1 # SARE Header Abuse Ruleset for SpamAssassin -- file 0
5 # Usage instructions and documentation in 70_sare_header0.cf
7 # Full Revision History / Change Log in 70_sare_header.log
8 #@@# 01.03.16 Oct 28 2005
9 #@@# Minor score updates based on additional mass-check
10 #@@# Added to file 0: SARE_FRM_HOODIA
11 #@@# Added to file 0: SARE_HEAD_HDR_XIDSRVR
12 #@@# Added to file 0: SARE_RECV_IP_064069032
13 #@@# Added to file 0: SARE_RECV_IP_066059094
14 #@@# Added to file 0: SARE_RECV_IP_066159017
15 #@@# Added to file 0: SARE_RECV_IP_204010039
16 #@@# Added to file 0: SARE_XMAIL_LEO
17 #@@# Moved file 0 to file 1: SARE_BOUNDARY_LC
18 #@@# Moved file 0 to file 1: SARE_FREE_WEBM_FrVoila
19 #@@# Moved file 0 to file 1: SARE_HEAD_HDR_XBBOUNC
20 #@@# Moved file 0 to file 1: SARE_HEAD_XWORD
21 #@@# Moved file 0 to file 1: SARE_RECV_IP_066165224
22 #@@# Moved file 0 to file 1: SARE_RECV_IP_218088
23 #@@# Moved file 0 to file 1: SARE_XMAIL_TOLMAIL
24 #@@# Moved file 0 to file 2: SARE_RECV_IP_063111025
25 #@@# Moved file 0 to file 2: SARE_RECV_RANDOM
26 #@@# Moved file 0 to file x31: SARE_MULT_RATW_02 to x31 file; RATWARE_NAME_ID is now in version 3.1.0
27 #@@# Moved file 1 to file 0: SARE_HEAD_XMIMEO_MS
28 #@@# Moved file 1 to file 0: SARE_RECV_IP_069060122
29 #@@# Moved file 1 to file 0: SARE_XMAIL_DYNAMAILER
30 #@@# Moved file 2 to file 0: SARE_HEAD_HDR_XE
31 #@@# Replaced __SARE_HEAD_HDR_MIMEV in SARE_HEAD_MIME_INVALID with SA 2.60 rule __MIME_VERSION
32 #@@# Replaced __SARE_HEAD_MAIL_BAT1 in SARE_HEAD_BAT_WEB with SA 3.1.0 rule __THEBAT_MUA
34 # License: Artistic - see http://www.rulesemporium.com/license.txt
35 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
36 # Current Home: http://www.rulesemporium.com/rules/70_sare_header0.cf
38 # Usage: This family of files, 70_sare_header*.cf, contain rules that test email headers
39 # (except the Subject header, which is handled in the 70_sare_genlsubj*.cf family of files).
41 # File 0: 70_sare_header0.cf -- These are header rules that hit at least 10 spam and no ham.
42 # While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
43 # This is a rules file we expect any/all email systems using SpamAssassin to benefit from.
45 # File 1: 70_sare_header1.cf -- These are header rules that meet one of the follow criteria:
46 # a) Rules that do, or in the past have hit ham during SARE mass-check tests
47 # b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run.
48 # If the rules hit ham, they hit at last 10 spam to each 1 ham.
49 # With few exceptions these rules score significantly less than the rules in file 0.
50 # Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset,
51 # pick and choose among its rules, or lower their scores.
52 # Systems that use this file 1 should ALSO use file 0.
54 # File 2: 70_sare_header2.cf -- These header rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
55 # These are primarily rules that test for specific headers seen only in spam, or similar types of "pretty darn sure" rules.
56 # Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead,
57 # but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
59 # File 3: 70_sare_header3.cf -- These are header rules that hit a significant amount of ham during SARE mass-check tests.
60 # Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
62 # File 4: 70_sare_header4.cf -- These are header rules that meet one of the following criteria:
63 # a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems.
64 # b) They hit no emails at this time, but have been recommended by anti-spam sources (such as rules developed from Spam-L list reports).
65 # Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
67 # eng: 70_sare_header_eng.cf -- These are header rules which work well within the English language, but are liable to cause false
68 # positives in other languages. They include rules which test for letter combinations and encoded header headers. Systems that
69 # receive ham in languages other than English should NOT use this file.
71 # x264_x30: 70_sare_header_x264_x30.cf -- These are header rules which have been incorporated into both SpamAssassin 2.64 and 3.0.x,
72 # or which duplicate or greatly overlap both 3.0.x rules.
73 # Systems which have installed SpamAssassin version 2.64 or 3.0.x should therefore NOT use this file.
75 # x30: 70_sare_header_x30.cf -- These are header rules which have been incorporated into SpamAssassin 3.0.x,
76 # or which duplicate or greatly overlap 3.0.x rules.
77 # Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
79 # arc: 70_sare_header_arc.cf -- These are header rules that once were published in other files, but which have since lost all value.
80 # They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam.
81 # SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but
82 # we expect that nobody will be running these rules in any production system.
84 ######## ###################### ##################################################
85 # Component rules used within meta rules
86 ######## ###################### ##################################################
88 header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
89 #counts __SARE_HEAD_8BIT_SUBJ 17149s/110h of 238550 corpus (112525s/126025h RM) 02/28/05
90 #counts __SARE_HEAD_8BIT_SUBJ 3478s/2h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
91 #counts __SARE_HEAD_8BIT_SUBJ 2s/1h of 26190 corpus (22790s/3400h MY) 02/15/05
93 ######## ###################### ##################################################
94 # Meta rules used to prevent --lint errors after moving/changing rules
95 ######## ###################### ##################################################
97 meta SARE_HEAD_HDR_APPROV 0
98 meta SARE_HEAD_HDR_CONVWLS 0
99 meta SARE_HEAD_HDR_DISCREC 0
100 meta SARE_HEAD_HDR_XENC 0
101 meta SARE_HEAD_HDR_XENVID 0
102 meta SARE_HEAD_HDR_XMAILID 0
103 meta SARE_HEAD_HDR_XTID 0
104 meta SARE_FROM_PRINTER 0
105 meta SARE_FROM_DEBT 0
106 meta SARE_FROM_DVDCOPY 0
107 meta SARE_FROM_SPAM_CHAR0 0
108 meta SARE_FREE_WEBM_Jpop 0
109 meta SARE_FREE_WEBM_NETCITY 0
110 meta SARE_FREE_WEBM_ZCom03 0
111 meta SARE_MSGID_LONG 0
112 meta SARE_HELO_YAHOO 0
113 meta SARE_RECV_SPAM_DOMN0a 0
114 meta SARE_RECV_SPAM_DOMN02 0
115 meta SARE_RECV_VIRTUACOMBR 0
116 meta SARE_RECV_IP_066111 0
117 meta SARE_RECV_IP_081019 0
118 meta SARE_RECV_IP_082154 0
119 meta SARE_RECV_IP_195229 0
120 meta SARE_RECV_IP_200150 0
121 meta SARE_RECV_IP_218216 0
122 meta SARE_RECV_IP_222000 0
123 meta SARE_RECV_IP_222126 0
124 meta SARE_XMAIL_PSSMAILER 0
125 meta SARE_XMAIL_RLSP 0
126 meta SARE_MULT_VIA_CITIZNET 0
127 meta SARE_FROM_SUPPORT_DIG 0
128 meta SARE_TOCC_BCC_MANY 0
129 meta SARE_HEAD_HDR_EPATH 0
130 meta SARE_HEAD_HDR_XAR 0
131 meta SARE_HEAD_HDR_XNOSPAM 0
132 meta SARE_FROM_QUOTE 0
133 meta SARE_FROM_SPACE2 0
134 meta SARE_MSGID_EMPTY 0
135 meta SARE_RECV_SPAM_DOMN81 0
136 meta SARE_RECV_SPAM_NAME0 0
137 meta SARE_FROM_SPAM_NAME0 0
138 meta SARE_HEAD_HDR_XAUTOGN 0
139 meta SARE_HEAD_HDR_XCCDIAG 0
140 meta SARE_HEAD_HDR_XMLFILT 0
141 meta SARE_HELO_MAIL 0
142 meta SARE_HEAD_HDR_XACWGHT 0
143 meta SARE_HEAD_HDR_XMCAVTP 0
144 meta SARE_USERAG_Dig 0
145 meta SARE_HEAD_HDR_XUNOLOOK 0
146 meta SARE_MSGID_2KDD 0
147 meta SARE_REPLY_SPAMWORD0 0
148 meta SARE_FROM_SPAM_WORD0 0
149 meta SARE_TOCC_COMBO1 0
150 meta SARE_FROM_UK2NET2 0
151 meta SARE_FREE_WEBM_NetSafe 0
152 meta SARE_FREE_WEBM_ZCom02 0
153 meta SARE_RECV_SKANOVA 0
154 meta SARE_RECV_IP_061050 0
155 meta SARE_RECV_IP_140117 0
156 meta SARE_RECV_IP_211216 0
158 meta SARE_HEAD_8BIT_SPAM 0
159 meta SARE_RECV_SPAM_DOMN3 0
160 meta SARE_BOUNDARY_D8 0
161 meta SARE_HEAD_HDR_XCONTAC 0
162 meta SARE_RECV_IP_066114b 0
163 meta SARE_BOUNDARY_05 0
164 meta SARE_BOUNDARY_06 0
165 meta SARE_FREE_WEBM_ZZa001 0
166 meta SARE_FROM_CAPS_MSN 0
167 meta SARE_FROM_NUM_9DIG 0
168 meta SARE_FROM_SPAM_DOMN0 0
169 meta SARE_FROM_SPAM_PL1 0
170 meta SARE_HEAD_8BIT_DATE 0
171 meta SARE_HEAD_8BIT_NOSPM 0
172 meta SARE_HEAD_DATE14 0
173 meta SARE_HEAD_DATE_5L 0
174 meta SARE_HEAD_HDR_XLISTAD 0
175 meta SARE_HEAD_HDR_XRIPE 0
176 meta SARE_HEAD_HDR_XWTID 0
177 meta SARE_HEAD_HDR_XWTVERS 0
178 meta SARE_HELO_SERVER 0
179 meta SARE_MSGID_D1D1D2D16 0
180 meta SARE_RECV_BEZEQINT_B 0
181 meta SARE_RECV_IP_061072 0
182 meta SARE_RECV_IP_061190 0
183 meta SARE_RECV_IP_061228 0
184 meta SARE_RECV_IP_062023 0
185 meta SARE_RECV_IP_192116 0
186 meta SARE_RECV_IP_203177 0
187 meta SARE_RECV_IP_218078 0
188 meta SARE_RECV_IP_221124 0
189 meta SARE_RECV_IP_222064 0
190 meta SARE_RECV_ISWEST 0
191 meta SARE_RECV_PATMEDIA 0
192 meta SARE_BOUNDARY_NP2 0
193 meta SARE_CONTENT_BITBITNUM 0
194 meta SARE_FROM_VIRUS1 0
195 meta SARE_HEAD_HDR_JLH 0
196 meta SARE_HEAD_HDR_RTNPATH 0
197 meta SARE_MULT_RATW_03 0
198 meta SARE_RECV_IP_064192191 0
199 meta SARE_BOUNDARY_D10 0
200 meta SARE_HEAD_HDR_XMAILTH 0
201 meta SARE_HEAD_HDR_XMLRSRV 0
202 meta SARE_HEAD_HDR_XSMTPSV 0
203 meta SARE_HEAD_HDR_XUMAIL 0
204 meta SARE_MSGID_LONG50 0
205 meta SARE_RECV_SPAM_DOMN04 0
206 meta SARE_XMAIL_GOMAIL 0
207 meta SARE_HEAD_8BIT_RECV 0
208 meta SARE_RECV_FEP5 0
209 meta SARE_RECV_IP_203210128 0
210 meta SARE_RECV_SPAM_DOMN06 0
211 meta SARE_FREE_WEBM_ZCom05 0
212 meta SARE_HEAD_XUNSENT 0
213 meta SARE_RECV_IP_069050210 0
214 meta SARE_RECV_IP_206131 0
215 meta SARE_RECV_IP_206248152 0
216 meta SARE_RECV_PORTHELO_1 0
217 meta SARE_RECV_PORTHELO_2 0
218 meta SARE_RECV_PORTHELO_3 0
219 meta SARE_RECV_CHAR_CARAT 0
220 meta SARE_MULT_RATW_02 0
221 meta SARE_BOUNDARY_LC 0
222 meta SARE_FREE_WEBM_FrVoila 0
223 meta SARE_RECV_IP_066165224 0
224 meta SARE_RECV_IP_218088 0
225 meta SARE_XMAIL_TOLMAIL 0
226 meta SARE_RECV_IP_063111025 0
227 meta SARE_RECV_RANDOM 0
228 meta SARE_BOUNDARY_LC 0
229 meta SARE_FREE_WEBM_FrVoila 0
230 meta SARE_HEAD_XWORD 0
231 meta SARE_RECV_IP_066165224 0
232 meta SARE_RECV_IP_218088 0
233 meta SARE_XMAIL_TOLMAIL 0
234 meta SARE_RECV_IP_063111025 0
235 meta SARE_RECV_RANDOM 0
236 meta SARE_MULT_RATW_02 0
237 meta SARE_HEAD_HDR_XBBOUNC 0
238 meta SARE_RECV_IP_071004246 0
240 #####################################################################################
241 # SARE Header-Exists rules
242 ######## ###################### ##################################################
244 header SARE_HEAD_HDR_CONVER exists:Conversion
245 describe SARE_HEAD_HDR_CONVER Message headers used which identify spam
246 score SARE_HEAD_HDR_CONVER 1.111
247 #stype SARE_HEAD_HDR_CONVER spamp
248 #counts SARE_HEAD_HDR_CONVER 12s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
249 #max SARE_HEAD_HDR_CONVER 54s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
250 #counts SARE_HEAD_HDR_CONVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
251 #counts SARE_HEAD_HDR_CONVER 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
252 #max SARE_HEAD_HDR_CONVER 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
253 #counts SARE_HEAD_HDR_CONVER 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
254 #counts SARE_HEAD_HDR_CONVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
255 #counts SARE_HEAD_HDR_CONVER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
257 header SARE_HEAD_HDR_DISPNOP exists:Disposition-Notification-Options
258 describe SARE_HEAD_HDR_DISPNOP Message headers used which identify spam
259 score SARE_HEAD_HDR_DISPNOP 1.111
260 #stype SARE_HEAD_HDR_DISPNOP spamp
261 #counts SARE_HEAD_HDR_DISPNOP 16s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
262 #max SARE_HEAD_HDR_DISPNOP 60s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
263 #counts SARE_HEAD_HDR_DISPNOP 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
264 #counts SARE_HEAD_HDR_DISPNOP 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
265 #max SARE_HEAD_HDR_DISPNOP 13s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
266 #counts SARE_HEAD_HDR_DISPNOP 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
267 #max SARE_HEAD_HDR_DISPNOP 14s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
268 #counts SARE_HEAD_HDR_DISPNOP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
270 header SARE_HEAD_HDR_LANG exists:Language
271 describe SARE_HEAD_HDR_LANG Message headers used which identify spam
272 score SARE_HEAD_HDR_LANG 1.666
273 #stype SARE_HEAD_HDR_LANG spamp
274 #counts SARE_HEAD_HDR_LANG 122s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
275 #max SARE_HEAD_HDR_LANG 413s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
276 #counts SARE_HEAD_HDR_LANG 78s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
277 #max SARE_HEAD_HDR_LANG 86s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
278 #counts SARE_HEAD_HDR_LANG 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
279 #max SARE_HEAD_HDR_LANG 3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
280 #counts SARE_HEAD_HDR_LANG 19s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
281 #max SARE_HEAD_HDR_LANG 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
282 #counts SARE_HEAD_HDR_LANG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
284 header SARE_HEAD_HDR_NLETRID exists:Newsletter-ID
285 describe SARE_HEAD_HDR_NLETRID Message headers used which identify spam
286 score SARE_HEAD_HDR_NLETRID 1.666
287 #stype SARE_HEAD_HDR_NLETRID spamp
288 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
289 #max SARE_HEAD_HDR_NLETRID 173s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
290 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
291 #max SARE_HEAD_HDR_NLETRID 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
292 #counts SARE_HEAD_HDR_NLETRID 28s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
293 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
294 #max SARE_HEAD_HDR_NLETRID 12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
295 #counts SARE_HEAD_HDR_NLETRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
297 header SARE_HEAD_HDR_PID exists:PID
298 describe SARE_HEAD_HDR_PID Message headers used which identify spam
299 score SARE_HEAD_HDR_PID 1.666
300 #stype SARE_HEAD_HDR_PID spamp
301 #counts SARE_HEAD_HDR_PID 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
302 #max SARE_HEAD_HDR_PID 139s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
303 #counts SARE_HEAD_HDR_PID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
304 #counts SARE_HEAD_HDR_PID 36s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
305 #counts SARE_HEAD_HDR_PID 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
306 #max SARE_HEAD_HDR_PID 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
307 #counts SARE_HEAD_HDR_PID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
309 header SARE_HEAD_HDR_PREVNDR exists:Prevent-NonDelivery-Report
310 describe SARE_HEAD_HDR_PREVNDR Message headers used which identify spam
311 score SARE_HEAD_HDR_PREVNDR 1.666
312 #stype SARE_HEAD_HDR_PREVNDR spamp
313 #counts SARE_HEAD_HDR_PREVNDR 19s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
314 #max SARE_HEAD_HDR_PREVNDR 129s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
315 #counts SARE_HEAD_HDR_PREVNDR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
316 #counts SARE_HEAD_HDR_PREVNDR 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
317 #max SARE_HEAD_HDR_PREVNDR 20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
318 #counts SARE_HEAD_HDR_PREVNDR 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
319 #max SARE_HEAD_HDR_PREVNDR 21s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
320 #counts SARE_HEAD_HDR_PREVNDR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
322 header SARE_HEAD_HDR_XBNCETR exists:X-BounceTrace
323 describe SARE_HEAD_HDR_XBNCETR Message headers used which identify spam
324 score SARE_HEAD_HDR_XBNCETR 1.111
325 #stype SARE_HEAD_HDR_XBNCETR spamp
326 #counts SARE_HEAD_HDR_XBNCETR 96s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
327 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
328 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
329 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
330 #counts SARE_HEAD_HDR_XBNCETR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
332 header SARE_HEAD_HDR_XCAMPIDZ exists:X-Campidz
333 describe SARE_HEAD_HDR_XCAMPIDZ Message headers used which identify spam
334 score SARE_HEAD_HDR_XCAMPIDZ 2.333
335 #stype SARE_HEAD_HDR_XCAMPIDZ spamp
336 #counts SARE_HEAD_HDR_XCAMPIDZ 2171s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
337 #counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
338 #counts SARE_HEAD_HDR_XCAMPIDZ 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
339 #counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
340 #counts SARE_HEAD_HDR_XCAMPIDZ 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
342 header SARE_HEAD_HDR_XCLIHST exists:X-ClientHost
343 describe SARE_HEAD_HDR_XCLIHST Message headers used which identify spam
344 score SARE_HEAD_HDR_XCLIHST 2.888
345 #stype SARE_HEAD_HDR_XCLIHST spamp
346 #counts SARE_HEAD_HDR_XCLIHST 7465s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
347 #counts SARE_HEAD_HDR_XCLIHST 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
348 #counts SARE_HEAD_HDR_XCLIHST 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
349 #counts SARE_HEAD_HDR_XCLIHST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
350 #counts SARE_HEAD_HDR_XCLIHST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
352 header SARE_HEAD_HDR_XE exists:X-E
353 describe SARE_HEAD_HDR_XE Message headers used which identify spam
354 score SARE_HEAD_HDR_XE 1.666
355 #counts SARE_HEAD_HDR_XE 810s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
356 #counts SARE_HEAD_HDR_XE 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
357 #counts SARE_HEAD_HDR_XE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
358 #counts SARE_HEAD_HDR_XE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
359 #counts SARE_HEAD_HDR_XE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
361 header SARE_HEAD_HDR_XCSIP exists:X-CS-IP
362 describe SARE_HEAD_HDR_XCSIP Message headers used which identify spam
363 score SARE_HEAD_HDR_XCSIP 1.666
364 #stype SARE_HEAD_HDR_XCSIP spamp
365 #hist SARE_HEAD_HDR_XCSIP FH_HAS_CS_IP
366 #counts SARE_HEAD_HDR_XCSIP 155s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
367 #max SARE_HEAD_HDR_XCSIP 590s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
368 #counts SARE_HEAD_HDR_XCSIP 101s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
369 #max SARE_HEAD_HDR_XCSIP 127s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
370 #counts SARE_HEAD_HDR_XCSIP 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
371 #max SARE_HEAD_HDR_XCSIP 136s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
372 #counts SARE_HEAD_HDR_XCSIP 13s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
373 #max SARE_HEAD_HDR_XCSIP 98s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
374 #counts SARE_HEAD_HDR_XCSIP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
376 header SARE_HEAD_HDR_XEMAIL exists:X-EMail
377 describe SARE_HEAD_HDR_XEMAIL Message headers used which identify spam
378 score SARE_HEAD_HDR_XEMAIL 1.666
379 #stype SARE_HEAD_HDR_XEMAIL spamp
380 #counts SARE_HEAD_HDR_XEMAIL 841s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
381 #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
382 #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
383 #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
384 #counts SARE_HEAD_HDR_XEMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
386 header SARE_HEAD_HDR_XENCVER exists:X-Encoding-Version
387 describe SARE_HEAD_HDR_XENCVER Message headers used which identify spam
388 score SARE_HEAD_HDR_XENCVER 1.666
389 #stype SARE_HEAD_HDR_XENCVER spamp
390 #counts SARE_HEAD_HDR_XENCVER 306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
391 #counts SARE_HEAD_HDR_XENCVER 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
392 #counts SARE_HEAD_HDR_XENCVER 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
393 #counts SARE_HEAD_HDR_XENCVER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
394 #counts SARE_HEAD_HDR_XENCVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
396 header SARE_HEAD_HDR_XFIND exists:X-Find
397 describe SARE_HEAD_HDR_XFIND Message headers used which identify spam
398 score SARE_HEAD_HDR_XFIND 1.666
399 #stype SARE_HEAD_HDR_XFIND spamp
400 #counts SARE_HEAD_HDR_XFIND 306s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
401 #counts SARE_HEAD_HDR_XFIND 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
402 #counts SARE_HEAD_HDR_XFIND 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
403 #counts SARE_HEAD_HDR_XFIND 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
404 #counts SARE_HEAD_HDR_XFIND 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
406 header SARE_HEAD_HDR_XGMAILA exists:X-Gmail-Account
407 describe SARE_HEAD_HDR_XGMAILA Message headers used which identify spam
408 score SARE_HEAD_HDR_XGMAILA 1.111
409 #stype SARE_HEAD_HDR_XGMAILA spamp
410 #counts SARE_HEAD_HDR_XGMAILA 3s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
411 #max SARE_HEAD_HDR_XGMAILA 20s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
412 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
413 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
414 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
415 #counts SARE_HEAD_HDR_XGMAILA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
417 header SARE_HEAD_HDR_XGMXAV exists:X-GMX-Antivirus
418 describe SARE_HEAD_HDR_XGMXAV Message headers used which identify spam
419 score SARE_HEAD_HDR_XGMXAV 1.666
420 #counts SARE_HEAD_HDR_XGMXAV 171s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
421 #max SARE_HEAD_HDR_XGMXAV 199s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
422 #counts SARE_HEAD_HDR_XGMXAV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
423 #max SARE_HEAD_HDR_XGMXAV 33s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
424 #counts SARE_HEAD_HDR_XGMXAV 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
425 #max SARE_HEAD_HDR_XGMXAV 10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
426 #counts SARE_HEAD_HDR_XGMXAV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
427 #counts SARE_HEAD_HDR_XGMXAV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
429 header SARE_HEAD_HDR_XIDSRVR exists:X-Identity-Server
430 describe SARE_HEAD_HDR_XIDSRVR Message headers used which identify spam
431 score SARE_HEAD_HDR_XIDSRVR 1.111
432 #stype SARE_HEAD_HDR_XIDSRVR spamp
433 #hist SARE_HEAD_HDR_XIDSRVR Bob Menschel, June 3 2005, idea by Alex Broens
434 #counts SARE_HEAD_HDR_XIDSRVR 15s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
435 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
436 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
437 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
438 #counts SARE_HEAD_HDR_XIDSRVR 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
440 header SARE_HEAD_HDR_XRMDTXT exists:X-RMD-Text
441 describe SARE_HEAD_HDR_XRMDTXT Message headers used which identify spam
442 score SARE_HEAD_HDR_XRMDTXT 1.111
443 #stype SARE_HEAD_HDR_XRMDTXT spamp
444 #counts SARE_HEAD_HDR_XRMDTXT 33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
445 #counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
446 #max SARE_HEAD_HDR_XRMDTXT 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
447 #counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
448 #counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
449 #counts SARE_HEAD_HDR_XRMDTXT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
451 header SARE_HEAD_HDR_XRMVADR exists:X-Remove-Address
452 describe SARE_HEAD_HDR_XRMVADR Message headers used which identify spam
453 score SARE_HEAD_HDR_XRMVADR 1.111
454 #stype SARE_HEAD_HDR_XRMVADR spamp
455 #counts SARE_HEAD_HDR_XRMVADR 38s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
456 #max SARE_HEAD_HDR_XRMVADR 42s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
457 #counts SARE_HEAD_HDR_XRMVADR 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
458 #counts SARE_HEAD_HDR_XRMVADR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
459 #counts SARE_HEAD_HDR_XRMVADR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
460 #counts SARE_HEAD_HDR_XRMVADR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
461 #counts SARE_HEAD_HDR_XRMVADR 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
463 header SARE_HEAD_HDR_XRSPCID exists:X-Responder-CID
464 describe SARE_HEAD_HDR_XRSPCID Message headers used which identify spam
465 score SARE_HEAD_HDR_XRSPCID 1.111
466 #stype SARE_HEAD_HDR_XRSPCID spamp
467 #counts SARE_HEAD_HDR_XRSPCID 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
468 #counts SARE_HEAD_HDR_XRSPCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
469 #counts SARE_HEAD_HDR_XRSPCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
470 #counts SARE_HEAD_HDR_XRSPCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
471 #counts SARE_HEAD_HDR_XRSPCID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
473 header SARE_HEAD_HDR_XRSPRID exists:X-Responder-ID
474 describe SARE_HEAD_HDR_XRSPRID Message headers used which identify spam
475 score SARE_HEAD_HDR_XRSPRID 1.111
476 #stype SARE_HEAD_HDR_XRSPRID spamp
477 #counts SARE_HEAD_HDR_XRSPRID 71s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
478 #counts SARE_HEAD_HDR_XRSPRID 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
479 #counts SARE_HEAD_HDR_XRSPRID 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
480 #counts SARE_HEAD_HDR_XRSPRID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
481 #counts SARE_HEAD_HDR_XRSPRID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
482 #counts SARE_HEAD_HDR_XRSPRID 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
484 header SARE_HEAD_HDR_XRSPUSR exists:X-Responder-USR
485 describe SARE_HEAD_HDR_XRSPUSR Message headers used which identify spam
486 score SARE_HEAD_HDR_XRSPUSR 1.111
487 #stype SARE_HEAD_HDR_XRSPUSR spamp
488 #counts SARE_HEAD_HDR_XRSPUSR 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
489 #counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
490 #counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
491 #counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
492 #counts SARE_HEAD_HDR_XRSPUSR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
494 header SARE_HEAD_HDR_XSPAMTST exists:X-SpamTest-Info
495 describe SARE_HEAD_HDR_XSPAMTST Message headers used which identify spam
496 score SARE_HEAD_HDR_XSPAMTST 1.111
497 #stype SARE_HEAD_HDR_XSPAMTST spamp
498 #hist SARE_HEAD_HDR_XSPAMTST Bob Menschel, May 14, 2005
499 #counts SARE_HEAD_HDR_XSPAMTST 43s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
500 #max SARE_HEAD_HDR_XSPAMTST 57s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
501 #counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
502 #counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
503 #counts SARE_HEAD_HDR_XSPAMTST 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
505 header SARE_HEAD_HDR_XSPTRID exists:X-SP-Track-ID
506 describe SARE_HEAD_HDR_XSPTRID Message headers used which identify spam
507 score SARE_HEAD_HDR_XSPTRID 1.666
508 #stype SARE_HEAD_HDR_XSPTRID spamp
509 #hist SARE_HEAD_HDR_XSPTRID FH_XSPTRACK
510 #counts SARE_HEAD_HDR_XSPTRID 593s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
511 #counts SARE_HEAD_HDR_XSPTRID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
512 #counts SARE_HEAD_HDR_XSPTRID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
513 #counts SARE_HEAD_HDR_XSPTRID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
514 #counts SARE_HEAD_HDR_XSPTRID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
516 header SARE_HEAD_HDR_XUOLSRV exists:X-UOL-Srv
517 describe SARE_HEAD_HDR_XUOLSRV Message headers used which identify spam
518 score SARE_HEAD_HDR_XUOLSRV 1.111
519 #stype SARE_HEAD_HDR_XUOLSRV spamp
520 #counts SARE_HEAD_HDR_XUOLSRV 23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
521 #counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
522 #counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
523 #counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
524 #counts SARE_HEAD_HDR_XUOLSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
526 header SARE_HEAD_HDR_XWCMID exists:X-WCMailID
527 describe SARE_HEAD_HDR_XWCMID Message headers used which identify spam
528 score SARE_HEAD_HDR_XWCMID 2.222
529 #counts SARE_HEAD_HDR_XWCMID 1011s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
530 #counts SARE_HEAD_HDR_XWCMID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
531 #counts SARE_HEAD_HDR_XWCMID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
532 #counts SARE_HEAD_HDR_XWCMID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
533 #counts SARE_HEAD_HDR_XWCMID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
535 header SARE_HEAD_HDR_XWEBMTM exists:X-Webmail-Time
536 describe SARE_HEAD_HDR_XWEBMTM Message headers used which identify spam
537 score SARE_HEAD_HDR_XWEBMTM 1.666
538 #stype SARE_HEAD_HDR_XWEBMTM spamp
539 #counts SARE_HEAD_HDR_XWEBMTM 237s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
540 #max SARE_HEAD_HDR_XWEBMTM 351s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
541 #counts SARE_HEAD_HDR_XWEBMTM 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
542 #max SARE_HEAD_HDR_XWEBMTM 78s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
543 #counts SARE_HEAD_HDR_XWEBMTM 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
544 #max SARE_HEAD_HDR_XWEBMTM 112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
545 #counts SARE_HEAD_HDR_XWEBMTM 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
546 #max SARE_HEAD_HDR_XWEBMTM 41s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
547 #counts SARE_HEAD_HDR_XWEBMTM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
549 #####################################################################################
550 # SARE Content-Type and Boundary rules
551 ######## ###################### ##################################################
553 header SARE_BOUNDARY_02 Content-Type =~ /boundary\=('|\")?\~{10,}/
554 describe SARE_BOUNDARY_02 Too many ~'s in the boundary.
555 score SARE_BOUNDARY_02 0.650
556 #hist SARE_BOUNDARY_02 MY_BOUNDARY2
557 #counts SARE_BOUNDARY_02 37s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
558 #max SARE_BOUNDARY_02 51s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
559 #counts SARE_BOUNDARY_02 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
560 #counts SARE_BOUNDARY_02 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
561 #counts SARE_BOUNDARY_02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
563 header SARE_BOUNDARY_03 Content-Type =~ /boundary="-{10}[A-F0-9]{20,}"/
564 describe SARE_BOUNDARY_03 Content type boundary used in spam or virus
565 score SARE_BOUNDARY_03 1.666
566 #stype SARE_BOUNDARY_03 spamp
567 #hist SARE_BOUNDARY_03 Created by Bob Menschel May 31 2004
568 #counts SARE_BOUNDARY_03 59s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
569 #max SARE_BOUNDARY_03 132s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
570 #counts SARE_BOUNDARY_03 0s/0h of 13447 corpus (11336s/2111h MY) 06/02/04
571 #counts SARE_BOUNDARY_03 590s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
572 #counts SARE_BOUNDARY_03 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
573 #counts SARE_BOUNDARY_03 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
575 header SARE_BOUNDARY_10 Content-Type =~ /boundary=\"----[a-z\d]{10}-[\w\.]+\"$/is
576 describe SARE_BOUNDARY_10 Possible spam flag
577 score SARE_BOUNDARY_10 2.333
578 #hist SARE_BOUNDARY_10 Loren Wilton, Feb 21 2005
579 #counts SARE_BOUNDARY_10 1831s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
580 #max SARE_BOUNDARY_10 2495s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
581 #counts SARE_BOUNDARY_10 117s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
582 #counts SARE_BOUNDARY_10 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
583 #counts SARE_BOUNDARY_10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
584 #counts SARE_BOUNDARY_10 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
586 header SARE_BOUNDARY_11 Content-Type =~ /boundary=\"--\d{2,7}-\d{2,7}-\d{2,7}\"/
587 score SARE_BOUNDARY_11 1.344
588 describe SARE_BOUNDARY_11 Possible spam flag
589 #hist SARE_BOUNDARY_11 Loren Wilton, Feb 21 2005
590 #counts SARE_BOUNDARY_11 77s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
591 #max SARE_BOUNDARY_11 125s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
592 #counts SARE_BOUNDARY_11 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
593 #counts SARE_BOUNDARY_11 38s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
594 #counts SARE_BOUNDARY_11 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
595 #counts SARE_BOUNDARY_11 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
597 header SARE_BOUNDARY_12 Content-Type =~ /boundary=\"--[a-z]+\d+[a-z]+"/ # no /i
598 describe SARE_BOUNDARY_12 Possible spam flag
599 score SARE_BOUNDARY_12 1.666
600 #hist SARE_BOUNDARY_12 Loren Wilton, Feb 21 2005
601 #counts SARE_BOUNDARY_12 60s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
602 #max SARE_BOUNDARY_12 288s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
603 #counts SARE_BOUNDARY_12 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
604 #counts SARE_BOUNDARY_12 41s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
605 #max SARE_BOUNDARY_12 45s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
606 #counts SARE_BOUNDARY_12 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
607 #counts SARE_BOUNDARY_12 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
609 header SARE_BOUNDARY_13 Content-Type =~ /boundary=\"Java\.[A-Z]{5}\.\d{10,30}"/ # no /i
610 score SARE_BOUNDARY_13 1.666
611 describe SARE_BOUNDARY_13 Possible spam flag
612 #hist SARE_BOUNDARY_13 Loren Wilton, Feb 21 2005
613 #counts SARE_BOUNDARY_13 29s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
614 #max SARE_BOUNDARY_13 614s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
615 #counts SARE_BOUNDARY_13 61s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
616 #counts SARE_BOUNDARY_13 86s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
617 #max SARE_BOUNDARY_13 133s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
618 #counts SARE_BOUNDARY_13 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
619 #counts SARE_BOUNDARY_13 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
621 header SARE_BOUNDARY_D9 Content-Type =~ /boundary="\d{9}"/
622 describe SARE_BOUNDARY_D9 Content type boundary used in spam or virus
623 score SARE_BOUNDARY_D9 1.111
624 #stype SARE_BOUNDARY_D9 spamp
625 #hist SARE_BOUNDARY_D9 Created by Bob Menschel May 31 2004
626 #counts SARE_BOUNDARY_D9 76s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
627 #max SARE_BOUNDARY_D9 80s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
628 #counts SARE_BOUNDARY_D9 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
629 #counts SARE_BOUNDARY_D9 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
630 #counts SARE_BOUNDARY_D9 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
631 #counts SARE_BOUNDARY_D9 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
633 header SARE_BOUNDARY_D11 Content-Type =~ /boundary="\d{11}"/
634 describe SARE_BOUNDARY_D11 Content type boundary used in spam or virus
635 score SARE_BOUNDARY_D11 1.666
636 #stype SARE_BOUNDARY_D11 spamp
637 #hist SARE_BOUNDARY_D11 Created by Bob Menschel May 31 2004
638 #counts SARE_BOUNDARY_D11 112s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
639 #counts SARE_BOUNDARY_D11 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
640 #counts SARE_BOUNDARY_D11 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
641 #counts SARE_BOUNDARY_D11 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
642 #counts SARE_BOUNDARY_D11 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
644 header __SARE_BOUNDARY_D12 Content-Type =~ /boundary="\d{12,}"/
645 meta SARE_BOUNDARY_D12 __SARE_BOUNDARY_D12 && !MIME_BOUND_DIGITS_15
646 describe SARE_BOUNDARY_D12 Content type boundary used in spam or virus
647 score SARE_BOUNDARY_D12 1.666
648 #stype SARE_BOUNDARY_D12 spamp
649 #hist SARE_BOUNDARY_D12 Created by Bob Menschel May 31 2004
650 #V300 SARE_BOUNDARY_D12 Converted to meta to avoid double-scoring new SA 3.0 MIME_BOUND_DIGITS_15 rule
651 #counts SARE_BOUNDARY_D12 412s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
652 #counts SARE_BOUNDARY_D12 188s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
653 #max SARE_BOUNDARY_D12 238s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
654 #counts SARE_BOUNDARY_D12 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
655 #counts SARE_BOUNDARY_D12 32s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
656 #max SARE_BOUNDARY_D12 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
657 #counts SARE_BOUNDARY_D12 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
658 #alone SARE_BOUNDARY_D12 701s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
660 header SARE_BOUNDARY_ANYDIG Content-Type =~ /boundary="--.*\[\d\]/i
661 describe SARE_BOUNDARY_ANYDIG Content type boundary used in spam and viruses
662 score SARE_BOUNDARY_ANYDIG 1.666
663 #hist SARE_BOUNDARY_ANYDIG Created by Bob Menschel May 7 2005, suggested by Alex Broens
664 #counts SARE_BOUNDARY_ANYDIG 143s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
665 #max SARE_BOUNDARY_ANYDIG 282s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
666 #counts SARE_BOUNDARY_ANYDIG 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
667 #counts SARE_BOUNDARY_ANYDIG 85s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
668 #counts SARE_BOUNDARY_ANYDIG 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
670 header SARE_BOUNDARY_QZSOFT content-type =~ /boundary="qzsoft_directmail_seperator"/
671 describe SARE_BOUNDARY_QZSOFT Identifies spam from specific spamware
672 score SARE_BOUNDARY_QZSOFT 1.666
673 #hist SARE_BOUNDARY_QZSOFT Loren Wilton, LW_DIRECTMAIL, Sep 5 2004
674 #counts SARE_BOUNDARY_QZSOFT 347s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
675 #counts SARE_BOUNDARY_QZSOFT 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
676 #max SARE_BOUNDARY_QZSOFT 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
677 #counts SARE_BOUNDARY_QZSOFT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
678 #counts SARE_BOUNDARY_QZSOFT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
679 #counts SARE_BOUNDARY_QZSOFT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
681 #####################################################################################
683 ######## ###################### ##################################################
685 header __AOL_FROM From:addr =~ /\@(?:aol|cs)\.com$/i
686 header __SARE_FROM_GOODAOL From =~ /[a-z][a-z0-9]{2,15}\@aol.com/i
687 describe __SARE_FROM_GOODAOL Partial Rule: Marks Bad AOL Addresses
688 meta SARE_FROM_BADAOL __AOL_FROM && !__SARE_FROM_GOODAOL
689 describe SARE_FROM_BADAOL From an Invalid AOL Email Address
690 score SARE_FROM_BADAOL 1.666
691 #hist SARE_FROM_BADAOL KAM.COMBO_BADAOL Originally submitted by from Kevin A. McGrail
692 #hist SARE_FROM_BADAOL Rule based on Kelson Vibber's MD code for bogus AOL Addresses
693 #hist SARE_FROM_BADAOL Check for bogus AOL addresses as described at
694 #hist SARE_FROM_BADAOL http://postmaster.aol.com/faq/mailerfaq.html#syntax
695 #hist SARE_FROM_BADAOL Rule for good addresses: all alphanumeric, starting with a letter, from 3 to 16 characters long.
696 #note SARE_FROM_BADAOL __AOL_FROM is SA Distrib rule
697 #counts SARE_FROM_BADAOL 226s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
698 #max SARE_FROM_BADAOL 359s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
699 #counts SARE_FROM_BADAOL 30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
700 #max SARE_FROM_BADAOL 51s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
701 #counts SARE_FROM_BADAOL 1s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
702 #max SARE_FROM_BADAOL 10s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
703 #counts SARE_FROM_BADAOL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
704 #counts SARE_FROM_BADAOL 4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
706 header SARE_FROM_DRUGS From =~ /\b(?:cialis|levitra|phentermine|valium|viagra|vicodin|xanax)\b/i
707 describe SARE_FROM_DRUGS From a drug
708 score SARE_FROM_DRUGS 1.666
709 #hist SARE_FROM_DRUGS Bob Menschel May 14 2005, from sample provided by Joanne Dow
710 #hist SARE_FROM_DRUGS Split SOMA to new SARE_FROM_DRUGS2 rule because of ham.
711 #counts SARE_FROM_DRUGS 243s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
712 #max SARE_FROM_DRUGS 753s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
713 #counts SARE_FROM_DRUGS 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
714 #max SARE_FROM_DRUGS 17s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
715 #counts SARE_FROM_DRUGS 2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
716 #counts SARE_FROM_DRUGS 72s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
717 #max SARE_FROM_DRUGS 108s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
718 #counts SARE_FROM_DRUGS 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
720 header SARE_FROM_HOODIA From =~ /"Hoodia/i
721 describe SARE_FROM_HOODIA From who do ya say?
722 score SARE_FROM_HOODIA 1.666
723 #stype SARE_FRMO_HOODIA spamg
724 #hist SARE_FROM_HOODIA Loren Wilton, Sept 2005
725 #counts SARE_FROM_HOODIA 45s/0h of 659759 corpus (325842s/333917h RM) 09/20/05
726 #counts SARE_FROM_HOODIA 31s/0h of 56592 corpus (51660s/4932h MY) 09/22/05
727 #counts SARE_FROM_HOODIA 1s/0h of 10551 corpus (5780s/4771h CT) 09/18/05
729 header SARE_FROM_PAYPAL_INV From =~ /(?:admin|services|support|update|verification)\@paypal.com/i
730 describe SARE_FROM_PAYPAL_INV From invalid address at PayPal
731 score SARE_FROM_PAYPAL_INV 1.111
732 #stype SARE_FROM_PAYPAL_INV spamp
733 #hist SARE_FROM_PAYPAL_INV Created by Bob Menschel Sep 24 2004
734 #counts SARE_FROM_PAYPAL_INV 27s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
735 #max SARE_FROM_PAYPAL_INV 39s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
736 #counts SARE_FROM_PAYPAL_INV 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
737 #counts SARE_FROM_PAYPAL_INV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
738 #counts SARE_FROM_PAYPAL_INV 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
739 #counts SARE_FROM_PAYPAL_INV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
741 header SARE_FROM_SPAM_NAME2 From =~ /(?:Dating Tips|Email-Gallery|everyday-solution|Free Credit Report|FreebieFix|Long Distance|medmicro|Shape Solutions|TMobile Authorized Dealer|TheGolfWarehouses|Typing Teacher|Value Center|freePriority Shipping|funpage|koldny|propecia|thedailyfreesamples)/i
742 describe SARE_FROM_SPAM_NAME2 From address suggests this is spam
743 score SARE_FROM_SPAM_NAME2 1.666
744 #stype SARE_FROM_SPAM_NAME2 spamp
745 #hist SARE_FROM_SPAM_NAME2 COMBINED.FROM and other sources
746 #counts SARE_FROM_SPAM_NAME2 140s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
747 #counts SARE_FROM_SPAM_NAME2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
748 #max SARE_FROM_SPAM_NAME2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
749 #counts SARE_FROM_SPAM_NAME2 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
750 #max SARE_FROM_SPAM_NAME2 16s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
751 #counts SARE_FROM_SPAM_NAME2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
752 #counts SARE_FROM_SPAM_NAME2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
754 header SARE_FROM_WSJ From:name =~ /Wall Street (?:News Alert|Journal Online|Stock Wizard|Detective|Universe|Update|Chronicle)/i
755 score SARE_FROM_WSJ 1.666
756 #hist SARE_FROM_WSJ Matt Yackley, Apr 15 2005, expanded by Bob Menschel
757 #counts SARE_FROM_WSJ 77s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
758 #max SARE_FROM_WSJ 86s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
759 #counts SARE_FROM_WSJ 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
760 #counts SARE_FROM_WSJ 11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
761 #counts SARE_FROM_WSJ 258s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
762 #counts SARE_FROM_WSJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
764 #####################################################################################
765 # SARE From Rules -- Emails coming from free webmail accounts
766 # Since spam from these can vary depending upon country of origin,
767 # country of destination, policies, and enforcement of policies,
768 # most of these are kept as separate rules rather than combined.
769 ######## ###################### ##################################################
771 header SARE_FREE_WEBM_COMWALL From =~ /\@walla\.com/i
772 describe SARE_FREE_WEBM_COMWALL Maybe spammer with free email
773 score SARE_FREE_WEBM_COMWALL 1.666
774 #hist SARE_FREE_WEBM_COMWALL Created by Bob Menschel Sep 26 2004
775 #counts SARE_FREE_WEBM_COMWALL 851s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
776 #counts SARE_FREE_WEBM_COMWALL 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
777 #counts SARE_FREE_WEBM_COMWALL 10s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
778 #max SARE_FREE_WEBM_COMWALL 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
779 #counts SARE_FREE_WEBM_COMWALL 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
780 #counts SARE_FREE_WEBM_COMWALL 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
782 header SARE_FREE_WEBM_Dora From =~ /\bdoramail\.com/i
783 describe SARE_FREE_WEBM_Dora Sender used free email account - may be spammer
784 score SARE_FREE_WEBM_Dora 1.666
785 #counts SARE_FREE_WEBM_Dora 182s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
786 #counts SARE_FREE_WEBM_Dora 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
787 #max SARE_FREE_WEBM_Dora 20s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
788 #counts SARE_FREE_WEBM_Dora 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
789 #max SARE_FREE_WEBM_Dora 21s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
790 #counts SARE_FREE_WEBM_Dora 10s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
791 #max SARE_FREE_WEBM_Dora 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
792 #counts SARE_FREE_WEBM_Dora 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
794 header SARE_FROM_WEBM_ERESMAS From =~ /eresmas\.com/i
795 describe SARE_FROM_WEBM_ERESMAS Probable spammer
796 score SARE_FROM_WEBM_ERESMAS 1.666
797 #hist SARE_FROM_WEBM_ERESMAS Bob Menschel May 14 2005
798 #counts SARE_FROM_WEBM_ERESMAS 113s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
799 #max SARE_FROM_WEBM_ERESMAS 619s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
800 #counts SARE_FROM_WEBM_ERESMAS 13s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
801 #counts SARE_FROM_WEBM_ERESMAS 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
802 #counts SARE_FROM_WEBM_ERESMAS 26s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
803 #counts SARE_FROM_WEBM_ERESMAS 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
805 header SARE_FREE_WEBM_EsTerra From =~ /\bterra\.es/i
806 describe SARE_FREE_WEBM_EsTerra Sender used free email account - may be spammer
807 score SARE_FREE_WEBM_EsTerra 1.666
808 #counts SARE_FREE_WEBM_EsTerra 142s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
809 #max SARE_FREE_WEBM_EsTerra 228s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
810 #counts SARE_FREE_WEBM_EsTerra 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
811 #counts SARE_FREE_WEBM_EsTerra 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
812 #counts SARE_FREE_WEBM_EsTerra 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
813 #counts SARE_FREE_WEBM_EsTerra 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
815 header SARE_FREE_WEBM_Kero From =~ /\bKeromail\.com/i
816 describe SARE_FREE_WEBM_Kero Sender used free email account - may be spammer
817 score SARE_FREE_WEBM_Kero 0.950
818 #counts SARE_FREE_WEBM_Kero 29s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
819 #max SARE_FREE_WEBM_Kero 46s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
820 #counts SARE_FREE_WEBM_Kero 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
821 #max SARE_FREE_WEBM_Kero 12s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
822 #counts SARE_FREE_WEBM_Kero 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
823 #counts SARE_FREE_WEBM_Kero 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
824 #counts SARE_FREE_WEBM_Kero 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
826 header SARE_FREE_WEBM_LATINML From =~ /\@latinmail\.com/i
827 describe SARE_FREE_WEBM_LATINML Maybe spammer with free email
828 score SARE_FREE_WEBM_LATINML 1.666
829 #hist SARE_FREE_WEBM_LATINML Created by Bob Menschel Sep 28 2004
830 #counts SARE_FREE_WEBM_LATINML 124s/1h of 619677 corpus (318875s/300802h RM) 09/11/05
831 #max SARE_FREE_WEBM_LATINML 296s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
832 #counts SARE_FREE_WEBM_LATINML 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
833 #max SARE_FREE_WEBM_LATINML 19s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
834 #counts SARE_FREE_WEBM_LATINML 7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
835 #counts SARE_FREE_WEBM_LATINML 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
836 #max SARE_FREE_WEBM_LATINML 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
837 #counts SARE_FREE_WEBM_LATINML 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
839 header SARE_FREE_WEBM_OwnEm1 From =~ /\@(?:ownemail|akkadian|alarmists|armymail|arsed|astromail|barefooted|bellybuster|bemused|bigisbeautiful|bigisbetter|bigsecret|blag|blahdeblah|blowitup|boardmaster|bobbles|boster|brutes|buttonpushers|chalky|changeplace|charlies|chasing|cherrycola|chewies|chocolatejunkies|clubfever|codemaster|creaky|crumbly|currymonster|cutemail|darkcorner|darkplace|daydreamer|deepdesire|desilver|diddled|djsuperstars|doleoffice|dotters|downboy|ducktail|elitists|emergencymail)\.com/i
840 describe SARE_FREE_WEBM_OwnEm1 Sender used free email account - may be spammer
841 #describ SARE_FREE_WEBM_OwnEm1 These are all aliases of the OwnEmail.Com service, from which we get spam.
842 score SARE_FREE_WEBM_OwnEm1 1.666
843 #note SARE_FREE_WEBM_OwnEm1 The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match.
844 #counts SARE_FREE_WEBM_OwnEm1 11s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
845 #max SARE_FREE_WEBM_OwnEm1 159s/0h of 115937 corpus (94614s/21323h) 04/29/04
846 #counts SARE_FREE_WEBM_OwnEm1 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
847 #max SARE_FREE_WEBM_OwnEm1 19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
848 #counts SARE_FREE_WEBM_OwnEm1 31s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
849 #max SARE_FREE_WEBM_OwnEm1 35s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
850 #counts SARE_FREE_WEBM_OwnEm1 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
851 #max SARE_FREE_WEBM_OwnEm1 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
852 #counts SARE_FREE_WEBM_OwnEm1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
854 header SARE_FREE_WEBM_OwnEm2 From =~ /\@(?:fairyqueen|fantasyforce|fastbowler|firelord|fynns|gameaddict|gobby|hothatches|kickedout|kred|lemonmail|liquidlunch|lovesecrets|luckster|lucys|madder|makethebreak|manmachine|mippy|misssporty|mistersporty|mrlottery|mrsporty|nagging|naseem|nicked|ownplace|pammy|poppet|qualitymail|r-a-v-e|raddled|ribber|shearer|slouching|spoofer|stalkers|sthelens|stubby|sunstertacomail|taureans|tenderkiss|thearchway|thebrewer|thecutest|thelostworld|tiggy|tizzi|tosser|trilby)\.com/i
855 describe SARE_FREE_WEBM_OwnEm2 Sender used free email account - may be spammer
856 score SARE_FREE_WEBM_OwnEm2 1.666
857 #note SARE_FREE_WEBM_OWNEm2 The SARE_FREE_WEBM_OWNEMn rules all apply to the same webmail host -- score identically as long as no ham match.
858 #counts SARE_FREE_WEBM_OwnEm2 12s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
859 #max SARE_FREE_WEBM_OwnEm2 153s/0h of 115937 corpus (94614s/21323h) 04/29/04
860 #counts SARE_FREE_WEBM_OwnEm2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
861 #max SARE_FREE_WEBM_OwnEm2 8s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
862 #counts SARE_FREE_WEBM_OwnEm2 35s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
863 #counts SARE_FREE_WEBM_OwnEm2 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
864 #counts SARE_FREE_WEBM_OwnEm2 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
866 header SARE_FREE_WEBM_Uymail From =~ /\buymail\.com/i
867 describe SARE_FREE_WEBM_Uymail Sender used free email account - may be spammer
868 score SARE_FREE_WEBM_Uymail 1.228
869 #counts SARE_FREE_WEBM_Uymail 22s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
870 #max SARE_FREE_WEBM_Uymail 103s/0h of 125163 corpus (104972s/20191h) 03/28/04
871 #counts SARE_FREE_WEBM_Uymail 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
872 #counts SARE_FREE_WEBM_Uymail 1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
873 #max SARE_FREE_WEBM_Uymail 4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
874 #counts SARE_FREE_WEBM_Uymail 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
875 #counts SARE_FREE_WEBM_Uymail 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
877 header SARE_FREE_WEBM_Zwallet From =~ /\bzwallet\.com/i
878 describe SARE_FREE_WEBM_Zwallet Sender used free email account - may be spammer
879 score SARE_FREE_WEBM_Zwallet 1.666
880 #counts SARE_FREE_WEBM_Zwallet 241s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
881 #counts SARE_FREE_WEBM_Zwallet 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
882 #max SARE_FREE_WEBM_Zwallet 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
883 #counts SARE_FREE_WEBM_Zwallet 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
884 #counts SARE_FREE_WEBM_Zwallet 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
885 #counts SARE_FREE_WEBM_Zwallet 11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
887 #####################################################################################
888 # SARE Message-ID rules
889 ######## ###################### ##################################################
891 header SARE_MSGID_1Z1Z MESSAGEID =~ /<1z.+\@1z/
892 describe SARE_MSGID_1Z1Z Message-ID has ratware pattern (1zXXXX@1z)
893 score SARE_MSGID_1Z1Z 2.222
894 #counts SARE_MSGID_1Z1Z 978s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
895 #counts SARE_MSGID_1Z1Z 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
896 #max SARE_MSGID_1Z1Z 94s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
897 #counts SARE_MSGID_1Z1Z 527s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
898 #counts SARE_MSGID_1Z1Z 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
899 #counts SARE_MSGID_1Z1Z 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
901 header SARE_MSGID_HEX30 MESSAGEID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
902 describe SARE_MSGID_HEX30 Message-ID has ratware pattern (HEXHEXHEX$9x9@)
903 score SARE_MSGID_HEX30 1.666
904 #counts SARE_MSGID_HEX30 18s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
905 #counts SARE_MSGID_HEX30 235s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
906 #counts SARE_MSGID_HEX30 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
907 #counts SARE_MSGID_HEX30 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
908 #counts SARE_MSGID_HEX30 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
910 #####################################################################################
911 # SARE Received Header Rules
912 ######## ###################### ##################################################
914 header SARE_HELO_MAILUSER Received =~ /helo=MailUser\)/i
915 describe SARE_HELO_MAILUSER Received header has possible spamsign
916 score SARE_HELO_MAILUSER 1.111
917 #stype SARE_HELO_MAILUSER spamp
918 #hist SARE_HELO_MAILUSER Created by Bob Menschel May 31 2004
919 #counts SARE_HELO_MAILUSER 7s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
920 #max SARE_HELO_MAILUSER 12s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
921 #counts SARE_HELO_MAILUSER 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
922 #counts SARE_HELO_MAILUSER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
923 #counts SARE_HELO_MAILUSER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
924 #counts SARE_HELO_MAILUSER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
926 header SARE_RECV_LOCALHOST Received =~ /localhosts\.txt/i
927 describe SARE_RECV_LOCALHOST fingerprint
928 score SARE_RECV_LOCALHOST 1.111
929 #stype SARE_RECV_LOCALHOST spamp
930 #hist SARE_RECV_LOCALHOST Alex Broens, June 2005
931 #counts SARE_RECV_LOCALHOST 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
932 #max SARE_RECV_LOCALHOST 77s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
933 #counts SARE_RECV_LOCALHOST 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
934 #counts SARE_RECV_LOCALHOST 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
936 header SARE_RECV_SUSP_2 Received =~ /from\s+[A-Z0-9]+\s+\(\[10\.2\.202\.25\]\)\s+by\s+[A-Z0-9]+\.[a-z]+/
937 describe SARE_RECV_SUSP_2 Spammer sign in headers
938 score SARE_RECV_SUSP_2 1.666
939 #hist SARE_RECV_SUSP_2 LW_RATWARE1
940 #counts SARE_RECV_SUSP_2 31s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
941 #max SARE_RECV_SUSP_2 69s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
942 #counts SARE_RECV_SUSP_2 31s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
943 #max SARE_RECV_SUSP_2 124s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
944 #counts SARE_RECV_SUSP_2 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
945 #counts SARE_RECV_SUSP_2 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
946 #max SARE_RECV_SUSP_2 8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
947 #counts SARE_RECV_SUSP_2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
949 header SARE_RECV_TRADVALUES Received =~ /\btraditionalvalues\.org/i
950 describe SARE_RECV_TRADVALUES From or passed through spammer/unreliable domain
951 score SARE_RECV_TRADVALUES 3.333
952 #stype SARE_RECV_TRADVALUES spamgg
953 #hist SARE_RECV_TRADVALUES RM_hr_tradvalues
954 #counts SARE_RECV_TRADVALUES 79s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
955 #max SARE_RECV_TRADVALUES 97s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
956 #counts SARE_RECV_TRADVALUES 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
957 #counts SARE_RECV_TRADVALUES 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
958 #counts SARE_RECV_TRADVALUES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
959 #counts SARE_RECV_TRADVALUES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
961 header SARE_RECV_VIPLIST Received =~ /\b(?:viplist\.us|\[216.74.127.234\])/
962 describe SARE_RECV_VIPLIST Email comes from known spammer system
963 score SARE_RECV_VIPLIST 4.000
964 #stype SARE_RECV_VIPLIST spamggg
965 #hist SARE_RECV_VIPLIST Created by Bob Menschel Sep 29 2004
966 #counts SARE_RECV_VIPLIST 46s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
967 #max SARE_RECV_VIPLIST 255s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
968 #counts SARE_RECV_VIPLIST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
969 #counts SARE_RECV_VIPLIST 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
970 #counts SARE_RECV_VIPLIST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
971 #counts SARE_RECV_VIPLIST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
973 header SARE_RECV_XACTRIX Received =~ /\b(?:accutra|xactrix)\.com/i
974 describe SARE_RECV_XACTRIX From/through probable spammer system
975 score SARE_RECV_XACTRIX 2.500
976 #stype SARE_RECV_XACTRIX spamg
977 #hist SARE_RECV_XACTRIX Created by Bob Menschel Sep 03 2004
978 #counts SARE_RECV_XACTRIX 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
979 #max SARE_RECV_XACTRIX 11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
980 #counts SARE_RECV_XACTRIX 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
981 #counts SARE_RECV_XACTRIX 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
982 #max SARE_RECV_XACTRIX 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
983 #counts SARE_RECV_XACTRIX 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
984 #counts SARE_RECV_XACTRIX 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
986 #####################################################################################
987 # SARE Received Header IP Address Rules
988 ######## ###################### ##################################################
990 header SARE_RECV_IP_004078 Received =~ /\[4\.78\.193\.\d{1,3}\]/
991 describe SARE_RECV_IP_004078 Spam passed through possible spammer relay
992 score SARE_RECV_IP_004078 1.666
993 #hist SARE_RECV_IP_004078 Created by Bob Menschel Feb 5 2005 from Spam-L information
994 #note SARE_RECV_IP_004078 CWIE, LLC
995 #counts SARE_RECV_IP_004078 0s/0h of 95095 corpus (59680s/35415h RM) 02/05/05
996 #counts SARE_RECV_IP_004078 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
997 #counts SARE_RECV_IP_004078 347s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
998 #max SARE_RECV_IP_004078 397s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
999 #counts SARE_RECV_IP_004078 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1000 #counts SARE_RECV_IP_004078 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1002 header SARE_RECV_IP_038112147 Received =~ /\[38\.112\.147\.\d{1,3}\]/
1003 describe SARE_RECV_IP_038112147 Spam passed through possible spammer relay
1004 score SARE_RECV_IP_038112147 1.111
1005 #stype SARE_RECV_IP_038112147 spamp
1006 #hist SARE_RECV_IP_038112147 Created by Bob Menschel, Feb 19 2005, from Spam-L posting
1007 #counts SARE_RECV_IP_038112147 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1008 #max SARE_RECV_IP_038112147 66s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
1009 #counts SARE_RECV_IP_038112147 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1010 #counts SARE_RECV_IP_038112147 3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1011 #max SARE_RECV_IP_038112147 3s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1012 #counts SARE_RECV_IP_038112147 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1013 #counts SARE_RECV_IP_038112147 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1015 header SARE_RECV_IP_061052 Received =~ /\[61\.5[2-4]\.\d{1,3}\.\d{1,3}\]/
1016 describe SARE_RECV_IP_061052 Spam passed through possible spammer relay
1017 score SARE_RECV_IP_061052 1.666
1018 #stype SARE_RECV_IP_061052 spamp
1019 #hist SARE_RECV_IP_061052 Created by Bob Menschel May 10 2004
1020 #counts SARE_RECV_IP_061052 410s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1021 #counts SARE_RECV_IP_061052 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1022 #max SARE_RECV_IP_061052 25s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1023 #counts SARE_RECV_IP_061052 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1024 #max SARE_RECV_IP_061052 15s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1025 #counts SARE_RECV_IP_061052 18s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1026 #max SARE_RECV_IP_061052 19s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1027 #counts SARE_RECV_IP_061052 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1029 header SARE_RECV_IP_061172 Received =~ /\[61\.17[23]\.\d{1,3}\.\d{1,3}\]/
1030 describe SARE_RECV_IP_061172 Spam passed through possible spammer relay
1031 score SARE_RECV_IP_061172 1.666
1032 #stype SARE_RECV_IP_061172 spamp
1033 #counts SARE_RECV_IP_061172 206s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1034 #max SARE_RECV_IP_061172 305s/0h of 119325 corpus (98981s/20344h) 03/22/04
1035 #counts SARE_RECV_IP_061172 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1036 #max SARE_RECV_IP_061172 27s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1037 #counts SARE_RECV_IP_061172 276s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1038 #counts SARE_RECV_IP_061172 45s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1039 #counts SARE_RECV_IP_061172 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
1041 header SARE_RECV_IP_063106130 Received =~ /\[63\.106\.130\.\d{1,3}\]/
1042 describe SARE_RECV_IP_063106130 Spam passed through possible spammer relay
1043 score SARE_RECV_IP_063106130 1.111
1044 #stype SARE_RECV_IP_063106130 spamp
1045 #hist SARE_RECV_IP_063106130 Created by Bob Menschel May 14 2005
1046 #note SARE_RECV_IP_063106130 Data Depot LLC
1047 #counts SARE_RECV_IP_063106130 5s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
1048 #max SARE_RECV_IP_063106130 15s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
1049 #counts SARE_RECV_IP_063106130 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1050 #counts SARE_RECV_IP_063106130 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1051 #counts SARE_RECV_IP_063106130 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1052 #counts SARE_RECV_IP_063106130 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1054 header SARE_RECV_IP_064069032 Received =~ /\[64\.69\.32\.\d{1,3}\]/
1055 describe SARE_RECV_IP_064069032 Spam passed through possible spammer relay
1056 score SARE_RECV_IP_064069032 1.111
1057 #stype SARE_RECV_IP_064069032 spamp
1058 #hist SARE_RECV_IP_064069032 Created by Bob Menschel Aug 07 2005
1059 #counts SARE_RECV_IP_064069032 13s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1060 #counts SARE_RECV_IP_064069032 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1061 #counts SARE_RECV_IP_064069032 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1063 header SARE_RECV_IP_064192082 received =~ /\[64\.192\.8[23]\.\d{1,3}\]/
1064 describe SARE_RECV_IP_064192082 Spam passed through possible spammer relay
1065 score SARE_RECV_IP_064192082 1.111
1066 #stype SARE_RECV_IP_064192082 spamp
1067 #hist SARE_RECV_IP_064192082 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
1068 #counts SARE_RECV_IP_064192082 0s/0h of 98352 corpus (59690s/38662h RM) 01/29/05
1069 #counts SARE_RECV_IP_064192082 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1070 #counts SARE_RECV_IP_064192082 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1071 #max SARE_RECV_IP_064192082 39s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1072 #counts SARE_RECV_IP_064192082 0s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1073 #counts SARE_RECV_IP_064192082 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1075 header SARE_RECV_IP_066059094 Received =~ /\[66\.59\.94\.\d{1,3}\]/
1076 describe SARE_RECV_IP_066059094 Spam passed through possible spammer relay
1077 score SARE_RECV_IP_066059094 2.333
1078 #hist SARE_RECV_IP_066059094 Created by Bob Menschel Aug 07 2005
1079 #counts SARE_RECV_IP_066059094 2505s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1080 #counts SARE_RECV_IP_066059094 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1081 #counts SARE_RECV_IP_066059094 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1083 header SARE_RECV_IP_066063 Received =~ /\[66\.63\.178\.\d{1,3}\]/
1084 describe SARE_RECV_IP_066063 Passed through possible spammer relay or source
1085 score SARE_RECV_IP_066063 1.111
1086 #stype SARE_RECV_IP_066063 spamp
1087 #hist SARE_RECV_IP_066063 Created by Bob Menschel Feb 10 2005 from Spam-L info
1088 #counts SARE_RECV_IP_066063 0s/0h of 118836 corpus (71083s/47753h RM) 02/10/05
1089 #counts SARE_RECV_IP_066063 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1090 #counts SARE_RECV_IP_066063 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1091 #counts SARE_RECV_IP_066063 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1092 #counts SARE_RECV_IP_066063 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1094 header SARE_RECV_IP_066114a Received =~ /\[66\.114\.217\.\d{1,3}\]/
1095 describe SARE_RECV_IP_066114a Spam passed through possible spammer relay
1096 score SARE_RECV_IP_066114a 1.111
1097 #stype SARE_RECV_IP_066114a spamp
1098 #hist SARE_RECV_IP_066114a Created by Bob Menschel Feb 5 2005 from Spam-L info
1099 #note SARE_RECV_IP_066114a SW FLA Hosting
1100 #counts SARE_RECV_IP_066114a 0s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
1101 #max SARE_RECV_IP_066114a 27s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
1102 #counts SARE_RECV_IP_066114a 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1103 #counts SARE_RECV_IP_066114a 13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1104 #counts SARE_RECV_IP_066114a 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1105 #counts SARE_RECV_IP_066114a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1107 header SARE_RECV_IP_066159017 Received =~ /\[66\.159\.17\.8[4-7]\]/
1108 describe SARE_RECV_IP_066159017 Spam passed through possible spammer relay
1109 score SARE_RECV_IP_066159017 1.666
1110 #hist SARE_RECV_IP_066159017 Created by Bob Menschel Aug 07 2005
1111 #counts SARE_RECV_IP_066159017 219s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1112 #counts SARE_RECV_IP_066159017 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1113 #counts SARE_RECV_IP_066159017 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1115 header SARE_RECV_IP_069060122 Received =~ /\[69\.60\.122\.\d{1,3}\]/
1116 describe SARE_RECV_IP_069060122 Spam passed through possible spammer relay
1117 score SARE_RECV_IP_069060122 1.111
1118 #stype SARE_RECV_IP_069060122 spamp
1119 #hist SARE_RECV_IP_069060122 Created by Bob Menschel May 14 2005
1120 #counts SARE_RECV_IP_069060122 28s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1121 #counts SARE_RECV_IP_069060122 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1122 #counts SARE_RECV_IP_069060122 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1124 header SARE_RECV_IP_070096177 Received =~ /\[70\.96\.177\.\d{1,3}\]/
1125 describe SARE_RECV_IP_070096177 Spam passed through possible spammer relay
1126 score SARE_RECV_IP_070096177 1.666
1127 #stype SARE_RECV_IP_070096177 spamp
1128 #hist SARE_RECV_IP_070096177 Created by Bob Menschel May 14 2005
1129 #note SARE_RECV_IP_070096177 Broadlogix
1130 #counts SARE_RECV_IP_070096177 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1131 #max SARE_RECV_IP_070096177 78s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
1132 #counts SARE_RECV_IP_070096177 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1133 #counts SARE_RECV_IP_070096177 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1134 #counts SARE_RECV_IP_070096177 48s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1136 header SARE_RECV_IP_071004200 Received =~ /\[71\.4\.2\d\d\.\d{1,3}\]/
1137 describe SARE_RECV_IP_071004200 Spam passed through possible spammer relay
1138 score SARE_RECV_IP_071004200 1.666
1139 #stype SARE_RECV_IP_071004200 spamp
1140 #hist SARE_RECV_IP_071004200 Created by Bob Menschel May 14 2005
1141 #counts SARE_RECV_IP_071004200 17s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1142 #max SARE_RECV_IP_071004200 51s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
1143 #counts SARE_RECV_IP_071004200 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1144 #counts SARE_RECV_IP_071004200 298s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1145 #counts SARE_RECV_IP_071004200 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
1147 header SARE_RECV_IP_072034096 Received =~ /\[72\.34\.(?:9[6-9]|1(?:0\d|1[01]))\.\d{1,3}\]/
1148 describe SARE_RECV_IP_072034096 Spam passed through possible spammer relay
1149 score SARE_RECV_IP_072034096 1.666
1150 #stype SARE_RECV_IP_072034096 spamp
1151 #hist SARE_RECV_IP_072034096 Created by Bob Menschel May 14 2005
1152 #note SARE_RECV_IP_072034096 Race Technologies
1153 #counts SARE_RECV_IP_072034096 4s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1154 #max SARE_RECV_IP_072034096 255s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
1155 #counts SARE_RECV_IP_072034096 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1156 #counts SARE_RECV_IP_072034096 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1157 #counts SARE_RECV_IP_072034096 4s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1159 header SARE_RECV_IP_204010039 Received =~ /\[204\.10\.39\.(?:3[2-9]|[45]\d|6[0-3])\]/
1160 describe SARE_RECV_IP_204010039 Spam passed through possible spammer relay
1161 score SARE_RECV_IP_204010039 1.111
1162 #stype SARE_RECV_IP_204010039 spamp
1163 #hist SARE_RECV_IP_204010039 Created by Bob Menschel Aug 07 2005
1164 #note SARE_RECV_IP_204010039 Strategic Impact Concepts
1165 #counts SARE_RECV_IP_204010039 34s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1166 #counts SARE_RECV_IP_204010039 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1167 #counts SARE_RECV_IP_204010039 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1169 header SARE_RECV_IP_206081080 received =~ /\[206\.81\.(?:8\d|9[0-5])\.\d{1,3}\]/
1170 describe SARE_RECV_IP_206081080 Spam passed through possible spammer relay
1171 score SARE_RECV_IP_206081080 1.666
1172 #stype SARE_RECV_IP_206081080 spamp
1173 #hist SARE_RECV_IP_206081080 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
1174 #counts SARE_RECV_IP_206081080 4s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1175 #max SARE_RECV_IP_206081080 32s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
1176 #counts SARE_RECV_IP_206081080 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1177 #max SARE_RECV_IP_206081080 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1178 #counts SARE_RECV_IP_206081080 80s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1179 #max SARE_RECV_IP_206081080 152s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1180 #counts SARE_RECV_IP_206081080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1181 #counts SARE_RECV_IP_206081080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1183 header SARE_RECV_IP_207182 Received =~ /\[207\.182\.146\.(?:19[2-9]|2\d{2})\]/
1184 describe SARE_RECV_IP_207182 Passed through possible spammer relay or source
1185 score SARE_RECV_IP_207182 1.666
1186 #stype SARE_RECV_IP_207182 spamp
1187 #hist SARE_RECV_IP_207182 Created by Bob Menschel Feb 10 2005 from Spam-L info
1188 #counts SARE_RECV_IP_207182 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1189 #max SARE_RECV_IP_207182 26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1190 #counts SARE_RECV_IP_207182 71s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1191 #counts SARE_RECV_IP_207182 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1192 #max SARE_RECV_IP_207182 57s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1193 #counts SARE_RECV_IP_207182 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1194 #counts SARE_RECV_IP_207182 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1196 header SARE_RECV_IP_208048182 Received =~ /\[208.48\.182\.\d{1,3}\]/
1197 describe SARE_RECV_IP_208048182 Spam passed through possible spammer relay
1198 score SARE_RECV_IP_208048182 1.111
1199 #stype SARE_RECV_IP_208048182 spamp
1200 #hist SARE_RECV_IP_208048182 Created by Bob Menschel May 14 2005
1201 #counts SARE_RECV_IP_208048182 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
1202 #counts SARE_RECV_IP_208048182 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1203 #counts SARE_RECV_IP_208048182 36s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1204 #max SARE_RECV_IP_208048182 43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1206 header SARE_RECV_IP_208053011 Received =~ /\[208\.53\.11\.\d{1,3}\]/
1207 describe SARE_RECV_IP_208053011 Spam passed through possible spammer relay
1208 score SARE_RECV_IP_208053011 1.666
1209 #stype SARE_RECV_IP_208053011 spamp
1210 #hist SARE_RECV_IP_208053011 Created by Bob Menschel May 14 2005
1211 #note SARE_RECV_IP_208053011 Advanced Dedicated Database Servers LLC
1212 #counts SARE_RECV_IP_208053011 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1213 #max SARE_RECV_IP_208053011 5s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
1214 #counts SARE_RECV_IP_208053011 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1215 #counts SARE_RECV_IP_208053011 17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1217 header SARE_RECV_IP_216055133 Received =~ /\[216\.55\.133\.\d{1,3}\]/
1218 describe SARE_RECV_IP_216055133 Spam passed through possible spammer relay
1219 score SARE_RECV_IP_216055133 1.111
1220 #stype SARE_RECV_IP_216055133 spamp
1221 #hist SARE_RECV_IP_216055133 Created by Bob Menschel May 14 2005
1222 #counts SARE_RECV_IP_216055133 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
1223 #counts SARE_RECV_IP_216055133 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1224 #counts SARE_RECV_IP_216055133 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1225 #counts SARE_RECV_IP_216055133 15s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1227 header SARE_RECV_IP_218011 Received =~ /\[218\.1[12]\.\d{1,3}\.\d{1,3}\]/
1228 describe SARE_RECV_IP_218011 Spam passed through Chinese CNCGROUP-HE system
1229 score SARE_RECV_IP_218011 1.666
1230 #stype SARE_RECV_IP_218011 spamp
1231 #counts SARE_RECV_IP_218011 60s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1232 #max SARE_RECV_IP_218011 149s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
1233 #counts SARE_RECV_IP_218011 22s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1234 #counts SARE_RECV_IP_218011 6s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1235 #counts SARE_RECV_IP_218011 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1236 #max SARE_RECV_IP_218011 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1237 #counts SARE_RECV_IP_218011 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1239 header SARE_RECV_IP_218062 Received =~ /\[218\.6[23]\.\d{1,3}\.\d{1,3}\]/
1240 describe SARE_RECV_IP_218062 Passed through possible spammer relay or source
1241 score SARE_RECV_IP_218062 1.111
1242 #stype SARE_RECV_IP_218062 spamp
1243 #hist SARE_RECV_IP_218062 Created by Bob Menschel Aug 09 2004
1244 #counts SARE_RECV_IP_218062 55s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1245 #counts SARE_RECV_IP_218062 8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1246 #counts SARE_RECV_IP_218062 5s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1247 #counts SARE_RECV_IP_218062 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1248 #max SARE_RECV_IP_218062 5s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1249 #counts SARE_RECV_IP_218062 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1251 header SARE_RECV_IP_218071 Received =~ /\[218\.71\.\d{1,3}\.\d{1,3}\]/
1252 describe SARE_RECV_IP_218071 Spam passed through possible spammer relay
1253 score SARE_RECV_IP_218071 1.666
1254 #hist SARE_RECV_IP_218071 Created by Bob Menschel Apr 04 2004
1255 #counts SARE_RECV_IP_218071 160s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1256 #counts SARE_RECV_IP_218071 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1257 #counts SARE_RECV_IP_218071 126s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1258 #counts SARE_RECV_IP_218071 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1259 #max SARE_RECV_IP_218071 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1260 #counts SARE_RECV_IP_218071 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1262 header SARE_RECV_IP_218085 Received =~ /\[218\.8[56]\.\d{1,3}\.\d{1,3}\]/
1263 describe SARE_RECV_IP_218085 Passed through possible spammer relay or source
1264 score SARE_RECV_IP_218085 1.666
1265 #stype SARE_RECV_IP_218085 spamp
1266 #hist SARE_RECV_IP_218085 Created by Bob Menschel Aug 23 2004
1267 #counts SARE_RECV_IP_218085 122s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1268 #counts SARE_RECV_IP_218085 14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1269 #max SARE_RECV_IP_218085 17s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
1270 #counts SARE_RECV_IP_218085 51s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1271 #max SARE_RECV_IP_218085 51s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1272 #counts SARE_RECV_IP_218085 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1273 #max SARE_RECV_IP_218085 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1274 #counts SARE_RECV_IP_218085 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1276 header SARE_RECV_IP_219159 Received =~ /\[219\.159\.(?:6[4-9]|[7-9]\d|\d{3})\.\d{1,3}\]/
1277 describe SARE_RECV_IP_219159 Spam passed through possible spammer relay
1278 score SARE_RECV_IP_219159 1.111
1279 #stype SARE_RECV_IP_219159 spamp
1280 #hist SARE_RECV_IP_219159 Created by Bob Menschel Apr 28 2004
1281 #counts SARE_RECV_IP_219159 52s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1282 #counts SARE_RECV_IP_219159 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1283 #max SARE_RECV_IP_219159 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1284 #counts SARE_RECV_IP_219159 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1285 #counts SARE_RECV_IP_219159 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1286 #max SARE_RECV_IP_219159 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1287 #counts SARE_RECV_IP_219159 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1289 header SARE_RECV_IP_219248 Received =~ /\[219\.248\.\d{1,3}\.\d{1,3}\]/
1290 describe SARE_RECV_IP_219248 Passed through possible spammer relay or source
1291 score SARE_RECV_IP_219248 1.666
1292 #hist SARE_RECV_IP_219248 Created by Bob Menschel Dec 09 2004
1293 #note SARE_RECV_IP_219248 Korea Network Information Center
1294 #counts SARE_RECV_IP_219248 325s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1295 #counts SARE_RECV_IP_219248 30s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1296 #counts SARE_RECV_IP_219248 11s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1297 #counts SARE_RECV_IP_219248 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1298 #max SARE_RECV_IP_219248 19s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1299 #counts SARE_RECV_IP_219248 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1301 header SARE_RECV_IP_220168 Received =~ /\[220\.1(?:6[89]|70)\.\d{1,3}\.\d{1,3}\]/
1302 describe SARE_RECV_IP_220168 Passed through possible spammer relay or source
1303 score SARE_RECV_IP_220168 1.666
1304 #note SARE_RECV_IP_220168 ChinaNet, Hunan Province
1305 #hist SARE_RECV_IP_220168 Created by Bob Menschel Nov 13 2004
1306 #counts SARE_RECV_IP_220168 85s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1307 #max SARE_RECV_IP_220168 104s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1308 #counts SARE_RECV_IP_220168 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1309 #counts SARE_RECV_IP_220168 111s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1310 #counts SARE_RECV_IP_220168 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1311 #max SARE_RECV_IP_220168 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1312 #counts SARE_RECV_IP_220168 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1314 header SARE_RECV_IP_220189 Received =~ /\[220\.189\.(?:\d|[1-5]\d|6[0-3])\.\d{1,3}\]/
1315 describe SARE_RECV_IP_220189 Passed through possible spammer relay or source
1316 score SARE_RECV_IP_220189 0.844
1317 #hist SARE_RECV_IP_220189 Created by Bob Menschel May 1 2004
1318 #counts SARE_RECV_IP_220189 28s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1319 #max SARE_RECV_IP_220189 28s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1320 #counts SARE_RECV_IP_220189 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1321 #counts SARE_RECV_IP_220189 18s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1322 #max SARE_RECV_IP_220189 18s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1323 #counts SARE_RECV_IP_220189 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1324 #counts SARE_RECV_IP_220189 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1326 header SARE_RECV_IP_221000 Received =~ /\[221\.[0-3]\.\d{1,3}\.\d{1,3}\]/
1327 describe SARE_RECV_IP_221000 Passed through possible spammer relay or source
1328 score SARE_RECV_IP_221000 1.433
1329 #hist SARE_RECV_IP_221000 Created by Bob Menschel Jul 24 2004
1330 #counts SARE_RECV_IP_221000 117s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1331 #counts SARE_RECV_IP_221000 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1332 #counts SARE_RECV_IP_221000 24s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1333 #counts SARE_RECV_IP_221000 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1334 #max SARE_RECV_IP_221000 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1335 #counts SARE_RECV_IP_221000 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1337 header SARE_RECV_IP_222032 Received =~ /\[222\.(?:3[2-9]|[45]\d|6[0-3])\.\d{1,3}\.\d{1,3}\]/
1338 describe SARE_RECV_IP_222032 Spam passed through possible spammer relay
1339 score SARE_RECV_IP_222032 2.222
1340 #stype SARE_RECV_IP_222032 spamp
1341 #note SARE_RECV_IP_222032 China Railway Telecommunications Center , Beijing
1342 #hist SARE_RECV_IP_222032 Created by Bob Menschel Feb 24 2005
1343 #counts SARE_RECV_IP_222032 1699s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1344 #counts SARE_RECV_IP_222032 70s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1345 #counts SARE_RECV_IP_222032 89s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1346 #counts SARE_RECV_IP_222032 38s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1347 #max SARE_RECV_IP_222032 103s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1348 #counts SARE_RECV_IP_222032 2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
1350 #####################################################################################
1351 # SARE Reply-To Header Rules
1352 ######## ###################### ##################################################
1354 header SARE_REPLY_XACTRIX Reply-To =~ /\b(?:accutra|xactrix)\.com/i
1355 describe SARE_REPLY_XACTRIX Reply-To email addr to spammer
1356 score SARE_REPLY_XACTRIX 1.666
1357 #stype SARE_REPLY_XACTRIX spamg
1358 #hist SARE_REPLY_XACTRIX Created by Bob Menschel Sep 03 2004
1359 #counts SARE_REPLY_XACTRIX 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
1360 #max SARE_REPLY_XACTRIX 11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1361 #counts SARE_REPLY_XACTRIX 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1362 #counts SARE_REPLY_XACTRIX 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1363 #max SARE_REPLY_XACTRIX 21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1364 #counts SARE_REPLY_XACTRIX 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1365 #counts SARE_REPLY_XACTRIX 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1367 #####################################################################################
1368 # SARE To/Cc Destination rules
1369 ######## ###################### ##################################################
1371 header __SARE_TOCC_MULT_BIGFT5 ToCc =~ /(?:\@bigfoot.com\b.*){5}/i
1372 meta SARE_TOCC_MULT_BIGFT5 __SARE_TOCC_MULT_BIGFT5 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 || SARE_TOCC_MULT_BIGFT6 )
1373 describe SARE_TOCC_MULT_BIGFT5 Sent to multiple bigfoot addresses
1374 score SARE_TOCC_MULT_BIGFT5 1.666
1375 #hist SARE_TOCC_MULT_BIGFT5 Created by Bob Menschel Apr 09 2004
1376 #counts SARE_TOCC_MULT_BIGFT5 42s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1377 #max SARE_TOCC_MULT_BIGFT5 271s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1378 #counts SARE_TOCC_MULT_BIGFT5 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1379 #counts SARE_TOCC_MULT_BIGFT5 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1380 #counts SARE_TOCC_MULT_BIGFT5 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1381 #counts SARE_TOCC_MULT_BIGFT5 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1383 header __SARE_TOCC_MULT_BIGFT6 ToCc =~ /(?:\@bigfoot.com\b.*){6}/i
1384 meta SARE_TOCC_MULT_BIGFT6 __SARE_TOCC_MULT_BIGFT6 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 || SARE_TOCC_MULT_BIGFT7 )
1385 describe SARE_TOCC_MULT_BIGFT6 Sent to multiple bigfoot addresses
1386 score SARE_TOCC_MULT_BIGFT6 1.666
1387 #hist SARE_TOCC_MULT_BIGFT6 Created by Bob Menschel Apr 09 2004
1388 #counts SARE_TOCC_MULT_BIGFT6 21s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1389 #max SARE_TOCC_MULT_BIGFT6 396s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1390 #counts SARE_TOCC_MULT_BIGFT6 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1391 #counts SARE_TOCC_MULT_BIGFT6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1392 #counts SARE_TOCC_MULT_BIGFT6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1393 #counts SARE_TOCC_MULT_BIGFT6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1395 header __SARE_TOCC_MULT_BIGFT7 ToCc =~ /(?:\@bigfoot.com\b.*){7}/i
1396 meta SARE_TOCC_MULT_BIGFT7 __SARE_TOCC_MULT_BIGFT7 && !( SARE_TOCC_MULT_BIGFT9 || SARE_TOCC_MULT_BIGFT8 )
1397 describe SARE_TOCC_MULT_BIGFT7 Sent to multiple bigfoot addresses
1398 score SARE_TOCC_MULT_BIGFT7 1.122
1399 #hist SARE_TOCC_MULT_BIGFT7 Created by Bob Menschel Apr 09 2004
1400 #counts SARE_TOCC_MULT_BIGFT7 34s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1401 #max SARE_TOCC_MULT_BIGFT7 102s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1402 #counts SARE_TOCC_MULT_BIGFT7 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1403 #counts SARE_TOCC_MULT_BIGFT7 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1404 #counts SARE_TOCC_MULT_BIGFT7 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1405 #counts SARE_TOCC_MULT_BIGFT7 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1407 header __SARE_TOCC_MULT_BIGFT8 ToCc =~ /(?:\@bigfoot.com\b.*){8}/i
1408 meta SARE_TOCC_MULT_BIGFT8 __SARE_TOCC_MULT_BIGFT8 && !( SARE_TOCC_MULT_BIGFT9 )
1409 describe SARE_TOCC_MULT_BIGFT8 Sent to multiple bigfoot addresses
1410 score SARE_TOCC_MULT_BIGFT8 1.172
1411 #stype SARE_TOCC_MULT_BIGFT8 fixed
1412 #hist SARE_TOCC_MULT_BIGFT8 Created by Bob Menschel Apr 09 2004
1413 #counts SARE_TOCC_MULT_BIGFT8 25s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1414 #max SARE_TOCC_MULT_BIGFT8 111s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1415 #counts SARE_TOCC_MULT_BIGFT8 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1416 #counts SARE_TOCC_MULT_BIGFT8 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1417 #counts SARE_TOCC_MULT_BIGFT8 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1418 #counts SARE_TOCC_MULT_BIGFT8 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1420 header SARE_TOCC_MULT_BIGFT9 ToCc =~ /(?:\@bigfoot.com\b.*){9}/i
1421 describe SARE_TOCC_MULT_BIGFT9 Sent to multiple bigfoot addresses
1422 score SARE_TOCC_MULT_BIGFT9 1.666
1423 #hist SARE_TOCC_MULT_BIGFT9 Created by Bob Menschel Apr 09 2004
1424 #counts SARE_TOCC_MULT_BIGFT9 125s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1425 #max SARE_TOCC_MULT_BIGFT9 283s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1426 #counts SARE_TOCC_MULT_BIGFT9 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1427 #counts SARE_TOCC_MULT_BIGFT9 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1428 #counts SARE_TOCC_MULT_BIGFT9 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1429 #counts SARE_TOCC_MULT_BIGFT9 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1431 #####################################################################################
1432 # SARE User-Agent rules
1433 ######## ###################### ##################################################
1435 header SARE_USERAG_2 User-Agent =~ /eGroups Message Poster/
1436 describe SARE_USERAG_2 Strange user-agent header implying spam
1437 score SARE_USERAG_2 3.333
1438 #stype SARE_USERAG_2 spamgg
1439 #counts SARE_USERAG_2 35s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1440 #max SARE_USERAG_2 57s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1441 #counts SARE_USERAG_2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1442 #counts SARE_USERAG_2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1443 #max SARE_USERAG_2 2s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1444 #counts SARE_USERAG_2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1445 #max SARE_USERAG_2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1446 #counts SARE_USERAG_2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1448 header SARE_USERAG_3 User-Agent =~ /8.0 for Windows sub 6014/i
1449 describe SARE_USERAG_3 Strange user-agent header implying spam
1450 score SARE_USERAG_3 3.333
1451 #stype SARE_USERAG_3 spamgg
1452 #hist SARE_USERAG_3 Created by Bob Menschel Apr 28 2004
1453 #counts SARE_USERAG_3 28s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1454 #max SARE_USERAG_3 40s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1455 #counts SARE_USERAG_3 8s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1456 #max SARE_USERAG_3 9s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1457 #counts SARE_USERAG_3 2s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1458 #max SARE_USERAG_3 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1459 #counts SARE_USERAG_3 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1460 #max SARE_USERAG_3 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1461 #counts SARE_USERAG_3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1463 header SARE_USERAG_BAT User-Agent =~ /^The Bat!/
1464 describe SARE_USERAG_BAT Spamware pretending to be 'The Bat!'
1465 score SARE_USERAG_BAT 2.222
1466 #stype SARE_USERAG_BAT spamg
1467 #hist SARE_USERAG_BAT Tim Jackson, May 12 2005
1468 #counts SARE_USERAG_BAT 94s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1469 #counts SARE_USERAG_BAT 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1470 #max SARE_USERAG_BAT 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1471 #counts SARE_USERAG_BAT 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1472 #counts SARE_USERAG_BAT 15s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1473 #max SARE_USERAG_BAT 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1474 #counts SARE_USERAG_BAT 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1476 header SARE_USERAG_SPAM0 User-Agent =~ /(?:Foxmail|VXmailer|Mail Bomber|Rodriquezmail|LMAIL|MOMENTUM)/
1477 describe SARE_USERAG_SPAM0 Was sent by a SPAM User Agent
1478 score SARE_USERAG_SPAM0 1.666
1479 #hist SARE_USERAG_SPAM0 SARE_TM2_RW_UA
1480 #counts SARE_USERAG_SPAM0 159s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1481 #max SARE_USERAG_SPAM0 175s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1482 #counts SARE_USERAG_SPAM0 18s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1483 #max SARE_USERAG_SPAM0 29s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1484 #counts SARE_USERAG_SPAM0 5s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1485 #max SARE_USERAG_SPAM0 19s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1486 #counts SARE_USERAG_SPAM0 15s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1487 #counts SARE_USERAG_SPAM0 3s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1489 #####################################################################################
1490 # SARE X-Mailer Rules
1491 ######## ###################### ##################################################
1493 header SARE_XMAIL_DIRUNIV X-Mailer =~ /Direct Universe/i
1494 describe SARE_XMAIL_DIRUNIV Apparently uses spam/bulk mailer
1495 score SARE_XMAIL_DIRUNIV 1.111
1496 #stype SARE_XMAIL_DIRUNIV spamp
1497 #hist SARE_XMAIL_DIRUNIV Bob Menschel, May 14 2005
1498 #counts SARE_XMAIL_DIRUNIV 36s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1499 #max SARE_XMAIL_DIRUNIV 48s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1500 #counts SARE_XMAIL_DIRUNIV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1501 #counts SARE_XMAIL_DIRUNIV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1502 #counts SARE_XMAIL_DIRUNIV 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1503 #counts SARE_XMAIL_DIRUNIV 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1505 header SARE_XMAIL_DYNAMAILER X-Mailer =~ /Dynamailer/
1506 describe SARE_XMAIL_DYNAMAILER Bulk email fingerprint (DynaMailer) found
1507 score SARE_XMAIL_DYNAMAILER 1.111
1508 #stype SARE_XMAIL_DYNAMAILER spamp
1509 #hist SARE_XMAIL_DYNAMAILER Suggested via SA Dev mailing list bug 4127, Feb 9 2005
1510 #counts SARE_XMAIL_DYNAMAILER 14s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1511 #counts SARE_XMAIL_DYNAMAILER 0s/0h of 54103 corpus (16925s/37178h JH-3.01) 02/15/05
1512 #counts SARE_XMAIL_DYNAMAILER 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
1513 #counts SARE_XMAIL_DYNAMAILER 1s/0h of 682 corpus (290s/392h CRF) 02/16/05
1514 #counts SARE_XMAIL_DYNAMAILER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1515 #counts SARE_XMAIL_DYNAMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1517 header SARE_XMAIL_FNORD X-Mailer =~ m'KYX CP/M FNORD 5602'
1518 describe SARE_XMAIL_FNORD Recognized spam sign in xmail header
1519 score SARE_XMAIL_FNORD 1.666
1520 #hist SARE_XMAIL_FNORD Loren Wilton, Jul 23 2005
1521 #counts SARE_XMAIL_FNORD 527s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1522 #counts SARE_XMAIL_FNORD 34s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1523 #counts SARE_XMAIL_FNORD 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1525 header SARE_XMAIL_INTERMED X-Mailer =~ /\bIntermedia mail\b/i
1526 describe SARE_XMAIL_INTERMED possible spamware
1527 score SARE_XMAIL_INTERMED 0.850
1528 #hist SARE_XMAIL_INTERMED Alex Broens, June 30 2005
1529 #counts SARE_XMAIL_INTERMED 51s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1530 #counts SARE_XMAIL_INTERMED 1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1531 #counts SARE_XMAIL_INTERMED 1s/0h of 6905 corpus (1401s/5504h ft) 07/24/05
1533 header SARE_XMAIL_LEO X-Mailer =~ /^[A-Z][a-x]+\s[a-z]{2}\s\d\.\d\d\s*$/ # no /i
1534 score SARE_XMAIL_LEO 2.333
1535 describe SARE_XMAIL_LEO Spamsign in x-mailer header
1536 #hist SARE_XMAIL_LEO Loren Wilton, Sept 07, 2005
1537 #counts SARE_XMAIL_LEO 2625s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1538 #counts SARE_XMAIL_LEO 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1539 #counts SARE_XMAIL_LEO 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
1541 header SARE_XMAIL_PHPBulkEmai X-Mailer =~ /PHPBulkEmailer/i
1542 describe SARE_XMAIL_PHPBulkEmai Apparently uses spam/bulk mailer
1543 score SARE_XMAIL_PHPBulkEmai 1.111
1544 #stype SARE_XMAIL_PHPBulkEmai spamp
1545 #hist SARE_XMAIL_PHPBulkEmai Bob Menschel, Apr 11, 2005, from suggestion by Loren Wilton
1546 #counts SARE_XMAIL_PHPBulkEmai 14s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1547 #max SARE_XMAIL_PHPBulkEmai 45s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
1548 #counts SARE_XMAIL_PHPBulkEmai 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1549 #counts SARE_XMAIL_PHPBulkEmai 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1550 #counts SARE_XMAIL_PHPBulkEmai 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1551 #counts SARE_XMAIL_PHPBulkEmai 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1553 header SARE_XMAIL_RANDMAILER X-Mailer =~ /^([a-z]{4,12} ){1,3}$/
1554 describe SARE_XMAIL_RANDMAILER only 1-3 lowercase words in X-mailer field
1555 score SARE_XMAIL_RANDMAILER 2.222
1556 #hist SARE_XMAIL_RANDMAILER from Pierre Thomson
1557 #counts SARE_XMAIL_RANDMAILER 413s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1558 #counts SARE_XMAIL_RANDMAILER 103s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1559 #max SARE_XMAIL_RANDMAILER 112s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1560 #counts SARE_XMAIL_RANDMAILER 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1561 #counts SARE_XMAIL_RANDMAILER 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1562 #max SARE_XMAIL_RANDMAILER 20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1563 #counts SARE_XMAIL_RANDMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1565 header SARE_XMAIL_TTBOARD X-Mailer =~ /TTBOARD/i
1566 describe SARE_XMAIL_TTBOARD X-Mailer used by spammer
1567 score SARE_XMAIL_TTBOARD 1.666
1568 #stype SARE_XMAIL_TTBOARD spamp
1569 #hist SARE_XMAIL_TTBOARD Created by Bob Menschel Jan 14 2005, based on info from Joel Rubin via Spam-L
1570 #counts SARE_XMAIL_TTBOARD 15s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1571 #max SARE_XMAIL_TTBOARD 230s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1572 #counts SARE_XMAIL_TTBOARD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1573 #counts SARE_XMAIL_TTBOARD 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1574 #counts SARE_XMAIL_TTBOARD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1575 #counts SARE_XMAIL_TTBOARD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1577 #####################################################################################
1578 # SARE Miscellaneous and X-Header header rules
1579 ######## ###################### ##################################################
1581 header SARE_HEAD_DATE46 Date =~ /^.{46}$/
1582 describe SARE_HEAD_DATE46 Date header suggests this is spam
1583 score SARE_HEAD_DATE46 1.666
1584 #counts SARE_HEAD_DATE46 409s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1585 #counts SARE_HEAD_DATE46 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1586 #counts SARE_HEAD_DATE46 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1587 #counts SARE_HEAD_DATE46 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1588 #counts SARE_HEAD_DATE46 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1590 header SARE_HEAD_LOC_INV1 Location =~ /^[a-z]+(?:\s[a-z]+)*$/ # no /i
1591 describe SARE_HEAD_LOC_INV1 Improper location
1592 score SARE_HEAD_LOC_INV1 1.666
1593 #hist SARE_HEAD_LOC_INV1 Loren Wilton, Feb 21 2005
1594 #counts SARE_HEAD_LOC_INV1 130s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1595 #counts SARE_HEAD_LOC_INV1 24s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1596 #counts SARE_HEAD_LOC_INV1 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
1597 #counts SARE_HEAD_LOC_INV1 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1598 #max SARE_HEAD_LOC_INV1 127s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1599 #counts SARE_HEAD_LOC_INV1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1601 header __MIME_VERSION exists:MIME-Version
1602 header __SARE_HEAD_MIME_VALID Mime-Version =~ m'^\s*1.0\b'
1603 meta SARE_HEAD_MIME_INVALID !__SARE_HEAD_MIME_VALID && __MIME_VERSION
1604 describe SARE_HEAD_MIME_INVALID Invalid mime version
1605 score SARE_HEAD_MIME_INVALID 1.666
1606 #stype SARE_HEAD_MIME_INVALID spamp
1607 #hist SARE_HEAD_MIME_INVALID Bob Menschel, June 15 2006, inspired by Alex Broens
1608 #counts SARE_HEAD_MIME_INVALID 150s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1609 #counts SARE_HEAD_MIME_INVALID 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1611 header __SARE_HEAD_MIME_PROD MIME-Version =~ /\(produced by [a-z]+ \d\.\d\)/
1612 header __SARE_HEAD_MIME_PROD2 Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
1613 header __SARE_HEAD_MIME_PROD3 MIME-Version =~ /1.0 \(produced by [a-z]+ \d+\.\d+\)\s*$/
1614 meta SARE_HEAD_MIME_PROD __SARE_HEAD_MIME_PROD || __SARE_HEAD_MIME_PROD2 || __SARE_HEAD_MIME_PROD3
1615 describe SARE_HEAD_MIME_PROD Ratware MIME Version
1616 score SARE_HEAD_MIME_PROD 2.666
1617 #hist SARE_HEAD_MIME_PROD Originally: SARE_TM2_RW_MV
1618 #hist SARE_HEAD_MIME_PROD Feb 26 2005: Added patterns offered by Eric Fagan and Loren Wilton
1619 #counts SARE_HEAD_MIME_PROD 284s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1620 #max SARE_HEAD_MIME_PROD 862s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1621 #counts SARE_HEAD_MIME_PROD 309s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1622 #max SARE_HEAD_MIME_PROD 364s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
1623 #counts SARE_HEAD_MIME_PROD 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1624 #counts SARE_HEAD_MIME_PROD 62s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1625 #max SARE_HEAD_MIME_PROD 460s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1626 #counts SARE_HEAD_MIME_PROD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1628 header SARE_HEAD_THRD_ALNUM Thread-Index =~ /ALNUM/
1629 describe SARE_HEAD_THRD_ALNUM Spam fingerprint in thread index
1630 score SARE_HEAD_THRD_ALNUM 0.839
1631 #hist SARE_HEAD_THRD_ALNUM Alex Broens, July 27 2005
1632 #counts SARE_HEAD_THRD_ALNUM 51s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1633 #counts SARE_HEAD_THRD_ALNUM 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1635 header SARE_HEAD_XMF_AUTHSNDR X-Message-flag =~ /Authentic Sender/i
1636 describe SARE_HEAD_XMF_AUTHSNDR Headers contains spam sign
1637 score SARE_HEAD_XMF_AUTHSNDR 1.666
1638 #stype SARE_HEAD_XMF_AUTHSNDR spamp
1639 #hist SARE_HEAD_XMF_AUTHSNDR Created by Bob Menschel Jan 29 2005 from idea submitted by Alex Broens
1640 #counts SARE_HEAD_XMF_AUTHSNDR 109s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1641 #max SARE_HEAD_XMF_AUTHSNDR 726s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
1642 #counts SARE_HEAD_XMF_AUTHSNDR 67s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1643 #counts SARE_HEAD_XMF_AUTHSNDR 27s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1644 #max SARE_HEAD_XMF_AUTHSNDR 54s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1645 #counts SARE_HEAD_XMF_AUTHSNDR 26s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1646 #max SARE_HEAD_XMF_AUTHSNDR 89s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1647 #counts SARE_HEAD_XMF_AUTHSNDR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1649 header SARE_HEAD_XM4 ALL =~ /\nX-M-.{4}:/ # usually 4:28:12
1650 describe SARE_HEAD_XM4 Contains spamsign header
1651 score SARE_HEAD_XM4 1.111
1652 #stype SARE_HEAD_XM4 spamp
1653 #hist SARE_HEAD_XM4 Loren Wilton, June 2005
1654 #counts SARE_HEAD_XM4 80s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1655 #counts SARE_HEAD_XM4 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1656 #counts SARE_HEAD_XM4 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1658 header SARE_HEAD_XMIMEO_MS X-MimeOLE =~ /Mircosoft MimeOLE/i
1659 describe SARE_HEAD_XMIMEO_MS Ratware-misspelled header
1660 score SARE_HEAD_XMIMEO_MS 1.666
1661 #stype SARE_HEAD_XMIMEO_MS spamg
1662 #hist SARE_HEAD_XMIMEO_MS Idea from dfs@roaringpenguin.com, http://bugzilla.spamassassin.org/show_bug.cgi?id=3349
1663 #counts SARE_HEAD_XMIMEO_MS 27s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1664 #max SARE_HEAD_XMIMEO_MS 36s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1665 #counts SARE_HEAD_XMIMEO_MS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1666 #counts SARE_HEAD_XMIMEO_MS 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1667 #counts SARE_HEAD_XMIMEO_MS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1668 #counts SARE_HEAD_XMIMEO_MS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1670 #####################################################################################
1671 # SARE Rules which identify headers found in email bodies
1672 ######## ###################### ##################################################
1674 rawbody SARE_HEAD_BDY_BOUNCES /^Bounces_to: .{1,50}\@/
1675 describe SARE_HEAD_BDY_BOUNCES Message header suggesting spam in body
1676 score SARE_HEAD_BDY_BOUNCES 1.666
1677 #note SARE_HEAD_BDY_BOUNCES Normally valid header currently very popular in spam. Presence in bounced emails strongly suggests bounced spam
1678 #hist SARE_HEAD_BDY_BOUNCES Bob Menschel, Apr 10 2005
1679 #counts SARE_HEAD_BDY_BOUNCES 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1680 #max SARE_HEAD_BDY_BOUNCES 433s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
1681 #counts SARE_HEAD_BDY_BOUNCES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1682 #counts SARE_HEAD_BDY_BOUNCES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1683 #counts SARE_HEAD_BDY_BOUNCES 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1685 #####################################################################################
1686 # SARE Rules which examine multiple header types
1687 ######## ###################### ##################################################
1689 header __THEBAT_MUA X-Mailer =~ /The Bat!/
1690 header __SARE_HEAD_WEBMAIL Message-ID =~ /<.+\@(yahoo|hotmail|cfswebmail)\.com>$/i
1691 header __SARE_HEAD_MAIL_BAT2 User-Agent =~ /^The Bat!/
1692 meta SARE_HEAD_BAT_WEB __SARE_HEAD_WEBMAIL && ( __THEBAT_MUA || __SARE_HEAD_MAIL_BAT2 )
1693 describe SARE_HEAD_BAT_WEB Webmail message ID, but The Bat! X-Mailer
1694 score SARE_HEAD_BAT_WEB 3.333
1695 #stype SARE_HEAD_BAT_WEB spamg
1696 #hist SARE_HEAD_BAT_WEB Tim Jackson, May 11 2005
1697 #counts SARE_HEAD_BAT_WEB 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1698 #counts SARE_HEAD_BAT_WEB 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1699 #counts SARE_HEAD_BAT_WEB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1700 #counts SARE_HEAD_BAT_WEB 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1702 header __SARE_MULT_BMASTGR1 Received =~ /for bmastgr\@/
1703 header __SARE_MULT_BMASTGR2 ToCc =~ /\bbmastgr\@/
1704 header __SARE_MULT_BMASTGR3 From =~ /\bbmastgr\@/
1705 header __SARE_MULT_BMASTGR4 Envelope-to =~ /\bbmastgr\@/
1706 header __SARE_MULT_BMASTGR5 Subject =~ /\bbmastgr\b/
1707 meta SARE_MULT_BMASTGR ( __SARE_MULT_BMASTGR1 || __SARE_MULT_BMASTGR2 || __SARE_MULT_BMASTGR3 || __SARE_MULT_BMASTGR4 || __SARE_MULT_BMASTGR5 )
1708 describe SARE_MULT_BMASTGR Directed to/from invalid address
1709 score SARE_MULT_BMASTGR 5.000
1710 #stype SARE_MULT_BMASTGR spamggg
1711 #hist SARE_MULT_MBASTGR Missing meta dependencies fixed by Fred T, Oct 6 2005
1712 #counts SARE_MULT_BMASTGR 497s/0h of 487606 corpus (219627s/267979h RM) 10/07/05
1713 #max SARE_MULT_BMASTGR 1336s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
1714 #counts SARE_MULT_BMASTGR 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
1715 #counts SARE_MULT_BMASTGR 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
1716 #counts SARE_MULT_BMASTGR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1717 #counts SARE_MULT_BMASTGR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1718 #counts SARE_MULT_BMASTGR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1720 header SARE_MULT_FROM ALL =~ /\nFrom:.{10,150}\nFrom:.{10,150}\nFrom:/s
1721 score SARE_MULT_FROM 0.777
1722 describe SARE_MULT_FROM Many from lines
1723 #hist SARE_MULT_FROM Loren Wilton, June 2005
1724 #counts SARE_MULT_FROM 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1725 #max SARE_MULT_FROM 40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
1726 #counts SARE_MULT_FROM 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
1727 #counts SARE_MULT_FROM 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1728 #counts SARE_MULT_FROM 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1729 #counts SARE_MULT_FROM 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1731 header __SARE_MULT_FROM_MRS From =~ /"Mrs[\. ][A-Z][a-z]+"/
1732 header __SARE_MULT_HITHERE Subject =~ /^(?:HELLO|Hello|Hey|Hi)\w{0,8},?(?:Mrs\.)?/
1733 body __SARE_MULT_PROFILE /(?:on-?line profile|profile (?:is )?on-?line)/
1734 meta SARE_MULT_SEXCLUB __SARE_MULT_HITHERE && (__SARE_MULT_PROFILE || __SARE_MULT_FROM_MRS)
1735 describe SARE_MULT_SEXCLUB Adult invitation spam
1736 score SARE_MULT_SEXCLUB 1.666
1737 #hist SARE_MULT_SEXCLUB Loren Wilton, Feb 22 2005
1738 #counts SARE_MULT_SEXCLUB 2s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1739 #max SARE_MULT_SEXCLUB 114s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
1740 #counts SARE_MULT_SEXCLUB 8s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
1741 #counts SARE_MULT_SEXCLUB 54s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
1742 #max SARE_MULT_SEXCLUB 59s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1743 #counts SARE_MULT_SEXCLUB 11s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1744 #max SARE_MULT_SEXCLUB 22s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1745 #counts SARE_MULT_SEXCLUB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1747 header SARE_MULT_SUBJ ALL =~ /\nSubject:.{10,150}\nSubject:.{10,150}\nSubject:/s
1748 score SARE_MULT_SUBJ 0.777
1749 describe SARE_MULT_SUBJ Many subject lines
1750 #hist SARE_MULT_SUBJ Loren Wilton, June 2005
1751 #counts SARE_MULT_SUBJ 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1752 #max SARE_MULT_SUBJ 40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
1753 #counts SARE_MULT_SUBJ 0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
1754 #counts SARE_MULT_SUBJ 0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
1755 #counts SARE_MULT_SUBJ 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1756 #counts SARE_MULT_SUBJ 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1760 # SARE Header Abuse Ruleset for SpamAssassin -- file 1
1762 # Created: 2004-04-25
1763 # Modified: 2005-10-28
1764 # Usage instructions and documentation in 70_sare_header0.cf
1766 # Full Revision History / Change Log in 70_sare_header.log
1767 #@@# 01.03.16 Oct 28 2005
1768 #@@# Minor score updates based on additional mass-check
1769 #@@# Added to file 1: SARE_HEAD_HDR_XLEGAL1, 2, 3, 4
1770 #@@# Added to file 1: SARE_HEAD_HDR_XSIDPRA
1771 #@@# Added to file 1: SARE_HEAD_HDR_XSIDRES
1772 #@@# Added to file 1: SARE_RECV_IP_064034
1773 #@@# Added to file 1: SARE_RECV_IP_209051
1774 #@@# Added to file 1: SARE_RECV_IP_209190
1775 #@@# Added to file 1: SARE_RECV_IP_216118120
1776 #@@# Modified: SARE_FROM_SPAM_DOMN0: split yahoo.net to separate rule
1777 #@@# Moved file 0 to file 1: SARE_BOUNDARY_LC
1778 #@@# Moved file 0 to file 1: SARE_FREE_WEBM_FrVoila
1779 #@@# Moved file 0 to file 1: SARE_FREE_WEBM_Mailexc
1780 #@@# Moved file 0 to file 1: SARE_HEAD_HDR_XBBOUNC
1781 #@@# Moved file 0 to file 1: SARE_HEAD_XWORD
1782 #@@# Moved file 0 to file 1: SARE_RECV_IP_066165224
1783 #@@# Moved file 0 to file 1: SARE_RECV_IP_218088
1784 #@@# Moved file 0 to file 1: SARE_XMAIL_TOLMAIL
1785 #@@# Moved file 1 to file 0: SARE_HEAD_XMIMEO_MS
1786 #@@# Moved file 1 to file 0: SARE_RECV_IP_069060122
1787 #@@# Moved file 1 to file 0: SARE_XMAIL_DYNAMAILER
1788 #@@# Moved file 1 to file 2: SARE_FREE_WEBM_USACOPS
1789 #@@# Moved file 1 to file 2: SARE_HEAD_HDR_XEMGBMS
1790 #@@# Moved file 1 to file 2: SARE_HEAD_XCANIT1
1791 #@@# Moved file 1 to file 2: SARE_HEAD_XCANIT2
1792 #@@# Moved file 1 to file 2: SARE_MSGID_SPAM_DOMN0
1793 #@@# Moved file 1 to file 2: SARE_MSGID_SUSP2
1794 #@@# Moved file 1 to file 2: SARE_RECV_IP_081019
1795 #@@# Moved file 1 to file 2: SARE_RECV_IP_211049
1796 #@@# Moved file 1 to file 2: SARE_RECV_RND_NUMBER
1797 #@@# Moved file 1 to file 3: SARE_FROM_NONAME
1798 #@@# Moved file 1 to file 3: SARE_FROM_SPAM_CHAR0
1799 #@@# Moved file 1 to file 3: SARE_HEAD_XCOM_RFCMIN
1800 #@@# Moved file 1 to file 3: SARE_RECV_IP_080178
1801 #@@# Moved file 1 to file 3: SARE_XMAIL_SUSP3
1802 #@@# Moved file 2 to file 1: SARE_FROM_AST
1803 #@@# Moved file 2 to file 1: SARE_HEAD_HDR_XCNDINF
1804 #@@# Moved file 3 to file 1: SARE_FROM_SPAM_MONEY2
1805 #@@# Moved from file 1 to x31: SARE_MSGID_DBL_AT
1806 #@@# Replaced __SARE_HEAD_HDR_RCVD with SA 3.1.0 rule __HAS_RCVD
1807 #@@# Split mail2world.com from SARE_FREE_WEBM_ZCom03
1809 # License: Artistic - see http://www.rulesemporium.com/license.txt
1810 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
1811 # Current Home: http://www.rulesemporium.com/rules/70_sare_header1.cf
1813 ######## ###################### ##################################################
1814 # Component rules used within meta rules
1815 ######## ###################### ##################################################
1817 header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
1819 ######## ###################### ##################################################
1820 # Meta rules used to prevent --lint errors after moving/changing rules
1821 ######## ###################### ##################################################
1823 meta SARE_FREE_WEBM_CZSEZNA 0
1824 meta SARE_FROM_MULTI_DASH 0
1825 meta SARE_HEAD_DATE18 0
1826 meta SARE_MSGID_LONG40 0
1827 meta SARE_MSGID_LONG55 0
1828 meta SARE_MULT_VIA_FWCATS 0
1829 meta SARE_RECV_IP_064080 0
1830 meta SARE_RECV_ISWEST 0
1831 meta SARE_FROM_AMERICA 0
1832 meta SARE_HEAD_SUBJ_RAND 0
1833 meta SARE_HEAD_XORIP_IP 0
1834 meta SARE_MSGID_06D6 0
1835 meta SARE_RECV_IP_142046 0
1836 meta SARE_RECV_IP_212164 0
1837 meta SARE_BOUNDARY_MULTB 0
1838 meta SARE_FROM_NUM_9DIG 0
1839 meta SARE_FROM_PRINTER 0
1840 meta SARE_HEAD_8BIT_NOSPM 0
1841 meta SARE_HEAD_8BIT_SPAM 0
1842 meta SARE_HEAD_HDR_XCCDIAG 0
1843 meta SARE_HEAD_HDR_XMAILTH 0
1844 meta SARE_HEAD_HDR_XSMTPSV 0
1845 meta SARE_HEAD_HDR_XUMAIL 0
1846 meta SARE_HELO_SERVER 0
1847 meta SARE_MSGID_LONG35 0
1848 meta SARE_MSGID_LONG65 0
1849 meta SARE_MSGID_LONG75 0
1850 meta SARE_RECV_IP_066111 0
1851 meta SARE_RECV_SUSP_3 0
1852 meta SARE_XMAIL_XMAIL 0
1853 meta SARE_HEAD_HDR_XEMGBMS 0
1854 meta SARE_HEAD_XCANIT1 0
1855 meta SARE_HEAD_XCANIT2 0
1856 meta SARE_MSGID_SPAM_DOMN0 0
1857 meta SARE_MSGID_SUSP2 0
1858 meta SARE_RECV_IP_081019 0
1859 meta SARE_RECV_IP_211049 0
1860 meta SARE_RECV_RND_NUMBER 0
1861 meta SARE_FROM_NONAME 0
1862 meta SARE_FROM_SPAM_CHAR0 0
1863 meta SARE_HEAD_XCOM_RFCMIN 0
1864 meta SARE_RECV_IP_080178 0
1865 meta SARE_XMAIL_SUSP3 0
1866 meta SARE_MSGID_DBL_AT 0
1867 meta SARE_FREE_WEBM_USACOPS 0
1869 #####################################################################################
1870 # SARE Header-Exists rules
1871 ######## ###################### ##################################################
1873 header SARE_HEAD_HDR_ALTREC exists:Alternate-Recipient
1874 describe SARE_HEAD_HDR_ALTREC Message headers used which identify spam
1875 score SARE_HEAD_HDR_ALTREC 0.148
1876 #ham SARE_HEAD_HDR_ALTREC "Alternate-recipient: prohibited", From: JOEL RHEINBERGER <xxx@abc.net.au>, UA-content-id: A266IPY323WU, A1-type: MAIL, Hop-count: 1, Received: from VAXB.abc.net.au, no indication which email client was used
1877 #counts SARE_HEAD_HDR_ALTREC 98s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
1878 #max SARE_HEAD_HDR_ALTREC 324s/4h of 115509 corpus (81073s/34436h RM) 01/16/05
1879 #counts SARE_HEAD_HDR_ALTREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1880 #counts SARE_HEAD_HDR_ALTREC 43s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1881 #max SARE_HEAD_HDR_ALTREC 44s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1882 #counts SARE_HEAD_HDR_ALTREC 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1883 #max SARE_HEAD_HDR_ALTREC 21s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
1884 #counts SARE_HEAD_HDR_ALTREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1886 header SARE_HEAD_HDR_APPROV exists:Approved
1887 describe SARE_HEAD_HDR_APPROV Message headers used which identify spam
1888 score SARE_HEAD_HDR_APPROV 0.817
1889 #hist SARE_HEAD_HDR_APPROV Moved file 0 to 1, version 01.03.09, 2 ham confirmed
1890 #counts SARE_HEAD_HDR_APPROV 21s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
1891 #max SARE_HEAD_HDR_APPROV 163s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1892 #counts SARE_HEAD_HDR_APPROV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1893 #counts SARE_HEAD_HDR_APPROV 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1894 #max SARE_HEAD_HDR_APPROV 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1895 #counts SARE_HEAD_HDR_APPROV 7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1896 #max SARE_HEAD_HDR_APPROV 19s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1897 #counts SARE_HEAD_HDR_APPROV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1899 #todo SARE_HEAD_HDR_AUTSUBD Test both rules independently %%%
1900 header SARE_HEAD_HDR_AUTSUBD exists:Auto-submitted
1901 header SARE_HEAD_HDR_AUTSUBD exists:X-RMD-Text
1902 describe SARE_HEAD_HDR_AUTSUBD Message headers used which identify spam
1903 score SARE_HEAD_HDR_AUTSUBD 1.111
1904 #stype SARE_HEAD_HDR_AUTSUBD spamp
1905 #counts SARE_HEAD_HDR_AUTSUBD 33s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1906 #counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1907 #max SARE_HEAD_HDR_AUTSUBD 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1908 #counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1909 #counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1910 #counts SARE_HEAD_HDR_AUTSUBD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1912 header SARE_HEAD_HDR_DISCREC exists:Disclose-Recipients
1913 describe SARE_HEAD_HDR_DISCREC Message headers used which identify spam
1914 score SARE_HEAD_HDR_DISCREC 0.739
1915 #ham SARE_HEAD_HDR_DISCREC confirmed (4), Used by usdoj.gov
1916 #counts SARE_HEAD_HDR_DISCREC 28s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
1917 #max SARE_HEAD_HDR_DISCREC 210s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
1918 #counts SARE_HEAD_HDR_DISCREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1919 #counts SARE_HEAD_HDR_DISCREC 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1920 #max SARE_HEAD_HDR_DISCREC 33s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1921 #counts SARE_HEAD_HDR_DISCREC 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1922 #max SARE_HEAD_HDR_DISCREC 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1923 #counts SARE_HEAD_HDR_DISCREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1925 header SARE_HEAD_HDR_MSGTYPE exists:Message-Type
1926 describe SARE_HEAD_HDR_MSGTYPE Message headers used which identify spam
1927 score SARE_HEAD_HDR_MSGTYPE 0.555
1928 #stype SARE_HEAD_HDR_MSGTYPE spamp
1929 #counts SARE_HEAD_HDR_MSGTYPE 1s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
1930 #max SARE_HEAD_HDR_MSGTYPE 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1931 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1932 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1933 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1934 #counts SARE_HEAD_HDR_MSGTYPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1936 header SARE_HEAD_HDR_X400RCV exists:X400-Received
1937 describe SARE_HEAD_HDR_X400RCV Message headers used which identify spam
1938 score SARE_HEAD_HDR_X400RCV 0.555
1939 #stype SARE_HEAD_HDR_X400RCV spamp
1940 #counts SARE_HEAD_HDR_X400RCV 1s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
1941 #max SARE_HEAD_HDR_X400RCV 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
1942 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1943 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1944 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1945 #counts SARE_HEAD_HDR_X400RCV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1947 header SARE_HEAD_HDR_XBBOUNC exists:X-BBounce
1948 describe SARE_HEAD_HDR_XBBOUNC Message headers used which identify spam
1949 score SARE_HEAD_HDR_XBBOUNC 0.878
1950 #ham SARE_HEAD_HDR_XBBOUNC likely (2)
1951 #counts SARE_HEAD_HDR_XBBOUNC 174s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1952 #counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1953 #counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1954 #counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1955 #counts SARE_HEAD_HDR_XBBOUNC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1957 header SARE_HEAD_HDR_XCNDINF exists:X-CND-Info
1958 describe SARE_HEAD_HDR_XCNDINF Message headers used which identify spam
1959 score SARE_HEAD_HDR_XCNDINF 0.555
1960 #stype SARE_HEAD_HDR_XCNDINF spamp
1961 #counts SARE_HEAD_HDR_XCNDINF 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1962 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
1963 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
1964 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1965 #counts SARE_HEAD_HDR_XCNDINF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1967 header SARE_HEAD_HDR_XENC exists:X-ENC
1968 describe SARE_HEAD_HDR_XENC Message headers used which identify spam
1969 score SARE_HEAD_HDR_XENC 1.111
1970 #stype SARE_HEAD_HDR_XENC spamp
1971 #hist SARE_HEAD_HDR_XENC Created by Bob Menschel Sep 03 2004
1972 #counts SARE_HEAD_HDR_XENC 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
1973 #max SARE_HEAD_HDR_XENC 19s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
1974 #counts SARE_HEAD_HDR_XENC 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
1975 #counts SARE_HEAD_HDR_XENC 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
1976 #counts SARE_HEAD_HDR_XENC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
1977 #counts SARE_HEAD_HDR_XENC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
1979 header __HAS_RCVD exists:Received
1980 header __SARE_HEAD_HDR_IDKEY exists:X-Identity-Key
1981 meta SARE_HEAD_HDR_XIDKEY __SARE_HEAD_HDR_IDKEY && __HAS_RCVD
1982 header SARE_HEAD_HDR_XIDKEY exists:X-Identity-Key
1983 describe SARE_HEAD_HDR_XIDKEY Apparent spam sign in headers
1984 score SARE_HEAD_HDR_XIDKEY 1.666
1985 #ham SARE_HEAD_HDR_XIDKEY verified (4)
1986 #hist SARE_HEAD_HDR_XIDKEY Created by Chris Santerre Aug 31 2004
1987 #counts SARE_HEAD_HDR_XIDKEY 3611s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
1988 #counts SARE_HEAD_HDR_XIDKEY 68s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
1989 #counts SARE_HEAD_HDR_XIDKEY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
1990 #counts SARE_HEAD_HDR_XIDKEY 67s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
1991 #counts SARE_HEAD_HDR_XIDKEY 3s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
1993 header __SARE_HEAD_HDR_XLEGAL exists:X-Legal
1994 header __SARE_HEAD_HDR_XLEGAC X-Legal =~ m'copyright|\(c\)'i
1995 header __SARE_HEAD_HDR_XLEGAI X-Legal =~ m'in compliance'i
1996 header __SARE_HEAD_HDR_XLEGAB X-Legal =~ m'BE ADVISED'i
1997 meta SARE_HEAD_HDR_XLEGAL1 __SARE_HEAD_HDR_XLEGAB && __SARE_HEAD_HDR_XLEGAI && !__SARE_HEAD_HDR_XLEGAC
1998 describe SARE_HEAD_HDR_XLEGAL1 Message headers used which identify spam
1999 score SARE_HEAD_HDR_XLEGAL1 1.666
2000 #stype SARE_HEAD_HDR_XLEGAL1 spamgg
2001 #hist SARE_HEAD_HDR_XLEGAL1 Bob Menschel, Aug 07 2005
2002 #counts SARE_HEAD_HDR_XLEGAL1 7s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2003 #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2004 #counts SARE_HEAD_HDR_XLEGAL1 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
2006 meta SARE_HEAD_HDR_XLEGAL2 ( __SARE_HEAD_HDR_XLEGAB || __SARE_HEAD_HDR_XLEGAI ) && !__SARE_HEAD_HDR_XLEGAC && !SARE_HEAD_HDR_XLEGAL1
2007 describe SARE_HEAD_HDR_XLEGAL2 Message headers used which identify spam
2008 score SARE_HEAD_HDR_XLEGAL2 1.666
2009 #stype SARE_HEAD_HDR_XLEGAL2 spamgg
2010 #hist SARE_HEAD_HDR_XLEGAL2 Bob Menschel, Aug 07 2005
2011 #counts SARE_HEAD_HDR_XLEGAL2 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2012 #counts SARE_HEAD_HDR_XLEGAL2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2013 #counts SARE_HEAD_HDR_XLEGAL2 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
2015 meta SARE_HEAD_HDR_XLEGAL3 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL1 && !__SARE_HEAD_HDR_XLEGAC
2016 describe SARE_HEAD_HDR_XLEGAL3 Message headers used which identify spam
2017 score SARE_HEAD_HDR_XLEGAL3 1.666
2018 #stype SARE_HEAD_HDR_XLEGAL3 spamgg
2019 #hist SARE_HEAD_HDR_XLEGAL3 Bob Menschel, Aug 07 2005
2020 #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2021 #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2022 #counts SARE_HEAD_HDR_XLEGAL3 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
2024 meta SARE_HEAD_HDR_XLEGAL4 __SARE_HEAD_HDR_XLEGAL && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL1 && !SARE_HEAD_HDR_XLEGAL3
2025 describe SARE_HEAD_HDR_XLEGAL4 Message headers used which might identify spam
2026 score SARE_HEAD_HDR_XLEGAL4 0.100
2027 #hist SARE_HEAD_HDR_XLEGAL4 Bob Menschel, Aug 07 2005
2028 #counts SARE_HEAD_HDR_XLEGAL4 3s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
2029 #counts SARE_HEAD_HDR_XLEGAL4 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2030 #counts SARE_HEAD_HDR_XLEGAL4 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
2032 header SARE_HEAD_HDR_XLISTAD exists:X-LISTADDRESS
2033 describe SARE_HEAD_HDR_XLISTAD Message headers used which identify spam
2034 score SARE_HEAD_HDR_XLISTAD 1.111
2035 #stype SARE_HEAD_HDR_XLISTAD spamp
2036 #counts SARE_HEAD_HDR_XLISTAD 46s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2037 #counts SARE_HEAD_HDR_XLISTAD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2038 #counts SARE_HEAD_HDR_XLISTAD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2039 #counts SARE_HEAD_HDR_XLISTAD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2040 #counts SARE_HEAD_HDR_XLISTAD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2042 header SARE_HEAD_HDR_XMAILID exists:X-Mailid
2043 describe SARE_HEAD_HDR_XMAILID Message headers used which identify spam
2044 score SARE_HEAD_HDR_XMAILID 0.966
2045 #counts SARE_HEAD_HDR_XMAILID 222s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2046 #counts SARE_HEAD_HDR_XMAILID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2047 #counts SARE_HEAD_HDR_XMAILID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2048 #counts SARE_HEAD_HDR_XMAILID 0s/2h of 10590 corpus (5819s/4771h CT) 07/26/05
2049 #was SARE_HEAD_HDR_XMAILID 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
2050 #counts SARE_HEAD_HDR_XMAILID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2052 header SARE_HEAD_HDR_XMEBDOM exists:X-ME-bounce-domain
2053 describe SARE_HEAD_HDR_XMEBDOM Message headers used which identify spam
2054 score SARE_HEAD_HDR_XMEBDOM 0.555
2055 #stype SARE_HEAD_HDR_XMEBDOM spamp
2056 #counts SARE_HEAD_HDR_XMEBDOM 2s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2057 #max SARE_HEAD_HDR_XMEBDOM 8s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
2058 #counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2059 #counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2060 #counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2061 #counts SARE_HEAD_HDR_XMEBDOM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2063 header SARE_HEAD_HDR_XMLRSRV exists:X-Mailer-Server
2064 describe SARE_HEAD_HDR_XMLRSRV Message headers used which identify spam
2065 score SARE_HEAD_HDR_XMLRSRV 0.372
2066 #ham SARE_HEAD_HDR_XMLRSRV verified (1)
2067 #counts SARE_HEAD_HDR_XMLRSRV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
2068 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2069 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2070 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2071 #counts SARE_HEAD_HDR_XMLRSRV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2073 header SARE_HEAD_HDR_XRESPID exists:X-Response-ID
2074 describe SARE_HEAD_HDR_XRESPID Message headers used which identify spam
2075 score SARE_HEAD_HDR_XRESPID 1.111
2076 #stype SARE_HEAD_HDR_XRESPID spamp
2077 #counts SARE_HEAD_HDR_XRESPID 35s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2078 #counts SARE_HEAD_HDR_XRESPID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2079 #counts SARE_HEAD_HDR_XRESPID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2080 #counts SARE_HEAD_HDR_XRESPID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2081 #counts SARE_HEAD_HDR_XRESPID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2083 header SARE_HEAD_HDR_XRIPE exists:X-RIPE
2084 describe SARE_HEAD_HDR_XRIPE Message headers used which identify spam
2085 score SARE_HEAD_HDR_XRIPE 1.111
2086 #stype SARE_HEAD_HDR_XRIPE spamp
2087 #counts SARE_HEAD_HDR_XRIPE 4s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2088 #max SARE_HEAD_HDR_XRIPE 16s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
2089 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
2090 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
2091 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
2092 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2093 #counts SARE_HEAD_HDR_XRIPE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2095 header SARE_HEAD_HDR_XSAFMMI exists:X-SafeMailer-MsgId
2096 describe SARE_HEAD_HDR_XSAFMMI Message headers used which identify spam
2097 score SARE_HEAD_HDR_XSAFMMI 0.555
2098 #stype SARE_HEAD_HDR_XSAFMMI spamp
2099 #counts SARE_HEAD_HDR_XSAFMMI 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2100 #max SARE_HEAD_HDR_XSAFMMI 1s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
2101 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2102 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2103 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2104 #counts SARE_HEAD_HDR_XSAFMMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2106 header SARE_HEAD_HDR_XSIDPRA exists:X-SID-PRA
2107 describe SARE_HEAD_HDR_XSIDPRA fingerprint
2108 score SARE_HEAD_HDR_XSIDPRA 0.684
2109 #hist SARE_HEAD_HDR_XSIDPRA Alex Broens, Aug 3 2005
2110 #counts SARE_HEAD_HDR_XSIDPRA 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
2111 #counts SARE_HEAD_HDR_XSIDPRA 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2113 header SARE_HEAD_HDR_XSIDRES exists:X-SID-Result
2114 describe SARE_HEAD_HDR_XSIDRES fingerprint
2115 score SARE_HEAD_HDR_XSIDRES 0.684
2116 #hist SARE_HEAD_HDR_XSIDRES Alex Broens, Aug 3 2005
2117 #counts SARE_HEAD_HDR_XSIDRES 113s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
2118 #counts SARE_HEAD_HDR_XSIDRES 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2120 header SARE_HEAD_HDR_XTID exists:X-TID
2121 describe SARE_HEAD_HDR_XTID Message headers used which identify spam
2122 score SARE_HEAD_HDR_XTID 1.111
2123 #stype SARE_HEAD_HDR_XTID spamp
2124 #counts SARE_HEAD_HDR_XTID 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2125 #max SARE_HEAD_HDR_XTID 19s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
2126 #counts SARE_HEAD_HDR_XTID 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2127 #counts SARE_HEAD_HDR_XTID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2128 #counts SARE_HEAD_HDR_XTID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2129 #counts SARE_HEAD_HDR_XTID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2131 header SARE_HEAD_HDR_XWTID exists:X-WTID
2132 describe SARE_HEAD_HDR_XWTID Message headers used which identify spam
2133 score SARE_HEAD_HDR_XWTID 0.611
2134 #counts SARE_HEAD_HDR_XWTID 20s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2135 #max SARE_HEAD_HDR_XWTID 29s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
2136 #counts SARE_HEAD_HDR_XWTID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2137 #counts SARE_HEAD_HDR_XWTID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2138 #counts SARE_HEAD_HDR_XWTID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2139 #counts SARE_HEAD_HDR_XWTID 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
2141 header SARE_HEAD_HDR_XWTVERS exists:X-WTVersion
2142 describe SARE_HEAD_HDR_XWTVERS Message headers used which identify spam
2143 score SARE_HEAD_HDR_XWTVERS 0.611
2144 #stype SARE_HEAD_HDR_XWTVERS spamp
2145 #counts SARE_HEAD_HDR_XWTVERS 20s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2146 #max SARE_HEAD_HDR_XWTVERS 29s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
2147 #counts SARE_HEAD_HDR_XWTVERS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
2148 #counts SARE_HEAD_HDR_XWTVERS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2149 #counts SARE_HEAD_HDR_XWTVERS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2150 #counts SARE_HEAD_HDR_XWTVERS 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
2152 header SARE_HEAD_ORIG_RECIP exists:Original-Recipient
2153 describe SARE_HEAD_ORIG_RECIP Message header used which suggests spam
2154 score SARE_HEAD_ORIG_RECIP 0.669
2155 #hist SARE_HEAD_ORIG_RECIP Bob Menschel, Feb 26 2005
2156 #ham SARE_HEAD_ORIG_RECIP delivery delayed messages from Postmaster@justact.org
2157 #counts SARE_HEAD_ORIG_RECIP 351s/21h of 689155 corpus (348140s/341015h RM) 09/18/05
2158 #max SARE_HEAD_ORIG_RECIP 388s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
2159 #counts SARE_HEAD_ORIG_RECIP 64s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2160 #counts SARE_HEAD_ORIG_RECIP 10s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2161 #max SARE_HEAD_ORIG_RECIP 17s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2162 #counts SARE_HEAD_ORIG_RECIP 19s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2163 #max SARE_HEAD_ORIG_RECIP 64s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2164 #counts SARE_HEAD_ORIG_RECIP 6s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
2166 #####################################################################################
2167 # SARE Content-Type and Boundary rules
2168 ######## ###################### ##################################################
2170 header SARE_BOUNDARY_05 Content-Type =~ /boundary="-{8}[a-z]{20}"/
2171 describe SARE_BOUNDARY_05 Content type boundary used in spam
2172 score SARE_BOUNDARY_05 1.666
2173 #stype SARE_BOUNDARY_05 vbggg
2174 #hist SARE_BOUNDARY_05 Moved from file 0 to 1 May 2005
2175 #counts SARE_BOUNDARY_05 5s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2176 #max SARE_BOUNDARY_05 451s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
2177 #counts SARE_BOUNDARY_05 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2178 #counts SARE_BOUNDARY_05 5s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2179 #max SARE_BOUNDARY_05 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2180 #counts SARE_BOUNDARY_05 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2181 #max SARE_BOUNDARY_05 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2182 #counts SARE_BOUNDARY_05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2184 header SARE_BOUNDARY_06 Content-Type =~ /boundary="Boundary_\w{5}_\w{4}_\w{23}"/i
2185 describe SARE_BOUNDARY_06 Content type boundary used in spam
2186 score SARE_BOUNDARY_06 1.666
2187 #stype SARE_BOUNDARY_06 vbggg
2188 #hist SARE_BOUNDARY_06 Created by Bob Menschel May 4 2004
2189 #hist SARE_BOUNDARY_06 Moved from file 0 to 1 May 2005
2190 #counts SARE_BOUNDARY_06 84s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2191 #counts SARE_BOUNDARY_06 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2192 #counts SARE_BOUNDARY_06 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2193 #counts SARE_BOUNDARY_06 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2194 #counts SARE_BOUNDARY_06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2196 header SARE_BOUNDARY_08 Content-Type =~ /boundary="[\.\_]*(?:[A-Z\d]+[\.\_]+){4,20}[A-Z\d]*\"/s
2197 describe SARE_BOUNDARY_08 Improbable MIME boundary format
2198 score SARE_BOUNDARY_08 1.666
2199 #hist SARE_BOUNDARY_08 LW_BOUNDARY1
2200 #ham SARE_BOUNDARY_08 ServiceMagic <customerservice@servicemagic.com>, 2001
2201 #ham SARE_BOUNDARY_08 verizon wireless picture phone transmission
2202 #counts SARE_BOUNDARY_08 5929s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
2203 #counts SARE_BOUNDARY_08 15s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2204 #max SARE_BOUNDARY_08 228s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2205 #counts SARE_BOUNDARY_08 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2206 #max SARE_BOUNDARY_08 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2207 #counts SARE_BOUNDARY_08 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2208 #max SARE_BOUNDARY_08 18s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2209 #counts SARE_BOUNDARY_08 0s/2h of 7500 corpus (1767s/5733h ft) 09/18/05
2211 header SARE_BOUNDARY_D10 Content-Type =~ /boundary="\d{10}"/
2212 describe SARE_BOUNDARY_D10 Content type boundary used in spam or virus
2213 score SARE_BOUNDARY_D10 1.400
2214 #ham SARE_BOUNDARY_D10 verified (1)
2215 #hist SARE_BOUNDARY_D10 Created by Bob Menschel May 31 2004
2216 #counts SARE_BOUNDARY_D10 134s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2217 #counts SARE_BOUNDARY_D10 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2218 #counts SARE_BOUNDARY_D10 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2219 #counts SARE_BOUNDARY_D10 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2220 #counts SARE_BOUNDARY_D10 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2222 header SARE_BOUNDARY_LC Content-Type =~ /boundary="(?!ffff)[a-z]+"/
2223 describe SARE_BOUNDARY_LC Content type boundary used in spam
2224 score SARE_BOUNDARY_LC 1.666
2225 #ham SARE_BOUNDARY_LC questionable newsletters
2226 #hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004
2227 #ham SARE_BOUNDARY_LC "ffff": Game Rival <newsletter@gamerival.com>, ThePerfectGreeting <updates@perfectgreeting.com>
2228 #counts SARE_BOUNDARY_LC 899s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
2229 #counts SARE_BOUNDARY_LC 83s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2230 #counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2231 #counts SARE_BOUNDARY_LC 30s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2232 #max SARE_BOUNDARY_LC 125s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2233 #counts SARE_BOUNDARY_LC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2235 header SARE_BOUNDARY_NP2 Content-Type =~ /boundary=".*_NextPart_.*_NextPart_/
2236 describe SARE_BOUNDARY_NP2 Content type boundary used in spam and viruses
2237 score SARE_BOUNDARY_NP2 4.000
2238 #stype SARE_BOUNDARY_NP2 vbg
2239 #hist SARE_BOUNDARY_NP2 Created by Bob Menschel May 31 2004
2240 #hist SARE_BOUNDARY_NP2 Bugzilla entry 3861, Oct 03 2004
2241 #counts SARE_BOUNDARY_NP2 4s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2242 #max SARE_BOUNDARY_NP2 1118s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
2243 #counts SARE_BOUNDARY_NP2 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2244 #max SARE_BOUNDARY_NP2 37s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2245 #counts SARE_BOUNDARY_NP2 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2246 #counts SARE_BOUNDARY_NP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2247 #counts SARE_BOUNDARY_NP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2249 #####################################################################################
2251 ######## ###################### ##################################################
2253 header SARE_FROM_AST From =~ /<\*\@.{1,50}\..{1,3}/
2254 describe SARE_FROM_AST Invalid character in email address
2255 score SARE_FROM_AST 0.666
2256 #hist SARE_FROM_AST Originally submitted by Fred Tarasevicius
2257 #counts SARE_FROM_AST 1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2258 #max SARE_FROM_AST 20s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
2259 #counts SARE_FROM_AST 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2260 #counts SARE_FROM_AST 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2261 #counts SARE_FROM_AST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2262 #counts SARE_FROM_AST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2264 header SARE_FROM_CAPS_MSN From =~ /"[^"]+" <[A-Z]+\@msn.com>/ # no /i
2265 describe SARE_FROM_CAPS_MSN Ratware all-caps MSN from address
2266 score SARE_FROM_CAPS_MSN 0.759
2267 #ham SARE_FRMO_CAPS_MSN verified (3)
2268 #hist SARE_FROM_CAPS_MSN Created by Bob Menschel May 15 2004
2269 #counts SARE_FROM_CAPS_MSN 173s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
2270 #max SARE_FROM_CAPS_MSN 421s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
2271 #counts SARE_FROM_CAPS_MSN 48s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2272 #max SARE_FROM_CAPS_MSN 102s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2273 #counts SARE_FROM_CAPS_MSN 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2274 #max SARE_FROM_CAPS_MSN 59s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2275 #counts SARE_FROM_CAPS_MSN 29s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2276 #max SARE_FROM_CAPS_MSN 51s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2277 #counts SARE_FROM_CAPS_MSN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2279 header SARE_FROM_DRUGS2 From =~ /\bsoma\b/i
2280 describe SARE_FROM_DRUGS2 From a drug
2281 score SARE_FROM_DRUGS2 0.754
2282 #ham SARE_FRMO_DRUGS2 verified (3)
2283 #hist SARE_FROM_DRUGS2 Bob Menschel June 25 2005; ham email from userid = soma
2284 #counts SARE_FROM_DRUGS2 79s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
2285 #counts SARE_FROM_DRUGS2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
2286 #counts SARE_FROM_DRUGS2 62s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2287 #counts SARE_FROM_DRUGS2 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2289 header SARE_FROM_DVDCOPY From =~ m'(?:DVD.*cop[iy]|\bdvd\b)'i
2290 describe SARE_FROM_DVDCOPY From DVD abuse address
2291 score SARE_FROM_DVDCOPY 0.630
2292 #ham SARE_FROM_DVDCOPY Columbia House DVD Club <columbiahouse@mail.columbiahouse.com>
2293 #hist SARE_FROM_DVDCOPY Created by Bob Menschel Sep 04 2004
2294 #counts SARE_FROM_DVDCOPY 243s/28h of 689155 corpus (348140s/341015h RM) 09/18/05
2295 #counts SARE_FROM_DVDCOPY 24s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2296 #max SARE_FROM_DVDCOPY 31s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
2297 #counts SARE_FROM_DVDCOPY 98s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2298 #counts SARE_FROM_DVDCOPY 24s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2299 #counts SARE_FROM_DVDCOPY 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2301 header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i # SA 3.1.0
2302 header __SARE_FROM_NONAME From =~ /"" ?</
2303 meta SARE_FROM_NONAME __SARE_FROM_NONAME && !FROM_BLANK_NAME
2304 score SARE_FROM_NONAME 0.714
2305 #hist SARE_FROM_NONAME Created by Fred Tarasevicius
2306 #overlap SARE_FROM_NONAME SARE rule catches spam missed by SA rule. Use meta to avoid duplication
2307 #counts SARE_FROM_NONAME 371s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
2308 #counts SARE_FROM_NONAME 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
2309 #counts SARE_FROM_NONAME 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
2311 header SARE_FROM_SPAM_DOMN0 From =~ /\b(?:(?:peo\d|postalbureau|startremodeling)\.com)/i
2312 describe SARE_FROM_SPAM_DOMN0 From address suggests this is spam
2313 score SARE_FROM_SPAM_DOMN0 0.555
2314 #ham SARE_FROM_SPAM_DOMN0 confirmed: 1 yahoo.net, perhaps a user's error
2315 #hist SARE_FROM_SPAM_DOMN0 RM_fa_PeoCom, RM_fa_PostalBur
2316 #hist SARE_FROM_SPAM_DOMN0 Moved from file 0 to 1 May 2005
2317 #counts SARE_FROM_SPAM_DOMN0 1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2318 #max SARE_FROM_SPAM_DOMN0 36s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
2319 #counts SARE_FROM_SPAM_DOMN0 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
2320 #max SARE_FROM_SPAM_DOMN0 27s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2321 #counts SARE_FROM_SPAM_DOMN0 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2322 #max SARE_FROM_SPAM_DOMN0 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2323 #counts SARE_FROM_SPAM_DOMN0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2324 #counts SARE_FROM_SPAM_DOMN0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2326 header SARE_FROM_SPAM_DOMN0Y From =~ /\byahoo\.net/i
2327 describe SARE_FROM_SPAM_DOMN0Y From address suggests this is spam
2328 score SARE_FROM_SPAM_DOMN0Y 0.555
2329 #ham SARE_FROM_SPAM_DOMN0Y confirmed: 1 yahoo.net, perhaps a user's error
2330 #counts SARE_FROM_SPAM_DOMN0Y 1s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
2331 #max SARE_FROM_SPAM_DOMN0Y 36s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
2333 header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
2334 header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
2335 meta SARE_FROM_SPAM_MONEY __SARE_FROM_SPAM_MONY2
2336 describe SARE_FROM_SPAM_MONEY From address suggests this is spam
2337 score SARE_FROM_SPAM_MONEY 0.866
2338 #ham SARE_FROM_SPAM_MONEY confirmed (1)
2339 #addsto SARE_FROM_SPAM_MONEY SARE_FROM_SPAM_MONEY2
2340 #hist SARE_FROM_SPAM_MONEY RM_fw_Money. Meta created Aug 20 2004 to improve scoring.
2341 #counts SARE_FROM_SPAM_MONEY 249s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
2342 #counts SARE_FROM_SPAM_MONEY 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2343 #counts SARE_FROM_SPAM_MONEY 31s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2344 #counts SARE_FROM_SPAM_MONEY 33s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2345 #counts SARE_FROM_SPAM_MONEY 18s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
2347 header __SARE_FROM_SPAM_MONY1 From =~ /money.*\@/i
2348 header __SARE_FROM_SPAM_MONY2 From =~ /money\S*\@/i
2349 meta SARE_FROM_SPAM_MONEY2 __SARE_FROM_SPAM_MONY1 && !__SARE_FROM_SPAM_MONY2
2350 describe SARE_FROM_SPAM_MONEY2 From address suggests this is spam
2351 score SARE_FROM_SPAM_MONEY2 0.741
2352 #ham SARE_FROM_SPAM_MONEY2 Valid end-users with "money" in their display name
2353 #counts SARE_FROM_SPAM_MONEY2 290s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
2354 #counts SARE_FROM_SPAM_MONEY2 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2355 #counts SARE_FROM_SPAM_MONEY2 62s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
2356 #counts SARE_FROM_SPAM_MONEY2 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2357 #counts SARE_FROM_SPAM_MONEY2 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
2359 header SARE_FROM_SPAM_NAME0 From =~ /(?:Direct Marketing|FreeOffers|FunBenefits|salestonight|WESTEC SALES|\bWSEAS\b)/i
2360 describe SARE_FROM_SPAM_NAME0 From address suggests this is spam
2361 score SARE_FROM_SPAM_NAME0 3.333
2362 #stype SARE_FROM_SPAM_NAME0 spamg
2363 #hist SARE_FROM_SPAM_NAME0 COMBINED.FROM and other sources
2364 #counts SARE_FROM_SPAM_NAME0 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2365 #max SARE_FROM_SPAM_NAME0 369s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
2366 #counts SARE_FROM_SPAM_NAME0 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2367 #counts SARE_FROM_SPAM_NAME0 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2368 #counts SARE_FROM_SPAM_NAME0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2369 #counts SARE_FROM_SPAM_NAME0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2371 header SARE_FROM_SPAM_PL1 From =~ /\@tpnet\.pl\b/
2372 describe SARE_FROM_SPAM_PL1 A lot of spam comes from here
2373 score SARE_FROM_SPAM_PL1 0.500
2374 #stype SARE_FRMO_SPAM_PL1 max:0.5 # possible valid ISP in Poland
2375 #hist SARE_FROM_SPAM_PL1 Loren Wilton, Feb 21 2005
2376 #counts SARE_FROM_SPAM_PL1 1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2377 #max SARE_FROM_SPAM_PL1 26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
2378 #counts SARE_FROM_SPAM_PL1 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
2379 #counts SARE_FROM_SPAM_PL1 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2380 #counts SARE_FROM_SPAM_PL1 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2381 #max SARE_FROM_SPAM_PL1 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2382 #counts SARE_FROM_SPAM_PL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2384 header SARE_FROM_SPAM_WORD2 From =~ /\b(?:^high.?speed|interacial)\b/i
2385 describe SARE_FROM_SPAM_WORD2 From address suggests this is spam
2386 score SARE_FROM_SPAM_WORD2 0.555
2387 #stype SARE_FRM_SPAM_WORD2 spamp
2388 #hist SARE_FROM_SPAM_WORD2 COMBINED.FROM and other sources
2389 #counts SARE_FROM_SPAM_WORD2 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2390 #counts SARE_FROM_SPAM_WORD2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2391 #counts SARE_FROM_SPAM_WORD2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2392 #counts SARE_FROM_SPAM_WORD2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2394 #####################################################################################
2395 # SARE From Rules -- Emails coming from free webmail accounts
2396 # Since spam from these can vary depending upon country of origin,
2397 # country of destination, policies, and enforcement of policies,
2398 # most of these are kept as separate rules rather than combined.
2399 ######## ###################### ##################################################
2401 header SARE_FREE_WEBM_BIGMAIL From =~ /\bbigmailbox\.com/i
2402 describe SARE_FREE_WEBM_BIGMAIL Sender used free email account - may be spammer
2403 score SARE_FREE_WEBM_BIGMAIL 0.650
2404 #counts SARE_FREE_WEBM_BIGMAIL 1s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2405 #max SARE_FREE_WEBM_BIGMAIL 13s/0h of 125163 corpus (104972s/20191h) 03/28/04
2406 #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2407 #counts SARE_FREE_WEBM_BIGMAIL 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2408 #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2409 #counts SARE_FREE_WEBM_BIGMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2411 header SARE_FREE_WEBM_FrVoila From =~ /\bvoila\.fr/i
2412 describe SARE_FREE_WEBM_FrVoila Sender used free email account - may be spammer
2413 score SARE_FREE_WEBM_FrVoila 0.644
2414 #ham SARE_FREE_WEBM_FrVoila confirmed: 1
2415 #counts SARE_FREE_WEBM_FrVoila 30s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
2416 #max SARE_FREE_WEBM_FrVoila 40s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
2417 #counts SARE_FREE_WEBM_FrVoila 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2418 #counts SARE_FREE_WEBM_FrVoila 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2419 #max SARE_FREE_WEBM_FrVoila 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2420 #counts SARE_FREE_WEBM_FrVoila 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2421 #counts SARE_FREE_WEBM_FrVoila 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2423 header SARE_FREE_WEBM_Jpop From =~ /\bjpopmail\.com/i
2424 describe SARE_FREE_WEBM_Jpop Sender used free email account - may be spammer
2425 score SARE_FREE_WEBM_Jpop 0.944
2426 #counts SARE_FREE_WEBM_Jpop 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2427 #max SARE_FREE_WEBM_Jpop 66s/0h of 125163 corpus (104972s/20191h) 03/28/04
2428 #counts SARE_FREE_WEBM_Jpop 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2429 #counts SARE_FREE_WEBM_Jpop 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2430 #max SARE_FREE_WEBM_Jpop 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2431 #counts SARE_FREE_WEBM_Jpop 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2432 #max SARE_FREE_WEBM_Jpop 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2433 #counts SARE_FREE_WEBM_Jpop 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2435 header SARE_FREE_WEBM_MailD From =~ /mail\d{1,3}\.com/i
2436 describe SARE_FREE_WEBM_MailD Sender used free email account - may be spammer
2437 score SARE_FREE_WEBM_MailD 1.666
2438 #ham SARE_FREE_WEBM_MailD questionable
2439 #counts SARE_FREE_WEBM_MailD 2051s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
2440 #counts SARE_FREE_WEBM_MailD 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2441 #max SARE_FREE_WEBM_MailD 27s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2442 #counts SARE_FREE_WEBM_MailD 75s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2443 #counts SARE_FREE_WEBM_MailD 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2444 #counts SARE_FREE_WEBM_MailD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2446 header SARE_FREE_WEBM_Mailexc From =~ /\bmailexcite\.com/i
2447 describe SARE_FREE_WEBM_Mailexc Sender used free email account - may be spammer
2448 score SARE_FREE_WEBM_Mailexc 0.215
2449 #ham SARE_FREE_WEMB_Mailexc verified (6)
2450 #counts SARE_FREE_WEBM_Mailexc 21s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
2451 #max SARE_FREE_WEBM_Mailexc 44s/0h of 125163 corpus (104972s/20191h) 03/28/04
2452 #counts SARE_FREE_WEBM_Mailexc 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2453 #counts SARE_FREE_WEBM_Mailexc 3s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2454 #max SARE_FREE_WEBM_Mailexc 7s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2455 #counts SARE_FREE_WEBM_Mailexc 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2456 #counts SARE_FREE_WEBM_Mailexc 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2458 header SARE_FREE_WEBM_NETCITY From =~ /\@netcity\w+\.com/i
2459 describe SARE_FREE_WEBM_NETCITY Maybe spammer with free email
2460 score SARE_FREE_WEBM_NETCITY 1.111
2461 #stype SARE_FREE_WEBM_NETCITY spamp
2462 #hist SARE_FREE_WEBM_NETCITY Created by Bob Menschel Aug 20 2004
2463 #counts SARE_FREE_WEBM_NETCITY 4s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2464 #max SARE_FREE_WEBM_NETCITY 12s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
2465 #counts SARE_FREE_WEBM_NETCITY 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2466 #counts SARE_FREE_WEBM_NETCITY 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2467 #counts SARE_FREE_WEBM_NETCITY 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2468 #counts SARE_FREE_WEBM_NETCITY 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2470 header SARE_FREE_WEBM_NetFs From =~ /\bfsmail\.net/i
2471 describe SARE_FREE_WEBM_NetFs Sender used free email account - may be spammer
2472 score SARE_FREE_WEBM_NetFs 0.685
2473 #ham SARE_FREE_WEBM_NetFs confirmed (1)
2474 #counts SARE_FREE_WEBM_NetFs 70s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
2475 #max SARE_FREE_WEBM_NetFs 129s/0h of 125163 corpus (104972s/20191h) 03/28/04
2476 #counts SARE_FREE_WEBM_NetFs 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2477 #counts SARE_FREE_WEBM_NetFs 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2478 #max SARE_FREE_WEBM_NetFs 8s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2479 #counts SARE_FREE_WEBM_NetFs 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2480 #counts SARE_FREE_WEBM_NetFs 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2482 header SARE_FREE_WEBM_NetSafe From =~ /\bsafe-mail\.net/i
2483 describe SARE_FREE_WEBM_NetSafe Sender used free email account - may be spammer
2484 score SARE_FREE_WEBM_NetSafe 0.714
2485 #counts SARE_FREE_WEBM_NetSafe 27s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
2486 #max SARE_FREE_WEBM_NetSafe 28s/1h of 283497 corpus (129933s/153564h RM) 03/08/05
2487 #counts SARE_FREE_WEBM_NetSafe 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2488 #max SARE_FREE_WEBM_NetSafe 9s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2489 #counts SARE_FREE_WEBM_NetSafe 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2490 #counts SARE_FREE_WEBM_NetSafe 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2491 #counts SARE_FREE_WEBM_NetSafe 6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
2493 header SARE_FREE_WEBM_Netster From =~ /\bnetster\.com/i
2494 describe SARE_FREE_WEBM_Netster Sender used free email account - may be spammer
2495 score SARE_FREE_WEBM_Netster 0.889
2496 #ham SARE_FREE_WEBM_Netster confirmed (1)
2497 #counts SARE_FREE_WEBM_Netster 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2498 #max SARE_FREE_WEBM_Netster 43s/0h of 125163 corpus (104972s/20191h) 03/28/04
2499 #counts SARE_FREE_WEBM_Netster 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2500 #max SARE_FREE_WEBM_Netster 2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2501 #counts SARE_FREE_WEBM_Netster 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2502 #max SARE_FREE_WEBM_Netster 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2503 #counts SARE_FREE_WEBM_Netster 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2504 #max SARE_FREE_WEBM_Netster 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2505 #counts SARE_FREE_WEBM_Netster 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2507 header SARE_FREE_WEBM_PlTenbi From =~ /\btenbit\.pl/i
2508 describe SARE_FREE_WEBM_PlTenbi Sender used free email account - may be spammer
2509 score SARE_FREE_WEBM_PlTenbi 1.056
2510 #counts SARE_FREE_WEBM_PlTenbi 2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2511 #max SARE_FREE_WEBM_PlTenbi 83s/0h of 115937 corpus (94614s/21323h) 04/29/04
2512 #counts SARE_FREE_WEBM_PlTenbi 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2513 #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2514 #max SARE_FREE_WEBM_PlTenbi 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2515 #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2516 #max SARE_FREE_WEBM_PlTenbi 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2517 #counts SARE_FREE_WEBM_PlTenbi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2519 header SARE_FREE_WEBM_ZCom05 From =~ /\b(?:redwhitearmy|emailaccount)\.com/i
2520 describe SARE_FREE_WEBM_ZCom05 Sender used free email account - may be spammer
2521 score SARE_FREE_WEBM_ZCom05 0.981
2522 #ham SARE_FREE_WEBM_ZCom05 confirmed (1)
2523 #counts SARE_FREE_WEBM_ZCom05 183s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
2524 #counts SARE_FREE_WEBM_ZCom05 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2525 #max SARE_FREE_WEBM_ZCom05 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2526 #counts SARE_FREE_WEBM_ZCom05 26s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2527 #max SARE_FREE_WEBM_ZCom05 54s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2528 #counts SARE_FREE_WEBM_ZCom05 14s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2529 #counts SARE_FREE_WEBM_ZCom05 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2531 header SARE_FREE_WEBM_Whoever From =~ /\bWhoever\.com/i
2532 describe SARE_FREE_WEBM_Whoever Sender used free email account - may be spammer
2533 score SARE_FREE_WEBM_Whoever 0.700
2534 #counts SARE_FREE_WEBM_Whoever 2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2535 #max SARE_FREE_WEBM_Whoever 18s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
2536 #counts SARE_FREE_WEBM_Whoever 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2537 #max SARE_FREE_WEBM_Whoever 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2538 #counts SARE_FREE_WEBM_Whoever 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2539 #max SARE_FREE_WEBM_Whoever 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2540 #counts SARE_FREE_WEBM_Whoever 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2541 #counts SARE_FREE_WEBM_Whoever 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2543 header SARE_FREE_WEBM_WOWMAIL From =~ /\@wowmail\.com/i
2544 describe SARE_FREE_WEBM_WOWMAIL Sender used free email account - may be spammer
2545 score SARE_FREE_WEBM_WOWMAIL 0.767
2546 #hist SARE_FREE_WEBM_WOWMAIL Created by Bob Menschel June 16 2004
2547 #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2548 #max SARE_FREE_WEBM_WOWMAIL 18s/0h of 92181 corpus (67808s/24373h RM) 07/18/04
2549 #counts SARE_FREE_WEBM_WOWMAIL 2s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2550 #max SARE_FREE_WEBM_WOWMAIL 7s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2551 #counts SARE_FREE_WEBM_WOWMAIL 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2552 #counts SARE_FREE_WEBM_WOWMAIL 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2553 #max SARE_FREE_WEBM_WOWMAIL 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2554 #counts SARE_FREE_WEBM_WOWMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2556 header SARE_FREE_WEBM_ZCom01 From =~ /\b(?:sify|superonline|coolgoose)\.com/i
2557 describe SARE_FREE_WEBM_ZCom01 Sender used free email account - may be spammer
2558 score SARE_FREE_WEBM_ZCom01 0.854
2559 #counts SARE_FREE_WEBM_ZCom01 150s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
2560 #counts SARE_FREE_WEBM_ZCom01 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2561 #counts SARE_FREE_WEBM_ZCom01 3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2562 #max SARE_FREE_WEBM_ZCom01 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2563 #counts SARE_FREE_WEBM_ZCom01 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2564 #counts SARE_FREE_WEBM_ZCom01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2566 header SARE_FREE_WEBM_ZCom02 From =~ /\b(?:macmail|emailacc)\.com/i
2567 describe SARE_FREE_WEBM_ZCom02 Sender used free email account - may be spammer
2568 score SARE_FREE_WEBM_ZCom02 0.682
2569 #ham SARE_FREE_WEBM_ZCom02 Confirmed: macmail.com(2)
2570 #counts SARE_FREE_WEBM_ZCom02 122s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
2571 #counts SARE_FREE_WEBM_ZCom02 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2572 #max SARE_FREE_WEBM_ZCom02 10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2573 #counts SARE_FREE_WEBM_ZCom02 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2574 #counts SARE_FREE_WEBM_ZCom02 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2575 #counts SARE_FREE_WEBM_ZCom02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2577 header SARE_FREE_WEBM_ZCom03 From =~ /\b(?:pakistanmail|prontomail)\.com/i
2578 describe SARE_FREE_WEBM_ZCom03 Sender used free email account - may be spammer
2579 score SARE_FREE_WEBM_ZCom03 0.622
2580 #ham SARE_FREE_WEBM_ZCom03 valid email bounce messages
2581 #hist SARE_FREE_WEBM_ZCom03 Removed mail2world.com since it hit ham.
2582 #counts SARE_FREE_WEBM_ZCom03 139s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2583 #counts SARE_FREE_WEBM_ZCom03 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2584 #counts SARE_FREE_WEBM_ZCom03 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2585 #counts SARE_FREE_WEBM_ZCom03 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2586 #counts SARE_FREE_WEBM_ZCom03 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
2588 header SARE_FREE_WEBM_ZCom03B From =~ /\bmail2world\.com/i
2589 describe SARE_FREE_WEBM_ZCom03B Sender used free email account - may be spammer
2590 score SARE_FREE_WEBM_ZCom03B 0.622
2591 #ham SARE_FREE_WEBM_ZCom03B valid email bounce messages
2592 #counts SARE_FREE_WEBM_ZCom03B 139s/14h of 689155 corpus (348140s/341015h RM) 09/18/05
2593 #counts SARE_FREE_WEBM_ZCom03B 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2594 #counts SARE_FREE_WEBM_ZCom03B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2595 #counts SARE_FREE_WEBM_ZCom03B 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2596 #counts SARE_FREE_WEBM_ZCom03B 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
2598 header SARE_FREE_WEBM_ZCom04 From =~ /\b(?:luxmail|olemail|sailormoon)\.com/i
2599 describe SARE_FREE_WEBM_ZCom04 Sender used free email account - may be spammer
2600 score SARE_FREE_WEBM_ZCom04 0.711
2601 #counts SARE_FREE_WEBM_ZCom04 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2602 #max SARE_FREE_WEBM_ZCom04 19s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
2603 #counts SARE_FREE_WEBM_ZCom04 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2604 #counts SARE_FREE_WEBM_ZCom04 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2605 #counts SARE_FREE_WEBM_ZCom04 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2606 #max SARE_FREE_WEBM_ZCom04 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2607 #counts SARE_FREE_WEBM_ZCom04 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2609 header SARE_FREE_WEBM_ZCom06 From =~ /\b(?:clickitmail|deskpilot|killergreenmail|lancsmail|lovecat)\.com/i
2610 describe SARE_FREE_WEBM_ZCom06 Sender used free email account - may be spammer
2611 score SARE_FREE_WEBM_ZCom06 0.755
2612 #counts SARE_FREE_WEBM_ZCom06 23s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2613 #counts SARE_FREE_WEBM_ZCom06 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2614 #counts SARE_FREE_WEBM_ZCom06 2s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2615 #max SARE_FREE_WEBM_ZCom06 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2616 #counts SARE_FREE_WEBM_ZCom06 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2617 #counts SARE_FREE_WEBM_ZCom06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2619 header SARE_FREE_WEBM_ZCom07 From =~ /\b(?:bolt|amnestymail)\.com/i
2620 describe SARE_FREE_WEBM_ZCom07 Sender used free email account - may be spammer
2621 score SARE_FREE_WEBM_ZCom07 0.756
2622 #counts SARE_FREE_WEBM_ZCom07 25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2623 #counts SARE_FREE_WEBM_ZCom07 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2624 #counts SARE_FREE_WEBM_ZCom07 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2625 #counts SARE_FREE_WEBM_ZCom07 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2626 #max SARE_FREE_WEBM_ZCom07 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2627 #counts SARE_FREE_WEBM_ZCom07 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2629 header SARE_FREE_WEBM_ZZa001 From =~ /\@702mail\.co\.za/i
2630 describe SARE_FREE_WEBM_ZZa001 Sender used free email account - may be spammer
2631 score SARE_FREE_WEBM_ZZa001 0.783
2632 #counts SARE_FREE_WEBM_ZZa001 21s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2633 #max SARE_FREE_WEBM_ZZa001 38s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
2634 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
2635 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2636 #max SARE_FREE_WEBM_ZZa001 3s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2637 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2638 #counts SARE_FREE_WEBM_ZZa001 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2640 body __SARE_FREE_WEBM_SERV1 /Mail sent from WebMail service/i
2641 body __SARE_FREE_WEBM_SERV2 /spedita dal servizio WebMail/i
2642 body __SARE_FREE_WEBM_SERV3 /Mail enviado desde el servicio de WebMail/i
2643 body __SARE_FREE_WEBM_SERV4 /Mail inviata dal WebMail service/i
2644 body __SARE_FREE_WEBM_SERV5 /le module WebMail des service/i
2645 body __SARE_FREE_WEBM_SERV6 /Servizio WebMail offerto/i
2646 meta SARE_FREE_WEBM_SERV (__SARE_FREE_WEBM_SERV1 || __SARE_FREE_WEBM_SERV2 || __SARE_FREE_WEBM_SERV3 || __SARE_FREE_WEBM_SERV4 || __SARE_FREE_WEBM_SERV5 || __SARE_FREE_WEBM_SERV6)
2647 describe SARE_FREE_WEBM_SERV Sent from Webmail server
2648 score SARE_FREE_WEBM_SERV 1.374
2649 #ham SARE_FREE_WEBM_SERV confirmed (several)
2650 #hist SARE_FREE_WEBM_SERV Kevin Peuhkurinen, May 2005
2651 #counts SARE_FREE_WEBM_SERV 1104s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
2652 #counts SARE_FREE_WEBM_SERV 3s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
2653 #counts SARE_FREE_WEBM_SERV 58s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2654 #counts SARE_FREE_WEBM_SERV 9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2655 #counts SARE_FREE_WEBM_SERV 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2657 #####################################################################################
2658 # SARE Message-ID rules
2659 ######## ###################### ##################################################
2661 header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
2662 header __SARE_MSGID_D1D1D2D16 MESSAGEID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
2663 meta SARE_MSGID_D1D1D2D16 !__SARE_RECV_LOCALHOST && __SARE_MSGID_D1D1D2D16
2664 describe SARE_MSGID_D1D1D2D16 Message-ID has ratware pattern (9.9.99.9999999hex@
2665 score SARE_MSGID_D1D1D2D16 1.666
2666 #counts SARE_MSGID_D1D1D2D16 11s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2667 #max SARE_MSGID_D1D1D2D16 590s/0h of 115439 corpus (94250s/21189h) 04/30/04
2668 #counts SARE_MSGID_D1D1D2D16 46s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2669 #counts SARE_MSGID_D1D1D2D16 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2670 #counts SARE_MSGID_D1D1D2D16 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2671 #max SARE_MSGID_D1D1D2D16 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2672 #counts SARE_MSGID_D1D1D2D16 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2674 header SARE_MSGID_D5D7 MESSAGEID =~ /<\d{5}\.\d{7}\@/
2675 describe SARE_MSGID_D5D7 Message-ID has ratware pattern (99999.9999999@)
2676 score SARE_MSGID_D5D7 0.622
2677 #counts SARE_MSGID_D5D7 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
2678 #max SARE_MSGID_D5D7 4s/1h of 114238 corpus (81067s/33171h RM) 01/15/05
2679 #counts SARE_MSGID_D5D7 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2680 #counts SARE_MSGID_D5D7 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2681 #max SARE_MSGID_D5D7 25s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2682 #counts SARE_MSGID_D5D7 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2683 #counts SARE_MSGID_D5D7 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2685 header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
2686 header __SARE_MSGID_DDDASH MESSAGEID =~ /<\d\d?[\$-]/
2687 meta SARE_MSGID_DDDASH __SARE_MSGID_DDDASH && !__SARE_RECV_LOCALHOST
2688 describe SARE_MSGID_DDDASH Message-ID has ratware pattern (9-, 9$, 99-)
2689 score SARE_MSGID_DDDASH 1.666
2690 #counts SARE_MSGID_DDDASH 3039s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
2691 #counts SARE_MSGID_DDDASH 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2692 #max SARE_MSGID_DDDASH 114s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
2693 #counts SARE_MSGID_DDDASH 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2694 #counts SARE_MSGID_DDDASH 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2695 #max SARE_MSGID_DDDASH 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2696 #counts SARE_MSGID_DDDASH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2698 header SARE_MSGID_LONG50 MESSAGEID =~ /[a-z0-9\$]{50}/
2699 describe SARE_MSGID_LONG50 Exceedingly long message id
2700 score SARE_MSGID_LONG50 0.726
2701 #ihst SARE_MSGID_LONG50 Created by Frederic Tarasevicius
2702 #counts SARE_MSGID_LONG50 448s/11h of 689155 corpus (348140s/341015h RM) 09/18/05
2703 #max SARE_MSGID_LONG50 575s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
2704 #counts SARE_MSGID_LONG50 14s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2705 #counts SARE_MSGID_LONG50 28s/4h of 47809 corpus (43224s/4585h MY) 07/27/05
2706 #max SARE_MSGID_LONG50 38s/2h of 47283 corpus (43206s/4077h MY) 06/05/05
2707 #counts SARE_MSGID_LONG50 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2708 #max SARE_MSGID_LONG50 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2709 #counts SARE_MSGID_LONG50 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2711 header SARE_MSGID_QMAIL1 MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
2712 describe SARE_MSGID_QMAIL1 Contains spoofing message id
2713 score SARE_MSGID_QMAIL1 3.333
2714 #stype SARE_MSGID_QMAIL1 spamgg
2715 #hist SARE_MSGID_QMAIL1 David Hooton, Fri, 11 Jun 2004
2716 #counts SARE_MSGID_QMAIL1 6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2717 #max SARE_MSGID_QMAIL1 31s/0h of 68491 corpus (41115s/27376h RM) 09/18/04
2718 #counts SARE_MSGID_QMAIL1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2719 #max SARE_MSGID_QMAIL1 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2720 #counts SARE_MSGID_QMAIL1 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2721 #max SARE_MSGID_QMAIL1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2722 #counts SARE_MSGID_QMAIL1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2723 #counts SARE_MSGID_QMAIL1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2725 header SARE_MSGID_RATWARE2 MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/ # no /i!
2726 describe SARE_MSGID_RATWARE2 Message-Id is <digits.digits@letters>
2727 score SARE_MSGID_RATWARE2 0.683
2728 #hist SARE_MSGID_RATWARE2 Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
2729 #matches SARE_MSGID_RATWARE2 numbers.numbers@letters
2730 #counts SARE_MSGID_RATWARE2 32s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2731 #max SARE_MSGID_RATWARE2 1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
2732 #counts SARE_MSGID_RATWARE2 33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2733 #max SARE_MSGID_RATWARE2 66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2734 #counts SARE_MSGID_RATWARE2 9s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2735 #max SARE_MSGID_RATWARE2 31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2736 #counts SARE_MSGID_RATWARE2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2737 #max SARE_MSGID_RATWARE2 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2738 #counts SARE_MSGID_RATWARE2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2740 header SARE_MSGID_SHORT MESSAGEID =~ /^.{1,6}$/
2741 describe SARE_MSGID_SHORT Message ID is too short to be valid.
2742 score SARE_MSGID_SHORT 1.283
2743 #hist SARE_MSGID_SHORT RM_hm_ShortMsgid6
2744 #counts SARE_MSGID_SHORT 181s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2745 #max SARE_MSGID_SHORT 191s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
2746 #counts SARE_MSGID_SHORT 34s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2747 #max SARE_MSGID_SHORT 40s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2748 #counts SARE_MSGID_SHORT 43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2749 #max SARE_MSGID_SHORT 68s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
2750 #counts SARE_MSGID_SHORT 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2751 #max SARE_MSGID_SHORT 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2752 #counts SARE_MSGID_SHORT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2754 #####################################################################################
2755 # SARE Received Header Rules
2756 ######## ###################### ##################################################
2758 header SARE_HELO_EQ_DSL_3 X-Spam-Relays-Untrusted =~ /helo=dsl-/
2759 score SARE_HELO_EQ_DSL_3 0.752
2760 #ham SARE_HELO_EQ_DSL_3 confirmed (several)
2761 #hist SARE_HELO_EQ_DSL_3 Frederic Tarasevicius, Feb 22 2005
2762 #counts SARE_HELO_EQ_DSL_3 529s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
2763 #counts SARE_HELO_EQ_DSL_3 143s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2764 #max SARE_HELO_EQ_DSL_3 149s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
2765 #counts SARE_HELO_EQ_DSL_3 35s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
2766 #max SARE_HELO_EQ_DSL_3 42s/1h of 45478 corpus (41529s/3949h MY) 05/16/05
2767 #counts SARE_HELO_EQ_DSL_3 34s/1h of 10590 corpus (5819s/4771h CT) 07/26/05
2768 #max SARE_HELO_EQ_DSL_3 68s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
2769 #counts SARE_HELO_EQ_DSL_3 3s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
2771 header SARE_HELO_EQ_PPPOE X-Spam-Relays-Untrusted =~ /helo=pppoe-\d{2,3}-\d{1,3}-\d{1,3}-\d{1,3}/i
2772 score SARE_HELO_EQ_PPPOE 0.555
2773 #stype SARE_HELO_EQ_PPPOE spamp
2774 #hist SARE_HELO_EQ_PPPOE Frederic Tarasevicius, Feb 22 2005
2775 #counts SARE_HELO_EQ_PPPOE 3s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2776 #counts SARE_HELO_EQ_PPPOE 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
2777 #counts SARE_HELO_EQ_PPPOE 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
2778 #counts SARE_HELO_EQ_PPPOE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2779 #counts SARE_HELO_EQ_PPPOE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2781 header SARE_HELO_YAHOO Received =~ /helo=yahoo\.com/i
2782 describe SARE_HELO_YAHOO Received header has spamsign
2783 score SARE_HELO_YAHOO 1.666
2784 #ham SARE_HELO_YAHOO confirmed (6), generated by X-Mailer: Apple Mail (2.552)
2785 #hist SARE_HELO_YAHOO Created by Bob Menschel Oct 26 2004
2786 #counts SARE_HELO_YAHOO 663s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
2787 #counts SARE_HELO_YAHOO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2788 #counts SARE_HELO_YAHOO 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2789 #counts SARE_HELO_YAHOO 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2790 #counts SARE_HELO_YAHOO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2792 header SARE_HEAD_8BIT_RECV Received =~ /[\x80-\xff]{3,}/
2793 describe SARE_HEAD_8BIT_RECV High-ascii characters found in strange header
2794 score SARE_HEAD_8BIT_RECV 1.666
2795 #ham SARE_HEAD_8BIT_RECV verified (1)
2796 #hist SARE_HEAD_8BIT_RECV From Bugzilla # 2243
2797 #counts SARE_HEAD_8BIT_RECV 1029s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2798 #counts SARE_HEAD_8BIT_RECV 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2799 #counts SARE_HEAD_8BIT_RECV 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
2800 #counts SARE_HEAD_8BIT_RECV 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2801 #counts SARE_HEAD_8BIT_RECV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2803 header SARE_RECV_FEP5 Received =~ /by fep5\./i
2804 describe SARE_RECV_FEP5 Message contains known spam format
2805 score SARE_RECV_FEP5 1.666
2806 #ham SARE_RECV_FEP5 verified (1)
2807 #counts SARE_RECV_FEP5 527s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2808 #max SARE_RECV_FEP5 528s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
2809 #counts SARE_RECV_FEP5 7s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
2810 #counts SARE_RECV_FEP5 208s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2811 #max SARE_RECV_FEP5 479s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2812 #counts SARE_RECV_FEP5 168s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2813 #max SARE_RECV_FEP5 195s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2814 #counts SARE_RECV_FEP5 6s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2816 header SARE_RECV_FREESERVE Received =~ /\bfreeserve\.com/
2817 describe SARE_RECV_FREESERVE spam passed through system used by spammers
2818 score SARE_RECV_FREESERVE 0.704
2819 #ham SARE_RECV_FREESERVE confirmed (1)
2820 #ham SARE_RECV_FREESERVE userid@hurrel.freeserve.co.uk, valid email sent to Yahoo groups list by subscriber
2821 #counts SARE_RECV_FREESERVE 77s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
2822 #counts SARE_RECV_FREESERVE 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2823 #counts SARE_RECV_FREESERVE 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2824 #counts SARE_RECV_FREESERVE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2825 #counts SARE_RECV_FREESERVE 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
2827 header SARE_RECV_MDNETCOMBR Received =~ /\bmdnet\.com\.br/
2828 describe SARE_RECV_MDNETCOMBR Came through/fromsite used by spammer
2829 score SARE_RECV_MDNETCOMBR 0.756
2830 #counts SARE_RECV_MDNETCOMBR 2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2831 #max SARE_RECV_MDNETCOMBR 33s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
2832 #counts SARE_RECV_MDNETCOMBR 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2833 #counts SARE_RECV_MDNETCOMBR 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2834 #counts SARE_RECV_MDNETCOMBR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2835 #counts SARE_RECV_MDNETCOMBR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2837 header SARE_RECV_PATMEDIA Received =~ /\bpatmedia\.net/i
2838 describe SARE_RECV_PATMEDIA Passed through possible spammer relay or source
2839 score SARE_RECV_PATMEDIA 0.728
2840 #stype SARE_RECV_PATMEDIA spamp
2841 #hist SARE_RECV_PATMEDIA Created by Bob Menschel Aug 19 2004
2842 #counts SARE_RECV_PATMEDIA 47s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
2843 #counts SARE_RECV_PATMEDIA 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2844 #counts SARE_RECV_PATMEDIA 6s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2845 #counts SARE_RECV_PATMEDIA 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2846 #counts SARE_RECV_PATMEDIA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2848 header __SARE_RECV_PORTHELOA Received =~ /helo=\[\w+\]/i
2849 header __SARE_RECV_PORTHELOB Received =~ /\(port=\d{4} helo=\[\w+\]\)/i
2850 header SARE_RECV_PORTHELO_1 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(port=\d{4} helo=\[\w+\]\)/i
2851 meta SARE_RECV_PORTHELO_2 __SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
2852 meta SARE_RECV_PORTHELO_3 __SARE_RECV_PORTHELOA && !__SARE_RECV_PORTHELOB && !SARE_RECV_PORTHELO_1
2853 describe SARE_RECV_PORTHELO_1 Apparent Spamsign in Received header
2854 describe SARE_RECV_PORTHELO_2 Apparent Spamsign in Received header
2855 describe SARE_RECV_PORTHELO_3 Apparent Spamsign in Received header
2856 score SARE_RECV_PORTHELO_1 2.666
2857 score SARE_RECV_PORTHELO_2 2.000
2858 score SARE_RECV_PORTHELO_3 1.666
2859 #note SARE_RECV_PORTHELO_1 As of June 8 2005, all three rules in this family hit identically.
2860 #note SARE_RECV_PORTHELO_1 We score them based on their "safety".
2861 #hist SARE_RECV_PORTHELO_1 Loren Wilton, June 2005
2862 #counts SARE_RECV_PORTHELO_1 5201s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2863 #counts SARE_RECV_PORTHELO_1 69s/0h of 55754 corpus (18581s/37173h JH-3.01) 06/10/05
2864 #counts SARE_RECV_PORTHELO_1 286s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2865 #counts SARE_RECV_PORTHELO_1 83s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
2866 #counts SARE_RECV_PORTHELO_1 42s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2867 #counts SARE_RECV_PORTHELO_3 499s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2869 header SARE_RECV_RND_DATE Received =~ /RND_DATE/i
2870 describe SARE_RECV_RND_DATE Spam passed through iswest.net relay
2871 score SARE_RECV_RND_DATE 1.666
2872 #stype SARE_RECV_RND_DATE spamg
2873 #counts SARE_RECV_RND_DATE 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
2874 #max SARE_RECV_RND_DATE 9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
2875 #counts SARE_RECV_RND_DATE 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
2876 #counts SARE_RECV_RND_DATE 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2877 #counts SARE_RECV_RND_DATE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2878 #counts SARE_RECV_RND_DATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2880 header SARE_RECV_SKANOVA Received =~ /\bskanova\.com/i
2881 describe SARE_RECV_SKANOVA From or passed through spammer/unreliable domain
2882 score SARE_RECV_SKANOVA 0.741
2883 #ham SARE_RECV_SKANOVA verified (several)
2884 #hist SARE_RECV_SKANOVA Created by Bob Menschel Apr 03 2004
2885 #counts SARE_RECV_SKANOVA 197s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
2886 #counts SARE_RECV_SKANOVA 18s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2887 #counts SARE_RECV_SKANOVA 15s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
2888 #counts SARE_RECV_SKANOVA 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2889 #counts SARE_RECV_SKANOVA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2891 header SARE_RECV_SPAM_DOMN02 Received =~ /\b(?:dsl\.telesp|speedyterra)\.(?:com|net)\.br/
2892 describe SARE_RECV_SPAM_DOMN02 Email passed through apparent spammer domain
2893 score SARE_RECV_SPAM_DOMN02 1.666
2894 #ham SARE_RECV_SPAM_DOMN02 Confirmed (5)
2895 #counts SARE_RECV_SPAM_DOMN02 1953s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
2896 #counts SARE_RECV_SPAM_DOMN02 138s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2897 #max SARE_RECV_SPAM_DOMN02 187s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
2898 #counts SARE_RECV_SPAM_DOMN02 64s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2899 #counts SARE_RECV_SPAM_DOMN02 28s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2900 #max SARE_RECV_SPAM_DOMN02 44s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2901 #counts SARE_RECV_SPAM_DOMN02 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2903 header SARE_RECV_SPAM_DOMN04 Received =~ /\b(?:megared)\.(?:com|net)\.mx/
2904 describe SARE_RECV_SPAM_DOMN04 Email passed through apparent spammer domain
2905 score SARE_RECV_SPAM_DOMN04 0.709
2906 #ham SARE_RECV_SPAM_DOMN04 verified (3)
2907 #counts SARE_RECV_SPAM_DOMN04 244s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
2908 #counts SARE_RECV_SPAM_DOMN04 29s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2909 #max SARE_RECV_SPAM_DOMN04 34s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2910 #counts SARE_RECV_SPAM_DOMN04 3s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2911 #counts SARE_RECV_SPAM_DOMN04 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2912 #max SARE_RECV_SPAM_DOMN04 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2913 #counts SARE_RECV_SPAM_DOMN04 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2915 header SARE_RECV_SPAM_DOMN06 Received =~ /adsl.cust.tie.cl/i
2916 describe SARE_RECV_SPAM_DOMN06 Passed through possible spammer relay or source
2917 score SARE_RECV_SPAM_DOMN06 0.878
2918 #ham SARE_RECV_SPAM_DOMN06 verified (1)
2919 #hist SARE_RECV_SPAM_DOMN06 Created by Bob Menschel Jul 17 2004
2920 #counts SARE_RECV_SPAM_DOMN06 161s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
2921 #counts SARE_RECV_SPAM_DOMN06 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2922 #counts SARE_RECV_SPAM_DOMN06 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2923 #counts SARE_RECV_SPAM_DOMN06 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2924 #max SARE_RECV_SPAM_DOMN06 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2925 #counts SARE_RECV_SPAM_DOMN06 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2927 header SARE_RECV_SPAM_DOMN0a Received =~ /\b(?:cyberemailings|netmedia-corp|themailservers|ucanrecover|vnuemedia|winnerssweepstakes|wseas|www--directory)\.(?:com|net|org|info)/
2928 describe SARE_RECV_SPAM_DOMN0a Email passed through apparent spammer domain
2929 score SARE_RECV_SPAM_DOMN0a 1.666
2930 #ham SARE_RECV_SPAM_DOMN0a 218-162-39-132.dynamic.hinet.net, valid/appropriate UCE
2931 #hist SARE_RECV_SPAM_DOMN0a freeserve.com removed May 16 2005
2932 #counts SARE_RECV_SPAM_DOMN0a 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2933 #max SARE_RECV_SPAM_DOMN0a 242s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
2934 #counts SARE_RECV_SPAM_DOMN0a 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2935 #max SARE_RECV_SPAM_DOMN0a 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2936 #counts SARE_RECV_SPAM_DOMN0a 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
2937 #counts SARE_RECV_SPAM_DOMN0a 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2938 #counts SARE_RECV_SPAM_DOMN0a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2940 header SARE_RECV_SPAM_DOMN0b Received =~ /\bdynamic.hinet\.(?:com|net|org|info)/
2941 describe SARE_RECV_SPAM_DOMN0b Email passed through apparent spammer domain
2942 score SARE_RECV_SPAM_DOMN0b 1.666
2943 #ham SARE_RECV_SPAM_DOMN0b confirmed (many)
2944 #counts SARE_RECV_SPAM_DOMN0b 4287s/20h of 689155 corpus (348140s/341015h RM) 09/18/05
2945 #counts SARE_RECV_SPAM_DOMN0b 40s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2946 #counts SARE_RECV_SPAM_DOMN0b 59s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2947 #counts SARE_RECV_SPAM_DOMN0b 31s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2948 #counts SARE_RECV_SPAM_DOMN0b 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
2950 header SARE_RECV_SPEEDY_AR Received =~ /\b(?:speedy)\.(?:com|net)\.ar/
2951 describe SARE_RECV_SPEEDY_AR Email passed through apparent spammer domain
2952 score SARE_RECV_SPEEDY_AR 1.154
2953 #ham SARE_RECV_SPEEDY_AR From: "Hushport Admin" <postmaster@hushport.com>, Received: from nairobi (200-63-141-89.speedy.com.ar [200.63.141.89])
2954 #counts SARE_RECV_SPEEDY_AR 278s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
2955 #counts SARE_RECV_SPEEDY_AR 32s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2956 #counts SARE_RECV_SPEEDY_AR 7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2957 #max SARE_RECV_SPEEDY_AR 14s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
2958 #counts SARE_RECV_SPEEDY_AR 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2959 #max SARE_RECV_SPEEDY_AR 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
2960 #counts SARE_RECV_SPEEDY_AR 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2962 header SARE_RECV_UK2NET2 Received =~ /\buk2\.net\b/i
2963 describe SARE_RECV_UK2NET2 Passed through possible spammer relay or source
2964 score SARE_RECV_UK2NET2 0.789
2965 #hist SARE_RECV_UK2NET2 Created by Bob Menschel Oct 01 2004
2966 #counts SARE_RECV_UK2NET2 29s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
2967 #counts SARE_RECV_UK2NET2 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2968 #max SARE_RECV_UK2NET2 8s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
2969 #counts SARE_RECV_UK2NET2 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2970 #max SARE_RECV_UK2NET2 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
2971 #counts SARE_RECV_UK2NET2 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2972 #counts SARE_RECV_UK2NET2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
2974 header SARE_RECV_VIRTUACOMBR Received =~ /\bvirtua\.com\.br/
2975 describe SARE_RECV_VIRTUACOMBR Came through/fromsite used by spammer
2976 score SARE_RECV_VIRTUACOMBR 0.680
2977 #ham SARE_RECV_VIRTUACOMBR confirmed (4)
2978 #hist SARE_RECV_VIRTUACOMBR RM_hr_VirtuaComBr
2979 #counts SARE_RECV_VIRTUACOMBR 882s/45h of 689155 corpus (348140s/341015h RM) 09/18/05
2980 #counts SARE_RECV_VIRTUACOMBR 20s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
2981 #counts SARE_RECV_VIRTUACOMBR 104s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
2982 #counts SARE_RECV_VIRTUACOMBR 17s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
2983 #max SARE_RECV_VIRTUACOMBR 37s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
2984 #counts SARE_RECV_VIRTUACOMBR 4s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
2986 #####################################################################################
2987 # SARE Received Header IP Address Rules
2988 ######## ###################### ##################################################
2990 #eader __SARE_RECV_BEZEQINT Received =~ /\bbezeqint\.net/
2991 header __SARE_RECV_BEZEQINT1 Received =~ /\[212\.179\.13\.\d{1,3}\]/
2992 header __SARE_RECV_BEZEQINT2 Received =~ /\[212\.179\.(?:8\d|9[1-46-9]|10[0-6]|11[6-9]|12[89]|1[3-6]\d|17[0-36-9]|19[02-9]|2\d\d)\.\d{1,3}\]/
2993 header __SARE_RECV_BEZEQINT3 Received =~ /\[62\.219\.(?:4[89]|5[1-9]|[67]\d|11[2-9]|1[2-5]\d|189|192)\.\d{1,3}\]/
2994 header __SARE_RECV_BEZEQINT4 Received =~ /\[81\.218\.(?:\d{1,2}|1[01]\d|12[0-7]|13[2-9]|1[4-9]\d|2\d\d)\.\d{1,3}\]/
2995 header __SARE_RECV_BEZEQINT5 Received =~ /\[82\.80\.(?:\d|[1-5]\d|6[0-3]|12[89]|1[3-9]\d|2[01]\d|22[0-3])\.\d{1,3}\]/
2996 header __SARE_RECV_BEZEQINT6 Received =~ /\[82\.81\.(?:\d|\d\d|1[01]\d|12[0-7]|19[2-9]|2[01]\d|22[0-3])\.\d{1,3}\]/
2997 meta SARE_RECV_BEZEQINT_B __SARE_RECV_BEZEQINT1 || __SARE_RECV_BEZEQINT2 || __SARE_RECV_BEZEQINT3 || __SARE_RECV_BEZEQINT4 || __SARE_RECV_BEZEQINT5 || __SARE_RECV_BEZEQINT6
2998 describe SARE_RECV_BEZEQINT_B Came through/fromsite used by spammer
2999 score SARE_RECV_BEZEQINT_B 0.980
3000 #ham SARE_RECV_BEZEQINT_B verified (4)
3001 #hist SARE_RECV_BEZEQINT_B Created by Bob Menschel Jan 29 from data supplied by Bezeqint.net to replace SARE_RECV_BEZEQINT
3002 #counts SARE_RECV_BEZEQINT_B 494s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
3003 #counts SARE_RECV_BEZEQINT_B 21s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3004 #max SARE_RECV_BEZEQINT_B 24s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3005 #counts SARE_RECV_BEZEQINT_B 18s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3006 #counts SARE_RECV_BEZEQINT_B 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3007 #max SARE_RECV_BEZEQINT_B 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3008 #counts SARE_RECV_BEZEQINT_B 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3010 header SARE_RECV_IP_FROMIP1 Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
3011 describe SARE_RECV_IP_FROMIP1 Received line is IP address from IP address
3012 score SARE_RECV_IP_FROMIP1 1.666
3013 #hist SARE_RECV_IP_FROMIP1 From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
3014 #ham SARE_RECV_IP_FROMIP1 ham: South Valley Bank
3015 #counts SARE_RECV_IP_FROMIP1 2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
3016 #counts SARE_RECV_IP_FROMIP1 1547s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3017 #max SARE_RECV_IP_FROMIP1 1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3018 #counts SARE_RECV_IP_FROMIP1 37s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3019 #max SARE_RECV_IP_FROMIP1 639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
3020 #counts SARE_RECV_IP_FROMIP1 125s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3021 #max SARE_RECV_IP_FROMIP1 661s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3022 #counts SARE_RECV_IP_FROMIP1 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3024 header SARE_RECV_IP_FROMIP3 ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
3025 describe SARE_RECV_IP_FROMIP3 Received line is IP address from IP address
3026 score SARE_RECV_IP_FROMIP3 1.666
3027 #match SARE_RECV_IP_FROMIP3 Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
3028 #ham SARE_RECV_IP_FROMIP3 Messages from a cell phone
3029 #hist SARE_RECV_IP_FROMIP3 From Fred <tech2@i-is.com>, Fri, 2 Apr 2004, RE_hrip_IPfromIPc
3030 #counts SARE_RECV_IP_FROMIP3 587s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3031 #counts SARE_RECV_IP_FROMIP3 111s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3032 #max SARE_RECV_IP_FROMIP3 155s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
3033 #counts SARE_RECV_IP_FROMIP3 15s/3h of 47809 corpus (43224s/4585h MY) 07/27/05
3034 #max SARE_RECV_IP_FROMIP3 46s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
3035 #counts SARE_RECV_IP_FROMIP3 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3036 #max SARE_RECV_IP_FROMIP3 42s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3037 #counts SARE_RECV_IP_FROMIP3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3039 header SARE_RECV_IP_061050 Received =~ /\[61\.5[01]\.\d{1,3}\.\d{1,3}\]/
3040 describe SARE_RECV_IP_061050 Spam passed through possible spammer relay
3041 score SARE_RECV_IP_061050 1.666
3042 #ham SARE_RECV_IP_061050 confirmed (2)
3043 #counts SARE_RECV_IP_061050 757s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
3044 #counts SARE_RECV_IP_061050 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3045 #counts SARE_RECV_IP_061050 14s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3046 #counts SARE_RECV_IP_061050 4s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3047 #max SARE_RECV_IP_061050 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3048 #counts SARE_RECV_IP_061050 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3050 header SARE_RECV_IP_061072 Received =~ /\[61\.7[2-7]\.\d{1,3}\.\d{1,3}\]/
3051 describe SARE_RECV_IP_061072 Passed through possible spammer relay or source
3052 score SARE_RECV_IP_061072 1.666
3053 #note SARE_RECV_IP_061072 Korea Telecom
3054 #hist SARE_RECV_IP_061072 Created by Bob Menschel Nov 02 2004
3055 #ham SARE_RECV_IP_061072 verified (1)
3056 #counts SARE_RECV_IP_061072 2043s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
3057 #counts SARE_RECV_IP_061072 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3058 #counts SARE_RECV_IP_061072 48s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3059 #counts SARE_RECV_IP_061072 21s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3060 #counts SARE_RECV_IP_061072 2s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
3062 header SARE_RECV_IP_061187 Received =~ /\[61\.187\.\d{1,3}\.\d{1,3}\]/
3063 describe SARE_RECV_IP_061187 Passed through possible spammer relay or source
3064 score SARE_RECV_IP_061187 0.639
3065 #hist SARE_RECV_IP_061187 Created by Bob Menschel Aug 09 2004
3066 #counts SARE_RECV_IP_061187 14s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
3067 #max SARE_RECV_IP_061187 36s/1h of 114241 corpus (81067s/33174h RM) 01/15/05
3068 #counts SARE_RECV_IP_061187 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3069 #max SARE_RECV_IP_061187 4s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
3070 #counts SARE_RECV_IP_061187 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3071 #max SARE_RECV_IP_061187 20s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3072 #counts SARE_RECV_IP_061187 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3073 #max SARE_RECV_IP_061187 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3074 #counts SARE_RECV_IP_061187 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3076 header SARE_RECV_IP_061190 Received =~ /\[61\.190\.\d{1,3}\.\d{1,3}\]/
3077 describe SARE_RECV_IP_061190 Spam passed through possible spammer relay
3078 score SARE_RECV_IP_061190 1.111
3079 #stype SARE_RECV_IP_061190 spamp
3080 #hist SARE_RECV_IP_061190 Created by Bob Menschel Apr 04 2004
3081 #counts SARE_RECV_IP_061190 42s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3082 #counts SARE_RECV_IP_061190 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3083 #max SARE_RECV_IP_061190 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3084 #counts SARE_RECV_IP_061190 5s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
3085 #counts SARE_RECV_IP_061190 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3086 #counts SARE_RECV_IP_061190 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3088 header SARE_RECV_IP_061228 Received =~ /\[61\.(?:22[89]|23[01])\.\d{1,3}\.\d{1,3}\]/
3089 describe SARE_RECV_IP_061228 Spam passed through possible spammer relay
3090 score SARE_RECV_IP_061228 1.633
3091 #ham SARE_RECV_IP_061228 verified (1)
3092 #counts SARE_RECV_IP_061228 757s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
3093 #counts SARE_RECV_IP_061228 6s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3094 #counts SARE_RECV_IP_061228 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3095 #counts SARE_RECV_IP_061228 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3096 #max SARE_RECV_IP_061228 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3097 #counts SARE_RECV_IP_061228 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3099 header SARE_RECV_IP_062023 Received =~ /\[62\.23\.133\.(?:19[2-9]|2\d{2})\]/
3100 describe SARE_RECV_IP_062023 Passed through possible spammer relay or source
3101 score SARE_RECV_IP_062023 1.111
3102 #stype SARE_RECV_IP_062023 spamp
3103 #hist SARE_RECV_IP_062023 Created by Bob Menschel Feb 10 2005 from Spam-L info
3104 #note SARE_RECV_IP_062023 E-Mail-Vision
3105 #counts SARE_RECV_IP_062023 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3106 #max SARE_RECV_IP_062023 22s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
3107 #counts SARE_RECV_IP_062023 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
3108 #counts SARE_RECV_IP_062023 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
3109 #counts SARE_RECV_IP_062023 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3110 #counts SARE_RECV_IP_062023 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3112 header SARE_RECV_IP_065205157 received =~ /\[65\.205\.157\.(?:19[2-9]|2[01]\d|22[0-3])\]/
3113 describe SARE_RECV_IP_065205157 Spam passed through possible spammer relay
3114 score SARE_RECV_IP_065205157 1.111
3115 #stype SARE_RECV_IP_065205157 spamp
3116 #hist SARE_RECV_IP_065205157 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
3117 #counts SARE_RECV_IP_065205157 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
3118 #max SARE_RECV_IP_065205157 7s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
3119 #counts SARE_RECV_IP_065205157 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3120 #counts SARE_RECV_IP_065205157 67s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3121 #counts SARE_RECV_IP_065205157 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3122 #counts SARE_RECV_IP_065205157 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3124 header SARE_RECV_IP_064034 Received =~ /\[64\.34\.(?:\d{1,2}|1(?:[01]|2[0-7]))\.\d{1,3}\]/
3125 describe SARE_RECV_IP_064034 Spam passed through possible spammer relay
3126 score SARE_RECV_IP_064034 0.639
3127 #stype SARE_RECV_IP_064034 spamp
3128 #hist SARE_RECV_IP_064034 Created by Bob Menschel Aug 07 2005
3129 #counts SARE_RECV_IP_064034 144s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
3130 #counts SARE_RECV_IP_064034 2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3131 #counts SARE_RECV_IP_064034 4s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3133 header SARE_RECV_IP_066017 Received =~ /\[66\.17\.(?:12[89]|1[3-9]\d|2\d\d)\.\d{1,3}\]/
3134 describe SARE_RECV_IP_066017 Passed through possible spammer relay or source
3135 score SARE_RECV_IP_066017 0.689
3136 #ham SARE_RECV_IP_066017 confirmed (8)
3137 #note SARE_RECV_IP_066017 Yipes Communications Inc
3138 #hist SARE_RECV_IP_066017 Created by Bob Menschel Nov 20 2004
3139 #counts SARE_RECV_IP_066017 88s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
3140 #counts SARE_RECV_IP_066017 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3141 #max SARE_RECV_IP_066017 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3142 #counts SARE_RECV_IP_066017 224s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3143 #max SARE_RECV_IP_066017 335s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3144 #counts SARE_RECV_IP_066017 0s/8h of 10590 corpus (5819s/4771h CT) 07/26/05
3145 #max SARE_RECV_IP_066017 149s/8h of 11052 corpus (6614s/4438h CT) 03/10/05
3146 #counts SARE_RECV_IP_066017 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3148 header SARE_RECV_IP_066165224 Received =~ /\[66\.165\.2(?:2[4-9]|3\d)\.\d{1,3}\]/
3149 describe SARE_RECV_IP_066165224 Spam passed through possible spammer relay
3150 score SARE_RECV_IP_066165224 0.675
3151 #ham SARE_RECV_IP_066165224 confirmed: 3
3152 #hist SARE_RECV_IP_066165224 Created by Bob Menschel May 14 2005
3153 #note SARE_RECV_IP_066165224 Cyber World Internet Services
3154 #counts SARE_RECV_IP_066165224 7s/3h of 619677 corpus (318875s/300802h RM) 09/11/05
3155 #max SARE_RECV_IP_066165224 34s/0h of 272483 corpus (108035s/164448h RM) 05/15/05
3156 #counts SARE_RECV_IP_066165224 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3157 #counts SARE_RECV_IP_066165224 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3158 #counts SARE_RECV_IP_066165224 78s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3159 #max SARE_RECV_IP_066165224 124s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3161 header SARE_RECV_IP_066248154 Received =~ /\[66\.248\.154\.\d{1,3}\]/
3162 describe SARE_RECV_IP_066248154 Spam passed through possible spammer relay
3163 score SARE_RECV_IP_066248154 1.111
3164 #stype SARE_RECV_IP_066248154 spamp
3165 #hist SARE_RECV_IP_066248154 Created by Bob Menschel May 14 2005
3166 #note SARE_RECV_IP_066248154 Advanced Dedicated Database Servers LLC
3167 #counts SARE_RECV_IP_066248154 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
3168 #max SARE_RECV_IP_066248154 8s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
3169 #counts SARE_RECV_IP_066248154 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3170 #counts SARE_RECV_IP_066248154 17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3172 header SARE_RECV_IP_069050210 Received =~ /\[69\.50\.210\.\d{1,3}\]/
3173 describe SARE_RECV_IP_069050210 Spam passed through possible spammer relay
3174 score SARE_RECV_IP_069050210 0.691
3175 #ham SARE_RECV_IP_069050210 confirmed (2)
3176 #hist SARE_RECV_IP_069050210 Created by Fred Tarasevicius May 2005
3177 #counts SARE_RECV_IP_069050210 49s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
3178 #counts SARE_RECV_IP_069050210 12s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
3179 #counts SARE_RECV_IP_069050210 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3181 header SARE_RECV_IP_069060096 Received =~ /\[69\.60\.(?:9[6-9]|1(?:[01]\d|2[0-7]))\.\d{1,3}\]/
3182 describe SARE_RECV_IP_069060096 Spam passed through possible spammer relay
3183 score SARE_RECV_IP_069060096 1.666
3184 #ham SARE_RECV_IP_069060096 verified (1)
3185 #hist SARE_RECV_IP_069060096 Created by Bob Menschel May 14 2005
3186 #counts SARE_RECV_IP_069060096 6813s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
3187 #counts SARE_RECV_IP_069060096 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3188 #counts SARE_RECV_IP_069060096 2s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3189 #counts SARE_RECV_IP_069060096 398s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3191 header SARE_RECV_IP_082080 Received =~ /\[82\.80\.(?:12[89]|1[3-8]\d|191)\.\d{1,3}\]/
3192 describe SARE_RECV_IP_082080 Spam passed through possible spammer relay
3193 score SARE_RECV_IP_082080 1.111
3194 #stype SARE_RECV_IP_082080 spamp
3195 #counts SARE_RECV_IP_082080 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3196 #counts SARE_RECV_IP_082080 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3197 #max SARE_RECV_IP_082080 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3198 #counts SARE_RECV_IP_082080 2s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
3199 #counts SARE_RECV_IP_082080 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3200 #counts SARE_RECV_IP_082080 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3202 header SARE_RECV_IP_082102 Received =~ /\[82\.102\.(?:3[2-9]|[45]\d|6[0-3]).\d{1,3}\]/
3203 describe SARE_RECV_IP_082102 Spam passed through possible spammer relay
3204 score SARE_RECV_IP_082102 0.555
3205 #stype SARE_RECV_IP_082102 spamp
3206 #hist SARE_RECV_IP_082102 Created by Bob Menschel May 20 2004
3207 #counts SARE_RECV_IP_082102 9s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3208 #counts SARE_RECV_IP_082102 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3209 #counts SARE_RECV_IP_082102 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3210 #max SARE_RECV_IP_082102 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
3211 #counts SARE_RECV_IP_082102 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3212 #counts SARE_RECV_IP_082102 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3214 header SARE_RECV_IP_082154 Received =~ /\[82\.15[45]\.\d{1,3}\.\d{1,3}\]/
3215 describe SARE_RECV_IP_082154 Passed through possible spammer relay or source
3216 score SARE_RECV_IP_082154 1.144
3217 #ham SARE_RECV_IP_082154 confirmed (1)
3218 #hist SARE_RECV_IP_082154 Created by Bob Menschel Aug 10 2004
3219 #counts SARE_RECV_IP_082154 572s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
3220 #counts SARE_RECV_IP_082154 13s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3221 #counts SARE_RECV_IP_082154 43s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3222 #counts SARE_RECV_IP_082154 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3223 #counts SARE_RECV_IP_082154 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3225 header SARE_RECV_IP_083028 Received =~ /\[83\.28\.\d{1,3}\.\d{1,3}\]/
3226 describe SARE_RECV_IP_083028 Passed through possible spammer relay or source
3227 score SARE_RECV_IP_083028 0.874
3228 #ham SARE_RECV_IP_083028 verified (1)
3229 #hist SARE_RECV_IP_083028 Created by Bob Menschel Sep 10 2004
3230 #note SARE_RECV_IP_083028 Large block of IP addresses in Poland
3231 #counts SARE_RECV_IP_083028 171s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
3232 #counts SARE_RECV_IP_083028 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3233 #counts SARE_RECV_IP_083028 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3234 #max SARE_RECV_IP_083028 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
3235 #counts SARE_RECV_IP_083028 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3236 #max SARE_RECV_IP_083028 3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3237 #counts SARE_RECV_IP_083028 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
3239 header SARE_RECV_IP_140117 Received =~ /\[140\.1(?:1[789]|2\d|3[0-8])\.\d{1,3}\.\d{1,3}\]/
3240 describe SARE_RECV_IP_140117 Passed through possible spammer relay or source
3241 score SARE_RECV_IP_140117 1.189
3242 #ham SARE_RECV_IP_140117 confirmed (1)
3243 #hist SARE_RECV_IP_140117 Created by Bob Menschel Oct 03 2004
3244 #note SARE_RECV_IP_140117 Ministry of Education Computing Center, Taipei, Taiwan
3245 #counts SARE_RECV_IP_140117 87s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3246 #counts SARE_RECV_IP_140117 17s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3247 #counts SARE_RECV_IP_140117 6s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
3248 #counts SARE_RECV_IP_140117 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3249 #max SARE_RECV_IP_140117 9s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3250 #counts SARE_RECV_IP_140117 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3252 header SARE_RECV_IP_163125 Received =~ /\[163\.125\.\d{1,3}\.\d{1,3}\]/
3253 describe SARE_RECV_IP_163125 Spam passed through possible spammer relay
3254 score SARE_RECV_IP_163125 1.111
3255 #stype SARE_RECV_IP_163125 spamp
3256 #hist SARE_RECV_IP_163125 Created by Bob Menschel May 14 2005
3257 #note SARE_RECV_IP_163125 Success Marketing Associates, LLC
3258 #counts SARE_RECV_IP_163125 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3259 #counts SARE_RECV_IP_163125 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3260 #counts SARE_RECV_IP_163125 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3261 #max SARE_RECV_IP_163125 9s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3263 header SARE_RECV_IP_192116 Received =~ /\[192\.116\.13[3-7]\.\d{1,3}\]/
3264 describe SARE_RECV_IP_192116 Passed through possible spammer relay or source
3265 score SARE_RECV_IP_192116 0.861
3266 #note SARE_RECV_IP_192116 GILAT-SATCOM
3267 #hist SARE_RECV_IP_192116 Created by Bob Menschel Nov 16 2004
3268 #counts SARE_RECV_IP_192116 2s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
3269 #max SARE_RECV_IP_192116 52s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
3270 #counts SARE_RECV_IP_192116 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3271 #counts SARE_RECV_IP_192116 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
3272 #counts SARE_RECV_IP_192116 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3273 #counts SARE_RECV_IP_192116 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3275 header SARE_RECV_IP_195229 Received =~ /\[195\.229\.2[45]\d\.\d{1,3}\]/
3276 describe SARE_RECV_IP_195229 Passed through possible spammer relay or source
3277 score SARE_RECV_IP_195229 0.805
3278 #hist SARE_RECV_IP_195229 Created by Bob Menschel Aug 31 2004
3279 #counts SARE_RECV_IP_195229 16s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3280 #max SARE_RECV_IP_195229 44s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
3281 #counts SARE_RECV_IP_195229 0s/0h of 38748 corpus (15267s/23481h JH-SA3.0rc1) 09/04/04
3282 #counts SARE_RECV_IP_195229 0s/0h of 19447 corpus (16862s/2585h MY) 09/04/04
3283 #counts SARE_RECV_IP_195229 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3284 #counts SARE_RECV_IP_195229 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3286 header SARE_RECV_IP_200150 Received =~ /\[200\.150\.\d{1,3}\.\d{1,3}\]/
3287 describe SARE_RECV_IP_200150 Spam passed through possible spammer relay
3288 score SARE_RECV_IP_200150 1.031
3289 #ham SARE_RECV_IP_200150 confirmed (2)
3290 #hist SARE_RECV_IP_200150 Created by Bob Menschel Aug 29 2004
3291 #counts SARE_RECV_IP_200150 142s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
3292 #counts SARE_RECV_IP_200150 19s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3293 #counts SARE_RECV_IP_200150 7s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3294 #counts SARE_RECV_IP_200150 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3295 #max SARE_RECV_IP_200150 3s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3296 #counts SARE_RECV_IP_200150 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3298 header SARE_RECV_IP_203210128 Received =~ /\[203.210\.(?:1(?:2[89]|[3-9]\d)|2\d\d)\.\d{1,3}\]/
3299 describe SARE_RECV_IP_203210128 Spam passed through possible spammer relay
3300 score SARE_RECV_IP_203210128 0.516
3301 #ham SARE_RECV_IP_203210128 verified (3)
3302 #hist SARE_RECV_IP_203210128 Created by Bob Menschel May 14 2005
3303 #note SARE_RECV_IP_203210128 Vietnam Posts and Telecommunications (VNPT)
3304 #counts SARE_RECV_IP_203210128 56s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
3305 #counts SARE_RECV_IP_203210128 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3306 #max SARE_RECV_IP_203210128 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3307 #counts SARE_RECV_IP_203210128 69s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3308 #max SARE_RECV_IP_203210128 79s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3309 #counts SARE_RECV_IP_203210128 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3310 #counts SARE_RECV_IP_203210128 3s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3312 header SARE_RECV_IP_203177 Received =~ /\[203\.177\.1(?:2[89]|[3-8]\d|9[01])\.\d{1,3}\]/
3313 describe SARE_RECV_IP_203177 Passed through possible spammer relay or source
3314 score SARE_RECV_IP_203177 0.622
3315 #hist SARE_RECV_IP_203177 Created by Bob Menschel Aug 20 2004
3316 #ham SARE_RECV_IP_203177 verified (1)
3317 #counts SARE_RECV_IP_203177 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3318 #max SARE_RECV_IP_203177 42s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
3319 #counts SARE_RECV_IP_203177 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3320 #counts SARE_RECV_IP_203177 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3321 #max SARE_RECV_IP_203177 5s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3322 #counts SARE_RECV_IP_203177 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3323 #max SARE_RECV_IP_203177 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3324 #counts SARE_RECV_IP_203177 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3326 header SARE_RECV_IP_206131 Received =~ /\[206\.131\.2(?:2[4-9]|[345]\d)\.\d{1,3}\]/
3327 describe SARE_RECV_IP_206131 Spam passed through possible spammer relay
3328 score SARE_RECV_IP_206131 1.666
3329 #ham SARE_RECV_IP_206131 confirmed (1)
3330 #hist SARE_RECV_IP_206131 Created by Bob Menschel Feb 5 2005 from Spam-L info
3331 #note SARE_RECV_IP_206131 Minerva Network Systems, Inc.
3332 #counts SARE_RECV_IP_206131 2849s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
3333 #counts SARE_RECV_IP_206131 0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
3334 #counts SARE_RECV_IP_206131 34s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3335 #counts SARE_RECV_IP_206131 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3336 #counts SARE_RECV_IP_206131 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3338 header SARE_RECV_IP_206248152 Received =~ /\[206\.248\.153\.\d{1,3}\]/
3339 describe SARE_RECV_IP_206248152 Spam passed through possible spammer relay
3340 score SARE_RECV_IP_206248152 0.617
3341 #ham SARE_RECV_IP_206248152 confirmed (1)
3342 #hist SARE_RECV_IP_206248152 Created by Bob Menschel May 14 2005
3343 #note SARE_RECV_IP_206248152 3zCanada-GTA1
3344 #counts SARE_RECV_IP_206248152 1s/1h of 378679 corpus (166455s/212224h RM) 07/24/05
3345 #max SARE_RECV_IP_206248152 19s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
3346 #counts SARE_RECV_IP_206248152 2s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
3347 #counts SARE_RECV_IP_206248152 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3349 header SARE_RECV_IP_209051 Received =~ /\[209\.51\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
3350 describe SARE_RECV_IP_209051 Spam passed through possible spammer relay
3351 score SARE_RECV_IP_209051 1.111
3352 #stype SARE_RECV_IP_209051 spamp
3353 #hist SARE_RECV_IP_209051 Created by Bob Menschel Aug 07 2005
3354 #note SARE_RECV_IP_209051 S-INFOTECH, Inc.
3355 #counts SARE_RECV_IP_209051 56s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3356 #counts SARE_RECV_IP_209051 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3357 #counts SARE_RECV_IP_209051 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3359 header SARE_RECV_IP_209190 Received =~ /\[209\.190\.(?:8|9|1[0-5])\.\d{1,3}\]/
3360 describe SARE_RECV_IP_209190 Spam passed through possible spammer relay
3361 score SARE_RECV_IP_209190 1.111
3362 #stype SARE_RECV_IP_209190 spamp
3363 #hist SARE_RECV_IP_209190 Created by Bob Menschel Aug 07 2005
3364 #note SARE_RECV_IP_209190 S-INFOTECH, Inc.
3365 #counts SARE_RECV_IP_209190 26s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3366 #counts SARE_RECV_IP_209190 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3367 #counts SARE_RECV_IP_209190 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3369 header SARE_RECV_IP_216118120 Received =~ /\[216\.118\.120\.(?:6[4-9]|[78]\d|9[0-1])\]/
3370 describe SARE_RECV_IP_216118120 Spam passed through possible spammer relay
3371 score SARE_RECV_IP_216118120 2.222
3372 #hist SARE_RECV_IP_216118120 Created by Bob Menschel Aug 07 2005
3373 #counts SARE_RECV_IP_216118120 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3374 #counts SARE_RECV_IP_216118120 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3375 #counts SARE_RECV_IP_216118120 0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3377 header SARE_RECV_IP_211216 Received =~ /\[211\.2(?:1[6-9]|2[0-5]\d)\.\d{1,3}\.\d{1,3}\]/
3378 describe SARE_RECV_IP_211216 Passed through possible spammer relay or source
3379 score SARE_RECV_IP_211216 1.666
3380 #ham SARE_RECV_IP_211216 confirmed (1) - YahooGroups moderated group, posting approved by moderator
3381 #hist SARE_RECV_IP_211216 Created by Bob Menschel Aug 20 2004
3382 #note SARE_RECV_IP_211216 Korea Telecom
3383 #counts SARE_RECV_IP_211216 1308s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
3384 #counts SARE_RECV_IP_211216 27s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3385 #counts SARE_RECV_IP_211216 40s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3386 #counts SARE_RECV_IP_211216 11s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3387 #max SARE_RECV_IP_211216 14s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3388 #counts SARE_RECV_IP_211216 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3390 header SARE_RECV_IP_212068 Received =~ /\[212\.68\.2[45]\d\.\d{1,3}\]/
3391 describe SARE_RECV_IP_212068 Spam passed through possible spammer relay
3392 score SARE_RECV_IP_212068 1.111
3393 #stype SARE_RECV_IP_212068 spamp
3394 #hist SARE_RECV_IP_212068 Created by Bob Menschel Apr 09 2004
3395 #counts SARE_RECV_IP_212068 18s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3396 #counts SARE_RECV_IP_212068 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3397 #counts SARE_RECV_IP_212068 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3398 #max SARE_RECV_IP_212068 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
3399 #counts SARE_RECV_IP_212068 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3400 #max SARE_RECV_IP_212068 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3401 #counts SARE_RECV_IP_212068 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3403 header SARE_RECV_IP_216022 Received =~ /\[216\.22\.\d{1,3}\.\d{1,3}\]/
3404 describe SARE_RECV_IP_216022 Spam passed through possible spammer relay
3405 score SARE_RECV_IP_216022 1.666
3406 #hist SARE_RECV_IP_216022 Created by Bob Menschel May 14 2005
3407 #counts SARE_RECV_IP_216022 1146s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
3408 #counts SARE_RECV_IP_216022 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3409 #counts SARE_RECV_IP_216022 3s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3410 #counts SARE_RECV_IP_216022 100s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3412 header SARE_RECV_IP_218070 Received =~ /\[218\.70\.\d{1,3}\.\d{1,3}\]/
3413 describe SARE_RECV_IP_218070 Spam passed through possible spammer relay
3414 score SARE_RECV_IP_218070 1.111
3415 #stype SARE_RECV_IP_218070 spamp
3416 #counts SARE_RECV_IP_218070 4s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3417 #max SARE_RECV_IP_218070 21s/0h of 112471 corpus (92494s/19977h) 03/14/04
3418 #counts SARE_RECV_IP_218070 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3419 #max SARE_RECV_IP_218070 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
3420 #counts SARE_RECV_IP_218070 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3421 #max SARE_RECV_IP_218070 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
3422 #counts SARE_RECV_IP_218070 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3423 #counts SARE_RECV_IP_218070 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3425 header SARE_RECV_IP_218072 Received =~ /\[218\.72\.\d{1,3}\.\d{1,3}\]/
3426 describe SARE_RECV_IP_218072 Spam passed through possible spammer relay
3427 score SARE_RECV_IP_218072 0.794
3428 #hist SARE_RECV_IP_218072 Created by Bob Menschel May 23 2004
3429 #counts SARE_RECV_IP_218072 55s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
3430 #max SARE_RECV_IP_218072 69s/2h of 120459 corpus (71363s/49096h RM) 02/12/05
3431 #counts SARE_RECV_IP_218072 16s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3432 #max SARE_RECV_IP_218072 22s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
3433 #counts SARE_RECV_IP_218072 91s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3434 #max SARE_RECV_IP_218072 133s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3435 #counts SARE_RECV_IP_218072 10s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3436 #max SARE_RECV_IP_218072 13s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3437 #counts SARE_RECV_IP_218072 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3439 header SARE_RECV_IP_218078 Received =~ /\[218\.(?:7[89]|8[0123])\.\d{1,3}\.\d{1,3}\]/
3440 describe SARE_RECV_IP_218078 Passed through possible spammer relay or source
3441 score SARE_RECV_IP_218078 1.666
3442 #hist SARE_RECV_IP_218078 Created by Bob Menschel Oct 07 2004
3443 #note SARE_RECV_IP_218078 ChinaNet, Shanghai Province
3444 #counts SARE_RECV_IP_218078 367s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3445 #max SARE_RECV_IP_218078 581s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
3446 #counts SARE_RECV_IP_218078 38s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3447 #counts SARE_RECV_IP_218078 677s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
3448 #counts SARE_RECV_IP_218078 71s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3449 #max SARE_RECV_IP_218078 74s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3450 #counts SARE_RECV_IP_218078 8s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3452 header SARE_RECV_IP_218088 Received =~ /\[218\.8[89]\.\d{1,3}\.\d{1,3}\]/
3453 describe SARE_RECV_IP_218088 Passed through possible spammer relay or source
3454 score SARE_RECV_IP_218088 1.378
3455 #ham SARE_RECV_IP_218088 confirmed: 1
3456 #note SARE_RECV_IP_218088 CHINANET sichuan province network
3457 #hist SARE_RECV_IP_218088 Created by Bob Menschel Nov 04 2004
3458 #counts SARE_RECV_IP_218088 71s/1h of 619677 corpus (318875s/300802h RM) 09/11/05
3459 #max SARE_RECV_IP_218088 111s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
3460 #counts SARE_RECV_IP_218088 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3461 #max SARE_RECV_IP_218088 13s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
3462 #counts SARE_RECV_IP_218088 19s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
3463 #counts SARE_RECV_IP_218088 2s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3464 #max SARE_RECV_IP_218088 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3465 #counts SARE_RECV_IP_218088 1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3467 header SARE_RECV_IP_218216 Received =~ /\[218\.(?:21[6-9]|22\d|23[01])\.\d{1,3}\.\d{1,3}\]/
3468 describe SARE_RECV_IP_218216 Passed through possible spammer relay or source
3469 score SARE_RECV_IP_218216 0.740
3470 #ham SARE_RECV_IP_218216 confirmed (2)
3471 #hist SARE_RECV_IP_218216 Created by Bob Menschel Oct 23 2004
3472 #counts SARE_RECV_IP_218216 260s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
3473 #counts SARE_RECV_IP_218216 21s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3474 #counts SARE_RECV_IP_218216 12s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
3475 #counts SARE_RECV_IP_218216 6s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3476 #max SARE_RECV_IP_218216 11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3477 #counts SARE_RECV_IP_218216 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3479 header SARE_RECV_IP_219128 Received =~ /\[219\.1(?:2[89]|3[0-7])\.\d{1,3}\.\d{1,3}\]/
3480 describe SARE_RECV_IP_219128 Passed through possible spammer relay or source
3481 score SARE_RECV_IP_219128 1.666
3482 #hist SARE_RECV_IP_219128 Created by Bob Menschel Aug 23 2004
3483 #counts SARE_RECV_IP_219128 1752s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
3484 #counts SARE_RECV_IP_219128 100s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3485 #counts SARE_RECV_IP_219128 225s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3486 #counts SARE_RECV_IP_219128 17s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3487 #max SARE_RECV_IP_219128 37s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3488 #counts SARE_RECV_IP_219128 4s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
3490 header SARE_RECV_IP_220116 Received =~ /\[220\.(?:11[6-9]|12[0-7])\.\d{1,3}\.\d{1,3}\]/
3491 describe SARE_RECV_IP_220116 Passed through possible spammer relay or source
3492 score SARE_RECV_IP_220116 1.666
3493 #ham SARE_RECV_IP_220116 confirmed (1)
3494 #hist SARE_RECV_IP_220116 Created by Bob Menschel Jul 17 2004
3495 #note SARE_RECV_IP_220116 Korea Telecom
3496 #counts SARE_RECV_IP_220116 1177s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
3497 #counts SARE_RECV_IP_220116 108s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3498 #counts SARE_RECV_IP_220116 161s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3499 #counts SARE_RECV_IP_220116 58s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3500 #counts SARE_RECV_IP_220116 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
3502 header SARE_RECV_IP_221124 Received =~ /\[221\.12[4-7]\.\d{1,3}\.\d{1,3}\]/
3503 describe SARE_RECV_IP_221124 Spam passed through possible spammer relay
3504 score SARE_RECV_IP_221124 1.666
3505 #hist SARE_RECV_IP_221124 Created by Bob Menschel May 30 2004
3506 #counts SARE_RECV_IP_221124 633s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3507 #counts SARE_RECV_IP_221124 66s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3508 #max SARE_RECV_IP_221124 74s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
3509 #counts SARE_RECV_IP_221124 16s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
3510 #counts SARE_RECV_IP_221124 12s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3511 #max SARE_RECV_IP_221124 24s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3512 #counts SARE_RECV_IP_221124 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3514 header SARE_RECV_IP_222000 Received =~ /\[222\.(?:\d|1[0-5])\.\d{1,3}\.\d{1,3}\]/
3515 describe SARE_RECV_IP_222000 Passed through possible spammer relay or source
3516 score SARE_RECV_IP_222000 0.553
3517 #ham SARE_RECV_IP_222000 confirmed (1)
3518 #hist SARE_RECV_IP_222000 Created by Bob Menschel Aug 09 2004
3519 #counts SARE_RECV_IP_222000 171s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
3520 #counts SARE_RECV_IP_222000 20s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3521 #counts SARE_RECV_IP_222000 6s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3522 #counts SARE_RECV_IP_222000 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3523 #max SARE_RECV_IP_222000 7s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3524 #counts SARE_RECV_IP_222000 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3526 header SARE_RECV_IP_222064 Received =~ /\[222\.(?:6[4-9]|7[0-3])\.\d{1,3}\.\d{1,3}\]/
3527 describe SARE_RECV_IP_222064 Spam passed through possible spammer relay
3528 score SARE_RECV_IP_222064 1.666
3529 #ham SARE_RECV_IP_222064 verified (1)
3530 #hist SARE_RECV_IP_222064 Created by Bob Menschel Apr 18 2004
3531 #counts SARE_RECV_IP_222064 728s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3532 #max SARE_RECV_IP_222064 831s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
3533 #counts SARE_RECV_IP_222064 95s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3534 #max SARE_RECV_IP_222064 97s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
3535 #counts SARE_RECV_IP_222064 685s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
3536 #max SARE_RECV_IP_222064 849s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
3537 #counts SARE_RECV_IP_222064 27s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3538 #max SARE_RECV_IP_222064 65s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3539 #counts SARE_RECV_IP_222064 5s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
3541 #####################################################################################
3542 # SARE Reply-To Rules
3543 ######## ###################### ##################################################
3545 #####################################################################################
3546 # SARE To/Cc Destination rules
3547 ######## ###################### ##################################################
3549 header SARE_TO_EMPTY To =~ /<>/
3550 describe SARE_TO_EMPTY To address is set to empty
3551 score SARE_TO_EMPTY 0.330 0.550 0.000 0.550 # prev target: 0.660 when added to TO_NO_USER
3552 score SARE_TO_EMPTY 0.000 0.222 0.000 0.222 # curr target: 0.333 when added to TO_NO_USER
3553 #hist SARE_TO_EMPTY Originally submitted by Bob Menschel
3554 #overlap SARE_TO_EMPTY Distrib: TO_NO_USER: score TO_NO_USER 0.332 0.116 1.615 0.128
3555 #counts SARE_TO_EMPTY 5s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3556 #max SARE_TO_EMPTY 26s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
3557 #counts SARE_TO_EMPTY 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3558 #counts SARE_TO_EMPTY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
3559 #counts SARE_TO_EMPTY 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3560 #max SARE_TO_EMPTY 0s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
3561 #counts SARE_TO_EMPTY 0s/2h of 5653 corpus (1019s/4634h ft) 06/04/05
3563 #####################################################################################
3564 # SARE X-Mailer Rules
3565 ######## ###################### ##################################################
3567 header SARE_XMAIL_GDI X-Mailer=~/GDI Mailer/
3568 describe SARE_XMAIL_GDI Ratware mailer
3569 score SARE_XMAIL_GDI 0.100
3570 #hist SARE_XMAIL_GDI Bob Menschel, Feb 25 2005
3571 #counts SARE_XMAIL_GDI 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
3572 #max SARE_XMAIL_GDI 1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
3573 #counts SARE_XMAIL_GDI 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
3574 #counts SARE_XMAIL_GDI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3575 #counts SARE_XMAIL_GDI 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
3577 header SARE_XMAIL_GOMAIL X-Mailer =~ /GoMail/i
3578 describe SARE_XMAIL_GOMAIL Apparently uses spam/bulk mailer
3579 score SARE_XMAIL_GOMAIL 1.666
3580 #hist SARE_XMAIL_GOMAIL Bob Menschel, Mar 4 2005, from suggestion by Alex Broens
3581 #counts SARE_XMAIL_GOMAIL 1319s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3582 #counts SARE_XMAIL_GOMAIL 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3583 #max SARE_XMAIL_GOMAIL 1s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
3584 #counts SARE_XMAIL_GOMAIL 15s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
3585 #counts SARE_XMAIL_GOMAIL 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
3586 #counts SARE_XMAIL_GOMAIL 0s/2h of 6924 corpus (1403s/5521h ft) 07/27/05
3588 header SARE_XMAIL_PSSMAILER X-Mailer =~ /PSS Mailer/
3589 describe SARE_XMAIL_PSSMAILER Apparently uses bulk mailer
3590 score SARE_XMAIL_PSSMAILER 1.111
3591 #stype SARE_XMAIL_PSSMAILER spamp
3592 #hist SARE_XMAIL_PSSMAILER RM_hxm_PSSMailer
3593 #counts SARE_XMAIL_PSSMAILER 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3594 #max SARE_XMAIL_PSSMAILER 12s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
3595 #counts SARE_XMAIL_PSSMAILER 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
3596 #counts SARE_XMAIL_PSSMAILER 0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
3597 #counts SARE_XMAIL_PSSMAILER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3598 #counts SARE_XMAIL_PSSMAILER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3600 header SARE_XMAIL_RLSP X-Mailer =~ /RLSP/
3601 describe SARE_XMAIL_RLSP Uses Bulk Mailer used by spammers
3602 score SARE_XMAIL_RLSP 1.666
3603 #ham SARE_XMAIL_RLSP cartoon newsletter, personal emails (2)
3604 #hist SARE_XMAIL_RLSP Created by Bob Menschel Sep 27 2004
3605 #counts SARE_XMAIL_RLSP 1782s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
3606 #counts SARE_XMAIL_RLSP 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3607 #counts SARE_XMAIL_RLSP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
3608 #counts SARE_XMAIL_RLSP 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3609 #counts SARE_XMAIL_RLSP 6s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
3611 header SARE_XMAIL_TOLMAIL X-Mailer =~ /\bTOL Mailer\b/
3612 describe SARE_XMAIL_TOLMAIL X-Mailer used by spammer
3613 score SARE_XMAIL_TOLMAIL 0.769
3614 #ham SARE_XMAIL_TOLMAIL possible (1)
3615 #hist SARE_XMAIL_TOLMAIL Alex Broens, July 29 2005
3616 #counts SARE_XMAIL_TOLMAIL 41s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
3617 #max SARE_XMAIL_TOLMAIL 36s/0h of 325151 corpus (158002s/167149h RM) 07/31/05
3618 #counts SARE_XMAIL_TOLMAIL 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3620 #####################################################################################
3621 # SARE Miscellaneous and X-Header header rules
3622 ######## ###################### ##################################################
3624 header SARE_HEAD_DATE14 Date =~ /^.{1,14}$/
3625 score SARE_HEAD_DATE14 1.666
3626 #counts SARE_HEAD_DATE14 313s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3627 #counts SARE_HEAD_DATE14 43s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
3628 #counts SARE_HEAD_DATE14 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
3629 #counts SARE_HEAD_DATE14 0s/1h of 10853 corpus (6391s/4462h CT) 05/16/05
3630 #counts SARE_HEAD_DATE14 0s/1h of 5653 corpus (1019s/4634h ft) 06/04/05
3632 header SARE_HEAD_DATE_5L Date =~ /[a-z]{5}\s*$/i
3633 describe SARE_HEAD_DATE_5L Date header ends in 5+ letters
3634 score SARE_HEAD_DATE_5L 0.776
3635 #ham SARE_HEAD_DATE_5L confirmed (5
3636 #hist SARE_HEAD_DATE_5L Tim Jackson, May 12 2005
3637 #counts SARE_HEAD_DATE_5L 395s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
3638 #counts SARE_HEAD_DATE_5L 0s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
3639 #counts SARE_HEAD_DATE_5L 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3640 #counts SARE_HEAD_DATE_5L 1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3642 header SARE_HEAD_DATE_RNDDATE Date =~ /RND/i
3643 describe SARE_HEAD_DATE_RNDDATE Spam passed through iswest.net relay
3644 score SARE_HEAD_DATE_RNDDATE 1.666
3645 #stype SARE_HEAD_DATE_RNDDATE spamg
3646 #counts SARE_HEAD_DATE_RNDDATE 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
3647 #max SARE_HEAD_DATE_RNDDATE 9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
3648 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
3649 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
3650 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3651 #counts SARE_HEAD_DATE_RNDDATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3653 header SARE_HEAD_MSMPR_RNDSTR X-MSMail-Priority =~ /PRIORITY_STRING/i
3654 describe SARE_HEAD_MSMPR_RNDSTR Spam passed through iswest.net relay
3655 score SARE_HEAD_MSMPR_RNDSTR 1.666
3656 #stype SARE_HEAD_MSMPR_RNDSTR spamg
3657 #counts SARE_HEAD_MSMPR_RNDSTR 8s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3658 #counts SARE_HEAD_MSMPR_RNDSTR 7s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3659 #counts SARE_HEAD_MSMPR_RNDSTR 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
3660 #counts SARE_HEAD_MSMPR_RNDSTR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3661 #counts SARE_HEAD_MSMPR_RNDSTR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3663 header SARE_HEAD_ORG_PREFIXW Organization =~ /Prefix that with/i
3664 describe SARE_HEAD_ORG_PREFIXW Spam sign in Organization header
3665 score SARE_HEAD_ORG_PREFIXW 0.617
3666 #hist SARE_HEAD_ORG_PREFIXW Alex Broens, Feb 20 2005
3667 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
3668 #max SARE_HEAD_ORG_PREFIXW 10s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
3669 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
3670 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
3671 #counts SARE_HEAD_ORG_PREFIXW 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3672 #counts SARE_HEAD_ORG_PREFIXW 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3674 header SARE_HEAD_XLIB_INDY1 X-Library=~ /Indy 10.00.14-B/
3675 describe SARE_HEAD_XLIB_INDY1 Uses S/W version which has only been seen in spam
3676 score SARE_HEAD_XLIB_INDY1 0.844
3677 #hist SARE_HEAD_XLIB_INDY1 Originally submitted by Bob Menschel, RM.hxl_ForgedIndy
3678 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
3679 #max SARE_HEAD_XLIB_INDY1 30s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
3680 #counts SARE_HEAD_XLIB_INDY1 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3681 #max SARE_HEAD_XLIB_INDY1 9s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
3682 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
3683 #max SARE_HEAD_XLIB_INDY1 13s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
3684 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3685 #counts SARE_HEAD_XLIB_INDY1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3687 header SARE_HEAD_XLIB_INDY2 X-Library=~ /Indy 8.0.25/
3688 describe SARE_HEAD_XLIB_INDY2 Uses S/W version which has only been seen in spam
3689 score SARE_HEAD_XLIB_INDY2 0.914
3690 #ham SARE_HEAD_XLIB_INDY2 verified (1)
3691 #hist SARE_HEAD_XLIB_INDY2 Created by Bob Menschel May 31 2004
3692 #counts SARE_HEAD_XLIB_INDY2 124s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
3693 #max SARE_HEAD_XLIB_INDY2 130s/1h of 327690 corpus (159737s/167953h RM) 07/27/05
3694 #counts SARE_HEAD_XLIB_INDY2 3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3695 #counts SARE_HEAD_XLIB_INDY2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
3696 #max SARE_HEAD_XLIB_INDY2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
3697 #counts SARE_HEAD_XLIB_INDY2 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3698 #max SARE_HEAD_XLIB_INDY2 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
3699 #counts SARE_HEAD_XLIB_INDY2 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
3701 header SARE_HEAD_XUNSENT X-Unsent =~ /\b1\b/i
3702 describe SARE_HEAD_XUNSENT Found spamsign header
3703 score SARE_HEAD_XUNSENT 1.666
3704 #hist SARE_HEAD_XUNSENT Alex Broens, June 10 2005
3705 #counts SARE_HEAD_XUNSENT 15436s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
3706 #counts SARE_HEAD_XUNSENT 57s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3707 #counts SARE_HEAD_XUNSENT 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
3708 #counts SARE_HEAD_XUNSENT 98s/0h of 53950 corpus (16777s/37173h JH-3.01) 06/11/05
3709 #counts SARE_HEAD_XUNSENT 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
3711 header SARE_HEAD_XWORD ALL =~ /\n(?!(?:X-Scanned|X-Windows|X-Emacs|X-Note))X-[A-Z][a-z\d]+:\s+(?:[a-z]{2,20}\s){5,}/
3712 describe SARE_HEAD_XWORD Spam tool
3713 score SARE_HEAD_XWORD 1.111
3714 #ham SARE_HEAD_XWORD verified (1)
3715 #hist SARE_HEAD_XWORD Loren Wilton, June 2005
3716 #hist SARE_HEAD_XWORD Added X-Scanned exclusion Sep 24 2005
3717 #counts SARE_HEAD_XWORD 114s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
3718 #counts SARE_HEAD_XWORD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3720 #####################################################################################
3721 # SARE Rules which examine multiple header types
3722 ######## ###################### ##################################################
3724 header SARE_HEAD_8BIT_DATE Date =~ /[\x80-\xff]{3}/
3725 describe SARE_HEAD_8BIT_DATE High-ascii characters found in strange header
3726 score SARE_HEAD_8BIT_DATE 1.666
3727 #hist SARE_HEAD_8BIT_DATE From Bugzilla # 2243
3728 #ham SARE_HEAD_8BIT_DATE verified (1)
3729 #counts SARE_HEAD_8BIT_DATE 433s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3730 #counts SARE_HEAD_8BIT_DATE 4s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3731 #counts SARE_HEAD_8BIT_DATE 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
3732 #counts SARE_HEAD_8BIT_DATE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3733 #counts SARE_HEAD_8BIT_DATE 1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
3735 header SARE_MULT_VIA_CITIZNET ALL =~ /\@(?:\w+\.)?citiz\.net\b/i
3736 describe SARE_MULT_VIA_CITIZNET header references apparent spam source
3737 score SARE_MULT_VIA_CITIZNET 0.816
3738 #ham SARE_MULT_VIA_CITIZNET confirmed (2)
3739 #hist SARE_MULT_VIA_CITIZNET Created by Bob Menschel Aug 23 2004
3740 #counts SARE_MULT_VIA_CITIZNET 37s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
3741 #counts SARE_MULT_VIA_CITIZNET 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
3742 #max SARE_MULT_VIA_CITIZNET 8s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
3743 #counts SARE_MULT_VIA_CITIZNET 10s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
3744 #max SARE_MULT_VIA_CITIZNET 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3745 #counts SARE_MULT_VIA_CITIZNET 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
3746 #max SARE_MULT_VIA_CITIZNET 2s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3747 #counts SARE_MULT_VIA_CITIZNET 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3752 # SARE Header Abuse Ruleset for SpamAssassin -- file 2
3754 # Created: 2004-04-25
3755 # Modified: 2005-10-28
3756 # Usage instructions and documentation in 70_sare_header0.cf
3758 # Full Revision History / Change Log in 70_sare_header.log
3759 #@@# 01.03.16 Oct 28 2005
3760 #@@# Minor score updates based on additional mass-check
3761 #@@# Archived from file 2: SARE_HEAD_HDR_XAUTREPL
3762 #@@# Archived from file 2: SARE_HEAD_HDR_XESINSR
3763 #@@# Moved file 0 to file 2: SARE_RECV_IP_063111025
3764 #@@# Moved file 0 to file 2: SARE_RECV_RANDOM
3765 #@@# Moved file 1 to file 2: SARE_FREE_WEBM_USACOPS
3766 #@@# Moved file 1 to file 2: SARE_HEAD_HDR_XEMGBMS
3767 #@@# Moved file 1 to file 2: SARE_HEAD_XCANIT1
3768 #@@# Moved file 1 to file 2: SARE_HEAD_XCANIT2
3769 #@@# Moved file 1 to file 2: SARE_MSGID_SPAM_DOMN0
3770 #@@# Moved file 1 to file 2: SARE_MSGID_SUSP2
3771 #@@# Moved file 1 to file 2: SARE_RECV_IP_081019
3772 #@@# Moved file 1 to file 2: SARE_RECV_IP_211049
3773 #@@# Moved file 1 to file 2: SARE_RECV_RND_NUMBER
3774 #@@# Moved file 2 to file 0: SARE_HEAD_HDR_XE
3775 #@@# Moved file 2 to file 1: SARE_FROM_AST
3776 #@@# Moved file 2 to file 1: SARE_HEAD_HDR_XCNDINF
3777 #@@# Moved file 3 to file 2: SARE_FREE_WEBM_Iamfi
3778 #@@# Moved file 3 to file 2: SARE_MSGID_ALL_CAPHM
3779 #@@# Moved file 3 to file 2: SARE_TOCC_MAILDOMN
3780 #@@# Moved file 3 to file 2: SARE_XMAIL_BULK4
3782 ######## ###################### ##################################################
3783 # Component rules used within meta rules
3784 ######## ###################### ##################################################
3786 header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
3788 #####################################################################################
3789 # SARE Header-Exists rules
3790 ######## ###################### ##################################################
3792 header SARE_HEAD_HDR_CONVWLS exists:Conversion-With-Loss
3793 describe SARE_HEAD_HDR_CONVWLS Message headers used which identify spam
3794 score SARE_HEAD_HDR_CONVWLS 1.111
3795 #stype SARE_HEAD_HDR_CONVWLS spamp
3796 #counts SARE_HEAD_HDR_CONVWLS 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
3797 #max SARE_HEAD_HDR_CONVWLS 16s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
3798 #counts SARE_HEAD_HDR_CONVWLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3799 #counts SARE_HEAD_HDR_CONVWLS 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3800 #counts SARE_HEAD_HDR_CONVWLS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3801 #counts SARE_HEAD_HDR_CONVWLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3803 header SARE_HEAD_HDR_EPATH exists:Error-path
3804 describe SARE_HEAD_HDR_EPATH Message headers used which identify spam
3805 score SARE_HEAD_HDR_EPATH 0.555
3806 #stype SARE_HEAD_HDR_EPATH spamp
3807 #counts SARE_HEAD_HDR_EPATH 0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
3808 #max SARE_HEAD_HDR_EPATH 4s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3809 #counts SARE_HEAD_HDR_EPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3810 #counts SARE_HEAD_HDR_EPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3811 #counts SARE_HEAD_HDR_EPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3812 #counts SARE_HEAD_HDR_EPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3814 header SARE_HEAD_HDR_JLH exists:X-JLH
3815 describe SARE_HEAD_HDR_JLH Message headers used which identify spam
3816 score SARE_HEAD_HDR_JLH 1.111
3817 #stype SARE_HEAD_HDR_JLH spamp
3818 #counts SARE_HEAD_HDR_JLH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
3819 #max SARE_HEAD_HDR_JLH 71s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
3820 #counts SARE_HEAD_HDR_JLH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3821 #counts SARE_HEAD_HDR_JLH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3822 #counts SARE_HEAD_HDR_JLH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3823 #counts SARE_HEAD_HDR_JLH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3825 header SARE_HEAD_HDR_REDIRTO exists:Redirect-to
3826 describe SARE_HEAD_HDR_REDIRTO Message headers used which identify spam
3827 score SARE_HEAD_HDR_REDIRTO 0.555
3828 #stype SARE_HEAD_HDR_REDIRTO spamp
3829 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
3830 #max SARE_HEAD_HDR_REDIRTO 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
3831 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3832 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3833 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3834 #counts SARE_HEAD_HDR_REDIRTO 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3836 header SARE_HEAD_HDR_ROT exists:Rot
3837 describe SARE_HEAD_HDR_ROT Message headers used which identify spam
3838 score SARE_HEAD_HDR_ROT 0.555
3839 #stype SARE_HEAD_HDR_ROT spamp
3840 #counts SARE_HEAD_HDR_ROT 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
3841 #max SARE_HEAD_HDR_ROT 3s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
3842 #counts SARE_HEAD_HDR_ROT 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3843 #counts SARE_HEAD_HDR_ROT 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3844 #counts SARE_HEAD_HDR_ROT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3845 #counts SARE_HEAD_HDR_ROT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3847 header SARE_HEAD_HDR_RTNPATH exists:List-Return-Path
3848 describe SARE_HEAD_HDR_RTNPATH Message headers used which identify spam
3849 score SARE_HEAD_HDR_RTNPATH 1.111
3850 #stype SARE_HEAD_HDR_RTNPATH spamp
3851 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
3852 #max SARE_HEAD_HDR_RTNPATH 32s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
3853 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3854 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3855 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3856 #counts SARE_HEAD_HDR_RTNPATH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3858 header SARE_HEAD_HDR_WCMSGID exists:WcMessage-ID
3859 describe SARE_HEAD_HDR_WCMSGID Message headers used which identify spam
3860 score SARE_HEAD_HDR_WCMSGID 0.555
3861 #stype SARE_HEAD_HDR_WCMSGID spamp
3862 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
3863 #max SARE_HEAD_HDR_WCMSGID 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
3864 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3865 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3866 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3867 #counts SARE_HEAD_HDR_WCMSGID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3869 header SARE_HEAD_HDR_X400MTI exists:X400-MTS-Identifier
3870 describe SARE_HEAD_HDR_X400MTI Message headers used which identify spam
3871 score SARE_HEAD_HDR_X400MTI 0.555
3872 #stype SARE_HEAD_HDR_X400MTI spamp
3873 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
3874 #max SARE_HEAD_HDR_X400MTI 1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
3875 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3876 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3877 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3878 #counts SARE_HEAD_HDR_X400MTI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3880 header SARE_HEAD_HDR_XAR exists:X-AR
3881 describe SARE_HEAD_HDR_XAR Message headers used which identify spam
3882 score SARE_HEAD_HDR_XAR 0.555
3883 #stype SARE_HEAD_HDR_XAR spamp
3884 #counts SARE_HEAD_HDR_XAR 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
3885 #max SARE_HEAD_HDR_XAR 2s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
3886 #counts SARE_HEAD_HDR_XAR 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3887 #counts SARE_HEAD_HDR_XAR 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3888 #counts SARE_HEAD_HDR_XAR 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3889 #counts SARE_HEAD_HDR_XAR 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3891 header SARE_HEAD_HDR_XAUTGEN exists:X-Auto-Generated
3892 describe SARE_HEAD_HDR_XAUTGEN Message headers used which identify spam
3893 score SARE_HEAD_HDR_XAUTGEN 0.555
3894 #stype SARE_HEAD_HDR_XAUTGEN spamp
3895 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
3896 #max SARE_HEAD_HDR_XAUTGEN 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
3897 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3898 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3899 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3900 #counts SARE_HEAD_HDR_XAUTGEN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3902 header SARE_HEAD_HDR_XCROSS exists:X-cross
3903 describe SARE_HEAD_HDR_XCROSS Message headers used which identify spam
3904 score SARE_HEAD_HDR_XCROSS 0.100
3905 #stype SARE_HEAD_HDR_XCROSS spamp
3906 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3907 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3908 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3909 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3910 #counts SARE_HEAD_HDR_XCROSS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3912 header SARE_HEAD_HDR_XEMGBMS exists:X-EMailGateBouncedMessage
3913 describe SARE_HEAD_HDR_XEMGBMS Message headers used which identify spam
3914 score SARE_HEAD_HDR_XEMGBMS 0.555
3915 #stype SARE_HEAD_HDR_XEMGBMS spamp
3916 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
3917 #max SARE_HEAD_HDR_XEMGBMS 6s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
3918 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3919 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3920 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3921 #counts SARE_HEAD_HDR_XEMGBMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3923 header SARE_HEAD_HDR_XLC exists:X-L-C
3924 describe SARE_HEAD_HDR_XLC Message headers used which identify spam
3925 score SARE_HEAD_HDR_XLC 0.100
3926 #stype SARE_HEAD_HDR_XLC spamp
3927 #counts SARE_HEAD_HDR_XLC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3928 #counts SARE_HEAD_HDR_XLC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3929 #counts SARE_HEAD_HDR_XLC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3930 #counts SARE_HEAD_HDR_XLC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3931 #counts SARE_HEAD_HDR_XLC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3933 header SARE_HEAD_HDR_XLIDCOD exists:X-LIDCode
3934 describe SARE_HEAD_HDR_XLIDCOD Message headers used which identify spam
3935 score SARE_HEAD_HDR_XLIDCOD 0.100
3936 #stype SARE_HEAD_HDR_XLIDCOD spamp
3937 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3938 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3939 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3940 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3941 #counts SARE_HEAD_HDR_XLIDCOD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3943 header SARE_HEAD_HDR_XMISCID exists:X-Misc_ID
3944 describe SARE_HEAD_HDR_XMISCID Message headers used which identify spam
3945 score SARE_HEAD_HDR_XMISCID 0.100
3946 #stype SARE_HEAD_HDR_XMISCID spamp
3947 #hist SARE_HEAD_HDR_XMISCID FH_XMISCID
3948 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3949 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3950 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3951 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3952 #counts SARE_HEAD_HDR_XMISCID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3954 header SARE_HEAD_HDR_XMLCIPH exists:X-mlcipher
3955 describe SARE_HEAD_HDR_XMLCIPH Message headers used which identify spam
3956 score SARE_HEAD_HDR_XMLCIPH 0.100
3957 #stype SARE_HEAD_HDR_XMLCIPH spamp
3958 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3959 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3960 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3961 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3962 #counts SARE_HEAD_HDR_XMLCIPH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3964 header SARE_HEAD_HDR_XMLMSGI exists:X-mlmsgid
3965 describe SARE_HEAD_HDR_XMLMSGI Message headers used which identify spam
3966 score SARE_HEAD_HDR_XMLMSGI 0.100
3967 #stype SARE_HEAD_HDR_XMLMSGI spamp
3968 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3969 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3970 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3971 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3972 #counts SARE_HEAD_HDR_XMLMSGI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3974 header SARE_HEAD_HDR_XMAGDID exists:X-magdalene-ID
3975 describe SARE_HEAD_HDR_XMAGDID Message headers used which identify spam
3976 score SARE_HEAD_HDR_XMAGDID 0.555
3977 #stype SARE_HEAD_HDR_XMAGDID spamp
3978 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
3979 #max SARE_HEAD_HDR_XMAGDID 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
3980 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3981 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3982 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3983 #counts SARE_HEAD_HDR_XMAGDID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3985 header SARE_HEAD_HDR_XMPM exists:X-mpm
3986 describe SARE_HEAD_HDR_XMPM Message headers used which identify spam
3987 score SARE_HEAD_HDR_XMPM 0.100
3988 #stype SARE_HEAD_HDR_XMPM spamp
3989 #counts SARE_HEAD_HDR_XMPM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
3990 #counts SARE_HEAD_HDR_XMPM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
3991 #counts SARE_HEAD_HDR_XMPM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
3992 #counts SARE_HEAD_HDR_XMPM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
3993 #counts SARE_HEAD_HDR_XMPM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
3995 header SARE_HEAD_HDR_XMS exists:X-ms
3996 describe SARE_HEAD_HDR_XMS Message headers used which identify spam
3997 score SARE_HEAD_HDR_XMS 0.100
3998 #stype SARE_HEAD_HDR_XMS spamp
3999 #counts SARE_HEAD_HDR_XMS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4000 #counts SARE_HEAD_HDR_XMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4001 #counts SARE_HEAD_HDR_XMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4002 #counts SARE_HEAD_HDR_XMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4003 #counts SARE_HEAD_HDR_XMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4005 header SARE_HEAD_HDR_XNOSPAM exists:X-No-Spam
4006 describe SARE_HEAD_HDR_XNOSPAM Message headers used which identify spam
4007 score SARE_HEAD_HDR_XNOSPAM 1.111
4008 #stype SARE_HEAD_HDR_XNOSPAM spamp
4009 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
4010 #max SARE_HEAD_HDR_XNOSPAM 12s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
4011 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4012 #max SARE_HEAD_HDR_XNOSPAM 4s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4013 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4014 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4015 #counts SARE_HEAD_HDR_XNOSPAM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4017 header SARE_HEAD_HDR_XNTC exists:X-ntc
4018 describe SARE_HEAD_HDR_XNTC Message headers used which identify spam
4019 score SARE_HEAD_HDR_XNTC 0.100
4020 #stype SARE_HEAD_HDR_XNTC spamp
4021 #counts SARE_HEAD_HDR_XNTC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4022 #counts SARE_HEAD_HDR_XNTC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4023 #counts SARE_HEAD_HDR_XNTC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4024 #counts SARE_HEAD_HDR_XNTC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4025 #counts SARE_HEAD_HDR_XNTC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4027 header SARE_HEAD_HDR_XPOPB4S exists:X-Pop-Before-SMTP-Sender
4028 describe SARE_HEAD_HDR_XPOPB4S Message headers used which identify spam
4029 score SARE_HEAD_HDR_XPOPB4S 0.555
4030 #stype SARE_HEAD_HDR_XPOPB4S spamp
4031 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4032 #max SARE_HEAD_HDR_XPOPB4S 1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
4033 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4034 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4035 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4036 #counts SARE_HEAD_HDR_XPOPB4S 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4038 header SARE_HEAD_HDR_XPOPFLK exists:X-POPFile-Link
4039 describe SARE_HEAD_HDR_XPOPFLK Message headers used which identify spam
4040 score SARE_HEAD_HDR_XPOPFLK 0.555
4041 #stype SARE_HEAD_HDR_XPOPFLK spamp
4042 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
4043 #max SARE_HEAD_HDR_XPOPFLK 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4044 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4045 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4046 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4047 #counts SARE_HEAD_HDR_XPOPFLK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4049 header SARE_HEAD_HDR_XPRIOMS exists:X-Prioserve-MailScanner
4050 describe SARE_HEAD_HDR_XPRIOMS Message headers used which identify spam
4051 score SARE_HEAD_HDR_XPRIOMS 0.555
4052 #stype SARE_HEAD_HDR_XPRIOMS spamp
4053 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4054 #max SARE_HEAD_HDR_XPRIOMS 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4055 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4056 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4057 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4058 #counts SARE_HEAD_HDR_XPRIOMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4060 header SARE_HEAD_HDR_XPRIOMF exists:X-Prioserve-MailScanner-From
4061 describe SARE_HEAD_HDR_XPRIOMF Message headers used which identify spam
4062 score SARE_HEAD_HDR_XPRIOMF 0.555
4063 #stype SARE_HEAD_HDR_XPRIOMF spamp
4064 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4065 #max SARE_HEAD_HDR_XPRIOMF 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4066 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4067 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4068 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4069 #counts SARE_HEAD_HDR_XPRIOMF 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4071 header SARE_HEAD_HDR_XPRIOMI exists:X-Prioserve-MailScanner-Information
4072 describe SARE_HEAD_HDR_XPRIOMI Message headers used which identify spam
4073 score SARE_HEAD_HDR_XPRIOMI 0.555
4074 #stype SARE_HEAD_HDR_XPRIOMI spamp
4075 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4076 #max SARE_HEAD_HDR_XPRIOMI 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4077 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4078 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4079 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4080 #counts SARE_HEAD_HDR_XPRIOMI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4082 header SARE_HEAD_HDR_XPIROMC exists:X-Prioserve-MailScanner-SpamCheck
4083 describe SARE_HEAD_HDR_XPIROMC Message headers used which identify spam
4084 score SARE_HEAD_HDR_XPIROMC 0.555
4085 #stype SARE_HEAD_HDR_XPIROMC spamp
4086 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4087 #max SARE_HEAD_HDR_XPIROMC 1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4088 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4089 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4090 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4091 #counts SARE_HEAD_HDR_XPIROMC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4093 header SARE_HEAD_HDR_XRBLTST exists:X-RBL-TST
4094 describe SARE_HEAD_HDR_XRBLTST Message headers used which identify spam
4095 score SARE_HEAD_HDR_XRBLTST 0.555
4096 #stype SARE_HEAD_HDR_XRBLTST spamp
4097 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
4098 #max SARE_HEAD_HDR_XRBLTST 2s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
4099 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4100 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4101 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4102 #counts SARE_HEAD_HDR_XRBLTST 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4104 header SARE_HEAD_HDR_XREC exists:X-Rec
4105 describe SARE_HEAD_HDR_XREC Message headers used which identify spam
4106 score SARE_HEAD_HDR_XREC 2.222
4107 #stype SARE_HEAD_HDR_XREC spamp
4108 #counts SARE_HEAD_HDR_XREC 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4109 #counts SARE_HEAD_HDR_XREC 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4110 #counts SARE_HEAD_HDR_XREC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4111 #counts SARE_HEAD_HDR_XREC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4112 #counts SARE_HEAD_HDR_XREC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4114 header SARE_HEAD_HDR_XSPAMSC exists:X-Spam-Score
4115 describe SARE_HEAD_HDR_XSPAMSC Message headers used which identify spam
4116 score SARE_HEAD_HDR_XSPAMSC 0.555
4117 #stype SARE_HEAD_HDR_XSPAMSC spamp
4118 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
4119 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4120 #max SARE_HEAD_HDR_XSPAMSC 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4121 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4122 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4123 #counts SARE_HEAD_HDR_XSPAMSC 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4125 header SARE_HEAD_HDR_XSRK exists:X-srk
4126 describe SARE_HEAD_HDR_XSRK Message headers used which identify spam
4127 score SARE_HEAD_HDR_XSRK 0.100
4128 #stype SARE_HEAD_HDR_XSRK spamp
4129 #counts SARE_HEAD_HDR_XSRK 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4130 #counts SARE_HEAD_HDR_XSRK 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4131 #counts SARE_HEAD_HDR_XSRK 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4132 #counts SARE_HEAD_HDR_XSRK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4133 #counts SARE_HEAD_HDR_XSRK 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4135 header SARE_HEAD_HDR_XSUBID exists:X-SubID
4136 describe SARE_HEAD_HDR_XSUBID Message headers used which identify spam
4137 score SARE_HEAD_HDR_XSUBID 0.555
4138 #stype SARE_HEAD_HDR_XSUBID spamp
4139 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
4140 #max SARE_HEAD_HDR_XSUBID 3s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
4141 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4142 #counts SARE_HEAD_HDR_XSUBID 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4143 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4144 #counts SARE_HEAD_HDR_XSUBID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4146 header SARE_HEAD_HDR_XTRANS exists:X-Trans
4147 describe SARE_HEAD_HDR_XTRANS Message headers used which identify spam
4148 score SARE_HEAD_HDR_XTRANS 0.100
4149 #stype SARE_HEAD_HDR_XTRANS spamp
4150 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4151 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4152 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4153 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4154 #counts SARE_HEAD_HDR_XTRANS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4156 header SARE_HEAD_HDR_XTXTCLS exists:X-Text-Classification
4157 describe SARE_HEAD_HDR_XTXTCLS Message headers used which identify spam
4158 score SARE_HEAD_HDR_XTXTCLS 0.555
4159 #stype SARE_HEAD_HDR_XTXTCLS spamp
4160 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
4161 #max SARE_HEAD_HDR_XTXTCLS 3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4162 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4163 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4164 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4165 #counts SARE_HEAD_HDR_XTXTCLS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4167 header SARE_HEAD_HDR_XVIG exists:X-Vig
4168 describe SARE_HEAD_HDR_XVIG Message headers used which identify spam
4169 score SARE_HEAD_HDR_XVIG 0.100
4170 #stype SARE_HEAD_HDR_XVIG spamp
4171 #counts SARE_HEAD_HDR_XVIG 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4172 #counts SARE_HEAD_HDR_XVIG 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4173 #counts SARE_HEAD_HDR_XVIG 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4174 #counts SARE_HEAD_HDR_XVIG 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4175 #counts SARE_HEAD_HDR_XVIG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4177 header SARE_HEAD_HDR_XYD exists:X-yd
4178 describe SARE_HEAD_HDR_XYD Message headers used which identify spam
4179 score SARE_HEAD_HDR_XYD 0.100
4180 #stype SARE_HEAD_HDR_XYD spamp
4181 #counts SARE_HEAD_HDR_XYD 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4182 #counts SARE_HEAD_HDR_XYD 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4183 #counts SARE_HEAD_HDR_XYD 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4184 #counts SARE_HEAD_HDR_XYD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4185 #counts SARE_HEAD_HDR_XYD 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4187 header SARE_HEAD_HDR_XI exists:X-I
4188 describe SARE_HEAD_HDR_XI Message headers used which identify spam
4189 score SARE_HEAD_HDR_XI 0.100
4190 #stype SARE_HEAD_HDR_XI spamp
4191 #counts SARE_HEAD_HDR_XI 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4192 #counts SARE_HEAD_HDR_XI 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4193 #counts SARE_HEAD_HDR_XI 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4194 #counts SARE_HEAD_HDR_XI 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4195 #counts SARE_HEAD_HDR_XI 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4197 header SARE_HEAD_HDR_XIM exists:X-IM
4198 describe SARE_HEAD_HDR_XIM Message headers used which identify spam
4199 score SARE_HEAD_HDR_XIM 0.100
4200 #stype SARE_HEAD_HDR_XIM spamp
4201 #counts SARE_HEAD_HDR_XIM 0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
4202 #counts SARE_HEAD_HDR_XIM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4203 #counts SARE_HEAD_HDR_XIM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4204 #counts SARE_HEAD_HDR_XIM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4205 #counts SARE_HEAD_HDR_XIM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4207 #####################################################################################
4208 # SARE Content-Type and Boundary rules
4209 ######## ###################### ##################################################
4211 full SARE_CONTENT_BITBITNUM /\nContent-Encoding: BitBitNUM\n/
4212 describe SARE_CONTENT_BITBITNUM Unlikely content encoding
4213 score SARE_CONTENT_BITBITNUM 1.406
4214 #hist SARE_CONTENT_BITBITNUM Loren Wilton, Feb 1 2005
4215 #counts SARE_CONTENT_BITBITNUM 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
4216 #max SARE_CONTENT_BITBITNUM 153s/0h of 95210 corpus (59682s/35528h RM) 02/01/05
4217 #counts SARE_CONTENT_BITBITNUM 64s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
4218 #counts SARE_CONTENT_BITBITNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4219 #counts SARE_CONTENT_BITBITNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4221 #####################################################################################
4223 ######## ###################### ##################################################
4225 header SARE_FROM_AMERICA From =~ /[^\-]\bamerica\.com\b/i
4226 describe SARE_FROM_AMERICA From user address is used by spammer
4227 score SARE_FROM_AMERICA 1.111
4228 #stype SARE_FROM_AMERICA spamp
4229 #hist SARE_FROM_AMERICA Created by Bob Menschel Sep 24 2004
4230 #counts SARE_FROM_AMERICA 0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
4231 #max SARE_FROM_AMERICA 5s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4232 #counts SARE_FROM_AMERICA 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
4233 #counts SARE_FROM_AMERICA 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
4234 #max SARE_FROM_AMERICA 4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
4235 #counts SARE_FROM_AMERICA 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4236 #counts SARE_FROM_AMERICA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4238 header SARE_FROM_SPAM_DOMN2 From =~ /\@wses\.(?:com|org)/i
4239 describe SARE_FROM_SPAM_DOMN2 From address suggests this is spam
4240 score SARE_FROM_SPAM_DOMN2 0.100
4241 #stype SARE_FROM_SPAM_DOMN2 spamp
4242 #hist SARE_FROM_SPAM_DOMN2 RM_fa_wses
4243 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
4244 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4245 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4246 #counts SARE_FROM_SPAM_DOMN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4248 header SARE_FROM_VIRUS1 ALL=~ /From:\ssupport\@microsoft.com/
4249 describe SARE_FROM_VIRUS1 From address suggests this is a virus
4250 score SARE_FROM_VIRUS1 3.333
4251 #stype SARE_FROM_VIRUS1 vbgg
4252 #counts SARE_FROM_VIRUS1 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
4253 #max SARE_FROM_VIRUS1 21s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
4254 #counts SARE_FROM_VIRUS1 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4255 #counts SARE_FROM_VIRUS1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4256 #counts SARE_FROM_VIRUS1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4258 #####################################################################################
4259 # SARE From Rules -- Emails coming from free webmail accounts
4260 # Since spam from these can vary depending upon country of origin,
4261 # country of destination, policies, and enforcement of policies,
4262 # most of these are kept as separate rules rather than combined.
4263 ######## ###################### ##################################################
4265 header SARE_FREE_WEBM_Iamfi From =~ /\biamfinallyonline\.com/i
4266 describe SARE_FREE_WEBM_Iamfi Sender used free email account - may be spammer
4267 score SARE_FREE_WEBM_Iamfi 0.555
4268 #stype SARE_FREE_WEBM_Iamfi spamp
4269 #hist SARE_FREE_WEBM_Iamfi Created by Bob Menschel Apr 09 2004
4270 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
4271 #max SARE_FREE_WEBM_Iamfi 3s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
4272 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4273 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
4274 #max SARE_FREE_WEBM_Iamfi 1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
4275 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4276 #counts SARE_FREE_WEBM_Iamfi 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4278 header SARE_FREE_WEBM_USACOPS From =~ /\@usacops\.com/i
4279 describe SARE_FREE_WEBM_USACOPS Maybe spammer with free email
4280 score SARE_FREE_WEBM_USACOPS 0.555
4281 #stype SARE_FREE_WEBM_USACOPS spamp
4282 #hist SARE_FREE_WEBM_USACOPS Created by Bob Menschel Feb 24 2005
4283 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
4284 #max SARE_FREE_WEBM_USACOPS 2s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
4285 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
4286 #counts SARE_FREE_WEBM_USACOPS 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
4287 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4288 #counts SARE_FREE_WEBM_USACOPS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4290 #####################################################################################
4291 # SARE Message-ID rules
4292 ######## ###################### ##################################################
4294 header SARE_MSGID_06D6 MESSAGEID =~ /<0{6}\d{6}\$\d/
4295 describe SARE_MSGID_06D6 Message-ID has ratware pattern (000009999$9)
4296 score SARE_MSGID_06D6 1.061
4297 #counts SARE_MSGID_06D6 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
4298 #max SARE_MSGID_06D6 91s/0h of 115439 corpus (94250s/21189h RM) 04/30/04
4299 #counts SARE_MSGID_06D6 0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
4300 #counts SARE_MSGID_06D6 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4301 #counts SARE_MSGID_06D6 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4302 #counts SARE_MSGID_06D6 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4304 header MSGID_SPAM_CAPS Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
4305 #hist MSGID_SPAM_CAPS Distrib: SA 2.64, 3.0.0
4306 header __SARE_MSGID_ALL_CAPHM MESSAGEID =~ /<[A-Z]+\@hotmail.com>/ # no /i
4307 meta SARE_MSGID_ALL_CAPHM __SARE_MSGID_ALL_CAPHM && !MSGID_SPAM_CAPS
4308 describe SARE_MSGID_ALL_CAPHM Ratware all-caps message-id
4309 score SARE_MSGID_ALL_CAPHM 1.666
4310 #stype SARE_MSGID_ALL_CAPHM spamg
4311 #hist SARE_MSGID_ALL_CAPHM Created by Bob Menschel May 15 2004
4312 #note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPHM fall into SARE_MSGID_ALL_CAPS
4313 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 70566 corpus (43013s/27553h RM) 10/02/04
4314 #max SARE_MSGID_ALL_CAPHM 1s/0h of 69619 corpus (42582s/27037h RM) 09/26/04
4315 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4316 #max SARE_MSGID_ALL_CAPHM 1s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
4317 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4318 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4319 #counts SARE_MSGID_ALL_CAPHM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4321 header MSGID_SPAM_CAPS Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
4322 #hist MSGID_SPAM_CAPS Distrib: SA 2.64, 3.0.0
4323 header __SARE_MSGID_ALL_CAPMS MESSAGEID =~ /<[A-Z]+\@msn.com>/ # no /i
4324 meta SARE_MSGID_ALL_CAPMS __SARE_MSGID_ALL_CAPMS && !MSGID_SPAM_CAPS
4325 describe SARE_MSGID_ALL_CAPMS Ratware all-caps message-id
4326 score SARE_MSGID_ALL_CAPMS 1.666
4327 #hist SARE_MSGID_ALL_CAPMS Created by Bob Menschel May 15 2004
4328 #note SARE_MSGID_ALL_CAPHM Most emails that match __SARE_MSGID_ALL_CAPMS fall into SARE_MSGID_ALL_CAPS
4329 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 58336 corpus (33608s/24728h RM) 08/07/04
4330 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4331 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4332 #counts SARE_MSGID_ALL_CAPMS 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4334 header SARE_MSGID_H7H4H4 MESSAGEID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
4335 describe SARE_MSGID_H7H4H4 Message-ID has ratware pattern (7hex$4hex$4hex@)
4336 score SARE_MSGID_H7H4H4 0.222
4337 #counts SARE_MSGID_H7H4H4 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4338 #max SARE_MSGID_H7H4H4 2s/0h of 115439 corpus (94250s/21189h) 04/30/04
4339 #counts SARE_MSGID_H7H4H4 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4340 #max SARE_MSGID_H7H4H4 2s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
4341 #counts SARE_MSGID_H7H4H4 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4342 #counts SARE_MSGID_H7H4H4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4343 #counts SARE_MSGID_H7H4H4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4345 header SARE_MSGID_SPAM_DOMN0 MESSAGEID =~ /\bjeanvaljean\.com/i
4346 describe SARE_MSGID_SPAM_DOMN0 Message ID implies possible spammer relay
4347 score SARE_MSGID_SPAM_DOMN0 1.666
4348 #stype SARE_MSGID_SPAM_DOMN0 spamg
4349 #hist SARE_MSGID_SPAM_DOMN0 Created by Bob Menschel Mar 22 2004
4350 #hist SARE_MSGID_SPAM_DOMN0 Removed moosq.com, since now in specific.cf
4351 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
4352 #max SARE_MSGID_SPAM_DOMN0 1s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
4353 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4354 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4355 #counts SARE_MSGID_SPAM_DOMN0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4357 header MSGID_SPAM_ALPHA_NUM MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
4358 header __SARE_RECV_LOCALHOST Received =~ /LOCALHOST/
4359 header __SARE_MSGID_SUSP2 MESSAGEID =~ /\<[A-Z]{5,15}\-\d{10,25}\@[a-z]+\>/
4360 meta SARE_MSGID_SUSP2 __SARE_MSGID_SUSP2 && !__SARE_RECV_LOCALHOST && !MSGID_SPAM_ALPHA_NUM
4361 describe SARE_MSGID_SUSP2 Message-Id is <LETTERS-digits@letters>
4362 score SARE_MSGID_SUSP2 3.000
4363 #hist SARE_MSGID_SUSP2 Loren Wilton, LW_BOGUS_MSGID6
4364 #hist SARE_MSGID_SUSP2 Broadened Aug 2004 by Jesse Houwing, with ham-evading exclude
4365 #V300 SARE_MSGID_SUSP2 strong overlap with MSGID_SPAM_ALPHA_NUM
4366 #counts SARE_MSGID_SUSP2 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
4367 #alone SARE_MSGID_SUSP2 174s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
4368 #max SARE_MSGID_SUSP2 9187s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
4369 #counts SARE_MSGID_SUSP2 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
4370 #max SARE_MSGID_SUSP2 6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4371 #counts SARE_MSGID_SUSP2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4372 #max SARE_MSGID_SUSP2 187s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4373 #counts SARE_MSGID_SUSP2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4374 #counts SARE_MSGID_SUSP2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4376 #####################################################################################
4377 # SARE Received Header Rules
4378 ######## ###################### ##################################################
4380 header SARE_HELO_AOLID Received =~ /helo=aol\.com ident=/
4381 describe SARE_HELO_AOLID Spam passed through apparent spammer relay
4382 score SARE_HELO_AOLID 0.611
4383 #counts SARE_HELO_AOLID 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4384 #max SARE_HELO_AOLID 10s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
4385 #counts SARE_HELO_AOLID 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4386 #counts SARE_HELO_AOLID 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4387 #counts SARE_HELO_AOLID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4388 #counts SARE_HELO_AOLID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4390 header SARE_RECV_ADDR2 Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/
4391 describe SARE_RECV_ADDR2 Received header missing a FQDN, IP only.
4392 score SARE_RECV_ADDR2 0.100
4393 #counts SARE_RECV_ADDR2 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
4394 #counts SARE_RECV_ADDR2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4395 #counts SARE_RECV_ADDR2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4396 #counts SARE_RECV_ADDR2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4398 header SARE_RECV_ADDR3 Received =~ /^from \(.?\[.?\].?\)\b/
4399 describe SARE_RECV_ADDR3 Received header contains an empty Recieved IP.
4400 score SARE_RECV_ADDR3 0.100
4401 #counts SARE_RECV_ADDR3 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
4402 #counts SARE_RECV_ADDR3 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4403 #counts SARE_RECV_ADDR3 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4404 #counts SARE_RECV_ADDR3 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4406 header SARE_RECV_ADDR4 Received =~ /^from unknown \(\w+ \w+\)\b/
4407 describe SARE_RECV_ADDR4 Received contains unknown FQDN with possible HELO.
4408 score SARE_RECV_ADDR4 0.100
4409 #counts SARE_RECV_ADDR4 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
4410 #counts SARE_RECV_ADDR4 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4411 #counts SARE_RECV_ADDR4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4412 #counts SARE_RECV_ADDR4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4414 header SARE_RECV_ADDR5 Received =~ /^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by /
4415 describe SARE_RECV_ADDR5 RCVD header has no FQDN and a HELO.
4416 score SARE_RECV_ADDR5 0.100
4417 #counts SARE_RECV_ADDR5 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
4418 #counts SARE_RECV_ADDR5 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4419 #counts SARE_RECV_ADDR5 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4420 #counts SARE_RECV_ADDR5 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4422 header __SARE_RECV_CHAR_DASHS Received =~ /---/
4423 header __SARE_RECV_CHAR_DOTS Received =~ /\.\./
4424 meta SARE_RECV_CHAR_DSHDT __SARE_RECV_CHAR_DASHS && __SARE_RECV_CHAR_DOTS
4425 describe SARE_RECV_CHAR_DSHDT Strange dashes and dots in received line
4426 score SARE_RECV_CHAR_DSHDT 0.500
4427 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4428 #max SARE_RECV_CHAR_DSHDT 7s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
4429 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4430 #max SARE_RECV_CHAR_DSHDT 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
4431 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4432 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4433 #counts SARE_RECV_CHAR_DSHDT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4435 header SARE_RECV_ESMTP Received =~ /^from \(?:unknown|\d+\.\d+\.\d+\.\d+\) \(\s+\) by \s+ with esmtp; /
4436 describe SARE_RECV_ESMTP Received header has forged lowercase 'esmtp' relay
4437 score SARE_RECV_ESMTP 0.100
4438 #counts SARE_RECV_ESMTP 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
4439 #counts SARE_RECV_ESMTP 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4440 #counts SARE_RECV_ESMTP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4441 #counts SARE_RECV_ESMTP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4443 header SARE_RECV_RANDOM Received =~ /helo[ =].{1,30}<rnddg/i
4444 describe SARE_RECV_RANDOM Spam contains random string in received header
4445 score SARE_RECV_RANDOM 4.000
4446 #stype SARE_RECV_RANDOM spamggg
4447 #hist SARE_RECV_RANDOM Created by Bob Menschel Nov 02 2004
4448 #counts SARE_RECV_RANDOM 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
4449 #max SARE_RECV_RANDOM 80s/0h of 196708 corpus (96197s/100511h RM) 02/21/05
4450 #counts SARE_RECV_RANDOM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4451 #counts SARE_RECV_RANDOM 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4452 #counts SARE_RECV_RANDOM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4453 #counts SARE_RECV_RANDOM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4455 header SARE_RECV_RND_NUMBER Received =~ /RND_NUMBER/i
4456 describe SARE_RECV_RND_NUMBER Spam passed through iswest.net relay
4457 score SARE_RECV_RND_NUMBER 1.666
4458 #stype SARE_RECV_RND_NUMBER spamg
4459 #counts SARE_RECV_RND_NUMBER 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4460 #max SARE_RECV_RND_NUMBER 2s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
4461 #counts SARE_RECV_RND_NUMBER 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
4462 #counts SARE_RECV_RND_NUMBER 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
4463 #counts SARE_RECV_RND_NUMBER 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4464 #counts SARE_RECV_RND_NUMBER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4466 header SARE_RECV_WITH_X2 Received =~ / with with /
4467 describe SARE_RECV_WITH_X2 Spam identified by typo in received header
4468 score SARE_RECV_WITH_X2 1.666
4469 #stype SARE_RECV_WITH_X2 spamp
4470 #counts SARE_RECV_WITH_X2 0s/0h of 56796 corpus (32203s/24593h RM) 07/25/04
4471 #max SARE_RECV_WITH_X2 341s/0h of 100795 corpus (82099s/18696h) 02/16/04
4472 #counts SARE_RECV_WITH_X2 0s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4473 #counts SARE_RECV_WITH_X2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4474 #max SARE_RECV_WITH_X2 4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4475 #counts SARE_RECV_WITH_X2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4476 #counts SARE_RECV_WITH_X2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4478 #####################################################################################
4479 # SARE Received Header IP Address Rules
4480 ######## ###################### ##################################################
4482 header SARE_RECV_IP_063111025 received =~ /\[63\.111\.25\.\d{1,3}\]/
4483 describe SARE_RECV_IP_063111025 Spam passed through possible spammer relay
4484 score SARE_RECV_IP_063111025 1.666
4485 #stype SARE_RECV_IP_063111025 spamp
4486 #hist SARE_RECV_IP_063111025 Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
4487 #counts SARE_RECV_IP_063111025 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
4488 #max SARE_RECV_IP_063111025 65s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
4489 #counts SARE_RECV_IP_063111025 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4490 #counts SARE_RECV_IP_063111025 130s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
4491 #counts SARE_RECV_IP_063111025 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4492 #counts SARE_RECV_IP_063111025 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4494 header SARE_RECV_IP_064095 Received =~ /\[64\.95\.199\.\d{1,3}\]/
4495 describe SARE_RECV_IP_064095 Spam passed through probable spammer relay
4496 score SARE_RECV_IP_064095 1.666
4497 #stype SARE_RECV_IP_064095 spamg
4498 #hist SARE_RECV_IP_064095 Created by Bob Menschel Apr 17 2004
4499 #counts SARE_RECV_IP_064095 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4500 #max SARE_RECV_IP_064095 3s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4501 #counts SARE_RECV_IP_064095 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4502 #max SARE_RECV_IP_064095 22s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4503 #counts SARE_RECV_IP_064095 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4504 #max SARE_RECV_IP_064095 2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4505 #counts SARE_RECV_IP_064095 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4506 #counts SARE_RECV_IP_064095 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4508 header SARE_RECV_IP_064192191 Received =~ /\[64\.192\.191\.\d{1,3}\]/
4509 describe SARE_RECV_IP_064192191 Passed through possible spammer relay or source
4510 score SARE_RECV_IP_064192191 1.111
4511 #stype SARE_RECV_IP_064192191 spamp
4512 #hist SARE_RECV_IP_064192191 Created by Bob Menschel Jan 14 2005, info thanks to Paul Howarth, Dec 14 2004
4513 #note SARE_RECV_IP_064192191 WCG.NET, On The Net, Inc., onthenethosting.us
4514 #counts SARE_RECV_IP_064192191 0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
4515 #max SARE_RECV_IP_064192191 31s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4516 #counts SARE_RECV_IP_064192191 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4517 #counts SARE_RECV_IP_064192191 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4518 #counts SARE_RECV_IP_064192191 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4519 #counts SARE_RECV_IP_064192191 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4521 header SARE_RECV_IP_081019 Received =~ /\[81\.19\.24[0-3]\.\d{1,3}\]/
4522 describe SARE_RECV_IP_081019 Passed through possible spammer relay or source
4523 score SARE_RECV_IP_081019 0.678
4524 #hist SARE_RECV_IP_081019 Created by Bob Menschel Jul 27 2004
4525 #counts SARE_RECV_IP_081019 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4526 #max SARE_RECV_IP_081019 15s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
4527 #counts SARE_RECV_IP_081019 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4528 #counts SARE_RECV_IP_081019 0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
4529 #max SARE_RECV_IP_081019 4s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4530 #counts SARE_RECV_IP_081019 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4531 #counts SARE_RECV_IP_081019 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4533 header SARE_RECV_IP_081095 Received =~ /\[81\.95\.(?:3[2-9]|4[0-7])\.\d{1,3}\]/
4534 describe SARE_RECV_IP_081095 Spam passed through possible spammer relay
4535 score SARE_RECV_IP_081095 0.555
4536 #stype SARE_RECV_IP_081095 spamp
4537 #hist SARE_RECV_IP_081095 Created by Bob Menschel June 12 2004
4538 #counts SARE_RECV_IP_081095 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4539 #max SARE_RECV_IP_081095 3s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
4540 #counts SARE_RECV_IP_081095 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4541 #max SARE_RECV_IP_081095 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4542 #counts SARE_RECV_IP_081095 0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
4543 #counts SARE_RECV_IP_081095 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4544 #counts SARE_RECV_IP_081095 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4546 header SARE_RECV_IP_142046 Received =~ /\[142\.46\.148\.\d{1,3}\]/
4547 describe SARE_RECV_IP_142046 Passed through possible spammer relay or source
4548 score SARE_RECV_IP_142046 0.555
4549 #stype SARE_RECV_IP_142046 spamp
4550 #hist SARE_RECV_IP_142046 Created by Bob Menschel Feb 10 2005 from Spam-L info
4551 #counts SARE_RECV_IP_142046 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4552 #max SARE_RECV_IP_142046 8s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
4553 #counts SARE_RECV_IP_142046 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
4554 #counts SARE_RECV_IP_142046 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
4555 #counts SARE_RECV_IP_142046 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4556 #counts SARE_RECV_IP_142046 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4558 header SARE_RECV_IP_200203050 Received =~ /\[200\.203\.50\.160\]/
4559 describe SARE_RECV_IP_200203050 Spam passed through possible spammer relay
4560 score SARE_RECV_IP_200203050 0.555
4561 #stype SARE_RECV_IP_200203050 spamp
4562 #hist SARE_RECV_IP_200203050 Created by Bob Menschel, Feb 19 2005, from Spam-L posting
4563 #counts SARE_RECV_IP_200203050 0s/0h of 174366 corpus (98964s/75402h RM) 02/18/05
4564 #counts SARE_RECV_IP_200203050 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4565 #counts SARE_RECV_IP_200203050 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4567 header SARE_RECV_IP_202064 Received =~ /\[202\.22\.(?:24[89]|25[01])\.\d{1,3}\]/
4568 describe SARE_RECV_IP_202064 Spam passed through possible spammer relay
4569 score SARE_RECV_IP_202064 1.111
4570 #stype SARE_RECV_IP_202064 spamp
4571 #hist SARE_RECV_IP_202064 Created by Bob Menschel Apr 25 2004
4572 #counts SARE_RECV_IP_202064 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4573 #max SARE_RECV_IP_202064 12s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
4574 #counts SARE_RECV_IP_202064 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4575 #counts SARE_RECV_IP_202064 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4576 #max SARE_RECV_IP_202064 4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4577 #counts SARE_RECV_IP_202064 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4578 #counts SARE_RECV_IP_202064 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4580 header SARE_RECV_IP_211049 Received =~ /\[211\.49\.185\.\d{1,3}\]/
4581 describe SARE_RECV_IP_211049 Spam passed through possible spammer relay
4582 score SARE_RECV_IP_211049 0.555
4583 #stype SARE_RECV_IP_211049 spamp
4584 #counts SARE_RECV_IP_211049 0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
4585 #max SARE_RECV_IP_211049 3s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
4586 #counts SARE_RECV_IP_211049 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4587 #counts SARE_RECV_IP_211049 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4588 #counts SARE_RECV_IP_211049 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4590 header SARE_RECV_IP_212164 Received =~ /\[212\.164\.1(?:6[4-9]|[78]\d|9[01])\.\d{1,3}\]/
4591 describe SARE_RECV_IP_212164 Spam passed through possible spammer relay
4592 score SARE_RECV_IP_212164 0.555
4593 #stype SARE_RECV_IP_212164 spamp
4594 #hist SARE_RECV_IP_212164 Created by Bob Menschel May 31 2004
4595 #counts SARE_RECV_IP_212164 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4596 #max SARE_RECV_IP_212164 1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
4597 #counts SARE_RECV_IP_212164 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4598 #counts SARE_RECV_IP_212164 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4599 #counts SARE_RECV_IP_212164 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4601 #####################################################################################
4602 # SARE User-Agent rules
4603 ######## ###################### ##################################################
4605 #####################################################################################
4606 # SARE To/Cc Destination rules
4607 ######## ###################### ##################################################
4609 header SARE_TOCC_MAILDOMN ToCc =~ /(?:client|recipient)\@(?:smtpdomain|maildomain)\.(?:com|net)/i
4610 describe SARE_TOCC_MAILDOMN Destination identifies this as a virus bounce
4611 score SARE_TOCC_MAILDOMN 1.666
4612 #stype SARE_TOCC_MAILDOMN vbg
4613 #hist SARE_TOCC_MAILDOMN Created by Bob Menschel Mar 28 2004
4614 #counts SARE_TOCC_MAILDOMN 0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
4615 #max SARE_TOCC_MAILDOMN 5s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
4616 #counts SARE_TOCC_MAILDOMN 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4617 #counts SARE_TOCC_MAILDOMN 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4618 #counts SARE_TOCC_MAILDOMN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4619 #counts SARE_TOCC_MAILDOMN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4621 header SARE_TOCC_SPAMWORD0 ToCc =~ /(?:alter-ego|Mailing-Boxes|ReMailer|User-info)\@/i
4622 describe SARE_TOCC_SPAMWORD0 Addressed to bogus email address
4623 score SARE_TOCC_SPAMWORD0 0.444
4624 #hist SARE_TOCC_SPAMWORD0 Removed Mailinglist May 14 2005
4625 #counts SARE_TOCC_SPAMWORD0 0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
4626 #max SARE_TOCC_SPAMWORD0 2s/3h of 196688 corpus (96191s/100497h RM) 02/21/05
4627 #counts SARE_TOCC_SPAMWORD0 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4628 #counts SARE_TOCC_SPAMWORD0 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
4629 #max SARE_TOCC_SPAMWORD0 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4630 #counts SARE_TOCC_SPAMWORD0 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4631 #counts SARE_TOCC_SPAMWORD0 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4633 #####################################################################################
4634 # SARE X-Mailer Rules
4635 ######## ###################### ##################################################
4637 header SARE_XMAIL_BULK2 X-Mailer =~ /(?:Mail2000|Simple Mail Solutions)/i
4638 describe SARE_XMAIL_BULK2 Uses bulk mailer used by spammers
4639 score SARE_XMAIL_BULK2 0.100
4640 #hist SARE_XMAIL_BULK2 Bob Menschel: PSS Bulk Mailer, Calypso; removed OSM Client Feb 7 2005
4641 #counts SARE_XMAIL_BULK2 0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
4642 #counts SARE_XMAIL_BULK2 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4643 #counts SARE_XMAIL_BULK2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4644 #counts SARE_XMAIL_BULK2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4646 header SARE_XMAIL_BULK4 X-Mailer =~ /(?:Master-SMTP)/i
4647 describe SARE_XMAIL_BULK4 Uses bulk mailer name forged by viruses
4648 score SARE_XMAIL_BULK4 0.277
4649 #stype SARE_XMAIL_BULK4 vbp
4650 #hist SARE_XMAIL_BULK4 Bob Menschel: Master-SMTP
4651 #counts SARE_XMAIL_BULK4 0s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
4652 #max SARE_XMAIL_BULK4 5s/0h of 56804 corpus (32211s/24593h RM) 07/25/04
4653 #counts SARE_XMAIL_BULK4 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4654 #counts SARE_XMAIL_BULK4 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4655 #counts SARE_XMAIL_BULK4 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4656 #counts SARE_XMAIL_BULK4 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4658 #####################################################################################
4659 # SARE Content-Type and Boundary rules
4660 ######## ###################### ##################################################
4662 header SARE_BOUNDARY_01 Content-Type =~ /boundary==?\".{0,}XXXX-/
4663 describe SARE_BOUNDARY_01 Spam tool pattern in MIME boundary
4664 score SARE_BOUNDARY_01 0.100
4665 #hist SARE_BOUNDARY_01 L.MIME_BOUND_SIMPLE
4666 #counts SARE_BOUNDARY_01 0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
4667 #counts SARE_BOUNDARY_01 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4668 #counts SARE_BOUNDARY_01 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4669 #counts SARE_BOUNDARY_01 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4671 #####################################################################################
4672 # SARE Rules which examine multiple header types
4673 ######## ###################### ##################################################
4675 header __SARE_MULT_RATW_03A MESSAGEID =~ /^<[A-Z]{20,26}\@[\w\d\.]+>/
4676 header __SARE_MULT_RATW_03B Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3};/
4677 header __SARE_MULT_RATW_03C Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by ;/
4678 header __SARE_MULT_RATW_03D Received =~ /\bfrom \d{1,3}\.\d{1,3}\.\d{1.3}\.\d{1.3} by web\d{1,4}\.mail\.yahoo\.com;/
4679 header __SARE_MULT_RATW_03F Received =~ /\bfrom ([A-Z][\w\.]+) by \1$/
4680 header __SARE_MULT_RATW_03G Received =~ /\%HEAD_RND_DOM/
4681 header __SARE_MULT_RATW_03H Received =~ /\(qmail 14413 invoked from network\);/
4682 header __SARE_MULT_RATW_03I ALL =~ /\bX-Mailer: [a-z]+ [a-z]+\n[a-z]+\-[a-z]+: [a-z]+ [a-z]+ [a-z]+\n/s
4683 meta SARE_MULT_RATW_03 (__SARE_MULT_RATW_03A && (__SARE_MULT_RATW_03B || __SARE_MULT_RATW_03C || __SARE_MULT_RATW_03D || __SARE_MULT_RATW_03E || __SARE_MULT_RATW_03F || __SARE_MULT_RATW_03G || __SARE_MULT_RATW_03H || __SARE_MULT_RATW_03I))
4684 describe SARE_MULT_RATW_03 Spammer sign in headers
4685 score SARE_MULT_RATW_03 1.666
4686 #hist SARE_MULT_RATW_03 LW_RATWARE4
4687 #counts SARE_MULT_RATW_03 0s/0h of 196708 corpus (96197s/100511h RM) 02/21/05
4688 #max SARE_MULT_RATW_03 321s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
4689 #counts SARE_MULT_RATW_03 57s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4690 #max SARE_MULT_RATW_03 172s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
4691 #counts SARE_MULT_RATW_03 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4692 #max SARE_MULT_RATW_03 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4693 #counts SARE_MULT_RATW_03 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4694 #counts SARE_MULT_RATW_03 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4696 #####################################################################################
4697 # SARE Miscellaneous and X-Header header rules
4698 ######## ###################### ##################################################
4700 header SARE_HEAD_CONT_RNDCONT Content-Transfer-Encoding =~ /CONTENT_ENCODING/i
4701 describe SARE_HEAD_CONT_RNDCONT Spam passed through iswest.net relay
4702 score SARE_HEAD_CONT_RNDCONT 1.166
4703 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
4704 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
4705 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
4706 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4707 #counts SARE_HEAD_CONT_RNDCONT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4709 header __SARE_HEAD_SUBJ_RAND Subject =~ /^(?:R[Ee]: )?(?:[a-z]{2,20}[\-\.\,]?\s?){1,8}/ # no /i!
4710 meta SARE_HEAD_SUBJ_RAND (__SARE_HEAD_SUBJ_RAND && (SARE_XMAIL_SUSP2 || SARE_HEAD_XAUTH_WARN || X_AUTH_WARN_FAKED))
4711 describe SARE_HEAD_SUBJ_RAND Subject is possibly random words
4712 score SARE_HEAD_SUBJ_RAND 1.033
4713 #hist SARE_HEAD_SUBJ_RAND LW_BOGUS_SUBJECT
4714 #hist SARE_HEAD_SUBJ_RAND Added option for 3.0 rule X_AUTH_WARN_FAKED
4715 #note SARE_HEAD_SUBJ_RAND Stored in HEADER rule set rather than SUBJ rule set because of its meta dependencies.
4716 #ham SARE_HEAD_SUBJ_RAND confirmed (1): Re: entropy depletion
4717 #counts SARE_HEAD_SUBJ_RAND 0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
4718 #max SARE_HEAD_SUBJ_RAND 343s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
4719 #counts SARE_HEAD_SUBJ_RAND 0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
4720 #max SARE_HEAD_SUBJ_RAND 82s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4721 #counts SARE_HEAD_SUBJ_RAND 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4722 #counts SARE_HEAD_SUBJ_RAND 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
4723 #max SARE_HEAD_SUBJ_RAND 6s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
4724 #counts SARE_HEAD_SUBJ_RAND 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4726 header SARE_HEAD_TOCC_DEFHNDL All =~ /TO_CC_DEFAULT_HANDLER/i
4727 describe SARE_HEAD_TOCC_DEFHNDL Spam passed through iswest.net relay
4728 score SARE_HEAD_TOCC_DEFHNDL 1.166
4729 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
4730 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
4731 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
4732 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4733 #counts SARE_HEAD_TOCC_DEFHNDL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4735 header SARE_HEAD_XAUTH_WARN2 X-Authentication-Warning =~ /\b[A-Z]{2,5}[a-z]{5,7}[0-9]{2}\b/
4736 describe SARE_HEAD_XAUTH_WARN2 X-Authentication-Warning: Contains Spam Signature.
4737 score SARE_HEAD_XAUTH_WARN2 2.500
4738 #stype SARE_HEAD_XAUTH_WARN2 spamg
4739 #hist SARE_HEAD_XAUTH_WARN2 Mike Hogsett, Tuesday, May 25, 2004, CSL_X_AUTH_WARN_2
4740 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4741 #max SARE_HEAD_XAUTH_WARN2 46s/0h of 60623 corpus (35501s/25122h RM) 08/11/04
4742 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4743 #max SARE_HEAD_XAUTH_WARN2 14s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
4744 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4745 #max SARE_HEAD_XAUTH_WARN2 1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4746 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4747 #counts SARE_HEAD_XAUTH_WARN2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4749 header SARE_HEAD_XCANIT1 X-CanItPRO-Stream =~ /^sbw\b/
4750 describe SARE_HEAD_XCANIT1 Message headers used which identify spam
4751 score SARE_HEAD_XCANIT1 1.111
4752 #stype SARE_HEAD_XCANIT1 spamp
4753 #hist SARE_HEAD_XCANIT1 Enhanced from original SARE_HEAD_HDR_XCANITP rule with help from RoaringPenguin
4754 #counts SARE_HEAD_XCANIT1 0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
4755 #max SARE_HEAD_XCANIT1 7s/0h of 68480 corpus (41098s/27382h RM) 09/18/04
4756 #counts SARE_HEAD_XCANIT1 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4757 #counts SARE_HEAD_XCANIT1 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4758 #counts SARE_HEAD_XCANIT1 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4759 #counts SARE_HEAD_XCANIT1 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4761 header __SARE_HEAD_XCANIT_H exists:X-CanItPRO-Stream
4762 header __SARE_HEAD_XCANIT_S exists:X-Scanned-By
4763 meta SARE_HEAD_XCANIT2 __SARE_HEAD_XCANIT_H && !__SARE_HEAD_XCANIT_S
4764 describe SARE_HEAD_XCANIT2 Incomplete anti-spam headers signifying spam
4765 score SARE_HEAD_XCANIT2 0.555
4766 #stype SARE_HEAD_XCANIT2 spamp
4767 #hist SARE_HEAD_XCANIT2 Created by Bob Menschel Jan 29 2005 from information provided by RoaringPenguin
4768 #counts SARE_HEAD_XCANIT2 0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
4769 #max SARE_HEAD_XCANIT2 2s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
4770 #counts SARE_HEAD_XCANIT2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4771 #counts SARE_HEAD_XCANIT2 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4772 #counts SARE_HEAD_XCANIT2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4773 #counts SARE_HEAD_XCANIT2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4775 header SARE_HEAD_XORIP_IP X-Originating-IP =~ /IP/i
4776 describe SARE_HEAD_XORIP_IP header points to probable spammer
4777 score SARE_HEAD_XORIP_IP 3.333
4778 #stype SARE_HEAD_XORIP_IP spamg
4779 #counts SARE_HEAD_XORIP_IP 0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
4780 #max SARE_HEAD_XORIP_IP 4347s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
4781 #counts SARE_HEAD_XORIP_IP 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4782 #counts SARE_HEAD_XORIP_IP 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4783 #max SARE_HEAD_XORIP_IP 26s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4784 #counts SARE_HEAD_XORIP_IP 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4785 #counts SARE_HEAD_XORIP_IP 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4787 header SARE_HEAD_XPRI_RNDNUM X-Priority =~ /PRIORITY_NUMBER/i
4788 describe SARE_HEAD_XPRI_RNDNUM Spam passed through iswest.net relay
4789 score SARE_HEAD_XPRI_RNDNUM 1.666
4790 #stype SARE_HEAD_XPRI_RNDNUM spamg
4791 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
4792 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
4793 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
4794 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4795 #counts SARE_HEAD_XPRI_RNDNUM 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4799 # SARE Header Abuse Ruleset for SpamAssassin -- file 3
4801 # Created: 2004-04-25
4802 # Modified: 2005-10-28
4803 # Usage instructions and documentation in 70_sare_header0.cf
4805 # Full Revision History / Change Log in 70_sare_header.log
4806 #@@# 01.03.16 Oct 28 2005
4807 #@@# Minor score updates based on additional mass-check
4808 #@@# Archived from file 3: SARE_FREE_WEBM_Excite
4809 #@@# Archived from file 3: SARE_FREE_WEBM_Softhom
4810 #@@# Archived from file 3: SARE_FROM_NUM_8DIG; rely on SARE_FROM_NUM_9DIG and SA distrib FROM_ENDS_IN_NUMS
4811 #@@# Archived from file 3: SARE_HEAD_HDR_XT2PID
4812 #@@# Archived from file 3: SARE_MSGID_ADDED
4813 #@@# Archived from file 3: SARE_MSGID_LONG35
4814 #@@# Archived from file 3: SARE_MULT_VIA_FWCATS
4815 #@@# Archived from file 3: SARE_RECV_IP_064152200
4816 #@@# Archived from file 3: SARE_RECV_ISWEST
4817 #@@# Archived from file 3: SARE_RECV_MANYMX
4818 #@@# Archived from file 3: SARE_TOCC_BCC_MANY
4819 #@@# Archived from file 3: SARE_XMAIL_XMAIL
4820 #@@# Moved file 1 to file 3: SARE_FROM_NONAME
4821 #@@# Moved file 1 to file 3: SARE_FROM_SPAM_CHAR0
4822 #@@# Moved file 1 to file 3: SARE_HEAD_XCOM_RFCMIN
4823 #@@# Moved file 1 to file 3: SARE_RECV_IP_080178
4824 #@@# Moved file 1 to file 3: SARE_XMAIL_SUSP3
4825 #@@# Moved file 3 to file 1: SARE_FROM_SPAM_MONEY2
4826 #@@# Moved file 3 to file 2: SARE_FREE_WEBM_Iamfi
4827 #@@# Moved file 3 to file 2: SARE_MSGID_ALL_CAPHM
4828 #@@# Moved file 3 to file 2: SARE_TOCC_MAILDOMN
4829 #@@# Moved file 3 to file 2: SARE_XMAIL_BULK4
4830 #@@# Moved file 3 to file 4: SARE_FREE_WEBM_EsYahoo
4831 #@@# Moved file 3 to file 4: SARE_FREE_WEBM_FrYahoo
4832 #@@# Moved file 3 to file 4: SARE_FREE_WEBM_MYWAY
4833 #@@# Moved file 3 to file 4: SARE_FROM_LEAD_PREP
4834 #@@# Moved file 3 to file 4: SARE_FROM_NUM_9DIG
4835 #@@# Moved file 3 to file 4: SARE_MSGID_ALL_LC
4836 #@@# Moved file 3 to file 4: SARE_MSGID_LONG55
4837 #@@# Moved file 3 to file 4: SARE_MSGID_LONG65
4838 #@@# Moved file 3 to file 4: SARE_MSGID_LONG75
4839 #@@# Moved file 3 to file 4: SARE_MULT_LCASE_X2
4840 #@@# Moved file 3 to file 4: SARE_RECV_SPAM_DOMN05
4841 #@@# Moved file 3 to file 4: SARE_RECV_SUSP_3
4842 #@@# Replaced __SARE_HEAD_HDR_RCVD with SA 3.1.0 rule __HAS_RCVD
4844 # License: Artistic - see http://www.rulesemporium.com/license.txt
4845 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
4846 # Current Home: http://www.rulesemporium.com/rules/70_sare_header3.cf
4848 ######## ###################### ##################################################
4849 # Component rules used within meta rules
4850 ######## ###################### ##################################################
4852 header __SARE_HEAD_8BIT_SUBJ Subject =~ /[\x80-\xff]{3,}/
4854 #####################################################################################
4855 # SARE Header-Exists rules
4856 ######## ###################### ##################################################
4858 header SARE_HEAD_HDR_XKRNL exists:X-Kernel
4859 describe SARE_HEAD_HDR_XKRNL fingerprint
4860 score SARE_HEAD_HDR_XKRNL 1.405
4861 #hist SARE_HEAD_HDR_XKRNL Alex Broens, June 30, 2005
4862 #counts SARE_HEAD_HDR_XKRNL 63s/19h of 689155 corpus (348140s/341015h RM) 09/18/05
4863 #counts SARE_HEAD_HDR_XKRNL 43s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
4864 #counts SARE_HEAD_HDR_XKRNL 200s/0h of 12846 corpus (4657s/8189h MM) 06/30/05
4866 header SARE_HEAD_HDR_XSEQ exists:X-Sequence
4867 describe SARE_HEAD_HDR_XSEQ Rarely abused email header
4868 score SARE_HEAD_HDR_XSEQ -0.699
4869 #stype SARE_HEAD_HDR_XSEQ ham
4870 tflags SARE_HEAD_HDR_XSEQ nice
4871 #hist SARE_HEAD_HDR_XSEQ Loren Wilton, July 29 2005
4872 #counts SARE_HEAD_HDR_XSEQ 42s/1113h of 689155 corpus (348140s/341015h RM) 09/18/05
4873 #counts SARE_HEAD_HDR_XSEQ 0s/0h of 10551 corpus (5780s/4771h CT) 07/29/05
4875 header SARE_HEAD_HDR_XCCDIAG exists:X-CC-Diagnostic
4876 describe SARE_HEAD_HDR_XCCDIAG Message headers used which identify spam
4877 score SARE_HEAD_HDR_XCCDIAG 0.100
4878 #ham SARE_HEAD_HDR_XCCDIAG confirmed (1)
4879 #counts SARE_HEAD_HDR_XCCDIAG 1s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
4880 #max SARE_HEAD_HDR_XCCDIAG 4s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
4881 #counts SARE_HEAD_HDR_XCCDIAG 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4882 #counts SARE_HEAD_HDR_XCCDIAG 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4883 #counts SARE_HEAD_HDR_XCCDIAG 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4885 header __SARE_HEAD_HDR_XCNTRY exists:X-country
4886 header __SARE_HEAD_HDR_XLANG exists:X-language
4887 meta SARE_HEAD_HDR_XCNTRY __SARE_HEAD_HDR_XCNTRY || __SARE_HEAD_HDR_XLANG
4888 describe SARE_HEAD_HDR_XCNTRY Message headers used which identify spam
4889 score SARE_HEAD_HDR_XCNTRY 0.250
4890 #ham SARE_HEAD_HDR_XCNTRY confirmed (1, valid paypal email to user)
4891 #counts SARE_HEAD_HDR_XCNTRY 24s/15h of 689155 corpus (348140s/341015h RM) 09/18/05
4892 #max SARE_HEAD_HDR_XCNTRY 153s/0h of 69632 corpus (42598s/27034h RM) 09/26/04
4893 #counts SARE_HEAD_HDR_XCNTRY 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4894 #max SARE_HEAD_HDR_XCNTRY 1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4895 #counts SARE_HEAD_HDR_XCNTRY 53s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4896 #counts SARE_HEAD_HDR_XCNTRY 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4897 #max SARE_HEAD_HDR_XCNTRY 12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
4898 #counts SARE_HEAD_HDR_XCNTRY 0s/2h of 7500 corpus (1767s/5733h ft) 09/18/05
4900 header SARE_HEAD_HDR_XKASPAV exists:X-Kaspersky-Antivirus
4901 describe SARE_HEAD_HDR_XKASPAV Message headers used which identify spam
4902 score SARE_HEAD_HDR_XKASPAV 1.136
4903 #ham SARE_HEAD_HDR_XKASPAV Can be found in ham from Europe/Asia, esp. Russia
4904 #note SARE_HEAD_HDR_XKASPAV Keep in file 3 because "
4905 #counts SARE_HEAD_HDR_XKASPAV 200s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
4906 #counts SARE_HEAD_HDR_XKASPAV 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
4907 #max SARE_HEAD_HDR_XKASPAV 37s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4908 #counts SARE_HEAD_HDR_XKASPAV 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4909 #counts SARE_HEAD_HDR_XKASPAV 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4910 #counts SARE_HEAD_HDR_XKASPAV 3s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
4912 header SARE_HEAD_HDR_XMAILTH exists:X-Mailer-Thread
4913 describe SARE_HEAD_HDR_XMAILTH Message headers used which identify spam
4914 score SARE_HEAD_HDR_XMAILTH 0.338
4915 #ham SARE_HEAD_HDR_XMAILTH verified (1), likely (7)
4916 #counts SARE_HEAD_HDR_XMAILTH 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
4917 #counts SARE_HEAD_HDR_XMAILTH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4918 #counts SARE_HEAD_HDR_XMAILTH 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4919 #counts SARE_HEAD_HDR_XMAILTH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4920 #counts SARE_HEAD_HDR_XMAILTH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4922 header SARE_HEAD_HDR_XMSGID exists:X-MSGID
4923 describe SARE_HEAD_HDR_XMSGID Message headers used which identify spam
4924 score SARE_HEAD_HDR_XMSGID 0.696
4925 #ham SARE_HEAD_HDR_XMSGID bankofamerica.com, also X-Mailer: Supernova
4926 #counts SARE_HEAD_HDR_XMSGID 126s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
4927 #counts SARE_HEAD_HDR_XMSGID 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4928 #counts SARE_HEAD_HDR_XMSGID 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4929 #counts SARE_HEAD_HDR_XMSGID 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4930 #counts SARE_HEAD_HDR_XMSGID 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4932 header SARE_HEAD_HDR_XRETURN exists:X-Return
4933 describe SARE_HEAD_HDR_XRETURN Message headers used which identify spam
4934 score SARE_HEAD_HDR_XRETURN 0.119
4935 #ham SARE_HEAD_HDR_XRETURN confirmed (1), Freelance Work Exchange
4936 #counts SARE_HEAD_HDR_XRETURN 64s/29h of 689155 corpus (348140s/341015h RM) 09/18/05
4937 #counts SARE_HEAD_HDR_XRETURN 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4938 #counts SARE_HEAD_HDR_XRETURN 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4939 #counts SARE_HEAD_HDR_XRETURN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4940 #counts SARE_HEAD_HDR_XRETURN 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
4942 header SARE_HEAD_HDR_XSMTPSV exists:X-SMTP-Server
4943 describe SARE_HEAD_HDR_XSMTPSV Message headers used which identify spam
4944 score SARE_HEAD_HDR_XSMTPSV 0.338
4945 #ham SARE_HEAD_HDR_XSMTPSV verified (1)
4946 #counts SARE_HEAD_HDR_XSMTPSV 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
4947 #counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4948 #counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4949 #counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4950 #counts SARE_HEAD_HDR_XSMTPSV 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4952 header SARE_HEAD_HDR_XSYSTEM exists:X-System
4953 describe SARE_HEAD_HDR_XSYSTEM Message headers used which identify spam
4954 score SARE_HEAD_HDR_XSYSTEM 0.625
4955 #ham SARE_HEAD_HDR_XSYSTEM X-System: Linux hell 2.6.8 i686
4956 #counts SARE_HEAD_HDR_XSYSTEM 25s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
4957 #counts SARE_HEAD_HDR_XSYSTEM 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4958 #counts SARE_HEAD_HDR_XSYSTEM 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4959 #counts SARE_HEAD_HDR_XSYSTEM 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4960 #counts SARE_HEAD_HDR_XSYSTEM 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
4962 header SARE_HEAD_HDR_XUMAIL exists:X-UMail
4963 describe SARE_HEAD_HDR_XUMAIL Message headers used which identify spam
4964 score SARE_HEAD_HDR_XUMAIL 0.338
4965 #ham SARE_HEAD_HDR_XUMAIL verified (1)
4966 #counts SARE_HEAD_HDR_XUMAIL 67s/10h of 689155 corpus (348140s/341015h RM) 09/18/05
4967 #counts SARE_HEAD_HDR_XUMAIL 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4968 #counts SARE_HEAD_HDR_XUMAIL 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4969 #counts SARE_HEAD_HDR_XUMAIL 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4970 #counts SARE_HEAD_HDR_XUMAIL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4972 header SARE_HEAD_HDR_XUNOLOOK exists:X-unolookiehere
4973 describe SARE_HEAD_HDR_XUNOLOOK Unique X-header found in email
4974 score SARE_HEAD_HDR_XUNOLOOK -1.000
4975 #stype SARE_HEAD_HDR_XUNOLOOK ham
4976 tflags SARE_HEAD_HDR_XUNOLOOK nice
4977 #counts SARE_HEAD_HDR_XUNOLOOK 0s/267h of 689155 corpus (348140s/341015h RM) 09/18/05
4978 #counts SARE_HEAD_HDR_XUNOLOOK 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
4979 #counts SARE_HEAD_HDR_XUNOLOOK 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
4980 #counts SARE_HEAD_HDR_XUNOLOOK 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4982 header SARE_HEAD_HDR_XUNSUB exists:X-Unsubscribe
4983 describe SARE_HEAD_HDR_XUNSUB Message headers used which identify spam
4984 score SARE_HEAD_HDR_XUNSUB -0.694
4985 tflags SARE_HEAD_HDR_XUNSUB nice
4986 #stype SARE_HEAD_HDR_XUNSUB ham
4987 #ham SARE_HEAD_HDR_XUNSUB Used by valid newsletters or lists
4988 #counts SARE_HEAD_HDR_XUNSUB 0s/25h of 689155 corpus (348140s/341015h RM) 09/18/05
4989 #max SARE_HEAD_HDR_XUNSUB 15s/94h of 238550 corpus (112525s/126025h RM) 02/28/05
4990 #counts SARE_HEAD_HDR_XUNSUB 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
4991 #counts SARE_HEAD_HDR_XUNSUB 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
4992 #counts SARE_HEAD_HDR_XUNSUB 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
4993 #counts SARE_HEAD_HDR_XUNSUB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
4995 header __HAS_RCVD exists:Received
4996 header __SARE_HEAD_MOZ_DRAFT exists:X-Mozilla-Draft-Info
4997 meta SARE_HEAD_MOZ_DRAFT __SARE_HEAD_MOZ_DRAFT && __HAS_RCVD
4998 score SARE_HEAD_MOZ_DRAFT 0.646
4999 #ham SARE_HEAD_MOZ_DRAFT ham seems to be only on mails added to corpus from "sent" folders
5000 #ham SARE_HEAD_MOZ_DRAFT Seen in ham starting 4/23/05. Update to Mozilla email client?
5001 #counts SARE_HEAD_MOZ_DRAFT 0s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
5002 #max SARE_HEAD_MOZ_DRAFT 195s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
5003 #counts SARE_HEAD_MOZ_DRAFT 48s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5004 #counts SARE_HEAD_MOZ_DRAFT 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5005 #counts SARE_HEAD_MOZ_DRAFT 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5006 #max SARE_HEAD_MOZ_DRAFT 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5007 #counts SARE_HEAD_MOZ_DRAFT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5009 #####################################################################################
5010 # SARE Content-Type and Boundary rules
5011 ######## ###################### ##################################################
5013 header SARE_BOUNDARY_MULTB Content-Type =~ /boundary="= Multipart Boundary /i
5014 describe SARE_BOUNDARY_MULTB Content type boundary used in spam and viruses
5015 score SARE_BOUNDARY_MULTB 0.229
5016 #ham SARE_BOUNDARY_MULTB confirmed(2), moveon.org, bordc.org
5017 #hist SARE_BOUNDARY_MULTB Created by Bob Menschel Aug 24 2004
5018 #counts SARE_BOUNDARY_MULTB 216s/53h of 689155 corpus (348140s/341015h RM) 09/18/05
5019 #counts SARE_BOUNDARY_MULTB 0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
5020 #counts SARE_BOUNDARY_MULTB 5s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5021 #counts SARE_BOUNDARY_MULTB 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5022 #counts SARE_BOUNDARY_MULTB 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5024 #####################################################################################
5026 ######## ###################### ##################################################
5028 header SARE_FROM_DEBT From =~ m'debt'i
5029 describe SARE_FROM_DEBT From debt spammer
5030 score SARE_FROM_DEBT 0.736
5031 #ham SARE_FROM_DEBT ffcdebthelp.com
5032 #hist SARE_FROM_DEBT Created by Fred Tarasevicius Sep 14 2004
5033 #counts SARE_FROM_DEBT 858s/30h of 689155 corpus (348140s/341015h RM) 09/18/05
5034 #counts SARE_FROM_DEBT 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5035 #counts SARE_FROM_DEBT 84s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5036 #max SARE_FROM_DEBT 93s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
5037 #counts SARE_FROM_DEBT 24s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5038 #counts SARE_FROM_DEBT 37s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
5040 header SARE_FROM_DLL From =~ m'\b\d[a-z][a-z]\.(?:com|net|biz|info)\b'i
5041 describe SARE_FROM_DLL Via a digit-letter-letter domain
5042 score SARE_FROM_DLL 0.473
5043 #ham SARE_FROM_DLL verified (3)
5044 #hist SARE_FROM_DLL Created by Bob Menschel Aug 23 2004
5045 #counts SARE_FROM_DLL 156s/22h of 689155 corpus (348140s/341015h RM) 09/18/05
5046 #counts SARE_FROM_DLL 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5047 #max SARE_FROM_DLL 6s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
5048 #counts SARE_FROM_DLL 9s/2h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5049 #counts SARE_FROM_DLL 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5050 #counts SARE_FROM_DLL 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5052 header SARE_FROM_MULTI_DASH From =~ /\@.*--/
5053 describe SARE_FROM_MULTI_DASH From domain has multiple consecutive hyphens
5054 score SARE_FROM_MULTI_DASH 0.934
5055 #hist SARE_FROM_MULTI_DASH Tim Jackson, May 12 2005
5056 #ham SARE_FROM_MULTI_DASH Valid email seen from gs at g--s dot de
5057 #counts SARE_FROM_MULTI_DASH 29s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
5058 #counts SARE_FROM_MULTI_DASH 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5059 #counts SARE_FROM_MULTI_DASH 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5060 #counts SARE_FROM_MULTI_DASH 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5062 header SARE_FROM_NONAME From =~ /"" </
5063 describe SARE_FROM_NONAME from has no name on purpose
5064 score SARE_FROM_NONAME 0.648
5065 #hist SARE_FROM_NONAME Originally submitted by Fred Tarasevicius
5066 #counts SARE_FROM_NONAME 1874s/99h of 689155 corpus (348140s/341015h RM) 09/18/05
5067 #counts SARE_FROM_NONAME 15s/11h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5068 #max SARE_FROM_NONAME 17s/11h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5069 #counts SARE_FROM_NONAME 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5070 #counts SARE_FROM_NONAME 28s/4h of 10590 corpus (5819s/4771h CT) 07/26/05
5071 #counts SARE_FROM_NONAME 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5073 header SARE_FROM_NUM_HOTML From =~ /\b[a-z]+\d{6,}\@hotmail.com/i
5074 describe SARE_FROM_NUM_HOTML Apparent spammer email address pattern
5075 score SARE_FROM_NUM_HOTML 1.156
5076 #hist SARE_FROM_NUM_HOTML Created by Bob Menschel May 24 2004
5077 #counts SARE_FROM_NUM_HOTML 740s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
5078 #counts SARE_FROM_NUM_HOTML 16s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5079 #max SARE_FROM_NUM_HOTML 19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5080 #counts SARE_FROM_NUM_HOTML 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5081 #max SARE_FROM_NUM_HOTML 6s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5082 #counts SARE_FROM_NUM_HOTML 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5083 #counts SARE_FROM_NUM_HOTML 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
5085 # being refined. low score until we get better
5086 header SARE_FROM_PHRASE From =~ /(?!P?lease_Do_Not_Reply_To_This_)\b\w+_\w+_\w+_\w+_/i
5087 describe SARE_FROM_PHRASE Sender name appears to be phrase rather than name
5088 score SARE_FROM_PHRASE 0.078
5089 #hist SARE_FROM_PHRASE Originally submitted by Bob Menschel
5090 #ham SARE_FROM_PHRASE The Owner Center at My GMLink <The_Owner_Center_at_My_GMLink.UM.A.5.1302@www.imail.imrsvcs.com>
5091 #counts SARE_FROM_PHRASE 222s/88h of 689155 corpus (348140s/341015h RM) 09/18/05
5092 #counts SARE_FROM_PHRASE 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5093 #max SARE_FROM_PHRASE 10s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5094 #counts SARE_FROM_PHRASE 16s/6h of 47809 corpus (43224s/4585h MY) 07/27/05
5095 #max SARE_FROM_PHRASE 17s/5h of 45478 corpus (41529s/3949h MY) 05/16/05
5096 #counts SARE_FROM_PHRASE 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5097 #max SARE_FROM_PHRASE 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5098 #counts SARE_FROM_PHRASE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5100 header SARE_FROM_PRINTER From =~ /\bprinter\b/i
5101 describe SARE_FROM_PRINTER From user address seems to contain spam topic
5102 score SARE_FROM_PRINTER 0.444
5103 #counts SARE_FROM_PRINTER 69s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
5104 #max SARE_FROM_PRINTER 98s/4h of 238550 corpus (112525s/126025h RM) 02/28/05
5105 #counts SARE_FROM_PRINTER 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5106 #counts SARE_FROM_PRINTER 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5107 #max SARE_FROM_PRINTER 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5108 #counts SARE_FROM_PRINTER 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5109 #counts SARE_FROM_PRINTER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5111 header SARE_FROM_QUOTE From =~ /quote/i
5112 describe SARE_FROM_QUOTE From name/address has "quote" as part of it
5113 score SARE_FROM_QUOTE 0.473
5114 #hist SARE_FROM_QUOTE Fred Tarasevicius, FH_FROM_QUOTE
5115 #ham SARE_FROM_QUOTE resume from email account at intelliquote.com, hostquote@webhostdir.com
5116 #ham SARE_FROM_QUOTE WisdomToday.com <xquotes@WisdomToday.com>
5117 #counts SARE_FROM_QUOTE 419s/83h of 689155 corpus (348140s/341015h RM) 09/18/05
5118 #counts SARE_FROM_QUOTE 11s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5119 #counts SARE_FROM_QUOTE 282s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5120 #counts SARE_FROM_QUOTE 16s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5121 #counts SARE_FROM_QUOTE 4s/2h of 6924 corpus (1403s/5521h ft) 07/27/05
5123 header SARE_FROM_SPAM_CHAR0a From =~ /^\?/i
5124 describe SARE_FROM_SPAM_CHAR0a Sender name has unexpected or invalid characters
5125 score SARE_FROM_SPAM_CHAR0a 0.636
5126 #counts SARE_FROM_SPAM_CHAR0a 1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05
5127 #counts SARE_FROM_SPAM_CHAR0a 54s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5128 #max SARE_FROM_SPAM_CHAR0a 55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5129 #counts SARE_FROM_SPAM_CHAR0a 45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5130 #counts SARE_FROM_SPAM_CHAR0a 22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5131 #counts SARE_FROM_SPAM_CHAR0a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5133 header SARE_FROM_SPAM_CHAR0b From =~ /^\$/i
5134 describe SARE_FROM_SPAM_CHAR0b Sender name has unexpected or invalid characters
5135 score SARE_FROM_SPAM_CHAR0b 0.636
5136 #counts SARE_FROM_SPAM_CHAR0b 1408s/105h of 689155 corpus (348140s/341015h RM) 09/18/05
5137 #counts SARE_FROM_SPAM_CHAR0b 54s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5138 #max SARE_FROM_SPAM_CHAR0b 55s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5139 #counts SARE_FROM_SPAM_CHAR0b 45s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5140 #counts SARE_FROM_SPAM_CHAR0b 22s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5141 #counts SARE_FROM_SPAM_CHAR0b 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5143 header SARE_FROM_SPAM_CHAR5 From =~ /zzz/i
5144 describe SARE_FROM_SPAM_CHAR5 Sender name has unlikely character string
5145 score SARE_FROM_SPAM_CHAR5 0.640
5146 #ham SARE_FROM_SPAM_CHAR5 Postmaster <postmaster@mail.zzzip.net> (valid bounce)
5147 #counts SARE_FROM_SPAM_CHAR5 114s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
5148 #counts SARE_FROM_SPAM_CHAR5 4s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5149 #max SARE_FROM_SPAM_CHAR5 30s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
5150 #counts SARE_FROM_SPAM_CHAR5 3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5151 #max SARE_FROM_SPAM_CHAR5 9s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5152 #counts SARE_FROM_SPAM_CHAR5 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5153 #counts SARE_FROM_SPAM_CHAR5 0s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
5155 header SARE_FROM_SUPPORT_DIG From =~ /\bsupport\d/i
5156 describe SARE_FROM_SUPPORT_DIG From user address is used by spammer
5157 score SARE_FROM_SUPPORT_DIG 0.135
5158 #ham SARE_FROM_SUPPORT_DIG support1 @ $10domains.com
5159 #hist SARE_FROM_SUPPORT_DIG Created by Bob Menschel Oct 07 2004
5160 #counts SARE_FROM_SUPPORT_DIG 9s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
5161 #max SARE_FROM_SUPPORT_DIG 25s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
5162 #counts SARE_FROM_SUPPORT_DIG 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5163 #counts SARE_FROM_SUPPORT_DIG 1s/4h of 47809 corpus (43224s/4585h MY) 07/27/05
5164 #counts SARE_FROM_SUPPORT_DIG 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5165 #counts SARE_FROM_SUPPORT_DIG 5s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
5167 #####################################################################################
5168 # SARE From Rules -- Emails coming from free webmail accounts
5169 # Since spam from these can vary depending upon country of origin,
5170 # country of destination, policies, and enforcement of policies,
5171 # most of these are kept as separate rules rather than combined.
5172 ######## ###################### ##################################################
5174 header SARE_FREE_WEBM_123 From =~ /\b123\.com/i
5175 describe SARE_FREE_WEBM_123 Sender used free email account - may be spammer
5176 score SARE_FREE_WEBM_123 0.389
5177 #ham SARE_FREE_WEBM_123 confirmed: 1, anonymous response via feedback page
5178 #counts SARE_FREE_WEBM_123 14s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
5179 #max SARE_FREE_WEBM_123 62s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
5180 #counts SARE_FREE_WEBM_123 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
5181 #max SARE_FREE_WEBM_123 5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5182 #counts SARE_FREE_WEBM_123 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
5183 #max SARE_FREE_WEBM_123 10s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5184 #counts SARE_FREE_WEBM_123 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5185 #counts SARE_FREE_WEBM_123 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5187 header SARE_FREE_WEBM_CZSEZNA From =~ /\@seznam\.cz/i
5188 describe SARE_FREE_WEBM_CZSEZNA Sender used free email account - may be spammer
5189 score SARE_FREE_WEBM_CZSEZNA 0.248
5190 #hist SARE_FREE_WEBM_CZSEZNA Created by Bob Menschel May 31 2004
5191 #ham SARE_FREE_WEBM_CZSEZNA Confirmed (2) by JH
5192 #counts SARE_FREE_WEBM_CZSEZNA 41s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
5193 #counts SARE_FREE_WEBM_CZSEZNA 2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5194 #max SARE_FREE_WEBM_CZSEZNA 12s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5195 #counts SARE_FREE_WEBM_CZSEZNA 91s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5196 #max SARE_FREE_WEBM_CZSEZNA 186s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5197 #counts SARE_FREE_WEBM_CZSEZNA 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5198 #max SARE_FREE_WEBM_CZSEZNA 7s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5199 #counts SARE_FREE_WEBM_CZSEZNA 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5201 header SARE_FREE_WEBM_LAPOSTE From =~ /\@laposte\.net/i
5202 describe SARE_FREE_WEBM_LAPOSTE Maybe spammer with free email
5203 score SARE_FREE_WEBM_LAPOSTE 0.721
5204 #hist SARE_FREE_WEBM_LAPOSTE Created by Bob Menschel May 31 2004
5205 #counts SARE_FREE_WEBM_LAPOSTE 108s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
5206 #counts SARE_FREE_WEBM_LAPOSTE 1s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5207 #counts SARE_FREE_WEBM_LAPOSTE 9s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5208 #counts SARE_FREE_WEBM_LAPOSTE 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5209 #counts SARE_FREE_WEBM_LAPOSTE 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5211 header SARE_FREE_WEBM_Purin From =~ /\bpurinmail\.com/i
5212 describe SARE_FREE_WEBM_Purin Sender used free email account - may be spammer
5213 score SARE_FREE_WEBM_Purin 0.650
5214 #hist SARE_FREE_WEBM_Purin Created by Bob Menschel Mar 26 2004
5215 #counts SARE_FREE_WEBM_Purin 12s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
5216 #max SARE_FREE_WEBM_Purin 15s/0h of 125163 corpus (104972s/20191h) 03/28/04
5217 #counts SARE_FREE_WEBM_Purin 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5218 #counts SARE_FREE_WEBM_Purin 0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5219 #max SARE_FREE_WEBM_Purin 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5220 #counts SARE_FREE_WEBM_Purin 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5221 #counts SARE_FREE_WEBM_Purin 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5223 header SARE_FREE_WEBM_RuMail From =~ /\@mail\.ru/i
5224 describe SARE_FREE_WEBM_RuMail Sender used free email account - may be spammer
5225 score SARE_FREE_WEBM_RuMail 0.671
5226 #counts SARE_FREE_WEBM_RuMail 740s/36h of 689155 corpus (348140s/341015h RM) 09/18/05
5227 #counts SARE_FREE_WEBM_RuMail 15s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5228 #max SARE_FREE_WEBM_RuMail 19s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5229 #counts SARE_FREE_WEBM_RuMail 11s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5230 #max SARE_FREE_WEBM_RuMail 27s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5231 #counts SARE_FREE_WEBM_RuMail 6s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5232 #max SARE_FREE_WEBM_RuMail 9s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5233 #counts SARE_FREE_WEBM_RuMail 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5235 header SARE_FREE_WEBM_Smapxsm From =~ /\bsmapxsmap\.net/i
5236 describe SARE_FREE_WEBM_Smapxsm Sender used free email account - may be spammer
5237 score SARE_FREE_WEBM_Smapxsm 0.667
5238 #counts SARE_FREE_WEBM_Smapxsm 12s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
5239 #counts SARE_FREE_WEBM_Smapxsm 7s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5240 #counts SARE_FREE_WEBM_Smapxsm 1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5241 #max SARE_FREE_WEBM_Smapxsm 5s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5242 #counts SARE_FREE_WEBM_Smapxsm 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5243 #max SARE_FREE_WEBM_Smapxsm 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5244 #counts SARE_FREE_WEBM_Smapxsm 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5246 header SARE_FREE_WEBM_SURIML From =~ /\bsurimail\.com/i
5247 describe SARE_FREE_WEBM_SURIML Sender used free email account - may be spammer
5248 score SARE_FREE_WEBM_SURIML 0.555
5249 #hist SARE_FREE_WEBM_SURIML Created by Bob Menschel June 12 2004
5250 #counts SARE_FREE_WEBM_SURIML 2s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
5251 #counts SARE_FREE_WEBM_SURIML 0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5252 #counts SARE_FREE_WEBM_SURIML 7s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5253 #counts SARE_FREE_WEBM_SURIML 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5254 #counts SARE_FREE_WEBM_SURIML 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5256 #####################################################################################
5257 # SARE Message-ID rules
5258 ######## ###################### ##################################################
5260 header SARE_MSGID_LONG MESSAGEID =~ /<.{135,}>/
5261 describe SARE_MSGID_LONG Message ID is too long.
5262 score SARE_MSGID_LONG 0.202
5263 #ham SARE_MSGID_LONG confirmed (1)
5264 #hist SARE_MSGID_LONG Jesse Houwing, August 20 2004
5265 #counts SARE_MSGID_LONG 18s/13h of 689155 corpus (348140s/341015h RM) 09/18/05
5266 #max SARE_MSGID_LONG 97s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
5267 #counts SARE_MSGID_LONG 29s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5268 #counts SARE_MSGID_LONG 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5269 #max SARE_MSGID_LONG 7s/0h of 34763 corpus (18647s/16116h MY) 08/25/04
5270 #counts SARE_MSGID_LONG 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5271 #max SARE_MSGID_LONG 8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5272 #counts SARE_MSGID_LONG 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5274 header __SARE_MSGID_LONG40 MESSAGEID =~ /[a-z0-9\$]{40}/
5275 meta SARE_MSGID_LONG40 __SARE_MSGID_LONG40 && !__SARE_MSGID_LONG45 && !__SARE_MSGID_LONG50 && !__SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
5276 describe SARE_MSGID_LONG40 Message ID has suspicious length
5277 score SARE_MSGID_LONG40 0.637
5278 #hist SARE_MSGID_LONG40 Created by Frederic Tarasevicius
5279 #counts SARE_MSGID_LONG40 132s/12h of 689155 corpus (348140s/341015h RM) 09/18/05
5280 #max SARE_MSGID_LONG40 350s/5h of 238550 corpus (112525s/126025h RM) 02/28/05
5281 #counts SARE_MSGID_LONG40 67s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5282 #counts SARE_MSGID_LONG40 10s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
5283 #max SARE_MSGID_LONG40 45s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
5284 #counts SARE_MSGID_LONG40 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5285 #max SARE_MSGID_LONG40 29s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5286 #counts SARE_MSGID_LONG40 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5288 header __SARE_MSGID_LONG45 MESSAGEID =~ /[a-z0-9\$]{45}/
5289 meta SARE_MSGID_LONG45 __SARE_MSGID_LONG45 && !__SARE_MSGID_LONG50 && !__SARE_MSGID_LONG55 && !__SARE_MSGID_LONG65 && !__SARE_MSGID_LONG75
5290 describe SARE_MSGID_LONG45 Message ID has suspicious length
5291 score SARE_MSGID_LONG45 0.893
5292 #hist SARE_MSGID_LONG45 Created by Frederic Tarasevicius
5293 #counts SARE_MSGID_LONG45 450s/6h of 689155 corpus (348140s/341015h RM) 09/18/05
5294 #counts SARE_MSGID_LONG45 7s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
5295 #counts SARE_MSGID_LONG45 28s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5296 #counts SARE_MSGID_LONG45 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5297 #max SARE_MSGID_LONG45 4s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5298 #counts SARE_MSGID_LONG45 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5300 #####################################################################################
5301 # SARE Received Header Rules
5302 ######## ###################### ##################################################
5304 header SARE_HELO_EQ_CUST X-Spam-Relays-Untrusted =~ /helo=\S*\.customer/i
5305 score SARE_HELO_EQ_CUST 0.122
5306 #ham SARE_HELO_EQ_CUST MyCheckFree, billpay@billpay.bankofamerica.com,
5307 #hist SARE_HELO_EQ_CUST Frederic Tarasevicius, Feb 22 2005
5308 #counts SARE_HELO_EQ_CUST 108s/42h of 689155 corpus (348140s/341015h RM) 09/18/05
5309 #counts SARE_HELO_EQ_CUST 27s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
5310 #counts SARE_HELO_EQ_CUST 23s/6h of 47809 corpus (43224s/4585h MY) 07/27/05
5311 #counts SARE_HELO_EQ_CUST 12s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5312 #counts SARE_HELO_EQ_CUST 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5314 header SARE_HELO_SENDER Received =~ /helo=sender/i
5315 describe SARE_HELO_SENDER Received header has possible spamsign
5316 score SARE_HELO_SENDER 0.486
5317 #hist SARE_HELO_SENDER Originally submitted by Bob Menschel. RM.hr_HeloSender
5318 #ham SARE_HELO_SENDER American Express email to online business accepting their cards
5319 #counts SARE_HELO_SENDER 33s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
5320 #max SARE_HELO_SENDER 33s/3h of 60630 corpus (35509s/25121h RM) 08/11/04
5321 #counts SARE_HELO_SENDER 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5322 #counts SARE_HELO_SENDER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5323 #counts SARE_HELO_SENDER 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5324 #max SARE_HELO_SENDER 1s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5325 #counts SARE_HELO_SENDER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5327 header SARE_HELO_SERVER Received =~ /\(helo=server\)/i
5328 describe SARE_HELO_SERVER Received header has possible spamsign
5329 score SARE_HELO_SERVER 0.722
5330 #ham SARE_HELO_SERVER confirmed (4): "opt-in" messages from Canon, ASDS Computer Co. software registration confirmation
5331 #counts SARE_HELO_SERVER 25s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
5332 #max SARE_HELO_SERVER 104s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
5333 #counts SARE_HELO_SERVER 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5334 #counts SARE_HELO_SERVER 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5335 #counts SARE_HELO_SERVER 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5336 #max SARE_HELO_SERVER 8s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
5337 #counts SARE_HELO_SERVER 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5339 header SARE_RECV_CHAR_CARAT Received =~ /\^/
5340 describe SARE_RECV_CHAR_CARAT Received header has apparently invalid character
5341 score SARE_RECV_CHAR_CARAT 0.619
5342 #ham SARE_RECV_CHAR_CARAT confirmed (1)
5343 #hist SARE_RECV_CHAR_CARAT Created by Bob Menschel May 3 2004
5344 #counts SARE_RECV_CHAR_CARAT 23s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
5345 #counts SARE_RECV_CHAR_CARAT 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5346 #max SARE_RECV_CHAR_CARAT 2s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
5347 #counts SARE_RECV_CHAR_CARAT 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5348 #counts SARE_RECV_CHAR_CARAT 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5349 #counts SARE_RECV_CHAR_CARAT 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5351 header SARE_RECV_INFOSAT Received =~ /\binfosat\.(?:com|net)/
5352 describe SARE_RECV_INFOSAT Email passed through apparent spammer domain
5353 score SARE_RECV_INFOSAT 0.618
5354 #counts SARE_RECV_INFOSAT 37s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
5355 #max SARE_RECV_INFOSAT 484s/35h of 238550 corpus (112525s/126025h RM) 02/28/05
5356 #counts SARE_RECV_INFOSAT 18s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5357 #counts SARE_RECV_INFOSAT 17s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5358 #counts SARE_RECV_INFOSAT 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
5359 #counts SARE_RECV_INFOSAT 2s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
5361 header SARE_RECV_SPAM_DOMN03 Received =~ /\b(?:takas)\.lt/
5362 describe SARE_RECV_SPAM_DOMN03 Email passed through apparent spammer domain
5363 score SARE_RECV_SPAM_DOMN03 0.646
5364 #counts SARE_RECV_SPAM_DOMN03 56s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
5365 #counts SARE_RECV_SPAM_DOMN03 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5366 #max SARE_RECV_SPAM_DOMN03 7s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5367 #counts SARE_RECV_SPAM_DOMN03 3s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
5368 #counts SARE_RECV_SPAM_DOMN03 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5369 #max SARE_RECV_SPAM_DOMN03 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5370 #counts SARE_RECV_SPAM_DOMN03 2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
5372 header SARE_RECV_SPAM_DOMN07 Received =~ /\bnoos\.fr/
5373 describe SARE_RECV_SPAM_DOMN07 Spam passed through noos.fr relay
5374 score SARE_RECV_SPAM_DOMN07 0.615
5375 #counts SARE_RECV_SPAM_DOMN07 370s/44h of 689155 corpus (348140s/341015h RM) 09/18/05
5376 #counts SARE_RECV_SPAM_DOMN07 40s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5377 #counts SARE_RECV_SPAM_DOMN07 55s/1h of 47809 corpus (43224s/4585h MY) 07/27/05
5378 #counts SARE_RECV_SPAM_DOMN07 18s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5379 #counts SARE_RECV_SPAM_DOMN07 8s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
5381 header SARE_RECV_SPAM_NAME1 Received =~ /\bHINET-IP/i
5382 describe SARE_RECV_SPAM_NAME1 Email passed through probable spammer relay
5383 score SARE_RECV_SPAM_NAME1 0.614
5384 #counts SARE_RECV_SPAM_NAME1 349s/35h of 689155 corpus (348140s/341015h RM) 09/18/05
5385 #counts SARE_RECV_SPAM_NAME1 12s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5386 #counts SARE_RECV_SPAM_NAME1 11s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
5387 #max SARE_RECV_SPAM_NAME1 15s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5388 #counts SARE_RECV_SPAM_NAME1 8s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5389 #max SARE_RECV_SPAM_NAME1 8s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5390 #counts SARE_RECV_SPAM_NAME1 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
5392 header SARE_RECV_SPAM_NAME2 Received =~ /\bnetvigator\.com/
5393 describe SARE_RECV_SPAM_NAME2 Spam passed through netvigator.com system
5394 score SARE_RECV_SPAM_NAME2 0.393
5395 #hist SARE_RECV_SPAM_NAME2 Created by Bob Menschel June 9 2004
5396 #ham SARE_RECV_SPAM_NAME2 Appropriate (probably not spam) UCE via TradeEasy to CW.com, 3 in 2003, 1 in 2004
5397 #counts SARE_RECV_SPAM_NAME2 155s/24h of 689155 corpus (348140s/341015h RM) 09/18/05
5398 #counts SARE_RECV_SPAM_NAME2 19s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5399 #counts SARE_RECV_SPAM_NAME2 4s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5400 #max SARE_RECV_SPAM_NAME2 5s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
5401 #counts SARE_RECV_SPAM_NAME2 2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5402 #max SARE_RECV_SPAM_NAME2 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5403 #counts SARE_RECV_SPAM_NAME2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5405 #####################################################################################
5406 # SARE Received Header IP Address Rules
5407 ######## ###################### ##################################################
5409 header SARE_RECV_IP_066111 Received =~ /\[66\.111\.(?:19[2-9]|2\d\d)\.\d{1,3}\]/
5410 describe SARE_RECV_IP_066111 Passed through possible spammer relay or source
5411 score SARE_RECV_IP_066111 0.347
5412 #ham SARE_RECV_IP_066111 confirmed (1)
5413 #note SARE_RECV_IP_066111 WebHostPlus
5414 #hist SARE_RECV_IP_066111 Created by Bob Menschel Nov 27 2004
5415 #counts SARE_RECV_IP_066111 38s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
5416 #counts SARE_RECV_IP_066111 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5417 #counts SARE_RECV_IP_066111 12s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5418 #max SARE_RECV_IP_066111 90s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5419 #counts SARE_RECV_IP_066111 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5420 #counts SARE_RECV_IP_066111 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5422 header SARE_RECV_IP_069194 Received =~ /from \[62\.19[45]\.\d{1,3}\.\d{1,3}\]/
5423 describe SARE_RECV_IP_069194 Spam passed through possible spammer relay
5424 score SARE_RECV_IP_069194 1.666
5425 #stype SARE_RECV_IP_069194 spamp
5426 #counts SARE_RECV_IP_069194 14s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
5427 #max SARE_RECV_IP_069194 213s/0h of 106584 corpus (86917s/19667h) 03/13/04
5428 #counts SARE_RECV_IP_069194 2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5429 #counts SARE_RECV_IP_069194 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5430 #counts SARE_RECV_IP_069194 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5431 #counts SARE_RECV_IP_069194 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5433 header SARE_RECV_IP_080032 Received =~ /\[80\.32\.\d{1,3}\.\d{1,3}\]/
5434 describe SARE_RECV_IP_080032 Spam passed through possible spammer relay
5435 score SARE_RECV_IP_080032 0.615
5436 #ham SARE_RECV_IP_080032 confirmed (1)
5437 #hist SARE_RECV_IP_080032 Created by Bob Menschel Apr 28 2004
5438 #counts SARE_RECV_IP_080032 30s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
5439 #counts SARE_RECV_IP_080032 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5440 #max SARE_RECV_IP_080032 2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5441 #counts SARE_RECV_IP_080032 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5442 #counts SARE_RECV_IP_080032 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5443 #max SARE_RECV_IP_080032 2s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5444 #counts SARE_RECV_IP_080032 1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
5446 header SARE_RECV_IP_080040 Received =~ /\[80\.4[1-7]\.\d{1,3}\.\d{1,3}\]/
5447 describe SARE_RECV_IP_080040 Spam passed through possible spammer relay
5448 score SARE_RECV_IP_080040 0.456
5449 #ham SARE_RECV_IP_080040 confirmed (6)
5450 #hist SARE_RECV_IP_080040 Created by Bob Menschel June 7 2004
5451 #counts SARE_RECV_IP_080040 298s/21h of 689155 corpus (348140s/341015h RM) 09/18/05
5452 #counts SARE_RECV_IP_080040 11s/18h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5453 #counts SARE_RECV_IP_080040 14s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5454 #counts SARE_RECV_IP_080040 3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5455 #max SARE_RECV_IP_080040 5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5456 #counts SARE_RECV_IP_080040 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
5458 header SARE_RECV_IP_080178 Received =~ /\[80\.17[89]\.\d{1,3}\.\d{1,3}\]/
5459 describe SARE_RECV_IP_080178 Spam passed through possible spammer relay
5460 score SARE_RECV_IP_080178 0.391
5461 #ham SARE_RECV_IP_080178 Family email from Israel
5462 #counts SARE_RECV_IP_080178 409s/60h of 689155 corpus (348140s/341015h RM) 09/18/05
5463 #counts SARE_RECV_IP_080178 11s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5464 #max SARE_RECV_IP_080178 21s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5465 #counts SARE_RECV_IP_080178 11s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5466 #max SARE_RECV_IP_080178 11s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5467 #counts SARE_RECV_IP_080178 4s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5468 #counts SARE_RECV_IP_080178 1s/1h of 7500 corpus (1767s/5733h ft) 09/18/05
5470 header SARE_RECV_IP_222126 Received =~ /\[222\.126\.(?:\d{1,2}|1[01]\d|12[0-7])\.\d{1,3}\]/
5471 describe SARE_RECV_IP_222126 Passed through possible spammer relay or source
5472 score SARE_RECV_IP_222126 0.612
5473 #note SARE_RECV_IP_222126 Infocom, Makati City, PH
5474 #hist SARE_RECV_IP_222126 Created by Bob Menschel Dec 01 2004
5475 #counts SARE_RECV_IP_222126 37s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
5476 #counts SARE_RECV_IP_222126 3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5477 #counts SARE_RECV_IP_222126 1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
5478 #counts SARE_RECV_IP_222126 0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5479 #max SARE_RECV_IP_222126 1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5480 #counts SARE_RECV_IP_222126 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5482 #####################################################################################
5483 # SARE Reply-To Rules
5484 ######## ###################### ##################################################
5486 header SARE_REPLY_SPAMWORD2 Reply-To =~ /(?:amateur|funny|interacia)/i
5487 describe SARE_REPLY_SPAMWORD2 Reply-To email addr incl spam indicator word
5488 score SARE_REPLY_SPAMWORD2 0.486
5489 #ham SARE_REPLY_SPAMWORD2 confrmed (1)
5490 #counts SARE_REPLY_SPAMWORD2 10s/3h of 689155 corpus (348140s/341015h RM) 09/18/05
5491 #counts SARE_REPLY_SPAMWORD2 0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5492 #max SARE_REPLY_SPAMWORD2 1s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
5493 #counts SARE_REPLY_SPAMWORD2 25s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
5494 #counts SARE_REPLY_SPAMWORD2 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5495 #counts SARE_REPLY_SPAMWORD2 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5497 #####################################################################################
5498 # SARE TO & CC Rules
5499 ######## ###################### ##################################################
5501 header SARE_TOCC_SLASHES ToCc =~ m'//'
5502 describe SARE_TOCC_SLASHES Spam sign: double slashes in To/Cc headers
5503 score SARE_TOCC_SLASHES 0.111
5504 #counts SARE_TOCC_SLASHES 4s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
5505 #max SARE_TOCC_SLASHES 9s/0h of 85901 corpus (63701s/22200h RM) 06/05/04
5506 #counts SARE_TOCC_SLASHES 1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5507 #counts SARE_TOCC_SLASHES 1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5508 #counts SARE_TOCC_SLASHES 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5509 #counts SARE_TOCC_SLASHES 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5511 #####################################################################################
5512 # SARE X-Mailer Rules
5513 ######## ###################### ##################################################
5515 header SARE_XMAIL_BULK3a X-Mailer =~ /Foxmail/i
5516 describe SARE_XMAIL_BULK3a Uses bulk mailer used by spammers
5517 score SARE_XMAIL_BULK3a 0.735
5518 #ham SARE_XMAIL_BULK3a ham from 2003 from China, "Foxmail 4.[12] \[cn\]", same as found in spam
5519 #hist SARE_XMAIL_BULK3a Bob Menschel: PSS Bulk Mailer, Calypso
5520 #counts SARE_XMAIL_BULK3a 2166s/65h of 689155 corpus (348140s/341015h RM) 09/18/05
5521 #counts SARE_XMAIL_BULK3a 4s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5522 #max SARE_XMAIL_BULK3a 5s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5523 #counts SARE_XMAIL_BULK3a 0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
5524 #max SARE_XMAIL_BULK3a 4s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
5525 #counts SARE_XMAIL_BULK3a 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5526 #counts SARE_XMAIL_BULK3a 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5528 #todo SARE_XMAIL_BULK5 Add test for BSP-Trusted.
5529 header SARE_XMAIL_BULK5 X-Mailer =~ /(?:Roving Constant Contact)/i
5530 describe SARE_XMAIL_BULK5 Uses ham mailer, sometimes abused
5531 score SARE_XMAIL_BULK5 0.648
5532 #hist SARE_XMAIL_BULK5 Bob Menschel: Roving Constant Contact
5533 #counts SARE_XMAIL_BULK5 1641s/90h of 689155 corpus (348140s/341015h RM) 09/18/05
5534 #max SARE_XMAIL_BULK5 1900s/67h of 327690 corpus (159737s/167953h RM) 07/27/05
5535 #counts SARE_XMAIL_BULK5 0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
5536 #counts SARE_XMAIL_BULK5 0s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
5537 #counts SARE_XMAIL_BULK5 0s/3h of 10590 corpus (5819s/4771h CT) 07/26/05
5538 #max SARE_XMAIL_BULK5 3s/3h of 10853 corpus (6391s/4462h CT) 05/16/05
5539 #counts SARE_XMAIL_BULK5 0s/2h of 6924 corpus (1403s/5521h ft) 07/27/05
5541 header SARE_XMAIL_LCDD X-Mailer=~/^[a-z]+ \d\.\d$/
5542 describe SARE_XMAIL_LCDD Ratware mailer
5543 score SARE_XMAIL_LCDD 0.642
5544 #ham SARE_XMAIL_LCDD X-Mailer: reportbug 3.8, tlmpmail 0.9
5545 #counts SARE_XMAIL_LCDD 134s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
5546 #max SARE_XMAIL_LCDD 172s/0h of 33004 corpus (9761s/23243h RM) 05/21/04
5547 #counts SARE_XMAIL_LCDD 5s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5548 #max SARE_XMAIL_LCDD 31s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
5549 #counts SARE_XMAIL_LCDD 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5550 #counts SARE_XMAIL_LCDD 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5551 #counts SARE_XMAIL_LCDD 1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5553 header __SARE_XMAIL_SUSP3 X-Mailer=~ /^(?:[a-z\-]+\s+[a-z\-]+(?:,\s+[a-z\-]+)?|[a-z\-]+ \d\.\d)$/
5554 meta SARE_XMAIL_SUSP3 __SARE_XMAIL_SUSP3 && !SARE_XMAIL_LCDD
5555 describe SARE_XMAIL_SUSP3 Contains a suspicious X-Mailer header
5556 score SARE_XMAIL_SUSP3 1.208
5557 #hist SARE_XMAIL_SUSP3 Jesse Houwing, SARE_TM2_RW_XM
5558 #hist SARE_XMAIL_SUSP3 Modified to meta to avoid overlap with SARE_XMAIL_LCDD; must be in same file as LCDD
5559 #ham SARE_XMAIL_SUSP3 "a script" from macromedia.com
5560 #counts SARE_XMAIL_SUSP3 137s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
5561 #max SARE_XMAIL_SUSP3 505s/1h of 85084 corpus (62489s/22595h RM) 06/08/04
5562 #counts SARE_XMAIL_SUSP3 97s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5563 #max SARE_XMAIL_SUSP3 291s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
5564 #counts SARE_XMAIL_SUSP3 0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
5565 #max SARE_XMAIL_SUSP3 49s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
5566 #counts SARE_XMAIL_SUSP3 1s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5567 #max SARE_XMAIL_SUSP3 10s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
5568 #counts SARE_XMAIL_SUSP3 0s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
5569 #max SARE_XMAIL_SUSP3 1s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
5571 #####################################################################################
5572 # SARE Miscellaneous and X-Header header rules
5573 ######## ###################### ##################################################
5575 header SARE_HEAD_DATE39 Date =~ /^.{39}$/
5576 describe SARE_HEAD_DATE39 Date header suggests this is spam
5577 score SARE_HEAD_DATE39 0.660
5578 #counts SARE_HEAD_DATE39 151s/8h of 689155 corpus (348140s/341015h RM) 09/18/05
5579 #max SARE_HEAD_DATE39 264s/3h of 238550 corpus (112525s/126025h RM) 02/28/05
5580 #counts SARE_HEAD_DATE39 0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
5581 #counts SARE_HEAD_DATE39 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
5582 #counts SARE_HEAD_DATE39 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5583 #counts SARE_HEAD_DATE39 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5585 header SARE_HEAD_DATE61 Date =~ /^.{57,61}$/
5586 score SARE_HEAD_DATE61 -1.000
5587 tflags SARE_HEAD_DATE61 nice
5588 #stype SARE_HEAD_DATE61 ham
5589 #counts SARE_HEAD_DATE61 0s/72h of 689155 corpus (348140s/341015h RM) 09/18/05
5590 #counts SARE_HEAD_DATE61 0s/5h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
5591 #counts SARE_HEAD_DATE61 0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
5592 #counts SARE_HEAD_DATE61 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5593 #counts SARE_HEAD_DATE61 0s/1h of 6924 corpus (1403s/5521h ft) 07/27/05
5595 header SARE_HEAD_DATE_ADDED Date =~ /\(added by/
5596 describe SARE_HEAD_DATE_ADDED Original email had no date - added by later system
5597 score SARE_HEAD_DATE_ADDED 0.139
5598 #ham SARE_HEAD_DATE_ADDED technical notification email from att.com
5599 #counts SARE_HEAD_DATE_ADDED 3s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
5600 #max SARE_HEAD_DATE_ADDED 21s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
5601 #counts SARE_HEAD_DATE_ADDED 2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
5602 #counts SARE_HEAD_DATE_ADDED 0s/1h of 17050 corpus (14617s/2433h MY) 08/08/04
5603 #counts SARE_HEAD_DATE_ADDED 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5604 #counts SARE_HEAD_DATE_ADDED 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5606 header __SARE_HEAD_DATE_L1a Date =~ /.{50}/
5607 header __SARE_HEAD_DATE_L1b Date =~ /added by/
5608 meta SARE_HEAD_DATE_LONG1 __SARE_HEAD_DATE_L1a && !__SARE_HEAD_DATE_L1b
5609 describe SARE_HEAD_DATE_LONG1 Date header has interesting length
5610 score SARE_HEAD_DATE_LONG1 -0.500
5611 tflags SARE_HEAD_DATE_LONG1 nice
5612 #stype SARE_HEAD_DATE_LONG1 ham
5613 #hist SARE_HEAD_DATE_LONG1 Developed by Bob Menschel from rule by Frederic Tarasevicius
5614 #hist SARE_HEAD_DATE_LONG1 Reduce spam hits, Oct 13 2005, Bob Menschel
5615 #counts SARE_HEAD_DATE_LONG1 97s/3020h of 689155 corpus (348140s/341015h RM) 09/18/05
5616 #counts SARE_HEAD_DATE_LONG1 2s/25h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
5617 #counts SARE_HEAD_DATE_LONG1 0s/1h of 20489 corpus (17189s/3300h MY) 01/30/05
5618 #counts SARE_HEAD_DATE_LONG1 0s/3h of 11052 corpus (6614s/4438h CT) 03/10/05
5619 #counts SARE_HEAD_DATE_LONG1 0s/28h of 6924 corpus (1403s/5521h ft) 07/27/05
5621 header SARE_HEAD_XCOM_RFCMIN X-Comment =~ /Sending client does not conform to RFC822 minimum requirements/i
5622 describe SARE_HEAD_XCOM_RFCMIN AT&T Maillennium does not like this email
5623 score SARE_HEAD_XCOM_RFCMIN 0.555
5624 #ham SARE_HEAD_XCOM_RFCMIN confirmed (2)
5625 #hist SARE_HEAD_XCOM_RFCMIN Created by Bob Menschel Sep 05 2004
5626 #counts SARE_HEAD_XCOM_RFCMIN 3s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
5627 #counts SARE_HEAD_XCOM_RFCMIN 3s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
5628 #counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 19447 corpus (16862s/2585h MY) 09/05/04
5629 #counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 44754 corpus (16523s/28231h JH-SA3.0rc1) 09/06/04
5630 #counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
5631 #counts SARE_HEAD_XCOM_RFCMIN 0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
5633 #####################################################################################
5634 # SARE Rules which examine multiple header types
5635 ######## ###################### ##################################################
5637 header __SARE_HEAD_8BIT_HDRS ALL =~ /[\x80-\xff]{3,}/
5638 header SUBJ_ILLEGAL_CHARS eval:check_illegal_chars('Subject','0.00','2')
5639 #note SUBJ_ILLEGAL_CHARS Standard SpamAssassin rule/test
5640 #counts __SARE_HEAD_8BIT_HDRS 14742s/63h of 238550 corpus (112525s/126025h RM) 02/28/05
5641 #counts __SARE_HEAD_8BIT_HDRS 1297s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
5642 #counts __SARE_HEAD_8BIT_HDRS 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
5643 header __SARE_HEAD_8BIT_RPLY Reply-To =~ /[\x80-\xff]{3,}/
5644 #counts __SARE_HEAD_8BIT_RPLY 6259s/9h of 238550 corpus (112525s/126025h RM) 02/28/05
5645 #counts __SARE_HEAD_8BIT_RPLY 728s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
5646 #counts __SARE_HEAD_8BIT_RPLY 0s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
5647 header __SARE_HEAD_8BIT_FROM From =~ /[\x80-\xff]{3,}/
5648 #counts __SARE_HEAD_8BIT_FROM 8565s/23h of 238550 corpus (112525s/126025h RM) 02/28/05
5649 #counts __SARE_HEAD_8BIT_FROM 1823s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
5650 #counts __SARE_HEAD_8BIT_FROM 2s/0h of 26190 corpus (22790s/3400h MY) 02/15/05
5652 meta SARE_HEAD_8BIT_NOSPM __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_DATE && !__SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
5653 describe SARE_HEAD_8BIT_NOSPM Header with 8-bit char suggests spam
5654 score SARE_HEAD_8BIT_NOSPM 0.385
5655 #hist SARE_HEAD_8BIT_NOSPM June 18 2005, Bob Menschel: Added exclusion for subject header
5656 #counts SARE_HEAD_8BIT_NOSPM 593s/85h of 689155 corpus (348140s/341015h RM) 09/18/05
5657 #max SARE_HEAD_8BIT_NOSPM 164s/80h of 268479 corpus (127479s/141000h RM) 06/17/05
5658 #counts SARE_HEAD_8BIT_NOSPM 3s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
5660 meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_8BIT_HDRS && !__SARE_HEAD_8BIT_NOSPM && !SARE_HEAD_8BIT_DATE && !SARE_HEAD_8BIT_RECV && !__SARE_HEAD_8BIT_SUBJ
5661 describe SARE_HEAD_8BIT_SPAM High-ascii characters found in strange header
5662 score SARE_HEAD_8BIT_SPAM 1.666
5663 #hist SARE_HEAD_8BIT_SPAM From Bugzilla # 2243
5664 #hist SARE_HEAD_8BIT_SPAM June 18 2005, Bob Menschel: Added exclusion for subject header
5665 #todo%%% SARE_HEAD_8BIT_SPAM Analysis on avoiding the ham
5667 meta SARE_HEAD_8BIT_SPAM __SARE_HEAD_8BIT_SUBJ && !SUBJ_ILLEGAL_CHARS
5668 describe SARE_HEAD_8BIT_SPAM High-ascii characters found in subject header
5669 score SARE_HEAD_8BIT_SPAM 0.888
5670 #hist SARE_HEAD_8BIT_SPAM Bob Menschel implementation, June 17 2005
5671 #counts SARE_HEAD_8BIT_SPAM 7948s/130h of 689155 corpus (348140s/341015h RM) 09/18/05
5672 #counts SARE_HEAD_8BIT_SPAM 5s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
5673 #counts SARE_HEAD_8BIT_SPAM 1s/2h of 47809 corpus (43224s/4585h MY) 07/27/05
5674 #counts SARE_HEAD_8BIT_SPAM 5s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
projects / spamassassin_config.git / blob