1 # -*- mode: spamassassin -*-
# Single-domain body rules: each pattern is an unanchored regex, so the rule
# fires wherever the hostname text appears in the body, not only inside a link.
# ORIENTSKY and PACHETES have no score line in this listing.
3 body ORIENTSKY /orient-sky\.com/
4 describe ORIENTSKY Japanese spam
8 body PACHETES /www\.pachetes\.com/
9 describe PACHETES Spanish spam
12 # cjwatson, 2003/07/12
# NO_MORE_ACCENT is the only rule in this group with an explicit score (4).
13 body NO_MORE_ACCENT /www\.no-more-accent\.com/
14 describe NO_MORE_ACCENT No More Accent spam
15 score NO_MORE_ACCENT 4
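# FETHARD: fires when the Subject header contains "fethard.biz" (case-insensitive).
# The dot is escaped so that only a literal "." matches; an unescaped "." would
# accept any single character between "fethard" and "biz".
18 header FETHARD Subject =~ /fethard\.biz/i
19 describe FETHARD Spam from Fethard.biz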
# Body/header rules keyed on specific spam-advertised hosts. None of the rules
# in this group has a score line in this listing.
22 # joy, 2003-10-21, 2003-10-31
# PHARMACYSPAM3: http://www.rxsalenow.biz or http://www.rxville.biz, any case.
23 body PHARMACYSPAM3 /http:\/\/www\.rx(salenow|ville)\.biz/i
24 describe PHARMACYSPAM3 pharmacy spam 3
27 # cjwatson, 2004-01-13
28 # blarson, any number 2004-04-01
29 # blarson, more ajustmets 2004-04-03
# HREF_NNNN: "www." + 3 to 5 digits + "hosting.com".
30 body HREF_NNNN /www\.\d{3,5}hosting\.com/
31 describe HREF_NNNN www.NNNNhosting.com spam
34 # cjwatson, 2004-02-16
35 body SOCCER_MOMS /www\.soccer-moms\.biz/
36 describe SOCCER_MOMS Porn spam
39 # cjwatson, 2004-02-22
40 body MRSM_TILO /mrsm-tilo\.com/
41 describe MRSM_TILO Medical spam
44 # cjwatson, 2004-02-27
45 body FAST_ACTING /fast-acting\.com/
46 describe FAST_ACTING Viagra spam
50 body COMCLICKPH /com-click\.com\.ph/
51 describe COMCLICKPH PH spam gang
55 body MEDS675 /(675meds|medsarergreat)\.com/i
56 describe MEDS675 More drug spam
# NOTE(review): ERHOME has no leading \b, so it also matches inside longer
# hostnames (constructed example: "powerhome.com"). Consider anchoring.
60 body ERHOME /erhome\.com/i
61 describe ERHOME loan spammer
# CANDYHOS: requires a leading "." and a trailing "/", i.e. a subdomain of one
# of the listed domains followed by a path separator.
65 body CANDYHOS /\.(?:candyhos\.com|(?:mycountry|polty|make4u)\.cc|puchiphoto\.org|purepure\.org)\//i
66 describe CANDYHOS spams from korea, hosts in japan
70 # don 2007-11-21 -- combine other rule; increment score
# NOTE(review): the comment above mentions a score increment, but no score line
# for GEOCITIES is visible here. ".*" lets any text sit between "http://" and
# "geocities", so this is a broad match on a shared hosting service.
71 body GEOCITIES /http\:\/\/.*geocities/i
72 describe GEOCITIES geocities url
# EMPTYURL: "http://" or "http://www." with nothing after it before the end of
# the text unit being matched.
76 body EMPTYURL /\bhttp:\/\/(?:www\.)?$/i
77 describe EMPTYURL empty URL
81 body AMPRO /www\.amateurprovideo\.info/i
82 describe AMPRO bug submitting spammer
# IMAGESHACK and MSOUTLOOK are combined by the SHACKOUTLOOK meta rule below.
# NOTE(review): MSOUTLOOK matches any Outlook X-Mailer header, which is common
# in legitimate mail. If only the combination is meant to score, confirm the
# two component rules are scored low (or converted to "__" sub-rules) elsewhere.
86 body IMAGESHACK /\/img\d+\.imageshack\.us\//i
87 describe IMAGESHACK shack attack
92 header MSOUTLOOK x-mailer =~ /Microsoft\s+Outlook/i
93 describe MSOUTLOOK Microsoft Outlook
96 meta SHACKOUTLOOK IMAGESHACK && MSOUTLOOK
97 describe SHACKOUTLOOK shack'ed to outlook
101 body UNSUBG /\bwww\.guiaartistica\.com\.ar\b/
102 describe UNSUBG spamming bts with unsubscribe messages
# IMGCLOSET: "http://" followed by anything, then one of the listed image/file
# hosting domains. These are shared services, so expect hits on legitimate
# links as well; treat as a weak signal.
106 body IMGCLOSET /\bhttp\:\/\/.*\b((image(closet|thrust|hosting)|mypicshare|tinypic|fileanchor|imgspot)\.com|bilder-hosting\.de|saunalahti\.fi|upload2\.net|imagehost\.ro)\b/i
107 describe IMGCLOSET closet spammer
# TROUBLEDE has no /i flag: only the exact mixed-case spelling matches.
111 body TROUBLEDE /\bhttp\:\/\/www\.TroubleAgent\.de\b/
112 describe TROUBLEDE troubleagent.de spam
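# BESTLOANS: body contains "www.bestmortloans.com" (case-insensitive).
# Both dots are escaped so they match only a literal "."; unescaped, each dot
# would accept any character in that position.
116 body BESTLOANS /www\.bestmortloans\.com/i
117 describe BESTLOANS Best loans url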
# Domain, TLD and mail-provider body rules. No rule in this group has a score
# line in this listing.
120 # blarson 2007-07-22 2007-09-12
# PENPRO: an "@" followed by one of the listed .info domains, i.e. an e-mail
# address at those domains appearing in the body.
121 body PENPRO /\@(?:penmailpro|OnsetIng|openprotection|NearOut|SuperOnset|medicalgloveonline|YourOnset|GreatGloveCell|thegloveworks|asiafriendworld|NaturalImprove|charmshine|healthinsweb)\.info\b/i
122 describe PENPRO penmailpro spam
125 # blarson 2007-09-05 2007-09-11
# WWWCN: any "www.<label>.cn", or "http:"/"https:" followed by arbitrary text
# and then "<label>.cn". This flags a whole country-code TLD, and the ".*"
# means the .cn name need not be part of the URL that precedes it.
# WWWRU and WWWRO further down use the same pattern for .ru and .ro.
126 body WWWCN /\b(?:www\.|https?\:.*)\w+\.cn\b/i
127 describe WWWCN chinese web site
130 # cjwatson, 2002/04/04
131 body EMAILOFFER /www\.emailoffer\.us/
132 describe EMAILOFFER Gibberish HTML spammers
135 # cjwatson, 2002/04/08
136 body JUSTYAK /www\.JustYak\.com/
137 describe JUSTYAK JustSpam
141 body SIZMATZ /\bsize-matterz\.com\b/i
142 describe SIZMATZ size matterz
146 body EMAGX /\bhttp\:\/\/emagx\.net\b/i
147 describe EMAGX wondercum spammer
151 body FREENFL /\bhttp\:\/\/freeNFLtracker\.com\b/i
152 describe FREENFL nfl spam
156 body SPAMARREST /\bhttp\:\/\/www\.spamarrest\.com\b/
157 describe SPAMARREST forwards thier spam problem
161 body FROMAD /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe|mybudshop)\.com\b/i
162 describe FROMAD more penis spam
# MYCHEAP: one pattern for a family of generated names
# ([my]cheap[xp|adobe](oem|soft)+[now|ware][[4|for]less][digits]), tolerating
# whitespace on either side of the dot before "com".
166 body MYCHEAP /\b(?:my)?cheap(?:xp|adobe)?(?:oem|soft)+(?:now|ware)?(?:(?:4|for)?less)?\d*\s*\.\s*com\b/i
167 describe MYCHEAP software spam
171 body WWWRU /\b(?:www\.|https?\:.*)\w+\.ru\b/i
172 describe WWWRU russian web site
176 body VIPSMS /\bvipsms\.org\b/i
177 describe VIPSMS vipsms.org
181 header MAKEUP subject =~ /makeup\.com/i
182 describe MAKEUP makeup.com url
186 body SUBT /\bsubtracthold\.com\b/i
187 describe SUBT subtracthold.com
190 body GRAPHICMAIL /\bhttp\:\/\/www\.graphicmail\.de\b/i
191 describe GRAPHICMAIL graphicmail.de
195 body WWWRO /\b(?:www\.|https?\:.*)\w+\.ro\b/i
196 describe WWWRO romanian web site
# CLEANDOM: matches the literal text "http://{_clean_domains}", an unexpanded
# template placeholder left in the message.
200 body CLEANDOM /http\:\/\/\{_clean_domains\}/
201 describe CLEANDOM broken spamware
205 body SOFTNLSE /\bsoftnlse\s*\.\s*com\b/i
206 describe SOFTNLSE softnlse.com
210 body MUSVID /\b(?:MusicAndVideoWorld|usa-bestsellers)\.com/i
211 describe MUSVID MusicAndVideoWorld.com
215 body PLATSOFT /\btheplatinumsoft\.com\b/i
216 describe PLATSOFT theplatinumsoft.com
# BLOGSPOT matches any mention of blogspot.com, including legitimate blogs.
220 body BLOGSPOT /\bblogspot\.com\b/i
221 describe BLOGSPOT spammers are hosting on blogspot
225 body PILLUS /PILL-US\.COM\b/i
226 describe PILLUS PILL-US spam
230 body BETWEENTO /\bhttp\:\/\/betweento\.com\b/i
231 describe BETWEENTO betweento.com
# MASZON: unanchored; matches maszon/mayvidol/mattk (optionally "mc" + "a...")
# under .com, .org or .net.
235 body MASZON /mc?a(szon|yvidol|ttk)\.(com|org|net)/i
236 describe MASZON pron spam
# GMAIL and MAILRU fire on any address at these providers appearing in the
# body text. Both providers carry large volumes of legitimate mail, so these
# are only useful as weak signals or as inputs to a meta rule.
241 body GMAIL /\@gmail\.com\b/i
242 describe GMAIL @gmail.com
246 body MAILRU /\@mail\.ru\b/i
247 describe MAILRU @mail.ru
# ADOBE4LESS: the separator before "com" may be "." or ",", with optional
# surrounding whitespace.
251 body ADOBE4LESS /\b(?:adobe4less|realnewsoft|newmicrosoftdeals|kvaka-soft)\s*[.,]\s*com\b/i
252 describe ADOBE4LESS adobe4less . com
256 body RMAPPLY /http\:\/\/rmapply\.com\b/i
257 describe RMAPPLY http://rmapply.com
261 header HANOIFASH subject =~ /WWW\.HANOI-FASHION\.COM/i
262 describe HANOIFASH WWW.HANOI-FASHION.COM
# NOTE(review): the "pharm\w*" alternative matches every .com name whose label
# starts with "pharm", not just the domains listed by name; confirm that this
# breadth is intended.
266 body ONLINEMED /\b(?:onlinemedicalkey|pharm\w*|webvinz|wendebay|webdcd|vowelstep|wclth|duringgear|broadbasic|instantsuffix|magnetdouble|drugsdirecteat)\s*\.\s*com\b/i
267 describe ONLINEMED onlinemedicalkey.com
271 body GETUP /\bgetupgradednow\.com\b/i
272 describe GETUP getupgradednow.com
# Obfuscated-domain and domain-family body rules. Only SOFTBESTGRAND has an
# explicit score in this group.
275 # blarson (pusling's idea) 2007-11-16
# SPACECOM: text unit begins with word characters, then " . com" with exactly
# one whitespace character on each side of the dot. "[\w\d]" is equivalent to
# "\w". No /i flag, so only lower-case "com" matches.
276 body SPACECOM /^[\w\d]+\s\.\scom\b/
277 describe SPACECOM whatever . com
280 # don -- flowgoaway.com doesn't appear to be a working RBL anymore (if it ever was?)
282 # uridnsbl URIBL_FLO flowgoaway.com. A
283 # body URIBL_FLO eval:check_uridnsbl('URIBL_FLO')
284 # describe URIBL_FLO web site in flowgoaway.com
285 # tflags URIBL_FLO net
289 body SOFTROU /\bwww\.softrou\.com\b/i
290 describe SOFTROU www.softrou.com
# GOOGLEPAGES matches any mention of googlepages.com, a shared hosting service.
294 body GOOGLEPAGES /\bgooglepages\.com\b/i
295 describe GOOGLEPAGES spammers use googlepages
299 body SOFTBESTGRAND /\bsoft(?:bestgrand|wareonlinemuch)\.com\b/
300 describe SOFTBESTGRAND softbestgrand.com
301 score SOFTBESTGRAND 4
# PCSOFTCHEAP: one large alternation of software-spam domain labels under .com
# or .net, allowing at most one whitespace character on each side of the dot.
# There is no /i flag, so only the lower-case spellings listed here match.
# Some alternatives are generic (for example "andsoftware",
# "softwarefoundation"); review before raising this rule's score.
304 body PCSOFTCHEAP /\b(?:pcsoftcheap|cheapezsoft|cheapsoftxp|adobe4cheap|phonowa|saleonsoftware|bestdealoem|realcheapsoft|krasniyles|cheapxp4pc|supercheapoem|lowpriceoem|realcheapoem|cheapadobedeal|softwarefoundation|2008oem|xpxmas|cheap2008soft|snowysoftware|2008adobe|adobe2008|cheapgetsoftone|x(?:higher|main|prime)(?:soft|software|easy)|softonlinepc|andsoftware|softonlinedownload|kunchakoem|erhere\w|kiroemch|phonowd|cheap(?:soft|oem|software)here|softwarenowprox|xprosoftonlinedl|siniyglaz|popandosoem|xsoftprodepot|triudava|krasniynos|fastsoftnow|cheapeasy(soft|oem|software)|ezadobenow|softnowpromohere|primenetsofthe|nowinstantsoftieq|isktesoft|best(?:oem|soft|software)2008|new2008(?:soft|oem|software)|fastez(?:soft|oem|software)|ezfast(?:oem|soft|software)|2008(?:micro)?softdeals|oemfactorysale|nbuysoft|softnuhere|softsale2008|softwintersale|blatnoyoem|svedsoft|gsxoempromo|getmicrosoftfast|adobeoemsale|xp4(?:cheap|less)|xpoemnow|buycheapxp|alloem4less|lun(?:soft|oem|software)|(?:new|fast)xp(?:soft|oem|software)|frukanoka|softcheap(?:n[eo]w|xp)|adobe(?:web|blog|new)(?:soft|spot|deal))\s?\.\s?(?:com|net)\b/
305 describe PCSOFTCHEAP pcsoftcheap. com
309 body GOLDGAME /\b(?:gamblingplacegold|goldgamesite|topgamingsite|richbestgaming|luxgoldgaming)\.(?:net|com)\b/
310 describe GOLDGAME gambling sites
314 body ENLARGETW /\b(?:enlarge|0rz)\.tw\b/
315 describe ENLARGETW enlarge.tw
319 body POSTTHROUGH /\b(?:postthrough|speedgrand|certaincoast)\.com\b/
320 describe POSTTHROUGH postthrough.com
# NOTE(review): the bare "post", "fresh" and "happy" prefixes make UHAVE match
# generic names such as "postcards.com" (constructed example); confirm this is
# acceptable.
324 body UHAVE /\b(?:uhavepost|happy(?:santa)?|newyear|familypost|fresh|post)cards?-?(?:2008)?\.com\b/
325 describe UHAVE uhavepostcard.com
# RUSSWIFE / RUSSIABRIDE (below): "russ[il]an?" covers "russian", "russia",
# "russlan" and "russla", catching the i/l look-alike substitution.
329 body RUSSWIFE /\b(?:your|best|new|the|my)(?:russ[il]an?|address|russ)(?:wife|bride)\.info\b/
330 describe RUSSWIFE yourrussianwife.info
334 body HAPPY2008 /\b(?:happy2008toyou|hellosanta2008|hohoho2008|santawishes2008)\.com\b/
335 describe HAPPY2008 happy2008toyou.com
339 body BONGHIT /\b(?:beaverbonghits|dobongworld)\.com\b/
340 describe BONGHIT beaverbonghits.com
# GOOGLESEARCH: "google" with two or more "o"s, under .com, a two-letter TLD or
# a co./com. second-level domain, followed by a /search or /pagead path.
344 body GOOGLESEARCH /\bgoo+gle\.(com|\w\w|com?\.\w\w)\/+(?:search|pagead)/i
345 describe GOOGLESEARCH google search URL
# SIGAS: the separator before "com" may be a literal dot or its
# quoted-printable encoding "=2E".
349 body SIGAS /\b(?:Sigashash|Reelhotsi|Erisgoonti|Erisgoners|Freesignsies|Rielhotties|Foredroons|Feeshoons|Erisgant|hapburge|wuimooed|jiuezdoo|goingoinghom|buloies|Poeshages|Rueshabesoo|clitoriseries|clitorina|glueplot|crumbtost|ideaputs)(?:\.|\=2E)com\b/
350 describe SIGAS www.Sigashash.com
354 body RUSSIABRIDE /\bruss[il]an?(bride|wife)(?:home|live|blog|)\.info\b/
355 describe RUSSIABRIDE russiabridehome.info
# REDMEHS: matches "www.<label>" for the listed labels with no TLD constraint.
359 body REDMEHS /\bwww\.(?:redmehs|feltas|barataslo|quasibot|tageshes|flessimo|spendhope|instrumentstart)\b/
360 describe REDMEHS www.redmehs
364 body MYURL /\bmyurl\.com\.tw\b/i
365 describe MYURL myurl.com.tw
# W0MEN: no leading \b, so any name ending in "w0men.info" matches.
369 body W0MEN /w0men\.info\b/i
370 describe W0MEN hotw0men.info ukrw0men.info
374 body ACEMST /\bacemst\.com\b/
375 describe ACEMST acemst.com
379 body GALSINFO /\b(?:foreigngals|californiaimprove)\.info\b/i
380 describe GALSINFO foreigngals.info
384 body RIDGEST /\bridgest\.com\b/
385 describe RIDGEST ridgest.com
389 body SOFTROI /\bsoft(?:roi|ove)\.com\b/
390 describe SOFTROI softroi.com
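# FILEZONE: body contains the lower-case hostname "file-zone.co.uk" or the
# capitalised name "File-Zone" (the rule is case-sensitive; there is no /i).
# The dots in the hostname are escaped so they match only a literal ".".
394 body FILEZONE /(file-zone\.co\.uk|File-Zone)/
395 describe FILEZONE File-Zone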
# Mixed body, rawbody and uri rules. Explicit scores in this group:
# MYTHANKYOUURI (5) and CREDITREPORTURI (2).
# NOTE(review): the keyword on the second line below is spelled "descrIbe".
# Normalise it to "describe" for consistency and check the file with
# `spamassassin --lint`.
399 body X2J1F /\b2j1f\.com\b/i
400 descrIbe X2J1F 2j1f.com
404 body ILVE /\bilveant\.net\b/i
405 describe ILVE www.ilveant.net
409 body VIDEOFILBMS /www\.videofilbms\.cn/i
410 describe VIDEOFILBMS video filbms url
# ABESOFT: the unescaped "." in "ca.abesoft" matches any single character. The
# description ("www.cazabesoft.com etc.") suggests this wildcard is deliberate.
414 body ABESOFT /\bca.abesoft\.com\b/i
415 describe ABESOFT www.cazabesoft.com etc.
419 body STARLEYT /\bstarleyt\.com\b/i
420 describe STARLEYT starleyt.com
# URLOEM: "http://" immediately followed by "{", i.e. an unexpanded template
# placeholder where the hostname should be.
424 body URLOEM /\bhttp\:\/\/\{/
425 describe URLOEM http://{urloem2}
429 body WILDERGO /\b(?:WilderGoLovan|golovable|BestGolova|SuperGolovaWorld)\.com\b/i
430 describe WILDERGO WilderGoLovan.com
434 body PROGOLD /\bprogold-inc\.com\b/i
435 describe PROGOLD progold-inc.com
439 body KMINU /\b(?:kminutte|rubstream)\.com\b/i
440 describe KMINU kminutte.com
444 body SCIJOURNALS /\bsciencejournals\.info\b/i
445 describe SCIJOURNALS scientific journals
# JANEHOT: "jane" + a digit + optional word characters at hotmail.com, at the
# end of the text unit. "[\w\d]" is equivalent to "\w".
449 body JANEHOT /\bjane\d[\w\d]*\@hotmail\.com\s*$/
450 describe JANEHOT jane*@hotmail.com
# BIFUTRA is a rawbody rule and accepts either a literal dot or the
# quoted-printable form "=2E" before "com".
454 rawbody BIFUTRA /\b(?:bifutra|veriapoli|xenifeao|toporaig|jieros|bifreca|werikine|incroomise|genbullenst|writeprovide)(?:\.|\=2E)com\b/
455 describe BIFUTRA spammer web sites
# LONGLINEURL: at least 55 characters, a non-space, one whitespace character,
# then a bare http://www.<label>.(com|net|org)/ URL ending the text unit.
459 body LONGLINEURL /^.{55,}\S\shttp:\/\/www\.\w+\.(?:com|net|org)\/\s*$/
460 describe LONGLINEURL long line ending in a simple url
# NOTE(review): a score of 5 lets this one rule reach SpamAssassin's stock
# threshold (5.0) by itself; confirm that is intended for this deployment.
464 uri MYTHANKYOUURI /www\.mythankyou\.com/i
465 describe MYTHANKYOUURI www.mythankyou.com
466 score MYTHANKYOUURI 5
469 uri SAMEAS /\bsupersameas\.com\b/
470 describe SAMEAS supersameas.com
# NOTE(review): URIEXE is a body rule and only matches "http:"; an
# "https:" link to an .exe is not covered. Whether that gap matters depends
# on the mail this filter sees.
474 body URIEXE /\bhttp:\S*\.exe\b/
475 describe URIEXE .exe url
479 uri SANSATION /\b(?:sansationel|garmenys|iconaliste)\.com\b/i
480 describe SANSATION sansationel.com
# EQMEDS matches the bare word "eqmeds" anywhere; no domain suffix is required.
484 body EQMEDS /\beqmeds\b/i
485 describe EQMEDS eqmeds
# NOTE(review): the trailing \b requires a word boundary right after
# "mylivegi", so this pattern cannot match "mylivegirlx.com" as named in the
# description (the next character, "r", is a word character). Dropping the
# trailing \b looks like the intended pattern; confirm against samples.
489 uri MYLIVE /\bmylivegi\b/i
490 describe MYLIVE mylivegirlx.com
# NOTE(review): in both "(\s*\.\+)" alternatives, "\.\+" matches a literal
# ".+" (dot followed by a plus sign). Given the first alternative
# "(\s+\.\s*)", the symmetric form "\s*\.\s+" (dot followed by whitespace) was
# probably meant; confirm before changing.
494 body BROKENURL /^\s*www((\s+\.\s*)|(\s*\.\+))\S+((\s+\.\s*)|(\s*\.\+))(com|net|org)\s*$/
495 describe BROKENURL Broken url displayed
# NOTE(review): STUPIDURL has no trailing boundary and accepts any bracketed
# word, so source-code-like text such as "argv[i]command" (constructed example)
# also matches. Restricting the bracket content (e.g. to "dot") would narrow it.
499 body STUPIDURL /\w+\[\w+\](?:com|net|org)/
500 describe STUPIDURL No one will guess that fooo[DOT]com is an URL!
# NOTE(review): "eset" is a very short label and eset.com may belong to a
# legitimate vendor; confirm it is meant to be listed here.
504 body SUGARCOM /\b(?:indicatesugar|industryexpect|eset)\.com\b/
505 describe SUGARCOM indicatesugar.com
# VIEWMOVIE: a "/" followed by one of the listed page names + ".html", or by
# "video" / "news2/" at the end of the text unit. Several names ("index1",
# "default", "1", "top") are generic and will also occur in legitimate links.
509 body VIEWMOVIE /\/(?:(?:viewmovie|stream|watchit|topnews|hotnews|fresh|checkit|default|gowatch|showvideo|livestreaming|top|whatsup|tophot|lol|first|index1|1)\.html\b|(?:video|news2\/)\s*$)/
510 describe VIEWMOVIE tabiloid style spam
514 uri OPERAMAIL /\bwww\.opera\.com\/mail\//
515 describe OPERAMAIL opera.com mail
# NOSITE: "http://" immediately followed by a third "/", i.e. no hostname.
519 body NOSITE /http:\/\/\//
520 describe NOSITE http URL with no site
524 uri TIECORRECT /tiecorrect\.com/
525 describe TIECORRECT Contains a tiecorrect.com uri
# NOTE(review): this rule name starts with a digit. SpamAssassin's
# documentation says test names should not start with a number (compare X2J1F
# above, which prefixes an "X"). Run `spamassassin --lint`; a rename must also
# update any score or meta line that references the name.
529 body 4MINUTI /4minuti/
530 describe 4MINUTI Spam from 4 minuti
# CREDITREPORTURI matches any URI containing the substring "creditreport",
# including legitimate credit-reporting sites.
534 uri CREDITREPORTURI /creditreport/
535 describe CREDITREPORTURI Credit report in the url isn't good
536 score CREDITREPORTURI 2