* update spam scam
[spamassassin_config.git] / common / url_spam
1 # joy, 2003-06-29
2 body ORIENTSKY                  /orient-sky\.com/
3 describe ORIENTSKY              Japanese spam
4 score ORIENTSKY                 4
5
6 # joy, 2003-07-06
7 body PACHETES                   /www\.pachetes\.com/
8 describe PACHETES               Spanish spam
9 score PACHETES                  4
10
11 # cjwatson, 2003/07/12
12 body NO_MORE_ACCENT             /www\.no-more-accent\.com/
13 describe NO_MORE_ACCENT         No More Accent spam
14 score NO_MORE_ACCENT            4
15
16 # joy, 2003-08-15
17 header FETHARD                  Subject =~ /fethard.biz/i
18 describe FETHARD                Spam from Fethard.biz
19 score FETHARD                   4
20
21 # joy, 2003-10-21, 2003-10-31
22 body PHARMACYSPAM3      /http:\/\/www\.rx(salenow|ville)\.biz/i
23 describe PHARMACYSPAM3  pharmacy spam 3
24 score PHARMACYSPAM3     4
25
26 # cjwatson, 2004-01-13
27 # blarson, any number 2004-04-01
28 # blarson, more ajustmets 2004-04-03
29 body HREF_NNNN          /www\.\d{3,5}hosting\.com/
30 describe HREF_NNNN      www.NNNNhosting.com spam
31 score HREF_NNNN         3
32
33 # cjwatson, 2004-02-16
34 body SOCCER_MOMS        /www\.soccer-moms\.biz/
35 describe SOCCER_MOMS    Porn spam
36 score SOCCER_MOMS       4
37
38 # cjwatson, 2004-02-22
39 body MRSM_TILO          /mrsm-tilo\.com/
40 describe MRSM_TILO      Medical spam
41 score MRSM_TILO         4
42
43 # cjwatson, 2004-02-27
44 body FAST_ACTING        /fast-acting\.com/
45 describe FAST_ACTING    Viagra spam
46 score FAST_ACTING       4
47
48 # blarson 2004-04-04
49 body COMCLICKPH         /com-click\.com\.ph/
50 describe COMCLICKPH     PH spam gang
51 score COMCLICKPH        4
52
53 # blarson 2004-05-01
54 body MEDS675            /(675meds|medsarergreat)\.com/i
55 describe MEDS675        More drug spam
56 score MEDS675           3
57
58 # blarson 2004-04-30
59 body ERHOME             /erhome\.com/i
60 describe ERHOME         loan spammer
61 score ERHOME            3
62
63 # blarson 2005-04-27
64 body CANDYHOS           /\.(?:candyhos\.com|(?:mycountry|polty|make4u)\.cc|puchiphoto\.org|purepure\.org)\//i
65 describe CANDYHOS       spams from korea, hosts in japan
66 score CANDYHOS          5
67
68 # blarson 2005-12-08
69 # don 2007-11-21 -- combine other rule; increment score
70 body GEOCITIES          /http\:\/\/.*geocities/i
71 describe GEOCITIES      geocities url
72 score GEOCITIES         2.5
73
74 # blarson 2005-12-24
75 body EMPTYURL           /\bhttp:\/\/(?:www\.)?$/i
76 describe EMPTYURL       empty URL
77 score EMPTYURL          1.5
78
79 # blarson 2006-02-06
80 body AMPRO              /www\.amateurprovideo\.info/i
81 describe AMPRO          bug submitting spammer
82 score AMPRO             5
83
84 # blarson 2007-04-03
85 body IMAGESHACK         /\/img\d+\.imageshack\.us\//i
86 describe IMAGESHACK     shack attack
87 score IMAGESHACK        3.5
88
89
90 # dla 2007-04-03
91 header MSOUTLOOK        x-mailer =~ /Microsoft\s+Outlook/i
92 describe MSOUTLOOK      Microsoft Outlook
93 score   MSOUTLOOK       0
94
95 meta SHACKOUTLOOK       IMAGESHACK && MSOUTLOOK
96 describe SHACKOUTLOOK   shack'ed to outlook
97 score SHACKOUTLOOK      2
98
99 # blarson 2007-04-09
100 body UNSUBG             /\bwww\.guiaartistica\.com\.ar\b/
101 describe UNSUBG         spamming bts with unsubscribe messages
102 score UNSUBG            14
103
104 # blarson 2007-05-14
105 body IMGCLOSET          /\bhttp\:\/\/.*\b((image(closet|thrust|hosting)|mypicshare|tinypic|fileanchor|imgspot)\.com|bilder-hosting\.de|saunalahti\.fi|upload2\.net|imagehost\.ro)\b/i
106 describe IMGCLOSET      closet spammer
107 score IMGCLOSET         3.5
108
109 # blarson 2007-05-17
110 body TROUBLEDE          /\bhttp\:\/\/www\.TroubleAgent\.de\b/
111 describe TROUBLEDE      troubleagent.de spam
112 score TROUBLEDE         3.5
113
114 # don 2007-05-24
115 body BESTLOANS          /www.bestmortloans.com/i
116 describe BESTLOANS      Best loans url
117 score BESTLOANS         2
118
119 # blarson 2007-07-22 2007-09-12
120 body PENPRO             /\@(?:penmailpro|OnsetIng|openprotection|NearOut|SuperOnset|medicalgloveonline|YourOnset|GreatGloveCell|thegloveworks|asiafriendworld|NaturalImprove|charmshine|healthinsweb)\.info\b/i
121 describe PENPRO         penmailpro spam
122 score PENPRO            3.5
123
124 # blarson 2007-09-05 2007-09-11
125 body WWWCN              /\b(?:www\.|https?\:.*)\w+\.cn\b/i
126 describe WWWCN          chinese web site
127 score WWWCN             3
128
129 # cjwatson, 2002/04/04
130 body EMAILOFFER                 /www\.emailoffer\.us/
131 describe EMAILOFFER             Gibberish HTML spammers
132 score EMAILOFFER                4.0
133
134 # cjwatson, 2002/04/08
135 body JUSTYAK                    /www\.JustYak\.com/
136 describe JUSTYAK                JustSpam
137 score JUSTYAK                   4.0
138
139 # blarson 2007-09-10
140 body SIZMATZ            /\bsize-matterz\.com\b/i
141 describe SIZMATZ        size matterz
142 score SIZMATZ           3
143
144 # blarson 2007-09-10
145 body EMAGX              /\bhttp\:\/\/emagx\.net\b/i
146 describe EMAGX          wondercum spammer
147 score EMAGX             3.5
148
149 # blarson 2007-09-13
150 body FREENFL            /\bhttp\:\/\/freeNFLtracker\.com\b/i
151 describe FREENFL        nfl spam
152 score FREENFL           3
153
154 # blarson 2007-09-13
155 body SPAMARREST         /\bhttp\:\/\/www\.spamarrest\.com\b/
156 describe SPAMARREST     forwards thier spam problem
157 score SPAMARREST        4
158
159 # blarson 2007-09-14
160 body FROMAD             /\bhttp\:\/\/(?:budhipps|fromad|conavel|cliensy|comnoe|mybudshop)\.com\b/i
161 describe FROMAD         more penis spam
162 score FROMAD            4
163
164 # blarson 2007-09-17
165 body MYCHEAP            /\b(?:my)?cheap(?:xp|adobe)?(?:oem|soft)+(?:now|ware)?(?:(?:4|for)?less)?\d*\s*\.\s*com\b/i
166 describe MYCHEAP        software spam
167 score MYCHEAP           4
168
169 # blarson 2007-09-16
170 body WWWRU              /\b(?:www\.|https?\:.*)\w+\.ru\b/i
171 describe WWWRU          russian web site
172 score WWWRU             2
173
174 # blarson 2007-09-24
175 body VIPSMS             /\bvipsms\.org\b/i
176 describe VIPSMS         vipsms.org
177 score VIPSMS            4
178
179 # don 2007-10-01
180 header MAKEUP           subject =~ /makeup\.com/i
181 describe MAKEUP         makeup.com url
182 score MAKEUP            3
183
184 # blarson 2007-10-04
185 body SUBT               /\bsubtracthold\.com\b/i
186 describe SUBT           subtracthold.com
187 score SUBT              4
188
189 body GRAPHICMAIL        /\bhttp\:\/\/www\.graphicmail\.de\b/i
190 describe GRAPHICMAIL    graphicmail.de
191 score   GRAPHICMAIL     4
192
193
194 body WWWRO              /\b(?:www\.|https?\:.*)\w+\.ro\b/i
195 describe WWWRO          romanian web site
196 score WWWRO             2
197
198 # blarson 2007-10-10
199 body CLEANDOM           /http\:\/\/\{_clean_domains\}/
200 describe CLEANDOM       broken spamware
201 score CLEANDOM          4
202
203 # blarson 2007-10-11
204 body SOFTNLSE           /\bsoftnlse\s*\.\s*com\b/i
205 describe SOFTNLSE       softnlse.com
206 score SOFTNLSE          4
207
208 # blarson 2007-10-13
209 body MUSVID             /\b(?:MusicAndVideoWorld|usa-bestsellers)\.com/i
210 describe MUSVID         MusicAndVideoWorld.com
211 score MUSVID            4
212
213 # blarson 2007-10-16
214 body PLATSOFT           /\btheplatinumsoft\.com\b/i
215 describe PLATSOFT       theplatinumsoft.com
216 score PLATSOFT          4
217
218 # blarson 2007-10-22
219 body BLOGSPOT           /\bblogspot\.com\b/i
220 describe BLOGSPOT       spammers are hosting on blogspot
221 score BLOGSPOT          3
222
223 # blarson 2007-10-25
224 body PILLUS             /PILL-US\.COM\b/i
225 describe PILLUS         PILL-US spam
226 score PILLUS            4
227
228 # blarson 2007-10-25
229 body BETWEENTO          /\bhttp\:\/\/betweento\.com\b/i
230 describe BETWEENTO      betweento.com
231 score BETWEENTO         4
232
233 # don 2007-10-25
234 body MASZON             /mc?a(szon|yvidol|ttk)\.(com|org|net)/i
235 describe MASZON         pron spam
236 score MASZON            4
237
238
239 # blarson 2007-10-27
240 body GMAIL              /\@gmail\.com\b/i
241 describe GMAIL          @gmail.com
242 score GMAIL             1
243
244 # blarson 2007-10-28
245 body MAILRU             /\@mail\.ru\b/i
246 describe MAILRU         @mail.ru
247 score MAILRU            3
248
249 # blarson 2007-10-31
250 body ADOBE4LESS         /\b(?:adobe4less|realnewsoft|newmicrosoftdeals|kvaka-soft)\s*[.,]\s*com\b/i
251 describe ADOBE4LESS     adobe4less . com
252 score ADOBE4LESS        4
253
254 # blarson 2007-11-01
255 body RMAPPLY            /http\:\/\/rmapply\.com\b/i
256 describe RMAPPLY        http://rmapply.com
257 score RMAPPLY           4
258
259 # blarson 2007-11-04
260 header HANOIFASH        subject =~ /WWW\.HANOI-FASHION\.COM/i
261 describe HANOIFASH      WWW.HANOI-FASHION.COM
262 score HANOIFASH         4
263
264 # blarson 2007-11-06
265 body ONLINEMED          /\b(?:onlinemedicalkey|pharm\w*|webvinz|wendebay|webdcd|vowelstep|wclth|duringgear|broadbasic|instantsuffix|magnetdouble|drugsdirecteat)\s*\.\s*com\b/i
266 describe ONLINEMED      onlinemedicalkey.com
267 score ONLINEMED         4
268
269 # blarson 2007-11-15
270 body GETUP              /\bgetupgradednow\.com\b/i
271 describe GETUP          getupgradednow.com
272 score GETUP             4
273
274 # blarson (pusling's idea) 2007-11-16
275 body SPACECOM           /^[\w\d]+\s\.\scom\b/
276 describe SPACECOM       whatever . com
277 score SPACECOM          3
278
279 # don -- flowgoaway.com doesn't appear to be a working RBL anymore (if it ever was?)
280 # blarson 2007-11-20
281 # uridnsbl URIBL_FLO    flowgoaway.com. A
282 # body  URIBL_FLO       eval:check_uridnsbl('URIBL_FLO')
283 # describe URIBL_FLO    web site in flowgoaway.com
284 # tflags        URIBL_FLO       net
285 # score URIBL_FLO               1
286
287 # blarson 2007-11-20
288 body SOFTROU            /\bwww\.softrou\.com\b/i
289 describe SOFTROU        www.softrou.com
290 score SOFTROU           3
291
292 # blarson 2007-11-20
293 body GOOGLEPAGES        /\bgooglepages\.com\b/i
294 describe GOOGLEPAGES    spammers use googlepages
295 score GOOGLEPAGES       2
296
297 # blarson 2007-12-07
298 body SOFTBESTGRAND      /\bsoft(?:bestgrand|wareonlinemuch)\.com\b/
299 describe SOFTBESTGRAND  softbestgrand.com
300 score SOFTBESTGRAND     4
301
302 # blarson 2007-12-10
303 body PCSOFTCHEAP        /\b(?:pcsoftcheap|cheapezsoft|cheapsoftxp|adobe4cheap|phonowa|saleonsoftware|bestdealoem|realcheapsoft|krasniyles|cheapxp4pc|supercheapoem|lowpriceoem|realcheapoem|cheapadobedeal|softwarefoundation|2008oem|xpxmas|cheap2008soft|snowysoftware|2008adobe|adobe2008|cheapgetsoftone|x(?:higher|main|prime)(?:soft|software|easy)|softonlinepc|andsoftware|softonlinedownload|kunchakoem|erhere\w|kiroemch|phonowd|cheap(?:soft|oem|software)here|softwarenowprox|xprosoftonlinedl|siniyglaz|popandosoem|xsoftprodepot|triudava|krasniynos|fastsoftnow|cheapeasy(soft|oem|software)|ezadobenow|softnowpromohere|primenetsofthe|nowinstantsoftieq|isktesoft|best(?:oem|soft|software)2008|new2008(?:soft|oem|software)|fastez(?:soft|oem|software)|ezfast(?:oem|soft|software)|2008(?:micro)?softdeals|oemfactorysale|nbuysoft|softnuhere|softsale2008|softwintersale|blatnoyoem|svedsoft|gsxoempromo|getmicrosoftfast|adobeoemsale|xp4(?:cheap|less)|xpoemnow|buycheapxp|alloem4less|lun(?:soft|oem|software)|(?:new|fast)xp(?:soft|oem|software)|frukanoka|softcheap(?:n[eo]w|xp)|adobe(?:web|blog|new)(?:soft|spot|deal))\s?\.\s?(?:com|net)\b/
304 describe PCSOFTCHEAP    pcsoftcheap. com
305 score PCSOFTCHEAP       4
306
307 # blarson 2007-12-11
308 body GOLDGAME           /\b(?:gamblingplacegold|goldgamesite|topgamingsite|richbestgaming|luxgoldgaming)\.(?:net|com)\b/
309 describe GOLDGAME       gambling sites
310 score GOLDGAME          4
311
312 # blarson 2007-12-14
313 body ENLARGETW          /\b(?:enlarge|0rz)\.tw\b/
314 describe ENLARGETW      enlarge.tw
315 score ENLARGETW         4
316
317 # blarson 2007-12-15
318 body POSTTHROUGH        /\b(?:postthrough|speedgrand|certaincoast)\.com\b/
319 describe POSTTHROUGH    postthrough.com
320 score POSTTHROUGH       4
321
322 # blarson 2007-12-25
323 body UHAVE              /\b(?:uhavepost|happy(?:santa)?|newyear|familypost|fresh|post)cards?-?(?:2008)?\.com\b/
324 describe UHAVE          uhavepostcard.com
325 score UHAVE             4
326
327 # blarson 2007-12-26
328 body RUSSWIFE           /\b(?:your|best|new|the|my)(?:russ[il]an?|address|russ)(?:wife|bride)\.info\b/
329 describe RUSSWIFE       yourrussianwife.info
330 score RUSSWIFE          4
331
332 # blarson 2007-12-31
333 body HAPPY2008          /\b(?:happy2008toyou|hellosanta2008|hohoho2008|santawishes2008)\.com\b/
334 describe HAPPY2008      happy2008toyou.com
335 score HAPPY2008         4
336
337 # blarson 2008-01-02
338 body BONGHIT            /\b(?:beaverbonghits|dobongworld)\.com\b/
339 describe BONGHIT        beaverbonghits.com
340 score BONGHIT           4
341
342 # blarson 2008-01-02
343 body GOOGLESEARCH       /\bgoo+gle\.(com|\w\w|com?\.\w\w)\/+(?:search|pagead)/i
344 describe GOOGLESEARCH   google search URL
345 score GOOGLESEARCH      2
346
347 # blarson 2008-01-02
348 body SIGAS              /\b(?:Sigashash|Reelhotsi|Erisgoonti|Erisgoners|Freesignsies|Rielhotties|Foredroons|Feeshoons|Erisgant|hapburge|wuimooed|jiuezdoo|goingoinghom|buloies|Poeshages|Rueshabesoo|clitoriseries|clitorina|glueplot|crumbtost|ideaputs)(?:\.|\=2E)com\b/
349 describe SIGAS          www.Sigashash.com
350 score SIGAS             4
351
352 # blarson 2008-01-05
353 body RUSSIABRIDE        /\bruss[il]an?(bride|wife)(?:home|live|blog|)\.info\b/
354 describe RUSSIABRIDE    russiabridehome.info
355 score RUSSIABRIDE       4
356
357 # blarson 2008-01-14
358 body REDMEHS            /\bwww\.(?:redmehs|feltas|barataslo|quasibot|tageshes|flessimo|spendhope|instrumentstart)\b/
359 describe REDMEHS        www.redmehs
360 score REDMEHS           4
361
362 # blarson 2008-01-15
363 body MYURL              /\bmyurl\.com\.tw\b/i
364 describe MYURL          myurl.com.tw
365 score MYURL             3
366
367 # blarson 2008-01-28
368 body W0MEN              /w0men\.info\b/i
369 describe W0MEN          hotw0men.info ukrw0men.info
370 score W0MEN             3
371
372 # blarson 2008-01-29
373 body ACEMST             /\bacemst\.com\b/
374 describe ACEMST         acemst.com
375 score ACEMST            3
376
377 # blarson 2008-02-01
378 body GALSINFO           /\b(?:foreigngals|californiaimprove)\.info\b/i
379 describe GALSINFO       foreigngals.info
380 score GALSINFO          3
381
382 # blarson 2008-02-06
383 body RIDGEST            /\bridgest\.com\b/
384 describe RIDGEST        ridgest.com
385 score RIDGEST           4
386
387 # blarson 2008-02-16
388 body SOFTROI            /\bsoft(?:roi|ove)\.com\b/
389 describe SOFTROI        softroi.com
390 score SOFTROI           4
391
392 # don 2008-02-23
393 body FILEZONE           /(file-zone.co.uk|File-Zone)/
394 describe FILEZONE       File-Zone
395 score FILEZONE          2
396
397 # blarson 2008-02-28
398 body X2J1F              /\b2j1f\.com\b/i
399 descrIbe X2J1F          2j1f.com
400 score X2J1F             4
401
402 # blarson 2008-02-28
403 body ILVE               /\bilveant\.net\b/i
404 describe ILVE           www.ilveant.net
405 score ILVE              4
406
407 # don 2008-03-04
408 body  VIDEOFILBMS       /www\.videofilbms\.cn/i
409 describe VIDEOFILBMS    video filbms url
410 score    VIDEOFILBMS    4
411
412 # blarson 2008-03-05
413 body ABESOFT            /\bca.abesoft\.com\b/i
414 describe ABESOFT        www.cazabesoft.com etc.
415 score ABESOFT           4
416
417 # blarson 2008-03-06
418 body STARLEYT           /\bstarleyt\.com\b/i
419 describe STARLEYT       starleyt.com
420 score STARLEYT          4
421
422 # blarson 2008-03-07
423 body URLOEM             /\bhttp\:\/\/\{/
424 describe URLOEM         http://{urloem2}
425 score URLOEM            3
426
427 # blarson 2008-03-12
428 body WILDERGO           /\b(?:WilderGoLovan|golovable|BestGolova|SuperGolovaWorld)\.com\b/i
429 describe WILDERGO       WilderGoLovan.com
430 score WILDERGO          4
431
432 # don 2008-03-17
433 body PROGOLD            /\bprogold-inc\.com\b/i
434 describe PROGOLD        progold-inc.com
435 score PROGOLD           4
436
437 # blarson 2008-03-18
438 body KMINU              /\b(?:kminutte|rubstream)\.com\b/i
439 describe KMINU          kminutte.com
440 score KMINU             4
441
442 # don 2008-03-19
443 body SCIJOURNALS        /\bsciencejournals\.info\b/i
444 describe SCIJOURNALS    scientific journals
445 score SCIJOURNALS       4
446
447 # blarson 2008-03-19
448 body JANEHOT            /\bjane\d[\w\d]*\@hotmail\.com\s*$/
449 describe JANEHOT        jane*@hotmail.com
450 score JANEHOT           3
451
452 # blarson 2008-03-20
453 rawbody BIFUTRA         /\b(?:bifutra|veriapoli|xenifeao|toporaig|jieros|bifreca|werikine|incroomise|genbullenst|writeprovide)(?:\.|\=2E)com\b/
454 describe BIFUTRA        spammer web sites
455 score BIFUTRA           4
456
457 # don 2008-04-02
458 body LONGLINEURL        /^.{55,}\S\shttp:\/\/www\.\w+\.(?:com|net|org)\/\s*$/
459 describe LONGLINEURL    long line ending in a simple url
460 score LONGLINEURL       2
461
462 # don 2008-04-07
463 uri MYTHANKYOUURI       /www\.mythankyou\.com/i
464 describe MYTHANKYOUURI  www.mythankyou.com
465 score MYTHANKYOUURI     5
466
467 # blarson 2008-04-09
468 uri SAMEAS              /\bsupersameas\.com\b/
469 describe SAMEAS         supersameas.com
470 score SAMEAS            3
471
472 # blarson 2008-04-12
473 body URIEXE             /\bhttp:\S*\.exe\b/
474 describe URIEXE         .exe url
475 score URIEXE            3
476
477 # blarson 2008-04-24
478 uri SANSATION           /\b(?:sansationel|garmenys|iconaliste)\.com\b/i
479 describe SANSATION      sansationel.com
480 score SANSATION         4
481
482 # blarson 2008-05-04
483 body EQMEDS             /\beqmeds\b/i
484 describe EQMEDS         eqmeds
485 score EQMEDS            4
486
487 # blarson 2008-05-06
488 uri MYLIVE                      /\bmylivegi\b/i
489 describe MYLIVE         mylivegirlx.com
490 score MYLIVE            4
491
492 # don 2008-05-26
493 body BROKENURL          /^\s*www((\s+\.\s*)|(\s*\.\+))\S+((\s+\.\s*)|(\s*\.\+))(com|net|org)\s*$/
494 describe BROKENURL      Broken url displayed
495 score BROKENURL         4
496
497 body STUPIDURL         /\w+\[\w+\](?:com|net|org)/;
498 describe STUPIDURL     No one will guess that fooo[DOT]com is an URL!
499 score STUPIDURL        2.5