1 # SARE HTML Ruleset for SpamAssassin - ruleset 1
5 # Usage instructions, documentation, and change history in 70_sare_html0.cf
7 #@@# Revision History: Full Revision History stored in 70_sare_html.log
8 #@@# 01.03.10: June 3 2006
9 #@@# Minor score tweaks based on recent mass-checks
10 #@@# Modified "rule has been moved" meta flags
11 #@@# Added to file 1 SARE_HTML_SINGLETS
12 #@@# Archive: SARE_HTML_ALT_WAIT1
13 #@@# Archive: SARE_HTML_A_NULL
14 #@@# Archive: SARE_HTML_H2_CLK
15 #@@# Archive: SARE_HTML_JSCRIPT_ENC
16 #@@# Archive: SARE_HTML_URI_BUG
17 #@@# Moved file 1 to 2: SARE_HTML_BR_MANY
18 #@@# Moved file 1 to 2: SARE_HTML_ONE_LINE2
19 #@@# Moved file 1 to 2: SARE_HTML_URI_OC
20 #@@# Moved file 1 to 3: SARE_HTML_TITLE_MNY
21 #@@# Moved file 1 to 3: SARE_HTML_URI_DEFASP
23 # License: Artistic - see http://www.rulesemporium.com/license.txt
24 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
25 # Current Home: http://www.rulesemporium.com/rules/70_sare_html1.cf
27 ######## ###################### ##################################################
28 # Rules renamed or moved
29 ######## ###################### ##################################################
31 meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
32 meta SARE_HTML_URI_RM __SARE_HEAD_FALSE
33 meta SARE_HTML_URI_REFID __SARE_HEAD_FALSE
34 meta SARE_HTML_ALT_WAIT1 __SARE_HEAD_FALSE
35 meta SARE_HTML_A_NULL __SARE_HEAD_FALSE
36 meta SARE_HTML_H2_CLK __SARE_HEAD_FALSE
37 meta SARE_HTML_JSCRIPT_ENC __SARE_HEAD_FALSE
38 meta SARE_HTML_URI_BUG __SARE_HEAD_FALSE
39 meta SARE_HTML_BR_MANY __SARE_HEAD_FALSE
40 meta SARE_HTML_ONE_LINE2 __SARE_HEAD_FALSE
41 meta SARE_HTML_URI_OC __SARE_HEAD_FALSE
42 meta SARE_HTML_TITLE_MNY __SARE_HEAD_FALSE
43 meta SARE_HTML_URI_DEFASP __SARE_HEAD_FALSE
45 ######## ###################### ##################################################
47 header __CTYPE_HTML Content-Type =~ /text\/html/i
49 rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
50 rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
51 rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
52 rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
53 rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
54 rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
55 rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
56 rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
58 rawbody __SARE_HTML_HBODY m'<html><body>'i
59 rawbody __SARE_HTML_BEHTML m'<body></html>'i
60 rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
61 rawbody __SARE_HTML_EFONT m'^</font>'i
62 rawbody __SARE_HTML_EHEB m'^</html></body>'i
63 rawbody __SARE_HTML_CMT_CNTR /<center><!--/
65 # JH: These rules test for strange color combinations. There migth be even more powerful combinations, but I haven't had time to check them all
66 rawbody __SARE_LIGHT_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
67 rawbody __SARE_WHITE_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
68 rawbody __SARE_DARK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
69 rawbody __SARE_BLACK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
70 rawbody __SARE_LIGHT_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
71 rawbody __SARE_WHITE_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
72 rawbody __SARE_DARK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
73 rawbody __SARE_BLACK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
74 rawbody __SARE_HAS_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=)/i
75 rawbody __SARE_HAS_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=)/i
77 ######## ###################### ##################################################
79 ######## ###################### ##################################################
81 ######## ###################### ##################################################
82 # <HTML> and <BODY> tag spamsign
83 ######## ###################### ##################################################
85 full SARE_HTML_HTML_QUOT /<HTML>.{0,2}"/is
86 describe SARE_HTML_HTML_QUOT Message body has very strange HTML sequence
87 score SARE_HTML_HTML_QUOT 1.666
88 #ham SARE_HTML_HTML_QUOT verified (2)
89 #hist SARE_HTML_HTML_QUOT Fred T: FR_HTML_QUOTE
90 #counts SARE_HTML_HTML_QUOT 197s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
91 #max SARE_HTML_HTML_QUOT 236s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
92 #counts SARE_HTML_HTML_QUOT 23s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
93 #counts SARE_HTML_HTML_QUOT 16s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
94 #counts SARE_HTML_HTML_QUOT 82s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
95 #counts SARE_HTML_HTML_QUOT 38s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
96 #counts SARE_HTML_HTML_QUOT 159s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
97 #counts SARE_HTML_HTML_QUOT 5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
98 #max SARE_HTML_HTML_QUOT 98s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
99 #counts SARE_HTML_HTML_QUOT 0s/0h of 4676 corpus (808s/3868h ft) 05/28/05
101 full SARE_HTML_HTML_TBL /<html>.{0,2}<table/is
102 describe SARE_HTML_HTML_TBL Message body has very strange HTML sequence
103 score SARE_HTML_HTML_TBL 0.646
104 #hist SARE_HTML_HTML_TBL Fred T: FR_HTML_TABLE
105 #counts SARE_HTML_HTML_TBL 94s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
106 #max SARE_HTML_HTML_TBL 287s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
107 #counts SARE_HTML_HTML_TBL 10s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
108 #counts SARE_HTML_HTML_TBL 10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
109 #counts SARE_HTML_HTML_TBL 3s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
110 #counts SARE_HTML_HTML_TBL 11s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
111 #max SARE_HTML_HTML_TBL 140s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
112 #counts SARE_HTML_HTML_TBL 22s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
113 #counts SARE_HTML_HTML_TBL 13s/3h of 23074 corpus (17350s/5724h MY) 05/14/06
114 #max SARE_HTML_HTML_TBL 30s/3h of 57287 corpus (52272s/5015h MY) 09/22/05
116 ######## ###################### ##################################################
118 ######## ###################### ##################################################
120 rawbody SARE_HTML_TITLE_1WD m'^<title>[a-z]+</title>$'
121 describe SARE_HTML_TITLE_1WD strange document title
122 score SARE_HTML_TITLE_1WD 1.591
123 #hist SARE_HTML_TITLE_1WD Loren Wilton LW_FUNNY_TITLE
124 #counts SARE_HTML_TITLE_1WD 1125s/4h of 333405 corpus (262498s/70907h RM) 05/12/06
125 #max SARE_HTML_TITLE_1WD 2076s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
126 #counts SARE_HTML_TITLE_1WD 34s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
127 #counts SARE_HTML_TITLE_1WD 105s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
128 #max SARE_HTML_TITLE_1WD 143s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
129 #counts SARE_HTML_TITLE_1WD 0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
130 #max SARE_HTML_TITLE_1WD 1s/0h of 4676 corpus (808s/3868h ft) 05/28/05
131 #counts SARE_HTML_TITLE_1WD 123s/2h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
132 #counts SARE_HTML_TITLE_1WD 174s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
133 #counts SARE_HTML_TITLE_1WD 53s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
134 #max SARE_HTML_TITLE_1WD 151s/1h of 47221 corpus (42968s/4253h MY) 06/18/05
136 rawbody SARE_HTML_TITLE_2WD m'^<title>[a-z]+\s[a-z]+</title>$' # no /i
137 score SARE_HTML_TITLE_2WD 0.660
138 describe SARE_HTML_TITLE_2WD strange document title
139 #hist SARE_HTML_TITLE_2WD Loren Wilton LW_FUNNY_TITLE1
140 #counts SARE_HTML_TITLE_2WD 85s/7h of 333405 corpus (262498s/70907h RM) 05/12/06
141 #max SARE_HTML_TITLE_2WD 314s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
142 #counts SARE_HTML_TITLE_2WD 18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
143 #counts SARE_HTML_TITLE_2WD 14s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
144 #max SARE_HTML_TITLE_2WD 15s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
145 #counts SARE_HTML_TITLE_2WD 6s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
146 #max SARE_HTML_TITLE_2WD 19s/1h of 54089 corpus (16916s/37173h JH-3.01) 02/25/05
147 #counts SARE_HTML_TITLE_2WD 29s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
148 #counts SARE_HTML_TITLE_2WD 18s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
149 #max SARE_HTML_TITLE_2WD 40s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
151 rawbody SARE_HTML_TITLE_DAY /<title>(monday|tuesday|wednesday|thursday|friday)<\/title>/i
152 describe SARE_HTML_TITLE_DAY HTML contains day of week in title
153 score SARE_HTML_TITLE_DAY 1.081
154 #hist SARE_HTML_TITLE_DAY Tim Jackson, May 12 2005
155 #counts SARE_HTML_TITLE_DAY 184s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
156 #counts SARE_HTML_TITLE_DAY 2s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
157 #counts SARE_HTML_TITLE_DAY 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
158 #max SARE_HTML_TITLE_DAY 25s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
159 #counts SARE_HTML_TITLE_DAY 2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
160 #counts SARE_HTML_TITLE_DAY 1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
161 #max SARE_HTML_TITLE_DAY 16s/1h of 57287 corpus (52272s/5015h MY) 09/22/05
163 rawbody SARE_HTML_TITLE_LWORD /<title>[a-zA-Z]{15,}<\/title>/i
164 describe SARE_HTML_TITLE_LWORD HTML Title contains looong word
165 score SARE_HTML_TITLE_LWORD 0.665
166 #ham SARE_HTML_TITLE_LWORD Rite Aid Single Check Rebates <rebates@rebates.riteaid.com>
167 #counts SARE_HTML_TITLE_LWORD 485s/31h of 333405 corpus (262498s/70907h RM) 05/12/06
168 #max SARE_HTML_TITLE_LWORD 732s/40h of 689155 corpus (348140s/341015h RM) 09/18/05
169 #counts SARE_HTML_TITLE_LWORD 42s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
170 #counts SARE_HTML_TITLE_LWORD 3s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
171 #max SARE_HTML_TITLE_LWORD 3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
172 #counts SARE_HTML_TITLE_LWORD 4s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
173 #counts SARE_HTML_TITLE_LWORD 32s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
174 #counts SARE_HTML_TITLE_LWORD 161s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
175 #counts SARE_HTML_TITLE_LWORD 84s/4h of 23074 corpus (17350s/5724h MY) 05/14/06
176 #max SARE_HTML_TITLE_LWORD 202s/1h of 47221 corpus (42968s/4253h MY) 06/18/05
178 rawbody SARE_HTML_TITLE_SEX /<title>.{0,15}\bSex.{0,15}<\/title>/i
179 score SARE_HTML_TITLE_SEX 0.689
180 #ham SARE_HTML_TITLE_SEX confirmed (2)
181 #hist SARE_HTML_TITLE_SEX Fred T: FR_TITLE_SEX
182 #counts SARE_HTML_TITLE_SEX 4s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
183 #max SARE_HTML_TITLE_SEX 167s/2h of 196681 corpus (96193s/100488h RM) 02/22/05
184 #counts SARE_HTML_TITLE_SEX 1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
185 #counts SARE_HTML_TITLE_SEX 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
186 #max SARE_HTML_TITLE_SEX 7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
187 #counts SARE_HTML_TITLE_SEX 7s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
188 #counts SARE_HTML_TITLE_SEX 5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
189 #max SARE_HTML_TITLE_SEX 14s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
190 #counts SARE_HTML_TITLE_SEX 1s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
191 #counts SARE_HTML_TITLE_SEX 6s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
193 ######## ###################### ##################################################
195 ######## ###################### ##################################################
197 full SARE_HTML_A_BODY /(?!<body>\n\n<a href)<body>.{0,4}<a href/is
198 describe SARE_HTML_A_BODY Message body has very strange HTML sequence
199 score SARE_HTML_A_BODY 0.742
200 #hist SARE_HTML_A_BODY Fred T: FR_BODY_AHREF
201 #counts SARE_HTML_A_BODY 419s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
202 #max SARE_HTML_A_BODY 1527s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
203 #counts SARE_HTML_A_BODY 20s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
204 #counts SARE_HTML_A_BODY 2s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
205 #max SARE_HTML_A_BODY 92s/3h of 10826 corpus (6364s/4462h CT) 05/28/05
206 #counts SARE_HTML_A_BODY 30s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
207 #counts SARE_HTML_A_BODY 359s/25h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
208 #counts SARE_HTML_A_BODY 134s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
209 #counts SARE_HTML_A_BODY 10s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
210 #max SARE_HTML_A_BODY 50s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
212 ######## ###################### ##################################################
213 # Spamsign character sets and fonts
214 ######## ###################### ##################################################
216 rawbody SARE_HTML_FONT_EBEF m'</body></font>'i
217 describe SARE_HTML_FONT_EBEF Message body has very strange HTML sequence
218 score SARE_HTML_FONT_EBEF 0.658
219 #ham SARE_HTML_FONT_EBEF verified (1)
220 #hist SARE_HTML_FONT_EBEF Fred T: FR_BODY_FONT
221 #counts SARE_HTML_FONT_EBEF 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
222 #max SARE_HTML_FONT_EBEF 44s/1h of 281655 corpus (110173s/171482h RM) 05/05/05
223 #counts SARE_HTML_FONT_EBEF 36s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
224 #max SARE_HTML_FONT_EBEF 123s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
225 #counts SARE_HTML_FONT_EBEF 1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
226 #max SARE_HTML_FONT_EBEF 50s/1h of 31513 corpus (27912s/3601h MY) 03/09/05
227 #counts SARE_HTML_FONT_EBEF 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
229 rawbody SARE_HTML_FONT_SPL /^\#[a-z0-9]{6}>/i
230 describe SARE_HTML_FONT_SPL Message uses suspicious font size and/or color
231 score SARE_HTML_FONT_SPL 0.650
232 #ham SARE_HTML_FONT_SPL verified (1)
233 #hist SARE_HTML_FONT_SPL Charles Gregory
234 #overlap SARE_HTML_FONT_SPL Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
235 #overlap SARE_HTML_FONT_SPL Overlaps strongly with SARE_HTML_FONT_SPLIT for obvious reasons, but not enough to warrant dropping one.
236 #counts SARE_HTML_FONT_SPL 3s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
237 #max SARE_HTML_FONT_SPL 360s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
238 #counts SARE_HTML_FONT_SPL 5s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
239 #counts SARE_HTML_FONT_SPL 1s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
240 #max SARE_HTML_FONT_SPL 14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
241 #counts SARE_HTML_FONT_SPL 5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
242 #max SARE_HTML_FONT_SPL 53s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
243 #counts SARE_HTML_FONT_SPL 3s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
244 #counts SARE_HTML_FONT_SPL 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
245 #max SARE_HTML_FONT_SPL 1s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
247 ######## ###################### ##################################################
248 # Invalid or Suspicious URI Tests
249 ######## ###################### ##################################################
251 rawbody SARE_HTML_URI_ESCWWW /(?:%77w%77|w%77%77|%77%77w)/i
252 describe SARE_HTML_URI_ESCWWW URI with obfuscated destination
253 score SARE_HTML_URI_ESCWWW 2.222
254 #hist SARE_HTML_URI_ESCWWW Fred T: FR_ESCAPE_WWW
255 #overlap SARE_HTML_URI_ESCWWW Overlaps with SARE_HTML_FSIZE_1ALL
256 #counts SARE_HTML_URI_ESCWWW 2572s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
257 #counts SARE_HTML_URI_ESCWWW 16s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
258 #counts SARE_HTML_URI_ESCWWW 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
259 #max SARE_HTML_URI_ESCWWW 3s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
260 #counts SARE_HTML_URI_ESCWWW 117s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
261 #counts SARE_HTML_URI_ESCWWW 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
262 #max SARE_HTML_URI_ESCWWW 16s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
263 #counts SARE_HTML_URI_ESCWWW 70s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
264 #counts SARE_HTML_URI_ESCWWW 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
265 #max SARE_HTML_URI_ESCWWW 1s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
267 uri SARE_HTML_URI_LHOST30 m*^https?://[a-z0-9]{30}\.*i
268 describe SARE_HTML_URI_LHOST30 Long unbroken string within URI
269 score SARE_HTML_URI_LHOST30 1.666
270 #hist SARE_HTML_URI_LHOST30 Fred T (originally 40,)
271 #ham SARE_HTML_URI_LHOST30 30: www.rebuildingthevillagefoundation.org
272 #counts SARE_HTML_URI_LHOST30 301s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
273 #counts SARE_HTML_URI_LHOST30 18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
274 #counts SARE_HTML_URI_LHOST30 6s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
275 #counts SARE_HTML_URI_LHOST30 27s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
276 #counts SARE_HTML_URI_LHOST30 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
277 #max SARE_HTML_URI_LHOST30 3s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
278 #counts SARE_HTML_URI_LHOST30 128s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
279 #counts SARE_HTML_URI_LHOST30 5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
280 #max SARE_HTML_URI_LHOST30 13s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
282 uri SARE_HTML_URI_LHOST31 m*^https?://[a-z0-9]{31,}\.*i
283 describe SARE_HTML_URI_LHOST31 Long unbroken string within URI
284 score SARE_HTML_URI_LHOST31 1.666
285 #hist SARE_HTML_URI_LHOST31 Fred T (originally 40,)
286 #ham SARE_HTML_URI_LHOST31 30: www.rebuildingthevillagefoundation.org
287 #counts SARE_HTML_URI_LHOST31 776s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
288 #max SARE_HTML_URI_LHOST31 840s/15h of 689155 corpus (348140s/341015h RM) 09/18/05
289 #counts SARE_HTML_URI_LHOST31 90s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
290 #counts SARE_HTML_URI_LHOST31 99s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
291 #counts SARE_HTML_URI_LHOST31 125s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
292 #counts SARE_HTML_URI_LHOST31 456s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
293 #counts SARE_HTML_URI_LHOST31 94s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
294 #counts SARE_HTML_URI_LHOST31 21s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
296 uri SARE_HTML_URI_NOMORE m'/nomore\.htm'i
297 describe SARE_HTML_URI_NOMORE URI to page name which suggests spammer's page
298 score SARE_HTML_URI_NOMORE 0.906
299 #ham SARE_HTML_URI_NOMORE http://www.afsc.org/nomore.htm; Student Peace Action Network (SPAN)
300 #counts SARE_HTML_URI_NOMORE 2s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
301 #max SARE_HTML_URI_NOMORE 1200s/0h of 92209 corpus (74874s/17335h RM) 01/17/04
302 #counts SARE_HTML_URI_NOMORE 7s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
303 #counts SARE_HTML_URI_NOMORE 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
304 #max SARE_HTML_URI_NOMORE 69s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
305 #counts SARE_HTML_URI_NOMORE 54s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
306 #max SARE_HTML_URI_NOMORE 68s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
307 #counts SARE_HTML_URI_NOMORE 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
308 #max SARE_HTML_URI_NOMORE 4s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
310 uri SARE_HTML_URI_OUTPHP /\bout\.php/i
311 describe SARE_HTML_URI_OUTPHP text uri to unsubscribe link
312 score SARE_HTML_URI_OUTPHP 0.907
313 #addsto SARE_HTML_URI_OUTPHP SARE_HTML_URI_OPTPHP
314 #ham SARE_HTML_URI_OUTPHP Bravenet ad attached to reply form email
315 #counts SARE_HTML_URI_OUTPHP 80s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
316 #max SARE_HTML_URI_OUTPHP 144s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
317 #counts SARE_HTML_URI_OUTPHP 88s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
318 #counts SARE_HTML_URI_OUTPHP 10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
319 #max SARE_HTML_URI_OUTPHP 21s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
320 #counts SARE_HTML_URI_OUTPHP 4s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
321 #counts SARE_HTML_URI_OUTPHP 13s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
322 #max SARE_HTML_URI_OUTPHP 25s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
323 #counts SARE_HTML_URI_OUTPHP 58s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
324 #counts SARE_HTML_URI_OUTPHP 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
325 #max SARE_HTML_URI_OUTPHP 17s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
327 uri SARE_HTML_URI_PARTID m|/[\?\&]partid=|i
328 describe SARE_HTML_URI_PARTID Partner Id in URL
329 score SARE_HTML_URI_PARTID 0.166
330 #hist SARE_HTML_URI_PARTID Loren Wilton <lwilton@earthlink.net>, Sat, 3 Apr 2004 20:29:32 -0800
331 #counts SARE_HTML_URI_PARTID 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
332 #max SARE_HTML_URI_PARTID 1264s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
333 #counts SARE_HTML_URI_PARTID 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
334 #max SARE_HTML_URI_PARTID 37s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
335 #counts SARE_HTML_URI_PARTID 81s/6h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
336 #max SARE_HTML_URI_PARTID 302s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
337 #counts SARE_HTML_URI_PARTID 3s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
338 #max SARE_HTML_URI_PARTID 26s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
340 ######## ###################### ##################################################
341 # <!-- Comment tag tests
342 ######## ###################### ##################################################
344 meta SARE_HTML_CMT_CNTR __SARE_HTML_CMT_CNTR
345 describe SARE_HTML_CMT_CNTR Message has a center followed by a comment
346 score SARE_HTML_CMT_CNTR 0.676
347 #hist SARE_HTML_CMT_CNTR Carl F: CRM_CENTER_COM
348 #ham SARE_HTML_CMT_CNTR Strategic Developer <strategicdeveloper@newsletter.infoworld.com>, Thursday, January 27, 2005, 10:57:37 AM
349 #counts SARE_HTML_CMT_CNTR 9s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
350 #max SARE_HTML_CMT_CNTR 173s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
351 #counts SARE_HTML_CMT_CNTR 1s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
352 #counts SARE_HTML_CMT_CNTR 53s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
353 #max SARE_HTML_CMT_CNTR 196s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
354 #counts SARE_HTML_CMT_CNTR 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
355 #counts SARE_HTML_CMT_CNTR 21s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
356 #counts SARE_HTML_CMT_CNTR 1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
357 #counts SARE_HTML_CMT_CNTR 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
358 #max SARE_HTML_CMT_CNTR 7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
360 ######## ###################### ##################################################
362 ######## ###################### ##################################################
364 rawbody SARE_HTML_IMG_2AT /IMG\s*SRC\s*=s*"cid:part1\.\d{8}.\d{8}\@[a-z]+\@[\w\.]+"/is
365 describe SARE_HTML_IMG_2AT strange internal image link
366 score SARE_HTML_IMG_2AT 1.216
367 #hist SARE_HTML_IMG_2AT Loren Wilton: LW_DOUBLE_AT
368 #hist SARE_HTML_IMG_2AT Apr 2 2005, Bob Menschel, Added spaces around "="
369 #hist SARE_HTML_IMG_2AT Apr 16 2005, Bob Menschel, replaced spaces with \s
370 #counts SARE_HTML_IMG_2AT 328s/13h of 333405 corpus (262498s/70907h RM) 05/12/06
371 #max SARE_HTML_IMG_2AT 3648s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
372 #counts SARE_HTML_IMG_2AT 222s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
373 #counts SARE_HTML_IMG_2AT 69s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
374 #counts SARE_HTML_IMG_2AT 828s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
375 #counts SARE_HTML_IMG_2AT 57s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
376 #counts SARE_HTML_IMG_2AT 280s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
377 #counts SARE_HTML_IMG_2AT 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
378 #max SARE_HTML_IMG_2AT 105s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
380 ######## ###################### ##################################################
381 # <tag ... ALT= ...> tag tests
382 ######## ###################### ##################################################
384 ######## ###################### ##################################################
385 # Javascript and object tests
386 ######## ###################### ##################################################
388 full SARE_HTML_IMG_ONLY m'<(?:html|body).{1,200}<a.{12,145}<img.{11,200}</(?:body|html)>'is
389 describe SARE_HTML_IMG_ONLY Short HTML msg, IMG and A HREF, maybe naught else
390 score SARE_HTML_IMG_ONLY 1.666
391 #ham SARE_HTML_IMG_ONLY Verified (image-only ham)
392 #hist SARE_HTML_IMG_ONLY Originally Fred T: FVGT_m_IMAGE_ONLY
393 #hist SARE_HTML_IMG_ONLY Enhanced May 29 2004 by Bob Menschel, incorporate all tests in one regex
394 #ham SARE_HTML_IMG_ONLY 5: Oct 2002 Yahoo webmail with automatically inserted FAULTY flamingtext.com advertisement
395 #overlap SARE_HTML_IMG_ONLY Rules that completely overlap this one: SARE_HTML_PILL3, SARE_HTML_PILL4
396 #counts SARE_HTML_IMG_ONLY 14904s/16h of 333405 corpus (262498s/70907h RM) 05/12/06
397 #counts SARE_HTML_IMG_ONLY 70s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
398 #counts SARE_HTML_IMG_ONLY 154s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
399 #counts SARE_HTML_IMG_ONLY 4131s/6h of 42454 corpus (34336s/8118h FVGT) 05/15/06
400 #counts SARE_HTML_IMG_ONLY 261s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
401 #max SARE_HTML_IMG_ONLY 553s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
402 #counts SARE_HTML_IMG_ONLY 4730s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
403 #counts SARE_HTML_IMG_ONLY 7s/7h of 23074 corpus (17350s/5724h MY) 05/14/06
404 #max SARE_HTML_IMG_ONLY 141s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
406 rawbody SARE_HTML_JVS_FLASH m'codebase="https://download\.macromedia\.com/pub/shockwave'i
407 describe SARE_HTML_JVS_FLASH Tries to load flash animation
408 score SARE_HTML_JVS_FLASH 1.246
409 #ham SARE_HTML_JVS_FLASH verified (1) cbs.marketwatch.com
410 #hist SARE_HTML_JVS_FLASH Mike Kuentz <JunkEmail@rapidigm.com>
411 #counts SARE_HTML_JVS_FLASH 444s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
412 #counts SARE_HTML_JVS_FLASH 33s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
413 #counts SARE_HTML_JVS_FLASH 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
414 #max SARE_HTML_JVS_FLASH 4s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
415 #counts SARE_HTML_JVS_FLASH 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
416 #max SARE_HTML_JVS_FLASH 7s/0h of 29366 corpus (5882s/23484h JH) 07/23/04 TM2 SA3.0-pre2
417 #counts SARE_HTML_JVS_FLASH 53s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
418 #counts SARE_HTML_JVS_FLASH 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
419 #max SARE_HTML_JVS_FLASH 28s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
421 ######## ###################### ##################################################
422 # Obviously invalid html tag
423 ######## ###################### ##################################################
425 header __CT_TEXT_PLAIN Content-Type =~ /^text\/plain\b/i
426 rawbody __SARE_HTML_INV_TAG /\w<\!\w{18,60}>\w/i
427 rawbody __SARE_HTML_INV_TAG2 m'\w</?(?!(?:blockquote|optiongroup|plaintext|fontfamily|underline|cf.+))[a-z]{9,17}>\w'
428 rawbody __SARE_HTML_INV_TAG3 m'\w<[/!]?(?!cf.+)\w{11,20}>\w'i
429 rawbody __SARE_HTML_INV_TAG4 m'\w(?!</?cf.{1,8}>)<[/!]?[bcdfghjklmnpqrstvwxz]{5,9}>\w'i
431 meta SARE_HTML_INV_TAG ( __SARE_HTML_INV_TAG || __SARE_HTML_INV_TAG2 || __SARE_HTML_INV_TAG3 || __SARE_HTML_INV_TAG4 ) && !__CT_TEXT_PLAIN
432 describe SARE_HTML_INV_TAG Message contains invalid HTML tag
433 score SARE_HTML_INV_TAG 2.222
434 #ham SARE_HTML_INV_TAG Monotone source code included within body of email
435 #hist SARE_HTML_INV_TAG Combined three invalid-tag rules into one, added \w front and back, to test for
436 #hist SARE_HTML_INV_TAG obfuscation of surrounding text, added tests against __CT_TEXT_PLAIN to give
437 #hist SARE_HTML_INV_TAG higher scores to HTML email than to plain text email. Enhancements due to
438 #hist SARE_HTML_INV_TAG ideas suggested by Jesse Houwing, Nicolas Riendeau, and Bob Menschel
439 #counts SARE_HTML_INV_TAG 36s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
440 #max SARE_HTML_INV_TAG 5650s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
441 #counts SARE_HTML_INV_TAG 8s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
442 #max SARE_HTML_INV_TAG 66s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
443 #counts SARE_HTML_INV_TAG 21s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
444 #counts SARE_HTML_INV_TAG 386s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
445 #max SARE_HTML_INV_TAG 930s/0h of 38766 corpus (15284s/23482h JH-SA3.0rc1) 09/03/04
446 #counts SARE_HTML_INV_TAG 17s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
447 #counts SARE_HTML_INV_TAG 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
448 #max SARE_HTML_INV_TAG 952s/0h of 19469 corpus (16883s/2586h MY) 09/03/04
450 ######## ###################### ##################################################
451 # Paragraphs, breaks, and spacings
452 ######## ###################### ##################################################
454 ######## ###################### ##################################################
455 # Suspicious tag combinations
456 ######## ###################### ##################################################
458 rawbody SARE_HTML_CNTR_TBL /<center>\s*<table>/im
459 describe SARE_HTML_CNTR_TBL Contains centred table
460 score SARE_HTML_CNTR_TBL 1.666
461 #ham SARE_HTML_CNTR_TBL verified (1)
462 #hist SARE_HTML_CNTR_TBL Tim Jackson, May 25 2005
463 #counts SARE_HTML_CNTR_TBL 745s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
464 #counts SARE_HTML_CNTR_TBL 1188s/2h of 56024 corpus (51686s/4338h AxB2) 05/15/06
465 #counts SARE_HTML_CNTR_TBL 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
466 #max SARE_HTML_CNTR_TBL 3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
467 #counts SARE_HTML_CNTR_TBL 27s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
468 #counts SARE_HTML_CNTR_TBL 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
469 #counts SARE_HTML_CNTR_TBL 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
470 #counts SARE_HTML_CNTR_TBL 32s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
471 #max SARE_HTML_CNTR_TBL 57s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
473 rawbody __SARE_HTML_SINGLET1 /> [a-z] </i
474 rawbody __SARE_HTML_SINGLET2 />[a-z]</i
475 meta SARE_HTML_SINGLETS __SARE_HTML_SINGLET1 && __SARE_HTML_SINGLET2
476 describe SARE_HTML_SINGLETS spam pattern in HTML email
477 score SARE_HTML_SINGLETS 1.666
478 #hist SARE_HTML_SINGLETS Robert Brooks, March 2006
479 #ham SARE_HTML_SINGLETS verified (amateur webmaster sample page attached to email)
480 #counts SARE_HTML_SINGLETS 26498s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
481 #counts SARE_HTML_SINGLETS 3660s/2h of 55981 corpus (51658s/4323h AxB2) 05/15/06
482 #counts SARE_HTML_SINGLETS 130s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
483 #counts SARE_HTML_SINGLETS 2016s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
484 #counts SARE_HTML_SINGLETS 65s/2h of 42253 corpus (34139s/8114h FVGT) 05/15/06
485 #counts SARE_HTML_SINGLETS 5798s/1h of 106183 corpus (72941s/33242h ML) 05/14/06
486 #counts SARE_HTML_SINGLETS 20s/1h of 22939 corpus (17232s/5707h MY) 05/14/06
488 ######## ###################### ##################################################
489 # Useless tags (tag structures that do nothing)
490 # Largely submitted by Matt Yackley, with contributions by
491 # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
492 ######## ###################### ##################################################
494 rawbody SARE_HTML_USL_FONT m'^<FONT[^>]{0,20}></FONT><'
495 describe SARE_HTML_USL_FONT Another spam attempt
496 score SARE_HTML_USL_FONT 0.797
497 #hist SARE_HTML_USL_FONT Loren Wilton Apr 11 2005
498 #counts SARE_HTML_USL_FONT 54s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
499 #max SARE_HTML_USL_FONT 5192s/1h of 269462 corpus (128310s/141152h RM) 06/17/05
500 #counts SARE_HTML_USL_FONT 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
501 #max SARE_HTML_USL_FONT 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
502 #counts SARE_HTML_USL_FONT 0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
503 #max SARE_HTML_USL_FONT 9s/0h of 6804 corpus (1336s/5468h ft) 06/17/05
504 #counts SARE_HTML_USL_FONT 7s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
505 #counts SARE_HTML_USL_FONT 32s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
506 #counts SARE_HTML_USL_FONT 81s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
507 #max SARE_HTML_USL_FONT 1047s/1h of 57287 corpus (52272s/5015h MY) 09/22/05
509 rawbody SARE_HTML_USL_OBFU m'\w<(\w+)(?: [^>]*)?></\1[^>]*>\w'
510 describe SARE_HTML_USL_OBFU Message body has very strange HTML sequence
511 score SARE_HTML_USL_OBFU 1.666
512 #match SARE_HTML_USL_OBFU partialword<tag></tag>restofword
513 #hist SARE_HTML_USL_OBFU Created by Bob Menschel Aug 12 2004
514 #counts SARE_HTML_USL_OBFU 393s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
515 #max SARE_HTML_USL_OBFU 520s/6h of 196718 corpus (96193s/100525h RM) 02/22/05
516 #counts SARE_HTML_USL_OBFU 14s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
517 #counts SARE_HTML_USL_OBFU 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
518 #max SARE_HTML_USL_OBFU 16s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
519 #counts SARE_HTML_USL_OBFU 88s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
520 #counts SARE_HTML_USL_OBFU 298s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
521 #max SARE_HTML_USL_OBFU 457s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
522 #counts SARE_HTML_USL_OBFU 111s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
523 #counts SARE_HTML_USL_OBFU 21s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
524 #max SARE_HTML_USL_OBFU 148s/0h of 17145 corpus (14677s/2468h MY) 08/12/04
526 ######## ###################### ##################################################
527 # Miscellaneous tag tests
528 ######## ###################### ##################################################