1 # SARE Header Abuse Ruleset for SpamAssassin -- file 2
5 # Usage instructions and documentation in 70_sare_header0.cf
7 # Full Revision History / Change Log in 70_sare_header.log
8 #@@# 01.03.20 May 20 2005
9 #@@# Minor score updates based on additional mass-check
10 #@@# Modified "rule has been moved" meta flags
11 #@@# Moved file 0 to file 2 SARE_BOUNDARY_02
12 #@@# Moved file 0 to file 2 SARE_BOUNDARY_ANYDIG
13 #@@# Moved file 0 to file 2 SARE_BOUNDARY_D11
14 #@@# Moved file 0 to file 2 SARE_FROM_SPAM_NAME2
15 #@@# Moved file 0 to file 2 SARE_FROM_WSJ
16 #@@# Moved file 0 to file 2 SARE_HEAD_BDY_BOUNCES %%% OR ARCHIVE
17 #@@# Moved file 0 to file 2 SARE_HEAD_HDR_CONVER
18 #@@# Moved file 0 to file 2 SARE_HEAD_HDR_NLETRID
19 #@@# Moved file 0 to file 2 SARE_HEAD_HDR_PID
20 #@@# Moved file 0 to file 2 SARE_HEAD_HDR_XBNCETR
21 #@@# Moved file 0 to file 2 SARE_HEAD_HDR_XGMAILA
22 #@@# Moved file 0 to file 2 SARE_HEAD_HDR_XIDSRVR
23 #@@# Moved file 0 to file 2 SARE_HEAD_THRD_ALNUM
24 #@@# Moved file 0 to file 2 SARE_HEAD_XM4
25 #@@# Moved file 0 to file 2 SARE_HEAD_XMF_AUTHSNDR
26 #@@# Moved file 0 to file 2 SARE_HELO_MAILUSER
27 #@@# Moved file 0 to file 2 SARE_MSGID_HEX30
28 #@@# Moved file 0 to file 2 SARE_MULT_SEXCLUB
29 #@@# Moved file 0 to file 2 SARE_MULT_SUBJ
30 #@@# Moved file 0 to file 2 SARE_RECV_IP_004078
31 #@@# Moved file 0 to file 2 SARE_RECV_IP_038112147
32 #@@# Moved file 0 to file 2 SARE_RECV_IP_064192082
33 #@@# Moved file 0 to file 2 SARE_RECV_IP_066063
34 #@@# Moved file 0 to file 2 SARE_RECV_IP_066114a
35 #@@# Moved file 0 to file 2 SARE_RECV_IP_066159017
36 #@@# Moved file 0 to file 2 SARE_RECV_IP_069060122
37 #@@# Moved file 0 to file 2 SARE_RECV_IP_070096177
38 #@@# Moved file 0 to file 2 SARE_RECV_IP_207182
39 #@@# Moved file 0 to file 2 SARE_RECV_IP_208048182
40 #@@# Moved file 0 to file 2 SARE_RECV_IP_216055133
41 #@@# Moved file 0 to file 2 SARE_RECV_LOCALHOST
42 #@@# Moved file 0 to file 2 SARE_RECV_SUSP_2
43 #@@# Moved file 0 to file 2 SARE_RECV_TRADVALUES
44 #@@# Moved file 0 to file 2 SARE_RECV_VIPLIST
45 #@@# Moved file 0 to file 2 SARE_RECV_XACTRIX
46 #@@# Moved file 0 to file 2 SARE_REPLY_XACTRIX
47 #@@# Moved file 0 to file 2 SARE_XMAIL_DIRUNIV
48 #@@# Moved file 0 to file 2 SARE_XMAIL_INTERMED
49 #@@# Moved file 0 to file 2 SARE_XMAIL_LEO
50 #@@# Moved file 0 to file 2 SARE_XMAIL_PHPBulkEmai
51 #@@# Moved file 0 to file 3 SARE_RECV_ADDR5
52 #@@# Moved file 1 to file 2 SARE_HEAD_DATE_RNDDATE
53 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_MSGTYPE
54 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_X400RCV
55 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XCNDINF
56 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XRIPE
57 #@@# Moved file 1 to file 2 SARE_HEAD_HDR_XSAFMMI
58 #@@# Moved file 1 to file 2 SARE_RECV_IP_062023
59 #@@# Moved file 1 to file 2 SARE_RECV_IP_065205157
60 #@@# Moved file 1 to file 2 SARE_RECV_IP_066248154
61 #@@# Moved file 1 to file 2 SARE_RECV_IP_206248152
62 #@@# Moved file 1 to file 2 SARE_RECV_RND_DATE
63 #@@# Moved file 1 to file 2 SARE_XMAIL_GDI
64 #@@# Moved file 2 to file 0 SARE_HEAD_HDR_CONVWLS
65 #@@# Moved file 2 to file 0 SARE_HEAD_SUBJ_RAND
66 #@@# Moved file 2 to file 0 SARE_HEAD_XORIP_IP
67 #@@# Moved file 2 to file 3 SARE_MULT_RATW_03
68 #@@# Returned file 2 to file 0 SARE_HEAD_HDR_EPATH
69 #@@# Returned file 2 to file 0 SARE_RECV_IP_063111025
70 #@@# Returned file 2 to file 1 SARE_RECV_IP_142046
71 #@@# 01.03.21 May 21 2005
72 #@@# Minor repairs to "downgraded rule" metas.
74 ######## ###################### ##################################################
75 # Meta rules used to prevent --lint errors after moving/changing rules
76 ######## ###################### ##################################################
78 meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
79 meta SARE_MULT_RATW_03 __SARE_HEAD_FALSE
81 ######## ###################### ##################################################
82 # Component rules used within meta rules
83 ######## ###################### ##################################################
85 header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
87 #####################################################################################
88 # SARE Header-Exists rules
89 ######## ###################### ##################################################
91 header SARE_HEAD_HDR_CONVER exists:Conversion
92 describe SARE_HEAD_HDR_CONVER Message headers used which identify spam
93 score SARE_HEAD_HDR_CONVER 1.111
94 #stype SARE_HEAD_HDR_CONVER spamp
95 #counts SARE_HEAD_HDR_CONVER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
96 #max SARE_HEAD_HDR_CONVER 54s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
97 #counts SARE_HEAD_HDR_CONVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
98 #counts SARE_HEAD_HDR_CONVER 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
99 #max SARE_HEAD_HDR_CONVER 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
100 #counts SARE_HEAD_HDR_CONVER 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
101 #max SARE_HEAD_HDR_CONVER 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
102 #counts SARE_HEAD_HDR_CONVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
103 #counts SARE_HEAD_HDR_CONVER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
105 header SARE_HEAD_HDR_JLH exists:X-JLH
106 describe SARE_HEAD_HDR_JLH Message headers used which identify spam
107 score SARE_HEAD_HDR_JLH 1.111
108 #stype SARE_HEAD_HDR_JLH spamp
109 #counts SARE_HEAD_HDR_JLH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
110 #max SARE_HEAD_HDR_JLH 71s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
111 #counts SARE_HEAD_HDR_JLH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
112 #counts SARE_HEAD_HDR_JLH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
113 #counts SARE_HEAD_HDR_JLH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
114 #counts SARE_HEAD_HDR_JLH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
116 header SARE_HEAD_HDR_MSGTYPE exists:Message-Type
117 describe SARE_HEAD_HDR_MSGTYPE Message headers used which identify spam
118 score SARE_HEAD_HDR_MSGTYPE 0.555
119 #stype SARE_HEAD_HDR_MSGTYPE spamp
120 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
121 #max SARE_HEAD_HDR_MSGTYPE 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
122 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
123 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
124 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
125 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
127 header SARE_HEAD_HDR_NLETRID exists:Newsletter-ID
128 describe SARE_HEAD_HDR_NLETRID Message headers used which identify spam
129 score SARE_HEAD_HDR_NLETRID 1.666
130 #stype SARE_HEAD_HDR_NLETRID spamp
131 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
132 #max SARE_HEAD_HDR_NLETRID 173s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
133 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
134 #max SARE_HEAD_HDR_NLETRID 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
135 #counts SARE_HEAD_HDR_NLETRID 28s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
136 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
137 #max SARE_HEAD_HDR_NLETRID 12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
138 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
140 header SARE_HEAD_HDR_PID exists:PID
141 describe SARE_HEAD_HDR_PID Message headers used which identify spam
142 score SARE_HEAD_HDR_PID 1.666
143 #stype SARE_HEAD_HDR_PID spamp
144 #counts SARE_HEAD_HDR_PID 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
145 #max SARE_HEAD_HDR_PID 139s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
146 #counts SARE_HEAD_HDR_PID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
147 #counts SARE_HEAD_HDR_PID 36s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
148 #counts SARE_HEAD_HDR_PID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
149 #max SARE_HEAD_HDR_PID 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
150 #counts SARE_HEAD_HDR_PID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
152 header SARE_HEAD_HDR_REDIRTO exists:Redirect-to
153 describe SARE_HEAD_HDR_REDIRTO Message headers used which identify spam
154 score SARE_HEAD_HDR_REDIRTO 0.555
155 #stype SARE_HEAD_HDR_REDIRTO spamp
156 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
157 #max SARE_HEAD_HDR_REDIRTO 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
158 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
159 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
160 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
161 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
163 header SARE_HEAD_HDR_ROT exists:Rot
164 describe SARE_HEAD_HDR_ROT Message headers used which identify spam
165 score SARE_HEAD_HDR_ROT 0.555
166 #stype SARE_HEAD_HDR_ROT spamp
167 #counts SARE_HEAD_HDR_ROT 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
168 #max SARE_HEAD_HDR_ROT 3s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
169 #counts SARE_HEAD_HDR_ROT 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
170 #counts SARE_HEAD_HDR_ROT 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
171 #counts SARE_HEAD_HDR_ROT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
172 #counts SARE_HEAD_HDR_ROT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
174 header SARE_HEAD_HDR_RTNPATH exists:List-Return-Path
175 describe SARE_HEAD_HDR_RTNPATH Message headers used which identify spam
176 score SARE_HEAD_HDR_RTNPATH 1.111
177 #stype SARE_HEAD_HDR_RTNPATH spamp
178 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
179 #max SARE_HEAD_HDR_RTNPATH 32s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
180 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
181 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
182 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
183 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
185 header SARE_HEAD_HDR_WCMSGID exists:WcMessage-ID
186 describe SARE_HEAD_HDR_WCMSGID Message headers used which identify spam
187 score SARE_HEAD_HDR_WCMSGID 0.555
188 #stype SARE_HEAD_HDR_WCMSGID spamp
189 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
190 #max SARE_HEAD_HDR_WCMSGID 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
191 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
192 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
193 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
194 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
196 header SARE_HEAD_HDR_X400MTI exists:X400-MTS-Identifier
197 describe SARE_HEAD_HDR_X400MTI Message headers used which identify spam
198 score SARE_HEAD_HDR_X400MTI 0.555
199 #stype SARE_HEAD_HDR_X400MTI spamp
200 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
201 #max SARE_HEAD_HDR_X400MTI 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
202 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
203 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
204 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
205 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
207 header SARE_HEAD_HDR_X400RCV exists:X400-Received
208 describe SARE_HEAD_HDR_X400RCV Message headers used which identify spam
209 score SARE_HEAD_HDR_X400RCV 0.555
210 #stype SARE_HEAD_HDR_X400RCV spamp
211 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
212 #max SARE_HEAD_HDR_X400RCV 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
213 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
214 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
215 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
216 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
218 header SARE_HEAD_HDR_XAR exists:X-AR
219 describe SARE_HEAD_HDR_XAR Message headers used which identify spam
220 score SARE_HEAD_HDR_XAR 0.555
221 #stype SARE_HEAD_HDR_XAR spamp
222 #counts SARE_HEAD_HDR_XAR 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
223 #max SARE_HEAD_HDR_XAR 2s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
224 #counts SARE_HEAD_HDR_XAR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
225 #counts SARE_HEAD_HDR_XAR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
226 #counts SARE_HEAD_HDR_XAR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
227 #counts SARE_HEAD_HDR_XAR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
229 header SARE_HEAD_HDR_XAUTGEN exists:X-Auto-Generated
230 describe SARE_HEAD_HDR_XAUTGEN Message headers used which identify spam
231 score SARE_HEAD_HDR_XAUTGEN 0.555
232 #stype SARE_HEAD_HDR_XAUTGEN spamp
233 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
234 #max SARE_HEAD_HDR_XAUTGEN 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
235 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
236 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
237 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
238 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
240 header SARE_HEAD_HDR_XBNCETR exists:X-BounceTrace
241 describe SARE_HEAD_HDR_XBNCETR Message headers used which identify spam
242 score SARE_HEAD_HDR_XBNCETR 1.111
243 #stype SARE_HEAD_HDR_XBNCETR spamp
244 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
245 #max SARE_HEAD_HDR_XBNCETR 96s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
246 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
247 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
248 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
249 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
251 header SARE_HEAD_HDR_XCNDINF exists:X-CND-Info
252 describe SARE_HEAD_HDR_XCNDINF Message headers used which identify spam
253 score SARE_HEAD_HDR_XCNDINF 0.555
254 #stype SARE_HEAD_HDR_XCNDINF spamp
255 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
256 #max SARE_HEAD_HDR_XCNDINF 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
257 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
258 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
259 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
260 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
262 header SARE_HEAD_HDR_XCROSS exists:X-cross
263 describe SARE_HEAD_HDR_XCROSS Message headers used which identify spam
264 score SARE_HEAD_HDR_XCROSS 0.100
265 #stype SARE_HEAD_HDR_XCROSS spamp
266 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
267 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
268 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
269 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
270 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
272 header SARE_HEAD_HDR_XEMGBMS exists:X-EMailGateBouncedMessage
273 describe SARE_HEAD_HDR_XEMGBMS Message headers used which identify spam
274 score SARE_HEAD_HDR_XEMGBMS 0.555
275 #stype SARE_HEAD_HDR_XEMGBMS spamp
276 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
277 #max SARE_HEAD_HDR_XEMGBMS 6s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
278 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
279 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
280 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
281 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
283 header SARE_HEAD_HDR_XGMAILA exists:X-Gmail-Account
284 describe SARE_HEAD_HDR_XGMAILA Message headers used which identify spam
285 score SARE_HEAD_HDR_XGMAILA 1.111
286 #stype SARE_HEAD_HDR_XGMAILA spamp
287 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
288 #max SARE_HEAD_HDR_XGMAILA 20s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
289 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
290 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
291 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
292 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
294 header SARE_HEAD_HDR_XIDSRVR exists:X-Identity-Server
295 describe SARE_HEAD_HDR_XIDSRVR Message headers used which identify spam
296 score SARE_HEAD_HDR_XIDSRVR 1.111
297 #stype SARE_HEAD_HDR_XIDSRVR spamp
298 #hist SARE_HEAD_HDR_XIDSRVR Bob Menschel, June 3 2005, idea by Alex Broens
299 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
300 #max SARE_HEAD_HDR_XIDSRVR 15s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
301 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
302 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
303 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
304 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
306 header SARE_HEAD_HDR_XLC exists:X-L-C
307 describe SARE_HEAD_HDR_XLC Message headers used which identify spam
308 score SARE_HEAD_HDR_XLC 0.100
309 #stype SARE_HEAD_HDR_XLC spamp
310 #counts SARE_HEAD_HDR_XLC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
311 #counts SARE_HEAD_HDR_XLC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
312 #counts SARE_HEAD_HDR_XLC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
313 #counts SARE_HEAD_HDR_XLC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
314 #counts SARE_HEAD_HDR_XLC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
316 header SARE_HEAD_HDR_XLIDCOD exists:X-LIDCode
317 describe SARE_HEAD_HDR_XLIDCOD Message headers used which identify spam
318 score SARE_HEAD_HDR_XLIDCOD 0.100
319 #stype SARE_HEAD_HDR_XLIDCOD spamp
320 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
321 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
322 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
323 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
324 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
326 header SARE_HEAD_HDR_XMISCID exists:X-Misc_ID
327 describe SARE_HEAD_HDR_XMISCID Message headers used which identify spam
328 score SARE_HEAD_HDR_XMISCID 0.100
329 #stype SARE_HEAD_HDR_XMISCID spamp
330 #hist SARE_HEAD_HDR_XMISCID FH_XMISCID
331 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
332 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
333 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
334 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
335 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
337 header SARE_HEAD_HDR_XMLCIPH exists:X-mlcipher
338 describe SARE_HEAD_HDR_XMLCIPH Message headers used which identify spam
339 score SARE_HEAD_HDR_XMLCIPH 0.100
340 #stype SARE_HEAD_HDR_XMLCIPH spamp
341 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
342 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
343 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
344 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
345 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
347 header SARE_HEAD_HDR_XMLMSGI exists:X-mlmsgid
348 describe SARE_HEAD_HDR_XMLMSGI Message headers used which identify spam
349 score SARE_HEAD_HDR_XMLMSGI 0.100
350 #stype SARE_HEAD_HDR_XMLMSGI spamp
351 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
352 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
353 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
354 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
355 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
357 header SARE_HEAD_HDR_XMAGDID exists:X-magdalene-ID
358 describe SARE_HEAD_HDR_XMAGDID Message headers used which identify spam
359 score SARE_HEAD_HDR_XMAGDID 0.555
360 #stype SARE_HEAD_HDR_XMAGDID spamp
361 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
362 #max SARE_HEAD_HDR_XMAGDID 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
363 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
364 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
365 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
366 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
368 header SARE_HEAD_HDR_XMPM exists:X-mpm
369 describe SARE_HEAD_HDR_XMPM Message headers used which identify spam
370 score SARE_HEAD_HDR_XMPM 0.100
371 #stype SARE_HEAD_HDR_XMPM spamp
372 #counts SARE_HEAD_HDR_XMPM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
373 #counts SARE_HEAD_HDR_XMPM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
374 #counts SARE_HEAD_HDR_XMPM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
375 #counts SARE_HEAD_HDR_XMPM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
376 #counts SARE_HEAD_HDR_XMPM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
378 header SARE_HEAD_HDR_XMS exists:X-ms
379 describe SARE_HEAD_HDR_XMS Message headers used which identify spam
380 score SARE_HEAD_HDR_XMS 0.100
381 #stype SARE_HEAD_HDR_XMS spamp
382 #counts SARE_HEAD_HDR_XMS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
383 #counts SARE_HEAD_HDR_XMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
384 #counts SARE_HEAD_HDR_XMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
385 #counts SARE_HEAD_HDR_XMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
386 #counts SARE_HEAD_HDR_XMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
388 header SARE_HEAD_HDR_XNOSPAM exists:X-No-Spam
389 describe SARE_HEAD_HDR_XNOSPAM Message headers used which identify spam
390 score SARE_HEAD_HDR_XNOSPAM 1.111
391 #stype SARE_HEAD_HDR_XNOSPAM spamp
392 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
393 #max SARE_HEAD_HDR_XNOSPAM 12s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
394 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
395 #max SARE_HEAD_HDR_XNOSPAM 4s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
396 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
397 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
398 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
400 header SARE_HEAD_HDR_XNTC exists:X-ntc
401 describe SARE_HEAD_HDR_XNTC Message headers used which identify spam
402 score SARE_HEAD_HDR_XNTC 0.100
403 #stype SARE_HEAD_HDR_XNTC spamp
404 #counts SARE_HEAD_HDR_XNTC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
405 #counts SARE_HEAD_HDR_XNTC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
406 #counts SARE_HEAD_HDR_XNTC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
407 #counts SARE_HEAD_HDR_XNTC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
408 #counts SARE_HEAD_HDR_XNTC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
410 header SARE_HEAD_HDR_XPOPB4S exists:X-Pop-Before-SMTP-Sender
411 describe SARE_HEAD_HDR_XPOPB4S Message headers used which identify spam
412 score SARE_HEAD_HDR_XPOPB4S 0.555
413 #stype SARE_HEAD_HDR_XPOPB4S spamp
414 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
415 #max SARE_HEAD_HDR_XPOPB4S 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
416 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
417 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
418 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
419 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
421 header SARE_HEAD_HDR_XPOPFLK exists:X-POPFile-Link
422 describe SARE_HEAD_HDR_XPOPFLK Message headers used which identify spam
423 score SARE_HEAD_HDR_XPOPFLK 0.555
424 #stype SARE_HEAD_HDR_XPOPFLK spamp
425 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
426 #max SARE_HEAD_HDR_XPOPFLK 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
427 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
428 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
429 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
430 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
432 header SARE_HEAD_HDR_XPRIOMS exists:X-Prioserve-MailScanner
433 describe SARE_HEAD_HDR_XPRIOMS Message headers used which identify spam
434 score SARE_HEAD_HDR_XPRIOMS 0.555
435 #stype SARE_HEAD_HDR_XPRIOMS spamp
436 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
437 #max SARE_HEAD_HDR_XPRIOMS 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
438 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
439 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
440 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
441 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
443 header SARE_HEAD_HDR_XPRIOMF exists:X-Prioserve-MailScanner-From
444 describe SARE_HEAD_HDR_XPRIOMF Message headers used which identify spam
445 score SARE_HEAD_HDR_XPRIOMF 0.555
446 #stype SARE_HEAD_HDR_XPRIOMF spamp
447 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
448 #max SARE_HEAD_HDR_XPRIOMF 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
449 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
450 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
451 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
452 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
454 header SARE_HEAD_HDR_XPRIOMI exists:X-Prioserve-MailScanner-Information
455 describe SARE_HEAD_HDR_XPRIOMI Message headers used which identify spam
456 score SARE_HEAD_HDR_XPRIOMI 0.555
457 #stype SARE_HEAD_HDR_XPRIOMI spamp
458 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
459 #max SARE_HEAD_HDR_XPRIOMI 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
460 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
461 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
462 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
463 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
465 header SARE_HEAD_HDR_XPIROMC exists:X-Prioserve-MailScanner-SpamCheck
466 describe SARE_HEAD_HDR_XPIROMC Message headers used which identify spam
467 score SARE_HEAD_HDR_XPIROMC 0.555
468 #stype SARE_HEAD_HDR_XPIROMC spamp
469 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
470 #max SARE_HEAD_HDR_XPIROMC 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
471 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
472 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
473 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
474 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
476 header SARE_HEAD_HDR_XRBLTST exists:X-RBL-TST
477 describe SARE_HEAD_HDR_XRBLTST Message headers used which identify spam
478 score SARE_HEAD_HDR_XRBLTST 0.555
479 #stype SARE_HEAD_HDR_XRBLTST spamp
480 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
481 #max SARE_HEAD_HDR_XRBLTST 2s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
482 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
483 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
484 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
485 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
487 header SARE_HEAD_HDR_XREC exists:X-Rec
488 describe SARE_HEAD_HDR_XREC Message headers used which identify spam
489 score SARE_HEAD_HDR_XREC 2.222
490 #stype SARE_HEAD_HDR_XREC spamp
491 #counts SARE_HEAD_HDR_XREC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
492 #counts SARE_HEAD_HDR_XREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
493 #counts SARE_HEAD_HDR_XREC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
494 #counts SARE_HEAD_HDR_XREC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
495 #counts SARE_HEAD_HDR_XREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
497 header SARE_HEAD_HDR_XRIPE exists:X-RIPE
498 describe SARE_HEAD_HDR_XRIPE Message headers used which identify spam
499 score SARE_HEAD_HDR_XRIPE 1.111
500 #stype SARE_HEAD_HDR_XRIPE spamp
501 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
502 #max SARE_HEAD_HDR_XRIPE 16s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
503 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
504 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
505 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
506 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
507 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
509 header SARE_HEAD_HDR_XSAFMMI exists:X-SafeMailer-MsgId
510 describe SARE_HEAD_HDR_XSAFMMI Message headers used which identify spam
511 score SARE_HEAD_HDR_XSAFMMI 0.555
512 #stype SARE_HEAD_HDR_XSAFMMI spamp
513 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
514 #max SARE_HEAD_HDR_XSAFMMI 1s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
515 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
516 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
517 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
518 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
520 header SARE_HEAD_HDR_XSPAMSC exists:X-Spam-Score
521 describe SARE_HEAD_HDR_XSPAMSC Message headers used which identify spam
522 score SARE_HEAD_HDR_XSPAMSC 0.555
523 #stype SARE_HEAD_HDR_XSPAMSC spamp
524 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
525 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
526 #max SARE_HEAD_HDR_XSPAMSC 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
527 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
528 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
529 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
531 header SARE_HEAD_HDR_XSRK exists:X-srk
532 describe SARE_HEAD_HDR_XSRK Message headers used which identify spam
533 score SARE_HEAD_HDR_XSRK 0.100
534 #stype SARE_HEAD_HDR_XSRK spamp
535 #counts SARE_HEAD_HDR_XSRK 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
536 #counts SARE_HEAD_HDR_XSRK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
537 #counts SARE_HEAD_HDR_XSRK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
538 #counts SARE_HEAD_HDR_XSRK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
539 #counts SARE_HEAD_HDR_XSRK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
541 header SARE_HEAD_HDR_XSUBID exists:X-SubID
542 describe SARE_HEAD_HDR_XSUBID Message headers used which identify spam
543 score SARE_HEAD_HDR_XSUBID 0.555
544 #stype SARE_HEAD_HDR_XSUBID spamp
545 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
546 #max SARE_HEAD_HDR_XSUBID 3s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
547 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
548 #counts SARE_HEAD_HDR_XSUBID 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
549 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
550 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
552 header SARE_HEAD_HDR_XTRANS exists:X-Trans
553 describe SARE_HEAD_HDR_XTRANS Message headers used which identify spam
554 score SARE_HEAD_HDR_XTRANS 0.100
555 #stype SARE_HEAD_HDR_XTRANS spamp
556 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
557 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
558 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
559 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
560 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
562 header SARE_HEAD_HDR_XTXTCLS exists:X-Text-Classification
563 describe SARE_HEAD_HDR_XTXTCLS Message headers used which identify spam
564 score SARE_HEAD_HDR_XTXTCLS 0.555
565 #stype SARE_HEAD_HDR_XTXTCLS spamp
566 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
567 #max SARE_HEAD_HDR_XTXTCLS 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
568 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
569 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
570 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
571 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
573 header SARE_HEAD_HDR_XVIG exists:X-Vig
574 describe SARE_HEAD_HDR_XVIG Message headers used which identify spam
575 score SARE_HEAD_HDR_XVIG 0.100
576 #stype SARE_HEAD_HDR_XVIG spamp
577 #counts SARE_HEAD_HDR_XVIG 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
578 #counts SARE_HEAD_HDR_XVIG 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
579 #counts SARE_HEAD_HDR_XVIG 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
580 #counts SARE_HEAD_HDR_XVIG 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
581 #counts SARE_HEAD_HDR_XVIG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
583 header SARE_HEAD_HDR_XYD exists:X-yd
584 describe SARE_HEAD_HDR_XYD Message headers used which identify spam
585 score SARE_HEAD_HDR_XYD 0.100
586 #stype SARE_HEAD_HDR_XYD spamp
587 #counts SARE_HEAD_HDR_XYD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
588 #counts SARE_HEAD_HDR_XYD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
589 #counts SARE_HEAD_HDR_XYD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
590 #counts SARE_HEAD_HDR_XYD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
591 #counts SARE_HEAD_HDR_XYD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
593 header SARE_HEAD_HDR_XI exists:X-I
594 describe SARE_HEAD_HDR_XI Message headers used which identify spam
595 score SARE_HEAD_HDR_XI 0.100
596 #stype SARE_HEAD_HDR_XI spamp
597 #counts SARE_HEAD_HDR_XI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
598 #counts SARE_HEAD_HDR_XI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
599 #counts SARE_HEAD_HDR_XI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
600 #counts SARE_HEAD_HDR_XI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
601 #counts SARE_HEAD_HDR_XI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
603 header SARE_HEAD_HDR_XIM exists:X-IM
604 describe SARE_HEAD_HDR_XIM Message headers used which identify spam
605 score SARE_HEAD_HDR_XIM 0.100
606 #stype SARE_HEAD_HDR_XIM spamp
607 #counts SARE_HEAD_HDR_XIM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
608 #counts SARE_HEAD_HDR_XIM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
609 #counts SARE_HEAD_HDR_XIM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
610 #counts SARE_HEAD_HDR_XIM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
611 #counts SARE_HEAD_HDR_XIM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
613 #####################################################################################
614 # SARE Content-Type and Boundary rules
615 ######## ###################### ##################################################
617 header SARE_BOUNDARY_01 Content-Type =~ /boundary==?\".{0,}XXXX-/
618 describe SARE_BOUNDARY_01 Spam tool pattern in MIME boundary
619 score SARE_BOUNDARY_01 0.100
620 #hist SARE_BOUNDARY_01 L.MIME_BOUND_SIMPLE
621 #counts SARE_BOUNDARY_01 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
622 #counts SARE_BOUNDARY_01 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
623 #counts SARE_BOUNDARY_01 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
624 #counts SARE_BOUNDARY_01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
626 header SARE_BOUNDARY_02 Content-Type =~ /boundary\=('|\")?\~{10,}/
627 describe SARE_BOUNDARY_02 Too many ~'s in the boundary.
628 score SARE_BOUNDARY_02 0.650
629 #hist SARE_BOUNDARY_02 MY_BOUNDARY2
630 #counts SARE_BOUNDARY_02 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
631 #max SARE_BOUNDARY_02 51s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
632 #counts SARE_BOUNDARY_02 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
633 #counts SARE_BOUNDARY_02 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
634 #counts SARE_BOUNDARY_02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
636 header SARE_BOUNDARY_ANYDIG Content-Type =~ /boundary="--.*\[\d\]/i
637 describe SARE_BOUNDARY_ANYDIG Content type boundary used in spam and viruses
638 score SARE_BOUNDARY_ANYDIG 1.666
639 #hist SARE_BOUNDARY_ANYDIG Created by Bob Menschel May 7 2005, suggested by Alex Broens
640 #counts SARE_BOUNDARY_ANYDIG 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
641 #max SARE_BOUNDARY_ANYDIG 282s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
642 #counts SARE_BOUNDARY_ANYDIG 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
643 #max SARE_BOUNDARY_ANYDIG 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
644 #counts SARE_BOUNDARY_ANYDIG 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
645 #max SARE_BOUNDARY_ANYDIG 85s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
646 #counts SARE_BOUNDARY_ANYDIG 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
648 header SARE_BOUNDARY_D11 Content-Type =~ /boundary="\d{11}"/
649 describe SARE_BOUNDARY_D11 Content type boundary used in spam or virus
650 score SARE_BOUNDARY_D11 1.666
651 #stype SARE_BOUNDARY_D11 spamp
652 #hist SARE_BOUNDARY_D11 Created by Bob Menschel May 31 2004
653 #counts SARE_BOUNDARY_D11 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
654 #max SARE_BOUNDARY_D11 112s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
655 #counts SARE_BOUNDARY_D11 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
656 #counts SARE_BOUNDARY_D11 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
657 #counts SARE_BOUNDARY_D11 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
658 #max SARE_BOUNDARY_D11 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
659 #counts SARE_BOUNDARY_D11 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
661 full SARE_CONTENT_BITBITNUM /\nContent-Encoding: BitBitNUM\n/
662 describe SARE_CONTENT_BITBITNUM Unlikely content encoding
663 score SARE_CONTENT_BITBITNUM 1.406
664 #hist SARE_CONTENT_BITBITNUM Loren Wilton, Feb 1 2005
665 #counts SARE_CONTENT_BITBITNUM 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
666 #max SARE_CONTENT_BITBITNUM 153s/0h of 95210 corpus (59682s/35528h RM) 02/01/05
667 #counts SARE_CONTENT_BITBITNUM 64s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
668 #counts SARE_CONTENT_BITBITNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
669 #counts SARE_CONTENT_BITBITNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
671 #####################################################################################
673 ######## ###################### ##################################################
675 header SARE_FROM_AMERICA From =~ /[^\-]\bamerica\.com\b/i
676 describe SARE_FROM_AMERICA From user address is used by spammer
677 score SARE_FROM_AMERICA 1.111
678 #stype SARE_FROM_AMERICA spamp
679 #hist SARE_FROM_AMERICA Created by Bob Menschel Sep 24 2004
680 #counts SARE_FROM_AMERICA 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
681 #max SARE_FROM_AMERICA 5s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
682 #counts SARE_FROM_AMERICA 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
683 #counts SARE_FROM_AMERICA 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
684 #max SARE_FROM_AMERICA 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
685 #counts SARE_FROM_AMERICA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
686 #counts SARE_FROM_AMERICA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
688 header SARE_FROM_SPAM_DOMN2 From =~ /\@wses\.(?:com|org)/i
689 describe SARE_FROM_SPAM_DOMN2 From address suggests this is spam
690 score SARE_FROM_SPAM_DOMN2 0.100
691 #stype SARE_FROM_SPAM_DOMN2 spamp
692 #hist SARE_FROM_SPAM_DOMN2 RM_fa_wses
693 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
694 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
695 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
696 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
698 header SARE_FROM_SPAM_NAME2 From =~ /(?:Dating Tips|Email-Gallery|everyday-solution|Free Credit Report|FreebieFix|Long Distance|medmicro|Shape Solutions|TMobile Authorized Dealer|TheGolfWarehouses|Typing Teacher|Value Center|freePriority Shipping|koldny|propecia|thedailyfreesamples)/i
699 describe SARE_FROM_SPAM_NAME2 From address suggests this is spam
700 score SARE_FROM_SPAM_NAME2 1.666
701 #stype SARE_FROM_SPAM_NAME2 spamp
702 #hist SARE_FROM_SPAM_NAME2 COMBINED.FROM and other sources
703 #counts SARE_FROM_SPAM_NAME2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
704 #max SARE_FROM_SPAM_NAME2 140s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
705 #counts SARE_FROM_SPAM_NAME2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
706 #max SARE_FROM_SPAM_NAME2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
707 #counts SARE_FROM_SPAM_NAME2 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
708 #max SARE_FROM_SPAM_NAME2 16s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
709 #counts SARE_FROM_SPAM_NAME2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
710 #counts SARE_FROM_SPAM_NAME2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
712 header SARE_FROM_VIRUS1 ALL=~ /From:\ssupport\@microsoft.com/
713 describe SARE_FROM_VIRUS1 From address suggests this is a virus
714 score SARE_FROM_VIRUS1 3.333
715 #stype SARE_FROM_VIRUS1 vbgg
716 #counts SARE_FROM_VIRUS1 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
717 #max SARE_FROM_VIRUS1 21s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
718 #counts SARE_FROM_VIRUS1 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
719 #counts SARE_FROM_VIRUS1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
720 #counts SARE_FROM_VIRUS1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
722 header __SARE_FROM_WSJ From:name =~ /Wall Street (?:News Alert|Journal Online|Stock Wizard|Detective|Universe|Update|Chronicle)/i
723 meta SARE_FROM_WSJ __SARE_FROM_WSJ && __SARE_WHITELIST_FLAG && !USER_IN_WHITELIST
724 score SARE_FROM_WSJ 1.666
725 #hist SARE_FROM_WSJ Matt Yackley, Apr 15 2005, expanded by Bob Menschel
726 #hist SARE_FROM_WSJ Dec 24 2005: Added real WSJ whitelist entry to 70_sare_whitelist.cf; added whitelist flags to new meta to force this rule to NOT hit if this is actually the WSJ.
727 #counts SARE_FROM_WSJ 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
728 #max SARE_FROM_WSJ 86s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
729 #counts SARE_FROM_WSJ 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
730 #max SARE_FROM_WSJ 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
731 #counts SARE_FROM_WSJ 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
732 #max SARE_FROM_WSJ 11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
733 #counts SARE_FROM_WSJ 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
734 #max SARE_FROM_WSJ 258s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
735 #counts SARE_FROM_WSJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
737 #####################################################################################
738 # SARE From Rules -- Emails coming from free webmail accounts
739 # Since spam from these can vary depending upon country of origin,
740 # country of destination, policies, and enforcement of policies,
741 # most of these are kept as separate rules rather than combined.
742 ######## ###################### ##################################################
744 header SARE_FREE_WEBM_Iamfi From =~ /\biamfinallyonline\.com/i
745 describe SARE_FREE_WEBM_Iamfi Sender used free email account - may be spammer
746 score SARE_FREE_WEBM_Iamfi 0.555
747 #stype SARE_FREE_WEBM_Iamfi spamp
748 #hist SARE_FREE_WEBM_Iamfi Created by Bob Menschel Apr 09 2004
749 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
750 #max SARE_FREE_WEBM_Iamfi 3s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
751 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
752 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
753 #max SARE_FREE_WEBM_Iamfi 1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
754 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
755 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
757 header SARE_FREE_WEBM_USACOPS From =~ /\@usacops\.com/i
758 describe SARE_FREE_WEBM_USACOPS Maybe spammer with free email
759 score SARE_FREE_WEBM_USACOPS 0.555
760 #stype SARE_FREE_WEBM_USACOPS spamp
761 #hist SARE_FREE_WEBM_USACOPS Created by Bob Menschel Feb 24 2005
762 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
763 #max SARE_FREE_WEBM_USACOPS 2s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
764 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
765 #counts SARE_FREE_WEBM_USACOPS 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
766 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
767 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
769 #####################################################################################
770 # SARE Message-ID rules
771 ######## ###################### ##################################################
773 header SARE_MSGID_06D6 MESSAGEID =~ /<0{6}\d{6}\$\d/
774 describe SARE_MSGID_06D6 Message-ID has ratware pattern (000009999$9)
775 score SARE_MSGID_06D6 1.061
776 #counts SARE_MSGID_06D6 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
777 #max SARE_MSGID_06D6 91s/0h of 115439 corpus (94250s/21189h RM) 04/30/04
778 #counts SARE_MSGID_06D6 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
779 #counts SARE_MSGID_06D6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
780 #counts SARE_MSGID_06D6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
781 #counts SARE_MSGID_06D6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
783 header MSGID_SPAM_CAPS Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
784 #hist MSGID_SPAM_CAPS Distrib: SA 2.64, 3.0.0
785 header __SARE_MSGID_ALL_CAPHM MESSAGEID =~ /<[A-Z]+\@hotmail.com>/ # no /i
786 meta SARE_MSGID_ALL_CAPHM __SARE_MSGID_ALL_CAPHM && !MSGID_SPAM_CAPS
787 describe SARE_MSGID_ALL_CAPHM Ratware all-caps message-id
788 score SARE_MSGID_ALL_CAPHM 1.666
789 #stype SARE_MSGID_ALL_CAPHM spamg
790 #hist SARE_MSGID_ALL_CAPHM Created by Bob Menschel May 15 2004
791 #note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPHM fall into SARE_MSGID_ALL_CAPS
792 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 70566 corpus (43013s/27553h RM) 10/02/04
793 #max SARE_MSGID_ALL_CAPHM 1s/0h of 69619 corpus (42582s/27037h RM) 09/26/04
794 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
795 #max SARE_MSGID_ALL_CAPHM 1s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
796 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
797 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
798 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
800 header MSGID_SPAM_CAPS Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
801 #hist MSGID_SPAM_CAPS Distrib: SA 2.64, 3.0.0
802 header __SARE_MSGID_ALL_CAPMS MESSAGEID =~ /<[A-Z]+\@msn.com>/ # no /i
803 meta SARE_MSGID_ALL_CAPMS __SARE_MSGID_ALL_CAPMS && !MSGID_SPAM_CAPS
804 describe SARE_MSGID_ALL_CAPMS Ratware all-caps message-id
805 score SARE_MSGID_ALL_CAPMS 1.666
806 #hist SARE_MSGID_ALL_CAPMS Created by Bob Menschel May 15 2004
807 #note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPMS fall into SARE_MSGID_ALL_CAPS
808 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 58336 corpus (33608s/24728h RM) 08/07/04
809 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
810 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
811 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
813 header SARE_MSGID_H7H4H4 MESSAGEID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
814 describe SARE_MSGID_H7H4H4 Message-ID has ratware pattern (7hex$4hex$4hex@)
815 score SARE_MSGID_H7H4H4 0.222
816 #counts SARE_MSGID_H7H4H4 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
817 #max SARE_MSGID_H7H4H4 2s/0h of 115439 corpus (94250s/21189h) 04/30/04
818 #counts SARE_MSGID_H7H4H4 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
819 #max SARE_MSGID_H7H4H4 2s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
820 #counts SARE_MSGID_H7H4H4 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
821 #counts SARE_MSGID_H7H4H4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
822 #counts SARE_MSGID_H7H4H4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
824 header SARE_MSGID_HEX30 MESSAGEID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
825 describe SARE_MSGID_HEX30 Message-ID has ratware pattern (HEXHEXHEX$9x9@)
826 score SARE_MSGID_HEX30 1.666
827 #counts SARE_MSGID_HEX30 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
828 #max SARE_MSGID_HEX30 18s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
829 #counts SARE_MSGID_HEX30 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
830 #max SARE_MSGID_HEX30 235s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
831 #counts SARE_MSGID_HEX30 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
832 #max SARE_MSGID_HEX30 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
833 #counts SARE_MSGID_HEX30 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
834 #counts SARE_MSGID_HEX30 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
836 header SARE_MSGID_SPAM_DOMN0 MESSAGEID =~ /\bjeanvaljean\.com/i
837 describe SARE_MSGID_SPAM_DOMN0 Message ID implies possible spammer relay
838 score SARE_MSGID_SPAM_DOMN0 1.666
839 #stype SARE_MSGID_SPAM_DOMN0 spamg
840 #hist SARE_MSGID_SPAM_DOMN0 Created by Bob Menschel Mar 22 2004
841 #hist SARE_MSGID_SPAM_DOMN0 Removed moosq.com, since now in specific.cf
842 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
843 #max SARE_MSGID_SPAM_DOMN0 1s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
844 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
845 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
846 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
848 header MSGID_SPAM_ALPHA_NUM MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
849 header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
850 header __SARE_MSGID_SUSP2 MESSAGEID =~ /\<[A-Z]{5,15}\-\d{10,25}\@[a-z]+\>/
851 meta SARE_MSGID_SUSP2 __SARE_MSGID_SUSP2 && !__SARE_RECV_LOCALHOST && !MSGID_SPAM_ALPHA_NUM
852 describe SARE_MSGID_SUSP2 Message-Id is <LETTERS-digits@letters>
853 score SARE_MSGID_SUSP2 3.000
854 #hist SARE_MSGID_SUSP2 Loren Wilton, LW_BOGUS_MSGID6
855 #hist SARE_MSGID_SUSP2 Broadened Aug 2004 by Jesse Houwing, with ham-evading exclude
856 #V300 SARE_MSGID_SUSP2 strong overlap with MSGID_SPAM_ALPHA_NUM
857 #counts SARE_MSGID_SUSP2 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
858 #alone SARE_MSGID_SUSP2 174s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
859 #max SARE_MSGID_SUSP2 9187s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
860 #counts SARE_MSGID_SUSP2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
861 #max SARE_MSGID_SUSP2 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
862 #counts SARE_MSGID_SUSP2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
863 #max SARE_MSGID_SUSP2 187s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
864 #counts SARE_MSGID_SUSP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
865 #counts SARE_MSGID_SUSP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
867 #####################################################################################
868 # SARE Received Header Rules
869 ######## ###################### ##################################################
871 header SARE_HELO_AOLID Received =~ /helo=aol\.com ident=/
872 describe SARE_HELO_AOLID Spam passed through apparent spammer relay
873 score SARE_HELO_AOLID 0.611
874 #counts SARE_HELO_AOLID 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
875 #max SARE_HELO_AOLID 10s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
876 #counts SARE_HELO_AOLID 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
877 #counts SARE_HELO_AOLID 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
878 #counts SARE_HELO_AOLID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
879 #counts SARE_HELO_AOLID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
881 header SARE_HELO_MAILUSER Received =~ /helo=MailUser\)/i
882 describe SARE_HELO_MAILUSER Received header has possible spamsign
883 score SARE_HELO_MAILUSER 1.111
884 #stype SARE_HELO_MAILUSER spamp
885 #hist SARE_HELO_MAILUSER Created by Bob Menschel May 31 2004
886 #counts SARE_HELO_MAILUSER 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
887 #max SARE_HELO_MAILUSER 12s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
888 #counts SARE_HELO_MAILUSER 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
889 #counts SARE_HELO_MAILUSER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
890 #counts SARE_HELO_MAILUSER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
891 #counts SARE_HELO_MAILUSER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
893 header SARE_RECV_ADDR2 Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/
894 describe SARE_RECV_ADDR2 Received header missing a FQDN, IP only.
895 score SARE_RECV_ADDR2 0.100
896 #counts SARE_RECV_ADDR2 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
897 #counts SARE_RECV_ADDR2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
898 #counts SARE_RECV_ADDR2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
899 #counts SARE_RECV_ADDR2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
901 header SARE_RECV_ADDR3 Received =~ /^from \(.?\[.?\].?\)\b/
902 describe SARE_RECV_ADDR3 Received header contains an empty Recieved IP.
903 score SARE_RECV_ADDR3 0.100
904 #counts SARE_RECV_ADDR3 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
905 #counts SARE_RECV_ADDR3 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
906 #counts SARE_RECV_ADDR3 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
907 #counts SARE_RECV_ADDR3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
909 header SARE_RECV_ADDR4 Received =~ /^from unknown \(\w+ \w+\)\b/
910 describe SARE_RECV_ADDR4 Received contains unknown FQDN with possible HELO.
911 score SARE_RECV_ADDR4 0.100
912 #counts SARE_RECV_ADDR4 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
913 #counts SARE_RECV_ADDR4 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
914 #counts SARE_RECV_ADDR4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
915 #counts SARE_RECV_ADDR4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
917 header __SARE_RECV_CHAR_DASHS Received =~ /---/
918 header __SARE_RECV_CHAR_DOTS Received =~ /\.\./
919 meta SARE_RECV_CHAR_DSHDT __SARE_RECV_CHAR_DASHS && __SARE_RECV_CHAR_DOTS
920 describe SARE_RECV_CHAR_DSHDT Strange dashes and dots in received line
921 score SARE_RECV_CHAR_DSHDT 0.500
922 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
923 #max SARE_RECV_CHAR_DSHDT 7s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
924 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
925 #max SARE_RECV_CHAR_DSHDT 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
926 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
927 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
928 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
930 header SARE_RECV_ESMTP Received =~ /^from \(?:unknown|\d+\.\d+\.\d+\.\d+\) \(\s+\) by \s+ with esmtp; /
931 describe SARE_RECV_ESMTP Received header has forged lowercase 'esmtp' relay
932 score SARE_RECV_ESMTP 0.100
933 #counts SARE_RECV_ESMTP 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
934 #counts SARE_RECV_ESMTP 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
935 #counts SARE_RECV_ESMTP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
936 #counts SARE_RECV_ESMTP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
938 header SARE_RECV_LOCALHOST Received =~ /localhosts\.txt/i
939 describe SARE_RECV_LOCALHOST fingerprint
940 score SARE_RECV_LOCALHOST 1.111
941 #stype SARE_RECV_LOCALHOST spamp
942 #hist SARE_RECV_LOCALHOST Alex Broens, June 2005
943 #counts SARE_RECV_LOCALHOST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
944 #max SARE_RECV_LOCALHOST 77s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
945 #counts SARE_RECV_LOCALHOST 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
946 #counts SARE_RECV_LOCALHOST 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
948 header SARE_RECV_RANDOM Received =~ /helo[ =].{1,30}<rnddg/i
949 describe SARE_RECV_RANDOM Spam contains random string in received header
950 score SARE_RECV_RANDOM 4.000
951 #stype SARE_RECV_RANDOM spamggg
952 #hist SARE_RECV_RANDOM Created by Bob Menschel Nov 02 2004
953 #counts SARE_RECV_RANDOM 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
954 #max SARE_RECV_RANDOM 80s/0h of 196708 corpus (96197s/100511h RM) 02/21/05
955 #counts SARE_RECV_RANDOM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
956 #counts SARE_RECV_RANDOM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
957 #counts SARE_RECV_RANDOM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
958 #counts SARE_RECV_RANDOM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
960 header SARE_RECV_RND_DATE Received =~ /RND_DATE/i
961 describe SARE_RECV_RND_DATE Spam passed through iswest.net relay
962 score SARE_RECV_RND_DATE 1.666
963 #stype SARE_RECV_RND_DATE spamg
964 #counts SARE_RECV_RND_DATE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
965 #max SARE_RECV_RND_DATE 9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
966 #counts SARE_RECV_RND_DATE 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
967 #counts SARE_RECV_RND_DATE 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
968 #max SARE_RECV_RND_DATE 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
969 #counts SARE_RECV_RND_DATE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
970 #counts SARE_RECV_RND_DATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
972 header SARE_RECV_RND_NUMBER Received =~ /RND_NUMBER/i
973 describe SARE_RECV_RND_NUMBER Spam passed through iswest.net relay
974 score SARE_RECV_RND_NUMBER 1.666
975 #stype SARE_RECV_RND_NUMBER spamg
976 #counts SARE_RECV_RND_NUMBER 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
977 #max SARE_RECV_RND_NUMBER 2s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
978 #counts SARE_RECV_RND_NUMBER 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
979 #counts SARE_RECV_RND_NUMBER 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
980 #counts SARE_RECV_RND_NUMBER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
981 #counts SARE_RECV_RND_NUMBER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
983 header SARE_RECV_SUSP_2 Received =~ /from\s+[A-Z0-9]+\s+\(\[10\.2\.202\.25\]\)\s+by\s+[A-Z0-9]+\.[a-z]+/
984 describe SARE_RECV_SUSP_2 Spammer sign in headers
985 score SARE_RECV_SUSP_2 1.666
986 #hist SARE_RECV_SUSP_2 LW_RATWARE1
987 #counts SARE_RECV_SUSP_2 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
988 #max SARE_RECV_SUSP_2 69s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
989 #counts SARE_RECV_SUSP_2 31s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
990 #max SARE_RECV_SUSP_2 124s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
991 #counts SARE_RECV_SUSP_2 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
992 #max SARE_RECV_SUSP_2 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
993 #counts SARE_RECV_SUSP_2 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
994 #max SARE_RECV_SUSP_2 8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
995 #counts SARE_RECV_SUSP_2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
997 header SARE_RECV_TRADVALUES Received =~ /\btraditionalvalues\.org/i
998 describe SARE_RECV_TRADVALUES From or passed through spammer/unreliable domain
999 score SARE_RECV_TRADVALUES 3.333
1000 #stype SARE_RECV_TRADVALUES spamgg
1001 #hist SARE_RECV_TRADVALUES RM_hr_tradvalues
1002 #counts SARE_RECV_TRADVALUES 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1003 #max SARE_RECV_TRADVALUES 97s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
1004 #counts SARE_RECV_TRADVALUES 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
1005 #counts SARE_RECV_TRADVALUES 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
1006 #counts SARE_RECV_TRADVALUES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1007 #counts SARE_RECV_TRADVALUES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1009 header SARE_RECV_VIPLIST Received =~ /\b(?:viplist\.us|\[216.74.127.234\])/
1010 describe SARE_RECV_VIPLIST Email comes from known spammer system
1011 score SARE_RECV_VIPLIST 4.000
1012 #stype SARE_RECV_VIPLIST spamggg
1013 #hist SARE_RECV_VIPLIST Created by Bob Menschel Sep 29 2004
1014 #counts SARE_RECV_VIPLIST 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1015 #max SARE_RECV_VIPLIST 255s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1016 #counts SARE_RECV_VIPLIST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1017 #counts SARE_RECV_VIPLIST 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1018 #counts SARE_RECV_VIPLIST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1019 #counts SARE_RECV_VIPLIST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1021 header SARE_RECV_WITH_X2 Received =~ / with with /
1022 describe SARE_RECV_WITH_X2 Spam identified by typo in received header
1023 score SARE_RECV_WITH_X2 1.666
1024 #stype SARE_RECV_WITH_X2 spamp
1025 #counts SARE_RECV_WITH_X2 0s/0h of 56796 corpus (32203s/24593h RM) 07/25/04
1026 #max SARE_RECV_WITH_X2 341s/0h of 100795 corpus (82099s/18696h) 02/16/04
1027 #counts SARE_RECV_WITH_X2 0s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1028 #counts SARE_RECV_WITH_X2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1029 #max SARE_RECV_WITH_X2 4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1030 #counts SARE_RECV_WITH_X2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1031 #counts SARE_RECV_WITH_X2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1033 header SARE_RECV_XACTRIX Received =~ /\b(?:accutra|xactrix)\.com/i
1034 describe SARE_RECV_XACTRIX From/through probable spammer system
1035 score SARE_RECV_XACTRIX 2.500
1036 #stype SARE_RECV_XACTRIX spamg
1037 #hist SARE_RECV_XACTRIX Created by Bob Menschel Sep 03 2004
1038 #counts SARE_RECV_XACTRIX 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
1039 #max SARE_RECV_XACTRIX 11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1040 #counts SARE_RECV_XACTRIX 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1041 #counts SARE_RECV_XACTRIX 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1042 #max SARE_RECV_XACTRIX 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1043 #counts SARE_RECV_XACTRIX 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1044 #counts SARE_RECV_XACTRIX 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1046 #####################################################################################
1047 # SARE Received Header IP Address Rules
1048 ######## ###################### ##################################################
1050 header SARE_RECV_IP_004078 Received =~ /\[4\.78\.193\.\d{1,3}\]/
1051 describe SARE_RECV_IP_004078 Spam passed through possible spammer relay
1052 score SARE_RECV_IP_004078 1.666
1053 #hist SARE_RECV_IP_004078 Created by Bob Menschel Feb 5 2005 from Spam-L information
1054 #note SARE_RECV_IP_004078 CWIE, LLC
1055 #counts SARE_RECV_IP_004078 0s/0h of 95095 corpus (59680s/35415h RM) 02/05/05
1056 #counts SARE_RECV_IP_004078 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1057 #counts SARE_RECV_IP_004078 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1058 #max SARE_RECV_IP_004078 397s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1059 #counts SARE_RECV_IP_004078 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1060 #counts SARE_RECV_IP_004078 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1062 header SARE_RECV_IP_038112147 Received =~ /\[38\.112\.147\.\d{1,3}\]/
1063 describe SARE_RECV_IP_038112147 Spam passed through possible spammer relay
1064 score SARE_RECV_IP_038112147 1.111
1065 #stype SARE_RECV_IP_038112147 spamp
1066 #hist SARE_RECV_IP_038112147 Created by Bob Menschel, Feb 19 2005, from Spam-L posting
1067 #counts SARE_RECV_IP_038112147 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1068 #max SARE_RECV_IP_038112147 66s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
1069 #counts SARE_RECV_IP_038112147 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1070 #counts SARE_RECV_IP_038112147 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1071 #max SARE_RECV_IP_038112147 3s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1072 #counts SARE_RECV_IP_038112147 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1073 #counts SARE_RECV_IP_038112147 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1075 header SARE_RECV_IP_062023 Received =~ /\[62\.23\.133\.(?:19[2-9]|2\d{2})\]/
1076 describe SARE_RECV_IP_062023 Passed through possible spammer relay or source
1077 score SARE_RECV_IP_062023 1.111
1078 #stype SARE_RECV_IP_062023 spamp
1079 #hist SARE_RECV_IP_062023 Created by Bob Menschel Feb 10 2005 from Spam-L info
1080 #note SARE_RECV_IP_062023 E-Mail-Vision
1081 #counts SARE_RECV_IP_062023 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1082 #max SARE_RECV_IP_062023 22s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1083 #counts SARE_RECV_IP_062023 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1084 #counts SARE_RECV_IP_062023 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1085 #counts SARE_RECV_IP_062023 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1086 #counts SARE_RECV_IP_062023 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1088 header SARE_RECV_IP_064069032 Received =~ /\[64\.69\.32\.\d{1,3}\]/
1089 describe SARE_RECV_IP_064069032 Spam passed through possible spammer relay
1090 score SARE_RECV_IP_064069032 1.111
1091 #stype SARE_RECV_IP_064069032 spamp
1092 #hist SARE_RECV_IP_064069032 Created by Bob Menschel Aug 07 2005
1093 #counts SARE_RECV_IP_064069032 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1094 #max SARE_RECV_IP_064069032 13s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1095 #counts SARE_RECV_IP_064069032 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1096 #counts SARE_RECV_IP_064069032 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1098 header SARE_RECV_IP_064095 Received =~ /\[64\.95\.199\.\d{1,3}\]/
1099 describe SARE_RECV_IP_064095 Spam passed through probable spammer relay
1100 score SARE_RECV_IP_064095 1.666
1101 #stype SARE_RECV_IP_064095 spamg
1102 #hist SARE_RECV_IP_064095 Created by Bob Menschel Apr 17 2004
1103 #counts SARE_RECV_IP_064095 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
1104 #max SARE_RECV_IP_064095 3s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1105 #counts SARE_RECV_IP_064095 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1106 #max SARE_RECV_IP_064095 22s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1107 #counts SARE_RECV_IP_064095 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1108 #max SARE_RECV_IP_064095 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1109 #counts SARE_RECV_IP_064095 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1110 #counts SARE_RECV_IP_064095 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1112 header SARE_RECV_IP_064192082 received =~ /\[64\.192\.8[23]\.\d{1,3}\]/
1113 describe SARE_RECV_IP_064192082 Spam passed through possible spammer relay
1114 score SARE_RECV_IP_064192082 1.111
1115 #stype SARE_RECV_IP_064192082 spamp
1116 #hist SARE_RECV_IP_064192082 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
1117 #counts SARE_RECV_IP_064192082 0s/0h of 98352 corpus (59690s/38662h RM) 01/29/05
1118 #counts SARE_RECV_IP_064192082 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1119 #counts SARE_RECV_IP_064192082 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1120 #max SARE_RECV_IP_064192082 39s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1121 #counts SARE_RECV_IP_064192082 0s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1122 #counts SARE_RECV_IP_064192082 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1124 header SARE_RECV_IP_064192191 Received =~ /\[64\.192\.191\.\d{1,3}\]/
1125 describe SARE_RECV_IP_064192191 Passed through possible spammer relay or source
1126 score SARE_RECV_IP_064192191 1.111
1127 #stype SARE_RECV_IP_064192191 spamp
1128 #hist SARE_RECV_IP_064192191 Created by Bob Menschel Jan 14 2005, info thanks to Paul Howarth, Dec 14 2004
1129 #note SARE_RECV_IP_064192191 WCG.NET, On The Net, Inc., onthenethosting.us
1130 #counts SARE_RECV_IP_064192191 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
1131 #max SARE_RECV_IP_064192191 31s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1132 #counts SARE_RECV_IP_064192191 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1133 #counts SARE_RECV_IP_064192191 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1134 #counts SARE_RECV_IP_064192191 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1135 #counts SARE_RECV_IP_064192191 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1137 header SARE_RECV_IP_065205157 received =~ /\[65\.205\.157\.(?:19[2-9]|2[01]\d|22[0-3])\]/
1138 describe SARE_RECV_IP_065205157 Spam passed through possible spammer relay
1139 score SARE_RECV_IP_065205157 1.111
1140 #stype SARE_RECV_IP_065205157 spamp
1141 #hist SARE_RECV_IP_065205157 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
1142 #counts SARE_RECV_IP_065205157 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1143 #max SARE_RECV_IP_065205157 7s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1144 #counts SARE_RECV_IP_065205157 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1145 #counts SARE_RECV_IP_065205157 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1146 #max SARE_RECV_IP_065205157 67s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1147 #counts SARE_RECV_IP_065205157 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1148 #counts SARE_RECV_IP_065205157 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1150 header SARE_RECV_IP_066063 Received =~ /\[66\.63\.178\.\d{1,3}\]/
1151 describe SARE_RECV_IP_066063 Passed through possible spammer relay or source
1152 score SARE_RECV_IP_066063 1.111
1153 #stype SARE_RECV_IP_066063 spamp
1154 #hist SARE_RECV_IP_066063 Created by Bob Menschel Feb 10 2005 from Spam-L info
1155 #counts SARE_RECV_IP_066063 0s/0h of 118836 corpus (71083s/47753h RM) 02/10/05
1156 #counts SARE_RECV_IP_066063 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1157 #counts SARE_RECV_IP_066063 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1158 #max SARE_RECV_IP_066063 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1159 #counts SARE_RECV_IP_066063 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1160 #counts SARE_RECV_IP_066063 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1162 header SARE_RECV_IP_066114a Received =~ /\[66\.114\.217\.\d{1,3}\]/
1163 describe SARE_RECV_IP_066114a Spam passed through possible spammer relay
1164 score SARE_RECV_IP_066114a 1.111
1165 #stype SARE_RECV_IP_066114a spamp
1166 #hist SARE_RECV_IP_066114a Created by Bob Menschel Feb 5 2005 from Spam-L info
1167 #note SARE_RECV_IP_066114a SW FLA Hosting
1168 #counts SARE_RECV_IP_066114a 0s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
1169 #max SARE_RECV_IP_066114a 27s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1170 #counts SARE_RECV_IP_066114a 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1171 #counts SARE_RECV_IP_066114a 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1172 #max SARE_RECV_IP_066114a 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1173 #counts SARE_RECV_IP_066114a 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1174 #counts SARE_RECV_IP_066114a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1176 header SARE_RECV_IP_066159017 Received =~ /\[66\.159\.17\.8[4-7]\]/
1177 describe SARE_RECV_IP_066159017 Spam passed through possible spammer relay
1178 score SARE_RECV_IP_066159017 1.666
1179 #hist SARE_RECV_IP_066159017 Created by Bob Menschel Aug 07 2005
1180 #counts SARE_RECV_IP_066159017 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1181 #max SARE_RECV_IP_066159017 219s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1182 #counts SARE_RECV_IP_066159017 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1183 #counts SARE_RECV_IP_066159017 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1185 header SARE_RECV_IP_066248154 Received =~ /\[66\.248\.154\.\d{1,3}\]/
1186 describe SARE_RECV_IP_066248154 Spam passed through possible spammer relay
1187 score SARE_RECV_IP_066248154 1.111
1188 #stype SARE_RECV_IP_066248154 spamp
1189 #hist SARE_RECV_IP_066248154 Created by Bob Menschel May 14 2005
1190 #note SARE_RECV_IP_066248154 Advanced Dedicated Database Servers LLC
1191 #counts SARE_RECV_IP_066248154 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
1192 #max SARE_RECV_IP_066248154 8s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
1193 #counts SARE_RECV_IP_066248154 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1194 #counts SARE_RECV_IP_066248154 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1195 #max SARE_RECV_IP_066248154 17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1197 header SARE_RECV_IP_069060122 Received =~ /\[69\.60\.122\.\d{1,3}\]/
1198 describe SARE_RECV_IP_069060122 Spam passed through possible spammer relay
1199 score SARE_RECV_IP_069060122 1.111
1200 #stype SARE_RECV_IP_069060122 spamp
1201 #hist SARE_RECV_IP_069060122 Created by Bob Menschel May 14 2005
1202 #counts SARE_RECV_IP_069060122 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1203 #counts SARE_RECV_IP_069060122 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1204 #counts SARE_RECV_IP_069060122 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1205 #max SARE_RECV_IP_069060122 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1207 header SARE_RECV_IP_070096177 Received =~ /\[70\.96\.177\.\d{1,3}\]/
1208 describe SARE_RECV_IP_070096177 Spam passed through possible spammer relay
1209 score SARE_RECV_IP_070096177 1.666
1210 #stype SARE_RECV_IP_070096177 spamp
1211 #hist SARE_RECV_IP_070096177 Created by Bob Menschel May 14 2005
1212 #note SARE_RECV_IP_070096177 Broadlogix
1213 #counts SARE_RECV_IP_070096177 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1214 #max SARE_RECV_IP_070096177 78s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
1215 #counts SARE_RECV_IP_070096177 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1216 #counts SARE_RECV_IP_070096177 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1217 #counts SARE_RECV_IP_070096177 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1218 #max SARE_RECV_IP_070096177 48s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1220 header SARE_RECV_IP_081019 Received =~ /\[81\.19\.24[0-3]\.\d{1,3}\]/
1221 describe SARE_RECV_IP_081019 Passed through possible spammer relay or source
1222 score SARE_RECV_IP_081019 0.678
1223 #hist SARE_RECV_IP_081019 Created by Bob Menschel Jul 27 2004
1224 #counts SARE_RECV_IP_081019 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1225 #max SARE_RECV_IP_081019 15s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1226 #counts SARE_RECV_IP_081019 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1227 #counts SARE_RECV_IP_081019 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1228 #max SARE_RECV_IP_081019 4s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1229 #counts SARE_RECV_IP_081019 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1230 #counts SARE_RECV_IP_081019 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1232 header SARE_RECV_IP_081095 Received =~ /\[81\.95\.(?:3[2-9]|4[0-7])\.\d{1,3}\]/
1233 describe SARE_RECV_IP_081095 Spam passed through possible spammer relay
1234 score SARE_RECV_IP_081095 0.555
1235 #stype SARE_RECV_IP_081095 spamp
1236 #hist SARE_RECV_IP_081095 Created by Bob Menschel June 12 2004
1237 #counts SARE_RECV_IP_081095 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
1238 #max SARE_RECV_IP_081095 3s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
1239 #counts SARE_RECV_IP_081095 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1240 #max SARE_RECV_IP_081095 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1241 #counts SARE_RECV_IP_081095 0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1242 #counts SARE_RECV_IP_081095 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1243 #counts SARE_RECV_IP_081095 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1245 header SARE_RECV_IP_200203050 Received =~ /\[200\.203\.50\.160\]/
1246 describe SARE_RECV_IP_200203050 Spam passed through possible spammer relay
1247 score SARE_RECV_IP_200203050 0.555
1248 #stype SARE_RECV_IP_200203050 spamp
1249 #hist SARE_RECV_IP_200203050 Created by Bob Menschel, Feb 19 2005, from Spam-L posting
1250 #counts SARE_RECV_IP_200203050 0s/0h of 174366 corpus (98964s/75402h RM) 02/18/05
1251 #counts SARE_RECV_IP_200203050 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1252 #counts SARE_RECV_IP_200203050 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1254 header SARE_RECV_IP_202064 Received =~ /\[202\.22\.(?:24[89]|25[01])\.\d{1,3}\]/
1255 describe SARE_RECV_IP_202064 Spam passed through possible spammer relay
1256 score SARE_RECV_IP_202064 1.111
1257 #stype SARE_RECV_IP_202064 spamp
1258 #hist SARE_RECV_IP_202064 Created by Bob Menschel Apr 25 2004
1259 #counts SARE_RECV_IP_202064 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
1260 #max SARE_RECV_IP_202064 12s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
1261 #counts SARE_RECV_IP_202064 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1262 #counts SARE_RECV_IP_202064 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1263 #max SARE_RECV_IP_202064 4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1264 #counts SARE_RECV_IP_202064 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1265 #counts SARE_RECV_IP_202064 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1267 header SARE_RECV_IP_206248152 Received =~ /\[206\.248\.153\.\d{1,3}\]/
1268 describe SARE_RECV_IP_206248152 Spam passed through possible spammer relay
1269 score SARE_RECV_IP_206248152 0.617
1270 #ham SARE_RECV_IP_206248152 confirmed (1)
1271 #hist SARE_RECV_IP_206248152 Created by Bob Menschel May 14 2005
1272 #note SARE_RECV_IP_206248152 3zCanada-GTA1
1273 #counts SARE_RECV_IP_206248152 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1274 #max SARE_RECV_IP_206248152 19s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
1275 #counts SARE_RECV_IP_206248152 0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
1276 #max SARE_RECV_IP_206248152 2s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1277 #counts SARE_RECV_IP_206248152 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1279 header SARE_RECV_IP_207182 Received =~ /\[207\.182\.146\.(?:19[2-9]|2\d{2})\]/
1280 describe SARE_RECV_IP_207182 Passed through possible spammer relay or source
1281 score SARE_RECV_IP_207182 1.666
1282 #stype SARE_RECV_IP_207182 spamp
1283 #hist SARE_RECV_IP_207182 Created by Bob Menschel Feb 10 2005 from Spam-L info
1284 #counts SARE_RECV_IP_207182 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1285 #max SARE_RECV_IP_207182 26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1286 #counts SARE_RECV_IP_207182 71s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1287 #counts SARE_RECV_IP_207182 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1288 #max SARE_RECV_IP_207182 57s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1289 #counts SARE_RECV_IP_207182 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1290 #counts SARE_RECV_IP_207182 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1292 header SARE_RECV_IP_208048182 Received =~ /\[208.48\.182\.\d{1,3}\]/
1293 describe SARE_RECV_IP_208048182 Spam passed through possible spammer relay
1294 score SARE_RECV_IP_208048182 1.111
1295 #stype SARE_RECV_IP_208048182 spamp
1296 #hist SARE_RECV_IP_208048182 Created by Bob Menschel May 14 2005
1297 #counts SARE_RECV_IP_208048182 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
1298 #counts SARE_RECV_IP_208048182 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1299 #counts SARE_RECV_IP_208048182 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1300 #max SARE_RECV_IP_208048182 43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1302 header SARE_RECV_IP_211049 Received =~ /\[211\.49\.185\.\d{1,3}\]/
1303 describe SARE_RECV_IP_211049 Spam passed through possible spammer relay
1304 score SARE_RECV_IP_211049 0.555
1305 #stype SARE_RECV_IP_211049 spamp
1306 #counts SARE_RECV_IP_211049 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1307 #max SARE_RECV_IP_211049 3s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
1308 #counts SARE_RECV_IP_211049 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1309 #counts SARE_RECV_IP_211049 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1310 #counts SARE_RECV_IP_211049 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1312 header SARE_RECV_IP_212164 Received =~ /\[212\.164\.1(?:6[4-9]|[78]\d|9[01])\.\d{1,3}\]/
1313 describe SARE_RECV_IP_212164 Spam passed through possible spammer relay
1314 score SARE_RECV_IP_212164 0.555
1315 #stype SARE_RECV_IP_212164 spamp
1316 #hist SARE_RECV_IP_212164 Created by Bob Menschel May 31 2004
1317 #counts SARE_RECV_IP_212164 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1318 #max SARE_RECV_IP_212164 1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1319 #counts SARE_RECV_IP_212164 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1320 #counts SARE_RECV_IP_212164 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1321 #counts SARE_RECV_IP_212164 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1323 header SARE_RECV_IP_216055133 Received =~ /\[216\.55\.133\.\d{1,3}\]/
1324 describe SARE_RECV_IP_216055133 Spam passed through possible spammer relay
1325 score SARE_RECV_IP_216055133 1.111
1326 #stype SARE_RECV_IP_216055133 spamp
1327 #hist SARE_RECV_IP_216055133 Created by Bob Menschel May 14 2005
1328 #counts SARE_RECV_IP_216055133 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
1329 #counts SARE_RECV_IP_216055133 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1330 #counts SARE_RECV_IP_216055133 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
1331 #max SARE_RECV_IP_216055133 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1332 #counts SARE_RECV_IP_216055133 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1333 #max SARE_RECV_IP_216055133 15s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1335 #####################################################################################
1336 # SARE Reply-To Header Rules
1337 ######## ###################### ##################################################
1339 header SARE_REPLY_XACTRIX Reply-To =~ /\b(?:accutra|xactrix)\.com/i
1340 describe SARE_REPLY_XACTRIX Reply-To email addr to spammer
1341 score SARE_REPLY_XACTRIX 1.666
1342 #stype SARE_REPLY_XACTRIX spamg
1343 #hist SARE_REPLY_XACTRIX Created by Bob Menschel Sep 03 2004
1344 #counts SARE_REPLY_XACTRIX 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
1345 #max SARE_REPLY_XACTRIX 11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1346 #counts SARE_REPLY_XACTRIX 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1347 #counts SARE_REPLY_XACTRIX 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1348 #max SARE_REPLY_XACTRIX 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1349 #counts SARE_REPLY_XACTRIX 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1350 #counts SARE_REPLY_XACTRIX 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1352 #####################################################################################
1353 # SARE User-Agent rules
1354 ######## ###################### ##################################################
1356 #####################################################################################
1357 # SARE To/Cc Destination rules
1358 ######## ###################### ##################################################
1360 header SARE_TOCC_MAILDOMN ToCc =~ /(?:client|recipient)\@(?:smtpdomain|maildomain)\.(?:com|net)/i
1361 describe SARE_TOCC_MAILDOMN Destination identifies this as a virus bounce
1362 score SARE_TOCC_MAILDOMN 1.666
1363 #stype SARE_TOCC_MAILDOMN vbg
1364 #hist SARE_TOCC_MAILDOMN Created by Bob Menschel Mar 28 2004
1365 #counts SARE_TOCC_MAILDOMN 0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1366 #max SARE_TOCC_MAILDOMN 5s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
1367 #counts SARE_TOCC_MAILDOMN 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1368 #counts SARE_TOCC_MAILDOMN 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1369 #counts SARE_TOCC_MAILDOMN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1370 #counts SARE_TOCC_MAILDOMN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1372 header SARE_TOCC_SPAMWORD0 ToCc =~ /(?:alter-ego|Mailing-Boxes|ReMailer|User-info)\@/i
1373 describe SARE_TOCC_SPAMWORD0 Addressed to bogus email address
1374 score SARE_TOCC_SPAMWORD0 0.444
1375 #hist SARE_TOCC_SPAMWORD0 Removed Mailinglist May 14 2005
1376 #counts SARE_TOCC_SPAMWORD0 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
1377 #max SARE_TOCC_SPAMWORD0 2s/3h of 196688 corpus (96191s/100497h RM) 02/21/05
1378 #counts SARE_TOCC_SPAMWORD0 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1379 #counts SARE_TOCC_SPAMWORD0 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1380 #max SARE_TOCC_SPAMWORD0 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1381 #counts SARE_TOCC_SPAMWORD0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1382 #counts SARE_TOCC_SPAMWORD0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1384 #####################################################################################
1385 # SARE X-Mailer Rules
1386 ######## ###################### ##################################################
1388 header SARE_XMAIL_BULK2 X-Mailer =~ /(?:Mail2000|Simple Mail Solutions)/i
1389 describe SARE_XMAIL_BULK2 Uses bulk mailer used by spammers
1390 score SARE_XMAIL_BULK2 0.100
1391 #hist SARE_XMAIL_BULK2 Bob Menschel: PSS Bulk Mailer, Calypso; removed OSM Client Feb 7 2005
1392 #counts SARE_XMAIL_BULK2 0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
1393 #counts SARE_XMAIL_BULK2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1394 #counts SARE_XMAIL_BULK2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1395 #counts SARE_XMAIL_BULK2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1397 header SARE_XMAIL_BULK4 X-Mailer =~ /(?:Master-SMTP)/i
1398 describe SARE_XMAIL_BULK4 Uses bulk mailer name forged by viruses
1399 score SARE_XMAIL_BULK4 0.277
1400 #stype SARE_XMAIL_BULK4 vbp
1401 #hist SARE_XMAIL_BULK4 Bob Menschel: Master-SMTP
1402 #counts SARE_XMAIL_BULK4 0s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
1403 #max SARE_XMAIL_BULK4 5s/0h of 56804 corpus (32211s/24593h RM) 07/25/04
1404 #counts SARE_XMAIL_BULK4 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1405 #counts SARE_XMAIL_BULK4 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1406 #counts SARE_XMAIL_BULK4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1407 #counts SARE_XMAIL_BULK4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1409 header SARE_XMAIL_DIRUNIV X-Mailer =~ /Direct Universe/i
1410 describe SARE_XMAIL_DIRUNIV Apparently uses spam/bulk mailer
1411 score SARE_XMAIL_DIRUNIV 1.111
1412 #stype SARE_XMAIL_DIRUNIV spamp
1413 #hist SARE_XMAIL_DIRUNIV Bob Menschel, May 14 2005
1414 #counts SARE_XMAIL_DIRUNIV 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1415 #max SARE_XMAIL_DIRUNIV 48s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1416 #counts SARE_XMAIL_DIRUNIV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1417 #counts SARE_XMAIL_DIRUNIV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1418 #counts SARE_XMAIL_DIRUNIV 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1419 #counts SARE_XMAIL_DIRUNIV 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1421 header SARE_XMAIL_GDI X-Mailer=~/GDI Mailer/
1422 describe SARE_XMAIL_GDI Ratware mailer
1423 score SARE_XMAIL_GDI 0.100
1424 #hist SARE_XMAIL_GDI Bob Menschel, Feb 25 2005
1425 #counts SARE_XMAIL_GDI 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1426 #max SARE_XMAIL_GDI 1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1427 #counts SARE_XMAIL_GDI 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1428 #counts SARE_XMAIL_GDI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1429 #counts SARE_XMAIL_GDI 0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
1430 #max SARE_XMAIL_GDI 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
1432 header SARE_XMAIL_INTERMED X-Mailer =~ /\bIntermedia mail\b/i
1433 describe SARE_XMAIL_INTERMED possible spamware
1434 score SARE_XMAIL_INTERMED 0.850
1435 #hist SARE_XMAIL_INTERMED Alex Broens, June 30 2005
1436 #counts SARE_XMAIL_INTERMED 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1437 #max SARE_XMAIL_INTERMED 51s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1438 #counts SARE_XMAIL_INTERMED 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
1439 #max SARE_XMAIL_INTERMED 1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1440 #counts SARE_XMAIL_INTERMED 0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
1441 #max SARE_XMAIL_INTERMED 1s/0h of 6905 corpus (1401s/5504h ft) 07/24/05
1443 header SARE_XMAIL_LEO X-Mailer =~ /^[A-Z][a-x]+\s[a-z]{2}\s\d\.\d\d\s*$/ # no /i
1444 score SARE_XMAIL_LEO 2.333
1445 describe SARE_XMAIL_LEO Spamsign in x-mailer header
1446 #hist SARE_XMAIL_LEO Loren Wilton, Sept 07, 2005
1447 #counts SARE_XMAIL_LEO 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1448 #max SARE_XMAIL_LEO 2625s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1449 #counts SARE_XMAIL_LEO 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1450 #counts SARE_XMAIL_LEO 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1452 header SARE_XMAIL_PHPBulkEmai X-Mailer =~ /PHPBulkEmailer/i
1453 describe SARE_XMAIL_PHPBulkEmai Apparently uses spam/bulk mailer
1454 score SARE_XMAIL_PHPBulkEmai 1.111
1455 #stype SARE_XMAIL_PHPBulkEmai spamp
1456 #hist SARE_XMAIL_PHPBulkEmai Bob Menschel, Apr 11, 2005, from suggestion by Loren Wilton
1457 #counts SARE_XMAIL_PHPBulkEmai 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1458 #max SARE_XMAIL_PHPBulkEmai 45s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
1459 #counts SARE_XMAIL_PHPBulkEmai 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
1460 #max SARE_XMAIL_PHPBulkEmai 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1461 #counts SARE_XMAIL_PHPBulkEmai 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1462 #counts SARE_XMAIL_PHPBulkEmai 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1463 #counts SARE_XMAIL_PHPBulkEmai 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1465 #####################################################################################
1466 # SARE Rules which examine multiple header types
1467 ######## ###################### ##################################################
1469 #####################################################################################
1470 # SARE Miscellaneous and X-Header header rules
1471 ######## ###################### ##################################################
1473 header SARE_HEAD_CONT_RNDCONT Content-Transfer-Encoding =~ /CONTENT_ENCODING/i
1474 describe SARE_HEAD_CONT_RNDCONT Spam passed through iswest.net relay
1475 score SARE_HEAD_CONT_RNDCONT 1.166
1476 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
1477 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
1478 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
1479 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1480 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1482 header SARE_HEAD_DATE_RNDDATE Date =~ /RND/i
1483 describe SARE_HEAD_DATE_RNDDATE Spam passed through iswest.net relay
1484 score SARE_HEAD_DATE_RNDDATE 1.666
1485 #stype SARE_HEAD_DATE_RNDDATE spamg
1486 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1487 #max SARE_HEAD_DATE_RNDDATE 9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
1488 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
1489 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
1490 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1491 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1493 header SARE_HEAD_THRD_ALNUM Thread-Index =~ /ALNUM/
1494 describe SARE_HEAD_THRD_ALNUM Spam fingerprint in thread index
1495 score SARE_HEAD_THRD_ALNUM 0.839
1496 #hist SARE_HEAD_THRD_ALNUM Alex Broens, July 27 2005
1497 #counts SARE_HEAD_THRD_ALNUM 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1498 #max SARE_HEAD_THRD_ALNUM 51s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1499 #counts SARE_HEAD_THRD_ALNUM 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1501 header SARE_HEAD_TOCC_DEFHNDL All =~ /TO_CC_DEFAULT_HANDLER/i
1502 describe SARE_HEAD_TOCC_DEFHNDL Spam passed through iswest.net relay
1503 score SARE_HEAD_TOCC_DEFHNDL 1.166
1504 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
1505 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
1506 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
1507 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1508 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1510 header SARE_HEAD_XAUTH_WARN2 X-Authentication-Warning =~ /\b[A-Z]{2,5}[a-z]{5,7}[0-9]{2}\b/
1511 describe SARE_HEAD_XAUTH_WARN2 X-Authentication-Warning: Contains Spam Signature.
1512 score SARE_HEAD_XAUTH_WARN2 2.500
1513 #stype SARE_HEAD_XAUTH_WARN2 spamg
1514 #hist SARE_HEAD_XAUTH_WARN2 Mike Hogsett, Tuesday, May 25, 2004, CSL_X_AUTH_WARN_2
1515 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
1516 #max SARE_HEAD_XAUTH_WARN2 46s/0h of 60623 corpus (35501s/25122h RM) 08/11/04
1517 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1518 #max SARE_HEAD_XAUTH_WARN2 14s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1519 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1520 #max SARE_HEAD_XAUTH_WARN2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1521 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1522 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1524 header SARE_HEAD_XCANIT1 X-CanItPRO-Stream =~ /^sbw\b/
1525 describe SARE_HEAD_XCANIT1 Message headers used which identify spam
1526 score SARE_HEAD_XCANIT1 1.111
1527 #stype SARE_HEAD_XCANIT1 spamp
1528 #hist SARE_HEAD_XCANIT1 Enhanced from original SARE_HEAD_HDR_XCANITP rule with help from RoaringPenguin
1529 #counts SARE_HEAD_XCANIT1 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
1530 #max SARE_HEAD_XCANIT1 7s/0h of 68480 corpus (41098s/27382h RM) 09/18/04
1531 #counts SARE_HEAD_XCANIT1 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1532 #counts SARE_HEAD_XCANIT1 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1533 #counts SARE_HEAD_XCANIT1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1534 #counts SARE_HEAD_XCANIT1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1536 header __SARE_HEAD_XCANIT_H exists:X-CanItPRO-Stream
1537 header __SARE_HEAD_XCANIT_S exists:X-Scanned-By
1538 meta SARE_HEAD_XCANIT2 __SARE_HEAD_XCANIT_H && !__SARE_HEAD_XCANIT_S
1539 describe SARE_HEAD_XCANIT2 Incomplete anti-spam headers signifying spam
1540 score SARE_HEAD_XCANIT2 0.555
1541 #stype SARE_HEAD_XCANIT2 spamp
1542 #hist SARE_HEAD_XCANIT2 Created by Bob Menschel Jan 29 2005 from information provided by RoaringPenguin
1543 #counts SARE_HEAD_XCANIT2 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
1544 #max SARE_HEAD_XCANIT2 2s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
1545 #counts SARE_HEAD_XCANIT2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1546 #counts SARE_HEAD_XCANIT2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1547 #counts SARE_HEAD_XCANIT2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1548 #counts SARE_HEAD_XCANIT2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1550 header SARE_HEAD_XM4 ALL =~ /\nX-M-.{4}:/ # usually 4:28:12
1551 describe SARE_HEAD_XM4 Contains spamsign header
1552 score SARE_HEAD_XM4 1.111
1553 #stype SARE_HEAD_XM4 spamp
1554 #hist SARE_HEAD_XM4 Loren Wilton, June 2005
1555 #counts SARE_HEAD_XM4 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1556 #max SARE_HEAD_XM4 80s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1557 #counts SARE_HEAD_XM4 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1558 #counts SARE_HEAD_XM4 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1560 header SARE_HEAD_XMF_AUTHSNDR X-Message-flag =~ /Authentic Sender/i
1561 describe SARE_HEAD_XMF_AUTHSNDR Headers contains spam sign
1562 score SARE_HEAD_XMF_AUTHSNDR 1.666
1563 #stype SARE_HEAD_XMF_AUTHSNDR spamp
1564 #hist SARE_HEAD_XMF_AUTHSNDR Created by Bob Menschel Jan 29 2005 from idea submitted by Alex Broens
1565 #counts SARE_HEAD_XMF_AUTHSNDR 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1566 #max SARE_HEAD_XMF_AUTHSNDR 726s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1567 #counts SARE_HEAD_XMF_AUTHSNDR 67s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1568 #counts SARE_HEAD_XMF_AUTHSNDR 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1569 #max SARE_HEAD_XMF_AUTHSNDR 54s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1570 #counts SARE_HEAD_XMF_AUTHSNDR 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
1571 #max SARE_HEAD_XMF_AUTHSNDR 89s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1572 #counts SARE_HEAD_XMF_AUTHSNDR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1574 header SARE_HEAD_XPRI_RNDNUM X-Priority =~ /PRIORITY_NUMBER/i
1575 describe SARE_HEAD_XPRI_RNDNUM Spam passed through iswest.net relay
1576 score SARE_HEAD_XPRI_RNDNUM 1.666
1577 #stype SARE_HEAD_XPRI_RNDNUM spamg
1578 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
1579 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
1580 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
1581 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1582 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1584 #####################################################################################
1585 # SARE Rules which identify headers found in email bodies
1586 ######## ###################### ##################################################
1588 rawbody SARE_HEAD_BDY_BOUNCES /^Bounces_to: .{1,50}\@/
1589 describe SARE_HEAD_BDY_BOUNCES Message header suggesting spam in body
1590 score SARE_HEAD_BDY_BOUNCES 1.666
1591 #note SARE_HEAD_BDY_BOUNCES Normally valid header currently very popular in spam. Presence in bounced emails strongly suggests bounced spam
1592 #hist SARE_HEAD_BDY_BOUNCES Bob Menschel, Apr 10 2005
1593 #counts SARE_HEAD_BDY_BOUNCES 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1594 #max SARE_HEAD_BDY_BOUNCES 433s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
1595 #counts SARE_HEAD_BDY_BOUNCES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1596 #counts SARE_HEAD_BDY_BOUNCES 0s/1h of 15713 corpus (7767s/7946h FT) 05/14/06
1597 #max SARE_HEAD_BDY_BOUNCES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1598 #counts SARE_HEAD_BDY_BOUNCES 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1600 #####################################################################################
1601 # SARE Rules which examine multiple header types
1602 ######## ###################### ##################################################
1604 header __SARE_MULT_FROM_MRS From =~ /"Mrs[\. ][A-Z][a-z]+"/
1605 header __SARE_MULT_HITHERE Subject =~ /^(?:HELLO|Hello|Hey|Hi)\w{0,8},?(?:Mrs\.)?/
1606 body __SARE_MULT_PROFILE /(?:on-?line profile|profile (?:is )?on-?line)/
1607 meta SARE_MULT_SEXCLUB __SARE_MULT_HITHERE && (__SARE_MULT_PROFILE || __SARE_MULT_FROM_MRS)
1608 describe SARE_MULT_SEXCLUB Adult invitation spam
1609 score SARE_MULT_SEXCLUB 1.666
1610 #hist SARE_MULT_SEXCLUB Loren Wilton, Feb 22 2005
1611 #counts SARE_MULT_SEXCLUB 0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
1612 #max SARE_MULT_SEXCLUB 114s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
1613 #counts SARE_MULT_SEXCLUB 8s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1614 #counts SARE_MULT_SEXCLUB 0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
1615 #max SARE_MULT_SEXCLUB 59s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1616 #counts SARE_MULT_SEXCLUB 0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
1617 #max SARE_MULT_SEXCLUB 22s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1618 #counts SARE_MULT_SEXCLUB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1620 header SARE_MULT_SUBJ ALL =~ /\nSubject:.{10,150}\nSubject:.{10,150}\nSubject:/s
1621 score SARE_MULT_SUBJ 0.777
1622 describe SARE_MULT_SUBJ Many subject lines
1623 #hist SARE_MULT_SUBJ Loren Wilton, June 2005
1624 #counts SARE_MULT_SUBJ 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1625 #max SARE_MULT_SUBJ 40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
1626 #counts SARE_MULT_SUBJ 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
1627 #counts SARE_MULT_SUBJ 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1628 #counts SARE_MULT_SUBJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1629 #counts SARE_MULT_SUBJ 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05