match microsoft office enterprise
[spamassassin_config.git] / common / url_spam
1 # joy, 2003-06-29
2 body ORIENTSKY                  /orient-sky\.com/
3 describe ORIENTSKY              Japanese spam
4 score ORIENTSKY                 4
5
6 # joy, 2003-07-06
7 body PACHETES                   /www\.pachetes\.com/
8 describe PACHETES               Spanish spam
9 score PACHETES                  4
10
11 # cjwatson, 2003/07/12
12 body NO_MORE_ACCENT             /www\.no-more-accent\.com/
13 describe NO_MORE_ACCENT         No More Accent spam
14 score NO_MORE_ACCENT            4
15
16 # joy, 2003-08-15
17 header FETHARD                  Subject =~ /fethard.biz/i
18 describe FETHARD                Spam from Fethard.biz
19 score FETHARD                   4
20
21 # joy, 2003-10-21, 2003-10-31
22 body PHARMACYSPAM3      /http:\/\/www\.rx(salenow|ville)\.biz/i
23 describe PHARMACYSPAM3  pharmacy spam 3
24 score PHARMACYSPAM3     4
25
26 # cjwatson, 2004-01-13
27 # blarson, any number 2004-04-01
28 # blarson, more ajustmets 2004-04-03
29 body HREF_NNNN          /www\.\d{3,5}hosting\.com/
30 describe HREF_NNNN      www.NNNNhosting.com spam
31 score HREF_NNNN         3
32
33 # cjwatson, 2004-02-16
34 body SOCCER_MOMS        /www\.soccer-moms\.biz/
35 describe SOCCER_MOMS    Porn spam
36 score SOCCER_MOMS       4
37
38 # cjwatson, 2004-02-22
39 body MRSM_TILO          /mrsm-tilo\.com/
40 describe MRSM_TILO      Medical spam
41 score MRSM_TILO         4
42
43 # cjwatson, 2004-02-27
44 body FAST_ACTING        /fast-acting\.com/
45 describe FAST_ACTING    Viagra spam
46 score FAST_ACTING       4
47
48 # blarson 2004-04-04
49 body COMCLICKPH         /com-click\.com\.ph/
50 describe COMCLICKPH     PH spam gang
51 score COMCLICKPH        4
52
53 # blarson 2004-05-01
54 body MEDS675            /(675meds|medsarergreat)\.com/i
55 describe MEDS675        More drug spam
56 score MEDS675           3
57
58 # blarson 2004-04-30
59 body ERHOME             /erhome\.com/i
60 describe ERHOME         loan spammer
61 score ERHOME            3
62
63 # blarson 2005-04-27
64 body CANDYHOS           /\.(?:candyhos\.com|(?:mycountry|polty|make4u)\.cc|puchiphoto\.org|purepure\.org)\//i
65 describe CANDYHOS       spams from korea, hosts in japan
66 score CANDYHOS          5
67
68 # blarson 2005-12-08
69 # don 2007-11-21 -- combine other rule; increment score
70 body GEOCITIES          /http\:\/\/.*geocities/i
71 describe GEOCITIES      geocities url
72 score GEOCITIES         2.5
73
74 # blarson 2005-12-24
75 body EMPTYURL           /\bhttp:\/\/(?:www\.)?$/i
76 describe EMPTYURL       empty URL
77 score EMPTYURL          1.5
78
79 # blarson 2006-02-06
80 body AMPRO              /www\.amateurprovideo\.info/i
81 describe AMPRO          bug submitting spammer
82 score AMPRO             5
83
84 # blarson 2007-04-03
85 body IMAGESHACK         /\/img\d+\.imageshack\.us\//i
86 describe IMAGESHACK     shack attack
87 score IMAGESHACK        3.5
88
89
90 # dla 2007-04-03
91 header MSOUTLOOK        x-mailer =~ /Microsoft\s+Outlook/i
92 describe MSOUTLOOK      Microsoft Outlook
93 score   MSOUTLOOK       0
94
95 meta SHACKOUTLOOK       IMAGESHACK && MSOUTLOOK
96 describe SHACKOUTLOOK   shack'ed to outlook
97 score SHACKOUTLOOK      2
98
99 # blarson 2007-04-09
100 body UNSUBG             /\bwww\.guiaartistica\.com\.ar\b/
101 describe UNSUBG         spamming bts with unsubscribe messages
102 score UNSUBG            14
103
104 # blarson 2007-05-14
105 body IMGCLOSET          /\bhttp\:\/\/.*\b((image(closet|thrust|hosting)|mypicshare|tinypic|fileanchor|imgspot)\.com|bilder-hosting\.de|saunalahti\.fi|upload2\.net|imagehost\.ro)\b/i
106 describe IMGCLOSET      closet spammer
107 score IMGCLOSET         3.5
108
109 # blarson 2007-05-17
110 body TROUBLEDE          /\bhttp\:\/\/www\.TroubleAgent\.de\b/
111 describe TROUBLEDE      troubleagent.de spam
112 score TROUBLEDE         3.5
113
114 # don 2007-05-24
115 body BESTLOANS          /www.bestmortloans.com/i
116 describe BESTLOANS      Best loans url
117 score BESTLOANS         2
118
119 # blarson 2007-07-22 2007-09-12
120 body PENPRO             /\@(?:penmailpro|OnsetIng|openprotection|NearOut|SuperOnset|medicalgloveonline|YourOnset|GreatGloveCell|thegloveworks|asiafriendworld|NaturalImprove|charmshine|healthinsweb)\.info\b/i
121 describe PENPRO         penmailpro spam
122 score PENPRO            3.5
123
124 # blarson 2007-09-05 2007-09-11
125 body WWWCN              /\b(?:www\.|https?\:.*)\w+\.cn\b/i
126 describe WWWCN          chinese web site
127 score WWWCN             3
128
129 # cjwatson, 2002/04/04
130 body EMAILOFFER                 /www\.emailoffer\.us/
131 describe EMAILOFFER             Gibberish HTML spammers
132 score EMAILOFFER                4.0
133
134 # cjwatson, 2002/04/08
135 body JUSTYAK                    /www\.JustYak\.com/
136 describe JUSTYAK                JustSpam
137 score JUSTYAK                   4.0
138
139 # blarson 2007-09-10
140 body SIZMATZ            /\bsize-matterz\.com\b/i
141 describe SIZMATZ        size matterz
142 score SIZMATZ           3
143
144 # blarson 2007-09-10
145 body EMAGX              /\bhttp\:\/\/emagx\.net\b/i
146 describe EMAGX          wondercum spammer
147 score EMAGX             3.5
148
149 # blarson 2007-09-13
150 body FREENFL            /\bhttp\:\/\/freeNFLtracker\.com\b/i
151 describe FREENFL        nfl spam
152 score FREENFL           3
153
154 # blarson 2007-09-13
155 body SPAMARREST         /\bhttp\:\/\/www\.spamarrest\.com\b/
156 describe SPAMARREST     forwards thier spam problem
157 score SPAMARREST        4
158
159 # blarson 2007-09-14
160 body FROMAD             /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe)\.com\b/i
161 describe FROMAD         more penis spam
162 score FROMAD            4
163
164 # blarson 2007-09-14
165 uridnsbl URIBL_CNKR     cn-kr.blackholes.us.    A
166 body    URIBL_CNKR      eval:check_uridnsbl('URIBL_CNKR')
167 describe URIBL_CNKR     china or korea hosted web site
168 tflags  URIBL_CNKR      net
169 score URIBL_CNKR        2.5
170
171 # blarson 2007-09-14
172 uridnsbl_skip_domain    debian.org debian.net yahoo.com google.com
173
174 # blarson 2007-09-14
175 uridnsbl        URIBL_SBL       sbl.spamhaus.org.       A
176 body            URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
177 describe        URIBL_SBL       Contains an URL listed in the SBL blocklist
178 tflags          URIBL_SBL       net
179 #reuse          URIBL_SBL
180 score           URIBL_SBL       3.5
181
182 # blarson 2007-09-17
183 body MYCHEAP            /\b(?:my)?cheap(?:xp|adobe)?(?:oem|soft)+(?:now|ware)?(?:(?:4|for)?less)?\d*\s*\.\s*com\b/i
184 describe MYCHEAP        software spam
185 score MYCHEAP           4
186
187 # blarson 2007-09-16
188 body WWWRU              /\b(?:www\.|https?\:.*)\w+\.ru\b/i
189 describe WWWRU          russian web site
190 score WWWRU             2
191
192 # blarson 2007-09-24
193 body VIPSMS             /\bvipsms\.org\b/i
194 describe VIPSMS         vipsms.org
195 score VIPSMS            4
196
197 # don 2007-10-01
198 header MAKEUP           subject =~ /makeup\.com/i
199 describe MAKEUP         makeup.com url
200 score MAKEUP            3
201
202 # blarson 2007-10-04
203 body SUBT               /\bsubtracthold\.com\b/i
204 describe SUBT           subtracthold.com
205 score SUBT              4
206
207 body GRAPHICMAIL        /\bhttp\:\/\/www\.graphicmail\.de\b/i
208 describe GRAPHICMAIL    graphicmail.de
209 score   GRAPHICMAIL     4
210
211
212 body WWWRO              /\b(?:www\.|https?\:.*)\w+\.ro\b/i
213 describe WWWRO          romanian web site
214 score WWWRO             2
215
216 # blarson 2007-10-10
217 body CLEANDOM           /http\:\/\/\{_clean_domains\}/
218 describe CLEANDOM       broken spamware
219 score CLEANDOM          4
220
221 # blarson 2007-10-11
222 body SOFTNLSE           /\bsoftnlse\s*\.\s*com\b/i
223 describe SOFTNLSE       softnlse.com
224 score SOFTNLSE          4
225
226 # blarson 2007-10-13
227 body MUSVID             /\b(?:MusicAndVideoWorld|usa-bestsellers)\.com/i
228 describe MUSVID         MusicAndVideoWorld.com
229 score MUSVID            4
230
231 # blarson 2007-10-16
232 body PLATSOFT           /\btheplatinumsoft\.com\b/i
233 describe PLATSOFT       theplatinumsoft.com
234 score PLATSOFT          4
235
236 # blarson 2007-10-22
237 body BLOGSPOT           /\bblogspot\.com\b/i
238 describe BLOGSPOT       spammers are hosting on blogspot
239 score BLOGSPOT          2
240
241 # blarson 2007-10-25
242 body PILLUS             /PILL-US\.COM\b/i
243 describe PILLUS         PILL-US spam
244 score PILLUS            4
245
246 # blarson 2007-10-25
247 body BETWEENTO          /\bhttp\:\/\/betweento\.com\b/i
248 describe BETWEENTO      betweento.com
249 score BETWEENTO         4
250
251 # don 2007-10-25
252 body MASZON             /mc?a(szon|yvidol|ttk)\.(com|org|net)/i
253 describe MASZON         pron spam
254 score MASZON            4
255
256
257 # blarson 2007-10-27
258 body GMAIL              /\@gmail\.com\b/i
259 describe GMAIL          @gmail.com
260 score GMAIL             1
261
262 # blarson 2007-10-28
263 body MAILRU             /\@mail\.ru\b/i
264 describe MAILRU         @mail.ru
265 score MAILRU            3
266
267 # blarson 2007-10-31
268 body ADOBE4LESS         /\b(?:adobe4less|realnewsoft|newmicrosoftdeals|kvaka-soft)\s*[.,]\s*com\b/i
269 describe ADOBE4LESS     adobe4less . com
270 score ADOBE4LESS        4
271
272 # blarson 2007-11-01
273 body RMAPPLY            /http\:\/\/rmapply\.com\b/i
274 describe RMAPPLY        http://rmapply.com
275 score RMAPPLY           4
276
277 # blarson 2007-11-04
278 header HANOIFASH        subject =~ /WWW\.HANOI-FASHION\.COM/i
279 describe HANOIFASH      WWW.HANOI-FASHION.COM
280 score HANOIFASH         4
281
282 # blarson 2007-11-06
283 body ONLINEMED          /\b(?:onlinemedicalkey|pharm\w*|webvinz|wendebay|webdcd|vowelstep|wclth|duringgear|broadbasic|instantsuffix|magnetdouble|drugsdirecteat)\s*\.\s*com\b/i
284 describe ONLINEMED      onlinemedicalkey.com
285 score ONLINEMED         4
286
287 # blarson 2007-11-15
288 body GETUP              /\bgetupgradednow\.com\b/i
289 describe GETUP          getupgradednow.com
290 score GETUP             4
291
292 # blarson (pusling's idea) 2007-11-16
293 body SPACECOM           /^[\w\d]+\s\.\scom\b/
294 describe SPACECOM       whatever . com
295 score SPACECOM          3
296
297 # don -- flowgoaway.com doesn't appear to be a working RBL anymore (if it ever was?)
298 # blarson 2007-11-20
299 # uridnsbl URIBL_FLO    flowgoaway.com. A
300 # body  URIBL_FLO       eval:check_uridnsbl('URIBL_FLO')
301 # describe URIBL_FLO    web site in flowgoaway.com
302 # tflags        URIBL_FLO       net
303 # score URIBL_FLO               1
304
305 # blarson 2007-11-20
306 body SOFTROU            /\bwww\.softrou\.com\b/i
307 describe SOFTROU        www.softrou.com
308 score SOFTROU           3
309
310 # blarson 2007-11-20
311 body GOOGLEPAGES        /\bgooglepages\.com\b/i
312 describe GOOGLEPAGES    spammers use googlepages
313 score GOOGLEPAGES       2
314
315 # blarson 2007-12-07
316 body SOFTBESTGRAND      /\bsoft(?:bestgrand|wareonlinemuch)\.com\b/
317 describe SOFTBESTGRAND  softbestgrand.com
318 score SOFTBESTGRAND     4
319
320 # blarson 2007-12-10
321 body PCSOFTCHEAP        /\b(?:pcsoftcheap|cheapezsoft|cheapsoftxp|adobe4cheap|phonowa|saleonsoftware|bestdealoem|realcheapsoft|krasniyles|cheapxp4pc|supercheapoem|lowpriceoem|realcheapoem|cheapadobedeal|softwarefoundation|2008oem|xpxmas|cheap2008soft|snowysoftware|2008adobe|adobe2008|cheapgetsoftone|x(?:higher|main|prime)(?:soft|software|easy)|softonlinepc|andsoftware|softonlinedownload|kunchakoem|erhere\w|kiroemch|phonowd|cheap(?:soft|oem|software)here|softwarenowprox|xprosoftonlinedl|siniyglaz|popandosoem|xsoftprodepot|triudava|krasniynos|fastsoftnow|cheapeasy(soft|oem|software)|ezadobenow|softnowpromohere|primenetsofthe|nowinstantsoftieq|isktesoft|best(?:oem|soft|software)2008|new2008(?:soft|oem|software)|fastez(?:soft|oem|software)|ezfast(?:oem|soft|software)|2008(?:micro)?softdeals|oemfactorysale|nbuysoft|softnuhere|softsale2008|softwintersale|blatnoyoem|svedsoft|gsxoempromo|getmicrosoftfast)\s?\.\s?(?:com|net)\b/
322 describe PCSOFTCHEAP    pcsoftcheap. com
323 score PCSOFTCHEAP       4
324
325 # blarson 2007-12-11
326 body GOLDGAME           /\b(?:gamblingplacegold|goldgamesite|topgamingsite|richbestgaming|luxgoldgaming)\.(?:net|com)\b/
327 describe GOLDGAME       gambling sites
328 score GOLDGAME          4
329
330 # blarson 2007-12-14
331 body ENLARGETW          /\b(?:enlarge|0rz)\.tw\b/
332 describe ENLARGETW      enlarge.tw
333 score ENLARGETW         4
334
335 # blarson 2007-12-15
336 body POSTTHROUGH        /\b(?:postthrough|speedgrand|certaincoast)\.com\b/
337 describe POSTTHROUGH    postthrough.com
338 score POSTTHROUGH       4
339
340 # blarson 2007-12-25
341 body UHAVE              /\b(?:uhavepost|happy(?:santa)?|newyear|familypost|fresh|post)cards?-?(?:2008)?\.com\b/
342 describe UHAVE          uhavepostcard.com
343 score UHAVE             4
344
345 # blarson 2007-12-26
346 body RUSSWIFE           /\b(?:your|best|new|the|my)(?:russ[il]an?|address|russ)(?:wife|bride)\.info\b/
347 describe RUSSWIFE       yourrussianwife.info
348 score RUSSWIFE          4
349
350 # blarson 2007-12-31
351 body HAPPY2008          /\b(?:happy2008toyou|hellosanta2008|hohoho2008|santawishes2008)\.com\b/
352 describe HAPPY2008      happy2008toyou.com
353 score HAPPY2008         4
354
355 # blarson 2008-01-02
356 body BONGHIT            /\b(?:beaverbonghits|dobongworld)\.com\b/
357 describe BONGHIT        beaverbonghits.com
358 score BONGHIT           4
359
360 # blarson 2008-01-02
361 body GOOGLESEARCH       /\bgoo+gle\.(com|\w\w|com?\.\w\w)\/+(?:search|pagead)/i
362 describe GOOGLESEARCH   google search URL
363 score GOOGLESEARCH      2
364
365 # blarson 2008-01-02
366 body SIGAS              /\b(?:Sigashash|Reelhotsi|Erisgoonti|Erisgoners|Freesignsies|Rielhotties|Foredroons|Feeshoons|Erisgant|hapburge|wuimooed|jiuezdoo|goingoinghom|buloies|Poeshages|Rueshabesoo|clitoriseries|clitorina|glueplot|crumbtost|ideaputs)(?:\.|\=2E)com\b/
367 describe SIGAS          www.Sigashash.com
368 score SIGAS             4
369
370 # blarson 2008-01-05
371 body RUSSIABRIDE        /\bruss[il]an?(bride|wife)(?:home|live|blog|)\.info\b/
372 describe RUSSIABRIDE    russiabridehome.info
373 score RUSSIABRIDE       4
374
375 # blarson 2008-01-14
376 body REDMEHS            /\bwww\.(?:redmehs|feltas|barataslo|quasibot|tageshes|flessimo|spendhope|instrumentstart)\b/
377 describe REDMEHS        www.redmehs
378 score REDMEHS           4
379
380 # blarson 2008-01-15
381 body MYURL              /\bmyurl\.com\.tw\b/i
382 describe MYURL          myurl.com.tw
383 score MYURL             3
384
385 # blarson 2008-01-28
386 body W0MEN              /w0men\.info\b/i
387 describe W0MEN          hotw0men.info ukrw0men.info
388 score W0MEN             3
389
390 # blarson 2008-01-29
391 body ACEMST             /\bacemst\.com\b/
392 describe ACEMST         acemst.com
393 score ACEMST            3
394
395 # blarson 2008-02-01
396 body GALSINFO           /\b(?:foreigngals|californiaimprove)\.info\b/i
397 describe GALSINFO       foreigngals.info
398 score GALSINFO          3
399
400 # blarson 2008-02-06
401 body RIDGEST            /\bridgest\.com\b/
402 describe RIDGEST        ridgest.com
403 score RIDGEST           4
404
405 # blarson 2008-02-16
406 body SOFTROI            /\bsoft(?:roi|ove)\.com\b/
407 describe SOFTROI        softroi.com
408 score SOFTROI           4