2 Added some rules from Rule du Jour that I've been testing for a while
# MONOTONE_WORDS_<min>_<count>: each body rule fires on text that begins with
# <count> consecutive all-lowercase words of <min>..20 letters, separated only
# by whitespace or full stops. The patterns are case-sensitive and anchored
# with ^, so a capital letter, digit, comma or 21+ letter word inside the
# first <count> words breaks the run.
# No `score` lines are given here, so each rule gets SpamAssassin's default
# score of 1.0 unless it is scored elsewhere. The rules nest: text matching
# MONOTONE_WORDS_5_20 also matches _5_12, _5_8, _3_20 and _2_15, so the
# points stack. Ordinary lowercase prose can hit the shorter variants; check
# them against a ham corpus before raising any score.
4 #Monotone (from airmax.cf)
5 body MONOTONE_WORDS_2_15 /^([a-z]{2,20}[\s\.]+){15}/
6 describe MONOTONE_WORDS_2_15 Lines with many (long) lowercase words (15+ words, 2+ letters)
7 body MONOTONE_WORDS_2_30 /^([a-z]{2,20}[\s\.]+){30}/
8 describe MONOTONE_WORDS_2_30 Lines with many (long) lowercase words (30+ words, 2+ letters)
9 body MONOTONE_WORDS_3_20 /^([a-z]{3,20}[\s\.]+){20}/
10 describe MONOTONE_WORDS_3_20 Lines with many (long) lowercase words (20+ words, 3+ letters)
11 body MONOTONE_WORDS_5_8 /^([a-z]{5,20}[\s\.]+){8}/
12 describe MONOTONE_WORDS_5_8 Lines with many (long) lowercase words (8+ words, 5+ letters)
13 body MONOTONE_WORDS_5_12 /^([a-z]{5,20}[\s\.]+){12}/
14 describe MONOTONE_WORDS_5_12 Lines with many (long) lowercase words (12+ words, 5+ letters)
15 body MONOTONE_WORDS_5_20 /^([a-z]{5,20}[\s\.]+){20}/
16 describe MONOTONE_WORDS_5_20 Lines with many (long) lowercase words (20+ words, 5+ letters)
# Auto-responder detection. Seven case-insensitive phrase rules score 0.1
# each; MDO_AUTORESP_META1 sums their hits and adds 2.0 once the sum exceeds
# 1, i.e. when at least two different phrases are present.
# The phrases are ordinary English helpdesk wording, and /online form/ in
# particular is generic, so the low per-rule score is what keeps a single
# hit harmless; the meta carries the real weight.
18 # Lots of auto-responders seem to have this
19 body MDO_AUTORESP1 /online form/i
20 score MDO_AUTORESP1 0.1
22 body MDO_AUTORESP2 /large amount of (spam|virus)/i
23 score MDO_AUTORESP2 0.1
25 body MDO_AUTORESP3 /(electronically|automatically) (generated|created) (email|ack)/i
26 score MDO_AUTORESP3 0.1
28 body MDO_AUTORESP4 /(respond|answer) your enquiry/i
29 score MDO_AUTORESP4 0.1
31 body MDO_AUTORESP5 /(email|enquiry) has been received/i
32 score MDO_AUTORESP5 0.1
34 body MDO_AUTORESP6 /will be answered within/i
35 score MDO_AUTORESP6 0.1
37 body MDO_AUTORESP7 /the e-mail address to which you have written does not support incoming messages/i
38 score MDO_AUTORESP7 0.1
# Rule names evaluate to their hit count inside a meta expression, so this
# is "two or more of the seven phrase rules matched".
40 meta MDO_AUTORESP_META1 (MDO_AUTORESP1 + MDO_AUTORESP2 + MDO_AUTORESP3 + MDO_AUTORESP4 + MDO_AUTORESP5 + MDO_AUTORESP6 + MDO_AUTORESP7) > 1
41 score MDO_AUTORESP_META1 2.0
# Three single-token rules worth one point each.
# /Diploma/ and /calories/ carry no /i flag, so only that exact
# capitalisation matches ("diploma" and "Calories" do not).
43 body MURPHY_DIPLOMA /Diploma/
44 describe MURPHY_DIPLOMA No Diploma
45 score MURPHY_DIPLOMA 1
47 body MURPHY_CALORIES /calories/
48 describe MURPHY_CALORIES No Calories
49 score MURPHY_CALORIES 1
# Tests the Content-Type message header for image/gif.
# NOTE(review): a `header` rule presumably sees only the top-level message
# header, not the Content-Type of individual MIME parts -- confirm before
# relying on this to catch GIF attachments inside multipart mail.
51 header MURPHY_CONTENT_GIF Content-Type =~ /image\/gif/
52 describe MURPHY_CONTENT_GIF Content contains image/gif
53 score MURPHY_CONTENT_GIF 1
# Cable-TV spam. Each phrase rule adds 0.5; MDO_CABLE_META1 adds 3 more when
# the "cable" token (TV3) occurs together with any of TV1, TV2 or TV4.
# `.?` between words tolerates one arbitrary separator character or none
# ("pay-per-view", "payperview").
55 # cable tv spam -- pasc 04/05/11-12
56 body MDO_CABLE_TV1 /pay.?per.?view/i
57 score MDO_CABLE_TV1 0.5
59 body MDO_CABLE_TV2 /mature.?channel/i
60 score MDO_CABLE_TV2 0.5
# Matches "cable" or "c@ble". There is no word boundary, so it also matches
# inside longer words such as "applicable".
62 body MDO_CABLE_TV3 /c(\@|a)ble/i
63 score MDO_CABLE_TV3 0.5
# Matches "remote control" or "rem0te control", with an optional separator.
65 body MDO_CABLE_TV4 /rem(o|0)te.?control/i
66 score MDO_CABLE_TV4 0.5
# With the two component hits this needs, a matching message gains at least
# 0.5 + 0.5 + 3 = 4 points from this group.
68 meta MDO_CABLE_META1 (MDO_CABLE_TV1 || MDO_CABLE_TV2 || MDO_CABLE_TV4) && (MDO_CABLE_TV3)
69 describe MDO_CABLE_META1 Too much cable stuff
70 score MDO_CABLE_META1 3
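# Subject that looks like the output of spamware whose template tag was not
# expanded. The asterisks are escaped so they match literally: unescaped,
# " *free* " is parsed as quantifiers (zero or more spaces, "fre", zero or
# more "e") and the rule could never match the subject it spells out.
# No score is set here, so the default of 1.0 applies unless scored elsewhere.
72 header MDO_TAGSPAM1 Subject =~ /Unknown Tag \*free\* Please Fix/
# A single common word, case-insensitive and without word boundaries, worth
# 2.8 points: legitimate financial or design mail that mentions a portfolio
# scores as well, so review this weight against ham before deploying.
75 body MDO_BAD_WORD1 /PORTFOLIO/i
76 score MDO_BAD_WORD1 2.8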
# None of the rules in this group has a `score` line here, so each counts
# the default 1.0 unless scored elsewhere.
78 # blarson, 2004-04-30 -> lists --pasc 04/05/11
# "affiliate id" with at most one arbitrary character between the words
# ("affiliate_id", "affiliateid"), case-insensitive.
79 body AFFILIATEID /affiliate.?id/i
80 describe AFFILIATEID affiliate id
83 # joy, 2003-08-30, 2003-09-21
# Case-sensitive: only the exact prefix "Fw: " at the start of the Subject.
84 header FW Subject =~ /^Fw: /
85 describe FW Sounds like a Fw: spam
# Subject that ends in a bare "RE:" or "FWD:" with nothing but whitespace after it.
89 header REFWD subject =~ /\b(?:RE|FWD)\:\s*$/i
90 describe REFWD re or fwd nothing
# Whole Subject is one \w+ token, optionally prefixed by "Fw:" or "re:".
# Short legitimate subjects ("Hello", "Invoice") match too.
94 header ONEWORD subject =~ /^(?:Fw:|re:)?\s*\w+\s*$/i
95 describe ONEWORD one word subject
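98 # robot101, 2003-09-22
# Matches the X-UnityUser header of one mailing-list sender. The dot is
# escaped so that only a literal "Crosswalk.com" matches.
99 header CROSSWALK X-UnityUser =~ /^Crosswalk\.com, Inc/
100 describe CROSSWALK Crosswalk bible mailing list
# Case-sensitive substring match anywhere in From. From is chosen by the
# sender, so this identifies a claimed name, not an authenticated source.
103 header CROSSWALK_SPAM From =~ /Crosswalk/
104 describe CROSSWALK_SPAM Crosswalk Spam
105 score CROSSWALK_SPAM 1
# Case-sensitive "Bom dia " (with the trailing space) anywhere in the Subject.
108 header BOMDIA Subject =~ /Bom dia /
109 describe BOMDIA Bom dia, usually some Romanic language spam
# Received header that starts with the default hostname of an unconfigured
# system. The dot is escaped so it matches literally.
# NOTE(review): if several Received headers are tested as one newline-joined
# string, ^ without /m anchors only at the first of them -- confirm which hop
# this is meant to inspect. Received lines added before the site's own
# trusted relays are written by the sender and can be forged.
112 header RCVD_FROM_UNCONF_HOST Received =~ /^from localhost\.localdomain/
113 describe RCVD_FROM_UNCONF_HOST Mail comes from a host with unconfigured mailer daemon
114 score RCVD_FROM_UNCONF_HOST 2
# Fixed, case-sensitive phrase from one specific spam run; default score 1.0.
117 body ECOSPAM /Corridas de Toros para los turistas Ingleses en Barcelona/
118 describe ECOSPAM Eco-spam all right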
# Mostly fixed-string rules for individual spam runs. Rules without a
# `score` line here count the default 1.0 unless scored elsewhere.
121 # cjwatson, 2003/02/24
# Fixed, case-sensitive Spanish phrase; 4.0 points on its own.
122 body SPANISH_FORM_CGI /Este formulario fue enviado por/
123 describe SPANISH_FORM_CGI "Below is the result of your feedback form", eh?
124 score SPANISH_FORM_CGI 4.0
127 body TRAFFICMAGNET /Become a TrafficMagnet Reseller/
128 describe TRAFFICMAGNET SpamMagnet
129 score TRAFFICMAGNET 4
# Case-sensitive: Subject starting with lowercase "bkr".
132 header BKR Subject =~ /^bkr/
133 describe BKR bkr spam
137 header RISEANDSHINE Subject =~ /^Rise and Shine in 15 minutes/
138 describe RISEANDSHINE Rise and Shine in 15 minutes spam
# Letter-spaced "UNIVERSITY DIPLOMAS"; the `.` between the two words
# matches any single character.
142 header UNIVDIP Subject =~ /U N I V E R S I T Y . D I P L O M A S/i
143 describe UNIVDIP university diplomas spam
# Any Subject that starts with "You" (optionally after "Re: "),
# case-insensitive. This also matches "Your ..." and similar legitimate
# subjects, so it is only safe at a low score.
147 header YOUTHERE Subject =~ /^(Re: )?You/i
148 describe YOUTHERE Who, me? Likely spam
# Subject and body phrase rules. Rules without a `score` line here count the
# default 1.0 unless scored elsewhere.
151 # cjwatson, 2003-11-20
152 header HOUSECLEANING Subject =~ /^Affordable Housecleaning Service/
153 describe HOUSECLEANING let's clean out the spam instead
154 score HOUSECLEANING 3
156 # cjwatson, 2003-12-11
157 header OTC_FIRST Subject =~ /OTC FIRST ALERT/
158 describe OTC_FIRST OTC spam
# Generic two-word phrase, case-insensitive; common in legitimate release
# and product announcements.
162 body AVAILABLENOW /available now/i
163 describe AVAILABLENOW must be selling some shit
166 # cjwatson, 2004-01-16
167 body TEDIOUS_WITTER /If not i included it below so let me know if you like it/
168 describe TEDIOUS_WITTER annoying wittering spam, mypillsource.com I think
169 score TEDIOUS_WITTER 2
171 # cjwatson, 2004-03-12
# UNI_DIPLOMA tests the Subject, UNI2 the body, for nearly the same phrase.
# SpamAssassin body rules also see the Subject as the first paragraph, so a
# "university diploma" subject is counted by both rules.
173 header UNI_DIPLOMA Subject =~ /\b(university|college)\s+(diploma|cert|degree)/i
174 describe UNI_DIPLOMA Got one, thanks
178 body UNI2 /university\s+(diploma|cert|degree)/i
179 describe UNI2 Got one, thanks
182 # cjwatson, 2004-03-12
183 header JOB_CONFIRM Subject =~ /Job confirmation/
184 describe JOB_CONFIRM Got one of these too, thanks
# Subject that is only "message" or "message subject", optionally in
# parentheses: a placeholder subject.
188 header MESSAGESUB subject =~ /^\s*\(?message\s*(subject)?\)?$/i
189 describe MESSAGESUB really descriptive subject
# "sent you a message", "sent you a personal message" or "would like to chat".
193 header SENTMESSAGE subject =~ /(sent you a( personal|) message|would like to chat)/i
194 describe SENTMESSAGE Sent you a message (like duh?)
197 # blarson 2006-03-16 2007-09-18
# Salutation addressed to a number. The pattern requires, in order:
#   - an optional leading "well", then one greeting from the long alternation
#     (Dear, Hey, Hello variants, To, Attention, Hi, Yo, good day/morning/...,
#     what's up, greetings, "Mail to"/"News to", how are you..., Regards, ...);
#   - an optional comma and at least one whitespace character;
#   - optionally "Account #" or "=3d" (the latter looks like leftover
#     quoted-printable encoding of "=");
#   - one of "bro", "there", "sir" or "Mr" (this part is not optional);
#   - three or more digits.
# Case-insensitive and anchored with ^. No score here, so default 1.0.
198 body DEARDIGIT /^(?:well\s+)?(?:Dear|Hey|H[ea]y?ll?.?o|To|Attention|Hi+|Hey+a?|Bonjorno|(?:Yo\s*)+|(?:g[o0]+d\s*)?(?:d?ay|morning|evening?|afternoon|night)|what.?i?s\s+up|wa(?:s|z)+up|greetings?|Salutations|(Mail|News)\s+to|how(?:.?s|\s+is)?\s*(?:(?:it)?(?:\s+is)??\s*going|have\s+you\s+been|are you).?\s*(?:there|to\s+you)?|compliments|Regards|Adieu)\,?\s+(?:Account\s+\#?|\=?3d|)(?:bro|there|sir|Mr\.?)\s*?\d{3,}/i
199 describe DEARDIGIT Dear number
# Subject is exactly "S?ze matters", where `.` accepts any character in the
# second position (so both "Size" and obfuscated spellings match).
203 header SIZEMATTERS subject =~ /^S.ze matters$/i
204 describe SIZEMATTERS Size matters spammer
# Signatures for individual spam runs; several (RNDMX, RNDWORD) look like
# template placeholders that the sending software failed to expand. No rule
# in this group has a `score` line here, so each counts the default 1.0
# unless scored elsewhere.
207 # cjwatson 2005-01-02
208 header RNDMX subject =~ /^<rndmx/
209 describe RNDMX weird empty spam
# Matches the misspelling "verifycation" only.
213 header VERIFYCAT subject =~ /verifycation mail/
214 describe VERIFYCAT verifycation spam
# "download" with 0-for-o / 1-for-l substitutions, followed later in the
# Subject by a media word. The class also contains the real letters, so a
# correctly spelled "download ... music" subject matches too.
218 header D0WNLOAD subject =~ /\bd[o0]wn[l1][o0]ad.*(?:m[o0]v[i1]e|mp3|tune|music)/i
219 describe D0WNLOAD download spam
223 header REDUCESPAM subject =~ /Reduce Spam\b/i
224 describe REDUCESPAM reduce spam spam
# URL fragment: ".dirt<digits>.info/" or ".dirty<digits>.info/", optionally
# preceded by "the" or one digit after the dot.
228 body DIRT /\.(?:the|\d|)dirty?\d+\.info\//
229 describe DIRT dirty spammer
233 body RNDWORD /^RND_WORD\s*$/
234 describe RNDWORD RND_WORD
# Scrambled or digit-substituted spellings of "degree(s)". The correct
# spellings "degree" and "degrees" are not matched by any alternative.
238 header D3GREE subject =~ /\bd(?:3gres?|esgre|eerge|eeerg|reege|egres)e?s?\b/i
239 describe D3GREE Want a used paper from someone who can't spell
# Prefix match ("final notif..."): legitimate final notices match as well.
243 body FINALNOTE /\bfinal\s+notif/i
244 describe FINALNOTE yet another final notification
248 header HIITS subject =~ /\bHi\! It\'s\b/i
249 describe HIITS hi its
253 header GOTONE subject =~ /\bgot one$/i
254 describe GOTONE got this spam already
# Case-sensitive and anchored with ^.
258 body IMMEDIATEREV /^ATTENTION- For your immediate review:/
259 describe IMMEDIATEREV immediate discard
263 body CLIENTALERT /^(?:CLIENT ALERT|ATTENTION CLIENT)/i
264 describe CLIENTALERT client alert
# Per-campaign signatures plus two stock-spam heuristics (WBRS, FOURLA and
# the STOCKLIKE meta). Apart from DEGREE_SPAM, no rule here has a `score`
# line, so each counts the default 1.0 unless scored elsewhere.
267 # cjwatson 2005-10-20
# Matches a sender name in From; From is sender-controlled, so this only
# catches mail that keeps using the same name.
268 header DEBIANTUX23 From =~ /DebianTux23|wieseltux23/i
269 describe DEBIANTUX23 Linux spammer, sigh
273 body SHITBRO /^\s*sh[i1]+t\s+bro/i
274 describe SHITBRO shitty spam
278 header POPPROG subject =~ /popular programs for everyday use/i
279 describe POPPROG unpopular spam
# Literal "%GREET" or "%EXIT" at the start of the text: an unexpanded
# template variable.
283 body GREET /^\%(?:GREET|EXIT)/
284 describe GREET broken spamware
# Subject ending in "wrote:" with nothing after it.
288 header WROTE subject =~ /\bwrote\:\s*$/i
289 describe WROTE stock scam
# "earn", "degree" and "transcripts" in that order with any text between
# them; the gaps (.+) are unbounded within the text chunk being matched.
292 body DEGREE_SPAM /earn.+degree.+transcripts/i
293 describe DEGREE_SPAM earn a degree with transcripts spam
294 score DEGREE_SPAM 2.5
297 body BLUEPILL /blue pill/i
298 describe BLUEPILL Blue pill spam
302 header PHOTOQUEST subject =~ /question about your photo/i
303 describe PHOTOQUEST questioning photo
307 body KBDP /Knowledge Based Degree Program/i
308 describe KBDP degree spam
312 body CRITERIAHAS /\bOur criteria has changed\b/i
313 describe CRITERIAHAS Diploma salesman with bad english
# Fixed digit-group layout: 6, 7, 6, 1, 7 and 7 digits separated by single spaces.
317 body TORA08 /\b\d{6} \d{7} \d{6} \d \d{7} \d{7}/
318 describe TORA08 TORA.08 spam
322 body SERIOUSBRO /^Seriously bro\b/i
323 describe SERIOUSBRO Seriously bro
# One specific e-mail address, case-sensitive.
327 body INSETET /\bwilson\@insitetcnologia\.com\.br\b/
328 describe INSETET please send spammer
# The next two rules target automated Spanish-language replies rather than
# spam content (see their descriptions).
332 body USUARIO /\bEl usuario destinatario no es un usuario valido/
333 describe USUARIO No such user -- sent in infinite loop
337 body NOMAILRECBI /no recibi tu mail/i
338 describe NOMAILRECBI No recbi of mail -- was closing way to many bugs
# Case-sensitive (no /i).
342 header URHELP subject =~ /\bi need ur help\b/
343 describe URHELP blank spam
# "Acrobat 7" or "Acrobat 8" (0 accepted for o) followed by "PRO"/"PR0" or a
# price-like number.
347 header ACRO8PR0 subject =~ /\bAcr[0o]bat\s*[78]\s+(?:PR[0O]\b|\$?\d+\$?)/i
348 describe ACRO8PR0 sales spam
# Case-sensitive list of short ticker-like tokens, some with optional
# separators between the letters. It is a fixed snapshot and needs upkeep to
# stay useful; a few alternatives are listed twice (F\W?R\W?L\W?E,
# P\W?P\W?Y\W?H), which is harmless. HSBC is also the name of a large bank,
# so legitimate banking mail matches this rule.
352 body WBRS /\b(WBRS|FPMC|ADYN|AFML|MISJ|HXPN|WHKA|CBFE|HSBC|PCAI|MPRG|HPRS|AUNI|TGVI|MHII|TAMG|GDKI|ACEN|CDYV|G7Q\.F|mbwc|CHFR|CDPN|DSDI|UTEV|P-S-U-D|GPSI|SGXI|CAON|SREA|ERMX|VPSN|SZSN|PAYI\.OB|LTDI|C\W\W?Y\W\W?T\W\W?V|E\WX\WM\WT|CYTV|VGPM|V\s?G\s?P\s?M(\.PK)?|wwng|WWNG|F\WD\WE\WG|FDEG|UTYW|M\s*I\s*H\s*I|O\W?N\W?C\W?O|P\W?P\W?Y\W?H|S\W?R\W?E\W?A|A\W?C\W?G\W?U|S\W?C\W?Y\W?F|C\W?H\W?V\W?C|D\W?M\W?X\W?C|F\W?R\W?L\W?E|M\W?A\W?K\W?U|C\W?W\W?T\W?E|F\W?R\W?L\W?E|M\W?X\W?X\W?R|P\W?P\W?Y\W?H)\b/
353 describe WBRS stock spam
# Any four uppercase letters, each optionally followed by one whitespace
# character ("ABCD", "A B C D"). Common acronyms such as HTTP match.
# NOTE(review): FOURLA scores 1.0 by itself as written. If it is meant only
# as an input to STOCKLIKE, SpamAssassin's convention is a name starting
# with a double underscore, which is not scored -- confirm the intent.
356 body FOURLA /\b([A-Z]\s?){4}\b/
357 describe FOURLA Four letter acronym (stock spam?)
# MONEY and SUBJMONEY are not defined in this part of the file; they must
# exist elsewhere in the loaded rule set for this meta to be able to fire.
360 meta STOCKLIKE (FOURLA && (MONEY || SUBJMONEY))
361 describe STOCKLIKE Four letter acronyms with money; stock scam
# Software-sales, PDF-spam and "someone sent you a message" signatures.
# Apart from DICTIONARYSEQ, no rule here has a `score` line, so each counts
# the default 1.0 unless scored elsewhere.
365 header ACROBAT8 subject =~ /\badobe acr[o0]bat 8\b/i
366 describe ACROBAT8 more sales spam
# Look-alike spellings: lowercase L standing in for I, zero for O. With /i
# the letter case is ignored, but the substituted characters are literal, so
# the correct spellings do not match.
370 header VLSTA subject =~ /VlSTA|0FFlCE|ACR0B8T/i
371 describe VLSTA misspelled microshit software
375 header ANGEKUEN subject =~ /\bTrauer angekuendigt\b/
376 describe ANGEKUEN german spam
380 body INTCAFE /\binternet caff?e\b/i
381 describe INTCAFE internet cafe spam
# The next two rules match challenge/response and whitelist notices.
385 header VERIFIC subject =~ /Your email requires verification/
386 describe VERIFIC some people prefer you get their spam
390 header WHITELIST subject =~ /You have been added to .* whitelist/
391 describe WHITELIST whitelist spam
# Matches the misspelling "casnio" only.
395 body CASNIO /^Please be advised that your casnio account is still inactive/
396 describe CASNIO casnio account
# "auto", "automated" or "automatic" followed by "reply", "response" or
# "responce" in the Subject.
400 header AUTOREPLY subject =~ /\bauto(?:mated|matic|)[\s-]+re(?:spon[cs]e|ply)\b/i
401 describe AUTOREPLY Automatic reply
405 body CONFSERV /^Thanks for using our confidential service/
406 describe CONFSERV confidential service
410 body CONTENC /^Confirmation has been enclosed/
411 describe CONTENC more pdf spam
# Any Subject containing the word "phone" or "telephone"; very broad, so
# it is only safe at a low score.
415 header PHONE subject =~ /\b(tele)?phone\b/i
416 describe PHONE phone spam
420 body ASPDF /^We send our messages as Portable Document Format/
421 describe ASPDF more pdf spam
425 body DELAFT /Please delete your private message after reading/
426 describe DELAFT more pdf spam
# Obfuscated "Office 2007" (0/Q for O, 1/7/l/| for i, k for 0). The classes
# also contain the real letters, so a plain "Office 2007" subject matches.
430 header OFF1CE subject =~ /\b[O0Q]f+[1i7l|]ce\s*\W?2[O0Qk]+7\b/i
431 describe OFF1CE off1ce spam
435 header SOFTSALE subject =~ /\bsoftware sales\b/i
436 describe SOFTSALE software spam
440 body SUPERMACHO /\bBe a supermacho/i
441 describe SUPERMACHO supermacho
445 body BIGINTER /\bBig international commercial organization\b/i
446 describe BIGINTER job spam
# Overlaps SENTMESSAGE (defined earlier in this file): a "sent you a
# message" or "would like to chat" subject is counted by both rules.
450 header HASSENT subject =~ /\b(?:sent you a (?:personal|confidential)?\s*(?:message|note)|would like to chat)\b/i
451 describe HASSENT sent a message
# "Order" or the misspelling "Recipet", at most one arbitrary character,
# then three or more digits. Genuine order confirmations match the "Order"
# branch.
455 header ORDERNUM subject =~ /\b(?:Order|Recipet)\s*.?\d{3,}/i
456 describe ORDERNUM order number
# Three consecutive Subject words that share the same first three
# characters (backreference \1), case-insensitive; 3.5 points.
460 header DICTIONARYSEQ subject =~ /\b(\w{3})\w*(?:\s+\1\w*){2}/i
461 describe DICTIONARYSEQ Ventricular Vents Venting Ventures
462 score DICTIONARYSEQ 3.5
# Subject and body keyword rules. Several are single common words or
# phrases (JOBS, WORKATHOME, PHONENUMBER) and will match legitimate mail, so
# their weights matter. Rules without a `score` line here count the default
# 1.0 unless scored elsewhere.
# Subject made up only of non-word characters, four or more.
# NOTE(review): depending on how the Subject is decoded before matching,
# subjects written entirely in a non-Latin script may count as \W here --
# confirm against real non-English mail.
465 header NOLET subject =~ /^\W{4,}$/
466 describe NOLET swearing subject
# Case-sensitive "ssistant Manager" at the start of the text, i.e. the
# phrase with its first letter missing.
470 body SSIST /^ssistant Manager/
471 describe SSIST ssistant Manager
475 body GRADUATEUNDER /\bgraduate in under\b/i
476 describe GRADUATEUNDER graduate in under
477 score GRADUATEUNDER 3
# "no investment", or "high" + any one character + "paid".
480 header NOINVEST subject =~ /\b(?:no investment|high.paid)\b/i
481 describe NOINVEST no investment
# The description shows the pipe-for-letter spelling, but each class also
# contains the real letter (I, l), so a correctly spelled
# "Internet Explorer" subject matches as well.
485 header INTEXP subject =~ /\b[I|]nternet Exp[l|]orer\b/i
486 describe INTEXP |nternet Exp|orer
# \W accepts any single non-word separator: "work at home", "work-at-home".
490 header WORKATHOME subject =~ /work\Wat\Whome/i
491 describe WORKATHOME Work at home
# "1", then "8" followed by one or more 0/7 digits, then more digits, with
# optional separators. Besides 1-800/1-877 style numbers this matches any
# bare number that starts 180 or 187 and has four or more digits (e.g. "1870").
495 body PHONENUMBER /\b1[\-\.\s]?8[07]+[\-\.\s]?\d+/
496 describe PHONENUMBER Toll free phone number
497 score PHONENUMBER 1.5
500 body GERMANSPAM /Zerix Intern/i
501 describe GERMANSPAM Um... no clue what that is.
# Case-sensitive domain name match.
504 body URBANNEWS /UrbaNNews\.ro/
505 describe URBANNEWS URBANNEWS Newsletter
# Any Subject containing job(s), employers, employment or employee(s).
509 header JOBS subject =~ /\b(?:job|Employ(?:ers|ment|ee))s?\b/i
510 describe JOBS job spam
# \s* lets the words run together ("yourfreepassword") or be spaced out.
514 header FREEPASSWORD subject =~ /your\s*free\s*password/i
515 describe FREEPASSWORD We don't need free password
519 header AFRICABYBIKE subject =~ /africa\s*by\s*bike/i
520 describe AFRICABYBIKE We don't care about africa by bike or car or bus or train