# SpamAssassin `body` tests: each regex is searched for in the message's
# text body, and `describe` supplies the label shown in reports. These three
# each match one hard-coded host name with the dots escaped. There is no /i
# flag and no \b, so the match is case-sensitive and unanchored.
2 body ORIENTSKY /orient-sky\.com/
3 describe ORIENTSKY Japanese spam
7 body PACHETES /www\.pachetes\.com/
8 describe PACHETES Spanish spam
11 # cjwatson, 2003/07/12
12 body NO_MORE_ACCENT /www\.no-more-accent\.com/
13 describe NO_MORE_ACCENT No More Accent spam
# Explicit weight of 4. ORIENTSKY and PACHETES have no `score` line in this
# listing.
14 score NO_MORE_ACCENT 4
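# Header test on Subject for the fethard.biz domain, any case.
# The dot is escaped so that only a literal "." matches; left bare it would
# accept any character in that position.
17 header FETHARD Subject =~ /fethard\.biz/i
18 describe FETHARD Spam from Fethard.biz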
21 # joy, 2003-10-21, 2003-10-31
# Matches http://www.rxsalenow.biz and http://www.rxville.biz, any case.
# Only the http:// scheme is spelled out in the pattern.
22 body PHARMACYSPAM3 /http:\/\/www\.rx(salenow|ville)\.biz/i
23 describe PHARMACYSPAM3 pharmacy spam 3
26 # cjwatson, 2004-01-13
27 # blarson, any number 2004-04-01
28 # blarson, more adjustments 2004-04-03
# "www." followed by three to five digits and then "hosting.com".
29 body HREF_NNNN /www\.\d{3,5}hosting\.com/
30 describe HREF_NNNN www.NNNNhosting.com spam
33 # cjwatson, 2004-02-16
34 body SOCCER_MOMS /www\.soccer-moms\.biz/
35 describe SOCCER_MOMS Porn spam
38 # cjwatson, 2004-02-22
# No "www." prefix and no \b: the pattern matches wherever the string
# "mrsm-tilo.com" occurs, including as the tail of a longer host name.
39 body MRSM_TILO /mrsm-tilo\.com/
40 describe MRSM_TILO Medical spam
43 # cjwatson, 2004-02-27
# Same shape as MRSM_TILO: bare domain, case-sensitive, unanchored.
44 body FAST_ACTING /fast-acting\.com/
45 describe FAST_ACTING Viagra spam
# Four domain rules; none carries a `score` line in this listing.
49 body COMCLICKPH /com-click\.com\.ph/
50 describe COMCLICKPH PH spam gang
# Either 675meds.com or medsarergreat.com, any case.
54 body MEDS675 /(675meds|medsarergreat)\.com/i
55 describe MEDS675 More drug spam
# NOTE(review): there is no leading \b, so any host name ending in
# "erhome.com" matches (constructed example: "powerhome.com"). Confirm that
# breadth is acceptable or anchor the pattern.
59 body ERHOME /erhome\.com/i
60 describe ERHOME loan spammer
# Requires a leading "." and a trailing "/": the listed domain must be
# preceded by a dot (a sub-domain label such as "www") and followed by a
# path slash.
64 body CANDYHOS /\.(?:candyhos\.com|(?:mycountry|polty|make4u)\.cc|puchiphoto\.org|purepure\.org)\//i
65 describe CANDYHOS spams from korea, hosts in japan
69 # don 2007-11-21 -- combine other rule; increment score
# "http://" followed, later in the same stretch of text, by "geocities".
# The `.*` is unbounded (it stops only at a newline), so the two need not
# belong to the same URL. No `score` line for this rule is visible here
# despite the history note above.
70 body GEOCITIES /http\:\/\/.*geocities/i
71 describe GEOCITIES geocities url
# "http://" or "http://www." with nothing after it before the end of the
# matched text.
75 body EMPTYURL /\bhttp:\/\/(?:www\.)?$/i
76 describe EMPTYURL empty URL
80 body AMPRO /www\.amateurprovideo\.info/i
81 describe AMPRO bug submitting spammer
# Path-style match: "/imgN.imageshack.us/" where N is one or more digits.
85 body IMAGESHACK /\/img\d+\.imageshack\.us\//i
86 describe IMAGESHACK shack attack
# Header test: X-Mailer contains "Microsoft Outlook" (any whitespace run
# between the two words). This is a client fingerprint, not a spam signal on
# its own.
91 header MSOUTLOOK x-mailer =~ /Microsoft\s+Outlook/i
92 describe MSOUTLOOK Microsoft Outlook
# Meta rule: true only when both IMAGESHACK and MSOUTLOOK are true, pairing
# the URL indicator with the client fingerprint. It depends on both of those
# rule names remaining defined.
95 meta SHACKOUTLOOK IMAGESHACK && MSOUTLOOK
96 describe SHACKOUTLOOK shack'ed to outlook
# Bounded on both sides by \b; case-sensitive.
100 body UNSUBG /\bwww\.guiaartistica\.com\.ar\b/
101 describe UNSUBG spamming bts with unsubscribe messages
# "http://" followed later in the same stretch of text by one of the listed
# image-hosting domains. Because of the `.*`, the domain does not have to be
# the host of that URL.
105 body IMGCLOSET /\bhttp\:\/\/.*\b((image(closet|thrust|hosting)|mypicshare|tinypic|fileanchor|imgspot)\.com|bilder-hosting\.de|saunalahti\.fi|upload2\.net|imagehost\.ro)\b/i
106 describe IMGCLOSET closet spammer
# Case-sensitive with a mixed-case literal: only the exact spelling
# "http://www.TroubleAgent.de" matches.
110 body TROUBLEDE /\bhttp\:\/\/www\.TroubleAgent\.de\b/
111 describe TROUBLEDE troubleagent.de spam
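# Matches the literal host www.bestmortloans.com, any case. Both dots are
# escaped so they match only "."; left bare they would accept any character.
115 body BESTLOANS /www\.bestmortloans\.com/i
116 describe BESTLOANS Best loans url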
119 # blarson 2007-07-22 2007-09-12
# Matches "@<name>.info" for the listed names, i.e. e-mail addresses at those
# domains appearing in the body text.
120 body PENPRO /\@(?:penmailpro|OnsetIng|openprotection|NearOut|SuperOnset|medicalgloveonline|YourOnset|GreatGloveCell|thegloveworks|asiafriendworld|NaturalImprove|charmshine|healthinsweb)\.info\b/i
121 describe PENPRO penmailpro spam
124 # blarson 2007-09-05 2007-09-11
# TLD-wide rule: "www.<word>.cn", or "http:"/"https:" followed later in the
# same stretch of text by "<word>.cn". It keys on the whole .cn TLD rather
# than a specific sender, so legitimate mail mentioning any .cn site matches.
# No `score` line is visible in this listing.
125 body WWWCN /\b(?:www\.|https?\:.*)\w+\.cn\b/i
126 describe WWWCN chinese web site
129 # cjwatson, 2002/04/04
130 body EMAILOFFER /www\.emailoffer\.us/
131 describe EMAILOFFER Gibberish HTML spammers
134 # cjwatson, 2002/04/08
# Case-sensitive: only the capitalisation "www.JustYak.com" matches.
135 body JUSTYAK /www\.JustYak\.com/
136 describe JUSTYAK JustSpam
140 body SIZMATZ /\bsize-matterz\.com\b/i
141 describe SIZMATZ size matterz
# The next two require the host directly after "http://"; a "www." variant
# is not covered.
145 body EMAGX /\bhttp\:\/\/emagx\.net\b/i
146 describe EMAGX wondercum spammer
150 body FREENFL /\bhttp\:\/\/freeNFLtracker\.com\b/i
151 describe FREENFL nfl spam
# Matches any message containing the URL http://www.spamarrest.com
# (case-sensitive).
155 body SPAMARREST /\bhttp\:\/\/www\.spamarrest\.com\b/
156 describe SPAMARREST forwards thier spam problem
# One of six .com hosts directly after "http://".
160 body FROMAD /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe|mybudshop)\.com\b/i
161 describe FROMAD more penis spam
# Pattern family rather than a fixed host: optional "my", "cheap", optional
# "xp"/"adobe", one or more of "oem"/"soft", optional "now"/"ware", optional
# "less"/"4less"/"forless", optional digits, then ".com" with optional
# whitespace on either side of the dot.
165 body MYCHEAP /\b(?:my)?cheap(?:xp|adobe)?(?:oem|soft)+(?:now|ware)?(?:(?:4|for)?less)?\d*\s*\.\s*com\b/i
166 describe MYCHEAP software spam
# TLD-wide rule: "www.<word>.ru", or an http(s) URL followed later in the
# same stretch of text by "<word>.ru". Any .ru site matches.
170 body WWWRU /\b(?:www\.|https?\:.*)\w+\.ru\b/i
171 describe WWWRU russian web site
175 body VIPSMS /\bvipsms\.org\b/i
176 describe VIPSMS vipsms.org
# Header test on Subject only; the body is not examined by this rule.
180 header MAKEUP subject =~ /makeup\.com/i
181 describe MAKEUP makeup.com url
185 body SUBT /\bsubtracthold\.com\b/i
186 describe SUBT subtracthold.com
189 body GRAPHICMAIL /\bhttp\:\/\/www\.graphicmail\.de\b/i
190 describe GRAPHICMAIL graphicmail.de
# TLD-wide rule for .ro, built the same way as WWWRU above.
194 body WWWRO /\b(?:www\.|https?\:.*)\w+\.ro\b/i
195 describe WWWRO romanian web site
# Literal, unexpanded template token "{_clean_domains}" after "http://":
# it catches mail from tooling that failed to substitute its placeholder.
199 body CLEANDOM /http\:\/\/\{_clean_domains\}/
200 describe CLEANDOM broken spamware
# Tolerates whitespace around the dot ("softnlse . com").
204 body SOFTNLSE /\bsoftnlse\s*\.\s*com\b/i
205 describe SOFTNLSE softnlse.com
# Two hosts; unlike its neighbours this pattern has no trailing \b.
209 body MUSVID /\b(?:MusicAndVideoWorld|usa-bestsellers)\.com/i
210 describe MUSVID MusicAndVideoWorld.com
214 body PLATSOFT /\btheplatinumsoft\.com\b/i
215 describe PLATSOFT theplatinumsoft.com
# Platform-wide rule: any mention of blogspot.com matches, not one specific
# blog. No `score` line is visible in this listing.
219 body BLOGSPOT /\bblogspot\.com\b/i
220 describe BLOGSPOT spammers are hosting on blogspot
# No leading \b; /i lets the upper-case literal match any case.
224 body PILLUS /PILL-US\.COM\b/i
225 describe PILLUS PILL-US spam
229 body BETWEENTO /\bhttp\:\/\/betweento\.com\b/i
230 describe BETWEENTO betweento.com
# "ma" or "mca", then szon/yvidol/ttk, then .com/.org/.net. Unanchored.
234 body MASZON /mc?a(szon|yvidol|ttk)\.(com|org|net)/i
235 describe MASZON pron spam
# Provider-wide rules: any "@gmail.com" or "@mail.ru" address in the body
# text matches, so these describe a population of senders rather than one
# campaign.
# NOTE(review): no `score` lines are visible here; confirm they are weighted
# low enough that legitimate mail quoting such an address is not rejected.
240 body GMAIL /\@gmail\.com\b/i
241 describe GMAIL @gmail.com
245 body MAILRU /\@mail\.ru\b/i
246 describe MAILRU @mail.ru
# The separator may be "." or ",", with optional whitespace on either side.
250 body ADOBE4LESS /\b(?:adobe4less|realnewsoft|newmicrosoftdeals|kvaka-soft)\s*[.,]\s*com\b/i
251 describe ADOBE4LESS adobe4less . com
255 body RMAPPLY /http\:\/\/rmapply\.com\b/i
256 describe RMAPPLY http://rmapply.com
# Header test on Subject only.
260 header HANOIFASH subject =~ /WWW\.HANOI-FASHION\.COM/i
261 describe HANOIFASH WWW.HANOI-FASHION.COM
# NOTE(review): the `pharm\w*` alternative matches every name that starts
# with "pharm" and ends in ".com", not a fixed host, so this rule is wider
# than its description suggests.
265 body ONLINEMED /\b(?:onlinemedicalkey|pharm\w*|webvinz|wendebay|webdcd|vowelstep|wclth|duringgear|broadbasic|instantsuffix|magnetdouble|drugsdirecteat)\s*\.\s*com\b/i
266 describe ONLINEMED onlinemedicalkey.com
270 body GETUP /\bgetupgradednow\.com\b/i
271 describe GETUP getupgradednow.com
274 # blarson (pusling's idea) 2007-11-16
# Start-anchored: a run of word characters, exactly one whitespace, ".",
# exactly one whitespace, then "com". The `\d` inside the class is redundant
# because `\w` already includes digits.
275 body SPACECOM /^[\w\d]+\s\.\scom\b/
276 describe SPACECOM whatever . com
# The URIBL_FLO lines below are commented out, so no DNS blocklist lookup
# is configured by this section.
279 # don -- flowgoaway.com doesn't appear to be a working RBL anymore (if it ever was?)
281 # uridnsbl URIBL_FLO flowgoaway.com. A
282 # body URIBL_FLO eval:check_uridnsbl('URIBL_FLO')
283 # describe URIBL_FLO web site in flowgoaway.com
284 # tflags URIBL_FLO net
288 body SOFTROU /\bwww\.softrou\.com\b/i
289 describe SOFTROU www.softrou.com
# Platform-wide rule: any mention of googlepages.com matches.
293 body GOOGLEPAGES /\bgooglepages\.com\b/i
294 describe GOOGLEPAGES spammers use googlepages
# Two hosts: softbestgrand.com and softwareonlinemuch.com. Case-sensitive.
298 body SOFTBESTGRAND /\bsoft(?:bestgrand|wareonlinemuch)\.com\b/
299 describe SOFTBESTGRAND softbestgrand.com
300 score SOFTBESTGRAND 4
# Large case-sensitive alternation of software-resale host names, followed
# by a dot with an optional single whitespace on either side and then "com"
# or "net". Some branches are patterns rather than fixed names, e.g.
# `erhere\w` and `x(?:higher|main|prime)(?:soft|software|easy)`.
303 body PCSOFTCHEAP /\b(?:pcsoftcheap|cheapezsoft|cheapsoftxp|adobe4cheap|phonowa|saleonsoftware|bestdealoem|realcheapsoft|krasniyles|cheapxp4pc|supercheapoem|lowpriceoem|realcheapoem|cheapadobedeal|softwarefoundation|2008oem|xpxmas|cheap2008soft|snowysoftware|2008adobe|adobe2008|cheapgetsoftone|x(?:higher|main|prime)(?:soft|software|easy)|softonlinepc|andsoftware|softonlinedownload|kunchakoem|erhere\w|kiroemch|phonowd|cheap(?:soft|oem|software)here|softwarenowprox|xprosoftonlinedl|siniyglaz|popandosoem|xsoftprodepot|triudava|krasniynos|fastsoftnow|cheapeasy(soft|oem|software)|ezadobenow|softnowpromohere|primenetsofthe|nowinstantsoftieq|isktesoft|best(?:oem|soft|software)2008|new2008(?:soft|oem|software)|fastez(?:soft|oem|software)|ezfast(?:oem|soft|software)|2008(?:micro)?softdeals|oemfactorysale|nbuysoft|softnuhere|softsale2008|softwintersale|blatnoyoem|svedsoft|gsxoempromo|getmicrosoftfast|adobeoemsale|xp4(?:cheap|less)|xpoemnow|buycheapxp|alloem4less|lun(?:soft|oem|software)|(?:new|fast)xp(?:soft|oem|software)|frukanoka|softcheap(?:n[eo]w|xp)|adobe(?:web|blog|new)(?:soft|spot|deal))\s?\.\s?(?:com|net)\b/
304 describe PCSOFTCHEAP pcsoftcheap. com
# None of the remaining rules in this group has an /i flag, so they match
# lower-case spellings only.
308 body GOLDGAME /\b(?:gamblingplacegold|goldgamesite|topgamingsite|richbestgaming|luxgoldgaming)\.(?:net|com)\b/
309 describe GOLDGAME gambling sites
313 body ENLARGETW /\b(?:enlarge|0rz)\.tw\b/
314 describe ENLARGETW enlarge.tw
318 body POSTTHROUGH /\b(?:postthrough|speedgrand|certaincoast)\.com\b/
319 describe POSTTHROUGH postthrough.com
# NOTE(review): the alternation includes bare "post" and "fresh", so names
# such as "postcard.com", "postcards.com" and "freshcards.com" match as well
# as the campaign host named in the description. Confirm that is wanted.
323 body UHAVE /\b(?:uhavepost|happy(?:santa)?|newyear|familypost|fresh|post)cards?-?(?:2008)?\.com\b/
324 describe UHAVE uhavepostcard.com
# Prefix (your/best/new/the/my), then "russian"-like spellings, "address" or
# "russ", then "wife" or "bride", then ".info".
328 body RUSSWIFE /\b(?:your|best|new|the|my)(?:russ[il]an?|address|russ)(?:wife|bride)\.info\b/
329 describe RUSSWIFE yourrussianwife.info
333 body HAPPY2008 /\b(?:happy2008toyou|hellosanta2008|hohoho2008|santawishes2008)\.com\b/
334 describe HAPPY2008 happy2008toyou.com
338 body BONGHIT /\b(?:beaverbonghits|dobongworld)\.com\b/
339 describe BONGHIT beaverbonghits.com
# "google" spelled with two or more o's, a TLD of "com", two letters, or
# "co"/"com" plus a two-letter suffix, then one or more slashes and either
# "search" or "pagead".
343 body GOOGLESEARCH /\bgoo+gle\.(com|\w\w|com?\.\w\w)\/+(?:search|pagead)/i
344 describe GOOGLESEARCH google search URL
# The separator before "com" may be a literal "." or the text "=2E".
# NOTE(review): "=2E" is the quoted-printable spelling of "."; whether a
# `body` test ever sees it undecoded should be confirmed.
348 body SIGAS /\b(?:Sigashash|Reelhotsi|Erisgoonti|Erisgoners|Freesignsies|Rielhotties|Foredroons|Feeshoons|Erisgant|hapburge|wuimooed|jiuezdoo|goingoinghom|buloies|Poeshages|Rueshabesoo|clitoriseries|clitorina|glueplot|crumbtost|ideaputs)(?:\.|\=2E)com\b/
349 describe SIGAS www.Sigashash.com
# The empty last branch in (?:home|live|blog|) makes that suffix optional.
353 body RUSSIABRIDE /\bruss[il]an?(bride|wife)(?:home|live|blog|)\.info\b/
354 describe RUSSIABRIDE russiabridehome.info
# No TLD in the pattern: matches "www.<name>" followed by a word boundary,
# whatever comes after it.
358 body REDMEHS /\bwww\.(?:redmehs|feltas|barataslo|quasibot|tageshes|flessimo|spendhope|instrumentstart)\b/
359 describe REDMEHS www.redmehs
363 body MYURL /\bmyurl\.com\.tw\b/i
364 describe MYURL myurl.com.tw
# No leading \b, so any name ending in "w0men.info" matches; the description
# lists two such hosts.
368 body W0MEN /w0men\.info\b/i
369 describe W0MEN hotw0men.info ukrw0men.info
373 body ACEMST /\bacemst\.com\b/
374 describe ACEMST acemst.com
378 body GALSINFO /\b(?:foreigngals|californiaimprove)\.info\b/i
379 describe GALSINFO foreigngals.info
383 body RIDGEST /\bridgest\.com\b/
384 describe RIDGEST ridgest.com
# softroi.com or softove.com, case-sensitive.
388 body SOFTROI /\bsoft(?:roi|ove)\.com\b/
389 describe SOFTROI softroi.com
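# Matches the host file-zone.co.uk or the name "File-Zone" (case-sensitive,
# unanchored). The dots are escaped so they match only a literal "."; left
# bare they would accept any character.
393 body FILEZONE /(file-zone\.co\.uk|File-Zone)/
394 describe FILEZONE File-Zone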
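# Matches 2j1f.com as a whole token, any case.
398 body X2J1F /\b2j1f\.com\b/i
399 describe X2J1F 2j1f.com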
403 body ILVE /\bilveant\.net\b/i
404 describe ILVE www.ilveant.net
408 body VIDEOFILBMS /www\.videofilbms\.cn/i
409 describe VIDEOFILBMS video filbms url
# The bare "." after "ca" matches any single character; the description
# ("cazabesoft.com etc.") suggests that wildcard is deliberate.
413 body ABESOFT /\bca.abesoft\.com\b/i
414 describe ABESOFT www.cazabesoft.com etc.
418 body STARLEYT /\bstarleyt\.com\b/i
419 describe STARLEYT starleyt.com
# "http://" immediately followed by "{": a URL whose host is still an
# unexpanded template placeholder.
423 body URLOEM /\bhttp\:\/\/\{/
424 describe URLOEM http://{urloem2}
428 body WILDERGO /\b(?:WilderGoLovan|golovable|BestGolova|SuperGolovaWorld)\.com\b/i
429 describe WILDERGO WilderGoLovan.com
433 body PROGOLD /\bprogold-inc\.com\b/i
434 describe PROGOLD progold-inc.com
438 body KMINU /\b(?:kminutte|rubstream)\.com\b/i
439 describe KMINU kminutte.com
443 body SCIJOURNALS /\bsciencejournals\.info\b/i
444 describe SCIJOURNALS scientific journals
# Address pattern: "jane", one digit, any further word characters, then
# "@hotmail.com" at the end of the matched text. Case-sensitive.
448 body JANEHOT /\bjane\d[\w\d]*\@hotmail\.com\s*$/
449 describe JANEHOT jane*@hotmail.com
# `rawbody` test, unlike the `body` tests around it. The separator before
# "com" may be a literal "." or the text "=2E". Case-sensitive.
453 rawbody BIFUTRA /\b(?:bifutra|veriapoli|xenifeao|toporaig|jieros|bifreca|werikine|incroomise|genbullenst|writeprovide)(?:\.|\=2E)com\b/
454 describe BIFUTRA spammer web sites
# Shape rule, not a domain rule: at least 55 characters, a non-space, one
# whitespace, then "http://www.<word>.(com|net|org)/" and nothing else.
458 body LONGLINEURL /^.{55,}\S\shttp:\/\/www\.\w+\.(?:com|net|org)\/\s*$/
459 describe LONGLINEURL long line ending in a simple url
# `uri` test: the regex is applied to URIs found in the message rather than
# to the body text. Explicit score of 5.
463 uri MYTHANKYOUURI /www\.mythankyou\.com/i
464 describe MYTHANKYOUURI www.mythankyou.com
465 score MYTHANKYOUURI 5
468 uri SAMEAS /\bsupersameas\.com\b/
469 describe SAMEAS supersameas.com
# Flags links to Windows executables: "http:" followed by non-space
# characters ending in ".exe". This is a `body` test despite the name.
# NOTE(review): the literal "http:" means "https:" links to an .exe are not
# covered; confirm whether that gap is intended.
473 body URIEXE /\bhttp:\S*\.exe\b/
474 describe URIEXE .exe url
478 uri SANSATION /\b(?:sansationel|garmenys|iconaliste)\.com\b/i
479 describe SANSATION sansationel.com
# Bare token, no TLD: matches the word "eqmeds" anywhere in the body.
483 body EQMEDS /\beqmeds\b/i
484 describe EQMEDS eqmeds
# NOTE(review): the trailing \b requires a word boundary right after
# "mylivegi", so the host in the description ("mylivegirlx.com") does not
# match as written. Confirm the intended pattern.
488 uri MYLIVE /\bmylivegi\b/i
489 describe MYLIVE mylivegirlx.com
# Whole-line match for an obfuscated host: "www", a separator, a non-space
# run, a separator, then com/net/org. Each separator is either whitespace,
# ".", optional whitespace, or optional whitespace followed by ".+".
# NOTE(review): `\.\+` matches a literal ".+"; if the intent was "dot
# followed by whitespace" it should read `\.\s+`. Confirm against sample
# mail before changing.
493 body BROKENURL /^\s*www((\s+\.\s*)|(\s*\.\+))\S+((\s+\.\s*)|(\s*\.\+))(com|net|org)\s*$/
494 describe BROKENURL Broken url displayed
# Bracket-obfuscated dot: word characters, "[<word>]", then com/net/org,
# e.g. "fooo[DOT]com". Any bracketed word is accepted, not only "DOT".
498 body STUPIDURL /\w+\[\w+\](?:com|net|org)/
499 describe STUPIDURL No one will guess that fooo[DOT]com is an URL!
# NOTE(review): the `eset` branch matches "eset.com", the domain of the
# antivirus vendor ESET; confirm that this is the intended target.
503 body SUGARCOM /\b(?:indicatesugar|industryexpect|eset)\.com\b/
504 describe SUGARCOM indicatesugar.com