# ORIENTSKY: body test for the literal string "orient-sky.com". Case-sensitive
# and unanchored, so it also matches inside a longer host name.
# NOTE(review): this and the other URL patterns in this file are `body` tests,
# which presumably see only the rendered message text; a link present solely in
# an HTML href would need a `uri` test -- confirm which is intended.
2 body ORIENTSKY /orient-sky\.com/
3 describe ORIENTSKY Japanese spam
# PACHETES: body test for the literal string "www.pachetes.com" (case-sensitive).
7 body PACHETES /www\.pachetes\.com/
8 describe PACHETES Spanish spam
11 # cjwatson, 2003/07/12
# NO_MORE_ACCENT: body test for the literal string "www.no-more-accent.com"
# (case-sensitive). The rule is given an explicit score of 4.
12 body NO_MORE_ACCENT /www\.no-more-accent\.com/
13 describe NO_MORE_ACCENT No More Accent spam
14 score NO_MORE_ACCENT 4
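# FETHARD: case-insensitive test of the Subject header for "fethard.biz".
# The dot is escaped so it matches only a literal "." rather than any character,
# which keeps the rule from firing on unrelated strings such as "fethardXbiz".
17 header FETHARD Subject =~ /fethard\.biz/i
18 describe FETHARD Spam from Fethard.biz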
21 # joy, 2003-10-21, 2003-10-31
# PHARMACYSPAM3: case-insensitive body test for "http://www.rxsalenow.biz" or
# "http://www.rxville.biz". The scheme is spelled out, so an https link or a
# bare host name without "http://" does not match.
22 body PHARMACYSPAM3 /http:\/\/www\.rx(salenow|ville)\.biz/i
23 describe PHARMACYSPAM3 pharmacy spam 3
26 # cjwatson, 2004-01-13
27 # blarson, any number 2004-04-01
28 # blarson, more adjustments 2004-04-03
# HREF_NNNN: body test for "www.", then three to five digits, then
# "hosting.com" (case-sensitive). There is no word boundary after "www.", so
# the digit run may be preceded by nothing else.
29 body HREF_NNNN /www\.\d{3,5}hosting\.com/
30 describe HREF_NNNN www.NNNNhosting.com spam
33 # cjwatson, 2004-02-16
# SOCCER_MOMS: body test for the literal string "www.soccer-moms.biz"
# (case-sensitive).
34 body SOCCER_MOMS /www\.soccer-moms\.biz/
35 describe SOCCER_MOMS Porn spam
38 # cjwatson, 2004-02-22
# MRSM_TILO: body test for the literal string "mrsm-tilo.com" (case-sensitive,
# unanchored, so any host name ending in it also matches).
39 body MRSM_TILO /mrsm-tilo\.com/
40 describe MRSM_TILO Medical spam
43 # cjwatson, 2004-02-27
# FAST_ACTING: body test for the literal string "fast-acting.com"
# (case-sensitive, unanchored).
44 body FAST_ACTING /fast-acting\.com/
45 describe FAST_ACTING Viagra spam
# COMCLICKPH: body test for the literal string "com-click.com.ph"
# (case-sensitive).
49 body COMCLICKPH /com-click\.com\.ph/
50 describe COMCLICKPH PH spam gang
# MEDS675: case-insensitive body test for "675meds.com" or "medsarergreat.com".
54 body MEDS675 /(675meds|medsarergreat)\.com/i
55 describe MEDS675 More drug spam
# ERHOME: case-insensitive body test for "erhome.com".
# NOTE(review): there is no leading \b, so any longer name that ends in
# "erhome.com" (constructed example: "summerhome.com") also matches -- confirm
# that this breadth is intended.
59 body ERHOME /erhome\.com/i
60 describe ERHOME loan spammer
# CANDYHOS: case-insensitive body test for a host ending in one of
# candyhos.com, mycountry.cc, polty.cc, make4u.cc, puchiphoto.org or
# purepure.org. The pattern requires a "." before the name and a "/" after it,
# so only sub-domain URLs with a path are matched.
64 body CANDYHOS /\.(?:candyhos\.com|(?:mycountry|polty|make4u)\.cc|puchiphoto\.org|purepure\.org)\//i
65 describe CANDYHOS spams from korea, hosts in japan
69 # don 2007-11-21 -- combine other rule; increment score
# GEOCITIES: case-insensitive body test for "http://" followed, anywhere later
# in the same chunk of body text, by "geocities". Because of the greedy ".*"
# the two strings do not have to belong to the same URL.
# NOTE(review): the comment above mentions a score, but no score line for
# GEOCITIES is visible in this excerpt (the listing's line numbers skip).
70 body GEOCITIES /http\:\/\/.*geocities/i
71 describe GEOCITIES geocities url
# EMPTYURL: case-insensitive body test for a bare "http://" or "http://www."
# with nothing after it; the "$" anchors the match to the end of the text being
# tested.
75 body EMPTYURL /\bhttp:\/\/(?:www\.)?$/i
76 describe EMPTYURL empty URL
# AMPRO: case-insensitive body test for "www.amateurprovideo.info".
80 body AMPRO /www\.amateurprovideo\.info/i
81 describe AMPRO bug submitting spammer
# IMAGESHACK: case-insensitive body test for "/img<digits>.imageshack.us/",
# i.e. a numbered image host with the slashes on both sides.
85 body IMAGESHACK /\/img\d+\.imageshack\.us\//i
86 describe IMAGESHACK shack attack
# MSOUTLOOK: header test that the x-mailer header contains "Microsoft Outlook"
# (case-insensitive, any amount of whitespace between the two words).
# NOTE(review): on its own this matches ordinary mail sent from Outlook. The
# name has no "__" prefix, so it is presumably scored by itself as well as
# through SHACKOUTLOOK below -- confirm that is intended.
91 header MSOUTLOOK x-mailer =~ /Microsoft\s+Outlook/i
92 describe MSOUTLOOK Microsoft Outlook
# SHACKOUTLOOK: meta rule that fires only when both IMAGESHACK and MSOUTLOOK
# have matched the same message.
95 meta SHACKOUTLOOK IMAGESHACK && MSOUTLOOK
96 describe SHACKOUTLOOK shack'ed to outlook
# UNSUBG: body test for "www.guiaartistica.com.ar" delimited by word boundaries
# (case-sensitive).
100 body UNSUBG /\bwww\.guiaartistica\.com\.ar\b/
101 describe UNSUBG spamming bts with unsubscribe messages
# IMGCLOSET: case-insensitive body test for "http://" followed later in the
# same text by one of the listed hosting domains: imagecloset.com,
# imagethrust.com, imagehosting.com, mypicshare.com, tinypic.com,
# fileanchor.com, imgspot.com, bilder-hosting.de, saunalahti.fi, upload2.net or
# imagehost.ro. The greedy ".*" means the domain need not be the host of that
# particular URL.
105 body IMGCLOSET /\bhttp\:\/\/.*\b((image(closet|thrust|hosting)|mypicshare|tinypic|fileanchor|imgspot)\.com|bilder-hosting\.de|saunalahti\.fi|upload2\.net|imagehost\.ro)\b/i
106 describe IMGCLOSET closet spammer
# TROUBLEDE: body test for "http://www.TroubleAgent.de".
# NOTE(review): the pattern has no /i modifier, so only this exact mixed-case
# spelling matches; an all-lowercase URL would not -- confirm that is intended.
110 body TROUBLEDE /\bhttp\:\/\/www\.TroubleAgent\.de\b/
111 describe TROUBLEDE troubleagent.de spam
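# BESTLOANS: case-insensitive body test for "www.bestmortloans.com".
# Both dots are escaped so they match only a literal "." and not any character,
# which keeps the rule from firing on look-alike strings with other separators.
115 body BESTLOANS /www\.bestmortloans\.com/i
116 describe BESTLOANS Best loans url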
119 # blarson 2007-07-22 2007-09-12
# PENPRO: case-insensitive body test for an "@" immediately followed by one of
# the listed names and ".info", i.e. e-mail addresses at those .info domains.
120 body PENPRO /\@(?:penmailpro|OnsetIng|openprotection|NearOut|SuperOnset|medicalgloveonline|YourOnset|GreatGloveCell|thegloveworks|asiafriendworld|NaturalImprove|charmshine|healthinsweb)\.info\b/i
121 describe PENPRO penmailpro spam
124 # blarson 2007-09-05 2007-09-11
# WWWCN: case-insensitive body test for any name under .cn, introduced either
# by "www." or by "http:"/"https:" somewhere earlier in the same text.
# NOTE(review): this is a whole-TLD match, so legitimate mail that mentions a
# .cn site also hits; the weight given to it is not visible in this excerpt.
125 body WWWCN /\b(?:www\.|https?\:.*)\w+\.cn\b/i
126 describe WWWCN chinese web site
129 # cjwatson, 2002/04/04
# EMAILOFFER: body test for the literal string "www.emailoffer.us"
# (case-sensitive).
130 body EMAILOFFER /www\.emailoffer\.us/
131 describe EMAILOFFER Gibberish HTML spammers
134 # cjwatson, 2002/04/08
# JUSTYAK: body test for "www.JustYak.com". There is no /i modifier, so only
# this exact capitalisation matches.
135 body JUSTYAK /www\.JustYak\.com/
136 describe JUSTYAK JustSpam
# SIZMATZ: case-insensitive body test for "size-matterz.com" between word
# boundaries.
140 body SIZMATZ /\bsize-matterz\.com\b/i
141 describe SIZMATZ size matterz
# EMAGX: case-insensitive body test for "http://emagx.net".
145 body EMAGX /\bhttp\:\/\/emagx\.net\b/i
146 describe EMAGX wondercum spammer
# FREENFL: case-insensitive body test for "http://freeNFLtracker.com".
150 body FREENFL /\bhttp\:\/\/freeNFLtracker\.com\b/i
151 describe FREENFL nfl spam
# SPAMARREST: body test for "http://www.spamarrest.com" (case-sensitive).
155 body SPAMARREST /\bhttp\:\/\/www\.spamarrest\.com\b/
156 describe SPAMARREST forwards thier spam problem
# FROMAD: case-insensitive body test for "http://" directly followed by one of
# budhipps.com, fromad.com, conavel.com, cliensy.com or comnoe.com. A "www."
# prefix is not allowed for by the pattern.
160 body FROMAD /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe)\.com\b/i
161 describe FROMAD more penis spam
# URIBL_CNKR: URI DNS blocklist check. The uridnsbl line binds the rule name to
# the zone cn-kr.blackholes.us with A-record lookups, the eval line turns the
# lookup result into a rule hit, and the tflags line marks it as a network test.
# NOTE(review): confirm that this zone is still served. This file already
# retires URIBL_FLO because its list stopped working; a lapsed zone can time
# out on every message or, if the domain is re-registered with wildcard DNS,
# return a listing for every URL.
165 uridnsbl URIBL_CNKR cn-kr.blackholes.us. A
166 body URIBL_CNKR eval:check_uridnsbl('URIBL_CNKR')
167 describe URIBL_CNKR china or korea hosted web site
168 tflags URIBL_CNKR net
# Domains that are excluded from the URI blocklist lookups above and below.
172 uridnsbl_skip_domain debian.org debian.net yahoo.com google.com
# URIBL_SBL: URI DNS blocklist check against sbl.spamhaus.org (A records).
# NOTE(review): unlike URIBL_CNKR, no "tflags URIBL_SBL net" line is visible
# here; the listing's line numbers skip after this rule, so it may simply be
# outside the excerpt -- confirm that the rule is flagged as a network test.
175 uridnsbl URIBL_SBL sbl.spamhaus.org. A
176 body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
177 describe URIBL_SBL Contains an URL listed in the SBL blocklist
# MYCHEAP: case-insensitive body test for a family of generated shop names:
# optional "my", then "cheap", optional "xp" or "adobe", one or more of
# "oem"/"soft", optional "now"/"ware", optional "less" (itself optionally
# prefixed by "4" or "for"), optional digits, then ".com". Whitespace is allowed
# on either side of the dot to catch "name . com" obfuscation.
183 body MYCHEAP /\b(?:my)?cheap(?:xp|adobe)?(?:oem|soft)+(?:now|ware)?(?:(?:4|for)?less)?\d*\s*\.\s*com\b/i
184 describe MYCHEAP software spam
# WWWRU: case-insensitive body test for any name under .ru, introduced by
# "www." or by "http:"/"https:" earlier in the same text.
# NOTE(review): whole-TLD match; legitimate mail that mentions a .ru site also
# hits. The weight given to it is not visible in this excerpt.
188 body WWWRU /\b(?:www\.|https?\:.*)\w+\.ru\b/i
189 describe WWWRU russian web site
# VIPSMS: case-insensitive body test for "vipsms.org" between word boundaries.
193 body VIPSMS /\bvipsms\.org\b/i
194 describe VIPSMS vipsms.org
# MAKEUP: case-insensitive test of the subject header for "makeup.com". There
# is no leading \b, so longer names ending in "makeup.com" match as well.
198 header MAKEUP subject =~ /makeup\.com/i
199 describe MAKEUP makeup.com url
# SUBT: case-insensitive body test for "subtracthold.com".
203 body SUBT /\bsubtracthold\.com\b/i
204 describe SUBT subtracthold.com
# GRAPHICMAIL: case-insensitive body test for "http://www.graphicmail.de".
207 body GRAPHICMAIL /\bhttp\:\/\/www\.graphicmail\.de\b/i
208 describe GRAPHICMAIL graphicmail.de
# WWWRO: case-insensitive body test for any name under .ro, built the same way
# as WWWRU above and with the same whole-TLD breadth.
212 body WWWRO /\b(?:www\.|https?\:.*)\w+\.ro\b/i
213 describe WWWRO romanian web site
# CLEANDOM: body test for the literal text "http://{_clean_domains}", i.e. a
# template placeholder that the sending software left unexpanded.
217 body CLEANDOM /http\:\/\/\{_clean_domains\}/
218 describe CLEANDOM broken spamware
# SOFTNLSE: case-insensitive body test for "softnlse.com", allowing whitespace
# on either side of the dot.
222 body SOFTNLSE /\bsoftnlse\s*\.\s*com\b/i
223 describe SOFTNLSE softnlse.com
# MUSVID: case-insensitive body test for "MusicAndVideoWorld.com" or
# "usa-bestsellers.com". No trailing \b, so a longer TLD-like suffix after
# ".com" does not prevent a match.
227 body MUSVID /\b(?:MusicAndVideoWorld|usa-bestsellers)\.com/i
228 describe MUSVID MusicAndVideoWorld.com
# PLATSOFT: case-insensitive body test for "theplatinumsoft.com".
232 body PLATSOFT /\btheplatinumsoft\.com\b/i
233 describe PLATSOFT theplatinumsoft.com
# BLOGSPOT: case-insensitive body test for any mention of "blogspot.com".
# NOTE(review): this hits every blog on that host, not only abusive ones; the
# weight given to it is not visible in this excerpt.
237 body BLOGSPOT /\bblogspot\.com\b/i
238 describe BLOGSPOT spammers are hosting on blogspot
# PILLUS: case-insensitive body test for "pill-us.com" (no leading \b).
242 body PILLUS /PILL-US\.COM\b/i
243 describe PILLUS PILL-US spam
# BETWEENTO: case-insensitive body test for "http://betweento.com".
247 body BETWEENTO /\bhttp\:\/\/betweento\.com\b/i
248 describe BETWEENTO betweento.com
# MASZON: case-insensitive body test for "ma" or "mca" followed by "szon",
# "yvidol" or "ttk", then ".com", ".org" or ".net". The pattern is unanchored
# on both sides, so it also matches inside longer names.
252 body MASZON /mc?a(szon|yvidol|ttk)\.(com|org|net)/i
253 describe MASZON pron spam
# GMAIL: case-insensitive body test for any "@gmail.com" address in the text.
# NOTE(review): this fires on every message that quotes a Gmail address,
# including legitimate ones; the weight given to it is not visible in this
# excerpt, so confirm it is low or only used in combination.
258 body GMAIL /\@gmail\.com\b/i
259 describe GMAIL @gmail.com
# MAILRU: case-insensitive body test for any "@mail.ru" address in the text;
# the same breadth caveat as GMAIL applies.
263 body MAILRU /\@mail\.ru\b/i
264 describe MAILRU @mail.ru
# ADOBE4LESS: case-insensitive body test for adobe4less, realnewsoft,
# newmicrosoftdeals or kvaka-soft followed by "com", where the separator may be
# "." or "," with optional whitespace around it.
268 body ADOBE4LESS /\b(?:adobe4less|realnewsoft|newmicrosoftdeals|kvaka-soft)\s*[.,]\s*com\b/i
269 describe ADOBE4LESS adobe4less . com
# RMAPPLY: case-insensitive body test for "http://rmapply.com".
273 body RMAPPLY /http\:\/\/rmapply\.com\b/i
274 describe RMAPPLY http://rmapply.com
# HANOIFASH: case-insensitive test of the subject header for
# "www.hanoi-fashion.com".
278 header HANOIFASH subject =~ /WWW\.HANOI-FASHION\.COM/i
279 describe HANOIFASH WWW.HANOI-FASHION.COM
# ONLINEMED: case-insensitive body test for one of the listed names followed by
# ".com", with optional whitespace around the dot.
# NOTE(review): the alternative "pharm\w*" matches every .com name that starts
# with "pharm", which is far wider than the other fixed names -- confirm that
# this breadth is intended.
283 body ONLINEMED /\b(?:onlinemedicalkey|pharm\w*|webvinz|wendebay|webdcd|vowelstep|wclth|duringgear|broadbasic|instantsuffix|magnetdouble|drugsdirecteat)\s*\.\s*com\b/i
284 describe ONLINEMED onlinemedicalkey.com
# GETUP: case-insensitive body test for "getupgradednow.com".
288 body GETUP /\bgetupgradednow\.com\b/i
289 describe GETUP getupgradednow.com
292 # blarson (pusling's idea) 2007-11-16
# SPACECOM: body test for text that begins with a run of word characters
# followed by " . com" (exactly one whitespace character on each side of the
# dot). The "^" anchors the match to the start of the text being tested.
293 body SPACECOM /^[\w\d]+\s\.\scom\b/
294 describe SPACECOM whatever . com
297 # don -- flowgoaway.com doesn't appear to be a working RBL anymore (if it ever was?)
299 # uridnsbl URIBL_FLO flowgoaway.com. A
300 # body URIBL_FLO eval:check_uridnsbl('URIBL_FLO')
301 # describe URIBL_FLO web site in flowgoaway.com
302 # tflags URIBL_FLO net
# SOFTROU: case-insensitive body test for "www.softrou.com".
306 body SOFTROU /\bwww\.softrou\.com\b/i
307 describe SOFTROU www.softrou.com
# GOOGLEPAGES: case-insensitive body test for any mention of "googlepages.com".
# NOTE(review): this hits every page on that host, not only abusive ones.
311 body GOOGLEPAGES /\bgooglepages\.com\b/i
312 describe GOOGLEPAGES spammers use googlepages
# SOFTBESTGRAND: body test for "softbestgrand.com" or "softwareonlinemuch.com"
# (case-sensitive). The rule is given an explicit score of 4.
316 body SOFTBESTGRAND /\bsoft(?:bestgrand|wareonlinemuch)\.com\b/
317 describe SOFTBESTGRAND softbestgrand.com
318 score SOFTBESTGRAND 4
# PCSOFTCHEAP: body test for a long list of software-shop names followed by
# ".com" or ".net", with at most one whitespace character allowed on each side
# of the dot. The match is case-sensitive. Several alternatives are small
# sub-patterns rather than fixed names (for example "erhere\w" and the
# "x(higher|main|prime)(soft|software|easy)" family).
321 body PCSOFTCHEAP /\b(?:pcsoftcheap|cheapezsoft|cheapsoftxp|adobe4cheap|phonowa|saleonsoftware|bestdealoem|realcheapsoft|krasniyles|cheapxp4pc|supercheapoem|lowpriceoem|realcheapoem|cheapadobedeal|softwarefoundation|2008oem|xpxmas|cheap2008soft|snowysoftware|2008adobe|adobe2008|cheapgetsoftone|x(?:higher|main|prime)(?:soft|software|easy)|softonlinepc|andsoftware|softonlinedownload|kunchakoem|erhere\w|kiroemch|phonowd|cheap(?:soft|oem|software)here|softwarenowprox|xprosoftonlinedl|siniyglaz|popandosoem|xsoftprodepot|triudava|krasniynos|fastsoftnow|cheapeasy(soft|oem|software)|ezadobenow|softnowpromohere|primenetsofthe|nowinstantsoftieq|isktesoft|best(?:oem|soft|software)2008|new2008(?:soft|oem|software)|fastez(?:soft|oem|software)|ezfast(?:oem|soft|software)|2008(?:micro)?softdeals|oemfactorysale|nbuysoft|softnuhere|softsale2008|softwintersale|blatnoyoem|svedsoft|gsxoempromo|getmicrosoftfast)\s?\.\s?(?:com|net)\b/
322 describe PCSOFTCHEAP pcsoftcheap. com
# GOLDGAME: body test for one of five gambling-site names under ".net" or
# ".com" (case-sensitive).
326 body GOLDGAME /\b(?:gamblingplacegold|goldgamesite|topgamingsite|richbestgaming|luxgoldgaming)\.(?:net|com)\b/
327 describe GOLDGAME gambling sites
# ENLARGETW: body test for "enlarge.tw" or "0rz.tw" (case-sensitive).
331 body ENLARGETW /\b(?:enlarge|0rz)\.tw\b/
332 describe ENLARGETW enlarge.tw
# POSTTHROUGH: body test for postthrough.com, speedgrand.com or
# certaincoast.com (case-sensitive).
336 body POSTTHROUGH /\b(?:postthrough|speedgrand|certaincoast)\.com\b/
337 describe POSTTHROUGH postthrough.com
# UHAVE: body test for greeting-card style names: one of uhavepost, happy,
# happysanta, newyear, familypost, fresh or post, then "card" or "cards", an
# optional "-", an optional "2008", then ".com" (case-sensitive).
# NOTE(review): the shortest forms (for example "postcard.com") are generic
# names, so confirm the false-positive rate is acceptable.
341 body UHAVE /\b(?:uhavepost|happy(?:santa)?|newyear|familypost|fresh|post)cards?-?(?:2008)?\.com\b/
342 describe UHAVE uhavepostcard.com
# RUSSWIFE: body test for a prefix (your/best/new/the/my), a middle part
# (russia, russian, russla, russlan, address or russ) and "wife" or "bride",
# followed by ".info" (case-sensitive). "[il]" also catches the i/l swap.
346 body RUSSWIFE /\b(?:your|best|new|the|my)(?:russ[il]an?|address|russ)(?:wife|bride)\.info\b/
347 describe RUSSWIFE yourrussianwife.info
# HAPPY2008: body test for four seasonal names under ".com" (case-sensitive).
351 body HAPPY2008 /\b(?:happy2008toyou|hellosanta2008|hohoho2008|santawishes2008)\.com\b/
352 describe HAPPY2008 happy2008toyou.com
# BONGHIT: body test for beaverbonghits.com or dobongworld.com (case-sensitive).
356 body BONGHIT /\b(?:beaverbonghits|dobongworld)\.com\b/
357 describe BONGHIT beaverbonghits.com
# GOOGLESEARCH: case-insensitive body test for "google" (with two or more "o")
# under .com, a two-letter TLD, or a "co."/"com." two-letter TLD, followed by a
# path that starts with "search" or "pagead".
# NOTE(review): this also matches ordinary search links that people paste into
# legitimate mail; the weight given to it is not visible in this excerpt.
361 body GOOGLESEARCH /\bgoo+gle\.(com|\w\w|com?\.\w\w)\/+(?:search|pagead)/i
362 describe GOOGLESEARCH google search URL
# SIGAS: body test for one of the listed generated names followed by "com",
# where the dot may be literal or written as "=2E" (the quoted-printable
# encoding of "."). The match is case-sensitive, so the capitalised names only
# match with exactly this capitalisation.
366 body SIGAS /\b(?:Sigashash|Reelhotsi|Erisgoonti|Erisgoners|Freesignsies|Rielhotties|Foredroons|Feeshoons|Erisgant|hapburge|wuimooed|jiuezdoo|goingoinghom|buloies|Poeshages|Rueshabesoo|clitoriseries|clitorina|glueplot|crumbtost|ideaputs)(?:\.|\=2E)com\b/
367 describe SIGAS www.Sigashash.com
# RUSSIABRIDE: body test for russia/russian (or the i/l-swapped spellings),
# then "bride" or "wife", then an optional "home", "live" or "blog", followed
# by ".info" (case-sensitive).
371 body RUSSIABRIDE /\bruss[il]an?(bride|wife)(?:home|live|blog|)\.info\b/
372 describe RUSSIABRIDE russiabridehome.info
# REDMEHS: body test for "www." followed by one of the listed names
# (case-sensitive). No TLD is part of the pattern, so any suffix after the name
# that starts at a word boundary matches.
376 body REDMEHS /\bwww\.(?:redmehs|feltas|barataslo|quasibot|tageshes|flessimo|spendhope|instrumentstart)\b/
377 describe REDMEHS www.redmehs
# MYURL: case-insensitive body test for "myurl.com.tw".
381 body MYURL /\bmyurl\.com\.tw\b/i
382 describe MYURL myurl.com.tw
# W0MEN: case-insensitive body test for any name ending in "w0men.info". The
# missing leading \b is what lets both names in the description match.
386 body W0MEN /w0men\.info\b/i
387 describe W0MEN hotw0men.info ukrw0men.info
# ACEMST: body test for "acemst.com" (case-sensitive).
391 body ACEMST /\bacemst\.com\b/
392 describe ACEMST acemst.com
# GALSINFO: case-insensitive body test for foreigngals.info or
# californiaimprove.info.
396 body GALSINFO /\b(?:foreigngals|californiaimprove)\.info\b/i
397 describe GALSINFO foreigngals.info
# RIDGEST: body test for "ridgest.com" (case-sensitive).
401 body RIDGEST /\bridgest\.com\b/
402 describe RIDGEST ridgest.com
# SOFTROI: body test for "softroi.com" or "softove.com" (case-sensitive).
406 body SOFTROI /\bsoft(?:roi|ove)\.com\b/
407 describe SOFTROI softroi.com
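# FILEZONE: body test for the host "file-zone.co.uk" or the brand spelling
# "File-Zone" (case-sensitive). The dots in the host name are escaped so they
# match only a literal "." and not any character.
411 body FILEZONE /(file-zone\.co\.uk|File-Zone)/
412 describe FILEZONE File-Zone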
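# X2J1F: case-insensitive body test for "2j1f.com" between word boundaries.
# The directive keyword is written in lower case like every other rule here.
416 body X2J1F /\b2j1f\.com\b/i
417 describe X2J1F 2j1f.com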
# ILVE: case-insensitive body test for "ilveant.net" between word boundaries.
# The pattern does not require the "www." shown in the description.
421 body ILVE /\bilveant\.net\b/i
422 describe ILVE www.ilveant.net