1 # -*- mode: spamassassin -*-
3 body ORIENTSKY /orient-sky\.com/
4 describe ORIENTSKY Japanese spam
8 body PACHETES /www\.pachetes\.com/
9 describe PACHETES Spanish spam
12 # cjwatson, 2003/07/12
13 body NO_MORE_ACCENT /www\.no-more-accent\.com/
14 describe NO_MORE_ACCENT No More Accent spam
15 score NO_MORE_ACCENT 4
18 header FETHARD Subject =~ /fethard.biz/i
19 describe FETHARD Spam from Fethard.biz
22 # joy, 2003-10-21, 2003-10-31
23 body PHARMACYSPAM3 /http:\/\/www\.rx(salenow|ville)\.biz/i
24 describe PHARMACYSPAM3 pharmacy spam 3
27 # cjwatson, 2004-01-13
28 # blarson, any number 2004-04-01
29 # blarson, more ajustmets 2004-04-03
30 body HREF_NNNN /www\.\d{3,5}hosting\.com/
31 describe HREF_NNNN www.NNNNhosting.com spam
34 # cjwatson, 2004-02-16
35 body SOCCER_MOMS /www\.soccer-moms\.biz/
36 describe SOCCER_MOMS Porn spam
39 # cjwatson, 2004-02-22
40 body MRSM_TILO /mrsm-tilo\.com/
41 describe MRSM_TILO Medical spam
44 # cjwatson, 2004-02-27
45 body FAST_ACTING /fast-acting\.com/
46 describe FAST_ACTING Viagra spam
50 body COMCLICKPH /com-click\.com\.ph/
51 describe COMCLICKPH PH spam gang
55 body MEDS675 /(675meds|medsarergreat)\.com/i
56 describe MEDS675 More drug spam
60 body ERHOME /erhome\.com/i
61 describe ERHOME loan spammer
65 body CANDYHOS /\.(?:candyhos\.com|(?:mycountry|polty|make4u)\.cc|puchiphoto\.org|purepure\.org)\//i
66 describe CANDYHOS spams from korea, hosts in japan
70 # don 2007-11-21 -- combine other rule; increment score
71 # don 2009-02-17 -- increase score even more; ditch http
72 uri GEOCITIES /geocities/i
73 describe GEOCITIES geocities uri
77 body EMPTYURL /\bhttp:\/\/(?:www\.)?$/i
78 describe EMPTYURL empty URL
82 body AMPRO /www\.amateurprovideo\.info/i
83 describe AMPRO bug submitting spammer
87 body IMAGESHACK /\/img\d+\.imageshack\.us\//i
88 describe IMAGESHACK shack attack
93 header MSOUTLOOK x-mailer =~ /Microsoft\s+Outlook/i
94 describe MSOUTLOOK Microsoft Outlook
97 meta SHACKOUTLOOK IMAGESHACK && MSOUTLOOK
98 describe SHACKOUTLOOK shack'ed to outlook
102 body UNSUBG /\bwww\.guiaartistica\.com\.ar\b/
103 describe UNSUBG spamming bts with unsubscribe messages
107 body IMGCLOSET /\bhttp\:\/\/.*\b((image(closet|thrust|hosting)|mypicshare|tinypic|fileanchor|imgspot)\.com|bilder-hosting\.de|saunalahti\.fi|upload2\.net|imagehost\.ro)\b/i
108 describe IMGCLOSET closet spammer
112 body TROUBLEDE /\bhttp\:\/\/www\.TroubleAgent\.de\b/
113 describe TROUBLEDE troubleagent.de spam
117 body BESTLOANS /www.bestmortloans.com/i
118 describe BESTLOANS Best loans url
121 # blarson 2007-07-22 2007-09-12
122 body PENPRO /\@(?:penmailpro|OnsetIng|openprotection|NearOut|SuperOnset|medicalgloveonline|YourOnset|GreatGloveCell|thegloveworks|asiafriendworld|NaturalImprove|charmshine|healthinsweb)\.info\b/i
123 describe PENPRO penmailpro spam
126 # blarson 2007-09-05 2007-09-11
127 body WWWCN /\b(?:www\.|https?\:.*)\w+\.cn\b/i
128 describe WWWCN chinese web site
131 # cjwatson, 2002/04/04
132 body EMAILOFFER /www\.emailoffer\.us/
133 describe EMAILOFFER Gibberish HTML spammers
136 # cjwatson, 2002/04/08
137 body JUSTYAK /www\.JustYak\.com/
138 describe JUSTYAK JustSpam
142 body SIZMATZ /\bsize-matterz\.com\b/i
143 describe SIZMATZ size matterz
147 body EMAGX /\bhttp\:\/\/emagx\.net\b/i
148 describe EMAGX wondercum spammer
152 body FREENFL /\bhttp\:\/\/freeNFLtracker\.com\b/i
153 describe FREENFL nfl spam
157 body SPAMARREST /\bhttp\:\/\/www\.spamarrest\.com\b/
158 describe SPAMARREST forwards thier spam problem
162 body FROMAD /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe|mybudshop)\.com\b/i
163 describe FROMAD more penis spam
167 body MYCHEAP /\b(?:my)?cheap(?:xp|adobe)?(?:oem|soft)+(?:now|ware)?(?:(?:4|for)?less)?\d*\s*\.\s*com\b/i
168 describe MYCHEAP software spam
172 body WWWRU /\b(?:www\.|https?\:.*)\w+\.ru\b/i
173 describe WWWRU russian web site
177 body VIPSMS /\bvipsms\.org\b/i
178 describe VIPSMS vipsms.org
182 header MAKEUP subject =~ /makeup\.com/i
183 describe MAKEUP makeup.com url
187 body SUBT /\bsubtracthold\.com\b/i
188 describe SUBT subtracthold.com
191 body GRAPHICMAIL /\bhttp\:\/\/www\.graphicmail\.de\b/i
192 describe GRAPHICMAIL graphicmail.de
196 body WWWRO /\b(?:www\.|https?\:.*)\w+\.ro\b/i
197 describe WWWRO romanian web site
201 body CLEANDOM /http\:\/\/\{_clean_domains\}/
202 describe CLEANDOM broken spamware
206 body SOFTNLSE /\bsoftnlse\s*\.\s*com\b/i
207 describe SOFTNLSE softnlse.com
211 body MUSVID /\b(?:MusicAndVideoWorld|usa-bestsellers)\.com/i
212 describe MUSVID MusicAndVideoWorld.com
216 body PLATSOFT /\btheplatinumsoft\.com\b/i
217 describe PLATSOFT theplatinumsoft.com
221 body BLOGSPOT /\bblogspot\.com\b/i
222 describe BLOGSPOT spammers are hosting on blogspot
226 body PILLUS /PILL-US\.COM\b/i
227 describe PILLUS PILL-US spam
231 body BETWEENTO /\bhttp\:\/\/betweento\.com\b/i
232 describe BETWEENTO betweento.com
236 body MASZON /mc?a(szon|yvidol|ttk)\.(com|org|net)/i
237 describe MASZON pron spam
242 body GMAIL /\@gmail\.com\b/i
243 describe GMAIL @gmail.com
247 body MAILRU /\@mail\.ru\b/i
248 describe MAILRU @mail.ru
252 body ADOBE4LESS /\b(?:adobe4less|realnewsoft|newmicrosoftdeals|kvaka-soft)\s*[.,]\s*com\b/i
253 describe ADOBE4LESS adobe4less . com
257 body RMAPPLY /http\:\/\/rmapply\.com\b/i
258 describe RMAPPLY http://rmapply.com
262 header HANOIFASH subject =~ /WWW\.HANOI-FASHION\.COM/i
263 describe HANOIFASH WWW.HANOI-FASHION.COM
267 body ONLINEMED /\b(?:onlinemedicalkey|pharm\w*|webvinz|wendebay|webdcd|vowelstep|wclth|duringgear|broadbasic|instantsuffix|magnetdouble|drugsdirecteat)\s*\.\s*com\b/i
268 describe ONLINEMED onlinemedicalkey.com
272 body GETUP /\bgetupgradednow\.com\b/i
273 describe GETUP getupgradednow.com
276 # blarson (pusling's idea) 2007-11-16
277 body SPACECOM /^[\w\d]+\s\.\scom\b/
278 describe SPACECOM whatever . com
281 # don -- flowgoaway.com doesn't appear to be a working RBL anymore (if it ever was?)
283 # uridnsbl URIBL_FLO flowgoaway.com. A
284 # body URIBL_FLO eval:check_uridnsbl('URIBL_FLO')
285 # describe URIBL_FLO web site in flowgoaway.com
286 # tflags URIBL_FLO net
290 body SOFTROU /\bwww\.softrou\.com\b/i
291 describe SOFTROU www.softrou.com
295 body GOOGLEPAGES /\bgooglepages\.com\b/i
296 describe GOOGLEPAGES spammers use googlepages
300 body SOFTBESTGRAND /\bsoft(?:bestgrand|wareonlinemuch)\.com\b/
301 describe SOFTBESTGRAND softbestgrand.com
302 score SOFTBESTGRAND 4
305 body PCSOFTCHEAP /\b(?:pcsoftcheap|cheapezsoft|cheapsoftxp|adobe4cheap|phonowa|saleonsoftware|bestdealoem|realcheapsoft|krasniyles|cheapxp4pc|supercheapoem|lowpriceoem|realcheapoem|cheapadobedeal|softwarefoundation|2008oem|xpxmas|cheap2008soft|snowysoftware|2008adobe|adobe2008|cheapgetsoftone|x(?:higher|main|prime)(?:soft|software|easy)|softonlinepc|andsoftware|softonlinedownload|kunchakoem|erhere\w|kiroemch|phonowd|cheap(?:soft|oem|software)here|softwarenowprox|xprosoftonlinedl|siniyglaz|popandosoem|xsoftprodepot|triudava|krasniynos|fastsoftnow|cheapeasy(soft|oem|software)|ezadobenow|softnowpromohere|primenetsofthe|nowinstantsoftieq|isktesoft|best(?:oem|soft|software)2008|new2008(?:soft|oem|software)|fastez(?:soft|oem|software)|ezfast(?:oem|soft|software)|2008(?:micro)?softdeals|oemfactorysale|nbuysoft|softnuhere|softsale2008|softwintersale|blatnoyoem|svedsoft|gsxoempromo|getmicrosoftfast|adobeoemsale|xp4(?:cheap|less)|xpoemnow|buycheapxp|alloem4less|lun(?:soft|oem|software)|(?:new|fast)xp(?:soft|oem|software)|frukanoka|softcheap(?:n[eo]w|xp)|adobe(?:web|blog|new)(?:soft|spot|deal))\s?\.\s?(?:com|net)\b/
306 describe PCSOFTCHEAP pcsoftcheap. com
310 body GOLDGAME /\b(?:gamblingplacegold|goldgamesite|topgamingsite|richbestgaming|luxgoldgaming)\.(?:net|com)\b/
311 describe GOLDGAME gambling sites
315 body ENLARGETW /\b(?:enlarge|0rz)\.tw\b/
316 describe ENLARGETW enlarge.tw
320 body POSTTHROUGH /\b(?:postthrough|speedgrand|certaincoast)\.com\b/
321 describe POSTTHROUGH postthrough.com
325 body UHAVE /\b(?:uhavepost|happy(?:santa)?|newyear|familypost|fresh|post)cards?-?(?:2008)?\.com\b/
326 describe UHAVE uhavepostcard.com
330 body RUSSWIFE /\b(?:your|best|new|the|my)(?:russ[il]an?|address|russ)(?:wife|bride)\.info\b/
331 describe RUSSWIFE yourrussianwife.info
335 body HAPPY2008 /\b(?:happy2008toyou|hellosanta2008|hohoho2008|santawishes2008)\.com\b/
336 describe HAPPY2008 happy2008toyou.com
340 body BONGHIT /\b(?:beaverbonghits|dobongworld)\.com\b/
341 describe BONGHIT beaverbonghits.com
345 body GOOGLESEARCH /\bgoo+gle\.(com|\w\w|com?\.\w\w)\/+(?:search|pagead)/i
346 describe GOOGLESEARCH google search URL
350 body SIGAS /\b(?:Sigashash|Reelhotsi|Erisgoonti|Erisgoners|Freesignsies|Rielhotties|Foredroons|Feeshoons|Erisgant|hapburge|wuimooed|jiuezdoo|goingoinghom|buloies|Poeshages|Rueshabesoo|clitoriseries|clitorina|glueplot|crumbtost|ideaputs)(?:\.|\=2E)com\b/
351 describe SIGAS www.Sigashash.com
355 body RUSSIABRIDE /\bruss[il]an?(bride|wife)(?:home|live|blog|)\.info\b/
356 describe RUSSIABRIDE russiabridehome.info
360 body REDMEHS /\bwww\.(?:redmehs|feltas|barataslo|quasibot|tageshes|flessimo|spendhope|instrumentstart)\b/
361 describe REDMEHS www.redmehs
365 body MYURL /\bmyurl\.com\.tw\b/i
366 describe MYURL myurl.com.tw
370 body W0MEN /w0men\.info\b/i
371 describe W0MEN hotw0men.info ukrw0men.info
375 body ACEMST /\bacemst\.com\b/
376 describe ACEMST acemst.com
380 body GALSINFO /\b(?:foreigngals|californiaimprove)\.info\b/i
381 describe GALSINFO foreigngals.info
385 body RIDGEST /\bridgest\.com\b/
386 describe RIDGEST ridgest.com
390 body SOFTROI /\bsoft(?:roi|ove)\.com\b/
391 describe SOFTROI softroi.com
395 body FILEZONE /(file-zone.co.uk|File-Zone)/
396 describe FILEZONE File-Zone
400 body X2J1F /\b2j1f\.com\b/i
401 descrIbe X2J1F 2j1f.com
405 body ILVE /\bilveant\.net\b/i
406 describe ILVE www.ilveant.net
410 body VIDEOFILBMS /www\.videofilbms\.cn/i
411 describe VIDEOFILBMS video filbms url
415 body ABESOFT /\bca.abesoft\.com\b/i
416 describe ABESOFT www.cazabesoft.com etc.
420 body STARLEYT /\bstarleyt\.com\b/i
421 describe STARLEYT starleyt.com
425 body URLOEM /\bhttp\:\/\/\{/
426 describe URLOEM http://{urloem2}
430 body WILDERGO /\b(?:WilderGoLovan|golovable|BestGolova|SuperGolovaWorld)\.com\b/i
431 describe WILDERGO WilderGoLovan.com
435 body PROGOLD /\bprogold-inc\.com\b/i
436 describe PROGOLD progold-inc.com
440 body KMINU /\b(?:kminutte|rubstream)\.com\b/i
441 describe KMINU kminutte.com
445 body SCIJOURNALS /\bsciencejournals\.info\b/i
446 describe SCIJOURNALS scientific journals
450 body JANEHOT /\bjane\d[\w\d]*\@hotmail\.com\s*$/
451 describe JANEHOT jane*@hotmail.com
455 rawbody BIFUTRA /\b(?:bifutra|veriapoli|xenifeao|toporaig|jieros|bifreca|werikine|incroomise|genbullenst|writeprovide)(?:\.|\=2E)com\b/
456 describe BIFUTRA spammer web sites
460 body LONGLINEURL /^.{55,}\S\shttp:\/\/www\.\w+\.(?:com|net|org)\/\s*$/
461 describe LONGLINEURL long line ending in a simple url
465 uri MYTHANKYOUURI /www\.mythankyou\.com/i
466 describe MYTHANKYOUURI www.mythankyou.com
467 score MYTHANKYOUURI 5
470 uri SAMEAS /\bsupersameas\.com\b/
471 describe SAMEAS supersameas.com
475 body URIEXE /\bhttp:\S*\.exe\b/
476 describe URIEXE .exe url
480 uri SANSATION /\b(?:sansationel|garmenys|iconaliste)\.com\b/i
481 describe SANSATION sansationel.com
485 body EQMEDS /\beqmeds\b/i
486 describe EQMEDS eqmeds
490 uri MYLIVE /\bmylivegi\b/i
491 describe MYLIVE mylivegirlx.com
495 body BROKENURL /^\s*www((\s+\.\s*)|(\s*\.\+))\S+((\s+\.\s*)|(\s*\.\+))(com|net|org)\s*$/
496 describe BROKENURL Broken url displayed
500 body STUPIDURL /\w+\[\w+\](?:com|net|org)/
501 describe STUPIDURL No one will guess that fooo[DOT]com is an URL!
505 body SUGARCOM /\b(?:indicatesugar|industryexpect|eset)\.com\b/
506 describe SUGARCOM indicatesugar.com
510 body VIEWMOVIE /\/(?:(?:viewmovie|stream|watchit|topnews|hotnews|fresh|checkit|default|gowatch|showvideo|livestreaming|top|whatsup|tophot|lol|first|index1|1)\.html\b|(?:video|news2\/)\s*$)/
511 describe VIEWMOVIE tabiloid style spam
515 uri OPERAMAIL /\bwww\.opera\.com\/mail\//
516 describe OPERAMAIL opera.com mail
520 body NOSITE /http:\/\/\//
521 describe NOSITE http URL with no site
525 uri TIECORRECT /tiecorrect\.com/
526 describe TIECORRECT Contains a tiecorrect.com uri
530 body FOURMINUTI /4minuti/
531 describe FOURMINUTI Spam from 4 minuti
535 uri CREDITREPORTURI /creditreport/
536 describe CREDITREPORTURI Credit report in the url isn't good
537 score CREDITREPORTURI 2
539 uri YAARIURI /yaari.com/i
540 describe YAARIURI Contains a yaari.com uri