\.com/i
622 describe SARE_FREE_WEBM_MailD Sender used free email account - may be spammer
623 score SARE_FREE_WEBM_MailD 1.485
624 #ham SARE_FREE_WEBM_MailD questionable
625 #counts SARE_FREE_WEBM_MailD 124s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
626 #max SARE_FREE_WEBM_MailD 2051s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
627 #counts SARE_FREE_WEBM_MailD 10s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
628 #counts SARE_FREE_WEBM_MailD 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
629 #max SARE_FREE_WEBM_MailD 27s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
630 #counts SARE_FREE_WEBM_MailD 31s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
631 #max SARE_FREE_WEBM_MailD 75s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
632 #counts SARE_FREE_WEBM_MailD 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
633 #counts SARE_FREE_WEBM_MailD 234s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
634 #counts SARE_FREE_WEBM_MailD 72s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.889 when "mailexcite.com" appears in the From header (any case).
# The #ham tag below notes verified legitimate mail from this domain, so the
# rule is a reputation hint for a free provider, not a spam fingerprint.
636 header SARE_FREE_WEBM_Mailexc From =~ /\bmailexcite\.com/i
637 describe SARE_FREE_WEBM_Mailexc Sender used free email account - may be spammer
638 score SARE_FREE_WEBM_Mailexc 0.889
639 #ham SARE_FREE_WEBM_Mailexc verified (6)
640 #counts SARE_FREE_WEBM_Mailexc 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
641 #max SARE_FREE_WEBM_Mailexc 44s/0h of 125163 corpus (104972s/20191h) 03/28/04
642 #counts SARE_FREE_WEBM_Mailexc 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
643 #counts SARE_FREE_WEBM_Mailexc 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
644 #counts SARE_FREE_WEBM_Mailexc 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
645 #max SARE_FREE_WEBM_Mailexc 7s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
646 #counts SARE_FREE_WEBM_Mailexc 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
647 #counts SARE_FREE_WEBM_Mailexc 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
648 #counts SARE_FREE_WEBM_Mailexc 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Hits From addresses at "@netcity<suffix>.com", where <suffix> is one or more
# word characters; plain "@netcity.com" does not match because \w+ needs at
# least one character. Anchoring on "@" keeps the match in the address part.
650 header SARE_FREE_WEBM_NETCITY From =~ /\@netcity\w+\.com/i
651 describe SARE_FREE_WEBM_NETCITY Maybe spammer with free email
652 score SARE_FREE_WEBM_NETCITY 1.111
653 #stype SARE_FREE_WEBM_NETCITY spamp
654 #hist SARE_FREE_WEBM_NETCITY Created by Bob Menschel Aug 20 2004
655 #counts SARE_FREE_WEBM_NETCITY 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
656 #max SARE_FREE_WEBM_NETCITY 12s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
657 #counts SARE_FREE_WEBM_NETCITY 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
658 #counts SARE_FREE_WEBM_NETCITY 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
659 #counts SARE_FREE_WEBM_NETCITY 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
660 #max SARE_FREE_WEBM_NETCITY 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
661 #counts SARE_FREE_WEBM_NETCITY 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
662 #counts SARE_FREE_WEBM_NETCITY 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
663 #counts SARE_FREE_WEBM_NETCITY 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 0.500 when "fsmail.net" appears in the From header (any case, no
# trailing anchor).
# NOTE(review): one #counts line in the statistics below (gutter 676, DOC
# corpus) carries the rule name SARE_FREE_WEBM_NETCITY and repeats that rule's
# DOC figure; it looks like a copy/paste slip, so this rule's DOC result is
# not actually recorded here.
665 header SARE_FREE_WEBM_NetFs From =~ /\bfsmail\.net/i
666 describe SARE_FREE_WEBM_NetFs Sender used free email account - may be spammer
667 score SARE_FREE_WEBM_NetFs 0.500
668 #ham SARE_FREE_WEBM_NetFs confirmed (1)
669 #counts SARE_FREE_WEBM_NetFs 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
670 #max SARE_FREE_WEBM_NetFs 129s/0h of 125163 corpus (104972s/20191h) 03/28/04
671 #counts SARE_FREE_WEBM_NetFs 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
672 #counts SARE_FREE_WEBM_NetFs 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
673 #counts SARE_FREE_WEBM_NetFs 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
674 #max SARE_FREE_WEBM_NetFs 8s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
675 #counts SARE_FREE_WEBM_NetFs 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
676 #counts SARE_FREE_WEBM_NETCITY 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
677 #counts SARE_FREE_WEBM_NetFs 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.667 when "safe-mail.net" appears in the From header (any case).
# One of the #max lines below records a ham hit, so expect occasional
# legitimate senders on this domain.
679 header SARE_FREE_WEBM_NetSafe From =~ /\bsafe-mail\.net/i
680 describe SARE_FREE_WEBM_NetSafe Sender used free email account - may be spammer
681 score SARE_FREE_WEBM_NetSafe 0.667
682 #counts SARE_FREE_WEBM_NetSafe 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
683 #max SARE_FREE_WEBM_NetSafe 28s/1h of 283497 corpus (129933s/153564h RM) 03/08/05
684 #counts SARE_FREE_WEBM_NetSafe 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
685 #counts SARE_FREE_WEBM_NetSafe 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
686 #max SARE_FREE_WEBM_NetSafe 9s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
687 #counts SARE_FREE_WEBM_NetSafe 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
688 #max SARE_FREE_WEBM_NetSafe 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
689 #counts SARE_FREE_WEBM_NetSafe 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
690 #max SARE_FREE_WEBM_NetSafe 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
691 #counts SARE_FREE_WEBM_NetSafe 16s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
692 #counts SARE_FREE_WEBM_NetSafe 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
693 #max SARE_FREE_WEBM_NetSafe 6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
# Adds 0.222 when "netster.com" appears in the From header (any case).
# Low weight; the #ham tag below records a confirmed legitimate hit.
695 header SARE_FREE_WEBM_Netster From =~ /\bnetster\.com/i
696 describe SARE_FREE_WEBM_Netster Sender used free email account - may be spammer
697 score SARE_FREE_WEBM_Netster 0.222
698 #ham SARE_FREE_WEBM_Netster confirmed (1)
699 #counts SARE_FREE_WEBM_Netster 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
700 #max SARE_FREE_WEBM_Netster 43s/0h of 125163 corpus (104972s/20191h) 03/28/04
701 #counts SARE_FREE_WEBM_Netster 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
702 #max SARE_FREE_WEBM_Netster 2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
703 #counts SARE_FREE_WEBM_Netster 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
704 #max SARE_FREE_WEBM_Netster 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
705 #counts SARE_FREE_WEBM_Netster 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
706 #max SARE_FREE_WEBM_Netster 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
707 #counts SARE_FREE_WEBM_Netster 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
708 #counts SARE_FREE_WEBM_Netster 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 1.083 when "tenbit.pl" appears in the From header (any case).
# Like the other free-webmail rules it keys on the claimed sender domain only
# and should be read together with authentication results for that domain.
710 header SARE_FREE_WEBM_PlTenbi From =~ /\btenbit\.pl/i
711 describe SARE_FREE_WEBM_PlTenbi Sender used free email account - may be spammer
712 score SARE_FREE_WEBM_PlTenbi 1.083
713 #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
714 #max SARE_FREE_WEBM_PlTenbi 83s/0h of 115937 corpus (94614s/21323h) 04/29/04
715 #counts SARE_FREE_WEBM_PlTenbi 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
716 #counts SARE_FREE_WEBM_PlTenbi 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
717 #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
718 #max SARE_FREE_WEBM_PlTenbi 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
719 #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
720 #max SARE_FREE_WEBM_PlTenbi 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
721 #counts SARE_FREE_WEBM_PlTenbi 4s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
722 #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 0.972 for a From header containing redwhitearmy.com or
# emailaccount.com (any case, leading \b only).
# The #ham tag and the RM #max line below both record legitimate hits.
724 header SARE_FREE_WEBM_ZCom05 From =~ /\b(?:redwhitearmy|emailaccount)\.com/i
725 describe SARE_FREE_WEBM_ZCom05 Sender used free email account - may be spammer
726 score SARE_FREE_WEBM_ZCom05 0.972
727 #ham SARE_FREE_WEBM_ZCom05 confirmed (1)
728 #counts SARE_FREE_WEBM_ZCom05 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
729 #max SARE_FREE_WEBM_ZCom05 183s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
730 #counts SARE_FREE_WEBM_ZCom05 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
731 #max SARE_FREE_WEBM_ZCom05 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
732 #counts SARE_FREE_WEBM_ZCom05 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
733 #max SARE_FREE_WEBM_ZCom05 54s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
734 #counts SARE_FREE_WEBM_ZCom05 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
735 #max SARE_FREE_WEBM_ZCom05 14s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
736 #counts SARE_FREE_WEBM_ZCom05 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
737 #counts SARE_FREE_WEBM_ZCom05 32s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.711 when "whoever.com" appears in the From header; /i makes the
# capital W in the pattern irrelevant.
739 header SARE_FREE_WEBM_Whoever From =~ /\bWhoever\.com/i
740 describe SARE_FREE_WEBM_Whoever Sender used free email account - may be spammer
741 score SARE_FREE_WEBM_Whoever 0.711
742 #counts SARE_FREE_WEBM_Whoever 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
743 #max SARE_FREE_WEBM_Whoever 18s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
744 #counts SARE_FREE_WEBM_Whoever 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
745 #max SARE_FREE_WEBM_Whoever 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
746 #counts SARE_FREE_WEBM_Whoever 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
747 #max SARE_FREE_WEBM_Whoever 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
748 #counts SARE_FREE_WEBM_Whoever 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
749 #counts SARE_FREE_WEBM_Whoever 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.789 for a From address at "@wowmail.com" (any case). The leading "@"
# ties the match to the start of the domain part, unlike the \b-anchored
# rules in this section, but there is still no trailing anchor.
751 header SARE_FREE_WEBM_WOWMAIL From =~ /\@wowmail\.com/i
752 describe SARE_FREE_WEBM_WOWMAIL Sender used free email account - may be spammer
753 score SARE_FREE_WEBM_WOWMAIL 0.789
754 #hist SARE_FREE_WEBM_WOWMAIL Created by Bob Menschel June 16 2004
755 #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
756 #max SARE_FREE_WEBM_WOWMAIL 18s/0h of 92181 corpus (67808s/24373h RM) 07/18/04
757 #counts SARE_FREE_WEBM_WOWMAIL 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
758 #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
759 #max SARE_FREE_WEBM_WOWMAIL 7s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
760 #counts SARE_FREE_WEBM_WOWMAIL 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
761 #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
762 #max SARE_FREE_WEBM_WOWMAIL 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
763 #counts SARE_FREE_WEBM_WOWMAIL 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.630 for a From header containing sify.com, superonline.com or
# coolgoose.com (any case).
# NOTE(review): the #ham tag is "confirmed" and several #counts/#max lines
# below show ham hits, so these are ordinary mailbox providers with real
# users; keep the weight low and never use the rule as a sole block criterion.
765 header SARE_FREE_WEBM_ZCom01 From =~ /\b(?:sify|superonline|coolgoose)\.com/i
766 describe SARE_FREE_WEBM_ZCom01 Sender used free email account - may be spammer
767 score SARE_FREE_WEBM_ZCom01 0.630
768 #ham SARE_FREE_WEBM_ZCom01 confirmed
769 #counts SARE_FREE_WEBM_ZCom01 7s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
770 #max SARE_FREE_WEBM_ZCom01 150s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
771 #counts SARE_FREE_WEBM_ZCom01 3s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
772 #counts SARE_FREE_WEBM_ZCom01 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
773 #counts SARE_FREE_WEBM_ZCom01 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
774 #max SARE_FREE_WEBM_ZCom01 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
775 #counts SARE_FREE_WEBM_ZCom01 16s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
776 #counts SARE_FREE_WEBM_ZCom01 33s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
777 #counts SARE_FREE_WEBM_ZCom01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 0.900 for a From header containing macmail.com or emailacc.com (any
# case). The #ham tag below confirms legitimate mail from macmail.com and the
# RM #max line records ham hits as well.
779 header SARE_FREE_WEBM_ZCom02 From =~ /\b(?:macmail|emailacc)\.com/i
780 describe SARE_FREE_WEBM_ZCom02 Sender used free email account - may be spammer
781 score SARE_FREE_WEBM_ZCom02 0.900
782 #ham SARE_FREE_WEBM_ZCom02 Confirmed: macmail.com(2)
783 #counts SARE_FREE_WEBM_ZCom02 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
784 #max SARE_FREE_WEBM_ZCom02 122s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
785 #counts SARE_FREE_WEBM_ZCom02 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
786 #counts SARE_FREE_WEBM_ZCom02 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
787 #max SARE_FREE_WEBM_ZCom02 10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
788 #counts SARE_FREE_WEBM_ZCom02 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
789 #max SARE_FREE_WEBM_ZCom02 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
790 #counts SARE_FREE_WEBM_ZCom02 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
791 #max SARE_FREE_WEBM_ZCom02 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
792 #counts SARE_FREE_WEBM_ZCom02 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
793 #counts SARE_FREE_WEBM_ZCom02 43s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.656 for a From header containing pakistanmail.com or prontomail.com
# (any case). Per the #hist tag below, mail2world.com was taken out of this
# alternation because it hit ham; per the #ham tag, legitimate bounce
# messages can still trigger the rule.
795 header SARE_FREE_WEBM_ZCom03 From =~ /\b(?:pakistanmail|prontomail)\.com/i
796 describe SARE_FREE_WEBM_ZCom03 Sender used free email account - may be spammer
797 score SARE_FREE_WEBM_ZCom03 0.656
798 #ham SARE_FREE_WEBM_ZCom03 valid email bounce messages
799 #hist SARE_FREE_WEBM_ZCom03 Removed mail2world.com since it hit ham.
800 #counts SARE_FREE_WEBM_ZCom03 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
801 #max SARE_FREE_WEBM_ZCom03 139s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
802 #counts SARE_FREE_WEBM_ZCom03 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
803 #counts SARE_FREE_WEBM_ZCom03 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
804 #counts SARE_FREE_WEBM_ZCom03 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
805 #max SARE_FREE_WEBM_ZCom03 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
806 #counts SARE_FREE_WEBM_ZCom03 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
807 #max SARE_FREE_WEBM_ZCom03 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
808 #counts SARE_FREE_WEBM_ZCom03 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
809 #counts SARE_FREE_WEBM_ZCom03 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.917 when "mail2world.com" appears in the From header (any case).
# NOTE(review): the RM #max line below records 14 ham hits and the #ham tag
# mentions valid bounce messages, yet this rule scores higher than
# SARE_FREE_WEBM_ZCom03 (0.656). Confirm the weight is intended.
811 header SARE_FREE_WEBM_ZCom03B From =~ /\bmail2world\.com/i
812 describe SARE_FREE_WEBM_ZCom03B Sender used free email account - may be spammer
813 score SARE_FREE_WEBM_ZCom03B 0.917
814 #ham SARE_FREE_WEBM_ZCom03B valid email bounce messages
815 #counts SARE_FREE_WEBM_ZCom03B 12s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
816 #max SARE_FREE_WEBM_ZCom03B 139s/14h of 689155 corpus (348140s/341015h RM) 09/18/05
817 #counts SARE_FREE_WEBM_ZCom03B 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
818 #counts SARE_FREE_WEBM_ZCom03B 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
819 #counts SARE_FREE_WEBM_ZCom03B 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
820 #max SARE_FREE_WEBM_ZCom03B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
821 #counts SARE_FREE_WEBM_ZCom03B 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
822 #max SARE_FREE_WEBM_ZCom03B 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
823 #counts SARE_FREE_WEBM_ZCom03B 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
824 #counts SARE_FREE_WEBM_ZCom03B 29s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.778 for a From header containing luxmail.com, olemail.com or
# sailormoon.com (any case, leading \b only, no trailing anchor).
826 header SARE_FREE_WEBM_ZCom04 From =~ /\b(?:luxmail|olemail|sailormoon)\.com/i
827 describe SARE_FREE_WEBM_ZCom04 Sender used free email account - may be spammer
828 score SARE_FREE_WEBM_ZCom04 0.778
829 #counts SARE_FREE_WEBM_ZCom04 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
830 #max SARE_FREE_WEBM_ZCom04 19s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
831 #counts SARE_FREE_WEBM_ZCom04 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
832 #counts SARE_FREE_WEBM_ZCom04 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
833 #counts SARE_FREE_WEBM_ZCom04 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
834 #max SARE_FREE_WEBM_ZCom04 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
835 #counts SARE_FREE_WEBM_ZCom04 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
836 #max SARE_FREE_WEBM_ZCom04 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
837 #counts SARE_FREE_WEBM_ZCom04 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
838 #counts SARE_FREE_WEBM_ZCom04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.711 for a From header containing any of five .com webmail names
# (clickitmail, deskpilot, killergreenmail, lancsmail, lovecat), any case.
# The #ham tag is "confirmed" and the first #counts line shows a ham hit.
840 header SARE_FREE_WEBM_ZCom06 From =~ /\b(?:clickitmail|deskpilot|killergreenmail|lancsmail|lovecat)\.com/i
841 describe SARE_FREE_WEBM_ZCom06 Sender used free email account - may be spammer
842 score SARE_FREE_WEBM_ZCom06 0.711
843 #ham SARE_FREE_WEBM_ZCom06 confirmed
844 #counts SARE_FREE_WEBM_ZCom06 3s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
845 #max SARE_FREE_WEBM_ZCom06 23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
846 #counts SARE_FREE_WEBM_ZCom06 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
847 #counts SARE_FREE_WEBM_ZCom06 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
848 #counts SARE_FREE_WEBM_ZCom06 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
849 #max SARE_FREE_WEBM_ZCom06 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
850 #counts SARE_FREE_WEBM_ZCom06 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
851 #counts SARE_FREE_WEBM_ZCom06 26s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
852 #counts SARE_FREE_WEBM_ZCom06 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Adds 0.856 for a From header containing bolt.com or amnestymail.com.
# NOTE(review): "bolt" is a short token and \b also matches after a hyphen or
# dot, so unrelated hosts whose last label before ".com" is "bolt" hit too
# (constructed example: thunder-bolt.com). Watch for false positives.
854 header SARE_FREE_WEBM_ZCom07 From =~ /\b(?:bolt|amnestymail)\.com/i
855 describe SARE_FREE_WEBM_ZCom07 Sender used free email account - may be spammer
856 score SARE_FREE_WEBM_ZCom07 0.856
857 #counts SARE_FREE_WEBM_ZCom07 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
858 #max SARE_FREE_WEBM_ZCom07 25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
859 #counts SARE_FREE_WEBM_ZCom07 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
860 #counts SARE_FREE_WEBM_ZCom07 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
861 #max SARE_FREE_WEBM_ZCom07 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
862 #counts SARE_FREE_WEBM_ZCom07 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
863 #max SARE_FREE_WEBM_ZCom07 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
864 #counts SARE_FREE_WEBM_ZCom07 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
865 #counts SARE_FREE_WEBM_ZCom07 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Adds 0.822 for a From address at "@702mail.co.za" (any case); the leading
# "@" keeps the match at the start of the domain part of an address.
867 header SARE_FREE_WEBM_ZZa001 From =~ /\@702mail\.co\.za/i
868 describe SARE_FREE_WEBM_ZZa001 Sender used free email account - may be spammer
869 score SARE_FREE_WEBM_ZZa001 0.822
870 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
871 #max SARE_FREE_WEBM_ZZa001 38s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
872 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
873 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
874 #max SARE_FREE_WEBM_ZZa001 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
875 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
876 #counts SARE_FREE_WEBM_ZZa001 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
877 #counts SARE_FREE_WEBM_ZZa001 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Six unscored body sub-rules (the "__" prefix keeps them out of the score),
# each looking for a "sent from WebMail service" style footer phrase in a
# different wording or language, case-insensitively.
879 body __SARE_FREE_WEBM_SERV1 /Mail sent from WebMail service/i
880 body __SARE_FREE_WEBM_SERV2 /spedita dal servizio WebMail/i
881 body __SARE_FREE_WEBM_SERV3 /Mail enviado desde el servicio de WebMail/i
882 body __SARE_FREE_WEBM_SERV4 /Mail inviata dal WebMail service/i
883 body __SARE_FREE_WEBM_SERV5 /le module WebMail des service/i
884 body __SARE_FREE_WEBM_SERV6 /Servizio WebMail offerto/i
# The scored rule fires once if any one of the six phrases is present.
# Body text is entirely sender-controlled and the #ham tag below reports
# several confirmed legitimate hits, so this is a mild hint (0.698) only.
885 meta SARE_FREE_WEBM_SERV (__SARE_FREE_WEBM_SERV1 || __SARE_FREE_WEBM_SERV2 || __SARE_FREE_WEBM_SERV3 || __SARE_FREE_WEBM_SERV4 || __SARE_FREE_WEBM_SERV5 || __SARE_FREE_WEBM_SERV6)
886 describe SARE_FREE_WEBM_SERV Sent from Webmail server
887 score SARE_FREE_WEBM_SERV 0.698
888 #ham SARE_FREE_WEBM_SERV confirmed (several)
889 #hist SARE_FREE_WEBM_SERV Kevin Peuhkurinen, May 2005
890 #counts SARE_FREE_WEBM_SERV 25s/4h of 173032 corpus (99056s/73976h RM) 05/11/06
891 #max SARE_FREE_WEBM_SERV 1104s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
892 #counts SARE_FREE_WEBM_SERV 28s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
893 #counts SARE_FREE_WEBM_SERV 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
894 #max SARE_FREE_WEBM_SERV 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
895 #counts SARE_FREE_WEBM_SERV 48s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
896 #counts SARE_FREE_WEBM_SERV 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
897 #counts SARE_FREE_WEBM_SERV 10s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
898 #max SARE_FREE_WEBM_SERV 58s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
899 #counts SARE_FREE_WEBM_SERV 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
901 #####################################################################################
902 # SARE Message-ID rules
903 ######## ###################### ##################################################
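# Ratware Message-ID shape: "<d.d.dd." + 16 digits + 6 lower-case hex
# characters + "@" (the hex class has no /i, so upper-case hex does not match).
# The meta suppresses the hit when a Received header contains the upper-case
# string LOCALHOST (that sub-rule is also case-sensitive), presumably to spare
# a known legitimate generator -- confirm before changing either sub-rule.
# Message-ID is sender-controlled: this fingerprints one mailing tool and says
# nothing about where the message actually originated.
905 header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
906 header __SARE_MSGID_D1D1D2D16 MESSAGEID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
907 meta SARE_MSGID_D1D1D2D16 !__SARE_RECV_LOCALHOST && __SARE_MSGID_D1D1D2D16
# describe: closing parenthesis restored so the report text is well-formed and
# consistent with the other Message-ID rules in this file.
908 describe SARE_MSGID_D1D1D2D16 Message-ID has ratware pattern (9.9.99.9999999hex@)
909 score SARE_MSGID_D1D1D2D16 1.666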
910 #counts SARE_MSGID_D1D1D2D16 13s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
911 #max SARE_MSGID_D1D1D2D16 590s/0h of 115439 corpus (94250s/21189h) 04/30/04
912 #counts SARE_MSGID_D1D1D2D16 3s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
913 #counts SARE_MSGID_D1D1D2D16 46s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
914 #counts SARE_MSGID_D1D1D2D16 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
915 #counts SARE_MSGID_D1D1D2D16 22s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
916 #counts SARE_MSGID_D1D1D2D16 109s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
917 #counts SARE_MSGID_D1D1D2D16 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Hits a Message-ID that opens with exactly five digits, a dot, seven digits
# and "@". Nothing after the "@" is checked.
# The #ham tag is "confirmed" and one #max line below shows a ham hit, so some
# legitimate software produces this shape; 0.622 reflects that.
919 header SARE_MSGID_D5D7 MESSAGEID =~ /<\d{5}\.\d{7}\@/
920 describe SARE_MSGID_D5D7 Message-ID has ratware pattern (99999.9999999@)
921 score SARE_MSGID_D5D7 0.622
922 #ham SARE_MSGID_D5D7 confirmed
923 #counts SARE_MSGID_D5D7 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
924 #max SARE_MSGID_D5D7 4s/1h of 114238 corpus (81067s/33171h RM) 01/15/05
925 #counts SARE_MSGID_D5D7 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
926 #counts SARE_MSGID_D5D7 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
927 #max SARE_MSGID_D5D7 25s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
928 #counts SARE_MSGID_D5D7 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
929 #counts SARE_MSGID_D5D7 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Hits a Message-ID whose first one or two characters after "<" are digits
# followed immediately by "-" or "$", unless a Received header contains the
# upper-case string LOCALHOST.
# __SARE_RECV_LOCALHOST is defined a second time here with the same pattern as
# at gutter line 905; presumably each rule group is kept self-contained so it
# can be moved between files -- keep the two definitions identical.
# NOTE(review): the pattern inspects only two or three characters and the
# #counts/#max lines below record ham hits, so 1.666 rests on a very short
# prefix. Also, one #counts line in this rule's statistics (gutter 942) is
# labelled SARE_MSGID_D5D7; which rule that figure belongs to is unclear.
931 header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
932 header __SARE_MSGID_DDDASH MESSAGEID =~ /<\d\d?[\$-]/
933 meta SARE_MSGID_DDDASH __SARE_MSGID_DDDASH && !__SARE_RECV_LOCALHOST
934 describe SARE_MSGID_DDDASH Message-ID has ratware pattern (9-, 9$, 99-)
935 score SARE_MSGID_DDDASH 1.666
936 #counts SARE_MSGID_DDDASH 2420s/5h of 173032 corpus (99056s/73976h RM) 05/11/06
937 #max SARE_MSGID_DDDASH 3039s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
938 #counts SARE_MSGID_DDDASH 3230s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
939 #counts SARE_MSGID_DDDASH 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
940 #max SARE_MSGID_DDDASH 114s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
941 #counts SARE_MSGID_DDDASH 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
942 #counts SARE_MSGID_D5D7 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
943 #max SARE_MSGID_DDDASH 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
944 #counts SARE_MSGID_DDDASH 13030s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
945 #counts SARE_MSGID_DDDASH 206s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Hits a Message-ID containing an unbroken run of at least 50 characters drawn
# from lower-case letters, digits and "$". There is no /i flag, so an
# upper-case letter, dot, hyphen or "@" ends the run.
# Several #counts/#max lines below (MY corpus) record ham hits: some
# legitimate systems do emit long opaque identifiers.
947 header SARE_MSGID_LONG50 MESSAGEID =~ /[a-z0-9\$]{50}/
948 describe SARE_MSGID_LONG50 Exceedingly long message id
949 score SARE_MSGID_LONG50 0.619
950 #hist SARE_MSGID_LONG50 Created by Frederic Tarasevicius
951 #counts SARE_MSGID_LONG50 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
952 #max SARE_MSGID_LONG50 575s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
953 #counts SARE_MSGID_LONG50 14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
954 #counts SARE_MSGID_LONG50 15s/5h of 22942 corpus (17234s/5708h MY) 05/14/06
955 #max SARE_MSGID_LONG50 38s/2h of 47283 corpus (43206s/4077h MY) 06/05/05
956 #counts SARE_MSGID_LONG50 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
957 #max SARE_MSGID_LONG50 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
958 #counts SARE_MSGID_LONG50 26s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
959 #counts SARE_MSGID_LONG50 10s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Hits a Message-ID of the form <...qmail@...> where the part before ".qmail@"
# contains at least one lower-case letter.
# Presumably this targets forged qmail-style IDs, on the assumption that the
# genuine ones are purely numeric before ".qmail" -- confirm against real
# qmail output. The #ham tag is "confirmed", hence the near-zero 0.056 score.
961 header SARE_MSGID_QMAIL1 MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
962 describe SARE_MSGID_QMAIL1 Contains spoofing message id
963 score SARE_MSGID_QMAIL1 0.056
964 #ham SARE_MSGID_QMAIL1 confirmed
965 #hist SARE_MSGID_QMAIL1 David Hooton, Fri, 11 Jun 2004
966 #counts SARE_MSGID_QMAIL1 0s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
967 #max SARE_MSGID_QMAIL1 31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
968 #counts SARE_MSGID_QMAIL1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
969 #max SARE_MSGID_QMAIL1 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
970 #counts SARE_MSGID_QMAIL1 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
971 #max SARE_MSGID_QMAIL1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
972 #counts SARE_MSGID_QMAIL1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
973 #counts SARE_MSGID_QMAIL1 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
974 #counts SARE_MSGID_QMAIL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Hits a Message-ID of the exact shape <10-15 digits . 18-40 digits @ letters>,
# where the right-hand side is lower-case letters only with no dot, i.e. not a
# fully qualified host name. Case sensitivity is deliberate (see the inline
# "no /i!" remark): adding /i would widen the match to mixed-case hosts.
# Two #counts/#max lines below (JH corpora) record ham hits.
976 header SARE_MSGID_RATWARE2 MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/ # no /i!
977 describe SARE_MSGID_RATWARE2 Message-Id is <digits.digits@letters>
978 score SARE_MSGID_RATWARE2 0.639
979 #hist SARE_MSGID_RATWARE2 Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
980 #matches SARE_MSGID_RATWARE2 numbers.numbers@letters
981 #counts SARE_MSGID_RATWARE2 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
982 #max SARE_MSGID_RATWARE2 1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
983 #counts SARE_MSGID_RATWARE2 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
984 #counts SARE_MSGID_RATWARE2 33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
985 #max SARE_MSGID_RATWARE2 66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
986 #counts SARE_MSGID_RATWARE2 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
987 #max SARE_MSGID_RATWARE2 31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
988 #counts SARE_MSGID_RATWARE2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
989 #max SARE_MSGID_RATWARE2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
990 #counts SARE_MSGID_RATWARE2 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
991 #counts SARE_MSGID_RATWARE2 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches when the whole Message-Id value is 1 to 6 characters long; every
# character counts, including any angle brackets. An absent or empty
# Message-Id does not match, because at least one character is required.
993 header SARE_MSGID_SHORT MESSAGEID =~ /^.{1,6}$/
994 describe SARE_MSGID_SHORT Message ID is too short to be valid.
995 score SARE_MSGID_SHORT 0.856
996 #hist SARE_MSGID_SHORT RM_hm_ShortMsgid6
997 #counts SARE_MSGID_SHORT 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
998 #max SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
999 #counts SARE_MSGID_SHORT 16s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1000 #counts SARE_MSGID_SHORT 34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1001 #max SARE_MSGID_SHORT 40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1002 #counts SARE_MSGID_SHORT 1s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1003 #max SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1004 #counts SARE_MSGID_SHORT 18s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1005 #counts SARE_MSGID_SHORT 28s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1007 #####################################################################################
1008 # SARE Received Header Rules
1009 ######## ###################### ##################################################
# Tests SpamAssassin's parsed relay metadata (X-Spam-Relays-Untrusted), not the
# raw Received text: fires when an untrusted relay's HELO string starts with
# "dsl-" (case-sensitive). The HELO value is chosen by the connecting client,
# and which relays count as untrusted depends on the local trusted_networks
# configuration. No describe line is defined for this rule.
1011 header SARE_HELO_EQ_DSL_3 X-Spam-Relays-Untrusted =~ /helo=dsl-/
1012 score SARE_HELO_EQ_DSL_3 1.022
1013 #ham SARE_HELO_EQ_DSL_3 confirmed (several)
1014 #hist SARE_HELO_EQ_DSL_3 Frederic Tarasevicius, Feb 22 2005
1015 #counts SARE_HELO_EQ_DSL_3 232s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
1016 #max SARE_HELO_EQ_DSL_3 529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
1017 #counts SARE_HELO_EQ_DSL_3 51s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1018 #counts SARE_HELO_EQ_DSL_3 143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1019 #max SARE_HELO_EQ_DSL_3 149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1020 #counts SARE_HELO_EQ_DSL_3 23s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
1021 #max SARE_HELO_EQ_DSL_3 42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
1022 #counts SARE_HELO_EQ_DSL_3 22s/2h of 13313 corpus (7438s/5875h CT) 05/14/06
1023 #max SARE_HELO_EQ_DSL_3 68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
1024 #counts SARE_HELO_EQ_DSL_3 84s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
1025 #counts SARE_HELO_EQ_DSL_3 117s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Fires when an untrusted relay's HELO starts with "pppoe-" followed by four
# dash-separated digit groups (2-3 digits, then three groups of 1-3 digits),
# case-insensitive. NOTE(review): this looks like an IP address embedded in a
# dial-up/PPPoE hostname -- confirm. Evaluated against X-Spam-Relays-Untrusted,
# so the result depends on the local trusted_networks configuration. No
# describe line is defined for this rule.
1027 header SARE_HELO_EQ_PPPOE X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
1028 score SARE_HELO_EQ_PPPOE 0.555
1029 #stype SARE_HELO_EQ_PPPOE spamp
1030 #hist SARE_HELO_EQ_PPPOE Frederic Tarasevicius, Feb 22 2005
1031 #counts SARE_HELO_EQ_PPPOE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1032 #max SARE_HELO_EQ_PPPOE 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1033 #counts SARE_HELO_EQ_PPPOE 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
1034 #counts SARE_HELO_EQ_PPPOE 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1035 #counts SARE_HELO_EQ_PPPOE 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1036 #counts SARE_HELO_EQ_PPPOE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1037 #counts SARE_HELO_EQ_PPPOE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Looks for the literal text "helo=yahoo.com" (case-insensitive) in the raw
# Received headers, so it can only hit Received formats that print "helo=".
# The pattern has no trailing anchor, so longer names that begin with
# "yahoo.com" also match. Raw Received lines from hops outside the trust
# boundary are sender-controlled; the #ham note below records confirmed ham
# produced by a legitimate mail client.
1039 header SARE_HELO_YAHOO Received =~ /helo=yahoo\.com/i
1040 describe SARE_HELO_YAHOO Received header has spamsign
1041 score SARE_HELO_YAHOO 0.828
1042 #ham SARE_HELO_YAHOO confirmed (6), generated by X-Mailer: Apple Mail (2.552)
1043 #hist SARE_HELO_YAHOO Created by Bob Menschel Oct 26 2004
1044 #counts SARE_HELO_YAHOO 41s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1045 #max SARE_HELO_YAHOO 663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
1046 #counts SARE_HELO_YAHOO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1047 #counts SARE_HELO_YAHOO 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1048 #counts SARE_HELO_YAHOO 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1049 #counts SARE_HELO_YAHOO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Fires when any Received header contains a run of three or more consecutive
# characters in the range \x80-\xff. Shorter runs, or high characters separated
# by ASCII, do not match.
1051 header SARE_HEAD_8BIT_RECV Received =~ /[\x80-\xff]{3,}/
1052 describe SARE_HEAD_8BIT_RECV High-ascii characters found in strange header
1053 score SARE_HEAD_8BIT_RECV 1.666
1054 #ham SARE_HEAD_8BIT_RECV verified (1)
1055 #hist SARE_HEAD_8BIT_RECV From Bugzilla # 2243
1056 #counts SARE_HEAD_8BIT_RECV 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1057 #max SARE_HEAD_8BIT_RECV 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1058 #counts SARE_HEAD_8BIT_RECV 21s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1059 #counts SARE_HEAD_8BIT_RECV 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1060 #counts SARE_HEAD_8BIT_RECV 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
1061 #counts SARE_HEAD_8BIT_RECV 10s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1062 #counts SARE_HEAD_8BIT_RECV 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1063 #counts SARE_HEAD_8BIT_RECV 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches the literal text "by fep5." (case-insensitive) anywhere in the
# Received headers. Only the host label "fep5" is tested: the domain that
# follows is not constrained, and there is no word boundary before "by".
# No #hist note records which sender this was written for.
1065 header SARE_RECV_FEP5 Received =~ /by fep5\./i
1066 describe SARE_RECV_FEP5 Message contains known spam format
1067 score SARE_RECV_FEP5 1.666
1068 #ham SARE_RECV_FEP5 verified (1)
1069 #counts SARE_RECV_FEP5 7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1070 #max SARE_RECV_FEP5 528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
1071 #counts SARE_RECV_FEP5 7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1072 #counts SARE_RECV_FEP5 27s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1073 #max SARE_RECV_FEP5 479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1074 #counts SARE_RECV_FEP5 208s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1075 #counts SARE_RECV_FEP5 72s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1076 #counts SARE_RECV_FEP5 6s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Matches "mdnet.com.br" (case-sensitive, word boundary in front only) anywhere
# in the raw Received headers -- in a HELO, a reverse-DNS name or a "by" host.
# A hit shows that the string appears in a Received line, not that a trusted
# hop observed that host; lines added upstream of your own relays can be forged.
1078 header SARE_RECV_MDNETCOMBR Received =~ /\bmdnet\.com\.br/
1079 describe SARE_RECV_MDNETCOMBR Came through/fromsite used by spammer
1080 score SARE_RECV_MDNETCOMBR 0.756
1081 #counts SARE_RECV_MDNETCOMBR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1082 #max SARE_RECV_MDNETCOMBR 33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1083 #counts SARE_RECV_MDNETCOMBR 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1084 #counts SARE_RECV_MDNETCOMBR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1085 #counts SARE_RECV_MDNETCOMBR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1086 #counts SARE_RECV_MDNETCOMBR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Matches "patmedia.net" (case-insensitive, word boundary in front only)
# anywhere in the raw Received headers.
# NOTE(review): the most recent RM mass-check below shows more ham than spam
# hits (10s/19h), so the score is worth re-checking before relying on this rule.
1088 header SARE_RECV_PATMEDIA Received =~ /\bpatmedia\.net/i
1089 describe SARE_RECV_PATMEDIA Passed through possible spammer relay or source
1090 score SARE_RECV_PATMEDIA 0.964
1091 #stype SARE_RECV_PATMEDIA spamp
1092 #hist SARE_RECV_PATMEDIA Created by Bob Menschel Aug 19 2004
1093 #counts SARE_RECV_PATMEDIA 10s/19h of 173032 corpus (99056s/73976h RM) 05/11/06
1094 #max SARE_RECV_PATMEDIA 47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
1095 #counts SARE_RECV_PATMEDIA 15s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
1096 #counts SARE_RECV_PATMEDIA 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1097 #counts SARE_RECV_PATMEDIA 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1098 #counts SARE_RECV_PATMEDIA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1099 #max SARE_RECV_PATMEDIA 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1100 #counts SARE_RECV_PATMEDIA 93s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1101 #counts SARE_RECV_PATMEDIA 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# PORTHELO family: three tiers over the same Received-line signature.
#   __SARE_RECV_PORTHELOA  helo=[word]            (word is \w+, so no dots: not an IP literal)
#   __SARE_RECV_PORTHELOB  (port=NNNN helo=[word]) with exactly four port digits
#   SARE_RECV_PORTHELO_1   from [a.b.c.d] (port=NNNN helo=[word])
# The "__" rules are unscored sub-rules used only by the metas. The metas make
# the tiers exclusive: _2 fires when B matches but _1 does not, and _3 when A
# matches but B does not. In _3 the "!SARE_RECV_PORTHELO_1" term is redundant,
# because any text matching _1 also matches B.
# NOTE(review): the loosest tier carries the highest score (1.666 / 2.000 /
# 2.222); confirm this ordering is what the "safety" note below intends.
1103 header __SARE_RECV_PORTHELOA Received =~ /helo=\[\w+\]/i
1104 header __SARE_RECV_PORTHELOB Received =~ /\(port=\d{4} helo=\[\w+\]\)/i
1105 header SARE_RECV_PORTHELO_1 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
1106 meta SARE_RECV_PORTHELO_2 __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
1107 meta SARE_RECV_PORTHELO_3 __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
1108 describe SARE_RECV_PORTHELO_1 Apparent Spamsign in Received header
1109 describe SARE_RECV_PORTHELO_2 Apparent Spamsign in Received header
1110 describe SARE_RECV_PORTHELO_3 Apparent Spamsign in Received header
1111 score SARE_RECV_PORTHELO_1 1.666
1112 #note SARE_RECV_PORTHELO_1 As of June 8 2005, all three rules in this family hit identically.
1113 #note SARE_RECV_PORTHELO_1 We score them based on their "safety".
1114 #hist SARE_RECV_PORTHELO_1 Loren Wilton, June 2005
1115 #counts SARE_RECV_PORTHELO_1 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1116 #max SARE_RECV_PORTHELO_1 5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1117 #counts SARE_RECV_PORTHELO_1 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1118 #max SARE_RECV_PORTHELO_1 42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1119 #counts SARE_RECV_PORTHELO_1 116s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1120 #counts SARE_RECV_PORTHELO_1 0s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1121 #max SARE_RECV_PORTHELO_1 83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
1122 #counts SARE_RECV_PORTHELO_1 69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05
1123 #counts SARE_RECV_PORTHELO_1 230s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
1124 #max SARE_RECV_PORTHELO_1 286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
# Score for the middle tier (port/helo group present, "from [ip]" prefix absent).
1125 score SARE_RECV_PORTHELO_2 2.000
1126 #counts SARE_RECV_PORTHELO_2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
# Score for the loosest tier (bare helo=[word] with no port group).
1127 score SARE_RECV_PORTHELO_3 2.222
1128 #counts SARE_RECV_PORTHELO_3 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1129 #max SARE_RECV_PORTHELO_3 499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1130 #counts SARE_RECV_PORTHELO_3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
# Matches "skanova.com" (case-insensitive, word boundary in front only)
# anywhere in the raw Received headers. The #ham and #counts notes below record
# legitimate mail hitting this rule, so it is a weak indicator on its own.
1132 header SARE_RECV_SKANOVA Received =~ /\bskanova\.com/i
1133 describe SARE_RECV_SKANOVA From or passed through spammer/unreliable domain
1134 score SARE_RECV_SKANOVA 0.660
1135 #ham SARE_RECV_SKANOVA verified (several)
1136 #hist SARE_RECV_SKANOVA Created by Bob Menschel Apr 03 2004
1137 #counts SARE_RECV_SKANOVA 37s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
1138 #max SARE_RECV_SKANOVA 197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
1139 #counts SARE_RECV_SKANOVA 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1140 #counts SARE_RECV_SKANOVA 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1141 #max SARE_RECV_SKANOVA 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1142 #counts SARE_RECV_SKANOVA 15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1143 #counts SARE_RECV_SKANOVA 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1144 #max SARE_RECV_SKANOVA 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1145 #counts SARE_RECV_SKANOVA 43s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
1146 #counts SARE_RECV_SKANOVA 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches dsl.telesp or speedyterra under .com.br or .net.br (case-sensitive)
# anywhere in the raw Received headers. The match covers every Received line,
# including ones written by hosts outside your trust boundary.
1148 header SARE_RECV_SPAM_DOMN02 Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/
1149 describe SARE_RECV_SPAM_DOMN02 Email passed through apparent spammer domain
1150 score SARE_RECV_SPAM_DOMN02 1.666
1151 #ham SARE_RECV_SPAM_DOMN02 Confirmed (5)
1152 #counts SARE_RECV_SPAM_DOMN02 31s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1153 #max SARE_RECV_SPAM_DOMN02 1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
1154 #counts SARE_RECV_SPAM_DOMN02 138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1155 #counts SARE_RECV_SPAM_DOMN02 168s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1156 #max SARE_RECV_SPAM_DOMN02 187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1157 #counts SARE_RECV_SPAM_DOMN02 17s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1158 #max SARE_RECV_SPAM_DOMN02 64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1159 #counts SARE_RECV_SPAM_DOMN02 60s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1160 #counts SARE_RECV_SPAM_DOMN02 631s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
1161 #counts SARE_RECV_SPAM_DOMN02 194s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches megared.com.mx or megared.net.mx (case-sensitive, word boundary in
# front only) anywhere in the raw Received headers. The (?:megared) group holds
# a single alternative, which leaves room to add more names later.
1163 header SARE_RECV_SPAM_DOMN04 Received =~ /\b(?:megared)\.(?:com|net)\.mx/
1164 describe SARE_RECV_SPAM_DOMN04 Email passed through apparent spammer domain
1165 score SARE_RECV_SPAM_DOMN04 0.772
1166 #ham SARE_RECV_SPAM_DOMN04 verified (3)
1167 #counts SARE_RECV_SPAM_DOMN04 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1168 #max SARE_RECV_SPAM_DOMN04 244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
1169 #counts SARE_RECV_SPAM_DOMN04 29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1170 #max SARE_RECV_SPAM_DOMN04 34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1171 #counts SARE_RECV_SPAM_DOMN04 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1172 #counts SARE_RECV_SPAM_DOMN04 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1173 #max SARE_RECV_SPAM_DOMN04 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1174 #counts SARE_RECV_SPAM_DOMN04 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1175 #counts SARE_RECV_SPAM_DOMN04 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
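# Matches the host suffix adsl.cust.tie.cl (case-insensitive) anywhere in the
# raw Received headers. The dots are escaped so each one matches only a literal
# "."; left unescaped they match any character, which lets the rule hit
# unrelated strings. The pattern is unanchored and covers every Received line,
# including ones written by hosts outside your trust boundary.
1177 header SARE_RECV_SPAM_DOMN06 Received =~ /adsl\.cust\.tie\.cl/i
1178 describe SARE_RECV_SPAM_DOMN06 Passed through possible spammer relay or source
1179 score SARE_RECV_SPAM_DOMN06 0.678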
1180 #ham SARE_RECV_SPAM_DOMN06 verified (1)
1181 #hist SARE_RECV_SPAM_DOMN06 Created by Bob Menschel Jul 17 2004
1182 #counts SARE_RECV_SPAM_DOMN06 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1183 #max SARE_RECV_SPAM_DOMN06 161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1184 #counts SARE_RECV_SPAM_DOMN06 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1185 #counts SARE_RECV_SPAM_DOMN06 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1186 #counts SARE_RECV_SPAM_DOMN06 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1187 #max SARE_RECV_SPAM_DOMN06 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1188 #counts SARE_RECV_SPAM_DOMN06 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1189 #max SARE_RECV_SPAM_DOMN06 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1190 #counts SARE_RECV_SPAM_DOMN06 27s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1191 #counts SARE_RECV_SPAM_DOMN06 15s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches any of the listed second-level names under .com, .net, .org or .info
# (case-sensitive, word boundary in front only) anywhere in the raw Received
# headers. Every name is paired with every TLD, so combinations that were never
# observed also match. The #hist note below records one domain already removed
# from the list.
1193 header SARE_RECV_SPAM_DOMN0a Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
1194 describe SARE_RECV_SPAM_DOMN0a Email passed through apparent spammer domain
1195 score SARE_RECV_SPAM_DOMN0a 0.917
1196 #ham SARE_RECV_SPAM_DOMN0a 218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
1197 #hist SARE_RECV_SPAM_DOMN0a freeserve.com removed May 16 2005
1198 #counts SARE_RECV_SPAM_DOMN0a 28s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1199 #max SARE_RECV_SPAM_DOMN0a 242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1200 #counts SARE_RECV_SPAM_DOMN0a 19s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1201 #counts SARE_RECV_SPAM_DOMN0a 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1202 #max SARE_RECV_SPAM_DOMN0a 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1203 #counts SARE_RECV_SPAM_DOMN0a 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1204 #max SARE_RECV_SPAM_DOMN0a 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1205 #counts SARE_RECV_SPAM_DOMN0a 2s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1206 #counts SARE_RECV_SPAM_DOMN0a 8s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1207 #counts SARE_RECV_SPAM_DOMN0a 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
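# Matches dynamic.hinet under .com, .net, .org or .info (case-sensitive, word
# boundary in front only) anywhere in the raw Received headers. The dot between
# "dynamic" and "hinet" is escaped so it matches only a literal "."; unescaped
# it matches any character. The #ham and #counts notes below record many
# legitimate hits, so treat this as a dynamic-address indicator rather than
# proof of abuse.
1209 header SARE_RECV_SPAM_DOMN0b Received =~ /\bdynamic\.hinet\.(?:com|net|org|info)/
1210 describe SARE_RECV_SPAM_DOMN0b Email passed through apparent spammer domain
1211 score SARE_RECV_SPAM_DOMN0b 1.666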
1212 #ham SARE_RECV_SPAM_DOMN0b confirmed (many)
1213 #counts SARE_RECV_SPAM_DOMN0b 1272s/39h of 173032 corpus (99056s/73976h RM) 05/11/06
1214 #max SARE_RECV_SPAM_DOMN0b 4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
1215 #counts SARE_RECV_SPAM_DOMN0b 809s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1216 #counts SARE_RECV_SPAM_DOMN0b 40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1217 #counts SARE_RECV_SPAM_DOMN0b 25s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1218 #max SARE_RECV_SPAM_DOMN0b 59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1219 #counts SARE_RECV_SPAM_DOMN0b 43s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1220 #counts SARE_RECV_SPAM_DOMN0b 600s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1221 #counts SARE_RECV_SPAM_DOMN0b 399s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches speedy.com.ar or speedy.net.ar (case-sensitive, word boundary in
# front only) anywhere in the raw Received headers. The #ham note below shows a
# legitimate message relayed from a host under this name.
1223 header SARE_RECV_SPEEDY_AR Received =~ /\b(?:speedy)\.(?:com|net)\.ar/
1224 describe SARE_RECV_SPEEDY_AR Email passed through apparent spammer domain
1225 score SARE_RECV_SPEEDY_AR 0.808
1226 #ham SARE_RECV_SPEEDY_AR From: "Hushport Admin" <postmaster@hushport.com>, Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
1227 #counts SARE_RECV_SPEEDY_AR 60s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
1228 #max SARE_RECV_SPEEDY_AR 278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1229 #counts SARE_RECV_SPEEDY_AR 10s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
1230 #counts SARE_RECV_SPEEDY_AR 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1231 #counts SARE_RECV_SPEEDY_AR 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1232 #max SARE_RECV_SPEEDY_AR 14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1233 #counts SARE_RECV_SPEEDY_AR 4s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1234 #max SARE_RECV_SPEEDY_AR 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1235 #counts SARE_RECV_SPEEDY_AR 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1236 #counts SARE_RECV_SPEEDY_AR 51s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches "uk2.net" (case-insensitive) with a word boundary on both sides
# anywhere in the raw Received headers. The trailing \b still allows a
# following dot or hyphen, so longer names that continue after "uk2.net" with
# one of those characters also match.
1238 header SARE_RECV_UK2NET2 Received =~ /\buk2\.net\b/i
1239 describe SARE_RECV_UK2NET2 Passed through possible spammer relay or source
1240 score SARE_RECV_UK2NET2 0.917
1241 #hist SARE_RECV_UK2NET2 Created by Bob Menschel Oct 01 2004
1242 #counts SARE_RECV_UK2NET2 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1243 #counts SARE_RECV_UK2NET2 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1244 #counts SARE_RECV_UK2NET2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1245 #max SARE_RECV_UK2NET2 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1246 #counts SARE_RECV_UK2NET2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1247 #max SARE_RECV_UK2NET2 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1248 #counts SARE_RECV_UK2NET2 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1249 #max SARE_RECV_UK2NET2 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1250 #counts SARE_RECV_UK2NET2 11s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1251 #counts SARE_RECV_UK2NET2 7s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches "virtua.com.br" (case-sensitive, word boundary in front only)
# anywhere in the raw Received headers. The #ham and #max notes below record
# ham hits, so this is a reputation hint about an access provider's address
# space rather than a per-message spam sign.
1253 header SARE_RECV_VIRTUACOMBR Received =~ /\bvirtua\.com\.br/
1254 describe SARE_RECV_VIRTUACOMBR Came through/fromsite used by spammer
1255 score SARE_RECV_VIRTUACOMBR 1.193
1256 #ham SARE_RECV_VIRTUACOMBR confirmed (4)
1257 #hist SARE_RECV_VIRTUACOMBR RM_hr_VirtuaComBr
1258 #counts SARE_RECV_VIRTUACOMBR 32s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
1259 #max SARE_RECV_VIRTUACOMBR 882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05
1260 #counts SARE_RECV_VIRTUACOMBR 36s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1261 #counts SARE_RECV_VIRTUACOMBR 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1262 #max SARE_RECV_VIRTUACOMBR 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1263 #counts SARE_RECV_VIRTUACOMBR 104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1264 #counts SARE_RECV_VIRTUACOMBR 25s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1265 #max SARE_RECV_VIRTUACOMBR 37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1266 #counts SARE_RECV_VIRTUACOMBR 193s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1267 #counts SARE_RECV_VIRTUACOMBR 63s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1269 #####################################################################################
1270 # SARE Received Header IP Address Rules
1271 ######## ###################### ##################################################
# BEZEQINT family: six unscored sub-rules, each matching a bracketed IPv4
# literal "[a.b.c.d]" in the raw Received headers for a set of third-octet
# ranges, OR-ed together by the SARE_RECV_BEZEQINT_B meta. Per the #hist note
# below, these address ranges replace the earlier domain-name rule, which is
# kept on the next line disabled (its keyword is mangled to "#eader").
# The octet patterns are not strict validators: alternatives such as 2\d\d and
# the final \d{1,3} also accept values above 255.
# A bracketed address in a Received line written upstream of your own relays
# is sender-supplied text, so a hit does not prove the connection came from it.
1273 #eader __SARE_RECV_BEZEQINT Received =~ /\bbezeqint\.net/
1274 header __SARE_RECV_BEZEQINT1 Received =~ /\[212\.179\.13\.\d{1,3}\]/
1275 header __SARE_RECV_BEZEQINT2 Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/
1276 header __SARE_RECV_BEZEQINT3 Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/
1277 header __SARE_RECV_BEZEQINT4 Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/
1278 header __SARE_RECV_BEZEQINT5 Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/
1279 header __SARE_RECV_BEZEQINT6 Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/
1280 meta SARE_RECV_BEZEQINT_B __SARE_RECV_BEZEQINT1 || __SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6
1281 describe SARE_RECV_BEZEQINT_B Came through/fromsite used by spammer
1282 score SARE_RECV_BEZEQINT_B 0.763
1283 #ham SARE_RECV_BEZEQINT_B verified (4)
1284 #hist SARE_RECV_BEZEQINT_B Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT
1285 #counts SARE_RECV_BEZEQINT_B 23s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1286 #max SARE_RECV_BEZEQINT_B 494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
1287 #counts SARE_RECV_BEZEQINT_B 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1288 #max SARE_RECV_BEZEQINT_B 24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1289 #counts SARE_RECV_BEZEQINT_B 5s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1290 #max SARE_RECV_BEZEQINT_B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1291 #counts SARE_RECV_BEZEQINT_B 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1292 #max SARE_RECV_BEZEQINT_B 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1293 #counts SARE_RECV_BEZEQINT_B 38s/2h of 155430 corpus (103881s/51549h DOC) 05/15/06
1294 #counts SARE_RECV_BEZEQINT_B 20s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a Received line of the shape "from <ip> by <ip>" where both sides are
# bare dotted quads with no brackets and no hostname (case-insensitive).
# Each octet alternation accepts 0-254; 255 is not covered. The two
# parenthesised groups capture but the captures are unused. There is no
# boundary after the final octet, so it may match a prefix of a longer digit run.
1296 header SARE_RECV_IP_FROMIP1 Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
1297 describe SARE_RECV_IP_FROMIP1 Received line is IP address from IP address
1298 score SARE_RECV_IP_FROMIP1 1.666
1299 #hist SARE_RECV_IP_FROMIP1 From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
1300 #ham SARE_RECV_IP_FROMIP1 ham: South Valley Bank
1301 #counts SARE_RECV_IP_FROMIP1 598s/3h of 173032 corpus (99056s/73976h RM) 05/11/06
1302 #max SARE_RECV_IP_FROMIP1 2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
1303 #counts SARE_RECV_IP_FROMIP1 186s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1304 #counts SARE_RECV_IP_FROMIP1 1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1305 #max SARE_RECV_IP_FROMIP1 1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1306 #counts SARE_RECV_IP_FROMIP1 18s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1307 #max SARE_RECV_IP_FROMIP1 639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1308 #counts SARE_RECV_IP_FROMIP1 81s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1309 #max SARE_RECV_IP_FROMIP1 661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1310 #counts SARE_RECV_IP_FROMIP1 173s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1311 #counts SARE_RECV_IP_FROMIP1 730s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Runs against ALL headers and matches a complete line of the shape
# "Received: from <bare ip> by <host>.<domain>.<com|net|org|biz>; <date>"
# (case-insensitive); the #match note below gives a sample.
# NOTE(review): the describe text repeats FROMIP1's "IP address from IP
# address", but the "by" side here is a hostname, not an address.
# NOTE(review): the MY mass-check lines below show ham hits exceeding spam hits
# (1s/4h), and the #ham note cites cell-phone mail -- re-check the score.
1313 header SARE_RECV_IP_FROMIP3 ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
1314 describe SARE_RECV_IP_FROMIP3 Received line is IP address from IP address
1315 score SARE_RECV_IP_FROMIP3 0.711
1316 #match SARE_RECV_IP_FROMIP3 Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
1317 #ham SARE_RECV_IP_FROMIP3 Messages from a cell phone
1318 #hist SARE_RECV_IP_FROMIP3 From Fred <tech2@i-is.com>, Fri, 2 Apr 2004, RE_hrip_IPfromIPc
1319 #counts SARE_RECV_IP_FROMIP3 2s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1320 #max SARE_RECV_IP_FROMIP3 587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1321 #counts SARE_RECV_IP_FROMIP3 1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1322 #counts SARE_RECV_IP_FROMIP3 111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1323 #max SARE_RECV_IP_FROMIP3 155s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1324 #counts SARE_RECV_IP_FROMIP3 1s/4h of 22942 corpus (17234s/5708h MY) 05/14/06
1325 #max SARE_RECV_IP_FROMIP3 46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
1326 #counts SARE_RECV_IP_FROMIP3 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1327 #max SARE_RECV_IP_FROMIP3 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1328 #counts SARE_RECV_IP_FROMIP3 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1329 #counts SARE_RECV_IP_FROMIP3 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed address in 61.50.x.x or 61.51.x.x in the raw Received
# headers. The last two octets are \d{1,3}, so they are not range-checked.
# The test covers every Received line, including ones added before the message
# reached a relay you trust.
1331 header SARE_RECV_IP_061050 Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/
1332 describe SARE_RECV_IP_061050 Spam passed through possible spammer relay
1333 score SARE_RECV_IP_061050 1.544
1334 #ham SARE_RECV_IP_061050 confirmed (2)
1335 #counts SARE_RECV_IP_061050 66s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1336 #max SARE_RECV_IP_061050 757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
1337 #counts SARE_RECV_IP_061050 62s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1338 #counts SARE_RECV_IP_061050 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1339 #counts SARE_RECV_IP_061050 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1340 #max SARE_RECV_IP_061050 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1341 #counts SARE_RECV_IP_061050 7s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1342 #counts SARE_RECV_IP_061050 23s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1343 #counts SARE_RECV_IP_061050 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed address in 61.72.x.x through 61.77.x.x in the raw
# Received headers; the #note below attributes the range to a single carrier.
# This scores a whole provider block, so legitimate senders inside it are hit
# too (see the #ham note).
1345 header SARE_RECV_IP_061072 Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/
1346 describe SARE_RECV_IP_061072 Passed through possible spammer relay or source
1347 score SARE_RECV_IP_061072 1.592
1348 #note SARE_RECV_IP_061072 Korea Telecom
1349 #hist SARE_RECV_IP_061072 Created by Bob Menschel Nov 02 2004
1350 #ham SARE_RECV_IP_061072 verified (1)
1351 #counts SARE_RECV_IP_061072 42s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
1352 #max SARE_RECV_IP_061072 2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
1353 #counts SARE_RECV_IP_061072 61s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1354 #counts SARE_RECV_IP_061072 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1355 #counts SARE_RECV_IP_061072 11s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1356 #max SARE_RECV_IP_061072 48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1357 #counts SARE_RECV_IP_061072 11s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1358 #max SARE_RECV_IP_061072 21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1359 #counts SARE_RECV_IP_061072 177s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1360 #counts SARE_RECV_IP_061072 33s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed address anywhere in 61.187.x.x in the raw Received
# headers. The last two octets are \d{1,3} and are not range-checked.
1362 header SARE_RECV_IP_061187 Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/
1363 describe SARE_RECV_IP_061187 Passed through possible spammer relay or source
1364 score SARE_RECV_IP_061187 0.694
1365 #hist SARE_RECV_IP_061187 Created by Bob Menschel Aug 09 2004
1366 #counts SARE_RECV_IP_061187 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1367 #max SARE_RECV_IP_061187 36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05
1368 #counts SARE_RECV_IP_061187 4s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1369 #counts SARE_RECV_IP_061187 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1370 #max SARE_RECV_IP_061187 4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
1371 #counts SARE_RECV_IP_061187 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1372 #max SARE_RECV_IP_061187 20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1373 #counts SARE_RECV_IP_061187 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1374 #counts SARE_RECV_IP_061187 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1375 #counts SARE_RECV_IP_061187 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed address anywhere in 61.190.x.x in the raw Received
# headers. The last two octets are \d{1,3} and are not range-checked.
1377 header SARE_RECV_IP_061190 Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/
1378 describe SARE_RECV_IP_061190 Spam passed through possible spammer relay
1379 score SARE_RECV_IP_061190 1.111
1380 #stype SARE_RECV_IP_061190 spamp
1381 #hist SARE_RECV_IP_061190 Created by Bob Menschel Apr 04 2004
1382 #counts SARE_RECV_IP_061190 11s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1383 #max SARE_RECV_IP_061190 42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1384 #counts SARE_RECV_IP_061190 5s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1385 #counts SARE_RECV_IP_061190 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1386 #max SARE_RECV_IP_061190 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1387 #counts SARE_RECV_IP_061190 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1388 #max SARE_RECV_IP_061190 5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1389 #counts SARE_RECV_IP_061190 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1390 #counts SARE_RECV_IP_061190 7s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1391 #counts SARE_RECV_IP_061190 6s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed address in 61.228.x.x through 61.231.x.x in the raw
# Received headers. The #counts lines below include ham hits, so the rule
# reflects the reputation of an address block, not of an individual sender.
1393 header SARE_RECV_IP_061228 Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/
1394 describe SARE_RECV_IP_061228 Spam passed through possible spammer relay
1395 score SARE_RECV_IP_061228 0.895
1396 #ham SARE_RECV_IP_061228 verified (1)
1397 #counts SARE_RECV_IP_061228 229s/8h of 173032 corpus (99056s/73976h RM) 05/11/06
1398 #max SARE_RECV_IP_061228 757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
1399 #counts SARE_RECV_IP_061228 140s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1400 #counts SARE_RECV_IP_061228 6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1401 #counts SARE_RECV_IP_061228 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1402 #max SARE_RECV_IP_061228 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1403 #counts SARE_RECV_IP_061228 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1404 #counts SARE_RECV_IP_061228 85s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1405 #counts SARE_RECV_IP_061228 80s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed address in 66.17.<128 and up>.x in the raw Received
# headers. The third-octet alternation accepts 128-299, which covers 128-255
# for valid addresses. The #ham note and the CT #counts line below record
# confirmed ham from this range.
1407 header SARE_RECV_IP_066017 Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/
1408 describe SARE_RECV_IP_066017 Passed through possible spammer relay or source
1409 score SARE_RECV_IP_066017 0.637
1410 #ham SARE_RECV_IP_066017 confirmed (8)
1411 #note SARE_RECV_IP_066017 Yipes Communications Inc
1412 #hist SARE_RECV_IP_066017 Created by Bob Menschel Nov 20 2004
1413 #counts SARE_RECV_IP_066017 16s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1414 #max SARE_RECV_IP_066017 88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
1415 #counts SARE_RECV_IP_066017 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1416 #counts SARE_RECV_IP_066017 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1417 #max SARE_RECV_IP_066017 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1418 #counts SARE_RECV_IP_066017 61s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1419 #max SARE_RECV_IP_066017 335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1420 #counts SARE_RECV_IP_066017 0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05
1421 #max SARE_RECV_IP_066017 149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05
1422 #counts SARE_RECV_IP_066017 52s/1h of 155430 corpus (103881s/51549h DOC) 05/15/06
1423 #counts SARE_RECV_IP_066017 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Matches a bracketed 66.165.N.x in a Received header with N = 224-239
# (2 followed by 24-29 or 30-39); the last field is any 1-3 digits.
1425 header SARE_RECV_IP_066165224 Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/
1426 describe SARE_RECV_IP_066165224 Spam passed through possible spammer relay
1427 score SARE_RECV_IP_066165224 1.278
1428 #ham SARE_RECV_IP_066165224 confirmed: 3
1429 #hist SARE_RECV_IP_066165224 Created by Bob Menschel May 14 2005
1430 #note SARE_RECV_IP_066165224 Cyber World Internet Services
1431 #counts SARE_RECV_IP_066165224 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1432 #max SARE_RECV_IP_066165224 34s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
1433 #counts SARE_RECV_IP_066165224 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1434 #max SARE_RECV_IP_066165224 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1435 #counts SARE_RECV_IP_066165224 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1436 #counts SARE_RECV_IP_066165224 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1437 #counts SARE_RECV_IP_066165224 4s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1438 #max SARE_RECV_IP_066165224 124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
# Matches a bracketed 69.50.210.x in a Received header; the last field is any
# 1-3 digits, so the rule covers the whole 69.50.210 block.
1440 header SARE_RECV_IP_069050210 Received =~ /\[69\.50\.210\.\d{1,3}\]/
1441 describe SARE_RECV_IP_069050210 Spam passed through possible spammer relay
1442 score SARE_RECV_IP_069050210 0.700
1443 #ham SARE_RECV_IP_069050210 confirmed (2)
1444 #hist SARE_RECV_IP_069050210 Created by Fred Tarasevicius May 2005
1445 #counts SARE_RECV_IP_069050210 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1446 #max SARE_RECV_IP_069050210 49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1447 #counts SARE_RECV_IP_069050210 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1448 #counts SARE_RECV_IP_069050210 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1449 #max SARE_RECV_IP_069050210 12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
1450 #counts SARE_RECV_IP_069050210 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1451 #max SARE_RECV_IP_069050210 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
# Matches a bracketed 69.60.N.x in a Received header with N = 96-127
# (96-99, then 100-119 and 120-127); the last field is any 1-3 digits.
1453 header SARE_RECV_IP_069060096 Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/
1454 describe SARE_RECV_IP_069060096 Spam passed through possible spammer relay
1455 score SARE_RECV_IP_069060096 1.666
1456 #ham SARE_RECV_IP_069060096 verified (1)
1457 #hist SARE_RECV_IP_069060096 Created by Bob Menschel May 14 2005
1458 #counts SARE_RECV_IP_069060096 112s/2h of 173032 corpus (99056s/73976h RM) 05/11/06
1459 #max SARE_RECV_IP_069060096 6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1460 #counts SARE_RECV_IP_069060096 11s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
1461 #counts SARE_RECV_IP_069060096 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1462 #counts SARE_RECV_IP_069060096 409s/3h of 155430 corpus (103881s/51549h DOC) 05/15/06
1463 #counts SARE_RECV_IP_069060096 166s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1464 #counts SARE_RECV_IP_069060096 368s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1465 #max SARE_RECV_IP_069060096 398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
# Matches a bracketed 82.80.N.x in a Received header with N = 128-189 or 191;
# the last field is any 1-3 digits.
# NOTE(review): N = 190 is not matched (1[3-8]\d stops at 189 and only 191 is
# listed separately). If the intended range is 128-191 the last branch would be
# 19[01] -- confirm against the intended allocation before changing the rule.
1467 header SARE_RECV_IP_082080 Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/
1468 describe SARE_RECV_IP_082080 Spam passed through possible spammer relay
1469 score SARE_RECV_IP_082080 1.111
1470 #stype SARE_RECV_IP_082080 spamp
1471 #counts SARE_RECV_IP_082080 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1472 #max SARE_RECV_IP_082080 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1473 #counts SARE_RECV_IP_082080 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1474 #max SARE_RECV_IP_082080 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1475 #counts SARE_RECV_IP_082080 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1476 #max SARE_RECV_IP_082080 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1477 #counts SARE_RECV_IP_082080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1478 #counts SARE_RECV_IP_082080 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1479 #counts SARE_RECV_IP_082080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
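# Matches a bracketed 82.102.N.x in a Received header with N = 32-63; the last
# field is any 1-3 digits.
# The separator before the last field is now an escaped dot: the original
# pattern used a bare '.', which matches any character and so accepted strings
# that are not dotted-quad addresses.
1481 header SARE_RECV_IP_082102 Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\]/
1482 describe SARE_RECV_IP_082102 Spam passed through possible spammer relay
1483 score SARE_RECV_IP_082102 0.555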
1484 #stype SARE_RECV_IP_082102 spamp
1485 #hist SARE_RECV_IP_082102 Created by Bob Menschel May 20 2004
1486 #counts SARE_RECV_IP_082102 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1487 #max SARE_RECV_IP_082102 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1488 #counts SARE_RECV_IP_082102 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1489 #counts SARE_RECV_IP_082102 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1490 #max SARE_RECV_IP_082102 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1491 #counts SARE_RECV_IP_082102 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1492 #max SARE_RECV_IP_082102 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1493 #counts SARE_RECV_IP_082102 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1494 #counts SARE_RECV_IP_082102 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 82.154.x.x or 82.155.x.x in a Received header; the last
# two fields are any 1-3 digits.
1496 header SARE_RECV_IP_082154 Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/
1497 describe SARE_RECV_IP_082154 Passed through possible spammer relay or source
1498 score SARE_RECV_IP_082154 1.666
1499 #ham SARE_RECV_IP_082154 confirmed (1)
1500 #hist SARE_RECV_IP_082154 Created by Bob Menschel Aug 10 2004
1501 #counts SARE_RECV_IP_082154 256s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1502 #max SARE_RECV_IP_082154 572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
1503 #counts SARE_RECV_IP_082154 62s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1504 #counts SARE_RECV_IP_082154 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1505 #counts SARE_RECV_IP_082154 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1506 #max SARE_RECV_IP_082154 43s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1507 #counts SARE_RECV_IP_082154 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1508 #counts SARE_RECV_IP_082154 231s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1509 #counts SARE_RECV_IP_082154 11s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches any bracketed 83.28.x.x in a Received header (both trailing fields are
# any 1-3 digits), i.e. every address under 83.28.
# NOTE(review): a hit identifies the network, not a specific sender; with a
# range this wide, re-check the ham rate periodically before keeping the score.
1511 header SARE_RECV_IP_083028 Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/
1512 describe SARE_RECV_IP_083028 Passed through possible spammer relay or source
1513 score SARE_RECV_IP_083028 1.666
1514 #ham SARE_RECV_IP_083028 verified (1)
1515 #hist SARE_RECV_IP_083028 Created by Bob Menschel Sep 10 2004
1516 #note SARE_RECV_IP_083028 Large block of IP addresses in Poland
1517 #counts SARE_RECV_IP_083028 8s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1518 #max SARE_RECV_IP_083028 171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1519 #counts SARE_RECV_IP_083028 157s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1520 #counts SARE_RECV_IP_083028 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1521 #counts SARE_RECV_IP_083028 3s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1522 #max SARE_RECV_IP_083028 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1523 #counts SARE_RECV_IP_083028 5s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1524 #counts SARE_RECV_IP_083028 42s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1525 #counts SARE_RECV_IP_083028 19s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 140.N.x.x in a Received header with N = 117-138
# (117-119, 120-129, 130-138); the last two fields are any 1-3 digits.
1527 header SARE_RECV_IP_140117 Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/
1528 describe SARE_RECV_IP_140117 Passed through possible spammer relay or source
1529 score SARE_RECV_IP_140117 0.690
1530 #ham SARE_RECV_IP_140117 confirmed (1)
1531 #hist SARE_RECV_IP_140117 Created by Bob Menschel Oct 03 2004
1532 #note SARE_RECV_IP_140117 Ministry of Education Computing Center, Taipei, Taiwan
1533 #counts SARE_RECV_IP_140117 26s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1534 #max SARE_RECV_IP_140117 87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1535 #counts SARE_RECV_IP_140117 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1536 #counts SARE_RECV_IP_140117 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1537 #counts SARE_RECV_IP_140117 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1538 #counts SARE_RECV_IP_140117 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1539 #max SARE_RECV_IP_140117 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1540 #counts SARE_RECV_IP_140117 22s/4h of 155430 corpus (103881s/51549h DOC) 05/15/06
1541 #counts SARE_RECV_IP_140117 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 142.46.148.x in a Received header; the last field is any
# 1-3 digits. The rule name carries only the first two octets, but the pattern
# is limited to the single third octet 148.
1543 header SARE_RECV_IP_142046 Received =~ /\[142\.46\.148\.\d{1,3}\]/
1544 describe SARE_RECV_IP_142046 Passed through possible spammer relay or source
1545 score SARE_RECV_IP_142046 0.555
1546 #stype SARE_RECV_IP_142046 spamp
1547 #hist SARE_RECV_IP_142046 Created by Bob Menschel Feb 10 2005 from Spam-L info
1548 #counts SARE_RECV_IP_142046 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1549 #max SARE_RECV_IP_142046 8s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1550 #counts SARE_RECV_IP_142046 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1551 #counts SARE_RECV_IP_142046 5s/0h of 155106 corpus (103557s/51549h DOC) 05/14/06
1552 #counts SARE_RECV_IP_142046 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1553 #counts SARE_RECV_IP_142046 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1554 #counts SARE_RECV_IP_142046 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
# Matches a bracketed 192.116.N.x in a Received header with N = 133-137; the
# last field is any 1-3 digits.
1556 header SARE_RECV_IP_192116 Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/
1557 describe SARE_RECV_IP_192116 Passed through possible spammer relay or source
1558 score SARE_RECV_IP_192116 0.861
1559 #note SARE_RECV_IP_192116 GILAT-SATCOM
1560 #hist SARE_RECV_IP_192116 Created by Bob Menschel Nov 16 2004
1561 #counts SARE_RECV_IP_192116 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1562 #max SARE_RECV_IP_192116 52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1563 #counts SARE_RECV_IP_192116 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1564 #counts SARE_RECV_IP_192116 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1565 #counts SARE_RECV_IP_192116 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1566 #max SARE_RECV_IP_192116 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1567 #counts SARE_RECV_IP_192116 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Matches any bracketed 200.150.x.x in a Received header (both trailing fields
# are any 1-3 digits), i.e. every address under 200.150.
1569 header SARE_RECV_IP_200150 Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/
1570 describe SARE_RECV_IP_200150 Spam passed through possible spammer relay
1571 score SARE_RECV_IP_200150 0.612
1572 #ham SARE_RECV_IP_200150 confirmed (2)
1573 #hist SARE_RECV_IP_200150 Created by Bob Menschel Aug 29 2004
1574 #counts SARE_RECV_IP_200150 9s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1575 #max SARE_RECV_IP_200150 142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
1576 #counts SARE_RECV_IP_200150 6s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1577 #counts SARE_RECV_IP_200150 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1578 #counts SARE_RECV_IP_200150 8s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1579 #counts SARE_RECV_IP_200150 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1580 #max SARE_RECV_IP_200150 3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1581 #counts SARE_RECV_IP_200150 14s/5h of 155430 corpus (103881s/51549h DOC) 05/15/06
1582 #counts SARE_RECV_IP_200150 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
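# Matches a bracketed 203.210.N.x in a Received header with N = 128-255; the
# last field is any 1-3 digits. The 2\d\d branch also accepts 256-299, which
# cannot occur in a real address.
# The dot after 203 is now escaped: the original pattern used a bare '.', which
# matches any character, so the first separator was not actually required to be
# a dot.
1584 header SARE_RECV_IP_203210128 Received =~ /\[203\.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/
1585 describe SARE_RECV_IP_203210128 Spam passed through possible spammer relay
1586 score SARE_RECV_IP_203210128 0.959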
1587 #ham SARE_RECV_IP_203210128 verified (3)
1588 #hist SARE_RECV_IP_203210128 Created by Bob Menschel May 14 2005
1589 #note SARE_RECV_IP_203210128 Vietnam Posts and Telecommunications (VNPT)
1590 #counts SARE_RECV_IP_203210128 36s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1591 #max SARE_RECV_IP_203210128 56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
1592 #counts SARE_RECV_IP_203210128 43s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1593 #counts SARE_RECV_IP_203210128 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1594 #max SARE_RECV_IP_203210128 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1595 #counts SARE_RECV_IP_203210128 13s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1596 #counts SARE_RECV_IP_203210128 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1597 #max SARE_RECV_IP_203210128 79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1598 #counts SARE_RECV_IP_203210128 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1599 #counts SARE_RECV_IP_203210128 116s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 203.177.N.x in a Received header with N = 128-191
# (128-129, 130-189, 190-191); the last field is any 1-3 digits.
1601 header SARE_RECV_IP_203177 Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/
1602 describe SARE_RECV_IP_203177 Passed through possible spammer relay or source
1603 score SARE_RECV_IP_203177 0.772
1604 #hist SARE_RECV_IP_203177 Created by Bob Menschel Aug 20 2004
1605 #ham SARE_RECV_IP_203177 verified (1)
1606 #counts SARE_RECV_IP_203177 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1607 #max SARE_RECV_IP_203177 42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1608 #counts SARE_RECV_IP_203177 23s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1609 #counts SARE_RECV_IP_203177 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1610 #counts SARE_RECV_IP_203177 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1611 #max SARE_RECV_IP_203177 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1612 #counts SARE_RECV_IP_203177 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1613 #max SARE_RECV_IP_203177 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1614 #counts SARE_RECV_IP_203177 1s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1615 #counts SARE_RECV_IP_203177 4s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 206.131.N.x in a Received header with N = 224-255; the
# last field is any 1-3 digits. The [345]\d branch also accepts 256-259, which
# cannot occur in a real address.
1617 header SARE_RECV_IP_206131 Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/
1618 describe SARE_RECV_IP_206131 Spam passed through possible spammer relay
1619 score SARE_RECV_IP_206131 1.666
1620 #ham SARE_RECV_IP_206131 confirmed (1)
1621 #hist SARE_RECV_IP_206131 Created by Bob Menschel Feb 5 2005 from Spam-L info
1622 #note SARE_RECV_IP_206131 Minerva Network Systems, Inc.
1623 #counts SARE_RECV_IP_206131 54s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
1624 #max SARE_RECV_IP_206131 2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1625 #counts SARE_RECV_IP_206131 692s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1626 #counts SARE_RECV_IP_206131 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1627 #counts SARE_RECV_IP_206131 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1628 #max SARE_RECV_IP_206131 34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1629 #counts SARE_RECV_IP_206131 9s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1630 #counts SARE_RECV_IP_206131 1699s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1631 #counts SARE_RECV_IP_206131 31s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 209.51.N.x in a Received header with N = 192-255; the
# last field is any 1-3 digits. The 2\d\d branch also accepts 256-299, which
# cannot occur in a real address.
1633 header SARE_RECV_IP_209051 Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
1634 describe SARE_RECV_IP_209051 Spam passed through possible spammer relay
1635 score SARE_RECV_IP_209051 1.111
1636 #stype SARE_RECV_IP_209051 spamp
1637 #hist SARE_RECV_IP_209051 Created by Bob Menschel Aug 07 2005
1638 #note SARE_RECV_IP_209051 S-INFOTECH, Inc.
1639 #counts SARE_RECV_IP_209051 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1640 #max SARE_RECV_IP_209051 56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1641 #counts SARE_RECV_IP_209051 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1642 #counts SARE_RECV_IP_209051 22s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1643 #counts SARE_RECV_IP_209051 2s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1644 #counts SARE_RECV_IP_209051 1s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
# Matches a bracketed 216.118.120.N in a Received header with N = 64-91
# (64-69, 70-89, 90-91) -- a fully specified range of 28 addresses.
# NOTE(review): the #max line shows 1224 spam hits on 09/18/05 while the latest
# RM count is 0; the range may have been reassigned since, so revalidate before
# relying on a score this high.
1646 header SARE_RECV_IP_216118120 Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
1647 describe SARE_RECV_IP_216118120 Spam passed through possible spammer relay
1648 score SARE_RECV_IP_216118120 2.222
1649 #hist SARE_RECV_IP_216118120 Created by Bob Menschel Aug 07 2005
1650 #counts SARE_RECV_IP_216118120 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1651 #max SARE_RECV_IP_216118120 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1652 #counts SARE_RECV_IP_216118120 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1653 #counts SARE_RECV_IP_216118120 10s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1654 #counts SARE_RECV_IP_216118120 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
# Matches a bracketed 211.N.x.x in a Received header; the last two fields are
# any 1-3 digits. As written, only N = 216-219 can match a real address.
# NOTE(review): the second branch, 2[0-5]\d after the leading 2, describes the
# four-digit values 2200-2259, which never occur as an octet, so that half of
# the alternation is dead. The intended upper bound is not recoverable from this
# file -- confirm the range with the rule's author before correcting it.
1656 header SARE_RECV_IP_211216 Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
1657 describe SARE_RECV_IP_211216 Passed through possible spammer relay or source
1658 score SARE_RECV_IP_211216 0.978
1659 #stype SARE_RECV_IP_211216 max:1.000
1660 #ham SARE_RECV_IP_211216 confirmed (1) - YahooGroups moderated group, posting approved by moderator
1661 #hist SARE_RECV_IP_211216 Created by Bob Menschel Aug 20 2004
1662 #note SARE_RECV_IP_211216 Korea Telecom
1663 #note SARE_RECV_IP_211216 Score kept low to avoid FPs for naver.com
1664 #counts SARE_RECV_IP_211216 32s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1665 #max SARE_RECV_IP_211216 1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1666 #counts SARE_RECV_IP_211216 33s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1667 #counts SARE_RECV_IP_211216 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1668 #counts SARE_RECV_IP_211216 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1669 #max SARE_RECV_IP_211216 40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1670 #counts SARE_RECV_IP_211216 8s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1671 #max SARE_RECV_IP_211216 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1672 #counts SARE_RECV_IP_211216 25s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1673 #counts SARE_RECV_IP_211216 14s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 212.68.N.x in a Received header with N = 240-255; the
# last field is any 1-3 digits. 2[45]\d also accepts 256-259, which cannot occur
# in a real address.
1675 header SARE_RECV_IP_212068 Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/
1676 describe SARE_RECV_IP_212068 Spam passed through possible spammer relay
1677 score SARE_RECV_IP_212068 1.111
1678 #stype SARE_RECV_IP_212068 spamp
1679 #hist SARE_RECV_IP_212068 Created by Bob Menschel Apr 09 2004
1680 #counts SARE_RECV_IP_212068 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1681 #max SARE_RECV_IP_212068 18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1682 #counts SARE_RECV_IP_212068 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1683 #counts SARE_RECV_IP_212068 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1684 #max SARE_RECV_IP_212068 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1685 #counts SARE_RECV_IP_212068 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1686 #max SARE_RECV_IP_212068 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1687 #counts SARE_RECV_IP_212068 3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1688 #counts SARE_RECV_IP_212068 1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches any bracketed 216.22.x.x in a Received header (both trailing fields
# are any 1-3 digits), i.e. every address under 216.22.
# NOTE(review): the #counts/#max lines record a few ham hits (5h, 6h) for this
# wide range; a hit identifies the network rather than a specific sender.
1690 header SARE_RECV_IP_216022 Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/
1691 describe SARE_RECV_IP_216022 Spam passed through possible spammer relay
1692 score SARE_RECV_IP_216022 1.666
1693 #hist SARE_RECV_IP_216022 Created by Bob Menschel May 14 2005
1694 #counts SARE_RECV_IP_216022 270s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1695 #max SARE_RECV_IP_216022 1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
1696 #counts SARE_RECV_IP_216022 196s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1697 #counts SARE_RECV_IP_216022 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1698 #counts SARE_RECV_IP_216022 554s/6h of 155430 corpus (103881s/51549h DOC) 05/15/06
1699 #counts SARE_RECV_IP_216022 212s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1700 #counts SARE_RECV_IP_216022 307s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
# Matches any bracketed 218.70.x.x in a Received header (both trailing fields
# are any 1-3 digits), i.e. every address under 218.70.
1702 header SARE_RECV_IP_218070 Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/
1703 describe SARE_RECV_IP_218070 Spam passed through possible spammer relay
1704 score SARE_RECV_IP_218070 1.111
1705 #stype SARE_RECV_IP_218070 spamp
1706 #counts SARE_RECV_IP_218070 1s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1707 #max SARE_RECV_IP_218070 21s/0h of 112471 corpus (92494s/19977h) 03/14/04
1708 #counts SARE_RECV_IP_218070 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1709 #counts SARE_RECV_IP_218070 2s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1710 #max SARE_RECV_IP_218070 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1711 #counts SARE_RECV_IP_218070 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1712 #max SARE_RECV_IP_218070 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1713 #counts SARE_RECV_IP_218070 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1714 #counts SARE_RECV_IP_218070 3s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches any bracketed 218.72.x.x in a Received header (both trailing fields
# are any 1-3 digits), i.e. every address under 218.72.
1716 header SARE_RECV_IP_218072 Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/
1717 describe SARE_RECV_IP_218072 Spam passed through possible spammer relay
1718 score SARE_RECV_IP_218072 0.813
1719 #hist SARE_RECV_IP_218072 Created by Bob Menschel May 23 2004
1720 #counts SARE_RECV_IP_218072 87s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1721 #counts SARE_RECV_IP_218072 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1722 #max SARE_RECV_IP_218072 22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1723 #counts SARE_RECV_IP_218072 13s/2h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1724 #counts SARE_RECV_IP_218072 2s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1725 #max SARE_RECV_IP_218072 133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1726 #counts SARE_RECV_IP_218072 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1727 #max SARE_RECV_IP_218072 13s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1728 #counts SARE_RECV_IP_218072 2s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1729 #counts SARE_RECV_IP_218072 16s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 218.N.x.x in a Received header with N = 78-83
# (78-79, 80-83); the last two fields are any 1-3 digits.
1731 header SARE_RECV_IP_218078 Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/
1732 describe SARE_RECV_IP_218078 Passed through possible spammer relay or source
1733 score SARE_RECV_IP_218078 1.666
1734 #hist SARE_RECV_IP_218078 Created by Bob Menschel Oct 07 2004
1735 #ham SARE_RECV_IP_218078 confirmed (1)
1736 #note SARE_RECV_IP_218078 ChinaNet, Shanghai Province
1737 #counts SARE_RECV_IP_218078 34s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1738 #max SARE_RECV_IP_218078 581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1739 #counts SARE_RECV_IP_218078 51s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1740 #counts SARE_RECV_IP_218078 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1741 #counts SARE_RECV_IP_218078 136s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1742 #max SARE_RECV_IP_218078 677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1743 #counts SARE_RECV_IP_218078 53s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1744 #max SARE_RECV_IP_218078 74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1745 #counts SARE_RECV_IP_218078 67s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1746 #counts SARE_RECV_IP_218078 58s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 218.88.x.x or 218.89.x.x in a Received header; the last
# two fields are any 1-3 digits.
1748 header SARE_RECV_IP_218088 Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/
1749 describe SARE_RECV_IP_218088 Passed through possible spammer relay or source
1750 score SARE_RECV_IP_218088 1.100
1751 #ham SARE_RECV_IP_218088 confirmed: 1
1752 #note SARE_RECV_IP_218088 CHINANET sichuan province network
1753 #hist SARE_RECV_IP_218088 Created by Bob Menschel Nov 04 2004
1754 #counts SARE_RECV_IP_218088 29s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1755 #max SARE_RECV_IP_218088 111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1756 #counts SARE_RECV_IP_218088 15s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1757 #counts SARE_RECV_IP_218088 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1758 #max SARE_RECV_IP_218088 13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1759 #counts SARE_RECV_IP_218088 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1760 #max SARE_RECV_IP_218088 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1761 #counts SARE_RECV_IP_218088 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1762 #max SARE_RECV_IP_218088 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1763 #counts SARE_RECV_IP_218088 9s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1764 #counts SARE_RECV_IP_218088 25s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 218.N.x.x in a Received header with N = 216-231
# (216-219, 220-229, 230-231); the last two fields are any 1-3 digits.
# The #counts lines record ham hits on this range (22h in the DOC corpus),
# presumably why the score is kept low.
1766 header SARE_RECV_IP_218216 Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/
1767 describe SARE_RECV_IP_218216 Passed through possible spammer relay or source
1768 score SARE_RECV_IP_218216 0.629
1769 #ham SARE_RECV_IP_218216 confirmed (2)
1770 #hist SARE_RECV_IP_218216 Created by Bob Menschel Oct 23 2004
1771 #counts SARE_RECV_IP_218216 88s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1772 #max SARE_RECV_IP_218216 260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
1773 #counts SARE_RECV_IP_218216 31s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1774 #counts SARE_RECV_IP_218216 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1775 #counts SARE_RECV_IP_218216 6s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1776 #max SARE_RECV_IP_218216 12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1777 #counts SARE_RECV_IP_218216 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1778 #max SARE_RECV_IP_218216 11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1779 #counts SARE_RECV_IP_218216 121s/22h of 155430 corpus (103881s/51549h DOC) 05/15/06
1780 #counts SARE_RECV_IP_218216 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 219.N.x.x in a Received header with N = 128-137
# (128-129, 130-137); the last two fields are any 1-3 digits.
1782 header SARE_RECV_IP_219128 Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/
1783 describe SARE_RECV_IP_219128 Passed through possible spammer relay or source
1784 score SARE_RECV_IP_219128 1.666
1785 #hist SARE_RECV_IP_219128 Created by Bob Menschel Aug 23 2004
1786 #counts SARE_RECV_IP_219128 381s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
1787 #max SARE_RECV_IP_219128 1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1788 #counts SARE_RECV_IP_219128 114s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1789 #counts SARE_RECV_IP_219128 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1790 #counts SARE_RECV_IP_219128 79s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1791 #max SARE_RECV_IP_219128 225s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1792 #counts SARE_RECV_IP_219128 52s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1793 #counts SARE_RECV_IP_219128 36s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1794 #counts SARE_RECV_IP_219128 116s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 220.N.x.x in a Received header with N = 116-127
# (116-119, 120-127); the last two fields are any 1-3 digits.
1796 header SARE_RECV_IP_220116 Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/
1797 describe SARE_RECV_IP_220116 Passed through possible spammer relay or source
1798 score SARE_RECV_IP_220116 1.666
1799 #ham SARE_RECV_IP_220116 confirmed (1)
1800 #hist SARE_RECV_IP_220116 Created by Bob Menschel Jul 17 2004
1801 #note SARE_RECV_IP_220116 Korea Telecom
1802 #counts SARE_RECV_IP_220116 180s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
1803 #max SARE_RECV_IP_220116 1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
1804 #counts SARE_RECV_IP_220116 192s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1805 #counts SARE_RECV_IP_220116 108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1806 #counts SARE_RECV_IP_220116 13s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1807 #max SARE_RECV_IP_220116 161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1808 #counts SARE_RECV_IP_220116 23s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1809 #max SARE_RECV_IP_220116 58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1810 #counts SARE_RECV_IP_220116 206s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1811 #counts SARE_RECV_IP_220116 182s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 221.N.x.x in a Received header with N = 124-127; the last
# two fields are any 1-3 digits.
1813 header SARE_RECV_IP_221124 Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/
1814 describe SARE_RECV_IP_221124 Spam passed through possible spammer relay
1815 score SARE_RECV_IP_221124 1.666
1816 #hist SARE_RECV_IP_221124 Created by Bob Menschel May 30 2004
1817 #counts SARE_RECV_IP_221124 91s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1818 #max SARE_RECV_IP_221124 633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1819 #counts SARE_RECV_IP_221124 88s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1820 #counts SARE_RECV_IP_221124 66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1821 #max SARE_RECV_IP_221124 74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1822 #counts SARE_RECV_IP_221124 4s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
1823 #max SARE_RECV_IP_221124 16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
1824 #counts SARE_RECV_IP_221124 15s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1825 #max SARE_RECV_IP_221124 24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1826 #counts SARE_RECV_IP_221124 56s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1827 #counts SARE_RECV_IP_221124 119s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 222.N.x.x in a Received header with N = 0-15 (a single
# digit, or 10-15); the last two fields are any 1-3 digits.
# The #max line records 19 ham hits on this range, so a hit is not conclusive on
# its own.
1829 header SARE_RECV_IP_222000 Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/
1830 describe SARE_RECV_IP_222000 Passed through possible spammer relay or source
1831 score SARE_RECV_IP_222000 1.508
1832 #ham SARE_RECV_IP_222000 confirmed (1)
1833 #hist SARE_RECV_IP_222000 Created by Bob Menschel Aug 09 2004
1834 #counts SARE_RECV_IP_222000 79s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1835 #max SARE_RECV_IP_222000 171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
1836 #counts SARE_RECV_IP_222000 80s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1837 #counts SARE_RECV_IP_222000 20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1838 #counts SARE_RECV_IP_222000 7s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1839 #counts SARE_RECV_IP_222000 6s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1840 #max SARE_RECV_IP_222000 7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1841 #counts SARE_RECV_IP_222000 133s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1842 #counts SARE_RECV_IP_222000 18s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Matches a bracketed 222.N.x.x in a Received header with N = 64-73
# (64-69, 70-73); the last two fields are any 1-3 digits.
1844 header SARE_RECV_IP_222064 Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/
1845 describe SARE_RECV_IP_222064 Spam passed through possible spammer relay
1846 score SARE_RECV_IP_222064 1.666
1847 #ham SARE_RECV_IP_222064 verified (1)
1848 #hist SARE_RECV_IP_222064 Created by Bob Menschel Apr 18 2004
1849 #counts SARE_RECV_IP_222064 115s/1h of 173032 corpus (99056s/73976h RM) 05/11/06
1850 #max SARE_RECV_IP_222064 831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1851 #counts SARE_RECV_IP_222064 54s/1h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1852 #counts SARE_RECV_IP_222064 95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1853 #max SARE_RECV_IP_222064 97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1854 #counts SARE_RECV_IP_222064 189s/1h of 22942 corpus (17234s/5708h MY) 05/14/06
1855 #max SARE_RECV_IP_222064 849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
1856 #counts SARE_RECV_IP_222064 17s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1857 #max SARE_RECV_IP_222064 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1858 #counts SARE_RECV_IP_222064 352s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1859 #counts SARE_RECV_IP_222064 35s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1861 #####################################################################################
1862 # SARE Reply-To Rules
1863 ######## ###################### ##################################################
1865 #####################################################################################
1866 # SARE To/Cc Destination rules
1867 ######## ###################### ##################################################
# Fires when the To header contains the literal "<>" (empty angle brackets)
# anywhere; the pattern is unanchored, so other text in the header does not
# prevent a match.
1869 header SARE_TO_EMPTY To =~ /<>/
1870 describe SARE_TO_EMPTY To address is set to empty
1871 #core SARE_TO_EMPTY 0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER
# Four-value score, one per SpamAssassin score set (no Bayes/no net, no Bayes/net,
# Bayes/no net, Bayes/net): the rule contributes only when network tests are
# enabled. Per the inline note and the #overlap line, the value is tuned as an
# increment on top of TO_NO_USER rather than as a standalone indicator.
1872 score SARE_TO_EMPTY 0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER
1873 #hist SARE_TO_EMPTY Originally submitted by Bob Menschel
1874 #overlap SARE_TO_EMPTY Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128
1875 #counts SARE_TO_EMPTY 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1876 #max SARE_TO_EMPTY 26s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
1877 #counts SARE_TO_EMPTY 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1878 #counts SARE_TO_EMPTY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1879 #counts SARE_TO_EMPTY 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1880 #max SARE_TO_EMPTY 0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
1881 #counts SARE_TO_EMPTY 0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05
1883 #####################################################################################
1884 # SARE X-Mailer Rules
1885 ######## ###################### ##################################################
# Fires when the X-Mailer header contains the case-sensitive substring
# "PSS Mailer".
# X-Mailer is chosen by the sending software, so a sender can change or omit
# it; a hit is a signature for one tool, and a miss says nothing.
# NOTE(review): the latest #counts lines show at most one hit per corpus; the
# rule may no longer earn its 1.111 score.
1887 header SARE_XMAIL_PSSMAILER X-Mailer =~ /PSS Mailer/
1888 describe SARE_XMAIL_PSSMAILER Apparently uses bulk mailer
1889 score SARE_XMAIL_PSSMAILER 1.111
1890 #stype SARE_XMAIL_PSSMAILER spamp
1891 #hist SARE_XMAIL_PSSMAILER RM_hxm_PSSMailer
1892 #counts SARE_XMAIL_PSSMAILER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1893 #max SARE_XMAIL_PSSMAILER 12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1894 #counts SARE_XMAIL_PSSMAILER 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
1895 #counts SARE_XMAIL_PSSMAILER 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
1896 #counts SARE_XMAIL_PSSMAILER 1s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1897 #counts SARE_XMAIL_PSSMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Fires when the X-Mailer header contains the case-sensitive substring "RLSP".
# The pattern is unanchored, so the four letters match inside a longer token.
# The #ham line records legitimate senders (a newsletter and personal mail)
# that also hit, which is why the score stays below 1.
1899 header SARE_XMAIL_RLSP X-Mailer =~ /RLSP/
1900 describe SARE_XMAIL_RLSP Uses Bulk Mailer used by spammers
1901 score SARE_XMAIL_RLSP 0.740
1902 #ham SARE_XMAIL_RLSP cartoon newsletter, personal emails (2)
1903 #hist SARE_XMAIL_RLSP Created by Bob Menschel Sep 27 2004
1904 #counts SARE_XMAIL_RLSP 26s/4h of 173032 corpus (99056s/73976h RM) 05/11/06
1905 #max SARE_XMAIL_RLSP 1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
1906 #counts SARE_XMAIL_RLSP 52s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1907 #counts SARE_XMAIL_RLSP 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1908 #counts SARE_XMAIL_RLSP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1909 #counts SARE_XMAIL_RLSP 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1910 #max SARE_XMAIL_RLSP 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1911 #counts SARE_XMAIL_RLSP 68s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1912 #counts SARE_XMAIL_RLSP 9s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1914 #####################################################################################
1915 # SARE Miscellaneous and X-Header header rules
1916 ######## ###################### ##################################################
# Fires when the entire Date header value is 1 to 14 characters long, which
# is shorter than a full date-time with zone would be.
# NOTE(review): unlike the neighbouring rules this one has no describe line,
# so a report shows only the rule name; consider adding one.
1918 header SARE_HEAD_DATE14 Date =~ /^.{1,14}$/
1919 score SARE_HEAD_DATE14 0.847
1920 #counts SARE_HEAD_DATE14 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1921 #max SARE_HEAD_DATE14 313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1922 #counts SARE_HEAD_DATE14 43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
1923 #counts SARE_HEAD_DATE14 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1924 #counts SARE_HEAD_DATE14 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1925 #max SARE_HEAD_DATE14 0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
1926 #counts SARE_HEAD_DATE14 57s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1927 #counts SARE_HEAD_DATE14 2s/1h of 42275 corpus (34158s/8117h FVGT) 05/15/06
# Fires when the Date header value is exactly 46 characters long.
# The rule keys on length alone, so it is a fingerprint for one formatting
# quirk; any change in the sender's date format stops it matching.
# NOTE(review): the #ham line records a confirmed legitimate hit, and the
# score of 1.666 is among the highest in this file; confirm it is still
# justified on a current corpus.
1929 header SARE_HEAD_DATE46 Date =~ /^.{46}$/
1930 describe SARE_HEAD_DATE46 Date header suggests this is spam
1931 score SARE_HEAD_DATE46 1.666
1932 #ham SARE_HEAD_DATE46 Confirmed (1)
1933 #counts SARE_HEAD_DATE46 409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1934 #counts SARE_HEAD_DATE46 7s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1935 #counts SARE_HEAD_DATE46 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1936 #counts SARE_HEAD_DATE46 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1937 #counts SARE_HEAD_DATE46 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1938 #counts SARE_HEAD_DATE46 6s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1939 #counts SARE_HEAD_DATE46 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
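# Flags a message that has a MIME-Version header whose value does not begin
# with "1.0" (after optional leading whitespace).
# __MIME_VERSION guards the meta, so a message with no MIME-Version header at
# all is not scored by this rule.
# The dot is escaped so that only a literal "1.0" counts as valid; unescaped,
# "." accepts any character between the two digits.
# The FT corpus below shows ham-only hits (0s/5h); keep the score moderate.
1941 header __MIME_VERSION exists:MIME-Version
1942 header __SARE_HEAD_MIME_VALID Mime-Version =~ m'^\s*1\.0\b'
1943 meta SARE_HEAD_MIME_INVALID !__SARE_HEAD_MIME_VALID && __MIME_VERSION
1944 describe SARE_HEAD_MIME_INVALID Invalid mime version
1945 score SARE_HEAD_MIME_INVALID 1.116
1946 #ham SARE_HEAD_MIME_INVALID confirmed
1947 #hist SARE_HEAD_MIME_INVALID Bob Menschel, June 15 2005, inspired by Alex Broens
1948 #counts SARE_HEAD_MIME_INVALID 433s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1949 #counts SARE_HEAD_MIME_INVALID 7s/0h of 9987 corpus (5650s/4337h AxB) 05/14/06
1950 #counts SARE_HEAD_MIME_INVALID 3s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
1951 #counts SARE_HEAD_MIME_INVALID 0s/5h of 15713 corpus (7767s/7946h FT) 05/14/06
1952 #counts SARE_HEAD_MIME_INVALID 172s/0h of 105832 corpus (72573s/33259h ML) 05/14/06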
# Fires when the Organization header contains the phrase "Prefix that with",
# matched case-insensitively anywhere in the value.
# NOTE(review): every current #counts line shows zero hits and only the #max
# lines (2005) record any; the rule looks stale and may be a candidate for
# archiving.
1954 header SARE_HEAD_ORG_PREFIXW Organization =~ /Prefix that with/i
1955 describe SARE_HEAD_ORG_PREFIXW Spam sign in Organization header
1956 score SARE_HEAD_ORG_PREFIXW 0.617
1957 #hist SARE_HEAD_ORG_PREFIXW Alex Broens, Feb 20 2005
1958 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1959 #max SARE_HEAD_ORG_PREFIXW 10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1960 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1961 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1962 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
1963 #max SARE_HEAD_ORG_PREFIXW 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1964 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
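# Fires when the X-Library header contains the version string
# "Indy 10.00.14-B".
# The dots are escaped so the pattern matches only that literal version, and
# the operator is spaced like the other header rules in this file.
# X-Library is written by the sending software and can be changed or dropped
# by the sender; a hit identifies one build and a miss says nothing.
1966 header SARE_HEAD_XLIB_INDY1 X-Library =~ /Indy 10\.00\.14-B/
1967 describe SARE_HEAD_XLIB_INDY1 Uses S/W version which has only been seen in spam
1968 score SARE_HEAD_XLIB_INDY1 0.844
1969 #hist SARE_HEAD_XLIB_INDY1 Originally submitted by Bob Menschel, RM.hxl_ForgedIndy
1970 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
1971 #max SARE_HEAD_XLIB_INDY1 30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
1972 #counts SARE_HEAD_XLIB_INDY1 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1973 #max SARE_HEAD_XLIB_INDY1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1974 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1975 #max SARE_HEAD_XLIB_INDY1 13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1976 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1977 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05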
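# Fires when the X-Library header contains the version string "Indy 8.0.25".
# The dots are escaped so the pattern matches only that literal version, and
# the operator is spaced like the other header rules in this file.
# The describe text says the version was seen only in spam, but the #ham and
# #max lines record one verified legitimate hit; treat a match as a strong
# hint, not proof.
1979 header SARE_HEAD_XLIB_INDY2 X-Library =~ /Indy 8\.0\.25/
1980 describe SARE_HEAD_XLIB_INDY2 Uses S/W version which has only been seen in spam
1981 score SARE_HEAD_XLIB_INDY2 1.272
1982 #ham SARE_HEAD_XLIB_INDY2 verified (1)
1983 #hist SARE_HEAD_XLIB_INDY2 Created by Bob Menschel May 31 2004
1984 #counts SARE_HEAD_XLIB_INDY2 3s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1985 #max SARE_HEAD_XLIB_INDY2 130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05
1986 #counts SARE_HEAD_XLIB_INDY2 91s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
1987 #counts SARE_HEAD_XLIB_INDY2 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1988 #counts SARE_HEAD_XLIB_INDY2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1989 #max SARE_HEAD_XLIB_INDY2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1990 #counts SARE_HEAD_XLIB_INDY2 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1991 #max SARE_HEAD_XLIB_INDY2 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1992 #counts SARE_HEAD_XLIB_INDY2 30s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
1993 #counts SARE_HEAD_XLIB_INDY2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05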
# Fires when the X-Unsent header value contains a standalone "1".
# NOTE(review): the /i modifier has no effect on a digit-only pattern.
# NOTE(review): X-Unsent is presumably the draft marker some mail clients
# write into saved, not-yet-sent messages; if so, a forwarded draft would hit
# too. Check this against the 2 ham hits in the RM #max line.
# Hit volume fell from 15436 (09/18/05) to single digits in the 2006 RM run,
# so the 1.666 score reflects an older campaign.
1995 header SARE_HEAD_XUNSENT X-Unsent =~ /\b1\b/i
1996 describe SARE_HEAD_XUNSENT Found spamsign header
1997 score SARE_HEAD_XUNSENT 1.666
1998 #hist SARE_HEAD_XUNSENT Alex Broens, June 10 2005
1999 #counts SARE_HEAD_XUNSENT 4s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
2000 #max SARE_HEAD_XUNSENT 15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
2001 #counts SARE_HEAD_XUNSENT 1s/0h of 9991 corpus (5650s/4341h AxB) 05/14/06
2002 #counts SARE_HEAD_XUNSENT 0s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
2003 #max SARE_HEAD_XUNSENT 57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2004 #counts SARE_HEAD_XUNSENT 126s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
2005 #counts SARE_HEAD_XUNSENT 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
2006 #max SARE_HEAD_XUNSENT 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
2007 #counts SARE_HEAD_XUNSENT 98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05
2008 #counts SARE_HEAD_XUNSENT 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2010 #####################################################################################
2011 # SARE Rules which examine multiple header types
2012 ######## ###################### ##################################################
# Fires when the Date header contains three consecutive bytes in the range
# 0x80-0xFF, i.e. non-ASCII data in a field that is expected to be plain
# ASCII.
# The #ham line records one verified legitimate hit, so a match is a strong
# indicator, not a certainty.
2014 header SARE_HEAD_8BIT_DATE Date =~ /[\x80-\xff]{3}/
2015 describe SARE_HEAD_8BIT_DATE High-ascii characters found in strange header
2016 score SARE_HEAD_8BIT_DATE 1.666
2017 #hist SARE_HEAD_8BIT_DATE From Bugzilla # 2243
2018 #ham SARE_HEAD_8BIT_DATE verified (1)
2019 #counts SARE_HEAD_8BIT_DATE 20s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
2020 #max SARE_HEAD_8BIT_DATE 433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2021 #counts SARE_HEAD_8BIT_DATE 116s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
2022 #counts SARE_HEAD_8BIT_DATE 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2023 #counts SARE_HEAD_8BIT_DATE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
2024 #counts SARE_HEAD_8BIT_DATE 71s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
2025 #counts SARE_HEAD_8BIT_DATE 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
2026 #counts SARE_HEAD_8BIT_DATE 65s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
# Searches the whole header block (the ALL pseudo-header) for "@citiz.net" or
# "@<one-label>.citiz.net", matched case-insensitively.
# ALL covers every header, including fields that only name a recipient or
# quote an earlier message, so mail merely addressed to or mentioning such an
# address matches as well; the #ham line records confirmed legitimate hits.
# NOTE(review): if the intent is "sent from or relayed via" this domain,
# consider restricting the test to the sender and relay headers.
2028 header SARE_MULT_VIA_CITIZNET ALL =~ /\@(?:\w+\.)?citiz\.net\b/i
2029 describe SARE_MULT_VIA_CITIZNET header references apparent spam source
2030 score SARE_MULT_VIA_CITIZNET 1.394
2031 #ham SARE_MULT_VIA_CITIZNET confirmed (2)
2032 #hist SARE_MULT_VIA_CITIZNET Created by Bob Menschel Aug 23 2004
2033 #counts SARE_MULT_VIA_CITIZNET 25s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
2034 #max SARE_MULT_VIA_CITIZNET 37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2035 #counts SARE_MULT_VIA_CITIZNET 60s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
2036 #counts SARE_MULT_VIA_CITIZNET 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2037 #max SARE_MULT_VIA_CITIZNET 8s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
2038 #counts SARE_MULT_VIA_CITIZNET 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2039 #max SARE_MULT_VIA_CITIZNET 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2040 #counts SARE_MULT_VIA_CITIZNET 3s/0h of 13313 corpus (7438s/5875h CT) 05/14/06
2041 #counts SARE_MULT_VIA_CITIZNET 40s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
2042 #counts SARE_MULT_VIA_CITIZNET 13s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06