1 # SARE HTML Ruleset for SpamAssassin - ruleset 0
5 # Usage instructions, documentation, and change history in 70_sare_html0.cf
7 #@@# Revision History: Full Revision History stored in 70_sare_html.log
8 #@@# 01.03.09: May 31 2006
9 #@@# Minor score tweaks based on recent mass-checks
10 #@@# Moved file 0 to file 2: SARE_HTML_EHTML_OBFU
11 #@@# Moved file 0 to file 2: SARE_HTML_HEAD_AFFIL
12 #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU1
13 #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU2
14 #@@# Moved file 0 to file 2: SARE_HTML_ONE_LINE3
15 #@@# Moved file 0 to file 2: SARE_HTML_POB1200
16 #@@# Moved file 0 to file 2: SARE_HTML_URI_HIDADD
17 #@@# Moved file 0 to file 2: SARE_HTML_URI_LOGOGEN
18 #@@# Moved file 0 to file 2: SARE_HTML_URI_OFF
19 #@@# Moved file 0 to file 2: SARE_HTML_USL_B7
20 #@@# Moved file 0 to file 2: SARE_HTML_USL_B9
21 #@@# Moved file 0 to file 2: SARE_PHISH_HTML_01
22 #@@# Added file 0: SARE_HTML_FLOAT1
23 #@@# 01.03.10: June 3 2006
24 #@@# Minor score tweaks based on recent mass-checks
25 #@@# Added file 0 SARE_HTML_LINKWARN
26 #@@# Added file 0 SARE_HTML_SPANNER
28 # License: Artistic - see http://www.rulesemporium.com/license.txt
29 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
30 # Current Home: http://www.rulesemporium.com/rules/70_sare_html0.cf
32 # Usage: This family of files, 70_sare_html*.cf, contain rules that test HTML strings within emails
33 # (except URIs, which are handled in the 70_sare_uri*.cf family of files).
35 # File 0: 70_sare_html0.cf -- These are html rules that hit at least 10 spam and no ham.
36 # While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
37 # This is a rules file we expect any/all email systems using SpamAssassin to benefit from.
39 # File 1: 70_sare_html1.cf -- These are html rules that meet one of the follow criteria:
40 # a) Rules that do, or in the past have hit ham during SARE mass-check tests
41 # b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run.
42 # If the rules hit ham, they hit at last 10 spam to each 1 ham.
43 # If the rules hit ham, they hit fewer than 100 ham
44 # With few exceptions these rules score significantly less than the rules in file 0.
45 # Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset,
46 # pick and choose among its rules, or lower their scores.
47 # Systems that use this file 1 should ALSO use file 0.
49 # File 2: 70_sare_html2.cf -- These html rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
50 # These are primarily rules that test for specific html seen only in spam, or similar types of "pretty darn sure" rules.
51 # Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead,
52 # but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
54 # File 3: 70_sare_html3.cf -- These are html rules that hit a significant amount of ham during SARE mass-check tests.
55 # Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
57 # File 4: 70_sare_html4.cf -- These are html rules that meet one of the following criteria:
58 # a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems.
59 # b) They hit no emails at this time, but have been recommended by anti-spam sources.
60 # Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset.
62 # eng: 70_sare_html_eng.cf -- These are html rules which work well within the English language, but are liable to cause false
63 # positives in other languages. They include rules which test for letter combinations. Systems that
64 # receive ham in languages other than English should NOT use this file.
66 # x30: 70_sare_html_x30.cf -- These are html rules which have been incorporated into SpamAssassin 3.0.x,
67 # or which duplicate or greatly overlap 3.0.x rules.
68 # Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
70 # arc: 70_sare_html_arc.cf -- These are html rules that once were published in other files, but which have since lost all value.
71 # They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam.
72 # SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but
73 # we expect that nobody will be running these rules in any production system.
75 ######## ###################### ##################################################
77 ######## ###################### ##################################################
78 # Rules renamed or moved
79 ######## ###################### ##################################################
81 meta SARE_HTML_ALT_WAIT2 __SARE_HEAD_FALSE
82 meta SARE_HTML_BADOPEN __SARE_HEAD_FALSE
83 meta SARE_HTML_BAD_FG_CLR __SARE_HEAD_FALSE
84 meta SARE_HTML_COLOR_B __SARE_HEAD_FALSE
85 meta SARE_HTML_COLOR_NWHT3 __SARE_HEAD_FALSE
86 meta SARE_HTML_FONT_INVIS2 __SARE_HEAD_FALSE
87 meta SARE_HTML_FSIZE_1ALL __SARE_HEAD_FALSE
88 meta SARE_HTML_GIF_DIM __SARE_HEAD_FALSE
89 meta SARE_HTML_HTML_AFTER __SARE_HEAD_FALSE
90 meta SARE_HTML_HTML_DBL __SARE_HEAD_FALSE
91 meta SARE_HTML_HTML_TBL __SARE_HEAD_FALSE
92 meta SARE_HTML_IMG_ONLY __SARE_HEAD_FALSE
93 meta SARE_HTML_JVS_HREF __SARE_HEAD_FALSE
94 meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
95 meta SARE_HTML_MANY_BR10 __SARE_HEAD_FALSE
96 meta SARE_HTML_NO_BODY __SARE_HEAD_FALSE
97 meta SARE_HTML_NO_HTML1 __SARE_HEAD_FALSE
98 meta SARE_HTML_P_JUSTIFY __SARE_HEAD_FALSE
99 meta SARE_HTML_TITLE_SEX __SARE_HEAD_FALSE
100 meta SARE_HTML_URI_2SLASH __SARE_HEAD_FALSE
101 meta SARE_HTML_URI_AXEL __SARE_HEAD_FALSE
102 meta SARE_HTML_URI_BADQRY __SARE_HEAD_FALSE
103 meta SARE_HTML_URI_FORMPHP __SARE_HEAD_FALSE
104 meta SARE_HTML_URI_HREF __SARE_HEAD_FALSE
105 meta SARE_HTML_URI_MANYP2 __SARE_HEAD_FALSE
106 meta SARE_HTML_URI_MANYP3 __SARE_HEAD_FALSE
107 meta SARE_HTML_URI_NUMPHP3 __SARE_HEAD_FALSE
108 meta SARE_HTML_URI_OBFU4 __SARE_HEAD_FALSE
109 meta SARE_HTML_URI_OBFU4a __SARE_HEAD_FALSE
110 meta SARE_HTML_URI_PARTID __SARE_HEAD_FALSE
111 meta SARE_HTML_URI_RID __SARE_HEAD_FALSE
112 meta SARE_HTML_USL_MULT __SARE_HEAD_FALSE
113 meta SARE_HTML_FONT_EBEF __SARE_HEAD_FALSE
114 meta SARE_HTML_URI_DEFASP __SARE_HEAD_FALSE
115 meta SARE_HTML_INV_TAGA __SARE_HEAD_FALSE
116 meta SARE_HTML_EHTML_OBFU __SARE_HEAD_FALSE
117 meta SARE_HTML_HEAD_AFFIL __SARE_HEAD_FALSE
118 meta SARE_HTML_LEAKTHRU1 __SARE_HEAD_FALSE
119 meta SARE_HTML_LEAKTHRU2 __SARE_HEAD_FALSE
120 meta SARE_HTML_ONE_LINE3 __SARE_HEAD_FALSE
121 meta SARE_HTML_POB1200 __SARE_HEAD_FALSE
122 meta SARE_HTML_URI_HIDADD __SARE_HEAD_FALSE
123 meta SARE_HTML_URI_LOGOGEN __SARE_HEAD_FALSE
124 meta SARE_HTML_URI_OFF __SARE_HEAD_FALSE
125 meta SARE_HTML_USL_B7 __SARE_HEAD_FALSE
126 meta SARE_HTML_USL_B9 __SARE_HEAD_FALSE
127 meta SARE_PHISH_HTML_01 __SARE_HEAD_FALSE
129 ######## ###################### ##################################################
131 rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
132 rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
133 rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
134 rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
135 rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
136 rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
137 rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
138 rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
140 rawbody __SARE_HTML_HBODY m'<html><body>'i
141 rawbody __SARE_HTML_BEHTML m'<body></html>'i
142 rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
143 rawbody __SARE_HTML_EFONT m'^</font>'i
144 rawbody __SARE_HTML_EHEB m'^</html></body>'i
145 rawbody __SARE_HTML_CMT_CNTR /<center><!--/
147 # JH: These rules test for strange color combinations. There migth be even more powerful combinations, but I haven't had time to check them all
148 rawbody __SARE_LIGHT_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
149 rawbody __SARE_WHITE_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
150 rawbody __SARE_DARK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
151 rawbody __SARE_BLACK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
152 rawbody __SARE_LIGHT_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
153 rawbody __SARE_WHITE_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
154 rawbody __SARE_DARK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
155 rawbody __SARE_BLACK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
156 rawbody __SARE_HAS_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=)/i
157 rawbody __SARE_HAS_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=)/i
159 ######## ###################### ##################################################
160 # <HTML> and <BODY> tag spamsign
161 ######## ###################### ##################################################
163 ######## ###################### ##################################################
165 ######## ###################### ##################################################
167 rawbody SARE_HTML_A_INV /href\w*href/i
168 describe SARE_HTML_A_INV HTML has malformed anchor/href tag
169 score SARE_HTML_A_INV 3.333
170 #stype SARE_HTML_A_INV spamg
171 #wasalso SARE_HTML_A_INV /href[a-z]*href/i
172 #wasalso SARE_HTML_A_INV Fred's FR_FUNNY_HREF
173 #wasalso SARE_HTML_A_INV /\w\whref=http:/i from David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
174 #counts SARE_HTML_A_INV 8s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
175 #max SARE_HTML_A_INV 628s/0h of 66351 corpus (40971s/25380h RM) 08/21/04
176 #counts SARE_HTML_A_INV 7s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
177 #counts SARE_HTML_A_INV 38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
178 #counts SARE_HTML_A_INV 4s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
179 #max SARE_HTML_A_INV 23s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
180 #counts SARE_HTML_A_INV 2s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
181 #counts SARE_HTML_A_INV 8s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
182 #max SARE_HTML_A_INV 101s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
183 #counts SARE_HTML_A_INV 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
184 #counts SARE_HTML_A_INV 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
185 #max SARE_HTML_A_INV 2s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
187 rawbody SARE_HTML_LINKWARN /\bShowLinkWarning\b/
188 score SARE_HTML_LINKWARN 1.133
189 describe SARE_HTML_LINKWARN Possible spam sign in HTML
190 #hist SARE_HTML_LINKWARN Loren Wilton, April 2006
191 #counts SARE_HTML_LINKWARN 126s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
192 #counts SARE_HTML_LINKWARN 5s/0h of 55981 corpus (51658s/4323h AxB2) 05/15/06
193 #counts SARE_HTML_LINKWARN 17s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
194 #counts SARE_HTML_LINKWARN 60s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
195 #counts SARE_HTML_LINKWARN 168s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
196 #counts SARE_HTML_LINKWARN 12s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
197 #counts SARE_HTML_LINKWARN 26s/0h of 22939 corpus (17232s/5707h MY) 05/14/06
199 ######## ###################### ##################################################
200 # Spamsign character sets and fonts
201 ######## ###################### ##################################################
203 rawbody SARE_HTML_FONT_LWORD m'^<font style=font-size:1px>[a-z]{30,}\.</font><br>'i
204 describe SARE_HTML_FONT_LWORD unusual document format
205 score SARE_HTML_FONT_LWORD 1.666
206 #hist SARE_HTML_FONT_LWORD Loren Wilton: LW_SPAMFERSURE
207 #counts SARE_HTML_FONT_LWORD 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
208 #max SARE_HTML_FONT_LWORD 194s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
209 #counts SARE_HTML_FONT_LWORD 2s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
210 #counts SARE_HTML_FONT_LWORD 81s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
211 #counts SARE_HTML_FONT_LWORD 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
212 #counts SARE_HTML_FONT_LWORD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
213 #max SARE_HTML_FONT_LWORD 2s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
215 full SARE_HTML_FONT_SPLIT /<font color=\n\n"?\#[a-f]\w[a-f]\w[a-f]\w"?>/i
216 describe SARE_HTML_FONT_SPLIT HTML bright font color tag split by blank lines
217 score SARE_HTML_FONT_SPLIT 1.666
218 #hist SARE_HTML_FONT_SPLIT David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
219 #overlap SARE_HTML_FONT_SPLIT Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
220 #overlap SARE_HTML_FONT_SPLIT Overlaps strongly with SARE_HTML_FONT_SPL for obvious reasons, but not enough to warrant dropping one.
221 #counts SARE_HTML_FONT_SPLIT 5s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
222 #max SARE_HTML_FONT_SPLIT 431s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
223 #counts SARE_HTML_FONT_SPLIT 5s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
224 #counts SARE_HTML_FONT_SPLIT 1s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
225 #max SARE_HTML_FONT_SPLIT 14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
226 #counts SARE_HTML_FONT_SPLIT 31s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
227 #counts SARE_HTML_FONT_SPLIT 6s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
228 #max SARE_HTML_FONT_SPLIT 65s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
229 #counts SARE_HTML_FONT_SPLIT 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
230 #counts SARE_HTML_FONT_SPLIT 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
232 ######## ###################### ##################################################
234 ######## ###################### ##################################################
236 ######## ###################### ##################################################
237 # Obviously invalid html tag
238 ######## ###################### ##################################################
240 ######## ###################### ##################################################
241 # Invalid or Suspicious URI Tests
242 ######## ###################### ##################################################
244 ######## ###################### ##################################################
245 # <!-- Comment tag tests
246 ######## ###################### ##################################################
248 ######## ###################### ##################################################
250 ######## ###################### ##################################################
252 rawbody SARE_HTML_IMG_CID2 /\"cid:(?:[A-Z]{8}\.){3}[A-Z]{8}_csseditor\"/ # no /i
253 describe SARE_HTML_IMG_CID2 table spam image
254 score SARE_HTML_IMG_CID2 2.222
255 #hist SARE_HTML_IMG_CID2 Loren Wilton, May 2005
256 #counts SARE_HTML_IMG_CID2 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
257 #max SARE_HTML_IMG_CID2 1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
258 #counts SARE_HTML_IMG_CID2 66s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
259 #max SARE_HTML_IMG_CID2 114s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
260 #counts SARE_HTML_IMG_CID2 63s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
261 #counts SARE_HTML_IMG_CID2 2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
262 #counts SARE_HTML_IMG_CID2 45s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
263 #counts SARE_HTML_IMG_CID2 8s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
264 #counts SARE_HTML_IMG_CID2 4s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
265 #max SARE_HTML_IMG_CID2 37s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
267 ######## ###################### ##################################################
268 # Javascript and object tests
269 ######## ###################### ##################################################
271 ######## ###################### ##################################################
273 ######## ###################### ##################################################
275 ######## ###################### ##################################################
276 # Paragraphs, breaks, and spacings
277 ######## ###################### ##################################################
279 rawbody __SARE_HTML_FLOAT1A /^\s*(?:=(?:3[Dd])?\s*\"\s*)?float\s*(?:\:\s*)?$/i
280 rawbody __SARE_HTML_FLOAT1B /^(?:\s*|=(?:3D)?")?float:?\s*$/i
281 meta SARE_HTML_FLOAT1 __SARE_HTML_FLOAT1A || __SARE_HTML_FLOAT1B
282 describe SARE_HTML_FLOAT1 Contains HTML formatting used in spam
283 score SARE_HTML_FLOAT1 2.666
284 #counts SARE_HTML_FLOAT1 574s/0h of 192466 corpus (93270s/99196h RM) 05/31/06
285 #counts SARE_HTML_FLOAT1 21s/0h of 26358 corpus (22027s/4331h AxB2) 06/01/06
286 #counts SARE_HTML_FLOAT1 125s/0h of 13285 corpus (7412s/5873h CT) 05/31/06
287 #counts SARE_HTML_FLOAT1 1645s/0h of 162350 corpus (110752s/51598h DOC) 05/31/06
288 #counts SARE_HTML_FLOAT1 40s/0h of 15726 corpus (7781s/7945h FT) 05/31/06
289 #counts SARE_HTML_FLOAT1 3054s/0h of 119967 corpus (84310s/35657h ML) 05/31/06
290 #counts SARE_HTML_FLOAT1 17s/0h of 22937 corpus (17232s/5705h MY) 05/31/06
292 rawbody SARE_HTML_ORIG_MSG /^-----original message-----<br>$/
293 describe SARE_HTML_ORIG_MSG Fake replied message?
294 score SARE_HTML_ORIG_MSG 1.666
295 #hist SARE_HTML_ORIG_MSG Tim Jackson, May 12, 2005
296 #counts SARE_HTML_ORIG_MSG 65s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
297 #counts SARE_HTML_ORIG_MSG 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
298 #max SARE_HTML_ORIG_MSG 12s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
299 #counts SARE_HTML_ORIG_MSG 14s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
300 #counts SARE_HTML_ORIG_MSG 38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
301 #counts SARE_HTML_ORIG_MSG 22s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
302 #counts SARE_HTML_ORIG_MSG 119s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
303 #counts SARE_HTML_ORIG_MSG 10s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
304 #max SARE_HTML_ORIG_MSG 154s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
306 rawbody SARE_HTML_SPANNER /> [a-z] <\/span>[a-z]<span/i
307 describe SARE_HTML_SPANNER spammer is a SARE_HTML_SPANNER
308 score SARE_HTML_SPANNER 2.222
309 #hist SARE_HTML_SPANNER variation apparently scheduled for SA distribution in 3.2
310 #hist SARE_HTML_SPANNER Robert Brooks, March 2006
311 #counts SARE_HTML_SPANNER 1849s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
312 #counts SARE_HTML_SPANNER 7s/0h of 9982 corpus (5652s/4330h AxB) 05/14/06
313 #counts SARE_HTML_SPANNER 108s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
314 #counts SARE_HTML_SPANNER 959s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
315 #counts SARE_HTML_SPANNER 31s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
316 #counts SARE_HTML_SPANNER 3027s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
317 #counts SARE_HTML_SPANNER 9s/0h of 22939 corpus (17232s/5707h MY) 05/14/06
319 ######## ###################### ##################################################
320 # Suspicious tag combinations
321 ######## ###################### ##################################################
323 full SARE_HTML_CALL_ME m'\nPhone:\s+\d{3}-[\d\-<BR>]+\nMobile:\s+\d{3}-[\d\-<BR>]+\nEmail:\s+<A href.{1,100}</A>\n</DIV></BODY></HTML>'
324 describe SARE_HTML_CALL_ME spammer sign in text
325 score SARE_HTML_CALL_ME 2.222
326 #hist SARE_HTML_CALL_ME Loren Wilton: LW_CALLME
327 #counts SARE_HTML_CALL_ME 1s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
328 #max SARE_HTML_CALL_ME 1964s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
329 #counts SARE_HTML_CALL_ME 270s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
330 #counts SARE_HTML_CALL_ME 0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
331 #counts SARE_HTML_CALL_ME 0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
332 #counts SARE_HTML_CALL_ME 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
334 ######## ###################### ##################################################
335 # Miscellaneous tag tests
336 ######## ###################### ##################################################
338 ######## ###################### ##################################################
339 # Useless tags (tag structures that do nothing)
340 # Largely submitted by Matt Yackley, with contributions by
341 # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
342 ######## ###################### ##################################################
344 ######## ###################### ##################################################
345 # Tests destined for other rule sets
346 ######## ###################### ##################################################
348 rawbody __SARE_PHISH_HTML_02a m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
349 full __SARE_PHISH_HTML_02b m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
350 meta SARE_PHISH_HTML_02 __SARE_PHISH_HTML_02a || __SARE_PHISH_HTML_02b
351 score SARE_PHISH_HTML_02 2.500
352 #stype SARE_PHISH_HTML_02 spamgg # phish
353 #hist SARE_PHISH_HTML_02 Loren Wilton: SARE_PHISH_HTML_03
354 describe SARE_PHISH_HTML_02 numeric href with https description
355 #counts SARE_PHISH_HTML_02 49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
356 #max SARE_PHISH_HTML_02 90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
357 #counts SARE_PHISH_HTML_02 3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
358 #counts SARE_PHISH_HTML_02 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
359 #counts SARE_PHISH_HTML_02 18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
360 #counts SARE_PHISH_HTML_02 34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
361 #counts SARE_PHISH_HTML_02 5s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
362 #counts SARE_PHISH_HTML_02 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
363 #counts SARE_PHISH_HTML_02 2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
365 rawbody __SARE_PHISH_HTML_03 m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
366 full __SARE_PHISH_HTML_03a m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
367 meta SARE_PHISH_HTML_03 __SARE_PHISH_HTML_03 || __SARE_PHISH_HTML_03a
368 describe SARE_PHISH_HTML_03 numeric href with https description
369 score SARE_PHISH_HTML_03 1.666
370 #stype SARE_PHISH_HTML_03 spamg
371 #hist SARE_PHISH_HTML_03 Loren Wilton, Feb 28 2005
372 #counts SARE_PHISH_HTML_03 49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
373 #max SARE_PHISH_HTML_03 90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
374 #counts SARE_PHISH_HTML_03 3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
375 #counts SARE_PHISH_HTML_03 6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
376 #counts SARE_PHISH_HTML_03 18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
377 #counts SARE_PHISH_HTML_03 34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
378 #counts SARE_PHISH_HTML_03 5s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/13/05
379 #counts SARE_PHISH_HTML_03 3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
380 #counts SARE_PHISH_HTML_03 2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
385 # SARE HTML Ruleset for SpamAssassin - ruleset 1
387 # Created: 2004-03-31
388 # Modified: 2006-06-03
389 # Usage instructions, documentation, and change history in 70_sare_html0.cf
391 #@@# Revision History: Full Revision History stored in 70_sare_html.log
392 #@@# 01.03.10: June 3 2006
393 #@@# Minor score tweaks based on recent mass-checks
394 #@@# Modified "rule has been moved" meta flags
395 #@@# Added to file 1 SARE_HTML_SINGLETS
396 #@@# Archive: SARE_HTML_ALT_WAIT1
397 #@@# Archive: SARE_HTML_A_NULL
398 #@@# Archive: SARE_HTML_H2_CLK
399 #@@# Archive: SARE_HTML_JSCRIPT_ENC
400 #@@# Archive: SARE_HTML_URI_BUG
401 #@@# Moved file 1 to 2: SARE_HTML_BR_MANY
402 #@@# Moved file 1 to 2: SARE_HTML_ONE_LINE2
403 #@@# Moved file 1 to 2: SARE_HTML_URI_OC
404 #@@# Moved file 1 to 3: SARE_HTML_TITLE_MNY
405 #@@# Moved file 1 to 3: SARE_HTML_URI_DEFASP
407 # License: Artistic - see http://www.rulesemporium.com/license.txt
408 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
409 # Current Home: http://www.rulesemporium.com/rules/70_sare_html1.cf
411 ######## ###################### ##################################################
412 # Rules renamed or moved
413 ######## ###################### ##################################################
415 meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
416 meta SARE_HTML_URI_RM __SARE_HEAD_FALSE
417 meta SARE_HTML_URI_REFID __SARE_HEAD_FALSE
418 meta SARE_HTML_ALT_WAIT1 __SARE_HEAD_FALSE
419 meta SARE_HTML_A_NULL __SARE_HEAD_FALSE
420 meta SARE_HTML_H2_CLK __SARE_HEAD_FALSE
421 meta SARE_HTML_JSCRIPT_ENC __SARE_HEAD_FALSE
422 meta SARE_HTML_URI_BUG __SARE_HEAD_FALSE
423 meta SARE_HTML_BR_MANY __SARE_HEAD_FALSE
424 meta SARE_HTML_ONE_LINE2 __SARE_HEAD_FALSE
425 meta SARE_HTML_URI_OC __SARE_HEAD_FALSE
426 meta SARE_HTML_TITLE_MNY __SARE_HEAD_FALSE
427 meta SARE_HTML_URI_DEFASP __SARE_HEAD_FALSE
429 ######## ###################### ##################################################
431 header __CTYPE_HTML Content-Type =~ /text\/html/i
433 rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
434 rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
435 rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
436 rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
437 rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
438 rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
439 rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
440 rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
442 rawbody __SARE_HTML_HBODY m'<html><body>'i
443 rawbody __SARE_HTML_BEHTML m'<body></html>'i
444 rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
445 rawbody __SARE_HTML_EFONT m'^</font>'i
446 rawbody __SARE_HTML_EHEB m'^</html></body>'i
447 rawbody __SARE_HTML_CMT_CNTR /<center><!--/
449 # JH: These rules test for strange color combinations. There migth be even more powerful combinations, but I haven't had time to check them all
450 rawbody __SARE_LIGHT_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
451 rawbody __SARE_WHITE_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
452 rawbody __SARE_DARK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
453 rawbody __SARE_BLACK_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
454 rawbody __SARE_LIGHT_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
455 rawbody __SARE_WHITE_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
456 rawbody __SARE_DARK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
457 rawbody __SARE_BLACK_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
458 rawbody __SARE_HAS_BG_COLOR /(?:bg|background\-)color\s{0,10}(?::|=)/i
459 rawbody __SARE_HAS_FG_COLOR /[^\-a-z]color\s{0,10}(?::|=)/i
461 ######## ###################### ##################################################
462 # Is there a message?
463 ######## ###################### ##################################################
465 ######## ###################### ##################################################
466 # <HTML> and <BODY> tag spamsign
467 ######## ###################### ##################################################
469 full SARE_HTML_HTML_QUOT /<HTML>.{0,2}"/is
470 describe SARE_HTML_HTML_QUOT Message body has very strange HTML sequence
471 score SARE_HTML_HTML_QUOT 1.666
472 #ham SARE_HTML_HTML_QUOT verified (2)
473 #hist SARE_HTML_HTML_QUOT Fred T: FR_HTML_QUOTE
474 #counts SARE_HTML_HTML_QUOT 197s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
475 #max SARE_HTML_HTML_QUOT 236s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
476 #counts SARE_HTML_HTML_QUOT 23s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
477 #counts SARE_HTML_HTML_QUOT 16s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
478 #counts SARE_HTML_HTML_QUOT 82s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
479 #counts SARE_HTML_HTML_QUOT 38s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
480 #counts SARE_HTML_HTML_QUOT 159s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
481 #counts SARE_HTML_HTML_QUOT 5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
482 #max SARE_HTML_HTML_QUOT 98s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
483 #counts SARE_HTML_HTML_QUOT 0s/0h of 4676 corpus (808s/3868h ft) 05/28/05
485 full SARE_HTML_HTML_TBL /<html>.{0,2}<table/is
486 describe SARE_HTML_HTML_TBL Message body has very strange HTML sequence
487 score SARE_HTML_HTML_TBL 0.646
488 #hist SARE_HTML_HTML_TBL Fred T: FR_HTML_TABLE
489 #counts SARE_HTML_HTML_TBL 94s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
490 #max SARE_HTML_HTML_TBL 287s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
491 #counts SARE_HTML_HTML_TBL 10s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
492 #counts SARE_HTML_HTML_TBL 10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
493 #counts SARE_HTML_HTML_TBL 3s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
494 #counts SARE_HTML_HTML_TBL 11s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
495 #max SARE_HTML_HTML_TBL 140s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
496 #counts SARE_HTML_HTML_TBL 22s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
497 #counts SARE_HTML_HTML_TBL 13s/3h of 23074 corpus (17350s/5724h MY) 05/14/06
498 #max SARE_HTML_HTML_TBL 30s/3h of 57287 corpus (52272s/5015h MY) 09/22/05
500 ######## ###################### ##################################################
502 ######## ###################### ##################################################
504 rawbody SARE_HTML_TITLE_1WD m'^<title>[a-z]+</title>$'
505 describe SARE_HTML_TITLE_1WD strange document title
506 score SARE_HTML_TITLE_1WD 1.591
507 #hist SARE_HTML_TITLE_1WD Loren Wilton LW_FUNNY_TITLE
508 #counts SARE_HTML_TITLE_1WD 1125s/4h of 333405 corpus (262498s/70907h RM) 05/12/06
509 #max SARE_HTML_TITLE_1WD 2076s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
510 #counts SARE_HTML_TITLE_1WD 34s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
511 #counts SARE_HTML_TITLE_1WD 105s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
512 #max SARE_HTML_TITLE_1WD 143s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
513 #counts SARE_HTML_TITLE_1WD 0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
514 #max SARE_HTML_TITLE_1WD 1s/0h of 4676 corpus (808s/3868h ft) 05/28/05
515 #counts SARE_HTML_TITLE_1WD 123s/2h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
516 #counts SARE_HTML_TITLE_1WD 174s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
517 #counts SARE_HTML_TITLE_1WD 53s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
518 #max SARE_HTML_TITLE_1WD 151s/1h of 47221 corpus (42968s/4253h MY) 06/18/05
520 rawbody SARE_HTML_TITLE_2WD m'^<title>[a-z]+\s[a-z]+</title>$' # no /i
521 score SARE_HTML_TITLE_2WD 0.660
522 describe SARE_HTML_TITLE_2WD strange document title
523 #hist SARE_HTML_TITLE_2WD Loren Wilton LW_FUNNY_TITLE1
524 #counts SARE_HTML_TITLE_2WD 85s/7h of 333405 corpus (262498s/70907h RM) 05/12/06
525 #max SARE_HTML_TITLE_2WD 314s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
526 #counts SARE_HTML_TITLE_2WD 18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
527 #counts SARE_HTML_TITLE_2WD 14s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
528 #max SARE_HTML_TITLE_2WD 15s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
529 #counts SARE_HTML_TITLE_2WD 6s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
530 #max SARE_HTML_TITLE_2WD 19s/1h of 54089 corpus (16916s/37173h JH-3.01) 02/25/05
531 #counts SARE_HTML_TITLE_2WD 29s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
532 #counts SARE_HTML_TITLE_2WD 18s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
533 #max SARE_HTML_TITLE_2WD 40s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
535 rawbody SARE_HTML_TITLE_DAY /<title>(monday|tuesday|wednesday|thursday|friday)<\/title>/i
536 describe SARE_HTML_TITLE_DAY HTML contains day of week in title
537 score SARE_HTML_TITLE_DAY 1.081
538 #hist SARE_HTML_TITLE_DAY Tim Jackson, May 12 2005
539 #counts SARE_HTML_TITLE_DAY 184s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
540 #counts SARE_HTML_TITLE_DAY 2s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
541 #counts SARE_HTML_TITLE_DAY 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
542 #max SARE_HTML_TITLE_DAY 25s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
543 #counts SARE_HTML_TITLE_DAY 2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
544 #counts SARE_HTML_TITLE_DAY 1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
545 #max SARE_HTML_TITLE_DAY 16s/1h of 57287 corpus (52272s/5015h MY) 09/22/05
547 rawbody SARE_HTML_TITLE_LWORD /<title>[a-zA-Z]{15,}<\/title>/i
548 describe SARE_HTML_TITLE_LWORD HTML Title contains looong word
549 score SARE_HTML_TITLE_LWORD 0.665
550 #ham SARE_HTML_TITLE_LWORD Rite Aid Single Check Rebates <rebates@rebates.riteaid.com>
551 #counts SARE_HTML_TITLE_LWORD 485s/31h of 333405 corpus (262498s/70907h RM) 05/12/06
552 #max SARE_HTML_TITLE_LWORD 732s/40h of 689155 corpus (348140s/341015h RM) 09/18/05
553 #counts SARE_HTML_TITLE_LWORD 42s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
554 #counts SARE_HTML_TITLE_LWORD 3s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
555 #max SARE_HTML_TITLE_LWORD 3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
556 #counts SARE_HTML_TITLE_LWORD 4s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
557 #counts SARE_HTML_TITLE_LWORD 32s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
558 #counts SARE_HTML_TITLE_LWORD 161s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
559 #counts SARE_HTML_TITLE_LWORD 84s/4h of 23074 corpus (17350s/5724h MY) 05/14/06
560 #max SARE_HTML_TITLE_LWORD 202s/1h of 47221 corpus (42968s/4253h MY) 06/18/05
562 rawbody SARE_HTML_TITLE_SEX /<title>.{0,15}\bSex.{0,15}<\/title>/i
563 score SARE_HTML_TITLE_SEX 0.689
564 #ham SARE_HTML_TITLE_SEX confirmed (2)
565 #hist SARE_HTML_TITLE_SEX Fred T: FR_TITLE_SEX
566 #counts SARE_HTML_TITLE_SEX 4s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
567 #max SARE_HTML_TITLE_SEX 167s/2h of 196681 corpus (96193s/100488h RM) 02/22/05
568 #counts SARE_HTML_TITLE_SEX 1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
569 #counts SARE_HTML_TITLE_SEX 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
570 #max SARE_HTML_TITLE_SEX 7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
571 #counts SARE_HTML_TITLE_SEX 7s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
572 #counts SARE_HTML_TITLE_SEX 5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
573 #max SARE_HTML_TITLE_SEX 14s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
574 #counts SARE_HTML_TITLE_SEX 1s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
575 #counts SARE_HTML_TITLE_SEX 6s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
577 ######## ###################### ##################################################
579 ######## ###################### ##################################################
581 full SARE_HTML_A_BODY /(?!<body>\n\n<a href)<body>.{0,4}<a href/is
582 describe SARE_HTML_A_BODY Message body has very strange HTML sequence
583 score SARE_HTML_A_BODY 0.742
584 #hist SARE_HTML_A_BODY Fred T: FR_BODY_AHREF
585 #counts SARE_HTML_A_BODY 419s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
586 #max SARE_HTML_A_BODY 1527s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
587 #counts SARE_HTML_A_BODY 20s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
588 #counts SARE_HTML_A_BODY 2s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
589 #max SARE_HTML_A_BODY 92s/3h of 10826 corpus (6364s/4462h CT) 05/28/05
590 #counts SARE_HTML_A_BODY 30s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
591 #counts SARE_HTML_A_BODY 359s/25h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
592 #counts SARE_HTML_A_BODY 134s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
593 #counts SARE_HTML_A_BODY 10s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
594 #max SARE_HTML_A_BODY 50s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
596 ######## ###################### ##################################################
597 # Spamsign character sets and fonts
598 ######## ###################### ##################################################
600 rawbody SARE_HTML_FONT_EBEF m'</body></font>'i
601 describe SARE_HTML_FONT_EBEF Message body has very strange HTML sequence
602 score SARE_HTML_FONT_EBEF 0.658
603 #ham SARE_HTML_FONT_EBEF verified (1)
604 #hist SARE_HTML_FONT_EBEF Fred T: FR_BODY_FONT
605 #counts SARE_HTML_FONT_EBEF 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
606 #max SARE_HTML_FONT_EBEF 44s/1h of 281655 corpus (110173s/171482h RM) 05/05/05
607 #counts SARE_HTML_FONT_EBEF 36s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
608 #max SARE_HTML_FONT_EBEF 123s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
609 #counts SARE_HTML_FONT_EBEF 1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
610 #max SARE_HTML_FONT_EBEF 50s/1h of 31513 corpus (27912s/3601h MY) 03/09/05
611 #counts SARE_HTML_FONT_EBEF 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
613 rawbody SARE_HTML_FONT_SPL /^\#[a-z0-9]{6}>/i
614 describe SARE_HTML_FONT_SPL Message uses suspicious font size and/or color
615 score SARE_HTML_FONT_SPL 0.650
616 #ham SARE_HTML_FONT_SPL verified (1)
617 #hist SARE_HTML_FONT_SPL Charles Gregory
618 #overlap SARE_HTML_FONT_SPL Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
619 #overlap SARE_HTML_FONT_SPL Overlaps strongly with SARE_HTML_FONT_SPLIT for obvious reasons, but not enough to warrant dropping one.
620 #counts SARE_HTML_FONT_SPL 3s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
621 #max SARE_HTML_FONT_SPL 360s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
622 #counts SARE_HTML_FONT_SPL 5s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
623 #counts SARE_HTML_FONT_SPL 1s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
624 #max SARE_HTML_FONT_SPL 14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
625 #counts SARE_HTML_FONT_SPL 5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
626 #max SARE_HTML_FONT_SPL 53s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
627 #counts SARE_HTML_FONT_SPL 3s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
628 #counts SARE_HTML_FONT_SPL 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
629 #max SARE_HTML_FONT_SPL 1s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
631 ######## ###################### ##################################################
632 # Invalid or Suspicious URI Tests
633 ######## ###################### ##################################################
635 rawbody SARE_HTML_URI_ESCWWW /(?:%77w%77|w%77%77|%77%77w)/i
636 describe SARE_HTML_URI_ESCWWW URI with obfuscated destination
637 score SARE_HTML_URI_ESCWWW 2.222
638 #hist SARE_HTML_URI_ESCWWW Fred T: FR_ESCAPE_WWW
639 #overlap SARE_HTML_URI_ESCWWW Overlaps with SARE_HTML_FSIZE_1ALL
640 #counts SARE_HTML_URI_ESCWWW 2572s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
641 #counts SARE_HTML_URI_ESCWWW 16s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
642 #counts SARE_HTML_URI_ESCWWW 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
643 #max SARE_HTML_URI_ESCWWW 3s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
644 #counts SARE_HTML_URI_ESCWWW 117s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
645 #counts SARE_HTML_URI_ESCWWW 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
646 #max SARE_HTML_URI_ESCWWW 16s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
647 #counts SARE_HTML_URI_ESCWWW 70s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
648 #counts SARE_HTML_URI_ESCWWW 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
649 #max SARE_HTML_URI_ESCWWW 1s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
651 uri SARE_HTML_URI_LHOST30 m*^https?://[a-z0-9]{30}\.*i
652 describe SARE_HTML_URI_LHOST30 Long unbroken string within URI
653 score SARE_HTML_URI_LHOST30 1.666
654 #hist SARE_HTML_URI_LHOST30 Fred T (originally 40,)
655 #ham SARE_HTML_URI_LHOST30 30: www.rebuildingthevillagefoundation.org
656 #counts SARE_HTML_URI_LHOST30 301s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
657 #counts SARE_HTML_URI_LHOST30 18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
658 #counts SARE_HTML_URI_LHOST30 6s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
659 #counts SARE_HTML_URI_LHOST30 27s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
660 #counts SARE_HTML_URI_LHOST30 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
661 #max SARE_HTML_URI_LHOST30 3s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
662 #counts SARE_HTML_URI_LHOST30 128s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
663 #counts SARE_HTML_URI_LHOST30 5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
664 #max SARE_HTML_URI_LHOST30 13s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
666 uri SARE_HTML_URI_LHOST31 m*^https?://[a-z0-9]{31,}\.*i
667 describe SARE_HTML_URI_LHOST31 Long unbroken string within URI
668 score SARE_HTML_URI_LHOST31 1.666
669 #hist SARE_HTML_URI_LHOST31 Fred T (originally 40,)
670 #ham SARE_HTML_URI_LHOST31 30: www.rebuildingthevillagefoundation.org
671 #counts SARE_HTML_URI_LHOST31 776s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
672 #max SARE_HTML_URI_LHOST31 840s/15h of 689155 corpus (348140s/341015h RM) 09/18/05
673 #counts SARE_HTML_URI_LHOST31 90s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
674 #counts SARE_HTML_URI_LHOST31 99s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
675 #counts SARE_HTML_URI_LHOST31 125s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
676 #counts SARE_HTML_URI_LHOST31 456s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
677 #counts SARE_HTML_URI_LHOST31 94s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
678 #counts SARE_HTML_URI_LHOST31 21s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
680 uri SARE_HTML_URI_NOMORE m'/nomore\.htm'i
681 describe SARE_HTML_URI_NOMORE URI to page name which suggests spammer's page
682 score SARE_HTML_URI_NOMORE 0.906
683 #ham SARE_HTML_URI_NOMORE http://www.afsc.org/nomore.htm; Student Peace Action Network (SPAN)
684 #counts SARE_HTML_URI_NOMORE 2s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
685 #max SARE_HTML_URI_NOMORE 1200s/0h of 92209 corpus (74874s/17335h RM) 01/17/04
686 #counts SARE_HTML_URI_NOMORE 7s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
687 #counts SARE_HTML_URI_NOMORE 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
688 #max SARE_HTML_URI_NOMORE 69s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
689 #counts SARE_HTML_URI_NOMORE 54s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
690 #max SARE_HTML_URI_NOMORE 68s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
691 #counts SARE_HTML_URI_NOMORE 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
692 #max SARE_HTML_URI_NOMORE 4s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
694 uri SARE_HTML_URI_OUTPHP /\bout\.php/i
695 describe SARE_HTML_URI_OUTPHP text uri to unsubscribe link
696 score SARE_HTML_URI_OUTPHP 0.907
697 #addsto SARE_HTML_URI_OUTPHP SARE_HTML_URI_OPTPHP
698 #ham SARE_HTML_URI_OUTPHP Bravenet ad attached to reply form email
699 #counts SARE_HTML_URI_OUTPHP 80s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
700 #max SARE_HTML_URI_OUTPHP 144s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
701 #counts SARE_HTML_URI_OUTPHP 88s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
702 #counts SARE_HTML_URI_OUTPHP 10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
703 #max SARE_HTML_URI_OUTPHP 21s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
704 #counts SARE_HTML_URI_OUTPHP 4s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
705 #counts SARE_HTML_URI_OUTPHP 13s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
706 #max SARE_HTML_URI_OUTPHP 25s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
707 #counts SARE_HTML_URI_OUTPHP 58s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
708 #counts SARE_HTML_URI_OUTPHP 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
709 #max SARE_HTML_URI_OUTPHP 17s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
711 uri SARE_HTML_URI_PARTID m|/[\?\&]partid=|i
712 describe SARE_HTML_URI_PARTID Partner Id in URL
713 score SARE_HTML_URI_PARTID 0.166
714 #hist SARE_HTML_URI_PARTID Loren Wilton <lwilton@earthlink.net>, Sat, 3 Apr 2004 20:29:32 -0800
715 #counts SARE_HTML_URI_PARTID 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
716 #max SARE_HTML_URI_PARTID 1264s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
717 #counts SARE_HTML_URI_PARTID 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
718 #max SARE_HTML_URI_PARTID 37s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
719 #counts SARE_HTML_URI_PARTID 81s/6h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
720 #max SARE_HTML_URI_PARTID 302s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
721 #counts SARE_HTML_URI_PARTID 3s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
722 #max SARE_HTML_URI_PARTID 26s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
724 ######## ###################### ##################################################
725 # <!-- Comment tag tests
726 ######## ###################### ##################################################
728 meta SARE_HTML_CMT_CNTR __SARE_HTML_CMT_CNTR
729 describe SARE_HTML_CMT_CNTR Message has a center followed by a comment
730 score SARE_HTML_CMT_CNTR 0.676
731 #hist SARE_HTML_CMT_CNTR Carl F: CRM_CENTER_COM
732 #ham SARE_HTML_CMT_CNTR Strategic Developer <strategicdeveloper@newsletter.infoworld.com>, Thursday, January 27, 2005, 10:57:37 AM
733 #counts SARE_HTML_CMT_CNTR 9s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
734 #max SARE_HTML_CMT_CNTR 173s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
735 #counts SARE_HTML_CMT_CNTR 1s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
736 #counts SARE_HTML_CMT_CNTR 53s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
737 #max SARE_HTML_CMT_CNTR 196s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
738 #counts SARE_HTML_CMT_CNTR 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
739 #counts SARE_HTML_CMT_CNTR 21s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
740 #counts SARE_HTML_CMT_CNTR 1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
741 #counts SARE_HTML_CMT_CNTR 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
742 #max SARE_HTML_CMT_CNTR 7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
744 ######## ###################### ##################################################
746 ######## ###################### ##################################################
748 rawbody SARE_HTML_IMG_2AT /IMG\s*SRC\s*=s*"cid:part1\.\d{8}.\d{8}\@[a-z]+\@[\w\.]+"/is
749 describe SARE_HTML_IMG_2AT strange internal image link
750 score SARE_HTML_IMG_2AT 1.216
751 #hist SARE_HTML_IMG_2AT Loren Wilton: LW_DOUBLE_AT
752 #hist SARE_HTML_IMG_2AT Apr 2 2005, Bob Menschel, Added spaces around "="
753 #hist SARE_HTML_IMG_2AT Apr 16 2005, Bob Menschel, replaced spaces with \s
754 #counts SARE_HTML_IMG_2AT 328s/13h of 333405 corpus (262498s/70907h RM) 05/12/06
755 #max SARE_HTML_IMG_2AT 3648s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
756 #counts SARE_HTML_IMG_2AT 222s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
757 #counts SARE_HTML_IMG_2AT 69s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
758 #counts SARE_HTML_IMG_2AT 828s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
759 #counts SARE_HTML_IMG_2AT 57s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
760 #counts SARE_HTML_IMG_2AT 280s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
761 #counts SARE_HTML_IMG_2AT 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
762 #max SARE_HTML_IMG_2AT 105s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
764 ######## ###################### ##################################################
765 # <tag ... ALT= ...> tag tests
766 ######## ###################### ##################################################
768 ######## ###################### ##################################################
769 # Javascript and object tests
770 ######## ###################### ##################################################
772 full SARE_HTML_IMG_ONLY m'<(?:html|body).{1,200}<a.{12,145}<img.{11,200}</(?:body|html)>'is
773 describe SARE_HTML_IMG_ONLY Short HTML msg, IMG and A HREF, maybe naught else
774 score SARE_HTML_IMG_ONLY 1.666
775 #ham SARE_HTML_IMG_ONLY Verified (image-only ham)
776 #hist SARE_HTML_IMG_ONLY Originally Fred T: FVGT_m_IMAGE_ONLY
777 #hist SARE_HTML_IMG_ONLY Enhanced May 29 2004 by Bob Menschel, incorporate all tests in one regex
778 #ham SARE_HTML_IMG_ONLY 5: Oct 2002 Yahoo webmail with automatically inserted FAULTY flamingtext.com advertisement
779 #overlap SARE_HTML_IMG_ONLY Rules that completely overlap this one: SARE_HTML_PILL3, SARE_HTML_PILL4
780 #counts SARE_HTML_IMG_ONLY 14904s/16h of 333405 corpus (262498s/70907h RM) 05/12/06
781 #counts SARE_HTML_IMG_ONLY 70s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
782 #counts SARE_HTML_IMG_ONLY 154s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
783 #counts SARE_HTML_IMG_ONLY 4131s/6h of 42454 corpus (34336s/8118h FVGT) 05/15/06
784 #counts SARE_HTML_IMG_ONLY 261s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
785 #max SARE_HTML_IMG_ONLY 553s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
786 #counts SARE_HTML_IMG_ONLY 4730s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
787 #counts SARE_HTML_IMG_ONLY 7s/7h of 23074 corpus (17350s/5724h MY) 05/14/06
788 #max SARE_HTML_IMG_ONLY 141s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
790 rawbody SARE_HTML_JVS_FLASH m'codebase="https://download\.macromedia\.com/pub/shockwave'i
791 describe SARE_HTML_JVS_FLASH Tries to load flash animation
792 score SARE_HTML_JVS_FLASH 1.246
793 #ham SARE_HTML_JVS_FLASH verified (1) cbs.marketwatch.com
794 #hist SARE_HTML_JVS_FLASH Mike Kuentz <JunkEmail@rapidigm.com>
795 #counts SARE_HTML_JVS_FLASH 444s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
796 #counts SARE_HTML_JVS_FLASH 33s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
797 #counts SARE_HTML_JVS_FLASH 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
798 #max SARE_HTML_JVS_FLASH 4s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
799 #counts SARE_HTML_JVS_FLASH 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
800 #max SARE_HTML_JVS_FLASH 7s/0h of 29366 corpus (5882s/23484h JH) 07/23/04 TM2 SA3.0-pre2
801 #counts SARE_HTML_JVS_FLASH 53s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
802 #counts SARE_HTML_JVS_FLASH 0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
803 #max SARE_HTML_JVS_FLASH 28s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
805 ######## ###################### ##################################################
806 # Obviously invalid html tag
807 ######## ###################### ##################################################
809 header __CT_TEXT_PLAIN Content-Type =~ /^text\/plain\b/i
810 rawbody __SARE_HTML_INV_TAG /\w<\!\w{18,60}>\w/i
811 rawbody __SARE_HTML_INV_TAG2 m'\w</?(?!(?:blockquote|optiongroup|plaintext|fontfamily|underline|cf.+))[a-z]{9,17}>\w'
812 rawbody __SARE_HTML_INV_TAG3 m'\w<[/!]?(?!cf.+)\w{11,20}>\w'i
813 rawbody __SARE_HTML_INV_TAG4 m'\w(?!</?cf.{1,8}>)<[/!]?[bcdfghjklmnpqrstvwxz]{5,9}>\w'i
815 meta SARE_HTML_INV_TAG ( __SARE_HTML_INV_TAG || __SARE_HTML_INV_TAG2 || __SARE_HTML_INV_TAG3 || __SARE_HTML_INV_TAG4 ) && !__CT_TEXT_PLAIN
816 describe SARE_HTML_INV_TAG Message contains invalid HTML tag
817 score SARE_HTML_INV_TAG 2.222
818 #ham SARE_HTML_INV_TAG Monotone source code included within body of email
819 #hist SARE_HTML_INV_TAG Combined three invalid-tag rules into one, added \w front and back, to test for
820 #hist SARE_HTML_INV_TAG obfuscation of surrounding text, added tests against __CT_TEXT_PLAIN to give
821 #hist SARE_HTML_INV_TAG higher scores to HTML email than to plain text email. Enhancements due to
822 #hist SARE_HTML_INV_TAG ideas suggested by Jesse Houwing, Nicolas Riendeau, and Bob Menschel
823 #counts SARE_HTML_INV_TAG 36s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
824 #max SARE_HTML_INV_TAG 5650s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
825 #counts SARE_HTML_INV_TAG 8s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
826 #max SARE_HTML_INV_TAG 66s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
827 #counts SARE_HTML_INV_TAG 21s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
828 #counts SARE_HTML_INV_TAG 386s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
829 #max SARE_HTML_INV_TAG 930s/0h of 38766 corpus (15284s/23482h JH-SA3.0rc1) 09/03/04
830 #counts SARE_HTML_INV_TAG 17s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
831 #counts SARE_HTML_INV_TAG 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
832 #max SARE_HTML_INV_TAG 952s/0h of 19469 corpus (16883s/2586h MY) 09/03/04
834 ######## ###################### ##################################################
835 # Paragraphs, breaks, and spacings
836 ######## ###################### ##################################################
838 ######## ###################### ##################################################
839 # Suspicious tag combinations
840 ######## ###################### ##################################################
842 rawbody SARE_HTML_CNTR_TBL /<center>\s*<table>/im
843 describe SARE_HTML_CNTR_TBL Contains centred table
844 score SARE_HTML_CNTR_TBL 1.666
845 #ham SARE_HTML_CNTR_TBL verified (1)
846 #hist SARE_HTML_CNTR_TBL Tim Jackson, May 25 2005
847 #counts SARE_HTML_CNTR_TBL 745s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
848 #counts SARE_HTML_CNTR_TBL 1188s/2h of 56024 corpus (51686s/4338h AxB2) 05/15/06
849 #counts SARE_HTML_CNTR_TBL 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
850 #max SARE_HTML_CNTR_TBL 3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
851 #counts SARE_HTML_CNTR_TBL 27s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
852 #counts SARE_HTML_CNTR_TBL 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
853 #counts SARE_HTML_CNTR_TBL 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
854 #counts SARE_HTML_CNTR_TBL 32s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
855 #max SARE_HTML_CNTR_TBL 57s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
857 rawbody __SARE_HTML_SINGLET1 /> [a-z] </i
858 rawbody __SARE_HTML_SINGLET2 />[a-z]</i
859 meta SARE_HTML_SINGLETS __SARE_HTML_SINGLET1 && __SARE_HTML_SINGLET2
860 describe SARE_HTML_SINGLETS spam pattern in HTML email
861 score SARE_HTML_SINGLETS 1.666
862 #hist SARE_HTML_SINGLETS Robert Brooks, March 2006
863 #ham SARE_HTML_SINGLETS verified (amateur webmaster sample page attached to email)
864 #counts SARE_HTML_SINGLETS 26498s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
865 #counts SARE_HTML_SINGLETS 3660s/2h of 55981 corpus (51658s/4323h AxB2) 05/15/06
866 #counts SARE_HTML_SINGLETS 130s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
867 #counts SARE_HTML_SINGLETS 2016s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
868 #counts SARE_HTML_SINGLETS 65s/2h of 42253 corpus (34139s/8114h FVGT) 05/15/06
869 #counts SARE_HTML_SINGLETS 5798s/1h of 106183 corpus (72941s/33242h ML) 05/14/06
870 #counts SARE_HTML_SINGLETS 20s/1h of 22939 corpus (17232s/5707h MY) 05/14/06
872 ######## ###################### ##################################################
873 # Useless tags (tag structures that do nothing)
874 # Largely submitted by Matt Yackley, with contributions by
875 # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
876 ######## ###################### ##################################################
878 rawbody SARE_HTML_USL_FONT m'^<FONT[^>]{0,20}></FONT><'
879 describe SARE_HTML_USL_FONT Another spam attempt
880 score SARE_HTML_USL_FONT 0.797
881 #hist SARE_HTML_USL_FONT Loren Wilton Apr 11 2005
882 #counts SARE_HTML_USL_FONT 54s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
883 #max SARE_HTML_USL_FONT 5192s/1h of 269462 corpus (128310s/141152h RM) 06/17/05
884 #counts SARE_HTML_USL_FONT 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
885 #max SARE_HTML_USL_FONT 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
886 #counts SARE_HTML_USL_FONT 0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
887 #max SARE_HTML_USL_FONT 9s/0h of 6804 corpus (1336s/5468h ft) 06/17/05
888 #counts SARE_HTML_USL_FONT 7s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
889 #counts SARE_HTML_USL_FONT 32s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
890 #counts SARE_HTML_USL_FONT 81s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
891 #max SARE_HTML_USL_FONT 1047s/1h of 57287 corpus (52272s/5015h MY) 09/22/05
893 rawbody SARE_HTML_USL_OBFU m'\w<(\w+)(?: [^>]*)?></\1[^>]*>\w'
894 describe SARE_HTML_USL_OBFU Message body has very strange HTML sequence
895 score SARE_HTML_USL_OBFU 1.666
896 #match SARE_HTML_USL_OBFU partialword<tag></tag>restofword
897 #hist SARE_HTML_USL_OBFU Created by Bob Menschel Aug 12 2004
898 #counts SARE_HTML_USL_OBFU 393s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
899 #max SARE_HTML_USL_OBFU 520s/6h of 196718 corpus (96193s/100525h RM) 02/22/05
900 #counts SARE_HTML_USL_OBFU 14s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
901 #counts SARE_HTML_USL_OBFU 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
902 #max SARE_HTML_USL_OBFU 16s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
903 #counts SARE_HTML_USL_OBFU 88s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
904 #counts SARE_HTML_USL_OBFU 298s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
905 #max SARE_HTML_USL_OBFU 457s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
906 #counts SARE_HTML_USL_OBFU 111s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
907 #counts SARE_HTML_USL_OBFU 21s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
908 #max SARE_HTML_USL_OBFU 148s/0h of 17145 corpus (14677s/2468h MY) 08/12/04
910 ######## ###################### ##################################################
911 # Miscellaneous tag tests
912 ######## ###################### ##################################################
917 # SARE HTML Ruleset for SpamAssassin - ruleset 2
919 # Created: 2004-03-31
920 # Modified: 2006-06-03
921 # Usage instructions, documentation, and change history in 70_sare_html0.cf
923 #@@# Revision History: Full Revision History stored in 70_sare_html.log
924 #@@# 01.03.09: May ?? 2006
925 #@@# Minor score tweaks based on recent mass-checks
926 #@@# Moved file 0 to file 2: SARE_HTML_EHTML_OBFU
927 #@@# Moved file 0 to file 2: SARE_HTML_HEAD_AFFIL
928 #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU1
929 #@@# Moved file 0 to file 2: SARE_HTML_LEAKTHRU2
930 #@@# Moved file 0 to file 2: SARE_HTML_ONE_LINE3
931 #@@# Moved file 0 to file 2: SARE_HTML_POB1200
932 #@@# Moved file 0 to file 2: SARE_HTML_URI_HIDADD
933 #@@# Moved file 0 to file 2: SARE_HTML_URI_LOGOGEN
934 #@@# Moved file 0 to file 2: SARE_HTML_URI_OFF
935 #@@# Moved file 0 to file 2: SARE_HTML_USL_B7
936 #@@# Moved file 0 to file 2: SARE_HTML_USL_B9
937 #@@# Moved file 0 to file 2: SARE_PHISH_HTML_01
938 #@@# 01.03.10: June 3 2006
939 #@@# Minor score tweaks based on recent mass-checks
940 #@@# Moved file 1 to 2: SARE_HTML_BR_MANY
941 #@@# Moved file 1 to 2: SARE_HTML_ONE_LINE2
942 #@@# Moved file 1 to 2: SARE_HTML_URI_OC
944 # License: Artistic - see http://www.rulesemporium.com/license.txt
945 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
946 # Current Home: http://www.rulesemporium.com/rules/70_sare_html2.cf
948 ######## ###################### ##################################################
950 rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
951 rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
952 rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
953 rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
954 rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
955 rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
956 rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
957 rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
959 rawbody __SARE_HTML_HBODY m'<html><body>'i
960 rawbody __SARE_HTML_BEHTML m'<body></html>'i
961 rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
962 rawbody __SARE_HTML_EFONT m'^</font>'i
963 rawbody __SARE_HTML_EHEB m'^</html></body>'i
964 rawbody __SARE_HTML_CMT_CNTR /<center><!--/
966 ######## ###################### ##################################################
967 # <HTML> and <BODY> tag spamsign
968 ######## ###################### ##################################################
970 rawbody SARE_HTML_EHTML_OBFU m'<\s*/\s+(?!html)[HTmL\s]{4,}>'i
971 describe SARE_HTML_EHTML_OBFU Phoney tag
972 score SARE_HTML_EHTML_OBFU 1.111
973 #stype SARE_HTML_EHTML_OBFU spamp
974 #hist SARE_HTML_EHTML_OBFU Loren Wilton, June 2005
975 #counts SARE_HTML_EHTML_OBFU 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
976 #max SARE_HTML_EHTML_OBFU 30s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
977 #counts SARE_HTML_EHTML_OBFU 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
978 #counts SARE_HTML_EHTML_OBFU 0s/0h of 6804 corpus (1336s/5468h ft) 06/17/05
979 #counts SARE_HTML_EHTML_OBFU 21s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
980 #counts SARE_HTML_EHTML_OBFU 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
981 #max SARE_HTML_EHTML_OBFU 34s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
983 ######## ###################### ##################################################
984 # Spamsign character sets and fonts
985 ######## ###################### ##################################################
987 rawbody SARE_HTML_COLOR_D /(?:style="?|<style[^>]*>)[^>"]*[^-]color\s*:\s*rgb\(\s*(?:100|9[0-9]|8[6-9])\s*%\s*,\s*(?:100|9[0-9]|8[6-9])\s*%\s*,\s*(?:100|9[0-9]|8[6-9])\s*%\s*\)[^>]*>/i
988 describe SARE_HTML_COLOR_D BAD STYLE: color: too light (rgb(%))
989 score SARE_HTML_COLOR_D 0.100
990 #hist SARE_HTML_COLOR_D From Jesse Houwing May 14 2004
991 #counts SARE_HTML_COLOR_D 0s/0h of 98435 corpus (76828s/21607h RM) 05/14/04
992 #counts SARE_HTML_COLOR_D 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
994 rawbody SARE_HTML_POB1200 /width="599" bgColor="\#9999FF"/i
995 describe SARE_HTML_POB1200 Used by POB1200 Orangestad spammer
996 score SARE_HTML_POB1200 1.666
997 #stype SARE_HTML_POB1200 spamp
998 #hist SARE_HTML_POB1200 Jennifer Wheeler <jennifer.sare@nxtek.net> May 17 2004
999 #counts SARE_HTML_POB1200 0s/0h of 196681 corpus (96193s/100488h RM) 02/22/05
1000 #max SARE_HTML_POB1200 414s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
1001 #counts SARE_HTML_POB1200 1s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1002 #max SARE_HTML_POB1200 18s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1003 #counts SARE_HTML_POB1200 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1004 #max SARE_HTML_POB1200 42s/0h of 18153 corpus (15872s/2281h MY) 05/18/04
1005 #counts SARE_HTML_POB1200 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1007 ######## ###################### ##################################################
1009 ######## ###################### ##################################################
1011 rawbody SARE_HTML_NOFRAMES /<frame><noframes>\w*<\/noframes><\/frame>/i
1012 describe SARE_HTML_NOFRAMES Body appears to hide anti-anti-spam text in frame
1013 score SARE_HTML_NOFRAMES 1.000
1014 #counts SARE_HTML_NOFRAMES 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
1015 #max SARE_HTML_NOFRAMES 96 spam, 0 ham, Sep 5 2003
1016 #counts SARE_HTML_NOFRAMES 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1018 ######## ###################### ##################################################
1019 # Invalid or Suspicious URI Tests
1020 ######## ###################### ##################################################
1022 rawbody SARE_HTML_URI_GBYE />Good Bye<\/a>/i
1023 describe SARE_HTML_URI_GBYE text has URL to spammer's unsubscribe link
1024 score SARE_HTML_URI_GBYE 0.100
1025 #counts SARE_HTML_URI_GBYE 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
1026 #counts SARE_HTML_URI_GBYE 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1028 #overlap SARE_HTML_URI_HIDADD Overlaps completely within SARE_HTML_P_BREAK 2004-06-11
1029 rawbody SARE_HTML_URI_HIDADD /(?:\&\~c\&o\&m|\&\~n\&e\&t)/i
1030 describe SARE_HTML_URI_HIDADD URI with obfuscated destination
1031 score SARE_HTML_URI_HIDADD 1.666
1032 #stype SARE_HTML_URI_HIDADD spamp
1033 #hist SARE_HTML_URI_HIDADD Fred T: FR_HIDDEN_ADDY
1034 #overlap SARE_HTML_URI_HIDADD Overlaps completely within SARE_HTML_P_BREAK 2004-06-11
1035 #counts SARE_HTML_URI_HIDADD 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
1036 #max SARE_HTML_URI_HIDADD 817s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
1037 #counts SARE_HTML_URI_HIDADD 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1038 #max SARE_HTML_URI_HIDADD 2s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
1039 #counts SARE_HTML_URI_HIDADD 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
1040 #max SARE_HTML_URI_HIDADD 1s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
1041 #counts SARE_HTML_URI_HIDADD 0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
1043 uri SARE_HTML_URI_HIDE1 /:ac=[A-Z,a-z,0-9,@,!,;]+/
1044 describe SARE_HTML_URI_HIDE1 URI attempts to hide destination domain
1045 score SARE_HTML_URI_HIDE1 0.100
1046 #counts SARE_HTML_URI_HIDE1 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
1047 #counts SARE_HTML_URI_HIDE1 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1049 uri SARE_HTML_URI_LOGOGEN m{/logogen\.img\?}i
1050 score SARE_HTML_URI_LOGOGEN 1.666
1051 describe SARE_HTML_URI_LOGOGEN Uses some logo generation software
1052 #hist SARE_HTML_URI_LOGOGEN Jesse Houwing, Aug 19 2004
1053 #counts SARE_HTML_URI_LOGOGEN 0s/0h of 175738 corpus (98979s/76759h RM) 02/14/05
1054 #max SARE_HTML_URI_LOGOGEN 6s/0h of 65858 corpus (40621s/25237h RM) 08/19/04
1055 #counts SARE_HTML_URI_LOGOGEN 319s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1056 #max SARE_HTML_URI_LOGOGEN 453s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1057 #counts SARE_HTML_URI_LOGOGEN 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
1058 #max SARE_HTML_URI_LOGOGEN 48s/0h of 18647 corpus (16116s/2531h MY) 08/25/04
1059 #counts SARE_HTML_URI_LOGOGEN 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
1060 #max SARE_HTML_URI_LOGOGEN 7s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1062 uri SARE_HTML_URI_OC /\?oc=\d{4,10}/
1063 describe SARE_HTML_URI_OC Possible spammer sign in URL
1064 score SARE_HTML_URI_OC 1.666
1065 #hist SARE_HTML_URI_OC LW_URI_OC
1066 #counts SARE_HTML_URI_OC 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1067 #max SARE_HTML_URI_OC 440s/0h of 89461 corpus (67464s/21997h RM) 05/29/04
1068 #counts SARE_HTML_URI_OC 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1069 #max SARE_HTML_URI_OC 17s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1070 #counts SARE_HTML_URI_OC 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
1071 #max SARE_HTML_URI_OC 85s/0h of 13454 corpus (11339s/2115h MY) 06/02/04
1073 uri SARE_HTML_URI_OFF /http.{5,35}\boff\.(?:htm|html|php|asp|pl|cgi|jsp)\b/i
1074 describe SARE_HTML_URI_OFF URI to page name which suggests spammer's page
1075 score SARE_HTML_URI_OFF 2.222
1076 #hist SARE_HTML_URI_OFF FR_PAGE_OFF
1077 #counts SARE_HTML_URI_OFF 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
1078 #max SARE_HTML_URI_OFF 2619s/0h of 109180 corpus (88746s/20434h RM) 04/09/04
1079 #counts SARE_HTML_URI_OFF 2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1080 #max SARE_HTML_URI_OFF 89s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
1081 #counts SARE_HTML_URI_OFF 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
1082 #counts SARE_HTML_URI_OFF 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1083 #max SARE_HTML_URI_OFF 39s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
1085 ######## ###################### ##################################################
1087 ######## ###################### ##################################################
1089 rawbody SARE_HTML_HEAD_AFFIL /\<h[0-9]\>.{2,30}\/.{1,3}affiliate.{1,20}\<\/h[0-9]\>/i
1090 describe SARE_HTML_HEAD_AFFIL Affiliate in BOLD
1091 score SARE_HTML_HEAD_AFFIL 0.744
1092 #hist SARE_HTML_HEAD_AFFIL Matt Yackley, Apr 15 2005
1093 #counts SARE_HTML_HEAD_AFFIL 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1094 #max SARE_HTML_HEAD_AFFIL 23s/0h of 292246 corpus (119174s/173072h RM) 04/15/05
1095 #counts SARE_HTML_HEAD_AFFIL 0s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
1096 #max SARE_HTML_HEAD_AFFIL 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1097 #counts SARE_HTML_HEAD_AFFIL 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1098 #counts SARE_HTML_HEAD_AFFIL 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
1099 #max SARE_HTML_HEAD_AFFIL 10s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
1101 ######## ###################### ##################################################
1102 # Suspicious tag combinations
1103 ######## ###################### ##################################################
1105 rawbody SARE_HTML_ONE_LINE2 m'<body><p><a href="http://\w+\.\w+\.info/\?[\w\.]+"><IMG SRC="cid:[\w\@\.]+" border="0" ALT=""></a>'
1106 describe SARE_HTML_ONE_LINE2 standard spam formatting
1107 score SARE_HTML_ONE_LINE2 1.111
1108 #stype SARE_HTML_ONE_LINE2 spamp
1109 #hist SARE_HTML_ONE_LINE2 Loren Wilton, LW_SINGLELINE4 Sep 5 2004
1110 #counts SARE_HTML_ONE_LINE2 0s/0h of 281655 corpus (110173s/171482h RM) 05/05/05
1111 #max SARE_HTML_ONE_LINE2 22s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
1112 #counts SARE_HTML_ONE_LINE2 1s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1113 #counts SARE_HTML_ONE_LINE2 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1114 #max SARE_HTML_ONE_LINE2 5s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
1116 full SARE_HTML_ONE_LINE3 m'\n<html><body>\n<center>.{0,140}</center>\n</body></html>\n'
1117 describe SARE_HTML_ONE_LINE3 Another single-line centered HTML message
1118 score SARE_HTML_ONE_LINE3 1.256
1119 #hist SARE_HTML_ONE_LINE3 Loren Wilton: LW_SINGLELINE4
1120 #counts SARE_HTML_ONE_LINE3 0s/0h of 281271 corpus (109792s/171479h RM) 05/05/05
1121 #max SARE_HTML_ONE_LINE3 64s/0h of 70245 corpus (42816s/27429h RM) 10/02/04
1122 #counts SARE_HTML_ONE_LINE3 61s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
1123 #counts SARE_HTML_ONE_LINE3 0s/0h of 19447 corpus (16862s/2585h MY) 10/06/04
1124 #counts SARE_HTML_ONE_LINE3 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
1125 #max SARE_HTML_ONE_LINE3 1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1127 rawbody SARE_HTML_LEAKTHRU1 m'^<BODY><p><(\w+)></(?:\1)><A href=\"[^"]+\"><(\w+)></(?:\2)>$'
1128 score SARE_HTML_LEAKTHRU1 1.111
1129 #stype SARE_HTML_LEAKTHRU1 spamp
1130 #hist SARE_HTML_LEAKTHRU1 Loren Wilton: LW_LEAKTHRU
1131 describe SARE_HTML_LEAKTHRU1 Another image-only spam
1132 #counts SARE_HTML_LEAKTHRU1 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1133 #max SARE_HTML_LEAKTHRU1 72s/0h of 196642 corpus (96193s/100449h RM) 02/22/05
1134 #counts SARE_HTML_LEAKTHRU1 0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
1135 #counts SARE_HTML_LEAKTHRU1 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
1136 #max SARE_HTML_LEAKTHRU1 22s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
1137 #counts SARE_HTML_LEAKTHRU1 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
1139 rawbody SARE_HTML_LEAKTHRU2 m'^<BODY><p><(\w+)(?:\s[\w\=]+)?></(?:\1)><A href=\"[^"]+\"><(\w+)(?:\s[\w\=]+)?></(?:\2)>$'
1140 score SARE_HTML_LEAKTHRU2 1.666
1141 #stype SARE_HTML_LEAKTHRU2 spamp
1142 #hist SARE_HTML_LEAKTHRU2 Loren Wilton: LW_LEAKTHRU1
1143 describe SARE_HTML_LEAKTHRU2 Another image-only spam
1144 #counts SARE_HTML_LEAKTHRU2 0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1145 #max SARE_HTML_LEAKTHRU2 178s/0h of 283600 corpus (129945s/153655h RM) 03/08/05
1146 #counts SARE_HTML_LEAKTHRU2 0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
1147 #counts SARE_HTML_LEAKTHRU2 0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
1148 #max SARE_HTML_LEAKTHRU2 48s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
1149 #counts SARE_HTML_LEAKTHRU2 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
1151 ######## ###################### ##################################################
1152 # Useless tags (tag structures that do nothing)
1153 # Largely submitted by Matt Yackley, with contributions by
1154 # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
1155 ######## ###################### ##################################################
1157 rawbody SARE_HTML_USL_B7 /(<b><\/b>.{1,5}){7,8}/i
1158 describe SARE_HTML_USL_B7 Multiple <b></b> (7-8)
1159 score SARE_HTML_USL_B7 0.100
1160 #counts SARE_HTML_USL_B7 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
1161 #max SARE_HTML_USL_B7 105s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1162 #counts SARE_HTML_USL_B7 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1163 #counts SARE_HTML_USL_B7 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1165 rawbody SARE_HTML_USL_B9 /(<b><\/b>.{1,5}){9,10}/i
1166 describe SARE_HTML_USL_B9 Multiple <b></b> (9-10)
1167 score SARE_HTML_USL_B9 0.100
1168 #counts SARE_HTML_USL_B9 0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
1169 #max SARE_HTML_USL_B9 99s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1170 #counts SARE_HTML_USL_B9 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1171 #counts SARE_HTML_USL_B9 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1173 ######## ###################### ##################################################
1174 # <tag ... ALT= ...> tag tests
1175 ######## ###################### ##################################################
1177 ######## ###################### ##################################################
1178 # <!-- Comment tag tests
1179 ######## ###################### ##################################################
1181 rawbody SARE_HTML_CMT_MONEY /<\!--\${1,10}-->/i
1182 describe SARE_HTML_CMT_MONEY HTML Comment seems to mention money
1183 score SARE_HTML_CMT_MONEY 0.100
1184 #counts SARE_HTML_CMT_MONEY 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
1185 #counts SARE_HTML_CMT_MONEY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1187 ######## ###################### ##################################################
1189 ######## ###################### ##################################################
1191 rawbody SARE_HTML_GIF_NUM /\.gif\d{2,}/i
1192 describe SARE_HTML_GIF_NUM HTML contains tracking numbers after .gif
1193 score SARE_HTML_GIF_NUM 0.100
1194 #counts SARE_HTML_GIF_NUM 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
1195 #counts SARE_HTML_GIF_NUM 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1197 ######## ###################### ##################################################
1198 # Paragraphs, breaks, and spacings
1199 ######## ###################### ##################################################
1201 rawbody SARE_HTML_BR_MANY /<br>{5}/i
1202 describe SARE_HTML_BR_MANY Too many sequential identical HTML tags
1203 score SARE_HTML_BR_MANY 0.555
1204 #stype SARE_HTML_BR_MANY spamp
1205 #counts SARE_HTML_BR_MANY 0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
1206 #max SARE_HTML_BR_MANY 2s/0h of 258858 corpus (114246s/144612h RM) 05/27/05
1207 #counts SARE_HTML_BR_MANY 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1208 #counts SARE_HTML_BR_MANY 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1209 #counts SARE_HTML_BR_MANY 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
1211 rawbody __SARE_HTML_MANY_BR05 /<br>\s*<br>\s*<br>\s*<br>\s*<br>\s*<br>/i
1212 meta SARE_HTML_MANY_BR05 __SARE_HTML_MANY_BR05 && HTML_MESSAGE
1213 describe SARE_HTML_MANY_BR05 Tooo many <br>'s!
1214 score SARE_HTML_MANY_BR05 0.500
1215 #hist SARE_HTML_MANY_BR05 Contrib by Matt Keller June 7 2004
1216 #note SARE_HTML_MANY_BR05 Remove HTML_MESSAGE test increases spam 4% but doubles ham
1217 #hist SARE_HTML_MANY_BR05 this and SARE_HTML_MANY_BR10 obsolete SARE_HTML_TD_BR4 = FR_WICKED_SPAM_??
1218 #counts SARE_HTML_MANY_BR05 0s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
1219 #alone SARE_HTML_MANY_BR05 2051s/43h of 66351 corpus (40971s/25380h RM) 08/21/04
1220 #counts SARE_HTML_MANY_BR05 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1221 #max SARE_HTML_MANY_BR05 755s/2h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1222 #counts SARE_HTML_MANY_BR05 0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
1224 ######## ###################### ##################################################
1225 # Javascript and object tests
1226 ######## ###################### ##################################################
1228 rawbody SARE_HTML_JVS_POPUP /<body onload \= \"window\.open/i
1229 describe SARE_HTML_JVS_POPUP Bad HTML form. Tries to load a javascript pop up.
1230 score SARE_HTML_JVS_POPUP 0.100
1231 #counts SARE_HTML_JVS_POPUP 0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
1232 #counts SARE_HTML_JVS_POPUP 0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
1234 ######## ###################### ##################################################
1235 # Tests destined for other rule sets
1236 ######## ###################### ##################################################
1238 full __SARE_PHISH_HTML_01a m*<a[^<]{0,60} onMouseMove=(?:3D)?"window.status=(?:3D)?'https?://*
1239 rawbody __SARE_PHISH_HTML_01b m*<a[^<]{0,60} onMouseMove=(?:3D)?"window.status=(?:3D)?'https?://*
1240 meta SARE_PHISH_HTML_01 __SARE_PHISH_HTML_01a || __SARE_PHISH_HTML_01b
1241 describe SARE_PHISH_HTML_01 Hiding actual site with fake secure site!
1242 score SARE_PHISH_HTML_01 2.500
1243 #stype SARE_PHISH_HTML_01 spamgg # phish
1244 #hist SARE_PHISH_HTML_01 Loren Wilton: LW_MOUSEMOVE
1245 #counts SARE_PHISH_HTML_01 1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
1246 #max SARE_PHISH_HTML_01 17s/0h of 70245 corpus (42816s/27429h RM) 10/02/04
1247 #counts SARE_PHISH_HTML_01 2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1248 #max SARE_PHISH_HTML_01 5s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
1249 #counts SARE_PHISH_HTML_01 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
1250 #max SARE_PHISH_HTML_01 6s/0h of 19447 corpus (16862s/2585h MY) 10/06/04
1251 #counts SARE_PHISH_HTML_01 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
1255 # SARE HTML Ruleset for SpamAssassin - ruleset 3
1257 # Created: 2004-03-31
1258 # Modified: 2006-06-03
1259 # Usage instructions, documentation, and change history in 70_sare_html0.cf
1261 #@@# Revision History: Full Revision History stored in 70_sare_html.log
1262 #@@# 01.03.10: June 3 2006
1263 #@@# Minor score tweaks based on recent mass-checks
1264 #@@# Modified "rule has been moved" meta flags
1265 #@@# Archive: SARE_HTML_URI_OPTPHP
1266 #@@# Moved file 1 to 3: SARE_HTML_URI_DEFASP
1268 # License: Artistic - see http://www.rulesemporium.com/license.txt
1269 # Current Maintainer: Bob Menschel - RMSA@Menschel.net
1270 # Current Home: http://www.rulesemporium.com/rules/70_sare_html3.cf
1272 ######## ###################### ##################################################
1273 ######## ###################### ##################################################
1274 # Rules renamed or moved
1275 ######## ###################### ##################################################
1277 meta __SARE_HEAD_FALSE __FROM_AOL_COM && !__FROM_AOL_COM
1278 meta SARE_HTML_URI_OPTPHP __SARE_HEAD_FALSE
1280 ######## ###################### ##################################################
1282 body __NONEMPTY_BODY /\S/
1283 header __TOCC_EXISTS exists:ToCc
1285 rawbody __SARE_HTML_HAS_A eval:html_tag_exists('a')
1286 rawbody __SARE_HTML_HAS_BR eval:html_tag_exists('br')
1287 rawbody __SARE_HTML_HAS_DIV eval:html_tag_exists('div')
1288 rawbody __SARE_HTML_HAS_FONT eval:html_tag_exists('font')
1289 rawbody __SARE_HTML_HAS_IMG eval:html_tag_exists('img')
1290 rawbody __SARE_HTML_HAS_P eval:html_tag_exists('p')
1291 rawbody __SARE_HTML_HAS_PRE eval:html_tag_exists('pre')
1292 rawbody __SARE_HTML_HAS_TITLE eval:html_tag_exists('title')
1294 rawbody __SARE_HTML_HBODY m'<html><body>'i
1295 rawbody __SARE_HTML_BEHTML m'<body></html>'i
1296 rawbody __SARE_HTML_BEHTML2 m'^</?body></html>'i
1297 rawbody __SARE_HTML_EFONT m'^</font>'i
1298 rawbody __SARE_HTML_EHEB m'^</html></body>'i
1299 rawbody __SARE_HTML_CMT_CNTR /<center><!--/
1301 ######## ###################### ##################################################
1302 # Is there a message?
1303 ######## ###################### ##################################################
1305 meta SARE_HTML_EMPTY __CTYPE_HTML && !( __SARE_HTML_HAS_TITLE || __TAG_EXISTS_HTML || __SARE_HTML_HAS_FONT || __TAG_EXISTS_BODY || __SARE_HTML_HAS_PRE || __SARE_HTML_HAS_DIV || __SARE_HTML_HAS_P || __SARE_HTML_HAS_A || __SARE_HTML_HAS_BR )
1306 describe SARE_HTML_EMPTY Email is HTML format, but common tags not found
1307 score SARE_HTML_EMPTY 0.681
1308 #ham SARE_HTML_EMPTY An "html" format email, 30 Oct 2002, Microsoft Outlook Express 6.00.2600.0000, that used no tags, just one long textual paragraph
1309 #counts SARE_HTML_EMPTY 226s/7h of 333405 corpus (262498s/70907h RM) 05/12/06
1310 #max SARE_HTML_EMPTY 506s/33h of 689155 corpus (348140s/341015h RM) 09/18/05
1311 #counts SARE_HTML_EMPTY 28s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1312 #max SARE_HTML_EMPTY 32s/2h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1313 #counts SARE_HTML_EMPTY 0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1314 #max SARE_HTML_EMPTY 132s/2h of 26326 corpus (22886s/3440h MY) 02/15/05
1315 #counts SARE_HTML_EMPTY 0s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
1316 #max SARE_HTML_EMPTY 12s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1317 #counts SARE_HTML_EMPTY 1s/173h of 7500 corpus (1767s/5733h ft) 09/18/05
1319 ######## ###################### ##################################################
1320 # <HTML> and <BODY> tag spamsign
1321 ######## ###################### ##################################################
1323 rawbody __SARE_HTML_BODY_END2 m'</body[^>]*>.*</body[^>]*>'i
1324 meta SARE_HTML_BODY_END2 __SARE_HTML_BODY_END2
1325 describe SARE_HTML_BODY_END2 Double </body>
1326 score SARE_HTML_BODY_END2 0.444
1327 #hist SARE_HTML_BODY_END2 Contrib by Matt Keller June 7 2004
1328 #note SARE_HTML_BODY_END2 Add/remove HTML_MESSAGE test has no effect
1329 #counts SARE_HTML_BODY_END2 15s/1h of 333405 corpus (262498s/70907h RM) 05/12/06
1330 #max SARE_HTML_BODY_END2 163s/13h of 281655 corpus (110173s/171482h RM) 05/05/05
1331 #counts SARE_HTML_BODY_END2 2s/1h of 9988 corpus (5657s/4331h AxB) 05/14/06
1332 #counts SARE_HTML_BODY_END2 1s/1h of 13284 corpus (7412s/5872h CT) 05/14/06
1333 #max SARE_HTML_BODY_END2 6s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1334 #counts SARE_HTML_BODY_END2 6s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
1335 #counts SARE_HTML_BODY_END2 0s/7h of 42328 corpus (34212s/8116h FVGT) 05/15/06
1336 #counts SARE_HTML_BODY_END2 15s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1337 #max SARE_HTML_BODY_END2 63s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1338 #counts SARE_HTML_BODY_END2 13s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
1339 #counts SARE_HTML_BODY_END2 52s/2h of 23053 corpus (17334s/5719h MY) 05/14/06
1340 #max SARE_HTML_BODY_END2 69s/2h of 57287 corpus (52272s/5015h MY) 09/22/05
1342 rawbody SARE_HTML_HTML_DBL /<html[^>]*><html[^>]*>/i
1343 describe SARE_HTML_HTML_DBL Message body has very strange HTML sequence
1344 score SARE_HTML_HTML_DBL 0.639
1345 #ham SARE_HTML_HTML_DBL Verified (several), common to various opt-in lists.
1346 #hist SARE_HTML_HTML_DBL Fred T: FR_HTML_HTML
1347 #hist SARE_HTML_HTML_DBL 2004-06-11: [^>]* added by Bob Menschel
1348 #counts SARE_HTML_HTML_DBL 7s/1h of 333405 corpus (262498s/70907h RM) 05/12/06
1349 #max SARE_HTML_HTML_DBL 168s/0h of 65984 corpus (40739s/25245h RM) 08/21/04
1350 #counts SARE_HTML_HTML_DBL 1s/0h of 9988 corpus (5657s/4331h AxB) 05/14/06
1351 #counts SARE_HTML_HTML_DBL 0s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
1352 #max SARE_HTML_HTML_DBL 9s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
1353 #counts SARE_HTML_HTML_DBL 3s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
1354 #counts SARE_HTML_HTML_DBL 25s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1355 #max SARE_HTML_HTML_DBL 75s/0h of 32906 corpus (9660s/23246h JH) 05/24/04
1356 #counts SARE_HTML_HTML_DBL 1s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
1357 #counts SARE_HTML_HTML_DBL 8s/1h of 23053 corpus (17334s/5719h MY) 05/14/06
1358 #max SARE_HTML_HTML_DBL 10s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1360 ######## ###################### ##################################################
1362 ######## ###################### ##################################################
1364 # Moved file 1 to 3: SARE_HTML_TITLE_MNY
1365 rawbody SARE_HTML_TITLE_MNY /<title>.{0,25}Money.{0,25}<\/title>/i
1366 describe SARE_HTML_TITLE_MNY HTML Title implies this may be spam
1367 score SARE_HTML_TITLE_MNY 0.458
1368 #ham SARE_HTML_TITLE_MNY confirmed
1369 #hist SARE_HTML_TITLE_MNY Fred T: FR_TITLE_MONEY
1370 #counts SARE_HTML_TITLE_MNY 16s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
1371 #max SARE_HTML_TITLE_MNY 260s/11h of 689155 corpus (348140s/341015h RM) 09/18/05
1372 #counts SARE_HTML_TITLE_MNY 0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
1373 #max SARE_HTML_TITLE_MNY 0s/1h of 6944 corpus (3188s/3756h CT) 05/19/04
1374 #counts SARE_HTML_TITLE_MNY 0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1375 #max SARE_HTML_TITLE_MNY 7s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1376 #counts SARE_HTML_TITLE_MNY 2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
1377 #counts SARE_HTML_TITLE_MNY 15s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
1378 #max SARE_HTML_TITLE_MNY 120s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1380 ######## ###################### ##################################################
1381 # <A> and HREF rules
1382 ######## ###################### ##################################################
1384 ######## ###################### ##################################################
1385 # Spamsign character sets and fonts
1386 ######## ###################### ##################################################
1388 rawbody SARE_HTML_COLOR_B /(?:style="?|<style[^>]*>)[^>"]*[^-]color\s*:\s*rgb\(\s*2[2-5][0-9]\s*,\s*2[2-5][0-9]\s*,\s*2[2-5][0-9]\s*\)[^>]*>/i
1389 describe SARE_HTML_COLOR_B BAD STYLE: color: too light (rgb(n))
1390 score SARE_HTML_COLOR_B 0.621
1391 #ham SARE_HTML_COLOR_B Tickemaster ticket confirmation emails
1392 #hist SARE_HTML_COLOR_B From Jesse Houwing May 14 2004
1393 #counts SARE_HTML_COLOR_B 20s/4h of 333405 corpus (262498s/70907h RM) 05/12/06
1394 #counts SARE_HTML_COLOR_B 2s/8h of 9988 corpus (5657s/4331h AxB) 05/14/06
1395 #counts SARE_HTML_COLOR_B 1s/1h of 13284 corpus (7412s/5872h CT) 05/14/06
1396 #counts SARE_HTML_COLOR_B 47s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
1397 #counts SARE_HTML_COLOR_B 0s/1h of 42328 corpus (34212s/8116h FVGT) 05/15/06
1398 #counts SARE_HTML_COLOR_B 3s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1399 #max SARE_HTML_COLOR_B 5s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1400 #counts SARE_HTML_COLOR_B 12s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
1401 #counts SARE_HTML_COLOR_B 8s/0h of 23053 corpus (17334s/5719h MY) 05/14/06
1403 rawbody SARE_HTML_LANG_PTBR /lang=(?:3D)?PT-BR/
1404 describe SARE_HTML_LANG_PTBR Odd language
1405 score SARE_HTML_LANG_PTBR 0.189
1406 #hist SARE_HTML_LANG_PTBR LW_PT_BR, Loren Wilton
1407 #counts SARE_HTML_LANG_PTBR 11s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
1408 #max SARE_HTML_LANG_PTBR 213s/0h of 70693 corpus (43127s/27566h RM) 10/02/04
1409 #counts SARE_HTML_LANG_PTBR 0s/1h of 56020 corpus (51687s/4333h AxB2) 05/15/06
1410 #counts SARE_HTML_LANG_PTBR 9s/25h of 13284 corpus (7412s/5872h CT) 05/14/06
1411 #counts SARE_HTML_LANG_PTBR 1s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
1412 #counts SARE_HTML_LANG_PTBR 69s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1413 #counts SARE_HTML_LANG_PTBR 2s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
1414 #counts SARE_HTML_LANG_PTBR 0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
1415 #max SARE_HTML_LANG_PTBR 10s/0h of 19448 corpus (16863s/2585h MY) 10/05/04
1417 ######## ###################### ##################################################
1418 # Invalid or Suspicious URI Tests
1419 ######## ###################### ##################################################
1421 uri SARE_HTML_URI_DEFASP m'/default.asp\?id='i
1422 describe SARE_HTML_URI_DEFASP URI to page name which suggests spammer's page
1423 score SARE_HTML_URI_DEFASP 0.093
1424 #hist SARE_HTML_URI_DEFASP Deleted SARE_HTML_URI_X1 = LW_URI_ID due to complete overlap: /\?id\x10\x30\x34\x35/i
1425 #counts SARE_HTML_URI_DEFASP 0s/8h of 333405 corpus (262498s/70907h RM) 05/12/06
1426 #max SARE_HTML_URI_DEFASP 130s/27h of 689155 corpus (348140s/341015h RM) 09/18/05
1427 #counts SARE_HTML_URI_DEFASP 0s/5h of 13287 corpus (7414s/5873h CT) 05/14/06
1428 #max SARE_HTML_URI_DEFASP 44s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
1429 #counts SARE_HTML_URI_DEFASP 1s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
1430 #counts SARE_HTML_URI_DEFASP 0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1431 #max SARE_HTML_URI_DEFASP 361s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1432 #counts SARE_HTML_URI_DEFASP 24s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
1433 #max SARE_HTML_URI_DEFASP 24s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1435 ######## ###################### ##################################################
1437 ######## ###################### ##################################################
1439 ######## ###################### ##################################################
1440 # Paragraphs, breaks, and spacings
1441 ######## ###################### ##################################################
1443 rawbody SARE_HTML_P_MANY3 /<P><P><P>/i
1444 describe SARE_HTML_P_MANY3 Too many empty paragraph tags in a row
1445 score SARE_HTML_P_MANY3 1.108
1446 #hist SARE_HTML_P_MANY3 04/02/2004 http://www.rulesemporium.com/rules/99_FVGT_rawbody.cf
1447 #overlap SARE_HTML_P_MANY3 Total overlap within SARE_HTML_URI_MANYP2, but no ham hits here (until Feb 2005)
1448 #ham SARE_HTML_P_MANY3 From: Ticketmaster <support@reply.ticketmaster.com>, Tuesday, January 25, 2005, 4:00:27 PM
1449 #counts SARE_HTML_P_MANY3 78s/6h of 333405 corpus (262498s/70907h RM) 05/12/06
1450 #max SARE_HTML_P_MANY3 458s/28h of 689155 corpus (348140s/341015h RM) 09/18/05
1451 #counts SARE_HTML_P_MANY3 143s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
1452 #counts SARE_HTML_P_MANY3 0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
1453 #max SARE_HTML_P_MANY3 9s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
1454 #counts SARE_HTML_P_MANY3 412s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
1455 #counts SARE_HTML_P_MANY3 50s/0h of 42328 corpus (34212s/8116h FVGT) 05/15/06
1456 #counts SARE_HTML_P_MANY3 4s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1457 #max SARE_HTML_P_MANY3 15s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
1458 #counts SARE_HTML_P_MANY3 9s/0h of 23053 corpus (17334s/5719h MY) 05/14/06
1459 #max SARE_HTML_P_MANY3 41s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
1461 ######## ###################### ##################################################
1462 # Javascript and object tests
1463 ######## ###################### ##################################################
1465 ######## ###################### ##################################################
1466 # Useless tags (tag structures that do nothing)
1467 # Largely submitted by Matt Yackley, with contributions by
1468 # Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
1469 ######## ###################### ##################################################
1471 rawbody SARE_HTML_USL_1CHAR m'(?!<[biopu]></[biopu]>)<([a-z])></\1>'i
1472 describe SARE_HTML_USL_1CHAR Invalid and empty 1-char tag - /tag combination
1473 score SARE_HTML_USL_1CHAR 0.029
1474 #counts SARE_HTML_USL_1CHAR 6s/14h of 333405 corpus (262498s/70907h RM) 05/12/06
1475 #max SARE_HTML_USL_1CHAR 46s/6h of 196718 corpus (96193s/100525h RM) 02/22/05
1476 #counts SARE_HTML_USL_1CHAR 3s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
1477 #counts SARE_HTML_USL_1CHAR 0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
1478 #max SARE_HTML_USL_1CHAR 3s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
1479 #counts SARE_HTML_USL_1CHAR 8s/30h of 155408 corpus (103805s/51603h DOC) 05/15/06
1480 #counts SARE_HTML_USL_1CHAR 2s/1h of 42328 corpus (34212s/8116h FVGT) 05/15/06
1481 #counts SARE_HTML_USL_1CHAR 3s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1482 #max SARE_HTML_USL_1CHAR 6s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
1483 #counts SARE_HTML_USL_1CHAR 2s/0h of 23053 corpus (17334s/5719h MY) 05/14/06
1485 ######## ###################### ##################################################
1486 # Miscellaneous tag tests
1487 ######## ###################### ##################################################
1489 rawbody SARE_HTML_BODY_2SP /<body /i
1490 describe SARE_HTML_BODY_2SP HTML tag is strangely formed
1491 score SARE_HTML_BODY_2SP 0.665
1492 #hist SARE_HTML_BODY_2SP FR_BODY_2SPACES
1493 #counts SARE_HTML_BODY_2SP 682s/152h of 333405 corpus (262498s/70907h RM) 05/12/06
1494 #counts SARE_HTML_BODY_2SP 678s/2h of 9988 corpus (5657s/4331h AxB) 05/14/06
1495 #counts SARE_HTML_BODY_2SP 48s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
1496 #counts SARE_HTML_BODY_2SP 215s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
1497 #counts SARE_HTML_BODY_2SP 1455s/8h of 42328 corpus (34212s/8116h FVGT) 05/15/06
1498 #counts SARE_HTML_BODY_2SP 62s/5h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1499 #max SARE_HTML_BODY_2SP 94s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1500 #counts SARE_HTML_BODY_2SP 361s/2h of 106399 corpus (73151s/33248h ML) 05/14/06
1501 #counts SARE_HTML_BODY_2SP 21s/2h of 23053 corpus (17334s/5719h MY) 05/14/06
1502 #max SARE_HTML_BODY_2SP 66s/2h of 47221 corpus (42968s/4253h MY) 06/18/05
1504 full SARE_HTML_TD_BR m'<td.{10,400}<br>.{1,7}<br>.{1,7}<br>.{1,7}<br>.{0,400}</td>'is
1505 describe SARE_HTML_TD_BR Multiple line breaks in spammer pattern
1506 score SARE_HTML_TD_BR 0.934
1507 #hist SARE_HTML_TD_BR Fred T: FR_WICKED_SPAM_??
1508 #counts SARE_HTML_TD_BR 2757s/33h of 333405 corpus (262498s/70907h RM) 05/12/06
1509 #counts SARE_HTML_TD_BR 368s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
1510 #counts SARE_HTML_TD_BR 40s/10h of 13284 corpus (7412s/5872h CT) 05/14/06
1511 #counts SARE_HTML_TD_BR 471s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
1512 #counts SARE_HTML_TD_BR 190s/10h of 42328 corpus (34212s/8116h FVGT) 05/15/06
1513 #counts SARE_HTML_TD_BR 36s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
1514 #max SARE_HTML_TD_BR 182s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
1515 #counts SARE_HTML_TD_BR 700s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
1516 #counts SARE_HTML_TD_BR 68s/14h of 23053 corpus (17334s/5719h MY) 05/14/06
1517 #max SARE_HTML_TD_BR 184s/15h of 47221 corpus (42968s/4253h MY) 06/18/05
projects / spamassassin_config.git / blob